1Because this project is maintained both in the OpenBSD tree using CVS and in 2Git, it can be confusing following all of the changes. 3 4Most of the libssl and libcrypto source code is is here in OpenBSD CVS: 5 6 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ 7 8Some of the libcrypto and OS-compatibility files for entropy and random number 9generation are here: 10 11 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/ 12 13A simplified TLS wrapper library is here: 14 15 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/ 16 17The LibreSSL Portable project copies these portions of the OpenBSD tree, along 18with relevant portions of the C library, to a Git repository. This makes it 19easier to follow all of the relevant changes to the upstream project in a 20single place: 21 22 https://github.com/libressl-portable/openbsd 23 24The portable bits of the project are largely maintained out-of-tree, and their 25history is also available from Git. 26 27 https://github.com/libressl-portable/portable 28 29LibreSSL Portable Release Notes: 30 313.1.3 - Bug fix 32 33 * libcrypto may fail to build a valid certificate chain due to 34 expired untrusted issuer certificates. 35 363.1.2 - Bug fix 37 38 * A TLS client with peer verification disabled may crash when 39 contacting a server that sends an empty certificate list. 40 413.1.1 - Stable release 42 43 * Improved cipher suite handling to automatically include TLSv1.3 44 cipher suites when they are not explicitly referred to in the 45 cipher string. 46 47 * Improved handling of TLSv1.3 HelloRetryRequests, simplifying 48 state transitions and ensuring that the legacy session identifer 49 retains the same value across the handshake. 50 51 * Provided TLSv1.3 cipher suite aliases to match the names used 52 in RFC 8446. 53 54 * Improved TLSv1.3 client key share handling to allow the use of 55 any groups in our configured NID list. 56 57 * Fixed printing the serialNumber with X509_print_ex() fall back to 58 the colon separated hex bytes in case greater than int value. 59 60 * Fix to disallow setting the AES-GCM IV length to zero. 61 62 * Added -groups option to openssl(1) s_server subcommand. 63 64 * Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug. 65 66 * Improved portable builds to support the use of static MSVC runtimes. 67 68 * Fixed portable builds to avoid exporting a sleep() symbol. 69 703.1.0 - Development release 71 72 * Completed initial TLS 1.3 implementation with a completely new state 73 machine and record layer. TLS 1.3 is now enabled by default for the 74 client side, with the server side to be enabled in a future release. 75 Note that the OpenSSL TLS 1.3 API is not yet visible/available. 76 77 * Many more code cleanups, fixes, and improvements to memory handling 78 and protocol parsing. 79 80 * Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1. 81 82 * Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL 83 1.1.1 and enabled by default. 84 85 * Improved compatibility by backporting functionality and documentation 86 from OpenSSL 1.1.1. 87 88 * Added many new additional crypto test vectors. 89 90 * Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics. 91 92 * Default CA bundle location is now configurable in portable builds. 93 94 * Added cms subcommand to openssl(1). 95 96 * Added -addext option to openssl(1) req subcommand. 97 983.0.2 - Stable release 99 100 * Use a valid curve when constructing an EC_KEY that looks like X25519. 101 The recent EC group cofactor change results in stricter validation, 102 which causes the EC_GROUP_set_generator() call to fail. 103 Issue reported and fix tested by rsadowski@ 104 105 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. 106 (Note that the CMS code is currently disabled) 107 Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license) 108 109 * Avoid a path traversal bug in s_server on Windows when run with the -WWW 110 or -HTTP options, due to incomplete path check logic. 111 Issue reported and fix tested by Jobert Abma 112 1133.0.1 - Development release 114 115 * Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL 116 or zero cofactor is passed to EC_GROUP_set_generator(), try to compute 117 it using Hasse's bound. This works as long as the cofactor is small 118 enough. 119 120 * Fixed a memory leak in error paths for eckey_type2param(). 121 122 * Initial work on supporting Cryptographic Message Syntax (CMS) in 123 libcrypto (not enabled). 124 125 * Various manual page improvements and additions. 126 127 * Added a CMake check for an existing uninstall target, facilitating 128 embedding LibreSSL in larger CMake projects, from Matthew Albrecht. 129 1303.0.0 - Development release 131 132 * Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API. 133 134 * Documented undescribed options and removed unfunctional options 135 description in openssl(1) manual. 136 137 * A plethora of small fixes due to regular oss-fuzz testing. 138 139 * Various side channels in DSA and ECDSA were addressed. These are some of 140 the many issues found in an extensive systematic analysis of bignum usage 141 by Samuel Weiser, David Schrammel et al. 142 143 * Enabled openssl(1) speed subcommand on Windows platform. 144 145 * Enabled performance optimizations when building with Visual Studio on Windows. 146 147 * Fixed incorrect carry operation in 512 addition for Streebog. 148 149 * Fixed -modulus option with openssl(1) dsa subcommand. 150 151 * Fixed PVK format output issue with openssl(1) dsa and rsa subcommand. 152 1532.9.2 - Bug fixes 154 155 * Fixed portable builds with older versions of MacOS, 156 Android targets < API 21, and Solaris 10 157 158 * Fixed SRTP profile advertisement for DTLS servers. 159 1602.9.1 - Stable release 161 162 * Added support for XChaCha20 and XChaCha20-Poly1305. 163 164 * Added support for AES key wrap constructions via the EVP interface. 165 166 * Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH. 167 168 * Added pbkdf2 key derivation support to openssl(1) 169 170 * Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake. 171 172 * Changed the default digest type of openssl(1) enc to to sha256. 173 174 * Changed the default digest type of openssl(1) dgst to sha256. 175 176 * Changed the default digest type of openssl(1) x509 -fingerprint to sha256. 177 178 * Changed the default digest type of openssl(1) crl -fingerprint to sha256. 179 180 * Improved Windows, Android, and ARM compatibility, including assembly 181 optimizations on Mingw-w64 targets. 182 1832.9.0 - Development release 184 185 * Added the SM4 block cipher from the Chinese standard GB/T 32907-2016. 186 187 * Fixed warnings about clock_gettime on Windows Visual Studio builds. 188 189 * Fixed CMake builds on systems where getpagesize is defined as an 190 inline function. 191 192 * CRYPTO_LOCK is now automatically initialized, with the legacy 193 callbacks stubbed for compatibility. 194 195 * Added the SM3 hash function from the Chinese standard GB/T 32905-2016. 196 197 * Added more OPENSSL_NO_* macros for compatibility with OpenSSL. 198 199 * Added extensive interoperability tests between LibreSSL and OpenSSL 200 1.0 and 1.1. 201 202 * Added additional Wycheproof tests and related bug fixes. 203 204 * Simplified sigalgs option processing and handshake signing algorithm 205 206 * Added the ability to use the RSA PSS algorithm for handshake 207 signatures. 208 209 * Added bn_rand_interval() and use it in code needing ranges of random 210 bn values. 211 212 * Added functionality to derive early, handshake, and application 213 secrets as per RFC8446. 214 215 * Added handshake state machine from RFC8446. 216 217 * Removed some ASN.1 related code from libcrypto that had not been used 218 since around 2000. 219 220 * Unexported internal symbols and internalized more record layer structs. 221 222 * Added support for assembly optimizations on 32-bit ARM ELF targets. 223 224 * Improved protection against timing side channels in ECDSA signature 225 generation. 226 227 * Coordinate blinding was added to some elliptic curves. This is the 228 last bit of the work by Brumley et al. to protect against the 229 Portsmash vulnerability. 230 231 * Ensure transcript handshake is always freed with TLS 1.2. 232 2332.8.2 - Stable release 234 235 * Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors, 236 along with test harness fixes. 237 238 * Fixed memory leak in nc(1) 239 2402.8.1 - Test and compatibility improvements 241 242 * Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM, 243 AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and 244 X25519 test vectors. Applied appropriate fixes for errors uncovered 245 by tests. 246 247 * Simplified key exchange signature generation and verification. 248 249 * Fixed a one-byte buffer overrun in callers of EVP_read_pw_string 250 251 * Converted more code paths to use CBB/CBS. All handshake messages are 252 now created by CBB. 253 254 * Fixed various memory leaks found by Coverity. 255 256 * Simplified session ticket parsing and handling, inspired by 257 BoringSSL. 258 259 * Modified signature of CRYPTO_mem_leaks_* to return -1. This function 260 is a no-op in LibreSSL, so this function returns an error to not 261 indicate the (non-)existence of memory leaks. 262 263 * SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher, 264 X509_OBJECT_up_ref_count now return an int for error handling, 265 matching OpenSSL. 266 267 * Converted a number of #defines into proper functions, matching 268 OpenSSL's ABI. 269 270 * Added X509_get0_serialNumber from OpenSSL. 271 272 * Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding 273 PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching 274 OpenSSL. 275 276 * Removed broken pkcs8 formats from openssl(1). 277 278 * Converted more functions in public API to use const arguments. 279 280 * Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the 281 EVP_AEAD interface. 282 283 * Stopped using composite EVP_CIPHER AEADs. 284 285 * Added timing-safe compares for checking results of signature 286 verification. There are no known attacks, this is just inexpensive 287 prudence. 288 289 * Correctly clear the current cipher state, when changing cipher state. 290 This fixed an issue where renegotiation of cipher suites would fail 291 when switched from AEAD to non-AEAD or vice-versa. 292 Issue reported by Bernard Spil. 293 294 * Added more cipher tests to appstest.sh, including all TLSv1.2 295 ciphers. 296 297 * Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL. 298 299 * Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be 300 retrieved and set with appropriate validation. 301 3022.8.0 - Bug fixes, security, and compatibility improvements 303 304 * Extensive documentation updates and additional API history. 305 306 * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry 307 308 * Tighten up checks for various X509_VERIFY_PARAM functions, 309 'poisoning' parameters so that an unverified certificate cannot be 310 used if it fails verification. 311 312 * Fixed a potential memory leak on failure in ASN1_item_digest 313 314 * Fixed a potential memory alignment crash in asn1_item_combine_free 315 316 * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and 317 SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. 318 319 * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. 320 321 * Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers 322 and matching OpenSSL behavior, rewrote ENGINE_* documentation. 323 324 * Added const annotations to many existing APIs from OpenSSL, making 325 interoperability easier for downstream applications. 326 327 * Fixed small timing side-channels in ecdsa_sign_setup and 328 dsa_sign_setup. 329 330 * Documented security pitfalls with BN_FLG_CONSTTIME and constant-time 331 operation of BN_* functions. 332 333 * Updated BN_clear to use explicit_bzero. 334 335 * Added a missing bounds check in c2i_ASN1_BIT_STRING. 336 337 * More CBS conversions, including simplifications to RSA key exchange, 338 and converted code to use dedicated buffers for secrets. 339 340 * Removed three remaining single DES cipher suites. 341 342 * Fixed a potential leak/incorrect return value in DSA signature 343 generation. 344 345 * Added a blinding value when generating DSA and ECDSA signatures, in 346 order to reduce the possibility of a side-channel attack leaking the 347 private key. 348 349 * Added ECC constant time scalar multiplication support. 350 From Billy Brumley and his team at Tampere University of Technology. 351 352 * Revised the implementation of RSASSA-PKCS1-v1_5 to match the 353 specification in RFC 8017. Based on an OpenSSL commit by David 354 Benjamin. 355 356 * Cleaned up BN_* implementations following changes made in OpenSSL by 357 Davide Galassi and others. 358 3592.7.4 - Security fixes 360 361 * Avoid a timing side-channel leak when generating DSA and ECDSA 362 signatures. This is caused by an attempt to do fast modular 363 arithmetic, which introduces branches that leak information 364 regarding secret values. Issue identified and reported by Keegan 365 Ryan of NCC Group. 366 367 * Reject excessively large primes in DH key generation. Problem 368 reported by Guido Vranken to OpenSSL 369 (https://github.com/openssl/openssl/pull/6457) and based on his 370 diff. 371 3722.7.3 - Bug fixes 373 374 * Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej 375 Sury 376 377 * Fixed an issue normalizing CPU architecture in the configure script, 378 which disabled assembly optimizations on platforms that get detected 379 as 'amd64', opposed to 'x86_64' 380 381 * Limited tls_config_clear_keys() to only clear private keys. 382 This was inadvertently clearing the keypair, which includes the OCSP 383 staple and pubkey hash - if an application called tls_configure() 384 followed by tls_config_clear_keys(), this would prevent OCSP staples 385 from working. 386 3872.7.2 - Stable release 388 389 * Updated and added extensive new HISTORY sections to API manuals. 390 391 * Added support for shared library builds with CMake on all supported 392 platforms. Note that some of the CMake options have changed, consult 393 the README for details. 394 3952.7.1 - Bug fixes 396 397 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name 398 length provided is 0 to match the OpenSSL behaviour. Issue noticed 399 by Christian Heimes <christian@python.org>. 400 401 * Fixed builds macOS 10.11 and older. 402 4032.7.0 - Bug fixes and improvements 404 405 * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on 406 observations of real-world usage in applications. These are 407 implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility 408 changes have not been made to existing structs, allowing code written 409 for older OpenSSL APIs to continue working. 410 411 * Extensive corrections, improvements, and additions to the 412 API documentation, including new public APIs from OpenSSL that had 413 no pre-existing documentation. 414 415 * Added support for automatic library initialization in libcrypto, 416 libssl, and libtls. Support for pthread_once or a compatible 417 equivalent is now required of the target operating system. As a 418 side-effect, minimum Windows support is Vista or higher. 419 420 * Converted more packet handling methods to CBB, which improves 421 resiliency when generating TLS messages. 422 423 * Completed TLS extension handling rewrite, improving consistency of 424 checks for malformed and duplicate extensions. 425 426 * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1. 427 This removes the last remaining use of the old M_ASN1_* macros 428 (asn1_mac.h) from API that needs to continue to exist. 429 430 * Added support for client-side session resumption in libtls. 431 A libtls client can specify a session file descriptor (a regular 432 file with appropriate ownership and permissions) and libtls will 433 manage reading and writing of session data across TLS handshakes. 434 435 * Improved support for strict alignment on ARMv7 architectures, 436 conditionally enabling assembly in those cases. 437 438 * Fixed a memory leak in libtls when reusing a tls_config. 439 440 * Merged more DTLS support into the regular TLS code path, removing 441 duplicated code. 442 443 * Many improvements to Windows Cmake-based builds and tests, 444 especially when targeting Visual Studio. 445 4462.6.4 - Bug fixes 447 448 * Make tls_config_parse_protocols() work correctly when passed a NULL 449 pointer for a protocol string. Issue found by semarie@, who also 450 provided the diff. 451 452 * Correct TLS extensions handling when no extensions are present. 453 If no TLS extensions are present in a client hello or server hello, 454 omit the entire extensions block, rather than including it with a 455 length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for 456 providing packet captures and testing the fix. 457 458 * Fixed portable builds on older Android systems, and systems with out 459 IPV6_TCLASS support. 460 4612.6.3 - OpenBSD 6.2 Release 462 463 * No core changes from LibreSSL 2.6.2 464 465 * Minor compatibility fixes in portable version. 466 4672.6.2 - Bug fixes 468 469 * Provide a useful error with libtls if there are no OCSP URLs in a 470 peer certificate. 471 472 * Keep track of which keypair is in use by a TLS context, fixing a bug 473 where a TLS server with SNI would only return the OCSP staple for the 474 default keypair. Issue reported by William Graeber and confirmed by 475 Andreas Bartelt. 476 477 * Fixed various issues in the OCSP extension parsing code. 478 The original code incorrectly passes the pointer allocated via 479 CBS_stow() (using malloc()) to a d2i_*() function and then calls 480 free() on the now incremented pointer, most likely resulting in a 481 crash. This issue was reported by Robert Swiecki who found the issue 482 using honggfuzz. 483 484 * If tls_config_parse_protocols() is called with a NULL pointer, 485 return the default protocols instead of crashing - this makes the 486 behaviour more useful and mirrors what we already do in 487 tls_config_set_ciphers() et al. 488 4892.6.1 - Code removal, rewrites 490 491 * Added a "-T tlscompat" option to nc(1), which enables the use of all 492 TLS protocols and "compat" ciphers. This allows for TLS connections 493 to TLS servers that are using less than ideal cipher suites, without 494 having to resort to "-T tlsall" which enables all known cipher 495 suites. Diff from Kyle J. McKay. 496 497 * Added a new TLS extension handling framework, somewhat analogous to 498 BoringSSL, and converted all TLS extensions to use it. Added new TLS 499 extension regression tests. 500 501 * Improved and added many new manpages. Updated *check_private_key 502 manpages with additional cautions regarding their use. 503 504 * Cleaned up the EC key/curve configuration handling. 505 506 * Added tls_config_set_ecdhecurves() to libtls, which allows the names 507 of the eliptical curves that may be used during client and server 508 key exchange to be specified. 509 510 * Converted more code paths to use CBB/CBS. 511 512 * Removed support for DSS/DSA, since we removed the cipher suites a 513 while back. 514 515 * Removed NPN support. NPN was never standardised and the last draft 516 expired in October 2012. ALPN was standardised in July 2014 and has 517 been supported in LibreSSL since December 2014. NPN has also been 518 removed from Chromium in May 2016. 519 520 * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken 521 CryptoPro clients. 522 523 * Removed support for the TLS padding extension, which was added as a 524 workaround for an old bug in F5's TLS termination. 525 526 * Worked around another bug in F5's TLS termination handling of the 527 elliptical curves extension. RFC 4492 only defines elliptic_curves 528 for ClientHello. However, F5 is sending it in ServerHello. We need 529 to skip over it since our TLS extension parsing code is now more 530 strict. Thanks to Armin Wolfermann and WJ Liu for reporting. 531 532 * Added ability to clamp notafter valies in certificates for systems 533 with 32-bit time_t. This is necessary to conform to RFC 5280 534 4.1.2.5. 535 536 * Implemented the SSL_CTX_set_min_proto_version(3) API. 537 538 * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. 539 540 * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. 541 5422.6.0 - New APIs, bug fixes and improvements 543 544 * Added support for providing CRLs to libtls. Once a CRL is provided we 545 enable CRL checking for the full certificate chain. Based on a diff 546 from Jack Burton 547 548 * Allow non-compliant clients using IP literal addresses with SNI 549 to connect to a server using libtls. 550 551 * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey(). 552 Reported by Robert Swiecki, who found the issue using honggfuzz. 553 554 * Added definitions for three OIDs used in EV certificates. 555 From Kyle J. McKay 556 557 * Added tls_peer_cert_chain_pem to libtls, useful in private 558 certificate validation callbacks such as those in relayd. 559 560 * Converted explicit clear/free sequences to use freezero(3). 561 562 * Reworked TLS certificate name verification code to more strictly 563 follow RFC 6125. 564 565 * Cleaned up and simplified server key exchange EC point handling. 566 567 * Added tls_keypair_clear_key for clearing key material. 568 569 * Removed inconsistent IPv6 handling from BIO_get_accept_socket, 570 simplified BIO_get_host_ip and BIO_accept. 571 572 * Fixed the openssl(1) ca command so that is generates certificates 573 with RFC 5280-conformant time. Problem noticed by Harald Dunkel. 574 575 * Added ASN1_TIME_set_tm to set an asn1 from a struct tm * 576 577 * Added SSL{,_CTX}_set_{min,max}_proto_version() functions. 578 579 * Added HKDF (HMAC Key Derivation Function) from BoringSSL 580 581 * Provided a tls_unload_file() function that frees the memory returned 582 from a tls_load_file() call, ensuring that it the contents become 583 inaccessible. This is specifically needed on platforms where the 584 library allocators may be different from the application allocator. 585 586 * Perform reference counting for tls_config. This allows 587 tls_config_free() to be called as soon as it has been passed to the 588 final tls_configure() call, simplifying lifetime tracking for the 589 application. 590 591 * Moved internal state of SSL and other structures to be opaque. 592 593 * Dropped cipher suites with DSS authentication. 594 595 * nc(1) improvements, including: 596 nc -W to terminate nc after receiving a number of packets 597 nc -Z for saving the peer certificate and chain in a pem file 598 5992.5.5 - Bug fixes 600 601 * Distinguish between self-issued certificates and self-signed 602 certificates. The certificate verification code has special cases 603 for self-signed certificates and without this change, self-issued 604 certificates (which it seems are common place with 605 openvpn/easyrsa) were also being included in this category. 606 607 * Added getpagesize fallback, needed for Android bionic libc. 608 6092.5.4 - Security Updates 610 611 * Revert a previous change that forced consistency between return 612 value and error code when specifing a certificate verification 613 callback, since this breaks the documented API. When a user supplied 614 callback always returns 1, and later code checks the error code to 615 potentially abort post verification, this will result in incorrect 616 successul certificate verification. 617 618 * Switched Linux getrandom() usage to non-blocking mode, continuing to 619 use fallback mechanims if unsuccessful. This works around a design 620 flaw in Linux getrandom(2) where early boot usage in a library makes 621 it impossible to recover if getrandom(2) is not yet initialized. 622 623 * Fixed a bug caused by the return value being set early to signal 624 successful DTLS cookie validation. This can mask a later failure and 625 result in a positive return value being returned from 626 ssl3_get_client_hello(), when it should return a negative value to 627 propagate the error. 628 629 * Fixed a build error on non-x86/x86_64 systems running Solaris. 630 6312.5.3 - OpenBSD 6.1 Release 632 633 * Documentation updates 634 635 * Improved ocspcheck(1) error handling 636 6372.5.2 - Security features and bugfixes 638 639 * Added the recallocarray(3) memory allocation function, and converted 640 various places in the library to use it, such as CBB and BUF_MEM_grow. 641 recallocarray(3) is similar to reallocarray. Newly allocated memory 642 is cleared similar to calloc(3). Memory that becomes unallocated 643 while shrinking or moving existing allocations is explicitly 644 discarded by unmapping or clearing to 0 645 646 * Added new root CAs from SECOM Trust Systems / Security Communication 647 of Japan. 648 649 * Added EVP interface for MD5+SHA1 hashes. 650 651 * Fixed DTLS client failures when the server sends a certificate 652 request. 653 654 * Correct handling of padding when upgrading an SSLv2 challenge into 655 an SSLv3/TLS connection. 656 657 * Allow protocols and ciphers to be set on a TLS config object in 658 libtls. 659 660 * Improved nc(1) TLS handshake CPU usage and server-side error 661 reporting. 662 6632.5.1 - Bug and security fixes, new features, documentation updates 664 665 * X509_cmp_time() now passes a malformed GeneralizedTime field as an 666 error. Reported by Theofilos Petsios. 667 668 * Detect zero-length encrypted session data early, instead of when 669 malloc(0) fails or the HMAC check fails. Noted independently by 670 jsing@ and Kurt Cancemi. 671 672 * Check for and handle failure of HMAC_{Update,Final} or 673 EVP_DecryptUpdate(). 674 675 * Massive update and normalization of manpages, conversion to 676 mandoc format. Many pages were rewritten for clarity and accuracy. 677 Portable doc links are up-to-date with a new conversion tool. 678 679 * Curve25519 Key Exchange support. 680 681 * Support for alternate chains for certificate verification. 682 683 * Code cleanups, CBS conversions, further unification of DTLS/SSL 684 handshake code, further ASN1 macro expansion and removal. 685 686 * Private symbol are now hidden in libssl and libcryto. 687 688 * Friendly certificate verification error messages in libtls, peer 689 verification is now always enabled. 690 691 * Added OCSP stapling support to libtls and netcat. 692 693 * Added ocspcheck utility to validate a certificate against its OCSP 694 responder and save the reply for stapling 695 696 * Enhanced regression tests and error handling for libtls. 697 698 * Added explicit constant and non-constant time BN functions, 699 defaulting to constant time wherever possible. 700 701 * Moved many leaked implementation details in public structs behind 702 opaque pointers. 703 704 * Added ticket support to libtls. 705 706 * Added support for setting the supported EC curves via 707 SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous 708 SSL{_CTX}_set1_curves{_list} names. This also changes the default 709 list of curves to be X25519, P-256 and P-384. All other curves must 710 be manually enabled. 711 712 * Added -groups option to openssl(1) s_client for specifying the curves 713 to be used in a colon-separated list. 714 715 * Merged client/server version negotiation code paths into one, 716 reducing much duplicate code. 717 718 * Removed error function codes from libssl and libcrypto. 719 720 * Fixed an issue where a truncated packet could crash via an OOB read. 721 722 * Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows 723 client-initiated renegotiation. This is the default for libtls 724 servers. 725 726 * Avoid a side-channel cache-timing attack that can leak the ECDSA 727 private keys when signing. This is due to BN_mod_inverse() being 728 used without the constant time flag being set. Reported by Cesar 729 Pereida Garcia and Billy Brumley (Tampere University of Technology). 730 The fix was developed by Cesar Pereida Garcia. 731 732 * iOS and MacOS compatibility updates from Simone Basso and Jacob 733 Berkman. 734 735 7362.5.0 - New APIs, bug fixes and improvements 737 738 * libtls now supports ALPN and SNI 739 740 * libtls adds a new callback interface for integrating custom IO 741 functions. Thanks to Tobias Pape. 742 743 * libtls now handles 4 cipher suite groups: 744 "secure" (TLSv1.2+AEAD+PFS) 745 "compat" (HIGH:!aNULL) 746 "legacy" (HIGH:MEDIUM:!aNULL) 747 "insecure" (ALL:!aNULL:!eNULL) 748 749 This allows for flexibility and finer grained control, rather than 750 having two extremes (an issue raised by Marko Kreen some time ago). 751 752 * Tightened error handling for tls_config_set_ciphers(). 753 754 * libtls now always loads CA, key and certificate files at the time the 755 configuration function is called. This simplifies code and results in 756 a single memory based code path being used to provide data to libssl. 757 758 * Add support for OCSP intermediate certificates. 759 760 * Added functions used by stunnel and exim from BoringSSL - this 761 brings in X509_check_host, X509_check_email, X509_check_ip, and 762 X509_check_ip_asc. 763 764 * Added initial support for iOS, thanks to Jacob Berkman. 765 766 * Improved behavior of arc4random on Windows when using memory leak 767 analysis software. 768 769 * Correctly handle an EOF that occurs prior to the TLS handshake 770 completing. Reported by Vasily Kolobkov, based on a diff from Marko 771 Kreen. 772 773 * Limit the support of the "backward compatible" ssl2 handshake to 774 only be used if TLS 1.0 is enabled. 775 776 * Fix incorrect results in certain cases on 64-bit systems when 777 BN_mod_word() can return incorrect results. BN_mod_word() now can 778 return an error condition. Thanks to Brian Smith. 779 780 * Added constant-time updates to address CVE-2016-0702 781 782 * Fixed undefined behavior in BN_GF2m_mod_arr() 783 784 * Removed unused Cryptographic Message Support (CMS) 785 786 * More conversions of long long idioms to time_t 787 788 * Improved compatibility by avoiding printing NULL strings with 789 printf. 790 791 * Reverted change that cleans up the EVP cipher context in 792 EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the 793 previous behaviour. 794 795 * Avoid unbounded memory growth in libssl, which can be triggered by a 796 TLS client repeatedly renegotiating and sending OCSP Status Request 797 TLS extensions. 798 799 * Avoid falling back to a weak digest for (EC)DH when using SNI with 800 libssl. 801 8022.4.2 - Bug fixes and improvements 803 804 * Fixed loading default certificate locations with openssl s_client. 805 806 * Ensured OCSP only uses and compares GENERALIZEDTIME values as per 807 RFC6960. Also added fixes for OCSP to work with intermediate 808 certificates provided in responses. 809 810 * Improved behavior of arc4random on Windows to not appear to leak 811 memory in debug tools, reduced privileges of allocated memory. 812 813 * Fixed incorrect results from BN_mod_word() when the modulus is too 814 large, thanks to Brian Smith from BoringSSL. 815 816 * Correctly handle an EOF prior to completing the TLS handshake in 817 libtls. 818 819 * Improved libtls ceritificate loading and cipher string validation. 820 821 * Updated libtls cipher group suites into four categories: 822 "secure" (TLSv1.2+AEAD+PFS) 823 "compat" (HIGH:!aNULL) 824 "legacy" (HIGH:MEDIUM:!aNULL) 825 "insecure" (ALL:!aNULL:!eNULL) 826 This allows for flexibility and finer grained control, rather than 827 having two extremes. 828 829 * Limited support for 'backward compatible' SSLv2 handshake packets to 830 when TLS 1.0 is enabled, providing more restricted compatibility 831 with TLS 1.0 clients. 832 833 * openssl(1) and other documentation improvements. 834 835 * Removed flags for disabling constant-time operations. 836 This removes support for DSA_FLAG_NO_EXP_CONSTTIME, 837 DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making 838 all of these operations unconditionally constant-time. 839 840 8412.4.1 - Security fix 842 843 * Correct a problem that prevents the DSA signing algorithm from 844 running in constant time even if the flag BN_FLG_CONSTTIME is set. 845 This issue was reported by Cesar Pereida (Aalto University), Billy 846 Brumley (Tampere University of Technology), and Yuval Yarom (The 847 University of Adelaide and NICTA). The fix was developed by Cesar 848 Pereida. 849 8502.4.0 - Build improvements, new features 851 852 * Many improvements to the CMake build infrastructure, including 853 Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro 854 Inoguchi for this work. 855 856 * Added missing error handling around bn_wexpand() calls. 857 858 * Added explicit_bzero calls for freed ASN.1 objects. 859 860 * Fixed X509_*set_object functions to return 0 on allocation failure. 861 862 * Implemented the IETF ChaCha20-Poly1305 cipher suites. 863 864 * Changed default EVP_aead_chacha20_poly1305() implementation to the 865 IETF version, which is now the default. 866 867 * Fixed password prompts from openssl(1) to properly handle ^C. 868 869 * Reworked error handling in libtls so that configuration errors are 870 visible. 871 872 * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final. 873 874 * Manpage fixes and updates 875 8762.3.5 - Reliability fix 877 878 * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k. 879 8802.3.4 - Security Update 881 882 * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding. 883 From OpenSSL. 884 885 * Minor build fixes 886 8872.3.3 - OpenBSD 5.9 release branch tagged 888 889 * Reworked build scripts to better sync with OpenNTPD-portable 890 891 * Fixed broken manpage links 892 893 * Fixed an nginx compatibility issue by adding an 'install_sw' make alias 894 895 * Fixed HP-UX builds 896 897 * Changed the default configuration directory to c:\LibreSSL\ssl on Windows 898 binary builds 899 900 * cert.pem has been reorganized and synced with Mozilla's certificate store 901 9022.3.2 - Compatibility and Reliability fixes 903 904 * Changed format of LIBRESSL_VERSION_NUMBER to match that of 905 OPENSSL_VERSION_NUMBER, see: 906 https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3) 907 908 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD 909 construction introduced in RFC 7539, which is different than that 910 already used in TLS with EVP_aead_chacha20_poly1305() 911 912 * Avoid a potential undefined C99+ behavior due to shift overflow in 913 AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com> 914 915 * More man pages converted from pod to mdoc format 916 917 * Added COMODO RSA Certification Authority and QuoVadis 918 root certificates to cert.pem 919 920 * Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification 921 Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root 922 certificate from cert.pem 923 924 * Added support for building nc(1) on Solaris 925 926 * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev 927 928 * Improved console handling with openssl(1) on Windows 929 930 * Ensure the network stack is enabled on Windows when running 931 tls_init() 932 933 * Fixed incorrect TLS certificate loading by nc(1) 934 935 * Added support for Solaris 11.3's getentropy(2) system call 936 937 * Enabled support for using NetBSD 7.0's arc4random(3) implementation 938 939 * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect 940 941 * Fixes from OpenSSL 1.0.1q 942 - CVE-2015-3194 - NULL pointer dereference in client side certificate 943 validation. 944 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL 945 946 * The following OpenSSL CVEs did not apply to LibreSSL 947 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery 948 squaring procedure. 949 - CVE-2015-3196 - Double free race condition of the identify hint 950 data. 951 952 See https://marc.info/?l=openbsd-announce&m=144925068504102 953 9542.3.1 - ASN.1 and time handling cleanups 955 956 * ASN.1 cleanups and RFC5280 compliance fixes. 957 958 * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL 959 now checks if the host OS supports 64-bit time_t. 960 961 * Fixed a leak in SSL_new in the error path. 962 963 * Support always extracting the peer cipher and version with libtls. 964 965 * Added ability to check certificate validity times with libtls, 966 tls_peer_cert_notbefore and tls_peer_cert_notafter. 967 968 * Changed tls_connect_servername to use the first address that resolves with 969 getaddrinfo(). 970 971 * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since 972 initial commit in 2004). 973 974 * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported 975 by Qualys Security. 976 977 * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of 978 sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>. 979 980 * Reject too small bits value in BN_generate_prime_ex(), so that it does 981 not risk becoming negative in probable_prime_dh_safe(), reported by 982 Franck Denis. 983 984 * Enable nc(1) builds on more platforms. 985 9862.3.0 - SSLv3 removed, libtls API changes, portability improvements 987 988 * SSLv3 is now permanently removed from the tree. 989 990 * The libtls API is changed from the 2.2.x series. 991 992 The read/write functions work correctly with external event 993 libraries. See the tls_init man page for examples of using libtls 994 correctly in asynchronous mode. 995 996 Client-side verification is now supported, with the client supplying 997 the certificate to the server. 998 999 Also, when using tls_connect_fds, tls_connect_socket or 1000 tls_accept_fds, libtls no longer implicitly closes the passed in 1001 sockets. The caller is responsible for closing them in this case. 1002 1003 * When loading a DSA key from an raw (without DH parameters) ASN.1 1004 serialization, perform some consistency checks on its `p' and `q' 1005 values, and return an error if the checks failed. 1006 1007 Thanks for Georgi Guninski (guninski at guninski dot com) for 1008 mentioning the possibility of a weak (non prime) q value and 1009 providing a test case. 1010 1011 See 1012 https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html 1013 for a longer discussion. 1014 1015 * Fixed a bug in ECDH_compute_key that can lead to silent truncation 1016 of the result key without error. A coding error could cause software 1017 to use much shorter keys than intended. 1018 1019 * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no 1020 longer supported. 1021 1022 * The engine command and parameters are removed from the openssl(1). 1023 Previous releases removed dynamic and builtin engine support 1024 already. 1025 1026 * SHA-0 is removed, which was withdrawn shortly after publication 20 1027 years ago. 1028 1029 * Added Certplus CA root certificate to the default cert.pem file. 1030 1031 * New interface OPENSSL_cpu_caps is provided that does not allow 1032 software to inadvertently modify cpu capability flags. 1033 OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed. 1034 1035 * The out_len argument of AEAD changed from ssize_t to size_t. 1036 1037 * Deduplicated DTLS code, sharing bugfixes and improvements with 1038 TLS. 1039 1040 * Converted 'nc' to use libtls for client and server operations; it is 1041 included in the libressl-portable distribution as an example of how 1042 to use the library. 1043 10442.2.3 - Bug fixes, build enhancements 1045 1046 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not 1047 include TLS extensions, resulting in such handshakes being aborted. 1048 This release corrects the handling of such messages. Thanks to 1049 Ligushka from github for reporting the issue. 1050 1051 * Added install target for cmake builds. Thanks to TheNietsnie from 1052 github. 1053 1054 * Updated pkgconfig files to correctly report the release version 1055 number, not the individual library ABI version numbers. Thanks to 1056 Jan Engelhardt for reporting the issue. 1057 10582.2.2 - More TLS parser rework, bug fixes, expanded portable build support 1059 1060 * Switched 'openssl dhparam' default from 512 to 2048 bits 1061 1062 * Reworked openssl(1) option handling 1063 1064 * More CRYPTO ByteString (CBC) packet parsing conversions 1065 1066 * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success 1067 1068 * Fixed dozens of Coverity issues including dead code, memory leaks, 1069 logic errors and more. 1070 1071 * Ensure that openssl(1) restores terminal echo state after reading a 1072 password. 1073 1074 * Incorporated fix for OpenSSL Issue #3683 1075 1076 * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped 1077 for each portable release. 1078 1079 * Removed workarounds for TLS client padding bugs. 1080 1081 * No longer disable ECDHE-ECDSA on OS X 1082 1083 * Removed SSLv3 support from openssl(1) 1084 1085 * Removed IE 6 SSLv3 workarounds. 1086 1087 * Modified tls_write in libtls to allow partial writes, clarified with 1088 examples in the documentation. 1089 1090 * Removed RSAX engine 1091 1092 * Tested SSLv3 removal with the OpenBSD ports tree and found several 1093 applications that were not ready to build without SSLv3 yet. For 1094 now, building a program that intentionally uses SSLv3 will result in 1095 a linker warning. 1096 1097 * Added TLS_method, TLS_client_method and TLS_server_method as a 1098 replacement for the SSLv23_*method calls. 1099 1100 * Added initial cmake build support, including support for building with 1101 Visual Studio, currently tested with Visual Studio 2013 Community 1102 Edition. 1103 1104 * --with-enginesdir is removed as a configuration parameter 1105 1106 * Default cert.pem, openssl.cnf, and x509v3.cnf files are now 1107 installed under $sysconfdir/ssl or the directory specified by 1108 --with-openssldir. Previous versions of LibreSSL left these empty. 1109 11102.2.1 - Build fixes, feature added, features removed 1111 1112 * Assorted build fixes for musl, HP-UX, Mingw, Solaris. 1113 1114 * Initial support for Windows Embedded 2009, Server 2003, XP 1115 1116 * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API 1117 1118 * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL 1119 1120 * Removed Dynamic Engine support 1121 1122 * Removed unused and obsolete MDC-2DES cipher 1123 1124 * Removed workarounds for obsolete SSL implementations 1125 11262.2.0 - Build cleanups and new OS support, Security Updates 1127 1128 * AIX Support - thanks to Michael Felt 1129 1130 * Cygwin Support - thanks to Corinna Vinschen 1131 1132 * Refactored build macros, support packaging libtls independently. 1133 There are more pieces required to support building and using OpenSSL 1134 with libtls, but this is an initial start at providing an 1135 independent package for people to start hacking on. 1136 1137 * Removal of OPENSSL_issetugid and all library getenv calls. 1138 Applications can and should no longer rely on environment variables 1139 for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still 1140 supported with the openssl(1) command. 1141 1142 * libtls API and documentation additions 1143 1144 * Various bug fixes and simplifications to libssl and libcrypto 1145 1146 * Fixes for the following issues are integrated into LibreSSL 2.2.0: 1147 - CVE-2015-1788 - Malformed ECParameters causes infinite loop 1148 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time 1149 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function 1150 1151 * The following CVEs did not apply to LibreSSL or were fixed in 1152 earlier releases: 1153 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam) 1154 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent 1155 - CVE-2014-8176 - Invalid free in DTLS 1156 1157 * Fixes for the following CVEs are still in review for LibreSSL 1158 - CVE-2015-1791 - Race condition handling NewSessionTicket 1159 11602.1.6 - Security update 1161 1162 * Fixes for the following issues are integrated into LibreSSL 2.1.6: 1163 - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error 1164 - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp 1165 - CVE-2015-0287 - ASN.1 structure reuse memory corruption 1166 - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref 1167 - CVE-2015-0289 - PKCS7 NULL pointer dereferences 1168 1169 * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen 1170 is integrated for safety, but LibreSSL is not vulnerable. 1171 1172 * Libtls is now built by default. The --enable-libtls 1173 configuration option is no longer required. 1174 The libtls API is now stable for the 2.1.x series. 1175 11762.1.5 - Bug fixes and a security update 1177 * Fix incorrect comparison function in openssl(1) certhash command. 1178 Thanks to Christian Neukirchen / Void Linux. 1179 1180 * Windows port improvements and bug fixes. 1181 - Removed a dependency on libgcc in 32-bit dynamic libraries. 1182 - Correct a hang in openssl(1) reading from stdin on an connection. 1183 - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and 1184 any other network-related commands to function properly. 1185 1186 * Reject all server DH keys smaller than 1024 bits. 1187 11882.1.4 - Security and feature updates 1189 * Improvements to libtls: 1190 - a new API for loading CA chains directly from memory instead of a 1191 file, allowing verification with privilege separation in a chroot 1192 without direct access to CA certificate files. 1193 1194 - Ciphers default to TLSv1.2 with AEAD and PFS. 1195 1196 - Improved error handling and message generation 1197 1198 - New APIs and improved documentation 1199 1200 * Added X509_STORE_load_mem API for loading certificates from memory. 1201 This facilitates accessing certificates from a chrooted environment. 1202 1203 * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by 1204 using 'TLSv1.2+AEAD' as the cipher selection string. 1205 1206 * Dead and disabled code removal including MD5, Netscape workarounds, 1207 non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more. 1208 1209 * ASN1 macro maze expanded to aid reading and searching the code. 1210 1211 * NULL pointer asserts removed in favor of letting the OS/signal 1212 handler catch them. 1213 1214 * Refactored argument handling in openssl(1) for consistency and 1215 maintainability. 1216 1217 * New openssl(1) command 'certhash' replaces the c_rehash script. 1218 1219 * Support for building with OPENSSL_NO_DEPRECATED 1220 1221 * Server-side support for TLS_FALLBACK_SCSV for compatibility with 1222 various auditor and vulnerability scanners. 1223 1224 * Dozens of issues found with the Coverity scanner fixed. 1225 1226 * Security Updates: 1227 1228 - Fix a minor information leak that was introduced in t1_lib.c 1229 r1.71, whereby an additional 28 bytes of .rodata (or .data) is 1230 provided to the network. In most cases this is a non-issue since 1231 the memory content is already public. Issue found and reported by 1232 Felix Groebert of the Google Security Team. 1233 1234 - Fixes for the following low-severity issues were integrated into 1235 LibreSSL from OpenSSL 1.0.1k: 1236 1237 CVE-2015-0205 - DH client certificates accepted without 1238 verification 1239 CVE-2014-3570 - Bignum squaring may produce incorrect results 1240 CVE-2014-8275 - Certificate fingerprints can be modified 1241 CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client] 1242 Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA. 1243 1244 The following CVEs were fixed in earlier LibreSSL releases: 1245 CVE-2015-0206 - Memory leak handling repeated DLTS records 1246 CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites. 1247 1248 The following CVEs did not apply to LibreSSL: 1249 CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record 1250 CVE-2014-3569 - no-ssl3 configuration sets method to NULL 1251 CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA 1252 12532.1.3 - Security update and OS support improvements 1254 * Fixed various memory leaks in DTLS, including fixes for 1255 CVE-2015-0206. 1256 1257 * Added Application-Layer Protocol Negotiation (ALPN) support. 1258 1259 * Removed GOST R 34.10-94 signature authentication. 1260 1261 * Removed nonfunctional Netscape browser-hang workaround code. 1262 1263 * Simplified and refactored SSL/DTLS handshake code. 1264 1265 * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. 1266 1267 * Hide timing info about padding errors during handshakes. 1268 1269 * Improved libtls support for non-blocking sockets, added randomized 1270 session ID contexts. Work is ongoing with this library - feedback 1271 and potential use-cases are welcome. 1272 1273 * Support building Windows DLLs. 1274 Thanks to Jan Engelhard. 1275 1276 * Packaged config wrapper for better compatibility with OpenSSL-based 1277 build systems. 1278 Thanks to @technion from github 1279 1280 * Ensure the stack is marked non-executable for assembly sections. 1281 Thanks to Anthony G. Bastile. 1282 1283 * Enable extra compiler hardening flags by default, where applicable. 1284 The default set of hardening features can vary by OS to OS, so 1285 feedback is welcome on this. To disable the default hardening flags, 1286 specify '--disable-hardening' during configure. 1287 Thanks to Jim Barlow 1288 1289 * Initial HP-UX support, tested with HP-UX 11.31 ia64 1290 Thanks to Kinichiro Inoguchi 1291 1292 * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64 1293 Imported from OpenNTPD, thanks to @gitisihara from github 1294 12952.1.2 - Many new features and improvements 1296 * Added reworked GOST cipher suite support 1297 thanks to Dmitry Eremin-Solenikov 1298 1299 * Enabled Camellia ciphers due to improved patent situation 1300 1301 * Use builtin arc4random implementation on OS X and FreeBSD 1302 this addresses some deficiencies in the native implementations of 1303 these operating systems, see commit logs for more information 1304 1305 * Added initial Windows mingw-w64 support (32 and 64-bit) 1306 thanks to Song Dongsheng and others for code and feedback 1307 1308 * Enabled assembly optimizations on x86_64 CPUs 1309 supports Linux, *BSD, Solaris and OS X operating systems 1310 thanks to Wouter Clarie for the initial implementation 1311 1312 * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1) 1313 1314 * Improved build infrastructure, 'make distcheck' now passes 1315 this simplifies and speeds developer efficiency 1316 thanks to Dmitry Eremin-Solenikov and Wouter Clarie 1317 1318 * Allow conditional building of the libtls library 1319 expect the API and ABI of the library to change 1320 feedback is welcome 1321 1322 * Fixes for more memory leaks, cleanups, etc. 1323 13242.1.1 - Security update 1325 * Address POODLE attack by disabling SSLv3 by default 1326 1327 * Fix Eliptical Curve cipher selection bug 1328 (https://github.com/libressl-portable/portable/issues/35) 1329 13302.1.0 - First release from the OpenBSD 5.7 tree 1331 * Added support for automatic ephemeral EC keys 1332 1333 * Fixes for many memory leaks and overflows in error handlers 1334 1335 * The TLS padding extension (that works around bugs in F5 terminators) is 1336 off by default 1337 1338 * support for getrandom(2) on Linux 3.17 1339 1340 * the NO_ASM macro is no longer being set, providing the first bits toward 1341 enabling other assembly offloads. 1342 13432.0.5 - Fixes for CVEs from OpenSSL 1.0.1i 1344 * CVE-2014-3506 1345 * CVE-2014-3507 1346 * CVE-2014-3508 (partially vulnerable)he 1347 * CVE-2014-3509 1348 * CVE-2014-3510 1349 * CVE-2014-3511 1350 * Synced LibreSSL Portable with the release version of OpenBSD 5.6 1351 13522.0.4 - Portability fixes, deleted unused SRP code 1353 13542.0.3 - Portability fixes, improvements to fork detection 1355 13562.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork 1357 13582.0.1 - Portability fixes: 1359 * Removed -Werror and and other non-portable compiler flags 1360 1361 * Allow setting OPENSSLDIR and ENGINSDIR 1362 13632.0.0 - First release from the OpenBSD 5.6 tree 1364 * Removal of many obsolete features and coding conventions from the OpenSSL 1365 1.0.1h source 1366