openbsd/src/lib, branch libressl-v2.5.0

openbsd/src/lib, branch libressl-v2.5.0 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v2.5.0 2016-09-22T12:34:59+00:00 Improve on code from the previous commit. 2016-09-22T12:34:59+00:00 jsing 2016-09-22T12:34:59+00:00 urn:sha1:5aaca8e163f9816b5f3c9c1794e3e1fe045acbe7 ok bcook@ Avoid unbounded memory growth, which can be triggered by a client 2016-09-22T12:33:50+00:00 jsing 2016-09-22T12:33:50+00:00 urn:sha1:d23573ff3bd92843d23073b2f9edce30965eadf6 repeatedly renegotiating and sending OCSP Status Request TLS extensions. Fix based on OpenSSL. Check for packet with truncated DTLS cookie. 2016-09-22T07:17:41+00:00 guenther 2016-09-22T07:17:41+00:00 urn:sha1:28e429dc7ade584440562d4ea6b27e6a7833e946 Flip pointer comparison logic to avoid beyond-end-of-buffer pointers to make it less likely a compiler will decide to screw you. Based on parts of openssl commits 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 and 89c2720298f875ac80777da2da88a64859775898 ok jsing@ Improve ticket validity checking when tlsext_ticket_key_cb() callback 2016-09-22T06:57:40+00:00 guenther 2016-09-22T06:57:40+00:00 urn:sha1:0a9499f5b06c96665b68f63b3a97beacf46d7f33 chooses a different HMAC algorithm. Avert memory leaks if the callback preps the HMAC in some way. Based on openssl commit 1bbe48ab149893a78bf99c8eb8895c928900a16f but retaining a pre-callback length check to guarantee the callback is provided the buffer that the API claims. ok bcook@ jsing@ revert documentation update for the clearning behavior we already reverted 2016-09-22T04:28:24+00:00 bcook 2016-09-22T04:28:24+00:00 urn:sha1:92bd6bca06ecb9d0a0f4e5807b6d6ac237e11346 Delete casts to off_t and size_t that are implied by assignments 2016-09-21T04:38:56+00:00 guenther 2016-09-21T04:38:56+00:00 urn:sha1:4f42c802703f53d8169bb55766b44a362a136d7c or prototypes. Ditto for some of the char* and void* casts too. verified no change to instructions on ILP32 (i386) and LP64 (amd64) ok natano@ abluhm@ deraadt@ millert@ Avoid selecting weak digests for (EC)DH when using SNI. 2016-09-20T04:25:09+00:00 bcook 2016-09-20T04:25:09+00:00 urn:sha1:1dbcb54204a7b24fa96a79e4bd09dc80c94bc016 from OpenSSL: SSL_set_SSL_CTX is normally called for SNI after ClientHello has received and the digest to use for each certificate has been decided. The original ssl->cert contains the negotiated digests and is now copied to the new ssl->cert. noted by David Benjamin and Kinichiro Inoguchi Update ld search path for libssl/libcrypto, fixes cross-build after source moved. 2016-09-19T03:25:22+00:00 bcook 2016-09-19T03:25:22+00:00 urn:sha1:1a999a2e5f31bf8aaec9ebbb0346bfc1f51dddb6 from Patrick Wildt move page junking tp unmap(), right before we stick the region in the cache; 2016-09-18T13:46:28+00:00 otto 2016-09-18T13:46:28+00:00 urn:sha1:9fa30aecea45cf25c82da7630541699ccdd8d3a4 ok tedu@ Set callbacks on the right tls ctx on accept. 2016-09-14T11:34:37+00:00 bcook 2016-09-14T11:34:37+00:00 urn:sha1:b84341609d6c305c2f887baa1dc4dca62cd06a52 From Tobias Pape