BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 3.9.0 released

We have released LibreSSL 3.9.0, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon. This is a development release for
the 3.9.x branch, so we appreciate early testing and feedback.

It includes the following changes:

  * Portable changes
    - libcrypto no longer exports compat symbols in cmake builds.
    - Most compatibility symbols are prefixed with libressl_ to avoid
      symbol clashes in static links.
    - Fixed various warnings on Windows.
    - Removed assert pop-ups with Windows debug builds.
    - Fixed crashes and hangs in Windows ARM64 builds.
    - Improved control-flow enforcement (CET) support.
  * Internal improvements
    - Converted uses of OBJ_bsearch_() to standard bsearch().
    - Greatly simplified by_file_ctrl().
    - Simplified and cleaned up the OBJ_ API.
    - Cleaned up the EVP_Cipher{Init,Update,Final}() implementations.
    - Removed unused function pointers from X.509 stores and contexts.
    - A lot of cleanup and reorganization in EVP.
    - Removed all remaining ENGINE tentacles.
    - Simplified internals of X509_TRUST handling.
    - Made deletion from a lhash doall callback safe.
    - Rewrote BIO_dump*(3) internals to be less bad.
  * Documentation improvements
    - ENGINE documentation was updated to reflect reality.
    - Made EVP API documentation more accurate and less incoherent. 
    - Call out some shortcomings of the EC_KEY_set_* API explicitly.
  * Testing and proactive security
    - Bug fixes and simplifications in the Wycheproof tests.
  * Compatibility changes
    - Added ChaCha20 and chacha20 aliases for ChaCha.
    - SSL_library_init() now has the same effect as OPENSSL_init_ssl().
    - EVP_add_{cipher,digest}() were removed. From the OBJ_NAME API,
      only OBJ_NAME_do_all*() remain. In particular, it is no longer
      possible to add aliases for ciphers and digests.
    - The thread unsafe global tables are no longer supported. It is no
      longer possible to add aliases for ciphers and digests, custom ASN.1
      strings table entries, ASN.1 methods, PKEY methods, digest methods,
      CRL methods, purpose and trust identifiers, or X.509 extensions.
    - Removed the _cb() and _fp() versions of BIO_dump{,_indent}().
    - BIO_set() was removed.
    - BIO_{sn,v,vsn}printf() were removed.
    - Turn the long dysfunctional openssl(1) s_client -pause into a noop.
    - openssl(1) x509 now supports -new -force_pubkey, -multivalue-rdn,
      -set_issuer, -set_subject, and -utf8.
    - Support ECDSA with SHA-3 signature algorithms.
    - Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
    - GOST and STREEBOG support was removed.
    - CRYPTO_THREADID, _LHASH, _STACK, X509_PURPOSE are now opaque,
      X509_CERT_AUX and X509_TRUST were removed from the public API.
    - ASN1_STRING_TABLE_get() and X509_PURPOSE_get0*() now return const
      pointers.
    - EVP_{CIPHER,MD}_CTX_init()'s signatures and semantics now match
      OpenSSL's behavior.
    - sk_find_ex() and OBJ_bsearch_() were removed.
    - CRYPTO_malloc() was fixed to use size_t argument.  CRYPTO_malloc()
      and CRYPTO_free() now accept file and line arguments.
    - A lot of decrepit CRYPTO memory API was removed.
  * Bug fixes
    - Fixed aliasing issues in BN_mod_exp_simple() and BN_mod_exp_recp().
    - Fixed numerous misuses of X509_ALGOR_set0() resulting in leaks and
      potentially incorrect encodings.
    - Fixed potential double free in X509v3_asid_add_id_or_range().
    - Stopped using ASN1_time_parse() outside of libcrypto.
    - Prepared OPENSSL_gmtime() and OPENSSL_timegm() as public API
      wrappers of internal functions compatible with BoringSSL API.
    - Removed print_bin() to avoid overwriting the stack with 5 bytes
      of ' ' when ECPK parameters are printed with large indentation.
    - Avoid a NULL dereference after memory allocation failure during TLS
      version downgrade.
    - Fixed various bugs in CMAC internals.
    - Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
    - Fixed various NULL dereferences in PKCS #12 code due to mishandling
      of OPTIONAL content in PKCS #7 ContentInfo.
    - Aligned SSL_shutdown() behavior in TLSv1.3 with the legacy stack.
    - Fixed the new X.509 verifier to find trust anchors in the trusted
      stack.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.