summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Fix infinite loop in BN_mod_sqrt()OPENBSD_7_0tb2022-03-151-14/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A bug in the implementation of the Tonelli-Shanks algorithm can lead to an infinite loop. This loop can be hit in various ways, in particular on decompressing an elliptic curve public key via EC_POINT_oct2point() - to do this, one must solve y^2 = x^3 + ax + b for y, given x. If a certificate uses explicit encoding for elliptic curve parameters, this operation needs to be done during certificate verification, leading to a DoS. In particular, everything dealing with untrusted certificates is affected, notably TLS servers explicitly configured to request client certificates (httpd, smtpd, various VPN implementations, ...). Ordinary TLS servers do not consume untrusted certificates. The problem is that we cannot assume that x^3 + ax + b is actually a square on untrusted input and neither can we assume that the modulus p is a prime. Ensuring that p is a prime is too expensive (it would likely itself lead to a DoS). To avoid the infinite loop, fix the logic to be more resilient and explicitly limit the number of iterations that can be done. The bug is such that the infinite loop can also be hit for primes = 3 (mod 4) but fortunately that case is optimized earlier. It's also worth noting that there is a size bound on the field size enforced via OPENSSL_ECC_MAX_FIELD_BITS (= 661), which help mitigate further DoS vectors in presence of this fix. Reported by Tavis Ormandy and David Benjamin, Google Patch based on the fixes by David Benjamin and Tomas Mraz, OpenSSL ok beck inoguchi This is errata/7.0/016_bignum.patch.sig
* In some situations, the verifier would discard the error on an unvalidatedlibressl-v3.4.3libressl-v3.4.2tb2021-11-243-50/+91
| | | | | | | | certificate chain. This would happen when the verification callback was in use, instructing the verifier to continue unconditionally. This could lead to incorrect decisions being made in software. This is patches/common/006_x509.patch.sig
* This commit was manufactured by cvs2git to create branch 'OPENBSD_7_0'.libressl-v3.4.1cvs2svn2021-09-302-49/+10
|
* Fix appstest.sh for testing with OpenSSL 3.0inoguchi2021-09-201-2/+5
| | | | | - Fix 'Server Temp Key' check to work with both words "P-384" and "secp384r1". - Test TLSv1 and TLSv1.1 only if OpenSSL version is 1.x.
* Switch two calls from memset() to explicit_bzero()tb2021-09-191-3/+3
| | | | | | | This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely. Discussed with deraadt and otto
* At least t_fork and t_vfork tests need coredumps enabled to succeed.claudio2021-09-191-1/+2
| | | | | | Add ulimit -c unlimited before running the tests like it is done in other places in regress. OK bluhm@
* Implement flushing for TLSv1.3 handshakes.jsing2021-09-165-7/+69
| | | | | | | | | | | | | | | When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio. Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent. Joint work with tb@ ok tb@
* bump to LibreSSL 3.4.1tb2021-09-151-3/+3
|
* Avoid typedef redefinitionlibressl-v3.4.0inoguchi2021-09-141-3/+1
| | | | | | | "typedef struct ssl_st SSL;" is defined in ossl_typ.h. This reverts part of r1.204. ok tb@
* Add missing void to definition of http_init().tb2021-09-141-2/+2
| | | | ok deraadt florian
* zap trailing white spacetb2021-09-141-2/+2
|
* Call the info cb on connect/accept exit in TLSv1.3tb2021-09-142-4/+16
| | | | | | | | | The p5-Net-SSLeay test expects the info callback to be called on connect exit. This is the behavior in the legacy stack but wasn't implemented in the TLSv1.3 stack. With this commit, p5-Net-SSLeay tests are happy again after the bump. ok bluhm inoguchi jsing
* provide a small manual page for the SSL_set_psk_use_session_callback(3)schwarze2021-09-142-1/+88
| | | | | stub, written from scratch; OK tb@ on SSL_set_psk_use_session_callback.3
* Merge the stub SSL_SESSION_is_resumable(3) manual page from theschwarze2021-09-143-3/+86
| | | | | | OpenSSL 1.1.1 branch, which is still under a free license. A few tweaks to wording and structure by me. OK tb@ on SSL_SESSION_is_resumable.3
* As suggested by tb@, merge the description of OPENSSL_EC_NAMED_CURVEschwarze2021-09-141-9/+15
| | | | | | | | | | | | | | and OPENSSL_EC_EXPLICIT_CURVE from OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000 after tb@ changed the default from 0 to OPENSSL_EC_NAMED_CURVE in ec/ec_lib.c rev. 1.41, which is the same default that OpenSSL uses since 1.1.0. While merging, drop the description of the pre-1.1.0 behaviour. It seems irrelevant to me because tb@ found no application in Debian codesearch using OPENSSL_EC_EXPLICIT_CURVE. A former devious default that was probably never relied upon by anyone does not need to be documented.
* In X509_check_issued() do the same dance around x509v3_cache_extensions()claudio2021-09-131-3/+11
| | | | | | as in all other palces. Check the EXFLAG_SET flag first and if not set grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions(). OK tb@ beck@
* Default to using named curve parameter encodingtb2021-09-122-4/+5
| | | | | | | | | | | | | | | | | | The pre-OpenSSL 1.1.0 default was to use explicit curve parameter encoding. Most applications want to use named curve parameter encoding and have to opt into this explicitly. Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into the old default. According to Debian's codesearch, no application currently does this, which indicates that we currently have a bad default. In the future it is more likely that applications expect the new default, so we follow OpenSSL to avoid problems. Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing. ok beck inoguchi jsing
* merge the description of SSL_get_tlsext_status_type(3)schwarze2021-09-111-3/+35
| | | | from the OpenSSL 1.1.1 branch, which is still under a free license
* Merge documentation of EC_GROUP_order_bits(3) from the OpenSSL 1.1.1schwarze2021-09-111-26/+70
| | | | | | | | | branch, which is still under a free license. While here, also merge a few other improvements, mostly regarding EC_GROUP_get_order(3) and EC_GROUP_get_cofactor(3); in particular, some statements below RETURN VALUES were outright wrong. This patch includes a few minor tweaks and an addition to HISTORY by me. Feedback and OK tb@.
* Add BGPSec Router (RFC 8209) Key Purpose OIDjob2021-09-112-0/+2
| | | | OK tb@
* Merge documentation for BN_bn2binpad(3), BN_bn2lebinpad(3),schwarze2021-09-111-13/+77
| | | | | | | and BN_lebin2bn(3) from the OpenSSL 1.1.1 branch, which is still under a free license. While here, tweak a number of details for clarity. OK tb@
* Calling OpenSSL_add_all_digests() is no longer needed since the librarymillert2021-09-101-7/+2
| | | | automatically initializes itself. OK tb@
* crank major for libcrypto as welltb2021-09-101-2/+2
| | | | 'may as well' deraadt
* major bump (same type of crank as libssl)tb2021-09-101-1/+1
|
* bump major after symbol addition and struct removal, struct visibilitytb2021-09-101-1/+1
| | | | changes
* Update Symbols.list after API additionstb2021-09-101-0/+18
|
* Bump minor after symbol additiontb2021-09-101-1/+1
|
* Add BN_bn2{,le}binpad(), BN_lebin2bn(), EC_GROUP_order_bits to Symbols.listtb2021-09-101-0/+4
| | | | ok beck inoguchi jsing
* Move SSL_set0_rbio() outside of LIBRESSL_HAS_TLS1_3tb2021-09-101-3/+1
| | | | ok inoguchi jsing
* Expose SSL_get_tlext_status_type() in tls1.htb2021-09-101-3/+1
| | | | ok beck jsing
* Expose SSL_R_NO_APPLICATION_PROTOCOL in ssl.htb2021-09-101-3/+1
| | | | ok beck jsing
* Expose SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE in ssl.htb2021-09-101-3/+1
| | | | ok beck jsing
* Expose SSL_CTX_get0_privatekey() in ssl.htb2021-09-101-3/+1
| | | | ok beck
* Remove TLS1_get_{,client_}version()tb2021-09-101-9/+1
| | | | ok jsing
* Remove SSL3_RECORD and SSL3_BUFFERtb2021-09-101-25/+1
| | | | with/ok jsing
* Remove TLS1_RT_HEARTBEATtb2021-09-101-2/+1
| | | | ok jsing
* Make SSL opaquetb2021-09-101-2/+4
| | | | with/ok jsing
* Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXTtb2021-09-102-2/+6
| | | | | | from public visibility. with/ok jsing
* Uncomment LIBRESSL_HAS_{TLS1_3,DTLS1_2} in opensslfeatures.htb2021-09-101-2/+2
|
* Use BN_RAND_* instead of mysterious values in the documentation oftb2021-09-101-7/+19
| | | | | | | | BN_rand_range() From OpenSSL 1.1.1l ok beck jsing
* Expose EC_GROUP_order_bits() in <openssl/ec.h>tb2021-09-101-3/+1
| | | | ok beck jsing
* Expose BN_bn2{,le}binpad() and BN_lebin2bn() in <openssl/bn.h>tb2021-09-101-3/+1
| | | | ok beck inoguchi
* Expose BN_RAND_* in <openssl/bn.h>tb2021-09-101-3/+1
| | | | ok beck jsing
* Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callbacktb2021-09-104-7/+31
| | | | | | | | | | | | | | | | | | | As reported by Jeremy Harris, we inherited a strange behavior from OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the ALPN callback. RFC 7301, 3.2 states: 'In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert.' Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK} which is the current behavior of OpenSSL. The documentation change is taken from OpenSSL 1.1.1 as well. As pointed out by jsing, there is more to be fixed here: - ensure that the same protocol is selected on session resumption - should the callback be called even if no ALPN extension was sent? - ensure for TLSv1.2 and earlier that the SNI has already been processed ok beck jsing
* Prepare to provide BN_RAND_* flags for BN_rand_range()tb2021-09-101-1/+12
| | | | ok beck jsing
* Prepare to provide SSL_CTX_get0_privatekey()tb2021-09-102-2/+14
| | | | ok beck
* Ensure that the kill signal undergoing testing is not ignored.anton2021-09-091-1/+15
| | | | ok bluhm@
* When calling the legacy callback, ensure we catch the case where itbeck2021-09-091-2/+5
| | | | | | | | | has decided to change a succeess to a failure and change the error code. Fixes a regression in the openssl-ruby tests which expect to test this functionality. ok tb@
* Rework openssl-ruby-tests to run all passing tests first, thentb2021-09-091-4/+12
| | | | | | | | | | | run the one failing test as a separate regress test. This way, all regressions should be caught with REGRESS_FAIL_EARLY=yes or on bluhm's regress webpage. This needs an up-to-date openssl-ruby-tests package and an upcoming commit by beck in x509_verify.c to work. ok beck bluhm
* zap trailing whitespacetb2021-09-092-14/+14
|