A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_0 2022-03-15T15:54:26+00:00 2022-03-15T15:54:26+00:00 tb 2022-03-15T15:54:26+00:00 urn:sha1:76591ba244323a2970ad751e551ba496278315b1 A bug in the implementation of the Tonelli-Shanks algorithm can lead to an infinite loop. This loop can be hit in various ways, in particular on decompressing an elliptic curve public key via EC_POINT_oct2point() - to do this, one must solve y^2 = x^3 + ax + b for y, given x. If a certificate uses explicit encoding for elliptic curve parameters, this operation needs to be done during certificate verification, leading to a DoS. In particular, everything dealing with untrusted certificates is affected, notably TLS servers explicitly configured to request client certificates (httpd, smtpd, various VPN implementations, ...). Ordinary TLS servers do not consume untrusted certificates. The problem is that we cannot assume that x^3 + ax + b is actually a square on untrusted input and neither can we assume that the modulus p is a prime. Ensuring that p is a prime is too expensive (it would likely itself lead to a DoS). To avoid the infinite loop, fix the logic to be more resilient and explicitly limit the number of iterations that can be done. The bug is such that the infinite loop can also be hit for primes = 3 (mod 4) but fortunately that case is optimized earlier. It's also worth noting that there is a size bound on the field size enforced via OPENSSL_ECC_MAX_FIELD_BITS (= 661), which help mitigate further DoS vectors in presence of this fix. Reported by Tavis Ormandy and David Benjamin, Google Patch based on the fixes by David Benjamin and Tomas Mraz, OpenSSL ok beck inoguchi This is errata/7.0/016_bignum.patch.sig 2021-11-24T09:28:56+00:00 tb 2021-11-24T09:28:56+00:00 urn:sha1:0f0b16dc977f6ca499f0f4540078d992c96da597 certificate chain. This would happen when the verification callback was in use, instructing the verifier to continue unconditionally. This could lead to incorrect decisions being made in software. This is patches/common/006_x509.patch.sig 2021-09-30T18:16:13+00:00 cvs2svn admin@example.com 2021-09-30T18:16:13+00:00 urn:sha1:d7513e7d4daf94905fd4cb0a5e5c89109d2874f7 2021-09-19T09:15:22+00:00 tb 2021-09-19T09:15:22+00:00 urn:sha1:f7454b8bede1be416adc77267c65bdcb40ee9f98 This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely. Discussed with deraadt and otto 2021-09-16T19:25:30+00:00 jsing 2021-09-16T19:25:30+00:00 urn:sha1:30d2e422df85a55715b7f1da39294259d57b2b4f When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio. Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent. Joint work with tb@ ok tb@ 2021-09-15T17:14:26+00:00 tb 2021-09-15T17:14:26+00:00 urn:sha1:87ad048671e38be9ceea42ed9e24726a49a0167b 2021-09-14T23:07:18+00:00 inoguchi 2021-09-14T23:07:18+00:00 urn:sha1:76f3844ea887613e8a6df2ccc1f84d9ac93169b3 "typedef struct ssl_st SSL;" is defined in ossl_typ.h. This reverts part of r1.204. ok tb@ 2021-09-14T14:35:09+00:00 tb 2021-09-14T14:35:09+00:00 urn:sha1:746c55aa543d6248b92ed473eba70fcb07059390 2021-09-14T14:31:21+00:00 tb 2021-09-14T14:31:21+00:00 urn:sha1:2b3f71d6bd6fb2c09b1e9b6022796a88a8ac4f7f The p5-Net-SSLeay test expects the info callback to be called on connect exit. This is the behavior in the legacy stack but wasn't implemented in the TLSv1.3 stack. With this commit, p5-Net-SSLeay tests are happy again after the bump. ok bluhm inoguchi jsing 2021-09-14T14:30:57+00:00 schwarze 2021-09-14T14:30:57+00:00 urn:sha1:893064c29739c4260c6617f7fdd94a8a802ae9cb stub, written from scratch; OK tb@ on SSL_set_psk_use_session_callback.3