openbsd/src/lib, branch libressl-v2.1.4

openbsd/src/lib, branch libressl-v2.1.4 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v2.1.4 2015-03-02T21:41:08+00:00 Update comment to match code; Caspar Schutijser 2015-03-02T21:41:08+00:00 millert 2015-03-02T21:41:08+00:00 urn:sha1:f6e9eb23339296eec0a10399b584cbdf4948b62f Fix a minor information leak that was introduced in t1_lib.c r1.71, whereby 2015-03-02T13:43:09+00:00 jsing 2015-03-02T13:43:09+00:00 urn:sha1:45ee9e335c1b859ecec006aefb1a3c604a1c8d29 an additional 28 bytes of .rodata (or .data) is provided to the network. In most cases this is a non-issue since the memory content is already public. Issue found and reported by Felix Groebert of the Google Security Team. ok bcook@ beck@ Prefix function parameter names with underscores in tls.h, since this makes 2015-02-26T10:36:30+00:00 jsing 2015-02-26T10:36:30+00:00 urn:sha1:edbffccc662d783a95fcd535b216b27918cb35d0 them guaranteed to not conflict per POSIX. ok espie@ guenther@ Fix CVE-2014-3570: properly calculate the square of a BIGNUM value. 2015-02-25T15:39:49+00:00 bcook 2015-02-25T15:39:49+00:00 urn:sha1:f3031aa7bff24911a8cae9bdd7cdcd88d8554f42 See https://www.openssl.org/news/secadv_20150108.txt for a more detailed discussion. Original OpenSSL patch here: https://github.com/openssl/openssl/commit/a7a44ba55cb4f884c6bc9ceac90072dea38e66d0 The regression test is modified a little for KNF. ok miod@ Fix CVE-2015-0205: Do not accept client authentication with Diffie-Hellman 2015-02-25T03:49:21+00:00 bcook 2015-02-25T03:49:21+00:00 urn:sha1:07a99d742112a2ad5f56da7d83e8519f21d605b9 certificates without requiring a CertificateVerify message. From OpenSSL commit: https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3 Thanks to Karthikeyan Bhargavan for reporting this. ok miod@ we don't let strtonum errors bleed through now. 2015-02-24T19:22:12+00:00 tedu 2015-02-24T19:22:12+00:00 urn:sha1:d5b4efbc16863a5e213cd02ec7b8579ccc721006 Set errno to EINVAL, instead of letting ERANGE escape out. 2015-02-24T19:19:32+00:00 tedu 2015-02-24T19:19:32+00:00 urn:sha1:2183f1732174b17cc3ac80af51756f37e634f81d Printing strerror() in that case will say result too large, even if rounds is actually too small. invalid is less specific, but less incorrect. ok millert fourth batch of perlpod(1) to mdoc(7) conversion 2015-02-23T17:43:24+00:00 schwarze 2015-02-23T17:43:24+00:00 urn:sha1:3fed19a0557c5cc4db5053d380747aa1615cb201 Bump libcrypto and libssl majors, due to various recent churn. 2015-02-22T16:03:06+00:00 jsing 2015-02-22T16:03:06+00:00 urn:sha1:bb820e160520888599d0966ac5d4a5270c855a23 Discussed with/requested by deraadt@ at the conclusion of s2k15. Reluctantly add server-side support for TLS_FALLBACK_SCSV. 2015-02-22T15:54:27+00:00 jsing 2015-02-22T15:54:27+00:00 urn:sha1:1b087adcf5d3e3b653d1d37eb198d47d73c1e448 This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol. TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends. Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols. Diff is loosely based on OpenSSL with some inspiration from BoringSSL. Discussed with beck@ and miod@. ok bcook@