BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 2.5.1, 2.4.5, and 2.3.10 released

We have released LibreSSL 2.5.1 along with stable versions 2.4.5 and
2.3.10. These will be arriving in the LibreSSL directory of your local
OpenBSD mirror soon.

All of the releases contain the following updates:

    * Avoid a side-channel cache-timing attack that can leak ECDSA
      private keys when signing. This is due to BN_mod_inverse() being
      used without the constant time flag (BN_FLG_CONSTTIME) being set.
      Reported by Cesar Pereida Garcia and Billy Brumley (Tampere
      University of Technology). The fix was developed by Cesar Pereida
      Garcia.

    * iOS and MacOS compatibility updates from Simone Basso and Jacob
      Berkman.

LibreSSL 2.5.1 contains these additional features and improvements:

    * X509_cmp_time() now treats a malformed GeneralizedTime field as an
      error. Reported by Theofilos Petsios.

    * Detect zero-length encrypted session data early, instead of when
      malloc(0) fails or the HMAC check fails. Noted independently by
      jsing@ and Kurt Cancemi.

    * Check for and handle failure of HMAC_{Update,Final} or
      EVP_DecryptUpdate().

    * Massive update and normalization of manpages, conversion to
      mandoc format. Many pages were rewritten for clarity and accuracy.
      Portable doc links are up-to-date with a new conversion tool.

    * Curve25519 Key Exchange support.

    * Support for alternate chains for certificate verification.

    * Code cleanups, CBB conversions, further unification of DTLS/SSL
      handshake code, further ASN1 macro expansion and removal.

    * Private symbols are now hidden in libssl and libcrypto.

    * Friendly certificate verification error messages in libtls; peer
      verification is now always enabled.

    * Added OCSP stapling support to libtls and netcat.

    * Added ocspcheck utility to validate a certificate against its OCSP
      responder and save the reply for stapling.

    * Enhanced regression tests and error handling for libtls.

    * Added explicit constant and non-constant time BN functions,
      defaulting to constant time wherever possible.

    * Moved many leaked implementation details in public structs behind
      opaque pointers.

    * Added ticket support to libtls.

    * Added support for setting the supported EC curves via
      SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
      SSL{_CTX}_set1_curves{_list} names. This also changes the default
      list of curves to be X25519, P-256 and P-384. All other curves must
      be manually enabled.

    * Added -groups option to openssl(1) s_client for specifying the curves
      to be used in a colon-separated list.

    * Merged client/server version negotiation code paths into one,
      reducing much duplicate code.

    * Removed error function codes from libssl and libcrypto.

    * Fixed an issue where a truncated packet could cause a crash via an
      out-of-bounds (OOB) read.

    * Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
      client-initiated renegotiation. This is the default for libtls
      servers.

    * Added BN_gcd_nonct, based on BN_mod_inverse_no_branch,
      as suggested by Alejandro Cabrera, to avoid the possibility of a
      side-channel timing attack during RSA private key generation.
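
The ECDSA fix and the explicit constant-time BN functions above both come
down to one rule: a modular inverse of a secret (the ECDSA nonce k in
s = k^-1 (z + r*d) mod n) must not take a code path whose timing depends
on that secret. The following is an added example written for this page,
not LibreSSL code: it contrasts a variable-time extended-Euclid inverse
(the shape of BN_mod_inverse() without BN_FLG_CONSTTIME) with a
constant-time Fermat inverse, using a toy 32-bit prime modulus so it
builds with no libcrypto dependency. Step counts stand in for the timing
an attacker would measure. The sample inputs are constructed.

```c
/*
 * Added example (not LibreSSL code): variable-time vs constant-time
 * modular inverse of a secret, using plain uint64_t arithmetic.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Toy prime modulus standing in for the ECDSA curve order n.
 * 2^32 - 5 is prime, and a product of two residues fits in uint64_t. */
#define TOY_N 4294967291ULL

static uint64_t mulmod(uint64_t a, uint64_t b)
{
	return (a * b) % TOY_N;
}

/*
 * Variable-time inverse: classic extended Euclid. The loop count and the
 * branch/division pattern depend on the secret input a. With a = k (the
 * ECDSA nonce), a cache-timing observer learns bits of k, and enough leaky
 * signatures give up the private key. Returns 0 if a is not invertible;
 * *steps receives the iteration count when non-NULL.
 */
uint64_t inv_vartime(uint64_t a, unsigned *steps)
{
	int64_t t = 0, new_t = 1;
	uint64_t r = TOY_N, new_r = a % TOY_N;
	unsigned n = 0;

	while (new_r != 0) {
		uint64_t q = r / new_r;
		int64_t tmp_t = t - (int64_t)q * new_t;
		uint64_t tmp_r = r - q * new_r;
		t = new_t; new_t = tmp_t;
		r = new_r; new_r = tmp_r;
		n++;
	}
	if (steps != NULL)
		*steps = n;
	if (r != 1)
		return 0;
	if (t < 0)
		t += (int64_t)TOY_N;
	return (uint64_t)t;
}

/* Branch-free select: returns b if mask is all ones, a if mask is zero. */
static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b)
{
	return a ^ ((a ^ b) & mask);
}

/*
 * Constant-time inverse via Fermat: a^(n-2) mod n. Always exactly 32
 * squarings and 32 multiply-and-select steps; no loop bound or branch
 * depends on a. The exponent n-2 is public, so a branch on its bits would
 * be acceptable; the mask select is shown because it is the idiom needed
 * when the exponent itself is secret (as in scalar multiplication by k).
 * The "%" reduction is a toy shortcut; production code uses Montgomery
 * or Barrett reduction so the arithmetic itself has no data-dependent
 * timing.
 */
uint64_t inv_consttime(uint64_t a, unsigned *steps)
{
	const uint64_t e = TOY_N - 2;
	uint64_t result = 1, base = a % TOY_N;
	unsigned n = 0;
	int i;

	for (i = 31; i >= 0; i--) {
		uint64_t prod, mask;

		result = mulmod(result, result);
		prod = mulmod(result, base);
		mask = 0 - ((e >> i) & 1);	/* all ones iff bit i of e set */
		result = ct_select(mask, result, prod);
		n++;
	}
	if (steps != NULL)
		*steps = n;
	return result;
}

/* Step counts as a stand-in for a timing measurement. */
unsigned vartime_steps(uint64_t a)
{
	unsigned s;
	inv_vartime(a, &s);
	return s;
}

unsigned consttime_steps(uint64_t a)
{
	unsigned s;
	inv_consttime(a, &s);
	return s;
}

int main(void)
{
	/* Constructed sample "nonces"; in ECDSA these would be secret. */
	uint64_t samples[] = { 2, 3, 12345, 987654321, TOY_N - 1 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t a = samples[i];
		printf("a=%" PRIu64 ": euclid steps=%u  fermat steps=%u  "
		    "agree=%d  a*inv mod n=%" PRIu64 "\n",
		    a, vartime_steps(a), consttime_steps(a),
		    inv_vartime(a, NULL) == inv_consttime(a, NULL),
		    mulmod(a, inv_consttime(a, NULL)));
	}
	return 0;
}
```

Running it shows the Euclid step count changing from input to input while
the Fermat count stays fixed at 32; that input-dependent count is the
signal the reported attack recovers through the cache, and it is what the
constant-time flag and the new explicitly constant-time BN functions are
there to remove.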

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.