| Commit | Date | Message |
|---|---|---|
| a9b4b4b8 | 2026-05-16 08:20:41 | Introduce and use dtls12_handshake_msg. Add struct dtls12_handshake_msg and various related functions, which allow for the construction of DTLS handshake messages and associated fragments. Use this on the DTLS write path for sending handshake message fragments. This means that we no longer modify the init buffer, which also fixes a bug where the message callback is called with a corrupted handshake message when multiple fragments have been sent. We also now correctly track fragment offsets when sending a handshake message that results in multiple calls to dtls1_do_write_handshake_message(). This is the first step towards further untangling of the write path in the legacy TLS stack. ok kenjiro@ tb@ |
| 21ec3d9e | 2026-05-16 07:12:27 | x509_prn: zap more than useless comments |
| 23bf55ed | 2026-05-16 07:10:30 | x509_prn: hoist unknown_ext_print() above its only caller; drop prototype |
| 47603321 | 2026-05-16 07:06:35 | asn1_print_obstring_ctx: cast to const char * rather than char * Another call to BIO_dump_indent() that cast away const for no good reason. |
| 6e75a92b | 2026-05-16 06:30:53 | unknown_ext_print: avoid casting away const The BIO_dump_indent() API masterpiece expects a const char pointer as input. Don't cast away const when suppressing pointer sign warnings. Prompted by a report by N. Dossche ok kenjiro |
| d0081f8f | 2026-05-16 06:27:05 | Ensure X509V3_EXT_print() only returns 0 and 1 In a rare mistake by schwarze, X509V3_EXT_print() is documented to return 0 and 1. This is also what most internal callers expect. However, if either X509V3_EXT_DUMP_UNKNOWN or X509V3_EXT_PARSE_UNKNOWN is set, the extension has an unknown NID or on failure to deserialize the extension value, the return values of BIO_dump_indent() (which is number of bytes written or -1 on error) and ASN1_parse_dump() (which is 0, 1, or 2 on EOC) are propagated. Follow what OpenSSL did and translate to Boolean returns. Error indicators are rather useless here since most errors are ignored anyway. Most callers do if (!X509V3_EXT_print(...)) but they also pass a zero flag. Reported by N. Dossche ok kenjiro |
| b3e8cfe5 | 2026-05-16 06:26:28 | remove unused ssleay.cnf file; ok tb@ |
| bf8adbcc | 2026-05-16 06:17:05 | ASN1{,_parse}_dump: document return value 2 on EOC Prompted by a report by N. Dossche ok kenjiro |
| b089cf41 | 2026-05-16 06:15:22 | BIO_dump: Xr BIO_printf rather than BIO_write/fwrite Prompted by a report by N. Dossche ok kenjiro |
| bc456530 | 2026-05-15 13:56:16 | incorrect test for error |
| bcab7b16 | 2026-05-15 04:55:45 | correct mdoc macro ordering |
| 3a78a8aa | 2026-05-15 04:47:23 | remove tab at end of line |
| 8e47d2e8 | 2026-05-15 01:28:28 | Insist on opening only regular files. (On OpenBSD, the directory case is handled by the kernel, but I want to stop other weird stuff) ok millert, dgl |
| 0e67b3de | 2026-05-15 00:39:21 | Make __pledge_open(2) of /etc/localtime and /usr/share/zoneinfo much more strict. If /etc/localtime is a symbolic link, allow one translation which must land cleanly in /usr/share/zoneinfo (.. is checked for) otherwise error with EACCES. In /usr/share/zoneinfo, do not allow symbolic links and error with ELOOP. Alfredo Ortega observed the non-strict handling, but agrees no specific exploitability exists. Changing this took almost a month with many discarded prototypes. ok beck dgl |
| 0d274ac1 | 2026-05-14 11:00:10 | Sync cert.pem with mozilla roots; quite a few CA certificates were either removed or distrusted for web so are removed here. ok tb@ Common policies (moz, google, ca/b) are now to distrust roots with key material created before a certain time (currently 2008, this rolls forwards by 2 years each April until 2029 when it moves to '15 years from creation'), and also roots used for TLS are not permitted to be shared with other purposes (Secure Email, Code Signing, or others). This removes all root certificates from the following CA operators: -AffirmTrust - /C=US/O=AffirmTrust/CN=AffirmTrust Commercial - /C=US/O=AffirmTrust/CN=AffirmTrust Networking - /C=US/O=AffirmTrust/CN=AffirmTrust Premium - /C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC -Firmaprofesional SA - /C=ES/O=Firmaprofesional SA/2.5.4.97=VATES-A62634068/CN=FIRMAPROFESIONAL CA ROOT-A WEB -SecureTrust Corporation - /C=US/O=SecureTrust Corporation/CN=Secure Global CA - /C=US/O=SecureTrust Corporation/CN=SecureTrust CA -TeliaSonera - /O=TeliaSonera/CN=TeliaSonera Root CA v1 -Trustwave Holdings, Inc. - /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority - /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority - /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority -certSIGN - /C=RO/O=certSIGN/OU=certSIGN ROOT CA -e-commerce monitoring GmbH - /C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020 ...and some but not all root certificates from these (the ones without - are still remaining): COMODO CA Limited - /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority Dhimyotis - /C=FR/O=Dhimyotis/CN=Certigna /C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA DigiCert Inc - /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G3 - /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G3 - /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4 Entrust, Inc. - /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2 - /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - EC1 /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority Google Trust Services LLC /C=US/O=Google Trust Services LLC/CN=GTS Root R1 - /C=US/O=Google Trust Services LLC/CN=GTS Root R2 /C=US/O=Google Trust Services LLC/CN=GTS Root R3 /C=US/O=Google Trust Services LLC/CN=GTS Root R4 QuoVadis Limited /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3 - /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3 - /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 G3 SwissSign AG - /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2 /C=CH/O=SwissSign AG/CN=SwissSign RSA TLS Root CA 2022 - 1 This is based on changes hitting the Mozilla release branch https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt but the individual commits are easier to see here: https://hg-edge.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt |
| 9f9eafea | 2026-05-13 14:45:38 | strict localtime / zoneinfo __pledge_open() behaviours coming soon |
| 104c6742 | 2026-05-12 19:16:16 | Update libexpat to version 2.8.1. Relevant for OpenBSD are security fixes #1216, other changes #1209. Library bump is not necessary. CVE-2026-45186 OK tb@ |
| 44680a3d | 2026-05-12 16:01:15 | ibuf_set_maxsize() needs to ensure that the invariants are upheld by checking also that wpos and size are not bigger than the new max. If wpos is bigger fail hard, for size the allocation may have been used before and so do an explicit_bzero() to clear the extra memory out. OK tb@ |
| a9d2f8a3 | 2026-05-12 15:14:41 | check_sym: do not run output commands twice ok guenther@ |
| 95317e4b | 2026-05-12 15:07:30 | Add a guarded .note.GNU-stack section to crypto assembly files. Add a .note.GNU-stack section to avoid ending up with an executable stack on toolchains that believe we should have an executable stack by default. Reported by ruuda on Github. Discussed with tb@ |
| cd8e3297 | 2026-05-11 22:41:23 | Update libexpat to version 2.8.0 Relevant for OpenBSD are other changes #1201 #1189 #1203 #1204 #1194 #1202 #1187 #1192 #1171 #1170. Minor library bump is necessary as XML_SetHashSalt16Bytes() has been added. Security fixes have been backported in previous commit. OK tb@ |
| 955e2d57 | 2026-05-11 13:08:52 | For clarity, improve the __pledge_open documentation |
| 3e8b0da3 | 2026-05-10 10:35:20 | Slightly adjust BUGS section for X509_addr_add_range() Since x509_addr.c r1.95 X509_addr_add_range() clears the unused bits in the maximum, so this is only true in some implementations. |
| 3013aa33 | 2026-05-09 19:39:14 | libc: declare _hwcap and related variables as hidden ok tb@ deraadt@ |
| 177318a7 | 2026-05-09 11:45:50 | libssl: record extension lengths in ClientHello hashing The ClientHello hash is intended to ensure that the second CH after an HRR only makes the allowed changes to the TLS extensions by recording message type followed by the raw extension data if it must remain unchanged. This makes it possible (in principle) that part of free form extension data is confused with type (and length) information of a subsequent extension. Recording the length after the type prevents such a confusion and fixes the framing of the extensions. Found by Frank Denis ok jsing |
| faf182d3 | 2026-05-09 11:29:51 | ssl_lib: trade two extra empty lines for a missing one |
| a1505993 | 2026-05-09 10:52:02 | PKCS#12: fix erroneous error check in PKCS12_newpass() This is an error I introduced in a refactoring two years ago in r1.20. This means that nothing uses this... From Frank Denis via logan |
| 84482c2d | 2026-05-09 07:14:42 | Use uint32_t instead of SHA_LONG in the SHA-256 code. This is more readable and we already have a compile time assert that they are the same size. ok tb@ |
| f35adb27 | 2026-05-09 07:12:51 | Use W rather than X for the SHA-256 message schedule. This more closely matches the SHA-256 specification in FIPS 180-4. ok tb@ |
| 7b35a4fe | 2026-05-09 07:11:05 | Use consistent variable names in the sha256 code. Use 'ctx' rather than 'c' for the SHA256_CTX and use data/len rather than d/n. ok kenjiro@ tb@ |
| 0eb29a10 | 2026-05-09 07:08:43 | Use crypto_add_u32dw_u64() to increment SHA-256 message bit counter. ok kenjiro@ tb@ |
| dcbba1f6 | 2026-05-09 07:03:49 | Correct argument type for SHA context. These are SHA_CTX not SHA256_CTX. |
| ca56b5a4 | 2026-05-09 07:02:29 | Correct argument type in comments. |
| 61a495c8 | 2026-05-09 01:54:51 | Avoid recursive cleanup in getrrsetbyname() Instead of freeing struct dns_query and struct dns_rr by walking the linked lists recursively, use a simple loop. This avoids a possible stack exhaustion unlikely to be reachable with the limits modern resolvers impose. From Dhiraj Mishra ok djm |
| b751158f | 2026-05-08 14:30:57 | Adapt the negative seek fix from rev 1.8 of open_memstream.c |
| 68af95de | 2026-05-08 05:15:20 | remove bogus ifdefs; ok tb@ |
| 09c0e9f1 | 2026-05-08 04:28:28 | x509_purp: fix doc comment for check_ca() This comment has gotten out of sync with reality. The "I don't know..." fallback was removed and a special case for netscape CAs was added. Sync from the manual and add some more details. Pointed out by Maximilian Radoy in https://github.com/libressl/portable/issues/1274 ok kenjiro |
| dfc436a2 | 2026-05-07 18:22:26 | A collection of AI-assisted reports come from Frank Denis, which says that the YP getgrent code when doing YP operations has a group of buffer mismanagement issues which in the reports are labelled 'high severity'. This fixes the buffer checks. The big question to ask is this: Is a malicious YP server going to send you messages that exercise a buffer overflow codepath, or are they going to send you perfectly correct messages containing wrong group members? The old-school ypserv model was that you run ypserv on a "trusted network" segment, which today is laughable but it matched operations in that era. (Our) new operational model is that ypbind is reached with a custom system call and provides trusted path to an on-host ypserv, which is more likely to be the ypldap(8) LDAP schema to YP protocol converter. If a YP server is broken and sending bad messages, THIS code is the least of your worries. High severity? No. ok millert jmatthew |
| 59d7872a | 2026-05-07 18:21:27 | A collection of AI-assisted reports come from Frank Denis, which says that the YP getpwent code when doing YP operations has a group of buffer mismanagement issues which in the reports are labelled 'high severity'. This fixes the buffer checks. In reality, the memory being operated on is always a full page so the overflow onto unmanaged memory is hard to see as a risk. The big question to ask is this: Is a malicious YP server going to send you messages that exercise a buffer overflow codepath, or are they going to send you perfectly correct messages containing :0:0: ? The old-school ypserv model was that you run ypserv on a "trusted network" segment, which today is laughable but it matched operations in that era. (Our) new operational model is that ypbind is reached with a custom system call and provides trusted path to an on-host ypserv, which is more likely to be the ypldap(8) LDAP schema to YP protocol converter. If a YP server is broken and sending bad messages, THIS code is the least of your worries. High severity? No. ok millert jmatthew |
| 834364c0 | 2026-05-07 17:59:56 | In the yp_next() case, on error the key memory is leaked. Hiding in an unrelated diff from Frank Denis ok millert jmatthew |
| ef976b65 | 2026-05-07 15:50:47 | Use macros for global functions and objects within SHA assembly. This lets us remove some of the repetitive statements and allows for them to be adjusted for various platforms. ok kenjiro@ tb@ |
| eaa7a734 | 2026-05-07 15:41:37 | Use defines for symbol offsets in aarch64 assembly. These also vary between platforms. ok kenjiro@ tb@ |
| 94719c1d | 2026-05-07 15:40:33 | Use defines for text and rodata section names in SHA assembly. These vary between platforms. ok kenjiro@ tb@ |
| c4e88d03 | 2026-05-07 15:38:03 | Use a define based instruction separator in SHA assembly. Unfortunately, not all assemblers use the same instruction separator. In particular, LLVM on macOS uses %% as an instruction separator, while most other assemblers use a semi-colon. ok kenjiro@ tb@ |
| 3699ef32 | 2026-05-07 14:51:20 | Include the padding length when testing the remaining bytes in an octet string, to prevent a size_t underflow on a malformed packet and make us run into infinity. Same diff as for snmpd |
| eea3785c | 2026-05-06 15:06:35 | Get rid of struct dtls1_retransmit_state. In order to retransmit DTLS messages we potentially need to use the record protection from a previous epoch. However, DTLS currently also saves and restores the session, which is unnecessary - all of the record protection and keys are handled in the TLS record layer. Remove the rather useless dtls1_retransmit_state struct and just keep the epoch - keeping pointers hanging around to sessions is pretty nasty and unnecessary. ok kenjiro@ tb@ |
| 501fc80d | 2026-05-06 15:02:51 | Avoid use of uninitialised decode_error variable. Pull initialisation of decode_error and invalid_key up to tls_key_share_{client,server}_peer_public(), which are the entry points for the key share code. The entry point was previously tls_key_share_peer_public(), however with the introduction of MLKEM this was split into separate client and server functions, without the initialisation being included. Also initialise decode_error and invalid_params on entry to tls_key_share_peer_params(). Code that reaches tls_key_share_client_peer_public_mlkem768x25519() could previously result in code branching based on decode_error, which is uninitialised stack based memory. Thanks to Guido Vranken of Aisle Research for reporting this issue. With and ok tb@ |
| 881e5316 | 2026-05-06 02:54:35 | Size is the number of wide characters, not the number of bytes. The correct amount of memory was allocated but the stored size did not match the allocation due to being multiplied by sizeof(wchar_t). Spotted by Frank Denis using the Swival Security Scanner OK deraadt@ |
| e504a2af | 2026-05-04 20:44:36 | mlkem: also zero the failure_key from logan https://github.com/libressl/openbsd/pull/154 |
| 3aaacd8a | 2026-05-04 13:55:20 | verifier: re-enable the callback override for depth kirill reported that his nginx reverse proxy setup stopped working with x509_verify.c r1.74 and r1.75. It turns out that nginx relies on a verify callback that always returns 1. In revision 1.74 we removed the possibility of the verify_cb() to override X509_V_ERR_CERT_CHAIN_TOO_LONG, which is what breaks the config in kirill's setup since it used to use the nginx default of setting the depth to 1. Re-enable this to make the new scenario "2a with depth 1 and depth callback" pass. As shown by the other new test scenario "14b with yolo callback" with a "just say yes" cb, the guard added in r1.74 still prevents the overwrite. This makes kirill's reproducer work as verified by kirill and myself. It was also tested by kirill in the real life setup. discussed with beck ok jsing kenjiro |
| f47ae624 | 2026-05-02 03:20:45 | correct history; endfsent(), getfsfile(), getfsspec(), and setfsent() appeared in 4BSD |
| cdbf859d | 2026-05-02 03:05:31 | correct history, getdiskbyname() appeared in 4.2BSD |
| bedf3632 | 2026-05-01 11:25:21 | correct history, dirfd() did not appear until tahoe |
| 03308499 | 2026-04-30 15:38:52 | Refactor dtls1_do_write_handshake_message(). If the call to dtls1_write_bytes() fails, handle the potential MTU update and return/continue, which allows for the remainder to be moved out of an else statement. ok kenjiro@ tb@ |
| 04e2410c | 2026-04-29 18:07:41 | Backport fixes from libexpat version 2.8.0. Relevant for OpenBSD are security fixes #47 #1183. Library bump is not necessary. CVE-2026-41080 OK tb@ |
| a5bdb2b8 | 2026-04-29 15:13:27 | Split dtls1_do_write() into handshake message and CCS handling. dtls1_do_write() is currently a single function that handles both handshake messages and CCS. This is a strange mix that only serves to complicate the code - handshake messages have their own headers and may need to be fragmented, while CCS must be sent verbatim (and only contain a single byte). Pull the CCS part out into a separate function, simplifying the code. By definition, when sending a CCS message the MTU will already be set appropriately. ok kenjiro@ tb@ |
| 75ec6d5b | 2026-04-29 15:04:15 | Avoid unnecessary lookups in dtls1_retransmit_message(). dtls1_retransmit_buffered_messages() is iterating over the sent_messages pqueue, only to pass dtls1_retransmit_message() a sequence number that it turns back into a priority, to then do a lookup on the sent_messages pqueue. This is pointless given that we already have the message that we need to retransmit - just pass that to dtls1_retransmit_message() directly. ok kenjiro@ tb@ |
| 1cee6617 | 2026-04-29 15:00:53 | Remove unused frag_off argument from dtls1_retransmit_message(). ok kenjiro@ tb@ |
| 2b72bffc | 2026-04-29 14:59:26 | Make dtls1_retransmit_message() static. This function is only called from dtls1_retransmit_buffered_messages(). Make it static and move it above the caller. ok kenjiro@ tb@ |
| cd8a77e0 | 2026-04-29 14:57:29 | Inline dtls1_fix_message_header(). This is only used in one place and it makes no sense to have it as a separate function. Furthermore, pull up an assertion so that we check before assigning frag_len. ok kenjiro@ tb@ |
| 2993de40 | 2026-04-29 14:55:21 | Convert DTLS code to ssl_msg_callback(). ok kenjiro@ tb@ |
| 7697f431 | 2026-04-28 15:36:52 | Escape is octal 33, not 27 (which is escape in decimal) From Eric Mulholland |
| 80ba1745 | 2026-04-26 17:58:58 | make_addressRange: unused bits in max must be zero X509v3_addr_add_range() requires that min and max of an address range have network encoding. In the RFC 3779 encoding of an actual address range (as opposed to a prefix) as a SEQUENCE OF two ASN.1 BIT STRINGs, the trailing one bits of the maximum become unused bits and therefore must be DER encoded as zeroes. The DER encoder will clear them via i2d but these trailing ones are annoying. Make a copy in which the unused bits are cleared. ok kenjiro |
| 443952c0 | 2026-04-26 04:19:11 | Fix PKCS7_set_{un,}signed_attributes() In both these functions, if the X509_ATTRIBUTE_dup() fails, the remainder of the sk stack is shared with p7si->{un,}auth_attr and the caller will likely end up freeing it twice. Fix this by writing another sk_deep_copy() patterned after the existing ones in x509_lu.c and x509_vpm.c. PKCS7_set_{un,}signed_attributes() become trivial wrappers of that. ok jsing kenjiro |
| 7da61030 | 2026-04-25 10:54:30 | pkcs7: drop silly use of i in PKCS7_dataVerify() ok jsing kenjiro |
| b239058e | 2026-04-25 10:53:13 | pkcs7: don't use i, j for NIDs in PKCS7_dataFinal() Use nid for NIDs and use i only for for loops. ok jsing kenjiro |
| 66e0b98d | 2026-04-25 10:50:50 | pkcs7: don't use i and j for NIDs in PKCS7_dataDecode() There's no need to assign to i before the switch and j is a terrible name for a NID. Inline the latter and switch directly over the return value of OBJ_obj2nid(). ok jsing kenjiro |
| 69950265 | 2026-04-25 10:48:59 | pkcs7: avoid assignment to i in PKCS7_dataInit() We can switch over the return value of OBJ_obj2nid() rather than using i for an indirection. ok jsing kenjiro |
| 6c5f0280 | 2026-04-25 10:30:11 | pkcs7: Simplify PKCS7_type_is_other() Remove unnecessary isOther and nid variables and use direct returns. The function should probably be removed... ok jsing kenjiro |
| 921eb3c3 | 2026-04-25 05:47:03 | Add FIPS 180-4 references for SHA-256 constants. |
| a7010633 | 2026-04-24 15:10:20 | Simplify PKCS7_get_issuer_and_serial() The i variable is unused. Likewise for the first assignment to ri. Instead of an incomplete check that idx is in range, which still results in a NULL deref if idx < 0, check if ri is not NULL before accessing, as sk_value() checks the index correctly. ok jsing kenjiro |
| b018fffb | 2026-04-23 01:08:47 | Fix difftime() result when it is passed a negative value We need to cast the result of bitwise AND to time_t before the cast to double in the HI and LO macros. Otherwise, we get a very large positive floating point value instead of a negative value. Reported by Xuntao Chi |
| 9ce5d767 | 2026-04-20 08:14:29 | mlkem: use <openssl/mlkem.h> instead of "mlkem.h" patch from portable |
| 7c6fd3f2 | 2026-04-20 04:35:00 | tls_keypair: add missing <limits.h> from bcook kenjiro |
| e0a2ac41 | 2026-04-20 04:26:12 | ec_pmeth: fix 20yo comment: *outlen -> *keylen |
| 5323d241 | 2026-04-17 06:23:09 | cgetnext() in lib/libc/gen/getcap.c copies a record name into a stack buffer without bounds checking OK deraadt@ |
| 8b1d0754 | 2026-04-16 07:35:25 | libtls: consistently handle allocation failures Use tls_set_errorx() or tls_error_setx() rather than the versions without x for TLS_ERROR_OUT_OF_MEMORY. ENOMEM adds no further info. From Michael Forney ok bcook |
| 7d022cae | 2026-04-16 07:33:11 | libtls: use TLS_ERROR_OUT_OF_MEMORY after malloc failure tls_config_load_file() had a spot that used TLS_ERROR_UNKNOWN, so switch that to the usual error code. Use tls_error_setx() since strerror(ENOMEM) adds nothing. From Michael Forney ok bcook |
| e709fac2 | 2026-04-16 07:29:53 | libtls: use tls_error_setx() after BIO_new_mem_buf() This is the only place where tls_error_set() was used. While the new length check now guarantees that the failure is due to ENOMEM, this info does not add value. From Michael Forney ok bcook |
| ddea2ef3 | 2026-04-16 07:28:00 | libtls: prefer x version of error setting If a check fails and errno is not necessarily set by the previous API call use tls_set_errorx() or tls_error_setx() since turning an unrelated errno into an error string is unhelpful. From Michael Forney ok bcook |
| 8d7a3d55 | 2026-04-16 05:16:48 | libtls: add missing length checks before BIO_new_mem_buf() Like all proper libcrypto APIs, BIO_new_mem_buf() takes an int as a length argument. Check the size_t passed in to be at most INT_MAX to avoid issues with truncation and overflow like it's done everywhere else. After release this should probably be clamped down further since legitimate files (certs and keys) are nowhere near this large. Prompted by a diff by Michael Forney ok jsing |
| 8928aa24 | 2026-04-15 00:20:28 | Provide an example of how to disambiguate mktime() return values OK beck@ |
| 0486237e | 2026-04-13 17:04:23 | Prior to this we substring matched and allowed a leading . on a SAN DNSname constraint. This is not correct, as with a DNSname constraint, it may exactly match or match zero or more additional components on the front of the candidate to match. Spotted by Haruto Kimura <hkimura2026@gmail.com> ok tb@ kenjiro@ |
| a0d7485e | 2026-04-13 16:01:54 | Document RETURN value for timegm(3) APIs with in-band errors that conflate the error with a legitimate return value are about the worst you can get. Near and dear to my heart is the API aptly described as "gibbering eldritch horror" by beck: ASN1_INTEGER_get(3). Adapt the wording of its RETURN VALUES to timegm() and mktime(), for which Dec 31, 1969 at 23:59:59 will yield the error return -1 and thereby errata. Missing docs pointed out by claudio a while back and yesterday by deraadt ok deraadt millert |
| 303c0c33 | 2026-04-12 09:31:01 | remove .Bf matching .Ef removed in previous; fixes unintended bold |
| 6018ae1d | 2026-04-11 17:04:55 | Before it is disabled, unveil allows you to override the settings on any vnode. A block of #if 0 code suggests this might be different. That can be deleted. This also shows one word "other" in the manual page is misleading. question asked by Stuart Thomas ok beck |
| 6e2242fc | 2026-04-08 12:08:25 | Error with EISDIR when calling open(2) with O_CREAT when the last component of the path is an existing directory and O_DIRECTORY is not specified. This is required by recent versions of POSIX. We previously did not return an error. Flagged by Sortix os-test. committing on behalf of daniel@, partly based on FreeBSD changes ok guenther@ jsg@ deraadt@ |
| 4629ffe2 | 2026-04-08 11:36:40 | mention O_CREAT and O_DIRECTORY error |
| 15cb22fd | 2026-04-08 05:30:20 | Bump LibreSSL version for the release ok deraadt |
| 4b39dd3d | 2026-04-07 13:16:41 | Rename labellen to label_len Requested by jsing, ok beck |
| 2fc71f32 | 2026-04-07 13:15:29 | Fix NULL deref for malformed OAEP parameters in CMS decryption This converts rsa_cms_decrypt() to use X509_ALGOR_get0() and fixes a NULL deref when a parameter is (invalidly) omitted similar to the fix in ec/ec_ameth.c r1.66 from a couple years back. There is currently an XXX annotating a hairy leak due to trying to be smart and stealing the parameters from the oaep object. Instead, just make a copy of the label string and free it in the exit path. The diff adds an error for labellen == 0 since that is an invalid encoding of pSpecifiedEmpty (see RFC 8017) -- per the DER the default must be omitted. This way we avoid a malloc(0) implementation-defined behavior. This minor issue was assigned CVE-2026-28390 by OpenSSL and was reported by too many to list. The fix is my own. It is similar to OpenSSL's fix only because I reviewed theirs and suggested an improvement or two. This is the last of the "security fixes" in today's OpenSSL release that "affect" LibreSSL. All the other bugs were already fixed a few years back or we didn't have the code/bugs in the first place. ok beck jsing |
| c74741bd | 2026-04-07 13:02:50 | Refactor and fix ocsp_find_signer_sk() Instead of reaching deep inside the OCSP_BASICRESP and ignoring its semantics and then try to untangle things in ocsp_find_signer_sk(), pass the OCSP_BASICRESP and use OCSP_resp_get0_id() which has the logic built in. Avoids a crash if you call OCSP_basic_verify() after OCSP_BASICRESP_new() without OCSP_basic_sign(). This cannot happen on a deserialized OCSP object. Prompted by a report by Kamil Frankowicz, Jan Kaminski, Bartosz Michalowski. ok jsing |
| 9ad5b7ec | 2026-04-07 12:52:19 | Add a few to-do items to the crl_cb() Prompted by the "fix" fighting symptoms of misdesign in Delta CRL processing rather than addressing the root cause. Probably the best fix is to remove support for Indirect CRLs and Delta CRLs outright. ok jsing |
| 842a6bbe | 2026-04-07 12:48:37 | Stop Delta CRL processing if a CRL number is missing A malformed Delta CRL could cause a crash. Funnily enough the deserializer recognizes this and marks such a CRL as invalid, but nothing ever checks the EXFLAG_INVALID for CRLs. For certificates this would usually result in verification failure due to x509v3_cache_extensions() failing. This is only reachable if the X509_V_FLAG_USE_DELTAS is used, which only a handful of ports do, plus openssl(1) does if you use the undocumented -use_deltas flag. Reported by Igor Morgenstern to OpenSSL who then sat on this since Jan 8 and assigned CVE-2026-28388. ok jsing |
| e7e66f06 | 2026-04-06 08:24:57 | x509v3.h: remove pointless #ifdef HEADER_CONF_H x509v3.h has included conf.h since June 20, 1999, OpenSSL commit ba404b5e, so HEADER_CONF_H has been defined since then. Also since then, CONF_VALUE (only available via conf.h) has been used outside of HEADER_CONF_H, making that #ifdef doubly pointless. ok bcook jsing kenjiro |
| 1155ce2f | 2026-04-06 08:18:19 | cms_local.h: remove #ifdef X509V3_HEADER_H All thirteen files including cms_local.h do that after including cms.h, which already includes x509v3.h, so this is always defined. While here make the cms_local.h a bit more self-standing by including asn1.h and x509v3.h ok bcook jsing (who had the same diff) kenjiro |
| 9340cd4a | 2026-04-04 19:26:32 | Fix hw.blockcpu sysctl variable name From Matthias Schmidt |
| a9ecf4b7 | 2026-04-03 14:16:38 | Remove lib/libssl/test. This is all unhelpful historical cruft. Discussed with tb@ |
| 760e21a7 | 2026-04-03 13:11:00 | Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability. We no longer support TLSv1.0 and definitely do not support SSLv3 - remove the empty fragments workaround for the CBC vulnerability in these protocols. ok kenjiro@ tb@ |
| 8da299b8 | 2026-04-03 12:58:19 | Ensure that we cannot negotiate TLSv1.1 or lower. TLS versions prior to TLSv1.2 were disabled a while ago, however this was done in the version handling code. Remove TLSv1.1 and earlier from ssl_get_method() and add an explicit min version check in the legacy client and server, to provide a stronger guarantee. ok kenjiro@ tb@ |