version 1.2, 2024/03/03 20:55:54 |
version 1.3, 2024/03/09 17:50:13 |
|
|
<li>... |
<li>... |
</ul> |
</ul> |
|
|
<li>LibreSSL version 3.8.x |
<li>LibreSSL version 3.9.0 |
<ul> |
<ul> |
<li>Security fixes |
<li>Portable changes |
<ul> |
<ul> |
<li>... |
<li>libcrypto no longer exports compat symbols in cmake builds. |
|
<li>Most compatibility symbols are prefixed with <code>libressl_</code> |
|
to avoid symbol clashes in static links. |
|
<li>Fixed various warnings on Windows. |
|
<li>Removed assert pop-ups with Windows debug builds. |
|
<li>Fixed crashes and hangs in Windows ARM64 builds. |
|
<li>Improved control-flow enforcement (CET) support. |
</ul> |
</ul> |
<li>Portable changes |
<li>Internal improvements |
<ul> |
<ul> |
<li>... |
<li>Converted uses of <code>OBJ_bsearch_()</code> to standard |
|
<a href="https://man.openbsd.org/bsearch">bsearch(3)</a>. |
|
<li>Greatly simplified <code>by_file_ctrl()</code>. |
|
<li>Simplified and cleaned up the OBJ_ API. |
|
<li>Cleaned up the <a href="https://man.openbsd.org/EVP_CipherInit">EVP_Cipher{Init,Update,Final}(3)</a> implementations. |
|
<li>Removed unused function pointers from X.509 stores and contexts. |
|
<li>A lot of cleanup and reorganization in EVP. |
|
<li>Removed all remaining <code>ENGINE</code> tentacles. |
|
<li>Simplified internals of <code>X509_TRUST</code> handling. |
|
<li>Made deletion from a <a href="https://man.openbsd.org/lh_delete">lhash</a> |
|
doall callback safe. |
|
<li>Rewrote <a href="https://man.openbsd.org/BIO_dump">BIO_dump*(3)</a> internals |
|
to be less bad. |
</ul> |
</ul> |
<li>New features |
<li>Documentation improvements |
<ul> |
<ul> |
<li>... |
<li><code>ENGINE</code> documentation was updated to reflect reality. |
|
<li>Made EVP API documentation more accurate and less incoherent. |
|
<li>Call out some shortcomings of the <code>EC_KEY_set_*</code> API explicitly. |
</ul> |
</ul> |
<li>Compatibility changes |
<li>Testing and proactive security |
<ul> |
<ul> |
<li>... |
<li>Bug fixes and simplifications in the Wycheproof tests. |
</ul> |
</ul> |
<li>Internal improvements |
<li>Compatibility changes |
<ul> |
<ul> |
<li>... |
<li>Added ChaCha20 and chacha20 aliases for ChaCha. |
|
<li><a href="https://man.openbsd.org/SSL_library_init">SSL_library_init(3)</a> |
|
now has the same effect as OPENSSL_init_ssl(). |
|
<li><code>EVP_add_{cipher,digest}()</code> were removed. From the <code>OBJ_NAME</code> API, |
|
only <a href="https://man.openbsd.org/OBJ_NAME_do_all">OBJ_NAME_do_all*()</a> remain. |
|
In particular, it is no longer possible to add aliases for ciphers and digests. |
|
<li>The thread unsafe global tables are no longer supported. It is no |
|
longer possible to add aliases for ciphers and digests, custom ASN.1 |
|
strings table entries, ASN.1 methods, PKEY methods, digest methods, |
|
CRL methods, purpose and trust identifiers, or X.509 extensions. |
|
<li>Removed the _cb() and _fp() versions of |
|
<a href="https://man.openbsd.org/BIO_dump">BIO_dump{,_indent}()</a>. |
|
<li><code>BIO_set()</code> was removed. |
|
<li><code>BIO_{sn,v,vsn}printf()</code> were removed. |
|
<li>Turn the long dysfunctional |
|
<a href="https://man.openbsd.org/openssl(1)">openssl(1)</a> |
|
<code>s_client -pause</code> into a noop. |
|
<li><a href="https://man.openbsd.org/openssl(1)">openssl(1)</a> <code>x509</code> |
|
now supports <code>-new</code>, <code>-force_pubkey</code>, <code>-multivalue-rdn</code>, |
|
<code>-set_issuer</code> <code>-set_subject</code>, and <code>-utf8</code>. |
|
<li>Support ECDSA with SHA-3 signature algorithms. |
|
<li>Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF. |
|
<li>GOST and STREEBOG support was removed. |
|
<li><code>CRYPTO_THREADID</code>, <code>_LHASH</code>, <code>_STACK</code> and |
|
<code>X509_PURPOSE</code> are now opaque, <code>X509_CERT_AUX</code> and |
|
<code>X509_TRUST</code> were removed from the public API. |
|
<li><a href="https://man.openbsd.org/ASN1_STRING_TABLE_get()">ASN1_STRING_TABLE_get(3)</a> |
|
and <a href="https://man.openbsd.org/X509_PURPOSE_get0">X509_PURPOSE_get0*(3)</a> now |
|
return const pointers. |
|
<li><code>EVP_{CIPHER,MD}_CTX_init()</code>'s signatures and semantics now match |
|
OpenSSL's behavior. |
|
<li><code>sk_find_ex()</code> and <code>OBJ_bsearch_()</code> were removed. |
|
<li><a href="https://man.openbsd.org/CRYPTO_malloc">CRYPTO_malloc(3)</a> was fixed to use |
|
<code>size_t</code> argument. <code>CRYPTO_malloc()</code> |
|
and <code>CRYPTO_free()</code> now accept file and line arguments. |
|
<li>A lot of decrepit CRYPTO memory API was removed. |
</ul> |
</ul> |
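Review bot: In the Compatibility changes list, the statement that aliases for ciphers and digests can no longer be added appears twice, once at the end of the EVP_add_{cipher,digest}() item and again in the following item on the thread unsafe global tables. Keep it in one place. Because the first item of the same list announces new ChaCha20 and chacha20 aliases, word the removal so it clearly refers to adding aliases through the API. In the x509 item a comma is missing between -set_issuer and -set_subject. "Turn the long dysfunctional ... into a noop" is imperative where the neighbouring items are past tense. The href for ASN1_STRING_TABLE_get(3) ends in "()" while the X509_PURPOSE_get0 link next to it does not, so check that it resolves.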
<li>Bug fixes |
<li>Bug fixes |
<ul> |
<ul> |
<li>... |
<li>Fixed aliasing issues in <code>BN_mod_exp_simple()</code> and <code>BN_mod_exp_recp()</code>. |
</ul> |
<li>Fixed numerous misuses of |
<li>Documentation improvements |
<a href="https://man.openbsd.org/X509_ALGOR_set0">X509_ALGOR_set0(3)</a> |
<ul> |
resulting in leaks and potentially incorrect encodings. |
<li>... |
<li>Fixed potential double free in |
</ul> |
<a href="https://man.openbsd.org/X509v3_asid_add_id_or_range">X509v3_asid_add_id_or_range(3)</a>. |
<li>Testing and Proactive Security |
<li>Stopped using <code>ASN1_time_parse()</code> outside of libcrypto. |
<ul> |
<li>Prepared <a href="https://man.openbsd.org/OPENSSL_gmtime">OPENSSL_gmtime(3)</a> and |
<li>... |
<a href="https://man.openbsd.org/OPENSSL_timegm">OPENSSL_timegm(3)</a> as public API |
|
wrappers of internal functions compatible with BoringSSL API. |
|
<li>Removed <code>print_bin()</code> to avoid overwriting the stack with 5 bytes |
|
of <code>" "</code> when ECPK parameters are printed with large |
|
indentation. |
|
<li>Avoid a <code>NULL</code> dereference after memory allocation failure during TLS |
|
version downgrade. |
|
<li>Fixed various bugs in CMAC internals. |
|
<li>Fixed 4-byte overreads in GHASH assembly on amd64 and i386. |
|
<li>Fixed various NULL dereferences in PKCS #12 code due to mishandling |
|
of OPTIONAL content in PKCS #7 ContentInfo. |
|
<li>Aligned <a href="https://man.openbsd.org/SSL_shutdown">SSL_shutdown(3)</a> |
|
behavior in TLSv1.3 with the legacy stack. |
|
<li>Fixed the new X.509 verifier to find trust anchors in the trusted |
|
stack. |
</ul> |
</ul> |
</ul> |
</ul> |
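Review bot: The Bug fixes list carries several memory-safety items (the stack overwrite in print_bin(), the potential double free in X509v3_asid_add_id_or_range(3), the 4-byte overreads in GHASH assembly, the NULL dereferences), while the 3.9.0 entry drops the "Security fixes" heading that the 3.8.x template had. If any of these is considered security relevant, say so in the item or restore that heading, so that readers triaging the upgrade do not have to guess. In the print_bin() item, the literal inside the code element renders as a single space in a browser, so spelling it out in words would be clearer. "Avoid a NULL dereference ..." is imperative where the rest of the list uses "Fixed ...", and NULL is wrapped in a code element there but left plain in the PKCS #12 item.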
|
|