A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.8.2 2023-10-01T22:14:36+00:00 2023-10-01T22:14:36+00:00 tb 2023-10-01T22:14:36+00:00 urn:sha1:801723e5c82440629905965bd58e34dc2f2d62a7 ASN1_TIME_compare() compares two times t1 and t2. Due to a copy-paste error, we would do ASN1_time_parse(t1->data, t2->length, &tm2, t2->type) Now if t1 is a UTCTime (length 13) and t2 is a GeneralizedTime (length 15), the worst that could happen is a 2-byte out-of-bounds read. Fortunately, t1 will already have parsed as a UTCTime, so it will have a Z where there should be the first digit of the seconds for a GeneralizedTime and we will error out. Now if both t1 and t2 have the same type, we will parse t1's data twice and we will return an incorrect comparison. This could have some security impact if anything relied on this function for security purposes. It is unused in our tree and unused in our ports tree ports and the only consumer I could find was some MongoDB things doing OCSP, so this won't be too bad. Then of course there's also the language bindings. Issue reported by Duncan Thomson at esri dot com via libressl-security ok beck deraadt 2023-08-30T10:13:12+00:00 job 2023-08-30T10:13:12+00:00 urn:sha1:1b9ecfa7cff0a57d523522d8d77745aaebf3da47 OK tb@ 2023-08-15T18:05:15+00:00 tb 2023-08-15T18:05:15+00:00 urn:sha1:2241a2de986c88d243f72c0f2b18a8efd3478520 2023-08-15T17:40:06+00:00 tb 2023-08-15T17:40:06+00:00 urn:sha1:a4680335ab2e7a1fe55d95eb8ed3999a07570ce9 2023-08-15T17:38:00+00:00 tb 2023-08-15T17:38:00+00:00 urn:sha1:cc9f1360c7d1412dcf9c79e0d37328353a91d6e7 ok jsing miod 2023-07-28T13:30:07+00:00 jsg 2023-07-28T13:30:07+00:00 urn:sha1:3533ccfbce70fcfaf4223aaa815d97590210a9f9 public symbol removed in April ok tb@ 2023-07-28T10:33:13+00:00 tb 2023-07-28T10:33:13+00:00 urn:sha1:b8d30e719ace66cc62ab262ddf8f89df4046d5e8 This removes ASN1_BIT_STRING_name_print(), ASN1_BIT_STRING_{num,set}_asc(). Before trust was properly handled using OIDs, there was a period where it used bit strings. The actual interfaces used in openssl x509 were removed, but the functions they wrapped remained unused for the next 24 years. ok jsing 2023-07-28T10:30:16+00:00 tb 2023-07-28T10:30:16+00:00 urn:sha1:e2147417de87aad6ba65ecc032ecbc394ba9b139 This was added with the TS code for no discernible reason. I could not find a single consumer. In the unlikely event that you need this, it is easy enough to write a better version of it yourself. ok jsing 2023-07-28T10:02:11+00:00 tb 2023-07-28T10:02:11+00:00 urn:sha1:f72d08156c2afabfd1c38468eca631a5afed0f79 ASN1_bn_print() is a hilariously bad API that was replaced with a saner interface internally. ASN1_buf_print() isn't terrible, but it is too specialized to be of real use. It was only exposed because ASN1_bn_print() was already there. Its only use had been in the EdDSA printing code before it was replaced with an internal helper. ok jsing 2023-07-28T10:00:10+00:00 tb 2023-07-28T10:00:10+00:00 urn:sha1:6602851323526cd6d822de23c4b19db917aa927a These were long removed from the public OpenSSL API, so we can do the same. Remove ASN1_template_{d2i,i2d}() - those are unused internally. ok jsing