openbsd/src/lib/libcrypto/dh, branch OPENBSD_6_4

openbsd/src/lib/libcrypto/dh, branch OPENBSD_6_4_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_6_4_BASE 2018-08-24T20:22:15+00:00 Add consts to EVP_PKEY_asn1_set_private() 2018-08-24T20:22:15+00:00 tb 2018-08-24T20:22:15+00:00 urn:sha1:b9a3c83c03543369636a655128b69d56eb619b83 Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing After removing support for broken PKCS#8 formats (it was high time), 2018-08-24T20:17:33+00:00 tb 2018-08-24T20:17:33+00:00 urn:sha1:4cdbdc5207fa48804d8ed3a7929a97ae5f9f466d we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing zap stray tab 2018-06-12T15:33:18+00:00 sthen 2018-06-12T15:33:18+00:00 urn:sha1:60f21d03f2d8bf7428ce8a6df3877e2f33b2409b Reject excessively large primes in DH key generation. Problem reported 2018-06-12T15:32:54+00:00 sthen 2018-06-12T15:32:54+00:00 urn:sha1:944885610663d79b2787c4d04d9ae3b283754f55 by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457) and based on his diff. suggestions from tb@, ok tb@ jsing@ "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack." Remove incorrect NULL checks in DH_set0_key(). 2018-05-02T15:48:38+00:00 tb 2018-05-02T15:48:38+00:00 urn:sha1:dc053da7652000e4e59c19008d5c94c59a773b37 Reported by Ondřej Surý, LibreSSL-portable issue #92. ok inoguchi, jsing Convert a handful of X509_*() functions to take const as in OpenSSL. 2018-05-01T19:01:28+00:00 tb 2018-05-01T19:01:28+00:00 urn:sha1:7c375c1a832336c8d9c706ebe1c9cd62252a1d88 tested in a bulk by sthen ok jsing make ENGINE_finish() succeed on NULL and simplify callers as in 2018-04-14T07:09:21+00:00 tb 2018-04-14T07:09:21+00:00 urn:sha1:0c5418014797b1fadca3f270eb2f140fd6f5bdf8 OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'. ok jsing, tested by & ok inoguchi Provide DH_get0_engine(). 2018-02-22T16:41:04+00:00 jsing 2018-02-22T16:41:04+00:00 urn:sha1:d44ad2f21844969256b468a00cfa6fcd05c148c1 Fix bogus check. Spotted by brynet, thanks. 2018-02-20T21:11:15+00:00 tb 2018-02-20T21:11:15+00:00 urn:sha1:fe75a84399547ea9363ace5823b4c0a3c6c1076a Provide DH_set_length() 2018-02-20T18:01:42+00:00 tb 2018-02-20T18:01:42+00:00 urn:sha1:d6f857847da13bf66a33e009fdcf59034786be48 ok jsing