[ANNOUNCE] LibreTLS 3.5.2

From: june
This release is based on LibreSSL 3.5.2:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.2-relnotes.txt

As far as I can tell some interfaces were made public in the previous
release that weren't meant to be, so they're made private here and
the shared library version is bumped to 25. Inconvenient!

A release tarball for this version can be downloaded from:
https://causal.agency/libretls/libretls-3.5.2.tar.gz

----- Original message -----
From: Brent Cook <busterb@gmail.com>
To: announce@openbsd.org
Cc: libressl@openbsd.org
Subject: LibreSSL 3.5.2 Released
Date: Saturday, April 23, 2022 18:19

We have released LibreSSL 3.5.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the
first stable release for the 3.5.x branch, also available with OpenBSD 7.1.

It includes the following changes from LibreSSL 3.4.x:

 * New Features
   - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
     regression tests were added and the code was cleaned up.
   - Certificate Transparency was ported from OpenSSL. Many internal
     improvements were made, resulting in cleaner and safer code.
     Regress coverage was added. libssl does not yet make use of it.
 * Bug fixes
   - Avoid single byte overread in asn1_parse2().
   - Allow name constraints with a leading dot. From Alex Wilson.
   - Relax a check in x509_constraints_dirname() to allow prefixes.
     From Alex Wilson.
   - Fix NULL dereferences in openssl(1) cms option parsing.
   - Do not zero the computed cofactor on ec_guess_cofactor() success.
   - Bound cofactor in EC_GROUP_set_generator() to reduce the number of
     bogus groups that can be described with nonsensical parameters.
   - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
     memory conditions. Reported for HMAC by Masaru Masuda.
   - Plug leak in ASN1_TIME_adj_internal().
   - Avoid infinite loop for custom curves of order 1.
     Issue reported by Hanno Boeck, comments by David Benjamin.
   - Avoid an infinite loop on parsing DSA private keys by validating
     that the provided parameters conform to FIPS 186-4.
     Issue reported by Hanno Boeck, comments by David Benjamin.
   - In some situations, the verifier would discard the error on an
     unvalidated certificate chain. This would happen when the
     verification callback was in use, instructing the verifier to
     continue unconditionally. This could lead to incorrect decisions
     being made in software.
   - Avoid an infinite loop in SSL_shutdown()
   - Fix another return 0 bug in SSL_shutdown()
   - Handle zero byte reads/writes that trigger handshakes in the
     TLSv1.3 stack
   - A long standing memleak in libtls CRL handling was fixed
 * Compatibility improvements
   - Allow non-standard name constraints of the form @domain.com.
   - Most structs that were previously defined in the following headers
     are now opaque as they are in OpenSSL 1.1:
     bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
     x509.h, x509v3.h, x509_vfy.h
   - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_
     OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
     of using something consistent with the previous naming. Various
     test suites expect these names (instead of checking for the much
     more sensible cipher numbers). The old names are still accepted
     as aliases.
   - Subject alternative names and name constraints are now validated
     when they are added to certificates. Various interoperability
     problems with stacks that validate certificates more strictly
     than OpenSSL can be avoided this way.
   - Attempt to opportunistically use the host name for SNI in s_client
 * Internal improvements
   - Limit OID text conversion to 64 bits per arc.
   - Clean up and simplify memory BIO code.
   - Reduce number of memmove() calls in memory BIOs.
   - Factor out alert handling code in the legacy stack.
   - Add sanity checks on p and q in old_dsa_priv_decode()
   - Cache the SHA-512 hash instead of the SHA-1 for CRLs.
   - Suppress various compiler warnings for old gcc versions.
   - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
   - Rework ownership handling in x509_constraints_validate().
   - Rework ASN1_STRING_set().
   - Remove const from tls1_transcript_hash_value().
   - Clean up and simplify ssl3_renegotiate{,_check}().
   - Rewrite legacy TLS and DTLS unexpected handshake message handling.
   - Simplify SSL_do_handshake().
   - Rewrite ASCII/text to ASN.1 object conversion.
   - Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
   - Split armv7 and aarch64 code into separate locations.
   - Rewrote openssl(1) ts to use the new option handling and cleaned
     up the C code.
   - Provide asn1_get_primitive().
   - Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
   - Remove the minimum record length checks from dtls1_read_bytes().
   - Clean up {dtls1,ssl3}_read_bytes().
   - Be more careful with embedded and terminating NULs in the new
     name constraints code.
   - Check EVP_Digest* return codes in openssl(1) ts
   - Various minor code cleanup in openssl(1) pkcs12
   - Use calloc() in pkey_hmac_init().
   - Simplify priv_key handling in d2i_ECPrivateKey().
   - Cache the SHA-512 hash instead of the SHA-1 hash and cache
     notBefore and notAfter times when X.509 certificates are parsed.
   - The X.509 lookup code has been simplified and cleaned up.
   - Fixed numerous issues flagged by coverity and the cryptofuzz
     project
   - Increased the number of Miller-Rabin checks in DH and DSA
     key/parameter generation
   - Started using the bytestring API in libcrypto for cleaner and
     safer code
   - Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
     ASN1
   - Convert ASN1_OBJECT_new() to calloc()
   - Convert ASN1_STRING_type_new() to calloc()
   - Rewrite ASN1_STRING_cmp()
   - Use calloc() for X509_CRL_METHOD_new() instead of malloc()
   - Convert ASN1_PCTX_new() to calloc()
   - Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
     function
   - Consolidate {d2i,i2d}_{pr,pu}.c
   - Remove handling of a NULL BUF_MEM from asn1_collect()
   - Pull the recursion depth check up to the top of asn1_collect()
   - Inline collect_data() in asn1_collect()
   - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
   - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
   - Consolidate ASN.1 universal tag type data
   - Rewrite ASN.1 identifier/length parsing in CBS
   - Make OBJ_obj2nid() work correctly with NID_undef
   - tlsext_tick_lifetime_hint is now a uint32_t
   - Untangle ssl3_get_message() return values
   - Rename tls13_buffer to tls_buffer
   - Fold DTLS_STATE_INTERNAL into DTLS1_STATE
   - Provide a way to determine our maximum legacy version
   - Mop up enc_read_ctx and read_hash
   - Fold SSL_SESSION_INTERNAL into SSL_SESSION
   - Use ssl_force_want_read in the DTLS code
   - Add record processing limit to DTLS code
   - Add explicit CBS_contains_zero_byte() check in CBS_strdup()
   - Improve SNI hostname validation
   - Ensure SSL_set_tlsext_host_name() is given a valid hostname
   - Fix a strange check in the auto DH codepath
   - Factor out/rewrite DHE key exchange
   - Convert server serialisation of DHE parameters/public key to new
     functions
   - Check DH public key in ssl_kex_peer_public_dhe()
   - Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
   - Clean up and refactor server side DHE key exchange
   - Provide CBS_get_last_u8()
   - Provide CBS_get_u64()
   - Provide CBS_add_u64()
   - Provide various CBS_peek_* functions
   - Use CBS_get_last_u8() to find the content type in TLSv1.3 records
   - unifdef TLS13_USE_LEGACY_CLIENT_AUTH
   - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
   - Only allow zero length key shares when we know we're doing HRR
   - Pull key share group/length CBB code up from
     tls13_key_share_public()
   - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
     validation
   - Return 0 on failure from send/get kex functions in the legacy
     stack
   - Rename tls13_key_share to tls_key_share
   - Allocate and free the EVP_AEAD_CTX struct in
     tls13_record_protection
   - Convert legacy TLS client to tls_key_share
   - Convert legacy TLS server to tls_key_share
   - Stop attempting to duplicate the public and private key of dh_tmp
   - Rename dh_tmp to dhe_params
   - Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
   - Clean up pkey handling in ssl3_get_server_key_exchange()
   - Fix GOST skip certificate verify handling
   - Simplify tlsext_keyshare_server_parse()
   - Plumb decode errors through key share parsing code
   - Simplify SSL_get_peer_certificate()
   - Cleanup/simplify ssl_cert_type()
   - The S3I macro was removed
   - The openssl(1) cms and smime subcommands option handling was
     converted and the C source was cleaned up.
 * Documentation improvements
   - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
     refactoring and bug fixes.
   - Fixed numerous minor grammar, spelling, wording, and punctuation
     issues.
   - 45 new manual pages, most of which were written from scratch.
     Documentation coverage of ASN.1 and X.509 code has been
     significantly improved.
 * Portable Improvements
   - Fixed various POSIX compliance and other portability issues
     found by the port to the Sortix operating system.
   - Add libmd as platform specific libraries for Solaris.
     Issue reported from (ihsan <at> opencsw org) on libressl ML.
   - Set IA-64 compiler flag only if it is HP-UX with IA-64.
     Suggested from Larkin Nickle (me <at> larbob org) by libressl ML.
   - Enabled and scheduled Coverity scan.
     Contributed by Ilya Shipitsin (chipitsine <at> gmail com) on github.
   - nc(1) command fixed when run on macOS.
     Contributed by sebastianblunt on github.
 * API additions and removals
   - libssl
     API additions
       SSL_get0_verified_chain SSL_peek_ex SSL_read_ex SSL_write_ex
     API stubs for compatibility
       SSL_CTX_get_keylog_callback SSL_CTX_get_num_tickets
       SSL_CTX_set_keylog_callback SSL_CTX_set_num_tickets
       SSL_get_num_tickets SSL_set_num_tickets
   - libcrypto
     added API (some of these were previously available as macros):
       ASIdOrRange_free ASIdOrRange_new ASIdentifierChoice_free
       ASIdentifierChoice_new ASIdentifiers_free ASIdentifiers_new
       ASN1_TIME_diff ASRange_free ASRange_new BIO_get_callback_ex
       BIO_get_init BIO_set_callback_ex BIO_set_next
       BIO_set_retry_reason BN_GENCB_set BN_GENCB_set_old
       BN_abs_is_word BN_get_flags BN_is_negative
       BN_is_odd BN_is_one BN_is_word BN_is_zero BN_set_flags
       BN_to_montgomery BN_with_flags BN_zero_ex CTLOG_STORE_free
       CTLOG_STORE_get0_log_by_id CTLOG_STORE_load_default_file
       CTLOG_STORE_load_file CTLOG_STORE_new CTLOG_free
       CTLOG_get0_log_id CTLOG_get0_name CTLOG_get0_public_key
       CTLOG_new CTLOG_new_from_base64 CT_POLICY_EVAL_CTX_free
       CT_POLICY_EVAL_CTX_get0_cert CT_POLICY_EVAL_CTX_get0_issuer
       CT_POLICY_EVAL_CTX_get0_log_store CT_POLICY_EVAL_CTX_get_time
       CT_POLICY_EVAL_CTX_new CT_POLICY_EVAL_CTX_set1_cert
       CT_POLICY_EVAL_CTX_set1_issuer
       CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE
       CT_POLICY_EVAL_CTX_set_time DH_get0_g DH_get0_p DH_get0_priv_key
       DH_get0_pub_key DH_get0_q DH_get_length DSA_bits DSA_get0_g
       DSA_get0_p DSA_get0_priv_key DSA_get0_pub_key DSA_get0_q
       ECDSA_SIG_get0_r ECDSA_SIG_get0_s EVP_AEAD_CTX_free
       EVP_AEAD_CTX_new EVP_CIPHER_CTX_buf_noconst
       EVP_CIPHER_CTX_get_cipher_data EVP_CIPHER_CTX_set_cipher_data
       EVP_MD_CTX_md_data EVP_MD_CTX_pkey_ctx EVP_MD_CTX_set_pkey_ctx
       EVP_MD_meth_dup EVP_MD_meth_free EVP_MD_meth_new
       EVP_MD_meth_set_app_datasize EVP_MD_meth_set_cleanup
       EVP_MD_meth_set_copy EVP_MD_meth_set_ctrl EVP_MD_meth_set_final
       EVP_MD_meth_set_flags EVP_MD_meth_set_init
       EVP_MD_meth_set_input_blocksize EVP_MD_meth_set_result_size
       EVP_MD_meth_set_update EVP_PKEY_asn1_set_check
       EVP_PKEY_asn1_set_param_check EVP_PKEY_asn1_set_public_check
       EVP_PKEY_check EVP_PKEY_meth_set_check
       EVP_PKEY_meth_set_param_check EVP_PKEY_meth_set_public_check
       EVP_PKEY_param_check EVP_PKEY_public_check FIPS_mode
       FIPS_mode_set IPAddressChoice_free IPAddressChoice_new
       IPAddressFamily_free IPAddressFamily_new IPAddressOrRange_free
       IPAddressOrRange_new IPAddressRange_free IPAddressRange_new
       OBJ_get0_data OBJ_length OCSP_resp_get0_certs OCSP_resp_get0_id
       OCSP_resp_get0_produced_at OCSP_resp_get0_respdata
       OCSP_resp_get0_signature OCSP_resp_get0_signer
       OCSP_resp_get0_tbs_sigalg PEM_write_bio_PrivateKey_traditional
       RSA_get0_d RSA_get0_dmp1 RSA_get0_dmq1 RSA_get0_e RSA_get0_iqmp
       RSA_get0_n RSA_get0_p RSA_get0_pss_params RSA_get0_q
       SCT_LIST_free SCT_LIST_print SCT_LIST_validate SCT_free
       SCT_get0_extensions SCT_get0_log_id SCT_get0_signature
       SCT_get_log_entry_type SCT_get_signature_nid SCT_get_source
       SCT_get_timestamp SCT_get_validation_status SCT_get_version
       SCT_new SCT_new_from_base64 SCT_print SCT_set0_extensions
       SCT_set0_log_id SCT_set0_signature SCT_set1_extensions
       SCT_set1_log_id SCT_set1_signature SCT_set_log_entry_type
       SCT_set_signature_nid SCT_set_source SCT_set_timestamp
       SCT_set_version SCT_validate SCT_validation_status_string
       X509_OBJECT_free X509_OBJECT_new X509_REQ_get0_pubkey
       X509_SIG_get0 X509_SIG_getm X509_STORE_CTX_get_by_subject
       X509_STORE_CTX_get_num_untrusted
       X509_STORE_CTX_get_obj_by_subject X509_STORE_CTX_get_verify
       X509_STORE_CTX_get_verify_cb X509_STORE_CTX_set0_verified_chain
       X509_STORE_CTX_set_current_cert X509_STORE_CTX_set_error_depth
       X509_STORE_CTX_set_verify X509_STORE_get_verify
       X509_STORE_get_verify_cb X509_STORE_set_verify
       X509_get_X509_PUBKEY X509_get_extended_key_usage
       X509_get_extension_flags X509_get_key_usage
       X509v3_addr_add_inherit X509v3_addr_add_prefix
       X509v3_addr_add_range X509v3_addr_canonize X509v3_addr_get_afi
       X509v3_addr_get_range X509v3_addr_inherits
       X509v3_addr_is_canonical X509v3_addr_subset
       X509v3_addr_validate_path X509v3_addr_validate_resource_set
       X509v3_asid_add_id_or_range X509v3_asid_add_inherit
       X509v3_asid_canonize X509v3_asid_inherits
       X509v3_asid_is_canonical X509v3_asid_subset
       X509v3_asid_validate_path X509v3_asid_validate_resource_set
       d2i_ASIdOrRange d2i_ASIdentifierChoice d2i_ASIdentifiers
       d2i_ASRange d2i_IPAddressChoice d2i_IPAddressFamily
       d2i_IPAddressOrRange d2i_IPAddressRange d2i_SCT_LIST
       i2d_ASIdOrRange i2d_ASIdentifierChoice i2d_ASIdentifiers
       i2d_ASRange i2d_IPAddressChoice i2d_IPAddressFamily
       i2d_IPAddressOrRange i2d_IPAddressRange i2d_SCT_LIST
       i2d_re_X509_CRL_tbs i2d_re_X509_REQ_tbs i2d_re_X509_tbs i2o_SCT
       i2o_SCT_LIST o2i_SCT o2i_SCT_LIST
      removed API:
       ASN1_check_infinite_end ASN1_const_check_infinite_end EVP_dss
       EVP_dss1 EVP_ecdsa HMAC_CTX_cleanup HMAC_CTX_init
       NETSCAPE_ENCRYPTED_PKEY_free NETSCAPE_ENCRYPTED_PKEY_new
       NETSCAPE_PKEY_free NETSCAPE_PKEY_new NETSCAPE_X509_free
       NETSCAPE_X509_new OBJ_bsearch_ex_ PEM_SealFinal PEM_SealInit
       PEM_SealUpdate PEM_read_X509_CERT_PAIR
       PEM_read_bio_X509_CERT_PAIR PEM_write_X509_CERT_PAIR
       PEM_write_bio_X509_CERT_PAIR X509_CERT_PAIR_free
       X509_CERT_PAIR_new X509_OBJECT_free_contents asn1_do_adb
       asn1_do_lock asn1_enc_free asn1_enc_init asn1_enc_restore
       asn1_enc_save asn1_ex_c2i asn1_get_choice_selector
       asn1_get_field_ptr asn1_set_choice_selector check_defer
       d2i_ASN1_BOOLEAN d2i_NETSCAPE_ENCRYPTED_PKEY d2i_NETSCAPE_PKEY
       d2i_NETSCAPE_X509 d2i_Netscape_RSA d2i_RSA_NET
       d2i_X509_CERT_PAIR i2d_ASN1_BOOLEAN i2d_NETSCAPE_ENCRYPTED_PKEY
       i2d_NETSCAPE_PKEY i2d_NETSCAPE_X509 i2d_Netscape_RSA i2d_RSA_NET
       i2d_X509_CERT_PAIR name_cmp obj_cleanup_defer

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.