From: John Marino Date: Mon, 3 Oct 2016 19:23:51 +0000 (-0500) Subject: Update LibreSSL from version 2.4.2 => 2.4.3 X-Git-Tag: v4.8.0rc~897^2 X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/0acf6c5cec1bb550d161ebd159e4ecad45908ec5 Update LibreSSL from version 2.4.2 => 2.4.3 --- diff --git a/crypto/libressl/ChangeLog b/crypto/libressl/ChangeLog index 6ec28e0d09..0c5a93423f 100644 --- a/crypto/libressl/ChangeLog +++ b/crypto/libressl/ChangeLog @@ -28,6 +28,19 @@ history is also available from Git. LibreSSL Portable Release Notes: +2.4.3 - Bug fixes and reliability improvements + + * Reverted change that cleans up the EVP cipher context in + EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the + previous behaviour. + + * Avoid unbounded memory growth in libssl, which can be triggered by a + TLS client repeatedly renegotiating and sending OCSP Status Request + TLS extensions. + + * Avoid falling back to a weak digest for (EC)DH when using SNI with + libssl. + 2.4.2 - Bug fixes and improvements * Fixed loading default certificate locations with openssl s_client. diff --git a/crypto/libressl/VERSION b/crypto/libressl/VERSION index b674b92354..cf12b30d2e 100644 --- a/crypto/libressl/VERSION +++ b/crypto/libressl/VERSION @@ -1,2 +1,2 @@ -2.4.2 +2.4.3 diff --git a/crypto/libressl/crypto/evp/evp_enc.c b/crypto/libressl/crypto/evp/evp_enc.c index 222d476dbb..ea694740f8 100644 --- a/crypto/libressl/crypto/evp/evp_enc.c +++ b/crypto/libressl/crypto/evp/evp_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_enc.c,v 1.30 2016/05/04 15:05:13 tedu Exp $ */ +/* $OpenBSD: evp_enc.c,v 1.31 2016/05/30 13:42:54 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -371,7 +371,6 @@ EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int ret; ret = EVP_EncryptFinal_ex(ctx, out, outl); - (void) EVP_CIPHER_CTX_cleanup(ctx); return ret; } @@ -485,7 +484,6 @@ EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int ret; ret = EVP_DecryptFinal_ex(ctx, out, outl); - (void) EVP_CIPHER_CTX_cleanup(ctx); return ret; } diff --git a/crypto/libressl/include/openssl/opensslv.h b/crypto/libressl/include/openssl/opensslv.h index 14239e0a84..bbefbd7a19 100644 --- a/crypto/libressl/include/openssl/opensslv.h +++ b/crypto/libressl/include/openssl/opensslv.h @@ -1,10 +1,10 @@ -/* $OpenBSD: opensslv.h,v 1.35 2016/06/06 09:50:15 bcook Exp $ */ +/* $OpenBSD: opensslv.h,v 1.36 2016/06/30 11:10:29 bcook Exp $ */ #ifndef HEADER_OPENSSLV_H #define HEADER_OPENSSLV_H /* These will change with each release of LibreSSL-portable */ -#define LIBRESSL_VERSION_NUMBER 0x2040200fL -#define LIBRESSL_VERSION_TEXT "LibreSSL 2.4.2" +#define LIBRESSL_VERSION_NUMBER 0x2040300fL +#define LIBRESSL_VERSION_TEXT "LibreSSL 2.4.3" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L diff --git a/crypto/libressl/ssl/ssl_lib.c b/crypto/libressl/ssl/ssl_lib.c index 409fed4b40..1225f68248 100644 --- a/crypto/libressl/ssl/ssl_lib.c +++ b/crypto/libressl/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.115 2015/10/19 17:59:39 beck Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.116 2015/10/25 15:52:49 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2847,13 +2847,20 @@ SSL_get_SSL_CTX(const SSL *ssl) SSL_CTX * SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) { + CERT *ocert = ssl->cert; + if (ssl->ctx == ctx) return (ssl->ctx); if (ctx == NULL) ctx = ssl->initial_ctx; - if (ssl->cert != NULL) - ssl_cert_free(ssl->cert); ssl->cert = ssl_cert_dup(ctx->cert); + if (ocert != NULL) { + int i; + /* Copy negotiated digests from original certificate. */ + for (i = 0; i < SSL_PKEY_NUM; i++) + ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest; + ssl_cert_free(ocert); + } CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); SSL_CTX_free(ssl->ctx); /* decrement reference count */ ssl->ctx = ctx; diff --git a/crypto/libressl/ssl/t1_lib.c b/crypto/libressl/ssl/t1_lib.c index b225bb3c87..c1e5f54aec 100644 --- a/crypto/libressl/ssl/t1_lib.c +++ b/crypto/libressl/ssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1438,10 +1438,28 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, /* Read in responder_id_list */ n2s(data, dsize); size -= 2; - if (dsize > size ) { + if (dsize > size) { *al = SSL_AD_DECODE_ERROR; return 0; } + + /* + * We remove any OCSP_RESPIDs from a + * previous handshake to prevent + * unbounded memory growth. + */ + sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, + OCSP_RESPID_free); + s->tlsext_ocsp_ids = NULL; + if (dsize > 0) { + s->tlsext_ocsp_ids = + sk_OCSP_RESPID_new_null(); + if (s->tlsext_ocsp_ids == NULL) { + *al = SSL_AD_INTERNAL_ERROR; + return 0; + } + } + while (dsize > 0) { OCSP_RESPID *id; int idsize; @@ -1469,13 +1487,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, *al = SSL_AD_DECODE_ERROR; return 0; } - if (!s->tlsext_ocsp_ids && - !(s->tlsext_ocsp_ids = - sk_OCSP_RESPID_new_null())) { - OCSP_RESPID_free(id); - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } if (!sk_OCSP_RESPID_push( s->tlsext_ocsp_ids, id)) { OCSP_RESPID_free(id);