summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL errorjsing2015-02-074-26/+16
| | | | | | | dance handling code. This means that we get slightly useful messages when a TLS connection or accept fails. Requested by reyk@
* Convert several of the server side handshake functions to the new handshakejsing2015-02-074-238/+108
| | | | | | message handling routines. ok miod@
* Crank major for libcrypto since symbols have been removed.jsing2015-02-072-4/+4
| | | | Requested by deraadt@
* Add tls_config_set_dheparams() to allow specification of the parameters tojsing2015-02-077-22/+53
| | | | | | | | | use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
* Don't allow tag number 31 in CBB_add_asn1().doug2015-02-074-24/+54
| | | | | | | | | Tag 31 is invalid for a short form identifier octet (single byte). KNF a little more. Based on BoringSSL commit 5ba305643f55d37a3e45e8388a36d50c1b2d4ff5 ok miod@
* Crank libssl major due to the recent changes and removals.jsing2015-02-072-4/+4
| | | | ok beck@ deraadt@ miod@
* Clean up the {get,put}_cipher_by_char() implementations. Also usejsing2015-02-076-60/+28
| | | | | | | ssl3_get_cipher_by_value() in other parts of the code where it simplifies things. ok doug@
* Only call free in CBB_init().doug2015-02-072-6/+12
| | | | | | | | | | | CBB_init_fixed() should not call free because it can lead to use after free or double free bugs. The caller should be responsible for creating and destroying the buffer. From BoringSSL commit a84f06fc1eee6ea25ce040675fbad72c532afece miod agrees with the reasoning ok jsing@, beck@
* Attempt to implement the OpenSSL error dance so that TLS read/writejsing2015-02-071-29/+61
| | | | | | failures return something that is actually useful to the caller. ok reyk@
* Add regress tests for SSL_CIPHER_get_by_value() and SSL_CIPHER_get_by_id().jsing2015-02-071-1/+61
|
* Provide a SSL_CIPHER_get_by_value() function that allows a cipher to bejsing2015-02-078-8/+66
| | | | | | | | | | | | | | retrieved via its cipher suite value. A corresponding SSL_CIPHER_by_value() function returns the cipher suite value for a given SSL_CIPHER. These functions should mean that software does not need to resort to put_cipher_by_char()/get_cipher_by_char() in order to locate a cipher. Begrudgingly also provide a SSL_CIPHER_get_by_id() function that locates a cipher via the internal cipher identifier. Unfortunately these have already been leaked outside the library via SSL_CIPHER_by_id() and the various SSL3_CK_* and TLS1_CK_* defines in the ssl3.h/tls1.h headers. ok beck@ miod@
* Modify BSIZE to BUFLEN to avoid redefinition on HP-UX.bcook2015-02-072-15/+15
| | | | | | | | | | HP-UX defines BSIZE in its <sys/param.h>, and there is a route where its getting included as a side-effect. I tracked back to at least from HP-UX 9.0 ca. 1993, up to the latest, so the user namespace is polluted. from kinichiro <kinichiro.inoguchi@gmail.com> ok miod@, jsing@
* Stop defining TERMIOS, ANSI_SOURCE and OPENSSL_NO_RC5 for libssl builds.jsing2015-02-071-3/+1
| | | | | | | The first two are unused in libssl/libcrypto and OPENSSL_NO_RC5 is already defined via openssl/opensslfeatures.h. ok beck@ doug@ miod@
* Combine c_allc.c and c_alld.c into c_all.c - there is not much point havingjsing2015-02-077-724/+462
| | | | | | | this split across files, especially when two of them have less code than license text. ok bcook@ beck@ doug@ miod@
* Fix typo and ASN.1 tag number range comment in bytestring.h.doug2015-02-072-8/+8
| | | | | | | | | | CBS_get_asn1() and CBS_get_any_asn1_element() only support the single byte ASN.1 identifier octets (aka short form tags). Tag number 31 is the start of the multi-byte long form per X.690 section 8.1.2.4. From BoringSSL commit 2683af70e73f116e14db2bca6290fa4a010a2ee4 ok miod@
* SIZE_MAX is standard, we should be using it in preference to themillert2015-02-061-5/+3
| | | | obsolete SIZE_T_MAX. OK miod@ beck@
* KNF bytestring files.doug2015-02-069-2398/+2788
| | | | | | | | I checked that this doesn't change anything. Compiled with clang using -Wno-pointer-sign -g0 to reduce the differences. Only difference in the asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c. miod is ok with the general process.
* Remove accidental, commented out code.doug2015-02-062-22/+2
| | | | This was to test a patch for upstream.
* Unifdef NETSCAPE_HANG_BUG.jsing2015-02-062-44/+2
| | | | | | | If you're still using a buggy version of Netscape from 2000, for HTTPS with client certificates, it is probably a good time to find a new browser. "kill it softly... with napalm and kisses" miod@
* Add additional checks to ssl3_send_client_key_exchange() that ensuresjsing2015-02-062-36/+50
| | | | | | | | ephemeral keys exist for SSL_kDHE and SSL_kECDHE. This would have prevented CVE-2014-3572. ok doug@
* Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.doug2015-02-0612-2/+3359
| | | | | | | | | | | | | | This is imported with as few changes as possible for the initial commit. I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc() and changed a few header includes. BoringSSL has this as part of their public API. We're leaving it internal to libssl for now. Based on BoringSSL's CBB/CBS API as of commit c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54. input + ok jsing@, miod@
* Add libssl ciphers regress, which currently only coversjsing2015-02-063-1/+130
| | | | get_cipher_by_char/put_cipher_by_char.
* Bring back the horrible API that is get_cipher_by_char/put_cipher_by_char.jsing2015-02-0628-30/+176
| | | | | | | | This API was intended to be an internal only, however like many things in OpenSSL, it is exposed externally and parts of the software ecosystem are now using it since there is no real alternative within the public API. ok doug@, tedu@ and reluctantly miod@
* Rename SSL_CTX_use_certificate_chain() to SSL_CTX_use_certificate_chain_mem().reyk2015-02-068-21/+22
| | | | | As discussed with beck@ jsing@ and others OK beck@
* Declare the x509_(mem|file|dir)_lookup symbols as static because theyreyk2015-02-056-12/+12
| | | | | | | | shouldn't be used directly. They aren't part of the API; each module (file, dir, mem) provides an actual function to export the now-static object. OK miod@
* Make the TLS connect and accept error messages consistent.bluhm2015-01-302-5/+4
| | | | OK jsing@
* Use .Rv where appropriate, and move it to RETURN VALUES;schwarze2015-01-293-27/+13
| | | | | remove .Tn, and a few minor macro adjustments. Patch from Kaspars at Bankovskis dot net.
* dial the time back to about 0.1s, closer to the original targets andtedu2015-01-281-4/+4
| | | | friendlier for users. requested by deraadt
* Fix a number of issues relating to algorithms in signatures, Mostlybeck2015-01-2814-18/+116
| | | | | | from OpenSSL with a hint of boring and some things done here. Addresses CVE-2014-8275 for OpenSSL fully ok miod@ doug@
* Place the remainder of e_os2.h under #ifndef LIBRESSL_INTERNAL until we canjsing2015-01-261-1/+5
| | | | | hopefully remove it completely - nothing in LibreSSL should be making use of any of these defines.
* Add AEAD as a "MAC alias" so that it is possible to identify/select ciphersjsing2015-01-264-4/+14
| | | | | | | | that use AEAD instead of a MAC. This allows for TLSv1.2 AEAD ciphers (effectively the only ciphers that are still considered to be secure) to be selected using TLSv1.2+AEAD as a cipher string. ok bcook@ doug@ miod@
* Convert openssl(1) sess_id to the new option handling.doug2015-01-241-88/+113
| | | | input + ok jsing@
* Convert openssl(1)'s rsa.c to the new option handling code.doug2015-01-241-184/+251
| | | | input + ok jsing@
* Ensure that a ServerKeyExchange message is received if the selected cipherjsing2015-01-232-10/+36
| | | | | | | | | | | | | | suite uses ephemeral keys. This avoids an issue where an ECHDE cipher suite can effectively be downgraded to ECDH, if the server omits the ServerKeyExchange message and has provided a certificate with an ECC public key. Issue reported to OpenSSL by Karthikeyan Bhargavan. Based on OpenSSL. Fixes CVE-2014-3572. ok beck@
* Use field names in struct initialisers.jsing2015-01-226-66/+66
| | | | No change to generated assembly.
* last entry in NAME should not have a trailing comma;jmc2015-01-221-2/+2
|
* Add MLINK for tls_config_set_ca_mem()reyk2015-01-221-1/+2
|
* Allow to to load the CA chain directly from memory instead ofreyk2015-01-226-8/+39
| | | | | | | | specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
* Support CA verification in chroot'ed processes without direct filereyk2015-01-226-6/+20
| | | | | | | | | | access to the certificates. SSL_CTX_load_verify_mem() is a frontend to the new X509_STORE_load_mem() function that allows to load the CA chain from a memory buffer that is holding the PEM-encoded files. This function allows to handle the verification in privsep'ed code. Adopted for LibreSSL based on older code from relayd (by pyr@ and myself) With feedback and OK bluhm@
* Add X509_STORE_load_mem() to load certificates from a memory bufferreyk2015-01-229-8/+338
| | | | | | | | | | | instead of disk. OpenSSL didn't provide a built-in API from loading certificates in a chroot'ed process that doesn't have direct access to the files. X509_STORE_load_mem() provides a new backend that will be used by libssl and libtls to implement such privsep-friendly functionality. Adopted for LibreSSL based on older code from relayd (by pyr@ and myself) With feedback and OK bluhm@
* Make it obvious which openssl test complained and whether it was expected.doug2015-01-221-2/+5
| | | | ok bcook@
* Assume that the size of a pointer will not change at runtime.bcook2015-01-222-56/+30
| | | | | | | Change the runtime check for whether a long is smaller than a pointer to a compile-time check. Replace the silly hash for LLP64 platforms. ok tedu@
* Fix DTLS memory leak (CVE-2015-0206).libressl-v2.1.3doug2015-01-212-18/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There were four bugs fixed by this patch: * dtls1_buffer_record() now frees rdata->rbuf.buf on error. Since s->s3->rbuf was memset, rdata->rbuf is the only pointer left which points to the old rbuf. On error, rdata is freed so there will not be any way of freeing this memory unless we do it here. * Changed the return code of dtls1_buffer_record() to differentiate between queue full (0) and error (-1). See below as this differs from upstream. * Handle errors if calls to dtls1_buffer_record() fail with -1. Previously, it did not check the return value. * Changed the way receipts are recorded. Previously, it was recorded when processed successfully (whether buffered or not) in dtls1_process_record(). Now, it records when it is handled in dtls1_get_record(): either when it is entered into the queue to buffer for the next epoch or when it is processed directly. Processing buffered records does not add a receipt because it needed one in order to get into the queue. The above bugs combined contributed to an eventual DoS through memory exhaustion. The memory leak came from dtls1_buffer_record()'s error handling. The error handling can be triggered by a duplicate record or malloc failure. It was possible to add duplicate records because they were not being dropped. The faulty receipts logic did not detect replays when dealing with records for the next epoch. Additionally, dtls1_buffer_record()'s return value was not checked so an attacker could send repeated replay records for the next epoch. Reported to OpenSSL by Chris Mueller. Patch based on OpenSSL commit 103b171d8fc282ef435f8de9afbf7782e312961f and BoringSSL commit 44e2709cd65fbd2172b9516c79e56f1875f60300. Our patch matches BoringSSL's commit. OpenSSL returns 0 when the queue is full or when malloc() or pitem_new() fails. They return -1 on error including !ssl3_setup_buffers() which is another failure to allocate memory. BoringSSL and LibreSSL changed the return code for dtls1_buffer_record() to be 1 on success, 0 when the queue is full and -1 on error. input + ok bcook@, jsing@
* Missing $OpenBSD$'s.krw2015-01-205-0/+5
| | | | ok deraadt@
* Add arc4random/getentropy shims for NetBSD.bcook2015-01-194-0/+300
| | | | | | | | | | The latest NetBSD (6.1.5) arc4random does not appear to reseed the CRNG state after a fork, so provide an override until the fork-safe version in CVS appears in a release. These are the same as the FreeBSD shims. ok deraadt@
* Improve wording in alloca.tedu2015-01-171-7/+5
| | | | | | | 1. it's not a bug; it's a caveat. 2. "slightly unsafe" gives me the willies. 3. one .Xr to malloc should suffice ok deraadt jmc
* Use ">", not ">=" when comparing length to HOST_NAME_MAX sincemillert2015-01-161-3/+3
| | | | | otherwise we end up needlessly replacing a NUL with a NUL. OK deraadt@
* Replace HOST_NAME_MAX+1-1 with HOST_NAME_MAX. OK deraad@millert2015-01-162-8/+8
|
* Replace check for ">= HOST_NAME_MAX+1" with "> HOST_NAME_MAX".millert2015-01-161-1/+1
| | | | OK deraadt@
* Move to the <limits.h> universe.deraadt2015-01-1623-57/+40
| | | | review by millert, binary checking process with doug, concept with guenther
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-26 03:49:38 +0000