xref: /dragonfly/crypto/libressl/ChangeLog (revision f015dc58)
Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing following all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

	https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

	https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

	* Improve client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Do not error out if a TLSv1.3 server requests an OCSP response as
	  part of a certificate request.

	* Fix SSL_shutdown behavior to match the legacy stack.  The previous
	  behaviour could cause a hang.

	* Fix a memory leak and add a missing error check in the handling of
	  the key update message.

	* Fix a memory leak in tls13_record_layer_set_traffic_key.

	* Avoid calling freezero with a negative size if a server sends a
	  malformed plaintext of all zeroes.

	* Ensure that only PSS may be used with RSA in TLSv1.3 in order
	  to avoid using PKCS1-based signatures.

	* Add the P-521 curve to the list of curves supported by default
	  in the client.

3.1.3 - Bug fix

	* libcrypto may fail to build a valid certificate chain due to
	  expired untrusted issuer certificates.

3.1.2 - Bug fix

	* A TLS client with peer verification disabled may crash when
	  contacting a server that sends an empty certificate list.

3.1.1 - Stable release

	* Improved cipher suite handling to automatically include TLSv1.3
	  cipher suites when they are not explicitly referred to in the
	  cipher string.

	* Improved handling of TLSv1.3 HelloRetryRequests, simplifying
	  state transitions and ensuring that the legacy session identifier
	  retains the same value across the handshake.

	* Provided TLSv1.3 cipher suite aliases to match the names used
	  in RFC 8446.

	* Improved TLSv1.3 client key share handling to allow the use of
	  any groups in our configured NID list.

	* Fixed printing the serialNumber with X509_print_ex(): fall back to
	  the colon-separated hex bytes when the value is too large to fit
	  in an int.

	* Fix to disallow setting the AES-GCM IV length to zero.

	* Added -groups option to openssl(1) s_server subcommand.

	* Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.

	* Improved portable builds to support the use of static MSVC runtimes.

	* Fixed portable builds to avoid exporting a sleep() symbol.

3.1.0 - Development release

	* Completed initial TLS 1.3 implementation with a completely new state
	  machine and record layer. TLS 1.3 is now enabled by default for the
	  client side, with the server side to be enabled in a future release.
	  Note that the OpenSSL TLS 1.3 API is not yet visible/available.

	* Many more code cleanups, fixes, and improvements to memory handling
	  and protocol parsing.

	* Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.

	* Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
	  1.1.1 and enabled by default.

	* Improved compatibility by backporting functionality and documentation
	  from OpenSSL 1.1.1.

	* Added many new additional crypto test vectors.

	* Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

	* Default CA bundle location is now configurable in portable builds.

	* Added cms subcommand to openssl(1).

	* Added -addext option to openssl(1) req subcommand.

3.0.2 - Stable release

	* Use a valid curve when constructing an EC_KEY that looks like X25519.
	  The recent EC group cofactor change results in stricter validation,
	  which causes the EC_GROUP_set_generator() call to fail.
	  Issue reported and fix tested by rsadowski@.

	* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
	  (Note that the CMS code is currently disabled.)
	  Port of Edlinger's fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license).

	* Avoid a path traversal bug in s_server on Windows when run with the -WWW
	  or -HTTP options, due to incomplete path check logic.
	  Issue reported and fix tested by Jobert Abma.

3.0.1 - Development release

	* Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
	  or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
	  it using Hasse's bound. This works as long as the cofactor is small
	  enough.

	* Fixed a memory leak in error paths for eckey_type2param().

	* Initial work on supporting Cryptographic Message Syntax (CMS) in
	  libcrypto (not enabled).

	* Various manual page improvements and additions.

	* Added a CMake check for an existing uninstall target, facilitating
	  embedding LibreSSL in larger CMake projects, from Matthew Albrecht.

3.0.0 - Development release

	* Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.

	* Documented undescribed options and removed descriptions of
	  non-functional options in the openssl(1) manual.

	* A plethora of small fixes due to regular oss-fuzz testing.

	* Various side channels in DSA and ECDSA were addressed.  These are some of
	  the many issues found in an extensive systematic analysis of bignum usage
	  by Samuel Weiser, David Schrammel et al.

	* Enabled openssl(1) speed subcommand on Windows platform.

	* Enabled performance optimizations when building with Visual Studio on Windows.

	* Fixed incorrect carry operation in 512-bit addition for Streebog.

	* Fixed -modulus option with openssl(1) dsa subcommand.

	* Fixed PVK format output issue with openssl(1) dsa and rsa subcommands.

2.9.2 - Bug fixes

	* Fixed portable builds with older versions of MacOS,
	  Android targets < API 21, and Solaris 10.

	* Fixed SRTP profile advertisement for DTLS servers.

2.9.1 - Stable release

	* Added support for XChaCha20 and XChaCha20-Poly1305.

	* Added support for AES key wrap constructions via the EVP interface.

	* Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.

	* Added pbkdf2 key derivation support to openssl(1).

	* Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

	* Changed the default digest type of openssl(1) enc to sha256.

	* Changed the default digest type of openssl(1) dgst to sha256.

	* Changed the default digest type of openssl(1) x509 -fingerprint to sha256.

	* Changed the default digest type of openssl(1) crl -fingerprint to sha256.

	* Improved Windows, Android, and ARM compatibility, including assembly
	  optimizations on Mingw-w64 targets.

2.9.0 - Development release

	* Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.

	* Fixed warnings about clock_gettime on Windows Visual Studio builds.

	* Fixed CMake builds on systems where getpagesize is defined as an
	  inline function.

	* CRYPTO_LOCK is now automatically initialized, with the legacy
	  callbacks stubbed for compatibility.

	* Added the SM3 hash function from the Chinese standard GB/T 32905-2016.

	* Added more OPENSSL_NO_* macros for compatibility with OpenSSL.

	* Added extensive interoperability tests between LibreSSL and OpenSSL
	  1.0 and 1.1.

	* Added additional Wycheproof tests and related bug fixes.

	* Simplified sigalgs option processing and handshake signing algorithm.

	* Added the ability to use the RSA PSS algorithm for handshake
	  signatures.

	* Added bn_rand_interval() and use it in code needing ranges of random
	  bn values.

	* Added functionality to derive early, handshake, and application
	  secrets as per RFC8446.

	* Added handshake state machine from RFC8446.

	* Removed some ASN.1 related code from libcrypto that had not been used
	  since around 2000.

	* Unexported internal symbols and internalized more record layer structs.

	* Added support for assembly optimizations on 32-bit ARM ELF targets.

	* Improved protection against timing side channels in ECDSA signature
	  generation.

	* Coordinate blinding was added to some elliptic curves. This is the
	  last bit of the work by Brumley et al. to protect against the
	  Portsmash vulnerability.

	* Ensure the handshake transcript is always freed with TLS 1.2.

2.8.2 - Stable release

	* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
	  along with test harness fixes.

	* Fixed memory leak in nc(1).

2.8.1 - Test and compatibility improvements

	* Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
	  AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
	  X25519 test vectors. Applied appropriate fixes for errors uncovered
	  by tests.

	* Simplified key exchange signature generation and verification.

	* Fixed a one-byte buffer overrun in callers of EVP_read_pw_string.

	* Converted more code paths to use CBB/CBS. All handshake messages are
	  now created by CBB.

	* Fixed various memory leaks found by Coverity.

	* Simplified session ticket parsing and handling, inspired by
	  BoringSSL.

	* Modified signature of CRYPTO_mem_leaks_* to return -1. This function
	  is a no-op in LibreSSL, so it returns an error rather than
	  indicating the (non-)existence of memory leaks.

	* SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
	  X509_OBJECT_up_ref_count now return an int for error handling,
	  matching OpenSSL.

	* Converted a number of #defines into proper functions, matching
	  OpenSSL's ABI.

	* Added X509_get0_serialNumber from OpenSSL.

	* Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
	  PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
	  OpenSSL.

	* Removed broken pkcs8 formats from openssl(1).

	* Converted more functions in public API to use const arguments.

	* Stopped handling AES-GCM in ssl_cipher_get_evp, since those ciphers
	  use the EVP_AEAD interface.

	* Stopped using composite EVP_CIPHER AEADs.

	* Added timing-safe compares for checking results of signature
	  verification. There are no known attacks, this is just inexpensive
	  prudence.

	* Correctly clear the current cipher state when changing cipher state.
	  This fixed an issue where renegotiation of cipher suites would fail
	  when switched from AEAD to non-AEAD or vice-versa.
	  Issue reported by Bernard Spil.

	* Added more cipher tests to appstest.sh, including all TLSv1.2
	  ciphers.

	* Added RSA_meth_get_finish() and RSA_meth_set1_name() from OpenSSL.

	* Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
	  retrieved and set with appropriate validation.

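The 2.8.1 item on timing-safe compares for signature verification results names a technique that is easy to show in isolation. The following is an added example written for this page, not LibreSSL's own code: a constant-time byte comparison modelled on the semantics of OpenBSD's timingsafe_bcmp(3) (0 when equal, non-zero otherwise), placed next to the early-exit comparison it replaces, plus a small wrapper that checks a computed tag against the expected one. The names ct_bcmp, leaky_bcmp and signature_matches are this example's own, and the 16-byte tags in main() are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison, the pattern being replaced: it returns at the
 * first differing byte, so the time it takes reveals how long the
 * matching prefix is. Kept here only to contrast with ct_bcmp(). */
int leaky_bcmp(const void *a, const void *b, size_t len)
{
    const unsigned char *pa = a, *pb = b;
    for (size_t i = 0; i < len; i++)
        if (pa[i] != pb[i])
            return 1;
    return 0;
}

/* Constant-time comparison modelled on the semantics of OpenBSD's
 * timingsafe_bcmp(3): every byte is visited and no branch depends on
 * the data, so the running time depends only on len. Returns 0 when
 * the buffers are equal, 1 otherwise. */
int ct_bcmp(const void *a, const void *b, size_t len)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= pa[i] ^ pb[i];
    /* Collapse acc to 0 or 1 without a data-dependent branch: if acc is
     * non-zero then either acc or -acc has its top bit set. */
    return (acc | (unsigned char)-acc) >> 7;
}

/* Check a computed signature/MAC value against the expected one. The
 * lengths are public, so branching on them leaks nothing; the contents
 * are compared in constant time. Returns 1 on match, 0 otherwise. */
int signature_matches(const unsigned char *computed, size_t computed_len,
                      const unsigned char *expected, size_t expected_len)
{
    if (computed_len != expected_len)
        return 0;
    return ct_bcmp(computed, expected, expected_len) == 0;
}

int main(void)
{
    /* Constructed sample: two 16-byte tags that differ only in the last byte. */
    unsigned char expected[16], computed[16];
    memcpy(expected, "0123456789abcdef", 16);
    memcpy(computed, expected, 16);
    printf("identical tags: match=%d\n",
           signature_matches(computed, 16, expected, 16));
    computed[15] ^= 0x01;
    printf("last byte flipped: match=%d (leaky_bcmp=%d, ct_bcmp=%d)\n",
           signature_matches(computed, 16, expected, 16),
           leaky_bcmp(computed, expected, 16),
           ct_bcmp(computed, expected, 16));
    return 0;
}
```

Both compares return the same answers; the difference is only in how long they take to reach it, which is exactly what a remote timing measurement would observe for leaky_bcmp().
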
2.8.0 - Bug fixes, security, and compatibility improvements

	* Extensive documentation updates and additional API history.

	* Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.

	* Tighten up checks for various X509_VERIFY_PARAM functions,
	  'poisoning' parameters so that an unverified certificate cannot be
	  used if it fails verification.

	* Fixed a potential memory leak on failure in ASN1_item_digest.

	* Fixed a potential memory alignment crash in asn1_item_combine_free.

	* Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
	  SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

	* Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

	* Made ENGINE_finish and ENGINE_free succeed on NULL, simplifying callers
	  and matching OpenSSL behavior; rewrote ENGINE_* documentation.

	* Added const annotations to many existing APIs from OpenSSL, making
	  interoperability easier for downstream applications.

	* Fixed small timing side-channels in ecdsa_sign_setup and
	  dsa_sign_setup.

	* Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
	  operation of BN_* functions.

	* Updated BN_clear to use explicit_bzero.

	* Added a missing bounds check in c2i_ASN1_BIT_STRING.

	* More CBS conversions, including simplifications to RSA key exchange,
	  and converted code to use dedicated buffers for secrets.

	* Removed three remaining single DES cipher suites.

	* Fixed a potential leak/incorrect return value in DSA signature
	  generation.

	* Added a blinding value when generating DSA and ECDSA signatures, in
	  order to reduce the possibility of a side-channel attack leaking the
	  private key.

	* Added ECC constant time scalar multiplication support.
	  From Billy Brumley and his team at Tampere University of Technology.

	* Revised the implementation of RSASSA-PKCS1-v1_5 to match the
	  specification in RFC 8017. Based on an OpenSSL commit by David
	  Benjamin.

	* Cleaned up BN_* implementations following changes made in OpenSSL by
	  Davide Galassi and others.

2.7.4 - Security fixes

	* Avoid a timing side-channel leak when generating DSA and ECDSA
	  signatures. This is caused by an attempt to do fast modular
	  arithmetic, which introduces branches that leak information
	  regarding secret values. Issue identified and reported by Keegan
	  Ryan of NCC Group.

	* Reject excessively large primes in DH key generation. Problem
	  reported by Guido Vranken to OpenSSL
	  (https://github.com/openssl/openssl/pull/6457) and based on his
	  diff.

2.7.3 - Bug fixes

	* Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
	  Sury.

	* Fixed an issue normalizing CPU architecture in the configure script,
	  which disabled assembly optimizations on platforms that get detected
	  as 'amd64', as opposed to 'x86_64'.

	* Limited tls_config_clear_keys() to only clear private keys.
	  This was inadvertently clearing the keypair, which includes the OCSP
	  staple and pubkey hash - if an application called tls_configure()
	  followed by tls_config_clear_keys(), this would prevent OCSP staples
	  from working.

2.7.2 - Stable release

	* Updated and added extensive new HISTORY sections to API manuals.

	* Added support for shared library builds with CMake on all supported
	  platforms. Note that some of the CMake options have changed, consult
	  the README for details.

2.7.1 - Bug fixes

	* Fixed a bug in int_x509_param_set_hosts, calling strlen() if the name
	  length provided is 0 to match the OpenSSL behaviour. Issue noticed
	  by Christian Heimes <christian@python.org>.

	* Fixed builds on macOS 10.11 and older.

2.7.0 - Bug fixes and improvements

	* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
	  observations of real-world usage in applications. These are
	  implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
	  changes have not been made to existing structs, allowing code written
	  for older OpenSSL APIs to continue working.

	* Extensive corrections, improvements, and additions to the
	  API documentation, including new public APIs from OpenSSL that had
	  no pre-existing documentation.

	* Added support for automatic library initialization in libcrypto,
	  libssl, and libtls. Support for pthread_once or a compatible
	  equivalent is now required of the target operating system. As a
	  side-effect, minimum Windows support is Vista or higher.

	* Converted more packet handling methods to CBB, which improves
	  resiliency when generating TLS messages.

	* Completed TLS extension handling rewrite, improving consistency of
	  checks for malformed and duplicate extensions.

	* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
	  This removes the last remaining use of the old M_ASN1_* macros
	  (asn1_mac.h) from API that needs to continue to exist.

	* Added support for client-side session resumption in libtls.
	  A libtls client can specify a session file descriptor (a regular
	  file with appropriate ownership and permissions) and libtls will
	  manage reading and writing of session data across TLS handshakes.

	* Improved support for strict alignment on ARMv7 architectures,
	  conditionally enabling assembly in those cases.

	* Fixed a memory leak in libtls when reusing a tls_config.

	* Merged more DTLS support into the regular TLS code path, removing
	  duplicated code.

	* Many improvements to Windows CMake-based builds and tests,
	  especially when targeting Visual Studio.

2.6.4 - Bug fixes

	* Make tls_config_parse_protocols() work correctly when passed a NULL
	  pointer for a protocol string. Issue found by semarie@, who also
	  provided the diff.

	* Correct TLS extensions handling when no extensions are present.
	  If no TLS extensions are present in a client hello or server hello,
	  omit the entire extensions block, rather than including it with a
	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
	  providing packet captures and testing the fix.

	* Fixed portable builds on older Android systems, and systems without
	  IPV6_TCLASS support.

2.6.3 - OpenBSD 6.2 Release

	* No core changes from LibreSSL 2.6.2.

	* Minor compatibility fixes in portable version.

2.6.2 - Bug fixes

	* Provide a useful error with libtls if there are no OCSP URLs in a
	  peer certificate.

	* Keep track of which keypair is in use by a TLS context, fixing a bug
	  where a TLS server with SNI would only return the OCSP staple for the
	  default keypair. Issue reported by William Graeber and confirmed by
	  Andreas Bartelt.

	* Fixed various issues in the OCSP extension parsing code.
	  The original code incorrectly passes the pointer allocated via
	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
	  free() on the now incremented pointer, most likely resulting in a
	  crash. This issue was reported by Robert Swiecki who found the issue
	  using honggfuzz.

	* If tls_config_parse_protocols() is called with a NULL pointer,
	  return the default protocols instead of crashing - this makes the
	  behaviour more useful and mirrors what we already do in
	  tls_config_set_ciphers() et al.

2.6.1 - Code removal, rewrites

	* Added a "-T tlscompat" option to nc(1), which enables the use of all
	  TLS protocols and "compat" ciphers. This allows for TLS connections
	  to TLS servers that are using less than ideal cipher suites, without
	  having to resort to "-T tlsall" which enables all known cipher
	  suites.  Diff from Kyle J. McKay.

	* Added a new TLS extension handling framework, somewhat analogous to
	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
	  extension regression tests.

	* Improved and added many new manpages. Updated *check_private_key
	  manpages with additional cautions regarding their use.

	* Cleaned up the EC key/curve configuration handling.

	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
	  of the elliptic curves that may be used during client and server
	  key exchange to be specified.

	* Converted more code paths to use CBB/CBS.

	* Removed support for DSS/DSA, since we removed the cipher suites a
	  while back.

	* Removed NPN support. NPN was never standardised and the last draft
	  expired in October 2012. ALPN was standardised in July 2014 and has
	  been supported in LibreSSL since December 2014. NPN has also been
	  removed from Chromium in May 2016.

	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
	  CryptoPro clients.

	* Removed support for the TLS padding extension, which was added as a
	  workaround for an old bug in F5's TLS termination.

	* Worked around another bug in F5's TLS termination handling of the
	  elliptic curves extension. RFC 4492 only defines elliptic_curves
	  for ClientHello. However, F5 is sending it in ServerHello.  We need
	  to skip over it since our TLS extension parsing code is now more
	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.

	* Added ability to clamp notAfter values in certificates for systems
	  with 32-bit time_t. This is necessary to conform to RFC 5280
	  4.1.2.5.

	* Implemented the SSL_CTX_set_min_proto_version(3) API.

	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.

	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.

2.6.0 - New APIs, bug fixes and improvements

	* Added support for providing CRLs to libtls. Once a CRL is provided we
	  enable CRL checking for the full certificate chain. Based on a diff
	  from Jack Burton.

	* Allow non-compliant clients using IP literal addresses with SNI
	  to connect to a server using libtls.

	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
	  Reported by Robert Swiecki, who found the issue using honggfuzz.

	* Added definitions for three OIDs used in EV certificates.
	  From Kyle J. McKay.

	* Added tls_peer_cert_chain_pem to libtls, useful in private
	  certificate validation callbacks such as those in relayd.

	* Converted explicit clear/free sequences to use freezero(3).

	* Reworked TLS certificate name verification code to more strictly
	  follow RFC 6125.

	* Cleaned up and simplified server key exchange EC point handling.

	* Added tls_keypair_clear_key for clearing key material.

	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
	  simplified BIO_get_host_ip and BIO_accept.

	* Fixed the openssl(1) ca command so that it generates certificates
	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.

	* Added ASN1_TIME_set_tm to set an ASN1_TIME from a struct tm *.

	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.

	* Added HKDF (HMAC Key Derivation Function) from BoringSSL.

	* Provided a tls_unload_file() function that frees the memory returned
	  from a tls_load_file() call, ensuring that the contents become
	  inaccessible. This is specifically needed on platforms where the
	  library allocators may be different from the application allocator.

	* Perform reference counting for tls_config. This allows
	  tls_config_free() to be called as soon as it has been passed to the
	  final tls_configure() call, simplifying lifetime tracking for the
	  application.

	* Moved internal state of SSL and other structures to be opaque.

	* Dropped cipher suites with DSS authentication.

	* nc(1) improvements, including:
	   nc -W to terminate nc after receiving a number of packets
	   nc -Z for saving the peer certificate and chain in a pem file

2.5.5 - Bug fixes

	* Distinguish between self-issued certificates and self-signed
	  certificates. The certificate verification code has special cases
	  for self-signed certificates and without this change, self-issued
	  certificates (which it seems are commonplace with
	  openvpn/easyrsa) were also being included in this category.

	* Added getpagesize fallback, needed for Android bionic libc.

2.5.4 - Security Updates

	* Revert a previous change that forced consistency between return
	  value and error code when specifying a certificate verification
	  callback, since this breaks the documented API. When a user supplied
	  callback always returns 1, and later code checks the error code to
	  potentially abort post verification, this will result in incorrect
	  successful certificate verification.

	* Switched Linux getrandom() usage to non-blocking mode, continuing to
	  use fallback mechanisms if unsuccessful. This works around a design
	  flaw in Linux getrandom(2) where early boot usage in a library makes
	  it impossible to recover if getrandom(2) is not yet initialized.

	* Fixed a bug caused by the return value being set early to signal
	  successful DTLS cookie validation. This can mask a later failure and
	  result in a positive return value being returned from
	  ssl3_get_client_hello(), when it should return a negative value to
	  propagate the error.

	* Fixed a build error on non-x86/x86_64 systems running Solaris.

2.5.3 - OpenBSD 6.1 Release

	* Documentation updates.

	* Improved ocspcheck(1) error handling.

2.5.2 - Security features and bugfixes

	* Added the recallocarray(3) memory allocation function, and converted
	  various places in the library to use it, such as CBB and BUF_MEM_grow.
	  recallocarray(3) is similar to reallocarray. Newly allocated memory
	  is cleared similar to calloc(3). Memory that becomes unallocated
	  while shrinking or moving existing allocations is explicitly
	  discarded by unmapping or clearing to 0.

	* Added new root CAs from SECOM Trust Systems / Security Communication
	  of Japan.

	* Added EVP interface for MD5+SHA1 hashes.

	* Fixed DTLS client failures when the server sends a certificate
	  request.

	* Correct handling of padding when upgrading an SSLv2 challenge into
	  an SSLv3/TLS connection.

	* Allow protocols and ciphers to be set on a TLS config object in
	  libtls.

	* Improved nc(1) TLS handshake CPU usage and server-side error
	  reporting.

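The recallocarray(3) item in the 2.5.2 notes describes three guarantees that plain realloc(3) does not give: overflow-checked sizing, zero-filled new memory, and explicit clearing of memory that is given up. The following added example, written for this page and not the OpenBSD or LibreSSL implementation, shows those guarantees as a portable function. The names scrub_recallocarray, secure_wipe, checked_mul and demo_grow_and_shrink are this example's own; secure_wipe stands in for explicit_bzero(3) where that is unavailable, and as a simplification a fresh block is always allocated rather than reusing the old one when it is large enough. The "SECRET!!" buffer is constructed sample data.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop
 * the stores as "dead" just because the buffer is freed afterwards.
 * Portable stand-in for explicit_bzero(3). */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len-- > 0)
        *p++ = 0;
}

/* nmemb * size with overflow detection, the check behind calloc(3) and
 * reallocarray(3). Returns 0 and stores the product, or -1 on overflow. */
int checked_mul(size_t nmemb, size_t size, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return -1;
    *out = nmemb * size;
    return 0;
}

/* Resize an array of oldnmemb elements of `size` bytes to newnmemb
 * elements with recallocarray(3)-style guarantees: the new region is
 * zero-filled like calloc(3), surviving data is copied, and the old block
 * (including any tail discarded by shrinking) is wiped before release.
 * On failure returns NULL, sets errno and leaves the old block untouched. */
void *scrub_recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb, size_t size)
{
    size_t oldsize, newsize;
    void *newptr;

    if (ptr == NULL)
        return calloc(newnmemb, size);
    if (checked_mul(oldnmemb, size, &oldsize) != 0) {
        errno = EINVAL;            /* caller's description of the old block is impossible */
        return NULL;
    }
    if (checked_mul(newnmemb, size, &newsize) != 0) {
        errno = ENOMEM;
        return NULL;
    }
    newptr = calloc(newnmemb, size);   /* zeroed, so a grown tail is clean */
    if (newptr == NULL)
        return NULL;                   /* errno set by calloc */
    memcpy(newptr, ptr, newsize < oldsize ? newsize : oldsize);
    secure_wipe(ptr, oldsize);         /* copied bytes and shrunk tail alike */
    free(ptr);
    return newptr;
}

/* Grow an 8-byte key buffer to 16 bytes, then shrink it to 4. Returns 1
 * when the surviving bytes are intact and the grown tail is zero. */
int demo_grow_and_shrink(void)
{
    unsigned char *key = calloc(8, 1);
    if (key == NULL)
        return 0;
    memcpy(key, "SECRET!!", 8);                    /* constructed sample */
    unsigned char *bigger = scrub_recallocarray(key, 8, 16, 1);
    if (bigger == NULL) {
        free(key);
        return 0;
    }
    int ok = memcmp(bigger, "SECRET!!", 8) == 0;
    for (int i = 8; i < 16; i++)
        ok = ok && bigger[i] == 0;
    unsigned char *smaller = scrub_recallocarray(bigger, 16, 4, 1);
    if (smaller == NULL) {
        free(bigger);
        return 0;
    }
    ok = ok && memcmp(smaller, "SECR", 4) == 0;
    secure_wipe(smaller, 4);
    free(smaller);
    return ok;
}

int main(void)
{
    unsigned char *tmp = calloc(1, 1);
    printf("grow/shrink round trip ok: %d\n", demo_grow_and_shrink());
    errno = 0;
    if (scrub_recallocarray(tmp, 1, SIZE_MAX, 2) == NULL && errno == ENOMEM)
        printf("overflowing new size rejected with ENOMEM\n");
    free(tmp);
    return 0;
}
```

The point of wiping before free() is that the old block, and with realloc(3) possibly a copy left behind by a move, would otherwise keep holding key material until some unrelated allocation overwrote it.
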
2.5.1 - Bug and security fixes, new features, documentation updates

	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
	  error. Reported by Theofilos Petsios.

	* Detect zero-length encrypted session data early, instead of when
	  malloc(0) fails or the HMAC check fails. Noted independently by
	  jsing@ and Kurt Cancemi.

	* Check for and handle failure of HMAC_{Update,Final} or
	  EVP_DecryptUpdate().

	* Massive update and normalization of manpages, conversion to
	  mandoc format. Many pages were rewritten for clarity and accuracy.
	  Portable doc links are up-to-date with a new conversion tool.

	* Curve25519 Key Exchange support.

	* Support for alternate chains for certificate verification.

	* Code cleanups, CBS conversions, further unification of DTLS/SSL
	  handshake code, further ASN1 macro expansion and removal.

	* Private symbols are now hidden in libssl and libcrypto.

	* Friendly certificate verification error messages in libtls, peer
	  verification is now always enabled.

	* Added OCSP stapling support to libtls and netcat.

	* Added ocspcheck utility to validate a certificate against its OCSP
	  responder and save the reply for stapling.

	* Enhanced regression tests and error handling for libtls.

	* Added explicit constant and non-constant time BN functions,
	  defaulting to constant time wherever possible.

	* Moved many leaked implementation details in public structs behind
	  opaque pointers.

	* Added ticket support to libtls.

	* Added support for setting the supported EC curves via
	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
	  list of curves to be X25519, P-256 and P-384. All other curves must
	  be manually enabled.

	* Added -groups option to openssl(1) s_client for specifying the curves
	  to be used in a colon-separated list.

	* Merged client/server version negotiation code paths into one,
	  reducing much duplicate code.

	* Removed error function codes from libssl and libcrypto.

	* Fixed an issue where a truncated packet could crash via an OOB read.

	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
	  client-initiated renegotiation. This is the default for libtls
	  servers.

	* Avoid a side-channel cache-timing attack that can leak the ECDSA
	  private keys when signing. This is due to BN_mod_inverse() being
	  used without the constant time flag being set. Reported by Cesar
	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
	  The fix was developed by Cesar Pereida Garcia.

	* iOS and MacOS compatibility updates from Simone Basso and Jacob
	  Berkman.

2.5.0 - New APIs, bug fixes and improvements

	* libtls now supports ALPN and SNI.

	* libtls adds a new callback interface for integrating custom IO
	  functions. Thanks to Tobias Pape.

	* libtls now handles 4 cipher suite groups:
	    "secure" (TLSv1.2+AEAD+PFS)
	    "compat" (HIGH:!aNULL)
	    "legacy" (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)

	    This allows for flexibility and finer grained control, rather than
	    having two extremes (an issue raised by Marko Kreen some time ago).

	* Tightened error handling for tls_config_set_ciphers().

	* libtls now always loads CA, key and certificate files at the time the
	  configuration function is called. This simplifies code and results in
	  a single memory based code path being used to provide data to libssl.

	* Add support for OCSP intermediate certificates.

	* Added functions used by stunnel and exim from BoringSSL - this
	  brings in X509_check_host, X509_check_email, X509_check_ip, and
	  X509_check_ip_asc.

	* Added initial support for iOS, thanks to Jacob Berkman.

	* Improved behavior of arc4random on Windows when using memory leak
	  analysis software.

	* Correctly handle an EOF that occurs prior to the TLS handshake
	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
	  Kreen.

	* Limit the support of the "backward compatible" ssl2 handshake to
	  only be used if TLS 1.0 is enabled.

	* Fix incorrect results in certain cases on 64-bit systems where
	  BN_mod_word() could return incorrect results. BN_mod_word() now can
	  return an error condition. Thanks to Brian Smith.

	* Added constant-time updates to address CVE-2016-0702.

	* Fixed undefined behavior in BN_GF2m_mod_arr().

	* Removed unused Cryptographic Message Support (CMS).

	* More conversions of long long idioms to time_t.

	* Improved compatibility by avoiding printing NULL strings with
	  printf.

	* Reverted change that cleans up the EVP cipher context in
	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
	  previous behaviour.

	* Avoid unbounded memory growth in libssl, which can be triggered by a
	  TLS client repeatedly renegotiating and sending OCSP Status Request
	  TLS extensions.

	* Avoid falling back to a weak digest for (EC)DH when using SNI with
	  libssl.

8272.4.2 - Bug fixes and improvements
828
829	* Fixed loading default certificate locations with openssl s_client.
830
831	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
832	  RFC6960. Also added fixes for OCSP to work with intermediate
833	  certificates provided in responses.
834
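Added example, not code from this ChangeLog or from LibreSSL, of why the RFC 6960 rule is worth enforcing: a strict GeneralizedTime validator and a comparison in stand-alone C. The names gentime_valid and gentime_cmp are this example's own; the accepted profile ("YYYYMMDDHHMMSSZ", UTC only, no fractional seconds, no local offset) is the one RFC 5280 requires and RFC 6960 inherits, and the library's own ASN1_GENERALIZEDTIME handling is not reproduced here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Parse two ASCII digits (the caller has already checked they are digits). */
static int two_digits(const char *s)
{
	return (s[0] - '0') * 10 + (s[1] - '0');
}

static int days_in_month(int year, int month)
{
	static const int days[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
	int leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;

	return days[month - 1] + (month == 2 && leap);
}

/*
 * Accept only the RFC 5280 profile of GeneralizedTime: exactly
 * "YYYYMMDDHHMMSSZ", i.e. 14 digits plus the UTC marker 'Z'. The fractional
 * seconds and "+hhmm" offsets that X.690 otherwise allows are rejected, as
 * is the 13-character UTCTime form with a two-digit year.
 * Returns 1 if valid, 0 otherwise.
 */
int gentime_valid(const char *s, size_t len)
{
	int year, month, day, hour, min, sec;

	if (len != 15 || s[14] != 'Z')
		return 0;
	for (size_t i = 0; i < 14; i++)
		if (!isdigit((unsigned char)s[i]))
			return 0;
	year = two_digits(s) * 100 + two_digits(s + 2);
	month = two_digits(s + 4);
	day = two_digits(s + 6);
	hour = two_digits(s + 8);
	min = two_digits(s + 10);
	sec = two_digits(s + 12);
	if (month < 1 || month > 12 || day < 1 || day > days_in_month(year, month))
		return 0;
	if (hour > 23 || min > 59 || sec > 59)
		return 0;
	return 1;
}

/*
 * Compare two values that already passed gentime_valid(). Because the profile
 * is fixed-width, zero-padded and always UTC, byte order is chronological
 * order; a UTCTime with its two-digit year gives no such guarantee, which is
 * why mixing the two encodings when comparing thisUpdate/nextUpdate is unsafe.
 * Returns <0, 0 or >0 like strcmp().
 */
int gentime_cmp(const char *a, const char *b)
{
	return memcmp(a, b, 14);
}
```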
	* Improved behavior of arc4random on Windows to not appear to leak
	  memory in debug tools, reduced privileges of allocated memory.

	* Fixed incorrect results from BN_mod_word() when the modulus is too
	  large, thanks to Brian Smith from BoringSSL.

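Added example, not the library's code, serving both BN_mod_word() entries above: a two-limb model of what went wrong. The half-word routine reduces each 64-bit limb in two 32-bit halves so that the running remainder shifted left by 32 bits stays inside a word, which only holds while the modulus itself fits in 32 bits. The names mod_word_halfword, mod_word_checked, mod_word_wide, BN_WORD_ERR and the constructed input kTwo64 (the number 2^64) are this example's own; the "all ones" error value mirrors the error condition the fixed API can now return. mod_word_wide uses unsigned __int128 as a full-width reference (GCC/Clang on 64-bit targets).

```c
#include <stddef.h>
#include <stdint.h>

typedef uint64_t bn_word;             /* one limb, 64 bits as on LP64 systems */
#define BN_WORD_ERR ((bn_word)-1)     /* error value: a remainder can never be all ones */

/* Constructed input: the two-limb number 2^64, least significant limb first. */
static const bn_word kTwo64[2] = { 0, 1 };

/*
 * Half-word reduction, modelled on the pre-fix algorithm. After every step
 * ret < w, so (ret << 32) cannot overflow as long as w <= 2^32. For a larger
 * w the shift silently discards the high bits of the remainder and the
 * result is wrong, with no error indication at all.
 */
bn_word mod_word_halfword(const bn_word *a, size_t n, bn_word w)
{
	bn_word ret = 0;

	if (w == 0)
		return BN_WORD_ERR;
	for (size_t i = n; i-- > 0;) {
		ret = ((ret << 32) | (a[i] >> 32)) % w;
		ret = ((ret << 32) | (a[i] & 0xffffffffULL)) % w;
	}
	return ret;
}

/* Fixed behaviour: refuse the inputs the half-word algorithm cannot handle
 * instead of returning a wrong value. Callers must test for BN_WORD_ERR. */
bn_word mod_word_checked(const bn_word *a, size_t n, bn_word w)
{
	if (w == 0 || w > ((bn_word)1 << 32))
		return BN_WORD_ERR;
	return mod_word_halfword(a, n, w);
}

/* Reference with a double-width intermediate: correct for every w != 0. */
bn_word mod_word_wide(const bn_word *a, size_t n, bn_word w)
{
	unsigned __int128 ret = 0;

	if (w == 0)
		return BN_WORD_ERR;
	for (size_t i = n; i-- > 0;)
		ret = ((ret << 64) | a[i]) % w;
	return (bn_word)ret;
}
```

On kTwo64 with w = 2^32 + 1 the half-word routine returns 0 while the true remainder is 1; the checked variant returns BN_WORD_ERR instead, which is the behaviour a caller can actually act on.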
	* Correctly handle an EOF prior to completing the TLS handshake in
	  libtls.

	* Improved libtls certificate loading and cipher string validation.

	* Updated libtls cipher group suites into four categories:
	    "secure"   (TLSv1.2+AEAD+PFS)
	    "compat"   (HIGH:!aNULL)
	    "legacy"   (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)
	  This allows for flexibility and finer-grained control, rather than
	  having two extremes.

	* Limited support for 'backward compatible' SSLv2 handshake packets to
	  when TLS 1.0 is enabled, providing more restricted compatibility
	  with TLS 1.0 clients.

	* openssl(1) and other documentation improvements.

	* Removed flags for disabling constant-time operations.
	  This removes support for the DSA_FLAG_NO_EXP_CONSTTIME,
	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
	  all of these operations unconditionally constant-time.

2.4.1 - Security fix

	* Correct a problem that prevents the DSA signing algorithm from
	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
	  This issue was reported by Cesar Pereida (Aalto University), Billy
	  Brumley (Tampere University of Technology), and Yuval Yarom (The
	  University of Adelaide and NICTA). The fix was developed by Cesar
	  Pereida.

2.4.0 - Build improvements, new features

	* Many improvements to the CMake build infrastructure, including
	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
	  Inoguchi for this work.

	* Added missing error handling around bn_wexpand() calls.

	* Added explicit_bzero calls for freed ASN.1 objects.

	* Fixed X509_*set_object functions to return 0 on allocation failure.

	* Implemented the IETF ChaCha20-Poly1305 cipher suites.

	* Changed the default EVP_aead_chacha20_poly1305() implementation to
	  the IETF version.

	* Fixed password prompts from openssl(1) to properly handle ^C.

	* Reworked error handling in libtls so that configuration errors are
	  visible.

	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

	* Manpage fixes and updates

2.3.5 - Reliability fix

	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

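Added example, not LibreSSL code: a bounds-checked DER tag/length header decoder in stand-alone C, the kind of check that ASN.1 length handling has to get right once elements exceed 16 KiB and the multi-byte long-form length (0x82 followed by two bytes, and longer) comes into play. der_read_header, der_content_len, struct der_hdr and the sample byte strings are this example's own constructions; the rules enforced are DER's from X.690: short form below 128, minimal long form, no indefinite length, and a declared length that must fit in the buffer.

```c
#include <stddef.h>
#include <stdint.h>

struct der_hdr {
	uint8_t tag;      /* identifier octet (single-byte tags only) */
	size_t hdr_len;   /* bytes used by tag + length */
	size_t len;       /* content length following the header */
};

/*
 * Decode one DER tag-length header from buf[0 .. buflen). Returns 1 and fills
 * *out on success; returns 0 if the encoding is not valid DER or the declared
 * content would extend past buflen. Enforced:
 *  - short form (one byte) for lengths < 128;
 *  - long form 0x80|n followed by n big-endian bytes, 1 <= n <= sizeof(size_t);
 *  - 0x80 (indefinite length) and 0xff are never valid in DER;
 *  - minimal encoding: no leading zero byte, no long form for a value < 128.
 */
int der_read_header(const uint8_t *buf, size_t buflen, struct der_hdr *out)
{
	size_t pos = 0, len;
	uint8_t tag, b;

	if (buflen < 2)
		return 0;
	tag = buf[pos++];
	if ((tag & 0x1f) == 0x1f)       /* high-tag-number form: out of scope */
		return 0;
	b = buf[pos++];
	if (b < 0x80) {
		len = b;
	} else {
		size_t n = b & 0x7f;

		if (n == 0 || n > sizeof(size_t) || n > buflen - pos)
			return 0;
		if (buf[pos] == 0)
			return 0;               /* leading zero: non-minimal */
		len = 0;
		for (size_t i = 0; i < n; i++)
			len = (len << 8) | buf[pos + i];
		pos += n;
		if (len < 0x80)
			return 0;               /* should have used the short form */
	}
	if (len > buflen - pos)
		return 0;                       /* content overruns the buffer */
	out->tag = tag;
	out->hdr_len = pos;
	out->len = len;
	return 1;
}

/* Convenience wrapper: content length on success, -1 on any error. */
long der_content_len(const uint8_t *buf, size_t buflen)
{
	struct der_hdr h;

	if (!der_read_header(buf, buflen, &h))
		return -1;
	return (long)h.len;
}

/* Constructed samples. */
static const uint8_t sample_seq[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };  /* SEQUENCE { INTEGER 5 } */
static const uint8_t sample_long[3 + 128] = { 0x04, 0x81, 0x80 };       /* OCTET STRING of 128 zero bytes */
static const uint8_t sample_claims_16k[] = { 0x04, 0x82, 0x40, 0x00 };  /* declares 16384 bytes, carries none */
static const uint8_t sample_nonminimal[] = { 0x04, 0x81, 0x05, 1, 2, 3, 4, 5 };
static const uint8_t sample_indefinite[] = { 0x30, 0x80, 0x00, 0x00 };
```

The sample_claims_16k case is the shape that matters for the entry above: a header that is well-formed on its own but promises more content than the caller holds must be refused before any content is read.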
2.3.4 - Security Update

	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
	  From OpenSSL.

	* Minor build fixes

2.3.3 - OpenBSD 5.9 release branch tagged

	* Reworked build scripts to better sync with OpenNTPD-portable

	* Fixed broken manpage links

	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias

	* Fixed HP-UX builds

	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
	  binary builds

	* cert.pem has been reorganized and synced with Mozilla's certificate store

2.3.2 - Compatibility and Reliability fixes

	* Changed format of LIBRESSL_VERSION_NUMBER to match that of
	  OPENSSL_VERSION_NUMBER, see:
	  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)

	* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
	  construction introduced in RFC 7539, which is different from that
	  already used in TLS with EVP_aead_chacha20_poly1305()

	* Avoid a potential undefined C99+ behavior due to shift overflow in
	  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>

	* More man pages converted from pod to mdoc format

	* Added COMODO RSA Certification Authority and QuoVadis
	  root certificates to cert.pem

	* Removed "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
	  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
	  certificate from cert.pem

	* Added support for building nc(1) on Solaris

	* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev

	* Improved console handling with openssl(1) on Windows

	* Ensure the network stack is enabled on Windows when running
	  tls_init()

	* Fixed incorrect TLS certificate loading by nc(1)

	* Added support for Solaris 11.3's getentropy(2) system call

	* Enabled support for using NetBSD 7.0's arc4random(3) implementation

	* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect

	* Fixes from OpenSSL 1.0.1q
	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
	                   validation.
	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL

	* The following OpenSSL CVEs did not apply to LibreSSL
	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
	                   squaring procedure.
	 - CVE-2015-3196 - Double free race condition of the identity hint
	                   data.

	 See https://marc.info/?l=openbsd-announce&m=144925068504102

2.3.1 - ASN.1 and time handling cleanups

	* ASN.1 cleanups and RFC5280 compliance fixes.

	* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
	  now checks if the host OS supports 64-bit time_t.

	* Fixed a leak in SSL_new in the error path.

	* Support always extracting the peer cipher and version with libtls.

	* Added ability to check certificate validity times with libtls,
	  tls_peer_cert_notbefore and tls_peer_cert_notafter.

	* Changed tls_connect_servername to use the first address that resolves with
	  getaddrinfo().

	* Removed broken conditional EVP_CHECK_DES_KEY code (non-functional since
	  initial commit in 2004).

	* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
	  by Qualys Security.

	* Fixed an up to 7-byte overflow in RC4 when len is not a multiple of
	  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

	* Reject too small a bits value in BN_generate_prime_ex(), so that it does
	  not risk becoming negative in probable_prime_dh_safe(), reported by
	  Franck Denis.

	* Enable nc(1) builds on more platforms.

2.3.0 - SSLv3 removed, libtls API changes, portability improvements

	* SSLv3 is now permanently removed from the tree.

	* The libtls API is changed from the 2.2.x series.

	  The read/write functions work correctly with external event
	  libraries.  See the tls_init man page for examples of using libtls
	  correctly in asynchronous mode.

	  Client-side verification is now supported, with the client supplying
	  the certificate to the server.

	  Also, when using tls_connect_fds, tls_connect_socket or
	  tls_accept_fds, libtls no longer implicitly closes the passed in
	  sockets. The caller is responsible for closing them in this case.

	* When loading a DSA key from a raw (without DH parameters) ASN.1
	  serialization, perform some consistency checks on its `p' and `q'
	  values, and return an error if the checks failed.

	  Thanks to Georgi Guninski (guninski at guninski dot com) for
	  mentioning the possibility of a weak (non prime) q value and
	  providing a test case.

	  See
	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
	  for a longer discussion.

	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
	  of the result key without error. A coding error could cause software
	  to use much shorter keys than intended.

	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
	  longer supported.

	* The engine command and parameters are removed from openssl(1).
	  Previous releases removed dynamic and builtin engine support
	  already.

	* SHA-0, which was withdrawn shortly after publication 20 years ago,
	  is removed.

	* Added Certplus CA root certificate to the default cert.pem file.

	* New interface OPENSSL_cpu_caps is provided that does not allow
	  software to inadvertently modify cpu capability flags.
	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.

	* The out_len argument of AEAD changed from ssize_t to size_t.

	* Deduplicated DTLS code, sharing bugfixes and improvements with
	  TLS.

	* Converted 'nc' to use libtls for client and server operations; it is
	  included in the libressl-portable distribution as an example of how
	  to use the library.

2.2.3 - Bug fixes, build enhancements

	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
	  include TLS extensions, resulting in such handshakes being aborted.
	  This release corrects the handling of such messages. Thanks to
	  Ligushka from github for reporting the issue.

	* Added install target for cmake builds. Thanks to TheNietsnie from
	  github.

	* Updated pkgconfig files to correctly report the release version
	  number, not the individual library ABI version numbers. Thanks to
	  Jan Engelhardt for reporting the issue.

2.2.2 - More TLS parser rework, bug fixes, expanded portable build support

	* Switched 'openssl dhparam' default from 512 to 2048 bits

	* Reworked openssl(1) option handling

	* More CRYPTO ByteString (CBS) packet parsing conversions

	* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success

	* Fixed dozens of Coverity issues including dead code, memory leaks,
	  logic errors and more.

	* Ensure that openssl(1) restores terminal echo state after reading a
	  password.

	* Incorporated fix for OpenSSL Issue #3683

	* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
	  for each portable release.

	* Removed workarounds for TLS client padding bugs.

	* No longer disable ECDHE-ECDSA on OS X

	* Removed SSLv3 support from openssl(1)

	* Removed IE 6 SSLv3 workarounds.

	* Modified tls_write in libtls to allow partial writes, clarified with
	  examples in the documentation.

	* Removed RSAX engine

	* Tested SSLv3 removal with the OpenBSD ports tree and found several
	  applications that were not ready to build without SSLv3 yet. For
	  now, building a program that intentionally uses SSLv3 will result in
	  a linker warning.

	* Added TLS_method, TLS_client_method and TLS_server_method as a
	  replacement for the SSLv23_*method calls.

	* Added initial cmake build support, including support for building with
	  Visual Studio, currently tested with Visual Studio 2013 Community
	  Edition.

	* --with-enginesdir is removed as a configuration parameter

	* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
	  installed under $sysconfdir/ssl or the directory specified by
	  --with-openssldir. Previous versions of LibreSSL left these empty.

2.2.1 - Build fixes, feature added, features removed

	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.

	* Initial support for Windows Embedded 2009, Server 2003, XP

	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API

	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL

	* Removed Dynamic Engine support

	* Removed unused and obsolete MDC-2DES cipher

	* Removed workarounds for obsolete SSL implementations

2.2.0 - Build cleanups and new OS support, Security Updates

	* AIX Support - thanks to Michael Felt

	* Cygwin Support - thanks to Corinna Vinschen

	* Refactored build macros, support packaging libtls independently.
	  There are more pieces required to support building and using OpenSSL
	  with libtls, but this is an initial start at providing an
	  independent package for people to start hacking on.

	* Removal of OPENSSL_issetugid and all library getenv calls.
	  Applications can and should no longer rely on environment variables
	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
	  supported with the openssl(1) command.

	* libtls API and documentation additions

	* Various bug fixes and simplifications to libssl and libcrypto

	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function

	* The following CVEs did not apply to LibreSSL or were fixed in
	  earlier releases:
	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
	 - CVE-2014-8176 - Invalid free in DTLS

	* Fixes for the following CVEs are still in review for LibreSSL
	 - CVE-2015-1791 - Race condition handling NewSessionTicket

2.1.6 - Security update

	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences

	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
	  is integrated for safety, but LibreSSL is not vulnerable.

	* Libtls is now built by default. The --enable-libtls
	  configuration option is no longer required.
	  The libtls API is now stable for the 2.1.x series.

2.1.5 - Bug fixes and a security update

	* Fix incorrect comparison function in openssl(1) certhash command.
	  Thanks to Christian Neukirchen / Void Linux.

	* Windows port improvements and bug fixes.
	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
	  - Correct a hang in openssl(1) reading from stdin on a connection.
	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
	    any other network-related commands to function properly.

	* Reject all server DH keys smaller than 1024 bits.

2.1.4 - Security and feature updates

	* Improvements to libtls:
	  - a new API for loading CA chains directly from memory instead of a
	    file, allowing verification with privilege separation in a chroot
	    without direct access to CA certificate files.

	  - Ciphers default to TLSv1.2 with AEAD and PFS.

	  - Improved error handling and message generation

	  - New APIs and improved documentation

	* Added X509_STORE_load_mem API for loading certificates from memory.
	  This facilitates accessing certificates from a chrooted environment.

	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
	  using 'TLSv1.2+AEAD' as the cipher selection string.

	* Dead and disabled code removal including MD5, Netscape workarounds,
	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.

	* ASN1 macro maze expanded to aid reading and searching the code.

	* NULL pointer asserts removed in favor of letting the OS/signal
	  handler catch them.

	* Refactored argument handling in openssl(1) for consistency and
	  maintainability.

	* New openssl(1) command 'certhash' replaces the c_rehash script.

	* Support for building with OPENSSL_NO_DEPRECATED

	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
	  various auditor and vulnerability scanners.

	* Dozens of issues found with the Coverity scanner fixed.

	* Security Updates:

	  - Fix a minor information leak that was introduced in t1_lib.c
	    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
	    provided to the network. In most cases this is a non-issue since
	    the memory content is already public. Issue found and reported by
	    Felix Groebert of the Google Security Team.

	  - Fixes for the following low-severity issues were integrated into
	    LibreSSL from OpenSSL 1.0.1k:

	     CVE-2015-0205 - DH client certificates accepted without
	                     verification
	     CVE-2014-3570 - Bignum squaring may produce incorrect results
	     CVE-2014-8275 - Certificate fingerprints can be modified
	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.

	    The following CVEs were fixed in earlier LibreSSL releases:
	     CVE-2015-0206 - Memory leak handling repeated DTLS records
	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

	    The following CVEs did not apply to LibreSSL:
	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

2.1.3 - Security update and OS support improvements

	* Fixed various memory leaks in DTLS, including fixes for
	  CVE-2015-0206.

	* Added Application-Layer Protocol Negotiation (ALPN) support.

	* Removed GOST R 34.10-94 signature authentication.

	* Removed nonfunctional Netscape browser-hang workaround code.

	* Simplified and refactored SSL/DTLS handshake code.

	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

	* Hide timing info about padding errors during handshakes.

	* Improved libtls support for non-blocking sockets, added randomized
	  session ID contexts. Work is ongoing with this library - feedback
	  and potential use-cases are welcome.

	* Support building Windows DLLs.
	  Thanks to Jan Engelhard.

	* Packaged config wrapper for better compatibility with OpenSSL-based
	  build systems.
	  Thanks to @technion from github

	* Ensure the stack is marked non-executable for assembly sections.
	  Thanks to Anthony G. Bastile.

	* Enable extra compiler hardening flags by default, where applicable.
	  The default set of hardening features can vary from OS to OS, so
	  feedback is welcome on this. To disable the default hardening flags,
	  specify '--disable-hardening' during configure.
	  Thanks to Jim Barlow

	* Initial HP-UX support, tested with HP-UX 11.31 ia64
	  Thanks to Kinichiro Inoguchi

	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
	  Imported from OpenNTPD, thanks to @gitisihara from github

2.1.2 - Many new features and improvements

	* Added reworked GOST cipher suite support
	   thanks to Dmitry Eremin-Solenikov

	* Enabled Camellia ciphers due to the improved patent situation

	* Use builtin arc4random implementation on OS X and FreeBSD
	   this addresses some deficiencies in the native implementations of
	   these operating systems, see commit logs for more information

	* Added initial Windows mingw-w64 support (32 and 64-bit)
	   thanks to Song Dongsheng and others for code and feedback

	* Enabled assembly optimizations on x86_64 CPUs
	   supports Linux, *BSD, Solaris and OS X operating systems
	   thanks to Wouter Clarie for the initial implementation

	* Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)

	* Improved build infrastructure, 'make distcheck' now passes
	   this simplifies and speeds up development
	   thanks to Dmitry Eremin-Solenikov and Wouter Clarie

	* Allow conditional building of the libtls library
	   expect the API and ABI of the library to change
	   feedback is welcome

	* Fixes for more memory leaks, cleanups, etc.

2.1.1 - Security update

	* Address POODLE attack by disabling SSLv3 by default

	* Fix Elliptic Curve cipher selection bug
	  (https://github.com/libressl-portable/portable/issues/35)

2.1.0 - First release from the OpenBSD 5.7 tree

	* Added support for automatic ephemeral EC keys

	* Fixes for many memory leaks and overflows in error handlers

	* The TLS padding extension (that works around bugs in F5 terminators) is
	  off by default

	* Support for getrandom(2) on Linux 3.17

	* The NO_ASM macro is no longer being set, providing the first bits toward
	  enabling other assembly offloads.

2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i

	* CVE-2014-3506
	* CVE-2014-3507
	* CVE-2014-3508 (partially vulnerable)
	* CVE-2014-3509
	* CVE-2014-3510
	* CVE-2014-3511
	* Synced LibreSSL Portable with the release version of OpenBSD 5.6

2.0.4 - Portability fixes, deleted unused SRP code

2.0.3 - Portability fixes, improvements to fork detection

2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork

2.0.1 - Portability fixes:

	* Removed -Werror and other non-portable compiler flags

	* Allow setting OPENSSLDIR and ENGINSDIR

2.0.0 - First release from the OpenBSD 5.6 tree

	* Removal of many obsolete features and coding conventions from the OpenSSL
	  1.0.1h source

1391