1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.OPENBSD.ANN

  • LibreSSL 2.9.1 Released

    From Brent Cook@21:1/5 to All on Wed Apr 24 14:55:02 2019
    Copy: libressl@openbsd.org

    We have released LibreSSL 2.9.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release from the 2.9 series, which is also included with OpenBSD 6.5

    It includes the following changes and improvements from LibreSSL 2.8.x:

    * API and Documentation Enhancements
    - CRYPTO_LOCK is now automatically initialized, with the legacy
    callbacks stubbed for compatibility.
    - Added the SM3 hash function from the Chinese standard GB/T 32905-2016.
    - Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.
    - Added more OPENSSL_NO_* macros for compatibility with OpenSSL.
    - Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.
    - Implemented further missing OpenSSL 1.1 API.
    - Added support for XChaCha20 and XChaCha20-Poly1305.
    - Added support for AES key wrap constructions via the EVP interface.

    * Compatibility Changes
    - Added pbkdf2 key derivation support to openssl(1) enc.
    - Changed the default digest type of openssl(1) enc to sha256.
    - Changed the default digest type of openssl(1) dgst to sha256.
    - Changed the default digest type of openssl(1) x509 -fingerprint to sha256.
    - Changed the default digest type of openssl(1) crl -fingerprint to sha256.

    * Testing and Proactive Security
    - Added extensive interoperability tests between LibreSSL and OpenSSL
    1.0 and 1.1.
    - Added additional Wycheproof tests and related bug fixes.

    * Internal Improvements
    - Simplified sigalgs option processing and handshake signing
    algorithm selection.
    - Added the ability to use the RSA PSS algorithm for handshake signatures.
    - Added bn_rand_interval() and use it in code needing ranges of
    random bn values.
    - Added functionality to derive early, handshake, and application
    secrets as per RFC8446.
    - Added handshake state machine from RFC8446.
    - Removed some ASN.1 related code from libcrypto that had not been
    used since around 2000.
    - Unexported internal symbols and internalized more record layer structs.
    - Removed SHA224 based handshake signatures from consideration for
    use in a TLS 1.2 handshake.

    * Portable Improvements
    - Added support for assembly optimizations on 32-bit ARM ELF targets.
    - Added support for assembly optimizations on Mingw-w64 targets.
    - Improved Android compatibility

    * Bug Fixes
    - Improved protection against timing side channels in ECDSA signature
    generation.
    - Coordinate blinding was added to some elliptic curves. This is the
    last bit of the work by Brumley et al. to protect against the Portsmash
    vulnerability.
    - Ensure transcript handshake is always freed with TLS 1.2.

    The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)