<feed xmlns='http://www.w3.org/2005/Atom'>
<title>openbsd/src/lib/libssl/Makefile, branch master</title>
<subtitle>A mirror of https://github.com/libressl/openbsd.git
</subtitle>
<id>https://git.lua4.win/openbsd/atom?h=master</id>
<link rel='self' href='https://git.lua4.win/openbsd/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/'/>
<updated>2026-04-03T07:26:20+00:00</updated>
<entry>
<title>Remove ssl_server_legacy_first_packet()</title>
<updated>2026-04-03T07:26:20+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2026-04-03T07:26:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=ba2c2f6b31a0d325528b48899a6a12f650464c2f'/>
<id>urn:sha1:ba2c2f6b31a0d325528b48899a6a12f650464c2f</id>
<content type='text'>
This has not been reachable since we made the TLSv1.3 stack the default
entry point - tls13_record_layer_read_record() will send a protocol
version alert and raise an error, which means we never transition into
the legacy stack.

ok kenjiro@
</content>
</entry>
<entry>
<title>Add include path for crypto_arch.h.</title>
<updated>2024-08-11T13:05:43+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2024-08-11T13:05:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=341dbacd0684abaf44bcebf3bf3e63879c853b29'/>
<id>urn:sha1:341dbacd0684abaf44bcebf3bf3e63879c853b29</id>
<content type='text'>
</content>
</entry>
<entry>
<title>ssl2.h and ssl23.h join the party in the attic</title>
<updated>2024-07-13T18:33:18+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2024-07-13T18:33:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=f5b8bec4f31efdcdb08519f0081a8e1c0ad0fa7a'/>
<id>urn:sha1:f5b8bec4f31efdcdb08519f0081a8e1c0ad0fa7a</id>
<content type='text'>
Now that the SSL2 client hello support is gone, nothing uses this anymore,
except that a few ports still need SSL2_VERSION.

ok beck
</content>
</entry>
<entry>
<title>Actually enable namespaced builds in both libcrypto and libssl</title>
<updated>2024-07-09T09:39:14+00:00</updated>
<author>
<name>beck</name>
<email></email>
</author>
<published>2024-07-09T09:39:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=54b6e05f31be6c330d091e640680a068cf9124fc'/>
<id>urn:sha1:54b6e05f31be6c330d091e640680a068cf9124fc</id>
<content type='text'>
(instead of committing only one part)
</content>
</entry>
<entry>
<title>Implement RSA key exchange in constant time.</title>
<updated>2024-06-25T14:10:45+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2024-06-25T14:10:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=dd9ce93fac0548a1fd292d2d756a968f576f40de'/>
<id>urn:sha1:dd9ce93fac0548a1fd292d2d756a968f576f40de</id>
<content type='text'>
RSA key exchange is known to have multiple security weaknesses,
including being potentially susceptible to padding oracle and timing
attacks.

The RSA key exchange code that we inherited from OpenSSL was riddled
with timing leaks, many of which we fixed (or minimised) early on.
However, a number of issues still remained, particularly those
related to libcrypto's RSA decryption and padding checks.

Rework the RSA key exchange code such that we decrypt with
RSA_NO_PADDING and then check the padding ourselves in constant
time. In this case, the pre-master secret is of a known length,
hence the padding is also a known length based on the size of the
RSA key. This makes it easy to implement a check that is much safer
than having RSA_private_decrypt() depad for us.

Regardless, we still strongly recommend disabling RSA key exchange
and using other key exchange methods that provide perfect forward
secrecy and do not depend on client generated keys.

Thanks to Marcel Maehren, Nurullah Erinola, Robert Merget, Juraj
Somorovsky, Joerg Schwenk and Hubert Kario for raising these issues
with us at various points in time.

ok tb@
</content>
</entry>
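The check the commit above describes, as an added example that is not LibreSSL code: decrypt with no padding, then verify the PKCS#1 v1.5 structure at fixed offsets, because the 48-byte pre-master secret makes the padding length a function of the key size alone. It is written in Python (LibreSSL's own code is C) around a constructed, deliberately insecure toy RSA key. The function names are assumptions; the random-fallback handling and the client_version check come from RFC 5246 section 7.4.7.1, not from the commit message.

```python
import secrets

# Constructed toy key: two Mersenne primes, chosen so the arithmetic is
# easy to verify.  Special-form primes are trivially factorable; this is
# for illustration only and must never be used for a real key.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus size in bytes (81 here)
PMS_LEN = 48                         # the TLS pre-master secret is always 48 bytes


def rsa_raw(block, exponent):
    """Textbook RSA on a K-byte block: the equivalent of RSA_NO_PADDING."""
    return pow(int.from_bytes(block, "big"), exponent, N).to_bytes(K, "big")


def pkcs1_v15_pad(pms):
    """Client side.  EM = 0x00 || 0x02 || PS || 0x00 || PMS, where PS is
    random, contains no zero byte and fills the block (K - 3 - 48 bytes,
    30 with this key)."""
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(K - 3 - len(pms)))
    return b"\x00\x02" + ps + b"\x00" + pms


def depad_pms_ct(em, client_version, fallback):
    """Server side.  em is the raw RSA output.  Because the pre-master
    secret has a fixed length, the padding length is known from the key
    size alone, so every byte is checked at a fixed offset and every
    mismatch is OR-ed into one accumulator: no data-dependent branch, no
    early exit.  On failure the caller receives `fallback` (a random
    48-byte secret, the RFC 5246 7.4.7.1 countermeasure) and ok == 0; the
    handshake then continues and fails later at the Finished MAC, which
    keeps a padding failure indistinguishable from a wrong key.
    CPython gives no constant-time guarantee; this shows the shape."""
    ps_len = K - 3 - PMS_LEN
    bad = 0
    bad |= em[0] ^ 0x00
    bad |= em[1] ^ 0x02
    for i in range(2, 2 + ps_len):
        bad |= int(em[i] == 0)           # PS may not contain a zero byte
    bad |= em[2 + ps_len] ^ 0x00
    pms = em[3 + ps_len:]
    bad |= pms[0] ^ client_version[0]    # first two PMS bytes echo the
    bad |= pms[1] ^ client_version[1]    # client_version (RFC 5246 7.4.7.1)
    ok = int(bad == 0)
    # branch-free select: ok == 1 picks pms, ok == 0 picks fallback
    out = bytes(f ^ ((p ^ f) * ok) for p, f in zip(pms, fallback))
    return out, ok


def server_recover_pms(ciphertext, client_version):
    em = rsa_raw(ciphertext, D)                  # decrypt with no padding
    fallback = secrets.token_bytes(PMS_LEN)      # drawn before the check
    return depad_pms_ct(em, client_version, fallback)


def roundtrip():
    """Well-formed ClientKeyExchange: returns (ok, pms matched)."""
    version = b"\x03\x03"                        # TLS 1.2
    pms = version + secrets.token_bytes(PMS_LEN - 2)
    ct = rsa_raw(pkcs1_v15_pad(pms), E)
    got, ok = server_recover_pms(ct, version)
    return ok, got == pms


def tampered():
    """One ciphertext bit flipped: the padding check fails and the server
    carries on with the random fallback.  Returns ok (expected 0)."""
    version = b"\x03\x03"
    pms = version + secrets.token_bytes(PMS_LEN - 2)
    ct = bytearray(rsa_raw(pkcs1_v15_pad(pms), E))
    ct[-1] ^= 0x01
    _, ok = server_recover_pms(bytes(ct), version)
    return ok


if __name__ == "__main__":
    print("roundtrip:", roundtrip())
    print("tampered: ok =", tampered())
```

The point is the shape of depad_pms_ct: every byte is inspected unconditionally, all mismatches land in one accumulator, and the output is chosen by arithmetic rather than by an if, so the server does the same work whether or not the padding was valid. Letting RSA_private_decrypt() strip the padding instead leaves that decision, and its error path, inside libcrypto where the length is not known in advance.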
<entry>
<title>Unhook and remove the now even more useless ssl_algs.c than it was before.</title>
<updated>2023-11-22T15:55:28+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-11-22T15:55:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=e48c697c099dba5cedf695d7fbd564b5fc740d59'/>
<id>urn:sha1:e48c697c099dba5cedf695d7fbd564b5fc740d59</id>
<content type='text'>
ok jsing
</content>
</entry>
<entry>
<title>unifdef the LIBRESSL_HAS_TLS1_3_[CLIENT|SERVER] goo</title>
<updated>2023-07-06T07:56:32+00:00</updated>
<author>
<name>beck</name>
<email></email>
</author>
<published>2023-07-06T07:56:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=deb33f171f3135e4367961ec4388c20da87f41c8'/>
<id>urn:sha1:deb33f171f3135e4367961ec4388c20da87f41c8</id>
<content type='text'>
And remove the tendrils. This was useful for transition but we are now
well past this.
</content>
</entry>
<entry>
<title>Use -Wshadow with clang</title>
<updated>2023-05-05T21:23:02+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-05-05T21:23:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=549cbe92324cb49a0d9fce29e4ece1813496c88b'/>
<id>urn:sha1:549cbe92324cb49a0d9fce29e4ece1813496c88b</id>
<content type='text'>
ok jsing (a very long time ago)
</content>
</entry>
<entry>
<title>Add support for symbol hiding disabled by default.</title>
<updated>2022-11-11T11:25:18+00:00</updated>
<author>
<name>beck</name>
<email></email>
</author>
<published>2022-11-11T11:25:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=0ba6b15619d4e4feafccdbd0226ee99b70553a11'/>
<id>urn:sha1:0ba6b15619d4e4feafccdbd0226ee99b70553a11</id>
<content type='text'>
Fully explained in libcrypto/README. TL;DR make sure libcrypto
and libssl's function calls internally and to each other are via
symbol names that won't get overridden by linking other libraries.

Mostly work by guenther@, which will currently be gated behind a
build setting NAMESPACE=yes. Once we convert all the symbols to
this method we will do a major bump and pick up the changes.

ok tb@ jsing@
</content>
</entry>
<entry>
<title>Deduplicate peer certificate chain processing code.</title>
<updated>2022-08-17T07:39:19+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2022-08-17T07:39:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=5f133a78eec6f3a2549c066b9a561d6350d6e07a'/>
<id>urn:sha1:5f133a78eec6f3a2549c066b9a561d6350d6e07a</id>
<content type='text'>
Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@
</content>
</entry>
</feed>
