1 Because this project is maintained both in the OpenBSD tree using CVS and in
2 Git, it can be confusing following all of the changes.
4 Most of the libssl and libcrypto source code is is here in OpenBSD CVS:
6 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/
8 Some of the libcrypto and OS-compatibility files for entropy and random number
11 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/
13 A simplified TLS wrapper library is here:
15 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/
17 The LibreSSL Portable project copies these portions of the OpenBSD tree, along
18 with relevant portions of the C library, to a Git repository. This makes it
19 easier to follow all of the relevant changes to the upstream project in a
22 https://github.com/libressl-portable/openbsd
24 The portable bits of the project are largely maintained out-of-tree, and their
25 history is also available from Git.
27 https://github.com/libressl-portable/portable
29 LibreSSL Portable Release Notes:
31 2.4.2 - Bug fixes and improvements
33 * Fixed loading default certificate locations with openssl s_client.
35 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per
36 RFC6960. Also added fixes for OCSP to work with intermediate
37 certificates provided in responses.
39 * Improved behavior of arc4random on Windows to not appear to leak
40 memory in debug tools, reduced privileges of allocated memory.
42 * Fixed incorrect results from BN_mod_word() when the modulus is too
43 large, thanks to Brian Smith from BoringSSL.
45 * Correctly handle an EOF prior to completing the TLS handshake in
48 * Improved libtls ceritificate loading and cipher string validation.
50 * Updated libtls cipher group suites into four categories:
51 "secure" (TLSv1.2+AEAD+PFS)
52 "compat" (HIGH:!aNULL)
53 "legacy" (HIGH:MEDIUM:!aNULL)
54 "insecure" (ALL:!aNULL:!eNULL)
55 This allows for flexibility and finer grained control, rather than
58 * Limited support for 'backward compatible' SSLv2 handshake packets to
59 when TLS 1.0 is enabled, providing more restricted compatibility
62 * openssl(1) and other documentation improvements.
64 * Removed flags for disabling constant-time operations.
65 This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
66 DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
67 all of these operations unconditionally constant-time.
72 * Correct a problem that prevents the DSA signing algorithm from
73 running in constant time even if the flag BN_FLG_CONSTTIME is set.
74 This issue was reported by Cesar Pereida (Aalto University), Billy
75 Brumley (Tampere University of Technology), and Yuval Yarom (The
76 University of Adelaide and NICTA). The fix was developed by Cesar
79 2.4.0 - Build improvements, new features
81 * Many improvements to the CMake build infrastructure, including
82 Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
83 Inoguchi for this work.
85 * Added missing error handling around bn_wexpand() calls.
87 * Added explicit_bzero calls for freed ASN.1 objects.
89 * Fixed X509_*set_object functions to return 0 on allocation failure.
91 * Implemented the IETF ChaCha20-Poly1305 cipher suites.
93 * Changed default EVP_aead_chacha20_poly1305() implementation to the
94 IETF version, which is now the default.
96 * Fixed password prompts from openssl(1) to properly handle ^C.
98 * Reworked error handling in libtls so that configuration errors are
101 * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
103 * Manpage fixes and updates
105 2.3.5 - Reliability fix
107 * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
109 2.3.4 - Security Update
111 * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
116 2.3.3 - OpenBSD 5.9 release branch tagged
118 * Reworked build scripts to better sync with OpenNTPD-portable
120 * Fixed broken manpage links
122 * Fixed an nginx compatibility issue by adding an 'install_sw' make alias
126 * Changed the default configuration directory to c:\LibreSSL\ssl on Windows
129 * cert.pem has been reorganized and synced with Mozilla's certificate store
131 2.3.2 - Compatibility and Reliability fixes
133 * Changed format of LIBRESSL_VERSION_NUMBER to match that of
134 OPENSSL_VERSION_NUMBER, see:
135 https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
137 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
138 construction introduced in RFC 7539, which is different than that
139 already used in TLS with EVP_aead_chacha20_poly1305()
141 * Avoid a potential undefined C99+ behavior due to shift overflow in
142 AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
144 * More man pages converted from pod to mdoc format
146 * Added COMODO RSA Certification Authority and QuoVadis
147 root certificates to cert.pem
149 * Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
150 Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
151 certificate from cert.pem
153 * Added support for building nc(1) on Solaris
155 * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
157 * Improved console handling with openssl(1) on Windows
159 * Ensure the network stack is enabled on Windows when running
162 * Fixed incorrect TLS certificate loading by nc(1)
164 * Added support for Solaris 11.3's getentropy(2) system call
166 * Enabled support for using NetBSD 7.0's arc4random(3) implementation
168 * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
170 * Fixes from OpenSSL 1.0.1q
171 - CVE-2015-3194 - NULL pointer dereference in client side certificate
173 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
175 * The following OpenSSL CVEs did not apply to LibreSSL
176 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
178 - CVE-2015-3196 - Double free race condition of the identify hint
181 See https://marc.info/?l=openbsd-announce&m=144925068504102
183 2.3.1 - ASN.1 and time handling cleanups
185 * ASN.1 cleanups and RFC5280 compliance fixes.
187 * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
188 now checks if the host OS supports 64-bit time_t.
190 * Fixed a leak in SSL_new in the error path.
192 * Support always extracting the peer cipher and version with libtls.
194 * Added ability to check certificate validity times with libtls,
195 tls_peer_cert_notbefore and tls_peer_cert_notafter.
197 * Changed tls_connect_servername to use the first address that resolves with
200 * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
201 initial commit in 2004).
203 * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
206 * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
207 sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
209 * Reject too small bits value in BN_generate_prime_ex(), so that it does
210 not risk becoming negative in probable_prime_dh_safe(), reported by
213 * Enable nc(1) builds on more platforms.
215 2.3.0 - SSLv3 removed, libtls API changes, portability improvements
217 * SSLv3 is now permanently removed from the tree.
219 * The libtls API is changed from the 2.2.x series.
221 The read/write functions work correctly with external event
222 libraries. See the tls_init man page for examples of using libtls
223 correctly in asynchronous mode.
225 Client-side verification is now supported, with the client supplying
226 the certificate to the server.
228 Also, when using tls_connect_fds, tls_connect_socket or
229 tls_accept_fds, libtls no longer implicitly closes the passed in
230 sockets. The caller is responsible for closing them in this case.
232 * When loading a DSA key from an raw (without DH parameters) ASN.1
233 serialization, perform some consistency checks on its `p' and `q'
234 values, and return an error if the checks failed.
236 Thanks for Georgi Guninski (guninski at guninski dot com) for
237 mentioning the possibility of a weak (non prime) q value and
238 providing a test case.
241 https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
242 for a longer discussion.
244 * Fixed a bug in ECDH_compute_key that can lead to silent truncation
245 of the result key without error. A coding error could cause software
246 to use much shorter keys than intended.
248 * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
251 * The engine command and parameters are removed from the openssl(1).
252 Previous releases removed dynamic and builtin engine support
255 * SHA-0 is removed, which was withdrawn shortly after publication 20
258 * Added Certplus CA root certificate to the default cert.pem file.
260 * New interface OPENSSL_cpu_caps is provided that does not allow
261 software to inadvertently modify cpu capability flags.
262 OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
264 * The out_len argument of AEAD changed from ssize_t to size_t.
266 * Deduplicated DTLS code, sharing bugfixes and improvements with
269 * Converted 'nc' to use libtls for client and server operations; it is
270 included in the libressl-portable distribution as an example of how
273 2.2.3 - Bug fixes, build enhancements
275 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
276 include TLS extensions, resulting in such handshakes being aborted.
277 This release corrects the handling of such messages. Thanks to
278 Ligushka from github for reporting the issue.
280 * Added install target for cmake builds. Thanks to TheNietsnie from
283 * Updated pkgconfig files to correctly report the release version
284 number, not the individual library ABI version numbers. Thanks to
285 Jan Engelhardt for reporting the issue.
287 2.2.2 - More TLS parser rework, bug fixes, expanded portable build support
289 * Switched 'openssl dhparam' default from 512 to 2048 bits
291 * Reworked openssl(1) option handling
293 * More CRYPTO ByteString (CBC) packet parsing conversions
295 * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
297 * Fixed dozens of Coverity issues including dead code, memory leaks,
298 logic errors and more.
300 * Ensure that openssl(1) restores terminal echo state after reading a
303 * Incorporated fix for OpenSSL Issue #3683
305 * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
306 for each portable release.
308 * Removed workarounds for TLS client padding bugs.
310 * No longer disable ECDHE-ECDSA on OS X
312 * Removed SSLv3 support from openssl(1)
314 * Removed IE 6 SSLv3 workarounds.
316 * Modified tls_write in libtls to allow partial writes, clarified with
317 examples in the documentation.
319 * Removed RSAX engine
321 * Tested SSLv3 removal with the OpenBSD ports tree and found several
322 applications that were not ready to build without SSLv3 yet. For
323 now, building a program that intentionally uses SSLv3 will result in
326 * Added TLS_method, TLS_client_method and TLS_server_method as a
327 replacement for the SSLv23_*method calls.
329 * Added initial cmake build support, including support for building with
330 Visual Studio, currently tested with Visual Studio 2013 Community
333 * --with-enginesdir is removed as a configuration parameter
335 * Default cert.pem, openssl.cnf, and x509v3.cnf files are now
336 installed under $sysconfdir/ssl or the directory specified by
337 --with-openssldir. Previous versions of LibreSSL left these empty.
339 2.2.1 - Build fixes, feature added, features removed
341 * Assorted build fixes for musl, HP-UX, Mingw, Solaris.
343 * Initial support for Windows Embedded 2009, Server 2003, XP
345 * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
347 * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
349 * Removed Dynamic Engine support
351 * Removed unused and obsolete MDC-2DES cipher
353 * Removed workarounds for obsolete SSL implementations
355 2.2.0 - Build cleanups and new OS support, Security Updates
357 * AIX Support - thanks to Michael Felt
359 * Cygwin Support - thanks to Corinna Vinschen
361 * Refactored build macros, support packaging libtls independently.
362 There are more pieces required to support building and using OpenSSL
363 with libtls, but this is an initial start at providing an
364 independent package for people to start hacking on.
366 * Removal of OPENSSL_issetugid and all library getenv calls.
367 Applications can and should no longer rely on environment variables
368 for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
369 supported with the openssl(1) command.
371 * libtls API and documentation additions
373 * Various bug fixes and simplifications to libssl and libcrypto
375 * Fixes for the following issues are integrated into LibreSSL 2.2.0:
376 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
377 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
378 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
380 * The following CVEs did not apply to LibreSSL or were fixed in
382 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
383 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
384 - CVE-2014-8176 - Invalid free in DTLS
386 * Fixes for the following CVEs are still in review for LibreSSL
387 - CVE-2015-1791 - Race condition handling NewSessionTicket
389 2.1.6 - Security update
391 * Fixes for the following issues are integrated into LibreSSL 2.1.6:
392 - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
393 - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
394 - CVE-2015-0287 - ASN.1 structure reuse memory corruption
395 - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
396 - CVE-2015-0289 - PKCS7 NULL pointer dereferences
398 * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
399 is integrated for safety, but LibreSSL is not vulnerable.
401 * Libtls is now built by default. The --enable-libtls
402 configuration option is no longer required.
403 The libtls API is now stable for the 2.1.x series.
405 2.1.5 - Bug fixes and a security update
406 * Fix incorrect comparison function in openssl(1) certhash command.
407 Thanks to Christian Neukirchen / Void Linux.
409 * Windows port improvements and bug fixes.
410 - Removed a dependency on libgcc in 32-bit dynamic libraries.
411 - Correct a hang in openssl(1) reading from stdin on an connection.
412 - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
413 any other network-related commands to function properly.
415 * Reject all server DH keys smaller than 1024 bits.
417 2.1.4 - Security and feature updates
418 * Improvements to libtls:
419 - a new API for loading CA chains directly from memory instead of a
420 file, allowing verification with privilege separation in a chroot
421 without direct access to CA certificate files.
423 - Ciphers default to TLSv1.2 with AEAD and PFS.
425 - Improved error handling and message generation
427 - New APIs and improved documentation
429 * Added X509_STORE_load_mem API for loading certificates from memory.
430 This facilitates accessing certificates from a chrooted environment.
432 * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
433 using 'TLSv1.2+AEAD' as the cipher selection string.
435 * Dead and disabled code removal including MD5, Netscape workarounds,
436 non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
438 * ASN1 macro maze expanded to aid reading and searching the code.
440 * NULL pointer asserts removed in favor of letting the OS/signal
443 * Refactored argument handling in openssl(1) for consistency and
446 * New openssl(1) command 'certhash' replaces the c_rehash script.
448 * Support for building with OPENSSL_NO_DEPRECATED
450 * Server-side support for TLS_FALLBACK_SCSV for compatibility with
451 various auditor and vulnerability scanners.
453 * Dozens of issues found with the Coverity scanner fixed.
457 - Fix a minor information leak that was introduced in t1_lib.c
458 r1.71, whereby an additional 28 bytes of .rodata (or .data) is
459 provided to the network. In most cases this is a non-issue since
460 the memory content is already public. Issue found and reported by
461 Felix Groebert of the Google Security Team.
463 - Fixes for the following low-severity issues were integrated into
464 LibreSSL from OpenSSL 1.0.1k:
466 CVE-2015-0205 - DH client certificates accepted without
468 CVE-2014-3570 - Bignum squaring may produce incorrect results
469 CVE-2014-8275 - Certificate fingerprints can be modified
470 CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
471 Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
473 The following CVEs were fixed in earlier LibreSSL releases:
474 CVE-2015-0206 - Memory leak handling repeated DLTS records
475 CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
477 The following CVEs did not apply to LibreSSL:
478 CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
479 CVE-2014-3569 - no-ssl3 configuration sets method to NULL
480 CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
482 2.1.3 - Security update and OS support improvements
483 * Fixed various memory leaks in DTLS, including fixes for
486 * Added Application-Layer Protocol Negotiation (ALPN) support.
488 * Removed GOST R 34.10-94 signature authentication.
490 * Removed nonfunctional Netscape browser-hang workaround code.
492 * Simplfied and refactored SSL/DTLS handshake code.
494 * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
496 * Hide timing info about padding errors during handshakes.
498 * Improved libtls support for non-blocking sockets, added randomized
499 session ID contexts. Work is ongoing with this library - feedback
500 and potential use-cases are welcome.
502 * Support building Windows DLLs.
503 Thanks to Jan Engelhard.
505 * Packaged config wrapper for better compatibility with OpenSSL-based
507 Thanks to @technion from github
509 * Ensure the stack is marked non-executable for assembly sections.
510 Thanks to Anthony G. Bastile.
512 * Enable extra compiler hardening flags by default, where applicable.
513 The default set of hardening features can vary by OS to OS, so
514 feedback is welcome on this. To disable the default hardening flags,
515 specify '--disable-hardening' during configure.
518 * Initial HP-UX support, tested with HP-UX 11.31 ia64
519 Thanks to Kinichiro Inoguchi
521 * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
522 Imported from OpenNTPD, thanks to @gitisihara from github
524 2.1.2 - Many new features and improvements
525 * Added reworked GOST cipher suite support
526 thanks to Dmitry Eremin-Solenikov
528 * Enabled Camellia ciphers due to improved patent situation
530 * Use builtin arc4random implementation on OS X and FreeBSD
531 this addresses some deficiencies in the native implementations of
532 these operating systems, see commit logs for more information
534 * Added initial Windows mingw-w64 support (32 and 64-bit)
535 thanks to Song Dongsheng and others for code and feedback
537 * Enabled assembly optimizations on x86_64 CPUs
538 supports Linux, *BSD, Solaris and OS X operating systems
539 thanks to Wouter Clarie for the initial implementation
541 * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)
543 * Improved build infrastructure, 'make distcheck' now passes
544 this simplifies and speeds developer efficiency
545 thanks to Dmitry Eremin-Solenikov and Wouter Clarie
547 * Allow conditional building of the libtls library
548 expect the API and ABI of the library to change
551 * Fixes for more memory leaks, cleanups, etc.
553 2.1.1 - Security update
554 * Address POODLE attack by disabling SSLv3 by default
556 * Fix Eliptical Curve cipher selection bug
557 (https://github.com/libressl-portable/portable/issues/35)
559 2.1.0 - First release from the OpenBSD 5.7 tree
560 * Added support for automatic ephemeral EC keys
562 * Fixes for many memory leaks and overflows in error handlers
564 * The TLS padding extension (that works around bugs in F5 terminators) is
567 * support for getrandom(2) on Linux 3.17
569 * the NO_ASM macro is no longer being set, providing the first bits toward
570 enabling other assembly offloads.
572 2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
575 * CVE-2014-3508 (partially vulnerable)he
579 * Synced LibreSSL Portable with the release version of OpenBSD 5.6
581 2.0.4 - Portability fixes, deleted unused SRP code
583 2.0.3 - Portability fixes, improvements to fork detection
585 2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork
587 2.0.1 - Portability fixes:
588 * Removed -Werror and and other non-portable compiler flags
590 * Allow setting OPENSSLDIR and ENGINSDIR
592 2.0.0 - First release from the OpenBSD 5.6 tree
593 * Removal of many obsolete features and coding conventions from the OpenSSL