Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing following all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

    https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

    https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.5.2 - Stable release

    * Bug fixes
      - Avoid single byte overread in asn1_parse2().
      - Allow name constraints with a leading dot. From Alex Wilson.
      - Relax a check in x509_constraints_dirname() to allow prefixes.
        From Alex Wilson.
      - Fix NULL dereferences in openssl(1) cms option parsing.
      - Do not zero the computed cofactor on ec_guess_cofactor() success.
      - Bound cofactor in EC_GROUP_set_generator() to reduce the number of
        bogus groups that can be described with nonsensical parameters.
      - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
        memory conditions. Reported for HMAC by Masaru Masuda.
      - Plug leak in ASN1_TIME_adj_internal().
      - Avoid infinite loop for custom curves of order 1.
        Issue reported by Hanno Boeck, comments by David Benjamin.
      - Avoid an infinite loop on parsing DSA private keys by validating
        that the provided parameters conform to FIPS 186-4.
        Issue reported by Hanno Boeck, comments by David Benjamin.
    * Compatibility improvements
      - Allow non-standard name constraints of the form @domain.com.
    * Internal improvements
      - Limit OID text conversion to 64 bits per arc.
      - Clean up and simplify memory BIO code.
      - Reduce number of memmove() calls in memory BIOs.
      - Factor out alert handling code in the legacy stack.
      - Add sanity checks on p and q in old_dsa_priv_decode()
      - Cache the SHA-512 hash instead of the SHA-1 for CRLs.
      - Suppress various compiler warnings for old gcc versions.
      - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
      - Rework ownership handling in x509_constraints_validate().
      - Rework ASN1_STRING_set().
      - Remove const from tls1_transcript_hash_value().
      - Clean up and simplify ssl3_renegotiate{,_check}().
      - Rewrite legacy TLS and DTLS unexpected handshake message handling.
      - Simplify SSL_do_handshake().
      - Rewrite ASCII/text to ASN.1 object conversion.
      - Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
      - Split armv7 and aarch64 code into separate locations.
      - Rewrote openssl(1) ts to use the new option handling and cleaned
        up the C code.
      - Provide asn1_get_primitive().
      - Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
      - Remove the minimum record length checks from dtls1_read_bytes().
      - Clean up {dtls1,ssl3}_read_bytes().
      - Be more careful with embedded and terminating NULs in the new
        name constraints code.
      - Check EVP_Digest* return codes in openssl(1) ts
      - Various minor code cleanup in openssl(1) pkcs12
      - Use calloc() in pkey_hmac_init().
      - Simplify priv_key handling in d2i_ECPrivateKey().
    * Documentation improvements
      - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
        refactoring and bug fixes.
      - Fixed numerous minor grammar, spelling, wording, and punctuation
        issues.

3.5.1 - Security release

    * A malicious certificate can cause an infinite loop.
      Reported by and fix from Tavis Ormandy and David Benjamin, Google.

3.5.0 - Development release

    * New Features
      - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
        regression tests were added and the code was cleaned up.
      - Certificate Transparency was ported from OpenSSL. Many internal
        improvements were made, resulting in cleaner and safer code.
        Regress coverage was added. libssl does not yet make use of it.
    * Portable Improvements
      - Fixed various POSIX compliance and other portability issues
        found by the port to the Sortix operating system.
      - Add libmd as a platform-specific library for Solaris.
        Issue reported by (ihsan <at> opencsw org) on libressl ML.
      - Set IA-64 compiler flag only if it is HP-UX with IA-64.
        Suggested by Larkin Nickle (me <at> larbob org) on libressl ML.
      - Enabled and scheduled Coverity scan.
        Contributed by Ilya Shipitsin (chipitsine <at> gmail com) on GitHub.
    * Compatibility Changes
      - Most structs that were previously defined in the following headers
        are now opaque as they are in OpenSSL 1.1:
        bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
        x509.h, x509v3.h, x509_vfy.h
      - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_
        OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
        of using something consistent with the previous naming. Various
        test suites expect these names (instead of checking for the much
        more sensible cipher numbers). The old names are still accepted
        as aliases.
      - Subject alternative names and name constraints are now validated
        when they are added to certificates. Various interoperability
        problems with stacks that validate certificates more strictly
        than OpenSSL can be avoided this way.
      - Attempt to opportunistically use the host name for SNI in s_client
    * Bug fixes
      - In some situations, the verifier would discard the error on an
        unvalidated certificate chain. This would happen when the
        verification callback was in use, instructing the verifier to
        continue unconditionally. This could lead to incorrect decisions
        being made in software.
      - Avoid an infinite loop in SSL_shutdown()
      - Fix another return 0 bug in SSL_shutdown()
      - Handle zero byte reads/writes that trigger handshakes in the
        TLSv1.3 stack
      - A long standing memleak in libtls CRL handling was fixed
    * Internal Improvements
      - Cache the SHA-512 hash instead of the SHA-1 hash and cache
        notBefore and notAfter times when X.509 certificates are parsed.
      - The X.509 lookup code has been simplified and cleaned up.
      - Fixed numerous issues flagged by Coverity and the cryptofuzz
        project
      - Increased the number of Miller-Rabin checks in DH and DSA
        key/parameter generation
      - Started using the bytestring API in libcrypto for cleaner and
        safer code
      - Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
        ASN1
      - Convert ASN1_OBJECT_new() to calloc()
      - Convert ASN1_STRING_type_new() to calloc()
      - Rewrite ASN1_STRING_cmp()
      - Use calloc() for X509_CRL_METHOD_new() instead of malloc()
      - Convert ASN1_PCTX_new() to calloc()
      - Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
        function
      - Consolidate {d2i,i2d}_{pr,pu}.c
      - Remove handling of a NULL BUF_MEM from asn1_collect()
      - Pull the recursion depth check up to the top of asn1_collect()
      - Inline collect_data() in asn1_collect()
      - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
      - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
      - Consolidate ASN.1 universal tag type data
      - Rewrite ASN.1 identifier/length parsing in CBS
      - Make OBJ_obj2nid() work correctly with NID_undef
      - tlsext_tick_lifetime_hint is now a uint32_t
      - Untangle ssl3_get_message() return values
      - Rename tls13_buffer to tls_buffer
      - Fold DTLS_STATE_INTERNAL into DTLS1_STATE
      - Provide a way to determine our maximum legacy version
      - Mop up enc_read_ctx and read_hash
      - Fold SSL_SESSION_INTERNAL into SSL_SESSION
      - Use ssl_force_want_read in the DTLS code
      - Add record processing limit to DTLS code
      - Add explicit CBS_contains_zero_byte() check in CBS_strdup()
      - Improve SNI hostname validation
      - Ensure SSL_set_tlsext_host_name() is given a valid hostname
      - Fix a strange check in the auto DH codepath
      - Factor out/rewrite DHE key exchange
      - Convert server serialisation of DHE parameters/public key to new
        functions
      - Check DH public key in ssl_kex_peer_public_dhe()
      - Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
      - Clean up and refactor server side DHE key exchange
      - Provide CBS_get_last_u8()
      - Provide CBS_get_u64()
      - Provide CBS_add_u64()
      - Provide various CBS_peek_* functions
      - Use CBS_get_last_u8() to find the content type in TLSv1.3 records
      - unifdef TLS13_USE_LEGACY_CLIENT_AUTH
      - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
      - Only allow zero length key shares when we know we're doing HRR
      - Pull key share group/length CBB code up from
        tls13_key_share_public()
      - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
        validation
      - Return 0 on failure from send/get kex functions in the legacy
        stack
      - Rename tls13_key_share to tls_key_share
      - Allocate and free the EVP_AEAD_CTX struct in
        tls13_record_protection
      - Convert legacy TLS client to tls_key_share
      - Convert legacy TLS server to tls_key_share
      - Stop attempting to duplicate the public and private key of dh_tmp
      - Rename dh_tmp to dhe_params
      - Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
      - Clean up pkey handling in ssl3_get_server_key_exchange()
      - Fix GOST skip certificate verify handling
      - Simplify tlsext_keyshare_server_parse()
      - Plumb decode errors through key share parsing code
      - Simplify SSL_get_peer_certificate()
      - Cleanup/simplify ssl_cert_type()
      - The S3I macro was removed
      - The openssl(1) cms and smime subcommands option handling was
        converted and the C source was cleaned up.
    * Documentation improvements
      - 45 new manual pages, most of which were written from scratch.
        Documentation coverage of ASN.1 and X.509 code has been
        significantly improved.
    * API additions and removals
      - libssl
        API additions
          SSL_get0_verified_chain SSL_peek_ex SSL_read_ex SSL_write_ex
        API stubs for compatibility
          SSL_CTX_get_keylog_callback SSL_CTX_get_num_tickets
          SSL_CTX_set_keylog_callback SSL_CTX_set_num_tickets
          SSL_get_num_tickets SSL_set_num_tickets
      - libcrypto
        added API (some of these were previously available as macros):
          ASIdOrRange_free ASIdOrRange_new ASIdentifierChoice_free
          ASIdentifierChoice_new ASIdentifiers_free ASIdentifiers_new
          ASN1_TIME_diff ASRange_free ASRange_new BIO_get_callback_ex
          BIO_get_init BIO_set_callback_ex BIO_set_next
          BIO_set_retry_reason BN_GENCB_set BN_GENCB_set_old
          BN_abs_is_word BN_get_flags BN_is_negative
          BN_is_odd BN_is_one BN_is_word BN_is_zero BN_set_flags
          BN_to_montgomery BN_with_flags BN_zero_ex CTLOG_STORE_free
          CTLOG_STORE_get0_log_by_id CTLOG_STORE_load_default_file
          CTLOG_STORE_load_file CTLOG_STORE_new CTLOG_free
          CTLOG_get0_log_id CTLOG_get0_name CTLOG_get0_public_key
          CTLOG_new CTLOG_new_from_base64 CT_POLICY_EVAL_CTX_free
          CT_POLICY_EVAL_CTX_get0_cert CT_POLICY_EVAL_CTX_get0_issuer
          CT_POLICY_EVAL_CTX_get0_log_store CT_POLICY_EVAL_CTX_get_time
          CT_POLICY_EVAL_CTX_new CT_POLICY_EVAL_CTX_set1_cert
          CT_POLICY_EVAL_CTX_set1_issuer
          CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE
          CT_POLICY_EVAL_CTX_set_time DH_get0_g DH_get0_p DH_get0_priv_key
          DH_get0_pub_key DH_get0_q DH_get_length DSA_bits DSA_get0_g
          DSA_get0_p DSA_get0_priv_key DSA_get0_pub_key DSA_get0_q
          ECDSA_SIG_get0_r ECDSA_SIG_get0_s EVP_AEAD_CTX_free
          EVP_AEAD_CTX_new EVP_CIPHER_CTX_buf_noconst
          EVP_CIPHER_CTX_get_cipher_data EVP_CIPHER_CTX_set_cipher_data
          EVP_MD_CTX_md_data EVP_MD_CTX_pkey_ctx EVP_MD_CTX_set_pkey_ctx
          EVP_MD_meth_dup EVP_MD_meth_free EVP_MD_meth_new
          EVP_MD_meth_set_app_datasize EVP_MD_meth_set_cleanup
          EVP_MD_meth_set_copy EVP_MD_meth_set_ctrl EVP_MD_meth_set_final
          EVP_MD_meth_set_flags EVP_MD_meth_set_init
          EVP_MD_meth_set_input_blocksize EVP_MD_meth_set_result_size
          EVP_MD_meth_set_update EVP_PKEY_asn1_set_check
          EVP_PKEY_asn1_set_param_check EVP_PKEY_asn1_set_public_check
          EVP_PKEY_check EVP_PKEY_meth_set_check
          EVP_PKEY_meth_set_param_check EVP_PKEY_meth_set_public_check
          EVP_PKEY_param_check EVP_PKEY_public_check FIPS_mode
          FIPS_mode_set IPAddressChoice_free IPAddressChoice_new
          IPAddressFamily_free IPAddressFamily_new IPAddressOrRange_free
          IPAddressOrRange_new IPAddressRange_free IPAddressRange_new
          OBJ_get0_data OBJ_length OCSP_resp_get0_certs OCSP_resp_get0_id
          OCSP_resp_get0_produced_at OCSP_resp_get0_respdata
          OCSP_resp_get0_signature OCSP_resp_get0_signer
          OCSP_resp_get0_tbs_sigalg PEM_write_bio_PrivateKey_traditional
          RSA_get0_d RSA_get0_dmp1 RSA_get0_dmq1 RSA_get0_e RSA_get0_iqmp
          RSA_get0_n RSA_get0_p RSA_get0_pss_params RSA_get0_q
          SCT_LIST_free SCT_LIST_print SCT_LIST_validate SCT_free
          SCT_get0_extensions SCT_get0_log_id SCT_get0_signature
          SCT_get_log_entry_type SCT_get_signature_nid SCT_get_source
          SCT_get_timestamp SCT_get_validation_status SCT_get_version
          SCT_new SCT_new_from_base64 SCT_print SCT_set0_extensions
          SCT_set0_log_id SCT_set0_signature SCT_set1_extensions
          SCT_set1_log_id SCT_set1_signature SCT_set_log_entry_type
          SCT_set_signature_nid SCT_set_source SCT_set_timestamp
          SCT_set_version SCT_validate SCT_validation_status_string
          X509_OBJECT_free X509_OBJECT_new X509_REQ_get0_pubkey
          X509_SIG_get0 X509_SIG_getm X509_STORE_CTX_get_by_subject
          X509_STORE_CTX_get_num_untrusted
          X509_STORE_CTX_get_obj_by_subject X509_STORE_CTX_get_verify
          X509_STORE_CTX_get_verify_cb X509_STORE_CTX_set0_verified_chain
          X509_STORE_CTX_set_current_cert X509_STORE_CTX_set_error_depth
          X509_STORE_CTX_set_verify X509_STORE_get_verify
          X509_STORE_get_verify_cb X509_STORE_set_verify
          X509_get_X509_PUBKEY X509_get_extended_key_usage
          X509_get_extension_flags X509_get_key_usage
          X509v3_addr_add_inherit X509v3_addr_add_prefix
          X509v3_addr_add_range X509v3_addr_canonize X509v3_addr_get_afi
          X509v3_addr_get_range X509v3_addr_inherits
          X509v3_addr_is_canonical X509v3_addr_subset
          X509v3_addr_validate_path X509v3_addr_validate_resource_set
          X509v3_asid_add_id_or_range X509v3_asid_add_inherit
          X509v3_asid_canonize X509v3_asid_inherits
          X509v3_asid_is_canonical X509v3_asid_subset
          X509v3_asid_validate_path X509v3_asid_validate_resource_set
          d2i_ASIdOrRange d2i_ASIdentifierChoice d2i_ASIdentifiers
          d2i_ASRange d2i_IPAddressChoice d2i_IPAddressFamily
          d2i_IPAddressOrRange d2i_IPAddressRange d2i_SCT_LIST
          i2d_ASIdOrRange i2d_ASIdentifierChoice i2d_ASIdentifiers
          i2d_ASRange i2d_IPAddressChoice i2d_IPAddressFamily
          i2d_IPAddressOrRange i2d_IPAddressRange i2d_SCT_LIST
          i2d_re_X509_CRL_tbs i2d_re_X509_REQ_tbs i2d_re_X509_tbs i2o_SCT
          i2o_SCT_LIST o2i_SCT o2i_SCT_LIST
        removed API:
          ASN1_check_infinite_end ASN1_const_check_infinite_end EVP_dss
          EVP_dss1 EVP_ecdsa HMAC_CTX_cleanup HMAC_CTX_init
          NETSCAPE_ENCRYPTED_PKEY_free NETSCAPE_ENCRYPTED_PKEY_new
          NETSCAPE_PKEY_free NETSCAPE_PKEY_new NETSCAPE_X509_free
          NETSCAPE_X509_new OBJ_bsearch_ex_ PEM_SealFinal PEM_SealInit
          PEM_SealUpdate PEM_read_X509_CERT_PAIR
          PEM_read_bio_X509_CERT_PAIR PEM_write_X509_CERT_PAIR
          PEM_write_bio_X509_CERT_PAIR X509_CERT_PAIR_free
          X509_CERT_PAIR_new X509_OBJECT_free_contents asn1_do_adb
          asn1_do_lock asn1_enc_free asn1_enc_init asn1_enc_restore
          asn1_enc_save asn1_ex_c2i asn1_get_choice_selector
          asn1_get_field_ptr asn1_set_choice_selector check_defer
          d2i_ASN1_BOOLEAN d2i_NETSCAPE_ENCRYPTED_PKEY d2i_NETSCAPE_PKEY
          d2i_NETSCAPE_X509 d2i_Netscape_RSA d2i_RSA_NET
          d2i_X509_CERT_PAIR i2d_ASN1_BOOLEAN i2d_NETSCAPE_ENCRYPTED_PKEY
          i2d_NETSCAPE_PKEY i2d_NETSCAPE_X509 i2d_Netscape_RSA i2d_RSA_NET
          i2d_X509_CERT_PAIR name_cmp obj_cleanup_defer

3.4.1 - Stable release

    * New Features
      - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
      - Enabled the new X.509 validator to allow verification of
        modern certificate chains.
    * Portable Improvements
      - Ported continuous integration and test infrastructure to GitHub
        Actions.
      - Added Universal Windows Platform (UWP) build support.
      - Fixed mingw-w64 builds on newer versions with missing SSP support.
      - Added non-executable stack annotations for CMake builds.
    * API and Documentation Enhancements
      - Added the following APIs from OpenSSL
          BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
          EC_GROUP_order_bits EC_GROUP_set_curve
          EC_POINT_get_affine_coordinates
          EC_POINT_set_affine_coordinates
          EC_POINT_set_compressed_coordinates EVP_DigestSign
          EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
          SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
          SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
          SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
          SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
          SSL_SESSION_set_max_early_data SSL_get_early_data_status
          SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
          SSL_set_ciphersuites SSL_set_max_early_data
          SSL_set_post_handshake_auth
          SSL_set_psk_use_session_callback
          SSL_verify_client_post_handshake SSL_write_early_data
      - Added AES-GCM constants from RFC 7714 for SRTP.
    * Compatibility Changes
      - Implement flushing behavior for TLSv1.3 handshakes, needed for Apache.
      - Call the info callback on connect/accept exit in TLSv1.3,
        needed for p5-Net-SSLeay.
      - Default to using named curve parameter encoding from
        pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
      - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
    * Testing and Proactive Security
      - Added additional state machine test coverage.
      - Improved integration test support with ruby/openssl tests.
      - Error codes and callback support in new X.509 validator made
        compatible with p5-Net-SSLeay tests.
    * Internal Improvements
      - Numerous fixes and improvements to the new X.509 validator to
        ensure error codes and callback support are compatible
        with the legacy OpenSSL validator.

3.4.0 - Development release

    * Add support for OpenSSL 1.1.1 TLSv1.3 APIs.

    * Enable new x509 validator.

    * More details to come, testing is appreciated.

3.3.5 - Security fix

    * A stack overread could occur when checking X.509 name constraints.
      From GoldBinocle on GitHub.

    * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
      This compensates for the expiry of the DST Root X3 certificate.

3.3.4 - Security fix

    * In LibreSSL, printing a certificate can result in a crash in
      X509_CERT_AUX_print().
      From Ingo Schwarze

    * Ensure GNU-stack is set on ELF platforms when building with CMake to
      enable non-executable stack annotations for the GNU toolchain.
      From Tobias Heider

3.3.3 - Stable release

    * This is the first stable release from the 3.3.x series.
      There are no changes from 3.3.2.

3.3.2 - Development release

    * This release adds support for DTLSv1.2 and continues the rewrite
      of the record layer for the legacy stack. Numerous bugs and
      interoperability issues were fixed in the new verifier. A few bugs
      and incompatibilities remain, so this release uses the old verifier
      by default. The OpenSSL 1.1 TLSv1.3 API is not yet available.

    * Switch finish{,_peer}_md_len from an int to a size_t.

    * Make SSL_get{,_peer}_finished() work when used with TLSv1.3.

    * Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
      for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
      was a historical artefact.

    * Correct the return value type from ERR_peek_error() to a long.

    * Avoid use of uninitialized memory in ASN1_time_parse() which could
      happen on parsing UTCTime if the caller did not initialise the passed
      struct tm.

    * Destroy the mutex in a tls_config object on tls_config_free().

    * Free alert_data and phh_data in tls13_record_layer_free();
      these could leak if SSL_shutdown() or tls_close() were called
      after closing the underlying socket().

    * Free struct members in tls13_record_layer_free() in their natural
      order for reviewability.

    * Gracefully handle root certificates being both trusted and
      untrusted.

    * Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
      verifier.

    * Use the legacy verifier when building auto chains for TLS.

    * Use consistent names in tls13_{client,server}_finished_{recv,send}().

    * Add tls13_secret_{init,cleanup}() and use them throughout the
      TLSv1.3 code base.

    * Move the read MAC key into the TLSv1.2 record layer.

    * Make tls12_record_layer_free() NULL safe.

    * Search the intermediates only after searching the root certs in the
      new verifier to avoid problems with the legacy callback.

    * Bail out early after finding a single chain in the new verifier, if
      we have been called via the legacy verifier API.

    * Set (invalid and likely incomplete) chain on the xsc on chain build
      failure prior to calling the callback. This is required by various
      callers, including auto chain.

    * Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
      that it never returned server ciphers, so now it will fail when
      called from the client side.

    * Add support for SSL_get_shared_ciphers() with TLSv1.3.

    * Split the record protection from the TLSv1.2 record layer.

    * Clean up sequence number handling in the new TLSv1.2 record layer.

    * Clean up sequence number handling in DTLS.

    * Clean up dtls1_reset_seq_numbers().

    * Factor out code for explicit IV length, block size and MAC length
      from tls12_record_layer_open_record_protected_cipher().

    * Provide record layer overhead for DTLS.

    * Provide functions to determine if TLSv1.2 record protection is
      engaged.

    * Add code to handle change of cipher state in the new TLSv1.2 record
      layer.

    * Mop up now unused dtls1_build_sequence_numbers() function.

    * Allow setting a keypair on a tls context without specifying the
      private key, and fake it internally in libtls. This removes the
      need for privsep engines like relayd to use bogus keys.

    * Skip the private key check for fake private keys.

    * Move the private key setup from tls_configure_ssl_keypair() to a
      helper function with proper error checking.

    * Change the internal tls_configure_ssl_keypair() function to
      return -1 instead of 1 on failure.

    * Move sequence numbers into the new TLSv1.2 record layer.

    * Move AEAD handling into the new TLSv1.2 record layer.

    * Remove direct assignment of aead_ctx to avoid a leak.

    * Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
      draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.

    * Fail early in legacy exporter if the master secret is not available
      to avoid a segfault if it is called when the handshake is not
      completed.

    * Factor out legacy stack version checks.

    * Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
      were originally added with the default handshake MAC and PRF rather
      than the SHA256 handshake MAC and PRF.

    * Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().

    * Use dtls1_record_retrieve_buffered_record() to load buffered
      application data.

    * Enforce read ahead with DTLS.

    * Remove bogus DTLS checks that disabled ECC and OCSP.

    * Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".

    * Only print the certificate file once on verification failure.

    * Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.

    * Clean up and simplify dtls1_get_cipher().

    * Group HelloVerifyRequest decoding and add missing check for trailing
      data.

    * Revise HelloVerifyRequest handling for DTLSv1.2.

    * Handle DTLS1_2_VERSION in various places.

    * Add DTLSv1.2 methods.

    * Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
      zero if the minimum or maximum has been set to zero to match
      OpenSSL's behavior.

    * Rename the "truncated" label into "decode_err" and the "f_err"
      label into "fatal_err".

    * Factor out and change some of the legacy client version code.

    * Simplify version checks in the TLSv1.3 client. Ensure that the
      server announced TLSv1.3 and nothing higher and check that the
      legacy_version is set to TLSv1.2 as required by RFC 8446.

    * Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
      the new validator checks for EXFLAG_CRITICAL in
      x509_vfy_check_chain_extension() for all untrusted certs in the
      chain. Take into account that the root is not necessarily trusted.

    * Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.

    * Rename depth to num_untrusted.

    * Only use TLS versions internally rather than both TLS and DTLS
      versions since the latter are the one's complement of the human
      readable version numbers, which means that newer versions decrease
      in value.

    * Fix two bugs in the legacy verifier that resulted from refactoring
      of X509_verify_cert() for the new verifier: a return value was
      incorrectly treated as boolean, making it insufficient to decide
      whether validation should carry on or not.

    * Identify DTLS based on the version major value.

    * Move handling of cipher/hash based cipher suites into the new record
      layer.

    * Add tls12_record_protection_unused() and call it from CCS functions.

    * Move key/IV length checks closer to usage sites. Also add explicit
      checks against EVP_CIPHER_{iv,key}_length().

    * Replace two handrolled tls12_record_protection_engaged().

    * Improve internal version handling: add handshake fields for our
      minimum version, our maximum version and the TLS version negotiated
      during the handshake. Convert most of the internal code to use these
      version fields.

    * Guard against future internal use of TLS1_get_{client,}_version()
      macros.

    * Remove the internal ssl_downgrade_max_version() function which is no
      longer needed.

    * Fix checks for memory caps of constraints names. There are internal
      caps on the number of name constraints and other names, that the new
      name constraints code allocates per cert chain. These limits were
      checked too late, making them only partially effective.

    * Use EXFLAG_INVALID to handle out of memory and parse errors in
      x509v3_cache_extensions().

    * Add support for DTLSv1.2 version handling.

    * Enable DTLSv1.2 support.

    * Add DTLSv1.2 support to openssl s_client/s_server.

    * Remove no longer needed read ahead workarounds in the s_client and
      s_server.

    * Fix a copy-paste error - skid was confused with an akid when
      checking for EXFLAG_INVALID. This broke OCSP validation with
      certain mirrors.

    * Make supported protocols and options for DHE params more prominent
      in tls_config_set_protocols.3.

    * Avoid a use-after-scope in tls13_cert_add().

    * Split TLSv1.3 record protection from record layer.

    * Move the TLSv1.3 handshake struct inside the shared handshake
      struct.

    * Fully initialize rrec in tls12_record_layer_open_record_protected()
      to avoid confusing some static analyzers.

    * Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
      does not set errno.

    * Convert openssl(1) x509 to new option handling and do the usual
      clean up that goes along with it.

    * Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

    * Rename new_cipher to cipher to align naming with keyblock or other
      parts of the handshake data.

    * Avoid mangled output in BIO_debug_callback().

    * Fix client initiated renegotiation by replacing use of
      s->internal->type with s->server.

    * Move the TLSv1.2 record number increment into the new record layer.

    * Move finished and peer finished into the handshake struct.

    * Avoid transcript initialization when sending a TLS HelloRequest,
      fixing server initiated renegotiation.

    * Remove pointless assignment in SSL_get0_alpn_selected().

    * Provide EVP_PKEY_new_CMAC_key(3).

    * Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.

    * Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
      logging.

    * Avoid leaking param->name in x509_verify_param_zero().

    * Avoid a leak in an error path in openssl(1) x509.

    * Add some error checking to openssl(1) x509.

    * When sending an alert in TLSv1.3, only set its error code when no
      other error was set previously. Certain clients rely on specific
      SSL_R_ error codes to identify that they are dealing with a self
      signed cert.

    * Switch to the legacy verifier for the stable release.

    * Provide SSL_use_certificate_chain_file(3).

    * Provide SSL_set_hostflags(3) and SSL_get0_peername(3).

    * Provide various DTLSv1.2 specific functions and defines.

    * Document meaning of '*' in the genrsa output.

    * Updated documentation for SSL_get_shared_ciphers(3).

    * Add documentation for SSL_get_finished(3).

    * Document EVP_PKEY_new_CMAC_key(3)

    * Document SSL_use_certificate_chain_file(3).

    * Document SSL_set_hostflags(3) and SSL_get0_peername(3).

    * Update SSL_get_version.3 manual for DTLSv1.2 support.

    * Added '--enable-libtls-only' build option, which builds and installs a
      statically-linked libtls, skipping libcrypto and libssl. This is useful
      for systems that ship with OpenSSL but wish to also package libtls.

3.3.1 - Security fix

    * Malformed ASN.1 in a certificate revocation list or a timestamp
      response token can lead to a NULL pointer dereference.

    Bug fixes

    * Move point-on-curve check to set_affine_coordinates to avoid
      verifying ECDSA signatures with unchecked public keys.

    * Fix SSL_is_server() to behave as documented by re-introducing the
      client-specific methods.

    * Avoid undefined behavior due to memcpy(NULL, NULL, 0).

    * Mark a few more internal static tables const.

3.3.0 - Development release

* Make openssl(1) s_server ignore -4 and -6 for compatibility with
  OpenSSL.

* Further cleanup of the DTLS record handling.

* Continue the replacement of the TLSv1.2 record layer by
  reimplementing the read side of the TLSv1.2 record handling.

* Replace DTLSv1_enc_data() with TLSv1_1_enc_data().

* Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.

* When switching from the TLSv1.3 stack to the legacy stack include
  a TLS record header. This is necessary if there is more than one
  handshake message in the TLS plaintext record.

* Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
  command.

* Fix resource handling on error in OCSP_request_add0_id().

* Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
  .data.rel.ro and .rodata, respectively.

* Add a const qualifier to srtp_known_profiles.

* Simplify TLS method by removing the client and server specific
  methods internally.

* Avoid casting away const in ssl_ctx_make_profiles().

* Make sure there is enough room for stashing the handshake message
  when switching to the legacy TLS stack.

* Avoid explicitly conditioning an assert on DTLS1_VERSION to make
  the assert work for newer DTLS versions.

* Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.

* Send a host header with OCSP queries to make openssl(1) ocsp
  work with some widely used OCSP responders.

* Fix a memory leak in the openssl(1) s_client.

* Add a flag to mark DTLS methods as DTLS to have an easy way to
  recognize DTLS methods that avoids inspecting the version number.

* Implement SSL_is_dtls() and use it internally in place of the
  SSL_IS_DTLS macro.

* Unbreak DTLS retransmissions for flights that include a CCS.

* Add ability to ocspcheck(8) to parse a port in the specified
  OCSP URL.

* Refactor and clean up ocspcheck(8) and add regression tests.

* If x509_verify() fails, ensure that the error is set on both
  the x509_verify_ctx() and its store context to make some failures
  visible from SSL_get_verify_result().

* Use the X509_STORE_CTX get_issuer() callback from the new X.509
  verifier to fix hashed certificate directories.

* Only check BIO_should_read() on read and BIO_should_write() on
  write. Previously, BIO_should_write() was also checked after read
  and BIO_should_read() after write which could cause stalls in
  software that uses the same BIO for read and write.

* In openssl(1) verify, also check for error on the store context
  since the return value of X509_verify_cert() is unreliable in
  presence of a callback that returns 1 too often.

* Update getentropy on Windows to use Cryptography Next Generation
  (CNG). wincrypt is deprecated and no longer works with newer Windows
  environments, such as in Windows Store apps.

* Implement auto chain for the TLSv1.3 server since some software
  relies on this.

* Handle additional certificate error cases in the new X.509 verifier.
  Keep track of the errors encountered if a verify callback tells the
  verifier to continue and report them back via the error on the store
  context. This mimics the behavior of the old verifier that would
  persist the first error encountered while building the chain.

* Report specific failures for "self signed certificates" in a way
  compatible with the old verifier since software relies on the
  error code.

* Implement key exporter for TLSv1.3.

* Plug a large memory leak in the new verifier caused by calling
  X509_policy_check() repeatedly.

* Avoid leaking memory in x509_verify_chain_dup().

* Various documentation improvements, particularly around TLS methods.

3.2.3 - Security fix

* Malformed ASN.1 in a certificate revocation list or a timestamp
  response token can lead to a NULL pointer dereference.

3.2.2 - Stable release

* This is the first stable release with the new TLSv1.3
  implementation enabled by default for both client and server. The
  OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
  in an upcoming release.

* New X509 certificate chain validator that correctly handles
  multiple paths through intermediate certificates. Loosely based on
  Go's X509 validator.

* New name constraints verification implementation which passes the
  bettertls.com certificate validation check suite.

* Improve the handling of BIO_read()/BIO_write() failures in the
  TLSv1.3 stack.

* Start replacing the existing TLSv1.2 record layer.

* Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

* Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

* Send alert on ssl_get_prev_session() failure.

* Zero out variable on the stack to avoid leaving garbage in the tail
  of short session IDs.

* Move state initialization from SSL_clear() to ssl3_clear() to ensure
  that it gets correctly reinitialized across a SSL_set_ssl_method()
  call.

* Avoid an out-of-bounds write in BN_rand().

* Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
  the code in ui_lib.c.

* Correctly track selected ALPN length to avoid a potential segmentation
  fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

* Include machine/endian.h in gost2814789.c in order to pick up the
  __STRICT_ALIGNMENT define.

* Simplify SSL method lookups.

* Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
  SSL_set_ssl_method() and several internal functions.

* Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

* Refactor dtls1_new(), dtls1_hm_fragment_new(),
  dtls1_drain_fragments(), dtls1_clear_queues().

* Copy the session ID directly in ssl_get_prev_session() instead of
  handing it through several functions for copying.

* Clean up and refactor ssl_get_prev_session(); simplify
  tls_decrypt_ticket() and tls1_process_ticket() exit paths.

* Avoid memset() before memcpy() in CBS_add_bytes().

* Rewrite X509_INFO_{new,free}() more idiomatically.

* Remove unnecessary zeroing after recallocarray() in
  ASN1_BIT_STRING_set_bit().

* Convert openssl(1) ocsp new option handling.

* Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

* Document return value from EC_KEY_get0_public_key(3).

* Greatly expanded test coverage via the tlsfuzzer test scripts.

* Expanded test coverage via the bettertls certificate test suite.

* Test interoperability with the Botan TLS client.

* Make pthread_mutex static initialisation work on Windows.

* Get __STRICT_ALIGNMENT from machine/endian.h with portable build.

3.2.1 - Development release

* Propagate alerts from the read half of the TLSv1.3 record layer to I/O
  functions.

* Send a record overflow alert for TLSv1.3 messages having overlong
  plaintext or inner plaintext.

* Send an illegal parameter alert if a client sends an invalid DH key
  share.

* Document PKCS7_final(3), PKCS7_add_attribute(3).

* Collapse x509v3 directory into x509.

* Improve TLSv1.3 client certificate selection to allow EC certificates
  instead of only RSA certificates.

* Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
  of constructing a broken object that may cause NULL pointer accesses.

* Add support for additional GOST curves from RFC 7836 and
  draft-deremin-rfc4491-bis.

* Add OIDs for HMAC using the Streebog hash function.

* Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

* Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

* Handle GOST in ssl_cert_dup().

* Stop sending GOST R 34.10-94 as a CertificateType.

* Use IANA allocated GOST ClientCertificateTypes.

* Add a custom copy handler for AES keywrap to fix a use-after-free.

* Enforce in the TLSv1.3 server that ClientHello messages after
  a HelloRetryRequest match the original ClientHello as per RFC 8446
  section 4.1.2.

* Document more PKCS7 attribute functions.

* Document PKCS7_get_signer_info(3).

* Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

* Document PEM_def_callback(3).

* Document EVP_read_pw_string_min(3).

* Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

* Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3).

* Document X509_get0_pubkey_bitstr(3).

* Fix an off-by-one in the CBC padding removal. From BoringSSL.

* Enforce restrictions on extensions present in the ClientHello as per
  RFC 8446, section 9.2.

* Add new CMAC_Init(3) and ChaCha(3) manual pages.

* Fix SSL_shutdown behavior to match the legacy stack. The previous
  behavior could cause a hang.

* Add initial support for openbsd/powerpc64.

* Make the message type available in the internal TLS extensions API
  functions.

* Enable TLSv1.3 for the generic TLS_method().

* Convert openssl(1) s_client option handling.

* Document openssl(1) certhash.

* Convert openssl(1) verify option handling.

* Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
  use-after-free and double-free issues in calling programs.

* Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).

* Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

* Convert openssl(1) s_server option handling.

* Add minimal info callback support for TLSv1.3.

* Refactor, clean up and simplify some SSL3/DTLS1 record writing code.

* Correctly handle server requests for an OCSP response.

* Add the P-521 curve to the list of curves supported by default
  in the client.

* Convert openssl(1) req option handling.

* Avoid calling freezero with a negative size if a server sends a
  malformed plaintext of all zeroes.

* Send an unexpected message alert if no valid content type is found
  in a TLSv1.3 record.

3.2.0 - Development release

* Enable TLS 1.3 server side in addition to client by default.
  With this change TLS 1.3 is handled entirely on the new stack
  and state machine, with fallback to the legacy stack and
  state machine for older versions. Note that the OpenSSL TLS 1.3
  API is not yet visible/available.

* Improve length checks in the TLS 1.3 record layer and provide
  appropriate alerts for violations of record layer limits.

* Enforce that SNI hostnames received by the TLS server are correctly
  formed as per RFC 5890 and RFC 6066, responding with illegal parameter
  for a nonconformant host name.

* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
  retry of handshake messages.

* Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
  similar to new OpenSSL releases.

* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
  various commands.

* Add tlsfuzzer based regression tests.

* Support sending certificate status requests from the TLS 1.3
  client to request OCSP staples for leaf certificates.

* Support sending certificate status replies from the TLS 1.3 server
  in order to send OCSP staples for leaf certificates.

* Send correct alerts when handling failed key share extensions
  on the TLS 1.3 server.

* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
  switching from the new to legacy stacks.

* Support TLS 1.3 options in the openssl(1) command.

* Many alert cleanups in TLS 1.3 to provide expected alerts in failure
  conditions.

* Modify "openssl x509" to display invalid certificate times as
  invalid, and correctly deal with the failing return case from
  X509_cmp_time so that a certificate with an invalid NotAfter does
  not appear valid.

* Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
  compatibility.

* Ensure only PSS signatures are used with RSA in TLS 1.3.

* Ensure that TLS 1.3 clients advertise exactly the "null" compression
  method in their legacy_compression_methods.

* Correct use of sockaddr_storage instead of sockaddr in openssl(1)
  s_client, which could lead to using 14 bytes of stack garbage instead
  of an IPv6 address in DTLS mode.

* Use non-expired certificates first when building a certificate chain.

3.1.5 - Security fix

* Malformed ASN.1 in a certificate revocation list or a timestamp
  response token can lead to a NULL pointer dereference.

3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

* Improve client certificate selection to allow EC certificates
  instead of only RSA certificates.

* Do not error out if a TLSv1.3 server requests an OCSP response as
  part of a certificate request.

* Fix SSL_shutdown behavior to match the legacy stack. The previous
  behaviour could cause a hang.

* Fix a memory leak and add a missing error check in the handling of
  the key update message.

* Fix a memory leak in tls13_record_layer_set_traffic_key.

* Avoid calling freezero with a negative size if a server sends a
  malformed plaintext of all zeroes.

* Ensure that only PSS may be used with RSA in TLSv1.3 in order
  to avoid using PKCS1-based signatures.

* Add the P-521 curve to the list of curves supported by default
  in the client.

3.1.3 - Bug fix

* libcrypto may fail to build a valid certificate chain due to
  expired untrusted issuer certificates.

3.1.2 - Bug fix

* A TLS client with peer verification disabled may crash when
  contacting a server that sends an empty certificate list.

3.1.1 - Stable release

* Improved cipher suite handling to automatically include TLSv1.3
  cipher suites when they are not explicitly referred to in the
  cipher string.

* Improved handling of TLSv1.3 HelloRetryRequests, simplifying
  state transitions and ensuring that the legacy session identifier
  retains the same value across the handshake.

* Provided TLSv1.3 cipher suite aliases to match the names used
  in RFC 8446.

* Improved TLSv1.3 client key share handling to allow the use of
  any groups in our configured NID list.

* Fixed printing of the serialNumber with X509_print_ex() to fall back
  to colon-separated hex bytes when the value is greater than an int.

* Fix to disallow setting the AES-GCM IV length to zero.

* Added -groups option to openssl(1) s_server subcommand.

* Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.

* Improved portable builds to support the use of static MSVC runtimes.

* Fixed portable builds to avoid exporting a sleep() symbol.

3.1.0 - Development release

* Completed initial TLS 1.3 implementation with a completely new state
  machine and record layer. TLS 1.3 is now enabled by default for the
  client side, with the server side to be enabled in a future release.
  Note that the OpenSSL TLS 1.3 API is not yet visible/available.

* Many more code cleanups, fixes, and improvements to memory handling
  and protocol parsing.

* Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.

* Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
  1.1.1 and enabled by default.

* Improved compatibility by backporting functionality and documentation
  from OpenSSL 1.1.1.

* Added many new additional crypto test vectors.

* Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

* Default CA bundle location is now configurable in portable builds.

* Added cms subcommand to openssl(1).

* Added -addext option to openssl(1) req subcommand.

3.0.2 - Stable release

* Use a valid curve when constructing an EC_KEY that looks like X25519.
  The recent EC group cofactor change results in stricter validation,
  which causes the EC_GROUP_set_generator() call to fail.
  Issue reported and fix tested by rsadowski@

* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
  (Note that the CMS code is currently disabled)
  Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)

* Avoid a path traversal bug in s_server on Windows when run with the -WWW
  or -HTTP options, due to incomplete path check logic.
  Issue reported and fix tested by Jobert Abma

3.0.1 - Development release

* Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
  or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
  it using Hasse's bound. This works as long as the cofactor is small
  enough.

* Fixed a memory leak in error paths for eckey_type2param().

* Initial work on supporting Cryptographic Message Syntax (CMS) in
  libcrypto (not enabled).

* Various manual page improvements and additions.

* Added a CMake check for an existing uninstall target, facilitating
  embedding LibreSSL in larger CMake projects, from Matthew Albrecht.

3.0.0 - Development release

* Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.

* Documented undescribed options and removed descriptions of
  nonfunctional options from the openssl(1) manual.

* A plethora of small fixes due to regular oss-fuzz testing.

* Various side channels in DSA and ECDSA were addressed. These are some of
  the many issues found in an extensive systematic analysis of bignum usage
  by Samuel Weiser, David Schrammel et al.

* Enabled openssl(1) speed subcommand on Windows platform.

* Enabled performance optimizations when building with Visual Studio on Windows.

* Fixed incorrect carry operation in 512 addition for Streebog.

* Fixed -modulus option with openssl(1) dsa subcommand.

* Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.

2.9.2 - Bug fixes

* Fixed portable builds with older versions of MacOS,
  Android targets < API 21, and Solaris 10

* Fixed SRTP profile advertisement for DTLS servers.

2.9.1 - Stable release

* Added support for XChaCha20 and XChaCha20-Poly1305.

* Added support for AES key wrap constructions via the EVP interface.

* Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.

* Added pbkdf2 key derivation support to openssl(1).

* Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

* Changed the default digest type of openssl(1) enc to sha256.

* Changed the default digest type of openssl(1) dgst to sha256.

* Changed the default digest type of openssl(1) x509 -fingerprint to sha256.

* Changed the default digest type of openssl(1) crl -fingerprint to sha256.

* Improved Windows, Android, and ARM compatibility, including assembly
  optimizations on Mingw-w64 targets.

2.9.0 - Development release

* Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.

* Fixed warnings about clock_gettime on Windows Visual Studio builds.

* Fixed CMake builds on systems where getpagesize is defined as an
  inline function.

* CRYPTO_LOCK is now automatically initialized, with the legacy
  callbacks stubbed for compatibility.

* Added the SM3 hash function from the Chinese standard GB/T 32905-2016.

* Added more OPENSSL_NO_* macros for compatibility with OpenSSL.

* Added extensive interoperability tests between LibreSSL and OpenSSL
  1.0 and 1.1.

* Added additional Wycheproof tests and related bug fixes.

* Simplified sigalgs option processing and handshake signing algorithm

* Added the ability to use the RSA PSS algorithm for handshake
  signatures.

* Added bn_rand_interval() and use it in code needing ranges of random
  bn values.

* Added functionality to derive early, handshake, and application
  secrets as per RFC8446.

* Added handshake state machine from RFC8446.

* Removed some ASN.1 related code from libcrypto that had not been used
  since around 2000.

* Unexported internal symbols and internalized more record layer structs.

* Added support for assembly optimizations on 32-bit ARM ELF targets.

* Improved protection against timing side channels in ECDSA signature
  generation.

* Coordinate blinding was added to some elliptic curves. This is the
  last bit of the work by Brumley et al. to protect against the
  Portsmash vulnerability.

* Ensure transcript handshake is always freed with TLS 1.2.

2.8.2 - Stable release

* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
  along with test harness fixes.

* Fixed memory leak in nc(1)

2.8.1 - Test and compatibility improvements

* Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
  AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
  X25519 test vectors. Applied appropriate fixes for errors uncovered
  by tests.

* Simplified key exchange signature generation and verification.

* Fixed a one-byte buffer overrun in callers of EVP_read_pw_string

* Converted more code paths to use CBB/CBS. All handshake messages are
  now created by CBB.

* Fixed various memory leaks found by Coverity.

* Simplified session ticket parsing and handling, inspired by
  BoringSSL.

* Modified signature of CRYPTO_mem_leaks_* to return -1. This function
  is a no-op in LibreSSL, so this function returns an error to not
  indicate the (non-)existence of memory leaks.

* SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
  X509_OBJECT_up_ref_count now return an int for error handling,
  matching OpenSSL.

* Converted a number of #defines into proper functions, matching
  OpenSSL's ABI.

* Added X509_get0_serialNumber from OpenSSL.

* Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
  PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
  OpenSSL.

* Removed broken pkcs8 formats from openssl(1).

* Converted more functions in public API to use const arguments.

* Stopped handling AES-GCM in ssl_cipher_get_evp, since they use the
  EVP_AEAD interface.

* Stopped using composite EVP_CIPHER AEADs.

* Added timing-safe compares for checking results of signature
  verification. There are no known attacks; this is just inexpensive
  prudence.

* Correctly clear the current cipher state, when changing cipher state.
  This fixed an issue where renegotiation of cipher suites would fail
  when switched from AEAD to non-AEAD or vice-versa.
  Issue reported by Bernard Spil.

* Added more cipher tests to appstest.sh, including all TLSv1.2
  ciphers.

* Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL.

* Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
  retrieved and set with appropriate validation.

2.8.0 - Bug fixes, security, and compatibility improvements

* Extensive documentation updates and additional API history.

* Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry

* Tighten up checks for various X509_VERIFY_PARAM functions,
  'poisoning' parameters so that an unverified certificate cannot be
  used if it fails verification.

* Fixed a potential memory leak on failure in ASN1_item_digest

* Fixed a potential memory alignment crash in asn1_item_combine_free

* Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
  SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

* Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

* Made ENGINE_finish and ENGINE_free succeed on NULL, simplifying callers
  and matching OpenSSL behavior; rewrote ENGINE_* documentation.

* Added const annotations to many existing APIs from OpenSSL, making
  interoperability easier for downstream applications.

* Fixed small timing side-channels in ecdsa_sign_setup and
  dsa_sign_setup.

* Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
  operation of BN_* functions.

* Updated BN_clear to use explicit_bzero.

* Added a missing bounds check in c2i_ASN1_BIT_STRING.

* More CBS conversions, including simplifications to RSA key exchange,
  and converted code to use dedicated buffers for secrets.

* Removed three remaining single DES cipher suites.

* Fixed a potential leak/incorrect return value in DSA signature
  generation.

* Added a blinding value when generating DSA and ECDSA signatures, in
  order to reduce the possibility of a side-channel attack leaking the
  private key.

* Added ECC constant time scalar multiplication support.
  From Billy Brumley and his team at Tampere University of Technology.

* Revised the implementation of RSASSA-PKCS1-v1_5 to match the
  specification in RFC 8017. Based on an OpenSSL commit by David
  Benjamin.

* Cleaned up BN_* implementations following changes made in OpenSSL by
  Davide Galassi and others.

2.7.4 - Security fixes

* Avoid a timing side-channel leak when generating DSA and ECDSA
  signatures. This is caused by an attempt to do fast modular
  arithmetic, which introduces branches that leak information
  regarding secret values. Issue identified and reported by Keegan
  Ryan of NCC Group.

* Reject excessively large primes in DH key generation. Problem
  reported by Guido Vranken to OpenSSL
  (https://github.com/openssl/openssl/pull/6457) and based on his
  diff.

2.7.3 - Bug fixes

* Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
  Sury

* Fixed an issue normalizing CPU architecture in the configure script,
  which disabled assembly optimizations on platforms that get detected
  as 'amd64', as opposed to 'x86_64'.

* Limited tls_config_clear_keys() to only clear private keys.
  This was inadvertently clearing the keypair, which includes the OCSP
  staple and pubkey hash - if an application called tls_configure()
  followed by tls_config_clear_keys(), this would prevent OCSP staples
  from working.

2.7.2 - Stable release

* Updated and added extensive new HISTORY sections to API manuals.

* Added support for shared library builds with CMake on all supported
  platforms. Note that some of the CMake options have changed, consult
  the README for details.

2.7.1 - Bug fixes

* Fixed a bug in int_x509_param_set_hosts, calling strlen() if name
  length provided is 0 to match the OpenSSL behaviour. Issue noticed
  by Christian Heimes <christian@python.org>.

* Fixed builds on macOS 10.11 and older.

2.7.0 - Bug fixes and improvements

* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
  observations of real-world usage in applications. These are
  implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
  changes have not been made to existing structs, allowing code written
  for older OpenSSL APIs to continue working.

* Extensive corrections, improvements, and additions to the
  API documentation, including new public APIs from OpenSSL that had
  no pre-existing documentation.

* Added support for automatic library initialization in libcrypto,
  libssl, and libtls. Support for pthread_once or a compatible
  equivalent is now required of the target operating system. As a
  side-effect, minimum Windows support is Vista or higher.

* Converted more packet handling methods to CBB, which improves
  resiliency when generating TLS messages.

* Completed TLS extension handling rewrite, improving consistency of
  checks for malformed and duplicate extensions.

* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
  This removes the last remaining use of the old M_ASN1_* macros
  (asn1_mac.h) from API that needs to continue to exist.

* Added support for client-side session resumption in libtls.
  A libtls client can specify a session file descriptor (a regular
  file with appropriate ownership and permissions) and libtls will
  manage reading and writing of session data across TLS handshakes.

* Improved support for strict alignment on ARMv7 architectures,
  conditionally enabling assembly in those cases.

* Fixed a memory leak in libtls when reusing a tls_config.

* Merged more DTLS support into the regular TLS code path, removing
  duplicated code.

* Many improvements to Windows CMake-based builds and tests,
  especially when targeting Visual Studio.

2.6.4 - Bug fixes

* Make tls_config_parse_protocols() work correctly when passed a NULL
  pointer for a protocol string. Issue found by semarie@, who also
  provided the diff.

* Correct TLS extensions handling when no extensions are present.
  If no TLS extensions are present in a client hello or server hello,
  omit the entire extensions block, rather than including it with a
  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
  providing packet captures and testing the fix.

* Fixed portable builds on older Android systems, and systems without
  IPV6_TCLASS support.

2.6.3 - OpenBSD 6.2 Release

* No core changes from LibreSSL 2.6.2

* Minor compatibility fixes in portable version.

2.6.2 - Bug fixes

* Provide a useful error with libtls if there are no OCSP URLs in a
  peer certificate.

* Keep track of which keypair is in use by a TLS context, fixing a bug
  where a TLS server with SNI would only return the OCSP staple for the
  default keypair. Issue reported by William Graeber and confirmed by
  Andreas Bartelt.

* Fixed various issues in the OCSP extension parsing code.
  The original code incorrectly passes the pointer allocated via
  CBS_stow() (using malloc()) to a d2i_*() function and then calls
  free() on the now incremented pointer, most likely resulting in a
  crash. This issue was reported by Robert Swiecki who found the issue
  using honggfuzz.

* If tls_config_parse_protocols() is called with a NULL pointer,
  return the default protocols instead of crashing - this makes the
  behaviour more useful and mirrors what we already do in
  tls_config_set_ciphers() et al.

2.6.1 - Code removal, rewrites

* Added a "-T tlscompat" option to nc(1), which enables the use of all
  TLS protocols and "compat" ciphers. This allows for TLS connections
  to TLS servers that are using less than ideal cipher suites, without
  having to resort to "-T tlsall" which enables all known cipher
  suites. Diff from Kyle J. McKay.

* Added a new TLS extension handling framework, somewhat analogous to
  BoringSSL, and converted all TLS extensions to use it. Added new TLS
  extension regression tests.

* Improved and added many new manpages. Updated *check_private_key
  manpages with additional cautions regarding their use.

* Cleaned up the EC key/curve configuration handling.

* Added tls_config_set_ecdhecurves() to libtls, which allows the names
  of the elliptic curves that may be used during client and server
  key exchange to be specified.

* Converted more code paths to use CBB/CBS.

* Removed support for DSS/DSA, since we removed the cipher suites a
  while back.

* Removed NPN support. NPN was never standardised and the last draft
  expired in October 2012. ALPN was standardised in July 2014 and has
  been supported in LibreSSL since December 2014. NPN has also been
  removed from Chromium in May 2016.

* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
  CryptoPro clients.

* Removed support for the TLS padding extension, which was added as a
  workaround for an old bug in F5's TLS termination.

* Worked around another bug in F5's TLS termination handling of the
  elliptic curves extension. RFC 4492 only defines elliptic_curves
  for ClientHello. However, F5 is sending it in ServerHello. We need
  to skip over it since our TLS extension parsing code is now more
  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.

* Added ability to clamp notafter values in certificates for systems
  with 32-bit time_t. This is necessary to conform to RFC 5280
  4.1.2.5.

* Implemented the SSL_CTX_set_min_proto_version(3) API.

* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.

* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.

2.6.0 - New APIs, bug fixes and improvements

* Added support for providing CRLs to libtls. Once a CRL is provided we
  enable CRL checking for the full certificate chain. Based on a diff
  from Jack Burton.

* Allow non-compliant clients using IP literal addresses with SNI
  to connect to a server using libtls.

* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
  Reported by Robert Swiecki, who found the issue using honggfuzz.

* Added definitions for three OIDs used in EV certificates.
  From Kyle J. McKay.

* Added tls_peer_cert_chain_pem to libtls, useful in private
  certificate validation callbacks such as those in relayd.

* Converted explicit clear/free sequences to use freezero(3).

* Reworked TLS certificate name verification code to more strictly
  follow RFC 6125.

* Cleaned up and simplified server key exchange EC point handling.

* Added tls_keypair_clear_key for clearing key material.

* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
  simplified BIO_get_host_ip and BIO_accept.

* Fixed the openssl(1) ca command so that it generates certificates
  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.

* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *

* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.

* Added HKDF (HMAC Key Derivation Function) from BoringSSL.

* Provided a tls_unload_file() function that frees the memory returned
  from a tls_load_file() call, ensuring that the contents become
  inaccessible. This is specifically needed on platforms where the
  library allocators may be different from the application allocator.

* Perform reference counting for tls_config. This allows
  tls_config_free() to be called as soon as it has been passed to the
  final tls_configure() call, simplifying lifetime tracking for the
  application.

* Moved internal state of SSL and other structures to be opaque.

* Dropped cipher suites with DSS authentication.

* nc(1) improvements, including:
  - nc -W to terminate nc after receiving a number of packets
  - nc -Z for saving the peer certificate and chain in a pem file

2.5.5 - Bug fixes

* Distinguish between self-issued certificates and self-signed
  certificates. The certificate verification code has special cases
  for self-signed certificates and without this change, self-issued
  certificates (which it seems are commonplace with
  openvpn/easyrsa) were also being included in this category.

* Added getpagesize fallback, needed for Android bionic libc.

2.5.4 - Security Updates

* Revert a previous change that forced consistency between return
  value and error code when specifying a certificate verification
  callback, since this breaks the documented API. When a user supplied
  callback always returns 1, and later code checks the error code to
  potentially abort post verification, this will result in incorrect
  successful certificate verification.

* Switched Linux getrandom() usage to non-blocking mode, continuing to
  use fallback mechanisms if unsuccessful. This works around a design
  flaw in Linux getrandom(2) where early boot usage in a library makes
  it impossible to recover if getrandom(2) is not yet initialized.

* Fixed a bug caused by the return value being set early to signal
  successful DTLS cookie validation. This can mask a later failure and
  result in a positive return value being returned from
  ssl3_get_client_hello(), when it should return a negative value to
  propagate the error.

* Fixed a build error on non-x86/x86_64 systems running Solaris.

2.5.3 - OpenBSD 6.1 Release

* Documentation updates

* Improved ocspcheck(1) error handling

2.5.2 - Security features and bugfixes

* Added the recallocarray(3) memory allocation function, and converted
  various places in the library to use it, such as CBB and BUF_MEM_grow.
  recallocarray(3) is similar to reallocarray. Newly allocated memory
  is cleared similar to calloc(3). Memory that becomes unallocated
  while shrinking or moving existing allocations is explicitly
  discarded by unmapping or clearing to 0.

* Added new root CAs from SECOM Trust Systems / Security Communication
  of Japan.

* Added EVP interface for MD5+SHA1 hashes.

* Fixed DTLS client failures when the server sends a certificate
  request.

* Correct handling of padding when upgrading an SSLv2 challenge into
  an SSLv3/TLS connection.

* Allow protocols and ciphers to be set on a TLS config object in
  libtls.

* Improved nc(1) TLS handshake CPU usage and server-side error
  reporting.

2.5.1 - Bug and security fixes, new features, documentation updates

* X509_cmp_time() now passes a malformed GeneralizedTime field as an
  error. Reported by Theofilos Petsios.

* Detect zero-length encrypted session data early, instead of when
  malloc(0) fails or the HMAC check fails. Noted independently by
  jsing@ and Kurt Cancemi.

* Check for and handle failure of HMAC_{Update,Final} or
  EVP_DecryptUpdate().

* Massive update and normalization of manpages, conversion to
  mandoc format. Many pages were rewritten for clarity and accuracy.
  Portable doc links are up-to-date with a new conversion tool.

* Curve25519 Key Exchange support.

* Support for alternate chains for certificate verification.

* Code cleanups, CBS conversions, further unification of DTLS/SSL
  handshake code, further ASN1 macro expansion and removal.

* Private symbols are now hidden in libssl and libcrypto.

* Friendly certificate verification error messages in libtls, peer
  verification is now always enabled.

* Added OCSP stapling support to libtls and netcat.

* Added ocspcheck utility to validate a certificate against its OCSP
  responder and save the reply for stapling.

* Enhanced regression tests and error handling for libtls.

* Added explicit constant and non-constant time BN functions,
  defaulting to constant time wherever possible.

* Moved many leaked implementation details in public structs behind
  opaque pointers.

* Added ticket support to libtls.

* Added support for setting the supported EC curves via
  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
  SSL{_CTX}_set1_curves{_list} names. This also changes the default
  list of curves to be X25519, P-256 and P-384. All other curves must
  be manually enabled.

* Added -groups option to openssl(1) s_client for specifying the curves
  to be used in a colon-separated list.

* Merged client/server version negotiation code paths into one,
  reducing much duplicate code.

* Removed error function codes from libssl and libcrypto.

* Fixed an issue where a truncated packet could crash via an OOB read.

* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
  client-initiated renegotiation. This is the default for libtls
  servers.

* Avoid a side-channel cache-timing attack that can leak the ECDSA
  private keys when signing. This is due to BN_mod_inverse() being
  used without the constant time flag being set. Reported by Cesar
  Pereida Garcia and Billy Brumley (Tampere University of Technology).
  The fix was developed by Cesar Pereida Garcia.

* iOS and MacOS compatibility updates from Simone Basso and Jacob
  Berkman.

2.5.0 - New APIs, bug fixes and improvements

* libtls now supports ALPN and SNI

* libtls adds a new callback interface for integrating custom IO
  functions. Thanks to Tobias Pape.

* libtls now handles 4 cipher suite groups:
    "secure" (TLSv1.2+AEAD+PFS)
    "compat" (HIGH:!aNULL)
    "legacy" (HIGH:MEDIUM:!aNULL)
    "insecure" (ALL:!aNULL:!eNULL)

  This allows for flexibility and finer grained control, rather than
  having two extremes (an issue raised by Marko Kreen some time ago).

* Tightened error handling for tls_config_set_ciphers().

* libtls now always loads CA, key and certificate files at the time the
  configuration function is called. This simplifies code and results in
  a single memory based code path being used to provide data to libssl.

* Add support for OCSP intermediate certificates.

* Added functions used by stunnel and exim from BoringSSL - this
  brings in X509_check_host, X509_check_email, X509_check_ip, and
  X509_check_ip_asc.

* Added initial support for iOS, thanks to Jacob Berkman.

* Improved behavior of arc4random on Windows when using memory leak
  analysis software.

* Correctly handle an EOF that occurs prior to the TLS handshake
  completing. Reported by Vasily Kolobkov, based on a diff from Marko
  Kreen.

* Limit the support of the "backward compatible" ssl2 handshake to
  only be used if TLS 1.0 is enabled.

* Fix incorrect results that BN_mod_word() can return in certain cases
  on 64-bit systems. BN_mod_word() now can return an error condition.
  Thanks to Brian Smith.

* Added constant-time updates to address CVE-2016-0702

* Fixed undefined behavior in BN_GF2m_mod_arr()

* Removed unused Cryptographic Message Support (CMS)

* More conversions of long long idioms to time_t

* Improved compatibility by avoiding printing NULL strings with
  printf.

* Reverted change that cleans up the EVP cipher context in
  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
  previous behaviour.

* Avoid unbounded memory growth in libssl, which can be triggered by a
  TLS client repeatedly renegotiating and sending OCSP Status Request
  TLS extensions.

* Avoid falling back to a weak digest for (EC)DH when using SNI with
  libssl.

2.4.2 - Bug fixes and improvements

* Fixed loading default certificate locations with openssl s_client.

* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
  RFC6960. Also added fixes for OCSP to work with intermediate
  certificates provided in responses.

* Improved behavior of arc4random on Windows to not appear to leak
  memory in debug tools, reduced privileges of allocated memory.

* Fixed incorrect results from BN_mod_word() when the modulus is too
  large, thanks to Brian Smith from BoringSSL.

* Correctly handle an EOF prior to completing the TLS handshake in
  libtls.

* Improved libtls certificate loading and cipher string validation.

* Updated libtls cipher group suites into four categories:
    "secure" (TLSv1.2+AEAD+PFS)
    "compat" (HIGH:!aNULL)
    "legacy" (HIGH:MEDIUM:!aNULL)
    "insecure" (ALL:!aNULL:!eNULL)
  This allows for flexibility and finer grained control, rather than
  having two extremes.

* Limited support for 'backward compatible' SSLv2 handshake packets to
  when TLS 1.0 is enabled, providing more restricted compatibility
  with TLS 1.0 clients.

* openssl(1) and other documentation improvements.

* Removed flags for disabling constant-time operations.
  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
  all of these operations unconditionally constant-time.

2.4.1 - Security fix

* Correct a problem that prevents the DSA signing algorithm from
  running in constant time even if the flag BN_FLG_CONSTTIME is set.
  This issue was reported by Cesar Pereida (Aalto University), Billy
  Brumley (Tampere University of Technology), and Yuval Yarom (The
  University of Adelaide and NICTA). The fix was developed by Cesar
  Pereida.

2.4.0 - Build improvements, new features

* Many improvements to the CMake build infrastructure, including
  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
  Inoguchi for this work.

* Added missing error handling around bn_wexpand() calls.

* Added explicit_bzero calls for freed ASN.1 objects.

* Fixed X509_*set_object functions to return 0 on allocation failure.

* Implemented the IETF ChaCha20-Poly1305 cipher suites.

* Changed the EVP_aead_chacha20_poly1305() implementation to the
  IETF version, which is now the default.

* Fixed password prompts from openssl(1) to properly handle ^C.

* Reworked error handling in libtls so that configuration errors are
  visible.

* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

* Manpage fixes and updates

2.3.5 - Reliability fix

* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

2.3.4 - Security Update

* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
  From OpenSSL.

* Minor build fixes

2.3.3 - OpenBSD 5.9 release branch tagged

* Reworked build scripts to better sync with OpenNTPD-portable

* Fixed broken manpage links

* Fixed an nginx compatibility issue by adding an 'install_sw' make alias

* Fixed HP-UX builds

* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
  binary builds

* cert.pem has been reorganized and synced with Mozilla's certificate store

2.3.2 - Compatibility and Reliability fixes

* Changed format of LIBRESSL_VERSION_NUMBER to match that of
  OPENSSL_VERSION_NUMBER, see:
  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)

* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
  construction introduced in RFC 7539, which is different than that
  already used in TLS with EVP_aead_chacha20_poly1305()

* Avoid a potential undefined C99+ behavior due to shift overflow in
  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>

* More man pages converted from pod to mdoc format

* Added COMODO RSA Certification Authority and QuoVadis
  root certificates to cert.pem

* Removed "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
  certificate from cert.pem

* Added support for building nc(1) on Solaris

* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev

* Improved console handling with openssl(1) on Windows

* Ensure the network stack is enabled on Windows when running
  tls_init()

* Fixed incorrect TLS certificate loading by nc(1)

* Added support for Solaris 11.3's getentropy(2) system call

* Enabled support for using NetBSD 7.0's arc4random(3) implementation

* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect

* Fixes from OpenSSL 1.0.1q
  - CVE-2015-3194 - NULL pointer dereference in client side certificate
    validation.
  - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL

* The following OpenSSL CVEs did not apply to LibreSSL
  - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
    squaring procedure.
  - CVE-2015-3196 - Double free race condition of the identity hint
    data.

  See https://marc.info/?l=openbsd-announce&m=144925068504102

2.3.1 - ASN.1 and time handling cleanups

* ASN.1 cleanups and RFC5280 compliance fixes.

* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
  now checks if the host OS supports 64-bit time_t.

* Fixed a leak in SSL_new in the error path.

* Support always extracting the peer cipher and version with libtls.

* Added ability to check certificate validity times with libtls,
  tls_peer_cert_notbefore and tls_peer_cert_notafter.

* Changed tls_connect_servername to use the first address that resolves with
  getaddrinfo().

* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
  initial commit in 2004).

* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
  by Qualys Security.

* Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

* Reject too small bits value in BN_generate_prime_ex(), so that it does
  not risk becoming negative in probable_prime_dh_safe(), reported by
  Franck Denis.

* Enable nc(1) builds on more platforms.

2.3.0 - SSLv3 removed, libtls API changes, portability improvements

* SSLv3 is now permanently removed from the tree.

* The libtls API is changed from the 2.2.x series.

  The read/write functions work correctly with external event
  libraries. See the tls_init man page for examples of using libtls
  correctly in asynchronous mode.

  Client-side verification is now supported, with the client supplying
  the certificate to the server.

  Also, when using tls_connect_fds, tls_connect_socket or
  tls_accept_fds, libtls no longer implicitly closes the passed in
  sockets. The caller is responsible for closing them in this case.

* When loading a DSA key from a raw (without DH parameters) ASN.1
  serialization, perform some consistency checks on its `p' and `q'
  values, and return an error if the checks failed.

  Thanks to Georgi Guninski (guninski at guninski dot com) for
  mentioning the possibility of a weak (non prime) q value and
  providing a test case.

  See
  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
  for a longer discussion.

* Fixed a bug in ECDH_compute_key that can lead to silent truncation
  of the result key without error. A coding error could cause software
  to use much shorter keys than intended.

* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
  longer supported.

* The engine command and parameters are removed from openssl(1).
  Previous releases removed dynamic and builtin engine support
  already.

* SHA-0 is removed, which was withdrawn shortly after publication 20
  years ago.

* Added Certplus CA root certificate to the default cert.pem file.

* New interface OPENSSL_cpu_caps is provided that does not allow
  software to inadvertently modify cpu capability flags.
  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.

* The out_len argument of AEAD changed from ssize_t to size_t.

* Deduplicated DTLS code, sharing bugfixes and improvements with
  TLS.

* Converted 'nc' to use libtls for client and server operations; it is
  included in the libressl-portable distribution as an example of how
  to use the library.

2.2.3 - Bug fixes, build enhancements

* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
  include TLS extensions, resulting in such handshakes being aborted.
  This release corrects the handling of such messages. Thanks to
  Ligushka from github for reporting the issue.

* Added install target for cmake builds. Thanks to TheNietsnie from
  github.

* Updated pkgconfig files to correctly report the release version
  number, not the individual library ABI version numbers. Thanks to
  Jan Engelhardt for reporting the issue.

2.2.2 - More TLS parser rework, bug fixes, expanded portable build support

* Switched 'openssl dhparam' default from 512 to 2048 bits

* Reworked openssl(1) option handling

* More CRYPTO ByteString (CBS) packet parsing conversions

* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success

* Fixed dozens of Coverity issues including dead code, memory leaks,
  logic errors and more.

* Ensure that openssl(1) restores terminal echo state after reading a
  password.

* Incorporated fix for OpenSSL Issue #3683

* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
  for each portable release.

* Removed workarounds for TLS client padding bugs.

* No longer disable ECDHE-ECDSA on OS X

* Removed SSLv3 support from openssl(1)

* Removed IE 6 SSLv3 workarounds.

* Modified tls_write in libtls to allow partial writes, clarified with
  examples in the documentation.

* Removed RSAX engine

* Tested SSLv3 removal with the OpenBSD ports tree and found several
  applications that were not ready to build without SSLv3 yet. For
  now, building a program that intentionally uses SSLv3 will result in
  a linker warning.

* Added TLS_method, TLS_client_method and TLS_server_method as a
  replacement for the SSLv23_*method calls.

* Added initial cmake build support, including support for building with
  Visual Studio, currently tested with Visual Studio 2013 Community
  Edition.

* --with-enginesdir is removed as a configuration parameter

* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
  installed under $sysconfdir/ssl or the directory specified by
  --with-openssldir. Previous versions of LibreSSL left these empty.

2.2.1 - Build fixes, feature added, features removed

* Assorted build fixes for musl, HP-UX, Mingw, Solaris.

* Initial support for Windows Embedded 2009, Server 2003, XP

* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API

* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL

* Removed Dynamic Engine support

* Removed unused and obsolete MDC-2DES cipher

* Removed workarounds for obsolete SSL implementations

2.2.0 - Build cleanups and new OS support, Security Updates

* AIX Support - thanks to Michael Felt

* Cygwin Support - thanks to Corinna Vinschen

* Refactored build macros, support packaging libtls independently.
  There are more pieces required to support building and using OpenSSL
  with libtls, but this is an initial start at providing an
  independent package for people to start hacking on.

* Removal of OPENSSL_issetugid and all library getenv calls.
  Applications can and should no longer rely on environment variables
  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
  supported with the openssl(1) command.

* libtls API and documentation additions

* Various bug fixes and simplifications to libssl and libcrypto

* Fixes for the following issues are integrated into LibreSSL 2.2.0:
  - CVE-2015-1788 - Malformed ECParameters causes infinite loop
  - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
  - CVE-2015-1792 - CMS verify infinite loop with unknown hash function

* The following CVEs did not apply to LibreSSL or were fixed in
  earlier releases:
  - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
  - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
  - CVE-2014-8176 - Invalid free in DTLS

* Fixes for the following CVEs are still in review for LibreSSL
  - CVE-2015-1791 - Race condition handling NewSessionTicket

2.1.6 - Security update

* Fixes for the following issues are integrated into LibreSSL 2.1.6:
  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
  - CVE-2015-0289 - PKCS7 NULL pointer dereferences

* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
  is integrated for safety, but LibreSSL is not vulnerable.

* Libtls is now built by default. The --enable-libtls
  configuration option is no longer required.
  The libtls API is now stable for the 2.1.x series.

2.1.5 - Bug fixes and a security update

* Fix incorrect comparison function in openssl(1) certhash command.
  Thanks to Christian Neukirchen / Void Linux.

* Windows port improvements and bug fixes.
  - Removed a dependency on libgcc in 32-bit dynamic libraries.
  - Correct a hang in openssl(1) reading from stdin on a connection.
  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
    any other network-related commands to function properly.

* Reject all server DH keys smaller than 1024 bits.

2.1.4 - Security and feature updates

* Improvements to libtls:
  - a new API for loading CA chains directly from memory instead of a
    file, allowing verification with privilege separation in a chroot
    without direct access to CA certificate files.

  - Ciphers default to TLSv1.2 with AEAD and PFS.

  - Improved error handling and message generation

  - New APIs and improved documentation

* Added X509_STORE_load_mem API for loading certificates from memory.
  This facilitates accessing certificates from a chrooted environment.

* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
  using 'TLSv1.2+AEAD' as the cipher selection string.

* Dead and disabled code removal including MD5, Netscape workarounds,
  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.

* ASN1 macro maze expanded to aid reading and searching the code.

* NULL pointer asserts removed in favor of letting the OS/signal
  handler catch them.

* Refactored argument handling in openssl(1) for consistency and
  maintainability.

* New openssl(1) command 'certhash' replaces the c_rehash script.

* Support for building with OPENSSL_NO_DEPRECATED

* Server-side support for TLS_FALLBACK_SCSV for compatibility with
  various auditor and vulnerability scanners.

* Dozens of issues found with the Coverity scanner fixed.

* Security Updates:

  - Fix a minor information leak that was introduced in t1_lib.c
    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
    provided to the network. In most cases this is a non-issue since
    the memory content is already public. Issue found and reported by
    Felix Groebert of the Google Security Team.

  - Fixes for the following low-severity issues were integrated into
    LibreSSL from OpenSSL 1.0.1k:

    CVE-2015-0205 - DH client certificates accepted without
                    verification
    CVE-2014-3570 - Bignum squaring may produce incorrect results
    CVE-2014-8275 - Certificate fingerprints can be modified
    CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
    Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.

    The following CVEs were fixed in earlier LibreSSL releases:
    CVE-2015-0206 - Memory leak handling repeated DTLS records
    CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

    The following CVEs did not apply to LibreSSL:
    CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
    CVE-2014-3569 - no-ssl3 configuration sets method to NULL
    CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

2.1.3 - Security update and OS support improvements

* Fixed various memory leaks in DTLS, including fixes for
  CVE-2015-0206.

* Added Application-Layer Protocol Negotiation (ALPN) support.

* Removed GOST R 34.10-94 signature authentication.

* Removed nonfunctional Netscape browser-hang workaround code.

* Simplified and refactored SSL/DTLS handshake code.

* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

* Hide timing info about padding errors during handshakes.

* Improved libtls support for non-blocking sockets, added randomized
  session ID contexts. Work is ongoing with this library - feedback
  and potential use-cases are welcome.

* Support building Windows DLLs.
  Thanks to Jan Engelhardt.

* Packaged config wrapper for better compatibility with OpenSSL-based
  build systems.
  Thanks to @technion from github

* Ensure the stack is marked non-executable for assembly sections.
  Thanks to Anthony G. Bastile.

* Enable extra compiler hardening flags by default, where applicable.
  The default set of hardening features can vary from OS to OS, so
  feedback is welcome on this. To disable the default hardening flags,
  specify '--disable-hardening' during configure.
  Thanks to Jim Barlow

* Initial HP-UX support, tested with HP-UX 11.31 ia64
  Thanks to Kinichiro Inoguchi

* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
  Imported from OpenNTPD, thanks to @gitisihara from github

2.1.2 - Many new features and improvements

* Added reworked GOST cipher suite support
  thanks to Dmitry Eremin-Solenikov

* Enabled Camellia ciphers due to improved patent situation

* Use builtin arc4random implementation on OS X and FreeBSD
  this addresses some deficiencies in the native implementations of
  these operating systems, see commit logs for more information

* Added initial Windows mingw-w64 support (32 and 64-bit)
  thanks to Song Dongsheng and others for code and feedback

* Enabled assembly optimizations on x86_64 CPUs
  supports Linux, *BSD, Solaris and OS X operating systems
  thanks to Wouter Clarie for the initial implementation

* Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)

* Improved build infrastructure, 'make distcheck' now passes
  this simplifies and speeds developer efficiency
  thanks to Dmitry Eremin-Solenikov and Wouter Clarie

* Allow conditional building of the libtls library
  expect the API and ABI of the library to change
  feedback is welcome

* Fixes for more memory leaks, cleanups, etc.

2.1.1 - Security update

* Address POODLE attack by disabling SSLv3 by default

* Fix Elliptic Curve cipher selection bug
  (https://github.com/libressl-portable/portable/issues/35)

2.1.0 - First release from the OpenBSD 5.7 tree

* Added support for automatic ephemeral EC keys

* Fixes for many memory leaks and overflows in error handlers

* The TLS padding extension (that works around bugs in F5 terminators) is
  off by default

* Support for getrandom(2) on Linux 3.17

* The NO_ASM macro is no longer being set, providing the first bits toward
  enabling other assembly offloads.

2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i

* CVE-2014-3506
* CVE-2014-3507
* CVE-2014-3508 (partially vulnerable)
* CVE-2014-3509
* CVE-2014-3510
* CVE-2014-3511
* Synced LibreSSL Portable with the release version of OpenBSD 5.6

2.0.4 - Portability fixes, deleted unused SRP code

2.0.3 - Portability fixes, improvements to fork detection

2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork

2.0.1 - Portability fixes:

* Removed -Werror and other non-portable compiler flags

* Allow setting OPENSSLDIR and ENGINESDIR

2.0.0 - First release from the OpenBSD 5.6 tree

* Removal of many obsolete features and coding conventions from the OpenSSL
  1.0.1h source