Log Message:
Update to 3.7.0. From the upstream LibreSSL changelog:

3.5.3:
  * Fix d2i_ASN1_OBJECT(). A confusion of two CBS resulted in advancing
    the passed *der_in pointer incorrectly. Thanks to Aram Sargsyan for
    reporting the issue and testing the fix.

3.6.0:
 * Internal improvements
   - Avoid expensive RFC 3779 checks during cert verification.
   - The templated ASN.1 decoder has been cleaned up, refactored,
     modernized with parts rewritten using CBB and CBS.
   - The ASN.1 time parser has been rewritten.
   - Rewrite and fix ASN1_STRING_to_UTF8().
   - Use asn1_abs_set_unused_bits() rather than inlining it.
   - Simplify ec_asn1_group2curve().
   - First pass at a clean up of ASN1_item_sign_ctx()
   - ssl_txt.c was cleaned up.
   - Internal function arguments and struct member have been changed
     to size_t.
   - Lots of missing error checks of EVP API were added.
   - Clean up and clarify BN_kronecker().
   - Simplify ASN1_INTEGER_cmp()
   - Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse
     the ASN1_INTEGER functions for ASN1_ENUMERATED.
   - Use ASN1_INTEGER to parse and build {Z,}LONG_it
   - Refactored and cleaned up group (elliptic curve) handling in
     t1_lib.c.
   - Simplify certificate list handling code in the legacy server.
   - Make CBB_finish() fail if *out_data is not NULL.
   - Remove tls_buffer_set_data() and remove/revise callers.
   - Rewrite SSL{_CTX,}_set_alpn_protos() using CBS.
   - Simplify tlsext_supported_groups_server_parse().
   - Remove redundant length checks in tlsext parse functions.
   - Simplify tls13_server_encrypted_extensions_recv().
   - Add read and write support to tls_buffer.
   - Convert TLS transcript from BUF_MEM to tls_buffer.
   - Clear key on exit in PKCS12_gen_mac().
   - Minor fixes in PKCS12_parse().
   - Provide and use a primitive clear function for BIGNUM_it.
   - Use ASN1_INTEGER to encode/decode BIGNUM_it.
   - Add stack frames to AES-NI x86_64 assembly.
   - Use named initialisers for BIGNUMs.
   - Tidy up some of BN_nist_mod_*.
   - Expand BLOCK_CIPHER_* and related macros.
   - Avoid shadowing the cbs function parameter in
     tlsext_alpn_server_parse()
   - Deduplicate peer certificate chain processing code.
   - Make it possible to signal an error from an i2c_* function.
   - Rewrite i2c_ASN1_INTEGER() using CBB/CBS.
   - Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20().
   - Remove bogus length checks from EVP_aead_chacha20_poly1305().
   - Reworked DSA_size() and ECDSA_size().
   - Stop using CBIGNUM_it internal to libcrypto.
   - Provide c2i_ASN1_ENUMERATED_cbs() and call it from
     asn1_c2i_primitive().
   - Ensure ASN.1 types are appropriately encoded.
   - Avoid recycling ASN1_STRINGs when decoding ASN.1.
   - Tidy up asn1_c2i_primitive() slightly.
   - Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR,
     BLOCK_CIPHER and the looney M_do_cipher macros.
   - Use correct length for EVP CFB mode ciphers.
   - Provide a version of ssl_msg_callback() that takes a CBS.
   - Use CBS to parse TLS alerts in the legacy stack.
   - Increment the input and output position for EVP AES CFB1.
   - Ensure there is no trailing data for a CCS received by the
     TLSv1.3 stack.
   - Use CBS when procesing a CCS message in the legacy stack.
   - Be stricter with middlebox compatibility mode in the TLSv1.3
     server.
 * Compatibility changes
   - The ASN.1 time parser has been refactored and rewritten using CBS.
     It has been made stricter in that it now enforces the rules from
     RFC 5280.
   - ASN1_AFLG_BROKEN was removed.
   - Error check tls_session_secret_cb() like OpenSSL.
   - Added ASN1_INTEGER_{get,set}_{u,}int64()
   - Move leaf certificate checks to the last thing after chain
     validation.
   - Added -s option to openssl(1) ciphers that only shows the ciphers
     supported by the specified protocol.
   - Use TLS_client_method() instead of TLSv1_client_method() in
     the openssl(1) ciphers command.
   - Validate the protocols in SSL{_CTX,}_set_alpn_protos().
   - Made TS and PKCS12 opaque.
   - Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
   - Align PKCS12_key_gen_uni() with OpenSSL
   - Various PKCS12 and TS accessors were added. In particular, the
     TS_RESP_CTX_set_time_cb() function was added back.
   - Allow a NULL header in PEM_write{,_bio}()
   - Allow empty attribute sets in CSRs.
   - Adjust signatures of BIO_ctrl functions.
   - Provide additional defines for EVP AEAD.
   - Provide OPENSSL_cleanup().
   - Make BIO_info_cb() identical to bio_info_cb().
 * Bug fixes
   - Avoid use of uninitialized in BN_mod_exp_recp().
   - Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is
     set on X509_get_purpose() failure.
   - Fix HMAC() with NULL key.
   - Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
   - Avoid strict aliasing violations in BN_nist_mod_*().
   - Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca().
     No return value of X509_check_ca() indicates failure. Application
     code should therefore issue a checked call to X509_check_purpose()
     before calling X509_check_ca().
   - Rewrite and fix X509v3_asid_subset() to avoid segfaults on some
     valid input.
   - Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
   - Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
   - Avoid use of uninitialized in ASN1_STRING_to_UTF8().
   - Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
   - Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
   - Do not reject primes in trial divisions.
   - Error out on negative shifts in BN_{r,l}shift() instead of
     accessing arrays out of bounds.
   - Fix URI name constraints, allow for URI's with no host part.
   - Fix the legacy verifier callback behaviour for untrusted certs.
   - Correct serfver-side handling of TLSv1.3 key updates.
   - Plug leak in PKCS12_setup_mac().
   - Plug leak in X509V3_add1_i2d().
   - Only print X.509 versions we know about.
   - Avoid signed integer overflow due to unary negation
   - Initialize readbytes in BIO_gets().
   - Plug memory leak in CMS_add_simple_smimecap().
   - Plug memory leak in X509_REQ_print_ex().
   - Check HMAC() return value to avoid a later use of uninitialized.
   - Avoid potential NULL dereference in ssl_set_pkey().
   - Check return values in ssl_print_tmp_key().
   - Switch loop bounds from size_t to int in check_hosts().
   - Avoid division by zero if no connection was made in s_time.c.
   - Check sk_SSL_CIPHER_push() return value
   - Avoid out-of-bounds read in ssl_cipher_process_rulestr().
   - Use LONG_MAX as the limit for ciphers with long based APIs.
 * New features
   - EVP API for HKDF ported from OpenSSL and subsequently cleaned up.
   - The security level API (SSL_{,CTX}_{get,set}_security_level()) is
     now available. Callbacks and ex_data are not supported. Sane
     software will not be using this.
   - Experimental support for the BoringSSL QUIC API.
   - Add initial support for TS ESSCertIDv2 verification.
   - LibreSSL now uses the Baillie-PSW primality test instead of
     Miller-Rabin .

3.6.1:
 - Custom verification callbacks could cause the X.509 verifier to
   fail to store errors resulting from leaf certificate verification.
     Reported by Ilya Shipitsin.
 - Unbreak ASN.1 indefinite length encoding.
     Reported by Niklas Hallqvist.
 - Fix endian detection on macOS
     Reported by jiegec on Github

3.7.0:
    * Internal improvements
      - Remove dependency on system timegm() and gmtime() by replacing
        traditional Julian date conversion with POSIX epoch-seconds date
        conversion from BoringSSL.
      - Clean old and unused BN code dealing with primes.
      - Start rewriting name constraints code using CBS.
      - Remove support for the HMAC PRIVATE KEY.
      - Rework DSA signing and verifying internals.
      - First few passes on cleaning up the BN code.
      - Internal headers coming from OpenSSL are all called *_local.h now.
      - Rewrite TLSv1.2 key exporter.
      - Cleaned up and refactored various aspects of the legacy TLS stack.
    * Compatibility changes
      - BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
        various corner cases. More work is needed here.
    * Bug fixes
      - Add EVP_chacha20_poly1305() to the list of all ciphers.
      - Fix potential leaks of EVP_PKEY in various printing functions
      - Fix potential leak in OBJ_NAME_add().
      - Avoid signed overflow in i2c_ASN1_BIT_STRING().
      - Clean up EVP_PKEY_ASN1_METHOD related tables and code.
      - Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
      - Fix segfaults in BN_{dec,hex}2bn().
      - Fix NULL dereference in x509_constraints_uri_host() reachable only
        in the process of generating certificates.
      - Fixed a variety of memory corruption issues in BIO chains coming
        from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
      - Avoid potential divide by zero in BIO_dump_indent_cb()
    * Documentation improvements
      - Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
      - The BN documentation is now considered to be complete.
    * Testing and Proactive Security
      - As always, new test coverage is added as bugs are fixed and
        subsystems are cleaned up.
      - Many old tests rewritten, cleaned up and extended.
    * New features
      - Added Ed25519 support both as a primitive and via OpenSSL's EVP
        interfaces.
      - X25519 is now also supported via EVP.
      - The OpenSSL 1.1 raw public and private key API is available with
        support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
        Poly1305 is not currently supported via this interface.