| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Inspired by OpenSSL commit a130950d Aug 23 12:06:41 2017 -0400
by Rich Salz <rsalz at openssl dot org>, but using a more explicit
wording, and fixing *both* places rather than only half of them.
|
|
inspired by OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800
by Paul Yang <yang sot yang at baishancloud dot com>,
but without creating a RETURN VALUES section because that makes
no sense here: it would either result in a confusing order of
information or in duplicate information.
|
|
from Jakub Wilk <jwilk at jwilk dot net> via
OpenSSL commit a21285b3 Aug 21 18:30:34 2018 +0200
|
|
|
|
drops CA certificates whose validity dates don't comply with the rules on
ASN.1 encoding in RFC 5280 (and predecessors - same rule goes back to at
least RFC 2459, section 4.1.2.5).
LibreSSL strictly enforces this, so attempting to validate certificates
signed by these CAs just result in the following:
error 13 at 1 depth lookup:format error in certificate's notBefore field
"probably" beck@
|
|
Skip outputting them if invalid (e.g. GENERALIZEDTIME date before 2050).
|
|
use strcasecmp for reading args.
|
|
that should have been deleted before commit.
The cross reference is already present below SEE ALSO.
Glitch noticed by jsing@.
|
|
tested by many; ok florian@
|
|
ok jmc@, jsing@
|
|
|
|
around broken GOST implementations. It looks like client certificates with
GOST have been completely broken since reimport of the GOST code, so no-one
is using LibreSSL this way. The client side was fixed only last week for
TLSv1.0 and TLSv1.1. This workaround is now in the way of much needed
simplifcation and cleanup, so it is time for it to go.
suggested by and ok jsing
|
|
patch from Hiltjo Posthuma <hiltjo at codemadness dot org>
|
|
invalid change cipher spec. Found due to dead assignment warnings
by the Clang static analyzer.
ok inoguchi (previous version), jsing
|
|
This prototype was removed inadvertantly in r1.50.
OK jsing@
|
|
J. Clear that option to allow running full regress with paranoid
malloc flags. This is the same fix as for malloc_ulimit1.
|
|
|
|
bonus: this exposed a few missing const qualifiers.
|
|
an internal detail of the library, so the string should live inside it,
not in the application code.
ok jsing
|
|
type, sigalgs/rsa/ec/gost. Move a few special dances for GOST where they
belong now. This prompted a fix for a long-standing bug with GOST client
certificate authentication where tls1_transcript_data() fails since the
transcript was already freed before. Add a bit of missing error checking
and leave some further cleanup for later.
idea, guidance & ok jsing
|
|
ok bluhm@
|
|
The current crypto_lock_init() function is not called early enough, meaning
that locks are already in use before it gets called. Worse, locks could be
in use when they are then initialised. Furthermore, since functions like
CRYPTO_lock() are public API, these could be called directly bypassing
initialisation.
Avoid these issues by using static initialisers.
ok bcook@
|
|
J. Clear that option to allow running full regress with paranoid
malloc flags. Also fix whitespace.
OK otto@
|
|
|
|
|
|
|
|
The previous code meant that a caller could set the locking callback, after
which CRYPTO_get_locking_callback() would return non-NULL. Some existing
code depends on this behaviour, specifically to identify if lock handling
has been configured. As such, always returning NULL from
CRYPTO_get_locking_callback() can result in unexpected application
behaviour.
ok bcook@
|
|
If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.
Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.
ok beck@ tb@
|
|
now that there is essentially no malloc.conf;
text tweaked by deraadt; ok otto deraadt
|
|
libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line
between malloc managed memory and application managed memory and
exposes some of the internal workings of malloc. If an application
relies on that, it is likely to break using another implementation
of malloc. If you want usable size x, just allocate x bytes. ok
deraadt@ and other devs
|
|
here could creates non-uniformity since very short fetches of 0 would
be excluded. blocks of 0 are just as random as any other data, including
blocks of 4 4 4.. This is a misguided attempt to identify errors from the
entropy churn/gather code doesn't make sense, errors don't happen.
ok bcook
|
|
PROTO_NORMAL(). Problem noted by deraadt@
|
|
Discussed with beck@
|
|
In TLSv1.2, if the client does not send a signature algorithms extension
then for RSA key exchange a signature algorithm of {sha1,rsa} is implied.
The MD5+SHA1 hash only applies to older versions of TLS, which do not
support sigalgs.
|
|
|
|
|
|
|
|
|
|
joel's line of thinking about it
|
|
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@
|
|
for a timing vullnerability in ECDSA signature generation (CVE-2018-0735).
Note that the blinding that we introduced back in June for ECDSA and DSA
should mitigate this and related issues. This simply adds an additional
layer of protection.
discussed with jsing
|
|
instead of 'uint16_t'
Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.
OK tb@ and jsing@
|
|
From Edgar Pettijohn III
|
|
Makes connections to outlook.office365.com work
|
|
|
|
|
|
Spotted by maestre@, ok tb@
|
|
ok tb@
|
|
ok bcook
|
|
hex_encode() function and use byte arrays instead of strings to store
the expected values. Snatch and tweak hexdump() from beck's key_schedule
test to pretty-print data in case of failure.
|
