summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto
diff options
context:
space:
mode:
authortb <>2021-02-03 07:06:14 +0000
committertb <>2021-02-03 07:06:14 +0000
commit70029edfad38276befdaee62f4fe7e084070c0cd (patch)
tree9f524641600313fef6d235a1c7bfeced27fbe075 /src/lib/libcrypto
parent7708b34c3988d3cd2e01b8bd5d4f1a64461e6464 (diff)
downloadopenbsd-70029edfad38276befdaee62f4fe7e084070c0cd.tar.gz
openbsd-70029edfad38276befdaee62f4fe7e084070c0cd.tar.bz2
openbsd-70029edfad38276befdaee62f4fe7e084070c0cd.zip
This is errata/6.8/013_libressl.patch.siglibressl-v3.2.4
Various interoperability issues and memory leaks were discovered in libcrypto and libssl. The new verifier is not bug compatible with the old verifier and caused many issues by failing to propagate errors correctly, returning different error codes than some software was trained to expect and otherwise failing when it shouldn't. While much of this is fixed in -current, it's still not perfect, so switching back to the legacy verifier is preferable at this point. Other included fixes: * Unbreak DTLS retransmissions for flights that include a CCS * Only check BIO_should_read() on read and BIO_should_write() on write * Implement autochain for the TLSv1.3 server * Use the legacy verifier for AUTO_CHAIN * Implement exporter for TLSv1.3 * Free alert_data and phh_data in tls13_record_layer_free() * Plug leak in x509_verify_chain_dup() * Free the policy tree in x509_vfy_check_policy() Original commits by jsing and tb ok inoguchi jsing
Diffstat (limited to 'src/lib/libcrypto')
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c4
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c7
-rw-r--r--src/lib/libcrypto/x509/x509_vpm.c4
3 files changed, 10 insertions, 5 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 0c32cd04b7..be70ff8372 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_verify.c,v 1.13 2020/09/26 15:44:06 jsing Exp $ */ 1/* $OpenBSD: x509_verify.c,v 1.13.4.1 2021/02/03 07:06:13 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -81,7 +81,7 @@ x509_verify_chain_dup(struct x509_verify_chain *chain)
81{ 81{
82 struct x509_verify_chain *new_chain; 82 struct x509_verify_chain *new_chain;
83 83
84 if ((new_chain = x509_verify_chain_new()) == NULL) 84 if ((new_chain = calloc(1, sizeof(*chain))) == NULL)
85 goto err; 85 goto err;
86 if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL) 86 if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL)
87 goto err; 87 goto err;
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index fe1431ce49..931adb84bc 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vfy.c,v 1.81 2020/09/26 02:06:28 deraadt Exp $ */ 1/* $OpenBSD: x509_vfy.c,v 1.81.4.1 2021/02/03 07:06:13 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1794,6 +1794,11 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
1794 1794
1795 if (ctx->parent) 1795 if (ctx->parent)
1796 return 1; 1796 return 1;
1797
1798 /* X509_policy_check always allocates a new tree. */
1799 X509_policy_tree_free(ctx->tree);
1800 ctx->tree = NULL;
1801
1797 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, 1802 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1798 ctx->param->policies, ctx->param->flags); 1803 ctx->param->policies, ctx->param->flags);
1799 if (ret == 0) { 1804 if (ret == 0) {
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 448ee20984..d4715228dc 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vpm.c,v 1.22 2020/09/14 08:10:04 beck Exp $ */ 1/* $OpenBSD: x509_vpm.c,v 1.22.4.1 2021/02/03 07:06:13 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004. 3 * project 2004.
4 */ 4 */
@@ -177,7 +177,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param)
177 param->trust = 0; 177 param->trust = 0;
178 /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/ 178 /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
179 param->inh_flags = 0; 179 param->inh_flags = 0;
180 param->flags = 0; 180 param->flags = X509_V_FLAG_LEGACY_VERIFY;
181 param->depth = -1; 181 param->depth = -1;
182 if (param->policies) { 182 if (param->policies) {
183 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); 183 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);