LibreSSL 4.0.0 Released
15 October, 2024 by busterb@gmail.com | openbsd
We have released LibreSSL 4.0.0, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release for the 4.0.x branch, also available with OpenBSD 7.6 It includes the following change from LibreSSL 3.9.2: * Portable changes - Added initial Emscripten support in CMake builds. - Removed timegm() compatibility layer since all uses were replaced with OPENSSL_timegm(). Cleaned up the corresponding test harness. - The mips32 platform is no longer actively supported. - Fixed Windows support for dates beyond 2038. * Internal improvements - Cleaned up parts of the conf directory. Simplified some logic, fixed memory leaks. - Simplified X509_check_trust() internals to be somewhat readable. - Removed last internal uses of gmtime() and timegm() and replaced them with BoringSSL's posix time conversion API. - Removed unnecessary stat calls in by_dir. - Split parsing and processing of TLS extensions to ensure that extension callbacks are called in a predefined order. - Cleaned up the MD4 and MD5 implementations. - Assembly functions are no longer exposed in the public API, they are all wrapped by C functions. - Removed assembly implementations of legacy ciphers on legacy architectures. - Merged most multi-file implementations of ciphers into one or two C files. - Removed the cache of certificate validity. This was added for performance reasons which no longer apply since BoringSSL's time conversion API isn't slow. Also, a recently added error check led to obscure, undesirable validation failures. - Stopped calling OPENSSL_cpuid_setup() from the .init section on amd64 and i386. - Rewrote various BN conversion functions. - Improved certification request internals. - Removed unused DSA methods. - Improved X.509v3 extension internals. Fixed various bugs and leaks in X509V3_add1_i2d() and X509V3_get_d2i(). Their implementations now vaguely resemble code. - Rewrote BN_bn2mpi() using CBB. - Made most error string tables const. - Removed handling for SSLv2 client hello messages. - Improvements in the openssl(1) speed app's signal handler. - Cleaned up various X509v3_* extension API. - Unified the X.509v3 extension methods. - Cleaned up cipher handling in SSL_SESSION. - Removed get_cipher from SSL_METHOD. - Rewrote CRYPTO_EX_DATA from scratch. The only intentional change of behavior is that there is now a hard limit on the number of indexes that can be allocated. - Removed bogus connect() call from netcat. - Uses of atoi() and strtol() in libcrypto were replaced with strtonum(). - Introduced crypto_arch.h which will contain the architecture dependent code and defines rather than the public opensslconf.h. - OPENSSL_cpu_caps() is now architecture independent. - Reorganized the DES implementation to use fewer files and removed optimizations for ancient processors and compilers. * New features - Added CRLfile option to the cms command of openssl(1) to specify additional CRLs for use during verification. * Documentation improvements - Removed documentation of no longer existing API. - Unified the description of the obsolete ENGINE parameter that needs to remain in many functions and should always be NULL. * Testing and proactive security - Switched the remaining tests to new certs. * Compatibility changes - Protocol parsing in libtls was changed. The unsupported TLSv1.1 and TLSv1.0 protocols are ignored and no longer enable or disable TLSv1.2 in surprising ways. - The dangerous EVP_PKEY*_check(3) family of functions was removed. The openssl(1) pkey and pkeyparam commands no longer support the -check and -pubcheck flags. - The one-step hashing functions, MD4(), MD5(), RIPEMD160(), SHA1(), all SHA-2, and HMAC() no longer support returning a static buffer. Callers must pass in a correctly sized buffer. - Support for Whirlpool was removed. Applications still using this should honor OPENSSL_NO_WHIRLPOOL. - Removed workaround for F5 middle boxes. - Removed the useless pem2.h, a public header that was added since it was too hard to add a single prototype to one file. - Removed conf_api.h and the public API therein. - Removed ssl2.h, ssl23.h and ui_compat.h. - Numerous conf and attribute functions were removed. Some unused types were removed, others were made opaque. - Removed the deprecated HMAC_Init() function. - Removed OPENSSL_load_builtin_modules(). - Removed X509_REQ_{get,set}_extension_nids(). - X509_check_trust() and was removed, X509_VAL was made opaque. - Only specified versions can be set on certs, CRLs and CSRs. - Removed unused PEM_USER and PEM_CTX types from pem.h. - Removed typdefs for COMP_CTX, COMP_METHOD, X509_CRL_METHOD, STORE, STORE_METHOD, and SSL_AEAD_CTX. - i2d_ASN1_OBJECT() now returns -1 on error like most other i2d_*. - SPKAC support was removed from openssl(1). - Added TLS1-PRF support to the EVP interface. - Support for attributes in EVP_PKEYs was removed. - The X509at_* API is no longer public. - SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest() were added to libssl. - The completely broken UI_UTIL password API was removed. - The OpenSSL pkcs12 command and PKCS12_create() no longer support setting the Microsoft-specific Local Key Set and Cryptographic Service Provider attributes. * Bug fixes - Made ASN1_TIME_set_string() and ASN1_TIME_set_string_X509() match their documentation. They always set an RFC 5280 conformant time. - Improved standards compliance for supported groups and key shares extensions: - Duplicate key shares are disallowed. - Duplicate supported groups are disallowed. - Key shares must be sent in the order of supported groups. - Key shares will only be selected if they match the most preferred supported group by client preference order. - Fixed signed integer overflow in bnrand(). - Prevent negative zero from being created via BN_clear_bit() and BN_mask_bits(). Avoids a one byte overread in BN_bn2mpi(). - Add guard to avoid contracting the number linear hash buckets to zero, which could lead to a crash due to accessing a zero sized allocation. - Fixed i2d_ASN1_OBJECT() with an output buffer pointing to NULL. - Implemented RSA key exchange in constant time. This is done by decrypting with RSA_NO_PADDING and checking the padding in libssl in constant time. This is possible because the pre-master secret is of known length based on the size of the RSA key. - Rewrote SSL_select_next_proto() using CBS, also fixing a buffer overread that wasn't reachable when used as intended from an ALPN callback. - Avoid pushing a spurious error onto the error stack in ssl_sigalg_select(). - Made fatal alerts fatal in QUIC. The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.