path: root/lib
Age | Commit message | Author
2020-12-05 | Mark bitmask_{start,end}_values[] and g_probable_mtu[] const. | Theo Buehler
ok jsing kn
2020-12-05 | Mark nid_list[] const. This moves 116 bytes to .rodata. | Theo Buehler
ok jsing kn
2020-12-04 | Move point-on-curve check to set_affine_coordinates | Theo Buehler
Bad API design makes it possible to set an EC_KEY public key to a point not on the curve. As a consequence, it was possible to have bogus ECDSA signatures validated. In practice, all software uses either EC_POINT_oct2point*() to unmarshal public keys or issues a call to EC_KEY_check_key() after setting it. This way, a point on curve check is performed and the problem is mitigated. In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia Kasper moved the point-on-curve check from EC_POINT_oct2point to EC_POINT_set_affine_coordinates_*, which results in more checking. In addition to this commit, we also check in the currently unused codepath of a user set callback for setting compressed coordinates, just in case this will be used at some point in the future. The documentation of EC_KEY_check_key() is very vague on what it checks and when checks are needed. It could certainly be improved a lot. It's also strange that EC_KEY_set_key() performs no checks, while EC_KEY_set_public_key_affine_coordinates() implicitly calls EC_KEY_check_key(). It's a mess. Issue found and reported by Guido Vranken who also tested an earlier version of this fix. ok jsing
2020-12-03 | grammar fixes from Varik "The Genuine Article!!!" Valefor; | Jason McIntyre
2020-12-03 | There are special rules regarding the memory passed to pthread_attr_setstack(). | Otto Moerbeek
ok semarie@
2020-12-01 | Set type to DB_RECNO in __rec_open() for consistency with other db types. | Todd C. Miller
From Boudewijn Dijkstra
2020-12-01 | Bring back *_client_method() structs | Theo Buehler
The method unification broke an API promise of SSL_is_server(). According to the documentation, calling SSL_is_server() on SSL objects constructed from generic and server methods would result in 1 even before any call to SSL_set_accept_state(). This means the information needs to be available when SSL_new() is called, so must come from the method itself. Prior to the method unification, s->server would be set to 0 or 1 in SSL_new() depending on whether the accept method was undefined or not. Instead, introduce a flag to the internal structs to distinguish client methods from server and generic methods and copy that flag to s->server in SSL_new(). This problem was reported to otto due to breakage of DoH in net/dnsdist. The reason for this is that www/h2o relies on SSL_is_server() to decide whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would end up responding to a ClientHello with another ClientHello, which results in a handshake failure. The bandaid applied to www/h2o can be removed once this fix has made it into snaps. No other breakage is known. This commit brings back only about half of the duplication removed in the method unification, so is preferable to a full revert. ok jsing
2020-11-29 | Clarify what sio_start() does exactly | Alexandre Ratchov
Suggested by Erico Nogueira <ericonr@disroot.org>, help from and ok jmc@, schwarze@
2020-11-28 | Add retguard to macppc kernel locore.S, ofwreal.S, setjmp.S | gkoehler
This changes RETGUARD_SETUP(ffs) to RETGUARD_SETUP(ffs, %r11, %r12) and RETGUARD_CHECK(ffs) to RETGUARD_CHECK(ffs, %r11, %r12) to show that r11 and r12 are in use between setup and check, and to pick registers other than r11 and r12 in some kernel functions. ok mortimer@ deraadt@
2020-11-25 | Avoid undefined behavior due to memcpy(NULL, NULL, 0) | Theo Buehler
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read. agreement from millert ok jsing
2020-11-23 | mapalign() only handles allocations >= a page; problem found by and ok semarie@ | Otto Moerbeek
2020-11-20 | * Make .Nd more specific. | Ingo Schwarze
* Avoid lots of short non-standard .Sh sections.
* Describe server and raw descriptors separately.
* Move examples to the EXAMPLES section.
* Mention that "default" is used even when *not* specified.
tweak and OK ratchov@
2020-11-20 | * Add SIO_BPS() to NAME and SYNOPSIS where it is missing. | Ingo Schwarze
* Use .Fn rather than .Dv for macros taking arguments.
* Actually say what SIO_LE_NATIVE means.
* Add closely related APIs to SEE ALSO.
* Add missing HISTORY and AUTHORS sections.
OK ratchov@
2020-11-20 | fix another misleading line break and indent | Theo Buehler
2020-11-20 | fix confusing line break and indent | Theo Buehler
2020-11-19 | Allow specific devices to be used for play-only and rec-only modes. | Alexandre Ratchov
Introduce new AUDIO{PLAY,REC}DEVICE environment variables that override AUDIODEVICE in cases play-only and rec-only mode is requested. This allows using different devices for playback and recording in programs requesting twice the default device (one in play-only mode and one in rec-only mode). Based on diffs from Peter J Philipp, semarie, and solene ok solene, sthen
2020-11-18 | Plug leak in x509_verify_chain_dup() | Theo Buehler
x509_verify_chain_new() allocates a few members of a certificate chain: an empty stack of certificates, a list of errors encountered while validating the chain, and a list of name constraints. The function to copy a chain would allocate a new chain using x509_verify_chain_new() and then clobber its members by copies of the old chain. Fix this by replacing x509_verify_chain_new() with calloc(). Found by review while investigating the report by Hanno Zysik who found the same leak using valgrind. This is a cleaner version of my initial fix from jsing. ok jsing
2020-11-18 | Plug a big memory leak in the new validator | Theo Buehler
The legacy validator would only call x509_vfy_check_policy() once at the very end after cobbling together a chain. Therefore it didn't matter that X509_policy_check() always allocates a new tree on top of the one that might have been passed in. This is in stark contrast to other, similar APIs in this code base. The new validator calls this function several times over while building its chains. This adds up to a sizable leak in the new validator. Reported with a reproducer by Hanno Zysik on github, who also bisected this to the commit enabling the new validator. Narrowed down to x509_vfy_check_policy() by jsing. We simultaneously came up with a functionally identical fix. ok jsing
2020-11-18 | zap ugly empty line before closing brace | Theo Buehler
2020-11-18 | Move freeing of the verify context to its natural place instead of | Theo Buehler
a few lines after. stylistic nit from jsing
2020-11-18 | KNF (whitespace) | Theo Buehler
2020-11-18 | bump to 3.3.0 | Brent Cook
2020-11-17 | typo & punctuation in comment | Theo Buehler
2020-11-16 | Implement exporter for TLSv1.3. | Joel Sing
This implements the key material exporter for TLSv1.3, as defined in RFC8446 section 7.5. Issue reported by nmathewson on github. ok inoguchi@ tb@
2020-11-16 | Use X509_V_OK instead of 0. | Joel Sing
ok beck@ tb@
2020-11-16 | Add back an X509_STORE_CTX error code assignment. | Joel Sing
This was inadvertently removed in r1.19. Spotted by tb@ ok beck@ tb@
2020-11-15 | Return the specific failure for a "self signed certificate" in the chain | Bob Beck
in order to be compatible with the openssl error craziness in the legacy verifier case. This will fix a regress problem noticed by znc ok tb@
2020-11-14 | Constify dktypenames and fstypenames in libc. | Philip Guenther
Adjust variable declaration in disklabel to match. ok millert@ deraadt@
2020-11-14 | remove macro instances from arbitrary string width specifiers. for example | Jason McIntyre
-width ".Dv BOB" -> -width "BOB" although they are not errors, they are misleading and probably should not get pasted around
2020-11-14 | EVFILT_EXCEPT operates on sockets (emil engler) | Jason McIntyre
or pseudo terminals (visa); ok mpi visa
2020-11-11 | Handle additional certificate error cases in new X.509 verifier. | Joel Sing
With the old verifier, the verify callback can always return 1 instructing the verifier to simply continue regardless of a certificate verification failure (e.g. the certificate is expired or revoked). This would result in a chain being built, however the first error encountered would be persisted, which allows the caller to build the chain, have the verification process succeed, yet upon inspecting the error code note that the chain is not valid for some reason. Mimic this behaviour by keeping track of certificate errors while building chains - when we finish verification, find the certificate error closest to the leaf certificate and expose that via the X509_STORE_CTX. There are various corner cases that we also have to handle, like the fact that we keep a certificate error until we find the issuer, at which point we have to clear it. Issue reported by Ilya Shipitcin due to failing haproxy regression tests. With much discussion and input from beck@ and tb@! ok beck@ tb@
2020-11-11 | Implement auto chain for the TLSv1.3 server. | Joel Sing
Apparently OpenLDAP relies on this craziness to provide intermediates, rather than specifying the chain directly like a normal TLS server would. Issue noted by sthen@ and Bernard Spil, who both also tested this diff. ok tb@
2020-11-11 | Use size_t for key_block_len. | Joel Sing
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here. ok inoguchi@ tb@
2020-11-11 | Update getentropy on Windows to use Cryptography Next Generation (CNG). | Brent Cook
wincrypt is deprecated and no longer works with newer Windows environments, such as in Windows Store apps.
2020-11-07 | Fix ilogb(3) implementation. The results have to match FP_ILOGB0 and | Mark Kettenis
FP_ILOGBNAN which isn't the case for the amd64 and i386 assembly versions. Drop these in favour of C implementations. Also reimplement ilogbl(3) by providing separate ld80 and ld128 implementations that replace the existing implementation which may hit an infinite loop when built for quad-precision long double. ok patrick@, gkoehler@
2020-11-07 | Fix ilogb(3) implementation. The results have to match FP_ILOGB0 and | Mark Kettenis
FP_ILOGBNAN which isn't the case for the amd64 and i386 assembly versions. Drop these in favour of C implementations. Also reimplement ilogbl(3) by providing separate ld80 and ld128 implementations that replace the existing implementation which may hit an infinite loop when built for quad-precision long double. ok patrick@, gkoehler@
2020-11-07 | Actually m88k assembler can not handle 'nop' mnemonic, use a macro instead. | Kenji Aoyama
ok deraadt@
2020-11-05 | double word fixes; | Jason McIntyre
2020-11-03 | Fix bad indent. | Joel Sing
2020-11-03 | Only check BIO_should_read() on read and BIO_should_write() on write. | Joel Sing
The TLSv1.3 code that drives a BIO currently checks BIO_should_read() after BIO_write() and BIO_should_write() after BIO_read(), which was modelled on SSL_get_error(). However, there are certain cases where this can confuse the caller - primarily where the same BIO is being used for both read and write and the caller is manipulating the retry flags. SSL_get_error() tends to avoid this issue by relying on another layer of state tracking. Unfortunately haproxy hits this situation - it has its own BIO_METHOD, the same BIO is used for both read and write and it manipulates the retry flags - resulting in it stalling. Issue noted by Thorsten Lockert <tholo@tzecmaun.org> ok beck@ tb@
2020-11-03 | Hook X509_STORE_CTX get_issuer() callback from new X509 verifier. | Joel Sing
If we fail to find a parent certificate from either the supplied roots or intermediates and we have a X509_STORE_CTX, call its get_issuer() callback to see if it can supply a suitable certificate. This makes things like certificates by directory (aka by_dir) work correctly. Issue noted by Uwe Werler <uwe@werler.is> ok beck@ tb@
2020-11-02 | typo: ASN1_parse_time -> ASN1_time_parse | Theo Buehler
2020-10-31 | Align with C99 (and our implementation) and describe the return values for | Mark Kettenis
NaN and 0 arguments using FP_ILOGB0 and FP_ILOGBNAN.
2020-10-27 | The printf format string component %n is a nearly Turing-complete gadget. | Theo de Raadt
Largely considered attack surface nowadays. The benefit provided by %n is completely overshadowed by the risk. New uses of %n don't seem to be entering the C ecosystem, as static tools flag them. And everyone points fingers at those people.... The list of programs (and libraries) which use %n is therefore finite and shrinking. Most of the %n use comes out of the GNU ecosystem. jca@ has convinced gnulib to fix their code (so we need to wait for software including gnulib to make new releases). A few libraries have moved ahead of us and become more strict. Some no longer permit %n (for instance, Android bionic). Others log the occurrence. Some log and abort if the output location is W|X (MacOS). Our base tree is clean. The ports tree contains a handful during build time, and unknown count (more) during runtime. We would like to abort programs on any occurrence of %n. Or we could be like MacOS, aborting for W|X pages (but would need a system call which can check that condition, and that introduces address space knowledge we don't want attackers to know, and may be a poor tradeoff). For now, we can syslog, to increase awareness, and involve more people in the greater community to remove %n uses. [If %n is at the end, use the *printf return value. If it occurs in the middle, split the printf calls into multiples] Hopefully one day, we can just abort() when %n happens. Help us get there? ok jca, plus naddy for ports team
2020-10-27 | Add agentx_varbind_unsigned32 as a wrapper around agentx_varbind_gauge32 to | Martijn van Duren
be more clear what to use when a normal unsigned is desired. This is in conformance with RFC 2578/SMIv2. Ride yesterday's bump OK tb@
2020-10-27 | Adjust manpage to uint32_t->int32_t change. | Martijn van Duren
2020-10-27 | According to SMI (RFC 2578) an integer is signed. Somehow I managed to | Martijn van Duren
overlook this. This change prevents indices larger than INT32_MAX, but this shouldn't happen in the current code (relayd) anyway. In all other cases the bytes would've been passed on to SNMP anyway, so there's no effective difference there. Probably no ABI-change, but we can ride yesterday's bump anyway. OK tb@
2020-10-26 | Retguard asm macros for powerpc libc, ld.so | gkoehler
Add retguard to some, but not all, asm functions in libc. Edit SYS.h in libc to remove the PREFIX macros and add SYSENTRY (more like aarch64 and powerpc64), so we can insert RETGUARD_SETUP after SYSENTRY. Some .S files in this commit don't get retguard, but do stop using the old prefix macros. Tested by deraadt@, who put this diff in a macppc snap.
2020-10-26 | Set ax_rbsize before calling malloc and use it in malloc. | Martijn van Duren
OK tb@ and kn@
2020-10-26 | The agentx API will first appear in 6.9. | Theo Buehler