openbsd/src/lib, branch libressl-v4.2.1

openbsd/src/lib, branch libressl-v4.2.1 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v4.2.1 2025-10-23T15:26:57+00:00 Ensure that we specify the correct group when creating a HelloRetryRequest. 2025-10-23T15:26:57+00:00 tb 2025-10-23T15:26:57+00:00 urn:sha1:a0dca9ee89cde95a556cd215202b7542ee5f598f When processing the client supported groups and key shares extensions, the group selection is currently based on client preference. However, when building a HRR the preferred group is identified by calling tls1_get_supported_group(). If SSL_OP_CIPHER_SERVER_PREFERENCE is enabled, group selection will be based on server instead of client preference. This in turn can result in the server sending a HRR for a group that the client has already provided a key share for, violating the RFC. Avoid this issue by storing the client preferred group when processing the key share extension, then using this group when creating the HRR. Thanks to dzwdz for identifying and reporting the issue. ok beck@ tb@ from jsing@ This is errata/7.8/003_libssl.patch.sig cms: fix incorrect length check in kek_unwrap_key() 2025-09-30T12:51:16+00:00 tb 2025-09-30T12:51:16+00:00 urn:sha1:0da76a9548849eb542ab090dc5eace7a2be789cb An incorrect length check can result in a 4-byte overwrite and an 8-byte overread. From Stanislav Fort and Viktor Dukhovni via OpenSSL. CVE-2025-9230. ok jsing cms_RecipientInfo_pwri_crypt: fix incorrect return check 2025-09-30T12:49:34+00:00 tb 2025-09-30T12:49:34+00:00 urn:sha1:4867be3b7736b15337f62460c0a92c9f3f6f5005 ok jsing cms_RecipientInfo_pwri_crypt: plug leak of kekalg 2025-09-30T12:46:55+00:00 tb 2025-09-30T12:46:55+00:00 urn:sha1:9c492217dca486db9aacff39780c63445db043a4 ok jsing libcrypto: rsa gen: min. distance between p and q 2025-09-29T08:46:15+00:00 jan 2025-09-29T08:46:15+00:00 urn:sha1:46c56e258ad51543fa1d174ca9568ef545233a34 This is required in NIST Special Publication 800-56B Revision 2 "Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography": 6 RSA Key Pairs 6.2 Criteria for RSA Key Pairs for Key Establishment 6.2.1 Definition of a Key Pair 3. The prime factors p and q shall be generated using one of the methods specified in Appendix B.3 of FIPS 186 such that: c. |p – q| > 2nBits/2−100 ok djm@, tb@ Bump libressl version to 4.2.0 2025-09-28T14:17:52+00:00 tb 2025-09-28T14:17:52+00:00 urn:sha1:3d7417f2050e2c59d3bc34048d7ddf7f9335c1e0 The version check will break the rust-openssl regress unless you have rust-openssl-tests-20250927p0. Revert NULL,0 -> OPENSSL_FILE,OPENSSL_LINE from r1.78 2025-09-28T07:52:53+00:00 tb 2025-09-28T07:52:53+00:00 urn:sha1:dee41641c860153d9ff3214fdf9f43ae9a10429c This wasn't part of the initial proposal and causes issues in curl downstream. We could pile more hacks on top of this, but at some point this is getting too silly. Relatedly, most of the FOOerr() could be removed, although PEMerr(), RSAerr() and SSLerr() are used by some downstreams and probably not worth patching out. Discussed with @vszakats in https://github.com/libressl/portable/issues/1154 mlkem_generate_key_external_entropy: normalize sizeof() use 2025-09-16T06:12:04+00:00 tb 2025-09-16T06:12:04+00:00 urn:sha1:c0502723cf1da15eab87e3434cd70dfaae2910f6 Simplify MLKEM_{private,public}_key_new() 2025-09-16T06:10:24+00:00 tb 2025-09-16T06:10:24+00:00 urn:sha1:e7b57a14f72bfb330c5d26dd387f302ecbb52b42 This removes two unnecessary variables in each of these functions, normalizes the sizeof() use and undoes unnecessary line wraps. ok deraadt djm kenjiro aes: move explicit_bzero() after NULL check 2025-09-15T07:36:12+00:00 tb 2025-09-15T07:36:12+00:00 urn:sha1:1f8d0b443d28c5e431333f56e1a6384d8123e15c CID 621601 621602 ok djm jsg jsing miod