1 Because this project is maintained both in the OpenBSD tree using CVS and in
2 Git, it can be confusing following all of the changes.
4 Most of the libssl and libcrypto source code is is here in OpenBSD CVS:
6 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/
8 Some of the libcrypto and OS-compatibility files for entropy and random number
11 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/
13 A simplified TLS wrapper library is here:
15 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/
17 The LibreSSL Portable project copies these portions of the OpenBSD tree, along
18 with relevant portions of the C library, to a Git repository. This makes it
19 easier to follow all of the relevant changes to the upstream project in a
22 https://github.com/libressl-portable/openbsd
24 The portable bits of the project are largely maintained out-of-tree, and their
25 history is also available from Git.
27 https://github.com/libressl-portable/portable
29 LibreSSL Portable Release Notes:
31 3.2.2 - Stable release
33 * This is the first stable release with the new TLSv1.3
34 implementation enabled by default for both client and server. The
35 OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
36 in an upcoming release.
38 * New X509 certificate chain validator that correctly handles
39 multiple paths through intermediate certificates. Loosely based on
42 * New name constraints verification implementation which passes the
43 bettertls.com certificate validation check suite.
45 * Improve the handling of BIO_read()/BIO_write() failures in the
48 * Start replacing the existing TLSv1.2 record layer.
50 * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.
52 * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
54 * Send alert on ssl_get_prev_session() failure.
56 * Zero out variable on the stack to avoid leaving garbage in the tail
59 * Move state initialization from SSL_clear() to ssl3_clear() to ensure
60 that it gets correctly reinitialized across a SSL_set_ssl_method()
63 * Avoid an out-of-bounds write in BN_rand().
65 * Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
68 * Correctly track selected ALPN length to avoid a potential segmentation
69 fault with SSL_get0_alpn_selected() when alpn_selected is NULL.
71 * Include machine/endian.h gost2814789.c in order to pick up the
72 __STRICT_ALIGNMENT define.
74 * Simplify SSL method lookups.
76 * Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
77 SSL_set_ssl_method() and several internal functions.
79 * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().
81 * Refactor dtls1_new(), dtls1_hm_fragment_new(),
82 dtls1_drain_fragments(), dtls1_clear_queues().
84 * Copy the session ID directly in ssl_get_prev_session() instead of
85 handing it through several functions for copying.
87 * Clean up and refactor ssl_get_prev_session(); simplify
88 tls_decrypt_ticket() and tls1_process_ticket() exit paths.
90 * Avoid memset() before memcpy() in CBS_add_bytes().
92 * Rewrite X509_INFO_{new,free}() more idiomatically.
94 * Remove unnecessary zeroing after recallocarray() in
95 ASN1_BIT_STRING_set_bit().
97 * Convert openssl(1) ocsp new option handling.
99 * Document SSL_set1_host(3), SSL_set_SSL_CTX(3).
101 * Document return value from EC_KEY_get0_public_key(3).
103 * Greatly expanded test coverage via the tlsfuzzer test scripts.
105 * Expanded test coverage via the bettertls certificate test suite.
107 * Test interoperability with the Botan TLS client.
109 * Make pthread_mutex static initialisation work on Windows.
111 * Get __STRICT_ALIGNMENT from machine/endian.h with portable build.
113 3.2.1 - Development release
115 * Propagate alerts from the read half of the TLSv1.3 record layer to I/O
118 * Send a record overflow alert for TLSv1.3 messages having overlong
119 plaintext or inner plaintext.
121 * Send an illegal parameter alert if a client sends an invalid DH key
124 * Document PKCS7_final(3), PKCS7_add_attribute(3).
126 * Collapse x509v3 directory into x509.
128 * Improve TLSv1.3 client certificate selection to allow EC certificates
129 instead of only RSA certificates.
131 * Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
132 of constructing a broken objects that may cause NULL pointer accesses.
134 * Add support for additional GOST curves from RFC 7836 and
135 draft-deremin-rfc4491-bis.
137 * Add OIDs for HMAC using the Streebog hash function.
139 * Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.
141 * Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.
143 * Handle GOST in ssl_cert_dup().
145 * Stop sending GOST R 34.10-94 as a CertificateType.
147 * Use IANA allocated GOST ClientCertificateTypes.
149 * Add a custom copy handler for AES keywrap to fix a use-after-free.
151 * Enforce in the TLSv1.3 server that that ClientHello messages after
152 a HelloRetryRequest match the original ClientHello as per RFC 8446
155 * Document more PKCS7 attribute functions.
157 * Document PKCS7_get_signer_info(3).
159 * Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).
161 * Document PEM_def_callback(3).
163 * Document EVP_read_pw_string_min(3).
165 * Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.
167 * Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3)
169 * Document X509_get0_pubkey_bitstr(3).
171 * Fix an off-by-one in the CBC padding removal. From BoringSSL.
173 * Enforce restrictions on extensions present in the ClientHello as per
174 RFC 8446, section 9.2.
176 * Add new CMAC_Init(3) and ChaCha(3) manual pages.
178 * Fix SSL_shutdown behavior to match the legacy stack. The previous
179 behavior could cause a hang.
181 * Add initial support for openbsd/powerpc64.
183 * Make the message type available in the internal TLS extensions API
186 * Enable TLSv1.3 for the generic TLS_method().
188 * Convert openssl(1) s_client option handling.
190 * Document openssl(1) certhash.
192 * Convert openssl(1) verify option handling.
194 * Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
195 use-after-free and double-free issues in calling programs.
197 * Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).
199 * Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.
201 * Convert openssl(1) s_server option handling.
203 * Add minimal info callback support for TLSv1.3.
205 * Refactor, clean up and simplify some SSL3/DTLS1 record writing code.
207 * Correctly handle server requests for an OCSP response.
209 * Add the P-521 curve to the list of curves supported by default
212 * Convert openssl(1) req option handling.
214 * Avoid calling freezero with a negative size if a server sends a
215 malformed plaintext of all zeroes.
217 * Send an unexpected message alert if no valid content type is found
220 3.2.0 - Development release
222 * Enable TLS 1.3 server side in addition to client by default.
223 With this change TLS 1.3 is handled entirely on the new stack
224 and state machine, with fallback to the legacy stack and
225 state machine for older versions. Note that the OpenSSL TLS 1.3
226 API is not yet visible/available.
228 * Improve length checks in the TLS 1.3 record layer and provide
229 appropriate alerts for violations of record layer limits.
231 * Enforce that SNI hostnames received by the TLS server are correctly
232 formed as per RFC 5890 and RFC 6066, responding with illegal parameter
233 for a nonconformant host name.
235 * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
236 retry of handshake messages.
238 * Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
239 similar to new OpenSSL releases.
241 * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
244 * Add tlsfuzzer based regression tests.
246 * Support sending certificate status requests from the TLS 1.3
247 client to request OCSP staples for leaf certificates.
249 * Support sending certificate status replies from the TLS 1.3 server
250 in order to send OCSP staples for leaf certificates.
252 * Send correct alerts when handling failed key share extensions
253 on the TLS 1.3 server.
255 * Various compatibility fixes for TLS 1.3 to 1.2 fallback for
256 switching from the new to legacy stacks.
258 * Support TLS 1.3 options in the openssl(1) command.
260 * Many alert cleanups in TLS 1.3 to provide expected alerts in failure
263 * Modify "openssl x509" to display invalid certificate times as
264 invalid, and correctly deal with the failing return case from
265 X509_cmp_time so that a certificate with an invalid NotAfter does
268 * Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
271 * Ensure only PSS signatures are used with RSA in TLS 1.3.
273 * Ensure that TLS 1.3 clients advertise exactly the "null" compression
274 method in its legacy_compression_methods.
276 * Correct use of sockaddr_storage instead of sockaddr in openssl(1)
277 s_client, which could lead to using 14 bytes of stack garbage instead
278 of an IPv6 address in DTLS mode.
280 * Use non-expired certificates first when building a certificate chain.
282 3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:
284 * Improve client certificate selection to allow EC certificates
285 instead of only RSA certificates.
287 * Do not error out if a TLSv1.3 server requests an OCSP response as
288 part of a certificate request.
290 * Fix SSL_shutdown behavior to match the legacy stack. The previous
291 behaviour could cause a hang.
293 * Fix a memory leak and add a missing error check in the handling of
294 the key update message.
296 * Fix a memory leak in tls13_record_layer_set_traffic_key.
298 * Avoid calling freezero with a negative size if a server sends a
299 malformed plaintext of all zeroes.
301 * Ensure that only PSS may be used with RSA in TLSv1.3 in order
302 to avoid using PKCS1-based signatures.
304 * Add the P-521 curve to the list of curves supported by default
309 * libcrypto may fail to build a valid certificate chain due to
310 expired untrusted issuer certificates.
314 * A TLS client with peer verification disabled may crash when
315 contacting a server that sends an empty certificate list.
317 3.1.1 - Stable release
319 * Improved cipher suite handling to automatically include TLSv1.3
320 cipher suites when they are not explicitly referred to in the
323 * Improved handling of TLSv1.3 HelloRetryRequests, simplifying
324 state transitions and ensuring that the legacy session identifer
325 retains the same value across the handshake.
327 * Provided TLSv1.3 cipher suite aliases to match the names used
330 * Improved TLSv1.3 client key share handling to allow the use of
331 any groups in our configured NID list.
333 * Fixed printing the serialNumber with X509_print_ex() fall back to
334 the colon separated hex bytes in case greater than int value.
336 * Fix to disallow setting the AES-GCM IV length to zero.
338 * Added -groups option to openssl(1) s_server subcommand.
340 * Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.
342 * Improved portable builds to support the use of static MSVC runtimes.
344 * Fixed portable builds to avoid exporting a sleep() symbol.
346 3.1.0 - Development release
348 * Completed initial TLS 1.3 implementation with a completely new state
349 machine and record layer. TLS 1.3 is now enabled by default for the
350 client side, with the server side to be enabled in a future release.
351 Note that the OpenSSL TLS 1.3 API is not yet visible/available.
353 * Many more code cleanups, fixes, and improvements to memory handling
354 and protocol parsing.
356 * Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
358 * Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
359 1.1.1 and enabled by default.
361 * Improved compatibility by backporting functionality and documentation
364 * Added many new additional crypto test vectors.
366 * Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.
368 * Default CA bundle location is now configurable in portable builds.
370 * Added cms subcommand to openssl(1).
372 * Added -addext option to openssl(1) req subcommand.
374 3.0.2 - Stable release
376 * Use a valid curve when constructing an EC_KEY that looks like X25519.
377 The recent EC group cofactor change results in stricter validation,
378 which causes the EC_GROUP_set_generator() call to fail.
379 Issue reported and fix tested by rsadowski@
381 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
382 (Note that the CMS code is currently disabled)
383 Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)
385 * Avoid a path traversal bug in s_server on Windows when run with the -WWW
386 or -HTTP options, due to incomplete path check logic.
387 Issue reported and fix tested by Jobert Abma
389 3.0.1 - Development release
391 * Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
392 or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
393 it using Hasse's bound. This works as long as the cofactor is small
396 * Fixed a memory leak in error paths for eckey_type2param().
398 * Initial work on supporting Cryptographic Message Syntax (CMS) in
399 libcrypto (not enabled).
401 * Various manual page improvements and additions.
403 * Added a CMake check for an existing uninstall target, facilitating
404 embedding LibreSSL in larger CMake projects, from Matthew Albrecht.
406 3.0.0 - Development release
408 * Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.
410 * Documented undescribed options and removed unfunctional options
411 description in openssl(1) manual.
413 * A plethora of small fixes due to regular oss-fuzz testing.
415 * Various side channels in DSA and ECDSA were addressed. These are some of
416 the many issues found in an extensive systematic analysis of bignum usage
417 by Samuel Weiser, David Schrammel et al.
419 * Enabled openssl(1) speed subcommand on Windows platform.
421 * Enabled performance optimizations when building with Visual Studio on Windows.
423 * Fixed incorrect carry operation in 512 addition for Streebog.
425 * Fixed -modulus option with openssl(1) dsa subcommand.
427 * Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.
431 * Fixed portable builds with older versions of MacOS,
432 Android targets < API 21, and Solaris 10
434 * Fixed SRTP profile advertisement for DTLS servers.
436 2.9.1 - Stable release
438 * Added support for XChaCha20 and XChaCha20-Poly1305.
440 * Added support for AES key wrap constructions via the EVP interface.
442 * Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.
444 * Added pbkdf2 key derivation support to openssl(1)
446 * Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.
448 * Changed the default digest type of openssl(1) enc to to sha256.
450 * Changed the default digest type of openssl(1) dgst to sha256.
452 * Changed the default digest type of openssl(1) x509 -fingerprint to sha256.
454 * Changed the default digest type of openssl(1) crl -fingerprint to sha256.
456 * Improved Windows, Android, and ARM compatibility, including assembly
457 optimizations on Mingw-w64 targets.
459 2.9.0 - Development release
461 * Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.
463 * Fixed warnings about clock_gettime on Windows Visual Studio builds.
465 * Fixed CMake builds on systems where getpagesize is defined as an
468 * CRYPTO_LOCK is now automatically initialized, with the legacy
469 callbacks stubbed for compatibility.
471 * Added the SM3 hash function from the Chinese standard GB/T 32905-2016.
473 * Added more OPENSSL_NO_* macros for compatibility with OpenSSL.
475 * Added extensive interoperability tests between LibreSSL and OpenSSL
478 * Added additional Wycheproof tests and related bug fixes.
480 * Simplified sigalgs option processing and handshake signing algorithm
482 * Added the ability to use the RSA PSS algorithm for handshake
485 * Added bn_rand_interval() and use it in code needing ranges of random
488 * Added functionality to derive early, handshake, and application
489 secrets as per RFC8446.
491 * Added handshake state machine from RFC8446.
493 * Removed some ASN.1 related code from libcrypto that had not been used
496 * Unexported internal symbols and internalized more record layer structs.
498 * Added support for assembly optimizations on 32-bit ARM ELF targets.
500 * Improved protection against timing side channels in ECDSA signature
503 * Coordinate blinding was added to some elliptic curves. This is the
504 last bit of the work by Brumley et al. to protect against the
505 Portsmash vulnerability.
507 * Ensure transcript handshake is always freed with TLS 1.2.
509 2.8.2 - Stable release
511 * Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
512 along with test harness fixes.
514 * Fixed memory leak in nc(1)
516 2.8.1 - Test and compatibility improvements
518 * Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
519 AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
520 X25519 test vectors. Applied appropriate fixes for errors uncovered
523 * Simplified key exchange signature generation and verification.
525 * Fixed a one-byte buffer overrun in callers of EVP_read_pw_string
527 * Converted more code paths to use CBB/CBS. All handshake messages are
530 * Fixed various memory leaks found by Coverity.
532 * Simplified session ticket parsing and handling, inspired by
535 * Modified signature of CRYPTO_mem_leaks_* to return -1. This function
536 is a no-op in LibreSSL, so this function returns an error to not
537 indicate the (non-)existence of memory leaks.
539 * SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
540 X509_OBJECT_up_ref_count now return an int for error handling,
543 * Converted a number of #defines into proper functions, matching
546 * Added X509_get0_serialNumber from OpenSSL.
548 * Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
549 PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
552 * Removed broken pkcs8 formats from openssl(1).
554 * Converted more functions in public API to use const arguments.
556 * Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the
559 * Stopped using composite EVP_CIPHER AEADs.
561 * Added timing-safe compares for checking results of signature
562 verification. There are no known attacks, this is just inexpensive
565 * Correctly clear the current cipher state, when changing cipher state.
566 This fixed an issue where renegotiation of cipher suites would fail
567 when switched from AEAD to non-AEAD or vice-versa.
568 Issue reported by Bernard Spil.
570 * Added more cipher tests to appstest.sh, including all TLSv1.2
573 * Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL.
575 * Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
576 retrieved and set with appropriate validation.
578 2.8.0 - Bug fixes, security, and compatibility improvements
580 * Extensive documentation updates and additional API history.
582 * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry
584 * Tighten up checks for various X509_VERIFY_PARAM functions,
585 'poisoning' parameters so that an unverified certificate cannot be
586 used if it fails verification.
588 * Fixed a potential memory leak on failure in ASN1_item_digest
590 * Fixed a potential memory alignment crash in asn1_item_combine_free
592 * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
593 SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.
595 * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.
597 * Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers
598 and matching OpenSSL behavior, rewrote ENGINE_* documentation.
600 * Added const annotations to many existing APIs from OpenSSL, making
601 interoperability easier for downstream applications.
603 * Fixed small timing side-channels in ecdsa_sign_setup and
606 * Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
607 operation of BN_* functions.
609 * Updated BN_clear to use explicit_bzero.
611 * Added a missing bounds check in c2i_ASN1_BIT_STRING.
613 * More CBS conversions, including simplifications to RSA key exchange,
614 and converted code to use dedicated buffers for secrets.
616 * Removed three remaining single DES cipher suites.
618 * Fixed a potential leak/incorrect return value in DSA signature
621 * Added a blinding value when generating DSA and ECDSA signatures, in
622 order to reduce the possibility of a side-channel attack leaking the
625 * Added ECC constant time scalar multiplication support.
626 From Billy Brumley and his team at Tampere University of Technology.
628 * Revised the implementation of RSASSA-PKCS1-v1_5 to match the
629 specification in RFC 8017. Based on an OpenSSL commit by David
632 * Cleaned up BN_* implementations following changes made in OpenSSL by
633 Davide Galassi and others.
635 2.7.4 - Security fixes
637 * Avoid a timing side-channel leak when generating DSA and ECDSA
638 signatures. This is caused by an attempt to do fast modular
639 arithmetic, which introduces branches that leak information
640 regarding secret values. Issue identified and reported by Keegan
643 * Reject excessively large primes in DH key generation. Problem
644 reported by Guido Vranken to OpenSSL
645 (https://github.com/openssl/openssl/pull/6457) and based on his
650 * Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
653 * Fixed an issue normalizing CPU architecture in the configure script,
654 which disabled assembly optimizations on platforms that get detected
655 as 'amd64', opposed to 'x86_64'
657 * Limited tls_config_clear_keys() to only clear private keys.
658 This was inadvertently clearing the keypair, which includes the OCSP
659 staple and pubkey hash - if an application called tls_configure()
660 followed by tls_config_clear_keys(), this would prevent OCSP staples
663 2.7.2 - Stable release
665 * Updated and added extensive new HISTORY sections to API manuals.
667 * Added support for shared library builds with CMake on all supported
668 platforms. Note that some of the CMake options have changed, consult
669 the README for details.
673 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name
674 length provided is 0 to match the OpenSSL behaviour. Issue noticed
675 by Christian Heimes <christian@python.org>.
677 * Fixed builds macOS 10.11 and older.
679 2.7.0 - Bug fixes and improvements
681 * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
682 observations of real-world usage in applications. These are
683 implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
684 changes have not been made to existing structs, allowing code written
685 for older OpenSSL APIs to continue working.
687 * Extensive corrections, improvements, and additions to the
688 API documentation, including new public APIs from OpenSSL that had
689 no pre-existing documentation.
691 * Added support for automatic library initialization in libcrypto,
692 libssl, and libtls. Support for pthread_once or a compatible
693 equivalent is now required of the target operating system. As a
694 side-effect, minimum Windows support is Vista or higher.
696 * Converted more packet handling methods to CBB, which improves
697 resiliency when generating TLS messages.
699 * Completed TLS extension handling rewrite, improving consistency of
700 checks for malformed and duplicate extensions.
702 * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
703 This removes the last remaining use of the old M_ASN1_* macros
704 (asn1_mac.h) from API that needs to continue to exist.
706 * Added support for client-side session resumption in libtls.
707 A libtls client can specify a session file descriptor (a regular
708 file with appropriate ownership and permissions) and libtls will
709 manage reading and writing of session data across TLS handshakes.
711 * Improved support for strict alignment on ARMv7 architectures,
712 conditionally enabling assembly in those cases.
714 * Fixed a memory leak in libtls when reusing a tls_config.
716 * Merged more DTLS support into the regular TLS code path, removing
719 * Many improvements to Windows Cmake-based builds and tests,
720 especially when targeting Visual Studio.
724 * Make tls_config_parse_protocols() work correctly when passed a NULL
725 pointer for a protocol string. Issue found by semarie@, who also
728 * Correct TLS extensions handling when no extensions are present.
729 If no TLS extensions are present in a client hello or server hello,
730 omit the entire extensions block, rather than including it with a
731 length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
732 providing packet captures and testing the fix.
734 * Fixed portable builds on older Android systems, and systems with out
737 2.6.3 - OpenBSD 6.2 Release
739 * No core changes from LibreSSL 2.6.2
741 * Minor compatibility fixes in portable version.
745 * Provide a useful error with libtls if there are no OCSP URLs in a
748 * Keep track of which keypair is in use by a TLS context, fixing a bug
749 where a TLS server with SNI would only return the OCSP staple for the
750 default keypair. Issue reported by William Graeber and confirmed by
753 * Fixed various issues in the OCSP extension parsing code.
754 The original code incorrectly passes the pointer allocated via
755 CBS_stow() (using malloc()) to a d2i_*() function and then calls
756 free() on the now incremented pointer, most likely resulting in a
757 crash. This issue was reported by Robert Swiecki who found the issue
760 * If tls_config_parse_protocols() is called with a NULL pointer,
761 return the default protocols instead of crashing - this makes the
762 behaviour more useful and mirrors what we already do in
763 tls_config_set_ciphers() et al.
765 2.6.1 - Code removal, rewrites
767 * Added a "-T tlscompat" option to nc(1), which enables the use of all
768 TLS protocols and "compat" ciphers. This allows for TLS connections
769 to TLS servers that are using less than ideal cipher suites, without
770 having to resort to "-T tlsall" which enables all known cipher
771 suites. Diff from Kyle J. McKay.
773 * Added a new TLS extension handling framework, somewhat analogous to
774 BoringSSL, and converted all TLS extensions to use it. Added new TLS
775 extension regression tests.
777 * Improved and added many new manpages. Updated *check_private_key
778 manpages with additional cautions regarding their use.
780 * Cleaned up the EC key/curve configuration handling.
782 * Added tls_config_set_ecdhecurves() to libtls, which allows the names
783 of the eliptical curves that may be used during client and server
784 key exchange to be specified.
786 * Converted more code paths to use CBB/CBS.
788 * Removed support for DSS/DSA, since we removed the cipher suites a
791 * Removed NPN support. NPN was never standardised and the last draft
792 expired in October 2012. ALPN was standardised in July 2014 and has
793 been supported in LibreSSL since December 2014. NPN has also been
794 removed from Chromium in May 2016.
796 * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
799 * Removed support for the TLS padding extension, which was added as a
800 workaround for an old bug in F5's TLS termination.
802 * Worked around another bug in F5's TLS termination handling of the
803 elliptical curves extension. RFC 4492 only defines elliptic_curves
804 for ClientHello. However, F5 is sending it in ServerHello. We need
805 to skip over it since our TLS extension parsing code is now more
806 strict. Thanks to Armin Wolfermann and WJ Liu for reporting.
808 * Added ability to clamp notafter valies in certificates for systems
809 with 32-bit time_t. This is necessary to conform to RFC 5280
812 * Implemented the SSL_CTX_set_min_proto_version(3) API.
814 * Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
816 * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
818 2.6.0 - New APIs, bug fixes and improvements
820 * Added support for providing CRLs to libtls. Once a CRL is provided we
821 enable CRL checking for the full certificate chain. Based on a diff
824 * Allow non-compliant clients using IP literal addresses with SNI
825 to connect to a server using libtls.
827 * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
828 Reported by Robert Swiecki, who found the issue using honggfuzz.
830 * Added definitions for three OIDs used in EV certificates.
833 * Added tls_peer_cert_chain_pem to libtls, useful in private
834 certificate validation callbacks such as those in relayd.
836 * Converted explicit clear/free sequences to use freezero(3).
838 * Reworked TLS certificate name verification code to more strictly
841 * Cleaned up and simplified server key exchange EC point handling.
843 * Added tls_keypair_clear_key for clearing key material.
845 * Removed inconsistent IPv6 handling from BIO_get_accept_socket,
846 simplified BIO_get_host_ip and BIO_accept.
848 * Fixed the openssl(1) ca command so that is generates certificates
849 with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
851 * Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
853 * Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
855 * Added HKDF (HMAC Key Derivation Function) from BoringSSL
857 * Provided a tls_unload_file() function that frees the memory returned
858 from a tls_load_file() call, ensuring that it the contents become
859 inaccessible. This is specifically needed on platforms where the
860 library allocators may be different from the application allocator.
862 * Perform reference counting for tls_config. This allows
863 tls_config_free() to be called as soon as it has been passed to the
864 final tls_configure() call, simplifying lifetime tracking for the
867 * Moved internal state of SSL and other structures to be opaque.
869 * Dropped cipher suites with DSS authentication.
871 * nc(1) improvements, including:
872 nc -W to terminate nc after receiving a number of packets
873 nc -Z for saving the peer certificate and chain in a pem file
877 * Distinguish between self-issued certificates and self-signed
878 certificates. The certificate verification code has special cases
879 for self-signed certificates and without this change, self-issued
880 certificates (which it seems are common place with
881 openvpn/easyrsa) were also being included in this category.
883 * Added getpagesize fallback, needed for Android bionic libc.
885 2.5.4 - Security Updates
887 * Revert a previous change that forced consistency between return
888 value and error code when specifing a certificate verification
889 callback, since this breaks the documented API. When a user supplied
890 callback always returns 1, and later code checks the error code to
891 potentially abort post verification, this will result in incorrect
892 successul certificate verification.
894 * Switched Linux getrandom() usage to non-blocking mode, continuing to
895 use fallback mechanims if unsuccessful. This works around a design
896 flaw in Linux getrandom(2) where early boot usage in a library makes
897 it impossible to recover if getrandom(2) is not yet initialized.
899 * Fixed a bug caused by the return value being set early to signal
900 successful DTLS cookie validation. This can mask a later failure and
901 result in a positive return value being returned from
902 ssl3_get_client_hello(), when it should return a negative value to
905 * Fixed a build error on non-x86/x86_64 systems running Solaris.
907 2.5.3 - OpenBSD 6.1 Release
909 * Documentation updates
911 * Improved ocspcheck(1) error handling
913 2.5.2 - Security features and bugfixes
915 * Added the recallocarray(3) memory allocation function, and converted
916 various places in the library to use it, such as CBB and BUF_MEM_grow.
917 recallocarray(3) is similar to reallocarray. Newly allocated memory
918 is cleared similar to calloc(3). Memory that becomes unallocated
919 while shrinking or moving existing allocations is explicitly
920 discarded by unmapping or clearing to 0
922 * Added new root CAs from SECOM Trust Systems / Security Communication
925 * Added EVP interface for MD5+SHA1 hashes.
927 * Fixed DTLS client failures when the server sends a certificate
930 * Correct handling of padding when upgrading an SSLv2 challenge into
931 an SSLv3/TLS connection.
933 * Allow protocols and ciphers to be set on a TLS config object in
936 * Improved nc(1) TLS handshake CPU usage and server-side error
939 2.5.1 - Bug and security fixes, new features, documentation updates
941 * X509_cmp_time() now passes a malformed GeneralizedTime field as an
942 error. Reported by Theofilos Petsios.
944 * Detect zero-length encrypted session data early, instead of when
945 malloc(0) fails or the HMAC check fails. Noted independently by
946 jsing@ and Kurt Cancemi.
948 * Check for and handle failure of HMAC_{Update,Final} or
951 * Massive update and normalization of manpages, conversion to
952 mandoc format. Many pages were rewritten for clarity and accuracy.
953 Portable doc links are up-to-date with a new conversion tool.
955 * Curve25519 Key Exchange support.
957 * Support for alternate chains for certificate verification.
959 * Code cleanups, CBS conversions, further unification of DTLS/SSL
960 handshake code, further ASN1 macro expansion and removal.
962 * Private symbol are now hidden in libssl and libcryto.
964 * Friendly certificate verification error messages in libtls, peer
965 verification is now always enabled.
967 * Added OCSP stapling support to libtls and netcat.
969 * Added ocspcheck utility to validate a certificate against its OCSP
970 responder and save the reply for stapling
972 * Enhanced regression tests and error handling for libtls.
974 * Added explicit constant and non-constant time BN functions,
975 defaulting to constant time wherever possible.
977 * Moved many leaked implementation details in public structs behind
980 * Added ticket support to libtls.
982 * Added support for setting the supported EC curves via
983 SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
984 SSL{_CTX}_set1_curves{_list} names. This also changes the default
985 list of curves to be X25519, P-256 and P-384. All other curves must
988 * Added -groups option to openssl(1) s_client for specifying the curves
989 to be used in a colon-separated list.
991 * Merged client/server version negotiation code paths into one,
992 reducing much duplicate code.
994 * Removed error function codes from libssl and libcrypto.
996 * Fixed an issue where a truncated packet could crash via an OOB read.
998 * Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
999 client-initiated renegotiation. This is the default for libtls
1002 * Avoid a side-channel cache-timing attack that can leak the ECDSA
1003 private keys when signing. This is due to BN_mod_inverse() being
1004 used without the constant time flag being set. Reported by Cesar
1005 Pereida Garcia and Billy Brumley (Tampere University of Technology).
1006 The fix was developed by Cesar Pereida Garcia.
1008 * iOS and MacOS compatibility updates from Simone Basso and Jacob
1012 2.5.0 - New APIs, bug fixes and improvements
1014 * libtls now supports ALPN and SNI
1016 * libtls adds a new callback interface for integrating custom IO
1017 functions. Thanks to Tobias Pape.
1019 * libtls now handles 4 cipher suite groups:
1020 "secure" (TLSv1.2+AEAD+PFS)
1021 "compat" (HIGH:!aNULL)
1022 "legacy" (HIGH:MEDIUM:!aNULL)
1023 "insecure" (ALL:!aNULL:!eNULL)
1025 This allows for flexibility and finer grained control, rather than
1026 having two extremes (an issue raised by Marko Kreen some time ago).
1028 * Tightened error handling for tls_config_set_ciphers().
1030 * libtls now always loads CA, key and certificate files at the time the
1031 configuration function is called. This simplifies code and results in
1032 a single memory based code path being used to provide data to libssl.
1034 * Add support for OCSP intermediate certificates.
1036 * Added functions used by stunnel and exim from BoringSSL - this
1037 brings in X509_check_host, X509_check_email, X509_check_ip, and
1040 * Added initial support for iOS, thanks to Jacob Berkman.
1042 * Improved behavior of arc4random on Windows when using memory leak
1045 * Correctly handle an EOF that occurs prior to the TLS handshake
1046 completing. Reported by Vasily Kolobkov, based on a diff from Marko
1049 * Limit the support of the "backward compatible" ssl2 handshake to
1050 only be used if TLS 1.0 is enabled.
1052 * Fix incorrect results in certain cases on 64-bit systems when
1053 BN_mod_word() can return incorrect results. BN_mod_word() now can
1054 return an error condition. Thanks to Brian Smith.
1056 * Added constant-time updates to address CVE-2016-0702
1058 * Fixed undefined behavior in BN_GF2m_mod_arr()
1060 * Removed unused Cryptographic Message Support (CMS)
1062 * More conversions of long long idioms to time_t
1064 * Improved compatibility by avoiding printing NULL strings with
1067 * Reverted change that cleans up the EVP cipher context in
1068 EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
1071 * Avoid unbounded memory growth in libssl, which can be triggered by a
1072 TLS client repeatedly renegotiating and sending OCSP Status Request
1075 * Avoid falling back to a weak digest for (EC)DH when using SNI with
1078 2.4.2 - Bug fixes and improvements
1080 * Fixed loading default certificate locations with openssl s_client.
1082 * Ensured OCSP only uses and compares GENERALIZEDTIME values as per
1083 RFC6960. Also added fixes for OCSP to work with intermediate
1084 certificates provided in responses.
1086 * Improved behavior of arc4random on Windows to not appear to leak
1087 memory in debug tools, reduced privileges of allocated memory.
1089 * Fixed incorrect results from BN_mod_word() when the modulus is too
1090 large, thanks to Brian Smith from BoringSSL.
1092 * Correctly handle an EOF prior to completing the TLS handshake in
1095 * Improved libtls ceritificate loading and cipher string validation.
1097 * Updated libtls cipher group suites into four categories:
1098 "secure" (TLSv1.2+AEAD+PFS)
1099 "compat" (HIGH:!aNULL)
1100 "legacy" (HIGH:MEDIUM:!aNULL)
1101 "insecure" (ALL:!aNULL:!eNULL)
1102 This allows for flexibility and finer grained control, rather than
1103 having two extremes.
1105 * Limited support for 'backward compatible' SSLv2 handshake packets to
1106 when TLS 1.0 is enabled, providing more restricted compatibility
1107 with TLS 1.0 clients.
1109 * openssl(1) and other documentation improvements.
1111 * Removed flags for disabling constant-time operations.
1112 This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
1113 DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
1114 all of these operations unconditionally constant-time.
1117 2.4.1 - Security fix
1119 * Correct a problem that prevents the DSA signing algorithm from
1120 running in constant time even if the flag BN_FLG_CONSTTIME is set.
1121 This issue was reported by Cesar Pereida (Aalto University), Billy
1122 Brumley (Tampere University of Technology), and Yuval Yarom (The
1123 University of Adelaide and NICTA). The fix was developed by Cesar
1126 2.4.0 - Build improvements, new features
1128 * Many improvements to the CMake build infrastructure, including
1129 Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
1130 Inoguchi for this work.
1132 * Added missing error handling around bn_wexpand() calls.
1134 * Added explicit_bzero calls for freed ASN.1 objects.
1136 * Fixed X509_*set_object functions to return 0 on allocation failure.
1138 * Implemented the IETF ChaCha20-Poly1305 cipher suites.
1140 * Changed default EVP_aead_chacha20_poly1305() implementation to the
1141 IETF version, which is now the default.
1143 * Fixed password prompts from openssl(1) to properly handle ^C.
1145 * Reworked error handling in libtls so that configuration errors are
1148 * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
1150 * Manpage fixes and updates
1152 2.3.5 - Reliability fix
1154 * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
1156 2.3.4 - Security Update
1158 * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
1163 2.3.3 - OpenBSD 5.9 release branch tagged
1165 * Reworked build scripts to better sync with OpenNTPD-portable
1167 * Fixed broken manpage links
1169 * Fixed an nginx compatibility issue by adding an 'install_sw' make alias
1171 * Fixed HP-UX builds
1173 * Changed the default configuration directory to c:\LibreSSL\ssl on Windows
1176 * cert.pem has been reorganized and synced with Mozilla's certificate store
1178 2.3.2 - Compatibility and Reliability fixes
1180 * Changed format of LIBRESSL_VERSION_NUMBER to match that of
1181 OPENSSL_VERSION_NUMBER, see:
1182 https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
1184 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
1185 construction introduced in RFC 7539, which is different than that
1186 already used in TLS with EVP_aead_chacha20_poly1305()
1188 * Avoid a potential undefined C99+ behavior due to shift overflow in
1189 AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
1191 * More man pages converted from pod to mdoc format
1193 * Added COMODO RSA Certification Authority and QuoVadis
1194 root certificates to cert.pem
1196 * Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
1197 Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
1198 certificate from cert.pem
1200 * Added support for building nc(1) on Solaris
1202 * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
1204 * Improved console handling with openssl(1) on Windows
1206 * Ensure the network stack is enabled on Windows when running
1209 * Fixed incorrect TLS certificate loading by nc(1)
1211 * Added support for Solaris 11.3's getentropy(2) system call
1213 * Enabled support for using NetBSD 7.0's arc4random(3) implementation
1215 * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
1217 * Fixes from OpenSSL 1.0.1q
1218 - CVE-2015-3194 - NULL pointer dereference in client side certificate
1220 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
1222 * The following OpenSSL CVEs did not apply to LibreSSL
1223 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
1225 - CVE-2015-3196 - Double free race condition of the identify hint
1228 See https://marc.info/?l=openbsd-announce&m=144925068504102
1230 2.3.1 - ASN.1 and time handling cleanups
1232 * ASN.1 cleanups and RFC5280 compliance fixes.
1234 * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
1235 now checks if the host OS supports 64-bit time_t.
1237 * Fixed a leak in SSL_new in the error path.
1239 * Support always extracting the peer cipher and version with libtls.
1241 * Added ability to check certificate validity times with libtls,
1242 tls_peer_cert_notbefore and tls_peer_cert_notafter.
1244 * Changed tls_connect_servername to use the first address that resolves with
1247 * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
1248 initial commit in 2004).
1250 * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
1253 * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
1254 sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
1256 * Reject too small bits value in BN_generate_prime_ex(), so that it does
1257 not risk becoming negative in probable_prime_dh_safe(), reported by
1260 * Enable nc(1) builds on more platforms.
1262 2.3.0 - SSLv3 removed, libtls API changes, portability improvements
1264 * SSLv3 is now permanently removed from the tree.
1266 * The libtls API is changed from the 2.2.x series.
1268 The read/write functions work correctly with external event
1269 libraries. See the tls_init man page for examples of using libtls
1270 correctly in asynchronous mode.
1272 Client-side verification is now supported, with the client supplying
1273 the certificate to the server.
1275 Also, when using tls_connect_fds, tls_connect_socket or
1276 tls_accept_fds, libtls no longer implicitly closes the passed in
1277 sockets. The caller is responsible for closing them in this case.
1279 * When loading a DSA key from an raw (without DH parameters) ASN.1
1280 serialization, perform some consistency checks on its `p' and `q'
1281 values, and return an error if the checks failed.
1283 Thanks for Georgi Guninski (guninski at guninski dot com) for
1284 mentioning the possibility of a weak (non prime) q value and
1285 providing a test case.
1288 https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
1289 for a longer discussion.
1291 * Fixed a bug in ECDH_compute_key that can lead to silent truncation
1292 of the result key without error. A coding error could cause software
1293 to use much shorter keys than intended.
1295 * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
1298 * The engine command and parameters are removed from the openssl(1).
1299 Previous releases removed dynamic and builtin engine support
1302 * SHA-0 is removed, which was withdrawn shortly after publication 20
1305 * Added Certplus CA root certificate to the default cert.pem file.
1307 * New interface OPENSSL_cpu_caps is provided that does not allow
1308 software to inadvertently modify cpu capability flags.
1309 OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
1311 * The out_len argument of AEAD changed from ssize_t to size_t.
1313 * Deduplicated DTLS code, sharing bugfixes and improvements with
1316 * Converted 'nc' to use libtls for client and server operations; it is
1317 included in the libressl-portable distribution as an example of how
1320 2.2.3 - Bug fixes, build enhancements
1322 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
1323 include TLS extensions, resulting in such handshakes being aborted.
1324 This release corrects the handling of such messages. Thanks to
1325 Ligushka from github for reporting the issue.
1327 * Added install target for cmake builds. Thanks to TheNietsnie from
1330 * Updated pkgconfig files to correctly report the release version
1331 number, not the individual library ABI version numbers. Thanks to
1332 Jan Engelhardt for reporting the issue.
1334 2.2.2 - More TLS parser rework, bug fixes, expanded portable build support
1336 * Switched 'openssl dhparam' default from 512 to 2048 bits
1338 * Reworked openssl(1) option handling
1340 * More CRYPTO ByteString (CBC) packet parsing conversions
1342 * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
1344 * Fixed dozens of Coverity issues including dead code, memory leaks,
1345 logic errors and more.
1347 * Ensure that openssl(1) restores terminal echo state after reading a
1350 * Incorporated fix for OpenSSL Issue #3683
1352 * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
1353 for each portable release.
1355 * Removed workarounds for TLS client padding bugs.
1357 * No longer disable ECDHE-ECDSA on OS X
1359 * Removed SSLv3 support from openssl(1)
1361 * Removed IE 6 SSLv3 workarounds.
1363 * Modified tls_write in libtls to allow partial writes, clarified with
1364 examples in the documentation.
1366 * Removed RSAX engine
1368 * Tested SSLv3 removal with the OpenBSD ports tree and found several
1369 applications that were not ready to build without SSLv3 yet. For
1370 now, building a program that intentionally uses SSLv3 will result in
1373 * Added TLS_method, TLS_client_method and TLS_server_method as a
1374 replacement for the SSLv23_*method calls.
1376 * Added initial cmake build support, including support for building with
1377 Visual Studio, currently tested with Visual Studio 2013 Community
1380 * --with-enginesdir is removed as a configuration parameter
1382 * Default cert.pem, openssl.cnf, and x509v3.cnf files are now
1383 installed under $sysconfdir/ssl or the directory specified by
1384 --with-openssldir. Previous versions of LibreSSL left these empty.
1386 2.2.1 - Build fixes, feature added, features removed
1388 * Assorted build fixes for musl, HP-UX, Mingw, Solaris.
1390 * Initial support for Windows Embedded 2009, Server 2003, XP
1392 * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
1394 * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
1396 * Removed Dynamic Engine support
1398 * Removed unused and obsolete MDC-2DES cipher
1400 * Removed workarounds for obsolete SSL implementations
1402 2.2.0 - Build cleanups and new OS support, Security Updates
1404 * AIX Support - thanks to Michael Felt
1406 * Cygwin Support - thanks to Corinna Vinschen
1408 * Refactored build macros, support packaging libtls independently.
1409 There are more pieces required to support building and using OpenSSL
1410 with libtls, but this is an initial start at providing an
1411 independent package for people to start hacking on.
1413 * Removal of OPENSSL_issetugid and all library getenv calls.
1414 Applications can and should no longer rely on environment variables
1415 for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
1416 supported with the openssl(1) command.
1418 * libtls API and documentation additions
1420 * Various bug fixes and simplifications to libssl and libcrypto
1422 * Fixes for the following issues are integrated into LibreSSL 2.2.0:
1423 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
1424 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
1425 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
1427 * The following CVEs did not apply to LibreSSL or were fixed in
1429 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
1430 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
1431 - CVE-2014-8176 - Invalid free in DTLS
1433 * Fixes for the following CVEs are still in review for LibreSSL
1434 - CVE-2015-1791 - Race condition handling NewSessionTicket
1436 2.1.6 - Security update
1438 * Fixes for the following issues are integrated into LibreSSL 2.1.6:
1439 - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
1440 - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
1441 - CVE-2015-0287 - ASN.1 structure reuse memory corruption
1442 - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
1443 - CVE-2015-0289 - PKCS7 NULL pointer dereferences
1445 * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
1446 is integrated for safety, but LibreSSL is not vulnerable.
1448 * Libtls is now built by default. The --enable-libtls
1449 configuration option is no longer required.
1450 The libtls API is now stable for the 2.1.x series.
1452 2.1.5 - Bug fixes and a security update
1453 * Fix incorrect comparison function in openssl(1) certhash command.
1454 Thanks to Christian Neukirchen / Void Linux.
1456 * Windows port improvements and bug fixes.
1457 - Removed a dependency on libgcc in 32-bit dynamic libraries.
1458 - Correct a hang in openssl(1) reading from stdin on an connection.
1459 - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
1460 any other network-related commands to function properly.
1462 * Reject all server DH keys smaller than 1024 bits.
1464 2.1.4 - Security and feature updates
1465 * Improvements to libtls:
1466 - a new API for loading CA chains directly from memory instead of a
1467 file, allowing verification with privilege separation in a chroot
1468 without direct access to CA certificate files.
1470 - Ciphers default to TLSv1.2 with AEAD and PFS.
1472 - Improved error handling and message generation
1474 - New APIs and improved documentation
1476 * Added X509_STORE_load_mem API for loading certificates from memory.
1477 This facilitates accessing certificates from a chrooted environment.
1479 * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
1480 using 'TLSv1.2+AEAD' as the cipher selection string.
1482 * Dead and disabled code removal including MD5, Netscape workarounds,
1483 non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
1485 * ASN1 macro maze expanded to aid reading and searching the code.
1487 * NULL pointer asserts removed in favor of letting the OS/signal
1490 * Refactored argument handling in openssl(1) for consistency and
1493 * New openssl(1) command 'certhash' replaces the c_rehash script.
1495 * Support for building with OPENSSL_NO_DEPRECATED
1497 * Server-side support for TLS_FALLBACK_SCSV for compatibility with
1498 various auditor and vulnerability scanners.
1500 * Dozens of issues found with the Coverity scanner fixed.
1504 - Fix a minor information leak that was introduced in t1_lib.c
1505 r1.71, whereby an additional 28 bytes of .rodata (or .data) is
1506 provided to the network. In most cases this is a non-issue since
1507 the memory content is already public. Issue found and reported by
1508 Felix Groebert of the Google Security Team.
1510 - Fixes for the following low-severity issues were integrated into
1511 LibreSSL from OpenSSL 1.0.1k:
1513 CVE-2015-0205 - DH client certificates accepted without
1515 CVE-2014-3570 - Bignum squaring may produce incorrect results
1516 CVE-2014-8275 - Certificate fingerprints can be modified
1517 CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
1518 Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
1520 The following CVEs were fixed in earlier LibreSSL releases:
1521 CVE-2015-0206 - Memory leak handling repeated DLTS records
1522 CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
1524 The following CVEs did not apply to LibreSSL:
1525 CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
1526 CVE-2014-3569 - no-ssl3 configuration sets method to NULL
1527 CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
1529 2.1.3 - Security update and OS support improvements
1530 * Fixed various memory leaks in DTLS, including fixes for
1533 * Added Application-Layer Protocol Negotiation (ALPN) support.
1535 * Removed GOST R 34.10-94 signature authentication.
1537 * Removed nonfunctional Netscape browser-hang workaround code.
1539 * Simplified and refactored SSL/DTLS handshake code.
1541 * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
1543 * Hide timing info about padding errors during handshakes.
1545 * Improved libtls support for non-blocking sockets, added randomized
1546 session ID contexts. Work is ongoing with this library - feedback
1547 and potential use-cases are welcome.
1549 * Support building Windows DLLs.
1550 Thanks to Jan Engelhard.
1552 * Packaged config wrapper for better compatibility with OpenSSL-based
1554 Thanks to @technion from github
1556 * Ensure the stack is marked non-executable for assembly sections.
1557 Thanks to Anthony G. Bastile.
1559 * Enable extra compiler hardening flags by default, where applicable.
1560 The default set of hardening features can vary by OS to OS, so
1561 feedback is welcome on this. To disable the default hardening flags,
1562 specify '--disable-hardening' during configure.
1563 Thanks to Jim Barlow
1565 * Initial HP-UX support, tested with HP-UX 11.31 ia64
1566 Thanks to Kinichiro Inoguchi
1568 * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
1569 Imported from OpenNTPD, thanks to @gitisihara from github
1571 2.1.2 - Many new features and improvements
1572 * Added reworked GOST cipher suite support
1573 thanks to Dmitry Eremin-Solenikov
1575 * Enabled Camellia ciphers due to improved patent situation
1577 * Use builtin arc4random implementation on OS X and FreeBSD
1578 this addresses some deficiencies in the native implementations of
1579 these operating systems, see commit logs for more information
1581 * Added initial Windows mingw-w64 support (32 and 64-bit)
1582 thanks to Song Dongsheng and others for code and feedback
1584 * Enabled assembly optimizations on x86_64 CPUs
1585 supports Linux, *BSD, Solaris and OS X operating systems
1586 thanks to Wouter Clarie for the initial implementation
1588 * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)
1590 * Improved build infrastructure, 'make distcheck' now passes
1591 this simplifies and speeds developer efficiency
1592 thanks to Dmitry Eremin-Solenikov and Wouter Clarie
1594 * Allow conditional building of the libtls library
1595 expect the API and ABI of the library to change
1598 * Fixes for more memory leaks, cleanups, etc.
1600 2.1.1 - Security update
1601 * Address POODLE attack by disabling SSLv3 by default
1603 * Fix Eliptical Curve cipher selection bug
1604 (https://github.com/libressl-portable/portable/issues/35)
1606 2.1.0 - First release from the OpenBSD 5.7 tree
1607 * Added support for automatic ephemeral EC keys
1609 * Fixes for many memory leaks and overflows in error handlers
1611 * The TLS padding extension (that works around bugs in F5 terminators) is
1614 * support for getrandom(2) on Linux 3.17
1616 * the NO_ASM macro is no longer being set, providing the first bits toward
1617 enabling other assembly offloads.
1619 2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
1622 * CVE-2014-3508 (partially vulnerable)he
1626 * Synced LibreSSL Portable with the release version of OpenBSD 5.6
1628 2.0.4 - Portability fixes, deleted unused SRP code
1630 2.0.3 - Portability fixes, improvements to fork detection
1632 2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork
1634 2.0.1 - Portability fixes:
1635 * Removed -Werror and and other non-portable compiler flags
1637 * Allow setting OPENSSLDIR and ENGINSDIR
1639 2.0.0 - First release from the OpenBSD 5.6 tree
1640 * Removal of many obsolete features and coding conventions from the OpenSSL