openbsd, branch libressl-v3.0.2A mirror of https://github.com/libressl/openbsd.git
https://git.lua4.win/openbsd/atom?h=libressl-v3.0.22019-10-10T14:29:22+00:00This commit was manufactured by cvs2git to create branch 'OPENBSD_6_6'.2019-10-10T14:29:22+00:00cvs2svnadmin@example.com2019-10-10T14:29:22+00:00urn:sha1:49a68803553e7feabe91ba07c6c45683be07e010bump internal version to 3.0.22019-10-10T14:29:20+00:00bcook2019-10-10T14:29:20+00:00urn:sha1:9f575b7b67999a0838ebf26803a142688baaacacbump to 3.0.22019-10-10T14:28:48+00:00bcook2019-10-10T14:28:48+00:00urn:sha1:3b4111cb852a3e82e0beb5cb11892eed2c99349eUse EVP_MAX_MD_SIZE instead of SHA_DIGEST_LENGTH and remove OPENSSL_NO_SHA*2019-10-09T16:17:59+00:00jsing2019-10-09T16:17:59+00:00urn:sha1:435a67696ac71b140532868b31909dae30c70c14
conditionals, now that this code handles arbitrary message digests.
ok inoguchi@ tb@
Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.2019-10-04T18:03:56+00:00tb2019-10-04T18:03:56+00:00urn:sha1:03a0a727a85c64d9828255b797ef2d1d59c061df
(Note that the CMS code is currently disabled.)
Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)
tests from bluhm@
ok jsing
commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun Sep 1 00:16:28 2019 +0200
Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)
(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
Use a valid curve when constructing an EC_KEY that looks like X25519.2019-10-04T17:21:24+00:00jsing2019-10-04T17:21:24+00:00urn:sha1:4cd703f8ea6ce1ad19febbcab84532f2943d2b6c
The recent EC group cofactor change results in stricter validation,
which causes the EC_GROUP_set_generator() call to fail.
Issue reported and fix tested by rsadowski@
ok tb@
Provide internal RSA_padding_{add,check}_PKCS1_OAEP_mgf1() functions.2019-10-04T16:51:31+00:00jsing2019-10-04T16:51:31+00:00urn:sha1:1d41f46c2a5e0581e3cba084d53e63f128812374
These are internal only for now and will be made public at a later date.
The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around
the *_mgf1() variant.
ok tb@ inoguchi@ (as part of a larger diff)
Avoid a path traversal bug in s_server on Windows.2019-10-04T09:47:34+00:00bcook2019-10-04T09:47:34+00:00urn:sha1:b29a57bea58d7cd747e966d28767faf30528d923
openssl s_server has an arbitrary read vulnerability on Windows when run with
the -WWW or -HTTP options, due to an incomplete path check logic. Thanks to
Jobert Abma for reporting.
ok tb@
the formatting for the mini synopses in this page did not render well2019-10-04T06:22:51+00:00jmc2019-10-04T06:22:51+00:00urn:sha1:4ce125314d2319097bddaec3cf989e1d336cf4e4
on html or groff. the solution, to replace the non-standard .nr macros
with a hang list, was provided by ingo - thanks!
ok schwarze
Move towards making RSA OAEP functions handle arbitrary message digests.2019-10-03T17:45:27+00:00jsing2019-10-03T17:45:27+00:00urn:sha1:11581776295d0e14eb646d3c3c995dfc20a2c4e6
Based on OpenSSL 1.1.1.
ok tb@, inoguchi@ (on an earlier/larger diff)