IABSD.fr/src/lib

Log

Commit Date Message
a9b4b4b8 2026-05-16 08:20:41 Introduce and use dtls12_handshake_msg. Add struct dtls12_handshake_msg and various related functions, which allow for the construction of DTLS handshake messages and associated fragments. Use this on the DTLS write path for sending handshake message fragments. This means that we no longer modify the init buffer, which also fixes a bug where the message callback is called with a corrupted handshake message when multiple fragments have been sent. We also now correctly track fragment offsets when sending a handshake message that results in multiple calls to dtls1_do_write_handshake_message(). This is the first step towards further untangling of the write path in the legacy TLS stack. ok kenjiro@ tb@
21ec3d9e 2026-05-16 07:12:27 x509_prn: zap more than useless comments
23bf55ed 2026-05-16 07:10:30 x509_prn: hoist unknown_ext_print() above its only caller; drop prototype
47603321 2026-05-16 07:06:35 asn1_print_obstring_ctx: cast to const char * rather than char * Another call to BIO_dump_indent() that cast away const for no good reason.
6e75a92b 2026-05-16 06:30:53 unknown_ext_print: avoid casting away const The BIO_dump_indent() API masterpiece expects a const char pointer as input. Don't cast away const when suppressing pointer sign warnings. Prompted by a report by N. Dossche ok kenjiro
d0081f8f 2026-05-16 06:27:05 Ensure X509V3_EXT_print() only returns 0 and 1 In a rare mistake by schwarze, X509V3_EXT_print() is documented to return 0 and 1. This is also what most internal callers expect. However, if either X509V3_EXT_DUMP_UNKNOWN or X509V3_EXT_PARSE_UNKNOWN is set, the extension has an unknown NID or on failure to deserialize the extension value, the return values of BIO_dump_indent() (which is number of bytes written or -1 on error) and ASN1_parse_dump() (which is 0, 1, or 2 on EOC) are propagated. Follow what OpenSSL did and translate to Boolean returns. Error indicators are rather useless here since most errors are ignored anyway. Most callers do if (!X509V3_EXT_print(...)) but they also pass a zero flag. Reported by N. Dossche ok kenjiro
b3e8cfe5 2026-05-16 06:26:28 remove unused ssleay.cnf file; ok tb@
bf8adbcc 2026-05-16 06:17:05 ASN1{,_parse}_dump: document return value 2 on EOC Prompted by a report by N. Dossche ok kenjiro
b089cf41 2026-05-16 06:15:22 BIO_dump: Xr BIO_printf rather than BIO_write/fwrite Prompted by a report by N. Dossche ok kenjiro
bc456530 2026-05-15 13:56:16 incorrect test for error
bcab7b16 2026-05-15 04:55:45 correct mdoc macro ordering
3a78a8aa 2026-05-15 04:47:23 remove tab at end of line
8e47d2e8 2026-05-15 01:28:28 Insist on opening only regular files. (On OpenBSD, the directory case is handled by the kernel, but I want to stop other weird stuff) ok millert, dgl
0e67b3de 2026-05-15 00:39:21 Make __pledge_open(2) of /etc/localtime and /usr/share/zoneinfo much more strict. If /etc/localtime is a symbolic link, allow one translation which must land cleanly in /usr/share/zoneinfo (.. is checked for) otherwise error with EACCES. In /usr/share/zoneinfo, do not allow symbolic links and error with ELOOP. Alfredo Ortega observed the non-strict handling, but agrees no specific exploitability exists. Changing this took almost a month with many discarded prototypes. ok beck dgl
0d274ac1 2026-05-14 11:00:10 Sync cert.pem with mozilla roots; quite a few CA certificates were either removed or distrusted for web so are removed here. ok tb@

Common policies (moz, google, ca/b) are now to distrust roots with key material created before a certain time (currently 2008, this rolls forwards by 2 years each April until 2029 when it moves to '15 years from creation'), and also roots used for TLS are not permitted to be shared with other purposes (Secure Email, Code Signing, or others).

This removes all root certificates from the following CA operators:

-AffirmTrust
- /C=US/O=AffirmTrust/CN=AffirmTrust Commercial
- /C=US/O=AffirmTrust/CN=AffirmTrust Networking
- /C=US/O=AffirmTrust/CN=AffirmTrust Premium
- /C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC

-Firmaprofesional SA
- /C=ES/O=Firmaprofesional SA/2.5.4.97=VATES-A62634068/CN=FIRMAPROFESIONAL CA ROOT-A WEB

-SecureTrust Corporation
- /C=US/O=SecureTrust Corporation/CN=Secure Global CA
- /C=US/O=SecureTrust Corporation/CN=SecureTrust CA

-TeliaSonera
- /O=TeliaSonera/CN=TeliaSonera Root CA v1

-Trustwave Holdings, Inc.
- /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority
- /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority
- /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority

-certSIGN
- /C=RO/O=certSIGN/OU=certSIGN ROOT CA

-e-commerce monitoring GmbH
- /C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020

...and some but not all root certificates from these (the ones without - are still remaining):

COMODO CA Limited
- /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
  /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
  /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

Dhimyotis
- /C=FR/O=Dhimyotis/CN=Certigna
  /C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA

DigiCert Inc
- /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2
  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G3
- /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G3
- /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4

Entrust, Inc.
- /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
- /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - EC1
  /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority

Google Trust Services LLC
  /C=US/O=Google Trust Services LLC/CN=GTS Root R1
- /C=US/O=Google Trust Services LLC/CN=GTS Root R2
  /C=US/O=Google Trust Services LLC/CN=GTS Root R3
  /C=US/O=Google Trust Services LLC/CN=GTS Root R4

QuoVadis Limited
  /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3
- /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
  /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
- /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
  /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 G3

SwissSign AG
- /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
  /C=CH/O=SwissSign AG/CN=SwissSign RSA TLS Root CA 2022 - 1

This is based on changes hitting the Mozilla release branch https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt but the individual commits are easier to see here: https://hg-edge.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
9f9eafea 2026-05-13 14:45:38 strict localtime / zoneinfo __pledge_open() behaviours coming soon
104c6742 2026-05-12 19:16:16 Update libexpat to version 2.8.1. Relevant for OpenBSD are security fixes #1216, other changes #1209. Library bump is not necessary. CVE-2026-45186 OK tb@
44680a3d 2026-05-12 16:01:15 ibuf_set_maxsize() needs to ensure that the invariants are upheld by checking also that wpos and size are not bigger than the new max. If wpos is bigger fail hard, for size the allocation may have been used before and so do an explicit_bzero() to clear the extra memory out. OK tb@
a9d2f8a3 2026-05-12 15:14:41 check_sym: do not run output commands twice ok guenther@
95317e4b 2026-05-12 15:07:30 Add a guarded .note.GNU-stack section to crypto assembly files. Add a .note.GNU-stack section to avoid ending up with an executable stack on toolchains that believe we should have an executable stack by default. Reported by ruuda on Github. Discussed with tb@
cd8e3297 2026-05-11 22:41:23 Update libexpat to version 2.8.0 Relevant for OpenBSD are other changes #1201 #1189 #1203 #1204 #1194 #1202 #1187 #1192 #1171 #1170. Minor library bump is necessary as XML_SetHashSalt16Bytes() has been added. Security fixes have been backported in previous commit. OK tb@
955e2d57 2026-05-11 13:08:52 For clarity, improve the __pledge_open documentation
3e8b0da3 2026-05-10 10:35:20 Slightly adjust BUGS section for X509_addr_add_range() Since x509_addr.c r1.95 X509_addr_add_range() clears the unused bits in the maximum, so this is only true in some implementations.
3013aa33 2026-05-09 19:39:14 libc: declare _hwcap and related variables as hidden ok tb@ deraadt@
177318a7 2026-05-09 11:45:50 libssl: record extension lengths in ClientHello hashing The ClientHello hash is intended to ensure that the second CH after an HRR only makes the allowed changes to the TLS extensions by recording message type followed by the raw extension data if it must remain unchanged. This makes it possible (in principle) that part of free form extension data is confused with type (and length) information of a subsequent extension. Recording the length after the type prevents such a confusion and fixes the framing of the extensions. Found by Frank Denis ok jsing
faf182d3 2026-05-09 11:29:51 ssl_lib: trade two extra empty lines for a missing one
a1505993 2026-05-09 10:52:02 PKCS#12: fix erroneous error check in PKCS12_newpass() This is an error I introduced in a refactoring two years ago in r1.20. This means that nothing uses this... From Frank Denis via logan
84482c2d 2026-05-09 07:14:42 Use uint32_t instead of SHA_LONG in the SHA-256 code. This is more readable and we already have a compile time assert that they are the same size. ok tb@
f35adb27 2026-05-09 07:12:51 Use W rather than X for the SHA-256 message schedule. This more closely matches the SHA-256 specification in FIPS 180-4. ok tb@
7b35a4fe 2026-05-09 07:11:05 Use consistent variable names in the sha256 code. Use 'ctx' rather than 'c' for the SHA256_CTX and use data/len rather than d/n. ok kenjiro@ tb@
0eb29a10 2026-05-09 07:08:43 Use crypto_add_u32dw_u64() to increment SHA-256 message bit counter. ok kenjiro@ tb@
dcbba1f6 2026-05-09 07:03:49 Correct argument type for SHA context. These are SHA_CTX not SHA256_CTX.
ca56b5a4 2026-05-09 07:02:29 Correct argument type in comments.
61a495c8 2026-05-09 01:54:51 Avoid recursive cleanup in getrrsetbyname() Instead of freeing struct dns_query and struct dns_rr by walking the linked lists recursively, use a simple loop. This avoids a possible stack exhaustion unlikely to be reachable with the limits modern resolvers impose. From Dhiraj Mishra ok djm
b751158f 2026-05-08 14:30:57 Adapt the negative seek fix from rev 1.8 of open_memstream.c
68af95de 2026-05-08 05:15:20 remove bogus ifdefs; ok tb@
09c0e9f1 2026-05-08 04:28:28 x509_purp: fix doc comment for check_ca() This comment has gotten out of sync with reality. The "I don't know..." fallback was removed and a special case for netscape CAs was added. Sync from the manual and add some more details. Pointed out by Maximilian Radoy in https://github.com/libressl/portable/issues/1274 ok kenjiro
dfc436a2 2026-05-07 18:22:26 A collection of AI-assisted reports come from Frank Denis, which says that the YP getgrent code when doing YP operations has a group of buffer mismanagement issues which in the reports are labelled 'high severity'. This fixes the buffer checks. The big question to ask is this: Is a malicious YP server going to send you messages that exercise a buffer overflow codepath, or are they going to send you perfectly correct messages containing wrong group members? The old-school ypserv model was that you run ypserv on a "trusted network" segment, which today is laughable but it matched operations in that era. (Our) new operational model is that ypbind is reached with a custom system call and provides trusted path to an on-host ypserv, which is more likely to be the ypldap(8) LDAP schema to YP protocol converter. If a YP server is broken and sending bad messages, THIS code is the least of your worries. High severity? No. ok millert jmatthew
59d7872a 2026-05-07 18:21:27 A collection of AI-assisted reports come from Frank Denis, which says that the YP getpwent code when doing YP operations has a group of buffer mismanagement issues which in the reports are labelled 'high severity'. This fixes the buffer checks. In reality, the memory being operated on is always a full page so the overflow onto unmanaged memory is hard to see as a risk. The big question to ask is this: Is a malicious YP server going to send you messages that exercise a buffer overflow codepath, or are they going to send you perfectly correct messages containing :0:0: ? The old-school ypserv model was that you run ypserv on a "trusted network" segment, which today is laughable but it matched operations in that era. (Our) new operational model is that ypbind is reached with a custom system call and provides trusted path to an on-host ypserv, which is more likely to be the ypldap(8) LDAP schema to YP protocol converter. If a YP server is broken and sending bad messages, THIS code is the least of your worries. High severity? No. ok millert jmatthew
834364c0 2026-05-07 17:59:56 In the yp_next() case, on error the key memory is leaked. Hiding in an unrelated diff from Frank Denis ok millert jmatthew
ef976b65 2026-05-07 15:50:47 Use macros for global functions and objects within SHA assembly. This lets us remove some of the repetitive statements and allows for them to be adjusted for various platforms. ok kenjiro@ tb@
eaa7a734 2026-05-07 15:41:37 Use defines for symbol offsets in aarch64 assembly. These also vary between platforms. ok kenjiro@ tb@
94719c1d 2026-05-07 15:40:33 Use defines for text and rodata section names in SHA assembly. These vary between platforms. ok kenjiro@ tb@
c4e88d03 2026-05-07 15:38:03 Use a define based instruction separator in SHA assembly. Unfortunately, not all assemblers use the same instruction separator. In particular, LLVM on macOS uses %% as an instruction separator, while most other assemblers use a semi-colon. ok kenjiro@ tb@
3699ef32 2026-05-07 14:51:20 Include the padding length when testing the remaining bytes in an octet string, to prevent a size_t underflow on a malformed packet and make us run into infinity. Same diff as for snmpd
eea3785c 2026-05-06 15:06:35 Get rid of struct dtls1_retransmit_state. In order to retransmit DTLS messages we potentially need to use the record protection from a previous epoch. However, DTLS currently also saves and restores the session, which is unnecessary - all of the record protection and keys are handled in the TLS record layer. Remove the rather useless dtls1_retransmit_state struct and just keep the epoch - keeping pointers hanging around to sessions is pretty nasty and unnecessary. ok kenjiro@ tb@
501fc80d 2026-05-06 15:02:51 Avoid use of uninitialised decode_error variable. Pull initialisation of decode_error and invalid_key up to tls_key_share_{client,server}_peer_public(), which are the entry points for the key share code. The entry point was previously tls_key_share_peer_public(), however with the introduction of MLKEM this was split into separate client and server functions, without the initialisation being included. Also initialise decode_error and invalid_params on entry to tls_key_share_peer_params(). Code that reaches tls_key_share_client_peer_public_mlkem768x25519() could previously result in code branching based on decode_error, which is uninitialised stack based memory. Thanks to Guido Vranken of Aisle Research for reporting this issue. With and ok tb@
881e5316 2026-05-06 02:54:35 Size is the number of wide characters, not the number of bytes. The correct amount of memory was allocated but the stored size did not match the allocation due to being multiplied by sizeof(wchar_t). Spotted by Frank Denis using the Swival Security Scanner OK deraadt@
e504a2af 2026-05-04 20:44:36 mlkem: also zero the failure_key from logan https://github.com/libressl/openbsd/pull/154
3aaacd8a 2026-05-04 13:55:20 verifier: re-enable the callback override for depth kirill reported that his nginx reverse proxy setup stopped working with x509_verify.c r1.74 and r1.75. It turns out that nginx relies on a verify callback that always returns 1. In revision 1.74 we removed the possibility of the verify_cb() to override X509_V_ERR_CERT_CHAIN_TOO_LONG, which is what breaks the config in kirill's setup since it used to use the nginx default of setting the depth to 1. Re-enable this to make the new scenario "2a with depth 1 and depth callback" pass. As shown by the other new test scenario "14b with yolo callback" with a "just say yes" cb, the guard added in r1.74 still prevents the overwrite. This makes kirill's reproducer work as verified by kirill and myself. It was also tested by kirill in the real life setup. discussed with beck ok jsing kenjiro
f47ae624 2026-05-02 03:20:45 correct history; endfsent(), getfsfile(), getfsspec(), and setfsent() appeared in 4BSD
cdbf859d 2026-05-02 03:05:31 correct history, getdiskbyname() appeared in 4.2BSD
bedf3632 2026-05-01 11:25:21 correct history, dirfd() did not appear until tahoe
03308499 2026-04-30 15:38:52 Refactor dtls1_do_write_handshake_message(). If the call to dtls1_write_bytes() fails, handle the potential MTU update and return/continue, which allows for the remainder to be moved out of an else statement. ok kenjiro@ tb@
04e2410c 2026-04-29 18:07:41 Backport fixes from libexpat version 2.8.0. Relevant for OpenBSD are security fixes #47 #1183. Library bump is not necessary. CVE-2026-41080 OK tb@
a5bdb2b8 2026-04-29 15:13:27 Split dtls1_do_write() into handshake message and CCS handling. dtls1_do_write() is currently a single function that handles both handshake messages and CCS. This is a strange mix that only serves to complicate the code - handshake messages have their own headers and may need to be fragmented, while CCS must be sent verbatim (and only contain a single byte). Pull the CCS part out into a separate function, simplifying the code. By definition, when sending a CCS message the MTU will already be set appropriately. ok kenjiro@ tb@
75ec6d5b 2026-04-29 15:04:15 Avoid unnecessary lookups in dtls1_retransmit_message(). dtls1_retransmit_buffered_messages() is iterating over the sent_messages pqueue, only to pass dtls1_retransmit_message() a sequence number that it turns back into a priority, to then do a lookup on the sent_messages pqueue. This is pointless given that we already have the message that we need to retransmit - just pass that to dtls1_retransmit_message() directly. ok kenjiro@ tb@
1cee6617 2026-04-29 15:00:53 Remove unused frag_off argument from dtls1_retransmit_message(). ok kenjiro@ tb@
2b72bffc 2026-04-29 14:59:26 Make dtls1_retransmit_message() static. This function is only called from dtls1_retransmit_buffered_messages(). Make it static and move it above the caller. ok kenjiro@ tb@
cd8a77e0 2026-04-29 14:57:29 Inline dtls1_fix_message_header(). This is only used in one place and it makes no sense to have it as a separate function. Furthermore, pull up an assertion so that we check before assigning frag_len. ok kenjiro@ tb@
2993de40 2026-04-29 14:55:21 Convert DTLS code to ssl_msg_callback(). ok kenjiro@ tb@
7697f431 2026-04-28 15:36:52 Escape is octal 33, not 27 (which is escape in decimal) From Eric Mulholland
80ba1745 2026-04-26 17:58:58 make_addressRange: unused bits in max must be zero X509v3_addr_add_range() requires that min and max of an address range have network encoding. In the RFC 3779 encoding of an actual address range (as opposed to a prefix) as a SEQUENCE OF two ASN.1 BIT STRINGs, the trailing one bits of the maximum become unused bits and therefore must be DER encoded as zeroes. The DER encoder will clear them via i2d but these trailing ones are annoying. Make a copy in which the unused bits are cleared. ok kenjiro
443952c0 2026-04-26 04:19:11 Fix PKCS7_set_{un,}signed_attributes() In both these functions, if the X509_ATTRIBUTE_dup() fails, the remainder of the sk stack is shared with p7si->{un,}auth_attr and the caller will likely end up freeing it twice. Fix this by writing another sk_deep_copy() patterned after the existing ones in x509_lu.c and x509_vpm.c. PKCS7_set_{un,}signed_attributes() become trivial wrappers of that. ok jsing kenjiro
7da61030 2026-04-25 10:54:30 pkcs7: drop silly use of i in PKCS7_dataVerify() ok jsing kenjiro
b239058e 2026-04-25 10:53:13 pkcs7: don't use i, j for NIDs in PKCS7_dataFinal() Use nid for NIDs and use i only for for loops. ok jsing kenjiro
66e0b98d 2026-04-25 10:50:50 pkcs7: don't use i and j for NIDs in PKCS7_dataDecode() There's no need to assign to i before the switch and j is a terrible name for a NID. Inline the latter and switch directly over the return value of OBJ_obj2nid(). ok jsing kenjiro
69950265 2026-04-25 10:48:59 pkcs7: avoid assignment to i in PKCS7_dataInit() We can switch over the return value of OBJ_obj2nid() rather than using i for an indirection. ok jsing kenjiro
6c5f0280 2026-04-25 10:30:11 pkcs7: Simplify PKCS7_type_is_other() Remove unnecessary isOther and nid variables and use direct returns. The function should probably be removed... ok jsing kenjiro
921eb3c3 2026-04-25 05:47:03 Add FIPS 180-4 references for SHA-256 constants.
a7010633 2026-04-24 15:10:20 Simplify PKCS7_get_issuer_and_serial() The i variable is unused. Likewise for the first assignment to ri. Instead of an incomplete check that idx is in range, which still results in a NULL deref if idx < 0, check if ri is not NULL before accessing, as sk_value() checks the index correctly. ok jsing kenjiro
b018fffb 2026-04-23 01:08:47 Fix difftime() result when it is passed a negative value We need to cast the result of bitwise AND to time_t before the cast to double in the HI and LO macros. Otherwise, we get a very large positive floating point value instead of a negative value. Reported by Xuntao Chi
9ce5d767 2026-04-20 08:14:29 mlkem: use <openssl/mlkem.h> instead of "mlkem.h" patch from portable
7c6fd3f2 2026-04-20 04:35:00 tls_keypair: add missing <limits.h> from bcook kenjiro
e0a2ac41 2026-04-20 04:26:12 ec_pmeth: fix 20yo comment: *outlen -> *keylen
5323d241 2026-04-17 06:23:09 cgetnext() in lib/libc/gen/getcap.c copies a record name into a stack buffer without bounds checking OK deraadt@
8b1d0754 2026-04-16 07:35:25 libtls: consistently handle allocation failures Use tls_set_errorx() or tls_error_setx() rather than the versions without x for TLS_ERROR_OUT_OF_MEMORY. ENOMEM adds no further info. From Michael Forney ok bcook
7d022cae 2026-04-16 07:33:11 libtls: use TLS_ERROR_OUT_OF_MEMORY after malloc failure tls_config_load_file() had a spot that used TLS_ERROR_UNKNOWN, so switch that to the usual error code. Use tls_error_setx() since strerror(ENOMEM) adds nothing. From Michael Forney ok bcook
e709fac2 2026-04-16 07:29:53 libtls: use tls_error_setx() after BIO_new_mem_buf() This is the only place where tls_error_set() was used. While the new length check now guarantees that the failure is due to ENOMEM, this info does not add value. From Michael Forney ok bcook
ddea2ef3 2026-04-16 07:28:00 libtls: prefer x version of error setting If a check fails and errno is not necessarily set by the previous API call use tls_set_errorx() or tls_error_setx() since turning an unrelated errno into an error string is unhelpful. From Michael Forney ok bcook
8d7a3d55 2026-04-16 05:16:48 libtls: add missing length checks before BIO_new_mem_buf() Like all proper libcrypto APIs, BIO_new_mem_buf() takes an int as a length argument. Check the size_t passed in to be at most INT_MAX to avoid issues with truncation and overflow like it's done everywhere else. After release this should probably be clamped down further since legitimate files (certs and keys) are nowhere near this large. Prompted by a diff by Michael Forney ok jsing
8928aa24 2026-04-15 00:20:28 Provide an example how to disambiguate mktime() return values OK beck@
0486237e 2026-04-13 17:04:23 Prior to this we substring matched and allowed a leading . on a SAN DNSname constraint. This is not correct, as with a DNSname constraint, it may exactly match or match zero or more additional components on the front of the candidate to match. Spotted by Haruto Kimura <hkimura2026@gmail.com> ok tb@ kenjiro@
a0d7485e 2026-04-13 16:01:54 Document RETURN value for timegm(3) APIs with in-band errors that conflate the error with a legitimate return value are about the worst you can get. Near and dear to my heart is the API aptly described as "gibbering eldritch horror" by beck: ASN1_INTEGER_get(3). Adapt the wording of its RETURN VALUES to timegm() and mktime(), for which Dec 31, 1969 at 23:59:59 will yield the error return -1 and thereby errata. Missing docs pointed out by claudio a while back and yesterday by deraadt ok deraadt millert
303c0c33 2026-04-12 09:31:01 remove .Bf matching .Ef removed in previous; fixes unintended bold
6018ae1d 2026-04-11 17:04:55 Before it is disabled, unveil allows you to override the settings on any vnode. A block of #if 0 code suggests this might be different. That can be deleted. This also shows one word "other" in the manual page is misleading. question asked by Stuart Thomas ok beck
6e2242fc 2026-04-08 12:08:25 Error with EISDIR when calling open(2) with O_CREAT when the last component of the path is an existing directory and O_DIRECTORY is not specified. This is required by recent versions of POSIX. We previously did not return an error. Flagged by Sortix os-test. committing on behalf of daniel@, partly based on FreeBSD changes ok guenther@ jsg@ deraadt@
4629ffe2 2026-04-08 11:36:40 mention O_CREAT and O_DIRECTORY error
15cb22fd 2026-04-08 05:30:20 Bump LibreSSL version for the release ok deraadt
4b39dd3d 2026-04-07 13:16:41 Rename labellen to label_len Requested by jsing, ok beck
2fc71f32 2026-04-07 13:15:29 Fix NULL deref for malformed OAEP parameters in CMS decryption This converts rsa_cms_decrypt() to use X509_ALGOR_get0() and fixes a NULL deref when a parameter is (invalidly) omitted similar to the fix in ec/ec_ameth.c r1.66 from a couple years back. There is currently an XXX annotating a hairy leak due to trying to be smart and stealing the parameters from the oaep object. Instead, just make a copy of the label string and free it in the exit path. The diff adds an error for labellen == 0 since that is an invalid encoding of pSpecifiedEmpty (see RFC 8017) -- per the DER the default must be omitted. This way we avoid a malloc(0) implementation-defined behavior. This minor issue was assigned CVE-2026-28390 by OpenSSL and was reported by too many to list. The fix is my own. It is similar to OpenSSL's fix only because I reviewed theirs and suggested an improvement or two. This is the last of the "security fixes" in today's OpenSSL release that "affect" LibreSSL. All the other bugs were already fixed a few years back or we didn't have the code/bugs in the first place. ok beck jsing
c74741bd 2026-04-07 13:02:50 Refactor and fix ocsp_find_signer_sk() Instead of reaching deep inside the OCSP_BASICRESP and ignoring its semantics and then try to untangle things in ocsp_find_signer_sk(), pass the OCSP_BASICRESP and use OCSP_resp_get0_id() which has the logic built in. Avoids a crash if you call OCSP_basic_verify() after OCSP_BASICRESP_new() without OCSP_basic_sign(). This cannot happen on a deserialized OCSP object. Prompted by a report by Kamil Frankowicz, Jan Kaminski, Bartosz Michalowski. ok jsing
9ad5b7ec 2026-04-07 12:52:19 Add a few to-do items to the crl_cb() Prompted by the "fix" fighting symptoms of misdesign in Delta CRL processing rather than addressing the root cause. Probably the best fix is to remove support for Indirect CRLs and Delta CRLs outright. ok jsing
842a6bbe 2026-04-07 12:48:37 Stop Delta CRL processing if a CRL number is missing A malformed Delta CRL could cause a crash. Funnily enough the deserializer recognizes this and marks such a CRL as invalid, but nothing ever checks the EXFLAG_INVALID for CRLs. For certificates this would usually result in verification failure due to x509v3_cache_extensions() failing. This is only reachable if the X509_V_FLAG_USE_DELTAS is used, which only a handful of ports do, plus openssl(1) does if you use the undocumented -use_deltas flag. Reported by Igor Morgenstern to OpenSSL who then sat on this since Jan 8 and assigned CVE-2026-28388. ok jsing
e7e66f06 2026-04-06 08:24:57 x509v3.h: remove pointless #ifdef HEADER_CONF_H x509v3.h has included conf.h since June 20, 1999, OpenSSL commit ba404b5e, so HEADER_CONF_H has been defined since then. Also since then, CONF_VALUE (only available via conf.h) has been used outside of HEADER_CONF_H, making that #ifdef doubly pointless. ok bcook jsing kenjiro
1155ce2f 2026-04-06 08:18:19 cms_local.h: remove #ifdef X509V3_HEADER_H All thirteen files including cms_local.h do that after including cms.h, which already includes x509v3.h, so this is always defined. While here make the cms_local.h a bit more self-standing by including asn1.h and x509v3.h ok bcook jsing (who had the same diff) kenjiro
9340cd4a 2026-04-04 19:26:32 Fix hw.blockcpu sysctl variable name From Matthias Schmidt
a9ecf4b7 2026-04-03 14:16:38 Remove lib/libssl/test. This is all unhelpful historical cruft. Discussed with tb@
760e21a7 2026-04-03 13:11:00 Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability. We no longer support TLSv1.0 and definitely do not support SSLv3 - remove the empty fragments workaround for the CBC vulnerability in these protocols. ok kenjiro@ tb@
8da299b8 2026-04-03 12:58:19 Ensure that we cannot negotiate TLSv1.1 or lower. TLS versions prior to TLSv1.2 were disabled a while ago, however this was done in the version handling code. Remove TLSv1.1 and earlier from ssl_get_method() and add an explicit min version check in the legacy client and server, to provide a stronger guarantee. ok kenjiro@ tb@