summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* In LibreSSL, printing a certificate can result in a crash inlibressl-v3.3.4benno2021-08-201-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | X509_CERT_AUX_print(). Commit in -current: CVSROOT: /cvs Module name: src Changes by: schwarze@cvs.openbsd.org 2021/07/10 11:45:16 Modified files: lib/libcrypto/asn1: t_x509a.c Log message: Fix a read buffer overrun in X509_CERT_AUX_print(3), which by implication also affects X509_print(3). The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the alias->data field is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for these functions. OK tb@ As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. This is patches/6.9/common/015_x509.patch.sig
* mention DTLS1_2_VERSIONtb2021-04-151-3/+4
|
* Mention DTLS1_2_VERSION here, tootb2021-04-151-6/+8
|
* Document SSL_OP_NO_DTLSv1{,_2}tb2021-04-151-2/+15
|
* Document DTLSv1_2_{,client_,server_}method(3)tb2021-04-151-4/+36
|
* Merge documentation for SSL_is_dtls() from OpenSSLtb2021-04-151-5/+21
|
* Switch back to the legacy verifier for the release.tb2021-04-151-2/+2
| | | | | | | | | | | This is disappointing as a lot of work was put into the new verifier during this cycle. However, there are still too many known bugs and incompatibilities. It is better to be faced with known broken behavior than with new broken behavior and to switch now rather than via errata. This way we have another cycle to iron out the kinks and to fix some of the remaining bugs. ok jsing
* revert previous. some of the keyupdate tests still fail occasionallytb2021-04-141-2/+11
|
* Enable test-tls13-keyupdate.pytb2021-04-141-9/+2
|
* move test-record-size-limit.py to unsupportedtb2021-04-141-4/+3
|
* enable test-record-layer-fragmentation.pytb2021-04-141-7/+2
|
* factor argument to catch an alert mismatch into a helper functiontb2021-04-141-7/+8
|
* enable test-tlsfuzzer-invalid-compression-methods.pytb2021-04-131-5/+10
|
* enable test-large-hello.py as a slow testtb2021-04-131-3/+2
|
* with new defaults, test-fuzzed-plaintext.py is no longer slowtb2021-04-131-3/+2
|
* move a few tests to the unsupported group and fix two commentstb2021-04-131-15/+15
|
* annotate test-ecdhe-rsa-key-exchange-with-bad-messages.py with expectedtb2021-04-131-2/+3
| | | | alerts and where to add them.
* Update a stale comment and fix a typo.tb2021-04-111-3/+3
|
* An extra internal consistency check and a missing stats adjustment. ok tb@otto2021-04-091-1/+4
|
* Cache implementation has changed, we do not hold on to an exact numberotto2021-04-091-3/+4
| | | | of pages anymore, but also cache larger regions; ok tb@
* Enable test-cve-2016-6309.pytb2021-04-081-3/+2
|
* Avoid clobbering the error code when sending an alerttb2021-04-071-2/+3
| | | | | | | | | | | | In order to fail gracefully on encountering a self-signed cert, curl looks at the top-most error on the stack and needs specific SSL_R_ error codes. This mechanism was broken when the tls13_alert_sent_cb() was added after people complained about unhelpful unknown errors. Fix this by only setting the error code from a fatal alert if no error has been set previously. Issue reported by Christopher Reid ok jsing
* Use ERR_print_error_fp() to avoid leaking a BIO in fatal()tb2021-04-071-2/+2
|
* Check function return value in openssl(1) x509.cinoguchi2021-04-071-24/+71
| | | | input from bcook@, ok and comments from tb@
* Avoid leak in error pathinoguchi2021-04-071-3/+7
| | | | ok and input from tb@
* use errx() instead of err()tb2021-04-061-8/+8
|
* spaces -> tabstb2021-04-061-5/+5
|
* minor style tweakstb2021-04-061-5/+6
|
* Don't leak param->name in x509_verify_param_zero()tb2021-04-051-1/+2
| | | | | | | | | For dynamically allocated verify parameters, param->name is only ever set in X509_VERIFY_set1_name() where the old one is freed and the new one is assigned via strdup(). Setting it to NULL without freeing it beforehand is a leak. looks correct to millert, ok inoguchi
* Add missing error check for AES_unwrap_key().tb2021-04-041-1/+3
|
* Fix two copy paste errors in error messagestb2021-04-041-3/+3
|
* Add tests for DTLSv1_2{,_client,_server}_method()tb2021-04-041-1/+20
|
* Use correct type for tmp in test_write_bytes()tb2021-04-041-2/+2
|
* Explicitly NULL pointers to avoid a double free.tb2021-04-041-1/+3
|
* Don't leak key and dh in the error path.tb2021-04-041-4/+7
|
* Clean up client and server tls{,_config} contexts in tls_test().tb2021-04-041-2/+11
| | | | Leaks reported by Ilya Shipitsin.
* Run the CMAC tests through EVP_PKEY_new_CMAC_key().tb2021-04-031-10/+22
|
* Two cases of BRE involving counts and backrefs that go wrong andotto2021-04-021-1/+16
| | | | | similar that have no isssues. Reported by Michael Paoli. Failing cases commented out for now.
* Show DTLS1.2 message with openssl(1) s_server and s_clientinoguchi2021-04-021-2/+6
| | | | ok jsing@ tb@
* Compare the pointer variable explicitly with NULL in if conditioninoguchi2021-04-011-18/+17
|
* one of the examples needs an -N (and explanation);jmc2021-03-311-4/+7
| | | | | | diff from robert scheck discussed with and tweaked by sthen
* Update for DTLSv1.2 support.tb2021-03-311-2/+4
|
* Remove workarounds for SSL_is_dtls()tb2021-03-312-11/+2
| | | | Reminded by inoguchi jsing
* Remove workaround for missing d2i_DSAPrivateKey_fp prototypetb2021-03-311-5/+1
|
* Bump minors after symbol additiontb2021-03-313-3/+3
|
* Expose various DTLSv1.2 specific functions and definestb2021-03-315-27/+8
| | | | ok bcook inoguchi jsing
* Document SSL_set_hostflags(3) and SSL_get0_peername(3)tb2021-03-311-18/+4
| | | | ok bcook inoguchi jsing
* Expose SSL_set_hostflags(3) and SSL_get0_peername(3)tb2021-03-312-3/+3
| | | | ok bcook inoguchi jsing
* Document SSL_use_certificate_chain_file(3)tb2021-03-311-11/+3
| | | | ok bcook inoguchi jsing
* Expose SSL_use_certificate_chain_file(3)tb2021-03-312-3/+2
| | | | ok bcook inoguchi jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-27 05:31:33 +0000