openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Files	Lines
2021-09-30	delete expired DST Root CA X3 to work around bugs various librarieslibressl-v3.3.6 libressl-v3.3.5	deraadt	1	-44/+1
	ok sthen, beck, jsing, tb, etc etc This cannot be issued as an errata/syspatch, because syspatch cannot
2021-09-30	Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.	deraadt	1	-1/+2
	In order to work around the expired DST Root CA X3 certficiate, enable X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the default chain provided by Let's Encrypt will stop at the ISRG Root X1 intermediate, rather than following the DST Root CA X3 intermediate. Note that the new verifier does not suffer from this issue, so only a small number of things will hit this code path. ok millert@ robert@ tb@ this is errata 6.9/018_cert
2021-09-26	Avoid a potential overread in x509_constraints_parse_mailbox()	deraadt	1	-5/+9
	The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function. Issue reported by GoldBinocle on GitHub. ok deraadt@ tb@ this is 6.9 errata 017
2021-08-20	In LibreSSL, printing a certificate can result in a crash inlibressl-v3.3.4	benno	1	-3/+3
	X509_CERT_AUX_print(). Commit in -current: CVSROOT: /cvs Module name: src Changes by: schwarze@cvs.openbsd.org 2021/07/10 11:45:16 Modified files: lib/libcrypto/asn1: t_x509a.c Log message: Fix a read buffer overrun in X509_CERT_AUX_print(3), which by implication also affects X509_print(3). The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the alias->data field is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for these functions. OK tb@ As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. This is patches/6.9/common/015_x509.patch.sig
2021-04-15	mention DTLS1_2_VERSION	tb	1	-3/+4

2021-04-15	Mention DTLS1_2_VERSION here, too	tb	1	-6/+8

2021-04-15	Document SSL_OP_NO_DTLSv1{,_2}	tb	1	-2/+15

2021-04-15	Document DTLSv1_2_{,client_,server_}method(3)	tb	1	-4/+36

2021-04-15	Merge documentation for SSL_is_dtls() from OpenSSL	tb	1	-5/+21

2021-04-15	Switch back to the legacy verifier for the release.	tb	1	-2/+2
	This is disappointing as a lot of work was put into the new verifier during this cycle. However, there are still too many known bugs and incompatibilities. It is better to be faced with known broken behavior than with new broken behavior and to switch now rather than via errata. This way we have another cycle to iron out the kinks and to fix some of the remaining bugs. ok jsing
2021-04-14	revert previous. some of the keyupdate tests still fail occasionally	tb	1	-2/+11

2021-04-14	Enable test-tls13-keyupdate.py	tb	1	-9/+2

2021-04-14	move test-record-size-limit.py to unsupported	tb	1	-4/+3

2021-04-14	enable test-record-layer-fragmentation.py	tb	1	-7/+2

2021-04-14	factor argument to catch an alert mismatch into a helper function	tb	1	-7/+8

2021-04-13	enable test-tlsfuzzer-invalid-compression-methods.py	tb	1	-5/+10

2021-04-13	enable test-large-hello.py as a slow test	tb	1	-3/+2

2021-04-13	with new defaults, test-fuzzed-plaintext.py is no longer slow	tb	1	-3/+2

2021-04-13	move a few tests to the unsupported group and fix two comments	tb	1	-15/+15

2021-04-13	annotate test-ecdhe-rsa-key-exchange-with-bad-messages.py with expected	tb	1	-2/+3
	alerts and where to add them.
2021-04-11	Update a stale comment and fix a typo.	tb	1	-3/+3

2021-04-09	An extra internal consistency check and a missing stats adjustment. ok tb@	otto	1	-1/+4

2021-04-09	Cache implementation has changed, we do not hold on to an exact number	otto	1	-3/+4
	of pages anymore, but also cache larger regions; ok tb@
2021-04-08	Enable test-cve-2016-6309.py	tb	1	-3/+2

2021-04-07	Avoid clobbering the error code when sending an alert	tb	1	-2/+3
	In order to fail gracefully on encountering a self-signed cert, curl looks at the top-most error on the stack and needs specific SSL_R_ error codes. This mechanism was broken when the tls13_alert_sent_cb() was added after people complained about unhelpful unknown errors. Fix this by only setting the error code from a fatal alert if no error has been set previously. Issue reported by Christopher Reid ok jsing
2021-04-07	Use ERR_print_error_fp() to avoid leaking a BIO in fatal()	tb	1	-2/+2

2021-04-07	Check function return value in openssl(1) x509.c	inoguchi	1	-24/+71
	input from bcook@, ok and comments from tb@
2021-04-07	Avoid leak in error path	inoguchi	1	-3/+7
	ok and input from tb@
2021-04-06	use errx() instead of err()	tb	1	-8/+8

2021-04-06	spaces -> tabs	tb	1	-5/+5

2021-04-06	minor style tweaks	tb	1	-5/+6

2021-04-05	Don't leak param->name in x509_verify_param_zero()	tb	1	-1/+2
	For dynamically allocated verify parameters, param->name is only ever set in X509_VERIFY_set1_name() where the old one is freed and the new one is assigned via strdup(). Setting it to NULL without freeing it beforehand is a leak. looks correct to millert, ok inoguchi
2021-04-04	Add missing error check for AES_unwrap_key().	tb	1	-1/+3

2021-04-04	Fix two copy paste errors in error messages	tb	1	-3/+3

2021-04-04	Add tests for DTLSv1_2{,_client,_server}_method()	tb	1	-1/+20

2021-04-04	Use correct type for tmp in test_write_bytes()	tb	1	-2/+2

2021-04-04	Explicitly NULL pointers to avoid a double free.	tb	1	-1/+3

2021-04-04	Don't leak key and dh in the error path.	tb	1	-4/+7

2021-04-04	Clean up client and server tls{,_config} contexts in tls_test().	tb	1	-2/+11
	Leaks reported by Ilya Shipitsin.
2021-04-03	Run the CMAC tests through EVP_PKEY_new_CMAC_key().	tb	1	-10/+22

2021-04-02	Two cases of BRE involving counts and backrefs that go wrong and	otto	1	-1/+16
	similar that have no isssues. Reported by Michael Paoli. Failing cases commented out for now.
2021-04-02	Show DTLS1.2 message with openssl(1) s_server and s_client	inoguchi	1	-2/+6
	ok jsing@ tb@
2021-04-01	Compare the pointer variable explicitly with NULL in if condition	inoguchi	1	-18/+17

2021-03-31	one of the examples needs an -N (and explanation);	jmc	1	-4/+7
	diff from robert scheck discussed with and tweaked by sthen
2021-03-31	Update for DTLSv1.2 support.	tb	1	-2/+4

2021-03-31	Remove workarounds for SSL_is_dtls()	tb	2	-11/+2
	Reminded by inoguchi jsing
2021-03-31	Remove workaround for missing d2i_DSAPrivateKey_fp prototype	tb	1	-5/+1

2021-03-31	Bump minors after symbol addition	tb	3	-3/+3

2021-03-31	Expose various DTLSv1.2 specific functions and defines	tb	5	-27/+8
	ok bcook inoguchi jsing
2021-03-31	Document SSL_set_hostflags(3) and SSL_get0_peername(3)	tb	1	-18/+4
	ok bcook inoguchi jsing