openbsd/src/lib, branch libressl-v2.6.4 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v2.6.4 2017-12-11T10:50:37+00:00 bump to 2.6.4 2017-12-11T10:50:37+00:00 bcook 2017-12-11T10:50:37+00:00 urn:sha1:2ece5bdc17bcc46a1d94daac2d5feab95a419b69 MFC: Make tls_config_parse_protocols() work correctly when passed a NULL 2017-12-09T16:49:17+00:00 jsing 2017-12-09T16:49:17+00:00 urn:sha1:b8100fcfb98cb2782f144c3357545c2162b1e3c1 pointer for a protocol string. Issue found by semarie@, who also provided the diff. MFC: Correct TLS extensions handling when no extensions are present. 2017-12-09T13:43:25+00:00 jsing 2017-12-09T13:43:25+00:00 urn:sha1:764541b0cbbef5bbe8943ea3da53ba158801937c If no TLS extensions are present in a client hello or server hello, omit the entire extensions block, rather than including it with a length of zero. ok beck@ inoguchi@ Thanks to Eric Elena <eric at voguemerry dot com> for providing packet captures and testing the fix. bump version in advance of final release 2017-09-26T14:23:20+00:00 bcook 2017-09-26T14:23:20+00:00 urn:sha1:bb11ab9e637768f627fefb664f488f744d3d5662 bump wo 2.6.2 2017-09-26T00:55:13+00:00 bcook 2017-09-26T00:55:13+00:00 urn:sha1:d62b89fe0278e5cfb01c030b03f8177f702b6580 If tls_config_parse_protocols() is called with a NULL pointer, return the 2017-09-25T18:07:03+00:00 jsing 2017-09-25T18:07:03+00:00 urn:sha1:4d8ee4aa62048ceec0971789b40645cbe219bc06 default protocols instead of crashing - this makes the behaviour more useful and mirrors what we already do in tls_config_set_ciphers() et al. Annotate some API-side memory leaks for future resolution. 2017-09-25T18:04:08+00:00 jsing 2017-09-25T18:04:08+00:00 urn:sha1:bf2198bdfe9143b542ef133958510a9ed4abf154 Fix various issues in the OCSP extension parsing code: 2017-09-25T18:02:27+00:00 jsing 2017-09-25T18:02:27+00:00 urn:sha1:7639841ec4865f7b5291dd45001f1dfaf669e342 - When parsing the OCSP extension we can have multiple responder IDs - pull these out correctly. - Stop using CBS_stow() - it's unnecessary since we just need access to the data and length (which we can get via CBS_data() and CBS_len()). - Use a temporary pointer when calling d2i_*() functions, since it will increment the pointer by the number of bytes it consumed when decoding. The original code incorrectly passes the pointer allocated via CBS_stow() (using malloc()) to a d2i_*() function and then calls free() on the now incremented pointer, most likely resulting in a crash. This issue was reported by Robert Swiecki who found the issue using honggfuzz. ok beck@ When building the OCSP extension, only add the length prefixed extensions 2017-09-25T17:51:49+00:00 jsing 2017-09-25T17:51:49+00:00 urn:sha1:07931285f5ddfc85a89b75c784c029c72187c885 after we finish building the responder ID list. Otherwise adding to the responder ID list fails. ok beck@ Make delayed free non-optional and make F do an extensive double free check. 2017-09-23T15:13:12+00:00 otto 2017-09-23T15:13:12+00:00 urn:sha1:1cfdab61d8a917bffa62b6d4d7f7bd8d906b7cc0 ok tb@ tedu@