libressl/portable (libressl/portable)
### [`v3.9.2`](https://redirect.github.com/libressl/portable/releases/tag/v3.9.2)
[Compare Source](https://redirect.github.com/libressl/portable/compare/v3.9.1...v3.9.2)
##### Bugfixes
- [OpenBSD 7.5 errata 003](https://www.openbsd.org/errata75.html#:~:text=003%3A%20RELIABILITY%20FIX). A missing bounds check could lead to a crash due to dereferencing a zero-sized allocation.
Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog
### [`v3.9.1`](https://redirect.github.com/libressl/portable/releases/tag/v3.9.1)
[Compare Source](https://redirect.github.com/libressl/portable/compare/v3.9.0...v3.9.1)
##### Portable changes
- Updated tests with expiring certificates
- CET-related build fixes for Windows and macOS targets
- update libtls linker script to include libssl and libcrypto again
Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog
### [`v3.9.0`](https://redirect.github.com/libressl/portable/releases/tag/v3.9.0)
[Compare Source](https://redirect.github.com/libressl/portable/compare/v3.8.4...v3.9.0)
##### Portable changes
- libcrypto no longer exports compat symbols in cmake builds.
- Most compatibility symbols are prefixed with libressl\_ to avoid
symbol clashes in static links.
- Fixed various warnings on Windows.
- Removed assert pop-ups with Windows debug builds.
- Fixed crashes and hangs in Windows ARM64 builds.
- Improved control-flow enforcement (CET) support.
##### Internal improvements
- Converted uses of OBJ_bsearch\_() to standard bsearch().
- Greatly simplified by_file_ctrl().
- Simplified and cleaned up the OBJ\_ API.
- Cleaned up the EVP_Cipher{Init,Update,Final}() implementations.
- Removed unused function pointers from X.509 stores and contexts.
- A lot of cleanup and reorganization in EVP.
- Removed all remaining ENGINE tentacles.
- Simplified internals of X509\_TRUST handling.
- Made deletion from a lhash doall callback safe.
- Rewrote BIO_dump\*(3) internals to be less bad.
##### Documentation improvements
- ENGINE documentation was updated to reflect reality.
- Made EVP API documentation more accurate and less incoherent.
- Call out some shortcomings of the EC_KEY_set_\* API explicitly.
##### Testing and proactive security
- Bug fixes and simplifications in the Wycheproof tests.
##### Compatibility changes
- Added ChaCha20 and chacha20 aliases for ChaCha.
- SSL_library_init() now has the same effect as OPENSSL_init_ssl().
- EVP_add\_{cipher,digest}() were removed. From the OBJ_NAME API,
only OBJ_NAME_do_all\*() remain. In particular, it is no longer
possible to add aliases for ciphers and digests.
- The thread unsafe global tables are no longer supported. It is no
longer possible to add aliases for ciphers and digests, custom ASN.1
strings table entries, ASN.1 methods, PKEY methods, digest methods,
CRL methods, purpose and trust identifiers, or X.509 extensions.
- Removed the \_cb() and \_fp() versions of BIO_dump{,\_indent}().
- BIO_set() was removed.
- BIO\_{sn,v,vsn}printf() were removed.
- Turn the long dysfunctional openssl(1) s_client -pause into a noop.
- openssl(1) x509 now supports -new -force_pubkey, -multivalue-rdn,
\-set_issuer, -set_subject, and -utf8.
- Support ECDSA with SHA-3 signature algorithms.
- Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
- GOST and STREEBOG support was removed.
- CRYPTO_THREADID, \_LHASH, \_STACK, X509\_PURPOSE are now opaque,
X509\_CERT_AUX and X509\_TRUST were removed from the public API.
- ASN1\_STRING_TABLE_get() and X509\_PURPOSE_get0\*() now return const
pointers.
- EVP\_{CIPHER,MD}\_CTX_init()'s signatures and semantics now match
OpenSSL's behavior.
- sk_find_ex() and OBJ_bsearch\_() were removed.
- CRYPTO_malloc() was fixed to use size_t argument. CRYPTO_malloc()
and CRYPTO_free() now accept file and line arguments.
- A lot of decrepit CRYPTO memory API was removed.
##### Bug fixes
- Fixed aliasing issues in BN_mod_exp_simple() and BN_mod_exp_recp().
- Fixed numerous misuses of X509\_ALGOR_set0() resulting in leaks and
potentially incorrect encodings.
- Fixed potential double free in X509v3\_asid_add_id_or_range().
- Stopped using ASN1\_time_parse() outside of libcrypto.
- Prepared OPENSSL_gmtime() and OPENSSL_timegm() as public API
wrappers of internal functions compatible with BoringSSL API.
- Removed print_bin() to avoid overwriting the stack with 5 bytes
of ' ' when ECPK parameters are printed with large indentation.
- Avoid a NULL dereference after memory allocation failure during TLS
version downgrade.
- Fixed various bugs in CMAC internals.
- Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
- Fixed various NULL dereferences in PKCS [#12](https://redirect.github.com/libressl/portable/issues/12) code due to mishandling
of OPTIONAL content in PKCS [#7](https://redirect.github.com/libressl/portable/issues/7) ContentInfo.
- Aligned SSL_shutdown() behavior in TLSv1.3 with the legacy stack.
- Fixed the new X.509 verifier to find trust anchors in the trusted
stack.
Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog
### [`v3.8.4`](https://redirect.github.com/libressl/portable/releases/tag/v3.8.4)
[Compare Source](https://redirect.github.com/libressl/portable/compare/v3.8.3...v3.8.4)
##### Portable changes
- Updated tests with expiring certificates
- CET-related build fixes for Windows and macOS targets
- update libtls linker script to include libssl and libcrypto again
Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
v3.8.3->v3.9.2Release Notes
libressl/portable (libressl/portable)
### [`v3.9.2`](https://redirect.github.com/libressl/portable/releases/tag/v3.9.2) [Compare Source](https://redirect.github.com/libressl/portable/compare/v3.9.1...v3.9.2) ##### Bugfixes - [OpenBSD 7.5 errata 003](https://www.openbsd.org/errata75.html#:~:text=003%3A%20RELIABILITY%20FIX). A missing bounds check could lead to a crash due to dereferencing a zero-sized allocation. Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog ### [`v3.9.1`](https://redirect.github.com/libressl/portable/releases/tag/v3.9.1) [Compare Source](https://redirect.github.com/libressl/portable/compare/v3.9.0...v3.9.1) ##### Portable changes - Updated tests with expiring certificates - CET-related build fixes for Windows and macOS targets - update libtls linker script to include libssl and libcrypto again Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog ### [`v3.9.0`](https://redirect.github.com/libressl/portable/releases/tag/v3.9.0) [Compare Source](https://redirect.github.com/libressl/portable/compare/v3.8.4...v3.9.0) ##### Portable changes - libcrypto no longer exports compat symbols in cmake builds. - Most compatibility symbols are prefixed with libressl\_ to avoid symbol clashes in static links. - Fixed various warnings on Windows. - Removed assert pop-ups with Windows debug builds. - Fixed crashes and hangs in Windows ARM64 builds. - Improved control-flow enforcement (CET) support. ##### Internal improvements - Converted uses of OBJ_bsearch\_() to standard bsearch(). - Greatly simplified by_file_ctrl(). - Simplified and cleaned up the OBJ\_ API. - Cleaned up the EVP_Cipher{Init,Update,Final}() implementations. - Removed unused function pointers from X.509 stores and contexts. - A lot of cleanup and reorganization in EVP. - Removed all remaining ENGINE tentacles. - Simplified internals of X509\_TRUST handling. - Made deletion from a lhash doall callback safe. - Rewrote BIO_dump\*(3) internals to be less bad. ##### Documentation improvements - ENGINE documentation was updated to reflect reality. - Made EVP API documentation more accurate and less incoherent. - Call out some shortcomings of the EC_KEY_set_\* API explicitly. ##### Testing and proactive security - Bug fixes and simplifications in the Wycheproof tests. ##### Compatibility changes - Added ChaCha20 and chacha20 aliases for ChaCha. - SSL_library_init() now has the same effect as OPENSSL_init_ssl(). - EVP_add\_{cipher,digest}() were removed. From the OBJ_NAME API, only OBJ_NAME_do_all\*() remain. In particular, it is no longer possible to add aliases for ciphers and digests. - The thread unsafe global tables are no longer supported. It is no longer possible to add aliases for ciphers and digests, custom ASN.1 strings table entries, ASN.1 methods, PKEY methods, digest methods, CRL methods, purpose and trust identifiers, or X.509 extensions. - Removed the \_cb() and \_fp() versions of BIO_dump{,\_indent}(). - BIO_set() was removed. - BIO\_{sn,v,vsn}printf() were removed. - Turn the long dysfunctional openssl(1) s_client -pause into a noop. - openssl(1) x509 now supports -new -force_pubkey, -multivalue-rdn, \-set_issuer, -set_subject, and -utf8. - Support ECDSA with SHA-3 signature algorithms. - Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF. - GOST and STREEBOG support was removed. - CRYPTO_THREADID, \_LHASH, \_STACK, X509\_PURPOSE are now opaque, X509\_CERT_AUX and X509\_TRUST were removed from the public API. - ASN1\_STRING_TABLE_get() and X509\_PURPOSE_get0\*() now return const pointers. - EVP\_{CIPHER,MD}\_CTX_init()'s signatures and semantics now match OpenSSL's behavior. - sk_find_ex() and OBJ_bsearch\_() were removed. - CRYPTO_malloc() was fixed to use size_t argument. CRYPTO_malloc() and CRYPTO_free() now accept file and line arguments. - A lot of decrepit CRYPTO memory API was removed. ##### Bug fixes - Fixed aliasing issues in BN_mod_exp_simple() and BN_mod_exp_recp(). - Fixed numerous misuses of X509\_ALGOR_set0() resulting in leaks and potentially incorrect encodings. - Fixed potential double free in X509v3\_asid_add_id_or_range(). - Stopped using ASN1\_time_parse() outside of libcrypto. - Prepared OPENSSL_gmtime() and OPENSSL_timegm() as public API wrappers of internal functions compatible with BoringSSL API. - Removed print_bin() to avoid overwriting the stack with 5 bytes of ' ' when ECPK parameters are printed with large indentation. - Avoid a NULL dereference after memory allocation failure during TLS version downgrade. - Fixed various bugs in CMAC internals. - Fixed 4-byte overreads in GHASH assembly on amd64 and i386. - Fixed various NULL dereferences in PKCS [#12](https://redirect.github.com/libressl/portable/issues/12) code due to mishandling of OPTIONAL content in PKCS [#7](https://redirect.github.com/libressl/portable/issues/7) ContentInfo. - Aligned SSL_shutdown() behavior in TLSv1.3 with the legacy stack. - Fixed the new X.509 verifier to find trust anchors in the trusted stack. Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog ### [`v3.8.4`](https://redirect.github.com/libressl/portable/releases/tag/v3.8.4) [Compare Source](https://redirect.github.com/libressl/portable/compare/v3.8.3...v3.8.4) ##### Portable changes - Updated tests with expiring certificates - CET-related build fixes for Windows and macOS targets - update libtls linker script to include libssl and libcrypto again Full changelog: https://github.com/libressl/portable/blob/master/ChangeLogConfiguration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.