Skip to content

v3.9.0

Pre-release
Pre-release
Compare
Choose a tag to compare
@github-actions github-actions released this 09 Mar 20:48
· 351 commits to master since this release

Portable changes

  • libcrypto no longer exports compat symbols in cmake builds.
  • Most compatibility symbols are prefixed with libressl_ to avoid
    symbol clashes in static links.
  • Fixed various warnings on Windows.
  • Removed assert pop-ups with Windows debug builds.
  • Fixed crashes and hangs in Windows ARM64 builds.
  • Improved control-flow enforcement (CET) support.

Internal improvements

  • Converted uses of OBJ_bsearch_() to standard bsearch().
  • Greatly simplified by_file_ctrl().
  • Simplified and cleaned up the OBJ_ API.
  • Cleaned up the EVP_Cipher{Init,Update,Final}() implementations.
  • Removed unused function pointers from X.509 stores and contexts.
  • A lot of cleanup and reorganization in EVP.
  • Removed all remaining ENGINE tentacles.
  • Simplified internals of X509_TRUST handling.
  • Made deletion from a lhash doall callback safe.
  • Rewrote BIO_dump*(3) internals to be less bad.

Documentation improvements

  • ENGINE documentation was updated to reflect reality.
  • Made EVP API documentation more accurate and less incoherent.
  • Call out some shortcomings of the EC_KEY_set_* API explicitly.

Testing and proactive security

  • Bug fixes and simplifications in the Wycheproof tests.

Compatibility changes

  • Added ChaCha20 and chacha20 aliases for ChaCha.
  • SSL_library_init() now has the same effect as OPENSSL_init_ssl().
  • EVP_add_{cipher,digest}() were removed. From the OBJ_NAME API,
    only OBJ_NAME_do_all*() remain. In particular, it is no longer
    possible to add aliases for ciphers and digests.
  • The thread unsafe global tables are no longer supported. It is no
    longer possible to add aliases for ciphers and digests, custom ASN.1
    strings table entries, ASN.1 methods, PKEY methods, digest methods,
    CRL methods, purpose and trust identifiers, or X.509 extensions.
  • Removed the _cb() and _fp() versions of BIO_dump{,_indent}().
  • BIO_set() was removed.
  • BIO_{sn,v,vsn}printf() were removed.
  • Turn the long dysfunctional openssl(1) s_client -pause into a noop.
  • openssl(1) x509 now supports -new -force_pubkey, -multivalue-rdn,
    -set_issuer, -set_subject, and -utf8.
  • Support ECDSA with SHA-3 signature algorithms.
  • Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
  • GOST and STREEBOG support was removed.
  • CRYPTO_THREADID, _LHASH, _STACK, X509_PURPOSE are now opaque,
    X509_CERT_AUX and X509_TRUST were removed from the public API.
  • ASN1_STRING_TABLE_get() and X509_PURPOSE_get0*() now return const
    pointers.
  • EVP_{CIPHER,MD}_CTX_init()'s signatures and semantics now match
    OpenSSL's behavior.
  • sk_find_ex() and OBJ_bsearch_() were removed.
  • CRYPTO_malloc() was fixed to use size_t argument. CRYPTO_malloc()
    and CRYPTO_free() now accept file and line arguments.
  • A lot of decrepit CRYPTO memory API was removed.

Bug fixes

  • Fixed aliasing issues in BN_mod_exp_simple() and BN_mod_exp_recp().
  • Fixed numerous misuses of X509_ALGOR_set0() resulting in leaks and
    potentially incorrect encodings.
  • Fixed potential double free in X509v3_asid_add_id_or_range().
  • Stopped using ASN1_time_parse() outside of libcrypto.
  • Prepared OPENSSL_gmtime() and OPENSSL_timegm() as public API
    wrappers of internal functions compatible with BoringSSL API.
  • Removed print_bin() to avoid overwriting the stack with 5 bytes
    of ' ' when ECPK parameters are printed with large indentation.
  • Avoid a NULL dereference after memory allocation failure during TLS
    version downgrade.
  • Fixed various bugs in CMAC internals.
  • Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
  • Fixed various NULL dereferences in PKCS #12 code due to mishandling
    of OPTIONAL content in PKCS #7 ContentInfo.
  • Aligned SSL_shutdown() behavior in TLSv1.3 with the legacy stack.
  • Fixed the new X.509 verifier to find trust anchors in the trusted
    stack.

Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog