summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
* MFC.OPENBSD_6_0jsing2017-04-301-5/+5
| | | | | | | | | Fix a bug caused by the return value being set early to signal successful DTLS cookie validation. This can mask a later failure and result in a positive return value being returned from ssl3_get_client_hello(), when it should return a negative value to propagate the error. ok beck@
* Bump for LibreSSL 2.4.5libressl-v2.4.5bcook2017-01-071-3/+3
|
* MFC: Avoid a side-channel cache-timing attack that can leak the ECDSAjsing2017-01-051-1/+3
| | | | | | | | | private keys when signing. This is due to BN_mod_inverse() being used without the constant time flag being set. This issue was reported by Cesar Pereida Garcia and Billy Brumley (Tampere University of Technology). The fix was developed by Cesar Pereida Garcia.
* MFC: In ssl3_read_bytes(), do not process more than three consecutive TLSlibressl-v2.4.4jsing2016-11-031-4/+24
| | | | | | | | records, otherwise a peer can potentially cause us to loop indefinately. Return with an SSL_ERROR_WANT_READ instead, so that the caller can choose when they want to handle further processing for this connection. ok beck@ miod@
* Check for and handle failure of HMAC_{Update,Final} or EVP_DecryptUpdate()bcook2016-10-031-5/+11
| | | | | | based on openssl commit a5184a6c89ff954261e73d1e8691ab73b9b4b2d4 ok bcook@ original patch by guenther@
* Detect zero-length encrypted session data early, instead of when malloc(0)bcook2016-10-031-2/+2
| | | | | | | | fails or the HMAC check fails. Noted independently by jsing@ and Kurt Cancemi (kurt (at) x64architecture.com) ok bcook@ original patch by guenther@
* Check for packet with truncated DTLS cookie.bcook2016-10-031-12/+17
| | | | | | | | | | | | Flip pointer comparison logic to avoid beyond-end-of-buffer pointers to make it less likely a compiler will decide to screw you. Based on parts of openssl commits 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 and 89c2720298f875ac80777da2da88a64859775898 ok jsing@ original commit by @guenther
* Improve ticket validity checking when tlsext_ticket_key_cb() callbackbcook2016-10-031-4/+25
| | | | | | | | | | | | chooses a different HMAC algorithm. Avert memory leaks if the callback preps the HMAC in some way. Based on openssl commit 1bbe48ab149893a78bf99c8eb8895c928900a16f but retaining a pre-callback length check to guarantee the callback is provided the buffer that the API claims. ok bcook@ jsing@ original commit by guenther@
* In X509_cmp_time(), pass asn1_time_parse() the tag of the field beingbcook2016-10-031-2/+3
| | | | | | | | parsed so that a malformed GeneralizedTime field is recognized as an error instead of potentially being interpreted as if it was a valid UTCTime. Reported by Theofilos Petsios (theofilos (at) cs.columbia.edu) ok beck@ tedu@ jsing@
* bump to 2.4.4bcook2016-10-021-3/+3
|
* MFC: Avoid falling back to a weak digest for (EC)DH when using SNI withlibressl-v2.4.3jsing2016-09-221-3/+10
| | | | libssl.
* MFC: Avoid unbounded memory growth in libssl, which can be triggered by ajsing2016-09-221-9/+20
| | | | | TLS client repeatedly renegotiating and sending OCSP Status Request TLS extensions.
* bump version for 2.4.3bcook2016-09-221-3/+3
|
* back out calls to EVP_CIPHER_CTX_cleanup() in EVP_Encrypt/DecryptFinalbcook2016-09-221-3/+1
| | | | | Software that refers to ctx after calling Final breaks with these changes. revert parts of 1.31. ok jsing@
* This commit was manufactured by cvs2git to create branch 'OPENBSD_6_0'.libressl-v2.4.2cvs2svn2016-07-231187-380610/+0
|
* don't mix code and decls, ok tedu@bcook2016-07-182-4/+6
|
* use memset to initialize the unionbcook2016-07-172-4/+8
|
* remove unused OPENSSL_NO_OBJECT casebcook2016-07-172-28/+2
| | | | ok tedu@
* Initialize buffers before use, noted by Kinichiro Inoguchi.bcook2016-07-172-14/+14
| | | | ok beck@
* Clean up OCSP_check_validity() a bit more.beck2016-07-162-22/+20
| | | | | | - Return on first failure rather than continuing. - Don't compare times by comparing strings that possibly were not parsable as a time. ok deraadt@
* Limit the support of the "backward compatible" ssl2 handshake to only bebeck2016-07-162-2/+18
| | | | | used if TLS 1.0 is enabled. Sugessted/discussed with jsing@ and bcook@. ok guenther@ sthen@
* Split the existing TLS cipher suite groups into four:jsing2016-07-133-11/+22
| | | | | | | | | | | | "secure" (TLSv1.2+AEAD+PFS) "compat" (HIGH:!aNULL) "legacy" (HIGH:MEDIUM:!aNULL) "insecure" (ALL:!aNULL:!eNULL) This allows for flexibility and finer grained control, rather than having two extremes (an issue raised by Marko Kreen some time ago). ok beck@ tedu@
* zero the read buffer after copying data to user so it doesn't linger.tedu2016-07-102-2/+4
| | | | ok beck
* Revert previous - it introduces problems with a common privsep use case.jsing2016-07-073-72/+35
|
* call BN_init on temporaries to avoid use-before-set warningsbcook2016-07-076-6/+28
| | | | ok beck@
* J/j is a three valued option, document and fix code to actuall support thatotto2016-07-061-3/+5
| | | | | with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
* Check that the given ciphers string is syntactically valid and results injsing2016-07-061-1/+17
| | | | | | at least one matching cipher suite. ok doug@
* Always load CA, key and certificate files at the time the configurationjsing2016-07-063-35/+72
| | | | | | | | | | function is called. This simplifies code and results in a single memory based code path being used to provide data to libssl. Errors that occur when accessing the specified file are now detected and propagated immediately. Since the file access now occurs when the configuration function is called, we now play nicely with privsep/pledge. ok beck@ bluhm@ doug@
* Correctly handle an EOF that occurs prior to the TLS handshake completing.jsing2016-07-061-3/+6
| | | | | | Reported by Vasily Kolobkov, based on a diff from Marko Kreen. ok beck@
* remove unneeded duplicate call - spotted by jsing@beck2016-07-052-6/+2
|
* On systems where we do not have BN_ULLONG defined (most 64-bit systems),bcook2016-07-057-22/+87
| | | | | | | | | | | | | | BN_mod_word() can return incorrect results if the supplied modulus is too big, so we need to fall back to BN_div_word. Now that BN_mod_word may fail, handle errors properly update the man page. Thanks to Brian Smith for pointing out these fixes from BoringSSL: https://boringssl.googlesource.com/boringssl/+/67cb49d045f04973ddba0f92fe8a8ad483c7da89 https://boringssl.googlesource.com/boringssl/+/44bedc348d9491e63c7ed1438db100a4b8a830be ok beck@
* Add several fixes from OpenSSL to make OCSP work with intermediatebeck2016-07-052-20/+48
| | | | | | certificates provided in the response. - makes our newly added ocsp regress test pass too.. ok bcook@
* Tighten behavior of _rs_allocate failure for portable arc4random ↵bcook2016-06-3014-14/+28
| | | | | | | | | | implementations. In the event of a failure in _rs_allocate for rsx, we still have a reference to freed memory for rs on return. Not a huge deal since we subsequently abort in _rs_init, but it looks strange on its own. ok deraadt@
* Tighten behavior of _rs_allocate on Windows.bcook2016-06-302-8/+14
| | | | | | | | | | | | For Windows, we are simply using calloc, which has two annoyances: the memory has more permissions than needed by default, and it comes from the process heap, which looks like a memory leak since this memory is rightfully never freed. This switches _rs_alloc on Windows to use VirtualAlloc, which restricts the memory to READ|WRITE and keeps the memory out of the process heap. ok deraadt@
* bump to 2.4.2bcook2016-06-302-6/+6
|
* adapt S option: add C, rm F (not relevant with 0 cache and disablesotto2016-06-301-3/+3
| | | | chunk rnd), rm P: is default
* Remove flags for disabling constant-time operations.bcook2016-06-3016-354/+174
| | | | | | | | This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid. ok beck@
* Back out previous; otto saw a potential race that could lead to atb2016-06-281-32/+23
| | | | | | double unmap and I experienced a much more unstable firefox. discussed with otto on icb
* defer munmap to after unlocking malloc. this can (unfortunately) be antedu2016-06-271-23/+32
| | | | | | | expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
* increase the minimum for auto rounds to 6. that was the previous low boundtedu2016-06-261-2/+2
| | | | for login.conf, and we don't want to go lower.
* Fix from kinichiro.inoguchi@gmail.com to ensure that OCSP usesbeck2016-06-252-4/+4
| | | | Generalized Time on requests as per RFC6960
* Fix the ocsp code to actually check for errors when comparing time valuesbeck2016-06-252-14/+62
| | | | | | | | | which was not being done due to a lack of checking of the return code for X509_cmp_time. Ensure that we only compare GERNERALIZEDTIME values because this is what is specified by RFC6960. Issue reported, and fix provided by Kazuki Yamaguchi <k@rhe.jp> ok bcook@
* Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior.bcook2016-06-216-176/+92
| | | | | | | Improved patch from Cesar Pereida. See https://github.com/libressl-portable/openbsd/pull/61 for more details. ok beck@
* Set BN_FLG_CONSTTIME on the correct variable. beck committed wrong fix.libressl-v2.4.1tedu2016-06-062-4/+4
| | | | Mistake noted by Billy Brumley. Many thanks.
* Correct a problem that prevents the DSA signing algorithm from runningbeck2016-06-062-8/+12
| | | | | | | in constant time even if the flag BN_FLG_CONSTTIME is set. This issue was reported by Cesar Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by Cesar Pereida.
* LibreSSL 2.4.1bcook2016-06-062-6/+6
|
* Fix typo; the period should be outside the parens. From Michael McConvillemillert2016-06-021-3/+3
|
* deprecate internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.beck2016-05-308-24/+40
| | | | | | | 14 years ago these were changed in OpenSSL to be the same as the _ex functions. We use the _ex functions only internally to ensure it is obvious the ctx must be cleared. ok bcook@
* The icdb magic number doesn't need to be visible to static linksguenther2016-05-301-2/+2
| | | | ok tedu@
* Remove dead support for changing BDB hash algorithm and cache of alternativesguenther2016-05-291-5/+4
| | | | ok natano@ millert@ deraadt@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-25 18:25:10 +0000