openbsd/src, branch libressl-v2.6.2

openbsd/src, branch libressl-v2.6.2 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v2.6.2 2017-09-26T00:55:13+00:00 bump wo 2.6.2 2017-09-26T00:55:13+00:00 bcook 2017-09-26T00:55:13+00:00 urn:sha1:d62b89fe0278e5cfb01c030b03f8177f702b6580 If tls_config_parse_protocols() is called with a NULL pointer, return the 2017-09-25T18:07:03+00:00 jsing 2017-09-25T18:07:03+00:00 urn:sha1:4d8ee4aa62048ceec0971789b40645cbe219bc06 default protocols instead of crashing - this makes the behaviour more useful and mirrors what we already do in tls_config_set_ciphers() et al. Annotate some API-side memory leaks for future resolution. 2017-09-25T18:04:08+00:00 jsing 2017-09-25T18:04:08+00:00 urn:sha1:bf2198bdfe9143b542ef133958510a9ed4abf154 Fix various issues in the OCSP extension parsing code: 2017-09-25T18:02:27+00:00 jsing 2017-09-25T18:02:27+00:00 urn:sha1:7639841ec4865f7b5291dd45001f1dfaf669e342 - When parsing the OCSP extension we can have multiple responder IDs - pull these out correctly. - Stop using CBS_stow() - it's unnecessary since we just need access to the data and length (which we can get via CBS_data() and CBS_len()). - Use a temporary pointer when calling d2i_*() functions, since it will increment the pointer by the number of bytes it consumed when decoding. The original code incorrectly passes the pointer allocated via CBS_stow() (using malloc()) to a d2i_*() function and then calls free() on the now incremented pointer, most likely resulting in a crash. This issue was reported by Robert Swiecki who found the issue using honggfuzz. ok beck@ When building the OCSP extension, only add the length prefixed extensions 2017-09-25T17:51:49+00:00 jsing 2017-09-25T17:51:49+00:00 urn:sha1:07931285f5ddfc85a89b75c784c029c72187c885 after we finish building the responder ID list. Otherwise adding to the responder ID list fails. ok beck@ Make delayed free non-optional and make F do an extensive double free check. 2017-09-23T15:13:12+00:00 otto 2017-09-23T15:13:12+00:00 urn:sha1:1cfdab61d8a917bffa62b6d4d7f7bd8d906b7cc0 ok tb@ tedu@ Keep track of which keypair is in use by a TLS context. 2017-09-20T17:05:17+00:00 jsing 2017-09-20T17:05:17+00:00 urn:sha1:cb877fda6d4f301551f4f41cbe708b7a31217fba This fixes a bug where by a TLS server with SNI would always only return the OCSP staple for the default keypair, rather than returning the OCSP staple associated with the keypair that was selected via SNI. Issue reported by William Graeber and confirmed by Andreas Bartelt. Fix tested by William Graeber and Andreas Bartelt - thanks! Slightly restructure tls_ocsp_verify_cb() to make it more like libtls code. 2017-09-20T16:52:37+00:00 jsing 2017-09-20T16:52:37+00:00 urn:sha1:373953b07ced62cde74a839d1249fa9b7d8df5e7 Provide a useful error if there are no OCSP URLs in the peer certificate. 2017-09-20T16:38:23+00:00 jsing 2017-09-20T16:38:23+00:00 urn:sha1:87f911b10521db48d4a40fc8d3426bf0af0b23ce Fix indentation. 2017-09-20T16:36:45+00:00 jsing 2017-09-20T16:36:45+00:00 urn:sha1:5068b8b7a6b9aeb5547f87d2352bfa52e9d6c448