vendor/LIBRESSL: Import LibreSSL 3.6.1

For a full list of changes:

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.6-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2

vendor/LIBRESSL: Import LibreSSL 3.6.1

For a full list of changes:

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.6-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.7-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.2-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.3-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.4-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.6-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.0-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.1-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.3-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.1-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.2-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.3-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.1-relnotes.txt

show more ...

vendor/libressl: upgrade from 3.2.4 to 3.2.5

Fixes possible use-after-free caused by TLS client using session
resumption.

vendor/libressl: upgrade from 3.2.3 to 3.2.4

Bug and interoperability fixes:

* Switch back to certificate verification code from LibreSSL 3.1.x. The
new verifier is not bug compatible with the

vendor/libressl: upgrade from 3.2.3 to 3.2.4

Bug and interoperability fixes:

* Switch back to certificate verification code from LibreSSL 3.1.x. The
new verifier is not bug compatible with the old verifier causing issues
with applications expecting behavior of the old verifier.

* Unbreak DTLS retransmissions for flights that include a CCS

* Only check BIO_should_read() on read and BIO_should_write() on write

* Implement autochain for the TLSv1.3 server

* Use the legacy verifier for autochain

* Implement exporter for TLSv1.3

* Free alert_data and phh_data in tls13_record_layer_free()

* Plug leak in x509_verify_chain_dup()

* Free the policy tree in x509_vfy_check_policy()

show more ...

vendor/libressl: upgrade from 3.2.2 to 3.2.3

Fixes ASN.1 vulnerability (aka CVE-2020-1971):

* Malformed ASN.1 in a certificate revocation list or a timestamp
response token can lead to a NULL poi

vendor/libressl: upgrade from 3.2.2 to 3.2.3

Fixes ASN.1 vulnerability (aka CVE-2020-1971):

* Malformed ASN.1 in a certificate revocation list or a timestamp
response token can lead to a NULL pointer dereference

show more ...

vendor/libressl: upgrade from 3.1.4 to 3.2.2

Summary of notable changes:

* new TLSv1.3 implementation enabled by default for both client
and server

* new X509 certificate chain validator t

vendor/libressl: upgrade from 3.1.4 to 3.2.2

Summary of notable changes:

* new TLSv1.3 implementation enabled by default for both client
and server

* new X509 certificate chain validator that correctly handles
multiple paths through intermediate certificates

* new name constraints verification implementation which passes
the bettertls.com certificate validation check suite

* numerous leaks and out-of-bounds write fixed

* many improvements, refactoring, optimizations and code cleanups

See ChangeLog for details.

show more ...

vendor/libressl: upgrade from 3.1.3 to 3.1.4

Interoperability and bug fixes for the TLSv1.3 client:

* Improve client certificate selection to allow EC certificates
instead of only RSA certifica

vendor/libressl: upgrade from 3.1.3 to 3.1.4

Interoperability and bug fixes for the TLSv1.3 client:

* Improve client certificate selection to allow EC certificates
instead of only RSA certificates.

* Do not error out if a TLSv1.3 server requests an OCSP response as
part of a certificate request.

* Fix SSL_shutdown behavior to match the legacy stack. The previous
behaviour could cause a hang.

* Fix a memory leak and add a missing error check in the handling of
the key update message.

* Fix a memory leak in tls13_record_layer_set_traffic_key.

* Avoid calling freezero with a negative size if a server sends a
malformed plaintext of all zeroes.

* Ensure that only PSS may be used with RSA in TLSv1.3 in order
to avoid using PKCS1-based signatures.

* Add the P-521 curve to the list of curves supported by default
in the client.

show more ...

vendor/libressl: upgrade from 2.9.1 to 3.1.3

Summary of notable changes:

- fixed CVE-2019-1547 and CVE-2019-1563
- various side channels in DSA and ECDSA were addressed
- fixed PVK format output is

vendor/libressl: upgrade from 2.9.1 to 3.1.3

Summary of notable changes:

- fixed CVE-2019-1547 and CVE-2019-1563
- various side channels in DSA and ECDSA were addressed
- fixed PVK format output issue with openssl(1) dsa and rsa subcommand
- added cms subcommand to openssl(1)
- added -addext option to openssl(1) req subcommand
- added -groups option to openssl(1) s_server subcommand
- improved compatibility by backporting functionality and documentation
from OpenSSL 1.1.1
- added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1
- completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API
- ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
1.1.1 and enabled by default
- completed initial TLS 1.3 implementation, TLS 1.3 is now enabled
by default for the client side, with the server side to be enabled
in a future release
- provided TLSv1.3 cipher suite aliases to match the names used
in RFC 8446

For details see ChangeLog.

show more ...

Update LibreSSL from version 2.4.4 => 2.9.1

Submitted-by: Maxim + v2 update to 2.9.1 stable

Update LibreSSL from version 2.4.3 => 2.4.4

Update LibreSSL from version 2.4.2 => 2.4.3

Import LibreSSL v2.4.2 to vendor branch

vendor/libressl: upgrade from 3.2.4 to 3.2.5

Fixes possible use-after-free caused by TLS client using session
resumption.

vendor/libressl: upgrade from 3.2.3 to 3.2.4

Bug and interoperability fixes:

* Switch back to certificate verification code from LibreSSL 3.1.x. The
new verifier is not bug compatible with the

vendor/libressl: upgrade from 3.2.3 to 3.2.4

Bug and interoperability fixes:

* Switch back to certificate verification code from LibreSSL 3.1.x. The
new verifier is not bug compatible with the old verifier causing issues
with applications expecting behavior of the old verifier.

* Unbreak DTLS retransmissions for flights that include a CCS

* Only check BIO_should_read() on read and BIO_should_write() on write

* Implement autochain for the TLSv1.3 server

* Use the legacy verifier for autochain

* Implement exporter for TLSv1.3

* Free alert_data and phh_data in tls13_record_layer_free()

* Plug leak in x509_verify_chain_dup()

* Free the policy tree in x509_vfy_check_policy()

show more ...

vendor/libressl: upgrade from 3.2.2 to 3.2.3

Fixes ASN.1 vulnerability (aka CVE-2020-1971):

* Malformed ASN.1 in a certificate revocation list or a timestamp
response token can lead to a NULL poi

vendor/libressl: upgrade from 3.2.2 to 3.2.3

Fixes ASN.1 vulnerability (aka CVE-2020-1971):

* Malformed ASN.1 in a certificate revocation list or a timestamp
response token can lead to a NULL pointer dereference

show more ...

vendor/libressl: upgrade from 3.1.4 to 3.2.2

Summary of notable changes:

* new TLSv1.3 implementation enabled by default for both client
and server

* new X509 certificate chain validator t

vendor/libressl: upgrade from 3.1.4 to 3.2.2

Summary of notable changes:

* new TLSv1.3 implementation enabled by default for both client
and server

* new X509 certificate chain validator that correctly handles
multiple paths through intermediate certificates

* new name constraints verification implementation which passes
the bettertls.com certificate validation check suite

* numerous leaks and out-of-bounds write fixed

* many improvements, refactoring, optimizations and code cleanups

See ChangeLog for details.

show more ...

vendor/libressl: upgrade from 3.1.3 to 3.1.4

Interoperability and bug fixes for the TLSv1.3 client:

* Improve client certificate selection to allow EC certificates
instead of only RSA certifica

vendor/libressl: upgrade from 3.1.3 to 3.1.4

Interoperability and bug fixes for the TLSv1.3 client:

* Improve client certificate selection to allow EC certificates
instead of only RSA certificates.

* Do not error out if a TLSv1.3 server requests an OCSP response as
part of a certificate request.

* Fix SSL_shutdown behavior to match the legacy stack. The previous
behaviour could cause a hang.

* Fix a memory leak and add a missing error check in the handling of
the key update message.

* Fix a memory leak in tls13_record_layer_set_traffic_key.

* Avoid calling freezero with a negative size if a server sends a
malformed plaintext of all zeroes.

* Ensure that only PSS may be used with RSA in TLSv1.3 in order
to avoid using PKCS1-based signatures.

* Add the P-521 curve to the list of curves supported by default
in the client.

show more ...

vendor/libressl: upgrade from 2.9.1 to 3.1.3

Summary of notable changes:

- fixed CVE-2019-1547 and CVE-2019-1563
- various side channels in DSA and ECDSA were addressed
- fixed PVK format output is

vendor/libressl: upgrade from 2.9.1 to 3.1.3

Summary of notable changes:

- fixed CVE-2019-1547 and CVE-2019-1563
- various side channels in DSA and ECDSA were addressed
- fixed PVK format output issue with openssl(1) dsa and rsa subcommand
- added cms subcommand to openssl(1)
- added -addext option to openssl(1) req subcommand
- added -groups option to openssl(1) s_server subcommand
- improved compatibility by backporting functionality and documentation
from OpenSSL 1.1.1
- added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1
- completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API
- ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
1.1.1 and enabled by default
- completed initial TLS 1.3 implementation, TLS 1.3 is now enabled
by default for the client side, with the server side to be enabled
in a future release
- provided TLSv1.3 cipher suite aliases to match the names used
in RFC 8446

For details see ChangeLog.

show more ...

Update LibreSSL from version 2.4.4 => 2.9.1

Submitted-by: Maxim + v2 update to 2.9.1 stable

Update LibreSSL from version 2.4.3 => 2.4.4

Update LibreSSL from version 2.4.2 => 2.4.3

Import LibreSSL v2.4.2 to vendor branch