author | tb <> | 2020-08-10 18:59:47 +0000 |
---|---|---|
committer | tb <> | 2020-08-10 18:59:47 +0000 |
commit | 5a715e5d56517275cd64092796fb2595209eb962 (patch) | |
tree | e71b2891b8ce65ccefec5a7582a532ae6f33f7f4 /src/lib/libssl/ssl_sigalgs.c | |
parent | a91baa573ac5ab1cbde7a2761d1d1da9501f45ec (diff) | |
LibreSSL 3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:
* Improve client certificate selection to allow EC certificates
instead of only RSA certificates.
* Do not error out if a TLSv1.3 server requests an OCSP response as
part of a certificate request.
* Fix SSL_shutdown behavior to match the legacy stack. The previous
behaviour could cause a hang.
* Fix a memory leak and add a missing error check in the handling of
the key update message.
* Fix a memory leak in tls13_record_layer_set_traffic_key.
* Avoid calling freezero with a negative size if a server sends a
malformed plaintext of all zeroes.
* Ensure that only PSS may be used with RSA in TLSv1.3 in order
to avoid using PKCS1-based signatures.
* Add the P-521 curve to the list of curves supported by default
in the client.
This is errata/6.7/019_libssl.patch.sig
Diffstat (limited to 'src/lib/libssl/ssl_sigalgs.c')
-rw-r--r-- | src/lib/libssl/ssl_sigalgs.c | 8 |
1 files changed, 7 insertions, 1 deletions
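--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.20 2019/04/01 02:09:21 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.20.8.1 2020/08/10 18:59:47 tb Exp $ */
 /*
 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
 *
@@ -322,6 +322,12 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
 tls_sigalgs_len)) == NULL)
 continue;
 
+/* RSA cannot be used without PSS in TLSv1.3. */
+if (TLS1_get_version(s) >= TLS1_3_VERSION &&
+sigalg->key_type == EVP_PKEY_RSA &&
+(sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
+continue;
+
 if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve))
 return sigalg;
 }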
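Review bot: The new guard in `ssl_sigalg_select()` only filters the algorithm chosen for our own signature. Nothing visible in this hunk applies the same RSA-without-PSS restriction where a peer's CertificateVerify algorithm is accepted, so that path is worth confirming separately; it may already be handled elsewhere. The guard also relies on `TLS1_get_version(s)` already reflecting the negotiated version when selection runs, which cannot be confirmed from these lines. The comment could say why the rule exists, e.g. `/* RFC 8446 4.2.3: rsa_pkcs1_* is for certificate signatures only; handshake signatures with RSA keys must use PSS. */`. The function body starts and ends outside the hunk, so what is returned when every offered RSA entry is skipped is not visible; a regress case with a peer offering only `rsa_pkcs1_*` would pin that failure path.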