1642 lines
57 KiB
Plaintext
Executable File
1642 lines
57 KiB
Plaintext
Executable File
Because this project is maintained both in the OpenBSD tree using CVS and in
|
|
Git, it can be confusing following all of the changes.
|
|
|
|
Most of the libssl and libcrypto source code is is here in OpenBSD CVS:
|
|
|
|
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/
|
|
|
|
Some of the libcrypto and OS-compatibility files for entropy and random number
|
|
generation are here:
|
|
|
|
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/
|
|
|
|
A simplified TLS wrapper library is here:
|
|
|
|
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/
|
|
|
|
The LibreSSL Portable project copies these portions of the OpenBSD tree, along
|
|
with relevant portions of the C library, to a Git repository. This makes it
|
|
easier to follow all of the relevant changes to the upstream project in a
|
|
single place:
|
|
|
|
https://github.com/libressl-portable/openbsd
|
|
|
|
The portable bits of the project are largely maintained out-of-tree, and their
|
|
history is also available from Git.
|
|
|
|
https://github.com/libressl-portable/portable
|
|
|
|
LibreSSL Portable Release Notes:
|
|
|
|
3.2.2 - Stable release
|
|
|
|
* This is the first stable release with the new TLSv1.3
|
|
implementation enabled by default for both client and server. The
|
|
OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
|
|
in an upcoming release.
|
|
|
|
* New X509 certificate chain validator that correctly handles
|
|
multiple paths through intermediate certificates. Loosely based on
|
|
Go's X509 validator.
|
|
|
|
* New name constraints verification implementation which passes the
|
|
bettertls.com certificate validation check suite.
|
|
|
|
* Improve the handling of BIO_read()/BIO_write() failures in the
|
|
TLSv1.3 stack.
|
|
|
|
* Start replacing the existing TLSv1.2 record layer.
|
|
|
|
* Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.
|
|
|
|
* Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
|
|
|
|
* Send alert on ssl_get_prev_session() failure.
|
|
|
|
* Zero out variable on the stack to avoid leaving garbage in the tail
|
|
of short session IDs.
|
|
|
|
* Move state initialization from SSL_clear() to ssl3_clear() to ensure
|
|
that it gets correctly reinitialized across a SSL_set_ssl_method()
|
|
call.
|
|
|
|
* Avoid an out-of-bounds write in BN_rand().
|
|
|
|
* Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
|
|
the code in ui_lib.c.
|
|
|
|
* Correctly track selected ALPN length to avoid a potential segmentation
|
|
fault with SSL_get0_alpn_selected() when alpn_selected is NULL.
|
|
|
|
* Include machine/endian.h gost2814789.c in order to pick up the
|
|
__STRICT_ALIGNMENT define.
|
|
|
|
* Simplify SSL method lookups.
|
|
|
|
* Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
|
|
SSL_set_ssl_method() and several internal functions.
|
|
|
|
* Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().
|
|
|
|
* Refactor dtls1_new(), dtls1_hm_fragment_new(),
|
|
dtls1_drain_fragments(), dtls1_clear_queues().
|
|
|
|
* Copy the session ID directly in ssl_get_prev_session() instead of
|
|
handing it through several functions for copying.
|
|
|
|
* Clean up and refactor ssl_get_prev_session(); simplify
|
|
tls_decrypt_ticket() and tls1_process_ticket() exit paths.
|
|
|
|
* Avoid memset() before memcpy() in CBS_add_bytes().
|
|
|
|
* Rewrite X509_INFO_{new,free}() more idiomatically.
|
|
|
|
* Remove unnecessary zeroing after recallocarray() in
|
|
ASN1_BIT_STRING_set_bit().
|
|
|
|
* Convert openssl(1) ocsp new option handling.
|
|
|
|
* Document SSL_set1_host(3), SSL_set_SSL_CTX(3).
|
|
|
|
* Document return value from EC_KEY_get0_public_key(3).
|
|
|
|
* Greatly expanded test coverage via the tlsfuzzer test scripts.
|
|
|
|
* Expanded test coverage via the bettertls certificate test suite.
|
|
|
|
* Test interoperability with the Botan TLS client.
|
|
|
|
* Make pthread_mutex static initialisation work on Windows.
|
|
|
|
* Get __STRICT_ALIGNMENT from machine/endian.h with portable build.
|
|
|
|
3.2.1 - Development release
|
|
|
|
* Propagate alerts from the read half of the TLSv1.3 record layer to I/O
|
|
functions.
|
|
|
|
* Send a record overflow alert for TLSv1.3 messages having overlong
|
|
plaintext or inner plaintext.
|
|
|
|
* Send an illegal parameter alert if a client sends an invalid DH key
|
|
share.
|
|
|
|
* Document PKCS7_final(3), PKCS7_add_attribute(3).
|
|
|
|
* Collapse x509v3 directory into x509.
|
|
|
|
* Improve TLSv1.3 client certificate selection to allow EC certificates
|
|
instead of only RSA certificates.
|
|
|
|
* Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
|
|
of constructing a broken objects that may cause NULL pointer accesses.
|
|
|
|
* Add support for additional GOST curves from RFC 7836 and
|
|
draft-deremin-rfc4491-bis.
|
|
|
|
* Add OIDs for HMAC using the Streebog hash function.
|
|
|
|
* Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.
|
|
|
|
* Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.
|
|
|
|
* Handle GOST in ssl_cert_dup().
|
|
|
|
* Stop sending GOST R 34.10-94 as a CertificateType.
|
|
|
|
* Use IANA allocated GOST ClientCertificateTypes.
|
|
|
|
* Add a custom copy handler for AES keywrap to fix a use-after-free.
|
|
|
|
* Enforce in the TLSv1.3 server that that ClientHello messages after
|
|
a HelloRetryRequest match the original ClientHello as per RFC 8446
|
|
section 4.1.2
|
|
|
|
* Document more PKCS7 attribute functions.
|
|
|
|
* Document PKCS7_get_signer_info(3).
|
|
|
|
* Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).
|
|
|
|
* Document PEM_def_callback(3).
|
|
|
|
* Document EVP_read_pw_string_min(3).
|
|
|
|
* Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.
|
|
|
|
* Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3)
|
|
|
|
* Document X509_get0_pubkey_bitstr(3).
|
|
|
|
* Fix an off-by-one in the CBC padding removal. From BoringSSL.
|
|
|
|
* Enforce restrictions on extensions present in the ClientHello as per
|
|
RFC 8446, section 9.2.
|
|
|
|
* Add new CMAC_Init(3) and ChaCha(3) manual pages.
|
|
|
|
* Fix SSL_shutdown behavior to match the legacy stack. The previous
|
|
behavior could cause a hang.
|
|
|
|
* Add initial support for openbsd/powerpc64.
|
|
|
|
* Make the message type available in the internal TLS extensions API
|
|
functions.
|
|
|
|
* Enable TLSv1.3 for the generic TLS_method().
|
|
|
|
* Convert openssl(1) s_client option handling.
|
|
|
|
* Document openssl(1) certhash.
|
|
|
|
* Convert openssl(1) verify option handling.
|
|
|
|
* Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
|
|
use-after-free and double-free issues in calling programs.
|
|
|
|
* Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).
|
|
|
|
* Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.
|
|
|
|
* Convert openssl(1) s_server option handling.
|
|
|
|
* Add minimal info callback support for TLSv1.3.
|
|
|
|
* Refactor, clean up and simplify some SSL3/DTLS1 record writing code.
|
|
|
|
* Correctly handle server requests for an OCSP response.
|
|
|
|
* Add the P-521 curve to the list of curves supported by default
|
|
in the client.
|
|
|
|
* Convert openssl(1) req option handling.
|
|
|
|
* Avoid calling freezero with a negative size if a server sends a
|
|
malformed plaintext of all zeroes.
|
|
|
|
* Send an unexpected message alert if no valid content type is found
|
|
in a TLSv1.3 record.
|
|
|
|
3.2.0 - Development release
|
|
|
|
* Enable TLS 1.3 server side in addition to client by default.
|
|
With this change TLS 1.3 is handled entirely on the new stack
|
|
and state machine, with fallback to the legacy stack and
|
|
state machine for older versions. Note that the OpenSSL TLS 1.3
|
|
API is not yet visible/available.
|
|
|
|
* Improve length checks in the TLS 1.3 record layer and provide
|
|
appropriate alerts for violations of record layer limits.
|
|
|
|
* Enforce that SNI hostnames received by the TLS server are correctly
|
|
formed as per RFC 5890 and RFC 6066, responding with illegal parameter
|
|
for a nonconformant host name.
|
|
|
|
* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
|
|
retry of handshake messages.
|
|
|
|
* Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
|
|
similar to new OpenSSL releases.
|
|
|
|
* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
|
|
various commands.
|
|
|
|
* Add tlsfuzzer based regression tests.
|
|
|
|
* Support sending certificate status requests from the TLS 1.3
|
|
client to request OCSP staples for leaf certificates.
|
|
|
|
* Support sending certificate status replies from the TLS 1.3 server
|
|
in order to send OCSP staples for leaf certificates.
|
|
|
|
* Send correct alerts when handling failed key share extensions
|
|
on the TLS 1.3 server.
|
|
|
|
* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
|
|
switching from the new to legacy stacks.
|
|
|
|
* Support TLS 1.3 options in the openssl(1) command.
|
|
|
|
* Many alert cleanups in TLS 1.3 to provide expected alerts in failure
|
|
conditions.
|
|
|
|
* Modify "openssl x509" to display invalid certificate times as
|
|
invalid, and correctly deal with the failing return case from
|
|
X509_cmp_time so that a certificate with an invalid NotAfter does
|
|
not appear valid.
|
|
|
|
* Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
|
|
compatibility.
|
|
|
|
* Ensure only PSS signatures are used with RSA in TLS 1.3.
|
|
|
|
* Ensure that TLS 1.3 clients advertise exactly the "null" compression
|
|
method in its legacy_compression_methods.
|
|
|
|
* Correct use of sockaddr_storage instead of sockaddr in openssl(1)
|
|
s_client, which could lead to using 14 bytes of stack garbage instead
|
|
of an IPv6 address in DTLS mode.
|
|
|
|
* Use non-expired certificates first when building a certificate chain.
|
|
|
|
3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:
|
|
|
|
* Improve client certificate selection to allow EC certificates
|
|
instead of only RSA certificates.
|
|
|
|
* Do not error out if a TLSv1.3 server requests an OCSP response as
|
|
part of a certificate request.
|
|
|
|
* Fix SSL_shutdown behavior to match the legacy stack. The previous
|
|
behaviour could cause a hang.
|
|
|
|
* Fix a memory leak and add a missing error check in the handling of
|
|
the key update message.
|
|
|
|
* Fix a memory leak in tls13_record_layer_set_traffic_key.
|
|
|
|
* Avoid calling freezero with a negative size if a server sends a
|
|
malformed plaintext of all zeroes.
|
|
|
|
* Ensure that only PSS may be used with RSA in TLSv1.3 in order
|
|
to avoid using PKCS1-based signatures.
|
|
|
|
* Add the P-521 curve to the list of curves supported by default
|
|
in the client.
|
|
|
|
3.1.3 - Bug fix
|
|
|
|
* libcrypto may fail to build a valid certificate chain due to
|
|
expired untrusted issuer certificates.
|
|
|
|
3.1.2 - Bug fix
|
|
|
|
* A TLS client with peer verification disabled may crash when
|
|
contacting a server that sends an empty certificate list.
|
|
|
|
3.1.1 - Stable release
|
|
|
|
* Improved cipher suite handling to automatically include TLSv1.3
|
|
cipher suites when they are not explicitly referred to in the
|
|
cipher string.
|
|
|
|
* Improved handling of TLSv1.3 HelloRetryRequests, simplifying
|
|
state transitions and ensuring that the legacy session identifer
|
|
retains the same value across the handshake.
|
|
|
|
* Provided TLSv1.3 cipher suite aliases to match the names used
|
|
in RFC 8446.
|
|
|
|
* Improved TLSv1.3 client key share handling to allow the use of
|
|
any groups in our configured NID list.
|
|
|
|
* Fixed printing the serialNumber with X509_print_ex() fall back to
|
|
the colon separated hex bytes in case greater than int value.
|
|
|
|
* Fix to disallow setting the AES-GCM IV length to zero.
|
|
|
|
* Added -groups option to openssl(1) s_server subcommand.
|
|
|
|
* Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.
|
|
|
|
* Improved portable builds to support the use of static MSVC runtimes.
|
|
|
|
* Fixed portable builds to avoid exporting a sleep() symbol.
|
|
|
|
3.1.0 - Development release
|
|
|
|
* Completed initial TLS 1.3 implementation with a completely new state
|
|
machine and record layer. TLS 1.3 is now enabled by default for the
|
|
client side, with the server side to be enabled in a future release.
|
|
Note that the OpenSSL TLS 1.3 API is not yet visible/available.
|
|
|
|
* Many more code cleanups, fixes, and improvements to memory handling
|
|
and protocol parsing.
|
|
|
|
* Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
|
|
|
|
* Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
|
|
1.1.1 and enabled by default.
|
|
|
|
* Improved compatibility by backporting functionality and documentation
|
|
from OpenSSL 1.1.1.
|
|
|
|
* Added many new additional crypto test vectors.
|
|
|
|
* Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.
|
|
|
|
* Default CA bundle location is now configurable in portable builds.
|
|
|
|
* Added cms subcommand to openssl(1).
|
|
|
|
* Added -addext option to openssl(1) req subcommand.
|
|
|
|
3.0.2 - Stable release
|
|
|
|
* Use a valid curve when constructing an EC_KEY that looks like X25519.
|
|
The recent EC group cofactor change results in stricter validation,
|
|
which causes the EC_GROUP_set_generator() call to fail.
|
|
Issue reported and fix tested by rsadowski@
|
|
|
|
* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
|
|
(Note that the CMS code is currently disabled)
|
|
Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)
|
|
|
|
* Avoid a path traversal bug in s_server on Windows when run with the -WWW
|
|
or -HTTP options, due to incomplete path check logic.
|
|
Issue reported and fix tested by Jobert Abma
|
|
|
|
3.0.1 - Development release
|
|
|
|
* Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
|
|
or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
|
|
it using Hasse's bound. This works as long as the cofactor is small
|
|
enough.
|
|
|
|
* Fixed a memory leak in error paths for eckey_type2param().
|
|
|
|
* Initial work on supporting Cryptographic Message Syntax (CMS) in
|
|
libcrypto (not enabled).
|
|
|
|
* Various manual page improvements and additions.
|
|
|
|
* Added a CMake check for an existing uninstall target, facilitating
|
|
embedding LibreSSL in larger CMake projects, from Matthew Albrecht.
|
|
|
|
3.0.0 - Development release
|
|
|
|
* Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.
|
|
|
|
* Documented undescribed options and removed unfunctional options
|
|
description in openssl(1) manual.
|
|
|
|
* A plethora of small fixes due to regular oss-fuzz testing.
|
|
|
|
* Various side channels in DSA and ECDSA were addressed. These are some of
|
|
the many issues found in an extensive systematic analysis of bignum usage
|
|
by Samuel Weiser, David Schrammel et al.
|
|
|
|
* Enabled openssl(1) speed subcommand on Windows platform.
|
|
|
|
* Enabled performance optimizations when building with Visual Studio on Windows.
|
|
|
|
* Fixed incorrect carry operation in 512 addition for Streebog.
|
|
|
|
* Fixed -modulus option with openssl(1) dsa subcommand.
|
|
|
|
* Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.
|
|
|
|
2.9.2 - Bug fixes
|
|
|
|
* Fixed portable builds with older versions of MacOS,
|
|
Android targets < API 21, and Solaris 10
|
|
|
|
* Fixed SRTP profile advertisement for DTLS servers.
|
|
|
|
2.9.1 - Stable release
|
|
|
|
* Added support for XChaCha20 and XChaCha20-Poly1305.
|
|
|
|
* Added support for AES key wrap constructions via the EVP interface.
|
|
|
|
* Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.
|
|
|
|
* Added pbkdf2 key derivation support to openssl(1)
|
|
|
|
* Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.
|
|
|
|
* Changed the default digest type of openssl(1) enc to to sha256.
|
|
|
|
* Changed the default digest type of openssl(1) dgst to sha256.
|
|
|
|
* Changed the default digest type of openssl(1) x509 -fingerprint to sha256.
|
|
|
|
* Changed the default digest type of openssl(1) crl -fingerprint to sha256.
|
|
|
|
* Improved Windows, Android, and ARM compatibility, including assembly
|
|
optimizations on Mingw-w64 targets.
|
|
|
|
2.9.0 - Development release
|
|
|
|
* Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.
|
|
|
|
* Fixed warnings about clock_gettime on Windows Visual Studio builds.
|
|
|
|
* Fixed CMake builds on systems where getpagesize is defined as an
|
|
inline function.
|
|
|
|
* CRYPTO_LOCK is now automatically initialized, with the legacy
|
|
callbacks stubbed for compatibility.
|
|
|
|
* Added the SM3 hash function from the Chinese standard GB/T 32905-2016.
|
|
|
|
* Added more OPENSSL_NO_* macros for compatibility with OpenSSL.
|
|
|
|
* Added extensive interoperability tests between LibreSSL and OpenSSL
|
|
1.0 and 1.1.
|
|
|
|
* Added additional Wycheproof tests and related bug fixes.
|
|
|
|
* Simplified sigalgs option processing and handshake signing algorithm
|
|
|
|
* Added the ability to use the RSA PSS algorithm for handshake
|
|
signatures.
|
|
|
|
* Added bn_rand_interval() and use it in code needing ranges of random
|
|
bn values.
|
|
|
|
* Added functionality to derive early, handshake, and application
|
|
secrets as per RFC8446.
|
|
|
|
* Added handshake state machine from RFC8446.
|
|
|
|
* Removed some ASN.1 related code from libcrypto that had not been used
|
|
since around 2000.
|
|
|
|
* Unexported internal symbols and internalized more record layer structs.
|
|
|
|
* Added support for assembly optimizations on 32-bit ARM ELF targets.
|
|
|
|
* Improved protection against timing side channels in ECDSA signature
|
|
generation.
|
|
|
|
* Coordinate blinding was added to some elliptic curves. This is the
|
|
last bit of the work by Brumley et al. to protect against the
|
|
Portsmash vulnerability.
|
|
|
|
* Ensure transcript handshake is always freed with TLS 1.2.
|
|
|
|
2.8.2 - Stable release
|
|
|
|
* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
|
|
along with test harness fixes.
|
|
|
|
* Fixed memory leak in nc(1)
|
|
|
|
2.8.1 - Test and compatibility improvements
|
|
|
|
* Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
|
|
AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
|
|
X25519 test vectors. Applied appropriate fixes for errors uncovered
|
|
by tests.
|
|
|
|
* Simplified key exchange signature generation and verification.
|
|
|
|
* Fixed a one-byte buffer overrun in callers of EVP_read_pw_string
|
|
|
|
* Converted more code paths to use CBB/CBS. All handshake messages are
|
|
now created by CBB.
|
|
|
|
* Fixed various memory leaks found by Coverity.
|
|
|
|
* Simplified session ticket parsing and handling, inspired by
|
|
BoringSSL.
|
|
|
|
* Modified signature of CRYPTO_mem_leaks_* to return -1. This function
|
|
is a no-op in LibreSSL, so this function returns an error to not
|
|
indicate the (non-)existence of memory leaks.
|
|
|
|
* SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
|
|
X509_OBJECT_up_ref_count now return an int for error handling,
|
|
matching OpenSSL.
|
|
|
|
* Converted a number of #defines into proper functions, matching
|
|
OpenSSL's ABI.
|
|
|
|
* Added X509_get0_serialNumber from OpenSSL.
|
|
|
|
* Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
|
|
PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
|
|
OpenSSL.
|
|
|
|
* Removed broken pkcs8 formats from openssl(1).
|
|
|
|
* Converted more functions in public API to use const arguments.
|
|
|
|
* Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the
|
|
EVP_AEAD interface.
|
|
|
|
* Stopped using composite EVP_CIPHER AEADs.
|
|
|
|
* Added timing-safe compares for checking results of signature
|
|
verification. There are no known attacks, this is just inexpensive
|
|
prudence.
|
|
|
|
* Correctly clear the current cipher state, when changing cipher state.
|
|
This fixed an issue where renegotiation of cipher suites would fail
|
|
when switched from AEAD to non-AEAD or vice-versa.
|
|
Issue reported by Bernard Spil.
|
|
|
|
* Added more cipher tests to appstest.sh, including all TLSv1.2
|
|
ciphers.
|
|
|
|
* Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL.
|
|
|
|
* Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
|
|
retrieved and set with appropriate validation.
|
|
|
|
2.8.0 - Bug fixes, security, and compatibility improvements
|
|
|
|
* Extensive documentation updates and additional API history.
|
|
|
|
* Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry
|
|
|
|
* Tighten up checks for various X509_VERIFY_PARAM functions,
|
|
'poisoning' parameters so that an unverified certificate cannot be
|
|
used if it fails verification.
|
|
|
|
* Fixed a potential memory leak on failure in ASN1_item_digest
|
|
|
|
* Fixed a potential memory alignment crash in asn1_item_combine_free
|
|
|
|
* Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
|
|
SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.
|
|
|
|
* Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.
|
|
|
|
* Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers
|
|
and matching OpenSSL behavior, rewrote ENGINE_* documentation.
|
|
|
|
* Added const annotations to many existing APIs from OpenSSL, making
|
|
interoperability easier for downstream applications.
|
|
|
|
* Fixed small timing side-channels in ecdsa_sign_setup and
|
|
dsa_sign_setup.
|
|
|
|
* Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
|
|
operation of BN_* functions.
|
|
|
|
* Updated BN_clear to use explicit_bzero.
|
|
|
|
* Added a missing bounds check in c2i_ASN1_BIT_STRING.
|
|
|
|
* More CBS conversions, including simplifications to RSA key exchange,
|
|
and converted code to use dedicated buffers for secrets.
|
|
|
|
* Removed three remaining single DES cipher suites.
|
|
|
|
* Fixed a potential leak/incorrect return value in DSA signature
|
|
generation.
|
|
|
|
* Added a blinding value when generating DSA and ECDSA signatures, in
|
|
order to reduce the possibility of a side-channel attack leaking the
|
|
private key.
|
|
|
|
* Added ECC constant time scalar multiplication support.
|
|
From Billy Brumley and his team at Tampere University of Technology.
|
|
|
|
* Revised the implementation of RSASSA-PKCS1-v1_5 to match the
|
|
specification in RFC 8017. Based on an OpenSSL commit by David
|
|
Benjamin.
|
|
|
|
* Cleaned up BN_* implementations following changes made in OpenSSL by
|
|
Davide Galassi and others.
|
|
|
|
2.7.4 - Security fixes
|
|
|
|
* Avoid a timing side-channel leak when generating DSA and ECDSA
|
|
signatures. This is caused by an attempt to do fast modular
|
|
arithmetic, which introduces branches that leak information
|
|
regarding secret values. Issue identified and reported by Keegan
|
|
Ryan of NCC Group.
|
|
|
|
* Reject excessively large primes in DH key generation. Problem
|
|
reported by Guido Vranken to OpenSSL
|
|
(https://github.com/openssl/openssl/pull/6457) and based on his
|
|
diff.
|
|
|
|
2.7.3 - Bug fixes
|
|
|
|
* Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
|
|
Sury
|
|
|
|
* Fixed an issue normalizing CPU architecture in the configure script,
|
|
which disabled assembly optimizations on platforms that get detected
|
|
as 'amd64', opposed to 'x86_64'
|
|
|
|
* Limited tls_config_clear_keys() to only clear private keys.
|
|
This was inadvertently clearing the keypair, which includes the OCSP
|
|
staple and pubkey hash - if an application called tls_configure()
|
|
followed by tls_config_clear_keys(), this would prevent OCSP staples
|
|
from working.
|
|
|
|
2.7.2 - Stable release
|
|
|
|
* Updated and added extensive new HISTORY sections to API manuals.
|
|
|
|
* Added support for shared library builds with CMake on all supported
|
|
platforms. Note that some of the CMake options have changed, consult
|
|
the README for details.
|
|
|
|
2.7.1 - Bug fixes
|
|
|
|
* Fixed a bug in int_x509_param_set_hosts, calling strlen() if name
|
|
length provided is 0 to match the OpenSSL behaviour. Issue noticed
|
|
by Christian Heimes <christian@python.org>.
|
|
|
|
* Fixed builds macOS 10.11 and older.
|
|
|
|
2.7.0 - Bug fixes and improvements
|
|
|
|
* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
|
|
observations of real-world usage in applications. These are
|
|
implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
|
|
changes have not been made to existing structs, allowing code written
|
|
for older OpenSSL APIs to continue working.
|
|
|
|
* Extensive corrections, improvements, and additions to the
|
|
API documentation, including new public APIs from OpenSSL that had
|
|
no pre-existing documentation.
|
|
|
|
* Added support for automatic library initialization in libcrypto,
|
|
libssl, and libtls. Support for pthread_once or a compatible
|
|
equivalent is now required of the target operating system. As a
|
|
side-effect, minimum Windows support is Vista or higher.
|
|
|
|
* Converted more packet handling methods to CBB, which improves
|
|
resiliency when generating TLS messages.
|
|
|
|
* Completed TLS extension handling rewrite, improving consistency of
|
|
checks for malformed and duplicate extensions.
|
|
|
|
* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
|
|
This removes the last remaining use of the old M_ASN1_* macros
|
|
(asn1_mac.h) from API that needs to continue to exist.
|
|
|
|
* Added support for client-side session resumption in libtls.
|
|
A libtls client can specify a session file descriptor (a regular
|
|
file with appropriate ownership and permissions) and libtls will
|
|
manage reading and writing of session data across TLS handshakes.
|
|
|
|
* Improved support for strict alignment on ARMv7 architectures,
|
|
conditionally enabling assembly in those cases.
|
|
|
|
* Fixed a memory leak in libtls when reusing a tls_config.
|
|
|
|
* Merged more DTLS support into the regular TLS code path, removing
|
|
duplicated code.
|
|
|
|
* Many improvements to Windows Cmake-based builds and tests,
|
|
especially when targeting Visual Studio.
|
|
|
|
2.6.4 - Bug fixes
|
|
|
|
* Make tls_config_parse_protocols() work correctly when passed a NULL
|
|
pointer for a protocol string. Issue found by semarie@, who also
|
|
provided the diff.
|
|
|
|
* Correct TLS extensions handling when no extensions are present.
|
|
If no TLS extensions are present in a client hello or server hello,
|
|
omit the entire extensions block, rather than including it with a
|
|
length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
|
|
providing packet captures and testing the fix.
|
|
|
|
* Fixed portable builds on older Android systems, and systems with out
|
|
IPV6_TCLASS support.
|
|
|
|
2.6.3 - OpenBSD 6.2 Release
|
|
|
|
* No core changes from LibreSSL 2.6.2
|
|
|
|
* Minor compatibility fixes in portable version.
|
|
|
|
2.6.2 - Bug fixes
|
|
|
|
* Provide a useful error with libtls if there are no OCSP URLs in a
|
|
peer certificate.
|
|
|
|
* Keep track of which keypair is in use by a TLS context, fixing a bug
|
|
where a TLS server with SNI would only return the OCSP staple for the
|
|
default keypair. Issue reported by William Graeber and confirmed by
|
|
Andreas Bartelt.
|
|
|
|
* Fixed various issues in the OCSP extension parsing code.
|
|
The original code incorrectly passes the pointer allocated via
|
|
CBS_stow() (using malloc()) to a d2i_*() function and then calls
|
|
free() on the now incremented pointer, most likely resulting in a
|
|
crash. This issue was reported by Robert Swiecki who found the issue
|
|
using honggfuzz.
|
|
|
|
* If tls_config_parse_protocols() is called with a NULL pointer,
|
|
return the default protocols instead of crashing - this makes the
|
|
behaviour more useful and mirrors what we already do in
|
|
tls_config_set_ciphers() et al.
|
|
|
|
2.6.1 - Code removal, rewrites
|
|
|
|
* Added a "-T tlscompat" option to nc(1), which enables the use of all
|
|
TLS protocols and "compat" ciphers. This allows for TLS connections
|
|
to TLS servers that are using less than ideal cipher suites, without
|
|
having to resort to "-T tlsall" which enables all known cipher
|
|
suites. Diff from Kyle J. McKay.
|
|
|
|
* Added a new TLS extension handling framework, somewhat analogous to
|
|
BoringSSL, and converted all TLS extensions to use it. Added new TLS
|
|
extension regression tests.
|
|
|
|
* Improved and added many new manpages. Updated *check_private_key
|
|
manpages with additional cautions regarding their use.
|
|
|
|
* Cleaned up the EC key/curve configuration handling.
|
|
|
|
* Added tls_config_set_ecdhecurves() to libtls, which allows the names
|
|
of the eliptical curves that may be used during client and server
|
|
key exchange to be specified.
|
|
|
|
* Converted more code paths to use CBB/CBS.
|
|
|
|
* Removed support for DSS/DSA, since we removed the cipher suites a
|
|
while back.
|
|
|
|
* Removed NPN support. NPN was never standardised and the last draft
|
|
expired in October 2012. ALPN was standardised in July 2014 and has
|
|
been supported in LibreSSL since December 2014. NPN has also been
|
|
removed from Chromium in May 2016.
|
|
|
|
* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
|
|
CryptoPro clients.
|
|
|
|
* Removed support for the TLS padding extension, which was added as a
|
|
workaround for an old bug in F5's TLS termination.
|
|
|
|
* Worked around another bug in F5's TLS termination handling of the
|
|
elliptical curves extension. RFC 4492 only defines elliptic_curves
|
|
for ClientHello. However, F5 is sending it in ServerHello. We need
|
|
to skip over it since our TLS extension parsing code is now more
|
|
strict. Thanks to Armin Wolfermann and WJ Liu for reporting.
|
|
|
|
* Added ability to clamp notafter valies in certificates for systems
|
|
with 32-bit time_t. This is necessary to conform to RFC 5280
|
|
4.1.2.5.
|
|
|
|
* Implemented the SSL_CTX_set_min_proto_version(3) API.
|
|
|
|
* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
|
|
|
|
* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
|
|
|
|
2.6.0 - New APIs, bug fixes and improvements
|
|
|
|
* Added support for providing CRLs to libtls. Once a CRL is provided we
|
|
enable CRL checking for the full certificate chain. Based on a diff
|
|
from Jack Burton
|
|
|
|
* Allow non-compliant clients using IP literal addresses with SNI
|
|
to connect to a server using libtls.
|
|
|
|
* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
|
|
Reported by Robert Swiecki, who found the issue using honggfuzz.
|
|
|
|
* Added definitions for three OIDs used in EV certificates.
|
|
From Kyle J. McKay
|
|
|
|
* Added tls_peer_cert_chain_pem to libtls, useful in private
|
|
certificate validation callbacks such as those in relayd.
|
|
|
|
* Converted explicit clear/free sequences to use freezero(3).
|
|
|
|
* Reworked TLS certificate name verification code to more strictly
|
|
follow RFC 6125.
|
|
|
|
* Cleaned up and simplified server key exchange EC point handling.
|
|
|
|
* Added tls_keypair_clear_key for clearing key material.
|
|
|
|
* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
|
|
simplified BIO_get_host_ip and BIO_accept.
|
|
|
|
* Fixed the openssl(1) ca command so that is generates certificates
|
|
with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
|
|
|
|
* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
|
|
|
|
* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
|
|
|
|
* Added HKDF (HMAC Key Derivation Function) from BoringSSL
|
|
|
|
* Provided a tls_unload_file() function that frees the memory returned
|
|
from a tls_load_file() call, ensuring that it the contents become
|
|
inaccessible. This is specifically needed on platforms where the
|
|
library allocators may be different from the application allocator.
|
|
|
|
* Perform reference counting for tls_config. This allows
|
|
tls_config_free() to be called as soon as it has been passed to the
|
|
final tls_configure() call, simplifying lifetime tracking for the
|
|
application.
|
|
|
|
* Moved internal state of SSL and other structures to be opaque.
|
|
|
|
* Dropped cipher suites with DSS authentication.
|
|
|
|
* nc(1) improvements, including:
|
|
nc -W to terminate nc after receiving a number of packets
|
|
nc -Z for saving the peer certificate and chain in a pem file
|
|
|
|
2.5.5 - Bug fixes
|
|
|
|
* Distinguish between self-issued certificates and self-signed
|
|
certificates. The certificate verification code has special cases
|
|
for self-signed certificates and without this change, self-issued
|
|
certificates (which it seems are common place with
|
|
openvpn/easyrsa) were also being included in this category.
|
|
|
|
* Added getpagesize fallback, needed for Android bionic libc.
|
|
|
|
2.5.4 - Security Updates
|
|
|
|
* Revert a previous change that forced consistency between return
|
|
value and error code when specifing a certificate verification
|
|
callback, since this breaks the documented API. When a user supplied
|
|
callback always returns 1, and later code checks the error code to
|
|
potentially abort post verification, this will result in incorrect
|
|
successul certificate verification.
|
|
|
|
* Switched Linux getrandom() usage to non-blocking mode, continuing to
|
|
use fallback mechanims if unsuccessful. This works around a design
|
|
flaw in Linux getrandom(2) where early boot usage in a library makes
|
|
it impossible to recover if getrandom(2) is not yet initialized.
|
|
|
|
* Fixed a bug caused by the return value being set early to signal
|
|
successful DTLS cookie validation. This can mask a later failure and
|
|
result in a positive return value being returned from
|
|
ssl3_get_client_hello(), when it should return a negative value to
|
|
propagate the error.
|
|
|
|
* Fixed a build error on non-x86/x86_64 systems running Solaris.
|
|
|
|
2.5.3 - OpenBSD 6.1 Release
|
|
|
|
* Documentation updates
|
|
|
|
* Improved ocspcheck(1) error handling
|
|
|
|
2.5.2 - Security features and bugfixes
|
|
|
|
* Added the recallocarray(3) memory allocation function, and converted
|
|
various places in the library to use it, such as CBB and BUF_MEM_grow.
|
|
recallocarray(3) is similar to reallocarray. Newly allocated memory
|
|
is cleared similar to calloc(3). Memory that becomes unallocated
|
|
while shrinking or moving existing allocations is explicitly
|
|
discarded by unmapping or clearing to 0
|
|
|
|
* Added new root CAs from SECOM Trust Systems / Security Communication
|
|
of Japan.
|
|
|
|
* Added EVP interface for MD5+SHA1 hashes.
|
|
|
|
* Fixed DTLS client failures when the server sends a certificate
|
|
request.
|
|
|
|
* Correct handling of padding when upgrading an SSLv2 challenge into
|
|
an SSLv3/TLS connection.
|
|
|
|
* Allow protocols and ciphers to be set on a TLS config object in
|
|
libtls.
|
|
|
|
* Improved nc(1) TLS handshake CPU usage and server-side error
|
|
reporting.
|
|
|
|
2.5.1 - Bug and security fixes, new features, documentation updates
|
|
|
|
* X509_cmp_time() now passes a malformed GeneralizedTime field as an
|
|
error. Reported by Theofilos Petsios.
|
|
|
|
* Detect zero-length encrypted session data early, instead of when
|
|
malloc(0) fails or the HMAC check fails. Noted independently by
|
|
jsing@ and Kurt Cancemi.
|
|
|
|
* Check for and handle failure of HMAC_{Update,Final} or
|
|
EVP_DecryptUpdate().
|
|
|
|
* Massive update and normalization of manpages, conversion to
|
|
mandoc format. Many pages were rewritten for clarity and accuracy.
|
|
Portable doc links are up-to-date with a new conversion tool.
|
|
|
|
* Curve25519 Key Exchange support.
|
|
|
|
* Support for alternate chains for certificate verification.
|
|
|
|
* Code cleanups, CBS conversions, further unification of DTLS/SSL
|
|
handshake code, further ASN1 macro expansion and removal.
|
|
|
|
* Private symbol are now hidden in libssl and libcryto.
|
|
|
|
* Friendly certificate verification error messages in libtls, peer
|
|
verification is now always enabled.
|
|
|
|
* Added OCSP stapling support to libtls and netcat.
|
|
|
|
* Added ocspcheck utility to validate a certificate against its OCSP
|
|
responder and save the reply for stapling
|
|
|
|
* Enhanced regression tests and error handling for libtls.
|
|
|
|
* Added explicit constant and non-constant time BN functions,
|
|
defaulting to constant time wherever possible.
|
|
|
|
* Moved many leaked implementation details in public structs behind
|
|
opaque pointers.
|
|
|
|
* Added ticket support to libtls.
|
|
|
|
* Added support for setting the supported EC curves via
|
|
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
|
|
SSL{_CTX}_set1_curves{_list} names. This also changes the default
|
|
list of curves to be X25519, P-256 and P-384. All other curves must
|
|
be manually enabled.
|
|
|
|
* Added -groups option to openssl(1) s_client for specifying the curves
|
|
to be used in a colon-separated list.
|
|
|
|
* Merged client/server version negotiation code paths into one,
|
|
reducing much duplicate code.
|
|
|
|
* Removed error function codes from libssl and libcrypto.
|
|
|
|
* Fixed an issue where a truncated packet could crash via an OOB read.
|
|
|
|
* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
|
|
client-initiated renegotiation. This is the default for libtls
|
|
servers.
|
|
|
|
* Avoid a side-channel cache-timing attack that can leak the ECDSA
|
|
private keys when signing. This is due to BN_mod_inverse() being
|
|
used without the constant time flag being set. Reported by Cesar
|
|
Pereida Garcia and Billy Brumley (Tampere University of Technology).
|
|
The fix was developed by Cesar Pereida Garcia.
|
|
|
|
* iOS and MacOS compatibility updates from Simone Basso and Jacob
|
|
Berkman.
|
|
|
|
|
|
2.5.0 - New APIs, bug fixes and improvements
|
|
|
|
* libtls now supports ALPN and SNI
|
|
|
|
* libtls adds a new callback interface for integrating custom IO
|
|
functions. Thanks to Tobias Pape.
|
|
|
|
* libtls now handles 4 cipher suite groups:
|
|
"secure" (TLSv1.2+AEAD+PFS)
|
|
"compat" (HIGH:!aNULL)
|
|
"legacy" (HIGH:MEDIUM:!aNULL)
|
|
"insecure" (ALL:!aNULL:!eNULL)
|
|
|
|
This allows for flexibility and finer grained control, rather than
|
|
having two extremes (an issue raised by Marko Kreen some time ago).
|
|
|
|
* Tightened error handling for tls_config_set_ciphers().
|
|
|
|
* libtls now always loads CA, key and certificate files at the time the
|
|
configuration function is called. This simplifies code and results in
|
|
a single memory based code path being used to provide data to libssl.
|
|
|
|
* Add support for OCSP intermediate certificates.
|
|
|
|
* Added functions used by stunnel and exim from BoringSSL - this
|
|
brings in X509_check_host, X509_check_email, X509_check_ip, and
|
|
X509_check_ip_asc.
|
|
|
|
* Added initial support for iOS, thanks to Jacob Berkman.
|
|
|
|
* Improved behavior of arc4random on Windows when using memory leak
|
|
analysis software.
|
|
|
|
* Correctly handle an EOF that occurs prior to the TLS handshake
|
|
completing. Reported by Vasily Kolobkov, based on a diff from Marko
|
|
Kreen.
|
|
|
|
* Limit the support of the "backward compatible" ssl2 handshake to
|
|
only be used if TLS 1.0 is enabled.
|
|
|
|
* Fix incorrect results in certain cases on 64-bit systems when
|
|
BN_mod_word() can return incorrect results. BN_mod_word() now can
|
|
return an error condition. Thanks to Brian Smith.
|
|
|
|
* Added constant-time updates to address CVE-2016-0702
|
|
|
|
* Fixed undefined behavior in BN_GF2m_mod_arr()
|
|
|
|
* Removed unused Cryptographic Message Support (CMS)
|
|
|
|
* More conversions of long long idioms to time_t
|
|
|
|
* Improved compatibility by avoiding printing NULL strings with
|
|
printf.
|
|
|
|
* Reverted change that cleans up the EVP cipher context in
|
|
EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
|
|
previous behaviour.
|
|
|
|
* Avoid unbounded memory growth in libssl, which can be triggered by a
|
|
TLS client repeatedly renegotiating and sending OCSP Status Request
|
|
TLS extensions.
|
|
|
|
* Avoid falling back to a weak digest for (EC)DH when using SNI with
|
|
libssl.
|
|
|
|
2.4.2 - Bug fixes and improvements
|
|
|
|
* Fixed loading default certificate locations with openssl s_client.
|
|
|
|
* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
|
|
RFC6960. Also added fixes for OCSP to work with intermediate
|
|
certificates provided in responses.
|
|
|
|
* Improved behavior of arc4random on Windows to not appear to leak
|
|
memory in debug tools, reduced privileges of allocated memory.
|
|
|
|
* Fixed incorrect results from BN_mod_word() when the modulus is too
|
|
large, thanks to Brian Smith from BoringSSL.
|
|
|
|
* Correctly handle an EOF prior to completing the TLS handshake in
|
|
libtls.
|
|
|
|
* Improved libtls ceritificate loading and cipher string validation.
|
|
|
|
* Updated libtls cipher group suites into four categories:
|
|
"secure" (TLSv1.2+AEAD+PFS)
|
|
"compat" (HIGH:!aNULL)
|
|
"legacy" (HIGH:MEDIUM:!aNULL)
|
|
"insecure" (ALL:!aNULL:!eNULL)
|
|
This allows for flexibility and finer grained control, rather than
|
|
having two extremes.
|
|
|
|
* Limited support for 'backward compatible' SSLv2 handshake packets to
|
|
when TLS 1.0 is enabled, providing more restricted compatibility
|
|
with TLS 1.0 clients.
|
|
|
|
* openssl(1) and other documentation improvements.
|
|
|
|
* Removed flags for disabling constant-time operations.
|
|
This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
|
|
DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
|
|
all of these operations unconditionally constant-time.
|
|
|
|
|
|
2.4.1 - Security fix
|
|
|
|
* Correct a problem that prevents the DSA signing algorithm from
|
|
running in constant time even if the flag BN_FLG_CONSTTIME is set.
|
|
This issue was reported by Cesar Pereida (Aalto University), Billy
|
|
Brumley (Tampere University of Technology), and Yuval Yarom (The
|
|
University of Adelaide and NICTA). The fix was developed by Cesar
|
|
Pereida.
|
|
|
|
2.4.0 - Build improvements, new features
|
|
|
|
* Many improvements to the CMake build infrastructure, including
|
|
Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
|
|
Inoguchi for this work.
|
|
|
|
* Added missing error handling around bn_wexpand() calls.
|
|
|
|
* Added explicit_bzero calls for freed ASN.1 objects.
|
|
|
|
* Fixed X509_*set_object functions to return 0 on allocation failure.
|
|
|
|
* Implemented the IETF ChaCha20-Poly1305 cipher suites.
|
|
|
|
* Changed default EVP_aead_chacha20_poly1305() implementation to the
|
|
IETF version, which is now the default.
|
|
|
|
* Fixed password prompts from openssl(1) to properly handle ^C.
|
|
|
|
* Reworked error handling in libtls so that configuration errors are
|
|
visible.
|
|
|
|
* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
|
|
|
|
* Manpage fixes and updates
|
|
|
|
2.3.5 - Reliability fix
|
|
|
|
* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
|
|
|
|
2.3.4 - Security Update
|
|
|
|
* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
|
|
From OpenSSL.
|
|
|
|
* Minor build fixes
|
|
|
|
2.3.3 - OpenBSD 5.9 release branch tagged
|
|
|
|
* Reworked build scripts to better sync with OpenNTPD-portable
|
|
|
|
* Fixed broken manpage links
|
|
|
|
* Fixed an nginx compatibility issue by adding an 'install_sw' make alias
|
|
|
|
* Fixed HP-UX builds
|
|
|
|
* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
|
|
binary builds
|
|
|
|
* cert.pem has been reorganized and synced with Mozilla's certificate store
|
|
|
|
2.3.2 - Compatibility and Reliability fixes
|
|
|
|
* Changed format of LIBRESSL_VERSION_NUMBER to match that of
|
|
OPENSSL_VERSION_NUMBER, see:
|
|
https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
|
|
|
|
* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
|
|
construction introduced in RFC 7539, which is different than that
|
|
already used in TLS with EVP_aead_chacha20_poly1305()
|
|
|
|
* Avoid a potential undefined C99+ behavior due to shift overflow in
|
|
AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
|
|
|
|
* More man pages converted from pod to mdoc format
|
|
|
|
* Added COMODO RSA Certification Authority and QuoVadis
|
|
root certificates to cert.pem
|
|
|
|
* Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
|
|
Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
|
|
certificate from cert.pem
|
|
|
|
* Added support for building nc(1) on Solaris
|
|
|
|
* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
|
|
|
|
* Improved console handling with openssl(1) on Windows
|
|
|
|
* Ensure the network stack is enabled on Windows when running
|
|
tls_init()
|
|
|
|
* Fixed incorrect TLS certificate loading by nc(1)
|
|
|
|
* Added support for Solaris 11.3's getentropy(2) system call
|
|
|
|
* Enabled support for using NetBSD 7.0's arc4random(3) implementation
|
|
|
|
* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
|
|
|
|
* Fixes from OpenSSL 1.0.1q
|
|
- CVE-2015-3194 - NULL pointer dereference in client side certificate
|
|
validation.
|
|
- CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
|
|
|
|
* The following OpenSSL CVEs did not apply to LibreSSL
|
|
- CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
|
|
squaring procedure.
|
|
- CVE-2015-3196 - Double free race condition of the identify hint
|
|
data.
|
|
|
|
See https://marc.info/?l=openbsd-announce&m=144925068504102
|
|
|
|
2.3.1 - ASN.1 and time handling cleanups
|
|
|
|
* ASN.1 cleanups and RFC5280 compliance fixes.
|
|
|
|
* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
|
|
now checks if the host OS supports 64-bit time_t.
|
|
|
|
* Fixed a leak in SSL_new in the error path.
|
|
|
|
* Support always extracting the peer cipher and version with libtls.
|
|
|
|
* Added ability to check certificate validity times with libtls,
|
|
tls_peer_cert_notbefore and tls_peer_cert_notafter.
|
|
|
|
* Changed tls_connect_servername to use the first address that resolves with
|
|
getaddrinfo().
|
|
|
|
* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
|
|
initial commit in 2004).
|
|
|
|
* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
|
|
by Qualys Security.
|
|
|
|
* Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
|
|
sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
|
|
|
|
* Reject too small bits value in BN_generate_prime_ex(), so that it does
|
|
not risk becoming negative in probable_prime_dh_safe(), reported by
|
|
Franck Denis.
|
|
|
|
* Enable nc(1) builds on more platforms.
|
|
|
|
2.3.0 - SSLv3 removed, libtls API changes, portability improvements
|
|
|
|
* SSLv3 is now permanently removed from the tree.
|
|
|
|
* The libtls API is changed from the 2.2.x series.
|
|
|
|
The read/write functions work correctly with external event
|
|
libraries. See the tls_init man page for examples of using libtls
|
|
correctly in asynchronous mode.
|
|
|
|
Client-side verification is now supported, with the client supplying
|
|
the certificate to the server.
|
|
|
|
Also, when using tls_connect_fds, tls_connect_socket or
|
|
tls_accept_fds, libtls no longer implicitly closes the passed in
|
|
sockets. The caller is responsible for closing them in this case.
|
|
|
|
* When loading a DSA key from an raw (without DH parameters) ASN.1
|
|
serialization, perform some consistency checks on its `p' and `q'
|
|
values, and return an error if the checks failed.
|
|
|
|
Thanks for Georgi Guninski (guninski at guninski dot com) for
|
|
mentioning the possibility of a weak (non prime) q value and
|
|
providing a test case.
|
|
|
|
See
|
|
https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
|
|
for a longer discussion.
|
|
|
|
* Fixed a bug in ECDH_compute_key that can lead to silent truncation
|
|
of the result key without error. A coding error could cause software
|
|
to use much shorter keys than intended.
|
|
|
|
* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
|
|
longer supported.
|
|
|
|
* The engine command and parameters are removed from the openssl(1).
|
|
Previous releases removed dynamic and builtin engine support
|
|
already.
|
|
|
|
* SHA-0 is removed, which was withdrawn shortly after publication 20
|
|
years ago.
|
|
|
|
* Added Certplus CA root certificate to the default cert.pem file.
|
|
|
|
* New interface OPENSSL_cpu_caps is provided that does not allow
|
|
software to inadvertently modify cpu capability flags.
|
|
OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
|
|
|
|
* The out_len argument of AEAD changed from ssize_t to size_t.
|
|
|
|
* Deduplicated DTLS code, sharing bugfixes and improvements with
|
|
TLS.
|
|
|
|
* Converted 'nc' to use libtls for client and server operations; it is
|
|
included in the libressl-portable distribution as an example of how
|
|
to use the library.
|
|
|
|
2.2.3 - Bug fixes, build enhancements
|
|
|
|
* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
|
|
include TLS extensions, resulting in such handshakes being aborted.
|
|
This release corrects the handling of such messages. Thanks to
|
|
Ligushka from github for reporting the issue.
|
|
|
|
* Added install target for cmake builds. Thanks to TheNietsnie from
|
|
github.
|
|
|
|
* Updated pkgconfig files to correctly report the release version
|
|
number, not the individual library ABI version numbers. Thanks to
|
|
Jan Engelhardt for reporting the issue.
|
|
|
|
2.2.2 - More TLS parser rework, bug fixes, expanded portable build support
|
|
|
|
* Switched 'openssl dhparam' default from 512 to 2048 bits
|
|
|
|
* Reworked openssl(1) option handling
|
|
|
|
* More CRYPTO ByteString (CBC) packet parsing conversions
|
|
|
|
* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
|
|
|
|
* Fixed dozens of Coverity issues including dead code, memory leaks,
|
|
logic errors and more.
|
|
|
|
* Ensure that openssl(1) restores terminal echo state after reading a
|
|
password.
|
|
|
|
* Incorporated fix for OpenSSL Issue #3683
|
|
|
|
* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
|
|
for each portable release.
|
|
|
|
* Removed workarounds for TLS client padding bugs.
|
|
|
|
* No longer disable ECDHE-ECDSA on OS X
|
|
|
|
* Removed SSLv3 support from openssl(1)
|
|
|
|
* Removed IE 6 SSLv3 workarounds.
|
|
|
|
* Modified tls_write in libtls to allow partial writes, clarified with
|
|
examples in the documentation.
|
|
|
|
* Removed RSAX engine
|
|
|
|
* Tested SSLv3 removal with the OpenBSD ports tree and found several
|
|
applications that were not ready to build without SSLv3 yet. For
|
|
now, building a program that intentionally uses SSLv3 will result in
|
|
a linker warning.
|
|
|
|
* Added TLS_method, TLS_client_method and TLS_server_method as a
|
|
replacement for the SSLv23_*method calls.
|
|
|
|
* Added initial cmake build support, including support for building with
|
|
Visual Studio, currently tested with Visual Studio 2013 Community
|
|
Edition.
|
|
|
|
* --with-enginesdir is removed as a configuration parameter
|
|
|
|
* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
|
|
installed under $sysconfdir/ssl or the directory specified by
|
|
--with-openssldir. Previous versions of LibreSSL left these empty.
|
|
|
|
2.2.1 - Build fixes, feature added, features removed
|
|
|
|
* Assorted build fixes for musl, HP-UX, Mingw, Solaris.
|
|
|
|
* Initial support for Windows Embedded 2009, Server 2003, XP
|
|
|
|
* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
|
|
|
|
* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
|
|
|
|
* Removed Dynamic Engine support
|
|
|
|
* Removed unused and obsolete MDC-2DES cipher
|
|
|
|
* Removed workarounds for obsolete SSL implementations
|
|
|
|
2.2.0 - Build cleanups and new OS support, Security Updates
|
|
|
|
* AIX Support - thanks to Michael Felt
|
|
|
|
* Cygwin Support - thanks to Corinna Vinschen
|
|
|
|
* Refactored build macros, support packaging libtls independently.
|
|
There are more pieces required to support building and using OpenSSL
|
|
with libtls, but this is an initial start at providing an
|
|
independent package for people to start hacking on.
|
|
|
|
* Removal of OPENSSL_issetugid and all library getenv calls.
|
|
Applications can and should no longer rely on environment variables
|
|
for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
|
|
supported with the openssl(1) command.
|
|
|
|
* libtls API and documentation additions
|
|
|
|
* Various bug fixes and simplifications to libssl and libcrypto
|
|
|
|
* Fixes for the following issues are integrated into LibreSSL 2.2.0:
|
|
- CVE-2015-1788 - Malformed ECParameters causes infinite loop
|
|
- CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
|
|
- CVE-2015-1792 - CMS verify infinite loop with unknown hash function
|
|
|
|
* The following CVEs did not apply to LibreSSL or were fixed in
|
|
earlier releases:
|
|
- CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
|
|
- CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
|
|
- CVE-2014-8176 - Invalid free in DTLS
|
|
|
|
* Fixes for the following CVEs are still in review for LibreSSL
|
|
- CVE-2015-1791 - Race condition handling NewSessionTicket
|
|
|
|
2.1.6 - Security update
|
|
|
|
* Fixes for the following issues are integrated into LibreSSL 2.1.6:
|
|
- CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
|
|
- CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
|
|
- CVE-2015-0287 - ASN.1 structure reuse memory corruption
|
|
- CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
|
|
- CVE-2015-0289 - PKCS7 NULL pointer dereferences
|
|
|
|
* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
|
|
is integrated for safety, but LibreSSL is not vulnerable.
|
|
|
|
* Libtls is now built by default. The --enable-libtls
|
|
configuration option is no longer required.
|
|
The libtls API is now stable for the 2.1.x series.
|
|
|
|
2.1.5 - Bug fixes and a security update
|
|
* Fix incorrect comparison function in openssl(1) certhash command.
|
|
Thanks to Christian Neukirchen / Void Linux.
|
|
|
|
* Windows port improvements and bug fixes.
|
|
- Removed a dependency on libgcc in 32-bit dynamic libraries.
|
|
- Correct a hang in openssl(1) reading from stdin on an connection.
|
|
- Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
|
|
any other network-related commands to function properly.
|
|
|
|
* Reject all server DH keys smaller than 1024 bits.
|
|
|
|
2.1.4 - Security and feature updates
|
|
* Improvements to libtls:
|
|
- a new API for loading CA chains directly from memory instead of a
|
|
file, allowing verification with privilege separation in a chroot
|
|
without direct access to CA certificate files.
|
|
|
|
- Ciphers default to TLSv1.2 with AEAD and PFS.
|
|
|
|
- Improved error handling and message generation
|
|
|
|
- New APIs and improved documentation
|
|
|
|
* Added X509_STORE_load_mem API for loading certificates from memory.
|
|
This facilitates accessing certificates from a chrooted environment.
|
|
|
|
* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
|
|
using 'TLSv1.2+AEAD' as the cipher selection string.
|
|
|
|
* Dead and disabled code removal including MD5, Netscape workarounds,
|
|
non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
|
|
|
|
* ASN1 macro maze expanded to aid reading and searching the code.
|
|
|
|
* NULL pointer asserts removed in favor of letting the OS/signal
|
|
handler catch them.
|
|
|
|
* Refactored argument handling in openssl(1) for consistency and
|
|
maintainability.
|
|
|
|
* New openssl(1) command 'certhash' replaces the c_rehash script.
|
|
|
|
* Support for building with OPENSSL_NO_DEPRECATED
|
|
|
|
* Server-side support for TLS_FALLBACK_SCSV for compatibility with
|
|
various auditor and vulnerability scanners.
|
|
|
|
* Dozens of issues found with the Coverity scanner fixed.
|
|
|
|
* Security Updates:
|
|
|
|
- Fix a minor information leak that was introduced in t1_lib.c
|
|
r1.71, whereby an additional 28 bytes of .rodata (or .data) is
|
|
provided to the network. In most cases this is a non-issue since
|
|
the memory content is already public. Issue found and reported by
|
|
Felix Groebert of the Google Security Team.
|
|
|
|
- Fixes for the following low-severity issues were integrated into
|
|
LibreSSL from OpenSSL 1.0.1k:
|
|
|
|
CVE-2015-0205 - DH client certificates accepted without
|
|
verification
|
|
CVE-2014-3570 - Bignum squaring may produce incorrect results
|
|
CVE-2014-8275 - Certificate fingerprints can be modified
|
|
CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
|
|
Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
|
|
|
|
The following CVEs were fixed in earlier LibreSSL releases:
|
|
CVE-2015-0206 - Memory leak handling repeated DLTS records
|
|
CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
|
|
|
|
The following CVEs did not apply to LibreSSL:
|
|
CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
|
|
CVE-2014-3569 - no-ssl3 configuration sets method to NULL
|
|
CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
|
|
|
|
2.1.3 - Security update and OS support improvements
|
|
* Fixed various memory leaks in DTLS, including fixes for
|
|
CVE-2015-0206.
|
|
|
|
* Added Application-Layer Protocol Negotiation (ALPN) support.
|
|
|
|
* Removed GOST R 34.10-94 signature authentication.
|
|
|
|
* Removed nonfunctional Netscape browser-hang workaround code.
|
|
|
|
* Simplified and refactored SSL/DTLS handshake code.
|
|
|
|
* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
|
|
|
|
* Hide timing info about padding errors during handshakes.
|
|
|
|
* Improved libtls support for non-blocking sockets, added randomized
|
|
session ID contexts. Work is ongoing with this library - feedback
|
|
and potential use-cases are welcome.
|
|
|
|
* Support building Windows DLLs.
|
|
Thanks to Jan Engelhard.
|
|
|
|
* Packaged config wrapper for better compatibility with OpenSSL-based
|
|
build systems.
|
|
Thanks to @technion from github
|
|
|
|
* Ensure the stack is marked non-executable for assembly sections.
|
|
Thanks to Anthony G. Bastile.
|
|
|
|
* Enable extra compiler hardening flags by default, where applicable.
|
|
The default set of hardening features can vary by OS to OS, so
|
|
feedback is welcome on this. To disable the default hardening flags,
|
|
specify '--disable-hardening' during configure.
|
|
Thanks to Jim Barlow
|
|
|
|
* Initial HP-UX support, tested with HP-UX 11.31 ia64
|
|
Thanks to Kinichiro Inoguchi
|
|
|
|
* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
|
|
Imported from OpenNTPD, thanks to @gitisihara from github
|
|
|
|
2.1.2 - Many new features and improvements
|
|
* Added reworked GOST cipher suite support
|
|
thanks to Dmitry Eremin-Solenikov
|
|
|
|
* Enabled Camellia ciphers due to improved patent situation
|
|
|
|
* Use builtin arc4random implementation on OS X and FreeBSD
|
|
this addresses some deficiencies in the native implementations of
|
|
these operating systems, see commit logs for more information
|
|
|
|
* Added initial Windows mingw-w64 support (32 and 64-bit)
|
|
thanks to Song Dongsheng and others for code and feedback
|
|
|
|
* Enabled assembly optimizations on x86_64 CPUs
|
|
supports Linux, *BSD, Solaris and OS X operating systems
|
|
thanks to Wouter Clarie for the initial implementation
|
|
|
|
* Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)
|
|
|
|
* Improved build infrastructure, 'make distcheck' now passes
|
|
this simplifies and speeds developer efficiency
|
|
thanks to Dmitry Eremin-Solenikov and Wouter Clarie
|
|
|
|
* Allow conditional building of the libtls library
|
|
expect the API and ABI of the library to change
|
|
feedback is welcome
|
|
|
|
* Fixes for more memory leaks, cleanups, etc.
|
|
|
|
2.1.1 - Security update
|
|
* Address POODLE attack by disabling SSLv3 by default
|
|
|
|
* Fix Eliptical Curve cipher selection bug
|
|
(https://github.com/libressl-portable/portable/issues/35)
|
|
|
|
2.1.0 - First release from the OpenBSD 5.7 tree
|
|
* Added support for automatic ephemeral EC keys
|
|
|
|
* Fixes for many memory leaks and overflows in error handlers
|
|
|
|
* The TLS padding extension (that works around bugs in F5 terminators) is
|
|
off by default
|
|
|
|
* support for getrandom(2) on Linux 3.17
|
|
|
|
* the NO_ASM macro is no longer being set, providing the first bits toward
|
|
enabling other assembly offloads.
|
|
|
|
2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
|
|
* CVE-2014-3506
|
|
* CVE-2014-3507
|
|
* CVE-2014-3508 (partially vulnerable)he
|
|
* CVE-2014-3509
|
|
* CVE-2014-3510
|
|
* CVE-2014-3511
|
|
* Synced LibreSSL Portable with the release version of OpenBSD 5.6
|
|
|
|
2.0.4 - Portability fixes, deleted unused SRP code
|
|
|
|
2.0.3 - Portability fixes, improvements to fork detection
|
|
|
|
2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork
|
|
|
|
2.0.1 - Portability fixes:
|
|
* Removed -Werror and and other non-portable compiler flags
|
|
|
|
* Allow setting OPENSSLDIR and ENGINSDIR
|
|
|
|
2.0.0 - First release from the OpenBSD 5.6 tree
|
|
* Removal of many obsolete features and coding conventions from the OpenSSL
|
|
1.0.1h source
|