OpenBSD Journal

LibreSSL 3.7.1 Released

Contributed by Peter N. M. Hansteen on from the libretto warmup dept.

With a message to openbsd-announce and other lists, Brent Cook (bcook@) announced the release of LibreSSL 3.7.1, with numerous improvements.

It is worth noting that this is the final version to be released before the upcoming OpenBSD 7.3 release.

The announcement reads,

Subject:    LibreSSL 3.7.1 Released
From:       Brent Cook <busterb () gmail ! com>

We have released LibreSSL 3.7.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the final
development release for the 3.7.x branch, and we appreciate additional testing
and feedback before the stable release coming soon with OpenBSD 7.3

It includes the following changes:

 * Internal improvements
   - Initial overhaul of the BIGNUM code:
     - Added a new framework that allows architecture-dependent
       replacement implementations for bignum primitives.
     - Imported various s2n-bignum's constant time assembly primitives
       and switched amd64 to them.
     - Lots of cleanup, simplification and bug fixes.
   - Changed Perl assembly generators to move constants into .rodata,
     allowing code to run with execute-only permissions.
   - Capped the number of iterations in DSA and ECDSA signing (avoiding
     infinite loops), added additional sanity checks to DSA.
   - ASN.1 parsing improvements.
   - Made UI_destroy_method() NULL safe.
   - Various improvements to nc(1).
   - Always clear EC groups and points on free.
   - Cleanup and improvements in EC code.
   - Various openssl(1) improvements.
 * Bug fixes
   - Fixed a memory leak, a double free and various other issues in
     BIO_new_NDEF().
   - Fixed various crashes in the openssl(1) testing utility.
   - Do not check policies by default in the new X.509 verifier.
   - Avoid crash with ASN.1 BOOLEANS in openssl(1) asn1parse.
   - Added missing error checking in PKCS7.
   - Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
 * Compatibility changes
   - Correct the prototypes of BIO_get_conn_ip(3) and
     BIO_get_conn_int_port(3).
 * New features
   - Added UI_null()
   - Added X509_STORE_*check_issued()
   - Added X509_CRL_get0_sigalg() and X509_get0_uids() accessors.
   - Added EVP_CIPHER_meth_*() setter API.
 * Documentation improvements
   - Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
     BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
   - Merged documentation of UI_null() from OpenSSL 1.1
   - Document UI_null()(3), BIO_number_written(3),
     BIO_set_retry_read(3), BIO_set_retry_write(3),
     BIO_set_retry_special(3), BIO_clear_retry_flags(3),
     BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3),
     BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3), 
     BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3),
     BIO_callback_fn(3), and the BIO_FLAGS_* constants
   - Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
   - Document EVP_PKEY_new_raw_private_key(3),
     EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and
     EVP_PKEY_get_raw_public_key(3).
   - Document ASN1_buf_print(3).
   - Document {ECDSA_SIG_get0_r,s}().
   - Document DH_get0_* for individual DH members.
   - Document DSA_get0_* for individual DSA members
   - Document RSA_get0_* for individual RSA members.
   - Various spelling and other documentation improvements.
 * Testing and Proactive Security
   - As always, new test coverage is added as bugs are fixed and subsystems
     are cleaned up.
   - New Wycheproof tests added.
   - OpenSSL 3.0 Interop tests added.
   - Many old tests rewritten, cleaned up and extended.
 * Security fixes
   - A malicious certificate revocation list or timestamp response token
     would allow an attacker to read arbitrary memory.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

(Comments are closed)


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]