openbsd/src, branch OPENBSD_6_5 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_6_5 2019-06-10T01:52:16+00:00 bump to LibreSSL 2.9.3 2019-06-10T01:52:16+00:00 bcook 2019-06-10T01:52:16+00:00 urn:sha1:f5cdaf4e4d7b589f05e0f2c5368a3833d0d5b863 MFC libssl fix - rev 1.49 (commitid: DLpHk0vyoFEK0Baa) 2019-06-07T15:09:44+00:00 sthen 2019-06-07T15:09:44+00:00 urn:sha1:589c03d1f6136c07954ea6249feb4baa330990a6 --- Relax parsing of TLS key share extensions on the server. The RFC does not require X25519 and it also allows clients to send an empty key share when the want the server to select a group. The current behaviour results in handshake failures where the client supports TLS 1.3 and sends a TLS key share extension that does not contain X25519. --- (this fixes server side in some cases with TLS 1.3 clients with what would normally be unusual config - however triggered by recent Firefox packages on Fedora, https://bugzilla.redhat.com/show_bug.cgi?id=1713777) In DTLS, use_srtp is part of the extended server hello while in TLSv1.3, 2019-05-15T19:25:15+00:00 tb 2019-05-15T19:25:15+00:00 urn:sha1:f0d432029321083529b36d45280f5308ff8bf24f it is an encrypted extension. Include it in the server hello for now. This will have to be revisited once TLSv1.3 gets there. Fixes SRTP negotiation. Problem found by two rust-openssl regress failures reported by mikeb. with & ok beck OpenBSD 6.5 errata 002 LibreSSL 2.9.2 2019-05-13T12:05:04+00:00 bcook 2019-05-13T12:05:04+00:00 urn:sha1:39ea782f8d3743e9fc4a3caccf90f833d3dc65a1 Avoid an overread caused by d2i_PrivateKey(). 2019-04-10T16:23:55+00:00 jsing 2019-04-10T16:23:55+00:00 urn:sha1:8ab9e3c33c0dd587e42c1c871bbe154fd19af00f There are cases where the old_priv_decode() function can fail but consume bytes. This will result in the pp pointer being advanced, which causes d2i_PKCS8_PRIV_KEY_INFO() to be called with an advanced pointer and incorrect length. Fixes oss-fuzz #13803 and #14142. ok deraadt@ tb@ Recommend SSL_CTX_add1_chain_cert(3) rather than 2019-04-09T22:01:50+00:00 schwarze 2019-04-09T22:01:50+00:00 urn:sha1:1e058bee4dd8093d5d6bebd88f82654927d1582c SSL_CTX_add_extra_chain_cert(3). From Dr. Stephen Henson <steve at openssl dot org> via OpenSSL commit a4339ea3 Jan 3 22:38:03 2014 +0000 which is still under a free license. Document SSL_CTX_clear_mode(3) and SSL_clear_mode(3). 2019-04-09T21:06:31+00:00 schwarze 2019-04-09T21:06:31+00:00 urn:sha1:58b03032ff8a03f5c8a1f05dc50a303855755822 From Kurt Roeckx <kurt at roeckx dot be> via OpenSSL commit 57fd5170 May 13 11:24:11 2018 +0200 which is still under a free license. While here, polish awkward wording and reduce duplication. exitting -> exiting 2019-04-07T16:41:16+00:00 tb 2019-04-07T16:41:16+00:00 urn:sha1:27cf13864a9022c226f613ef67a6ba10261a0b63 From Michael Scovetta, PR #108 Revert tasn_prn.c r1.18. 2019-04-07T16:35:50+00:00 jsing 2019-04-07T16:35:50+00:00 urn:sha1:a2af4c7dba7453f0994ce278075358a1d3a0e14f In this code, just because something is cast to a type doesn't mean it is necessarily that type - in this case we cannot check the length of the ASN1_STRING here, since it might be another data type and later handled as an int (for example, in the V_ASN1_BOOLEAN case). We will revisit this post release. ok tb@ whitespace consistency 2019-04-05T20:25:42+00:00 tb 2019-04-05T20:25:42+00:00 urn:sha1:ee8ec972cc5eb7e1ba590f332a6052e9bec80de2