Sunday, April 19, 2026

LibreSSL 4.3.1 released

We have released LibreSSL 4.3.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is a development release for the 4.3.x branch, so we appreciate early testing and feedback. There will be no further API and ABI changes on the 4.3 branch. It includes a build fix from 4.3.0 and the following changes:

* Internal improvements

- Remove the unused sequence number from X509_REVOKED.
- Replace a call to atoi() with strtonum() in nc(1) and replace a misleading use of ntohs() with htons().
- openssl(1) speed now uses HMAC-SHA256 for its hmac benchmark.
- Reimplemented the only use of ASN1_PRINTABLE_type() in openssl(1) ca. The API will be removed in an upcoming release.
- Add curve NID to EC_POINT objects so the library has a clue on which curve a given EC_POINT is supposed to live.
- Use curve NID to check for compatibility between group and points in various EC API. This isn't 100% failsafe but good enough for sane uses.
- Require SSE in order to use gcm_{gmult,ghash}_4bit_mmx(). On rare i386 machines supporting MMX but not SSE this could result in an illegal instruction.
- Cleaned up asn1t.h to make it somewhat readable and more robust, in particular by using C99 initializers.
- Further assembly macro improvements for -portable.
- Add fast path for well-known DH primes in DH_check() (including those from RFC 7919). Some projects still fiddle with this in 2025.
- Rewrite ec_point_cmp() for readability and robustness.
- Improve EVP_{Open,Seal}Init() internals. This is legacy API that cannot be removed since one scripting language still exposes it.
- ASN1_BIT_STRING_set_bit() now trims trailing zero bits itself rather than relying on i2c_ASN1_BIT_STRING() to do that when encoding.
- Fix and add workarounds to libtls to improve const correctness and to avoid warnings when compiling with OpenSSL 4.
- Prefix EC_KEY methods with ec_key_ to avoid problems in some static links.
- Remove mac_packet, a leftover from accepting SSLv2 ClientHellos.
- Remove ssl_server_legacy_first_packet().
- In addition to what was done in LibreSSL 4.0 for the version handling, disable TLSv1.1 and lower also on the method level.
- Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability.
- Refactor ocsp_find_signer_sk() to avoid neglecting the ASN.1's semantics by directly reaching into deeply nested OCSP structures.

* Compatibility changes

- Expose X509_VERIFY_PARAM_set_hostflags() as a public symbol.
- Provide SSL_SESSION_dup().
- BIGNUMs now use the C99 types uint64_t/uint32_t for the word width. Fixes long-standing issues with 32-bit longs on 64-bit Windows.
- Many unused BN_* macros with incomprehensible names were removed: BN_LONG, BN_BITS{,4}, BN_MASK2{,l,h,h1}, BN_TBIT, BN_DEC_CONV, BN_{DEC,HEX}_FMT{1,2}, ...
- openssl(1) cms no longer accepts the unsupported -compress and -uncompress switches.
- Added PKCS7_NO_DUAL_CONTENT flag/behavior. This is incorrect legacy behavior but some language bindings decided to rely on it in 2025.
- Remove STABLE_FLAGS_MALLOC but keep STABLE_NO_MASK because there is still one user...
- Fix ASN1_ADB_END macro to have a signature compatible with OpenSSL. The adb_cb() argument is currently ignored.
- Unexport ASN1_LONG_UNDEF.

* New features

- Support for MLKEM768_X25519 keyshare in TLS. https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
- Added ML-KEM benchmarks to openssl(1) speed.
- Added support for starttls protocol sieve.
- Add support for RSASSA-PSS with pubkey OID RSASSA-PSS to libssl.

* Bug fixes

- Ensure the group selected by a TLSv1.3 server for a HelloRetryRequest is not one for which the client has already sent a key share.
- Plug memory leak in CMS_EncryptedData_encrypt().
- Plug possible memory leak and double free in nref_nos().
- Removed always zero test results for some no longer available legacy primitives in openssl(1) speed.
- List SHA-3 digests in openssl(1) help output.
- Fix encoding of bit strings with trailing zeroes on which ASN1_STRING_FLAG_BITS_LEFT is not set.
- Add missing NULL pointer check to PKCS12_item_decrypt_d2i().
- Avoid type confusion leading to 1-byte read at address 0x00-0xff in PKCS#12 parsing.
- Fix type confusion in timestamp response parsing for v2 signing certs.
- Fix EVP_SealInit() to return 0 on error, not -1.
- Replace incorrect strncmp() with strcmp() in CRL distribution point config parsing.
- openssl x509 -text writes its output to the file specified by -out like all other openssl(1) subcommands.
- Stop Delta CRL processing in the verifier if the cRLNumber is missing. This is flagged on deserialization, but nothing checks that flag. This can lead to a NULL dereference if the verification has enabled Delta CRL checking by setting X509_V_FLAG_USE_DELTAS.
- Fix NULL dereference that can be triggered with malformed OAEP parameter encoding for CMS decryption.
- Add missing length checks before BIO_new_mem_buf() in libtls.
- Improve libtls error reporting consistency, avoid reporting unrelated errnos.
- Fix SAN dNSName constraints: instead of substring matching, match exactly and allow zero or more components in front of the candidate.

* Reliability fix

- Fix off-by-one error in the X.509 verifier depth checking. This can lead to a 4-byte overwrite on heap allocated memory for clients talking to a malicious server or for servers that have client certificate verification enabled. In addition, the maximum depth must be set to the maximum allowed value of 32. Thanks to Calif.io in collaboration with Claude and Anthropic Research, for reporting the issue.

The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community.

Thanks to all of the contributors who helped make this release possible.
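To illustrate the SAN dNSName constraint fix listed under bug fixes, here is an added example (not LibreSSL's code) showing a hypothetical substring-style check beside the corrected rule: the candidate must equal the constraint, or consist of one or more non-empty DNS labels followed by "." and the constraint. Function names and the case-insensitive comparison are assumptions for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/*
 * Illustration only, not LibreSSL's code: a hypothetical dNSName
 * name-constraint check in a flawed substring form and in the form the
 * release notes describe (exact match, or zero or more whole DNS labels
 * in front of the constraint). Matching is case-insensitive.
 */

/* Flawed: compares only the trailing bytes, with no label boundary,
 * so "evilexample.com" is accepted under the constraint "example.com". */
static bool
dnsname_constraint_match_substring(const char *candidate, const char *constraint)
{
	size_t clen = strlen(candidate), nlen = strlen(constraint);

	if (nlen == 0 || nlen > clen)
		return false;
	return strncasecmp(candidate + clen - nlen, constraint, nlen) == 0;
}

/* Corrected: exact match, or "label(.label)*." followed by the constraint,
 * where every label in front of the constraint must be non-empty. */
static bool
dnsname_constraint_match(const char *candidate, const char *constraint)
{
	size_t clen = strlen(candidate), nlen = strlen(constraint);
	size_t prefix_len, i;

	if (nlen == 0 || nlen > clen)
		return false;
	if (strcasecmp(candidate + clen - nlen, constraint) != 0)
		return false;
	if (clen == nlen)
		return true;	/* exact match: zero labels in front */

	/* The prefix must end in '.' and contain no empty labels. */
	prefix_len = clen - nlen;
	if (candidate[prefix_len - 1] != '.' || candidate[0] == '.')
		return false;
	for (i = 1; i < prefix_len; i++) {
		if (candidate[i] == '.' && candidate[i - 1] == '.')
			return false;	/* e.g. "a..example.com" */
	}
	return true;
}
```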
