-
Notifications
You must be signed in to change notification settings - Fork 265
/
ChangeLog
3192 lines (2403 loc) · 125 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing following all of the changes.
Most of the libssl and libcrypto source code is is here in OpenBSD CVS:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/
Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/
A simplified TLS wrapper library is here:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/
The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:
https://github.com/libressl/openbsd
The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.
https://github.com/libressl/portable
LibreSSL Portable Release Notes:
4.1.0 - In development
* Portable changes
- Fixed CMake builds on FreeBSD.
- Fixed the --prefix option for cmake --install.
* Internal improvements
- Cleaned up the error implementation.
- Many bug fixes and simplifications in the EC ASN.1 code.
- Corrected DER encoding for EC keys and parameters.
- Polished EC_POINT_{oct2point,point2oct}() internals.
- Rewrote the wNAF code for fast ECDSA verification.
- Improved the code setting compressed coordinates for EC points.
- Reworked CPU capabilities detection for amd64 and aarch64.
- New SHA-1, SHA-256 and SHA-512 assembly implementations for amd64.
These make use of the SHA-NI instruction if it is available and
replace the perl-generated assembly optimized for museum pieces.
- Rewrote BN_bn2binpad() and its lebin siblings.
* Compatibility changes
- Added an OPENSSL_INIT_NO_ATEXIT flag for OPENSSL_init_crypto().
It has no effect since LibreSSL doesn't call atexit().
- Elliptic curve parameters are only accepted if they encode a
built-in curve.
- All elliptic curves over fields with less than 224 bits and a
few more were removed from the built-in curves. This includes
all WTLS curves and P-192.
* New features
- libtls has a new tls_peer_cert_common_name() API call to retrieve
the peer's common name without having to inspect the PEM.
- Imported ML-KEM 768 and 1024 from BoringSSL with matching API.
* Bug fixes
- Plugged a leak in eckey_compute_pubkey().
* Testing and proactive security
- Improved regress coverage of the EC code.
4.0.0 - Stable release
* Portable changes
- Added initial Emscripten support in CMake builds.
- Removed timegm() compatibility layer since all uses were replaced
with OPENSSL_timegm(). Cleaned up the corresponding test harness.
- The mips32 platform is no longer actively supported.
- Fixed Windows support for dates beyond 2038.
* Internal improvements
- Cleaned up parts of the conf directory. Simplified some logic,
fixed memory leaks.
- Simplified X509_check_trust() internals to be somewhat readable.
- Removed last internal uses of gmtime() and timegm() and replaced
them with BoringSSL's posix time conversion API.
- Removed unnecessary stat calls in by_dir.
- Split parsing and processing of TLS extensions to ensure that
extension callbacks are called in a predefined order.
- Cleaned up the MD4 and MD5 implementations.
- Assembly functions are no longer exposed in the public API, they
are all wrapped by C functions.
- Removed assembly implementations of legacy ciphers on legacy
architectures.
- Merged most multi-file implementations of ciphers into one or two
C files.
- Removed the cache of certificate validity. This was added for
performance reasons which no longer apply since BoringSSL's time
conversion API isn't slow. Also, a recently added error check led
to obscure, undesirable validation failures.
- Stopped calling OPENSSL_cpuid_setup() from the .init section on
amd64 and i386.
- Rewrote various BN conversion functions.
- Improved certification request internals.
- Removed unused DSA methods.
- Improved X.509v3 extension internals. Fixed various bugs and leaks
in X509V3_add1_i2d() and X509V3_get_d2i(). Their implementations
now vaguely resemble code.
- Rewrote BN_bn2mpi() using CBB.
- Made most error string tables const.
- Removed handling for SSLv2 client hello messages.
- Improvements in the openssl(1) speed app's signal handler.
- Cleaned up various X509v3_* extension API.
- Unified the X.509v3 extension methods.
- Cleaned up cipher handling in SSL_SESSION.
- Removed get_cipher from SSL_METHOD.
- Rewrote CRYPTO_EX_DATA from scratch. The only intentional change of
behavior is that there is now a hard limit on the number of indexes
that can be allocated.
- Removed bogus connect() call from netcat.
- Uses of atoi() and strtol() in libcrypto were replaced with
strtonum().
- Introduced crypto_arch.h which will contain the architecture
dependent code and defines rather than the public opensslconf.h.
- OPENSSL_cpu_caps() is now architecture independent.
- Reorganized the DES implementation to use fewer files and removed
optimizations for ancient processors and compilers.
* New features
- Added CRLfile option to the cms command of openssl(1) to specify
additional CRLs for use during verification.
* Documentation improvements
- Removed documentation of no longer existing API.
- Unified the description of the obsolete ENGINE parameter that
needs to remain in many functions and should always be NULL.
* Testing and proactive security
- Switched the remaining tests to new certs.
* Compatibility changes
- Protocol parsing in libtls was changed. The unsupported TLSv1.1
and TLSv1.0 protocols are ignored and no longer enable or disable
TLSv1.2 in surprising ways.
- The dangerous EVP_PKEY*_check(3) family of functions was removed.
The openssl(1) pkey and pkeyparam commands no longer support the
-check and -pubcheck flags.
- The one-step hashing functions, MD4(), MD5(), RIPEMD160(), SHA1(),
all SHA-2, and HMAC() no longer support returning a static buffer.
Callers must pass in a correctly sized buffer.
- Support for Whirlpool was removed. Applications still using this
should honor OPENSSL_NO_WHIRLPOOL.
- Removed workaround for F5 middle boxes.
- Removed the useless pem2.h, a public header that was added since
it was too hard to add a single prototype to one file.
- Removed conf_api.h and the public API therein.
- Removed ssl2.h, ssl23.h and ui_compat.h.
- Numerous conf and attribute functions were removed. Some unused
types were removed, others were made opaque.
- Removed the deprecated HMAC_Init() function.
- Removed OPENSSL_load_builtin_modules().
- Removed X509_REQ_{get,set}_extension_nids().
- X509_check_trust() and was removed, X509_VAL was made opaque.
- Only specified versions can be set on certs, CRLs and CSRs.
- Removed unused PEM_USER and PEM_CTX types from pem.h.
- Removed typdefs for COMP_CTX, COMP_METHOD, X509_CRL_METHOD, STORE,
STORE_METHOD, and SSL_AEAD_CTX.
- i2d_ASN1_OBJECT() now returns -1 on error like most other i2d_*.
- SPKAC support was removed from openssl(1).
- Added TLS1-PRF support to the EVP interface.
- Support for attributes in EVP_PKEYs was removed.
- The X509at_* API is no longer public.
- SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest()
were added to libssl.
- The completely broken UI_UTIL password API was removed.
- The OpenSSL pkcs12 command and PKCS12_create() no longer support
setting the Microsoft-specific Local Key Set and Cryptographic
Service Provider attributes.
* Bug fixes
- Made ASN1_TIME_set_string() and ASN1_TIME_set_string_X509() match
their documentation. They always set an RFC 5280 conformant time.
- Improved standards compliance for supported groups and key shares
extensions:
- Duplicate key shares are disallowed.
- Duplicate supported groups are disallowed.
- Key shares must be sent in the order of supported groups.
- Key shares will only be selected if they match the most
preferred supported group by client preference order.
- Fixed signed integer overflow in bnrand().
- Prevent negative zero from being created via BN_clear_bit() and
BN_mask_bits(). Avoids a one byte overread in BN_bn2mpi().
- Add guard to avoid contracting the number linear hash buckets
to zero, which could lead to a crash due to accessing a zero
sized allocation.
- Fixed i2d_ASN1_OBJECT() with an output buffer pointing to NULL.
- Implemented RSA key exchange in constant time. This is done by
decrypting with RSA_NO_PADDING and checking the padding in libssl
in constant time. This is possible because the pre-master secret
is of known length based on the size of the RSA key.
- Rewrote SSL_select_next_proto() using CBS, also fixing a buffer
overread that wasn't reachable when used as intended from an
ALPN callback.
- Avoid pushing a spurious error onto the error stack in
ssl_sigalg_select().
- Made fatal alerts fatal in QUIC.
3.9.2 - Stable release
* Bugfixes
- OpenBSD 7.5 errata 003. A missing bounds check could lead to a crash
due to dereferencing a zero-sized allocation.
3.9.1 - Stable release
* Portable changes
- Updated tests with expiring certificates
- CET-related build fixes for Windows and macOS targets
- update libtls linker script to include libssl and libcrypto again
3.9.0 - Development release
* Portable changes
- libcrypto no longer exports compat symbols in cmake builds.
- Most compatibility symbols are prefixed with libressl_ to avoid
symbol clashes in static links.
- Fixed various warnings on Windows.
- Removed assert pop-ups with Windows debug builds.
- Fixed crashes and hangs in Windows ARM64 builds.
- Improved control-flow enforcement (CET) support.
* Internal improvements
- Converted uses of OBJ_bsearch_() to standard bsearch().
- Greatly simplified by_file_ctrl().
- Simplified and cleaned up the OBJ_ API.
- Cleaned up the EVP_Cipher{Init,Update,Final}() implementations.
- Removed unused function pointers from X.509 stores and contexts.
- A lot of cleanup and reorganization in EVP.
- Removed all remaining ENGINE tentacles.
- Simplified internals of X509_TRUST handling.
- Made deletion from a lhash doall callback safe.
- Rewrote BIO_dump*(3) internals to be less bad.
* Documentation improvements
- ENGINE documentation was updated to reflect reality.
- Made EVP API documentation more accurate and less incoherent.
- Call out some shortcomings of the EC_KEY_set_* API explicitly.
* Testing and proactive security
- Bug fixes and simplifications in the Wycheproof tests.
* Compatibility changes
- Added ChaCha20 and chacha20 aliases for ChaCha.
- SSL_library_init() now has the same effect as OPENSSL_init_ssl().
- EVP_add_{cipher,digest}() were removed. From the OBJ_NAME API,
only OBJ_NAME_do_all*() remain. In particular, it is no longer
possible to add aliases for ciphers and digests.
- The thread unsafe global tables are no longer supported. It is no
longer possible to add aliases for ciphers and digests, custom ASN.1
strings table entries, ASN.1 methods, PKEY methods, digest methods,
CRL methods, purpose and trust identifiers, or X.509 extensions.
- Removed the _cb() and _fp() versions of BIO_dump{,_indent}().
- BIO_set() was removed.
- BIO_{sn,v,vsn}printf() were removed.
- Turn the long dysfunctional openssl(1) s_client -pause into a noop.
- openssl(1) x509 now supports -new -force_pubkey, -multivalue-rdn,
-set_issuer, -set_subject, and -utf8.
- Support ECDSA with SHA-3 signature algorithms.
- Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
- GOST and STREEBOG support was removed.
- CRYPTO_THREADID, _LHASH, _STACK, X509_PURPOSE are now opaque,
X509_CERT_AUX and X509_TRUST were removed from the public API.
- ASN1_STRING_TABLE_get() and X509_PURPOSE_get0*() now return const
pointers.
- EVP_{CIPHER,MD}_CTX_init()'s signatures and semantics now match
OpenSSL's behavior.
- sk_find_ex() and OBJ_bsearch_() were removed.
- CRYPTO_malloc() was fixed to use size_t argument. CRYPTO_malloc()
and CRYPTO_free() now accept file and line arguments.
- A lot of decrepit CRYPTO memory API was removed.
* Bug fixes
- Fixed aliasing issues in BN_mod_exp_simple() and BN_mod_exp_recp().
- Fixed numerous misuses of X509_ALGOR_set0() resulting in leaks and
potentially incorrect encodings.
- Fixed potential double free in X509v3_asid_add_id_or_range().
- Stopped using ASN1_time_parse() outside of libcrypto.
- Prepared OPENSSL_gmtime() and OPENSSL_timegm() as public API
wrappers of internal functions compatible with BoringSSL API.
- Removed print_bin() to avoid overwriting the stack with 5 bytes
of ' ' when ECPK parameters are printed with large indentation.
- Avoid a NULL dereference after memory allocation failure during TLS
version downgrade.
- Fixed various bugs in CMAC internals.
- Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
- Fixed various NULL dereferences in PKCS #12 code due to mishandling
of OPTIONAL content in PKCS #7 ContentInfo.
- Aligned SSL_shutdown() behavior in TLSv1.3 with the legacy stack.
- Fixed the new X.509 verifier to find trust anchors in the trusted
stack.
- Made in-place decryption work for EVP_chacha20_poly1305().
3.8.4 - Stable release
* Portable changes
- Updated tests with expiring certificates
- CET-related build fixes for Windows and macOS targets
- update libtls linker script to include libssl and libcrypto again
3.8.3 - Stable release
* Portable changes
- Removed assert pop-ups with Windows debug builds.
- Fixed crashes and hangs in Windows ARM64 builds.
- Improved control-flow enforcement (CET) support.
3.8.2 - Stable release
* Portable changes
- Fixed processor detection for CMake targets.
Thanks to @jiegec from github.
- Enabled building oscpcheck with MSVC.
Thanks to @FtZPetruska from github.
- Improve CMake package detection and installation.
Thanks to @mark-groundctl from github.
- Fixed assembly optimizations on x64 Windows targets.
- Allow disabling warnings about WINCRYPT overrides.
- Use system arc4random on FreeBSD 12 and newer.
* Documentation improvements
- Documented the RFC 3779 API.
* Compatibility changes
- Restrict the RFC 3779 code to IPv4 and IPv6. It was not written
to be able to deal with anything else.
- Fixed EVP_CIPHER_CTX_iv_length() to return what was set with
EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
* Bug fixes
- Fixed EVP_PKEY_get{0,1}_RSA for RSA-PSS.
- Plug a potential memory leak in ASN1_TIME_normalize().
- Avoid memory leak in EVP_CipherInit().
- Redirect EVP_PKEY_get1_* through their get0 siblings.
- Fixed a use of uninitialized in i2r_IPAddrBlocks().
- Rewrote CMS_SignerInfo_{sign,verify}().
- Further cleanup and refactoring in the EC code.
- Allow IP addresses to be specified in a URI.
- Fixed a copy-paste error in ASN1_TIME_compare() that could lead
to two UTCTimes or two GeneralizedTimes incorrectly being compared
as equal.
3.8.1 - Development release
* Portable changes
- Applications bundled as part of the LibreSSL package internally,
nc(1) and openssl(1), now are linked statically if static libraries
are built.
- Internal compatibility function symbols are no longer exported from
libcrypto. Instead, the libcompat library is linked to libcrypto,
libssl, and libtls separately. This increases size a little, but
ensures that the libraries are not exporting symbols to programs
unintentionally.
- Selective removal of CET implementation on platforms where it is
not supported (macOS).
- Integrated four more tests.
- Added Windows ARM64 architecture to tested platforms.
- Removed Solaris 10 support, fixed Solaris 11.
- libtls no longer links statically to libcrypto / libssl unless
'--enable-libtls-only' is specified at configure time.
- Improved Windows compatibility library, namely handling of files vs
sockets, correcting an exception when operating on a closed socket.
- CMake builds no longer hardcode '-O2' into the compiler flags, instead
using flags from the CMake build type instead.
- Set the CMake default build type to 'Release'. This can be overridden
during configuration.
- Fixed broken ASM support with MinGW builds.
* Internal improvements
- Fixed alignment handling in SHA-512.
- Moved the verified_chain to the correct internal struct.
- Improved checks for commonName in libtls.
- Fixed error check for X509_get_ext_d2i() failure in libtls.
- Improved BIGNUM internals and performance.
- Significantly improved Montgomery multiplication performance.
- Initial cleanup passes for SHA-256 internals.
- Converted more libcrypto internals API using CBB and CBS.
- Removed code guarded by #ifdef ZLIB.
- Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with
Ed25519 and fixed a few bugs in there.
- Fixed various issues with EVP_PKEY_CTX_{new,dup}().
- Improved X.509 certificate version checks.
- Cleaned up handling of elliptic curve cofactors.
- Made BN_num_bits() independent of bn->top.
- Rewrote and simplified bn_sqr().
- Removed EC_GROUP precomp machinery.
- Ensure no X.509v3 extensions appear more than once in certificates.
- Cleaned up various ECDH, ECDSA and EC internals.
- Replaced ASN1_bn_print with a cleaner internal implementation.
- Simplified ASN1_item_sign_ctx().
- Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
- Various improvements in the 'simple' EC code.
- Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
- Reduced the dependency of hash implementations on many layers of
macros. This results in significant speedups since modern compilers
are now less confused.
- Significantly simplified the BN_BLINDING internals used in RSA.
* New features
* Compatibility changes
- X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain
valid UTF-8 without embedded NUL.
- Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
- Removed support for ECDH_METHOD and ECDSA_METHOD.
- BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than
32 kbits for primality. This mitigates various DoS vectors.
- Comp was removed.
- Dynamic loading of conf modules is no longer supported.
- DSO was removed and OPENSSL_NO_DSO is defined.
- ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
of this, some stub functions are provided to avoid patching some
applications that do not honor OPENSSL_NO_ENGINE.
- It is no longer possible to make the library use your own error
stack or ex_data implementation.
* Bug fixes
- Fixed aliasing issue in BN_mod_inverse().
- Made CRYPTO_get_ex_new_index() not return 0 to allow applications
to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
each other.
- Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
- Plugged leaks in BIO_chain_dup().
- Fixed numerous leaks and other minor bugs in RSA, DH, DSA and EC
ASN.1 methods. Unified the coding style.
- On socket errors in the poll loop, netcat could issue system calls
on invalidated file descriptors.
* Documentation improvements
- Made it very explicit that the verify callback should not be used.
- Called out that the CRL lastUpdate is standardized as thisUpdate.
* Testing and Proactive Security
- As always, new test coverage is added as bugs are fixed and subsystems
are cleaned up.
* Security fixes
- Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
be selected for use.
3.8.0 - Development release
* Portable changes
- Extended the endian.h compat header with hto* and *toh macros.
- Adapted more tests to the portable framework.
- Internal tools are now statically linked.
* Internal improvements
- Improved sieve of Eratosthenes script used for generating a table
of small primes.
- Started cleaning up and rewriting SHA internals.
- Replace internal use of BN_copy() with bn_copy() for consistency.
- Rewrote and improved BN_exp() and BN_copy().
- Add branch target information (BTI) support to arm64 assembly.
- Replaced BN_mod_sqrt() with a new implementation.
- Removed incomplete and dangerous BN_RECURSION code.
- Added endbr64 instructions to amd64 assembly.
- Imported RFC 5280 policy checking code from BoringSSL and used it
to replace the old exponential time code.
- Converted more of libcrypto to use CBB/CBS.
- Cleaned up and simplified the code dealing with builtin curves.
* New features
- Added support for truncated SHA-2 and for SHA-3.
- The BPSW primality test performs additional Miller-Rabin rounds
with random bases to reduce the likelihood of composites passing.
- Allow testing of ciphers and digests using badly aligned buffers
in openssl speed.
- Added a workaround for a poorly thought-out change in OpenSSL 3 that
broke privilege separation support in libtls.
* Compatibility changes
- Support for GF2m was removed: BIGNUM no longer supports binary extension
field arithmetic and all binary elliptic builtin curves were removed.
- Removed dangerous, "fast" NIST prime and elliptic curve implementations.
In particular, EC_GFp_nist_method() is no longer available.
- Removed most public symbols that were deprecated in OpenSSL 0.9.8.
- Removed the public X9.31 API (RSA_X931_PADDING is still available).
- Removed Cipher Text Stealing mode.
- Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the
openssl(1) nseq command.
- Dropped proxy certificate (RFC 3820) support.
- The POLICY_TREE and its related structures and API were removed.
- The explicitText user notice uses UTF8String instead of VisibleString
to reduce the risk of emitting certificates with invalid DER-encoding.
- Initial fixes for RSA-PSS support to make the TLSv1.3 stack more
compliant with RFC 8446.
* Bug fixes
- Correctly handle negative input to various BIGNUM functions.
- Ensure ERR_load_ERR_strings() does not set errno unexpectedly.
- Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
- Fixed detection of extended operations (XOP) on AMD hardware.
- Ensure Montgomery exponentiation is used for the initial RSA blinding.
- Policy is always checked in X509 validation. Critical policy extensions
are no longer silently ignored.
- Fixed error handling in tls_check_common_name().
- Add missing pointer invalidation in SSL_free().
- Fixed X509err() and X509V3err() and their internal versions.
- Ensure that OBJ_obj2txt() always returns a C string again.
- In X509_VERIFY_PARAM_inherit() copy hostflags independently of the
host list.
* Documentation improvements
- Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3),
BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3).
- Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally
undocumented.
* Testing and Proactive Security
- Significantly improved test coverage of BN_mod_sqrt() and GCD.
- As always, new test coverage is added as bugs are fixed and subsystems
are cleaned up.
3.7.3 - Bug and reliability fixes
* Bug fix
- Hostflags in the verify parameters would not propagate from an
SSL_CTX to newly created SSL.
* Reliability fix
- A double free or use after free could occur after SSL_clear(3).
3.7.2 - Stable release
* Portable changes
- Moved official Github project to https://github.com/libressl/.
- Build support for Apple Silicon.
- Installed opensslconf.h is now architecture-specific.
- Removed internal defines from opensslconf.h.
- Support reproducible builds on tagged commits in main branch.
3.7.1 - Development release
* Internal improvements
- Initial overhaul of the BIGNUM code:
- Added a new framework that allows architecture-dependent
replacement implementations for bignum primitives.
- Imported various s2n-bignum's constant time assembly primitives
and switched amd64 to them.
- Lots of cleanup, simplification and bug fixes.
- Changed Perl assembly generators to move constants into .rodata,
allowing code to run with execute-only permissions.
- Capped the number of iterations in DSA and ECDSA signing (avoiding
infinite loops), added additional sanity checks to DSA.
- ASN.1 parsing improvements.
- Made UI_destroy_method() NULL safe.
- Various improvements to nc(1).
- Always clear EC groups and points on free.
- Cleanup and improvements in EC code.
- Various openssl(1) improvements.
* Bug fixes
- Fixed a memory leak, a double free and various other issues in
BIO_new_NDEF().
- Fixed various crashes in the openssl(1) testing utility.
- Do not check policies by default in the new X.509 verifier.
- Added missing error checking in PKCS7.
- Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
* New features
- Added UI_null()
- Added X509_STORE_*check_issued()
- Added X509_CRL_get0_tbs_sigalg() and X509_get0_uids() accessors.
- Added EVP_CIPHER_meth_*() setter API.
* Documentation improvements
- Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
- Document BIO_number_read(3), BIO_number_written(3),
BIO_set_retry_read(3), BIO_set_retry_write(3),
BIO_set_retry_special(3), BIO_clear_retry_flags(3),
BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3),
BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3).
BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3),
BIO_callback_fn(3), and the BIO_FLAGS_* constants
- Correct the prototypes of BIO_get_conn_ip(3) and BIO_get_conn_int_port(3).
- Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
- Document EVP_PKEY_new_raw_private_key(3),
EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and
EVP_PKEY_get_raw_public_key(3).
- Document ASN1_buf_print(3).
- Document DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_{r,s}() and RSA_get0_*.
- Merged documentation of UI_null() from OpenSSL 1.1
- Various spelling and other documentation improvements.
* Testing and Proactive Security
- As always, new test coverage is added as bugs are fixed and subsystems
are cleaned up.
- New Wycheproof tests added.
- OpenSSL 3.0 Interop tests added.
- Many old tests rewritten, cleaned up and extended.
* Security fixes
- A malicious certificate revocation list or timestamp response token
would allow an attacker to read arbitrary memory.
3.7.0 - Development release
* Internal improvements
- Remove dependency on system timegm() and gmtime() by replacing
traditional Julian date conversion with POSIX epoch-seconds date
conversion from BoringSSL.
- Clean old and unused BN code dealing with primes.
- Start rewriting name constraints code using CBS.
- Remove support for the HMAC PRIVATE KEY.
- Rework DSA signing and verifying internals.
- First few passes on cleaning up the BN code.
- Internal headers coming from OpenSSL are all called *_local.h now.
- Rewrite TLSv1.2 key exporter.
- Cleaned up and refactored various aspects of the legacy TLS stack.
* Compatibility changes
- BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
various corner cases. More work is needed here.
* Bug fixes
- Add EVP_chacha20_poly1305() to the list of all ciphers.
- Fix potential leaks of EVP_PKEY in various printing functions
- Fix potential leak in OBJ_NAME_add().
- Avoid signed overflow in i2c_ASN1_BIT_STRING().
- Clean up EVP_PKEY_ASN1_METHOD related tables and code.
- Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
- Fix segfaults in BN_{dec,hex}2bn().
- Fix NULL dereference in x509_constraints_uri_host() reachable only
in the process of generating certificates.
- Fixed a variety of memory corruption issues in BIO chains coming
from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
- Avoid potential divide by zero in BIO_dump_indent_cb()
* Documentation improvements
- Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
- The BN documentation is now considered to be complete.
* Testing and Proactive Security
- As always, new test coverage is added as bugs are fixed and
subsystems are cleaned up.
- Many old tests rewritten, cleaned up and extended.
* New features
- Added Ed25519 support both as a primitive and via OpenSSL's EVP
interfaces.
- X25519 is now also supported via EVP.
- The OpenSSL 1.1 raw public and private key API is available with
support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
Poly1305 is not currently supported via this interface.
3.6.3 - Bug and reliability fixes
* Bug fix
- Hostflags in the verify parameters would not propagate from an
SSL_CTX to newly created SSL.
* Reliability fix
- A double free or use after free could occur after SSL_clear(3).
3.6.2 - Security release
* Security fix
- A malicious certificate revocation list or timestamp response token
would allow an attacker to read arbitrary memory.
3.6.1 - Stable release
* Bug fixes
- Custom verification callbacks could cause the X.509 verifier to
fail to store errors resulting from leaf certificate verification.
Reported by Ilya Shipitsin.
- Unbreak ASN.1 indefinite length encoding.
Reported by Niklas Hallqvist.
3.6.0 - Development release
* Internal improvements
- Avoid expensive RFC 3779 checks during cert verification.
- The templated ASN.1 decoder has been cleaned up, refactored,
modernized with parts rewritten using CBB and CBS.
- The ASN.1 time parser has been rewritten.
- Rewrite and fix ASN1_STRING_to_UTF8().
- Use asn1_abs_set_unused_bits() rather than inlining it.
- Simplify ec_asn1_group2curve().
- First pass at a clean up of ASN1_item_sign_ctx()
- ssl_txt.c was cleaned up.
- Internal function arguments and struct member have been changed
to size_t.
- Lots of missing error checks of EVP API were added.
- Clean up and clarify BN_kronecker().
- Simplify ASN1_INTEGER_cmp()
- Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse
the ASN1_INTEGER functions for ASN1_ENUMERATED.
- Use ASN1_INTEGER to parse and build {Z,}LONG_it
- Refactored and cleaned up group (elliptic curve) handling in
t1_lib.c.
- Simplify certificate list handling code in the legacy server.
- Make CBB_finish() fail if *out_data is not NULL.
- Remove tls_buffer_set_data() and remove/revise callers.
- Rewrite SSL{_CTX,}_set_alpn_protos() using CBS.
- Simplify tlsext_supported_groups_server_parse().
- Remove redundant length checks in tlsext parse functions.
- Simplify tls13_server_encrypted_extensions_recv().
- Add read and write support to tls_buffer.
- Convert TLS transcript from BUF_MEM to tls_buffer.
- Clear key on exit in PKCS12_gen_mac().
- Minor fixes in PKCS12_parse().
- Provide and use a primitive clear function for BIGNUM_it.
- Use ASN1_INTEGER to encode/decode BIGNUM_it.
- Add stack frames to AES-NI x86_64 assembly.
- Use named initialisers for BIGNUMs.
- Tidy up some of BN_nist_mod_*.
- Expand BLOCK_CIPHER_* and related macros.
- Avoid shadowing the cbs function parameter in
tlsext_alpn_server_parse()
- Deduplicate peer certificate chain processing code.
- Make it possible to signal an error from an i2c_* function.
- Rewrite i2c_ASN1_INTEGER() using CBB/CBS.
- Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20().
- Remove bogus length checks from EVP_aead_chacha20_poly1305().
- Reworked DSA_size() and ECDSA_size().
- Stop using CBIGNUM_it internal to libcrypto.
- Provide c2i_ASN1_ENUMERATED_cbs() and call it from
asn1_c2i_primitive().
- Ensure ASN.1 types are appropriately encoded.
- Avoid recycling ASN1_STRINGs when decoding ASN.1.
- Tidy up asn1_c2i_primitive() slightly.
- Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR,
BLOCK_CIPHER and the looney M_do_cipher macros.
- Use correct length for EVP CFB mode ciphers.
- Provide a version of ssl_msg_callback() that takes a CBS.
- Use CBS to parse TLS alerts in the legacy stack.
- Increment the input and output position for EVP AES CFB1.
- Ensure there is no trailing data for a CCS received by the
TLSv1.3 stack.
- Use CBS when procesing a CCS message in the legacy stack.
- Be stricter with middlebox compatibility mode in the TLSv1.3
server.
* Compatibility changes
- The ASN.1 time parser has been refactored and rewritten using CBS.
It has been made stricter in that it now enforces the rules from
RFC 5280.
- ASN1_AFLG_BROKEN was removed.
- Error check tls_session_secret_cb() like OpenSSL.
- Added ASN1_INTEGER_{get,set}_{u,}int64()
- Move leaf certificate checks to the last thing after chain
validation.
- Added -s option to openssl(1) ciphers that only shows the ciphers
supported by the specified protocol.
- Use TLS_client_method() instead of TLSv1_client_method() in
the openssl(1) ciphers command.
- Validate the protocols in SSL{_CTX,}_set_alpn_protos().
- Made TS and PKCS12 opaque.
- Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
- Align PKCS12_key_gen_uni() with OpenSSL
- Various PKCS12 and TS accessors were added. In particular, the
TS_RESP_CTX_set_time_cb() function was added back.
- Allow a NULL header in PEM_write{,_bio}()
- Allow empty attribute sets in CSRs.
- Adjust signatures of BIO_ctrl functions.
- Provide additional defines for EVP AEAD.
- Provide OPENSSL_cleanup().
- Make BIO_info_cb() identical to bio_info_cb().
* Bug fixes
- Avoid use of uninitialized in BN_mod_exp_recp().
- Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is
set on X509_get_purpose() failure.
- Fix HMAC() with NULL key.
- Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
- Avoid strict aliasing violations in BN_nist_mod_*().
- Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca().
No return value of X509_check_ca() indicates failure. Application
code should therefore issue a checked call to X509_check_purpose()
before calling X509_check_ca().
- Rewrite and fix X509v3_asid_subset() to avoid segfaults on some
valid input.
- Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
- Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
- Avoid use of uninitialized in ASN1_STRING_to_UTF8().
- Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
- Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
- Do not reject primes in trial divisions.
- Error out on negative shifts in BN_{r,l}shift() instead of
accessing arrays out of bounds.
- Fix URI name constraints, allow for URI's with no host part.
- Fix the legacy verifier callback behaviour for untrusted certs.
- Correct serfver-side handling of TLSv1.3 key updates.
- Plug leak in PKCS12_setup_mac().
- Plug leak in X509V3_add1_i2d().
- Only print X.509 versions we know about.
- Avoid signed integer overflow due to unary negation
- Initialize readbytes in BIO_gets().
- Plug memory leak in CMS_add_simple_smimecap().
- Plug memory leak in X509_REQ_print_ex().
- Check HMAC() return value to avoid a later use of uninitialized.
- Avoid potential NULL dereference in ssl_set_pkey().
- Check return values in ssl_print_tmp_key().
- Switch loop bounds from size_t to int in check_hosts().
- Avoid division by zero if no connection was made in s_time.c.
- Check sk_SSL_CIPHER_push() return value
- Avoid out-of-bounds read in ssl_cipher_process_rulestr().
- Use LONG_MAX as the limit for ciphers with long based APIs.
* New features
- EVP API for HKDF ported from OpenSSL and subsequently cleaned up.
- The security level API (SSL_{,CTX}_{get,set}_security_level()) is
now available. Callbacks and ex_data are not supported. Sane
software will not be using this.
- Experimental support for the BoringSSL QUIC API.
- Add initial support for TS ESSCertIDv2 verification.
- LibreSSL now uses the Baillie-PSW primality test instead of
Miller-Rabin .
3.5.3 - Reliability fix
* Fix d2i_ASN1_OBJECT(). A confusion of two CBS resulted in advancing
the passed *der_in pointer incorrectly. Thanks to Aram Sargsyan for
reporting the issue and testing the fix.
3.5.2 - Stable release
* Bug fixes
- Avoid single byte overread in asn1_parse2().
- Allow name constraints with a leading dot. From Alex Wilson.
- Relax a check in x509_constraints_dirname() to allow prefixes.
From Alex Wilson.
- Fix NULL dereferences in openssl(1) cms option parsing.
- Do not zero the computed cofactor on ec_guess_cofactor() success.
- Bound cofactor in EC_GROUP_set_generator() to reduce the number of
bogus groups that can be described with nonsensical parameters.
- Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
memory conditions. Reported for HMAC by Masaru Masuda.
- Plug leak in ASN1_TIME_adj_internal().
- Avoid infinite loop for custom curves of order 1.
Issue reported by Hanno Boeck, comments by David Benjamin.
- Avoid an infinite loop on parsing DSA private keys by validating
that the provided parameters conform to FIPS 186-4.
Issue reported by Hanno Boeck, comments by David Benjamin.
* Compatibility improvements
- Allow non-standard name constraints of the form @domain.com.
* Internal improvements
- Limit OID text conversion to 64 bits per arc.
- Clean up and simplify memory BIO code.
- Reduce number of memmove() calls in memory BIOs.
- Factor out alert handling code in the legacy stack.
- Add sanity checks on p and q in old_dsa_priv_decode()
- Cache the SHA-512 hash instead of the SHA-1 for CRLs.
- Suppress various compiler warnings for old gcc versions.
- Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
- Rework ownership handling in x509_constraints_validate().
- Rework ASN1_STRING_set().
- Remove const from tls1_transcript_hash_value().
- Clean up and simplify ssl3_renegotiate{,_check}().
- Rewrite legacy TLS and DTLS unexpected handshake message handling.
- Simplify SSL_do_handshake().
- Rewrite ASCII/text to ASN.1 object conversion.
- Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
- Split armv7 and aarch64 code into separate locations.
- Rewrote openssl(1) ts to use the new option handling and cleaned
up the C code.
- Provide asn1_get_primitive().
- Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
- Remove the minimum record length checks from dtls1_read_bytes().
- Clean up {dtls1,ssl3}_read_bytes().
- Be more careful with embedded and terminating NULs in the new
name constraints code.
- Check EVP_Digest* return codes in openssl(1) ts
- Various minor code cleanup in openssl(1) pkcs12
- Use calloc() in pkey_hmac_init().
- Simplify priv_key handling in d2i_ECPrivateKey().
* Documentation improvements
- Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
refactoring and bug fixes.
- Fixed numerous minor grammar, spelling, wording, and punctuation
issues.
3.5.1 - Security release
* A malicious certificate can cause an infinite loop.
Reported by and fix from Tavis Ormandy and David Benjamin, Google.
3.5.0 - Development release
* New Features
- The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
regression tests were added and the code was cleaned up.
- Certificate Transparency was ported from OpenSSL. Many internal
improvements were made, resulting in cleaner and safer code.
Regress coverage was added. libssl does not yet make use of it.
* Portable Improvements
- Fixed various POSIX compliance and other portability issues
found by the port to the Sortix operating system.
- Add libmd as platform specific libraries for Solaris.
Issue reported from (ihsan <at> opencsw org) on libressl ML.
- Set IA-64 compiler flag only if it is HP-UX with IA-64.
Suggested from Larkin Nickle (me <at> larbob org) by libressl ML.
- Enabled and scheduled Coverity scan.
Contributed by Ilya Shipitsin (chipitsine <at> gmail com> on github.
* Compatibility Changes
- Most structs that were previously defined in the following headers
are now opaque as they are in OpenSSL 1.1:
bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
x509.h, x509v3.h, x509_vfy.h
- Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_
OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
of using something consistent with the previous naming. Various
test suites expect these names (instead of checking for the much
more sensible cipher numbers). The old names are still accepted
as aliases.
- Subject alternative names and name constraints are now validated
when they are added to certificates. Various interoperability
problems with stacks that validate certificates more strictly
than OpenSSL can be avoided this way.
- Attempt to opportunistically use the host name for SNI in s_client
* Bug fixes
- In some situations, the verifier would discard the error on an
unvalidated certificate chain. This would happen when the
verification callback was in use, instructing the verifier to
continue unconditionally. This could lead to incorrect decisions
being made in software.
- Avoid an infinite loop in SSL_shutdown()
- Fix another return 0 bug in SSL_shutdown()
- Handle zero byte reads/writes that trigger handshakes in the
TLSv1.3 stack
- A long standing memleak in libtls CRL handling was fixed
* Internal Improvements
- Cache the SHA-512 hash instead of the SHA-1 hash and cache
notBefore and notAfter times when X.509 certificates are parsed.
- The X.509 lookup code has been simplified and cleaned up.
- Fixed numerous issues flagged by coverity and the cryptofuzz
project
- Increased the number of Miller-Rabin checks in DH and DSA
key/parameter generation
- Started using the bytestring API in libcrypto for cleaner and
safer code
- Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
ASN1
- Convert ASN1_OBJECT_new() to calloc()
- Convert ASN1_STRING_type_new() to calloc()
- Rewrite ASN1_STRING_cmp()
- Use calloc() for X509_CRL_METHOD_new() instead of malloc()
- Convert ASN1_PCTX_new() to calloc()
- Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
function
- Consolidate {d2i,i2d}_{pr,pu}.c
- Remove handling of a NULL BUF_MEM from asn1_collect()
- Pull the recursion depth check up to the top of asn1_collect()
- Inline collect_data() in asn1_collect()
- Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
- Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
- Consolidate ASN.1 universal tag type data
- Rewrite ASN.1 identifier/length parsing in CBS
- Make OBJ_obj2nid() work correctly with NID_undef
- tlsext_tick_lifetime_hint is now an uint32_t
- Untangle ssl3_get_message() return values
- Rename tls13_buffer to tls_buffer
- Fold DTLS_STATE_INTERNAL into DTLS1_STATE
- Provide a way to determine our maximum legacy version
- Mop up enc_read_ctx and read_hash
- Fold SSL_SESSION_INTERNAL into SSL_SESSION
- Use ssl_force_want_read in the DTLS code
- Add record processing limit to DTLS code
- Add explicit CBS_contains_zero_byte() check in CBS_strdup()
- Improve SNI hostname validation
- Ensure SSL_set_tlsext_host_name() is given a valid hostname
- Fix a strange check in the auto DH codepath
- Factor out/rewrite DHE key exchange
- Convert server serialisation of DHE parameters/public key to new
functions
- Check DH public key in ssl_kex_peer_public_dhe()
- Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
- Clean up and refactor server side DHE key exchange
- Provide CBS_get_last_u8()
- Provide CBS_get_u64()
- Provide CBS_add_u64()
- Provide various CBS_peek_* functions
- Use CBS_get_last_u8() to find the content type in TLSv1.3 records
- unifdef TLS13_USE_LEGACY_CLIENT_AUTH
- Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
- Only allow zero length key shares when we know we're doing HRR
- Pull key share group/length CBB code up from
tls13_key_share_public()
- Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
validation
- Return 0 on failure from send/get kex functions in the legacy
stack
- Rename tls13_key_share to tls_key_share
- Allocate and free the EVP_AEAD_CTX struct in
tls13_record_protection
- Convert legacy TLS client to tls_key_share
- Convert legacy TLS server to tls_key_share
- Stop attempting to duplicate the public and private key of dh_tmp
- Rename dh_tmp to dhe_params
- Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
- Clean up pkey handling in ssl3_get_server_key_exchange()
- Fix GOST skip certificate verify handling
- Simplify tlsext_keyshare_server_parse()
- Plumb decode errors through key share parsing code
- Simplify SSL_get_peer_certificate()
- Cleanup/simplify ssl_cert_type()
- The S3I macro was removed
- The openssl(1) cms and smime subcommands option handling was
converted and the C source was cleaned up.
* Documentation improvements
- 45 new manual pages, most of which were written from scratch.
Documentation coverage of ASN.1 and X.509 code has been
significantly improved.
* API additions and removals
- libssl
API additions
SSL_get0_verified_chain SSL_peek_ex SSL_read_ex SSL_write_ex
API stubs for compatibility
SSL_CTX_get_keylog_callback SSL_CTX_get_num_tickets
SSL_CTX_set_keylog_callback SSL_CTX_set_num_tickets
SSL_get_num_tickets SSL_set_num_tickets
- libcrypto
added API (some of these were previously available as macros):
ASIdOrRange_free ASIdOrRange_new ASIdentifierChoice_free
ASIdentifierChoice_new ASIdentifiers_free ASIdentifiers_new
ASN1_TIME_diff ASRange_free ASRange_new BIO_get_callback_ex
BIO_get_init BIO_set_callback_ex BIO_set_next
BIO_set_retry_reason BN_GENCB_set BN_GENCB_set_old
BN_abs_is_word BN_get_flags BN_is_negative
BN_is_odd BN_is_one BN_is_word BN_is_zero BN_set_flags
BN_to_montgomery BN_with_flags BN_zero_ex CTLOG_STORE_free
CTLOG_STORE_get0_log_by_id CTLOG_STORE_load_default_file
CTLOG_STORE_load_file CTLOG_STORE_new CTLOG_free
CTLOG_get0_log_id CTLOG_get0_name CTLOG_get0_public_key
CTLOG_new CTLOG_new_from_base64 CT_POLICY_EVAL_CTX_free
CT_POLICY_EVAL_CTX_get0_cert CT_POLICY_EVAL_CTX_get0_issuer
CT_POLICY_EVAL_CTX_get0_log_store CT_POLICY_EVAL_CTX_get_time
CT_POLICY_EVAL_CTX_new CT_POLICY_EVAL_CTX_set1_cert
CT_POLICY_EVAL_CTX_set1_issuer
CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE
CT_POLICY_EVAL_CTX_set_time DH_get0_g DH_get0_p DH_get0_priv_key
DH_get0_pub_key DH_get0_q DH_get_length DSA_bits DSA_get0_g
DSA_get0_p DSA_get0_priv_key DSA_get0_pub_key DSA_get0_q
ECDSA_SIG_get0_r ECDSA_SIG_get0_s EVP_AEAD_CTX_free
EVP_AEAD_CTX_new EVP_CIPHER_CTX_buf_noconst
EVP_CIPHER_CTX_get_cipher_data EVP_CIPHER_CTX_set_cipher_data
EVP_MD_CTX_md_data EVP_MD_CTX_pkey_ctx EVP_MD_CTX_set_pkey_ctx