openbsd/src/lib/libcrypto, branch libressl-v2.3.8

openbsd/src/lib/libcrypto, branch libressl-v2.3.8 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v2.3.8 2016-02-17T13:06:56+00:00 This commit was manufactured by cvs2git to create branch 'OPENBSD_5_9'. 2016-02-17T13:06:56+00:00 cvs2svn admin@example.com 2016-02-17T13:06:56+00:00 urn:sha1:90ce84455c27c87d71ff108edf7d3d0109e81775 Sync some root certificates with Mozilla's cert store. ok bcook@ 2016-02-17T13:06:54+00:00 sthen 2016-02-17T13:06:54+00:00 urn:sha1:5e028a458eda039db3f8d1a098b2934bd6d466e4 - Add new root certificates present in Mozilla cert store from CA organizations who are already in cert.pem (AddTrust, Comodo, DigiCert, Entrust, GeoTrust, USERTrust). - Replace Startcom's root with their updated sha256 version present in Mozilla cert store. (They maintained serial# etc so this is still valid for existing signed certificates). - Add two root certificates from CA not previously present: "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority" "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru) We are still listing some certificates that have been removed from Mozilla's store (1024-bit etc) however these cannot be removed until cert validation is improved (we don't currently accept a certificate as valid unless the CA is at the end of a chain). Sort cert.pem alphabetically, first by organisation, then by CA name 2016-02-01T00:23:43+00:00 sthen 2016-02-01T00:23:43+00:00 urn:sha1:225f1ee35564ab235a59d5bd45096011a51741cd (CN if available, otherwise OU). Add a comment identifying the org. Now to get an easy-to-read list of certificates in the file you can use "grep ^[#=] cert.pem". Prepared with https://spacehopper.org/format-pem.20160201. If you would like to verify this commit to ensure that I didn't sneak in any other changes, it will be easier to use the script rather than do it by hand. Revamp cert.pem certificate information formatting. Skip headers which 2016-01-31T23:10:02+00:00 sthen 2016-01-31T23:10:02+00:00 urn:sha1:0b99bfb21d223cf0ce031b1a6e7d6e7e4c0ee255 aren't really useful (the information can be obtained by feeding the cert into "openssl x509 -in filename -text") and add a separator between certs showing the CA's CN or OU (similar to the display format in web browsers). Include both SHA1 and SHA256 fingerprints for all certificates. ok beck@ zhuk@ jung@ Calling clone(2) with CLONE_NEWPID yields multiple processes with pid=1. 2016-01-04T02:04:56+00:00 bcook 2016-01-04T02:04:56+00:00 urn:sha1:0f894628446dec0db2f00dac168dac6bcb7dd705 Work around this particular case by reseeding whenever pid=1, but as guenther@ notes, directly calling clone(2), and then forking to match another pid, provides other ways to bypass new process detection on Linux. Hopefully at some point Linux implements something like MAP_INHERIT_ZERO, and does not invent a corresponding mechanism to subvert it. Noted by Sebastian Krahmer and the opmsg team. See http://stealth.openwall.net/crypto/randup.c for a test program. ok beck@ More adress -> address 2015-12-24T05:50:16+00:00 mmcc 2015-12-24T05:50:16+00:00 urn:sha1:c9941e688a2d017068fd83419a3e3346b270db54 remove NULL-checks before free() 2015-12-23T20:37:23+00:00 mmcc 2015-12-23T20:37:23+00:00 urn:sha1:0acfd6965d2e7de3e9d3fff1348f689e59164fb7 assign pointer NULL rather than 0 2015-12-23T01:50:26+00:00 mmcc 2015-12-23T01:50:26+00:00 urn:sha1:9aa6664d2b19fc6a669e2d548bbb7e3bec9e6012 assign pointer to NULL rather than 0 2015-12-23T01:46:33+00:00 mmcc 2015-12-23T01:46:33+00:00 urn:sha1:def92b9d687af788e21407f183715d0811b6fbf4 initialize a pointer to NULL rather than 0 2015-12-22T08:44:44+00:00 mmcc 2015-12-22T08:44:44+00:00 urn:sha1:76a9959cf18079f893f945dd59dde8adadd0d1d6