| Age | Commit message (Collapse) | Author |
|---|
|
Needed for an upcoming change.
ok tb@
|
|
c99 6.11.5:
"The placement of a storage-class specifier other than at the beginning
of the declaration specifiers in a declaration is an obsolescent
feature."
ok miod@ tb@
|
|
development. "looks ok" miod@ ok sthen@
NB. libfido2 major bump
|
|
c99 6.11.5:
"The placement of a storage-class specifier other than at the beginning
of the declaration specifiers in a declaration is an obsolescent
feature."
ok guenther@
|
|
ok miod@ guenther@
|
|
ASN1_INTEGER_set() fails.
ok jsing
|
|
When an ASN1_INTEGER is created it has NULL data until a value is set -
previously, an ASN1_INTEGER in this state encoded to an ASN.1 INTEGER with
a value of 0, rather than being treated as an error. While code should
really set values, the historical behaviour has not required this.
Found the hard way by sthen@ with acme-client.
ok tb@
|
|
inline use was removed in 1998
|
|
If SSL_do_handshake() is called before SSL_provide_quic_data() has been
called, the QUIC read buffer will not have been initialised. In this case
we want to return TLS13_IO_WANT_POLLIN so that the QUIC stack will provide
handshake data.
|
|
While these will not be used by LibreSSL, they are used by some QUIC
implementations (such as ngtcp2).
ok tb@
|
|
Since llvm 13, there are compiler warnings in libm on amd64 and i386 due
to .weak overriding an earlier .globl. Use ENTRY_NB() instead of ENTRY()
to avoid emitting the .globl.
ok deraadt jca (for amd64)
ok guenther
|
|
mount_mfs(8) no monger mounts "/build" with the following fstab(5) entry:
/dev/sd0b /build mfs rw,noperm,nodev,nosuid,-s=2064348,noauto
as found out by bluhm the hard way.
|
|
If the requested path contained a slash, opendev(3) blindly opened the file
and returned a file descriptor to it.
Check for block or character devices (according to OPENDEV_BLCK) and fail
for other types.
Spotted through installboot(8) which happily opened a stage file as device
when forgetting the device argument:
# installboot -v ./biosboot
Using / as root
installing bootstrap on ./biosboot
using first-stage /usr/mdec/biosboot, second-stage /usr/mdec/boot
installboot: disklabel: ./biosboot: Inappropriate ioctl for device
This makes it fail earlier, as expected:
# installboot -v ./biosboot
installboot: open: ./biosboot: Block device required
The case where opendev(3) is passed a string not containing a slash, i.e.
a supposed DUID, is fine, as diskmap(4) will ensure that only valid device
paths are returned, if the DUID is valid.
Feedback OK millert
|
|
|
|
ok jmatthew
|
|
While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.
ok tb@
|
|
ok tb@
|
|
This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.
It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.
To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.
ok tb@
|
|
ok tb@
|
|
ok tb@
|
|
LibreSSL will not return these values, however software is starting to
check for these as return values from SSL_get_error().
ok tb@
|
|
|
|
|
|
EVP_chacha20_poly1305() is an EVP_CIPHER implementation of the
ChaCha20-Poly1305 AEAD. This is potentially used to provide encryption for
the QUIC transport layer.
Where possible, this should be avoided in favour of the significantly saner
EVP_AEAD interface.
ok tb@
|
|
The length checks for EVP_aead_chacha20_poly1305() seal/open were incorrect
and are no longer necessary (not to mention that the comment failed to
match the code). Remove these since the underlying ChaCha implementation
will now handle the same sized inputs at these functions can.
Issue flagged by and ok tb@
|
|
We can avoid this unnecessary limitation by calling chacha_encrypt_bytes()
multiple times internally. In the case of ChaCha(), the caller still needs
to ensure that the same IV is not used for more than 2^70 bytes.
ok tb@
|
|
This gives us cleaner and safer code, although it is worth noting that we
now generate the encoding even when called with NULL as the output pointer
(and then discard it, returning just the length).
Resolves oss-fuzz #49963.
ok tb@
|
|
In asn1_i2d_ex_primitive(), asn1_ex_i2c() returning -1 is used to indicate
that the object is optional and should be skipped, while -2 is used to
indicate that indefinite length encoding should be used. Any other negative
value was treated as success, resulting in the out pointer being walked
backwards. Avoid this by treating any negative value (aside from -1 and -2)
as a failure, propagating it up the stack.
Additionally, check the return value of the second asn1_ex_i2c() call to
ensure that it matches the value returned by the first call. This makes
sure that the length of the encoded object is correct, plus it detects the
case where a failure occurs during the second call.
Discussed with tb@ (who also flagged the negative value issue).
|
|
|
|
In bio.h r1.54, the signature of BIO_callback_ctrl() was changed from
bio_info_cb to BIO_info_cb. Adjust manual to reflect this change.
At the moment, bio_info_cb and BIO_info_cb are still distinct types with
our BIO_info_cb matching OpenSSL's definition. Historically, bio_info_cb
had a different type, but that leads to issues with casting function
pointers. The ecosystem has moved on to embrace the new type and several
ports confuse the two types because OpenSSL decided to "solve" the issues
with "typedef BIO_info_cb bio_info_cb; /* backward compatibilty */". We
will align with this in the next bump.
ok jsing
|
|
While each attribute must contain at least one extension, it is not
required that a CSR have attributes at all. Instead of signalling an
error by returning NULL if no extensions are found, return an empty
stack of extensions.
Via OpenSSL 1f02ca2d
ok jsing
|
|
|
|
This implements SSL_get_shared_{curve,group}() in a bug-compatible
fashion with OpenSSL.
This is your average OpenSSL-style overloaded parameter API where n >= 0
means "return the n-th shared group's NID" (as if anyone possibly ever
cared about the case n > 0) and n == -1 means "return the number of
shared groups". There is also an undocumented case n == -2 for Suite B
profile support which falls back to n == 0 in case Suite B profile
support is disabled, so n == -2 is the same as n == 0 in LibreSSL.
The API also returns 0 for error, which is indistinguishable from a
count of 0 shared groups but coincides with NID_undef. Contrary to claims
in the documentation, the API doesn't actually return -1 for clients,
rather it returns 0.
Obviously this entire exercise is pretty useless, but since somebody
exposed it because they could and someone else used it because they could
we need to provide it.
ok jsing
|
|
This splits tls1_get_supported_group() into a few helper functions to
be able to count shared groups and to return the n-th shared group since
someone thought it is a great idea to expose that in a single API and
some others thought it is useful to add this info to log noise.
This is all made a bit more complicated thanks to the security level
having its tentacles everywhere and because a user-provided security
callback can influence the list of groups shared by the peers.
ok jsing
|
|
These are wrappers of SSL_ctrl() using the SSL_CTRL_GET_SHARED_GROUP
control. Do not provide SSL_CTRL_GET_SHARED_CURVE since that is only
mentioned in Net::SSLeay docs according to codesearch.debian.net.
ok jsing
|
|
ok jsing
|
|
Refactor ssl_security_supported_group() into a wrapper of a new internal
ssl_security_group() which takes a secop as an argument. This allows
adding ssl_security_shared_group() which will be needed in upcoming
commits.
ok jsing
|
|
Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.
This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.
ok tb@
|
|
OK millert@ deraadt@
|
|
|
|
|
|
If the bgets() callback returns <= 0, we currently rely on the user
provided callback to set readbytes, which isn't ideal. This also
matches what's done in BIO_read() and BIO_write().
ok jsing
|
|
ok jsing
|
|
When ret was introduced in an outer scope in r1.113, this declaration
wasn't garbage collected.
ok jsing
|
|
X509_NAME_print() is documented to print things at a given indentation
level. Unfortunately, this never worked since someone got some logic
wrong. Part of the wrong logic was removed in a dead code removal in
OpenSSL commit 92ada7cc, but the variable l was left behind, which leads
to compiler warnings on some platforms. End its sad life pointlessly
and incorrectly measuring column width and remove it.
ok jsing
|
|
The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes
oss-fuzz #49944
with/ok jsing
|
|
Avoid signed integer overflow by casting an int64_t to uint64_t before
negating. Same fix was applied in a_int.c -r1.44, but was forgotten to
be applied to a_enum.c.
ok jsing
|
|
The version field of an X.509 Certificate is an enum
Version ::= INTEGER { v1(0), v2(1), v3(2) }
Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.
ok jsing
|
|
This is the initial fix combined with a fix for a NULL deref introduced
in the initial fix.
ok millert, help from tj
commit eff308af425b67093bab25f80f1ae950166bece1
Author: Mark Adler <fork@madler.net>
Date: Sat Jul 30 15:51:11 2022 -0700
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d (HEAD -> develop, origin/develop)
Author: Mark Adler <fork@madler.net>
Date: Mon Aug 8 10:50:09 2022 -0700
Fix extra field processing bug that dereferences NULL state->head.
The recent commit to fix a gzip header extra field processing bug
introduced the new bug fixed here.
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
|
|
Both FreeBSD and NetBSD have this behavior. OK deraadt@
|
