===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/75.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- www/75.html 2024/03/03 20:55:54 1.2
+++ www/75.html 2024/03/09 17:50:13 1.3
@@ -230,39 +230,108 @@
...
-LibreSSL version 3.8.x
+LibreSSL version 3.9.0
- - Security fixes
+
- Portable changes
- - ...
+
- libcrypto no longer exports compat symbols in cmake builds.
+
- Most compatibility symbols are prefixed with
libressl_
+ to avoid symbol clashes in static links.
+ - Fixed various warnings on Windows.
+
- Removed assert pop-ups with Windows debug builds.
+
- Fixed crashes and hangs in Windows ARM64 builds.
+
- Improved control-flow enforcement (CET) support.
- - Portable changes
+
- Internal improvements
- - ...
+
- Converted uses of
OBJ_bsearch_()
to standard
+ bsearch(3).
+ - Greatly simplified
by_file_ctrl()
.
+ - Simplified and cleaned up the OBJ_ API.
+
- Cleaned up the EVP_Cipher{Init,Update,Final}(3) implementations.
+
- Removed unused function pointers from X.509 stores and contexts.
+
- A lot of cleanup and reorganization in EVP.
+
- Removed all remaining
ENGINE
tentacles.
+ - Simplified internals of
X509_TRUST
handling.
+ - Made deletion from a lhash
+ doall callback safe.
+
- Rewrote BIO_dump*(3) internals
+ to be less bad.
- - New features
+
- Documentation improvements
- - ...
+
ENGINE
documentation was updated to reflect reality.
+ - Made EVP API documentation more accurate and less incoherent.
+
- Call out some shortcomings of the
EC_KEY_set_*
API explicitly.
- - Compatibility changes
+
- Testing and proactive security
- - ...
+
- Bug fixes and simplifications in the Wycheproof tests.
- - Internal improvements
+
- Compatibility changes
- - ...
+
- Added ChaCha20 and chacha20 aliases for ChaCha.
+
- SSL_library_init(3)
+ now has the same effect as OPENSSL_init_ssl().
+
EVP_add_{cipher,digest}()
were removed. From the OBJ_NAME
API,
+ only OBJ_NAME_do_all*() remain.
+ In particular, it is no longer possible to add aliases for ciphers and digests.
+ - The thread unsafe global tables are no longer supported. It is no
+ longer possible to add aliases for ciphers and digests, custom ASN.1
+ strings table entries, ASN.1 methods, PKEY methods, digest methods,
+ CRL methods, purpose and trust identifiers, or X.509 extensions.
+
- Removed the _cb() and _fp() versions of
+ BIO_dump{,_indent}().
+
BIO_set()
was removed.
+ BIO_{sn,v,vsn}printf()
were removed.
+ - Turn the long dysfunctional
+ openssl(1)
+
s_client -pause
into a noop.
+ - openssl(1)
x509
+ now supports -new
, -force_pubkey
, -multivalue-rdn
,
+ -set_issuer
-set_subject
, and -utf8
.
+ - Support ECDSA with SHA-3 signature algorithms.
+
- Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
+
- GOST and STREEBOG support was removed.
+
CRYPTO_THREADID
, _LHASH
, _STACK
and
+ X509_PURPOSE
are now opaque, X509_CERT_AUX
and
+ X509_TRUST
were removed from the public API.
+ - ASN1_STRING_TABLE_get(3)
+ and X509_PURPOSE_get0*(3) now
+ return const pointers.
+
EVP_{CIPHER,MD}_CTX_init()
's signatures and semantics now match
+ OpenSSL's behavior.
+ sk_find_ex()
and OBJ_bsearch_()
were removed.
+ - CRYPTO_malloc(3) was fixed to use
+
size_t
argument. CRYPTO_malloc()
+ and CRYPTO_free()
now accept file and line arguments.
+ - A lot of decrepit CRYPTO memory API was removed.
- Bug fixes
-
- Documentation improvements
-
-
- Testing and Proactive Security
-
- - ...
+
- Fixed aliasing issues in
BN_mod_exp_simple()
and BN_mod_exp_recp()
.
+ - Fixed numerous misuses of
+ X509_ALGOR_set0(3)
+ resulting in leaks and potentially incorrect encodings.
+
- Fixed potential double free in
+ X509v3_asid_add_id_or_range(3).
+
- Stopped using
ASN1_time_parse()
outside of libcrypto.
+ - Prepared OPENSSL_gmtime(3) and
+ OPENSSL_timegm(3) as public API
+ wrappers of internal functions compatible with BoringSSL API.
+
- Removed
print_bin()
to avoid overwriting the stack with 5 bytes
+ of " "
when ECPK parameters are printed with large
+ indentation.
+ - Avoid a
NULL
dereference after memory allocation failure during TLS
+ version downgrade.
+ - Fixed various bugs in CMAC internals.
+
- Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
+
- Fixed various NULL dereferences in PKCS #12 code due to mishandling
+ of OPTIONAL content in PKCS #7 ContentInfo.
+
- Aligned SSL_shutdown(3)
+ behavior in TLSv1.3 with the legacy stack.
+
- Fixed the new X.509 verifier to find trust anchors in the trusted
+ stack.
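Review bot: The placeholder "Security fixes" heading at the top of the LibreSSL list is removed and not replaced, while the "Bug fixes" list at the end of this hunk carries memory-safety items: "Fixed potential double free in X509v3_asid_add_id_or_range(3)", "Fixed 4-byte overreads in GHASH assembly on amd64 and i386", and the print_bin() removal "to avoid overwriting the stack with 5 bytes". If any of these is considered security-relevant, keep the heading and list it there so that readers scanning the release notes for security changes find it. Two smaller points under "Compatibility changes": the statement "it is no longer possible to add aliases for ciphers and digests" appears in two consecutive items (once after the EVP_add_{cipher,digest}() removal, again in the thread unsafe global tables item), so the first occurrence can be dropped; and in the openssl(1) x509 option list a comma looks to be missing between -set_issuer and -set_subject. Also, "Stopped using ASN1_time_parse() outside of libcrypto" and "Prepared OPENSSL_gmtime(3) and OPENSSL_timegm(3) as public API wrappers" read as internal or API changes rather than bug fixes and may fit better under "Internal improvements" or "Compatibility changes".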