openbsd/src/lib/libssl, branch libressl-v2.6.3A mirror of https://github.com/libressl/openbsd.git
https://git.lua4.win/openbsd/atom?h=libressl-v2.6.32017-09-25T18:04:08+00:00Annotate some API-side memory leaks for future resolution.2017-09-25T18:04:08+00:00jsing2017-09-25T18:04:08+00:00urn:sha1:bf2198bdfe9143b542ef133958510a9ed4abf154Fix various issues in the OCSP extension parsing code:2017-09-25T18:02:27+00:00jsing2017-09-25T18:02:27+00:00urn:sha1:7639841ec4865f7b5291dd45001f1dfaf669e342
- When parsing the OCSP extension we can have multiple responder IDs - pull
these out correctly.
- Stop using CBS_stow() - it's unnecessary since we just need access to the
data and length (which we can get via CBS_data() and CBS_len()).
- Use a temporary pointer when calling d2i_*() functions, since it will
increment the pointer by the number of bytes it consumed when decoding.
The original code incorrectly passes the pointer allocated via CBS_stow()
(using malloc()) to a d2i_*() function and then calls free() on the now
incremented pointer, most likely resulting in a crash. This issue was
reported by Robert Swiecki who found the issue using honggfuzz.
ok beck@
When building the OCSP extension, only add the length prefixed extensions2017-09-25T17:51:49+00:00jsing2017-09-25T17:51:49+00:00urn:sha1:07931285f5ddfc85a89b75c784c029c72187c885
after we finish building the responder ID list. Otherwise adding to the
responder ID list fails.
ok beck@
Move the full extension building into tlsext_{client,server}hello_build(),2017-08-30T16:44:37+00:00jsing2017-08-30T16:44:37+00:00urn:sha1:a1e52c53539972675487f29fed3f02106fd1be64
leaving ssl_add_{client,server}hello_tlsext() as pointer to CBB wrappers.
ok doug@
Bump libssl/libtls minors due to symbol (re)addition.2017-08-30T16:24:56+00:00jsing2017-08-30T16:24:56+00:00urn:sha1:6d77941ef30dc628bccd79f321a73668f2c02945Bring back the NPN related symbols.2017-08-30T16:24:21+00:00jsing2017-08-30T16:24:21+00:00urn:sha1:d5403ea18a4111f78be17230a52dc7b8b58ffd06
Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.
Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.
When OCSP status type is unknown, ignore the extension.2017-08-29T19:20:13+00:00doug2017-08-29T19:20:13+00:00urn:sha1:5635919e838b12ddb9bac1770b102c0ddfa4795c
This needs to skip past the CBS data or it will be treated as a decode
error even though it returns 1.
ok jsing@
Actually parse the ALPN extension in a client hello, even if no ALPN2017-08-29T17:24:12+00:00jsing2017-08-29T17:24:12+00:00urn:sha1:b474b8eb2f6ddb9abd39d2693c797915880dbde3
callback has been installed. This ensures that the ALPN extension is valid
and avoids leaving unprocessed extension data, which leads to a decode
error.
Found the hard way by jsg@
ECDHE-RSA-DES-CBC3-SHA should not be marked HIGH.2017-08-28T18:12:10+00:00jsing2017-08-28T18:12:10+00:00urn:sha1:8ec8163c2218db7d5a9da4bdaea767bb454a01f5
Spotted by Andreas Bartelt <obsd at bartula dot de>
Bump lib{crypto,ssl,tls} majors due to symbol removals.2017-08-28T17:49:06+00:00jsing2017-08-28T17:49:06+00:00urn:sha1:7795ed9d1b5591626b5be060048191880b39c390