Subject: CVS commit: pkgsrc/security/libretls
From: Amitai Schleier
Date: 2023-11-08 15:10:20
Message id: 20231108141021.1537BFA2F@cvs.NetBSD.org

Log Message:
libretls: update to 3.8.1. LibreSSL changes:

3.8.1:

* Portable changes
  - Applications bundled as part of the LibreSSL package internally,
    nc(1) and openssl(1), now are linked statically if static libraries
    are built.
  - Internal compatibility function symbols are no longer exported from
    libcrypto. Instead, the libcompat library is linked to libcrypto,
    libssl, and libtls separately. This increases size a little, but
    ensures that the libraries are not exporting symbols to programs
    unintentionally.
  - Selective removal of CET implementation on platforms where it is
    not supported (macOS).
  - Integrated four more tests.
  - Added Windows ARM64 architecture to tested platforms.
  - Removed Solaris 10 support, fixed Solaris 11.
  - libtls no longer links statically to libcrypto / libssl unless
    '--enable-libtls-only' is specified at configure time.
  - Improved Windows compatibility library, namely handling of files vs
    sockets, correcting an exception when operating on a closed socket.
  - CMake builds no longer hardcode '-O2' into the compiler flags, instead
    using flags from the CMake build type.
  - Set the CMake default build type to 'Release'. This can be overridden
    during configuration.
  - Fixed broken ASM support with MinGW builds.
* Internal improvements
  - Fixed alignment handling in SHA-512.
  - Moved the verified_chain to the correct internal struct.
  - Improved checks for commonName in libtls.
  - Fixed error check for X509_get_ext_d2i() failure in libtls.
  - Improved BIGNUM internals and performance.
  - Significantly improved Montgomery multiplication performance.
  - Initial cleanup passes for SHA-256 internals.
  - Converted more libcrypto internals API using CBB and CBS.
  - Removed code guarded by #ifdef ZLIB.
  - Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with
    Ed25519 and fixed a few bugs in there.
  - Fixed various issues with EVP_PKEY_CTX_{new,dup}().
  - Improved X.509 certificate version checks.
  - Cleaned up handling of elliptic curve cofactors.
  - Made BN_num_bits() independent of bn->top.
  - Rewrote and simplified bn_sqr().
  - Removed EC_GROUP precomp machinery.
  - Ensure no X.509v3 extensions appear more than once in certificates.
  - Cleaned up various ECDH, ECDSA and EC internals.
  - Replaced ASN1_bn_print with a cleaner internal implementation.
  - Simplified ASN1_item_sign_ctx().
  - Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
  - Various improvements in the 'simple' EC code.
  - Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
  - Reduced the dependency of hash implementations on many layers of
    macros. This results in significant speedups since modern compilers
    are now less confused.
  - Significantly simplified the BN_BLINDING internals used in RSA.
* New features
* Compatibility changes
  - X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain
    valid UTF-8 without embedded NUL.
  - Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
  - Removed support for ECDH_METHOD and ECDSA_METHOD.
  - BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than
    32 kbits for primality. This mitigates various DoS vectors.
  - Comp was removed.
  - Dynamic loading of conf modules is no longer supported.
  - DSO was removed and OPENSSL_NO_DSO is defined.
  - ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
    of this, some stub functions are provided to avoid patching some
    applications that do not honor OPENSSL_NO_ENGINE.
  - It is no longer possible to make the library use your own error
    stack or ex_data implementation.
* Bug fixes
  - Fixed aliasing issue in BN_mod_inverse().
  - Made CRYPTO_get_ex_new_index() not return 0 to allow applications
    to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
    each other.
  - Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
  - Plugged leaks in BIO_chain_dup().
  - Fixed numerous leaks and other minor bugs in RSA, DH, DSA and EC
    ASN.1 methods. Unified the coding style.
  - On socket errors in the poll loop, netcat could issue system calls
    on invalidated file descriptors.
* Documentation improvements
  - Made it very explicit that the verify callback should not be used.
  - Called out that the CRL lastUpdate is standardized as thisUpdate.
* Testing and Proactive Security
  - As always, new test coverage is added as bugs are fixed and subsystems
    are cleaned up.
* Security fixes
  - Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
    be selected for use.

3.8.0:

* Portable changes
  - Extended the endian.h compat header with hto* and *toh macros.
  - Adapted more tests to the portable framework.
* Internal improvements
  - Improved sieve of Eratosthenes script used for generating a table
    of small primes.
  - Started cleaning up and rewriting SHA internals.
  - Replace internal use of BN_copy() with bn_copy() for consistency.
  - Rewrote and improved BN_exp() and BN_copy().
  - Add branch target information (BTI) support to arm64 assembly.
  - Replaced BN_mod_sqrt() with a new implementation.
  - Removed incomplete and dangerous BN_RECURSION code.
  - Added endbr64 instructions to amd64 assembly.
  - Imported RFC 5280 policy checking code from BoringSSL and used it
    to replace the old exponential time code.
  - Converted more of libcrypto to use CBB/CBS.
  - Cleaned up and simplified the code dealing with builtin curves.
* New features
  - Added support for truncated SHA-2 and for SHA-3.
  - The BPSW primality test performs additional Miller-Rabin rounds
    with random bases to reduce the likelihood of composites passing.
  - Allow testing of ciphers and digests using badly aligned buffers
    in openssl speed.
  - Added a workaround for a poorly thought-out change in OpenSSL 3 that
    broke privilege separation support in libtls.
* Compatibility changes
  - Support for GF2m was removed: BIGNUM no longer supports binary extension
    field arithmetic and all binary elliptic builtin curves were removed.
  - Removed dangerous, "fast" NIST prime and elliptic curve implementations.
    In particular, EC_GFp_nist_method() is no longer available.
  - Removed most public symbols that were deprecated in OpenSSL 0.9.8.
  - Removed the public X9.31 API (RSA_X931_PADDING is still available).
  - Removed Cipher Text Stealing mode.
  - Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the
    openssl(1) nseq command.
  - Dropped proxy certificate (RFC 3820) support.
  - The POLICY_TREE and its related structures and API were removed.
  - The explicitText user notice uses UTF8String instead of VisibleString
    to reduce the risk of emitting certificates with invalid DER-encoding.
  - Initial fixes for RSA-PSS support to make the TLSv1.3 stack more
    compliant with RFC 8446.
* Bug fixes
  - Correctly handle negative input to various BIGNUM functions.
  - Ensure ERR_load_ERR_strings() does not set errno unexpectedly.
  - Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
  - Fixed detection of extended operations (XOP) on AMD hardware.
  - Ensure Montgomery exponentiation is used for the initial RSA blinding.
  - Policy is always checked in X509 validation. Critical policy extensions
    are no longer silently ignored.
  - Fixed error handling in tls_check_common_name().
  - Add missing pointer invalidation in SSL_free().
  - Fixed X509err() and X509V3err() and their internal versions.
  - Ensure that OBJ_obj2txt() always returns a C string again.
  - In X509_VERIFY_PARAM_inherit() copy hostflags independently of the
    host list.
* Documentation improvements
  - Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3),
    BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3).
  - Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally
    undocumented.
* Testing and Proactive Security
  - Significantly improved test coverage of BN_mod_sqrt() and GCD.
  - As always, new test coverage is added as bugs are fixed and subsystems
    are cleaned up.

3.7.3:

* Bug fix
  - Hostflags in the verify parameters would not propagate from an
    SSL_CTX to newly created SSL.
* Reliability fix
  - A double free or use after free could occur after SSL_clear(3).

3.7.2:

* Portable changes
  - Moved official Github project to https://github.com/libressl/.
  - Build support for Apple Silicon.
  - Installed opensslconf.h is now architecture-specific.
  - Removed internal defines from opensslconf.h.
  - Support reproducible builds on tagged commits in main branch.
* Internal improvements
  - Initial overhaul of the BIGNUM code:
    - Added a new framework that allows architecture-dependent
      replacement implementations for bignum primitives.
    - Imported various s2n-bignum's constant time assembly primitives
      and switched amd64 to them.
    - Lots of cleanup, simplification and bug fixes.
  - Changed Perl assembly generators to move constants into .rodata,
    allowing code to run with execute-only permissions.
  - Capped the number of iterations in DSA and ECDSA signing (avoiding
    infinite loops), added additional sanity checks to DSA.
  - ASN.1 parsing improvements.
  - Made UI_destroy_method() NULL safe.
  - Various improvements to nc(1).
  - Always clear EC groups and points on free.
  - Cleanup and improvements in EC code.
  - Various openssl(1) improvements.
  - Remove dependency on system timegm() and gmtime() by replacing
    traditional Julian date conversion with POSIX epoch-seconds date
    conversion from BoringSSL.
  - Clean old and unused BN code dealing with primes.
  - Start rewriting name constraints code using CBS.
  - Remove support for the HMAC PRIVATE KEY.
  - Rework DSA signing and verifying internals.
  - Internal headers coming from OpenSSL are all called *_local.h now.
  - Rewrite TLSv1.2 key exporter.
  - Cleaned up and refactored various aspects of the legacy TLS stack.
* Bug fixes
  - Fixed a memory leak, a double free and various other issues in
    BIO_new_NDEF().
  - Fixed various crashes in the openssl(1) testing utility.
  - Do not check policies by default in the new X.509 verifier.
  - Added missing error checking in PKCS7.
  - Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
  - Add EVP_chacha20_poly1305() to the list of all ciphers.
  - Fix potential leaks of EVP_PKEY in various printing functions.
  - Fix potential leak in OBJ_NAME_add().
  - Avoid signed overflow in i2c_ASN1_BIT_STRING().
  - Clean up EVP_PKEY_ASN1_METHOD related tables and code.
  - Fix long standing bugs in BN_GF2m_poly2arr() and BN_GF2m_mod().
  - Fix segfaults in BN_{dec,hex}2bn().
  - Fix NULL dereference in x509_constraints_uri_host() reachable only
    in the process of generating certificates.
  - Fixed a variety of memory corruption issues in BIO chains coming
    from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
  - Avoid potential divide by zero in BIO_dump_indent_cb().
* New features
  - Added UI_null().
  - Added X509_STORE_*check_issued().
  - Added X509_CRL_get0_tbs_sigalg() and X509_get0_uids() accessors.
  - Added EVP_CIPHER_meth_*() setter API.
  - BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
    various corner cases. More work is needed here.
  - Added Ed25519 support both as a primitive and via OpenSSL's EVP
    interfaces.
  - X25519 is now also supported via EVP.
  - The OpenSSL 1.1 raw public and private key API is available with
    support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
    Poly1305 is not currently supported via this interface.
* Documentation improvements
  - Marked BIO_s_log(3), BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
    BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
  - Document BIO_number_read(3), BIO_number_written(3),
    BIO_set_retry_read(3), BIO_set_retry_write(3),
    BIO_set_retry_special(3), BIO_clear_retry_flags(3),
    BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3),
    BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3),
    BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3),
    BIO_callback_fn(3), and the BIO_FLAGS_* constants.
  - Correct the prototypes of BIO_get_conn_ip(3) and BIO_get_conn_int_port(3).
  - Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
  - Document EVP_PKEY_new_raw_private_key(3),
    EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and
    EVP_PKEY_get_raw_public_key(3).
  - Document ASN1_buf_print(3).
  - Document DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_{r,s}() and RSA_get0_*.
  - Merged documentation of UI_null() from OpenSSL 1.1.
  - Various spelling and other documentation improvements.
  - Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
  - The BN documentation is now considered to be complete.
* Testing and Proactive Security
  - As always, new test coverage is added as bugs are fixed and subsystems
    are cleaned up.
  - New Wycheproof tests added.
  - OpenSSL 3.0 Interop tests added.
  - Many old tests rewritten, cleaned up and extended.
* Security fixes
  - A malicious certificate revocation list or timestamp response token
    would allow an attacker to read arbitrary memory.

3.7.1:

* Internal improvements
  - Initial overhaul of the BIGNUM code:
    - Added a new framework that allows architecture-dependent
      replacement implementations for bignum primitives.
    - Imported various s2n-bignum's constant time assembly primitives
      and switched amd64 to them.
    - Lots of cleanup, simplification and bug fixes.
  - Changed Perl assembly generators to move constants into .rodata,
    allowing code to run with execute-only permissions.
  - Capped the number of iterations in DSA and ECDSA signing (avoiding
    infinite loops), added additional sanity checks to DSA.
  - ASN.1 parsing improvements.
  - Made UI_destroy_method() NULL safe.
  - Various improvements to nc(1).
  - Always clear EC groups and points on free.
  - Cleanup and improvements in EC code.
  - Various openssl(1) improvements.
* Bug fixes
  - Fixed a memory leak, a double free and various other issues in
    BIO_new_NDEF().
  - Fixed various crashes in the openssl(1) testing utility.
  - Do not check policies by default in the new X.509 verifier.
  - Avoid crash with ASN.1 BOOLEANS in openssl(1) asn1parse.
  - Added missing error checking in PKCS7.
  - Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
* Compatibility changes
  - Correct the prototypes of BIO_get_conn_ip(3) and
    BIO_get_conn_int_port(3).
* New features
  - Added UI_null().
  - Added X509_STORE_*check_issued().
  - Added X509_CRL_get0_sigalg() and X509_get0_uids() accessors.
  - Added EVP_CIPHER_meth_*() setter API.
* Documentation improvements
  - Marked BIO_s_log(3), BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
    BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
  - Merged documentation of UI_null() from OpenSSL 1.1.
  - Document BIO_number_read(3), BIO_number_written(3),
    BIO_set_retry_read(3), BIO_set_retry_write(3),
    BIO_set_retry_special(3), BIO_clear_retry_flags(3),
    BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3),
    BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3),
    BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3),
    BIO_callback_fn(3), and the BIO_FLAGS_* constants.
  - Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
  - Document EVP_PKEY_new_raw_private_key(3),
    EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and
    EVP_PKEY_get_raw_public_key(3).
  - Document ASN1_buf_print(3).
  - Document ECDSA_SIG_get0_{r,s}().
  - Document DH_get0_* for individual DH members.
  - Document DSA_get0_* for individual DSA members.
  - Document RSA_get0_* for individual RSA members.
  - Various spelling and other documentation improvements.
* Testing and Proactive Security
  - As always, new test coverage is added as bugs are fixed and subsystems
    are cleaned up.
  - New Wycheproof tests added.
  - OpenSSL 3.0 Interop tests added.
  - Many old tests rewritten, cleaned up and extended.
* Security fixes
  - A malicious certificate revocation list or timestamp response token
    would allow an attacker to read arbitrary memory.

Files:
Revision  Action  File
1.10      modify  pkgsrc/security/libretls/Makefile
1.12      modify  pkgsrc/security/libretls/distinfo
1.2       modify  pkgsrc/security/libretls/patches/patch-tls.c