<feed xmlns='http://www.w3.org/2005/Atom'>
<title>openbsd/src, branch libressl-v3.8.0</title>
<subtitle>A mirror of https://github.com/libressl/openbsd.git
</subtitle>
<id>https://git.lua4.win/openbsd/atom?h=libressl-v3.8.0</id>
<link rel='self' href='https://git.lua4.win/openbsd/atom?h=libressl-v3.8.0'/>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/'/>
<updated>2023-05-27T13:54:46+00:00</updated>
<entry>
<title>Bump LibreSSL version</title>
<updated>2023-05-27T13:54:46+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-05-27T13:54:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=2f2250317843f203cc5e5a81d870b029d8c8aea9'/>
<id>urn:sha1:2f2250317843f203cc5e5a81d870b029d8c8aea9</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Clean up alignment handling for SHA-512.</title>
<updated>2023-05-27T09:18:17+00:00</updated>
<author>
<name>jsing</name>
<email></email>
</author>
<published>2023-05-27T09:18:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=fce75c36c6fda1fa1488c600abe6490c27e90d75'/>
<id>urn:sha1:fce75c36c6fda1fa1488c600abe6490c27e90d75</id>
<content type='text'>
This recommits r1.37 of sha512.c, but uses uint8_t * instead of void *
for the crypto_load_* functions and primarily uses const uint8_t * to track
input, only casting to const SHA_LONG64 * once we know that it is suitably
aligned. This prevents the compiler from implying alignment based on type.

Tested by tb@ and deraadt@ on platforms with gcc and strict alignment.

ok tb@
</content>
</entry>
<entry>
<title>Remove malloc interposition, a workaround that was once needed for emacs</title>
<updated>2023-05-27T04:33:00+00:00</updated>
<author>
<name>otto</name>
<email></email>
</author>
<published>2023-05-27T04:33:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=79242671d4fc62c0520403a6875e4c4254611365'/>
<id>urn:sha1:79242671d4fc62c0520403a6875e4c4254611365</id>
<content type='text'>
ok guenther@
</content>
</entry>
<entry>
<title>Move verified_chain from SSL to SSL_HANDSHAKE</title>
<updated>2023-05-26T13:44:05+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-05-26T13:44:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=33f6bc89aff8b9c4a1a456d40bfb863802115b1a'/>
<id>urn:sha1:33f6bc89aff8b9c4a1a456d40bfb863802115b1a</id>
<content type='text'>
This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing
</content>
</entry>
<entry>
<title>Forcibly update the EVP_PKEY's internal key</title>
<updated>2023-05-25T07:46:21+00:00</updated>
<author>
<name>op</name>
<email></email>
</author>
<published>2023-05-25T07:46:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=38d31da6097a882f2d9c61b4831257122ba27fc1'/>
<id>urn:sha1:38d31da6097a882f2d9c61b4831257122ba27fc1</id>
<content type='text'>
To aid privilege separation, libtls maintains application-specific data
on the key inside the EVP_PKEY abstraction because the EVP API doesn't
provide a way to do that on the EVP_PKEY itself.

OpenSSL 3 changed behavior of EVP_PKEY_get1_RSA() and related functions.
These now return a struct from some cache.  Thus, modifying the RSA will
no longer modify the EVP_PKEY like it did previously, which was clearly
implied to be the case in the older documentation.
This is a subtle breaking change that affects several applications.

While this is documented, no real solution is provided.  The transition
plan from one OpenSSL major version to the next one tends to involve
many #ifdef in the ecosystem, and the only suggestion provided by the
new documentation is to switch to a completely unrelated, new API.

Instead, forcibly reset the internal key on EVP_PKEY after modification;
this way the change is also picked up by OpenSSL 3.

Fixes issue 1171 in OpenSMTPD-portable

ok tb@, jsing@
</content>
</entry>
<entry>
<title>Update X509_VERIFY_PARAM_inherit() to reflect the change of behavior</title>
<updated>2023-05-24T09:57:50+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-05-24T09:57:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=56399223febab8afe987ce313ede003d9bd49348'/>
<id>urn:sha1:56399223febab8afe987ce313ede003d9bd49348</id>
<content type='text'>
in x509_vpm.c r1.39.
</content>
</entry>
<entry>
<title>Copy the verify param hostflags independently of the host list</title>
<updated>2023-05-24T09:15:14+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-05-24T09:15:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=cb416a0ac54838a4c54249c6c74fbaa3aafa6d6b'/>
<id>urn:sha1:cb416a0ac54838a4c54249c6c74fbaa3aafa6d6b</id>
<content type='text'>
Without this, hostflags set on the SSL_CTX would not propagate to newly
created SSL. This is surprising behavior that was changed in OpenSSL 1.1
by Christian Heimes after the issue was flagged by Quentin Pradet:
https://bugs.python.org/issue43522
This is a version of the fix that landed in OpenSSL.

There used to be a workaround in place in urllib3, but that was removed at
some point. We haven't fixed this earlier since it wasn't reported. It only
showed up after recent fallout of extraordinarily strict library checking
in urllib3 coming from their own interpretation of the implications of
PEP 644.

ok jsing
</content>
</entry>
<entry>
<title>Add a test to verify that an SSL inherits the hostflags from the SSL_CTX</title>
<updated>2023-05-24T08:54:59+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-05-24T08:54:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=0151931d7b9060a9d578a30bd59113ee37d19c9d'/>
<id>urn:sha1:0151931d7b9060a9d578a30bd59113ee37d19c9d</id>
<content type='text'>
This is currently an expected failure that will be fixed shortly.
</content>
</entry>
<entry>
<title>Provide CRYPTO_INT for statically linking libcrypto for libssl regress</title>
<updated>2023-05-24T08:49:06+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-05-24T08:49:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=c30d8915b92324dbd7b7e4ae1afec4b16a034358'/>
<id>urn:sha1:c30d8915b92324dbd7b7e4ae1afec4b16a034358</id>
<content type='text'>
This will be needed for the ssl_verify_param test
</content>
</entry>
<entry>
<title>Provide X509_VERIFY_PARAM_set_hostflags()</title>
<updated>2023-05-24T08:46:01+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-05-24T08:46:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=56ed6e40d9d9c7905b788e788884d3c7302807cc'/>
<id>urn:sha1:56ed6e40d9d9c7905b788e788884d3c7302807cc</id>
<content type='text'>
This is needed for an upcoming regress test that needs to access the
hostflag. This is public API in OpenSSL but since nothing seems to be
using this, this accessor will be kept internal-only for the time being.

ok jsing
</content>
</entry>
</feed>
