| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
| |
The i variable is unused. Likewise for the first assignment to ri.
Instead of an incomplete check that idx is in range, which still
results in a NULL deref if idx < 0, check if ri is not NULL before
accessing, as sk_value() checks the index correctly.
ok jsing kenjiro
|
| |
|
|
| |
patch from portable
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
on a SAN DNSname constraint. This is not correct, as with
a DNSname constraint, it may exacly match or match zero or
more additional components on the front of the candidte to
match.
Spotted by Haruto Kimura <hkimura2026@gmail.com>
ok tb@ kenjiro@
|
| |
|
|
| |
ok deraadt
|
| |
|
|
| |
Requested by jsing, ok beck
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This converts rsa_cms_decrypt() to use X509_ALGOR_get0() and fixes a
NULL deref when a parameter is (invalidly) omitted similar to the fix
in ec/ec_ameth.c r1.66 from a couple years back. There is currently
an XXX annotating a hairy leak due to trying to be smart and stealing
the parameters from the oaep object. Instead, just make a copy of the
label string and free it in the exit path.
The diff adds an error for labellen == 0 since that is an invalid
encoding of pSpecifiedEmpty (see RFC 8017) -- per the DER the default
must be omitted. This way we avoid a malloc(0) implementation-defined
behavior.
This minor issue was assigned CVE-2026-28390 by OpenSSL and was reported
by too many to list. The fix is my own. It is similar to OpenSSL's fix
only because I rewiewed theirs and suggested an improvement or two.
This is the last of the "security fixes" in today's OpenSSL release that
"affect" LibreSSL. All the other bugs were already fixed a few years back
or we didn't have the code/bugs in the first place.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of reaching deep inside the OCSP_BASICRESP and ignoring its
semantics and then try to untangle things in ocsp_find_signer_sk(),
pass the OCSP_BASICRESP and use OCSP_resp_get0_id() which has the
logic built in. Avoids a crash if you call OCSP_basic_verify() after
OCSP_BASICRESP_new() without OCSP_basic_sign(). This cannot happen on
a deserialized OCSP object.
Prompted by a report by Kamil Frankowicz, Jan Kaminski, Bartosz Michalowski.
ok jsing
|
| |
|
|
|
|
|
|
| |
Prompted by the "fix" fighting symptoms of misdesign in Delta CRL processing
rather than addressing the root cause. Probably the best fix is to remove
support for Indirect CRLs and Delta CRLs outright.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A malformed Delta CRL could cause a crash. Funnily enough the deserializer
recognizes this and marks such a CRL as invalid, but nothing ever checks
the EXFLAG_INVALID for CRLs. For certificates this would usually result in
verification failure due to x509v3_cache_extensions() failing.
This is only reachable if the X509_V_FLAG_USE_DELTAS is used, which only
a handful of ports do, plus openssl(1) does if you use the undocumented
-use_deltas flag.
Reported by Igor Morgenstern to OpenSSL who then sat on this since Jan 8
and assigned CVE-2026-28388.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
x509v3.h has included conf.h since June 20, 1999, OpenSSL commit ba404b5e,
so HEADER_CONF_H has been defined since then. Also since then, CONF_VALUE
(only available via conf.h) has been used outside of HEADER_CONF_H, making
that #ifdef doubly pointless.
ok bcook jsing kenjiro
|
| |
|
|
|
|
|
|
|
| |
All thirteen files including cms_local.h do that after including cms.h,
which already includes x509v3.h, so this is always defined. While here
make the cms_local.h a bit more selfstanding by including asn1.h and
x509v3.h
ok bcook jsing (who had the same diff) kenjiro
|
| |
|
|
|
|
|
|
|
|
|
| |
The maximum depth is not expected to include the leaf certificate - restore
the decrement prior to checking, which means the previous behaviour is
retained for the callback depth and the maximum depth. Reduce the maximum
depth by one in order to avoid the overwrite that could previously occur.
Thanks to anton@ for flagging the rust-openssl failure in regress.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In x509_verify_build_chains(), ensure that we check the current depth
against max_depth prior to turning it into a legacy-style depth index.
Additionally, add a guard to x509_verify_chain_append() so that we avoid
exceeding the maximum certs per chain, even if we fail to handle this
correctly elsewhere. Also prevent the legacy callback from being able
to override the maximum verification depth.
The current off-by-one allows for a 4 byte overwrite to occur on heap
allocated memory - this will likely trigger a crash on OpenBSD (but may
go unnoticed elsewhere). This is only reachable if a TLS client is talking
to a malicious server or if a TLS server has client certificate
verification enabled - in both cases the verification depth also needs to
be set to the maximum allowed value of 32.
It is worth noting that many TLS clients/servers set the maximum
verification depth to a value that is much less than the default. A libtls
client or server uses a default depth of 6 and is not impacted in this
configuration.
Thanks to Calif.io in collaboration with Claude and Anthropic Research,
for reporting the issue.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
This looks like a NULL dereference that should crash, but for some reason
it doesn't, even with -O0 with all compilers i tried. At the very least it
may result in compilers deducing that key_768 != NULL and lead to incorrect
optimizations.
ok claudio jsing kenjiro miod
|
| |
|
|
| |
ok kenjiro@ tb@
|
| |
|
|
|
|
|
|
|
| |
This will contain defines and macros that we need for assembly code,
without polluting other headers that are primarily used for C code.
For now, this just unconditionally provides _CET_ENDBR on amd64.
ok kenjiro@ tb@
|
| |
|
|
|
|
|
|
| |
- remove CommScope CA (they requested it themselves;
https://bugzilla.mozilla.org/show_bug.cgi?id=1994866)
- add new cert:
/C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno TLS Root CA 2023
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We received reports that the too generic internal ecdsa_{sign,verify}()
symbol names clash in some static links. The naming here is annoying
because the EC_KEY_METHOD amalgamated the no longer existing ECDH and
ECDSA methods which themselves had poorly chosen method names, still
reflected in public API.
There are various messes here. The ECDSA verify methods are declared
in ec_local.h, whereas the ECDSA sign methods are in ecdsa_local.h
(which is itself pretty useless and really only about EC_KEY_METHOD).
I therefore merged the ECDSA method declarations into ec_local.h and
deleted ecdsa_local.h since I see no real benefit to the latter.
ecdsa.c needs ec_local.h anyway. Having the method declarations next
to EC_KEY_METHOD seems sensible. I left the order as it was, matching
ecdsa.c. The eckey_compute_pubkey() prototype should probably be moved
down.
With one exception I just added an ec_key_ prefix. This leads to a
a repetition of 'key' in ec_key_ecdh_compute_key() which I chose to
live with because it matches the public ECDH_compute_key() (mostly
used by SSH implementations). The exception is ec_key_generate_key()
where I expanded the gen() leading to another _key repetition but
this then matches EC_KEY_generate_key().
Thanks to Rosen Penev for reporting and sending an initial diff.
See also https://github.com/gsliepen/tinc/issues/478
ok jsing
|
| | |
|
| |
|
|
| |
pointed out by/ok dlg
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Replace memcmp() with timingsafe_memcmp() when comparing the
re-encrypted ciphertext.
FIPS 203 Section 6.3 defines this comparison result as a secret piece
of intermediate data that must not be revealed in any form.
ok tb
|
| | |
|
| |
|
|
|
|
|
|
| |
jsing prefers doing all computations first and comparing at the end. This
means we do more work when we fail and no longer (ab)use err as an out label.
Also split out one more helper.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of relying on i2c_ASN1_BIT_STRING() to determine the "unused"
bits on encoding, set them explicitly in abs->flags via a call to
asn1_abs_set_unused_bits(). This means ASN1_STRING_FLAGS_BITS_LEFT is
now set on a bit string, which was previously explicitly cleared.
This also means that the encoding of a non-zero ASN1_BIT_STRING
populated by setting the bits individually will now go through the
if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) path in i2c_ASN1_BIT_STRING().
The most prominent usage of this function is in X.509 for the keyUsage
extension or the CRL reason codes. There's also the NS cert type, TS
PKIFailureInfo and general BITLIST config strings.
The reason for the truncation logic comes from the DER for NamedBitLists
X.690, 11.2.2 below:
X.680, 22.7:
When a "NamedBitList" is used in defining a bitstring type ASN.1
encoding rules are free to add (or remove) arbitrarily any trailing 0
bits to (or from) values that are being encoded or decoded. Application
designers should therefore ensure that different semantics are not
associated with such values which differ only in the number of trailing
0 bits.
X.690, 11.2.2
Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 22.7, applies, the bitstring
shall have all trailing 0 bits removed before it is encoded.
Note 1 - In the case where a size constraint has been applied, the
abstract value delivered by a decoder to the application will be one of
those satisfying the size constraint and differing from the transmitted
value only in the number of trailing zero bits.
Note 2 - If a bitstring value has no 1 bits, then an encoder shall
encode the value with a length of 1 and an initial octet set to 0.
ok kenjiro (on an earlier version) jsing
|
| |
|
|
|
|
| |
Found the same fix from davidben in BoringSSL as well (https://boringssl-review.googlesource.com/c/boringssl/+/87927). OpenSSL appears to have accidentally changed the semantics here with the HAS_PREFIX macro, which appears to be incorrect.
discussed w/ tb@ & beck@
|
| |
|
|
|
|
|
|
|
| |
While normal calls return 0 for error and npubk for success, there is a
case where it returns the usual 1/0 thing. Make that explicit.
Prompted by a report by Niels Dossche
ok jsing kenjiro
|
| |
|
|
|
|
|
| |
This has been incorrectly documented since forever. The function only ever
returned 0/1.
ok jsing kenjiro
|
| |
|
|
| |
ok jsing kenjiro
|
| |
|
|
|
|
| |
The subsequent EVP_{Decrypt,Encrypt}Init_ex() calls already do that.
pointed out by jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Explicitly compare pointers against NULL, turn the function into single
exit, add hint at why npubk <= 0 or pubk == NULL are a success path:
The documentation briefly explains that EVP_OpenInit() and EVP_SealInit()
is able to initialize the EVP_CIPHER_CTX in two steps exactly like the
EVP_CipherInit_ex() API they wrap: the first call with non-NULL cipher
(aka type) only sets the cipher on the ctx, then it returns to allow
callers to customize the EVP_CIPHER_CTX, and a second call with
cipher == NULL skips the initialization and finishes the ctx setup
by setting key and iv.
Prompted by a report by Niels Dossche.
ok jsing kenjiro
|
| |
|
|
|
|
|
|
| |
It is documented that EVP_SealInit() returns 0 on error. So -1 is wrong.
Reported by Niels Dossche
ok jsing kenjiro
|
| |
|
|
|
|
|
|
|
| |
Explicitly compare pointers against NULL, turn the function into single
exit and explain why priv == NULL is a success (hint: muppet API).
Prompted by a report by Niels Dossche.
ok jsing kenjiro
|
| |
|
|
|
|
|
|
|
|
| |
A malformed v2 signing cert can lead to a type confusion, and the result
is a read from an invalid memory address or NULL, so a crash. Unlike for
OpenSSL, v1 signing certs aren't affected since miod fixed this in '14.
Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-69420.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
A type confusion can lead to a 1-byte read at address 0x00-0xff, so a
crash.
Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-22795
ok jsing
|
| |
|
|
|
|
|
|
| |
Avoids a NULL pointer dereference triggerable by a malformed PCKS#12 file.
From Luigino Camastra via OpenSSL (CVE-2025-69421)
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
gcc is extremely fussy about register naming and insists on q and s naming
for the ARM CE SHA instructions, even though they're referring to the same
register (while LLVM just figures it out). Work around this by mapping
registers to their required variant at usage and defining a handful of
mappings between v registers and alternate names/views.
This is still somewhat ugly, but seems to be one of the cleaner options
that will allow portable to enable SHA assembly on platforms that use gcc.
ok kenjiro@ tb@
|
| |
|
|
|
| |
Remove unnecessary separators and add a few to macros that call other
macros (instead of expecting them to exist).
|
| |
|
|
| |
ok beck
|
| |
|
|
|
|
|
|
| |
There is no intention to expose these via public API or to use them in TLS.
For now these will only be used for short-circuiting pointless expensive
computations in DH_check().
ok beck
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The latest release of Scapy calls DH_check() on all the well-known
Diffie-Hellman parameters for RFCs 2409, 3526, and 7919. It does this
via pyca/cryptography at startup. Every single time. This is obviously
very expensive, due to our 64 MR rounds (which are complete overkill
now that we have BPSW). Instead of pondering the ideal number of rounds
for BPSW with FFDH, simply skip the check if the parameter matches a
well-known prime. These are known to be safe primes, so we can skip
those super-expensive and pointless checks without any risk.
This is only done for the public dh->p parameter. It could be further
optimized, but with the follow-up commit adding the RFC 7919 primes this
reduces the startup time to what it was before Scapy 2.7.0: < 1s.
Reverting from 64 MR rounds to BN_check_primes rounds, we would still
have ~8s startup time without this optimization, which isn't great for
an interactive tool.
Clearly, it's not entirely our fault, it's also Scapy and cryptography
that do something ... suboptimal, but I think we're better off if
DH_check() isn't a complete DoS vector. If you're using non-standard
parameters with FFDH, you deserve it.
We could consider adding a flag for non-well-known p and thus making
DH_check() indicate failure for candidate primes larger than, say, 4k.
https://github.com/pyca/cryptography/issues/14048
ok beck kenjiro
|
| |
|
|
|
|
|
|
| |
This removes some complications due to handling the fast path for affine
points and general points at the same time. The result is a bit more code
but both paths should be much easier to follow.
ok jsing kenjiro
|
| |
|
|
|
|
|
|
|
|
| |
The prototypes used sized arrays appropriate only for MLKEM768 while the
declarations used pointers. For some reason clang doesn't flag this but
gcc does. In any case it was wrong. The callers of these functions check
that they pass in the correct size. Which is weird but the mlkem directory
has an unbelievable amount of mess and bad code.
found by/ok jsing
|
| |
|
|
|
|
|
| |
These are flagged by more recent gcc since declarations and definitions
don't match (sized array vs pointer). Also an array was checked for NULL.
found by/ok jsing
|
| |
|
|
|
|
|
|
|
| |
Make life easier for portable by providing LIBRESSL_USE_.*_ASSEMBLY
defines, which enable/disable assembly for a specific algorithm. This
means that selected platforms can include the assembly files and specify
a define, rather than having to try to patch the crypto_arch.h headers.
Discussed with tb@
|
| |
|
|
|
| |
Use the same pattern that is now used for most other code - provide
HAVE_MD5_BLOCK_DATA_ORDER and use this to selectively enable source code.
|
| |
|
|
|
| |
Use the same pattern that is now used for most other code - provide HAVE_*
defines for functions and use these to selectively enable source code.
|
