untrusted comment: verify with openbsd-68-base.pub
RWQZj25CSG5R2tHMsSzbcO8IXiSc9hWA1a+0S/P7kjlkCNmfPHdKxUTIgFhmPBgSrqpxgrEac0ypN9LQ6ZExyuMgHFpKj64gwQ0=

OpenBSD 6.8 errata 013, February 3, 2021:

Various interoperability issues and memory leaks were discovered in
libcrypto and libssl.

Apply by doing:
   signify -Vep /etc/signify/openbsd-68-base.pub -x 013_libressl.patch.sig \
       -m - | (cd /usr/src && patch -p0)

And then rebuild and install libcrypto, libssl, isakmpd and unwind:
   cd /usr/src/lib/libcrypto
   make obj
   make
   make install
   cd /usr/src/lib/libssl
   make obj
   make
   make install
   cd /usr/src/sbin/isakmpd
   make obj
   make
   make install
   cd /usr/src/sbin/unwind
   make obj
   make
   make install

Index: lib/libcrypto/x509/x509_verify.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/x509/x509_verify.c,v
retrieving revision 1.13
diff -u -p -r1.13 x509_verify.c
--- lib/libcrypto/x509/x509_verify.c    26 Sep 2020 15:44:06 -0000      1.13
+++ lib/libcrypto/x509/x509_verify.c    18 Jan 2021 21:09:47 -0000
@@ -81,7 +81,7 @@ x509_verify_chain_dup(struct x509_verify
{
       struct x509_verify_chain *new_chain;

-       if ((new_chain = x509_verify_chain_new()) == NULL)
+       if ((new_chain = calloc(1, sizeof(*chain))) == NULL)
               goto err;
       if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL)
               goto err;
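Review bot: The replacement allocation sizes the new object from `chain` rather than from the pointer it initialises; both are `struct x509_verify_chain *` so the result is identical today, but tying `sizeof` to the assigned variable is the idiom that survives a later type change: `if ((new_chain = calloc(1, sizeof(*new_chain))) == NULL)`. x509_verify_chain_dup begins before the hunk and its `err` label lies beyond it, so whether `err` releases a partially built new_chain on the second failure is not visible here.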
Index: lib/libcrypto/x509/x509_vfy.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/x509/x509_vfy.c,v
retrieving revision 1.81
diff -u -p -r1.81 x509_vfy.c
--- lib/libcrypto/x509/x509_vfy.c       26 Sep 2020 02:06:28 -0000      1.81
+++ lib/libcrypto/x509/x509_vfy.c       18 Jan 2021 21:09:54 -0000
@@ -1794,6 +1794,11 @@ x509_vfy_check_policy(X509_STORE_CTX *ct

       if (ctx->parent)
               return 1;
+
+       /* X509_policy_check always allocates a new tree. */
+       X509_policy_tree_free(ctx->tree);
+       ctx->tree = NULL;
+
       ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
           ctx->param->policies, ctx->param->flags);
       if (ret == 0) {
Index: lib/libcrypto/x509/x509_vpm.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/x509/x509_vpm.c,v
retrieving revision 1.22
diff -u -p -r1.22 x509_vpm.c
--- lib/libcrypto/x509/x509_vpm.c       14 Sep 2020 08:10:04 -0000      1.22
+++ lib/libcrypto/x509/x509_vpm.c       30 Jan 2021 08:33:55 -0000
@@ -177,7 +177,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM
       param->trust = 0;
       /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
       param->inh_flags = 0;
-       param->flags = 0;
+       param->flags = X509_V_FLAG_LEGACY_VERIFY;
       param->depth = -1;
       if (param->policies) {
               sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
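Review bot: x509_verify_param_zero now leaves `param->flags` non-zero, which neither the function name nor the surrounding assignments convey, and any caller that compares the flags against 0 after a reset would no longer see a cleared parameter set. A comment at the assignment would make the deliberate non-zero default explicit, e.g. `/* Not actually zero: the legacy verifier is the default for interoperability. */`. The function starts before the hunk.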
Index: lib/libssl/d1_both.c
===================================================================
RCS file: /cvs/src/lib/libssl/d1_both.c,v
retrieving revision 1.60
diff -u -p -r1.60 d1_both.c
--- lib/libssl/d1_both.c        26 Sep 2020 14:43:17 -0000      1.60
+++ lib/libssl/d1_both.c        18 Jan 2021 20:58:39 -0000
@@ -1060,18 +1060,18 @@ dtls1_retransmit_message(SSL *s, unsigne
           frag->msg_header.frag_len);

       /* save current state */
-       saved_state.enc_write_ctx = s->internal->enc_write_ctx;
-       saved_state.write_hash = s->internal->write_hash;
       saved_state.session = s->session;
       saved_state.epoch = D1I(s)->w_epoch;

       D1I(s)->retransmitting = 1;

       /* restore state in which the message was originally sent */
-       s->internal->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
-       s->internal->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
       s->session = frag->msg_header.saved_retransmit_state.session;
       D1I(s)->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
+       if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl,
+           frag->msg_header.saved_retransmit_state.enc_write_ctx,
+           frag->msg_header.saved_retransmit_state.write_hash, 0))
+               return 0;

       if (frag->msg_header.saved_retransmit_state.epoch ==
           saved_state.epoch - 1) {
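Review bot: The new early `return 0` after the record-layer reset leaves the connection in the retransmit state: `D1I(s)->retransmitting` has already been set, `s->session` and `D1I(s)->w_epoch` already hold the fragment's saved values, and the "restore current state" block in the next hunk is skipped. Unless a caller undoes these on failure (not visible here; dtls1_retransmit_message begins and ends outside the hunks), the error path should restore `saved_state.session` and `saved_state.epoch` and clear the retransmitting flag before returning, for instance by branching to the restore block instead of returning directly. The second `return 0` in the next hunk is less exposed because session and epoch are already back, but it too leaves retransmitting set if that flag is only cleared later in the function.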
@@ -1085,10 +1085,11 @@ dtls1_retransmit_message(SSL *s, unsigne
           SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);

       /* restore current state */
-       s->internal->enc_write_ctx = saved_state.enc_write_ctx;
-       s->internal->write_hash = saved_state.write_hash;
       s->session = saved_state.session;
       D1I(s)->w_epoch = saved_state.epoch;
+       if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl,
+           s->internal->enc_write_ctx, s->internal->write_hash, 0))
+               return 0;

       if (frag->msg_header.saved_retransmit_state.epoch ==
           saved_state.epoch - 1) {
Index: lib/libssl/ssl_both.c
===================================================================
RCS file: /cvs/src/lib/libssl/ssl_both.c,v
retrieving revision 1.20
diff -u -p -r1.20 ssl_both.c
--- lib/libssl/ssl_both.c       24 Sep 2020 18:12:00 -0000      1.20
+++ lib/libssl/ssl_both.c       30 Jan 2021 08:32:31 -0000
@@ -408,6 +408,8 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb,
                       SSLerror(s, ERR_R_X509_LIB);
                       goto err;
               }
+               X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xs_ctx),
+                   X509_V_FLAG_LEGACY_VERIFY);
               X509_verify_cert(xs_ctx);
               ERR_clear_error();
               chain = xs_ctx->chain;
Index: lib/libssl/ssl_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/ssl_lib.c,v
retrieving revision 1.234
diff -u -p -r1.234 ssl_lib.c
--- lib/libssl/ssl_lib.c        24 Sep 2020 18:12:00 -0000      1.234
+++ lib/libssl/ssl_lib.c        18 Jan 2021 20:59:21 -0000
@@ -1710,8 +1710,17 @@ SSL_export_keying_material(SSL *s, unsig
    const char *label, size_t llen, const unsigned char *p, size_t plen,
    int use_context)
{
-       return (tls1_export_keying_material(s, out, olen,
-           label, llen, p, plen, use_context));
+       if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) {
+               if (!use_context) {
+                       p = NULL;
+                       plen = 0;
+               }
+               return tls13_exporter(s->internal->tls13, label, llen, p, plen,
+                   out, olen);
+       }
+
+       return (tls1_export_keying_material(s, out, olen, label, llen, p, plen,
+           use_context));
}
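Review bot: `label` is declared `const char *` on the preceding lines but `tls13_exporter` (declared in the tls13_internal.h hunk) takes `const uint8_t *label`, so the call relies on an implicit conversion between pointer types of differing signedness that -Wpointer-sign reports. An explicit cast records the intent: `return tls13_exporter(s->internal->tls13, (const uint8_t *)label, llen, p, plen, out, olen);`. The same conversion appears in tls13_hkdf_expand_label in the tls13_key_schedule.c hunk, where the `const char *label` parameter is passed to `tls13_hkdf_expand_label_with_length`, and in tls13_exporter where `context_value = "";` assigns a `char` array to a `const uint8_t *`.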

static unsigned long
Index: lib/libssl/tls13_internal.h
===================================================================
RCS file: /cvs/src/lib/libssl/tls13_internal.h,v
retrieving revision 1.86
diff -u -p -r1.86 tls13_internal.h
--- lib/libssl/tls13_internal.h 30 Jul 2020 16:23:17 -0000      1.86
+++ lib/libssl/tls13_internal.h 18 Jan 2021 20:59:21 -0000
@@ -148,6 +148,16 @@ void tls13_secrets_destroy(struct tls13_
int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
    const struct tls13_secret *secret, const char *label,
    const struct tls13_secret *context);
+int tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret,
+    const uint8_t *label, size_t label_len, const struct tls13_secret *context);
+
+int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
+    const struct tls13_secret *secret, const char *label,
+    const struct tls13_secret *context);
+int tls13_derive_secret_with_label_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret,
+    const uint8_t *label, size_t label_len, const struct tls13_secret *context);

int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk,
    size_t psk_len, const struct tls13_secret *context);
@@ -411,6 +421,10 @@ int tls13_error_setx(struct tls13_error
#define tls13_set_errorx(ctx, code, subcode, fmt, ...) \
       tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
           (fmt), __VA_ARGS__)
+
+int tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
+    const uint8_t *context_value, size_t context_value_len, uint8_t *out,
+    size_t out_len);

extern const uint8_t tls13_downgrade_12[8];
extern const uint8_t tls13_downgrade_11[8];
Index: lib/libssl/tls13_key_schedule.c
===================================================================
RCS file: /cvs/src/lib/libssl/tls13_key_schedule.c,v
retrieving revision 1.8
diff -u -p -r1.8 tls13_key_schedule.c
--- lib/libssl/tls13_key_schedule.c     17 Nov 2019 21:01:08 -0000      1.8
+++ lib/libssl/tls13_key_schedule.c     18 Jan 2021 20:59:21 -0000
@@ -174,6 +174,15 @@ tls13_hkdf_expand_label(struct tls13_sec
    const struct tls13_secret *secret, const char *label,
    const struct tls13_secret *context)
{
+       return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
+           strlen(label), context);
+}
+
+int
+tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret,
+    const uint8_t *label, size_t label_len, const struct tls13_secret *context)
+{
       const char tls13_plabel[] = "tls13 ";
       uint8_t *hkdf_label;
       size_t hkdf_label_len;
@@ -188,7 +197,7 @@ tls13_hkdf_expand_label(struct tls13_sec
               goto err;
       if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel)))
               goto err;
-       if (!CBB_add_bytes(&child, label, strlen(label)))
+       if (!CBB_add_bytes(&child, label, label_len))
               goto err;
       if (!CBB_add_u8_length_prefixed(&cbb, &child))
               goto err;
@@ -207,12 +216,21 @@ tls13_hkdf_expand_label(struct tls13_sec
       return(0);
}

-static int
+int
tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
    const struct tls13_secret *secret, const char *label,
    const struct tls13_secret *context)
{
       return tls13_hkdf_expand_label(out, digest, secret, label, context);
+}
+
+int
+tls13_derive_secret_with_label_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret, const uint8_t *label,
+    size_t label_len, const struct tls13_secret *context)
+{
+       return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
+           label_len, context);
}

int
Index: lib/libssl/tls13_legacy.c
===================================================================
RCS file: /cvs/src/lib/libssl/tls13_legacy.c,v
retrieving revision 1.13
diff -u -p -r1.13 tls13_legacy.c
--- lib/libssl/tls13_legacy.c   13 Sep 2020 15:04:35 -0000      1.13
+++ lib/libssl/tls13_legacy.c   18 Jan 2021 20:57:38 -0000
@@ -40,8 +40,6 @@ tls13_legacy_wire_read(SSL *ssl, uint8_t
       if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
               if (BIO_should_read(ssl->rbio))
                       return TLS13_IO_WANT_POLLIN;
-               if (BIO_should_write(ssl->rbio))
-                       return TLS13_IO_WANT_POLLOUT;
               if (n == 0)
                       return TLS13_IO_EOF;

@@ -79,8 +77,6 @@ tls13_legacy_wire_write(SSL *ssl, const
       errno = 0;

       if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
-               if (BIO_should_read(ssl->wbio))
-                       return TLS13_IO_WANT_POLLIN;
               if (BIO_should_write(ssl->wbio))
                       return TLS13_IO_WANT_POLLOUT;

Index: lib/libssl/tls13_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/tls13_lib.c,v
retrieving revision 1.54
diff -u -p -r1.54 tls13_lib.c
--- lib/libssl/tls13_lib.c      11 Sep 2020 15:03:36 -0000      1.54
+++ lib/libssl/tls13_lib.c      18 Jan 2021 20:59:21 -0000
@@ -579,3 +579,75 @@ tls13_clienthello_hash_validate(struct t
       return 1;
}

+int
+tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
+    const uint8_t *context_value, size_t context_value_len, uint8_t *out,
+    size_t out_len)
+{
+       struct tls13_secret context, export_out, export_secret;
+       struct tls13_secrets *secrets = ctx->hs->secrets;
+       EVP_MD_CTX *md_ctx = NULL;
+       unsigned int md_out_len;
+       int md_len;
+       int ret = 0;
+
+       /*
+        * RFC 8446 Section 7.5.
+        */
+
+       memset(&context, 0, sizeof(context));
+       memset(&export_secret, 0, sizeof(export_secret));
+
+       export_out.data = out;
+       export_out.len = out_len;
+
+       if (!ctx->handshake_completed)
+               return 0;
+
+       md_len = EVP_MD_size(secrets->digest);
+       if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE)
+               goto err;
+
+       if ((export_secret.data = calloc(1, md_len)) == NULL)
+               goto err;
+       export_secret.len = md_len;
+
+       if ((context.data = calloc(1, md_len)) == NULL)
+               goto err;
+       context.len = md_len;
+
+       /* In TLSv1.3 no context is equivalent to an empty context. */
+       if (context_value == NULL) {
+               context_value = "";
+               context_value_len = 0;
+       }
+
+       if ((md_ctx = EVP_MD_CTX_new()) == NULL)
+               goto err;
+       if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
+               goto err;
+       if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
+               goto err;
+       if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
+               goto err;
+       if (md_len != md_out_len)
+               goto err;
+
+       if (!tls13_derive_secret_with_label_length(&export_secret,
+           secrets->digest, &secrets->exporter_master, label, label_len,
+           &secrets->empty_hash))
+               goto err;
+
+       if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
+           &export_secret, "exporter", &context))
+               goto err;
+
+       ret = 1;
+
+ err:
+       EVP_MD_CTX_free(md_ctx);
+       freezero(context.data, context.len);
+       freezero(export_secret.data, export_secret.len);
+
+       return ret;
+}
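Review bot: tls13_exporter is a new entry point reached from SSL_export_keying_material with caller-supplied lengths, yet it has no header comment; the contract should be stated above the definition: `out` must provide `out_len` bytes, a NULL `context_value` is treated as an empty context, the call fails unless the handshake has completed, and it returns 1 on success and 0 on failure. `md_len != md_out_len` compares an `int` with an `unsigned int`; `md_len` is already known to be positive from the range check above, so `(unsigned int)md_len != md_out_len` silences the sign-compare warning without changing behaviour. `out_len` is also handed straight to tls13_hkdf_expand_label with no bound checked here; whether that helper rejects output lengths beyond what HKDF-Expand permits is not visible in this hunk and is worth confirming.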
Index: lib/libssl/tls13_record_layer.c
===================================================================
RCS file: /cvs/src/lib/libssl/tls13_record_layer.c,v
retrieving revision 1.53
diff -u -p -r1.53 tls13_record_layer.c
--- lib/libssl/tls13_record_layer.c     11 Sep 2020 15:03:36 -0000      1.53
+++ lib/libssl/tls13_record_layer.c     18 Jan 2021 21:01:58 -0000
@@ -134,6 +134,9 @@ tls13_record_layer_free(struct tls13_rec
{
       if (rl == NULL)
               return;
+
+       freezero(rl->alert_data, rl->alert_len);
+       freezero(rl->phh_data, rl->phh_len);

       tls13_record_layer_rbuf_free(rl);

Index: lib/libssl/tls13_server.c
===================================================================
RCS file: /cvs/src/lib/libssl/tls13_server.c,v
retrieving revision 1.61
diff -u -p -r1.61 tls13_server.c
--- lib/libssl/tls13_server.c   3 Jul 2020 04:12:51 -0000       1.61
+++ lib/libssl/tls13_server.c   30 Jan 2021 08:32:31 -0000
@@ -611,6 +611,7 @@ tls13_server_certificate_send(struct tls
       SSL *s = ctx->ssl;
       CBB cert_request_context, cert_list;
       const struct ssl_sigalg *sigalg;
+       X509_STORE_CTX *xsc = NULL;
       STACK_OF(X509) *chain;
       CERT_PKEY *cpk;
       X509 *cert;
@@ -633,6 +634,18 @@ tls13_server_certificate_send(struct tls
       if ((chain = cpk->chain) == NULL)
               chain = s->ctx->extra_certs;

+       if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) {
+               if ((xsc = X509_STORE_CTX_new()) == NULL)
+                       goto err;
+               if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))
+                       goto err;
+               X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc),
+                   X509_V_FLAG_LEGACY_VERIFY);
+               X509_verify_cert(xsc);
+               ERR_clear_error();
+               chain = xsc->chain;
+       }
+
       if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
               goto err;
       if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
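Review bot: The return value of `X509_verify_cert(xsc)` is discarded and the error queue is then cleared, which is intentional for best-effort chain building but reads like an oversight; a comment above the call such as `/* Best effort: use whatever chain was built, even if it did not verify. */` would make it explicit. The same block appears in ssl3_output_cert_chain (the ssl_both.c hunk), so a shared helper that initialises the store context, sets X509_V_FLAG_LEGACY_VERIFY and runs the verification would avoid maintaining the flag in two places. Note that `chain` borrows from `xsc` and stays valid only until `X509_STORE_CTX_free(xsc)` at the `err` label in the final hunk, which is what the code relies on; tls13_server_certificate_send begins before this hunk.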
@@ -643,6 +656,15 @@ tls13_server_certificate_send(struct tls

       for (i = 0; i < sk_X509_num(chain); i++) {
               cert = sk_X509_value(chain, i);
+
+               /*
+                * In the case of auto chain, the leaf certificate will be at
+                * the top of the chain - skip over it as we've already added
+                * it earlier.
+                */
+               if (i == 0 && cert == cpk->x509)
+                       continue;
+
               /*
                * XXX we don't send extensions with chain certs to avoid sending
                * a leaf ocsp stape with the chain certs.  This needs to get
@@ -658,6 +680,8 @@ tls13_server_certificate_send(struct tls
       ret = 1;

 err:
+       X509_STORE_CTX_free(xsc);
+
       return ret;
}