We have released LibreSSL 3.7.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the final development release for the 3.7.x branch, and we appreciate additional testing and feedback before the stable release coming soon with OpenBSD 7.3 It includes the following changes: * Internal improvements - Initial overhaul of the BIGNUM code: - Added a new framework that allows architecture-dependent replacement implementations for bignum primitives. - Imported various s2n-bignum's constant time assembly primitives and switched amd64 to them. - Lots of cleanup, simplification and bug fixes. - Changed Perl assembly generators to move constants into .rodata, allowing code to run with execute-only permissions. - Capped the number of iterations in DSA and ECDSA signing (avoiding infinite loops), added additional sanity checks to DSA. - ASN.1 parsing improvements. - Made UI_destroy_method() NULL safe. - Various improvements to nc(1). - Always clear EC groups and points on free. - Cleanup and improvements in EC code. - Various openssl(1) improvements. * Bug fixes - Fixed a memory leak, a double free and various other issues in BIO_new_NDEF(). - Fixed various crashes in the openssl(1) testing utility. - Do not check policies by default in the new X.509 verifier. - Avoid crash with ASN.1 BOOLEANS in openssl(1) asn1parse. - Added missing error checking in PKCS7. - Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup(). * Compatibility changes - Correct the prototypes of BIO_get_conn_ip(3) and BIO_get_conn_int_port(3). * New features - Added UI_null() - Added X509_STORE_*check_issued() - Added X509_CRL_get0_sigalg() and X509_get0_uids() accessors. - Added EVP_CIPHER_meth_*() setter API. * Documentation improvements - Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3), BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented. - Merged documentation of UI_null() from OpenSSL 1.1 - Document BIO_number_read(3), BIO_number_written(3), BIO_set_retry_read(3), BIO_set_retry_write(3), BIO_set_retry_special(3), BIO_clear_retry_flags(3), BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3), BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3). BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3), BIO_callback_fn(3), and the BIO_FLAGS_* constants - Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3). - Document EVP_PKEY_new_raw_private_key(3), EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and EVP_PKEY_get_raw_public_key(3). - Document ASN1_buf_print(3). - Document ECDSA_SIG_get0_{r,s}(). - Document DH_get0_* for individual DH members. - Document DSA_get0_* for individual DSA members - Document RSA_get0_* for individual RSA members. - Various spelling and other documentation improvements. * Testing and Proactive Security - As always, new test coverage is added as bugs are fixed and subsystems are cleaned up. - New Wycheproof tests added. - OpenSSL 3.0 Interop tests added. - Many old tests rewritten, cleaned up and extended. * Security fixes - A malicious certificate revocation list or timestamp response token would allow an attacker to read arbitrary memory. The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.