| Age | Commit message (Collapse) | Author |
|---|
|
* mention TLSv1.3
* remove DSS, DES(56), RC4(64), and IDEA(128), which are no longer supported
* remove ChaCha20-Poly1305-Old and STREEBOG512 which don't exist in LibreSSL
* correct the instruction for printing the complete list
OK jsing@
|
|
cipher suites" to the DES entry and use the same wording for DSS;
OK jsing@
|
|
in LOW, MEDIUM, and HIGH. That's going to change repeatedly and
the extra maintenance effort for keeping it up to date is a waste
because people can trivially run "openssl ciphers -v LOW" to look
it up. Besides, updating it will usually be forgotten; the LOW
entry was already wrong.
Suggested by jsing@.
|
|
TLSv1 control word, and explain how TLSv1.3 cipher suites can be
configured in LibreSSL and in OpenSSL. While here, also mention
how users can inspect the DEFAULT list of cipher suites.
Stimulus, feedback and OK from jsing@.
|
|
|
|
ok deraadt@
|
|
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.
Issue in openssl x509 -text output reported by sthen
ok jsing sthen
|
|
OpenSSL has always taken the approach of enabling almost everything by
default. As a result, if you wanted to run a secure TLS client/server
you had to specify your own "secure" cipher string, rather than being
able to trust the defaults as being sensible and secure. The problem
is that with the introduction of TLSv1.3, most of these "secure" cipher
strings result in the new TLSv1.3 cipher suites being excluded.
The "work around" for this issue in OpenSSL was to add a new TLSv1.3
API (SSL_CTX_set_ciphersuites(), SSL_set_ciphersuites()) and have separate
knobs for the pre-TLSv1.3 and TLSv1.3 cipher suites. This of course means
that every application now needs to call two APIs, but it does mean that
applications that only call SSL_CTX_set_cipher_list()/SSL_set_cipher_list()
cannot remove TLSv1.3 cipher suites and prevent TLSv1.3 from working.
We've taken a different approach and have allowed TLSv1.3 cipher suites
to be manipulated via the existing SSL_set_cipher_list() API. However,
in order to avoid problems with hardcoded cipher strings, change this
behaviour so that we always include TLSv1.3 cipher suites unless the
cipher string has a specific reference to the TLSv1.3 protocol or a
TLSv1.3 cipher suite.
This means that:
$ openssl ciphers -v TLSv1.2:!TLSv1.3
still gives TLSv1.2 only cipher suites and:
$ openssl ciphers -v AEAD-CHACHA20-POLY1305-SHA256
only lists a single TLSv1.3 cipher, however:
$ openssl ciphers -v ECDHE-RSA-AES256-GCM-SHA384
now includes both TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 and all TLSv1.3
cipher suites (which also matches OpenSSL's openssl(1) behaviour).
Issue encountered by kn@ with mumble.
ok tb@
|
|
|
|
explicitly comparing against a value.
|
|
Generate an unpredictable 32-byte legacy session ID during client
initialisation, rather than when the ClientHello message is being created.
Otherwise in the case of a HelloRetryRequest the legacy session ID values
will differ between the first and second ClientHello messages, which is
not permitted by the RFC.
Fixes an issue talking TLSv1.3 to smtp.mail.yahoo.com.
ok beck@
|
|
If the maximum version is less than TLSv1.3, send a zero-length session
identifier (matching the behaviour of the legacy TLS stack), rather than
a 32 byte random identifier. The 32 byte random identifier is only needed
for "compatibility" mode in TLSv1.3.
ok beck@
|
|
|
|
on sparc64
Discrepancy spotted in
http://build-failures.rhaalovely.net/sparc64/2020-04-03/devel/llvm,,-main.log
Input from gkoehler@, ok kettenis@ deraadt@
|
|
|
|
architecture doesn't implement 64-bit atomic operations. This
implementation is pessimistic and only flags naturally aligned
operations up to and including 32-bit as lock free.
tested by cwen@
ok gkoehler@
|
|
Defer saving the altivec registers until we need to access them (like
how arm defers saving the VFP registers). This prevents a SIGILL on a
G3 cpu when code throws a C++ exception.
ok kettenis@
|
|
It happens not just if the mutex is locked by another thread, but also
if any other threads refer to the mutex (e.g. by waiting for the lock).
ok guenther
|
|
Programs will see the device handled by sndiod (instead of the first
one) and will always get access at least the sndiod master level
control. If present, hardware master input and output volumes are
exposed as well.
feedback from landry and sthen, "do it" deraadt
|
|
OK schwarze@
|
|
Patch from Martin Vahlensieck <academicsolutions dot ch>.
|
|
Patch from Martin Vahlensieck <academicsolutions dot ch>.
|
|
Useless text reported by Martin Vahlensieck (academicsolutions.ch) on tech@.
|
|
Check and print out boolean type properly.
Based on OpenSSL commit ad72d9fdf7709ddb97a58d7d45d755e6e0504b96.
Reduced unneeded parentheses from if condition.
Check return value from i2s_ASN1_INTEGER.
Based on OpenSSL commit 5e3553c2de9a365479324b8ba8b998f0cce3e527.
Added if condition expression and return 0 if NULL is returned.
ok tb@
|
|
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
|
|
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.
ok jsing
|
|
Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.
ok tb@
|
|
Fix proposed by tb@
|
|
ok tb@
|
|
problems as 64-bit models. To resolve the syscall speculation, as a first
step "nop; nop" was added after all occurances of the syscall ("swi 0")
instruction. Then the kernel was changed to jump over the 2 extra instructions.
In this final step, those pair of nops are converted into the speculation-blocking
sequence ("dsb nsh; isb").
Don't try to build through these multiple steps, use a snapshot instead.
Packages matching the new ABI will be out in a while...
ok kettenis
|
|
spotted at https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
|
CBB uses recallocarray() to expand buffers, however was still using
malloc() for the initial buffer, which could result in memory being leaked
in incorrect use cases.
While here also use calloc() to allocate internal structs.
ok inoguchi@ tb@
|
|
This reduces the chance of accidently leaking stack memory.
ok inoguchi@ tb@
|
|
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
|
|
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
|
problems as 64-bit models. For the syscall instruction issue, add nop;nop
after swi 0, in preparation for jumping over a speculation barrier here later.
|
|
problems as 64-bit models. For the syscall instruction issue, add nop;nop
after swi 0, in preparation for jumping over a speculation barrier here later.
ok kettenis
|
|
|
|
ok inoguchi@ tb@
|
|
Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.
ok inoguchi@ tb@
|
|
In the unlikely event that the return value from the read callback is
larger than the number of bytes we asked for, we can end up incrementing
buf->len beyond capacity. Check the return value from the read callback to
prevent this.
ok inoguchi@ tb@
|
|
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
|
|
TLSv1.1 or below, it should check whether the server's random value
contains the magic downgrade protection cookie and in that case abort
the handshake with an illegal parameter alert.
ok inoguchi, jsing
|
|
eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3).
The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that
TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives
a limited additional protection against downgrade attacks beyond what is
already present in the Finished exchange.
The TLSv1.3 part was already implemented in Hobart and can be trivially
modified to do the TLSv1.2 bit as well.
ok inoguchi, jsing
|
|
OpenBSD macppc builds these libs with clang. Their ABI is changing
because of clang -msvr4-struct-return
|
|
Referred to this OpenSSL commit and adopted to the codebase.
b785504a10310cb2872270eb409b70971be5e76e
suggest and ok tb@
|
|
Fix the problem that long unbroken line of base64 text is not decoded.
Referred to this OpenSSL commit and adapted to the codebase.
3cdd1e94b1d71f2ce3002738f9506da91fe2af45
Reported by john.a.passaro <at> gmail.com to the LibreSSL ML.
ok tb@
|
|
|
|
|
|
From jmc@, thanks.
|
