summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Remove accidental, commented out code.doug2015-02-062-22/+2
| | | | This was to test a patch for upstream.
* Unifdef NETSCAPE_HANG_BUG.jsing2015-02-062-44/+2
| | | | | | | If you're still using a buggy version of Netscape from 2000, for HTTPS with client certificates, it is probably a good time to find a new browser. "kill it softly... with napalm and kisses" miod@
* Add additional checks to ssl3_send_client_key_exchange() that ensuresjsing2015-02-062-36/+50
| | | | | | | | ephemeral keys exist for SSL_kDHE and SSL_kECDHE. This would have prevented CVE-2014-3572. ok doug@
* Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.doug2015-02-0612-2/+3359
| | | | | | | | | | | | | | This is imported with as few changes as possible for the initial commit. I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc() and changed a few header includes. BoringSSL has this as part of their public API. We're leaving it internal to libssl for now. Based on BoringSSL's CBB/CBS API as of commit c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54. input + ok jsing@, miod@
* Add libssl ciphers regress, which currently only coversjsing2015-02-063-1/+130
| | | | get_cipher_by_char/put_cipher_by_char.
* Bring back the horrible API that is get_cipher_by_char/put_cipher_by_char.jsing2015-02-0628-30/+176
| | | | | | | | This API was intended to be an internal only, however like many things in OpenSSL, it is exposed externally and parts of the software ecosystem are now using it since there is no real alternative within the public API. ok doug@, tedu@ and reluctantly miod@
* Rename SSL_CTX_use_certificate_chain() to SSL_CTX_use_certificate_chain_mem().reyk2015-02-068-21/+22
| | | | | As discussed with beck@ jsing@ and others OK beck@
* Declare the x509_(mem|file|dir)_lookup symbols as static because theyreyk2015-02-056-12/+12
| | | | | | | | shouldn't be used directly. They aren't part of the API; each module (file, dir, mem) provides an actual function to export the now-static object. OK miod@
* Make the TLS connect and accept error messages consistent.bluhm2015-01-302-5/+4
| | | | OK jsing@
* Use .Rv where appropriate, and move it to RETURN VALUES;schwarze2015-01-293-27/+13
| | | | | remove .Tn, and a few minor macro adjustments. Patch from Kaspars at Bankovskis dot net.
* dial the time back to about 0.1s, closer to the original targets andtedu2015-01-281-4/+4
| | | | friendlier for users. requested by deraadt
* Fix a number of issues relating to algorithms in signatures, Mostlybeck2015-01-2814-18/+116
| | | | | | from OpenSSL with a hint of boring and some things done here. Addresses CVE-2014-8275 for OpenSSL fully ok miod@ doug@
* Place the remainder of e_os2.h under #ifndef LIBRESSL_INTERNAL until we canjsing2015-01-261-1/+5
| | | | | hopefully remove it completely - nothing in LibreSSL should be making use of any of these defines.
* Add AEAD as a "MAC alias" so that it is possible to identify/select ciphersjsing2015-01-264-4/+14
| | | | | | | | that use AEAD instead of a MAC. This allows for TLSv1.2 AEAD ciphers (effectively the only ciphers that are still considered to be secure) to be selected using TLSv1.2+AEAD as a cipher string. ok bcook@ doug@ miod@
* Convert openssl(1) sess_id to the new option handling.doug2015-01-241-88/+113
| | | | input + ok jsing@
* Convert openssl(1)'s rsa.c to the new option handling code.doug2015-01-241-184/+251
| | | | input + ok jsing@
* Ensure that a ServerKeyExchange message is received if the selected cipherjsing2015-01-232-10/+36
| | | | | | | | | | | | | | suite uses ephemeral keys. This avoids an issue where an ECHDE cipher suite can effectively be downgraded to ECDH, if the server omits the ServerKeyExchange message and has provided a certificate with an ECC public key. Issue reported to OpenSSL by Karthikeyan Bhargavan. Based on OpenSSL. Fixes CVE-2014-3572. ok beck@
* Use field names in struct initialisers.jsing2015-01-226-66/+66
| | | | No change to generated assembly.
* last entry in NAME should not have a trailing comma;jmc2015-01-221-2/+2
|
* Add MLINK for tls_config_set_ca_mem()reyk2015-01-221-1/+2
|
* Allow to to load the CA chain directly from memory instead ofreyk2015-01-226-8/+39
| | | | | | | | specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
* Support CA verification in chroot'ed processes without direct filereyk2015-01-226-6/+20
| | | | | | | | | | access to the certificates. SSL_CTX_load_verify_mem() is a frontend to the new X509_STORE_load_mem() function that allows to load the CA chain from a memory buffer that is holding the PEM-encoded files. This function allows to handle the verification in privsep'ed code. Adopted for LibreSSL based on older code from relayd (by pyr@ and myself) With feedback and OK bluhm@
* Add X509_STORE_load_mem() to load certificates from a memory bufferreyk2015-01-229-8/+338
| | | | | | | | | | | instead of disk. OpenSSL didn't provide a built-in API from loading certificates in a chroot'ed process that doesn't have direct access to the files. X509_STORE_load_mem() provides a new backend that will be used by libssl and libtls to implement such privsep-friendly functionality. Adopted for LibreSSL based on older code from relayd (by pyr@ and myself) With feedback and OK bluhm@
* Make it obvious which openssl test complained and whether it was expected.doug2015-01-221-2/+5
| | | | ok bcook@
* Assume that the size of a pointer will not change at runtime.bcook2015-01-222-56/+30
| | | | | | | Change the runtime check for whether a long is smaller than a pointer to a compile-time check. Replace the silly hash for LLP64 platforms. ok tedu@
* Fix DTLS memory leak (CVE-2015-0206).libressl-v2.1.3doug2015-01-212-18/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There were four bugs fixed by this patch: * dtls1_buffer_record() now frees rdata->rbuf.buf on error. Since s->s3->rbuf was memset, rdata->rbuf is the only pointer left which points to the old rbuf. On error, rdata is freed so there will not be any way of freeing this memory unless we do it here. * Changed the return code of dtls1_buffer_record() to differentiate between queue full (0) and error (-1). See below as this differs from upstream. * Handle errors if calls to dtls1_buffer_record() fail with -1. Previously, it did not check the return value. * Changed the way receipts are recorded. Previously, it was recorded when processed successfully (whether buffered or not) in dtls1_process_record(). Now, it records when it is handled in dtls1_get_record(): either when it is entered into the queue to buffer for the next epoch or when it is processed directly. Processing buffered records does not add a receipt because it needed one in order to get into the queue. The above bugs combined contributed to an eventual DoS through memory exhaustion. The memory leak came from dtls1_buffer_record()'s error handling. The error handling can be triggered by a duplicate record or malloc failure. It was possible to add duplicate records because they were not being dropped. The faulty receipts logic did not detect replays when dealing with records for the next epoch. Additionally, dtls1_buffer_record()'s return value was not checked so an attacker could send repeated replay records for the next epoch. Reported to OpenSSL by Chris Mueller. Patch based on OpenSSL commit 103b171d8fc282ef435f8de9afbf7782e312961f and BoringSSL commit 44e2709cd65fbd2172b9516c79e56f1875f60300. Our patch matches BoringSSL's commit. OpenSSL returns 0 when the queue is full or when malloc() or pitem_new() fails. They return -1 on error including !ssl3_setup_buffers() which is another failure to allocate memory. BoringSSL and LibreSSL changed the return code for dtls1_buffer_record() to be 1 on success, 0 when the queue is full and -1 on error. input + ok bcook@, jsing@
* Missing $OpenBSD$'s.krw2015-01-205-0/+5
| | | | ok deraadt@
* Add arc4random/getentropy shims for NetBSD.bcook2015-01-194-0/+300
| | | | | | | | | | The latest NetBSD (6.1.5) arc4random does not appear to reseed the CRNG state after a fork, so provide an override until the fork-safe version in CVS appears in a release. These are the same as the FreeBSD shims. ok deraadt@
* Improve wording in alloca.tedu2015-01-171-7/+5
| | | | | | | 1. it's not a bug; it's a caveat. 2. "slightly unsafe" gives me the willies. 3. one .Xr to malloc should suffice ok deraadt jmc
* Use ">", not ">=" when comparing length to HOST_NAME_MAX sincemillert2015-01-161-3/+3
| | | | | otherwise we end up needlessly replacing a NUL with a NUL. OK deraadt@
* Replace HOST_NAME_MAX+1-1 with HOST_NAME_MAX. OK deraad@millert2015-01-162-8/+8
|
* Replace check for ">= HOST_NAME_MAX+1" with "> HOST_NAME_MAX".millert2015-01-161-1/+1
| | | | OK deraadt@
* Move to the <limits.h> universe.deraadt2015-01-1623-57/+40
| | | | review by millert, binary checking process with doug, concept with guenther
* The SSL/TLS session Id context is limited to 32 bytes. Instead ofreyk2015-01-161-1/+13
| | | | | | | | using the name of relayd relay or smtpd pki, use a 32 byte arc4random buffer that should be unique for the context. This fixes an issue in OpenSMTPD when a long pki name could break the configuration. OK gilles@ benno@
* Delete the MANLINT variable and the related SUFFIXES rules becauseschwarze2015-01-162-4/+4
| | | | | | | | since yesterday, "mandoc -Tlint -Wfatal" can no longer fail. Instead, as suggested by deraadt@, provide a manlint target that is *not* run during make build, but can be run whenever you want to check syntax of manuals. "nice stuff" deraadt@
* remove unused variablechl2015-01-151-2/+1
| | | | ok tedu@
* back in september I did the large abstraction refactoring to allow thesederaadt2015-01-1514-14/+28
| | | | other systems to fit into the same mold, so add copyright
* Make strlcpy/strlcat slightly easier to read.millert2015-01-154-86/+82
|
* For non-blocking sockets tls_connect_fds() could fail with EAGAIN.bluhm2015-01-132-7/+22
| | | | | | | | Use the same logic from the read, write, accept functions to inform the caller wether a readable or writable socket is needed. After that event, the connect function must be called again. All the checks before connecting are done only once. OK tedu@
* Document the openssl s_client -proxy feature.bluhm2015-01-131-2/+14
| | | | OK jmc@
* Add the possibility to use the openssl s_client tool with an httpbluhm2015-01-131-4/+24
| | | | | | proxy. Implement the -proxy feature in the same hackish way as -starttls. OK jsing@
* Implement more thorough error checks:lteo2015-01-131-12/+38
| | | | | | | | | | | | - Check the return value of every relevant function call. - If BIO_new() returns NULL instead of a valid BIO, do not attempt to blindly use the NULL value as a BIO throughout the rest of the code. - Ensure that bio_out is freed by BIO_free_all() at the end of all error paths. ok doug@
* rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks,tedu2015-01-121-9/+9
| | | | nor are they the same size.
* Fix a memory leak in bss_dgram.doug2015-01-122-6/+26
| | | | | | | | Free data->saved_message.data. Based on OpenSSL commit: 41cd41c4416f545a18ead37e09e437c75fa07c95 except this version sets a->ptr to NULL to avoid accidental reuse and handles malloc failing. ok beck@, input + ok miod@
* Convert spkac.c to the new option handling code.doug2015-01-081-100/+137
| | | | input + ok jsing@
* Convert pkcs8.c to the new option handling code.doug2015-01-081-157/+220
| | | | | Minor KNF in a few places too. input + ok jsing@
* Convert asn1pars.c to the new option handling.doug2015-01-081-137/+206
| | | | | | | Also, removed a few useless if null checks. input from bcook@ input + ok jsing@
* missing , found by Dongsheng Songderaadt2015-01-081-3/+3
|
* Avoid a double-free in an error path.doug2015-01-082-2/+4
| | | | ok jsing@ beck@
* stupid me. need errno.htedu2015-01-071-1/+2
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-26 03:46:20 +0000