A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.5.4 2023-02-07T15:59:30+00:00 2023-02-07T15:59:30+00:00 bluhm 2023-02-07T15:59:30+00:00 urn:sha1:ad1c8162ed483dc5234494f59b209481e4a44243 The ASN.1 template for GENERAL_NAME and its corresponding C structure disagree on the type of the x400Address member. This results in an ASN.1 string to be considered as an ASN.1 type, which allows an attacker to read (essentially) arbitrary memory. Fix this by forcing comparison as strings. While the underlying type confusion has been present since time immemorial, this particular bug came with the EdiPartyName fix (6.8/008_asn1.patch.sig). Reported by David Benjamin, fix suggested by jsing. Release date for this was set to be January 31. Unilaterally pushed back to February 7 by OpenSSL by way of announcement of many completely unrelated embargoed issues, some of which they had been sitting on since July 2020. from tb@; OK beck@ jsing@ this is errata/7.1/022_x509.patch.sig 2022-05-14T15:06:09+00:00 tb 2022-05-14T15:06:09+00:00 urn:sha1:9f9c4fab3ed4b876aac3fa82d052dca0c1af9827 Due to a confusion of two CBS, the API would incorrectly advance the *der_in pointer, resulting in a DER parse failure. Issue reported by Aram Sargsyan ok jsing This is patches/7.1/004_asn1.patch.sig 2022-04-10T12:42:33+00:00 inoguchi 2022-04-10T12:42:33+00:00 urn:sha1:c694612e6569c6b13f7f2c75a3a1c4d9479509c2 'flags' should have ASN1_OBJECT_FLAG_DYNAMIC_DATA bit to free 'data' by ASN1_OBJECT_free as c2i_ASN1_OBJECT_cbs does. ok jsing@ tb@ 2022-04-07T17:38:24+00:00 tb 2022-04-07T17:38:24+00:00 urn:sha1:3340c71f78097b15a0cacb114e0b6c483ad85c02 DSA private keys with ill-chosen g could cause an infinite loop on deserializing. Add a few sanity checks that ensure that g is according to the FIPS 186-4: check 1 < g < p and g^q == 1 (mod p). This is enough to ascertain that g is a generator of a multiplicative group of order q once we know that q is prime (which is checked a bit later). Issue reported with reproducers by Hanno Boeck. Additional variants and analysis by David Benjamin. ok beck jsing 2022-04-07T17:37:25+00:00 tb 2022-04-07T17:37:25+00:00 urn:sha1:1061feec63ce8eec5e559ca2697b80bc73044484 If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely. Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin. ok beck jsing 2022-03-31T17:30:05+00:00 naddy 2022-03-31T17:30:05+00:00 urn:sha1:3d8a2499d7a0a70420723f21fbf735e079a6e74c 2022-03-31T17:27:26+00:00 naddy 2022-03-31T17:27:26+00:00 urn:sha1:3d8be07546f5ec331a0f851b0ea88212376ebb95 jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@ 2022-03-31T13:04:47+00:00 tb 2022-03-31T13:04:47+00:00 urn:sha1:31dad1243d69de787b0589750cc4b78379c43734 p is allocated by asprintf() in one of the *_from_tm() functions, so it needs to be freed as in the other error path below. CID 346194 ok jsing 2022-03-31T13:00:58+00:00 tb 2022-03-31T13:00:58+00:00 urn:sha1:91087446015ebb4341a9f7c6accff0e586a0ba5d d2i_EC_PRIVATEKEY() can handle the allocation of priv_key internally, no need to do this up front and reach it through the dangerous reuse mechanism. There's also no point in freeing a variable we know to be NULL. ok jsing 2022-03-30T07:17:48+00:00 tb 2022-03-30T07:17:48+00:00 urn:sha1:c650ef2b4f969ce6b8d9a39f9e86c5e181dfafbc It is possible to call pmeth->cleanup() with an EVP_PKEY_CTX whose data is NULL. If pmeth->init() in int_ctx_new() fails, EVP_PKEY_CTX_free() is called with such a context. This in turn calls pmeth->cleanup(), and thus these cleanup functions must be careful not to use NULL data. Most of them are, but one of GOST's functions and HMAC's aren't. Reported for HMAC by Masaru Masada https://github.com/libressl-portable/openbsd/issues/129 ok bcook jsing