summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* This commit was manufactured by cvs2git to create branch 'OPENBSD_6_2'.libressl-v2.6.3cvs2svn2017-09-260-0/+0
|
* bump version in advance of final releasebcook2017-09-261-3/+3
|
* bump wo 2.6.2libressl-v2.6.2bcook2017-09-261-3/+3
|
* If tls_config_parse_protocols() is called with a NULL pointer, return thejsing2017-09-251-1/+4
| | | | | default protocols instead of crashing - this makes the behaviour more useful and mirrors what we already do in tls_config_set_ciphers() et al.
* Annotate some API-side memory leaks for future resolution.jsing2017-09-251-1/+3
|
* Fix various issues in the OCSP extension parsing code:jsing2017-09-251-20/+14
| | | | | | | | | | | | | | | | | | - When parsing the OCSP extension we can have multiple responder IDs - pull these out correctly. - Stop using CBS_stow() - it's unnecessary since we just need access to the data and length (which we can get via CBS_data() and CBS_len()). - Use a temporary pointer when calling d2i_*() functions, since it will increment the pointer by the number of bytes it consumed when decoding. The original code incorrectly passes the pointer allocated via CBS_stow() (using malloc()) to a d2i_*() function and then calls free() on the now incremented pointer, most likely resulting in a crash. This issue was reported by Robert Swiecki who found the issue using honggfuzz. ok beck@
* When building the OCSP extension, only add the length prefixed extensionsjsing2017-09-251-6/+6
| | | | | | | after we finish building the responder ID list. Otherwise adding to the responder ID list fails. ok beck@
* Make delayed free non-optional and make F do an extensive double free check.otto2017-09-231-21/+26
| | | | ok tb@ tedu@
* Keep track of which keypair is in use by a TLS context.jsing2017-09-204-14/+25
| | | | | | | | | | This fixes a bug where by a TLS server with SNI would always only return the OCSP staple for the default keypair, rather than returning the OCSP staple associated with the keypair that was selected via SNI. Issue reported by William Graeber and confirmed by Andreas Bartelt. Fix tested by William Graeber and Andreas Bartelt - thanks!
* Slightly restructure tls_ocsp_verify_cb() to make it more like libtls code.jsing2017-09-201-6/+7
|
* Provide a useful error if there are no OCSP URLs in the peer certificate.jsing2017-09-201-1/+4
|
* Fix indentation.jsing2017-09-201-1/+1
|
* mapalign returns MAP_FAILED for failuer; from George Koehlerotto2017-09-121-2/+2
|
* check double free before canary for chunks; ok millert@otto2017-09-111-5/+5
|
* New POSIX xlocale implementation written from scratch.libressl-v2.6.1schwarze2017-09-0511-96/+396
| | | | | | | | | | | | Complete in the sense that all POSIX *locale(3) and *_l(3) functions are included, but in OpenBSD, we of course only really care about LC_CTYPE and we only support ASCII and UTF-8. With important help from kettenis@, guenther@, and jca@. Repeated testing in ports bulk builds by naddy@. Additional testing by jca@, sebastia@, dcoppa@, and others. OK kettenis@ dcoppa@, and guenther@ on an earlier version. Riding guenther@'s libc/librthread major bump.
* Move mutex, condvar, and thread-specific data routes, pthread_once, andguenther2017-09-052-11/+182
| | | | | | | | pthread_exit from libpthread to libc, along with low-level bits to support them. Major bump to both libc and libpthread. Requested by libressl team. Ports testing by naddy@ ok kettenis@
* Checking sizeof size_t by SIZE_MAX instead of _LP64inoguchi2017-09-031-7/+7
| | | | ok bcook@
* delete pointless .Tn ASCII found by jca@ with mandoc -Tlintschwarze2017-09-021-5/+4
|
* Remove OPENSSL_NO_NEXTPROTONEG - some software creates conflictingjsing2017-08-311-1/+0
| | | | | prototypes if we have both OPENSSL_NO_NEXTPROTONEG and the prototypes defined.
* Mention strtok_r in STANDARDSjca2017-08-311-2/+6
| | | | POSIX 2001 instead of POSIX.1c suggested by millert@ and jmc@, ok jmc@
* Move the full extension building into tlsext_{client,server}hello_build(),jsing2017-08-302-47/+26
| | | | | | leaving ssl_add_{client,server}hello_tlsext() as pointer to CBB wrappers. ok doug@
* Bump libssl/libtls minors due to symbol (re)addition.jsing2017-08-302-2/+2
|
* Bring back the NPN related symbols.jsing2017-08-303-3/+36
| | | | | | | | | | | Several pieces of software make use of these based on a conditional around OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of the TLS extension type. Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for ALPN was effectively botched and reuses two parts from the NPN implementation, rather than providing ALPN specific or generic versions.
* Bring back the RSA_SSLV23_PADDING define.jsing2017-08-301-1/+2
| | | | Several pieces of software expect this to be available unconditionally.
* Fix ifdef to if in gcm128.cinoguchi2017-08-301-2/+2
| | | | ok deraadt@ bcook@
* When OCSP status type is unknown, ignore the extension.doug2017-08-291-1/+6
| | | | | | | This needs to skip past the CBS data or it will be treated as a decode error even though it returns 1. ok jsing@
* When parsing extensions by calling the parse functions directly, ensurejsing2017-08-291-2/+82
| | | | | that we have consumed all of the extension data. This catches the ALPN extension handling issue that was just fixed.
* Actually parse the ALPN extension in a client hello, even if no ALPNjsing2017-08-291-4/+4
| | | | | | | | callback has been installed. This ensures that the ALPN extension is valid and avoids leaving unprocessed extension data, which leads to a decode error. Found the hard way by jsg@
* ECDHE-RSA-DES-CBC3-SHA should not be marked HIGH.jsing2017-08-281-2/+2
| | | | Spotted by Andreas Bartelt <obsd at bartula dot de>
* Some style(9).jsing2017-08-281-3/+6
|
* Remove chacha20-poly1305-old regress and test vectors.jsing2017-08-282-627/+0
|
* Remove SSLv23 padding mode.jsing2017-08-282-7/+5
|
* Bump lib{crypto,ssl,tls} majors due to symbol removals.jsing2017-08-283-6/+6
|
* Remove EVP_aead_chacha20_poly1305_old() now that the original/oldjsing2017-08-283-83/+28
| | | | chacha20-poly1305 cipher suites have been removed from libssl.
* Remove documentation for EVP_aead_chacha20_poly1305_ietf() - this wasjsing2017-08-281-13/+3
| | | | removed/renamed a long time back.
* Put the opening curly brace in the right place.jsing2017-08-281-2/+3
|
* Remove RSA_padding_add_SSLv23()/RSA_padding_check_SSLv23() and relatedjsing2017-08-289-202/+11
| | | | | | code. We removed SSLv2/SSLv3 a long time ago... Discussed with doug@
* Define OPENSSL_NO_NEXTPROTONEG since there is no longer any NPN.jsing2017-08-281-0/+1
|
* Completely remove NPN remnants.jsing2017-08-287-107/+9
| | | | Based on a diff from doug@, similar diff from inoguchi@
* Use current chacha20-poly1305 cipher suite values.jsing2017-08-281-7/+7
|
* Update due to removal of original chacha20-poly1305 cipher suites.jsing2017-08-281-42/+39
|
* Remove the original (pre-IETF) chacha20-poly1305 cipher suites.jsing2017-08-284-73/+5
| | | | | | | | | | Support for the IETF standardised chacha20-poly1305 cipher suites was added 16 months ago, which means they exist in both of the currently supported OpenBSD releases. Also prompted by Andreas Bartelt <obsd at bartula dot de>. ok beck@ doug@
* Fix unchecked return nitbeck2017-08-281-2/+5
| | | | ok bcook@ jsing@
* Rewrite SRTP extension using CBB/CBS and the new extension framework.doug2017-08-276-275/+652
| | | | input + ok beck@, jsing@
* check return value from CBB_initbeck2017-08-271-2/+3
|
* Make the symbol for ASN1_time_tm_clamp_notafter visible so libtlsbeck2017-08-274-5/+10
| | | | | can get at it, so libtls can also deal with notafter's past the realm of 32 bit time in portable
* Rewrite ALPN extension using CBB/CBS and the new extension framework.doug2017-08-265-144/+540
| | | | | ok bcook@ beck@ input + ok jsing@
* Work around bug in F5's handling of the supported elliptic curves extension.doug2017-08-231-2/+16
| | | | | | | | | | RFC 4492 only defines elliptic_curves for ClientHello. However, F5 is sending it in ServerHello. We need to skip over it since our TLS extension parsing code is now more strict. Thanks to Armin Wolfermann and WJ Liu for reporting the issue. input + ok jsing@
* import SSL_export_keying_material(3) from OpenSSLschwarze2017-08-213-3/+132
|
* merge the applicable parts of SSL_set_tlsext_host_name(3) documentation;schwarze2017-08-211-4/+28
| | | | | from Paul Yang <yang dot yang at baishancloud dot com> via OpenSSL commit 190b9a03 Jun 28 15:46:13 2017 +0800
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-16 02:17:31 +0000