summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Don't leave stale sequence numbers behind in ssl3_clear()libressl-v3.2.5tb2021-03-152-5/+13
| | | | | | | | | | | | | | | A TLS client doing session reuse in a certain way could run into a use-after-free. Set the sequence numbers inside ssl3_clear() to make sure this points at valid memory and do the initialization of the record layer a bit earlier so that this works as desired. Additionally, explicitly clear the sequence numbers in ssl3_free() which would have turned the use-after-free into a NULL dereference. Issue reported by Ilya Chipitsine. Fix from jsing This is errata/6.8/017_libssl.patch.sig
* This is errata/6.8/013_libressl.patch.siglibressl-v3.2.4tb2021-02-0312-28/+172
| | | | | | | | | | | | | | | | | | | | | | | | | | | Various interoperability issues and memory leaks were discovered in libcrypto and libssl. The new verifier is not bug compatible with the old verifier and caused many issues by failing to propagate errors correctly, returning different error codes than some software was trained to expect and otherwise failing when it shouldn't. While much of this is fixed in -current, it's still not perfect, so switching back to the legacy verifier is preferable at this point. Other included fixes: * Unbreak DTLS retransmissions for flights that include a CCS * Only check BIO_should_read() on read and BIO_should_write() on write * Implement autochain for the TLSv1.3 server * Use the legacy verifier for AUTO_CHAIN * Implement exporter for TLSv1.3 * Free alert_data and phh_data in tls13_record_layer_free() * Plug leak in x509_verify_chain_dup() * Free the policy tree in x509_vfy_check_policy() Original commits by jsing and tb ok inoguchi jsing
* Fix a NULL dereference in GENERAL_NAME_cmp()libressl-v3.2.3tb2020-12-086-11/+94
| | | | | | | | | | | | | | Comparing two GENERAL_NAME structures containing an EDIPARTYNAME can lead to a crash. This enables a denial of service attack for an attacker who can control both sides of the comparison. Issue reported to OpenSSL on Nov 9 by David Benjamin. OpenSSL shared the information with us on Dec 1st. Fix from Matt Caswell (OpenSSL) with a few small tweaks. ok jsing this is errata/6.8/008_asn1.patch.sig
* This commit was manufactured by cvs2git to create branch 'OPENBSD_6_8'.libressl-v3.2.2cvs2svn2020-09-260-0/+0
|
* Ensure leaf is set up on X509_STORE_CTX before verification.jsing2020-09-261-9/+7
| | | | | | | | | | | | | Previously the leaf certificate was only being set up on the X509_STORE_CTX after two verification steps were performed, however at least one of those steps could result in the verification callback being triggered and existing code breaking. Issue noticed by Raf Czlonka when attempting to connect to talk.google.com using profanity (which does not set SNI and ends up receiving an invalid certificate). ok beck@ deraadt@ tb@
* Call dtls1_hm_fragment_free() from dtls1_drain_fragments()jsing2020-09-262-8/+7
| | | | | | | | Currently dtls1_drain_fragments() has a incomplete handrolled version of dtls1_hm_fragment_free(), which has the potential to leak memory. Replace the handrolled free with a call to dtls1_hm_fragment_free(). ok inoguchi@ tb@
* Have dtls1_new() call dtls1_free() on failure.jsing2020-09-261-36/+22
| | | | | | | | Allocate into the appropriate structures and call dtls1_free() on failure, rather than allocating into local variables and then remembering to free various things on failure. ok tb@
* Have dtls1_hm_fragment_new() call dtls1_hm_fragment_free() on failure.jsing2020-09-261-26/+17
| | | | | | | | | | Rather than using local variables and having to remember which things need to be freed upon a failure at a certain point, simply allocate into the hm_fragment struct and call dtls1_hm_fragment_free() on failure. Also use calloc() to ensure memory is appropriately zeroed/initialised. ok tb@
* Refactor dtls1_clear_queues()tb2020-09-261-25/+26
| | | | | | | | | | An upcoming cleanup diff by jsing needs dtls1_clear_queues() to be able to handle NULL pqueues. While one can easily add a NULL check to pqueue_pop(), this does not really fit in with the rest of the code. There are two kinds of while loops in dtls1_clear_queues that drain pqueues, so add two helper functions with a NULL check each. ok jsing
* jumping into the x509 fray with a bunch of whitespace repairderaadt2020-09-261-6/+6
|
* move test-tls13-finished.py from slow tests to normal tests.tb2020-09-251-27/+26
|
* bump to LibreSSL 3.2.2 ahead of lockbcook2020-09-251-3/+3
| | | | ok tb@
* KNF for a few comments and indent a labeltb2020-09-251-8/+12
|
* Remove some dangling elses for consistency with the rest of the filetb2020-09-251-25/+19
|
* Simplify UI_new_method()tb2020-09-251-10/+4
| | | | | Use calloc() instead of malloc() and setting all members manually to 0. Avoid unnecessary else branch.
* Move variable declaration to the top of UI_set_result and ditchtb2020-09-251-19/+16
| | | | | | a pointless local scope. suggested by jsing
* The default branch of a switch somehow got moved inside of a pointlesstb2020-09-251-3/+3
| | | | | | | | local scope of a case branch. Move it into the proper location. No binary change on amd64. "sure" jsing
* Simplify call to ERR_print_errors_cb()tb2020-09-251-5/+4
| | | | | | | | | There is no reason for print_error()'s third argument to be a UI *. It may just as well be a void * to match what ERR_print_errors_cb() expects. This avoids casting the function pointer. Also, there's no need for a (void *) cast. ok jsing
* test-tls13-finished.py has 70 failing tests that expect a "decode_error"tb2020-09-251-6/+94
| | | | | | instead of the "decrypt_error" sent by tls13_server_finished_recv(). Both alerts appear to be reasonable in this context, so enable the tests while working around this.
* delete a stale commenttb2020-09-251-5/+1
|
* Error out if ok_chars and cancel_chars overlaptb2020-09-241-2/+4
| | | | | | | It is a bit silly to push an error on the stack without erroring out, so error out if the ok_chars and cancel_chars overlap. ok jsing
* Fix a number of leaks in the UI_dup_* functionstb2020-09-241-143/+99
| | | | | | | | | | | | | | | | | | | | | | | | | If any of general_allocate_{prompt,string,boolean}() fail, the UI_dup_* functions may leak the strings they strduped beforehand. Instead, use strdup inside these functions, so we can free as necessary. This makes the UI_add_* and UI_dup_* simple wrappers around general_allocate_{string,boolean}() that differ only in passing a Boolean that indicates whether or not to use strdup. Make a general cleanup pass over these functions, simplify the logic and make it overall a bit easier to follow. While there, use strcspn() instead of a handrolled variant. The only changes in behavior are that ERR_R_MALLOC_FAILURE is now pushed onto the stack a bit more often and that UI_dup_input_string() now returns -1 on failure to dup prompt like all the other UI_dup_* functions. This is not a problem since the manual already documents that errors are signaled with <= 0. The only consumer of this function according to Debian's codesearch is libp11, I sent them a PR to fix their (already broken) error handling. Addresses about 10 errors thrown by the LLVM static analyzer in ui/. ok jsing
* Push ERR_R_MALLOC_FAILURE onto the error stacktb2020-09-241-3/+3
| | | | | | | If sk_UI_STRING_new_null() fails, this must be due to a memory error, so signal this to the user. ok jsing
* Make free_strings() NULL safetb2020-09-241-1/+3
| | | | ok jsing
* KNF and grammar tweaks for comments; wrap a few overlong prototypes.tb2020-09-241-163/+188
|
* Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.jsing2020-09-245-16/+22
| | | | ok beck@ inoguchi@ tb@
* Release read and write buffers using freezero().jsing2020-09-244-21/+26
| | | | | | | | | Provide a ssl3_release_buffer() function that correctly frees a buffer and call it from the appropriate locations. While here also change ssl3_release_{read,write}_buffer() to void since they cannot fail and no callers check the return value currently. ok beck@ inoguchi@ tb@
* Ensure chain is set on the X509_STORE_CTX before triggering callback.jsing2020-09-231-12/+39
| | | | | | | | | | | | Various software expects the previous behaviour where the certificate chain is available on the X509_STORE_CTX when the verify callback is triggered. Issue hit by bket@ with lastpass-cli which has built in certificate pinning that is checked via the verify callback. Fix confirmed by bket@. ok beck@
* Comment out SSL_get0_peername(3) for the OpenBSD 6.8 releaseschwarze2020-09-221-4/+18
| | | | | because tb@ decided to not enable it before the release. OK tb@
* reword ambiguous title line;schwarze2020-09-221-3/+3
| | | | issue noticed by and patch OK by jsing@
* s/before the handshake is complete/during the handshake/gschwarze2020-09-211-8/+7
| | | | | because that is both shorter and more precise; wording suggested by jsing@
* 1) Move the interop tests to the end so we see tlsfuzzer firstbeck2020-09-215-9/+35
| | | | | | | | | | 2) Reorder the interop tests so the really slow "cert" test is at the end 3) Change the cert tests to use REGRESS_SLOW_TARGETS when testing combination of client and server that does not involve libressl. This way we can skip testing openssl to openssl11 when running these manually by setting REGRESS_SKIP_SLOW to "yet" in mk.conf ok jsing@
* two wording tweaks suggested by jsing@, adding clarityschwarze2020-09-211-5/+4
|
* In ssl.h rev. 1.174 to 1.176, tb@ added some stubs related to 0-RTT data.schwarze2020-09-213-4/+183
| | | | | | | | | | Write documentation from scratch explaining why we don't support 0-RTT but how we stub it out instead. Tweaks and OK tb@. ... and beck@ pointed out that this OpenSSL API is akin to adding a laser sighting system to a giant blackpowder cannon that one keeps blowing one's own feet to mangled scraps with ...
* move a misplaced 'goto done;' so that all invalid uris are testedtb2020-09-211-1/+1
|
* add a few short invalid URIs in test_constraints1() that cause earlytb2020-09-211-0/+4
| | | | failure of x509_constraints_uri_host() in x509_constraints_uri()
* Fix some line wrapping and other whitespace issues.tb2020-09-211-45/+34
| | | | No change in the generated assembly on amd64.
* Move freeing and zeroing up to right after the while loop.tb2020-09-211-5/+5
| | | | Requested by jsing
* Avoid memleak caused by shadowingtb2020-09-201-2/+5
| | | | | | | | | | | The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails. Found by llvm scan-build. ok beck
* KNF/whitespace nitstb2020-09-202-6/+7
|
* Correct a 1 byte read overflow in x509_contraints_uri and addbeck2020-09-202-4/+13
| | | | | | | | regress to catch it in the future. found by Guido Vranken's cryptofuzzer ok tb@
* Document the public function SSL_set_SSL_CTX(3) from scratch,schwarze2020-09-203-3/+72
| | | | | | | which is undocumented in OpenSSL but mentioned in passing in one OpenSSL manual page, and which was recently mentioned by jsing@ when working on SSL_set_ciphersuites(3). With corrections from and OK inoguchi@.
* Add guards around SSL_get0_peername that were accidentally omitted.tb2020-09-201-1/+3
|
* Fix a memory leak in x509_constraints_extract_namestb2020-09-201-6/+6
| | | | | | | | | | | | | If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names. Found by Guido Vranken's cryptofuzzer ok beck
* remove superfluous NULL checkbeck2020-09-191-2/+2
| | | | ok tb@
* Prepare to provide SSL_get0_peernametb2020-09-192-2/+9
| | | | | | | | | This is a convenience reacharound to libcrypto that trivially wraps X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for better logging. As it's part of the API that landed with OpenSSL's DANE, more recent postfix snapshots use it as well. ok beck inoguchi jsing
* Prepare to provide stubbed out versions for reading/writing 0-RTT datatb2020-09-192-2/+41
| | | | | | | | | | | We do not support this feature but need to provide OpenSSL's API since software assumes it's available whenever TLS1_3_VERSION is available. These are minimal stubs that should have a decent chance to interact reasonably with software expecting the tricky upstream semantics, but this will have to be sorted out with runtime testing, so will likely have to be refined and revisited. ok beck jsing
* Prepare to provide SSL{,_CTX}_{get,set}_max_early_datatb2020-09-192-2/+34
| | | | | | | Similar to the SSL_SESSION versions, these are noops that are expected to be available by some configure tests. ok beck jsing
* Prepare to provide SSL_SESSION_{set,get}_max_early_data()tb2020-09-192-2/+18
| | | | | | | Since we do not support 0-RTT, these are noops. Some software expects this API to be available if TLS1_3_VERSION is defined. ok beck jsing
* If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failureschwarze2020-09-181-5/+10
| | | | | | | | | | | | | | | | rather than silently leaving a NULL pointer in ssl->cert. Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015. While here, (1) make the code easier to read and more robust by returning right away when ssl still uses the context it was created from and the ctx argument is NULL, rather than doing a lot of work that changes nothing unless data is already corrupt, and (2) use the shorter and more inituitive SSL_CTX_up_ref(3) rather than manually calling CRYPTO_add(3), which means no functional change and is also in the OpenSSL 1.1 branch. OK tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-16 02:17:33 +0000