summaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2019-03-31Clean up and simplify the client verify code:Joel Sing
- Be consistent with _len naming. - Use size_t where possible/appropriate. - Group the CBB code. - Use EVP_MAX_MD_SIZE consistently, instead of "magic" values. - Switch GOST to EVP_DigestSign*, making it similar to sigalgs. ok tb@ a while back.
2019-03-31Wrap long lines and apply some style(9).Joel Sing
2019-03-31Use named field initialisers.Joel Sing
2019-03-30Add retguard macros to setjmp/longjmp on amd64. Knocks out some usefulmortimer
gadgets from libc. ok deraadt@, kettenis@
2019-03-29Use correct capitalization of EC_GROUP_get_curve_GF{2m,p}(3).Theo Buehler
2019-03-29Copy categories outside "mask" from "oldloc" to the new locale object.Ingo Schwarze
While POSIX appears to allow the old behaviour of ignoring "oldloc", Ted and Karl convinced me that is a bug in the spec and the Austin group almost certainly intended to require the new behaviour. Anyway, compatibility strongly suggests the new behaviour because most (or maybe even all?) other systems do not ignore "oldloc", and some software appears to depend on the copying from "oldloc" to the new locale. Issue analyzed and reported by Karl Williamson <public at khwilliamson dot com> with support from the Perl 5 community. This final diff is similar to two earlier diffs from Ted, but handles invalid input in a mode robust way. OK tedu@.
2019-03-28Wait until server disconnects before closing the socket. Otherwise,Alexandre Ratchov
last bytes sent may be lost by the server.
2019-03-27Cast nonce bytes to avoid undefined behaviour when left shifting.Joel Sing
Reported by oss-fuzz, really fixes issue #13805. ok beck@ tb@
2019-03-27remove duplicate set key file call. from alf.Ted Unangst
ok jsing
2019-03-27bump to 2.9.1Brent Cook
2019-03-26adjtime(2): set EINVAL if delta overflows 64 bits of microseconds.cheloha
No other (known) BSD-derived adjtime(2) implementation checks for overflow when converting delta into its final denomination of fractional seconds. This is peculiar, as the call originates in 4.3BSD. However, glibc, uclibc, and (to an extent) musl /do/ check the input and set EINVAL if it exceeds a certain bound, so we'll just use the errno that they use to be consistent with extant practice. Prompted by the comment kettenis@ left when we switched to storing the adjustment in an int64_t like ~5 years ago (kern_time.c,v 1.87). Positive feedback from deraadt@, manpage bits ok jmc@, no code complaints from otto@ or tedu@.
2019-03-26Use limits.h instead of sys/limits.h for portability.Joel Sing
From phrocker via github.
2019-03-25fix copy pasto: flag -> atflags; ok deraadt@ jca@ millert@anton
2019-03-25Strip out all of the pkey to sigalg and sigalg to pkey linkages.Joel Sing
These are no longer used now that we defer signature algorithm selection. ok beck@
2019-03-25tls1_process_sigalgs() is no longer needed.Joel Sing
ok beck@
2019-03-25Defer sigalgs selection until the certificate is known.Joel Sing
Previously the signature algorithm was selected when the TLS extension was parsed (or the client received a certificate request), however the actual certificate to be used is not known at this stage. This leads to various problems, including the selection of a signature algorithm that cannot be used with the certificate key size (as found by jeremy@ via ruby regress). Instead, store the signature algorithms list and only select a signature algorithm when we're ready to do signature generation. Joint work with beck@.
2019-03-25Rework ssl_ctx_use_certificate_chain_bio() to use the CERT_PKEY chain.Joel Sing
This means that any additional CA certificates end up on the per certificate chain, rather than the single/shared extra_certs. Also simplify this code and in particular, avoid setting the return value to indicate success until we've actually succeeded. ok beck@ tb@
2019-03-25Remove ssl_get_server_send_cert() which is now unused.Joel Sing
ok beck@ tb@
2019-03-25Rework ssl3_output_cert_chain() to take a CERT_PKEY and consider chains.Joel Sing
We will now include the certificates in the chain in the certificate list, or use the existing extra_certs if present. Failing that we fall back to the automatic chain building if not disabled. This also simplifies the code significantly. ok beck@ tb@
2019-03-25Add a chain member to CERT_PKEY and provide functions for manipulating it.Joel Sing
Note that this is not the full chain, as the leaf certificate currently remains in the x509 member of CERT_PKEY. Unfortunately we've got to contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf certificate while others include it... ok beck@ tb@
2019-03-24BUGS goes last;Jason McIntyre
2019-03-24Document the fact that readlink(2) can bypass restrictions as neededBob Beck
by realpath(3). This will go away post 6.5. ok deraadt@
2019-03-24In the incredibly unbelievable circumstance where _rs_init() fails toTheo de Raadt
allocate pages, don't call abort() because of corefile data leakage concerns, but simply _exit(). The reasoning is _rs_init() will only fail if someone finds a way to apply specific pressure against this failure point, for the purpose of leaking information into a core which they can read. We don't need a corefile in this instance to debug that. So take this "lever" away from whoever in the future wants to do that.
2019-03-24If ssl_cipher_apply_rule() is given a specific cipher suite, match on it.Joel Sing
Otherwise matching a specific cipher is performed by matching against its characteristics, which can result in multiple rather than a single match. Found by bluhm@'s regress tests. ok bluhm@ tb@
2019-03-24Don't allow asn1_parse2 to recurse arbitrarily deep. Constrain to a maxBob Beck
depth of 128 - For oss-fuzz issue 13802 ok jsing@
2019-03-24Cast nonce bytes to avoid undefined behaviour when left shifting.Joel Sing
Reported by oss-fuzz, fixes issue #13805. ok beck@ tb@
2019-03-24do not call assert(), which has a tendency to leave traces of stuff inTheo de Raadt
corefiles. Instead call OPENSSL_assert(), which has recently been trained to do this in a safer (if more awkward to debug) way. discussed with jsing and beck a while back
2019-03-23Add range checks to varios ASN1_INTEGER functions to ensure theBob Beck
sizes used remain a positive integer. Should address issue 13799 from oss-fuzz ok tb@ jsing@
2019-03-23Remove useless secure_path(3) calls.Todd C. Miller
There is no point in checking permissions of files in root-owned directories. If it even was a problem, secure_path(3) suffers from unsolvable TOCTOU issues. OK deraadt@
2019-03-23Separate symbol name and type with a comma for consistency andVisa Hankala
to make clang happier. No binary change with gas.
2019-03-22that "device" is an abstraction to the underlying OS PRNG.Marc Espie
In OpenBSD's case, we know it has optimal entropy properties, so just say so. okay mikeb@, "why not" deraadt@
2016-09-03Import libc++ 3.9.0Patrick Wildt
2019-03-21Reference permissions in the canonical plural.rob
ok jmc@
2019-03-21import EVP_camellia_128_cbc(3) from OpenSSL 1.1.1,Ingo Schwarze
still under a free license, tweaked by me
2019-03-21space before punct;Jason McIntyre
2019-03-21Split EVP_rc4(3) out of EVP_EncryptInit(3) to reduce clutter.Ingo Schwarze
The algorithm is insecure and yet its description would spread over three paragraphs in the cipher list, including remarkable advice like using a 40 bit key length.
2019-03-21Split EVP_des_cbc(3) out of EVP_EncryptInit(3) to reduce clutter:Ingo Schwarze
this moves a large number of functions out of the way that are no longer the latest and greatest. Also mention a few that were missing.
2019-03-21add a handful of missing functionsIngo Schwarze
that are also documented in OpenSSL 1.1.1 (still under a free license)
2019-03-21Bring back EVP_chacha20 list item that was accidentally removedTheo Buehler
in r1.28 when the AES ciphers were split into their own manual.
2019-03-20fix examples (libtls uses its own error reporting mechanism)Marc Espie
okay tb@
2019-03-20escape backslashes;Ingo Schwarze
patch from Peter Piwowarski <peterjpiwowarski at gmail dot com>
2019-03-19Document the flag EVP_CIPHER_CTX_FLAG_WRAP_ALLOW needed for the EVPIngo Schwarze
AES wrap modes, the function EVP_CIPHER_CTX_set_flags(3) needed to set it, and the companion functions EVP_CIPHER_CTX_clear_flags(3) and EVP_CIPHER_CTX_test_flags(3). With help and an OK from tb@.
2019-03-19Avoid an internal 2 byte overread in ssl_sigalgs().Joel Sing
Found by oss-fuzz, fixes issue #13797. ok beck@ tb@
2019-03-19Revert TLS1_get{,_client}_version simplification because DTLS.Joel Sing
2019-03-19update libelf from elftoolchain r3714 to r3717Jonathan Gray
check for overflow correctly after computing a file offset
2019-03-19update libelf from elftoolchain r3669 to r3714Jonathan Gray
includes changes to address problems sunil@ found with fuzzing original diff from and ok sunil@
2019-03-18* note that the handshake must be completed firstIngo Schwarze
* correct the description of "unknown" (the previous are both from OpenSSL 1.1.1, still under a free license) * add a comment saying that TLS1_get_version() and TLS1_get_client_version() are intentionally undocumented (reasons provided by jsing@)
2019-03-18Insert a missing input line break after a .Vt macro;Ingo Schwarze
from Jan Stary <hans at stare dot cz>. Where here, correct one .Vt NULL -> .Dv NULL.
2019-03-18Split EVP_aes_128_cbc(3) out of EVP_EncryptInit(3):Ingo Schwarze
both resulting pages are still long. Mention a number of missing functions. Add some text from the OpenSSL 1.1.1 EVP_aes.pod manual page, which is still under a free license. Add missing HISTORY information. Triggered by tb@ providing EVP_aes_{128,192,256}_wrap(3) in evp.h rev. 1.74.
2019-03-18In ssl.h rev. 1.165, tb@ provided version agnostic DTLS methods.Ingo Schwarze
Document them.