Update LibreSSL from version 2.4.2 => 2.4.3

Operating Systems / DragonFlyBSD - John Marino [marino.st] - 3 October 2016 14:54 UTC




diff --git a/crypto/libressl/ChangeLog b/crypto/libressl/ChangeLog
index 6ec28e0..0c5a934 100644
--- a/crypto/libressl/ChangeLog
+++ b/crypto/libressl/ChangeLog
@@ -28,6 +28,19 @@ history is also available from Git.

LibreSSL Portable Release Notes:

+2.4.3 - Bug fixes and reliability improvements
+
+ * Reverted change that cleans up the EVP cipher context in
+ EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
+ previous behaviour.
+
+ * Avoid unbounded memory growth in libssl, which can be triggered by a
+ TLS client repeatedly renegotiating and sending OCSP Status Request
+ TLS extensions.
+
+ * Avoid falling back to a weak digest for (EC)DH when using SNI with
+ libssl.
+
2.4.2 - Bug fixes and improvements

* Fixed loading default certificate locations with openssl s_client.
diff --git a/crypto/libressl/VERSION b/crypto/libressl/VERSION
index b674b92..cf12b30 100644
--- a/crypto/libressl/VERSION
+++ b/crypto/libressl/VERSION
@@ -1,2 +1,2 @@
-2.4.2
+2.4.3

diff --git a/crypto/libressl/crypto/evp/evp_enc.c b/crypto/libressl/crypto/evp/evp_enc.c
index 222d476..ea69474 100644
--- a/crypto/libressl/crypto/evp/evp_enc.c
+++ b/crypto/libressl/crypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.30 2016/05/04 15:05:13 tedu Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.31 2016/05/30 13:42:54 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -371,7 +371,6 @@ EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
int ret;

ret = EVP_EncryptFinal_ex(ctx, out, outl);
- (void) EVP_CIPHER_CTX_cleanup(ctx);
return ret;
}

@@ -485,7 +484,6 @@ EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
int ret;

ret = EVP_DecryptFinal_ex(ctx, out, outl);
- (void) EVP_CIPHER_CTX_cleanup(ctx);
return ret;
}

diff --git a/crypto/libressl/include/openssl/opensslv.h b/crypto/libressl/include/openssl/opensslv.h
index 14239e0..bbefbd7 100644
--- a/crypto/libressl/include/openssl/opensslv.h
+++ b/crypto/libressl/include/openssl/opensslv.h
@@ -1,10 +1,10 @@
-/* $OpenBSD: opensslv.h,v 1.35 2016/06/06 09:50:15 bcook Exp $ */
+/* $OpenBSD: opensslv.h,v 1.36 2016/06/30 11:10:29 bcook Exp $ */
#ifndef HEADER_OPENSSLV_H
#define HEADER_OPENSSLV_H

/* These will change with each release of LibreSSL-portable */
-#define LIBRESSL_VERSION_NUMBER 0x2040200fL
-#define LIBRESSL_VERSION_TEXT "LibreSSL 2.4.2"
+#define LIBRESSL_VERSION_NUMBER 0x2040300fL
+#define LIBRESSL_VERSION_TEXT "LibreSSL 2.4.3"

/* These will never change */
#define OPENSSL_VERSION_NUMBER 0x20000000L
diff --git a/crypto/libressl/ssl/ssl_lib.c b/crypto/libressl/ssl/ssl_lib.c
index 409fed4..1225f68 100644
--- a/crypto/libressl/ssl/ssl_lib.c
+++ b/crypto/libressl/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.115 2015/10/19 17:59:39 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.116 2015/10/25 15:52:49 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2847,13 +2847,20 @@ SSL_get_SSL_CTX(const SSL *ssl)
SSL_CTX *
SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
{
+ CERT *ocert = ssl->cert;
+
if (ssl->ctx == ctx)
return (ssl->ctx);
if (ctx == NULL)
ctx = ssl->initial_ctx;
- if (ssl->cert != NULL)
- ssl_cert_free(ssl->cert);
ssl->cert = ssl_cert_dup(ctx->cert);
+ if (ocert != NULL) {
+ int i;
+ /* Copy negotiated digests from original certificate. */
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest;
+ ssl_cert_free(ocert);
+ }
CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
SSL_CTX_free(ssl->ctx); /* decrement reference count */
ssl->ctx = ctx;
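Review bot: The result of `ssl_cert_dup(ctx->cert)` on the `ssl->cert =` line is never checked, so when `ocert != NULL` the loop writes `ssl->cert->pkeys[i].digest` through a NULL pointer if the duplication fails, turning an allocation failure on the SNI context-switch path into a crash instead of a handshake error. Since the old certificate is now freed only after the duplicate exists, the failure can be reported cleanly: declare `CERT *new_cert;` next to `ocert`, replace the assignment with `if ((new_cert = ssl_cert_dup(ctx->cert)) == NULL) return (NULL);`, and assign `ssl->cert = new_cert;` after the digests are copied. The function previously always returned a context, so callers at the SNI callback sites presumably need to be checked for how they treat a NULL return. SSL_set_SSL_CTX continues past the end of this hunk.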
diff --git a/crypto/libressl/ssl/t1_lib.c b/crypto/libressl/ssl/t1_lib.c
index b225bb3..c1e5f54 100644
--- a/crypto/libressl/ssl/t1_lib.c
+++ b/crypto/libressl/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1438,10 +1438,28 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
/* Read in responder_id_list */
n2s(data, dsize);
size -= 2;
- if (dsize > size ) {
+ if (dsize > size) {
*al = SSL_AD_DECODE_ERROR;
return 0;
}
+
+ /*
+ * We remove any OCSP_RESPIDs from a
+ * previous handshake to prevent
+ * unbounded memory growth.
+ */
+ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
+ OCSP_RESPID_free);
+ s->tlsext_ocsp_ids = NULL;
+ if (dsize > 0) {
+ s->tlsext_ocsp_ids =
+ sk_OCSP_RESPID_new_null();
+ if (s->tlsext_ocsp_ids == NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ }
+
while (dsize > 0) {
OCSP_RESPID *id;
int idsize;
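Review bot: The new block leaves `s->tlsext_ocsp_ids` NULL when `dsize == 0` and allocates the stack only for a non-empty list, and the `while (dsize > 0)` loop below now pushes into it unconditionally; that coupling deserves a comment since the lazy allocation inside the loop is removed in the next hunk, e.g. `/* Allocated up front when dsize > 0; the loop below pushes without re-checking. */`. The reset covers only the responder-ID list; if the request-extensions list parsed later in this same extension is stored on `s` in the same way, it needs the same free-before-reparse treatment, which is not visible in this hunk and is worth confirming. ssl_parse_clienthello_tlsext continues outside the hunk on both sides.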
@@ -1469,13 +1487,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
*al = SSL_AD_DECODE_ERROR;
return 0;
}
- if (!s->tlsext_ocsp_ids &&
- !(s->tlsext_ocsp_ids =
- sk_OCSP_RESPID_new_null())) {
- OCSP_RESPID_free(id);
- *al = SSL_AD_INTERNAL_ERROR;
- return 0;
- }
if (!sk_OCSP_RESPID_push(
s->tlsext_ocsp_ids, id)) {
OCSP_RESPID_free(id);

0acf6c5 Update LibreSSL from version 2.4.2 => 2.4.3
crypto/libressl/ChangeLog | 13 +++++++++++++
crypto/libressl/VERSION | 2 +-
crypto/libressl/crypto/evp/evp_enc.c | 4 +---
crypto/libressl/include/openssl/opensslv.h | 6 +++---
crypto/libressl/ssl/ssl_lib.c | 13 ++++++++++---
crypto/libressl/ssl/t1_lib.c | 29 +++++++++++++++++++---------
6 files changed, 48 insertions(+), 19 deletions(-)

Upstream: gitweb.dragonflybsd.org

