A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_6_9_BASE 2021-04-15T14:15:03+00:00 2021-04-15T14:15:03+00:00 tb 2021-04-15T14:15:03+00:00 urn:sha1:013c39e97f0af8342cdb560b4a2a45f87602f7b7 This is disappointing as a lot of work was put into the new verifier during this cycle. However, there are still too many known bugs and incompatibilities. It is better to be faced with known broken behavior than with new broken behavior and to switch now rather than via errata. This way we have another cycle to iron out the kinks and to fix some of the remaining bugs. ok jsing 2021-04-05T07:02:50+00:00 tb 2021-04-05T07:02:50+00:00 urn:sha1:57e3ff55d71172acc1caf21e8c346e67b7089676 For dynamically allocated verify parameters, param->name is only ever set in X509_VERIFY_set1_name() where the old one is freed and the new one is assigned via strdup(). Setting it to NULL without freeing it beforehand is a leak. looks correct to millert, ok inoguchi 2021-03-31T16:51:06+00:00 tb 2021-03-31T16:51:06+00:00 urn:sha1:a2c7dc9f61c905842b4ecaed7ee8beba13289e15 ok bcook inoguchi jsing 2021-03-19T18:52:14+00:00 tb 2021-03-19T18:52:14+00:00 urn:sha1:7a958181310bd7835ec408fe536f58123486fc76 Found the hard way by lists y42 org via an OCSP validation failure that in turn caused pkg_add over TLS to fail. Detailed report by sthen. ok sthen 2021-03-13T23:01:49+00:00 tobhe 2021-03-13T23:01:49+00:00 urn:sha1:0c378cc53837d51d2f3a48a028d7726d2a78d8d7 x509v3_cache_extensions(). ok tb@ 2021-03-12T15:57:30+00:00 tb 2021-03-12T15:57:30+00:00 urn:sha1:266aa0aa5323d0e87855e9e761085c9b055a4f10 suggested by jsing 2021-03-12T15:55:26+00:00 tb 2021-03-12T15:55:26+00:00 urn:sha1:93c437239760ae62e33d9a36197c37c8dec288b3 ok jsing 2021-03-12T15:53:38+00:00 tb 2021-03-12T15:53:38+00:00 urn:sha1:430ac1ca1c8120f48481984e640aa9977f780961 x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512. Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked. cluebat/ok jsing ok inoguchi on earlier version 2021-02-26T15:19:41+00:00 tb 2021-02-26T15:19:41+00:00 urn:sha1:d39817e2eea4f130aa37342af07d31565eb6c161 If we're about to add a chain we have a trust path, so we have at least one trusted certificate. This fixes a thinko from r1.31 and fixes the openssl(1) cms verify test. ok jsing (who had the same diff) 2021-02-25T17:29:22+00:00 tb 2021-02-25T17:29:22+00:00 urn:sha1:f801668b7f20816ead496f22d533135350a4deda To integrate the new X.509 verifier, X509_verify_cert() was refactored. The code building chains in the legacy verifier was split into a separate function. The first bug is that its return value was treated as a Boolean although it wasn't. Second, the return alone is not enough to decide whether to carry on the validation or not. Slightly rearrange things to restore the behavior of the legacy verifier prior to this refactoring. Issue found and test case provided by Anton Borowka and jan. ok jan jsing