OpenBSD Journal

LibreSSL 3.7.0 Released

Contributed by Peter N. M. Hansteen on from the TLSd & ready to go! Now with more Ed25519, better than ED-209 dept.

A new development release of LibreSSL is out, and should be arriving on a mirror near you shortly.

Brent Cook (bcook@)'s announcement reads,

We have released LibreSSL 3.7.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is a
development release from the 3.7.x branch, which will eventually ship
with OpenBSD 7.3.

It includes the following changes:

  * Internal improvements
    - Remove dependency on system timegm() and gmtime() by replacing
      traditional Julian date conversion with POSIX epoch-seconds date
      conversion from BoringSSL.
    - Clean old and unused BN code dealing with primes.
    - Start rewriting name constraints code using CBS.
    - Remove support for the HMAC PRIVATE KEY.
    - Rework DSA signing and verifying internals.
    - First few passes on cleaning up the BN code.
    - Internal headers coming from OpenSSL are all called *_local.h now.
    - Rewrite TLSv1.2 key exporter.
    - Cleaned up and refactored various aspects of the legacy TLS stack.
  * Compatibility changes
    - BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
      various corner cases. More work is needed here.
  * Bug fixes
    - Add EVP_chacha20_poly1305() to the list of all ciphers.
    - Fix potential leaks of EVP_PKEY in various printing functions
    - Fix potential leak in OBJ_NAME_add().
    - Avoid signed overflow in i2c_ASN1_BIT_STRING().
    - Clean up EVP_PKEY_ASN1_METHOD related tables and code.
    - Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
    - Fix segfaults in BN_{dec,hex}2bn().
    - Fix NULL dereference in x509_constraints_uri_host() reachable only
      in the process of generating certificates.
    - Fixed a variety of memory corruption issues in BIO chains coming
      from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
    - Avoid potential divide by zero in BIO_dump_indent_cb()
  * Documentation improvements
    - Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
    - The BN documentation is now considered to be complete.
  * Testing and Proactive Security
    - As always, new test coverage is added as bugs are fixed and
      subsystems are cleaned up.
    - Many old tests rewritten, cleaned up and extended.
  * New features
    - Added Ed25519 support both as a primitive and via OpenSSL's EVP
      interfaces.
    - X25519 is now also supported via EVP.
    - The OpenSSL 1.1 raw public and private key API is available with
      support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
      Poly1305 is not currently supported via this interface.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

(Comments are closed)


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]