| Age | Commit message (Collapse) | Author |
|---|
|
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
|
|
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.
ok jsing
|
|
Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.
ok tb@
|
|
Fix proposed by tb@
|
|
ok tb@
|
|
problems as 64-bit models. To resolve the syscall speculation, as a first
step "nop; nop" was added after all occurances of the syscall ("swi 0")
instruction. Then the kernel was changed to jump over the 2 extra instructions.
In this final step, those pair of nops are converted into the speculation-blocking
sequence ("dsb nsh; isb").
Don't try to build through these multiple steps, use a snapshot instead.
Packages matching the new ABI will be out in a while...
ok kettenis
|
|
spotted at https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
|
CBB uses recallocarray() to expand buffers, however was still using
malloc() for the initial buffer, which could result in memory being leaked
in incorrect use cases.
While here also use calloc() to allocate internal structs.
ok inoguchi@ tb@
|
|
This reduces the chance of accidently leaking stack memory.
ok inoguchi@ tb@
|
|
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
|
|
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
|
problems as 64-bit models. For the syscall instruction issue, add nop;nop
after swi 0, in preparation for jumping over a speculation barrier here later.
|
|
problems as 64-bit models. For the syscall instruction issue, add nop;nop
after swi 0, in preparation for jumping over a speculation barrier here later.
ok kettenis
|
|
|
|
ok inoguchi@ tb@
|
|
Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.
ok inoguchi@ tb@
|
|
In the unlikely event that the return value from the read callback is
larger than the number of bytes we asked for, we can end up incrementing
buf->len beyond capacity. Check the return value from the read callback to
prevent this.
ok inoguchi@ tb@
|
|
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
|
|
TLSv1.1 or below, it should check whether the server's random value
contains the magic downgrade protection cookie and in that case abort
the handshake with an illegal parameter alert.
ok inoguchi, jsing
|
|
eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3).
The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that
TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives
a limited additional protection against downgrade attacks beyond what is
already present in the Finished exchange.
The TLSv1.3 part was already implemented in Hobart and can be trivially
modified to do the TLSv1.2 bit as well.
ok inoguchi, jsing
|
|
OpenBSD macppc builds these libs with clang. Their ABI is changing
because of clang -msvr4-struct-return
|
|
Referred to this OpenSSL commit and adopted to the codebase.
b785504a10310cb2872270eb409b70971be5e76e
suggest and ok tb@
|
|
Fix the problem that long unbroken line of base64 text is not decoded.
Referred to this OpenSSL commit and adapted to the codebase.
3cdd1e94b1d71f2ce3002738f9506da91fe2af45
Reported by john.a.passaro <at> gmail.com to the LibreSSL ML.
ok tb@
|
|
|
|
|
|
From jmc@, thanks.
|
|
The API exposes controls of modern audio hardware and sndiod software
volume knobs in a uniform way. Hardware knobs are exposed through
sndiod. Multiple programs may use the controls at the same time
without the need to continuously scan the controls.
For now sndiod exposes only its own controls and the master output and
input volumes of the underlying hardware (if any), i.e. those
typically exposed by acpi volume keys.
ok deraadt
|
|
Use a bad_record_mac alert instead.
Found with tlsfuzzer's ChaCha20 test.
ok beck inoguchi jsing
|
|
messages must terminate the connection with a decrypt_error alert, so
replace the use of the deprecated decryption_failed alert accordingly.
ok beck inoguchi jsing
|
|
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
Also consolidate it into the one place, since there is no reason to write
the epoch and sequence out later.
ok inoguchi@ tb@
|
|
comments to their correct places.
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
When empty fragments were added as a countermeasure against chosen
plaintext attacks on CBC, it was done by adding a recursive call to
do_ssl3_write(). This makes the code more complex and difficult to change.
Split the record creation code into a separate ssl3_create_record()
function, which do_ssl3_write() calls. In the case where an empty fragment
is needed, ssl3_create_record() is simply called twice, removing the need
for recursion.
ok inoguchi@ tb@
|
|
ok inoguchi jsing
|
|
a syscall, replace the double nop with a dsb nsh; isb; sequence which
stops the CPU from speculating any further. This fix was suggested
by Anthony Steinhauser.
ok deraadt@
|
|
ok and suggestion jmc@
|
|
There was no limitation for the length of openssl conf value.
This brings possibility of out-of-memory problem as oss-fuzz had detected.
This diff restricts the length of conf value up to 64k.
ok jsing@
|
|
It is currently possible for key_share to be NULL when a TLS client
receives a keyshare extension. However, for this to occur the client has
to be doing TLS 1.2 or earlier, which means that it was invalid for the
server to send the extension. As such, check for NULL and treat it as an
invalid extension.
Found by oss-fuzz (#20741 and #20745).
ok inoguchi@ tb@
|
|
Changed to use local variable to hold malloc address rather than directly
set to S3I(s)->tmp.x25519, and set that private_key pointer to
S3I(s)->tmp.x25519 after all the "goto err;".
Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear().
ok jsing@ tb@
|
|
separate file.
Discussed with beck@ and tb@
|
|
|
|
in many underlying subsystems and device drivers. guenther@ pointed
out this applies to system calls taking a file descriptor as an
argument. deraadt@ warned against attempting to be excessively
precise and against spreading fear, uncertainty, and doubt.
So apply a minimal patch that merely avoids the misleading wording
"will succeed unless", given that the lists aren't really exhaustive,
and simply uses a more usual wording.
Unfortunate wording reported by <David dot Raymond at nmt dot edu>.
|
|
This was replaced by a getlogin() system call which Ingo discovered we
incorrectly list as being 4.2BSD when it was introduced in 4.3BSD Reno.
ok schwarze@
|
|
Starting from "Combined Table of Contents" in Doug McIlroy's
"A Research UNIX Reader" a table of which edition manuals appeared in.
Checked against manuals from bitsavers/TUHS and source from TUHS where
available.
Ingo points out there are cases where something is included but not
documented until a later release.
bcd(6) v6 v7
printf(3) v2 v4
abort(3) v5 v6
system(3) v6 v7
fmod(3) v5 v6
ok schwarze@
|
|
clang / "super new gcc" ism's, in particular ones which are totally
pointless as far as language goes.
Delete them.
|
