Commit graph

8 commits

Author SHA1 Message Date
schmonz
b726309f0a Update to 3.4.2. From the LibreSSL changelog:
* In some situations the X.509 verifier would discard an error on an
  unverified certificate chain, resulting in an authentication bypass.
  Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
2021-12-18 13:55:18 +00:00
nia
3df0f20e22 security: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
2021-10-26 11:16:56 +00:00
schmonz
9f076f9d11 Update to 3.4.1. From the changelog:
The shared library major version of libtls has been bumped to 22.

tls_connect(3) and friends now strip a trailing dot from servername.

This patch imports the missing scripts/wrap-compiler-for-flag-check
file, which was incorrectly causing compiler flags to not be used.

From the upstream LibreSSL changelog:

* New Features
  - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
  - Enabled the new X.509 validator to allow verification of
    modern certificate chains.
* Portable Improvements
  - Added Universal Windows Platform (UWP) build support.
  - Fixed mingw-w64 builds on newer versions with missing SSP support.
* API and Documentation Enhancements
  - Added the following APIs from OpenSSL
    BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
    EC_GROUP_order_bits EC_GROUP_set_curve
    EC_POINT_get_affine_coordinates
    EC_POINT_set_affine_coordinates
    EC_POINT_set_compressed_coordinates EVP_DigestSign
    EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
    SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
    SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
    SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
    SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
    SSL_SESSION_set_max_early_data SSL_get_early_data_status
    SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
    SSL_set_ciphersuites SSL_set_max_early_data
    SSL_set_post_handshake_auth
    SSL_set_psk_use_session_callback
    SSL_verify_client_post_handshake SSL_write_early_data
  - Added AES-GCM constants from RFC 7714 for SRTP.
* Compatibility Changes
  - Implement flushing for TLSv1.3 handshakes behavior, needed for Apache.
  - Call the info callback on connect/accept exit in TLSv1.3,
    needed for p5-Net-SSLeay.
  - Default to using named curve parameter encoding from
    pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
  - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
* Testing and Proactive Security
  - Added additional state machine test coverage.
  - Improved integration test support with ruby/openssl tests.
  - Error codes and callback support in new X.509 validator made
    compatible with p5-Net_SSLeay tests.
* Internal Improvements
  - Numerous fixes and improvements to the new X.509 validator to
    ensure compatible error codes and callback support compatible
    with the legacy OpenSSL validator.
2021-10-18 14:33:04 +00:00
nia
fa4b2904a6 security: Remove SHA1 hashes for distfiles 2021-10-07 14:53:40 +00:00
schmonz
8ef8a3e1f5 Update to 3.3.3, syncing with LibreSSL. No known changes. 2021-05-22 09:12:31 +00:00
schmonz
fb116dabc7 Update to 3.3.2. From the (OpenBSD 6.9 LibreSSL) changelog:
# New Features

- Support for DTLSv1.2.
- Continued rewrite of the record layer for the legacy stack.
- Numerous bugs and interoperability issues were fixed in the new
  verifier. A few bugs and incompatibilities remain, so this release
  uses the old verifier by default.
- The OpenSSL 1.1 TLSv1.3 API is not yet available.


# Portable Improvements

- Added '--enable-libtls-only' build option, which builds and
  installs a statically-linked libtls, skipping libcrypto and libssl.
  This is useful for systems that ship with OpenSSL but wish to also
  package libtls.
- Update getentropy on Windows to use Cryptography Next Generation
  (CNG). wincrypt is deprecated and no longer works with newer Windows
  environments, such as in Windows Store apps.


# API and Documentation Enhancements

- Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
  draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
- Add support for
  [SSL_get_shared_ciphers(3)](https://man.openbsd.org/SSL_get_shared_ciphers.3)
  with TLSv1.3.
- Add DTLSv1.2 methods.
- Implement SSL_is_dtls(3) and use it internally in place of the
  SSL_IS_DTLS macro.
- Provide
  [EVP_PKEY_new_CMAC_KEY(3)](https://man.openbsd.org/EVP_PKEY_new_CMAC_KEY.3).
- Add missing prototype for
  [d2i_DSAPrivateKey_fp(3)](https://man.openbsd.org/d2i_DSAPrivateKey_fp.3) to x509.h.
- Add DTLSv1.2 to [openssl(1)](https://man.openbsd.org/openssl.1)
  s_server and s_client protocol message logging.
- Provide
  [SSL_use_certificate_chain_file(3)](https://man.openbsd.org/SSL_use_certificate_chain_file.3).
- Provide
  [SSL_set_hostflags(3)](https://man.openbsd.org/SSL_set_hostflags.3)
  and
  [SSL_get0_peername(3)](https://man.openbsd.org/SSL_get0_peername.3).
- Provide various DTLSv1.2 specific functions and defines.
- Document meaning of '*' in the genrsa output.
- Updated documentation for
  SSL_get_shared_ciphers(3)](https://man.openbsd.org/SSL_get_shared_ciphers.3).
- Add documentation for
  [SSL_get_finished(3)](https://man.openbsd.org/SSL_get_finished.3).
- Document
  [EVP_PKEY_new_CMAC_key(3)](https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3).
- Document
  [SSL_use_certificate_chain_file(3)](https://man.openbsd.org/SSL_use_certificate_chain_file.3).
- Document
  [SSL_set_hostflags(3)](https://man.openbsd.org/SSL_set_hostflags.3)
  and
  [SSL_get0_peername(3)](https://man.openbsd.org/SSL_get0_peername.3).
- Update [SSL_get_version(3)](https://man.openbsd.org/SSL_get_version.3)
  manual for DTLSv.1.2 support.
- Make supported protocols and options for DHE params more prominent in
  [tls_config_set_protocols(3)](https://man.openbsd.org/tls_config_set_protocols.3).
- Various documentation improvements around TLS methods.


# Compatibility Changes

- Make [openssl(1)](https://man.openbsd.org/openssl.3) s_server ignore
  -4 and -6 for compatibility with OpenSSL.
- Set SO_REUSEADDR on the server socket in the
  [openssl(1)](https://man.openbsd.org/openssl.1) ocsp command.
- Send a host header with OCSP queries to make
  [openssl(1)](https://man.openbsd.org/openssl.1) ocsp work with some
  widely used OCSP responders.
- Add ability to [ocspcheck(8)](https://man.openbsd.org/ocspcheck.8) to
  parse a port in the specified OCSP URL.
- Implement auto chain for the TLSv1.3 server since some software
  relies on this.
- Implement key exporter for TLSv1.3.
- Align
  [SSL_get_shared_ciphers(3)](https://man.openbsd.org/SSL_get_shared_ciphers.3)
  with OpenSSL. This takes into account that it never returned server
  ciphers, so now it will fail when called from the client side.
- Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
- Make
  [SSL{_CTX,}_get_{min,max}_proto_version(3)](https://man.openbsd.org/SSL_CTX_get_min_proto_version.3)
  return a version of zero if the minimum or maximum has been set to
  zero to match OpenSSL's behavior.
- Add DTLSv1.2 support to
  [openssl(1)](https://man.openbsd.org/openssl.1) s_client/s_server.


# Testing and Proactive Security

- Malformed ASN.1 in a certificate revocation list or a timestamp
  response token can lead to a NULL pointer dereference.
- Pull in fix for
  [EVP_CipherUpdate(3)](https://man.openbsd.org/EVP_CipherUpdate.3)
  overflow from OpenSSL.
- Use EXFLAG_INVALID to handle out of memory and parse errors in
  x509v3_cache_extensions().
- Refactor and clean up
  [ocspcheck(8)](https://man.openbsd.org/ocspcheck.8) and add
  regression tests.


# Internal Improvements

- Further cleanup of the DTLS record handling.
- Continue the replacement of the TLSv1.2 record layer by reimplementing
  the read side of the TLSv1.2 record handling.
- Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
- Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
- Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
  .data.rel.ro and .rodata, respectively.
- Add a const qualifier to srtp_known_profiles.
- Simplify TLS method by removing the client and server specific methods
  internally.
- Avoid casting away const in ssl_ctx_make_profiles().
- Avoid explicitly conditioning an assert on DTLS1_VERSION to make the
  assert work for newer DTLS versions.
- Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
- Add a flag to mark DTLS methods as DTLS to have an easy way to
  recognize DTLS methods that avoids inspecting the version number.
- Mark a few more internal static tables const.
- Switch finish{,_peer}_md_len from an int to a size_t.
- Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size for
  cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2 was a
  historical artefact.
- Free struct members in tls13_record_layer_free() in their natural
  order for reviewability.
- Use consistent names in tls13_{client,server}_finished_{recv,send}().
- Add tls13_secret_{init,cleanup}() and use them throughout the TLSv1.3
  code base.
- Move the read MAC key into the TLSv1.2 record layer.
- Make tls12_record_layer_free() NULL safe.
- Split the record protection from the TLSv1.2 record layer.
- Clean up sequence number handling in the new TLSv1.2 record layer.
- Clean up sequence number handling in DTLS.
- Clean up dtls1_reset_seq_numbers().
- Factor out code for explicit IV length, block size and MAC length from
  tls12_record_layer_open_record_protected_cipher().
- Provide record layer overhead for DTLS.
- Provide functions to determine if TLSv1.2 record protection is
  engaged.
- Add code to handle change of cipher state in the new TLSv1.2
  record layer.
- Mop up now unused dtls1_build_sequence_numbers() function.
- Allow setting a keypair on a tls context without specifying the
  private key, and fake it internally in libtls. This removes the need
  for privsep engines like relayd to use bogus keys.
- Skip the private key check for fake private keys.
- Move the private key setup from tls_configure_ssl_keypair() to a
  helper function with proper error checking.
- Change the internal tls_configure_ssl_keypair() function to return -1
  instead of 1 on failure.
- Move sequence numbers into the new TLSv1.2 record layer.
- Move AEAD handling into the new TLSv1.2 record layer.
- Factor out legacy stack version checks.
- Correct handshake MAC/PRF for various TLSv1.2 cipher suites which were
  originally added with the default handshake MAC and PRF rather than
  the SHA256 handshake MAC and PRF.
- Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
- Use dtls1_record_retrieve_buffered_record() to load buffered
  application data.
- Enforce read ahead with DTLS.
- Remove bogus DTLS checks that disabled ECC and OCSP.
- Clean up and simplify dtls1_get_cipher().
- Group HelloVerifyRequest decoding and add missing check for
  trailing data.
- Revise HelloVerifyRequest handling for DTLSv1.2.
- Handle DTLS1_2_VERSION in various places.
- Rename the "truncated" label into "decode_err" and the "f_err" label
  into "fatal_err".
- Factor out and change some of the legacy client version code.
- Simplify version checks in the TLSv1.3 client. Ensure that the server
  announced TLSv1.3 and nothing higher and check that the legacy_version
  is set to TLSv1.2 as required by RFC 8446.
- Only use TLS versions internally rather than both TLS and DTLS
  versions since the latter are the one's complement of the human
  readable version numbers, which means that newer versions
  decrease in value.
- Identify DTLS based on the version major value.
- Move handling of cipher/hash based cipher suites into the new
  record layer.
- Add tls12_record_protection_unused() and call it from CCS functions.
- Move key/IV length checks closer to usage sites. Also add explicit
  checks against
  [EVP_CIPHER_{iv,key}_length()](https://man.openbsd.org/EVP_CIPHER_iv_length.3).
- Replace two handrolled tls12_record_protection_engaged().
- Improve internal version handling: add handshake fields for our
  minimum version, our maximum version and the TLS version negotiated
  during the handshake. Convert most of the internal code to use these
  version fields.
- Guard against future internal use of
  TLS1_get_{client,}_version() macros.
- Remove the internal ssl_downgrade_max_version() function which is no
  longer needed.
- Add support for DTLSv1.2 version handling.
- Remove no longer needed read ahead workarounds in the s_client
  and s_server.
- Split TLSv1.3 record protection from record layer.
- Move the TLSv1.3 handshake struct inside the shared handshake struct.
- Fully initialize rrec in tls12_record_layer_open_record_protected() to
  avoid confusing some static analyzers.
- Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
  does not set errno.
- Convert openssl(1) x509 to new option handling and do the usual clean
  up that goes along with it.
- Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
- Rename new_cipher to cipher to align naming with keyblock or other
  parts of the handshake data.
- Move the TLSv1.2 record number increment into the new record layer.
- Move finished and peer finished into the handshake struct.
- Remove pointless assignment in SSL_get0_alpn_selected().
- Add some error checking to openssl(1) x509.


# Bug Fixes

- Move point-on-curve check to set_affine_coordinates to avoid verifying
  ECDSA signatures with unchecked public keys.
- Fix [SSL_is_server(3)](https://man.openbsd.org/SSL_is_server.3) to
  behave as documented by re-introducing the client-specific methods.
- Avoid undefined behavior due to memcpy(NULL, NULL, 0).
- Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
- Correct the return value type from ERR_peek_error() to a long.
- Avoid use of uninitialized in ASN1_time_parse() which could happen on
  parsing UTCTime if the caller did not initialize the passed struct tm.
- Destroy the mutex in a tls_config object on tls_config_free().
- Free alert_data and phh_data in tls13_record_layer_free(). These could
  leak if [SSL_shutdown(3)](https://man.openbsd.org/SSL_shutdown.3) or
  [tls_close(3)](https://man.openbsd.org/tls_close.3) were called after
  closing the underlying socket().
- Gracefully handle root certificates being both trusted and untrusted.
- Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new verifier.
- Use the legacy verifier when building auto chains for TLS.
- Search the intermediates only after searching the root certs in the
  new verifier to avoid problems with the legacy callback.
- Bail out early after finding a single chain in the new verifier, if we
  have been called via the legacy verifier API.
- Set (invalid and likely incomplete) chain on the xsc on chain build
  failure prior to calling the callback. This is required by various
  callers, including auto chain.
- Remove direct assignment of aead_ctx to avoid a leak.
- Fail early in legacy exporter if the master secret is not available to
  avoid a segfault if it is called when the handshake is not completed.
- Only print the certificate file once on verification failure.
- Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that the
  new validator checks for EXFLAG_CRITICAL in
  x509_vfy_check_chain_extension() for all untrusted certs in the chain.
  Take into account that the root is not necessarily trusted.
- Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
- Fix two bugs in the legacy verifier that resulted from refactoring
  of [X509_verify_cert(3)](https://man.openbsd.org/X509_verify_cert.3)
  for the new verifier: a return value was incorrectly treated as
  boolean, making it insufficient to decide whether validation should
  carry on or not.
- Fix checks for memory caps of constraints names. There are internal
  caps on the number of name constraints and other names, that the new
  name constraints code allocates per cert chain. These limits were
  checked too late, making them only partially effective.
- Fix a copy-paste error - skid was confused with an akid when checking
  for EXFLAG_INVALID. This broke OCSP validation with certain mirrors.
- Avoid a use-after-scope in tls13_cert_add().
- Avoid mangled output in BIO_debug_callback().
- Fix client initiated renegotiation by replacing use of
  s->internal-type with s->server.
- Avoid transcript initialization when sending a TLS HelloRequest,
  fixing server initiated renegotiation.
- Avoid leaking param->name in x509_verify_param_zero().
- Avoid a leak in an error path in openssl(1) x509.
- When sending an alert in TLSv1.3, only set its error code when no
  other error was set previously. Certain clients rely on specific
  SSL_R_ error codes to identify that they are dealing with a self
  signed cert.
- When switching from the TLSv1.3 stack to the legacy stack include a
  TLS record header. This is necessary if there is more than one
  handshake message in the TLS plaintext record.
- Fix resource handling on error in OCSP_request_add0_id().
- Make sure there is enough room for stashing the handshake message when
  switching to the legacy TLS stack.
- Fix a memory leak in the openssl(1) s_client.
- Unbreak DTLS retransmissions for flights that include a CCS.
- If x509_verify() fails, ensure that the error is set on both the
  x509_verify_ctx() and its store context to make some failures visible
  from SSL_get_verify_result().
- Use the X509_STORE_CTX get_issuer() callback from the new X.509
  verifier to fix hashed certificate directories.
- Only check
  [BIO_should_read(3)](https://man.openbsd.org/BIO_should_read.3) on
  read and
  [BIO_should_write(3)](https://man.openbsd.org/BIO_should_write.3) on
  write. Previously,
  [BIO_should_write(3)](https://man.openbsd.org/BIO_should_write.3) was
  also checked after read and
  [BIO_should_read(3)](https://man.openbsd.org/BIO_should_read.3) after
  write which could cause stalls in software that uses the same BIO for
  read and write.
- In [openssl(1)](https://man.openbsd.org/openssl.1) verify, also check
  for error on the store context since the return value of
  [X509_verify_cert(3)](https://man.openbsd.org/X509_verify_cert.3) is
  unreliable in presence of a callback that returns 1 too often.
- Handle additional certificate error cases in the new X.509 verifier.
  Keep track of the errors encountered if a verify callback tells the
  verifier to continue and report them back via the error on the store
  context. This mimics the behavior of the old verifier that would
  persist the first error encountered while building the chain.
- Report specific failures for "self signed certificates" in a way
  compatible with the old verifier since software relies on the
  error code.
- Plug a large memory leak in the new verifier caused by calling
  X509_policy_check(3) repeatedly.
- Avoid leaking memory in x509_verify_chain_dup().
2021-05-01 08:07:24 +00:00
schmonz
4d18ee6362 Update to 3.3.1p1. From the changelog:
- build: Add OpenSSL includes to libcompat HEAD master
  Some compat sources (getentropy_linux.c for example) require OpenSSL.
2021-03-09 09:55:30 +00:00
schmonz
17f843bdeb Initial import of libretls, a port of libtls to OpenSSL.
libtls is a new TLS library, designed to make it easier to write
foolproof applications. LibreTLS is a port of libtls from LibreSSL
to OpenSSL.
2020-11-27 10:19:38 +00:00