A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_7 2025-10-23T15:27:27+00:00 2025-10-23T15:27:27+00:00 tb 2025-10-23T15:27:27+00:00 urn:sha1:b087cd0400f51020d64ecc9afd0c0f8c8abdcf4f When processing the client supported groups and key shares extensions, the group selection is currently based on client preference. However, when building a HRR the preferred group is identified by calling tls1_get_supported_group(). If SSL_OP_CIPHER_SERVER_PREFERENCE is enabled, group selection will be based on server instead of client preference. This in turn can result in the server sending a HRR for a group that the client has already provided a key share for, violating the RFC. Avoid this issue by storing the client preferred group when processing the key share extension, then using this group when creating the HRR. Thanks to dzwdz for identifying and reporting the issue. ok beck@ tb@ from jsing@ This is errata/7.7/013_libssl.patch.sig 2025-03-28T12:13:03+00:00 tb 2025-03-28T12:13:03+00:00 urn:sha1:34d4647beddb60ec830124d4fc67ee4b51155edd 2025-03-13T10:44:36+00:00 sthen 2025-03-13T10:44:36+00:00 urn:sha1:181f99fca485a8c857ea69a0c27cd192bb2d93f4 code #ifdef'ing these and compiled with new headers won't work as expected on earlier libraries minor libtls bump to match libssl bump ok tb@ 2025-03-13T10:26:41+00:00 tb 2025-03-13T10:26:41+00:00 urn:sha1:fa6fcfa10c39c657cc034faabd7bfed5972d48e3 ok miod 2025-03-12T14:03:55+00:00 jsing 2025-03-12T14:03:55+00:00 urn:sha1:b150ad681869b78ec3662f92df947a5790b32862 In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an active connection (client initiated renegotation). Then in May 2017 OpenSSL added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION warning alert if a server receives a ClientHello on an active connection (client initiated renegotation), or a client receives a HelloRequest (server requested renegotation). This option also causes calls to SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021, OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages (apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard). Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION, primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION ineffective. The rest of the behaviour should match OpenSSL, with the exception of ClientHellos triggering fatal alerts instead of warnings. ok tb@ 2025-03-09T15:54:59+00:00 tb 2025-03-09T15:54:59+00:00 urn:sha1:dc2438bcde9b64de27b73dda2d57b4b7b7544645 2025-03-09T15:53:36+00:00 tb 2025-03-09T15:53:36+00:00 urn:sha1:868965d7ddee60d0be2a9a0555eaa25936c7b901 Various ports throw a warning since their tls_session_secret_cb's signature doesn't match what we expect. Aligns us with OpenSSL 1.1. This is only useful for RFC 4851 EAP-FAST implementations and surprisingly it's undocumented. ok jsing 2025-03-09T15:12:18+00:00 tb 2025-03-09T15:12:18+00:00 urn:sha1:b8acfd2983c50474382bf8ed132a5b7e7bdedb34 Some people are concerned that leaking a user name is a privacy issue. Allow disabling the __FILE__ and __LINE__ argument in the error stack to avoid this. This can be improved a bit in tree. From Viktor Szakats in https://github.com/libressl/portable/issues/761 ok bcook jsing 2025-02-04T14:00:05+00:00 tb 2025-02-04T14:00:05+00:00 urn:sha1:34e1b64159d087e05f782ae75be204547c4c12cc 2025-01-18T14:17:05+00:00 tb 2025-01-18T14:17:05+00:00 urn:sha1:9d0a134867a0f5a4df40d59bbd46f54f330d7dea It doesn't need to have optional arguments anymore, so we can pass in values and don't need NULL checks and dereferencing. ok jsing