summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().jsing2014-10-1834-130/+76
| | | | | | | | | | | | | | | arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code. It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL). ok beck@ deraadt@ miod@
* Typical malloc() with size multiplication to reallocarray().doug2014-10-183-12/+12
| | | | ok deraadt@
* Get rid of the last remaining BUF_strdup and BUF_strlcpy and friends, usebeck2014-10-165-10/+14
| | | | | intrinsic functions everywhere, and wrap these functions in an #ifndef LIBRESSL_INTERNAL to make sure we don't bring their use back.
* Disable SSLv3 by default.jsing2014-10-152-2/+8
| | | | | | | | | | | | | | SSLv3 has been long known to have weaknesses and the POODLE attack has once again shown that it is effectively broken/insecure. As such, it is time to stop enabling a protocol was deprecated almost 15 years ago. If an application really wants to provide backwards compatibility, at the cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be used to re-enable it on a per-application basis. General agreement from many. ok miod@
* Only require an EC public key in tls1_set_ec_id(), if we need to providejsing2014-10-152-8/+8
| | | | | | | a compression identifier. In the case of a server using ephemeral EC keys, the supplied key is unlikely to have a public key where SSL_CTX_set_tmp_ecdh() is called after SSL_OP_SINGLE_ECDH_USE has been set. This makes ECDHE ciphers work again for this use case.
* Add cipher aliases for DHE (the correct name for EDH) and ECDHE (thejsing2014-10-154-8/+32
| | | | | correct name for EECDH). The EDH and EECDH aliases remain for backwards compatibility.
* Bump libressl version string to 2.1.bcook2014-10-141-2/+2
| | | | | | | | | | | This makes 'openssl version' print a string that matches the -portable release number. Thanks to @blakkeim for pointing it out. The version integer is left alone, with the idea of discouraging software from relying on magic numbers for detecting features. Software configuration should do explicit feature tests instead. ok beck@, deraadt@
* The return value on success of fcntl(F_SETFL) is not actually specified,bcook2014-10-131-3/+3
| | | | | | only that it returns -1 on failure. pointed out by guenther@
* Use O_NONBLOCK over FIONBIO.bcook2014-10-131-2/+8
| | | | | | | | | Prefer this because it is the POSIX standard and has consistent behavior across platforms. Use BIO_socket_nbio consistently across the tree. from Jonas 'Sortie' Termansen, ok deraadt@
* Remove useless comments in DES_is_weak_key(). Do we really care that thismiod2014-10-121-14/+10
| | | | function was found broken in 1993, and later on in 1997?
* Paranoia: in ASN1_mbstring_ncopy(), check for len < 0 instead of len == -1,miod2014-10-121-2/+2
| | | | in order to catch all negative sizes.
* Convert libssl manpages from pod to mdoc(7).bentley2014-10-12249-7737/+19938
| | | | | | libcrypto has not been started yet. ok schwarze@ miod@
* Use strdup() instead of malloc() + memcpy().miod2014-10-071-8/+3
| | | | ok doug@ jsing@
* EC_KEY_set_group() does an EC_GROUP_dup() of its argument, so we don'tmiod2014-10-071-8/+2
| | | | | need to do it in ec_copy_parameters() prior to invoking EC_KEY_set_group(). ok doug@ jsing@
* The fixes to X509_PURPOSE_add() in r1.18 actually could cause a globalmiod2014-10-051-27/+29
| | | | | | | | | | | | | X509_PURPOSE object (obtained with X509_PURPOSE_get0() instead of being allocated in the function) to be freed if modifying that object would fail due to a low memory condition, while this object would still be referenced elsewhere. Fix this by only cleaning the object if we did not allocate it here. While there, fail early if either `name' or `sname' are NULL, rather than allocating an object and realizing we have nothing to strdup() into it. ok guenther@
* Be sure to check the stack push operation for success in v2i_POLICY_MAPPINGS();miod2014-10-051-17/+19
| | | | | | if it fails, free the object we were about to push. Factor error handling to avoid having four copies of about the same code. ok guenther@
* In v2i_AUTHORITY_INFO_ACCESS(), separate object allocation from object pushmiod2014-10-051-3/+8
| | | | | | on a stack; if the latter fails, we need to free the object before returning failure. ok guenther@
* Memory leak upon error in set_dist_point_name().miod2014-10-051-1/+2
| | | | ok guenther@
* Be sure to check object allocation for success before using them.miod2014-10-051-5/+10
| | | | Tweaks and ok guenther@
* Missing deallocation upon error.miod2014-10-051-2/+3
| | | | ok deraadt@ guenther@
* Fix memory leak in the error path of v2i_AUTHORITY_KEYID().miod2014-10-051-3/+6
| | | | ok deraadt@ guenther@
* compile with c89 (code / decl ordering); from Joakim.Tjernlund@transmode.sederaadt2014-10-051-2/+3
| | | | ok miod
* Use more specific curves/formats naming for local variables injsing2014-10-052-60/+56
| | | | | | | ssl_add_clienthello_tlsext() and ssl_add_serverhello_tlsext(), rather than the current generic naming. ok miod@
* Use tls1_get_curvelist() in ssl_add_clienthello_tlsext(), rather thanjsing2014-10-052-22/+4
| | | | | | hand rolling the same code. ok miod@
* Make tls1_get_formatlist() behave the same as tls1_get_curvelist() andjsing2014-10-052-42/+58
| | | | | | | | return the client format list if the client_formats flag is specified. Use tls1_get_formatlist()/tls1_get_curvelist() in tls1_check_ec_key(), simplifying the code. ok miod@
* Bump minor version for ECDH auto.jsing2014-10-032-2/+2
| | | | | While there are no additional symbols, there is an additional command that clients will potentially depend on.
* Add support for automatic ephemeral EC keys.jsing2014-10-0314-26/+152
| | | | | | | | | | This allows an SSL server to enable ECDHE ciphers with a single setting, which results in an EC key being generated using the first preference shared curve. Based on OpenSSL with inspiration from boringssl. ok miod@
* Use string literals in printf style calls so gcc's -Wformat works.doug2014-10-035-23/+22
| | | | ok tedu@, miod@
* Clean up EC cipher handling in ssl3_choose_cipher().jsing2014-09-306-290/+304
| | | | | | | | | | | The existing code reaches around into various internals of EC, which it should not know anything about. Replace this with a set of functions that that can correctly extract the necessary details and handle the comparisions. Based on a commit to OpenSSL, with some inspiration from boringssl. ok miod@
* Previous fix (1.12) would cause a NULL pointer dereference in the error pathmiod2014-09-291-4/+3
| | | | | if a NULL stack was passed as argument. Fix this by returning NULL early in that case.
* check_cert(): be sure to reset ctx->current_crl to NULL before freeing it.miod2014-09-291-10/+5
| | | | | | | | | X509_STORE_CTX_init(): do not free the X509_STORE_CTX * parameter upon failure, for we did not allocate it and it might not come from the heap, such as in check_crl_path() in this very same file where X509_STORE_CTX_init() gets invoked with a stack address. ok bcook@
* X509_NAME_get_text_by_OBJ(): make sure we do not pass a negative size tomiod2014-09-291-3/+5
| | | | | memcpy(). ok bcook@
* X509_VERIFY_PARAM_set1_name(): if invoked with NULL as the secondmiod2014-09-291-1/+2
| | | | | parameter, correctly set param->name to NULL after having freed it. ok bcook@
* Bump minor after adding SSL_CTX_use_certificate_chain().reyk2014-09-282-2/+2
| | | | ok jsing@ miod@
* Add a new API function SSL_CTX_use_certificate_chain() that allows toreyk2014-09-285-38/+106
| | | | | | | | | | | read the PEM-encoded certificate chain from memory instead of a file. This idea is derived from an older implementation in relayd that was needed to use the function with a privep'ed process in a chroot. Now it is time to get it into LibreSSL to make the API more privsep- friendly and to make it available for other programs and the ressl library. ok jsing@ miod@
* X509v3_add_ext(): do not free stuff we did not allocate in the error path.miod2014-09-281-2/+2
| | | | ok bcook@
* X509_TRUST_add(): check X509_TRUST_get0() return value before dereferencing it,miod2014-09-281-15/+23
| | | | | | for it may be NULL. Do not leak memory upon error. ok bcook@
* Someone (TM) thought it was smart to save memory by using malloc(1) andmiod2014-09-281-5/+4
| | | | | | | | | | | | | manual field fiddling to create an ASN1_INTEGER object, instead of using M_ASN1_INTEGER_new() which will allocate sizeof(long) bytes. That person had probably never looked into malloc(3) and never heard of allocation size rounding. Thus, replace the obfuscated code with M_ASN1_INTEGER_new() followed by ASN1_INTEGER_set(), to achieve a similar result, without the need for /* version == 0 */ comments. ok bcook@
* Doh, rev 1.4 had left out one routine with both 32-bit and 64-bit code, wheremiod2014-09-271-0/+2
| | | | the 64-bit code has to be disabled under OpenBSD/hppa.
* There is not much point checking ecdhp is not NULL... twice.jsing2014-09-274-28/+10
| | | | ok miod@
* Check that the specified curve is one of the client preferences.jsing2014-09-2710-16/+140
| | | | | | Based on OpenSSL. ok miod@
* X509_STORE_new(): do not leak memory upon error.miod2014-09-261-14/+17
| | | | | | | X509_STORE_get1_certs(), X509_STORE_get1_crls(): check the result of allocations. ok tedu@
* X509_issuer_and_serial_hash(): do not leak memory if an error occurs duringmiod2014-09-261-1/+3
| | | | | | the first EVP block. ok tedu@
* X509at_add1_attr(): do not free stuff we did not allocate in the error path.miod2014-09-261-3/+3
| | | | ok tedu@
* Now that we have a static version of the default EC formats, also use itjsing2014-09-262-94/+88
| | | | | | | | for the server hello. From OpenSSL. ok miod@
* Fix regression introduced in revision 1.15 by using strndup() instead ofmiod2014-09-231-6/+6
| | | | | | strdup() to allocated directory list components. ok jsing@
* Refactor and simplify the ECC extension handling. The existing codejsing2014-09-224-244/+196
| | | | | | | | | effectively built two "static" data structures - instead of doing this, just use static data structures to start with. From OpenSSL (part of a larger commit). ok miod@
* Also check the result from final_finish_mac() against finish_mac_length injsing2014-09-222-38/+34
| | | | | | ssl3_send_finished(). While this previously checked against a zero return value (which could occur on failure), we may as well test against the expected length, since we already know what that is.
* It is possible (although unlikely in practice) for peer_finish_md_len tojsing2014-09-222-26/+22
| | | | | | | | | | | | | | end up with a value of zero, primarily since ssl3_take_mac() fails to check the return value from the final_finish_mac() call. This would then mean that an SSL finished message with a zero-byte payload would successfully match against the calculated finish MAC. Avoid this by checking the length of peer_finish_md_len and the SSL finished message payload, against the known length already stored in the SSL3_ENC_METHOD finish_mac_length field (making use of a previously unused field). ok miod@ (a little while back)
* Document SSL_OP_TLSEXT_PADDING.jsing2014-09-211-0/+6
| | | | From OpenSSL.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 20:45:10 +0000