| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Requested by deraadt@
|
|
use for DHE. This enables the use of DHE cipher suites.
Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it
is only used to specify the curve for ephemeral ECDH.
Discussed with reyk@
|
|
Tag 31 is invalid for a short form identifier octet (single byte).
KNF a little more.
Based on BoringSSL commit 5ba305643f55d37a3e45e8388a36d50c1b2d4ff5
ok miod@
|
|
ok beck@ deraadt@ miod@
|
|
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.
ok doug@
|
|
CBB_init_fixed() should not call free because it can lead to use after
free or double free bugs. The caller should be responsible for
creating and destroying the buffer.
From BoringSSL commit a84f06fc1eee6ea25ce040675fbad72c532afece
miod agrees with the reasoning
ok jsing@, beck@
|
|
failures return something that is actually useful to the caller.
ok reyk@
|
|
|
|
retrieved via its cipher suite value. A corresponding SSL_CIPHER_by_value()
function returns the cipher suite value for a given SSL_CIPHER. These
functions should mean that software does not need to resort to
put_cipher_by_char()/get_cipher_by_char() in order to locate a cipher.
Begrudgingly also provide a SSL_CIPHER_get_by_id() function that locates a
cipher via the internal cipher identifier. Unfortunately these have already
been leaked outside the library via SSL_CIPHER_by_id() and the various
SSL3_CK_* and TLS1_CK_* defines in the ssl3.h/tls1.h headers.
ok beck@ miod@
|
|
HP-UX defines BSIZE in its <sys/param.h>, and there is a route where its
getting included as a side-effect. I tracked back to at least from HP-UX 9.0
ca. 1993, up to the latest, so the user namespace is polluted.
from kinichiro <kinichiro.inoguchi@gmail.com>
ok miod@, jsing@
|
|
The first two are unused in libssl/libcrypto and OPENSSL_NO_RC5 is already
defined via openssl/opensslfeatures.h.
ok beck@ doug@ miod@
|
|
this split across files, especially when two of them have less code than
license text.
ok bcook@ beck@ doug@ miod@
|
|
CBS_get_asn1() and CBS_get_any_asn1_element() only support the single
byte ASN.1 identifier octets (aka short form tags). Tag number 31 is
the start of the multi-byte long form per X.690 section 8.1.2.4.
From BoringSSL commit 2683af70e73f116e14db2bca6290fa4a010a2ee4
ok miod@
|
|
obsolete SIZE_T_MAX. OK miod@ beck@
|
|
I checked that this doesn't change anything. Compiled with clang using
-Wno-pointer-sign -g0 to reduce the differences. Only difference in the
asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c.
miod is ok with the general process.
|
|
This was to test a patch for upstream.
|
|
If you're still using a buggy version of Netscape from 2000, for HTTPS with
client certificates, it is probably a good time to find a new browser.
"kill it softly... with napalm and kisses" miod@
|
|
ephemeral keys exist for SSL_kDHE and SSL_kECDHE.
This would have prevented CVE-2014-3572.
ok doug@
|
|
This is imported with as few changes as possible for the initial commit.
I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc()
and changed a few header includes.
BoringSSL has this as part of their public API. We're leaving it internal
to libssl for now.
Based on BoringSSL's CBB/CBS API as of commit
c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54.
input + ok jsing@, miod@
|
|
get_cipher_by_char/put_cipher_by_char.
|
|
This API was intended to be an internal only, however like many things in
OpenSSL, it is exposed externally and parts of the software ecosystem are
now using it since there is no real alternative within the public API.
ok doug@, tedu@ and reluctantly miod@
|
|
As discussed with beck@ jsing@ and others
OK beck@
|
|
shouldn't be used directly. They aren't part of the API; each module
(file, dir, mem) provides an actual function to export the now-static
object.
OK miod@
|
|
OK jsing@
|
|
remove .Tn, and a few minor macro adjustments.
Patch from Kaspars at Bankovskis dot net.
|
|
friendlier for users. requested by deraadt
|
|
from OpenSSL with a hint of boring and some things done here. Addresses
CVE-2014-8275 for OpenSSL fully
ok miod@ doug@
|
|
hopefully remove it completely - nothing in LibreSSL should be making use
of any of these defines.
|
|
that use AEAD instead of a MAC. This allows for TLSv1.2 AEAD ciphers
(effectively the only ciphers that are still considered to be secure) to be
selected using TLSv1.2+AEAD as a cipher string.
ok bcook@ doug@ miod@
|
|
input + ok jsing@
|
|
input + ok jsing@
|
|
suite uses ephemeral keys. This avoids an issue where an ECHDE cipher suite can
effectively be downgraded to ECDH, if the server omits the ServerKeyExchange
message and has provided a certificate with an ECC public key.
Issue reported to OpenSSL by Karthikeyan Bhargavan.
Based on OpenSSL.
Fixes CVE-2014-3572.
ok beck@
|
|
No change to generated assembly.
|
|
|
|
|
|
specifying a file. This enables CA verification in privsep'ed
processes that are running chroot'ed without direct access to the
certificate files.
With feedback, tests, and OK from bluhm@
|
|
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.
Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@
|
|
instead of disk. OpenSSL didn't provide a built-in API from loading
certificates in a chroot'ed process that doesn't have direct access to
the files. X509_STORE_load_mem() provides a new backend that will be
used by libssl and libtls to implement such privsep-friendly
functionality.
Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@
|
|
ok bcook@
|
|
Change the runtime check for whether a long is smaller than a pointer to a
compile-time check. Replace the silly hash for LLP64 platforms.
ok tedu@
|
|
There were four bugs fixed by this patch:
* dtls1_buffer_record() now frees rdata->rbuf.buf on error. Since
s->s3->rbuf was memset, rdata->rbuf is the only pointer left which
points to the old rbuf. On error, rdata is freed so there will not
be any way of freeing this memory unless we do it here.
* Changed the return code of dtls1_buffer_record() to differentiate
between queue full (0) and error (-1). See below as this differs
from upstream.
* Handle errors if calls to dtls1_buffer_record() fail with -1.
Previously, it did not check the return value.
* Changed the way receipts are recorded. Previously, it was recorded
when processed successfully (whether buffered or not) in
dtls1_process_record(). Now, it records when it is handled in
dtls1_get_record(): either when it is entered into the queue to buffer
for the next epoch or when it is processed directly. Processing
buffered records does not add a receipt because it needed one in
order to get into the queue.
The above bugs combined contributed to an eventual DoS through memory
exhaustion. The memory leak came from dtls1_buffer_record()'s error
handling. The error handling can be triggered by a duplicate record
or malloc failure. It was possible to add duplicate records because
they were not being dropped. The faulty receipts logic did not detect
replays when dealing with records for the next epoch. Additionally,
dtls1_buffer_record()'s return value was not checked so an attacker
could send repeated replay records for the next epoch.
Reported to OpenSSL by Chris Mueller.
Patch based on OpenSSL commit 103b171d8fc282ef435f8de9afbf7782e312961f
and BoringSSL commit 44e2709cd65fbd2172b9516c79e56f1875f60300.
Our patch matches BoringSSL's commit. OpenSSL returns 0 when the queue
is full or when malloc() or pitem_new() fails. They return -1 on error
including !ssl3_setup_buffers() which is another failure to allocate
memory.
BoringSSL and LibreSSL changed the return code for dtls1_buffer_record()
to be 1 on success, 0 when the queue is full and -1 on error.
input + ok bcook@, jsing@
|
|
ok deraadt@
|
|
The latest NetBSD (6.1.5) arc4random does not appear to reseed the CRNG state
after a fork, so provide an override until the fork-safe version in CVS appears
in a release.
These are the same as the FreeBSD shims.
ok deraadt@
|
|
1. it's not a bug; it's a caveat.
2. "slightly unsafe" gives me the willies.
3. one .Xr to malloc should suffice
ok deraadt jmc
|
|
otherwise we end up needlessly replacing a NUL with a NUL.
OK deraadt@
|
|
|
|
OK deraadt@
|
|
review by millert, binary checking process with doug, concept with guenther
|
|
using the name of relayd relay or smtpd pki, use a 32 byte arc4random
buffer that should be unique for the context. This fixes an issue in
OpenSMTPD when a long pki name could break the configuration.
OK gilles@ benno@
|
|
since yesterday, "mandoc -Tlint -Wfatal" can no longer fail.
Instead, as suggested by deraadt@, provide a manlint target
that is *not* run during make build, but can be run
whenever you want to check syntax of manuals.
"nice stuff" deraadt@
|
