Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing following all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

	https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

	https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.5.2 - Stable release

	* Bug fixes
	  - Avoid single byte overread in asn1_parse2().
	  - Allow name constraints with a leading dot. From Alex Wilson.
	  - Relax a check in x509_constraints_dirname() to allow prefixes.
	    From Alex Wilson.
	  - Fix NULL dereferences in openssl(1) cms option parsing.
	  - Do not zero the computed cofactor on ec_guess_cofactor() success.
	  - Bound cofactor in EC_GROUP_set_generator() to reduce the number of
	    bogus groups that can be described with nonsensical parameters.
	  - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
	    memory conditions. Reported for HMAC by Masaru Masuda.
	  - Plug leak in ASN1_TIME_adj_internal().
	  - Avoid infinite loop for custom curves of order 1.
	    Issue reported by Hanno Boeck, comments by David Benjamin.
	  - Avoid an infinite loop on parsing DSA private keys by validating
	    that the provided parameters conform to FIPS 186-4.
	    Issue reported by Hanno Boeck, comments by David Benjamin.
	* Compatibility improvements
	  - Allow non-standard name constraints of the form @domain.com.
	* Internal improvements
	  - Limit OID text conversion to 64 bits per arc.
	  - Clean up and simplify memory BIO code.
	  - Reduce number of memmove() calls in memory BIOs.
	  - Factor out alert handling code in the legacy stack.
	  - Add sanity checks on p and q in old_dsa_priv_decode().
	  - Cache the SHA-512 hash instead of the SHA-1 for CRLs.
	  - Suppress various compiler warnings for old gcc versions.
	  - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
	  - Rework ownership handling in x509_constraints_validate().
	  - Rework ASN1_STRING_set().
	  - Remove const from tls1_transcript_hash_value().
	  - Clean up and simplify ssl3_renegotiate{,_check}().
	  - Rewrite legacy TLS and DTLS unexpected handshake message handling.
	  - Simplify SSL_do_handshake().
	  - Rewrite ASCII/text to ASN.1 object conversion.
	  - Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
	  - Split armv7 and aarch64 code into separate locations.
	  - Rewrote openssl(1) ts to use the new option handling and cleaned
	    up the C code.
	  - Provide asn1_get_primitive().
	  - Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
	  - Remove the minimum record length checks from dtls1_read_bytes().
	  - Clean up {dtls1,ssl3}_read_bytes().
	  - Be more careful with embedded and terminating NULs in the new
	    name constraints code.
	  - Check EVP_Digest* return codes in openssl(1) ts.
	  - Various minor code cleanup in openssl(1) pkcs12.
	  - Use calloc() in pkey_hmac_init().
	  - Simplify priv_key handling in d2i_ECPrivateKey().
	* Documentation improvements
	  - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
	    refactoring and bug fixes.
	  - Fixed numerous minor grammar, spelling, wording, and punctuation
	    issues.
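
Two of the 3.5.2 internal items, limiting OID text conversion to 64 bits per arc and rewriting the ASCII/text to ASN.1 object conversion, concern the same parser. The block below is an added example written for this page, not LibreSSL's OBJ_txt2obj() or t2i_ASN1_OBJECT_internal(): it converts a dotted-decimal OID to DER content octets and rejects any arc that would not fit in a uint64_t, which is the bound the release note names. The function names and the 64-byte scratch buffer in the two helpers are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not LibreSSL's OBJ_txt2obj()/t2i_ASN1_OBJECT_internal():
 * convert a dotted-decimal OID such as "1.2.840.113549" into DER content
 * octets, refusing any arc that does not fit in a uint64_t.
 */

/* Parse one decimal arc at *p and advance past it. Rejects an empty arc,
 * a leading zero on a multi-digit arc, and a value exceeding 64 bits. */
static int
parse_arc(const char **p, uint64_t *arc)
{
	const char *s = *p;
	uint64_t v = 0;
	size_t ndigits = 0;
	while (*s >= '0' && *s <= '9') {
		unsigned d = (unsigned)(*s - '0');
		if (ndigits > 0 && v == 0)
			return 0;	/* "01" is not a valid arc */
		if (v > (UINT64_MAX - d) / 10)
			return 0;	/* v * 10 + d would overflow 64 bits */
		v = v * 10 + d;
		s++;
		ndigits++;
	}
	if (ndigits == 0)
		return 0;
	*p = s;
	*arc = v;
	return 1;
}

/* Append one arc in base-128 big-endian form, high bit set on every octet
 * but the last. A 64-bit value needs at most 10 octets. */
static int
encode_arc(uint64_t v, unsigned char *out, size_t outlen, size_t *pos)
{
	unsigned char tmp[10];
	size_t n = 0;
	do {
		tmp[n++] = (unsigned char)(v & 0x7f);
		v >>= 7;
	} while (v != 0);
	if (n > outlen - *pos)
		return 0;
	while (n-- > 0)
		out[(*pos)++] = (unsigned char)(tmp[n] | (n > 0 ? 0x80 : 0));
	return 1;
}

/* Returns 1 and sets *written on success, 0 on malformed input or if out
 * is too small. The first arc must be 0, 1 or 2 and the second below 40
 * unless the first is 2; the pair is encoded as one value, 40*a1 + a2. */
int
oid_txt2der(const char *txt, unsigned char *out, size_t outlen, size_t *written)
{
	const char *p = txt;
	uint64_t a1, a2, arc;
	size_t pos = 0;
	if (!parse_arc(&p, &a1) || a1 > 2 || *p++ != '.')
		return 0;
	if (!parse_arc(&p, &a2) || (a1 < 2 && a2 >= 40))
		return 0;
	if (a2 > UINT64_MAX - 40 * a1)
		return 0;	/* 40*a1 + a2 must itself fit in 64 bits */
	if (!encode_arc(40 * a1 + a2, out, outlen, &pos))
		return 0;
	while (*p == '.') {
		p++;
		if (!parse_arc(&p, &arc) || !encode_arc(arc, out, outlen, &pos))
			return 0;
	}
	if (*p != '\0')
		return 0;	/* trailing garbage after the last arc */
	*written = pos;
	return 1;
}

/* Helpers for checking results: does txt encode to expect; is txt rejected? */
int
oid_txt2der_equals(const char *txt, const unsigned char *expect, size_t expectlen)
{
	unsigned char buf[64];
	size_t n = 0;
	if (!oid_txt2der(txt, buf, sizeof(buf), &n))
		return 0;
	return n == expectlen && memcmp(buf, expect, n) == 0;
}

int
oid_txt2der_rejects(const char *txt)
{
	unsigned char buf[64];
	size_t n = 0;
	return !oid_txt2der(txt, buf, sizeof(buf), &n);
}
```

Called as oid_txt2der("1.2.840.113549", buf, sizeof(buf), &n) this yields the six octets 2a 86 48 86 f7 0d. The text "1.2.18446744073709551616" (2^64) is rejected inside parse_arc() before the multiplication can wrap, while 2^64-1 is accepted and encodes to ten octets. The overflow check sits on the accumulation step rather than on the final value because a wrapped intermediate would otherwise silently produce a different, valid-looking OID.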

3.5.1 - Security release

	* A malicious certificate can cause an infinite loop.
	  Reported by and fix from Tavis Ormandy and David Benjamin, Google.

3.5.0 - Development release

	* New Features
	  - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
	    regression tests were added and the code was cleaned up.
	  - Certificate Transparency was ported from OpenSSL. Many internal
	    improvements were made, resulting in cleaner and safer code.
	    Regress coverage was added. libssl does not yet make use of it.
	* Portable Improvements
	  - Fixed various POSIX compliance and other portability issues
	    found by the port to the Sortix operating system.
	  - Add libmd as platform specific libraries for Solaris.
	    Issue reported by ihsan <at> opencsw org on the libressl mailing list.
	  - Set IA-64 compiler flag only if it is HP-UX with IA-64.
	    Suggested by Larkin Nickle (me <at> larbob org) on the libressl mailing list.
	  - Enabled and scheduled Coverity scan.
	    Contributed by Ilya Shipitsin (chipitsine <at> gmail com) on GitHub.
	* Compatibility Changes
	  - Most structs that were previously defined in the following headers
	    are now opaque as they are in OpenSSL 1.1:
	    bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
	    x509.h, x509v3.h, x509_vfy.h
	  - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_.
	    OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
	    of using something consistent with the previous naming. Various
	    test suites expect these names (instead of checking for the much
	    more sensible cipher numbers). The old names are still accepted
	    as aliases.
	  - Subject alternative names and name constraints are now validated
	    when they are added to certificates. Various interoperability
	    problems with stacks that validate certificates more strictly
	    than OpenSSL can be avoided this way.
	  - Attempt to opportunistically use the host name for SNI in s_client.
	* Bug fixes
	  - In some situations, the verifier would discard the error on an
	    unvalidated certificate chain. This would happen when the
	    verification callback was in use, instructing the verifier to
	    continue unconditionally. This could lead to incorrect decisions
	    being made in software.
	  - Avoid an infinite loop in SSL_shutdown().
	  - Fix another return 0 bug in SSL_shutdown().
	  - Handle zero byte reads/writes that trigger handshakes in the
	    TLSv1.3 stack.
	  - A long standing memleak in libtls CRL handling was fixed.
	* Internal Improvements
	  - Cache the SHA-512 hash instead of the SHA-1 hash and cache
	    notBefore and notAfter times when X.509 certificates are parsed.
	  - The X.509 lookup code has been simplified and cleaned up.
	  - Fixed numerous issues flagged by Coverity and the cryptofuzz
	    project.
	  - Increased the number of Miller-Rabin checks in DH and DSA
	    key/parameter generation.
	  - Started using the bytestring API in libcrypto for cleaner and
	    safer code.
	  - Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
	    ASN1
	  - Convert ASN1_OBJECT_new() to calloc()
	  - Convert ASN1_STRING_type_new() to calloc()
	  - Rewrite ASN1_STRING_cmp()
	  - Use calloc() for X509_CRL_METHOD_new() instead of malloc()
	  - Convert ASN1_PCTX_new() to calloc()
	  - Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
	    function
	  - Consolidate {d2i,i2d}_{pr,pu}.c
	  - Remove handling of a NULL BUF_MEM from asn1_collect()
	  - Pull the recursion depth check up to the top of asn1_collect()
	  - Inline collect_data() in asn1_collect()
	  - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
	  - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
	  - Consolidate ASN.1 universal tag type data
	  - Rewrite ASN.1 identifier/length parsing in CBS
	  - Make OBJ_obj2nid() work correctly with NID_undef
	  - tlsext_tick_lifetime_hint is now an uint32_t
	  - Untangle ssl3_get_message() return values
	  - Rename tls13_buffer to tls_buffer
	  - Fold DTLS_STATE_INTERNAL into DTLS1_STATE
	  - Provide a way to determine our maximum legacy version
	  - Mop up enc_read_ctx and read_hash
	  - Fold SSL_SESSION_INTERNAL into SSL_SESSION
	  - Use ssl_force_want_read in the DTLS code
	  - Add record processing limit to DTLS code
	  - Add explicit CBS_contains_zero_byte() check in CBS_strdup()
	  - Improve SNI hostname validation
	  - Ensure SSL_set_tlsext_host_name() is given a valid hostname
	  - Fix a strange check in the auto DH codepath
	  - Factor out/rewrite DHE key exchange
	  - Convert server serialisation of DHE parameters/public key to new
	    functions
	  - Check DH public key in ssl_kex_peer_public_dhe()
	  - Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
	  - Clean up and refactor server side DHE key exchange
	  - Provide CBS_get_last_u8()
	  - Provide CBS_get_u64()
	  - Provide CBS_add_u64()
	  - Provide various CBS_peek_* functions
	  - Use CBS_get_last_u8() to find the content type in TLSv1.3 records
	  - unifdef TLS13_USE_LEGACY_CLIENT_AUTH
	  - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
	  - Only allow zero length key shares when we know we're doing HRR
	  - Pull key share group/length CBB code up from
	    tls13_key_share_public()
	  - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
	    validation
	  - Return 0 on failure from send/get kex functions in the legacy
	    stack
	  - Rename tls13_key_share to tls_key_share
	  - Allocate and free the EVP_AEAD_CTX struct in
	    tls13_record_protection
	  - Convert legacy TLS client to tls_key_share
	  - Convert legacy TLS server to tls_key_share
	  - Stop attempting to duplicate the public and private key of dh_tmp
	  - Rename dh_tmp to dhe_params
	  - Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
	  - Clean up pkey handling in ssl3_get_server_key_exchange()
	  - Fix GOST skip certificate verify handling
	  - Simplify tlsext_keyshare_server_parse()
	  - Plumb decode errors through key share parsing code
	  - Simplify SSL_get_peer_certificate()
	  - Cleanup/simplify ssl_cert_type()
	  - The S3I macro was removed
	  - The openssl(1) cms and smime subcommands option handling was
	    converted and the C source was cleaned up.
	* Documentation improvements
	  - 45 new manual pages, most of which were written from scratch.
	    Documentation coverage of ASN.1 and X.509 code has been
	    significantly improved.
	* API additions and removals
	  - libssl
	    API additions
	      SSL_get0_verified_chain SSL_peek_ex SSL_read_ex SSL_write_ex
	    API stubs for compatibility
	      SSL_CTX_get_keylog_callback SSL_CTX_get_num_tickets
	      SSL_CTX_set_keylog_callback SSL_CTX_set_num_tickets
	      SSL_get_num_tickets SSL_set_num_tickets
	  - libcrypto
	    added API (some of these were previously available as macros):
	      ASIdOrRange_free ASIdOrRange_new ASIdentifierChoice_free
	      ASIdentifierChoice_new ASIdentifiers_free ASIdentifiers_new
	      ASN1_TIME_diff ASRange_free ASRange_new BIO_get_callback_ex
	      BIO_get_init BIO_set_callback_ex BIO_set_next
	      BIO_set_retry_reason BN_GENCB_set BN_GENCB_set_old
	      BN_abs_is_word BN_get_flags BN_is_negative
	      BN_is_odd BN_is_one BN_is_word BN_is_zero BN_set_flags
	      BN_to_montgomery BN_with_flags BN_zero_ex CTLOG_STORE_free
	      CTLOG_STORE_get0_log_by_id CTLOG_STORE_load_default_file
	      CTLOG_STORE_load_file CTLOG_STORE_new CTLOG_free
	      CTLOG_get0_log_id CTLOG_get0_name CTLOG_get0_public_key
	      CTLOG_new CTLOG_new_from_base64 CT_POLICY_EVAL_CTX_free
	      CT_POLICY_EVAL_CTX_get0_cert CT_POLICY_EVAL_CTX_get0_issuer
	      CT_POLICY_EVAL_CTX_get0_log_store CT_POLICY_EVAL_CTX_get_time
	      CT_POLICY_EVAL_CTX_new CT_POLICY_EVAL_CTX_set1_cert
	      CT_POLICY_EVAL_CTX_set1_issuer
	      CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE
	      CT_POLICY_EVAL_CTX_set_time DH_get0_g DH_get0_p DH_get0_priv_key
	      DH_get0_pub_key DH_get0_q DH_get_length DSA_bits DSA_get0_g
	      DSA_get0_p DSA_get0_priv_key DSA_get0_pub_key DSA_get0_q
	      ECDSA_SIG_get0_r ECDSA_SIG_get0_s EVP_AEAD_CTX_free
	      EVP_AEAD_CTX_new EVP_CIPHER_CTX_buf_noconst
	      EVP_CIPHER_CTX_get_cipher_data EVP_CIPHER_CTX_set_cipher_data
	      EVP_MD_CTX_md_data EVP_MD_CTX_pkey_ctx EVP_MD_CTX_set_pkey_ctx
	      EVP_MD_meth_dup EVP_MD_meth_free EVP_MD_meth_new
	      EVP_MD_meth_set_app_datasize EVP_MD_meth_set_cleanup
	      EVP_MD_meth_set_copy EVP_MD_meth_set_ctrl EVP_MD_meth_set_final
	      EVP_MD_meth_set_flags EVP_MD_meth_set_init
	      EVP_MD_meth_set_input_blocksize EVP_MD_meth_set_result_size
	      EVP_MD_meth_set_update EVP_PKEY_asn1_set_check
	      EVP_PKEY_asn1_set_param_check EVP_PKEY_asn1_set_public_check
	      EVP_PKEY_check EVP_PKEY_meth_set_check
	      EVP_PKEY_meth_set_param_check EVP_PKEY_meth_set_public_check
	      EVP_PKEY_param_check EVP_PKEY_public_check FIPS_mode
	      FIPS_mode_set IPAddressChoice_free IPAddressChoice_new
	      IPAddressFamily_free IPAddressFamily_new IPAddressOrRange_free
	      IPAddressOrRange_new IPAddressRange_free IPAddressRange_new
	      OBJ_get0_data OBJ_length OCSP_resp_get0_certs OCSP_resp_get0_id
	      OCSP_resp_get0_produced_at OCSP_resp_get0_respdata
	      OCSP_resp_get0_signature OCSP_resp_get0_signer
	      OCSP_resp_get0_tbs_sigalg PEM_write_bio_PrivateKey_traditional
	      RSA_get0_d RSA_get0_dmp1 RSA_get0_dmq1 RSA_get0_e RSA_get0_iqmp
	      RSA_get0_n RSA_get0_p RSA_get0_pss_params RSA_get0_q
	      SCT_LIST_free SCT_LIST_print SCT_LIST_validate SCT_free
	      SCT_get0_extensions SCT_get0_log_id SCT_get0_signature
	      SCT_get_log_entry_type SCT_get_signature_nid SCT_get_source
	      SCT_get_timestamp SCT_get_validation_status SCT_get_version
	      SCT_new SCT_new_from_base64 SCT_print SCT_set0_extensions
	      SCT_set0_log_id SCT_set0_signature SCT_set1_extensions
	      SCT_set1_log_id SCT_set1_signature SCT_set_log_entry_type
	      SCT_set_signature_nid SCT_set_source SCT_set_timestamp
	      SCT_set_version SCT_validate SCT_validation_status_string
	      X509_OBJECT_free X509_OBJECT_new X509_REQ_get0_pubkey
	      X509_SIG_get0 X509_SIG_getm X509_STORE_CTX_get_by_subject
	      X509_STORE_CTX_get_num_untrusted
	      X509_STORE_CTX_get_obj_by_subject X509_STORE_CTX_get_verify
	      X509_STORE_CTX_get_verify_cb X509_STORE_CTX_set0_verified_chain
	      X509_STORE_CTX_set_current_cert X509_STORE_CTX_set_error_depth
	      X509_STORE_CTX_set_verify X509_STORE_get_verify
	      X509_STORE_get_verify_cb X509_STORE_set_verify
	      X509_get_X509_PUBKEY X509_get_extended_key_usage
	      X509_get_extension_flags X509_get_key_usage
	      X509v3_addr_add_inherit X509v3_addr_add_prefix
	      X509v3_addr_add_range X509v3_addr_canonize X509v3_addr_get_afi
	      X509v3_addr_get_range X509v3_addr_inherits
	      X509v3_addr_is_canonical X509v3_addr_subset
	      X509v3_addr_validate_path X509v3_addr_validate_resource_set
	      X509v3_asid_add_id_or_range X509v3_asid_add_inherit
	      X509v3_asid_canonize X509v3_asid_inherits
	      X509v3_asid_is_canonical X509v3_asid_subset
	      X509v3_asid_validate_path X509v3_asid_validate_resource_set
	      d2i_ASIdOrRange d2i_ASIdentifierChoice d2i_ASIdentifiers
	      d2i_ASRange d2i_IPAddressChoice d2i_IPAddressFamily
	      d2i_IPAddressOrRange d2i_IPAddressRange d2i_SCT_LIST
	      i2d_ASIdOrRange i2d_ASIdentifierChoice i2d_ASIdentifiers
	      i2d_ASRange i2d_IPAddressChoice i2d_IPAddressFamily
	      i2d_IPAddressOrRange i2d_IPAddressRange i2d_SCT_LIST
	      i2d_re_X509_CRL_tbs i2d_re_X509_REQ_tbs i2d_re_X509_tbs i2o_SCT
	      i2o_SCT_LIST o2i_SCT o2i_SCT_LIST
	  removed API:
	      ASN1_check_infinite_end ASN1_const_check_infinite_end EVP_dss
	      EVP_dss1 EVP_ecdsa HMAC_CTX_cleanup HMAC_CTX_init
	      NETSCAPE_ENCRYPTED_PKEY_free NETSCAPE_ENCRYPTED_PKEY_new
	      NETSCAPE_PKEY_free NETSCAPE_PKEY_new NETSCAPE_X509_free
	      NETSCAPE_X509_new OBJ_bsearch_ex_ PEM_SealFinal PEM_SealInit
	      PEM_SealUpdate PEM_read_X509_CERT_PAIR
	      PEM_read_bio_X509_CERT_PAIR PEM_write_X509_CERT_PAIR
	      PEM_write_bio_X509_CERT_PAIR X509_CERT_PAIR_free
	      X509_CERT_PAIR_new X509_OBJECT_free_contents asn1_do_adb
	      asn1_do_lock asn1_enc_free asn1_enc_init asn1_enc_restore
	      asn1_enc_save asn1_ex_c2i asn1_get_choice_selector
	      asn1_get_field_ptr asn1_set_choice_selector check_defer
	      d2i_ASN1_BOOLEAN d2i_NETSCAPE_ENCRYPTED_PKEY d2i_NETSCAPE_PKEY
	      d2i_NETSCAPE_X509 d2i_Netscape_RSA d2i_RSA_NET
	      d2i_X509_CERT_PAIR i2d_ASN1_BOOLEAN i2d_NETSCAPE_ENCRYPTED_PKEY
	      i2d_NETSCAPE_PKEY i2d_NETSCAPE_X509 i2d_Netscape_RSA i2d_RSA_NET
	      i2d_X509_CERT_PAIR name_cmp obj_cleanup_defer
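
The 3.5.0 internal item on increasing the number of Miller-Rabin checks in DH and DSA key/parameter generation rests on the fact that every extra round lowers the chance that a composite slips through. The block below is an added example, not LibreSSL's BN_is_prime_ex() or any of its bignum code: it runs Miller-Rabin on 64-bit integers with a fixed list of small prime bases instead of random bases, so the effect of the round count is reproducible. 2047 = 23 * 89 survives the base-2 round, 1373653 = 829 * 1657 survives bases 2 and 3, and 3215031751 = 151 * 751 * 28351 survives bases 2, 3, 5 and 7; one further round catches each of them. The function names, the 2^63 input bound and the base list are this example's own.

```c
#include <stdint.h>

/*
 * Added example, not LibreSSL's BN_is_prime_ex(): Miller-Rabin on 64-bit
 * integers with a fixed list of witness bases, so that the number of rounds
 * is the only variable. Inputs must be below 2^63 (see mulmod).
 */

/* (a * b) mod m by double-and-add; m < 2^63 keeps every sum in range. */
static uint64_t
mulmod(uint64_t a, uint64_t b, uint64_t m)
{
	uint64_t r = 0;
	a %= m;
	b %= m;
	while (b > 0) {
		if (b & 1) {
			r += a;
			if (r >= m)
				r -= m;
		}
		a += a;
		if (a >= m)
			a -= m;
		b >>= 1;
	}
	return r;
}

static uint64_t
powmod(uint64_t b, uint64_t e, uint64_t m)
{
	uint64_t r = 1 % m;
	b %= m;
	while (e > 0) {
		if (e & 1)
			r = mulmod(r, b, m);
		b = mulmod(b, b, m);
		e >>= 1;
	}
	return r;
}

/* One round for odd n = 2^s * d + 1 with witness a: 1 if n survives, 0 if
 * a proves n composite. */
static int
mr_round(uint64_t n, uint64_t a, uint64_t d, unsigned s)
{
	uint64_t x = powmod(a, d, n);
	unsigned i;
	if (x == 1 || x == n - 1)
		return 1;
	for (i = 1; i < s; i++) {
		x = mulmod(x, x, n);
		if (x == n - 1)
			return 1;
	}
	return 0;
}

/* Returns 1 if n survives `rounds` rounds (probable prime), 0 if some
 * witness proves it composite, -1 if n is out of range for mulmod(). */
int
mr_probable_prime(uint64_t n, unsigned rounds)
{
	static const uint64_t bases[] =
	    { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37 };
	const unsigned nbases = sizeof(bases) / sizeof(bases[0]);
	uint64_t d;
	unsigned s = 0, i;

	if (n >= (UINT64_C(1) << 63))
		return -1;
	if (n < 2 || (n > 2 && (n & 1) == 0))
		return 0;
	if (n < 4)
		return 1;
	for (d = n - 1; (d & 1) == 0; d >>= 1)
		s++;
	if (rounds > nbases)
		rounds = nbases;
	for (i = 0; i < rounds; i++) {
		uint64_t a = bases[i] % n;
		if (a == 0)
			continue;	/* n is this base itself */
		if (!mr_round(n, a, d, s))
			return 0;
	}
	return 1;
}
```

mr_probable_prime(2047, 1) returns 1 and mr_probable_prime(2047, 2) returns 0. With random bases, as a bignum library uses, no particular composite survives deterministically, but the bound on the error probability still shrinks with every round, which is why a generator whose DH or DSA parameters stay in service for years should not be stingy with them.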
 | 
					
						
							|  |  |  | 3.4.1 - Stable release | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* New Features | 
					
						
							|  |  |  | 	  - Added support for OpenSSL 1.1.1 TLSv1.3 APIs. | 
					
						
							|  |  |  | 	  - Enabled the new X.509 validator to allow verification of | 
					
						
							|  |  |  | 	    modern certificate chains. | 
					
						
							|  |  |  | 	* Portable Improvements | 
					
						
							|  |  |  | 	  - Ported continuous integration and test infrastructure to Github | 
					
						
							|  |  |  | 	    actions. | 
					
						
							|  |  |  | 	  - Added Universal Windows Platform (UWP) build support. | 
					
						
							|  |  |  | 	  - Fixed mingw-w64 builds on newer versions with missing SSP support. | 
					
						
							|  |  |  | 	  - Added non-executable stack annotations for CMake builds. | 
					
						
							|  |  |  | 	* API and Documentation Enhancements | 
					
						
							|  |  |  | 	  - Added the following APIs from OpenSSL | 
					
						
							|  |  |  | 	    BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve | 
					
						
							|  |  |  | 	    EC_GROUP_order_bits EC_GROUP_set_curve | 
					
						
							|  |  |  | 	    EC_POINT_get_affine_coordinates | 
					
						
							|  |  |  | 	    EC_POINT_set_affine_coordinates | 
					
						
							|  |  |  | 	    EC_POINT_set_compressed_coordinates EVP_DigestSign | 
					
						
							|  |  |  | 	    EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey | 
					
						
							|  |  |  | 	    SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method | 
					
						
							|  |  |  | 	    SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data | 
					
						
							|  |  |  | 	    SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher | 
					
						
							|  |  |  | 	    SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable | 
					
						
							|  |  |  | 	    SSL_SESSION_set_max_early_data SSL_get_early_data_status | 
					
						
							|  |  |  | 	    SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio | 
					
						
							|  |  |  | 	    SSL_set_ciphersuites SSL_set_max_early_data | 
					
						
							|  |  |  | 	    SSL_set_post_handshake_auth | 
					
						
							|  |  |  | 	    SSL_set_psk_use_session_callback | 
					
						
							|  |  |  | 	    SSL_verify_client_post_handshake SSL_write_early_data | 
					
						
							|  |  |  | 	  - Added AES-GCM constants from RFC 7714 for SRTP. | 
					
						
							|  |  |  | 	* Compatibility Changes | 
					
						
							|  |  |  | 	  - Implement flushing for TLSv1.3 handshakes behavior, needed for Apache. | 
					
						
							|  |  |  | 	  - Call the info callback on connect/accept exit in TLSv1.3, | 
					
						
							|  |  |  | 	    needed for p5-Net-SSLeay. | 
					
						
							|  |  |  | 	  - Default to using named curve parameter encoding from | 
					
						
							|  |  |  | 	    pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE. | 
					
						
							|  |  |  | 	  - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback. | 
					
						
							|  |  |  | 	* Testing and Proactive Security | 
					
						
							|  |  |  | 	  - Added additional state machine test coverage. | 
					
						
							|  |  |  | 	  - Improved integration test support with ruby/openssl tests. | 
					
						
							|  |  |  | 	  - Error codes and callback support in new X.509 validator made | 
					
						
							|  |  |  | 	    compatible with p5-Net_SSLeay tests. | 
					
						
							|  |  |  | 	* Internal Improvements | 
					
						
							|  |  |  | 	  - Numerous fixes and improvements to the new X.509 validator to | 
					
						
							|  |  |  | 	    ensure compatible error codes and callback support compatible | 
					
						
							|  |  |  | 	    with the legacy OpenSSL validator. | 
					
						

3.4.0 - Development release

	* Add support for OpenSSL 1.1.1 TLSv1.3 APIs.

	* Enable new x509 validator.

	* More details to come, testing is appreciated.

3.3.5 - Security fix

	* A stack overread could occur when checking X.509 name constraints.
	  From GoldBinocle on GitHub.

	* Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
	  This compensates for the expiry of the DST Root X3 certificate.

3.3.4 - Security fix

	* In LibreSSL, printing a certificate can result in a crash in
	  X509_CERT_AUX_print().
	  From Ingo Schwarze

	* Ensure GNU-stack is set on ELF platforms when building with CMake to
	  enable non-executable stack annotations for the GNU toolchain.
	  From Tobias Heider

3.3.3 - Stable release

	* This is the first stable release from the 3.3.x series.
	  There are no changes from 3.3.2.

3.3.2 - Development release

	* This release adds support for DTLSv1.2 and continues the rewrite
	  of the record layer for the legacy stack. Numerous bugs and
	  interoperability issues were fixed in the new verifier. A few bugs
	  and incompatibilities remain, so this release uses the old verifier
	  by default. The OpenSSL 1.1 TLSv1.3 API is not yet available.

	* Switch finish{,_peer}_md_len from an int to a size_t.

	* Make SSL_get{,_peer}_finished() work when used with TLSv1.3.

	* Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
	  for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
	  was a historical artefact.

	* Correct the return value type from ERR_peek_error() to a long.

	* Avoid use of an uninitialized value in ASN1_time_parse(), which could
	  happen on parsing UTCTime if the caller did not initialise the passed
	  struct tm.

	* Destroy the mutex in a tls_config object on tls_config_free().

	* Free alert_data and phh_data in tls13_record_layer_free();
	  these could leak if SSL_shutdown() or tls_close() were called
	  after closing the underlying socket().

	* Free struct members in tls13_record_layer_free() in their natural
	  order for reviewability.

	* Gracefully handle root certificates being both trusted and
	  untrusted.

	* Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
	  verifier.

	* Use the legacy verifier when building auto chains for TLS.

	* Use consistent names in tls13_{client,server}_finished_{recv,send}().

	* Add tls13_secret_{init,cleanup}() and use them throughout the
	  TLSv1.3 code base.

	* Move the read MAC key into the TLSv1.2 record layer.

	* Make tls12_record_layer_free() NULL safe.

	* Search the intermediates only after searching the root certs in the
	  new verifier to avoid problems with the legacy callback.

	* Bail out early after finding a single chain in the new verifier, if
	  we have been called via the legacy verifier API.

	* Set (invalid and likely incomplete) chain on the xsc on chain build
	  failure prior to calling the callback. This is required by various
	  callers, including auto chain.

	* Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
	  that it never returned server ciphers, so now it will fail when
	  called from the client side.

	* Add support for SSL_get_shared_ciphers() with TLSv1.3.

	* Split the record protection from the TLSv1.2 record layer.

	* Clean up sequence number handling in the new TLSv1.2 record layer.

	* Clean up sequence number handling in DTLS.

	* Clean up dtls1_reset_seq_numbers().

	* Factor out code for explicit IV length, block size and MAC length
	  from tls12_record_layer_open_record_protected_cipher().

	* Provide record layer overhead for DTLS.

	* Provide functions to determine if TLSv1.2 record protection is
	  engaged.

	* Add code to handle change of cipher state in the new TLSv1.2 record
	  layer.

	* Mop up now unused dtls1_build_sequence_numbers() function.

	* Allow setting a keypair on a tls context without specifying the
	  private key, and fake it internally in libtls. This removes the
	  need for privsep engines like relayd to use bogus keys.

	* Skip the private key check for fake private keys.

	* Move the private key setup from tls_configure_ssl_keypair() to a
	  helper function with proper error checking.

	* Change the internal tls_configure_ssl_keypair() function to
	  return -1 instead of 1 on failure.

	* Move sequence numbers into the new TLSv1.2 record layer.

	* Move AEAD handling into the new TLSv1.2 record layer.

	* Remove direct assignment of aead_ctx to avoid a leak.

	* Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
	  draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.

	* Fail early in legacy exporter if the master secret is not available
	  to avoid a segfault if it is called when the handshake is not
	  completed.

	* Factor out legacy stack version checks.

	* Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
	  were originally added with the default handshake MAC and PRF rather
	  than the SHA256 handshake MAC and PRF.

	* Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().

	* Use dtls1_record_retrieve_buffered_record() to load buffered
	  application data.

	* Enforce read ahead with DTLS.

	* Remove bogus DTLS checks that disabled ECC and OCSP.

	* Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".

	* Only print the certificate file once on verification failure.

	* Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.

	* Clean up and simplify dtls1_get_cipher().

	* Group HelloVerifyRequest decoding and add missing check for trailing
	  data.

	* Revise HelloVerifyRequest handling for DTLSv1.2.

	* Handle DTLS1_2_VERSION in various places.

	* Add DTLSv1.2 methods.

	* Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
	  zero if the minimum or maximum has been set to zero to match
	  OpenSSL's behavior.

	* Rename the "truncated" label into "decode_err" and the "f_err"
	  label into "fatal_err".

	* Factor out and change some of the legacy client version code.

	* Simplify version checks in the TLSv1.3 client. Ensure that the
	  server announced TLSv1.3 and nothing higher and check that the
	  legacy_version is set to TLSv1.2 as required by RFC 8446.

	* Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
	  the new validator checks for EXFLAG_CRITICAL in
	  x509_vfy_check_chain_extension() for all untrusted certs in the
	  chain. Take into account that the root is not necessarily trusted.

	* Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.

	* Rename depth to num_untrusted.

	* Only use TLS versions internally rather than both TLS and DTLS
	  versions since the latter are the one's complement of the human
	  readable version numbers, which means that newer versions decrease
	  in value.
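The ordering problem behind this entry, as an added example that is not LibreSSL's code: the wire values for TLS1_1_VERSION, TLS1_2_VERSION, TLS1_3_VERSION, DTLS1_VERSION and DTLS1_2_VERSION are the standard encodings from the RFCs, while the helper names (dtls_wire_version, wire_version_to_tls, version_in_range and its naive twin) are assumptions made for this illustration. It shows why a numeric min/max range check that works for TLS silently rejects DTLSv1.2 unless DTLS versions are first mapped onto the TLS versions they correspond to, which is what the entry above (and "Identify DTLS based on the version major value" further down) describe.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not LibreSSL code.
 *
 * Standard wire encodings: TLS 1.x is {3, x+1}; DTLS encodes the one's
 * complement of the human readable version, so DTLS 1.0 is {254, 255}
 * and DTLS 1.2 is {254, 253}.  Newer DTLS versions therefore have
 * *smaller* numeric values, the opposite of TLS.
 */
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define TLS1_3_VERSION   0x0304
#define DTLS1_VERSION    0xfeff
#define DTLS1_2_VERSION  0xfefd

/* The RFC rule: DTLS wire version = one's complement of {major, minor}. */
static uint16_t
dtls_wire_version(uint8_t major, uint8_t minor)
{
	return (uint16_t)~(((uint16_t)major << 8) | minor);
}

/* DTLS is recognised by the major byte alone (0xfe), not by ordering. */
static bool
wire_version_is_dtls(uint16_t v)
{
	return (v >> 8) == 0xfe;
}

/*
 * Map a wire version to the TLS version it is based on: DTLS 1.0 uses the
 * TLS 1.1 record layer, DTLS 1.2 the TLS 1.2 one.  Returns 0 if unknown.
 */
static uint16_t
wire_version_to_tls(uint16_t v)
{
	switch (v) {
	case TLS1_1_VERSION:
	case TLS1_2_VERSION:
	case TLS1_3_VERSION:
		return v;
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Naive check: compares the raw wire value against TLS bounds. */
static bool
version_in_range_naive(uint16_t v, uint16_t min_tls, uint16_t max_tls)
{
	return v >= min_tls && v <= max_tls;
}

/* Correct check: normalise to the TLS ordering before comparing. */
static bool
version_in_range(uint16_t v, uint16_t min_tls, uint16_t max_tls)
{
	uint16_t tls = wire_version_to_tls(v);

	if (tls == 0)
		return false;
	return tls >= min_tls && tls <= max_tls;
}

int
main(void)
{
	/* Policy "TLS 1.2 only" should also admit DTLS 1.2 and reject DTLS 1.0. */
	uint16_t lo = TLS1_2_VERSION, hi = TLS1_2_VERSION;

	printf("DTLS1.2 naive check:   %d\n", version_in_range_naive(DTLS1_2_VERSION, lo, hi));
	printf("DTLS1.2 correct check: %d\n", version_in_range(DTLS1_2_VERSION, lo, hi));
	printf("DTLS1.0 correct check: %d\n", version_in_range(DTLS1_VERSION, lo, hi));
	return 0;
}
```

With a policy of exactly TLSv1.2, the naive comparison returns 0 for DTLSv1.2 (0xfefd is far above 0x0303) while the normalised check returns 1, and DTLSv1.0 is correctly rejected by both.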
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Fix two bugs in the legacy verifier that resulted from refactoring | 
					
						
							|  |  |  | 	  of X509_verify_cert() for the new verifier: a return value was | 
					
						
							|  |  |  | 	  incorrectly treated as boolean, making it insufficient to decide | 
					
						
							|  |  |  | 	  whether validation should carry on or not. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Identify DTLS based on the version major value. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Move handling of cipher/hash based cipher suites into the new record | 
					
						
							|  |  |  | 	  layer. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Add tls12_record_protection_unused() and call it from CCS functions. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Move key/IV length checks closer to usage sites. Also add explicit | 
					
						
							|  |  |  | 	  checks against EVP_CIPHER_{iv,key}_length(). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Replace two handrolled tls12_record_protection_engaged(). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Improve internal version handling: add handshake fields for our | 
					
						
							|  |  |  | 	  minimum version, our maximum version and the TLS version negotiated | 
					
						
							|  |  |  | 	  during the handshake. Convert most of the internal code to use these | 
					
						
							|  |  |  | 	  version fields. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Guard against future internal use of TLS1_get_{client,}_version() | 
					
						
							|  |  |  | 	  macros. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Remove the internal ssl_downgrade_max_version() function which is no | 
					
						
							|  |  |  | 	  longer needed. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Fix checks for memory caps of constraints names. There are internal | 
					
						
							|  |  |  | 	  caps on the number of name constraints and other names, that the new | 
					
						
							|  |  |  | 	  name constraints code allocates per cert chain. These limits were | 
					
						
							|  |  |  | 	  checked too late, making them only partially effective. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Use EXFLAG_INVALID to handle out of memory and parse errors in | 
					
						
							|  |  |  | 	  x509v3_cache_extensions(). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Add support for DTLSv1.2 version handling. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Enable DTLSv1.2 support. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Add DTLSv1.2 support to openssl s_client/s_server. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Remove no longer needed read ahead workarounds in the s_client and | 
					
						
							|  |  |  | 	  s_server. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Fix a copy-paste error - skid was confused with an akid when | 
					
						
							|  |  |  | 	  checking for EXFLAG_INVALID. This broke OCSP validation with | 
					
						
							|  |  |  | 	  certain mirrors. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Make supported protocols and options for DHE params more prominent | 
					
						
							|  |  |  | 	  in tls_config_set_protocols.3. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Avoid a use-after-scope in tls13_cert_add(). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Split TLSv1.3 record protection from record layer. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Move the TLSv1.3 handshake struct inside the shared handshake | 
					
						
							|  |  |  | 	  struct. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Fully initialize rrec in tls12_record_layer_open_record_protected() | 
					
						
							|  |  |  | 	  to avoid confusing some static analyzers. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Use tls_set_errorx() on OCSP_basic_verify() failure since the latter | 
					
						
							|  |  |  | 	  does not set errno. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Convert openssl(1) x509 to new option handling and do the usual | 
					
						
							|  |  |  | 	  clean up that goes along with it. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Rename new_cipher to cipher to align naming with keyblock or other | 
					
						
							|  |  |  | 	  parts of the handshake data. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Avoid mangled output in BIO_debug_callback(). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Fix client initiated renegotiation by replacing use of s->internal-type | 
					
						
							|  |  |  | 	  with s->server. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Move the TLSv1.2 record number increment into the new record layer. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Move finished and peer finished into the handshake struct. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Avoid transcript initialization when sending a TLS HelloRequest, | 
					
						
							|  |  |  | 	  fixing server initiated renegotiation. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Remove pointless assignment in SSL_get0_alpn_selected(). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Provide EVP_PKEY_new_CMAC_KEY(3). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Add DTLSv1.2 to openssl(1) s_server and s_client protocol message | 
					
						
							|  |  |  | 	  logging. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Avoid leaking param->name in x509_verify_param_zero(). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Avoid a leak in an error path in openssl(1) x509. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Add some error checking to openssl(1) x509. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* When sending an alert in TLSv1.3, only set its error code when no | 
					
						
							|  |  |  | 	  other error was set previously. Certain clients rely on specific | 
					
						
							|  |  |  | 	  SSL_R_ error codes to identify that they are dealing with a self | 
					
						
							|  |  |  | 	  signed cert. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Switch to the legacy verifier for the stable release. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Provide SSL_use_certificate_chain_file(3). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Provide SSL_set_hostflags(3) and SSL_get0_peername(3). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Provide various DTLSv1.2 specific functions and defines. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Document meaning of '*' in the genrsa output. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Updated documentation for SSL_get_shared_ciphers(3). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Add documentation for SSL_get_finished(3). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Document EVP_PKEY_new_CMAC_key(3) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Document SSL_use_certificate_chain_file(3). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Document SSL_set_hostflags(3) and SSL_get0_peername(3). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Update SSL_get_version.3 manual for DTLSv.1.2 support. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Added '--enable-libtls-only' build option, which builds and installs a | 
					
						
							|  |  |  | 	  statically-linked libtls, skipping libcrypto and libssl. This is useful | 
					
						
							|  |  |  | 	  for systems that ship with OpenSSL but wish to also package libtls. | 
					
						
							|  |  |  | 
 | 
					
						
3.3.1 - Security fix

	* Malformed ASN.1 in a certificate revocation list or a timestamp
	  response token can lead to a NULL pointer dereference.

	Bug fixes

	* Move point-on-curve check to set_affine_coordinates to avoid
	  verifying ECDSA signatures with unchecked public keys.
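The defensive pattern this entry describes, as an added example that is not LibreSSL's code: the point's coordinates are validated against the curve equation at the moment they are set, so no later code path (such as signature verification) can operate on a point that was never checked. To run stand-alone it uses a constructed toy curve y^2 = x^3 + 2x + 3 over GF(97) and small integers instead of bignums; the type and function names (toy_curve, toy_point, point_is_on_curve, point_set_affine_coordinates, accept_point) are assumptions for this illustration, and the 1/0 return convention mirrors the OpenSSL-style API the entry refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not LibreSSL code.  Constructed toy curve over a small
 * prime field; a real implementation performs the same check with
 * bignum arithmetic on the negotiated curve.
 */
struct toy_curve {
	uint64_t p, a, b;	/* y^2 = x^3 + a*x + b  (mod p) */
};

struct toy_point {
	uint64_t x, y;
	bool set;		/* false until coordinates were accepted */
};

/* Constructed parameters: y^2 = x^3 + 2x + 3 over GF(97). */
static const struct toy_curve curve = { 97, 2, 3 };

static uint64_t
mulmod(uint64_t a, uint64_t b, uint64_t p)
{
	return (a % p) * (b % p) % p;
}

/* Does (x, y) satisfy the curve equation, with both coordinates in the field? */
static bool
point_is_on_curve(const struct toy_curve *c, uint64_t x, uint64_t y)
{
	uint64_t lhs, rhs;

	if (x >= c->p || y >= c->p)
		return false;
	lhs = mulmod(y, y, c->p);
	rhs = (mulmod(mulmod(x, x, c->p), x, c->p) + mulmod(c->a, x, c->p) + c->b) % c->p;
	return lhs == rhs;
}

/*
 * Set affine coordinates, refusing anything not on the curve.  Returns 1 on
 * success and 0 on failure; on failure the point is left unset, so a caller
 * that ignores the return value still cannot use it.
 */
static int
point_set_affine_coordinates(const struct toy_curve *c, struct toy_point *pt,
    uint64_t x, uint64_t y)
{
	pt->set = false;
	if (!point_is_on_curve(c, x, y))
		return 0;
	pt->x = x;
	pt->y = y;
	pt->set = true;
	return 1;
}

/* Convenience wrapper: would a public key with these coordinates be accepted? */
static int
accept_point(uint64_t x, uint64_t y)
{
	struct toy_point pt;

	return point_set_affine_coordinates(&curve, &pt, x, y) && pt.set;
}

int
main(void)
{
	/* (3, 6): 36 == 27 + 6 + 3.  (3, 7): 49 != 36.  (0, 10): 100 mod 97 == 3. */
	printf("(3, 6)  accepted: %d\n", accept_point(3, 6));
	printf("(3, 7)  accepted: %d\n", accept_point(3, 7));
	printf("(0, 10) accepted: %d\n", accept_point(0, 10));
	printf("(97, 6) accepted: %d\n", accept_point(97, 6));
	return 0;
}
```

Rejecting the point in the setter rather than in the verifier is the important design choice: every consumer of the point (signature verification included) then inherits the check, and an attacker-supplied off-curve coordinate pair never reaches the scalar multiplication.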

	* Fix SSL_is_server() to behave as documented by re-introducing the
	  client-specific methods.

	* Avoid undefined behavior due to memcpy(NULL, NULL, 0).

	* Mark a few more internal static tables const.

3.3.0 - Development release

	* Make openssl(1) s_server ignore -4 and -6 for compatibility with
	  OpenSSL.

	* Further cleanup of the DTLS record handling.

	* Continue the replacement of the TLSv1.2 record layer by
	  reimplementing the read side of the TLSv1.2 record handling.

	* Replace DTLSv1_enc_data() with TLSv1_1_enc_data().

	* Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.

	* When switching from the TLSv1.3 stack to the legacy stack include
	  a TLS record header. This is necessary if there is more than one
	  handshake message in the TLS plaintext record.

	* Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
	  command.

	* Fix resource handling on error in OCSP_request_add0_id().

	* Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
	  .data.rel.ro and .rodata, respectively.

	* Add a const qualifier to srtp_known_profiles.

	* Simplify TLS method by removing the client and server specific
	  methods internally.

	* Avoid casting away const in ssl_ctx_make_profiles().

	* Make sure there is enough room for stashing the handshake message
	  when switching to the legacy TLS stack.

	* Avoid explicitly conditioning an assert on DTLS1_VERSION to make
	  the assert work for newer DTLS versions.

	* Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.

	* Send a host header with OCSP queries to make openssl(1) ocsp
	  work with some widely used OCSP responders.

	* Fix a memory leak in the openssl(1) s_client.

	* Add a flag to mark DTLS methods as DTLS to have an easy way to
	  recognize DTLS methods that avoids inspecting the version number.

	* Implement SSL_is_dtls() and use it internally in place of the
	  SSL_IS_DTLS macro.

	* Unbreak DTLS retransmissions for flights that include a CCS.

	* Add ability to ocspcheck(8) to parse a port in the specified
	  OCSP URL.

	* Refactor and clean up ocspcheck(8) and add regression tests.

	* If x509_verify() fails, ensure that the error is set on both
	  the x509_verify_ctx() and its store context to make some failures
	  visible from SSL_get_verify_result().

	* Use the X509_STORE_CTX get_issuer() callback from the new X.509
	  verifier to fix hashed certificate directories.

	* Only check BIO_should_read() on read and BIO_should_write() on
	  write. Previously, BIO_should_write() was also checked after read
	  and BIO_should_read() after write which could cause stalls in
	  software that uses the same BIO for read and write.

	* In openssl(1) verify, also check for error on the store context
	  since the return value of X509_verify_cert() is unreliable in
	  presence of a callback that returns 1 too often.

	* Update getentropy on Windows to use Cryptography Next Generation
	  (CNG). wincrypt is deprecated and no longer works with newer Windows
	  environments, such as in Windows Store apps.

	* Implement auto chain for the TLSv1.3 server since some software
	  relies on this.

	* Handle additional certificate error cases in the new X.509 verifier.
	  Keep track of the errors encountered if a verify callback tells the
	  verifier to continue and report them back via the error on the store
	  context. This mimics the behavior of the old verifier that would
	  persist the first error encountered while building the chain.

	* Report specific failures for "self signed certificates" in a way
	  compatible with the old verifier since software relies on the
	  error code.

	* Implement key exporter for TLSv1.3.

	* Plug a large memory leak in the new verifier caused by calling
	  X509_policy_check() repeatedly.

	* Avoid leaking memory in x509_verify_chain_dup().

	* Various documentation improvements, particularly around TLS methods.

3.2.3 - Security fix

	* Malformed ASN.1 in a certificate revocation list or a timestamp
	  response token can lead to a NULL pointer dereference.


3.2.2 - Stable release

	* This is the first stable release with the new TLSv1.3
	  implementation enabled by default for both client and server. The
	  OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
	  in an upcoming release.

	* New X509 certificate chain validator that correctly handles
	  multiple paths through intermediate certificates. Loosely based on
	  Go's X509 validator.

	* New name constraints verification implementation which passes the
	  bettertls.com certificate validation check suite.

	* Improve the handling of BIO_read()/BIO_write() failures in the
	  TLSv1.3 stack.

	* Start replacing the existing TLSv1.2 record layer.

	* Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

	* Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

	* Send alert on ssl_get_prev_session() failure.

	* Zero out variable on the stack to avoid leaving garbage in the tail
	  of short session IDs.

	* Move state initialization from SSL_clear() to ssl3_clear() to ensure
	  that it gets correctly reinitialized across an SSL_set_ssl_method()
	  call.

	* Avoid an out-of-bounds write in BN_rand().

	* Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
	  the code in ui_lib.c.

	* Correctly track selected ALPN length to avoid a potential segmentation
	  fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

	* Include machine/endian.h in gost2814789.c in order to pick up the
	  __STRICT_ALIGNMENT define.

	* Simplify SSL method lookups.

	* Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
	  SSL_set_ssl_method() and several internal functions.

	* Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

	* Refactor dtls1_new(), dtls1_hm_fragment_new(),
	  dtls1_drain_fragments(), dtls1_clear_queues().

	* Copy the session ID directly in ssl_get_prev_session() instead of
	  handing it through several functions for copying.

	* Clean up and refactor ssl_get_prev_session(); simplify
	  tls_decrypt_ticket() and tls1_process_ticket() exit paths.

	* Avoid memset() before memcpy() in CBS_add_bytes().

	* Rewrite X509_INFO_{new,free}() more idiomatically.

	* Remove unnecessary zeroing after recallocarray() in
	  ASN1_BIT_STRING_set_bit().

	* Convert openssl(1) ocsp new option handling.

	* Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

	* Document return value from EC_KEY_get0_public_key(3).

	* Greatly expanded test coverage via the tlsfuzzer test scripts.

	* Expanded test coverage via the bettertls certificate test suite.

	* Test interoperability with the Botan TLS client.

	* Make pthread_mutex static initialisation work on Windows.

	* Get __STRICT_ALIGNMENT from machine/endian.h with portable build.

3.2.1 - Development release

	* Propagate alerts from the read half of the TLSv1.3 record layer to I/O
	  functions.

	* Send a record overflow alert for TLSv1.3 messages having overlong
	  plaintext or inner plaintext.

	* Send an illegal parameter alert if a client sends an invalid DH key
	  share.

	* Document PKCS7_final(3), PKCS7_add_attribute(3).

	* Collapse x509v3 directory into x509.

	* Improve TLSv1.3 client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
	  of constructing broken objects that may cause NULL pointer accesses.

	* Add support for additional GOST curves from RFC 7836 and
	  draft-deremin-rfc4491-bis.

	* Add OIDs for HMAC using the Streebog hash function.

	* Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

	* Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

	* Handle GOST in ssl_cert_dup().

	* Stop sending GOST R 34.10-94 as a CertificateType.

	* Use IANA allocated GOST ClientCertificateTypes.

	* Add a custom copy handler for AES keywrap to fix a use-after-free.

	* Enforce in the TLSv1.3 server that ClientHello messages after
	  a HelloRetryRequest match the original ClientHello as per RFC 8446
	  section 4.1.2.

	* Document more PKCS7 attribute functions.

	* Document PKCS7_get_signer_info(3).

	* Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

	* Document PEM_def_callback(3).

	* Document EVP_read_pw_string_min(3).

	* Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

	* Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3).

	* Document X509_get0_pubkey_bitstr(3).

	* Fix an off-by-one in the CBC padding removal. From BoringSSL.

	* Enforce restrictions on extensions present in the ClientHello as per
	  RFC 8446, section 9.2.

	* Add new CMAC_Init(3) and ChaCha(3) manual pages.

	* Fix SSL_shutdown behavior to match the legacy stack. The previous
	  behavior could cause a hang.

	* Add initial support for openbsd/powerpc64.

	* Make the message type available in the internal TLS extensions API
	  functions.

	* Enable TLSv1.3 for the generic TLS_method().

	* Convert openssl(1) s_client option handling.

	* Document openssl(1) certhash.

	* Convert openssl(1) verify option handling.

	* Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
	  use-after-free and double-free issues in calling programs.

	* Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).

	* Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

	* Convert openssl(1) s_server option handling.

	* Add minimal info callback support for TLSv1.3.

	* Refactor, clean up and simplify some SSL3/DTLS1 record writing code.

	* Correctly handle server requests for an OCSP response.

	* Add the P-521 curve to the list of curves supported by default
	  in the client.

	* Convert openssl(1) req option handling.

	* Avoid calling freezero with a negative size if a server sends a
	  malformed plaintext of all zeroes.

	* Send an unexpected message alert if no valid content type is found
	  in a TLSv1.3 record.
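
The three TLSv1.3 record-layer entries above (record overflow for overlong plaintext or inner plaintext, unexpected message when no valid content type is present, and the all-zero plaintext that produced a negative size) share one piece of logic: bounding a decrypted record and stripping its padding. The following is an added example in plain C, not LibreSSL's record layer; the limits and alert numbers are taken from RFC 8446, while the function names, the `inner_plaintext` struct and the sample records are this example's own constructions.

```c
/* Added example, not LibreSSL's record layer: the checks a TLSv1.3 receiver
 * applies to a record before and after decryption, returning the alert the
 * peer should get. Limits and alert codes from RFC 8446 sections 5.2, 5.4
 * and 6.2; names and sample records are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS13_MAX_PLAINTEXT        16384u           /* 2^14 */
#define TLS13_MAX_INNER_PLAINTEXT  (16384u + 1)     /* content plus one type octet */
#define TLS13_MAX_CIPHERTEXT       (16384u + 256)   /* encrypted record body */

#define TLS_ALERT_UNEXPECTED_MESSAGE 10
#define TLS_ALERT_RECORD_OVERFLOW    22

/* Types allowed inside a protected record. change_cipher_spec (20) is only
 * ever sent unprotected in TLSv1.3, so it is not accepted here. */
static int tls13_inner_type_is_valid(uint8_t type)
{
    return type == 21 || type == 22 || type == 23; /* alert, handshake, app data */
}

/* Before decryption: an overlong TLSCiphertext gets record_overflow instead
 * of being handed to the AEAD. Returns 0 or the alert description. */
int tls13_check_record_length(size_t ciphertext_len)
{
    return ciphertext_len > TLS13_MAX_CIPHERTEXT ? TLS_ALERT_RECORD_OVERFLOW : 0;
}

struct inner_plaintext {
    const uint8_t *content;
    size_t content_len;
    uint8_t type;
};

/* After decryption: TLSInnerPlaintext = content || type || zeros. Strip the
 * zero padding, take the last nonzero octet as the type, bound the rest.
 * Returns 0 and fills *out (when non-NULL), or the alert description. */
int tls13_parse_inner_plaintext(const uint8_t *pt, size_t pt_len,
    struct inner_plaintext *out)
{
    size_t end = pt_len;

    if (pt_len > TLS13_MAX_INNER_PLAINTEXT)
        return TLS_ALERT_RECORD_OVERFLOW;

    while (end > 0 && pt[end - 1] == 0)
        end--;

    /* All zeros (or empty): there is no type octet. Without this check the
     * content length below would come out as end - 1 = -1 in signed
     * arithmetic; compare the "freezero with a negative size" entry above.
     * RFC 8446 section 5.4 requires unexpected_message here. */
    if (end == 0 || !tls13_inner_type_is_valid(pt[end - 1]))
        return TLS_ALERT_UNEXPECTED_MESSAGE;

    /* end >= 1 here, so end - 1 cannot underflow. The inner bound above
     * already implies this limit, but the two are kept independent. */
    if (end - 1 > TLS13_MAX_PLAINTEXT)
        return TLS_ALERT_RECORD_OVERFLOW;

    if (out != NULL) {
        out->type = pt[end - 1];
        out->content = pt;
        out->content_len = end - 1;
    }
    return 0;
}

/* Single-value accessors: the type or content length, or the negated alert. */
int tls13_inner_content_type(const uint8_t *pt, size_t pt_len)
{
    struct inner_plaintext ip;
    int alert = tls13_parse_inner_plaintext(pt, pt_len, &ip);
    return alert ? -alert : ip.type;
}

long tls13_inner_content_len(const uint8_t *pt, size_t pt_len)
{
    struct inner_plaintext ip;
    int alert = tls13_parse_inner_plaintext(pt, pt_len, &ip);
    return alert ? -alert : (long)ip.content_len;
}

/* Constructed sample records in decrypted form, not captured traffic. */
static const uint8_t REC_APPDATA[] = { 'h', 'i', 23, 0, 0, 0 }; /* "hi" + padding */
static const uint8_t REC_ZEROS[]   = { 0, 0, 0, 0 };            /* no type octet */
static const uint8_t REC_CCS[]     = { 1, 20 };                 /* CCS in a protected record */
static uint8_t REC_TOO_LONG[TLS13_MAX_INNER_PLAINTEXT + 1];     /* 2^14 + 2 zero bytes */

int main(void)
{
    printf("appdata: type %d, len %ld\n",
        tls13_inner_content_type(REC_APPDATA, sizeof REC_APPDATA),
        tls13_inner_content_len(REC_APPDATA, sizeof REC_APPDATA));
    printf("all zeros: %d, ccs: %d, too long: %d\n",
        tls13_inner_content_type(REC_ZEROS, sizeof REC_ZEROS),
        tls13_inner_content_type(REC_CCS, sizeof REC_CCS),
        tls13_parse_inner_plaintext(REC_TOO_LONG, sizeof REC_TOO_LONG, NULL));
    return 0;
}
```

The length check on the ciphertext runs before decryption and the inner check after it, which is why both limits exist separately: an attacker controls the ciphertext length directly, but the inner length only becomes known once the AEAD has succeeded.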

3.2.0 - Development release

	* Enable TLS 1.3 server side in addition to client by default.
	  With this change TLS 1.3 is handled entirely on the new stack
	  and state machine, with fallback to the legacy stack and
	  state machine for older versions. Note that the OpenSSL TLS 1.3
	  API is not yet visible/available.

	* Improve length checks in the TLS 1.3 record layer and provide
	  appropriate alerts for violations of record layer limits.

	* Enforce that SNI hostnames received by the TLS server are correctly
	  formed as per RFC 5890 and RFC 6066, responding with illegal parameter
	  for a nonconformant host name.

	* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
	  retry of handshake messages.

	* Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default,
	  similar to newer OpenSSL releases.

	* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
	  various commands.

	* Add tlsfuzzer based regression tests.

	* Support sending certificate status requests from the TLS 1.3
	  client to request OCSP staples for leaf certificates.

	* Support sending certificate status replies from the TLS 1.3 server
	  in order to send OCSP staples for leaf certificates.

	* Send correct alerts when handling failed key share extensions
	  on the TLS 1.3 server.

	* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
	  switching from the new to legacy stacks.

	* Support TLS 1.3 options in the openssl(1) command.

	* Many alert cleanups in TLS 1.3 to provide expected alerts in failure
	  conditions.

	* Modify "openssl x509" to display invalid certificate times as
	  invalid, and correctly deal with the failing return case from
	  X509_cmp_time so that a certificate with an invalid NotAfter does
	  not appear valid.

	* Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
	  compatibility.

	* Ensure only PSS signatures are used with RSA in TLS 1.3.

	* Ensure that TLS 1.3 clients advertise exactly the "null" compression
	  method in their legacy_compression_methods.

	* Correct use of sockaddr_storage instead of sockaddr in openssl(1)
	  s_client, which could lead to using 14 bytes of stack garbage instead
	  of an IPv6 address in DTLS mode.

	* Use non-expired certificates first when building a certificate chain.
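
The X509_cmp_time entry above is about a tri-state return value: 1 when the certificate time is later than the reference time, -1 when earlier, and 0 on error. A check written as `< 0` reads the error as "not expired". The following added example in plain C, not LibreSSL code, reproduces that contract with its own `cmp_time()` over ASN.1 time strings so that it runs without libcrypto; the normalisation to GeneralizedTime form, the `naive_is_expired()` and `cert_time_status()` names and the sample times are this example's constructions, and equal times are reported as "not later" by this example's choice.

```c
/* Added example, not LibreSSL code: why a tri-state X509_cmp_time()-style
 * result must not be tested with "< 0" alone. cmp_time() mirrors the
 * documented contract of X509_cmp_time(): 1 if the certificate time is
 * later than "now", -1 if it is earlier, 0 if the time is malformed.
 * Times are compared as normalised GeneralizedTime strings. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Normalise UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)
 * into the 14 digits "YYYYMMDDHHMMSS". Returns 1 on success, 0 on any
 * syntax or range error. Fractional seconds and explicit offsets are
 * rejected, as RFC 5280 section 4.1.2.5 requires for certificates; the
 * day is not checked against the month (a simplification). */
static int normalize_time(const char *s, char out[15])
{
    size_t len = strlen(s), i;
    int mon, day, hour, min, sec;

    if (len == 13) {                    /* UTCTime: two-digit year */
        if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]))
            return 0;
        /* RFC 5280: YY >= 50 is 19YY, otherwise 20YY */
        memcpy(out, ((s[0] - '0') * 10 + (s[1] - '0')) >= 50 ? "19" : "20", 2);
        memcpy(out + 2, s, 12);
    } else if (len == 15) {             /* GeneralizedTime: four-digit year */
        memcpy(out, s, 14);
    } else {
        return 0;
    }
    if (s[len - 1] != 'Z')
        return 0;
    out[14] = '\0';
    for (i = 0; i < 14; i++)
        if (!isdigit((unsigned char)out[i]))
            return 0;
    mon  = (out[4] - '0') * 10 + (out[5] - '0');
    day  = (out[6] - '0') * 10 + (out[7] - '0');
    hour = (out[8] - '0') * 10 + (out[9] - '0');
    min  = (out[10] - '0') * 10 + (out[11] - '0');
    sec  = (out[12] - '0') * 10 + (out[13] - '0');
    return mon >= 1 && mon <= 12 && day >= 1 && day <= 31 &&
        hour <= 23 && min <= 59 && sec <= 59;
}

/* Tri-state comparison with X509_cmp_time() semantics. Equal times are
 * reported as "not later" (-1) here; that choice is this example's. */
int cmp_time(const char *cert_time, const char *now)
{
    char a[15], b[15];

    if (!normalize_time(cert_time, a) || !normalize_time(now, b))
        return 0;
    return strcmp(a, b) > 0 ? 1 : -1;
}

/* The pattern the "openssl x509" entry fixes: testing "< 0" only reads the
 * 0 (error) result as "not expired", so a malformed notAfter looks valid. */
int naive_is_expired(const char *not_after, const char *now)
{
    return cmp_time(not_after, now) < 0;
}

enum cert_time_status { TIME_INVALID, TIME_NOT_YET_VALID, TIME_EXPIRED, TIME_OK };

/* Corrected handling: the error result is a distinct outcome, never "valid". */
enum cert_time_status cert_time_status(const char *not_before,
    const char *not_after, const char *now)
{
    int before = cmp_time(not_before, now);
    int after = cmp_time(not_after, now);

    if (before == 0 || after == 0)
        return TIME_INVALID;
    if (before > 0)
        return TIME_NOT_YET_VALID;
    if (after < 0)
        return TIME_EXPIRED;
    return TIME_OK;
}

int main(void)
{
    /* Constructed inputs: "now" is 2020-12-28 15:15:37 UTC; the notAfter
     * has month 13 and is therefore malformed. */
    const char *now = "20201228151537Z", *bad_not_after = "20201399000000Z";

    printf("naive_is_expired: %d (0 = looks unexpired)\n",
        naive_is_expired(bad_not_after, now));
    printf("cert_time_status: %d (0 = TIME_INVALID)\n",
        cert_time_status("200101000000Z", bad_not_after, now));
    return 0;
}
```

The same pattern applies to any caller of X509_cmp_time() or X509_cmp_current_time(): test for 0 first and treat it as a verification failure, then branch on the sign.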
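
The SNI entry above requires a well-formed host name and an illegal_parameter alert otherwise. The following is an added example in plain C of that check, not LibreSSL's implementation: the LDH label rules come from RFC 5890 section 2.3.1 and the HostName definition (no literal IP addresses) from RFC 6066 section 3; the alert numbers are from RFC 8446. The extension parser only handles the single host_name entry a client sends, the mapping of an unknown NameType to decode_error is this example's choice, and the sample extension bodies are constructed, not captured.

```c
/* Added example, not LibreSSL's implementation: validation of the
 * server_name extension (RFC 6066 section 3) using the LDH label rules of
 * RFC 5890 section 2.3.1. A well-framed but nonconformant name maps to
 * illegal_parameter (47); bad framing maps to decode_error (50). */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SNI_MAX_HOSTNAME 253   /* longest presentation-form DNS name */
#define SNI_MAX_LABEL     63

#define TLS_ALERT_ILLEGAL_PARAMETER 47
#define TLS_ALERT_DECODE_ERROR      50

/* A dotted-quad IPv4 literal is not a HostName (RFC 6066 forbids literal
 * addresses); an IPv6 literal contains ':' and already fails the LDH test. */
static int looks_like_ipv4(const uint8_t *name, size_t len)
{
    size_t i, dots = 0;

    for (i = 0; i < len; i++) {
        if (name[i] == '.')
            dots++;
        else if (name[i] < '0' || name[i] > '9')
            return 0;
    }
    return dots == 3;
}

int sni_hostname_is_valid(const uint8_t *name, size_t len)
{
    size_t i, label_len = 0;

    if (len == 0 || len > SNI_MAX_HOSTNAME || looks_like_ipv4(name, len))
        return 0;
    for (i = 0; i < len; i++) {
        uint8_t c = name[i];

        if (c == '.') {
            if (label_len == 0)           /* leading dot or empty label ".." */
                return 0;
            if (name[i - 1] == '-')       /* label must not end with a hyphen */
                return 0;
            label_len = 0;
            continue;
        }
        if (c >= 0x80 || !(isalnum(c) || c == '-'))  /* ASCII LDH only */
            return 0;
        if (label_len == 0 && c == '-')   /* label must not start with a hyphen */
            return 0;
        if (++label_len > SNI_MAX_LABEL)
            return 0;
    }
    /* No trailing dot (SNI carries the name without the root label) and
     * no trailing hyphen in the last label. */
    return label_len > 0 && name[len - 1] != '-';
}

/* Parse a server_name extension body. Returns 0 and sets *host/*host_len
 * on success, otherwise the alert description to send. */
int parse_server_name_ext(const uint8_t *ext, size_t ext_len,
    const uint8_t **host, size_t *host_len)
{
    size_t list_len, name_len;

    if (ext_len < 5)
        return TLS_ALERT_DECODE_ERROR;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != ext_len - 2)          /* truncated or trailing bytes */
        return TLS_ALERT_DECODE_ERROR;
    if (ext[2] != 0)                      /* NameType host_name(0) only */
        return TLS_ALERT_DECODE_ERROR;
    name_len = ((size_t)ext[3] << 8) | ext[4];
    if (name_len != list_len - 3)
        return TLS_ALERT_DECODE_ERROR;
    if (!sni_hostname_is_valid(ext + 5, name_len))
        return TLS_ALERT_ILLEGAL_PARAMETER;
    *host = ext + 5;
    *host_len = name_len;
    return 0;
}

/* Constructed sample extension bodies (not captured traffic). */
static const uint8_t SNI_OK[] = { 0x00, 0x0e, 0x00, 0x00, 0x0b,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm' };
static const uint8_t SNI_IPV4[] = { 0x00, 0x0c, 0x00, 0x00, 0x09,
    '1', '9', '2', '.', '0', '.', '2', '.', '1' };
static const uint8_t SNI_TRUNC[] = { 0x00, 0x0e, 0x00, 0x00, 0x0b, 'e', 'x', 'a' };

/* Returns 0 if the body is accepted, otherwise the alert description. */
int sni_alert_for(const uint8_t *ext, size_t ext_len)
{
    const uint8_t *host = NULL;
    size_t host_len = 0;
    int alert = parse_server_name_ext(ext, ext_len, &host, &host_len);

    if (alert == 0)
        printf("host_name: %.*s\n", (int)host_len, host);
    return alert;
}

int main(void)
{
    printf("ok=%d ipv4=%d trunc=%d\n", sni_alert_for(SNI_OK, sizeof SNI_OK),
        sni_alert_for(SNI_IPV4, sizeof SNI_IPV4),
        sni_alert_for(SNI_TRUNC, sizeof SNI_TRUNC));
    return 0;
}
```

Keeping the framing check (decode_error) separate from the semantic check (illegal_parameter) matters for interoperability testing: a fuzzer such as tlsfuzzer expects the specific alert for each failure class, and the wrong one is a finding in its own right.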

3.1.5 - Security fix

	* Malformed ASN.1 in a certificate revocation list or a timestamp
	  response token can lead to a NULL pointer dereference.

3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

	* Improve client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Do not error out if a TLSv1.3 server requests an OCSP response as
	  part of a certificate request.

	* Fix SSL_shutdown behavior to match the legacy stack. The previous
	  behaviour could cause a hang.

	* Fix a memory leak and add a missing error check in the handling of
	  the key update message.

	* Fix a memory leak in tls13_record_layer_set_traffic_key.

	* Avoid calling freezero with a negative size if a server sends a
	  malformed plaintext of all zeroes.

	* Ensure that only PSS may be used with RSA in TLSv1.3 in order
	  to avoid using PKCS1-based signatures.

	* Add the P-521 curve to the list of curves supported by default
	  in the client.

3.1.3 - Bug fix

	* libcrypto may fail to build a valid certificate chain due to
	  expired untrusted issuer certificates.

3.1.2 - Bug fix

	* A TLS client with peer verification disabled may crash when
	  contacting a server that sends an empty certificate list.

3.1.1 - Stable release

	* Improved cipher suite handling to automatically include TLSv1.3
	  cipher suites when they are not explicitly referred to in the
	  cipher string.

	* Improved handling of TLSv1.3 HelloRetryRequests, simplifying
	  state transitions and ensuring that the legacy session identifier
	  retains the same value across the handshake.

	* Provided TLSv1.3 cipher suite aliases to match the names used
	  in RFC 8446.

	* Improved TLSv1.3 client key share handling to allow the use of
	  any groups in our configured NID list.

	* Fixed printing the serialNumber with X509_print_ex(): fall back to
	  the colon-separated hex bytes when the value does not fit in an int.

	* Fix to disallow setting the AES-GCM IV length to zero.

	* Added -groups option to openssl(1) s_server subcommand.

	* Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.

	* Improved portable builds to support the use of static MSVC runtimes.

	* Fixed portable builds to avoid exporting a sleep() symbol.

3.1.0 - Development release

	* Completed initial TLS 1.3 implementation with a completely new state
	  machine and record layer. TLS 1.3 is now enabled by default for the
	  client side, with the server side to be enabled in a future release.
	  Note that the OpenSSL TLS 1.3 API is not yet visible/available.

	* Many more code cleanups, fixes, and improvements to memory handling
	  and protocol parsing.

	* Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.

	* Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
	  1.1.1 and enabled by default.

	* Improved compatibility by backporting functionality and documentation
	  from OpenSSL 1.1.1.

	* Added many new additional crypto test vectors.

	* Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

	* Default CA bundle location is now configurable in portable builds.

	* Added cms subcommand to openssl(1).

	* Added -addext option to openssl(1) req subcommand.

3.0.2 - Stable release

	* Use a valid curve when constructing an EC_KEY that looks like X25519.
	  The recent EC group cofactor change results in stricter validation,
	  which causes the EC_GROUP_set_generator() call to fail.
	  Issue reported and fix tested by rsadowski@

	* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
	  (Note that the CMS code is currently disabled)
	  Port of Edlinger's fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)

	* Avoid a path traversal bug in s_server on Windows when run with the -WWW
	  or -HTTP options, due to incomplete path check logic.
	  Issue reported and fix tested by Jobert Abma
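
The s_server entry above says only that the path check was incomplete on Windows; it does not say which case was missed. The following added example in plain C is therefore the general rule for a file-serving handler rather than a description of that bug, and it is not the openssl(1) s_server code: it treats both '/' and '\\' as separators (Windows accepts either), rejects absolute and drive-letter paths, and refuses any "." or ".." component. The function names and the sample request paths are this example's own.

```c
/* Added example, not the openssl(1) s_server code: a conservative check on
 * a request path before it is joined to the directory being served. Both
 * '/' and '\\' count as separators so the rule holds on Windows, which
 * accepts either; drive-letter and absolute paths are rejected outright. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Returns 1 when path is a relative, canonical path with no "." or ".."
 * components, 0 otherwise. Call it after percent-decoding the request
 * target: checking the encoded form lets "%2e%2e" through. Symlinks inside
 * the served directory are outside what this check can see. */
int www_path_is_safe(const char *path)
{
    const char *p = path;

    if (*p == '\0' || is_sep(*p))                      /* empty or absolute */
        return 0;
    if (isalpha((unsigned char)p[0]) && p[1] == ':')   /* "C:..." */
        return 0;
    while (*p != '\0') {
        const char *start = p;
        size_t n;

        while (*p != '\0' && !is_sep(*p))
            p++;
        n = (size_t)(p - start);
        if (n == 0)                                    /* "//" or trailing separator */
            return 0;
        if (n == 1 && start[0] == '.')
            return 0;
        if (n == 2 && start[0] == '.' && start[1] == '.')
            return 0;
        if (*p != '\0')
            p++;
    }
    return 1;
}

/* Join root and a checked path, refusing to hand back a truncated result. */
int www_build_path(const char *root, const char *path, char *out, size_t out_len)
{
    int n;

    if (!www_path_is_safe(path))
        return 0;
    n = snprintf(out, out_len, "%s/%s", root, path);
    return n > 0 && (size_t)n < out_len;
}

int main(void)
{
    /* Constructed request targets, already percent-decoded. */
    const char *requests[] = { "index.html", "css/site.css", "../etc/passwd",
        "..\\..\\Windows\\win.ini", "sub/../index.html", "/etc/passwd",
        "C:\\boot.ini" };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-26s %s\n", requests[i],
            www_build_path("/srv/www", requests[i], buf, sizeof buf) ? buf : "REJECTED");
    return 0;
}
```

Rejecting rather than normalising is deliberate: a handler that collapses "a/../b" to "b" has to get every separator and encoding variant right, whereas a whitelist of plain components has nothing to get wrong.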

3.0.1 - Development release

	* Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
	  or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
	  it using Hasse's bound. This works as long as the cofactor is small
	  enough.

	* Fixed a memory leak in error paths for eckey_type2param().

	* Initial work on supporting Cryptographic Message Syntax (CMS) in
	  libcrypto (not enabled).

	* Various manual page improvements and additions.

	* Added a CMake check for an existing uninstall target, facilitating
	  embedding LibreSSL in larger CMake projects, from Matthew Albrecht.
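
Why the cofactor can be recovered from Hasse's bound, and what "small enough" means, worked through here as an added note that is not part of the changelog. Let p be the field prime, n the order of the generator and h the cofactor, so #E(F_p) = h·n:

$$
\lvert \#E(\mathbb{F}_p) - (p+1) \rvert \le 2\sqrt{p}
\quad\Longrightarrow\quad
\frac{(\sqrt{p}-1)^2}{n} \;\le\; h = \frac{\#E(\mathbb{F}_p)}{n} \;\le\; \frac{(\sqrt{p}+1)^2}{n}.
$$

The interval has width $4\sqrt{p}/n$. When $n > 4\sqrt{p}$ that width is below 1, so the interval holds at most one integer and $h = \lfloor (\sqrt{p}+1)^2 / n \rfloor$: the true cofactor cannot exceed the upper bound, and any smaller integer would fall below the lower bound. A large cofactor means a small $n$; once $n \le 4\sqrt{p}$ several integers fit and no single value can be recovered, which is the "small enough" condition in the entry. For the curves used in practice, where $n$ is on the order of $p$ and $h$ is at most a small constant, the condition holds by a wide margin.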

3.0.0 - Development release

	* Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.

	* Documented undescribed options and removed descriptions of
	  non-functional options in the openssl(1) manual.

	* A plethora of small fixes due to regular oss-fuzz testing.

	* Various side channels in DSA and ECDSA were addressed. These are some of
	  the many issues found in an extensive systematic analysis of bignum usage
	  by Samuel Weiser, David Schrammel et al.

	* Enabled openssl(1) speed subcommand on Windows platform.

	* Enabled performance optimizations when building with Visual Studio on Windows.

	* Fixed incorrect carry operation in 512-bit addition for Streebog.

	* Fixed -modulus option with openssl(1) dsa subcommand.

	* Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.

2.9.2 - Bug fixes

	* Fixed portable builds with older versions of MacOS,
	  Android targets < API 21, and Solaris 10.

	* Fixed SRTP profile advertisement for DTLS servers.

2.9.1 - Stable release

	* Added support for XChaCha20 and XChaCha20-Poly1305.

	* Added support for AES key wrap constructions via the EVP interface.

	* Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.

	* Added pbkdf2 key derivation support to openssl(1).

	* Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

	* Changed the default digest type of openssl(1) enc to sha256.

	* Changed the default digest type of openssl(1) dgst to sha256.

	* Changed the default digest type of openssl(1) x509 -fingerprint to sha256.

	* Changed the default digest type of openssl(1) crl -fingerprint to sha256.

	* Improved Windows, Android, and ARM compatibility, including assembly
	  optimizations on Mingw-w64 targets.

2.9.0 - Development release

	* Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.

	* Fixed warnings about clock_gettime on Windows Visual Studio builds.

	* Fixed CMake builds on systems where getpagesize is defined as an
	  inline function.

	* CRYPTO_LOCK is now automatically initialized, with the legacy
	  callbacks stubbed for compatibility.

	* Added the SM3 hash function from the Chinese standard GB/T 32905-2016.

	* Added more OPENSSL_NO_* macros for compatibility with OpenSSL.

	* Added extensive interoperability tests between LibreSSL and OpenSSL
	  1.0 and 1.1.

	* Added additional Wycheproof tests and related bug fixes.

	* Simplified sigalgs option processing and handshake signing algorithm
	  selection.

	* Added the ability to use the RSA PSS algorithm for handshake
	  signatures.

	* Added bn_rand_interval() and use it in code needing ranges of random
	  bn values.

	* Added functionality to derive early, handshake, and application
	  secrets as per RFC8446.

	* Added handshake state machine from RFC8446.

	* Removed some ASN.1 related code from libcrypto that had not been used
	  since around 2000.

	* Unexported internal symbols and internalized more record layer structs.

	* Added support for assembly optimizations on 32-bit ARM ELF targets.

	* Improved protection against timing side channels in ECDSA signature
	  generation.

	* Coordinate blinding was added to some elliptic curves. This is the
	  last bit of the work by Brumley et al. to protect against the
	  Portsmash vulnerability.

	* Ensure the handshake transcript is always freed with TLS 1.2.

2.8.2 - Stable release

	* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
	  along with test harness fixes.

	* Fixed memory leak in nc(1).

2.8.1 - Test and compatibility improvements

	* Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
	  AES-CMAC,  AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
	  X25519 test vectors. Applied appropriate fixes for errors uncovered
	  by tests.

	* Simplified key exchange signature generation and verification.

	* Fixed a one-byte buffer overrun in callers of EVP_read_pw_string.

	* Converted more code paths to use CBB/CBS. All handshake messages are
	  now created by CBB.

	* Fixed various memory leaks found by Coverity.

	* Simplified session ticket parsing and handling, inspired by
	  BoringSSL.

	* Modified signature of CRYPTO_mem_leaks_* to return -1. This function
	  is a no-op in LibreSSL, so it returns an error rather than claiming
	  anything about the existence or absence of memory leaks.

	* SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
	  X509_OBJECT_up_ref_count now return an int for error handling,
	  matching OpenSSL.
						
							|  |  |  | 	* Converted a number of #defines into proper functions, matching | 
					
						
							|  |  |  | 	  OpenSSL's ABI. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Added X509_get0_serialNumber from OpenSSL. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding | 
					
						
							|  |  |  | 	  PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching | 
					
						
							|  |  |  | 	  OpenSSL. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Removed broken pkcs8 formats from openssl(1). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Converted more functions in public API to use const arguments. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the | 
					
						
							|  |  |  | 	  EVP_AEAD interface. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Stopped using composite EVP_CIPHER AEADs. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Added timing-safe compares for checking results of signature | 
					
						
							|  |  |  | 	  verification. There are no known attacks, this is just inexpensive | 
					
						
							|  |  |  | 	  prudence. | 
					
						
							|  |  |  | 
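
The check the entry above refers to, written out as an added illustration (my own code for this page, not LibreSSL's timingsafe_bcmp(3)/timingsafe_memcmp(3) implementation): the early-exit version is included only for contrast, and the sample tags in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison: returns at the first differing byte, so the time
 * taken reveals how long the matching prefix was. Shown for contrast only. */
int
variable_time_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (a[i] != b[i])
			return 0;
	return 1;
}

/* Constant-time equality: visits every byte regardless of content, folds all
 * differences into one accumulator with OR, and turns the accumulator into
 * 0/1 with arithmetic rather than a data-dependent branch. */
int
ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= a[i] ^ b[i];

	/* diff is 0..255; ((diff - 1) >> 8) & 1 is 1 only when diff == 0. */
	return (int)((((uint32_t)diff - 1U) >> 8) & 1U);
}

/* Compare a locally computed tag (MAC, signature digest) against the value
 * received from the peer. Lengths are public, so a length mismatch may
 * return early; the byte contents are compared in constant time. */
int
tag_matches(const unsigned char *expected, size_t expected_len,
    const unsigned char *received, size_t received_len)
{
	if (expected_len != received_len)
		return 0;
	return ct_equal(expected, received, expected_len);
}

int
main(void)
{
	/* Constructed 8-byte tags: identical except for the last byte. */
	static const unsigned char good[8] =
	    { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
	static const unsigned char bad[8] =
	    { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05 };

	printf("good vs good: %d\n", tag_matches(good, 8, good, 8));	/* 1 */
	printf("good vs bad:  %d\n", tag_matches(good, 8, bad, 8));	/* 0 */
	return 0;
}
```

The remaining caveat is the compiler: an optimiser is free to turn the accumulator loop back into an early exit if it can prove the result is only used as a boolean, which is why production code keeps such a routine in its own translation unit or simply calls the libc's timingsafe_* functions.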

	* Correctly clear the current cipher state when changing cipher state.
	  This fixed an issue where renegotiation of cipher suites would fail
	  when switched from AEAD to non-AEAD or vice versa.
	  Issue reported by Bernard Spil.

	* Added more cipher tests to appstest.sh, including all TLSv1.2
	  ciphers.

	* Added RSA_meth_get_finish() and RSA_meth_set1_name() from OpenSSL.

	* Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
	  retrieved and set with appropriate validation.

2.8.0 - Bug fixes, security, and compatibility improvements

	* Extensive documentation updates and additional API history.

	* Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.

	* Tighten up checks for various X509_VERIFY_PARAM functions,
	  'poisoning' parameters so that an unverified certificate cannot be
	  used if it fails verification.

	* Fixed a potential memory leak on failure in ASN1_item_digest.

	* Fixed a potential memory alignment crash in asn1_item_combine_free.

	* Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
	  SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

	* Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

	* Made ENGINE_finish and ENGINE_free succeed on NULL, simplifying callers
	  and matching OpenSSL behavior; rewrote ENGINE_* documentation.

	* Added const annotations to many existing APIs from OpenSSL, making
	  interoperability easier for downstream applications.

	* Fixed small timing side-channels in ecdsa_sign_setup and
	  dsa_sign_setup.

	* Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
	  operation of BN_* functions.

	* Updated BN_clear to use explicit_bzero.

	* Added a missing bounds check in c2i_ASN1_BIT_STRING.

	* More CBS conversions, including simplifications to RSA key exchange,
	  and converted code to use dedicated buffers for secrets.

	* Removed three remaining single DES cipher suites.

	* Fixed a potential leak/incorrect return value in DSA signature
	  generation.

	* Added a blinding value when generating DSA and ECDSA signatures, in
	  order to reduce the possibility of a side-channel attack leaking the
	  private key.
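
Why a blinding value leaves the signature unchanged, as an added worked example that is not LibreSSL's BN code: toy arithmetic modulo a 32-bit prime Q, with the per-signature nonce k, blinding value b, message hash z, first signature half r and private key x all as constructed sample values. In the DSA/ECDSA equation s = k^-1 (z + r x) mod q the inversion and the multiplication by z operate directly on secrets; with blinding they operate on k*b and b*(z + r x) instead, and the b factors cancel.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy group order: the largest prime below 2^32, so that every
 * product of two reduced operands fits in a uint64_t. Real q is ~256 bits. */
#define Q 4294967291ULL

static uint64_t
mulmod(uint64_t a, uint64_t b)
{
	return (a % Q) * (b % Q) % Q;
}

static uint64_t
powmod(uint64_t base, uint64_t e)
{
	uint64_t r = 1;

	base %= Q;
	while (e != 0) {
		if (e & 1)
			r = mulmod(r, base);
		base = mulmod(base, base);
		e >>= 1;
	}
	return r;
}

/* Modular inverse via Fermat, valid because Q is prime. */
static uint64_t
invmod(uint64_t a)
{
	return powmod(a, Q - 2);
}

/* Unblinded: s = k^-1 (z + r*x) mod q. The nonce k feeds the inversion
 * directly, and z is multiplied by a secret-derived value. */
uint64_t
sig_s_unblinded(uint64_t k, uint64_t z, uint64_t r, uint64_t x)
{
	return mulmod(invmod(k), (z + mulmod(r, x)) % Q);
}

/* Blinded: invert k*b and multiply the numerator by b. Since
 * (k*b)^-1 * b*(z + r*x) = k^-1 (z + r*x) mod q, the result is identical,
 * but every operand of the inversion and of the final multiplication is
 * masked by the fresh random b. */
uint64_t
sig_s_blinded(uint64_t k, uint64_t b, uint64_t z, uint64_t r, uint64_t x)
{
	uint64_t kb_inv = invmod(mulmod(k, b));
	uint64_t num = mulmod(b, (z + mulmod(r, x)) % Q);

	return mulmod(kb_inv, num);
}

int
main(void)
{
	/* Constructed sample values, all below Q. */
	uint64_t k = 12345, b = 98765, z = 111, r = 222, x = 333;

	printf("unblinded s = %llu\n", (unsigned long long)sig_s_unblinded(k, z, r, x));
	printf("blinded   s = %llu\n", (unsigned long long)sig_s_blinded(k, b, z, r, x));
	return 0;
}
```

In a real implementation b is drawn fresh for every signature and discarded afterwards; the point of the example is only the algebra, which shows that blinding costs two extra multiplications and changes nothing about the value a verifier sees.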

	* Added ECC constant time scalar multiplication support.
	  From Billy Brumley and his team at Tampere University of Technology.

	* Revised the implementation of RSASSA-PKCS1-v1_5 to match the
	  specification in RFC 8017. Based on an OpenSSL commit by David
	  Benjamin.

	* Cleaned up BN_* implementations following changes made in OpenSSL by
	  Davide Galassi and others.

2.7.4 - Security fixes

	* Avoid a timing side-channel leak when generating DSA and ECDSA
	  signatures. This is caused by an attempt to do fast modular
	  arithmetic, which introduces branches that leak information
	  regarding secret values. Issue identified and reported by Keegan
	  Ryan of NCC Group.

	* Reject excessively large primes in DH key generation. Problem
	  reported by Guido Vranken to OpenSSL
	  (https://github.com/openssl/openssl/pull/6457) and based on his
	  diff.

2.7.3 - Bug fixes

	* Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
	  Sury.

	* Fixed an issue normalizing CPU architecture in the configure script,
	  which disabled assembly optimizations on platforms that get detected
	  as 'amd64', as opposed to 'x86_64'.

	* Limited tls_config_clear_keys() to only clear private keys.
	  This was inadvertently clearing the keypair, which includes the OCSP
	  staple and pubkey hash - if an application called tls_configure()
	  followed by tls_config_clear_keys(), this would prevent OCSP staples
	  from working.

2.7.2 - Stable release

	* Updated and added extensive new HISTORY sections to API manuals.

	* Added support for shared library builds with CMake on all supported
	  platforms. Note that some of the CMake options have changed; consult
	  the README for details.

2.7.1 - Bug fixes

	* Fixed a bug in int_x509_param_set_hosts, calling strlen() if the name
	  length provided is 0, to match the OpenSSL behaviour. Issue noticed
	  by Christian Heimes <christian@python.org>.

	* Fixed builds on macOS 10.11 and older.

2.7.0 - Bug fixes and improvements

	* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
	  observations of real-world usage in applications. These are
	  implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
	  changes have not been made to existing structs, allowing code written
	  for older OpenSSL APIs to continue working.

	* Extensive corrections, improvements, and additions to the
	  API documentation, including new public APIs from OpenSSL that had
	  no pre-existing documentation.

	* Added support for automatic library initialization in libcrypto,
	  libssl, and libtls. Support for pthread_once or a compatible
	  equivalent is now required of the target operating system. As a
	  side-effect, minimum Windows support is Vista or higher.

	* Converted more packet handling methods to CBB, which improves
	  resiliency when generating TLS messages.

	* Completed TLS extension handling rewrite, improving consistency of
	  checks for malformed and duplicate extensions.

	* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
	  This removes the last remaining use of the old M_ASN1_* macros
	  (asn1_mac.h) from API that needs to continue to exist.

	* Added support for client-side session resumption in libtls.
	  A libtls client can specify a session file descriptor (a regular
	  file with appropriate ownership and permissions) and libtls will
	  manage reading and writing of session data across TLS handshakes.

	* Improved support for strict alignment on ARMv7 architectures,
	  conditionally enabling assembly in those cases.

	* Fixed a memory leak in libtls when reusing a tls_config.

	* Merged more DTLS support into the regular TLS code path, removing
	  duplicated code.

	* Many improvements to Windows CMake-based builds and tests,
	  especially when targeting Visual Studio.

2.6.4 - Bug fixes

	* Make tls_config_parse_protocols() work correctly when passed a NULL
	  pointer for a protocol string. Issue found by semarie@, who also
	  provided the diff.

	* Correct TLS extensions handling when no extensions are present.
	  If no TLS extensions are present in a client hello or server hello,
	  omit the entire extensions block, rather than including it with a
	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
	  providing packet captures and testing the fix.

	* Fixed portable builds on older Android systems, and systems without
	  IPV6_TCLASS support.

2.6.3 - OpenBSD 6.2 Release

	* No core changes from LibreSSL 2.6.2.

	* Minor compatibility fixes in portable version.

2.6.2 - Bug fixes

	* Provide a useful error with libtls if there are no OCSP URLs in a
	  peer certificate.

	* Keep track of which keypair is in use by a TLS context, fixing a bug
	  where a TLS server with SNI would only return the OCSP staple for the
	  default keypair. Issue reported by William Graeber and confirmed by
	  Andreas Bartelt.

	* Fixed various issues in the OCSP extension parsing code.
	  The original code incorrectly passed the pointer allocated via
	  CBS_stow() (using malloc()) to a d2i_*() function and then called
	  free() on the now incremented pointer, most likely resulting in a
	  crash. This issue was reported by Robert Swiecki, who found the issue
	  using honggfuzz.

	* If tls_config_parse_protocols() is called with a NULL pointer,
	  return the default protocols instead of crashing - this makes the
	  behaviour more useful and mirrors what we already do in
	  tls_config_set_ciphers() et al.

2.6.1 - Code removal, rewrites

	* Added a "-T tlscompat" option to nc(1), which enables the use of all
	  TLS protocols and "compat" ciphers. This allows for TLS connections
	  to TLS servers that are using less than ideal cipher suites, without
	  having to resort to "-T tlsall", which enables all known cipher
	  suites. Diff from Kyle J. McKay.

	* Added a new TLS extension handling framework, somewhat analogous to
	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
	  extension regression tests.

	* Improved and added many new manpages. Updated *check_private_key
	  manpages with additional cautions regarding their use.

	* Cleaned up the EC key/curve configuration handling.

	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
	  of the elliptical curves that may be used during client and server
	  key exchange to be specified.

	* Converted more code paths to use CBB/CBS.

	* Removed support for DSS/DSA, since we removed the cipher suites a
	  while back.

	* Removed NPN support. NPN was never standardised and the last draft
	  expired in October 2012. ALPN was standardised in July 2014 and has
	  been supported in LibreSSL since December 2014. NPN was also
	  removed from Chromium in May 2016.

	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
	  CryptoPro clients.

	* Removed support for the TLS padding extension, which was added as a
	  workaround for an old bug in F5's TLS termination.

	* Worked around another bug in F5's TLS termination handling of the
	  elliptical curves extension. RFC 4492 only defines elliptic_curves
	  for ClientHello. However, F5 is sending it in ServerHello. We need
	  to skip over it since our TLS extension parsing code is now more
	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.

	* Added ability to clamp notAfter values in certificates for systems
	  with 32-bit time_t. This is necessary to conform to RFC 5280
	  4.1.2.5.

	* Implemented the SSL_CTX_set_min_proto_version(3) API.

	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.

	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.

2.6.0 - New APIs, bug fixes and improvements

	* Added support for providing CRLs to libtls. Once a CRL is provided we
	  enable CRL checking for the full certificate chain. Based on a diff
	  from Jack Burton.

	* Allow non-compliant clients using IP literal addresses with SNI
	  to connect to a server using libtls.

	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
	  Reported by Robert Swiecki, who found the issue using honggfuzz.

	* Added definitions for three OIDs used in EV certificates.
	  From Kyle J. McKay.

	* Added tls_peer_cert_chain_pem to libtls, useful in private
	  certificate validation callbacks such as those in relayd.

	* Converted explicit clear/free sequences to use freezero(3).

	* Reworked TLS certificate name verification code to more strictly
	  follow RFC 6125.

	* Cleaned up and simplified server key exchange EC point handling.

	* Added tls_keypair_clear_key for clearing key material.

	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
	  simplified BIO_get_host_ip and BIO_accept.

	* Fixed the openssl(1) ca command so that it generates certificates
	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.

	* Added ASN1_TIME_set_tm to set an ASN1_TIME from a struct tm *.

	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.

	* Added HKDF (HMAC Key Derivation Function) from BoringSSL.

	* Provided a tls_unload_file() function that frees the memory returned
	  from a tls_load_file() call, ensuring that the contents become
	  inaccessible. This is specifically needed on platforms where the
	  library allocators may be different from the application allocator.

	* Perform reference counting for tls_config. This allows
	  tls_config_free() to be called as soon as it has been passed to the
	  final tls_configure() call, simplifying lifetime tracking for the
	  application.

	* Moved internal state of SSL and other structures to be opaque.

	* Dropped cipher suites with DSS authentication.

	* nc(1) improvements, including:
	   nc -W to terminate nc after receiving a number of packets
	   nc -Z for saving the peer certificate and chain in a pem file

2.5.5 - Bug fixes

	* Distinguish between self-issued certificates and self-signed
	  certificates. The certificate verification code has special cases
	  for self-signed certificates and without this change, self-issued
	  certificates (which it seems are commonplace with
	  openvpn/easyrsa) were also being included in this category.

	* Added getpagesize fallback, needed for Android bionic libc.

2.5.4 - Security Updates

	* Revert a previous change that forced consistency between return
	  value and error code when specifying a certificate verification
	  callback, since this breaks the documented API. When a user supplied
	  callback always returns 1, and later code checks the error code to
	  potentially abort post verification, this will result in incorrect
	  successful certificate verification.

	* Switched Linux getrandom() usage to non-blocking mode, continuing to
	  use fallback mechanisms if unsuccessful. This works around a design
	  flaw in Linux getrandom(2) where early boot usage in a library makes
	  it impossible to recover if getrandom(2) is not yet initialized.

	* Fixed a bug caused by the return value being set early to signal
	  successful DTLS cookie validation. This can mask a later failure and
	  result in a positive return value being returned from
	  ssl3_get_client_hello(), when it should return a negative value to
	  propagate the error.

	* Fixed a build error on non-x86/x86_64 systems running Solaris.

2.5.3 - OpenBSD 6.1 Release

	* Documentation updates.

	* Improved ocspcheck(1) error handling.

2.5.2 - Security features and bugfixes

	* Added the recallocarray(3) memory allocation function, and converted
	  various places in the library to use it, such as CBB and BUF_MEM_grow.
	  recallocarray(3) is similar to reallocarray. Newly allocated memory
	  is cleared, similar to calloc(3). Memory that becomes unallocated
	  while shrinking or moving existing allocations is explicitly
	  discarded by unmapping or clearing to 0.
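
An added illustration of the recallocarray(3) contract described above, written for this page rather than taken from libc or LibreSSL (my_recallocarray and secure_clear are hypothetical names; the sample buffer in main() is constructed). It shows the two properties that matter for buffers holding secrets: newly exposed bytes come back zeroed, and the old block is wiped before it returns to the allocator.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overwrite a buffer through a volatile pointer so the stores cannot be
 * dropped as "dead" writes before free(). Stand-in for explicit_bzero(3). */
void
secure_clear(void *p, size_t n)
{
	volatile unsigned char *vp = p;

	while (n-- > 0)
		*vp++ = 0;
}

/*
 * Resize an array of oldnmemb elements of `size` bytes to newnmemb elements.
 * Elements beyond the old count are zeroed; when the block has to move, the
 * old block is cleared before it is released so stale key material does not
 * linger on the heap. Assumption: oldnmemb is the count the buffer was last
 * allocated or resized to (the caller keeps track, as with recallocarray(3)).
 */
void *
my_recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb, size_t size)
{
	size_t oldsize, newsize;
	void *newptr;

	if (newnmemb == 0 || size == 0) {
		errno = EINVAL;	/* keep a NULL return unambiguous */
		return NULL;
	}
	/* Overflow-safe products, as reallocarray(3) checks them. */
	if (newnmemb > SIZE_MAX / size || oldnmemb > SIZE_MAX / size) {
		errno = ENOMEM;
		return NULL;
	}
	newsize = newnmemb * size;
	oldsize = oldnmemb * size;

	if (ptr == NULL)
		return calloc(newnmemb, size);
	if (newsize == oldsize)
		return ptr;

	newptr = calloc(newnmemb, size);	/* fresh, zero-filled block */
	if (newptr == NULL)
		return NULL;	/* caller still owns ptr */

	/* Growing keeps everything and leaves the tail zeroed; shrinking
	 * copies only the part that still fits. */
	memcpy(newptr, ptr, oldsize < newsize ? oldsize : newsize);

	secure_clear(ptr, oldsize);
	free(ptr);
	return newptr;
}

int
main(void)
{
	/* Constructed example: a 4-byte secret that grows to 8 bytes. */
	unsigned char *buf = calloc(4, 1);
	size_t i;

	if (buf == NULL)
		return 1;
	memcpy(buf, "k3y!", 4);
	buf = my_recallocarray(buf, 4, 8, 1);
	if (buf == NULL)
		return 1;
	for (i = 0; i < 8; i++)
		printf("%02x ", buf[i]);	/* 6b 33 79 21 00 00 00 00 */
	printf("\n");
	secure_clear(buf, 8);
	free(buf);
	return 0;
}
```

Plain realloc(3) gives neither guarantee: the bytes past the old length are whatever the allocator had there, and a moved block leaves its former contents in place until something else overwrites them, which is exactly the residue a heap disclosure bug would pick up.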
 | 
					
						
							|  |  |  | 	* Added new root CAs from SECOM Trust Systems / Security Communication | 
					
						
							|  |  |  | 	  of Japan. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Added EVP interface for MD5+SHA1 hashes. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Fixed DTLS client failures when the server sends a certificate | 
					
						
							|  |  |  | 	  request. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Correct handling of padding when upgrading an SSLv2 challenge into | 
					
						
							|  |  |  | 	  an SSLv3/TLS connection. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Allow protocols and ciphers to be set on a TLS config object in | 
					
						
							|  |  |  | 	  libtls. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Improved nc(1) TLS handshake CPU usage and server-side error | 
					
						
							|  |  |  | 	  reporting. | 
					
						
							|  |  |  | 
 | 
					
						
2.5.1 - Bug and security fixes, new features, documentation updates

	* X509_cmp_time() now treats a malformed GeneralizedTime field as an
	  error. Reported by Theofilos Petsios.

	* Detect zero-length encrypted session data early, instead of when
	  malloc(0) fails or the HMAC check fails. Noted independently by
	  jsing@ and Kurt Cancemi.

	* Check for and handle failure of HMAC_{Update,Final} or
	  EVP_DecryptUpdate().

	* Massive update and normalization of manpages, conversion to
	  mandoc format. Many pages were rewritten for clarity and accuracy.
	  Portable doc links are up-to-date with a new conversion tool.

	* Curve25519 key exchange support.

	* Support for alternate chains for certificate verification.

	* Code cleanups, CBS conversions, further unification of DTLS/SSL
	  handshake code, further ASN1 macro expansion and removal.

	* Private symbols are now hidden in libssl and libcrypto.

	* Friendly certificate verification error messages in libtls; peer
	  verification is now always enabled.

	* Added OCSP stapling support to libtls and netcat.

	* Added ocspcheck utility to validate a certificate against its OCSP
	  responder and save the reply for stapling.

	* Enhanced regression tests and error handling for libtls.

	* Added explicit constant and non-constant time BN functions,
	  defaulting to constant time wherever possible.

	* Moved many leaked implementation details in public structs behind
	  opaque pointers.

	* Added ticket support to libtls.

	* Added support for setting the supported EC curves via
	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
	  list of curves to X25519, P-256 and P-384. All other curves must
	  be manually enabled.

	* Added -groups option to openssl(1) s_client for specifying the curves
	  to be used, as a colon-separated list.

	* Merged client/server version negotiation code paths into one,
	  removing much duplicated code.

	* Removed error function codes from libssl and libcrypto.

	* Fixed an issue where a truncated packet could crash via an OOB read.

	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
	  client-initiated renegotiation. This is the default for libtls
	  servers.

	* Avoid a side-channel cache-timing attack that can leak the ECDSA
	  private key when signing. This is due to BN_mod_inverse() being
	  used without the constant time flag being set. Reported by Cesar
	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
	  The fix was developed by Cesar Pereida Garcia.

	* iOS and macOS compatibility updates from Simone Basso and Jacob
	  Berkman.


2.5.0 - New APIs, bug fixes and improvements

	* libtls now supports ALPN and SNI.

	* libtls adds a new callback interface for integrating custom IO
	  functions. Thanks to Tobias Pape.

	* libtls now handles 4 cipher suite groups:
	    "secure" (TLSv1.2+AEAD+PFS)
	    "compat" (HIGH:!aNULL)
	    "legacy" (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)

	    This allows for flexibility and finer grained control, rather than
	    having two extremes (an issue raised by Marko Kreen some time ago).

	* Tightened error handling for tls_config_set_ciphers().

	* libtls now always loads CA, key and certificate files at the time the
	  configuration function is called. This simplifies code and results in
	  a single memory based code path being used to provide data to libssl.

	* Add support for OCSP intermediate certificates.

	* Added functions used by stunnel and exim from BoringSSL - this
	  brings in X509_check_host, X509_check_email, X509_check_ip, and
	  X509_check_ip_asc.

	* Added initial support for iOS, thanks to Jacob Berkman.

	* Improved behavior of arc4random on Windows when using memory leak
	  analysis software.

	* Correctly handle an EOF that occurs prior to the TLS handshake
	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
	  Kreen.

	* Limit the support of the "backward compatible" SSLv2 handshake to
	  only be used if TLS 1.0 is enabled.

	* Fixed BN_mod_word() returning incorrect results in certain cases on
	  64-bit systems. BN_mod_word() can now return an error condition.
	  Thanks to Brian Smith.

	* Added constant-time updates to address CVE-2016-0702.

	* Fixed undefined behavior in BN_GF2m_mod_arr().

	* Removed unused Cryptographic Message Syntax (CMS) support.

	* More conversions of long long idioms to time_t.

	* Improved compatibility by avoiding printing NULL strings with
	  printf.

	* Reverted change that cleans up the EVP cipher context in
	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
	  previous behaviour.

	* Avoid unbounded memory growth in libssl, which can be triggered by a
	  TLS client repeatedly renegotiating and sending OCSP Status Request
	  TLS extensions.

	* Avoid falling back to a weak digest for (EC)DH when using SNI with
	  libssl.

2.4.2 - Bug fixes and improvements

	* Fixed loading default certificate locations with openssl s_client.

	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
	  RFC 6960. Also added fixes for OCSP to work with intermediate
	  certificates provided in responses.

	* Improved behavior of arc4random on Windows to not appear to leak
	  memory in debug tools, reduced privileges of allocated memory.

	* Fixed incorrect results from BN_mod_word() when the modulus is too
	  large, thanks to Brian Smith from BoringSSL.

	* Correctly handle an EOF prior to completing the TLS handshake in
	  libtls.

	* Improved libtls certificate loading and cipher string validation.

	* Updated libtls cipher group suites into four categories:
	    "secure"   (TLSv1.2+AEAD+PFS)
	    "compat"   (HIGH:!aNULL)
	    "legacy"   (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)
	  This allows for flexibility and finer grained control, rather than
	  having two extremes.

	* Limited support for 'backward compatible' SSLv2 handshake packets to
	  when TLS 1.0 is enabled, providing more restricted compatibility
	  with TLS 1.0 clients.

	* openssl(1) and other documentation improvements.

	* Removed flags for disabling constant-time operations.
	  This removes support for the DSA_FLAG_NO_EXP_CONSTTIME,
	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
	  all of these operations unconditionally constant-time.


2.4.1 - Security fix

	* Correct a problem that prevents the DSA signing algorithm from
	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
	  This issue was reported by Cesar Pereida (Aalto University), Billy
	  Brumley (Tampere University of Technology), and Yuval Yarom (The
	  University of Adelaide and NICTA). The fix was developed by Cesar
	  Pereida.

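The 2.4.1 entry above, the 2.4.2 removal of the *_NO_CONSTTIME flags and the 2.5.1 ECDSA entry (BN_mod_inverse() called without BN_FLG_CONSTTIME) are one bug class: a modular inverse whose control flow depends on the secret it is inverting. The C program below is an added illustration and not LibreSSL code. It computes an inverse two ways, with a variable-time extended Euclid of the kind a cache-timing attacker can trace, and with a fixed-sequence Fermat exponentiation whose loop shape is independent of the input. The 61-bit Mersenne modulus, the function names and the use of GCC's unsigned __int128 are assumptions made for the example; LibreSSL's BN_mod_inverse() is multi-precision and differs in detail.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy prime modulus 2^61 - 1 (an assumption for the example; real ECDSA
 * inverts the nonce modulo the curve order, a 256-bit or larger prime).
 */
#define P61 ((uint64_t)0x1FFFFFFFFFFFFFFFULL)

/* (a * b) mod m with a 128-bit intermediate (GCC/Clang extension). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
	return (uint64_t)(((unsigned __int128)a * b) % m);
}

/*
 * Variable-time inverse: extended Euclid. The iteration count, every
 * quotient and the final sign test all depend on the secret a, which is
 * exactly the control flow a Flush+Reload attacker observes.
 */
uint64_t vt_modinv(uint64_t a, uint64_t p)
{
	int64_t t = 0, newt = 1;
	uint64_t r = p, newr = a % p;

	while (newr != 0) {
		uint64_t q = r / newr;
		int64_t tmp_t = t - (int64_t)q * newt;
		uint64_t tmp_r = r - q * newr;
		t = newt;
		newt = tmp_t;
		r = newr;
		newr = tmp_r;
	}
	if (r != 1)
		return 0;	/* a == 0 or a shares a factor with p */
	if (t < 0)
		t += (int64_t)p;
	return (uint64_t)t;
}

/* Branch-free select: all-ones mask -> a, all-zeros mask -> b. */
static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b)
{
	return (a & mask) | (b & ~mask);
}

/*
 * Constant-time inverse for prime p: a^(p-2) mod p (Fermat). The exponent
 * is public, the loop always runs 64 iterations, and each iteration does
 * one squaring, one multiplication and one masked select, so the secret
 * a only flows through arithmetic, never through branches or addresses.
 * Returns 0 for a == 0 (not invertible). Caveat: the '%' inside mulmod()
 * is itself not constant time on most CPUs; a real implementation uses
 * Montgomery or Barrett reduction for that step.
 */
uint64_t ct_modinv(uint64_t a, uint64_t p)
{
	uint64_t e = p - 2, result = 1, base = a % p;
	int i;

	for (i = 63; i >= 0; i--) {
		uint64_t bit = (e >> i) & 1;
		uint64_t sq = mulmod(result, result, p);
		uint64_t mul = mulmod(sq, base, p);	/* always computed */
		result = ct_select(0 - bit, mul, sq);	/* selected, not branched */
	}
	return result;
}

/* 1 if both inverses agree and a * inv == 1 (mod p), else 0. */
int inverses_agree(uint64_t a, uint64_t p)
{
	uint64_t vt = vt_modinv(a, p), ct = ct_modinv(a, p);

	return vt == ct && mulmod(a, vt, p) == 1;
}

int main(void)
{
	uint64_t a = 123456789;

	printf("inv(%llu) mod 2^61-1 = %llu, agree: %d\n", (unsigned long long)a,
	    (unsigned long long)ct_modinv(a, P61), inverses_agree(a, P61));
	return 0;
}
```

Both functions return the same value for every invertible input; what differs is what a co-resident attacker can learn. Setting BN_FLG_CONSTTIME on the nonce before BN_mod_inverse() is what steers the library onto its fixed-shape path, which is why the flag being missing was a key-recovery bug rather than a performance detail.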
					
						
2.4.0 - Build improvements, new features

	* Many improvements to the CMake build infrastructure, including
	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
	  Inoguchi for this work.

	* Added missing error handling around bn_wexpand() calls.

	* Added explicit_bzero calls for freed ASN.1 objects.

	* Fixed X509_*set_object functions to return 0 on allocation failure.

	* Implemented the IETF ChaCha20-Poly1305 cipher suites.

	* Changed the default EVP_aead_chacha20_poly1305() implementation to
	  the IETF version.

	* Fixed password prompts from openssl(1) to properly handle ^C.

	* Reworked error handling in libtls so that configuration errors are
	  visible.

	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

	* Manpage fixes and updates.

2.3.5 - Reliability fix

	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

2.3.4 - Security Update

	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and
	  encoding. From OpenSSL.

	* Minor build fixes

2.3.3 - OpenBSD 5.9 release branch tagged

	* Reworked build scripts to better sync with OpenNTPD-portable

	* Fixed broken manpage links

	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias

	* Fixed HP-UX builds

	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
	  binary builds

	* cert.pem has been reorganized and synced with Mozilla's certificate store

2.3.2 - Compatibility and Reliability fixes

	* Changed format of LIBRESSL_VERSION_NUMBER to match that of
	  OPENSSL_VERSION_NUMBER, see:
	  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)

	* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
	  construction introduced in RFC 7539, which is different from that
	  already used in TLS with EVP_aead_chacha20_poly1305()

	* Avoid a potential undefined C99+ behavior due to shift overflow in
	  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>

	* More man pages converted from pod to mdoc format

	* Added COMODO RSA Certification Authority and QuoVadis
	  root certificates to cert.pem

	* Removed the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
	  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
	  certificate from cert.pem

	* Added support for building nc(1) on Solaris

	* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev

	* Improved console handling with openssl(1) on Windows

	* Ensure the network stack is enabled on Windows when running
	  tls_init()

	* Fixed incorrect TLS certificate loading by nc(1)

	* Added support for Solaris 11.3's getentropy(2) system call

	* Enabled support for using NetBSD 7.0's arc4random(3) implementation

	* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect

	* Fixes from OpenSSL 1.0.1q
	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
	                   validation.
	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL

	* The following OpenSSL CVEs did not apply to LibreSSL
	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
	                   squaring procedure.
	 - CVE-2015-3196 - Double free race condition of the identity hint
	                   data.

	 See https://marc.info/?l=openbsd-announce&m=144925068504102

2.3.1 - ASN.1 and time handling cleanups

	* ASN.1 cleanups and RFC 5280 compliance fixes.

	* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
	  now checks if the host OS supports 64-bit time_t.

	* Fixed a leak in SSL_new in the error path.

	* Support always extracting the peer cipher and version with libtls.

	* Added ability to check certificate validity times with libtls,
	  tls_peer_cert_notbefore and tls_peer_cert_notafter.

	* Changed tls_connect_servername to use the first address that resolves with
	  getaddrinfo().

	* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
	  initial commit in 2004).

	* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
	  by Qualys Security.

	* Fixed an up to 7-byte overflow in RC4 when len is not a multiple of
	  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

	* Reject too small bits value in BN_generate_prime_ex(), so that it does
	  not risk becoming negative in probable_prime_dh_safe(), reported by
	  Franck Denis.

	* Enable nc(1) builds on more platforms.

2.3.0 - SSLv3 removed, libtls API changes, portability improvements

	* SSLv3 is now permanently removed from the tree.

	* The libtls API is changed from the 2.2.x series.

	  The read/write functions work correctly with external event
	  libraries.  See the tls_init man page for examples of using libtls
	  correctly in asynchronous mode.

	  Client-side verification is now supported, with the client supplying
	  the certificate to the server.

	  Also, when using tls_connect_fds, tls_connect_socket or
	  tls_accept_fds, libtls no longer implicitly closes the passed in
	  sockets. The caller is responsible for closing them in this case.

	* When loading a DSA key from a raw (without DH parameters) ASN.1
	  serialization, perform some consistency checks on its `p' and `q'
	  values, and return an error if the checks fail.

	  Thanks to Georgi Guninski (guninski at guninski dot com) for
	  mentioning the possibility of a weak (non prime) q value and
	  providing a test case.

	  See
	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
	  for a longer discussion.

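The consistency check described in the entry above, as an added example that is not LibreSSL's code: with 64-bit toy parameters so the arithmetic stays readable, it verifies that p and q are prime, that q divides p - 1, and (going one step beyond the entry) that g actually generates the order-q subgroup. A composite q is the reported weakness: the subgroup order is then no longer prime, and the hardness assumption DSA rests on no longer holds. The (p, q, g) = (23, 11, 2) parameter set, the Miller-Rabin primality test and the function names are this example's assumptions; real DSA parameters are 2048 bits or more and the library's checks are multi-precision.

```c
#include <stdint.h>
#include <stdio.h>

/* (a * b) mod m with a 128-bit intermediate (GCC/Clang extension). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
	return (uint64_t)(((unsigned __int128)a * b) % m);
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
	uint64_t r = 1;

	b %= m;
	while (e > 0) {
		if (e & 1)
			r = mulmod(r, b, m);
		b = mulmod(b, b, m);
		e >>= 1;
	}
	return r;
}

/* Miller-Rabin; the first twelve primes as bases is deterministic for n < 2^64. */
int is_prime_u64(uint64_t n)
{
	static const uint64_t bases[] = { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37 };
	uint64_t d;
	int r, i, j;

	if (n < 2)
		return 0;
	for (i = 0; i < 12; i++) {
		if (n == bases[i])
			return 1;
		if (n % bases[i] == 0)
			return 0;
	}
	for (d = n - 1, r = 0; (d & 1) == 0; d >>= 1)
		r++;			/* n - 1 = d * 2^r with d odd */
	for (i = 0; i < 12; i++) {
		uint64_t x = powmod(bases[i], d, n);

		if (x == 1 || x == n - 1)
			continue;
		for (j = 1; j < r; j++) {
			x = mulmod(x, x, n);
			if (x == n - 1)
				break;
		}
		if (j == r)
			return 0;	/* witness found: n is composite */
	}
	return 1;
}

/*
 * Consistency checks on DSA domain parameters (p, q, g). Toy 64-bit
 * values; FIPS 186 additionally fixes the bit lengths (e.g. 2048/224 or
 * 2048/256), which this example omits. Returns 1 if consistent, else 0.
 */
int dsa_params_check(uint64_t p, uint64_t q, uint64_t g)
{
	if (!is_prime_u64(p) || !is_prime_u64(q))
		return 0;		/* a composite q is the weakness reported */
	if (q >= p || (p - 1) % q != 0)
		return 0;		/* q must divide p - 1 */
	if (g <= 1 || g >= p || powmod(g, q, p) != 1)
		return 0;		/* g must have order q */
	return 1;
}

int main(void)
{
	printf("(23, 11, 2): %d  (11, 10, 2): %d  (23, 5, 2): %d\n",
	    dsa_params_check(23, 11, 2),	/* sane: 2^11 = 2048 = 1 (mod 23) */
	    dsa_params_check(11, 10, 2),	/* q = 10 is composite */
	    dsa_params_check(23, 5, 2));	/* 5 does not divide 22 */
	return 0;
}
```

The important property is that the check runs before the key is used for anything: a decoder that accepts attacker-supplied parameters and signs with them has already lost, so the consistency test belongs in the d2i path, where LibreSSL put it.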
					
						
	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
	  of the result key without error. A coding error could cause software
	  to use much shorter keys than intended.

	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
	  longer supported.

	* The engine command and parameters are removed from openssl(1).
	  Previous releases removed dynamic and builtin engine support
	  already.

	* SHA-0 is removed; it was withdrawn shortly after publication 20
	  years ago.

	* Added Certplus CA root certificate to the default cert.pem file.

	* New interface OPENSSL_cpu_caps is provided that does not allow
	  software to inadvertently modify cpu capability flags.
	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.

	* The out_len argument of AEAD changed from ssize_t to size_t.

	* Deduplicated DTLS code, sharing bugfixes and improvements with
	  TLS.

	* Converted 'nc' to use libtls for client and server operations; it is
	  included in the libressl-portable distribution as an example of how
	  to use the library.

2.2.3 - Bug fixes, build enhancements

	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
	  include TLS extensions, resulting in such handshakes being aborted.
	  This release corrects the handling of such messages. Thanks to
	  Ligushka from github for reporting the issue.

	* Added install target for cmake builds. Thanks to TheNietsnie from
	  github.

	* Updated pkgconfig files to correctly report the release version
	  number, not the individual library ABI version numbers. Thanks to
	  Jan Engelhardt for reporting the issue.

2.2.2 - More TLS parser rework, bug fixes, expanded portable build support

	* Switched 'openssl dhparam' default from 512 to 2048 bits

	* Reworked openssl(1) option handling

	* More CRYPTO ByteString (CBS) packet parsing conversions

	* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success

	* Fixed dozens of Coverity issues including dead code, memory leaks,
	  logic errors and more.

	* Ensure that openssl(1) restores terminal echo state after reading a
	  password.

	* Incorporated fix for OpenSSL Issue #3683

	* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
	  for each portable release.

	* Removed workarounds for TLS client padding bugs.

	* No longer disable ECDHE-ECDSA on OS X

	* Removed SSLv3 support from openssl(1)

	* Removed IE 6 SSLv3 workarounds.

	* Modified tls_write in libtls to allow partial writes, clarified with
	  examples in the documentation.

	* Removed RSAX engine

	* Tested SSLv3 removal with the OpenBSD ports tree and found several
	  applications that were not ready to build without SSLv3 yet. For
	  now, building a program that intentionally uses SSLv3 will result in
	  a linker warning.

	* Added TLS_method, TLS_client_method and TLS_server_method as a
	  replacement for the SSLv23_*method calls.

	* Added initial cmake build support, including support for building with
	  Visual Studio, currently tested with Visual Studio 2013 Community
	  Edition.

	* --with-enginesdir is removed as a configuration parameter

	* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
	  installed under $sysconfdir/ssl or the directory specified by
	  --with-openssldir. Previous versions of LibreSSL left these empty.

2.2.1 - Build fixes, feature added, features removed

	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.

	* Initial support for Windows Embedded 2009, Server 2003, XP

	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API

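CBS conversions recur through this log (this entry, 2.2.2 and 2.5.1), and two of the bugs above show why the bounds-checked cursor style matters: 2.2.3 fixed ClientHello messages without an extensions block being aborted, and 2.5.1 fixed an out-of-bounds read on a truncated packet. The following C program is an added example, not LibreSSL or BoringSSL code. It sketches a CBS-style cursor whose every read is length-checked and uses it to parse a ClientHello body, treating an absent extensions block as valid while rejecting a block whose declared length exceeds the bytes actually present. The sample messages are constructed for the example rather than captured traffic, and the type and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked byte cursor in the style of a CBS (this example's own). */
typedef struct { const uint8_t *data; size_t len; } CBS;

static int cbs_get_bytes(CBS *cbs, const uint8_t **out, size_t n)
{
	if (cbs->len < n)
		return 0;		/* truncated: refuse rather than read past the buffer */
	*out = cbs->data;
	cbs->data += n;
	cbs->len -= n;
	return 1;
}

/* Big-endian unsigned integer of 1 or 2 bytes. */
static int cbs_get_uint(CBS *cbs, size_t nbytes, size_t *out)
{
	const uint8_t *p;
	size_t i, v = 0;

	if (!cbs_get_bytes(cbs, &p, nbytes))
		return 0;
	for (i = 0; i < nbytes; i++)
		v = v << 8 | p[i];
	*out = v;
	return 1;
}

/* Consume an nbytes-wide length prefix and hand back exactly that many bytes. */
static int cbs_get_prefixed(CBS *cbs, size_t nbytes, CBS *out)
{
	size_t n;

	if (!cbs_get_uint(cbs, nbytes, &n) || !cbs_get_bytes(cbs, &out->data, n))
		return 0;
	out->len = n;
	return 1;
}

struct client_hello {
	size_t version, n_cipher_suites, n_extensions;
	uint8_t random[32];
};

/* Parse a ClientHello body (bytes after the 4-byte handshake header): 1 = ok, 0 = reject. */
int parse_client_hello(const uint8_t *buf, size_t len, struct client_hello *out)
{
	CBS cbs = { buf, len }, session_id, suites, compression, exts, body;
	const uint8_t *rnd;
	size_t type;

	memset(out, 0, sizeof(*out));
	if (!cbs_get_uint(&cbs, 2, &out->version) || !cbs_get_bytes(&cbs, &rnd, 32))
		return 0;
	memcpy(out->random, rnd, 32);
	if (!cbs_get_prefixed(&cbs, 1, &session_id) || session_id.len > 32)
		return 0;
	if (!cbs_get_prefixed(&cbs, 2, &suites) || suites.len < 2 || suites.len % 2)
		return 0;
	out->n_cipher_suites = suites.len / 2;
	if (!cbs_get_prefixed(&cbs, 1, &compression) || compression.len < 1)
		return 0;
	if (cbs.len == 0)
		return 1;		/* no extensions block: legal (RFC 5246, 7.4.1.2), not an abort */
	if (!cbs_get_prefixed(&cbs, 2, &exts) || cbs.len != 0)
		return 0;		/* block shorter than its length says, or trailing bytes */
	while (exts.len > 0) {
		if (!cbs_get_uint(&exts, 2, &type) || !cbs_get_prefixed(&exts, 2, &body))
			return 0;	/* an extension claiming more bytes than remain */
		out->n_extensions++;
	}
	return 1;
}

/* Constructed sample messages (not captured traffic): TLS 1.2, two suites, null compression. */
#define RND32	0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f, \
		0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
#define CH_BASE	0x03,0x03, RND32, 0x00, 0x00,0x04, 0xc0,0x2f, 0xcc,0xa8, 0x01,0x00
static const uint8_t CH_NO_EXT[] = { CH_BASE };
static const uint8_t CH_WITH_EXT[] = { CH_BASE,
	0x00,0x0a,						/* extensions block length: 10 */
	0x00,0x0a, 0x00,0x06, 0x00,0x04, 0x00,0x1d, 0x00,0x17	/* supported_groups: x25519, P-256 */
};

/* -1 if the hello is rejected, otherwise the number of extensions it carried. */
int hello_ext_count(const uint8_t *buf, size_t len)
{
	struct client_hello ch;

	return parse_client_hello(buf, len, &ch) ? (int)ch.n_extensions : -1;
}

int main(void)
{
	printf("no ext: %d  with ext: %d  truncated: %d\n",
	    hello_ext_count(CH_NO_EXT, sizeof(CH_NO_EXT)),
	    hello_ext_count(CH_WITH_EXT, sizeof(CH_WITH_EXT)),
	    hello_ext_count(CH_WITH_EXT, sizeof(CH_WITH_EXT) - 3));
	return 0;
}
```

Every length in the message is trusted only after the cursor has confirmed that many bytes remain, so a truncated packet fails closed instead of reading adjacent memory, and the optional extensions block is handled by checking whether anything is left rather than by assuming it is present.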
					
						
	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL

	* Removed Dynamic Engine support

	* Removed unused and obsolete MDC-2DES cipher

	* Removed workarounds for obsolete SSL implementations

2.2.0 - Build cleanups and new OS support, Security Updates

	* AIX Support - thanks to Michael Felt

	* Cygwin Support - thanks to Corinna Vinschen

	* Refactored build macros, support packaging libtls independently.
	  There are more pieces required to support building and using OpenSSL
	  with libtls, but this is an initial start at providing an
	  independent package for people to start hacking on.

	* Removal of OPENSSL_issetugid and all library getenv calls.
	  Applications can and should no longer rely on environment variables
	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
	  supported with the openssl(1) command.

	* libtls API and documentation additions

	* Various bug fixes and simplifications to libssl and libcrypto

	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function

					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* The following CVEs did not apply to LibreSSL or were fixed in | 
					
						
							|  |  |  | 	  earlier releases: | 
					
						
							|  |  |  | 	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam) | 
					
						
							|  |  |  | 	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent | 
					
						
							|  |  |  | 	 - CVE-2014-8176 - Invalid free in DTLS | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Fixes for the following CVEs are still in review for LibreSSL | 
					
						
							|  |  |  | 	 - CVE-2015-1791 - Race condition handling NewSessionTicket | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 2.1.6 - Security update | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Fixes for the following issues are integrated into LibreSSL 2.1.6: | 
					
						
							|  |  |  | 	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error | 
					
						
							|  |  |  | 	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp | 
					
						
							|  |  |  | 	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption | 
					
						
							|  |  |  | 	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref | 
					
						
							|  |  |  | 	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen | 
					
						
							|  |  |  | 	  is integrated for safety, but LibreSSL is not vulnerable. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Libtls is now built by default. The --enable-libtls | 
					
						
							|  |  |  | 	  configuration option is no longer required. | 
					
						
							|  |  |  | 	  The libtls API is now stable for the 2.1.x series. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 2.1.5 - Bug fixes and a security update | 
					
						
							|  |  |  | 	* Fix incorrect comparison function in openssl(1) certhash command. | 
					
						
							|  |  |  | 	  Thanks to Christian Neukirchen / Void Linux. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Windows port improvements and bug fixes. | 
					
						
							|  |  |  | 	  - Removed a dependency on libgcc in 32-bit dynamic libraries. | 
					
						
							|  |  |  | 	  - Correct a hang in openssl(1) reading from stdin on an connection. | 
					
						
							|  |  |  | 	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and | 
					
						
							|  |  |  | 	    any other network-related commands to function properly. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	* Reject all server DH keys smaller than 1024 bits. | 
					
						
							|  |  |  | 
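The 1024-bit floor on server DH keys is a client-side policy check: the prime from the ServerKeyExchange is measured by its significant bits, not by the length of its wire encoding, so leading zero octets cannot pad a weak group past the threshold. The following C program is an added illustration of that check and is not LibreSSL's own code; the function names, the DH_MIN_BITS constant and the sample prime buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Minimum acceptable DH prime size, matching the 1024-bit floor the
 * changelog entry describes. Added illustration, not LibreSSL code.
 */
#define DH_MIN_BITS	1024

/*
 * Number of significant bits in a big-endian unsigned integer, ignoring
 * leading zero octets (the same notion as a BIGNUM's bit length).
 * Returns 0 for an empty or all-zero buffer.
 */
size_t
dh_prime_bits(const uint8_t *p, size_t len)
{
	size_t i, bits;
	unsigned int top;

	for (i = 0; i < len && p[i] == 0; i++)
		;
	if (i == len)
		return 0;

	/* Full octets below the most significant non-zero one. */
	bits = (len - i - 1) * 8;
	for (top = p[i]; top != 0; top >>= 1)
		bits++;
	return bits;
}

/*
 * Policy check a TLS client applies to the DH prime it was sent:
 * accept only if it carries at least DH_MIN_BITS significant bits.
 * Returns 1 if the parameters are acceptable, 0 if they must be rejected.
 */
int
dh_prime_acceptable(const uint8_t *p, size_t len)
{
	return dh_prime_bits(p, len) >= DH_MIN_BITS;
}

/* Constructed samples (not real DH parameters) exercising the check. */
int
sample_1024bit_prime_accepted(void)
{
	uint8_t p[128];

	memset(p, 0xff, sizeof(p));	/* 1024 significant bits */
	return dh_prime_acceptable(p, sizeof(p));
}

int
sample_zero_padded_512bit_rejected(void)
{
	uint8_t p[128] = { 0 };

	p[64] = 0x80;			/* 128 octets on the wire, only 512 real bits */
	return dh_prime_acceptable(p, sizeof(p));
}

int
sample_1025bit_prime_accepted(void)
{
	uint8_t p[129] = { 0 };

	p[0] = 0x01;			/* 1025 significant bits */
	return dh_prime_acceptable(p, sizeof(p));
}

int
main(void)
{
	printf("1024-bit prime:       %s\n",
	    sample_1024bit_prime_accepted() ? "accepted" : "rejected");
	printf("zero-padded 512-bit:  %s\n",
	    sample_zero_padded_512bit_rejected() ? "accepted" : "rejected");
	printf("1025-bit prime:       %s\n",
	    sample_1025bit_prime_accepted() ? "accepted" : "rejected");
	return 0;
}
```

The second sample is the case that matters: a 512-bit group encoded in 128 octets looks like a 1024-bit key if only the length field is inspected, and a Logjam-style downgrade relies on exactly such weak groups being accepted.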
2.1.4 - Security and feature updates
	* Improvements to libtls:
	  - a new API for loading CA chains directly from memory instead of a
	    file, allowing verification with privilege separation in a chroot
	    without direct access to CA certificate files.

	  - Ciphers default to TLSv1.2 with AEAD and PFS.

	  - Improved error handling and message generation

	  - New APIs and improved documentation

	* Added X509_STORE_load_mem API for loading certificates from memory.
	  This facilitates accessing certificates from a chrooted environment.

	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
	  using 'TLSv1.2+AEAD' as the cipher selection string.

	* Dead and disabled code removal including MD5, Netscape workarounds,
	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.

	* ASN1 macro maze expanded to aid reading and searching the code.

	* NULL pointer asserts removed in favor of letting the OS/signal
	  handler catch them.

	* Refactored argument handling in openssl(1) for consistency and
	  maintainability.

	* New openssl(1) command 'certhash' replaces the c_rehash script.

	* Support for building with OPENSSL_NO_DEPRECATED

	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
	  various auditor and vulnerability scanners.

	* Dozens of issues found with the Coverity scanner fixed.

	* Security Updates:

	  - Fix a minor information leak that was introduced in t1_lib.c
	    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
	    provided to the network. In most cases this is a non-issue since
	    the memory content is already public. Issue found and reported by
	    Felix Groebert of the Google Security Team.

	  - Fixes for the following low-severity issues were integrated into
	    LibreSSL from OpenSSL 1.0.1k:

	     CVE-2015-0205 - DH client certificates accepted without
	                     verification
	     CVE-2014-3570 - Bignum squaring may produce incorrect results
	     CVE-2014-8275 - Certificate fingerprints can be modified
	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.

	    The following CVEs were fixed in earlier LibreSSL releases:
	     CVE-2015-0206 - Memory leak handling repeated DTLS records
	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

	    The following CVEs did not apply to LibreSSL:
	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

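Server-side TLS_FALLBACK_SCSV support (the 2.1.4 item above) means the server inspects the ClientHello cipher list for the signaling suite value 0x5600 defined in RFC 7507 and, when the client also offers a protocol version below the server's maximum, aborts with an inappropriate_fallback alert instead of silently completing a downgraded handshake; scanners that probe for this behaviour expect exactly that alert. The C program below is an added example of that decision logic and not LibreSSL's implementation; the function names, version macros and the constructed cipher lists are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 7507 signaling cipher suite value and the alert it triggers. */
#define TLS_FALLBACK_SCSV		0x5600
#define TLS_ALERT_INAPPROPRIATE_FALLBACK	86

/* Protocol versions as they appear on the wire (major << 8 | minor). */
#define SSL3_VERSION	0x0300
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/*
 * Scan a ClientHello cipher_suites body (two octets per suite, len in
 * octets) for the fallback signaling suite. Suites are compared on
 * aligned pairs only, so a stray trailing octet is ignored.
 */
int
client_hello_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	for (i = 0; i + 1 < len; i += 2) {
		if (((suites[i] << 8) | suites[i + 1]) == TLS_FALLBACK_SCSV)
			return 1;
	}
	return 0;
}

/*
 * Server-side decision from RFC 7507 section 3: if the client marks this
 * hello as a fallback retry and offers a version lower than the highest
 * one the server supports, the handshake is aborted. Returns 0 to
 * continue the handshake, or the alert description to send.
 */
int
check_fallback_scsv(uint16_t client_version, uint16_t server_max_version,
    const uint8_t *suites, size_t len)
{
	if (!client_hello_has_fallback_scsv(suites, len))
		return 0;
	if (client_version < server_max_version)
		return TLS_ALERT_INAPPROPRIATE_FALLBACK;
	return 0;
}

/* Constructed ClientHello cipher_suites bodies (not captured traffic). */
static const uint8_t hello_with_scsv[] = {
	0xc0, 0x2f,	/* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
	0x00, 0x9c,	/* TLS_RSA_WITH_AES_128_GCM_SHA256 */
	0x56, 0x00,	/* TLS_FALLBACK_SCSV */
};
static const uint8_t hello_without_scsv[] = {
	0xc0, 0x2f,
	0x00, 0x9c,
};

/* A retry at TLS 1.0 against a TLS 1.2 server: the downgrade is refused. */
int
sample_fallback_retry_rejected(void)
{
	return check_fallback_scsv(TLS1_VERSION, TLS1_2_VERSION,
	    hello_with_scsv, sizeof(hello_with_scsv));
}

/* SCSV sent at the server's own maximum version: nothing to refuse. */
int
sample_scsv_at_max_version_allowed(void)
{
	return check_fallback_scsv(TLS1_2_VERSION, TLS1_2_VERSION,
	    hello_with_scsv, sizeof(hello_with_scsv));
}

/* A client that genuinely only speaks TLS 1.0 and sends no SCSV. */
int
sample_legacy_client_allowed(void)
{
	return check_fallback_scsv(TLS1_VERSION, TLS1_2_VERSION,
	    hello_without_scsv, sizeof(hello_without_scsv));
}

int
main(void)
{
	printf("fallback retry:   alert %d\n", sample_fallback_retry_rejected());
	printf("scsv at max ver:  alert %d\n", sample_scsv_at_max_version_allowed());
	printf("legacy client:    alert %d\n", sample_legacy_client_allowed());
	return 0;
}
```

The third sample shows why the check is safe to enable by default: a client that never supported a newer version sends no SCSV and is unaffected, while a client that was forced to retry after an interfered-with handshake is the only one that gets the alert.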
2.1.3 - Security update and OS support improvements
	* Fixed various memory leaks in DTLS, including fixes for
	  CVE-2015-0206.

	* Added Application-Layer Protocol Negotiation (ALPN) support.

	* Removed GOST R 34.10-94 signature authentication.

	* Removed nonfunctional Netscape browser-hang workaround code.

	* Simplified and refactored SSL/DTLS handshake code.

	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

	* Hide timing info about padding errors during handshakes.

	* Improved libtls support for non-blocking sockets, added randomized
	  session ID contexts. Work is ongoing with this library - feedback
	  and potential use-cases are welcome.

	* Support building Windows DLLs.
	  Thanks to Jan Engelhard.

	* Packaged config wrapper for better compatibility with OpenSSL-based
	  build systems.
	  Thanks to @technion from github

	* Ensure the stack is marked non-executable for assembly sections.
	  Thanks to Anthony G. Bastile.

	* Enable extra compiler hardening flags by default, where applicable.
	  The default set of hardening features can vary from OS to OS, so
	  feedback is welcome on this. To disable the default hardening flags,
	  specify '--disable-hardening' during configure.
	  Thanks to Jim Barlow

	* Initial HP-UX support, tested with HP-UX 11.31 ia64
	  Thanks to Kinichiro Inoguchi

	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
	  Imported from OpenNTPD, thanks to @gitisihara from github

2.1.2 - Many new features and improvements
	* Added reworked GOST cipher suite support
	   thanks to Dmitry Eremin-Solenikov

	* Enabled Camellia ciphers due to improved patent situation

	* Use builtin arc4random implementation on OS X and FreeBSD
	   this addresses some deficiencies in the native implementations of
	   these operating systems, see commit logs for more information

	* Added initial Windows mingw-w64 support (32 and 64-bit)
	   thanks to Song Dongsheng and others for code and feedback

	* Enabled assembly optimizations on x86_64 CPUs
	   supports Linux, *BSD, Solaris and OS X operating systems
	   thanks to Wouter Clarie for the initial implementation

	* Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)

	* Improved build infrastructure, 'make distcheck' now passes
	   this simplifies development and improves developer efficiency
	   thanks to Dmitry Eremin-Solenikov and Wouter Clarie

	* Allow conditional building of the libtls library
	   expect the API and ABI of the library to change
	   feedback is welcome

	* Fixes for more memory leaks, cleanups, etc.

2.1.1 - Security update
	* Address POODLE attack by disabling SSLv3 by default

	* Fix Elliptic Curve cipher selection bug
	  (https://github.com/libressl-portable/portable/issues/35)

2.1.0 - First release from the OpenBSD 5.7 tree
	* Added support for automatic ephemeral EC keys

	* Fixes for many memory leaks and overflows in error handlers

	* The TLS padding extension (that works around bugs in F5 terminators) is
	  off by default

	* support for getrandom(2) on Linux 3.17

	* the NO_ASM macro is no longer being set, providing the first bits toward
	  enabling other assembly offloads.

2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
	* CVE-2014-3506
	* CVE-2014-3507
	* CVE-2014-3508 (partially vulnerable)
	* CVE-2014-3509
	* CVE-2014-3510
	* CVE-2014-3511
	* Synced LibreSSL Portable with the release version of OpenBSD 5.6

2.0.4 - Portability fixes, deleted unused SRP code

2.0.3 - Portability fixes, improvements to fork detection

2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork

2.0.1 - Portability fixes:
	* Removed -Werror and other non-portable compiler flags

	* Allow setting OPENSSLDIR and ENGINESDIR

2.0.0 - First release from the OpenBSD 5.6 tree
	* Removal of many obsolete features and coding conventions from the OpenSSL
	  1.0.1h source