Update libressl README.DRAGONFLY for v2.4.4
[dragonfly.git] / crypto / libressl / ChangeLog
CommitLineData
f5b1c8a1
JM
1Because this project is maintained both in the OpenBSD tree using CVS and in
2Git, it can be confusing following all of the changes.
3
4Most of the libssl and libcrypto source code is is here in OpenBSD CVS:
5
6 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/
7
8Some of the libcrypto and OS-compatibility files for entropy and random number
9generation are here:
10
11 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/
12
13A simplified TLS wrapper library is here:
14
15 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/
16
17The LibreSSL Portable project copies these portions of the OpenBSD tree, along
18with relevant portions of the C library, to a Git repository. This makes it
19easier to follow all of the relevant changes to the upstream project in a
20single place:
21
22 https://github.com/libressl-portable/openbsd
23
24The portable bits of the project are largely maintained out-of-tree, and their
25history is also available from Git.
26
27 https://github.com/libressl-portable/portable
28
29LibreSSL Portable Release Notes:
30
0acf6c5c
JM
312.4.3 - Bug fixes and reliability improvements
32
33 * Reverted change that cleans up the EVP cipher context in
34 EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
35 previous behaviour.
36
37 * Avoid unbounded memory growth in libssl, which can be triggered by a
38 TLS client repeatedly renegotiating and sending OCSP Status Request
39 TLS extensions.
40
41 * Avoid falling back to a weak digest for (EC)DH when using SNI with
42 libssl.
43
f5b1c8a1
JM
442.4.2 - Bug fixes and improvements
45
46 * Fixed loading default certificate locations with openssl s_client.
47
48 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per
49 RFC6960. Also added fixes for OCSP to work with intermediate
50 certificates provided in responses.
51
52 * Improved behavior of arc4random on Windows to not appear to leak
53 memory in debug tools, reduced privileges of allocated memory.
54
55 * Fixed incorrect results from BN_mod_word() when the modulus is too
56 large, thanks to Brian Smith from BoringSSL.
57
58 * Correctly handle an EOF prior to completing the TLS handshake in
59 libtls.
60
61 * Improved libtls ceritificate loading and cipher string validation.
62
63 * Updated libtls cipher group suites into four categories:
64 "secure" (TLSv1.2+AEAD+PFS)
65 "compat" (HIGH:!aNULL)
66 "legacy" (HIGH:MEDIUM:!aNULL)
67 "insecure" (ALL:!aNULL:!eNULL)
68 This allows for flexibility and finer grained control, rather than
69 having two extremes.
70
71 * Limited support for 'backward compatible' SSLv2 handshake packets to
72 when TLS 1.0 is enabled, providing more restricted compatibility
73 with TLS 1.0 clients.
74
75 * openssl(1) and other documentation improvements.
76
77 * Removed flags for disabling constant-time operations.
78 This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
79 DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
80 all of these operations unconditionally constant-time.
81
82
832.4.1 - Security fix
84
85 * Correct a problem that prevents the DSA signing algorithm from
86 running in constant time even if the flag BN_FLG_CONSTTIME is set.
87 This issue was reported by Cesar Pereida (Aalto University), Billy
88 Brumley (Tampere University of Technology), and Yuval Yarom (The
89 University of Adelaide and NICTA). The fix was developed by Cesar
90 Pereida.
91
922.4.0 - Build improvements, new features
93
94 * Many improvements to the CMake build infrastructure, including
95 Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
96 Inoguchi for this work.
97
98 * Added missing error handling around bn_wexpand() calls.
99
100 * Added explicit_bzero calls for freed ASN.1 objects.
101
102 * Fixed X509_*set_object functions to return 0 on allocation failure.
103
104 * Implemented the IETF ChaCha20-Poly1305 cipher suites.
105
106 * Changed default EVP_aead_chacha20_poly1305() implementation to the
107 IETF version, which is now the default.
108
109 * Fixed password prompts from openssl(1) to properly handle ^C.
110
111 * Reworked error handling in libtls so that configuration errors are
112 visible.
113
114 * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
115
116 * Manpage fixes and updates
117
1182.3.5 - Reliability fix
119
120 * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
121
1222.3.4 - Security Update
123
124 * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
125 From OpenSSL.
126
127 * Minor build fixes
128
1292.3.3 - OpenBSD 5.9 release branch tagged
130
131 * Reworked build scripts to better sync with OpenNTPD-portable
132
133 * Fixed broken manpage links
134
135 * Fixed an nginx compatibility issue by adding an 'install_sw' make alias
136
137 * Fixed HP-UX builds
138
139 * Changed the default configuration directory to c:\LibreSSL\ssl on Windows
140 binary builds
141
142 * cert.pem has been reorganized and synced with Mozilla's certificate store
143
1442.3.2 - Compatibility and Reliability fixes
145
146 * Changed format of LIBRESSL_VERSION_NUMBER to match that of
147 OPENSSL_VERSION_NUMBER, see:
148 https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
149
150 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
151 construction introduced in RFC 7539, which is different than that
152 already used in TLS with EVP_aead_chacha20_poly1305()
153
154 * Avoid a potential undefined C99+ behavior due to shift overflow in
155 AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
156
157 * More man pages converted from pod to mdoc format
158
159 * Added COMODO RSA Certification Authority and QuoVadis
160 root certificates to cert.pem
161
162 * Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
163 Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
164 certificate from cert.pem
165
166 * Added support for building nc(1) on Solaris
167
168 * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
169
170 * Improved console handling with openssl(1) on Windows
171
172 * Ensure the network stack is enabled on Windows when running
173 tls_init()
174
175 * Fixed incorrect TLS certificate loading by nc(1)
176
177 * Added support for Solaris 11.3's getentropy(2) system call
178
179 * Enabled support for using NetBSD 7.0's arc4random(3) implementation
180
181 * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
182
183 * Fixes from OpenSSL 1.0.1q
184 - CVE-2015-3194 - NULL pointer dereference in client side certificate
185 validation.
186 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
187
188 * The following OpenSSL CVEs did not apply to LibreSSL
189 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
190 squaring procedure.
191 - CVE-2015-3196 - Double free race condition of the identify hint
192 data.
193
194 See https://marc.info/?l=openbsd-announce&m=144925068504102
195
1962.3.1 - ASN.1 and time handling cleanups
197
198 * ASN.1 cleanups and RFC5280 compliance fixes.
199
200 * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
201 now checks if the host OS supports 64-bit time_t.
202
203 * Fixed a leak in SSL_new in the error path.
204
205 * Support always extracting the peer cipher and version with libtls.
206
207 * Added ability to check certificate validity times with libtls,
208 tls_peer_cert_notbefore and tls_peer_cert_notafter.
209
210 * Changed tls_connect_servername to use the first address that resolves with
211 getaddrinfo().
212
213 * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
214 initial commit in 2004).
215
216 * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
217 by Qualys Security.
218
219 * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
220 sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
221
222 * Reject too small bits value in BN_generate_prime_ex(), so that it does
223 not risk becoming negative in probable_prime_dh_safe(), reported by
224 Franck Denis.
225
226 * Enable nc(1) builds on more platforms.
227
2282.3.0 - SSLv3 removed, libtls API changes, portability improvements
229
230 * SSLv3 is now permanently removed from the tree.
231
232 * The libtls API is changed from the 2.2.x series.
233
234 The read/write functions work correctly with external event
235 libraries. See the tls_init man page for examples of using libtls
236 correctly in asynchronous mode.
237
238 Client-side verification is now supported, with the client supplying
239 the certificate to the server.
240
241 Also, when using tls_connect_fds, tls_connect_socket or
242 tls_accept_fds, libtls no longer implicitly closes the passed in
243 sockets. The caller is responsible for closing them in this case.
244
245 * When loading a DSA key from an raw (without DH parameters) ASN.1
246 serialization, perform some consistency checks on its `p' and `q'
247 values, and return an error if the checks failed.
248
249 Thanks for Georgi Guninski (guninski at guninski dot com) for
250 mentioning the possibility of a weak (non prime) q value and
251 providing a test case.
252
253 See
254 https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
255 for a longer discussion.
256
257 * Fixed a bug in ECDH_compute_key that can lead to silent truncation
258 of the result key without error. A coding error could cause software
259 to use much shorter keys than intended.
260
261 * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
262 longer supported.
263
264 * The engine command and parameters are removed from the openssl(1).
265 Previous releases removed dynamic and builtin engine support
266 already.
267
268 * SHA-0 is removed, which was withdrawn shortly after publication 20
269 years ago.
270
271 * Added Certplus CA root certificate to the default cert.pem file.
272
273 * New interface OPENSSL_cpu_caps is provided that does not allow
274 software to inadvertently modify cpu capability flags.
275 OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
276
277 * The out_len argument of AEAD changed from ssize_t to size_t.
278
279 * Deduplicated DTLS code, sharing bugfixes and improvements with
280 TLS.
281
282 * Converted 'nc' to use libtls for client and server operations; it is
283 included in the libressl-portable distribution as an example of how
284 to use the library.
285
2862.2.3 - Bug fixes, build enhancements
287
288 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
289 include TLS extensions, resulting in such handshakes being aborted.
290 This release corrects the handling of such messages. Thanks to
291 Ligushka from github for reporting the issue.
292
293 * Added install target for cmake builds. Thanks to TheNietsnie from
294 github.
295
296 * Updated pkgconfig files to correctly report the release version
297 number, not the individual library ABI version numbers. Thanks to
298 Jan Engelhardt for reporting the issue.
299
3002.2.2 - More TLS parser rework, bug fixes, expanded portable build support
301
302 * Switched 'openssl dhparam' default from 512 to 2048 bits
303
304 * Reworked openssl(1) option handling
305
306 * More CRYPTO ByteString (CBC) packet parsing conversions
307
308 * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
309
310 * Fixed dozens of Coverity issues including dead code, memory leaks,
311 logic errors and more.
312
313 * Ensure that openssl(1) restores terminal echo state after reading a
314 password.
315
316 * Incorporated fix for OpenSSL Issue #3683
317
318 * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
319 for each portable release.
320
321 * Removed workarounds for TLS client padding bugs.
322
323 * No longer disable ECDHE-ECDSA on OS X
324
325 * Removed SSLv3 support from openssl(1)
326
327 * Removed IE 6 SSLv3 workarounds.
328
329 * Modified tls_write in libtls to allow partial writes, clarified with
330 examples in the documentation.
331
332 * Removed RSAX engine
333
334 * Tested SSLv3 removal with the OpenBSD ports tree and found several
335 applications that were not ready to build without SSLv3 yet. For
336 now, building a program that intentionally uses SSLv3 will result in
337 a linker warning.
338
339 * Added TLS_method, TLS_client_method and TLS_server_method as a
340 replacement for the SSLv23_*method calls.
341
342 * Added initial cmake build support, including support for building with
343 Visual Studio, currently tested with Visual Studio 2013 Community
344 Edition.
345
346 * --with-enginesdir is removed as a configuration parameter
347
348 * Default cert.pem, openssl.cnf, and x509v3.cnf files are now
349 installed under $sysconfdir/ssl or the directory specified by
350 --with-openssldir. Previous versions of LibreSSL left these empty.
351
3522.2.1 - Build fixes, feature added, features removed
353
354 * Assorted build fixes for musl, HP-UX, Mingw, Solaris.
355
356 * Initial support for Windows Embedded 2009, Server 2003, XP
357
358 * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
359
360 * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
361
362 * Removed Dynamic Engine support
363
364 * Removed unused and obsolete MDC-2DES cipher
365
366 * Removed workarounds for obsolete SSL implementations
367
3682.2.0 - Build cleanups and new OS support, Security Updates
369
370 * AIX Support - thanks to Michael Felt
371
372 * Cygwin Support - thanks to Corinna Vinschen
373
374 * Refactored build macros, support packaging libtls independently.
375 There are more pieces required to support building and using OpenSSL
376 with libtls, but this is an initial start at providing an
377 independent package for people to start hacking on.
378
379 * Removal of OPENSSL_issetugid and all library getenv calls.
380 Applications can and should no longer rely on environment variables
381 for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
382 supported with the openssl(1) command.
383
384 * libtls API and documentation additions
385
386 * Various bug fixes and simplifications to libssl and libcrypto
387
388 * Fixes for the following issues are integrated into LibreSSL 2.2.0:
389 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
390 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
391 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
392
393 * The following CVEs did not apply to LibreSSL or were fixed in
394 earlier releases:
395 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
396 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
397 - CVE-2014-8176 - Invalid free in DTLS
398
399 * Fixes for the following CVEs are still in review for LibreSSL
400 - CVE-2015-1791 - Race condition handling NewSessionTicket
401
4022.1.6 - Security update
403
404 * Fixes for the following issues are integrated into LibreSSL 2.1.6:
405 - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
406 - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
407 - CVE-2015-0287 - ASN.1 structure reuse memory corruption
408 - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
409 - CVE-2015-0289 - PKCS7 NULL pointer dereferences
410
411 * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
412 is integrated for safety, but LibreSSL is not vulnerable.
413
414 * Libtls is now built by default. The --enable-libtls
415 configuration option is no longer required.
416 The libtls API is now stable for the 2.1.x series.
417
4182.1.5 - Bug fixes and a security update
419 * Fix incorrect comparison function in openssl(1) certhash command.
420 Thanks to Christian Neukirchen / Void Linux.
421
422 * Windows port improvements and bug fixes.
423 - Removed a dependency on libgcc in 32-bit dynamic libraries.
424 - Correct a hang in openssl(1) reading from stdin on an connection.
425 - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
426 any other network-related commands to function properly.
427
428 * Reject all server DH keys smaller than 1024 bits.
429
4302.1.4 - Security and feature updates
431 * Improvements to libtls:
432 - a new API for loading CA chains directly from memory instead of a
433 file, allowing verification with privilege separation in a chroot
434 without direct access to CA certificate files.
435
436 - Ciphers default to TLSv1.2 with AEAD and PFS.
437
438 - Improved error handling and message generation
439
440 - New APIs and improved documentation
441
442 * Added X509_STORE_load_mem API for loading certificates from memory.
443 This facilitates accessing certificates from a chrooted environment.
444
445 * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
446 using 'TLSv1.2+AEAD' as the cipher selection string.
447
448 * Dead and disabled code removal including MD5, Netscape workarounds,
449 non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
450
451 * ASN1 macro maze expanded to aid reading and searching the code.
452
453 * NULL pointer asserts removed in favor of letting the OS/signal
454 handler catch them.
455
456 * Refactored argument handling in openssl(1) for consistency and
457 maintainability.
458
459 * New openssl(1) command 'certhash' replaces the c_rehash script.
460
461 * Support for building with OPENSSL_NO_DEPRECATED
462
463 * Server-side support for TLS_FALLBACK_SCSV for compatibility with
464 various auditor and vulnerability scanners.
465
466 * Dozens of issues found with the Coverity scanner fixed.
467
468 * Security Updates:
469
470 - Fix a minor information leak that was introduced in t1_lib.c
471 r1.71, whereby an additional 28 bytes of .rodata (or .data) is
472 provided to the network. In most cases this is a non-issue since
473 the memory content is already public. Issue found and reported by
474 Felix Groebert of the Google Security Team.
475
476 - Fixes for the following low-severity issues were integrated into
477 LibreSSL from OpenSSL 1.0.1k:
478
479 CVE-2015-0205 - DH client certificates accepted without
480 verification
481 CVE-2014-3570 - Bignum squaring may produce incorrect results
482 CVE-2014-8275 - Certificate fingerprints can be modified
483 CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
484 Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
485
486 The following CVEs were fixed in earlier LibreSSL releases:
487 CVE-2015-0206 - Memory leak handling repeated DLTS records
488 CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
489
490 The following CVEs did not apply to LibreSSL:
491 CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
492 CVE-2014-3569 - no-ssl3 configuration sets method to NULL
493 CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
494
4952.1.3 - Security update and OS support improvements
496 * Fixed various memory leaks in DTLS, including fixes for
497 CVE-2015-0206.
498
499 * Added Application-Layer Protocol Negotiation (ALPN) support.
500
501 * Removed GOST R 34.10-94 signature authentication.
502
503 * Removed nonfunctional Netscape browser-hang workaround code.
504
505 * Simplfied and refactored SSL/DTLS handshake code.
506
507 * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
508
509 * Hide timing info about padding errors during handshakes.
510
511 * Improved libtls support for non-blocking sockets, added randomized
512 session ID contexts. Work is ongoing with this library - feedback
513 and potential use-cases are welcome.
514
515 * Support building Windows DLLs.
516 Thanks to Jan Engelhard.
517
518 * Packaged config wrapper for better compatibility with OpenSSL-based
519 build systems.
520 Thanks to @technion from github
521
522 * Ensure the stack is marked non-executable for assembly sections.
523 Thanks to Anthony G. Bastile.
524
525 * Enable extra compiler hardening flags by default, where applicable.
526 The default set of hardening features can vary by OS to OS, so
527 feedback is welcome on this. To disable the default hardening flags,
528 specify '--disable-hardening' during configure.
529 Thanks to Jim Barlow
530
531 * Initial HP-UX support, tested with HP-UX 11.31 ia64
532 Thanks to Kinichiro Inoguchi
533
534 * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
535 Imported from OpenNTPD, thanks to @gitisihara from github
536
5372.1.2 - Many new features and improvements
538 * Added reworked GOST cipher suite support
539 thanks to Dmitry Eremin-Solenikov
540
541 * Enabled Camellia ciphers due to improved patent situation
542
543 * Use builtin arc4random implementation on OS X and FreeBSD
544 this addresses some deficiencies in the native implementations of
545 these operating systems, see commit logs for more information
546
547 * Added initial Windows mingw-w64 support (32 and 64-bit)
548 thanks to Song Dongsheng and others for code and feedback
549
550 * Enabled assembly optimizations on x86_64 CPUs
551 supports Linux, *BSD, Solaris and OS X operating systems
552 thanks to Wouter Clarie for the initial implementation
553
554 * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)
555
556 * Improved build infrastructure, 'make distcheck' now passes
557 this simplifies and speeds developer efficiency
558 thanks to Dmitry Eremin-Solenikov and Wouter Clarie
559
560 * Allow conditional building of the libtls library
561 expect the API and ABI of the library to change
562 feedback is welcome
563
564 * Fixes for more memory leaks, cleanups, etc.
565
5662.1.1 - Security update
567 * Address POODLE attack by disabling SSLv3 by default
568
569 * Fix Eliptical Curve cipher selection bug
570 (https://github.com/libressl-portable/portable/issues/35)
571
5722.1.0 - First release from the OpenBSD 5.7 tree
573 * Added support for automatic ephemeral EC keys
574
575 * Fixes for many memory leaks and overflows in error handlers
576
577 * The TLS padding extension (that works around bugs in F5 terminators) is
578 off by default
579
580 * support for getrandom(2) on Linux 3.17
581
582 * the NO_ASM macro is no longer being set, providing the first bits toward
583 enabling other assembly offloads.
584
5852.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
586 * CVE-2014-3506
587 * CVE-2014-3507
588 * CVE-2014-3508 (partially vulnerable)he
589 * CVE-2014-3509
590 * CVE-2014-3510
591 * CVE-2014-3511
592 * Synced LibreSSL Portable with the release version of OpenBSD 5.6
593
5942.0.4 - Portability fixes, deleted unused SRP code
595
5962.0.3 - Portability fixes, improvements to fork detection
597
5982.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork
599
6002.0.1 - Portability fixes:
601 * Removed -Werror and and other non-portable compiler flags
602
603 * Allow setting OPENSSLDIR and ENGINSDIR
604
6052.0.0 - First release from the OpenBSD 5.6 tree
606 * Removal of many obsolete features and coding conventions from the OpenSSL
607 1.0.1h source