ChangeLog

Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing following all of the changes.

Most of the libssl and libcrypto source code is is here in OpenBSD CVS:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

	https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

	https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.3.3 - Stable release

	* This is the first stable release from the 3.3.x series.
	  There are no changes from 3.3.2.

3.3.2 - Development release

	* This release adds support for DTLSv1.2 and continues the rewrite
	  of the record layer for the legacy stack. Numerous bugs and
	  interoperability issues were fixed in the new verifier. A few bugs
	  and incompatibilities remain, so this release uses the old verifier
	  by default. The OpenSSL 1.1 TLSv1.3 API is not yet available.

	* Switch finish{,_peer}_md_len from an int to a size_t.

	* Make SSL_get{,_peer}_finished() work when used with TLSv1.3.

	* Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
	  for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
	  was a historical artefact.

	* Correct the return value type from ERR_peek_error() to a long.

	* Avoid use of uninitialized in ASN1_time_parse() which could happen
	  on parsing UTCTime if the caller did not initialise the passed
	  struct tm.

	* Destroy the mutex in a tls_config object on tls_config_free().

	* Free alert_data and phh_data in tls13_record_layer_free()
	  these could leak if SSL_shutdown() or tls_close() were called
	  after closing the underlying socket().

	* Free struct members in tls13_record_layer_free() in their natural
	  order for reviewability.

	* Gracefully handle root certificates being both trusted and
	  untrusted.

	* Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
	  verifier.

	* Use the legacy verifier when building auto chains for TLS.

	* Use consistent names in tls13_{client,server}_finished_{recv,send}().

	* Add tls13_secret_{init,cleanup}() and use them throughout the
	  TLSv1.3 code base.

	* Move the read MAC key into the TLSv1.2 record layer.

	* Make tls12_record_layer_free() NULL safe.

	* Search the intermediates only after searching the root certs in the
	  new verifier to avoid problems with the legacy callback.

	* Bail out early after finding a single chain in the new verifier, if
	  we have been called via the legacy verifier API.

	* Set (invalid and likely incomplete) chain on the xsc on chain build
	  failure prior to calling the callback. This is required by various
	  callers, including auto chain.

	* Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
	  that it never returned server ciphers, so now it will fail when
	  called from the client side.

	* Add support for SSL_get_shared_ciphers() with TLSv1.3.

	* Split the record protection from the TLSv1.2 record layer.

	* Clean up sequence number handling in the new TLSv1.2 record layer.

	* Clean up sequence number handling in DTLS.

	* Clean up dtls1_reset_seq_numbers().

	* Factor out code for explicit IV length, block size and MAC length
	  from tls12_record_layer_open_record_protected_cipher().

	* Provide record layer overhead for DTLS.

	* Provide functions to determine if TLSv1.2 record protection is
	  engaged.

	* Add code to handle change of cipher state in the new TLSv1.2 record
	  layer.

	* Mop up now unused dtls1_build_sequence_numbers() function.

	* Allow setting a keypair on a tls context without specifying the
	  private key, and fake it internally in libtls. This removes the
	  need for privsep engines like relayd to use bogus keys.

	* Skip the private key check for fake private keys.

	* Move the private key setup from tls_configure_ssl_keypair() to a
	  helper function with proper error checking.

	* Change the internal tls_configure_ssl_keypair() function to
	  return -1 instead of 1 on failure.

	* Move sequence numbers into the new TLSv1.2 record layer.

	* Move AEAD handling into the new TLSv1.2 record layer.

	* Remove direct assignment of aead_ctx to avoid a leak.

	* Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
	  draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.

	* Fail early in legacy exporter if the master secret is not available
	  to avoid a segfault if it is called when the handshake is not
	  completed.

	* Factor out legacy stack version checks.

	* Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
	  were originally added with the default handshake MAC and PRF rather
	  than the SHA256 handshake MAC and PRF.

	* Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().

	* Use dtls1_record_retrieve_buffered_record() to load buffered
	  application data.

	* Enforce read ahead with DTLS.

	* Remove bogus DTLS checks that disabled ECC and OCSP.

	* Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".

	* Only print the certificate file once on verification failure.

	* Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.

	* Clean up and simplify dtls1_get_cipher().

	* Group HelloVerifyRequest decoding and add missing check for trailing
	  data.

	* Revise HelloVerifyRequest handling for DTLSv1.2.

	* Handle DTLS1_2_VERSION in various places.

	* Add DTLSv1.2 methods.

	* Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
	  zero if the minimum or maximum has been set to zero to match
	  OpenSSL's behavior.

	* Rename the "truncated" label into "decode_err" and the "f_err"
	  label into "fatal_err".

	* Factor out and change some of the legacy client version code.

	* Simplify version checks in the TLSv1.3 client. Ensure that the
	  server announced TLSv1.3 and nothing higher and check that the
	  legacy_version is set to TLSv1.2 as required by RFC 8446.

	* Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
	  the new validator checks for EXFLAG_CRITICAL in
	  x509_vfy_check_chain_extension() for all untrusted certs in the
	  chain. Take into account that the root is not necessarily trusted.

	* Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.

	* Rename depth to num_untrusted.

	* Only use TLS versions internally rather than both TLS and DTLS
	  versions since the latter are the one's complement of the human
	  readable version numbers, which means that newer versions decrease
	  in value.

	* Fix two bugs in the legacy verifier that resulted from refactoring
	  of X509_verify_cert() for the new verifier: a return value was
	  incorrectly treated as boolean, making it insufficient to decide
	  whether validation should carry on or not.

	* Identify DTLS based on the version major value.

	* Move handling of cipher/hash based cipher suites into the new record
	  layer.

	* Add tls12_record_protection_unused() and call it from CCS functions.

	* Move key/IV length checks closer to usage sites. Also add explicit
	  checks against EVP_CIPHER_{iv,key}_length().

	* Replace two handrolled tls12_record_protection_engaged().

	* Improve internal version handling: add handshake fields for our
	  minimum version, our maximum version and the TLS version negotiated
	  during the handshake. Convert most of the internal code to use these
	  version fields.

	* Guard against future internal use of TLS1_get_{client,}_version()
	  macros.

	* Remove the internal ssl_downgrade_max_version() function which is no
	  longer needed.

	* Fix checks for memory caps of constraints names. There are internal
	  caps on the number of name constraints and other names, that the new
	  name constraints code allocates per cert chain. These limits were
	  checked too late, making them only partially effective.

	* Use EXFLAG_INVALID to handle out of memory and parse errors in
	  x509v3_cache_extensions().

	* Add support for DTLSv1.2 version handling.

	* Enable DTLSv1.2 support.

	* Add DTLSv1.2 support to openssl s_client/s_server.

	* Remove no longer needed read ahead workarounds in the s_client and
	  s_server.

	* Fix a copy-paste error - skid was confused with an akid when
	  checking for EXFLAG_INVALID. This broke OCSP validation with
	  certain mirrors.

	* Make supported protocols and options for DHE params more prominent
	  in tls_config_set_protocols.3.

	* Avoid a use-after-scope in tls13_cert_add().

	* Split TLSv1.3 record protection from record layer.

	* Move the TLSv1.3 handshake struct inside the shared handshake
	  struct.

	* Fully initialize rrec in tls12_record_layer_open_record_protected()
	  to avoid confusing some static analyzers.

	* Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
	  does not set errno.

	* Convert openssl(1) x509 to new option handling and do the usual
	  clean up that goes along with it.

	* Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

	* Rename new_cipher to cipher to align naming with keyblock or other
	  parts of the handshake data.

	* Avoid mangled output in BIO_debug_callback().

	* Fix client initiated renegotiation by replacing use of s->internal-type
	  with s->server.

	* Move the TLSv1.2 record number increment into the new record layer.

	* Move finished and peer finished into the handshake struct.

	* Avoid transcript initialization when sending a TLS HelloRequest,
	  fixing server initiated renegotiation.

	* Remove pointless assignment in SSL_get0_alpn_selected().

	* Provide EVP_PKEY_new_CMAC_KEY(3).

	* Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.

	* Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
	  logging.

	* Avoid leaking param->name in x509_verify_param_zero().

	* Avoid a leak in an error path in openssl(1) x509.

	* Add some error checking to openssl(1) x509.

	* When sending an alert in TLSv1.3, only set its error code when no
	  other error was set previously. Certain clients rely on specific
	  SSL_R_ error codes to identify that they are dealing with a self
	  signed cert.

	* Switch to the legacy verifier for the stable release.

	* Provide SSL_use_certificate_chain_file(3).

	* Provide SSL_set_hostflags(3) and SSL_get0_peername(3).

	* Provide various DTLSv1.2 specific functions and defines.

	* Document meaning of '*' in the genrsa output.

	* Updated documentation for SSL_get_shared_ciphers(3).

	* Add documentation for SSL_get_finished(3).

	* Document EVP_PKEY_new_CMAC_key(3)

	* Document SSL_use_certificate_chain_file(3).

	* Document SSL_set_hostflags(3) and SSL_get0_peername(3).

	* Update SSL_get_version.3 manual for DTLSv.1.2 support.

	* Added '--enable-libtls-only' build option, which builds and installs a
	  statically-linked libtls, skipping libcrypto and libssl. This is useful
	  for systems that ship with OpenSSL but wish to also package libtls.

3.3.1 - Security fix

	* Malformed ASN.1 in a certificate revocation list or a timestamp
	  response token can lead to a NULL pointer dereference.

	Bug fixes

	* Move point-on-curve check to set_affine_coordinates to avoid
	  verifying ECDSA signatures with unchecked public keys.

	* Fix SSL_is_server() to behave as documented by re-introducing the
	  client-specific methods.

	* Avoid undefined behavior due to memcpy(NULL, NULL, 0).

	* Mark a few more internal static tables const.

3.3.0 - Development release

	* Make openssl(1) s_server ignore -4 and -6 for compatibility with
	  OpenSSL.

	* Further cleanup of the DTLS record handling.

	* Continue the replacement of the TLSv1.2 record layer by
	  reimplementing the read side of the TLSv1.2 record handling.

	* Replace DTLSv1_enc_data() with TLSv1_1_enc_data().

	* Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.

	* When switching from the TLSv1.3 stack to the legacy stack include
	  a TLS record header. This is necessary if there is more than one
	  handshake message in the TLS plaintext record.

	* Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
	  command.

	* Fix resource handling on error in OCSP_request_add0_id().

	* Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
	  .data.rel.ro and .rodata, respectively.

	* Add a const qualifier to srtp_known_profiles.

	* Simplify TLS method by removing the client and server specific
	  methods internally.

	* Avoid casting away const in ssl_ctx_make_profiles().

	* Make sure there is enough room for stashing the handshake message
	  when switching to the legacy TLS stack.

	* Avoid explicitly conditioning an assert on DTLS1_VERSION to make
	  the assert work for newer DTLS versions.

	* Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.

	* Send a host header with OCSP queries to make openssl(1) ocsp
	  work with some widely used OCSP responders.

	* Fix a memory leak in the openssl(1) s_client.

	* Add a flag to mark DTLS methods as DTLS to have an easy way to
	  recognize DTLS methods that avoids inspecting the version number.

	* Implement SSL_is_dtls() and use it internally in place of the
	  SSL_IS_DTLS macro.

	* Unbreak DTLS retransmissions for flights that include a CCS.

	* Add ability to ocspcheck(8) to parse a port in the specified
	  OCSP URL.

	* Refactor and clean up ocspcheck(8) and add regression tests.

	* If x509_verify() fails, ensure that the error is set on both
	  the x509_verify_ctx() and its store context to make some failures
	  visible from SSL_get_verify_result().

	* Use the X509_STORE_CTX get_issuer() callback from the new X.509
	  verifier to fix hashed certificate directories.

	* Only check BIO_should_read() on read and BIO_should_write() on
	  write.  Previously, BIO_should_write() was also checked after read
	  and BIO_should_read() after write which could cause stalls in
	  software that uses the same BIO for read and write.

	* In openssl(1) verify, also check for error on the store context
	  since the return value of X509_verify_cert() is unreliable in
	  presence of a callback that returns 1 too often.

	* Update getentropy on Windows to use Cryptography Next Generation
	  (CNG). wincrypt is deprecated and no longer works with newer Windows
	  environments, such as in Windows Store apps.

	* Implement auto chain for the TLSv1.3 server since some software
	  relies on this.

	* Handle additional certificate error cases in the new X.509 verifier.
	  Keep track of the errors encountered if a verify callback tells the
	  verifier to continue and report them back via the error on the store
	  context. This mimics the behavior of the old verifier that would
	  persist the first error encountered while building the chain.

	* Report specific failures for "self signed certificates" in a way
	  compatible with the old verifier since software relies on the
	  error code.

	* Implement key exporter for TLSv1.3.

	* Plug a large memory leak in the new verifier caused by calling
	  X509_policy_check() repeatedly.

	* Avoid leaking memory in x509_verify_chain_dup().

	* Various documentation improvements, particularly around TLS methods.

3.2.3 - Security fix

	* Malformed ASN.1 in a certificate revocation list or a timestamp
	  response token can lead to a NULL pointer dereference.

3.2.2 - Stable release

	* This is the first stable release with the new TLSv1.3
	  implementation enabled by default for both client and server. The
	  OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
	  in an upcoming release.

	* New X509 certificate chain validator that correctly handles
	  multiple paths through intermediate certificates. Loosely based on
	  Go's X509 validator.

	* New name constraints verification implementation which passes the
	  bettertls.com certificate validation check suite.

	* Improve the handling of BIO_read()/BIO_write() failures in the
	  TLSv1.3 stack.

	* Start replacing the existing TLSv1.2 record layer.

	* Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

	* Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

	* Send alert on ssl_get_prev_session() failure.

	* Zero out variable on the stack to avoid leaving garbage in the tail
	  of short session IDs.

	* Move state initialization from SSL_clear() to ssl3_clear() to ensure
	  that it gets correctly reinitialized across a SSL_set_ssl_method()
	  call.

	* Avoid an out-of-bounds write in BN_rand().

	* Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
	  the code in ui_lib.c.

	* Correctly track selected ALPN length to avoid a potential segmentation
	  fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

	* Include machine/endian.h gost2814789.c in order to pick up the
	  __STRICT_ALIGNMENT define.

	* Simplify SSL method lookups.

	* Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
	  SSL_set_ssl_method() and several internal functions.

	* Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

	* Refactor dtls1_new(), dtls1_hm_fragment_new(),
	  dtls1_drain_fragments(), dtls1_clear_queues().

	* Copy the session ID directly in ssl_get_prev_session() instead of
	  handing it through several functions for copying.

	* Clean up and refactor ssl_get_prev_session(); simplify
	  tls_decrypt_ticket() and tls1_process_ticket() exit paths.

	* Avoid memset() before memcpy() in CBS_add_bytes().

	* Rewrite X509_INFO_{new,free}() more idiomatically.

	* Remove unnecessary zeroing after recallocarray() in
	  ASN1_BIT_STRING_set_bit().

	* Convert openssl(1) ocsp new option handling.

	* Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

	* Document return value from EC_KEY_get0_public_key(3).

	* Greatly expanded test coverage via the tlsfuzzer test scripts.

	* Expanded test coverage via the bettertls certificate test suite.

	* Test interoperability with the Botan TLS client.

	* Make pthread_mutex static initialisation work on Windows.

	* Get __STRICT_ALIGNMENT from machine/endian.h with portable build.

3.2.1 - Development release

	* Propagate alerts from the read half of the TLSv1.3 record layer to I/O
	  functions.

	* Send a record overflow alert for TLSv1.3 messages having overlong
	  plaintext or inner plaintext.

	* Send an illegal parameter alert if a client sends an invalid DH key
	  share.

	* Document PKCS7_final(3), PKCS7_add_attribute(3).

	* Collapse x509v3 directory into x509.

	* Improve TLSv1.3 client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
	  of constructing a broken objects that may cause NULL pointer accesses.

	* Add support for additional GOST curves from RFC 7836 and
	  draft-deremin-rfc4491-bis.

	* Add OIDs for HMAC using the Streebog hash function.

	* Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

	* Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

	* Handle GOST in ssl_cert_dup().

	* Stop sending GOST R 34.10-94 as a CertificateType.

	* Use IANA allocated GOST ClientCertificateTypes.

	* Add a custom copy handler for AES keywrap to fix a use-after-free.

	* Enforce in the TLSv1.3 server that that ClientHello messages after
	  a HelloRetryRequest match the original ClientHello as per RFC 8446
	  section 4.1.2

	* Document more PKCS7 attribute functions.

	* Document PKCS7_get_signer_info(3).

	* Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

	* Document PEM_def_callback(3).

	* Document EVP_read_pw_string_min(3).

	* Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

	* Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3)

	* Document X509_get0_pubkey_bitstr(3).

	* Fix an off-by-one in the CBC padding removal. From BoringSSL.

	* Enforce restrictions on extensions present in the ClientHello as per
	  RFC 8446, section 9.2.

	* Add new CMAC_Init(3) and ChaCha(3) manual pages.

	* Fix SSL_shutdown behavior to match the legacy stack.  The previous
	  behavior could cause a hang.

	* Add initial support for openbsd/powerpc64.

	* Make the message type available in the internal TLS extensions API
	  functions.

	* Enable TLSv1.3 for the generic TLS_method().

	* Convert openssl(1) s_client option handling.

	* Document openssl(1) certhash.

	* Convert openssl(1) verify option handling.

	* Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
	  use-after-free and double-free issues in calling programs.

	* Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).

	* Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

	* Convert openssl(1) s_server option handling.

	* Add minimal info callback support for TLSv1.3.

	* Refactor, clean up and simplify some SSL3/DTLS1 record writing code.

	* Correctly handle server requests for an OCSP response.

	* Add the P-521 curve to the list of curves supported by default
	  in the client.

	* Convert openssl(1) req option handling.

	* Avoid calling freezero with a negative size if a server sends a
	  malformed plaintext of all zeroes.

	* Send an unexpected message alert if no valid content type is found
	  in a TLSv1.3 record.

3.2.0 - Development release

	* Enable TLS 1.3 server side in addition to client by default.
	  With this change TLS 1.3 is handled entirely on the new stack
	  and state machine, with fallback to the legacy stack and
	  state machine for older versions. Note that the OpenSSL TLS 1.3
	  API is not yet visible/available.

	* Improve length checks in the TLS 1.3 record layer and provide
	  appropriate alerts for violations of record layer limits.

	* Enforce that SNI hostnames received by the TLS server are correctly
	  formed as per RFC 5890 and RFC 6066, responding with illegal parameter
	  for a nonconformant host name.

	* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
	  retry of handshake messages.

	* Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
	  similar to new OpenSSL releases.

	* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
	  various commands.

	* Add tlsfuzzer based regression tests.

	* Support sending certificate status requests from the TLS 1.3
	  client to request OCSP staples for leaf certificates.

	* Support sending certificate status replies from the TLS 1.3 server
	  in order to send OCSP staples for leaf certificates.

	* Send correct alerts when handling failed key share extensions
	  on the TLS 1.3 server.

	* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
	  switching from the new to legacy stacks.

	* Support TLS 1.3 options in the openssl(1) command.

	* Many alert cleanups in TLS 1.3 to provide expected alerts in failure
	  conditions.

	* Modify "openssl x509" to display invalid certificate times as
	  invalid, and correctly deal with the failing return case from
	  X509_cmp_time so that a certificate with an invalid NotAfter does
	  not appear valid.

	* Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
	  compatibility.

	* Ensure only PSS signatures are used with RSA in TLS 1.3.

	* Ensure that TLS 1.3 clients advertise exactly the "null" compression
	  method in its legacy_compression_methods.

	* Correct use of sockaddr_storage instead of sockaddr in openssl(1)
	  s_client, which could lead to using 14 bytes of stack garbage instead
 	  of an IPv6 address in DTLS mode.

	* Use non-expired certificates first when building a certificate chain.

3.1.5 - Security fix

	* Malformed ASN.1 in a certificate revocation list or a timestamp
	  response token can lead to a NULL pointer dereference.

3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

	* Improve client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Do not error out if a TLSv1.3 server requests an OCSP response as
	  part of a certificate request.

	* Fix SSL_shutdown behavior to match the legacy stack.  The previous
	  behaviour could cause a hang.

	* Fix a memory leak and add a missing error check in the handling of
	  the key update message.

	* Fix a memory leak in tls13_record_layer_set_traffic_key.

	* Avoid calling freezero with a negative size if a server sends a
	  malformed plaintext of all zeroes.

	* Ensure that only PSS may be used with RSA in TLSv1.3 in order
	  to avoid using PKCS1-based signatures.

	* Add the P-521 curve to the list of curves supported by default
	  in the client.

3.1.3 - Bug fix

	* libcrypto may fail to build a valid certificate chain due to
	  expired untrusted issuer certificates.

3.1.2 - Bug fix

	* A TLS client with peer verification disabled may crash when
	  contacting a server that sends an empty certificate list.

3.1.1 - Stable release

	* Improved cipher suite handling to automatically include TLSv1.3
	  cipher suites when they are not explicitly referred to in the
	  cipher string.

	* Improved handling of TLSv1.3 HelloRetryRequests, simplifying
	  state transitions and ensuring that the legacy session identifer
	  retains the same value across the handshake.

	* Provided TLSv1.3 cipher suite aliases to match the names used
	  in RFC 8446.

	* Improved TLSv1.3 client key share handling to allow the use of
	  any groups in our configured NID list.

	* Fixed printing the serialNumber with X509_print_ex() fall back to
	  the colon separated hex bytes in case greater than int value.

	* Fix to disallow setting the AES-GCM IV length to zero.

	* Added -groups option to openssl(1) s_server subcommand.

	* Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.

	* Improved portable builds to support the use of static MSVC runtimes.

	* Fixed portable builds to avoid exporting a sleep() symbol.

3.1.0 - Development release

	* Completed initial TLS 1.3 implementation with a completely new state
	  machine and record layer. TLS 1.3 is now enabled by default for the
	  client side, with the server side to be enabled in a future release.
	  Note that the OpenSSL TLS 1.3 API is not yet visible/available.

	* Many more code cleanups, fixes, and improvements to memory handling
	  and protocol parsing.

	* Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.

	* Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
	  1.1.1 and enabled by default.

	* Improved compatibility by backporting functionality and documentation
	  from OpenSSL 1.1.1.

	* Added many new additional crypto test vectors.

	* Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

	* Default CA bundle location is now configurable in portable builds.

	* Added cms subcommand to openssl(1).

	* Added -addext option to openssl(1) req subcommand.

3.0.2 - Stable release

	* Use a valid curve when constructing an EC_KEY that looks like X25519.
	  The recent EC group cofactor change results in stricter validation,
	  which causes the EC_GROUP_set_generator() call to fail.
	  Issue reported and fix tested by rsadowski@

	* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
	  (Note that the CMS code is currently disabled)
	  Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license) 

	* Avoid a path traversal bug in s_server on Windows when run with the -WWW
	  or -HTTP options, due to incomplete path check logic.
	  Issue reported and fix tested by Jobert Abma

3.0.1 - Development release

	* Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
	  or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
	  it using Hasse's bound. This works as long as the cofactor is small
	  enough.

	* Fixed a memory leak in error paths for eckey_type2param().

	* Initial work on supporting Cryptographic Message Syntax (CMS) in
	  libcrypto (not enabled).

	* Various manual page improvements and additions.

	* Added a CMake check for an existing uninstall target, facilitating
	  embedding LibreSSL in larger CMake projects, from Matthew Albrecht.

3.0.0 - Development release

	* Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.

	* Documented undescribed options and removed unfunctional options
	  description in openssl(1) manual.

	* A plethora of small fixes due to regular oss-fuzz testing.

	* Various side channels in DSA and ECDSA were addressed.  These are some of
	  the many issues found in an extensive systematic analysis of bignum usage
	  by Samuel Weiser, David Schrammel et al.

	* Enabled openssl(1) speed subcommand on Windows platform.

	* Enabled performance optimizations when building with Visual Studio on Windows.

	* Fixed incorrect carry operation in 512 addition for Streebog.

	* Fixed -modulus option with openssl(1) dsa subcommand.

	* Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.

2.9.2 - Bug fixes

	* Fixed portable builds with older versions of MacOS,
	  Android targets < API 21, and Solaris 10

	* Fixed SRTP profile advertisement for DTLS servers.

2.9.1 - Stable release

	* Added support for XChaCha20 and XChaCha20-Poly1305.

	* Added support for AES key wrap constructions via the EVP interface.

	* Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.

	* Added pbkdf2 key derivation support to openssl(1)

	* Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

	* Changed the default digest type of openssl(1) enc to to sha256.

	* Changed the default digest type of openssl(1) dgst to sha256.

	* Changed the default digest type of openssl(1) x509 -fingerprint to sha256.

	* Changed the default digest type of openssl(1) crl -fingerprint to sha256.

	* Improved Windows, Android, and ARM compatibility, including assembly
	  optimizations on Mingw-w64 targets.

2.9.0 - Development release

	* Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.

	* Fixed warnings about clock_gettime on Windows Visual Studio builds.

	* Fixed CMake builds on systems where getpagesize is defined as an
	  inline function.

	* CRYPTO_LOCK is now automatically initialized, with the legacy
	  callbacks stubbed for compatibility.

	* Added the SM3 hash function from the Chinese standard GB/T 32905-2016.

	* Added more OPENSSL_NO_* macros for compatibility with OpenSSL.

	* Added extensive interoperability tests between LibreSSL and OpenSSL
	  1.0 and 1.1.

	* Added additional Wycheproof tests and related bug fixes.

	* Simplified sigalgs option processing and handshake signing algorithm

	* Added the ability to use the RSA PSS algorithm for handshake
	  signatures.

	* Added bn_rand_interval() and use it in code needing ranges of random
	  bn values.

	* Added functionality to derive early, handshake, and application
	  secrets as per RFC8446.

	* Added handshake state machine from RFC8446.

	* Removed some ASN.1 related code from libcrypto that had not been used
	  since around 2000.

	* Unexported internal symbols and internalized more record layer structs.

	* Added support for assembly optimizations on 32-bit ARM ELF targets.

	* Improved protection against timing side channels in ECDSA signature
	  generation.

	* Coordinate blinding was added to some elliptic curves. This is the
	  last bit of the work by Brumley et al. to protect against the
	  Portsmash vulnerability.

	* Ensure transcript handshake is always freed with TLS 1.2.

2.8.2 - Stable release

	* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
	  along with test harness fixes.

	* Fixed memory leak in nc(1)

2.8.1 - Test and compatibility improvements

	* Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
	  AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
	  X25519 test vectors. Applied appropriate fixes for errors uncovered
	  by tests.

	* Simplified key exchange signature generation and verification.

	* Fixed a one-byte buffer overrun in callers of EVP_read_pw_string

	* Converted more code paths to use CBB/CBS. All handshake messages are
	  now created by CBB.

	* Fixed various memory leaks found by Coverity.

	* Simplified session ticket parsing and handling, inspired by
	  BoringSSL.

	* Modified signature of CRYPTO_mem_leaks_* to return -1. This function
	  is a no-op in LibreSSL, so this function returns an error to not
	  indicate the (non-)existence of memory leaks.

	* SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
	  X509_OBJECT_up_ref_count now return an int for error handling,
	  matching OpenSSL.

	* Converted a number of #defines into proper functions, matching
	  OpenSSL's ABI.

	* Added X509_get0_serialNumber from OpenSSL.

	* Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
	  PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
	  OpenSSL.

	* Removed broken pkcs8 formats from openssl(1).

	* Converted more functions in public API to use const arguments.

	* Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the
	  EVP_AEAD interface.

	* Stopped using composite EVP_CIPHER AEADs.

	* Added timing-safe compares for checking results of signature
	  verification. There are no known attacks, this is just inexpensive
	  prudence.

	* Correctly clear the current cipher state, when changing cipher state.
	  This fixed an issue where renegotiation of cipher suites would fail
	  when switched from AEAD to non-AEAD or vice-versa.
	  Issue reported by Bernard Spil.

	* Added more cipher tests to appstest.sh, including all TLSv1.2
	  ciphers.

	* Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL.

	* Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
	  retrieved and set with appropriate validation.

2.8.0 - Bug fixes, security, and compatibility improvements

	* Extensive documentation updates and additional API history.

	* Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry

	* Tighten up checks for various X509_VERIFY_PARAM functions,
	  'poisoning' parameters so that an unverified certificate cannot be
	  used if it fails verification.

	* Fixed a potential memory leak on failure in ASN1_item_digest

	* Fixed a potential memory alignment crash in asn1_item_combine_free

	* Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
	  SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

	* Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

	* Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers
	  and matching OpenSSL behavior, rewrote ENGINE_* documentation.

	* Added const annotations to many existing APIs from OpenSSL, making
	  interoperability easier for downstream applications.

	* Fixed small timing side-channels in ecdsa_sign_setup and
	  dsa_sign_setup.

	* Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
	  operation of BN_* functions.

	* Updated BN_clear to use explicit_bzero.

	* Added a missing bounds check in c2i_ASN1_BIT_STRING.

	* More CBS conversions, including simplifications to RSA key exchange,
	  and converted code to use dedicated buffers for secrets.

	* Removed three remaining single DES cipher suites.

	* Fixed a potential leak/incorrect return value in DSA signature
	  generation.

	* Added a blinding value when generating DSA and ECDSA signatures, in
	  order to reduce the possibility of a side-channel attack leaking the
	  private key.

	* Added ECC constant time scalar multiplication support.
	  From Billy Brumley and his team at Tampere University of Technology.

	* Revised the implementation of RSASSA-PKCS1-v1_5 to match the
	  specification in RFC 8017. Based on an OpenSSL commit by David
	  Benjamin.

	* Cleaned up BN_* implementations following changes made in OpenSSL by
	  Davide Galassi and others.

2.7.4 - Security fixes

	* Avoid a timing side-channel leak when generating DSA and ECDSA
	  signatures. This is caused by an attempt to do fast modular
	  arithmetic, which introduces branches that leak information
	  regarding secret values. Issue identified and reported by Keegan
	  Ryan of NCC Group.

	* Reject excessively large primes in DH key generation. Problem
	  reported by Guido Vranken to OpenSSL
	  (https://github.com/openssl/openssl/pull/6457) and based on his
	  diff.

2.7.3 - Bug fixes

	* Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
	  Sury

	* Fixed an issue normalizing CPU architecture in the configure script,
	  which disabled assembly optimizations on platforms that get detected
	  as 'amd64', opposed to 'x86_64'

	* Limited tls_config_clear_keys() to only clear private keys.
	  This was inadvertently clearing the keypair, which includes the OCSP
	  staple and pubkey hash - if an application called tls_configure()
	  followed by tls_config_clear_keys(), this would prevent OCSP staples
	  from working.

2.7.2 - Stable release

	* Updated and added extensive new HISTORY sections to API manuals.

	* Added support for shared library builds with CMake on all supported
	  platforms. Note that some of the CMake options have changed, consult
	  the README for details.

2.7.1 - Bug fixes

	* Fixed a bug in int_x509_param_set_hosts, calling strlen() if name
	  length provided is 0 to match the OpenSSL behaviour. Issue noticed
	  by Christian Heimes <christian@python.org>.

	* Fixed builds macOS 10.11 and older.

2.7.0 - Bug fixes and improvements

	* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
	  observations of real-world usage in applications. These are
	  implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
	  changes have not been made to existing structs, allowing code written
	  for older OpenSSL APIs to continue working.

	* Extensive corrections, improvements, and additions to the
	  API documentation, including new public APIs from OpenSSL that had
	  no pre-existing documentation.

	* Added support for automatic library initialization in libcrypto,
	  libssl, and libtls. Support for pthread_once or a compatible
	  equivalent is now required of the target operating system. As a
	  side-effect, minimum Windows support is Vista or higher.

	* Converted more packet handling methods to CBB, which improves
	  resiliency when generating TLS messages.

	* Completed TLS extension handling rewrite, improving consistency of
	  checks for malformed and duplicate extensions.

	* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
	  This removes the last remaining use of the old M_ASN1_* macros
	  (asn1_mac.h) from API that needs to continue to exist.

	* Added support for client-side session resumption in libtls.
	  A libtls client can specify a session file descriptor (a regular
	  file with appropriate ownership and permissions) and libtls will
	  manage reading and writing of session data across TLS handshakes.

	* Improved support for strict alignment on ARMv7 architectures,
	  conditionally enabling assembly in those cases.

	* Fixed a memory leak in libtls when reusing a tls_config.

	* Merged more DTLS support into the regular TLS code path, removing
	  duplicated code.

	* Many improvements to Windows Cmake-based builds and tests,
	  especially when targeting Visual Studio.

2.6.4 - Bug fixes

	* Make tls_config_parse_protocols() work correctly when passed a NULL
	  pointer for a protocol string. Issue found by semarie@, who also
	  provided the diff.

	* Correct TLS extensions handling when no extensions are present.
	  If no TLS extensions are present in a client hello or server hello,
	  omit the entire extensions block, rather than including it with a
	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
	  providing packet captures and testing the fix.

	* Fixed portable builds on older Android systems, and systems with out
	  IPV6_TCLASS support.

2.6.3 - OpenBSD 6.2 Release

	* No core changes from LibreSSL 2.6.2

	* Minor compatibility fixes in portable version.

2.6.2 - Bug fixes

	* Provide a useful error with libtls if there are no OCSP URLs in a
	  peer certificate.

	* Keep track of which keypair is in use by a TLS context, fixing a bug
	  where a TLS server with SNI would only return the OCSP staple for the
	  default keypair. Issue reported by William Graeber and confirmed by
	  Andreas Bartelt.

	* Fixed various issues in the OCSP extension parsing code.
	  The original code incorrectly passes the pointer allocated via
	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
	  free() on the now incremented pointer, most likely resulting in a
	  crash. This issue was reported by Robert Swiecki who found the issue
	  using honggfuzz.

	* If tls_config_parse_protocols() is called with a NULL pointer,
	  return the default protocols instead of crashing - this makes the
	  behaviour more useful and mirrors what we already do in
	  tls_config_set_ciphers() et al.

2.6.1 - Code removal, rewrites

	* Added a "-T tlscompat" option to nc(1), which enables the use of all
	  TLS protocols and "compat" ciphers. This allows for TLS connections
	  to TLS servers that are using less than ideal cipher suites, without
	  having to resort to "-T tlsall" which enables all known cipher
	  suites.  Diff from Kyle J. McKay.

	* Added a new TLS extension handling framework, somewhat analogous to
	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
	  extension regression tests.

	* Improved and added many new manpages. Updated *check_private_key
	  manpages with additional cautions regarding their use.

	* Cleaned up the EC key/curve configuration handling.

	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
	  of the eliptical curves that may be used during client and server
	  key exchange to be specified.

	* Converted more code paths to use CBB/CBS.

	* Removed support for DSS/DSA, since we removed the cipher suites a
	  while back.

	* Removed NPN support. NPN was never standardised and the last draft
	  expired in October 2012. ALPN was standardised in July 2014 and has
	  been supported in LibreSSL since December 2014. NPN has also been
	  removed from Chromium in May 2016.

	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
	  CryptoPro clients.

	* Removed support for the TLS padding extension, which was added as a
	  workaround for an old bug in F5's TLS termination.

	* Worked around another bug in F5's TLS termination handling of the
	  elliptical curves extension. RFC 4492 only defines elliptic_curves
	  for ClientHello. However, F5 is sending it in ServerHello.  We need
	  to skip over it since our TLS extension parsing code is now more
	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.

	* Added ability to clamp notafter valies in certificates for systems
	  with 32-bit time_t. This is necessary to conform to RFC 5280
	  4.1.2.5.

	* Implemented the SSL_CTX_set_min_proto_version(3) API.

	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.

	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.

2.6.0 - New APIs, bug fixes and improvements

	* Added support for providing CRLs to libtls. Once a CRL is provided we
	  enable CRL checking for the full certificate chain. Based on a diff
	  from Jack Burton

	* Allow non-compliant clients using IP literal addresses with SNI
	  to connect to a server using libtls.

	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
	  Reported by Robert Swiecki, who found the issue using honggfuzz.

	* Added definitions for three OIDs used in EV certificates.
	  From Kyle J. McKay

	* Added tls_peer_cert_chain_pem to libtls, useful in private
	  certificate validation callbacks such as those in relayd.

	* Converted explicit clear/free sequences to use freezero(3).

	* Reworked TLS certificate name verification code to more strictly
	  follow RFC 6125.

	* Cleaned up and simplified server key exchange EC point handling.

	* Added tls_keypair_clear_key for clearing key material.

	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
	  simplified BIO_get_host_ip and BIO_accept.

	* Fixed the openssl(1) ca command so that is generates certificates
	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.

	* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *

	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.

	* Added HKDF (HMAC Key Derivation Function) from BoringSSL

	* Provided a tls_unload_file() function that frees the memory returned
	  from a tls_load_file() call, ensuring that it the contents become
	  inaccessible. This is specifically needed on platforms where the
	  library allocators may be different from the application allocator.

	* Perform reference counting for tls_config. This allows
	  tls_config_free() to be called as soon as it has been passed to the
	  final tls_configure() call, simplifying lifetime tracking for the
	  application.

	* Moved internal state of SSL and other structures to be opaque.

	* Dropped cipher suites with DSS authentication.

	* nc(1) improvements, including:
	   nc -W to terminate nc after receiving a number of packets
	   nc -Z for saving the peer certificate and chain in a pem file

2.5.5 - Bug fixes

	* Distinguish between self-issued certificates and self-signed
	  certificates. The certificate verification code has special cases
	  for self-signed certificates and without this change, self-issued
	  certificates (which it seems are common place with
	  openvpn/easyrsa) were also being included in this category.

	* Added getpagesize fallback, needed for Android bionic libc.

2.5.4 - Security Updates

	* Revert a previous change that forced consistency between return
	  value and error code when specifing a certificate verification
	  callback, since this breaks the documented API. When a user supplied
	  callback always returns 1, and later code checks the error code to
	  potentially abort post verification, this will result in incorrect
	  successul certificate verification.

	* Switched Linux getrandom() usage to non-blocking mode, continuing to
	  use fallback mechanims if unsuccessful. This works around a design
	  flaw in Linux getrandom(2) where early boot usage in a library makes
	  it impossible to recover if getrandom(2) is not yet initialized.

	* Fixed a bug caused by the return value being set early to signal
	  successful DTLS cookie validation. This can mask a later failure and
	  result in a positive return value being returned from
	  ssl3_get_client_hello(), when it should return a negative value to
	  propagate the error.

	* Fixed a build error on non-x86/x86_64 systems running Solaris.

2.5.3 - OpenBSD 6.1 Release

	* Documentation updates

	* Improved ocspcheck(1) error handling

2.5.2 - Security features and bugfixes

	* Added the recallocarray(3) memory allocation function, and converted
	  various places in the library to use it, such as CBB and BUF_MEM_grow.
	  recallocarray(3) is similar to reallocarray. Newly allocated memory
	  is cleared similar to calloc(3). Memory that becomes unallocated
	  while shrinking or moving existing allocations is explicitly
	  discarded by unmapping or clearing to 0

	* Added new root CAs from SECOM Trust Systems / Security Communication
	  of Japan.

	* Added EVP interface for MD5+SHA1 hashes.

	* Fixed DTLS client failures when the server sends a certificate
	  request.

	* Correct handling of padding when upgrading an SSLv2 challenge into
	  an SSLv3/TLS connection.

	* Allow protocols and ciphers to be set on a TLS config object in
	  libtls.

	* Improved nc(1) TLS handshake CPU usage and server-side error
	  reporting.

2.5.1 - Bug and security fixes, new features, documentation updates

	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
	  error. Reported by Theofilos Petsios.

	* Detect zero-length encrypted session data early, instead of when
	  malloc(0) fails or the HMAC check fails. Noted independently by
	  jsing@ and Kurt Cancemi.

	* Check for and handle failure of HMAC_{Update,Final} or
	  EVP_DecryptUpdate().

	* Massive update and normalization of manpages, conversion to
	  mandoc format. Many pages were rewritten for clarity and accuracy.
	  Portable doc links are up-to-date with a new conversion tool.

	* Curve25519 Key Exchange support.

	* Support for alternate chains for certificate verification.

	* Code cleanups, CBS conversions, further unification of DTLS/SSL
	  handshake code, further ASN1 macro expansion and removal.

	* Private symbol are now hidden in libssl and libcryto.

	* Friendly certificate verification error messages in libtls, peer
	  verification is now always enabled.

	* Added OCSP stapling support to libtls and netcat.

	* Added ocspcheck utility to validate a certificate against its OCSP
	  responder and save the reply for stapling

	* Enhanced regression tests and error handling for libtls.

	* Added explicit constant and non-constant time BN functions,
	  defaulting to constant time wherever possible.

	* Moved many leaked implementation details in public structs behind
	  opaque pointers.

	* Added ticket support to libtls.

	* Added support for setting the supported EC curves via
	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
	  list of curves to be X25519, P-256 and P-384. All other curves must
	  be manually enabled.

	* Added -groups option to openssl(1) s_client for specifying the curves
	  to be used in a colon-separated list.

	* Merged client/server version negotiation code paths into one,
	  reducing much duplicate code.

	* Removed error function codes from libssl and libcrypto.

	* Fixed an issue where a truncated packet could crash via an OOB read.

	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
	  client-initiated renegotiation. This is the default for libtls
	  servers.

	* Avoid a side-channel cache-timing attack that can leak the ECDSA
	  private keys when signing. This is due to BN_mod_inverse() being
	  used without the constant time flag being set. Reported by Cesar
	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
	  The fix was developed by Cesar Pereida Garcia.

	* iOS and MacOS compatibility updates from Simone Basso and Jacob
	  Berkman.


2.5.0 - New APIs, bug fixes and improvements

	* libtls now supports ALPN and SNI

	* libtls adds a new callback interface for integrating custom IO
	  functions. Thanks to Tobias Pape.

	* libtls now handles 4 cipher suite groups:
	    "secure" (TLSv1.2+AEAD+PFS)
	    "compat" (HIGH:!aNULL)
	    "legacy" (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)

	    This allows for flexibility and finer grained control, rather than
	    having two extremes (an issue raised by Marko Kreen some time ago).

	* Tightened error handling for tls_config_set_ciphers().

	* libtls now always loads CA, key and certificate files at the time the
	  configuration function is called. This simplifies code and results in
	  a single memory based code path being used to provide data to libssl.

	* Add support for OCSP intermediate certificates.

	* Added functions used by stunnel and exim from BoringSSL - this
	  brings in X509_check_host, X509_check_email, X509_check_ip, and
	  X509_check_ip_asc.

	* Added initial support for iOS, thanks to Jacob Berkman.

	* Improved behavior of arc4random on Windows when using memory leak
	  analysis software.

	* Correctly handle an EOF that occurs prior to the TLS handshake
	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
	  Kreen.

	* Limit the support of the "backward compatible" ssl2 handshake to
	  only be used if TLS 1.0 is enabled.

	* Fix incorrect results in certain cases on 64-bit systems when
	  BN_mod_word() can return incorrect results. BN_mod_word() now can
	  return an error condition. Thanks to Brian Smith.

	* Added constant-time updates to address CVE-2016-0702

	* Fixed undefined behavior in BN_GF2m_mod_arr()

	* Removed unused Cryptographic Message Support (CMS)

	* More conversions of long long idioms to time_t

	* Improved compatibility by avoiding printing NULL strings with
	  printf.

	* Reverted change that cleans up the EVP cipher context in
	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
	  previous behaviour.

	* Avoid unbounded memory growth in libssl, which can be triggered by a
	  TLS client repeatedly renegotiating and sending OCSP Status Request
	  TLS extensions.

	* Avoid falling back to a weak digest for (EC)DH when using SNI with
	  libssl.

2.4.2 - Bug fixes and improvements

	* Fixed loading default certificate locations with openssl s_client.

	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
	  RFC6960. Also added fixes for OCSP to work with intermediate
	  certificates provided in responses.

	* Improved behavior of arc4random on Windows to not appear to leak
	  memory in debug tools, reduced privileges of allocated memory.

	* Fixed incorrect results from BN_mod_word() when the modulus is too
	  large, thanks to Brian Smith from BoringSSL.

	* Correctly handle an EOF prior to completing the TLS handshake in
	  libtls.

	* Improved libtls ceritificate loading and cipher string validation.

	* Updated libtls cipher group suites into four categories:
	    "secure"   (TLSv1.2+AEAD+PFS)
	    "compat"   (HIGH:!aNULL)
	    "legacy"   (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)
	  This allows for flexibility and finer grained control, rather than
	  having two extremes.

	* Limited support for 'backward compatible' SSLv2 handshake packets to
	  when TLS 1.0 is enabled, providing more restricted compatibility
	  with TLS 1.0 clients.

	* openssl(1) and other documentation improvements.

	* Removed flags for disabling constant-time operations.
	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
	  all of these operations unconditionally constant-time.


2.4.1 - Security fix

	* Correct a problem that prevents the DSA signing algorithm from
	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
	  This issue was reported by Cesar Pereida (Aalto University), Billy
	  Brumley (Tampere University of Technology), and Yuval Yarom (The
	  University of Adelaide and NICTA). The fix was developed by Cesar
	  Pereida.

2.4.0 - Build improvements, new features

	* Many improvements to the CMake build infrastructure, including
	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
	  Inoguchi for this work.

	* Added missing error handling around bn_wexpand() calls.

	* Added explicit_bzero calls for freed ASN.1 objects.

	* Fixed X509_*set_object functions to return 0 on allocation failure.

	* Implemented the IETF ChaCha20-Poly1305 cipher suites.

	* Changed default EVP_aead_chacha20_poly1305() implementation to the
	  IETF version, which is now the default.

	* Fixed password prompts from openssl(1) to properly handle ^C.

	* Reworked error handling in libtls so that configuration errors are
	  visible.

	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

	* Manpage fixes and updates

2.3.5 - Reliability fix

	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

2.3.4 - Security Update

	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
	From OpenSSL.

	* Minor build fixes

2.3.3 - OpenBSD 5.9 release branch tagged

	* Reworked build scripts to better sync with OpenNTPD-portable

	* Fixed broken manpage links

	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias

	* Fixed HP-UX builds

	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
	  binary builds

	* cert.pem has been reorganized and synced with Mozilla's certificate store

2.3.2 - Compatibility and Reliability fixes

	* Changed format of LIBRESSL_VERSION_NUMBER to match that of
	  OPENSSL_VERSION_NUMBER, see:
	  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)

	* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
	  construction introduced in RFC 7539, which is different than that
	  already used in TLS with EVP_aead_chacha20_poly1305()

	* Avoid a potential undefined C99+ behavior due to shift overflow in
	  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>

	* More man pages converted from pod to mdoc format

	* Added COMODO RSA Certification Authority and QuoVadis
	  root certificates to cert.pem

	* Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
	  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
	  certificate from cert.pem

	* Added support for building nc(1) on Solaris

	* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev

	* Improved console handling with openssl(1) on Windows

	* Ensure the network stack is enabled on Windows when running
	  tls_init()

	* Fixed incorrect TLS certificate loading by nc(1)

	* Added support for Solaris 11.3's getentropy(2) system call

	* Enabled support for using NetBSD 7.0's arc4random(3) implementation

	* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect

	* Fixes from OpenSSL 1.0.1q
	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
	                   validation.
	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL

	* The following OpenSSL CVEs did not apply to LibreSSL
	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
	                   squaring procedure.
	 - CVE-2015-3196 - Double free race condition of the identify hint
	                   data.

	 See https://marc.info/?l=openbsd-announce&m=144925068504102

2.3.1 - ASN.1 and time handling cleanups

	* ASN.1 cleanups and RFC5280 compliance fixes.

	* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
	  now checks if the host OS supports 64-bit time_t.

	* Fixed a leak in SSL_new in the error path.

	* Support always extracting the peer cipher and version with libtls.

	* Added ability to check certificate validity times with libtls,
	  tls_peer_cert_notbefore and tls_peer_cert_notafter.

	* Changed tls_connect_servername to use the first address that resolves with
	  getaddrinfo().

	* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
	  initial commit in 2004).

	* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
	  by Qualys Security.

	* Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
	  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

	* Reject too small bits value in BN_generate_prime_ex(), so that it does
	  not risk becoming negative in probable_prime_dh_safe(), reported by
		Franck Denis.

	* Enable nc(1) builds on more platforms.

2.3.0 - SSLv3 removed, libtls API changes, portability improvements

	* SSLv3 is now permanently removed from the tree.

	* The libtls API is changed from the 2.2.x series.

	  The read/write functions work correctly with external event
	  libraries.  See the tls_init man page for examples of using libtls
	  correctly in asynchronous mode.

	  Client-side verification is now supported, with the client supplying
	  the certificate to the server.

	  Also, when using tls_connect_fds, tls_connect_socket or
	  tls_accept_fds, libtls no longer implicitly closes the passed in
	  sockets. The caller is responsible for closing them in this case.

	* When loading a DSA key from an raw (without DH parameters) ASN.1
	  serialization, perform some consistency checks on its `p' and `q'
	  values, and return an error if the checks failed.

	  Thanks for Georgi Guninski (guninski at guninski dot com) for
	  mentioning the possibility of a weak (non prime) q value and
	  providing a test case.

	  See
	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
	  for a longer discussion.

	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
	  of the result key without error. A coding error could cause software
	  to use much shorter keys than intended.

	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
	  longer supported.

	* The engine command and parameters are removed from the openssl(1).
	  Previous releases removed dynamic and builtin engine support
	  already.

	* SHA-0 is removed, which was withdrawn shortly after publication 20
	  years ago.

	* Added Certplus CA root certificate to the default cert.pem file.

	* New interface OPENSSL_cpu_caps is provided that does not allow
	  software to inadvertently modify cpu capability flags.
	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.

	* The out_len argument of AEAD changed from ssize_t to size_t.

	* Deduplicated DTLS code, sharing bugfixes and improvements with
	  TLS.

	* Converted 'nc' to use libtls for client and server operations; it is
	  included in the libressl-portable distribution as an example of how
	  to use the library.

2.2.3 - Bug fixes, build enhancements

	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
	  include TLS extensions, resulting in such handshakes being aborted.
	  This release corrects the handling of such messages. Thanks to
	  Ligushka from github for reporting the issue.

	* Added install target for cmake builds. Thanks to TheNietsnie from
	  github.

	* Updated pkgconfig files to correctly report the release version
	  number, not the individual library ABI version numbers. Thanks to
	  Jan Engelhardt for reporting the issue.

2.2.2 - More TLS parser rework, bug fixes, expanded portable build support

	* Switched 'openssl dhparam' default from 512 to 2048 bits

	* Reworked openssl(1) option handling

	* More CRYPTO ByteString (CBC) packet parsing conversions

	* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success

	* Fixed dozens of Coverity issues including dead code, memory leaks,
	  logic errors and more.

	* Ensure that openssl(1) restores terminal echo state after reading a
	  password.

	* Incorporated fix for OpenSSL Issue #3683

	* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
	  for each portable release.

	* Removed workarounds for TLS client padding bugs.

	* No longer disable ECDHE-ECDSA on OS X

	* Removed SSLv3 support from openssl(1)

	* Removed IE 6 SSLv3 workarounds.

	* Modified tls_write in libtls to allow partial writes, clarified with
	  examples in the documentation.

	* Removed RSAX engine

	* Tested SSLv3 removal with the OpenBSD ports tree and found several
	  applications that were not ready to build without SSLv3 yet. For
	  now, building a program that intentionally uses SSLv3 will result in
	  a linker warning.

	* Added TLS_method, TLS_client_method and TLS_server_method as a
	  replacement for the SSLv23_*method calls.

	* Added initial cmake build support, including support for building with
	  Visual Studio, currently tested with Visual Studio 2013 Community
	  Edition.

	* --with-enginesdir is removed as a configuration parameter

	* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
	  installed under $sysconfdir/ssl or the directory specified by
	  --with-openssldir. Previous versions of LibreSSL left these empty.

2.2.1 - Build fixes, feature added, features removed

	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.

	* Initial support for Windows Embedded 2009, Server 2003, XP

	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API

	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL

	* Removed Dynamic Engine support

	* Removed unused and obsolete MDC-2DES cipher

	* Removed workarounds for obsolete SSL implementations

2.2.0 - Build cleanups and new OS support, Security Updates

	* AIX Support - thanks to Michael Felt

	* Cygwin Support - thanks to Corinna Vinschen

	* Refactored build macros, support packaging libtls independently.
	  There are more pieces required to support building and using OpenSSL
	  with libtls, but this is an initial start at providing an
	  independent package for people to start hacking on.

	* Removal of OPENSSL_issetugid and all library getenv calls.
	  Applications can and should no longer rely on environment variables
	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
	  supported with the openssl(1) command.

	* libtls API and documentation additions

	* Various bug fixes and simplifications to libssl and libcrypto

	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function

	* The following CVEs did not apply to LibreSSL or were fixed in
	  earlier releases:
	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
	 - CVE-2014-8176 - Invalid free in DTLS

	* Fixes for the following CVEs are still in review for LibreSSL
	 - CVE-2015-1791 - Race condition handling NewSessionTicket

2.1.6 - Security update

	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences

	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
	  is integrated for safety, but LibreSSL is not vulnerable.

	* Libtls is now built by default. The --enable-libtls
	  configuration option is no longer required.
	  The libtls API is now stable for the 2.1.x series.

2.1.5 - Bug fixes and a security update
	* Fix incorrect comparison function in openssl(1) certhash command.
	  Thanks to Christian Neukirchen / Void Linux.

	* Windows port improvements and bug fixes.
	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
	  - Correct a hang in openssl(1) reading from stdin on an connection.
	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
	    any other network-related commands to function properly.

	* Reject all server DH keys smaller than 1024 bits.

2.1.4 - Security and feature updates
	* Improvements to libtls:
	  - a new API for loading CA chains directly from memory instead of a
	    file, allowing verification with privilege separation in a chroot
	    without direct access to CA certificate files.

	  - Ciphers default to TLSv1.2 with AEAD and PFS.

	  - Improved error handling and message generation

	  - New APIs and improved documentation

	* Added X509_STORE_load_mem API for loading certificates from memory.
	  This facilitates accessing certificates from a chrooted environment.

	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
	  using 'TLSv1.2+AEAD' as the cipher selection string.

	* Dead and disabled code removal including MD5, Netscape workarounds,
	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.

	* ASN1 macro maze expanded to aid reading and searching the code.

	* NULL pointer asserts removed in favor of letting the OS/signal
	  handler catch them.

	* Refactored argument handling in openssl(1) for consistency and
	  maintainability.

	* New openssl(1) command 'certhash' replaces the c_rehash script.

	* Support for building with OPENSSL_NO_DEPRECATED

	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
	  various auditor and vulnerability scanners.

	* Dozens of issues found with the Coverity scanner fixed.

	* Security Updates:

	  - Fix a minor information leak that was introduced in t1_lib.c
	    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
	    provided to the network. In most cases this is a non-issue since
	    the memory content is already public. Issue found and reported by
	    Felix Groebert of the Google Security Team.

	  - Fixes for the following low-severity issues were integrated into
	    LibreSSL from OpenSSL 1.0.1k:

	     CVE-2015-0205 - DH client certificates accepted without
	                     verification
	     CVE-2014-3570 - Bignum squaring may produce incorrect results
	     CVE-2014-8275 - Certificate fingerprints can be modified
	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.

	    The following CVEs were fixed in earlier LibreSSL releases:
	     CVE-2015-0206 - Memory leak handling repeated DLTS records
	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

	    The following CVEs did not apply to LibreSSL:
	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

2.1.3 - Security update and OS support improvements
	* Fixed various memory leaks in DTLS, including fixes for
	  CVE-2015-0206.

	* Added Application-Layer Protocol Negotiation (ALPN) support.

	* Removed GOST R 34.10-94 signature authentication.

	* Removed nonfunctional Netscape browser-hang workaround code.

	* Simplified and refactored SSL/DTLS handshake code.

	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

	* Hide timing info about padding errors during handshakes.

	* Improved libtls support for non-blocking sockets, added randomized
	  session ID contexts. Work is ongoing with this library - feedback
	  and potential use-cases are welcome.

	* Support building Windows DLLs.
	  Thanks to Jan Engelhard.

	* Packaged config wrapper for better compatibility with OpenSSL-based
	  build systems.
	  Thanks to @technion from github

	* Ensure the stack is marked non-executable for assembly sections.
	  Thanks to Anthony G. Bastile.

	* Enable extra compiler hardening flags by default, where applicable.
	  The default set of hardening features can vary by OS to OS, so
	  feedback is welcome on this. To disable the default hardening flags,
	  specify '--disable-hardening' during configure.
	  Thanks to Jim Barlow

	* Initial HP-UX support, tested with HP-UX 11.31 ia64
	  Thanks to Kinichiro Inoguchi

	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
	  Imported from OpenNTPD, thanks to @gitisihara from github

2.1.2 - Many new features and improvements
	* Added reworked GOST cipher suite support
	   thanks to Dmitry Eremin-Solenikov

	* Enabled Camellia ciphers due to improved patent situation

	* Use builtin arc4random implementation on OS X and FreeBSD
	   this addresses some deficiencies in the native implementations of
	   these operating systems, see commit logs for more information

	* Added initial Windows mingw-w64 support (32 and 64-bit)
	   thanks to Song Dongsheng and others for code and feedback

	* Enabled assembly optimizations on x86_64 CPUs
	   supports Linux, *BSD, Solaris and OS X operating systems
	   thanks to Wouter Clarie for the initial implementation

	* Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)

	* Improved build infrastructure, 'make distcheck' now passes
	   this simplifies and speeds developer efficiency
	   thanks to Dmitry Eremin-Solenikov and Wouter Clarie

	* Allow conditional building of the libtls library
	   expect the API and ABI of the library to change
	   feedback is welcome

	* Fixes for more memory leaks, cleanups, etc.

2.1.1 - Security update
	* Address POODLE attack by disabling SSLv3 by default

	* Fix Eliptical Curve cipher selection bug
	  (https://github.com/libressl-portable/portable/issues/35)

2.1.0 - First release from the OpenBSD 5.7 tree
	* Added support for automatic ephemeral EC keys

	* Fixes for many memory leaks and overflows in error handlers

	* The TLS padding extension (that works around bugs in F5 terminators) is
	  off by default

	* support for getrandom(2) on Linux 3.17

	* the NO_ASM macro is no longer being set, providing the first bits toward
	  enabling other assembly offloads.

2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
	* CVE-2014-3506
	* CVE-2014-3507
	* CVE-2014-3508 (partially vulnerable)he
	* CVE-2014-3509
	* CVE-2014-3510
	* CVE-2014-3511
	* Synced LibreSSL Portable with the release version of OpenBSD 5.6

2.0.4 - Portability fixes, deleted unused SRP code

2.0.3 - Portability fixes, improvements to fork detection

2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork

2.0.1 - Portability fixes:
	* Removed -Werror and and other non-portable compiler flags

	* Allow setting OPENSSLDIR and ENGINSDIR

2.0.0 - First release from the OpenBSD 5.6 tree
	* Removal of many obsolete features and coding conventions from the OpenSSL
	  1.0.1h source