Log message:
libretls: update to 3.8.1. LibreSSL changes:
3.8.1:
* Portable changes
- Applications bundled as part of the LibreSSL package internally,
nc(1) and openssl(1), now are linked statically if static libraries
are built.
- Internal compatibility function symbols are no longer exported from
libcrypto. Instead, the libcompat library is linked to libcrypto,
libssl, and libtls separately. This increases size a little, but
ensures that the libraries are not exporting symbols to programs
unintentionally.
- Selective removal of CET implementation on platforms where it is
not supported (macOS).
- Integrated four more tests.
- Added Windows ARM64 architecture to tested platforms.
- Removed Solaris 10 support, fixed Solaris 11.
- libtls no longer links statically to libcrypto / libssl unless
'--enable-libtls-only' is specified at configure time.
- Improved Windows compatibility library, namely handling of files vs
sockets, correcting an exception when operating on a closed socket.
- CMake builds no longer hardcode '-O2' into the compiler flags, instead
using flags from the CMake build type instead.
- Set the CMake default build type to 'Release'. This can be overridden
during configuration.
- Fixed broken ASM support with MinGW builds.
* Internal improvements
- Fixed alignment handling in SHA-512.
- Moved the verified_chain to the correct internal struct.
- Improved checks for commonName in libtls.
- Fixed error check for X509_get_ext_d2i() failure in libtls.
- Improved BIGNUM internals and performance.
- Significantly improved Montgomery multiplication performance.
- Initial cleanup passes for SHA-256 internals.
- Converted more libcrypto internals API using CBB and CBS.
- Removed code guarded by #ifdef ZLIB.
- Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with
Ed25519 and fixed a few bugs in there.
- Fixed various issues with EVP_PKEY_CTX_{new,dup}().
- Improved X.509 certificate version checks.
- Cleaned up handling of elliptic curve cofactors.
- Made BN_num_bits() independent of bn->top.
- Rewrote and simplified bn_sqr().
- Removed EC_GROUP precomp machinery.
- Ensure no X.509v3 extensions appear more than once in certificates.
- Cleaned up various ECDH, ECDSA and EC internals.
- Replaced ASN1_bn_print with a cleaner internal implementation.
- Simplified ASN1_item_sign_ctx().
- Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
- Various improvements in the 'simple' EC code.
- Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
- Reduced the dependency of hash implementations on many layers of
macros. This results in significant speedups since modern compilers
are now less confused.
- Significantly simplified the BN_BLINDING internals used in RSA.
* New features
* Compatibility changes
- X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain
valid UTF-8 without embedded NUL.
- Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
- Removed support for ECDH_METHOD and ECDSA_METHOD.
- BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than
32 kbits for primality. This mitigates various DoS vectors.
- Comp was removed.
- Dynamic loading of conf modules is no longer supported.
- DSO was removed and OPENSSL_NO_DSO is defined.
- ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
of this, some stub functions are provided to avoid patching some
applications that do not honor OPENSSL_NO_ENGINE.
- It is no longer possible to make the library use your own error
stack or ex_data implementation.
* Bug fixes
- Fixed aliasing issue in BN_mod_inverse().
- Made CRYPTO_get_ex_new_index() not return 0 to allow applications
to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
each other.
- Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
- Plugged leaks in BIO_chain_dup().
- Fixed numerous leaks and other minor bugs in RSA, DH, DSA and EC
ASN.1 methods. Unified the coding style.
- On socket errors in the poll loop, netcat could issue system calls
on invalidated file descriptors.
* Documentation improvements
- Made it very explicit that the verify callback should not be used.
- Called out that the CRL lastUpdate is standardized as thisUpdate.
* Testing and Proactive Security
- As always, new test coverage is added as bugs are fixed and subsystems
are cleaned up.
* Security fixes
- Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
be selected for use.
3.8.0:
* Portable changes
- Extended the endian.h compat header with hto* and *toh macros.
- Adapted more tests to the portable framework.
* Internal improvements
- Improved sieve of Eratosthenes script used for generating a table
of small primes.
- Started cleaning up and rewriting SHA internals.
- Replace internal use of BN_copy() with bn_copy() for consistency.
- Rewrote and improved BN_exp() and BN_copy().
- Add branch target information (BTI) support to arm64 assembly.
- Replaced BN_mod_sqrt() with a new implementation.
- Removed incomplete and dangerous BN_RECURSION code.
- Added endbr64 instructions to amd64 assembly.
- Imported RFC 5280 policy checking code from BoringSSL and used it
to replace the old exponential time code.
- Converted more of libcrypto to use CBB/CBS.
- Cleaned up and simplified the code dealing with builtin curves.
* New features
- Added support for truncated SHA-2 and for SHA-3.
- The BPSW primality test performs additional Miller-Rabin rounds
with random bases to reduce the likelihood of composites passing.
- Allow testing of ciphers and digests using badly aligned buffers
in openssl speed.
- Added a workaround for a poorly thought-out change in OpenSSL 3 that
broke privilege separation support in libtls.
* Compatibility changes
- Support for GF2m was removed: BIGNUM no longer supports binary extension
field arithmetic and all binary elliptic builtin curves were removed.
- Removed dangerous, "fast" NIST prime and elliptic curve \
implementations.
In particular, EC_GFp_nist_method() is no longer available.
- Removed most public symbols that were deprecated in OpenSSL 0.9.8.
- Removed the public X9.31 API (RSA_X931_PADDING is still available).
- Removed Cipher Text Stealing mode.
- Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the
openssl(1) nseq command.
- Dropped proxy certificate (RFC 3820) support.
- The POLICY_TREE and its related structures and API were removed.
- The explicitText user notice uses UTF8String instead of VisibleString
to reduce the risk of emitting certificates with invalid DER-encoding.
- Initial fixes for RSA-PSS support to make the TLSv1.3 stack more
compliant with RFC 8446.
* Bug fixes
- Correctly handle negative input to various BIGNUM functions.
- Ensure ERR_load_ERR_strings() does not set errno unexpectedly.
- Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
- Fixed detection of extended operations (XOP) on AMD hardware.
- Ensure Montgomery exponentiation is used for the initial RSA blinding.
- Policy is always checked in X509 validation. Critical policy extensions
are no longer silently ignored.
- Fixed error handling in tls_check_common_name().
- Add missing pointer invalidation in SSL_free().
- Fixed X509err() and X509V3err() and their internal versions.
- Ensure that OBJ_obj2txt() always returns a C string again.
- In X509_VERIFY_PARAM_inherit() copy hostflags independently of the
host list.
* Documentation improvements
- Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3),
BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3).
- Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally
undocumented.
* Testing and Proactive Security
- Significantly improved test coverage of BN_mod_sqrt() and GCD.
- As always, new test coverage is added as bugs are fixed and subsystems
are cleaned up.
3.7.3:
* Bug fix
- Hostflags in the verify parameters would not propagate from an
SSL_CTX to newly created SSL.
* Reliability fix
- A double free or use after free could occur after SSL_clear(3).
3.7.2:
* Portable changes
- Moved official Github project to https://github.com/libressl/.
- Build support for Apple Silicon.
- Installed opensslconf.h is now architecture-specific.
- Removed internal defines from opensslconf.h.
- Support reproducible builds on tagged commits in main branch.
* Internal improvements
- Initial overhaul of the BIGNUM code:
- Added a new framework that allows architecture-dependent
replacement implementations for bignum primitives.
- Imported various s2n-bignum's constant time assembly primitives
and switched amd64 to them.
- Lots of cleanup, simplification and bug fixes.
- Changed Perl assembly generators to move constants into .rodata,
allowing code to run with execute-only permissions.
- Capped the number of iterations in DSA and ECDSA signing (avoiding
infinite loops), added additional sanity checks to DSA.
- ASN.1 parsing improvements.
- Made UI_destroy_method() NULL safe.
- Various improvements to nc(1).
- Always clear EC groups and points on free.
- Cleanup and improvements in EC code.
- Various openssl(1) improvements.
- Remove dependency on system timegm() and gmtime() by replacing
traditional Julian date conversion with POSIX epoch-seconds date
conversion from BoringSSL.
- Clean old and unused BN code dealing with primes.
- Start rewriting name constraints code using CBS.
- Remove support for the HMAC PRIVATE KEY.
- Rework DSA signing and verifying internals.
- Internal headers coming from OpenSSL are all called *_local.h now.
- Rewrite TLSv1.2 key exporter.
- Cleaned up and refactored various aspects of the legacy TLS stack.
* Bug fixes
- Fixed a memory leak, a double free and various other issues in
BIO_new_NDEF().
- Fixed various crashes in the openssl(1) testing utility.
- Do not check policies by default in the new X.509 verifier.
- Added missing error checking in PKCS7.
- Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
- Add EVP_chacha20_poly1305() to the list of all ciphers.
- Fix potential leaks of EVP_PKEY in various printing functions
- Fix potential leak in OBJ_NAME_add().
- Avoid signed overflow in i2c_ASN1_BIT_STRING().
- Clean up EVP_PKEY_ASN1_METHOD related tables and code.
- Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
- Fix segfaults in BN_{dec,hex}2bn().
- Fix NULL dereference in x509_constraints_uri_host() reachable only
in the process of generating certificates.
- Fixed a variety of memory corruption issues in BIO chains coming
from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
- Avoid potential divide by zero in BIO_dump_indent_cb()
* New features
- Added UI_null()
- Added X509_STORE_*check_issued()
- Added X509_CRL_get0_tbs_sigalg() and X509_get0_uids() accessors.
- Added EVP_CIPHER_meth_*() setter API.
- BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
various corner cases. More work is needed here.
- Added Ed25519 support both as a primitive and via OpenSSL's EVP
interfaces.
- X25519 is now also supported via EVP.
- The OpenSSL 1.1 raw public and private key API is available with
support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
Poly1305 is not currently supported via this interface.
* Documentation improvements
- Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
- Document BIO_number_read(3), BIO_number_written(3),
BIO_set_retry_read(3), BIO_set_retry_write(3),
BIO_set_retry_special(3), BIO_clear_retry_flags(3),
BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3),
BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3).
BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3),
BIO_callback_fn(3), and the BIO_FLAGS_* constants
- Correct the prototypes of BIO_get_conn_ip(3) and BIO_get_conn_int_port(3).
- Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
- Document EVP_PKEY_new_raw_private_key(3),
EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and
EVP_PKEY_get_raw_public_key(3).
- Document ASN1_buf_print(3).
- Document DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_{r,s}() and RSA_get0_*.
- Merged documentation of UI_null() from OpenSSL 1.1
- Various spelling and other documentation improvements.
- Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
- The BN documentation is now considered to be complete.
* Testing and Proactive Security
- As always, new test coverage is added as bugs are fixed and subsystems
are cleaned up.
- New Wycheproof tests added.
- OpenSSL 3.0 Interop tests added.
- Many old tests rewritten, cleaned up and extended.
* Security fixes
- A malicious certificate revocation list or timestamp response token
would allow an attacker to read arbitrary memory.
3.7.1:
* Internal improvements
- Initial overhaul of the BIGNUM code:
- Added a new framework that allows architecture-dependent
replacement implementations for bignum primitives.
- Imported various s2n-bignum's constant time assembly primitives
and switched amd64 to them.
- Lots of cleanup, simplification and bug fixes.
- Changed Perl assembly generators to move constants into .rodata,
allowing code to run with execute-only permissions.
- Capped the number of iterations in DSA and ECDSA signing (avoiding
infinite loops), added additional sanity checks to DSA.
- ASN.1 parsing improvements.
- Made UI_destroy_method() NULL safe.
- Various improvements to nc(1).
- Always clear EC groups and points on free.
- Cleanup and improvements in EC code.
- Various openssl(1) improvements.
* Bug fixes
- Fixed a memory leak, a double free and various other issues in
BIO_new_NDEF().
- Fixed various crashes in the openssl(1) testing utility.
- Do not check policies by default in the new X.509 verifier.
- Avoid crash with ASN.1 BOOLEANS in openssl(1) asn1parse.
- Added missing error checking in PKCS7.
- Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
* Compatibility changes
- Correct the prototypes of BIO_get_conn_ip(3) and
BIO_get_conn_int_port(3).
* New features
- Added UI_null()
- Added X509_STORE_*check_issued()
- Added X509_CRL_get0_sigalg() and X509_get0_uids() accessors.
- Added EVP_CIPHER_meth_*() setter API.
* Documentation improvements
- Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
- Merged documentation of UI_null() from OpenSSL 1.1
- Document BIO_number_read(3), BIO_number_written(3),
BIO_set_retry_read(3), BIO_set_retry_write(3),
BIO_set_retry_special(3), BIO_clear_retry_flags(3),
BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3),
BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3).
BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3),
BIO_callback_fn(3), and the BIO_FLAGS_* constants
- Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
- Document EVP_PKEY_new_raw_private_key(3),
EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and
EVP_PKEY_get_raw_public_key(3).
- Document ASN1_buf_print(3).
- Document ECDSA_SIG_get0_{r,s}().
- Document DH_get0_* for individual DH members.
- Document DSA_get0_* for individual DSA members
- Document RSA_get0_* for individual RSA members.
- Various spelling and other documentation improvements.
* Testing and Proactive Security
- As always, new test coverage is added as bugs are fixed and subsystems
are cleaned up.
- New Wycheproof tests added.
- OpenSSL 3.0 Interop tests added.
- Many old tests rewritten, cleaned up and extended.
* Security fixes
- A malicious certificate revocation list or timestamp response token
would allow an attacker to read arbitrary memory.
|
Log message:
Update to 3.7.0. From the upstream LibreSSL changelog:
3.5.3:
* Fix d2i_ASN1_OBJECT(). A confusion of two CBS resulted in advancing
the passed *der_in pointer incorrectly. Thanks to Aram Sargsyan for
reporting the issue and testing the fix.
3.6.0:
* Internal improvements
- Avoid expensive RFC 3779 checks during cert verification.
- The templated ASN.1 decoder has been cleaned up, refactored,
modernized with parts rewritten using CBB and CBS.
- The ASN.1 time parser has been rewritten.
- Rewrite and fix ASN1_STRING_to_UTF8().
- Use asn1_abs_set_unused_bits() rather than inlining it.
- Simplify ec_asn1_group2curve().
- First pass at a clean up of ASN1_item_sign_ctx()
- ssl_txt.c was cleaned up.
- Internal function arguments and struct member have been changed
to size_t.
- Lots of missing error checks of EVP API were added.
- Clean up and clarify BN_kronecker().
- Simplify ASN1_INTEGER_cmp()
- Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse
the ASN1_INTEGER functions for ASN1_ENUMERATED.
- Use ASN1_INTEGER to parse and build {Z,}LONG_it
- Refactored and cleaned up group (elliptic curve) handling in
t1_lib.c.
- Simplify certificate list handling code in the legacy server.
- Make CBB_finish() fail if *out_data is not NULL.
- Remove tls_buffer_set_data() and remove/revise callers.
- Rewrite SSL{_CTX,}_set_alpn_protos() using CBS.
- Simplify tlsext_supported_groups_server_parse().
- Remove redundant length checks in tlsext parse functions.
- Simplify tls13_server_encrypted_extensions_recv().
- Add read and write support to tls_buffer.
- Convert TLS transcript from BUF_MEM to tls_buffer.
- Clear key on exit in PKCS12_gen_mac().
- Minor fixes in PKCS12_parse().
- Provide and use a primitive clear function for BIGNUM_it.
- Use ASN1_INTEGER to encode/decode BIGNUM_it.
- Add stack frames to AES-NI x86_64 assembly.
- Use named initialisers for BIGNUMs.
- Tidy up some of BN_nist_mod_*.
- Expand BLOCK_CIPHER_* and related macros.
- Avoid shadowing the cbs function parameter in
tlsext_alpn_server_parse()
- Deduplicate peer certificate chain processing code.
- Make it possible to signal an error from an i2c_* function.
- Rewrite i2c_ASN1_INTEGER() using CBB/CBS.
- Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20().
- Remove bogus length checks from EVP_aead_chacha20_poly1305().
- Reworked DSA_size() and ECDSA_size().
- Stop using CBIGNUM_it internal to libcrypto.
- Provide c2i_ASN1_ENUMERATED_cbs() and call it from
asn1_c2i_primitive().
- Ensure ASN.1 types are appropriately encoded.
- Avoid recycling ASN1_STRINGs when decoding ASN.1.
- Tidy up asn1_c2i_primitive() slightly.
- Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR,
BLOCK_CIPHER and the looney M_do_cipher macros.
- Use correct length for EVP CFB mode ciphers.
- Provide a version of ssl_msg_callback() that takes a CBS.
- Use CBS to parse TLS alerts in the legacy stack.
- Increment the input and output position for EVP AES CFB1.
- Ensure there is no trailing data for a CCS received by the
TLSv1.3 stack.
- Use CBS when procesing a CCS message in the legacy stack.
- Be stricter with middlebox compatibility mode in the TLSv1.3
server.
* Compatibility changes
- The ASN.1 time parser has been refactored and rewritten using CBS.
It has been made stricter in that it now enforces the rules from
RFC 5280.
- ASN1_AFLG_BROKEN was removed.
- Error check tls_session_secret_cb() like OpenSSL.
- Added ASN1_INTEGER_{get,set}_{u,}int64()
- Move leaf certificate checks to the last thing after chain
validation.
- Added -s option to openssl(1) ciphers that only shows the ciphers
supported by the specified protocol.
- Use TLS_client_method() instead of TLSv1_client_method() in
the openssl(1) ciphers command.
- Validate the protocols in SSL{_CTX,}_set_alpn_protos().
- Made TS and PKCS12 opaque.
- Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
- Align PKCS12_key_gen_uni() with OpenSSL
- Various PKCS12 and TS accessors were added. In particular, the
TS_RESP_CTX_set_time_cb() function was added back.
- Allow a NULL header in PEM_write{,_bio}()
- Allow empty attribute sets in CSRs.
- Adjust signatures of BIO_ctrl functions.
- Provide additional defines for EVP AEAD.
- Provide OPENSSL_cleanup().
- Make BIO_info_cb() identical to bio_info_cb().
* Bug fixes
- Avoid use of uninitialized in BN_mod_exp_recp().
- Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is
set on X509_get_purpose() failure.
- Fix HMAC() with NULL key.
- Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
- Avoid strict aliasing violations in BN_nist_mod_*().
- Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca().
No return value of X509_check_ca() indicates failure. Application
code should therefore issue a checked call to X509_check_purpose()
before calling X509_check_ca().
- Rewrite and fix X509v3_asid_subset() to avoid segfaults on some
valid input.
- Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
- Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
- Avoid use of uninitialized in ASN1_STRING_to_UTF8().
- Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
- Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
- Do not reject primes in trial divisions.
- Error out on negative shifts in BN_{r,l}shift() instead of
accessing arrays out of bounds.
- Fix URI name constraints, allow for URI's with no host part.
- Fix the legacy verifier callback behaviour for untrusted certs.
- Correct serfver-side handling of TLSv1.3 key updates.
- Plug leak in PKCS12_setup_mac().
- Plug leak in X509V3_add1_i2d().
- Only print X.509 versions we know about.
- Avoid signed integer overflow due to unary negation
- Initialize readbytes in BIO_gets().
- Plug memory leak in CMS_add_simple_smimecap().
- Plug memory leak in X509_REQ_print_ex().
- Check HMAC() return value to avoid a later use of uninitialized.
- Avoid potential NULL dereference in ssl_set_pkey().
- Check return values in ssl_print_tmp_key().
- Switch loop bounds from size_t to int in check_hosts().
- Avoid division by zero if no connection was made in s_time.c.
- Check sk_SSL_CIPHER_push() return value
- Avoid out-of-bounds read in ssl_cipher_process_rulestr().
- Use LONG_MAX as the limit for ciphers with long based APIs.
* New features
- EVP API for HKDF ported from OpenSSL and subsequently cleaned up.
- The security level API (SSL_{,CTX}_{get,set}_security_level()) is
now available. Callbacks and ex_data are not supported. Sane
software will not be using this.
- Experimental support for the BoringSSL QUIC API.
- Add initial support for TS ESSCertIDv2 verification.
- LibreSSL now uses the Baillie-PSW primality test instead of
Miller-Rabin .
3.6.1:
- Custom verification callbacks could cause the X.509 verifier to
fail to store errors resulting from leaf certificate verification.
Reported by Ilya Shipitsin.
- Unbreak ASN.1 indefinite length encoding.
Reported by Niklas Hallqvist.
- Fix endian detection on macOS
Reported by jiegec on Github
3.7.0:
* Internal improvements
- Remove dependency on system timegm() and gmtime() by replacing
traditional Julian date conversion with POSIX epoch-seconds date
conversion from BoringSSL.
- Clean old and unused BN code dealing with primes.
- Start rewriting name constraints code using CBS.
- Remove support for the HMAC PRIVATE KEY.
- Rework DSA signing and verifying internals.
- First few passes on cleaning up the BN code.
- Internal headers coming from OpenSSL are all called *_local.h now.
- Rewrite TLSv1.2 key exporter.
- Cleaned up and refactored various aspects of the legacy TLS stack.
* Compatibility changes
- BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
various corner cases. More work is needed here.
* Bug fixes
- Add EVP_chacha20_poly1305() to the list of all ciphers.
- Fix potential leaks of EVP_PKEY in various printing functions
- Fix potential leak in OBJ_NAME_add().
- Avoid signed overflow in i2c_ASN1_BIT_STRING().
- Clean up EVP_PKEY_ASN1_METHOD related tables and code.
- Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
- Fix segfaults in BN_{dec,hex}2bn().
- Fix NULL dereference in x509_constraints_uri_host() reachable only
in the process of generating certificates.
- Fixed a variety of memory corruption issues in BIO chains coming
from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
- Avoid potential divide by zero in BIO_dump_indent_cb()
* Documentation improvements
- Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
- The BN documentation is now considered to be complete.
* Testing and Proactive Security
- As always, new test coverage is added as bugs are fixed and
subsystems are cleaned up.
- Many old tests rewritten, cleaned up and extended.
* New features
- Added Ed25519 support both as a primitive and via OpenSSL's EVP
interfaces.
- X25519 is now also supported via EVP.
- The OpenSSL 1.1 raw public and private key API is available with
support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
Poly1305 is not currently supported via this interface.
|
Log message:
Update to 3.5.2. From the changelog:
- tls_signer: Replace ECDSA_METHOD with EC_KEY_METHOD
- doc: Note OpenSSL 3.0.0 compatibility in README
From the upstream LibreSSL changelog for 3.5.0:
* New Features
- The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
regression tests were added and the code was cleaned up.
- Certificate Transparency was ported from OpenSSL. Many internal
improvements were made, resulting in cleaner and safer code.
Regress coverage was added. libssl does not yet make use of it.
* Portable Improvements
- Fixed various POSIX compliance and other portability issues
found by the port to the Sortix operating system.
- Add libmd as platform specific libraries for Solaris.
Issue reported from (ihsan <at> opencsw org) on libressl ML.
- Set IA-64 compiler flag only if it is HP-UX with IA-64.
Suggested from Larkin Nickle (me <at> larbob org) by libressl ML.
- Enabled and scheduled Coverity scan.
Contributed by Ilya Shipitsin (chipitsine <at> gmail com> on github.
* Compatibility Changes
- Most structs that were previously defined in the following headers
are now opaque as they are in OpenSSL 1.1:
bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
x509.h, x509v3.h, x509_vfy.h
- Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_
OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
of using something consistent with the previous naming. Various
test suites expect these names (instead of checking for the much
more sensible cipher numbers). The old names are still accepted
as aliases.
- Subject alternative names and name constraints are now validated
when they are added to certificates. Various interoperability
problems with stacks that validate certificates more strictly
than OpenSSL can be avoided this way.
- Attempt to opportunistically use the host name for SNI in s_client
* Bug fixes
- In some situations, the verifier would discard the error on an
unvalidated certificate chain. This would happen when the
verification callback was in use, instructing the verifier to
continue unconditionally. This could lead to incorrect decisions
being made in software.
- Avoid an infinite loop in SSL_shutdown()
- Fix another return 0 bug in SSL_shutdown()
- Handle zero byte reads/writes that trigger handshakes in the
TLSv1.3 stack
- A long standing memleak in libtls CRL handling was fixed
* Internal Improvements
- Cache the SHA-512 hash instead of the SHA-1 hash and cache
notBefore and notAfter times when X.509 certificates are parsed.
- The X.509 lookup code has been simplified and cleaned up.
- Fixed numerous issues flagged by coverity and the cryptofuzz
project
- Increased the number of Miller-Rabin checks in DH and DSA
key/parameter generation
- Started using the bytestring API in libcrypto for cleaner and
safer code
- Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
ASN1
- Convert ASN1_OBJECT_new() to calloc()
- Convert ASN1_STRING_type_new() to calloc()
- Rewrite ASN1_STRING_cmp()
- Use calloc() for X509_CRL_METHOD_new() instead of malloc()
- Convert ASN1_PCTX_new() to calloc()
- Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
function
- Consolidate {d2i,i2d}_{pr,pu}.c
- Remove handling of a NULL BUF_MEM from asn1_collect()
- Pull the recursion depth check up to the top of asn1_collect()
- Inline collect_data() in asn1_collect()
- Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
- Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
- Consolidate ASN.1 universal tag type data
- Rewrite ASN.1 identifier/length parsing in CBS
- Make OBJ_obj2nid() work correctly with NID_undef
- tlsext_tick_lifetime_hint is now an uint32_t
- Untangle ssl3_get_message() return values
- Rename tls13_buffer to tls_buffer
- Fold DTLS_STATE_INTERNAL into DTLS1_STATE
- Provide a way to determine our maximum legacy version
- Mop up enc_read_ctx and read_hash
- Fold SSL_SESSION_INTERNAL into SSL_SESSION
- Use ssl_force_want_read in the DTLS code
- Add record processing limit to DTLS code
- Add explicit CBS_contains_zero_byte() check in CBS_strdup()
- Improve SNI hostname validation
- Ensure SSL_set_tlsext_host_name() is given a valid hostname
- Fix a strange check in the auto DH codepath
- Factor out/rewrite DHE key exchange
- Convert server serialisation of DHE parameters/public key to new
functions
- Check DH public key in ssl_kex_peer_public_dhe()
- Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
- Clean up and refactor server side DHE key exchange
- Provide CBS_get_last_u8()
- Provide CBS_get_u64()
- Provide CBS_add_u64()
- Provide various CBS_peek_* functions
- Use CBS_get_last_u8() to find the content type in TLSv1.3 records
- unifdef TLS13_USE_LEGACY_CLIENT_AUTH
- Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
- Only allow zero length key shares when we know we're doing HRR
- Pull key share group/length CBB code up from
tls13_key_share_public()
- Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
validation
- Return 0 on failure from send/get kex functions in the legacy
stack
- Rename tls13_key_share to tls_key_share
- Allocate and free the EVP_AEAD_CTX struct in
tls13_record_protection
- Convert legacy TLS client to tls_key_share
- Convert legacy TLS server to tls_key_share
- Stop attempting to duplicate the public and private key of dh_tmp
- Rename dh_tmp to dhe_params
- Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
- Clean up pkey handling in ssl3_get_server_key_exchange()
- Fix GOST skip certificate verify handling
- Simplify tlsext_keyshare_server_parse()
- Plumb decode errors through key share parsing code
- Simplify SSL_get_peer_certificate()
- Cleanup/simplify ssl_cert_type()
- The S3I macro was removed
- The openssl(1) cms and smime subcommands option handling was
converted and the C source was cleaned up.
* Documentation improvements
- 45 new manual pages, most of which were written from scratch.
Documentation coverage of ASN.1 and X.509 code has been
significantly improved.
Upstream 3.5.1 changelog:
* A malicious certificate can cause an infinite loop.
Reported by and fix from Tavis Ormandy and David Benjamin, Google.
Upstream 3.5.2 changelog:
This is the first stable release for the 3.5.x branch, as shipped with
OpenBSD 7.1.
|