Switch LibreSSL to use

[Brent Cook]

This switches libcrypto and libssl to use endian.h over
machine/endian.h, easing some portability contortions. The Austin group
works in mysterious ways, but endian.h also might be a POSIX
standard in the wings, whatever 'Applied' means.
https://www.austingroupbugs.net/view.php?id=162

ok?

diff --git a/src/lib/libcrypto/bn/bn_nist.c b/src/lib/libcrypto/bn/bn_nist.c
index b16584d6b9..4e98adfc8e 100644
--- a/src/lib/libcrypto/bn/bn_nist.c
+++ b/src/lib/libcrypto/bn/bn_nist.c
@@ -56,8 +56,7 @@
  *
  */
 
-#include 
-
+#include 
 #include 
 #include 
 
diff --git a/src/lib/libcrypto/des/cfb_enc.c b/src/lib/libcrypto/des/cfb_enc.c
index 59a3e71862..84a71bf52e 100644
--- a/src/lib/libcrypto/des/cfb_enc.c
+++ b/src/lib/libcrypto/des/cfb_enc.c
@@ -57,7 +57,7 @@
  */
 
 #include "des_locl.h"
-#include 
+#include 
 
 /* The input and output are loaded in multiples of 8 bits.
  * What this means is that if you hame numbits=12 and length=2
diff --git a/src/lib/libcrypto/gost/gost2814789.c 
b/src/lib/libcrypto/gost/gost2814789.c
index f1066f2467..c3d0754339 100644
--- a/src/lib/libcrypto/gost/gost2814789.c
+++ b/src/lib/libcrypto/gost/gost2814789.c
@@ -49,8 +49,7 @@
  * 
  */
 
-#include 
-
+#include 
 #include 
 
 #include 
diff --git a/src/lib/libcrypto/gost/streebog.c 
b/src/lib/libcrypto/gost/streebog.c
index 61bce0e32c..c0b2006cd4 100644
--- a/src/lib/libcrypto/gost/streebog.c
+++ b/src/lib/libcrypto/gost/streebog.c
@@ -49,8 +49,7 @@
  * 
  */
 
-#include 
-
+#include 
 #include 
 #include 
 
diff --git a/src/lib/libcrypto/modes/modes_lcl.h 
b/src/lib/libcrypto/modes/modes_lcl.h
index f8830e4deb..0d2541c49f 100644
--- a/src/lib/libcrypto/modes/modes_lcl.h
+++ b/src/lib/libcrypto/modes/modes_lcl.h
@@ -6,7 +6,7 @@
  * 
  */
 
-#include 
+#include 
 
 #include 
 
diff --git a/src/lib/libcrypto/modes/xts128.c b/src/lib/libcrypto/modes/xts128.c
index 0be23d4ea9..e4a89dc77b 100644
--- a/src/lib/libcrypto/modes/xts128.c
+++ b/src/lib/libcrypto/modes/xts128.c
@@ -48,9 +48,10 @@
  * 
  */
 
-#include 
 #include 
 #include "modes_lcl.h"
+
+#include 
 #include 
 
 #ifndef MODES_DEBUG
diff --git a/src/lib/libcrypto/rc4/rc4_enc.c b/src/lib/libcrypto/rc4/rc4_enc.c
index bd928b58c9..87223140bc 100644
--- a/src/lib/libcrypto/rc4/rc4_enc.c
+++ b/src/lib/libcrypto/rc4/rc4_enc.c
@@ -56,7 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#include 
+#include 
+
 #include 
 #include "rc4_locl.h"
 
diff --git a/src/lib/libcrypto/sha/sha256.c b/src/lib/libcrypto/sha/sha256.c
index 9c05d3b0f8..632ebb9070 100644
--- a/src/lib/libcrypto/sha/sha256.c
+++ b/src/lib/libcrypto/sha/sha256.c
@@ -9,8 +9,7 @@
 
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
 
-#include 
-
+#include 
 #include 
 #include 
 
diff --git a/src/lib/libcrypto/sha/sha512.c b/src/lib/libcrypto/sha/sha512.c
index 6b95cfa72e..3752aa02fe 100644
--- a/src/lib/libcrypto/sha/sha512.c
+++ b/src/lib/libcrypto/sha/sha512.c
@@ -5,8 +5,7 @@
  * 
  */
 
-#include 
-
+#include 
 #include 
 #include 
 
diff --git a/src/lib/libcrypto/sha/sha_locl.h b/src/lib/libcrypto/sha/sha_locl.h
index 46c9a39be2..07d4d2d39a 100644
--- a/src/lib/libcrypto/sha/sha_locl.h
+++ b/src/lib/libcrypto/sha/sha_locl.h
@@ -186,7 +186,7 @@ int SHA1_Init(SHA_CTX *c)
 #endif
 
 #if !defined(SHA1_ASM)
-#include 
+#include 
 static void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, size_t num)
{
const unsigned char *data=p;
diff --git a/src/lib/libcrypto/whrlpool/wp_block.c 
b/src/lib/libcrypto/whrlpool/wp_block.c
index 1e00a01330..1ab8630ecd 100644
--- a/src/lib/libcrypto/whrlpool/wp_block.c
+++ b/src/lib/libcrypto/whrlpool/wp_block.c
@@ -36,9 +36,9 @@
  *
  */
 
+#include 
 #include 
 #include 
-#include 
 
 #include "wp_locl.h"
 
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index f0f393b0fd..98353e7a1a 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -113,8 +113,7 @@
  * [including the GNU Public Licence.]
  */
 
-#include 
-
+#include 
 #include 
 #include 
 

Re: update explicit_bzero test to not assume SIGSTKSZ to be constant

[Brent Cook]

On Fri, Mar 26, 2021 at 1:56 PM Alexander Bluhm  wrote:
>
> On Mon, Mar 22, 2021 at 08:38:23PM -0500, Brent Cook wrote:
> > In the next version of Linux glibc, SIGSTKSZ is defined at runtime if
> > source is built with _GNU_SOURCE. On LibreSSL-portable, this is set to
> > bring in asprintf/vasprintf, which causes the explicit_bzero test to
> > fail to compile since the size of SIGSTKSZ is no longer known at compile
> > time. This adjusts the test to treat SIGSTKSZ as a runtime variable.
> >
> > See http://patches-tcwg.linaro.org/patch/48127/ and
> > https://github.com/libressl-portable/portable/issues/653 for the
> > LibreSSL build failure report on Fedora Rawhide.
> >
> > ok?
>
> OK bluhm@
>
> Could you put a comment there that SIGSTKSZ is not constant in GNU
> libc.  Then someone reading the test knows why we malloc.

Thanks for all of the feedback! I just committed with added comments
and clarifications.

>
> > Index: explicit_bzero.c
> > ===
> > RCS file: /cvs/src/regress/lib/libc/explicit_bzero/explicit_bzero.c,v
> > retrieving revision 1.6
> > diff -u -p -u -p -r1.6 explicit_bzero.c
> > --- explicit_bzero.c  11 Jul 2014 01:10:35 -  1.6
> > +++ explicit_bzero.c  23 Mar 2021 01:32:21 -
> > @@ -18,6 +18,7 @@
> >  #include 
> >  #include 
> >  #include 
> > +#include 
> >  #include 
> >  #include 
> >
> > @@ -36,16 +37,20 @@ enum {
> >   SECRETBYTES = SECRETCOUNT * sizeof(secret)
> >  };
> >
> > -static char altstack[SIGSTKSZ + SECRETBYTES];
> > +static char *altstack;
> > +#define ALTSTACK_SIZE (SIGSTKSZ + SECRETBYTES)
> >
> >  static void
> >  setup_stack(void)
> >  {
> > + altstack = malloc(ALTSTACK_SIZE);
> > +
> >   const stack_t sigstk = {
> >   .ss_sp = altstack,
> > - .ss_size = sizeof(altstack),
> > + .ss_size = ALTSTACK_SIZE
> >   };
> >
> > + ASSERT_NE(NULL, altstack);
> >   ASSERT_EQ(0, sigaltstack(, NULL));
> >  }
> >
> > @@ -129,7 +134,7 @@ test_without_bzero()
> >   char buf[SECRETBYTES];
> >   assert_on_stack();
> >   populate_secret(buf, sizeof(buf));
> > - char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
> > + char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
> >   ASSERT_NE(NULL, res);
> >   return (res);
> >  }
> > @@ -140,7 +145,7 @@ test_with_bzero()
> >   char buf[SECRETBYTES];
> >   assert_on_stack();
> >   populate_secret(buf, sizeof(buf));
> > - char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
> > + char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
> >   ASSERT_NE(NULL, res);
> >   explicit_bzero(buf, sizeof(buf));
> >   return (res);
> > @@ -183,14 +188,14 @@ main()
> >* on the stack.  This sanity checks that call_on_stack() and
> >* populate_secret() work as intended.
> >*/
> > - memset(altstack, 0, sizeof(altstack));
> > + memset(altstack, 0, ALTSTACK_SIZE);
> >   call_on_stack(do_test_without_bzero);
> >
> >   /*
> >* Now test with a call to explicit_bzero() and check that we
> >* *don't* find any instances of the secret data.
> >*/
> > - memset(altstack, 0, sizeof(altstack));
> > + memset(altstack, 0, ALTSTACK_SIZE);
> >   call_on_stack(do_test_with_bzero);
> >
> >   return (0);

update explicit_bzero test to not assume SIGSTKSZ to be constant

[Brent Cook]

In the next version of Linux glibc, SIGSTKSZ is defined at runtime if
source is built with _GNU_SOURCE. On LibreSSL-portable, this is set to
bring in asprintf/vasprintf, which causes the explicit_bzero test to
fail to compile since the size of SIGSTKSZ is no longer known at compile
time. This adjusts the test to treat SIGSTKSZ as a runtime variable.

See http://patches-tcwg.linaro.org/patch/48127/ and
https://github.com/libressl-portable/portable/issues/653 for the
LibreSSL build failure report on Fedora Rawhide.

ok?

Index: explicit_bzero.c
===
RCS file: /cvs/src/regress/lib/libc/explicit_bzero/explicit_bzero.c,v
retrieving revision 1.6
diff -u -p -u -p -r1.6 explicit_bzero.c
--- explicit_bzero.c11 Jul 2014 01:10:35 -  1.6
+++ explicit_bzero.c23 Mar 2021 01:32:21 -
@@ -18,6 +18,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 
@@ -36,16 +37,20 @@ enum {
SECRETBYTES = SECRETCOUNT * sizeof(secret)
 };
 
-static char altstack[SIGSTKSZ + SECRETBYTES];
+static char *altstack;
+#define ALTSTACK_SIZE (SIGSTKSZ + SECRETBYTES)
 
 static void
 setup_stack(void)
 {
+   altstack = malloc(ALTSTACK_SIZE);
+
const stack_t sigstk = {
.ss_sp = altstack,
-   .ss_size = sizeof(altstack),
+   .ss_size = ALTSTACK_SIZE
};
 
+   ASSERT_NE(NULL, altstack);
ASSERT_EQ(0, sigaltstack(, NULL));
 }
 
@@ -129,7 +134,7 @@ test_without_bzero()
char buf[SECRETBYTES];
assert_on_stack();
populate_secret(buf, sizeof(buf));
-   char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
+   char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
ASSERT_NE(NULL, res);
return (res);
 }
@@ -140,7 +145,7 @@ test_with_bzero()
char buf[SECRETBYTES];
assert_on_stack();
populate_secret(buf, sizeof(buf));
-   char *res = memmem(altstack, sizeof(altstack), buf, sizeof(buf));
+   char *res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
ASSERT_NE(NULL, res);
explicit_bzero(buf, sizeof(buf));
return (res);
@@ -183,14 +188,14 @@ main()
 * on the stack.  This sanity checks that call_on_stack() and
 * populate_secret() work as intended.
 */
-   memset(altstack, 0, sizeof(altstack));
+   memset(altstack, 0, ALTSTACK_SIZE);
call_on_stack(do_test_without_bzero);
 
/*
 * Now test with a call to explicit_bzero() and check that we
 * *don't* find any instances of the secret data.
 */
-   memset(altstack, 0, sizeof(altstack));
+   memset(altstack, 0, ALTSTACK_SIZE);
call_on_stack(do_test_with_bzero);
 
return (0);

Update Windows getentropy implementation

[Brent Cook]

This updates the getentropy implementation for Windows to use the newer
"Cryptography Next Generation APIs", replacing CryptGenRandom, which
already has been removed from applications built for the Windows Store.

Tested with libressl-portable, it passes all regression tests. Details
of the API are in the comment link below. Noted by Stephan Vedder
(feliwir on github) and others.

Any objections to gettin this in?

diff --git a/src/lib/libcrypto/arc4random/getentropy_win.c 
b/src/lib/libcrypto/arc4random/getentropy_win.c
index 2abeb27bc..0a014f3b0 100644
--- a/src/lib/libcrypto/arc4random/getentropy_win.c
+++ b/src/lib/libcrypto/arc4random/getentropy_win.c
@@ -21,39 +21,30 @@
  */
 
 #include 
+#include 
 #include 
 #include 
 #include 
-#include 
-#include 
 
 intgetentropy(void *buf, size_t len);
 
 /*
- * On Windows, CryptGenRandom is supposed to be a well-seeded
- * cryptographically strong random number generator.
+ * On Windows, BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG is supposed
+ * to be a well-seeded, cryptographically strong random number generator.
+ * 
https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom
  */
 int
 getentropy(void *buf, size_t len)
 {
-   HCRYPTPROV provider;
-
if (len > 256) {
errno = EIO;
return (-1);
}
 
-   if (CryptAcquireContext(, NULL, NULL, PROV_RSA_FULL,
-   CRYPT_VERIFYCONTEXT) == 0)
-   goto fail;
-   if (CryptGenRandom(provider, len, buf) == 0) {
-   CryptReleaseContext(provider, 0);
-   goto fail;
+   if (FAILED(BCryptGenRandom(NULL, buf, len, 
BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
+   errno = EIO;
+   return (-1);
}
-   CryptReleaseContext(provider, 0);
+
return (0);
-
-fail:
-   errno = EIO;
-   return (-1);
 }

Re: bgpd: fix last few common symbols

[Brent Cook]

ok bcook@

On Thu, Nov 5, 2020 at 6:16 AM Claudio Jeker  wrote:
>
> Since newer compilers default to -fno-common fix bgpd to not depend on
> common symbols. The last few ones can just be converted to static symbols
> since these are only used in the RDE or SE main code.
> With the previous diffs and this one I can compile bgpd and bgpctl with
> -fno-common.
>
> OK?
> --
> :wq Claudio
>
> ? obj
> Index: rde.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.505
> diff -u -p -r1.505 rde.c
> --- rde.c   5 Nov 2020 11:52:59 -   1.505
> +++ rde.c   5 Nov 2020 12:05:59 -
> @@ -98,12 +98,13 @@ static void  network_flush_upcall(struct
>  voidrde_shutdown(void);
>  int ovs_match(struct prefix *, u_int32_t);
>
> +static struct imsgbuf  *ibuf_se;
> +static struct imsgbuf  *ibuf_se_ctl;
> +static struct imsgbuf  *ibuf_main;
> +static struct bgpd_config  *conf, *nconf;
> +
>  volatile sig_atomic_t   rde_quit = 0;
> -struct bgpd_config *conf, *nconf;
>  struct filter_head *out_rules, *out_rules_tmp;
> -struct imsgbuf *ibuf_se;
> -struct imsgbuf *ibuf_se_ctl;
> -struct imsgbuf *ibuf_main;
>  struct rde_memstats rdemem;
>  int softreconfig;
>
> Index: session.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
> retrieving revision 1.404
> diff -u -p -r1.404 session.c
> --- session.c   5 Nov 2020 11:52:59 -   1.404
> +++ session.c   5 Nov 2020 12:05:59 -
> @@ -100,15 +100,16 @@ void   session_template_clone(struct pee
> u_int32_t, u_int32_t);
>  int session_match_mask(struct peer *, struct bgpd_addr *);
>
> -struct bgpd_config *conf, *nconf;
> +static struct bgpd_config  *conf, *nconf;
> +static struct imsgbuf  *ibuf_rde;
> +static struct imsgbuf  *ibuf_rde_ctl;
> +static struct imsgbuf  *ibuf_main;
> +
>  struct bgpd_sysdep  sysdep;
>  volatile sig_atomic_t   session_quit;
>  int pending_reconf;
>  int csock = -1, rcsock = -1;
>  u_int   peer_cnt;
> -struct imsgbuf *ibuf_rde;
> -struct imsgbuf *ibuf_rde_ctl;
> -struct imsgbuf *ibuf_main;
>
>  struct mrt_head mrthead;
>  time_t  pauseaccept;
>

Re: zero tmpkeyiv in openssl enc

[Brent Cook]

Sure, looks fine in this micro context so maybe someone copying code from
here as an example will do better. Though note that wider-scoped key/iv
still contain the key material after EVP_CipherInit_ex and so on.

Doesn't appear we've sprinkled many explicit_bzero's into openssl(1) in
general given its short lifetime for most operations. I'm not sure how
paranoid we need to be in this context, but I'll apply this.

On Tue, Jul 23, 2019 at 3:54 PM Steven Roberts  wrote:

> Hi,
>
> This patch for openssl enc will zero out tmpkeyiv which contains key
> information.
>
> Thanks.
>
> Index: enc.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/enc.c,v
> retrieving revision 1.21
> diff -u -p -u -r1.21 enc.c
> --- enc.c   14 Jul 2019 03:30:45 -  1.21
> +++ enc.c   22 Jul 2019 16:53:20 -
> @@ -633,6 +633,8 @@ enc_main(int argc, char **argv)
> /* split and move data back to global
> buffer */
> memcpy(key, tmpkeyiv, iklen);
> memcpy(iv, tmpkeyiv+iklen, ivlen);
> +   /* zero the tmpkeyiv buffer */
> +   explicit_bzero(tmpkeyiv, sizeof(tmpkeyiv));
> } else {
> EVP_BytesToKey(enc_config.cipher, dgst,
> sptr,
> (unsigned char *)enc_config.keystr,
>
>

OCSP Stapling with Nginx in LibreSSL 2.9.x

[Brent Cook]

Hi,

I haven’t looked deeply into this, but there was a reported issue with OCSP 
stapling with Nginx between the LibreSSL portable releases 2.9.0 and 2.9.1 
(which would have been between December 15th, 2018 and April 21st, 2019)

Reposting here for visibility:

https://github.com/libressl-portable/portable/issues/532#issuecomment-501828392 


- Brent

Re: dd conv=fsync

[Brent Cook]

On Thu, Feb 14, 2019 at 4:21 PM Ted Unangst  wrote:

> Alexander Bluhm wrote:
> > GNU dd has the conv=fsync feature which does an fsync(2) after final
> > write to output.  I find this useful for write performance measurement
> > through the file system without buffer cache optimization.  Others
> > may like the reliable storage guarantee of fsync(2).
> >
> > Do we want dd conv=fsync in OpenBSD?
>
> What does gnu dd do if the output is stdout? Is it an error?
>

> With this patch, I get dd: fsync stdout: Invalid argument
>

gnu dd prints something similar to stderr, and returns exit code 1.

dd: fsync failed for 'standard output': Invalid argument
3+1 records in
3+1 records out
1784 bytes (1.8 kB, 1.7 KiB) copied, 9.4827e-05 s, 18.8 MB/s



> after the transfer is complete. Should there be an fstat check to make sure
> it's a regular file?
>
> > +.It Cm fsync
> > +Write output to permanent storage device before finishing.
>
> I know this wording is similar to fsync(2), but I think I'd prefer just a
> reference. The output may not be permanent storage. What about
>
> Call
> .Xr fsync 2
> on the output file before exiting.
>
>
>

Re: Fix length checks in AES_{un,}wrap_key()

[Brent Cook]

This makes sense, ok bcook@

On Wed, Oct 17, 2018 at 6:28 PM Theo Buehler  wrote:

> The spec, https://tools.ietf.org/html/rfc3394, section 2, states that
> we need at least two 64 bit blocks for wrapping and, accordingly, three
> 64 bit blocks for unwrapping. That is: we need at least 16 bytes for
> wrapping and 24 bytes for unwrapping.
>
> This also matches the lower bounds that OpenSSL have in their
> CRYPTO_128_{un,}wrap() functions.
>
> In fact, if we pass an input with 'inlen < 8' to AES_unwrap_key(),
> this results in a segfault since then inlen -= 8 underflows.
>
> Found while playing with the Wycheproof keywrap test vectors.
>
> Index: aes/aes_wrap.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/aes/aes_wrap.c,v
> retrieving revision 1.10
> diff -u -p -r1.10 aes_wrap.c
> --- aes/aes_wrap.c  10 Sep 2015 15:56:24 -  1.10
> +++ aes/aes_wrap.c  17 Oct 2018 23:12:19 -
> @@ -66,7 +66,8 @@ AES_wrap_key(AES_KEY *key, const unsigne
>  {
> unsigned char *A, B[16], *R;
> unsigned int i, j, t;
> -   if ((inlen & 0x7) || (inlen < 8))
> +
> +   if ((inlen & 0x7) || (inlen < 16))
> return -1;
> A = B;
> t = 1;
> @@ -100,11 +101,10 @@ AES_unwrap_key(AES_KEY *key, const unsig
>  {
> unsigned char *A, B[16], *R;
> unsigned int i, j, t;
> -   inlen -= 8;
> -   if (inlen & 0x7)
> -   return -1;
> -   if (inlen < 8)
> +
> +   if ((inlen & 0x7) || (inlen < 24))
> return -1;
> +   inlen -= 8;
> A = B;
> t = 6 * (inlen >> 3);
> memcpy(A, in, 8);
>

Re: Change CMakeLists.txt in LibreSSL to use target_include_directores

[Brent Cook]

You're correct, ​include/compat is intended to ​be private. We will need to
make some tweaks here.

On Mon, Jun 4, 2018 at 5:36 PM, Cameron Palmer  wrote:

> Question about the PUBLIC status of the ../include/compat headers in
> CMakeLists.txt.
>
> I wrote the target_include_directories calls to include ../include/compat
> in each of the targets and marked them PUBLIC, but I’m wondering if that
> will cause conflicts with system headers like time.h and if they should be
> marked PRIVATE.
>
> With them marked PUBLIC and including ssl or crypto one must add a
> compiler define like -D HAVE_CLOCK_GETTIME in the linking project to avoid
> a conflict.
>
> > On 29 May 2018, at 12:48, Brent Cook  wrote:
> >
> > On Thu, May 24, 2018 at 10:10:58AM +, Cameron Palmer wrote:
> >> It is beneficial for projects that depend on LibreSSL libraries and are
> built with CMake to use target_link_libraries and automatically receive the
> PUBLIC or INTERFACE headers without needing to specify include_directories.
> This patch changes the project to use target_include_directories and header
> scoping.
> >>
> >
> > Makes sense. I made some minor fixes and committed to master.
>
>

Re: add const to the return value of BIO_s_file()

[Brent Cook]

ok bcook@

On Mon, May 28, 2018 at 3:23 PM, Theo Buehler  wrote:

> This is the first trivial part of the last batch of diffs catching up
> with OpenSSL's const additions.
>
> As usual, sthen kindly ran the whole diff through a ports bulk build.
>
> Only this small change caused some fallout, namely devel/ptlib.
> Of course, I'll commit a fix for the port at the same time as this diff.
>
> Index: lib/libcrypto/bio/bio.h
> ===
> RCS file: /var/cvs/src/lib/libcrypto/bio/bio.h,v
> retrieving revision 1.43
> diff -u -p -r1.43 bio.h
> --- lib/libcrypto/bio/bio.h 12 May 2018 18:51:59 -  1.43
> +++ lib/libcrypto/bio/bio.h 28 May 2018 20:07:41 -
> @@ -597,7 +597,7 @@ BIO_asn1_get_suffix(BIO *b, asn1_ps_func
>  asn1_ps_func **psuffix_free);
>
>  int BIO_get_new_index(void);
> -BIO_METHOD *BIO_s_file(void );
> +const BIO_METHOD *BIO_s_file(void);
>  BIO *BIO_new_file(const char *filename, const char *mode);
>  BIO *BIO_new_fp(FILE *stream, int close_flag);
>  # define BIO_s_file_internal   BIO_s_file
> Index: lib/libcrypto/bio/bss_file.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/bio/bss_file.c,v
> retrieving revision 1.32
> diff -u -p -r1.32 bss_file.c
> --- lib/libcrypto/bio/bss_file.c29 Jan 2017 17:49:22 -
> 1.32
> +++ lib/libcrypto/bio/bss_file.c28 May 2018 20:07:41 -
> @@ -98,7 +98,7 @@ static long file_ctrl(BIO *h, int cmd, l
>  static int file_new(BIO *h);
>  static int file_free(BIO *data);
>
> -static BIO_METHOD methods_filep = {
> +static const BIO_METHOD methods_filep = {
> .type = BIO_TYPE_FILE,
> .name = "FILE pointer",
> .bwrite = file_write,
> @@ -148,7 +148,7 @@ BIO_new_fp(FILE *stream, int close_flag)
> return (ret);
>  }
>
> -BIO_METHOD *
> +const BIO_METHOD *
>  BIO_s_file(void)
>  {
> return (_filep);
>

Re: Libressl question

[Brent Cook]

On Mon, Feb 12, 2018 at 09:27:16AM -0600, ed...@pettijohn-web.com wrote:
> Has there been any discussion of packaging libtls separately from libressl 
> for portable use? With my limited skills I was able to write a program to 
> talk to smtpd and starttls using nothing but the manuals. I seriously doubt I 
> could have done so with the gnu tls library. This really shows how well it is 
> written as far as the code involved, but also the quality of the manuals. I 
> only had one hickup and if I can think of a way to word it better I'll send a 
> patch for that manual.
>
> Thanks,
>
> Edgar

Hi Edgar,

  I had a working version a couple of years ago against OpenSSL. There
  were a few challenges even with a closely-related library:

1. libtls can and does reply on LibreSSL-specific features in the
   core library, e.g. for privilege separation. These would either
   need to be ported into OpenSSL or a compatibility interface
   provided in addition to the libtls interface.

2. Which version of the OpenSSL API / ABI to support? Now that
   OpenSSL is incompatible between 1.1 and 1.0, even more
   workarounds may be needed.

3. The libtls API is usually defined in terms of the LibreSSL
   version it ships with, and changed somewhat quickly.
   Would libtls-standalone be shipped as part of the target library?
   How would we sync API / ABI changes between them.

You could probably port libtls to have a gnutls backend, though you may
have to implement more lower-level changes in gnutls as well to support
some of the features. The longer-term support, release, and
fragmentation issues also remain.

Re: Change CMakeLists.txt in LibreSSL to use target_include_directores

[Brent Cook]

On Thu, May 24, 2018 at 10:10:58AM +, Cameron Palmer wrote:
> It is beneficial for projects that depend on LibreSSL libraries and are built 
> with CMake to use target_link_libraries and automatically receive the PUBLIC 
> or INTERFACE headers without needing to specify include_directories. This 
> patch changes the project to use target_include_directories and header 
> scoping.
>

Makes sense. I made some minor fixes and committed to master.

Re: EVP_PKEY_asn1_{new,copy}(): pointless zeroing + a tiny bug

[Brent Cook]

ok bcook@

On Wed, May 23, 2018 at 2:11 AM, Theo Buehler  wrote:

> Very minor polishing, really:
>
> Since we converted EVP_PKEY_asn1_new() to using calloc(), there's no
> need to set the structure to zero manually with an odd spelling of NULL.
> Besides, the list of zeroed members is incomplete: it misses sig_print.
>
> Copy-pasting this list is likely the reason why EVP_PKEY_asn1_copy()
> forgets to copy that member. Luckily, this copy function is rarely used
> and the omitted callback is only used once (in X509_signature_print()).
>
> Index: lib/libcrypto/asn1/ameth_lib.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/asn1/ameth_lib.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 ameth_lib.c
> --- lib/libcrypto/asn1/ameth_lib.c  13 May 2018 06:40:55 -
> 1.17
> +++ lib/libcrypto/asn1/ameth_lib.c  23 May 2018 06:42:11 -
> @@ -309,59 +309,26 @@ EVP_PKEY_asn1_new(int id, int flags, con
>  {
> EVP_PKEY_ASN1_METHOD *ameth;
>
> -   ameth = calloc(1, sizeof(EVP_PKEY_ASN1_METHOD));
> -   if (!ameth)
> +   if ((ameth = calloc(1, sizeof(EVP_PKEY_ASN1_METHOD))) == NULL)
> return NULL;
>
> ameth->pkey_id = id;
> ameth->pkey_base_id = id;
> ameth->pkey_flags = flags | ASN1_PKEY_DYNAMIC;
>
> -   if (info) {
> -   ameth->info = strdup(info);
> -   if (!ameth->info)
> +   if (info != NULL) {
> +   if ((ameth->info = strdup(info)) == NULL)
> goto err;
> -   } else
> -   ameth->info = NULL;
> +   }
>
> -   if (pem_str) {
> -   ameth->pem_str = strdup(pem_str);
> -   if (!ameth->pem_str)
> +   if (pem_str != NULL) {
> +   if ((ameth->pem_str = strdup(pem_str)) == NULL)
> goto err;
> -   } else
> -   ameth->pem_str = NULL;
> -
> -   ameth->pub_decode = 0;
> -   ameth->pub_encode = 0;
> -   ameth->pub_cmp = 0;
> -   ameth->pub_print = 0;
> -
> -   ameth->priv_decode = 0;
> -   ameth->priv_encode = 0;
> -   ameth->priv_print = 0;
> -
> -   ameth->old_priv_encode = 0;
> -   ameth->old_priv_decode = 0;
> -
> -   ameth->item_verify = 0;
> -   ameth->item_sign = 0;
> -
> -   ameth->pkey_size = 0;
> -   ameth->pkey_bits = 0;
> -
> -   ameth->param_decode = 0;
> -   ameth->param_encode = 0;
> -   ameth->param_missing = 0;
> -   ameth->param_copy = 0;
> -   ameth->param_cmp = 0;
> -   ameth->param_print = 0;
> -
> -   ameth->pkey_free = 0;
> -   ameth->pkey_ctrl = 0;
> +   }
>
> return ameth;
>
> -err:
> + err:
> EVP_PKEY_asn1_free(ameth);
> return NULL;
>  }
> @@ -390,6 +357,7 @@ EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD
> dst->param_copy = src->param_copy;
> dst->param_cmp = src->param_cmp;
> dst->param_print = src->param_print;
> +   dst->sig_print = src->sig_print;
>
> dst->pkey_free = src->pkey_free;
> dst->pkey_ctrl = src->pkey_ctrl;
>

Re: const for X509_CRL_* functions

[Brent Cook]

ok bcook@

On Fri, May 18, 2018 at 9:13 AM, Theo Buehler  wrote:

> On Fri, May 18, 2018 at 04:03:16PM +0200, Theo Buehler wrote:
> > Simple diff that adds const qualifiers to the X509_CRL *x and
> > ASN1_OBJECT *obj arguments of X509_CRL_get_ext_count(3),
> > X509_CRL_get_ext_by_NID(3), X509_CRL_get_ext_by_OBJ(3),
> > X509_CRL_get_ext_by_critical(3), X509_CRL_get_ext(3),
> > X509_CRL_get_ext_d2i(3).
>
> I forgot to mention two things. First, this continues my working through
> the big diff that was in sthen's bulk last week. Second, please don't
> request whitespace changes here. I've already wasted enough time on
> this.
>
> >
> > Index: lib/libcrypto/x509/x509.h
> > ===
> > RCS file: /var/cvs/src/lib/libcrypto/x509/x509.h,v
> > retrieving revision 1.49
> > diff -u -p -r1.49 x509.h
> > --- lib/libcrypto/x509/x509.h 13 May 2018 10:36:35 -  1.49
> > +++ lib/libcrypto/x509/x509.h 18 May 2018 13:54:54 -
> > @@ -1149,16 +1149,20 @@ void  *   X509_get_ext_d2i(X509 *x, int nid
> >  int  X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
> >   unsigned long
> flags);
> >
> > -int  X509_CRL_get_ext_count(X509_CRL *x);
> > -int  X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int
> lastpos);
> > -int  X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int
> lastpos);
> > -int  X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int
> lastpos);
> > -X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
> > +int  X509_CRL_get_ext_count(const X509_CRL *x);
> > +int  X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid,
> > + int lastpos);
> > +int  X509_CRL_get_ext_by_OBJ(const X509_CRL *x,
> > + const ASN1_OBJECT *obj, int lastpos);
> > +int  X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit,
> > + int lastpos);
> > +X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
> >  X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
> >  int  X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
> > -void *   X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int
> *idx);
> > -int  X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value,
> int crit,
> > - unsigned long
> flags);
> > +void *   X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit,
> > + int *idx);
> > +int  X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value,
> > + int crit, unsigned long flags);
> >
> >  int  X509_REVOKED_get_ext_count(X509_REVOKED *x);
> >  int  X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int
> lastpos);
> > Index: lib/libcrypto/x509/x509_ext.c
> > ===
> > RCS file: /var/cvs/src/lib/libcrypto/x509/x509_ext.c,v
> > retrieving revision 1.9
> > diff -u -p -r1.9 x509_ext.c
> > --- lib/libcrypto/x509/x509_ext.c 10 Feb 2015 08:33:10 -  1.9
> > +++ lib/libcrypto/x509/x509_ext.c 18 May 2018 13:54:54 -
> > @@ -66,31 +66,31 @@
> >  #include 
> >
> >  int
> > -X509_CRL_get_ext_count(X509_CRL *x)
> > +X509_CRL_get_ext_count(const X509_CRL *x)
> >  {
> >   return (X509v3_get_ext_count(x->crl->extensions));
> >  }
> >
> >  int
> > -X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
> > +X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos)
> >  {
> >   return (X509v3_get_ext_by_NID(x->crl->extensions, nid, lastpos));
> >  }
> >
> >  int
> > -X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
> > +X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj, int
> lastpos)
> >  {
> >   return (X509v3_get_ext_by_OBJ(x->crl->extensions, obj, lastpos));
> >  }
> >
> >  int
> > -X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
> > +X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos)
> >  {
> >   return (X509v3_get_ext_by_critical(x->crl->extensions, crit,
> lastpos));
> >  }
> >
> >  X509_EXTENSION *
> > -X509_CRL_get_ext(X509_CRL *x, int loc)
> > +X509_CRL_get_ext(const X509_CRL *x, int loc)
> >  {
> >   return (X509v3_get_ext(x->crl->extensions, loc));
> >  }
> > @@ -102,7 +102,7 @@ X509_CRL_delete_ext(X509_CRL *x, int loc
> >  }
> >
> >  void *
> > -X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
> > +X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx)
> >  {
> >   return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
> >  }
> >
>

Re: some const for libcrypto

[Brent Cook]

Looks good, ok bcook@

On Wed, Apr 25, 2018 at 3:22 AM, Theo Buehler  wrote:

> This is the second, larger part of the diff that was part of sthen's
> i386 bulk and it had no fallout. It adds const like OpenSSL to most of
> the public API exposed in asn1.h and needs some adjustments in internal
> functions. I deliberately left BIO_f_asn1() for later.
>
> Index: lib/libcrypto/asn1/a_bitstr.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/asn1/a_bitstr.c,v
> retrieving revision 1.24
> diff -u -p -r1.24 a_bitstr.c
> --- lib/libcrypto/asn1/a_bitstr.c   29 Jan 2017 17:49:22 -
> 1.24
> +++ lib/libcrypto/asn1/a_bitstr.c   25 Apr 2018 07:39:34 -
> @@ -222,7 +222,7 @@ ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING
>  }
>
>  int
> -ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
> +ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
>  {
> int w, v;
>
> @@ -240,7 +240,8 @@ ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING
>   * 'len' is the length of 'flags'.
>   */
>  int
> -ASN1_BIT_STRING_check(ASN1_BIT_STRING *a, unsigned char *flags, int
> flags_len)
> +ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a, const unsigned char
> *flags,
> +int flags_len)
>  {
> int i, ok;
>
> Index: lib/libcrypto/asn1/a_enum.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/asn1/a_enum.c,v
> retrieving revision 1.18
> diff -u -p -r1.18 a_enum.c
> --- lib/libcrypto/asn1/a_enum.c 29 Jan 2017 17:49:22 -  1.18
> +++ lib/libcrypto/asn1/a_enum.c 25 Apr 2018 07:39:34 -
> @@ -104,7 +104,7 @@ ASN1_ENUMERATED_set(ASN1_ENUMERATED *a,
>  }
>
>  long
> -ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
> +ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a)
>  {
> int neg = 0, i;
> long r = 0;
> @@ -134,7 +134,7 @@ ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
>  }
>
>  ASN1_ENUMERATED *
> -BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
> +BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai)
>  {
> ASN1_ENUMERATED *ret;
> int len, j;
> @@ -177,7 +177,7 @@ err:
>  }
>
>  BIGNUM *
> -ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
> +ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn)
>  {
> BIGNUM *ret;
>
> Index: lib/libcrypto/asn1/a_object.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/asn1/a_object.c,v
> retrieving revision 1.30
> diff -u -p -r1.30 a_object.c
> --- lib/libcrypto/asn1/a_object.c   2 May 2017 03:59:44 -
>  1.30
> +++ lib/libcrypto/asn1/a_object.c   25 Apr 2018 07:39:34 -
> @@ -67,7 +67,7 @@
>  #include 
>
>  int
> -i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
> +i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp)
>  {
> unsigned char *p;
> int objsize;
> @@ -213,13 +213,13 @@ err:
>  }
>
>  int
> -i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
> +i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a)
>  {
> return OBJ_obj2txt(buf, buf_len, a, 0);
>  }
>
>  int
> -i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
> +i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a)
>  {
> char *tmp = NULL;
> size_t tlen = 256;
> Index: lib/libcrypto/asn1/a_strex.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/asn1/a_strex.c,v
> retrieving revision 1.25
> diff -u -p -r1.25 a_strex.c
> --- lib/libcrypto/asn1/a_strex.c7 Feb 2015 13:19:15 -
>  1.25
> +++ lib/libcrypto/asn1/a_strex.c25 Apr 2018 07:39:34 -
> @@ -289,7 +289,7 @@ do_hex_dump(char_io *io_ch, void *arg, u
>   */
>
>  static int
> -do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
> +do_dump(unsigned long lflags, char_io *io_ch, void *arg, const
> ASN1_STRING *str)
>  {
> /* Placing the ASN1_STRING in a temp ASN1_TYPE allows
>  * the DER encoding to readily obtained
> @@ -346,7 +346,8 @@ static const signed char tag2nbyte[] = {
>   */
>
>  static int
> -do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, ASN1_STRING
> *str)
> +do_print_ex(char_io *io_ch, void *arg, unsigned long lflags,
> +const ASN1_STRING *str)
>  {
> int outlen, len;
> int type;
> @@ -605,13 +606,13 @@ X509_NAME_print_ex_fp(FILE *fp, X509_NAM
>  }
>
>  int
> -ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags)
> +ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long
> flags)
>  {
> return do_print_ex(send_bio_chars, out, flags, str);
>  }
>
>  int
> -ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
> +ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long
> flags)
>  {
> return do_print_ex(send_fp_chars, fp, flags, str);
>  }
> Index: lib/libcrypto/asn1/a_time_tm.c
> 

Re: sprinkle some const over libssl

[Brent Cook]

Nice to see the "const unsigned char *p = d;" hackery going away. ok bcook@

On Tue, Apr 24, 2018 at 2:50 PM, Theo Buehler  wrote:

> OpenSSL started adding const to functions all over the place. The patch
> below makes all our libssl functions match theirs wrt const, except for
> BIO_f_ssl(3). I plan to do this one in a later step as a reacharound
> into libcrypto would about double the size of the diff.
>
> This diff was put through an i386 bulk build by sthen (thanks!) and only
> had minimal fallout which I'll deal with when committing this diff.
>
> Index: lib/libssl/ssl.h
> ===
> RCS file: /var/cvs/src/lib/libssl/ssl.h,v
> retrieving revision 1.155
> diff -u -p -r1.155 ssl.h
> --- lib/libssl/ssl.h11 Apr 2018 17:47:36 -  1.155
> +++ lib/libssl/ssl.h20 Apr 2018 14:25:04 -
> @@ -727,10 +727,10 @@ void SSL_CTX_sess_set_remove_cb(SSL_CTX
>  void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx,
>  SSL_SESSION *sess);
>  void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
> -SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char
> *data,
> -int len, int *copy));
> +SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
> +const unsigned char *data, int len, int *copy));
>  SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
> -unsigned char *Data, int len, int *copy);
> +const unsigned char *Data, int len, int *copy);
>  void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,
>  int type, int val));
>  void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type,
> @@ -746,7 +746,7 @@ void SSL_CTX_set_cookie_generate_cb(SSL_
>  int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
>  unsigned int *cookie_len));
>  void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
> -int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie,
> +int (*app_verify_cookie_cb)(SSL *ssl, const unsigned char *cookie,
>  unsigned int cookie_len));
>  void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, int (*cb)(SSL
> *ssl,
>  const unsigned char **out, unsigned int *outlen, void *arg), void
> *arg);
> @@ -1247,7 +1247,7 @@ const SSL_CIPHER *SSL_get_current_cipher
>  const SSL_CIPHER *SSL_CIPHER_get_by_id(unsigned int id);
>  const SSL_CIPHER *SSL_CIPHER_get_by_value(uint16_t value);
>  intSSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
> -char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
> +const char *   SSL_CIPHER_get_version(const SSL_CIPHER *c);
>  const char *   SSL_CIPHER_get_name(const SSL_CIPHER *c);
>  unsigned long  SSL_CIPHER_get_id(const SSL_CIPHER *c);
>  uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c);
> @@ -1279,7 +1279,7 @@ void  SSL_set_verify(SSL *s, int mode,
> int (*callback)(int ok, X509_STORE_CTX *ctx));
>  void   SSL_set_verify_depth(SSL *s, int depth);
>  intSSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
> -intSSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
> +intSSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long
> len);
>  intSSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
>  intSSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d,
> long len);
>  intSSL_use_certificate(SSL *ssl, X509 *x);
> @@ -1457,12 +1457,12 @@ long SSL_get_default_timeout(const SSL *
>  int SSL_library_init(void );
>
>  char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf, int size);
> -STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
> +STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk);
>
>  SSL *SSL_dup(SSL *ssl);
>
>  X509 *SSL_get_certificate(const SSL *ssl);
> -/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
> +/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(const SSL *ssl);
>
>  void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
>  int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
> Index: lib/libssl/ssl_cert.c
> ===
> RCS file: /var/cvs/src/lib/libssl/ssl_cert.c,v
> retrieving revision 1.66
> diff -u -p -r1.66 ssl_cert.c
> --- lib/libssl/ssl_cert.c   12 Aug 2017 02:55:22 -  1.66
> +++ lib/libssl/ssl_cert.c   20 Apr 2018 14:25:04 -
> @@ -454,7 +454,7 @@ set_client_CA_list(STACK_OF(X509_NAME) *
>  }
>
>  STACK_OF(X509_NAME) *
> -SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
> +SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk)
>  {
> int i;
> STACK_OF(X509_NAME) *ret;
> Index: lib/libssl/ssl_ciph.c
> ===
> RCS file: /var/cvs/src/lib/libssl/ssl_ciph.c,v
> retrieving revision 1.98
> diff -u -p -r1.98 ssl_ciph.c
> --- lib/libssl/ssl_ciph.c   17 Mar 2018 14:40:45 -  1.98
> +++ lib/libssl/ssl_ciph.c   20 Apr 2018 14:25:04 -
> @@ -1674,7 +1674,7 @@ SSL_CIPHER_description(const 

Re: make X509_CRL_METHOD_free() NULL-safe

[Brent Cook]

OK bcook@

On Mon, Apr 23, 2018 at 3:27 AM, Theo Buehler  wrote:

> This is a practically unused function (both in our tree and globally),
> but it is the only remaining public *_free() function in libcrypto that
> segfaults on being passed NULL. I'll of course add it to the regress
> tests should this go in.
>
> Index: lib/libcrypto/asn1/x_crl.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/asn1/x_crl.c,v
> retrieving revision 1.30
> diff -u -p -r1.30 x_crl.c
> --- lib/libcrypto/asn1/x_crl.c  17 Mar 2018 14:33:20 -  1.30
> +++ lib/libcrypto/asn1/x_crl.c  22 Apr 2018 12:12:14 -
> @@ -675,7 +675,7 @@ X509_CRL_METHOD_new(int (*crl_init)(X509
>  void
>  X509_CRL_METHOD_free(X509_CRL_METHOD *m)
>  {
> -   if (!(m->flags & X509_CRL_METHOD_DYNAMIC))
> +   if (m == NULL || !(m->flags & X509_CRL_METHOD_DYNAMIC))
> return;
> free(m);
>  }
>

Re: plug memory leak in ASN1_item_digest

[Brent Cook]

ok bcook@

On Thu, Apr 5, 2018 at 12:06 PM, Theo Buehler  wrote:

> If EVP_Digest() fails, str is leaked.
>
> This is part of the combo-diff 83b4049ab75e9da1815e9c854a9297bca3d4af6b
> some more of which may also apply to us, but I'm still disentangling it.
> See also https://github.com/openssl/openssl/issues/2111
>
> Index: lib/libcrypto/asn1/a_digest.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/asn1/a_digest.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 a_digest.c
> --- lib/libcrypto/asn1/a_digest.c   11 Jul 2014 08:44:47 -
> 1.15
> +++ lib/libcrypto/asn1/a_digest.c   5 Apr 2018 16:46:22 -
> @@ -77,8 +77,11 @@ ASN1_item_digest(const ASN1_ITEM *it, co
> if (!str)
> return (0);
>
> -   if (!EVP_Digest(str, i, md, len, type, NULL))
> -   return 0;
> +   if (!EVP_Digest(str, i, md, len, type, NULL)) {
> +   free(str);
> +   return (0);
> +   }
> +
> free(str);
> return (1);
>  }
>
>

Re: openssl s_time, speed: use monotime for absolute interval measurement

[Brent Cook]

Thanks guys. This will make enabling this on the odder platforms in
portable easier.

On Fri, Nov 24, 2017 at 7:03 AM, Scott Cheloha 
wrote:

> > On Nov 24, 2017, at 6:58 AM, Jeremie Courreges-Anglas 
> wrote:
> >
> > On Wed, Nov 22 2017, Scott Cheloha  wrote:
> >> Whoops, ignore that last patch, it lacked the
> >> static changes in apps_posix.c
> >
> > This looks good to me.  I'm tempted to commit the apps_posix.c part
> > first: it seems to me that app_tminterval() could be reused in s_time.c,
> > leading to simpler code instead of inlining clock_gettime calls.
>
> I intend to refactor that module next.  One thing I was going to
> do was abstract away the timer interface, so that works.
>
> --
> Scott Cheloha
>
>

Re: libressl: crash in DES_fcrypt

[Brent Cook]

Thank you Jan. This is a good thing to fix, but I had a hard time envisioning a 
security issue with it. Will see about backporting it though.

Regards
 - Brent

> On Oct 26, 2017, at 6:50 PM, Jan Engelhardt  wrote:
> 
> 
> libressl-2.6.2 is susceptible to an out-of-bounds read:
> 
> #include 
> int main(void) {
>char salt[3] = {0xf8, 0xd0, 0x00};
>char out[32];
>DES_fcrypt("foo", salt, out);
> }
> 
> Place in libressl's fcrypt.c:
>x=ret[0]=((salt[0] == '\0')?'A':salt[0]);
>Eswap0=con_salt[x]<<2;  // boom
> 
> ASM:  => 0x777a6fa8 <+56>:movzbl (%rcx,%rdx,1),%ebp
>   rcx = con_salt
>   rdx = 0xfff8
> 
> 
> Because salt[0] is -8, x will be 0xfff8 due to
> type promotion and conversion. con_salt[0xfff8]
> is then evaluted, which bombs out.
> 
> openssl 1.1.x has it fixed (but 1.0.2l does not!) - their commit
> seems to be 6493e4801e9edbe1ad1e256d4ce9cd55c8aa2242 in
> https://github.com/openssl/openssl .
> 

[libcrypto] Don't build empty ecp_nistp* objects

[Brent Cook]

OPENSSL_NO_EC_NISTP_64_GCC_128 has been defined in opensslfeatures.h for a
long time, which effectively means that ecp_nistp* are all empty files. So,
there is no reason to build them in the first place. OK?

Index: Makefile
===
RCS file: /cvs/src/lib/libcrypto/Makefile,v
retrieving revision 1.20
diff -u -p -u -p -r1.20 Makefile
--- Makefile10 Jul 2017 21:30:37 -  1.20
+++ Makefile17 Jul 2017 11:21:23 -
@@ -126,7 +126,6 @@ SRCS+= dso_openssl.c
 SRCS+= ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c
 SRCS+= ec_err.c ec_curve.c ec_check.c ec_print.c ec_asn1.c ec_key.c
 SRCS+= ec2_smpl.c ec2_mult.c ec_ameth.c ec_pmeth.c eck_prn.c
-SRCS+= ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c
 SRCS+= ecp_oct.c ec2_oct.c ec_oct.c

 # ecdh/

OpenNTPD 6.1p1, 6.2p1 released

[Brent Cook]

We have made two new portable OpenNTPD releases today. These should be
arriving soon in the OpenNTPD directory of an OpenBSD mirror near you.

OpenNTPD 6.1p1 represents the version shipped with OpenBSD 6.1. It
provides a number of new features and reliability improvements.

OpenNTPD 6.2p1 is the first development snapshot from what will become
OpenBSD 6.2.

Changes since OpenNTPD 6.0p1


* Quieted warnings about constraint connection retries.

* Implemented fork+exec for ntpd child processes.

* Added imsg inter-process reliability fixes.

* Fixed memory leaks and reduced heap memory usage.

* Numerous logging improvements and additions.

* Added macOS 10.12 getentropy support.

* Fixed arc4random blacklist use native implementations where
  possible.

Changes since OpenNTPD 6.1p1


* Added option "query from " to ntpd.conf, to specify a local IP
  address for outgoing NTP queries.

The libtls library, as shipped with LibreSSL 2.5.0 or later, is
required to use the HTTPS constraint feature, though it is not
required to use OpenNTPD.

OpenNTPD 6.1p1, 6.2p1 released

[Brent Cook]

announce at openbsd.org
 Thu, 13 Jul 2017 10:41:48 -0500

Re: libcrypto: fix assembly for clang

[Brent Cook]

On Wed, Jan 4, 2017 at 5:12 AM, Mark Kettenis 
wrote:

> > Date: Wed, 4 Jan 2017 11:04:43 +0100
> > From: Patrick Wildt 
> >
> > On Tue, Jan 03, 2017 at 02:16:25PM -0500, Ted Unangst wrote:
> > > Patrick Wildt wrote:
> > > >
> > > > Maybe they want to support older binutils that do not support the
> unified syntax?
> > > > What's our policy there?
> > >
> > > OpenBSD is just about the oldest binutils around. I wouldn't worry
> about
> > > anything older than what we have in base.
> >
> > Considering that, I'm going to ask for OKs then.
> >
> > ok?
>
> ok kettenis@, but lets give the LibreSSL people a chance to raise any
> portability concerns as they might have a better idea about LibreSSL
> portable deployment on ARM.
>
> ​
ok bcook@ - we don't even enable assembly on ARM in portable. Happy if
someone wants to help change that.

Re: [s...@spacehopper.org: Re: cert.pem: Re-add mistakenly removed GlobalSign R2]

[Brent Cook]

Looks good to me, ok bcook@

On Sat, Dec 31, 2016 at 2:45 PM, Stuart Henderson 
wrote:

> Since there wasn't much interest in that (which unbreaks e.g.
> https://www.nginx.com),
> here's a longer diff that syncs with Mozilla's release branch for those CA
> organisations
> which we currently carry.
>
> Compared to the in-tree version it adds the following:
>
> +  /C=FR/O=Certplus/CN=Certplus Root CA G1
> +  /C=FR/O=Certplus/CN=Certplus Root CA G2
> +  /C=US/O=Digital Signature Trust/OU=DST ACES/CN=DST ACES CA X6
> +  /OU=GlobalSign ECC Root CA - R4/O=GlobalSign/CN=GlobalSign
> +  /OU=GlobalSign ECC Root CA - R5/O=GlobalSign/CN=GlobalSign
> +  /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
> +  /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification
> Authority/CN=Certum Trusted Network CA
> +  /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification
> Authority/CN=Certum Trusted Network CA 2
>
> And removes these which were removed from Mozilla some time ago, which
> should
> no longer be a problem now that the alt roots diff is committed to
> libressl.
>
> -  /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
> Certification Authority
> -  /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> -  /C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
> -  /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
> -  /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
> CyberTrust Global Root
> -  /C=CH/O=SwissSign AG/CN=SwissSign Platinum CA - G2
> -  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
> cc/OU=Certification Services Division/CN=Thawte Premium Server
> CA/emailAddress=premium-ser...@thawte.com
> -  /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
> cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=
> server-ce...@thawte.com
> -  /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2
> Policy Validation Authority/CN=http://www.valicert.com//emailAddress=
> i...@valicert.com
> -  /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use
> only/OU=VeriSign Trust Network
> -  /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 4 Public Primary
> Certification Authority - G3
>
> Full diff below - as mentioned previously there is a bunch of churn because
> this is generated with the newer format-pem.pl script which prints and
> sorts
> based on the full certificate subject, rather than a pretty-printed
> version,
> fixing the problem reported by Steven McDonald.
>
> Since this is on ramdisks I will also note that the newer one is smaller.
>
> $ acvs up -p cert.pem | wc
> 36347922  191908
> $ wc cert.pem
> 35347861  190452 cert.pem
>
> OK?
>
> (StartCom is still in there for now, but we should also consider what to do
> about that.)
>
> Index: cert.pem
> ===
> RCS file: /cvs/src/lib/libcrypto/cert.pem,v
> retrieving revision 1.13
> diff -u -p -r1.13 cert.pem
> --- cert.pem4 Sep 2016 11:58:15 -   1.13
> +++ cert.pem31 Dec 2016 20:41:20 -
> @@ -2,55 +2,7 @@
>
>  ### AddTrust AB
>
> -=== AddTrust Class 1 CA Root
> -Certificate:
> -Data:
> -Version: 3 (0x2)
> -Serial Number: 1 (0x1)
> -Signature Algorithm: sha1WithRSAEncryption
> -Validity
> -Not Before: May 30 10:38:31 2000 GMT
> -Not After : May 30 10:38:31 2020 GMT
> -Subject: C=SE, O=AddTrust AB, OU=AddTrust TTP Network,
> CN=AddTrust Class 1 CA Root
> -X509v3 extensions:
> -X509v3 Subject Key Identifier:
> -95:B1:B4:F0:94:B6:BD:C7:DA:D1:
> 11:09:21:BE:C1:AF:49:FD:10:7B
> -X509v3 Key Usage:
> -Certificate Sign, CRL Sign
> -X509v3 Basic Constraints: critical
> -CA:TRUE
> -X509v3 Authority Key Identifier:
> -keyid:95:B1:B4:F0:94:B6:BD:C7:
> DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B
> -DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP
> Network/CN=AddTrust Class 1 CA Root
> -serial:01
> -
> -SHA1 Fingerprint=CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:
> 24:E3:94:9D
> -SHA256 Fingerprint=8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:
> 01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7
> --BEGIN CERTIFICATE-
> -MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU
> -MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3
> -b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw
> -MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML
> -QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD
> -VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA
> 

Re: ntpd(8): use stack instead of heap

[Brent Cook]

OK bcook@

On Fri, Dec 2, 2016 at 10:29 AM, Rafael Zalamena 
wrote:

> On Sat, Oct 01, 2016 at 07:05:51PM +0200, Rafael Zalamena wrote:
> > The ntpd(8) constraint fork+exec diff changed the way the constraint
> > processes are created, but then it introduced new calloc()s to avoid
> > increasing diff size and to focus on the problem. Now that the fork+exec
> > is in, this diff make those variables to become a part of the stack.
> >
> > No functional changes, just changing variables storage location.
> >
> > ok?
>
> Ping.
>
> Updated diff to apply on the latest ntpd sources.
>
> ok?
>
> Index: usr.sbin/ntpd//constraint.c
> ===
> RCS file: /home/obsdcvs/src/usr.sbin/ntpd/constraint.c,v
> retrieving revision 1.34
> diff -u -p -r1.34 constraint.c
> --- usr.sbin/ntpd//constraint.c 18 Oct 2016 22:05:47 -  1.34
> +++ usr.sbin/ntpd//constraint.c 2 Dec 2016 16:27:15 -
> @@ -321,8 +321,8 @@ priv_constraint_readquery(struct constra
>  void
>  priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
>  {
> -   struct constraint   *cstr;
> -   struct ntp_addr_msg *am;
> +   struct constraintcstr;
> +   struct ntp_addr_msg  am;
> uint8_t *data;
> static char  addr[NI_MAXHOST];
> struct timeval   rectv, xmttv;
> @@ -336,10 +336,6 @@ priv_constraint_child(const char *pw_dir
> if (setpriority(PRIO_PROCESS, 0, 0) == -1)
> log_warn("could not set priority");
>
> -   if ((cstr = calloc(1, sizeof(*cstr))) == NULL ||
> -   (am = calloc(1, sizeof(*am))) == NULL)
> -   fatal("%s: calloc", __func__);
> -
> /* Init TLS and load CA certs before chroot() */
> if (tls_init() == -1)
> fatalx("tls_init");
> @@ -368,9 +364,9 @@ priv_constraint_child(const char *pw_dir
> if (pledge("stdio inet", NULL) == -1)
> fatal("pledge");
>
> -   cstr->fd = CONSTRAINT_PASSFD;
> -   imsg_init(>ibuf, cstr->fd);
> -   priv_constraint_readquery(cstr, am, );
> +   cstr.fd = CONSTRAINT_PASSFD;
> +   imsg_init(, cstr.fd);
> +   priv_constraint_readquery(, , );
>
> /*
>  * Get the IP address as name and set the process title
> accordingly.
> @@ -378,8 +374,8 @@ priv_constraint_child(const char *pw_dir
>  * any DNS operation, so it is safe to be called without the dns
>  * pledge.
>  */
> -   if (getnameinfo((struct sockaddr *)>addr->ss,
> -   SA_LEN((struct sockaddr *)>addr->ss),
> +   if (getnameinfo((struct sockaddr *)>ss,
> +   SA_LEN((struct sockaddr *)>ss),
> addr, sizeof(addr), NULL, 0,
> NI_NUMERICHOST) != 0)
> fatalx("%s getnameinfo", __func__);
> @@ -398,21 +394,21 @@ priv_constraint_child(const char *pw_dir
> fatal("%s fcntl F_SETFD", __func__);
>
> /* Get remaining data from imsg in the unpriv child */
> -   if (am->namelen) {
> -   if ((cstr->addr_head.name =
> -   get_string(data, am->namelen)) == NULL)
> +   if (am.namelen) {
> +   if ((cstr.addr_head.name =
> +   get_string(data, am.namelen)) == NULL)
> fatalx("invalid IMSG_CONSTRAINT_QUERY name");
> -   data += am->namelen;
> +   data += am.namelen;
> }
> -   if (am->pathlen) {
> -   if ((cstr->addr_head.path =
> -   get_string(data, am->pathlen)) == NULL)
> +   if (am.pathlen) {
> +   if ((cstr.addr_head.path =
> +   get_string(data, am.pathlen)) == NULL)
> fatalx("invalid IMSG_CONSTRAINT_QUERY path");
> }
>
> /* Run! */
> if ((ctx = httpsdate_query(addr,
> -   CONSTRAINT_PORT, cstr->addr_head.name, cstr->addr_head.path,
> +   CONSTRAINT_PORT, cstr.addr_head.name, cstr.addr_head.path,
> conf->ca, conf->ca_len, , )) == NULL) {
> /* Abort with failure but without warning */
> exit(1);
> @@ -422,10 +418,10 @@ priv_constraint_child(const char *pw_dir
> iov[0].iov_len = sizeof(rectv);
> iov[1].iov_base = 
> iov[1].iov_len = sizeof(xmttv);
> -   imsg_composev(>ibuf,
> +   imsg_composev(,
> IMSG_CONSTRAINT_RESULT, 0, 0, -1, iov, 2);
> do {
> -   rv = imsg_flush(>ibuf);
> +   rv = imsg_flush();
> } while (rv == -1 && errno == EAGAIN);
>
> /* Tear down the TLS connection after sending the result */
>
>

Re: libcrypto: get rid of I386_ONLY

[Brent Cook]

OK bcook@, looks fine for portable too.

> On Nov 4, 2016, at 11:02 AM, Tom Cosgrove 
>  wrote:
> 
 Miod Vallat 4-Nov-16 08:53 >>>
>> 
>> I386_ONLY was used to prefer a different assembler sequence in the
>> sha512 code, which would be faster on 80386 processors, but slower on
>> 80486 and above.
>> 
>> This code path has never been enabled, and there are actually no plans
>> to make libcrypto friendlier to genuine 80386 chips, so why bother
>> keeping this - it's only contributing to obfuscation.
> 
> ... not to mention that OpenBSD hasn't supported the 386 for a long time now
> 
> ok tom@
> 
>> Index: cryptlib.c
>> ===
>> RCS file: /cvs/src/lib/libcrypto/cryptlib.c,v
>> retrieving revision 1.37
>> diff -u -p -r1.37 cryptlib.c
>> --- cryptlib.c   13 Sep 2015 16:56:11 -  1.37
>> +++ cryptlib.c   4 Nov 2016 08:49:22 -
>> @@ -635,7 +635,7 @@ OPENSSL_cpu_caps(void)
>>  return *(uint64_t *)OPENSSL_ia32cap_P;
>> }
>> 
>> -#if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && 
>> !defined(I386_ONLY)
>> +#if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM)
>> #define OPENSSL_CPUID_SETUP
>> typedef unsigned long long IA32CAP;
>> void
>> Index: md32_common.h
>> ===
>> RCS file: /cvs/src/lib/libcrypto/md32_common.h,v
>> retrieving revision 1.21
>> diff -u -p -r1.21 md32_common.h
>> --- md32_common.h4 Sep 2016 14:31:29 -   1.21
>> +++ md32_common.h4 Nov 2016 08:49:22 -
>> @@ -152,8 +152,8 @@ static inline uint32_t ROTATE(uint32_t a
>> #if defined(DATA_ORDER_IS_BIG_ENDIAN)
>> 
>> #if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && 
>> !defined(OPENSSL_NO_INLINE_ASM)
>> -# if ((defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)) || \
>> -  (defined(__x86_64) || defined(__x86_64__))
>> +# if (defined(__i386) || defined(__i386__) || \
>> +  defined(__x86_64) || defined(__x86_64__))
>> /*
>>  * This gives ~30-40% performance improvement in SHA-256 compiled
>>  * with gcc [on P4]. Well, first macro to be frank. We can pull
>> Index: arch/alpha/opensslconf.h
>> ===
>> RCS file: /cvs/src/lib/libcrypto/arch/alpha/opensslconf.h,v
>> retrieving revision 1.7
>> diff -u -p -r1.7 opensslconf.h
>> --- arch/alpha/opensslconf.h 19 Jun 2015 06:05:11 -  1.7
>> +++ arch/alpha/opensslconf.h 4 Nov 2016 08:49:22 -
>> @@ -1,9 +1,6 @@
>> #include 
>> /* crypto/opensslconf.h.in */
>> 
>> -/* Generate 80386 code? */
>> -#undef I386_ONLY
>> -
>> #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
>> #define OPENSSLDIR "/etc/ssl"
>> #endif
>> Index: arch/amd64/opensslconf.h
>> ===
>> RCS file: /cvs/src/lib/libcrypto/arch/amd64/opensslconf.h,v
>> retrieving revision 1.9
>> diff -u -p -r1.9 opensslconf.h
>> --- arch/amd64/opensslconf.h 19 Jun 2015 06:05:11 -  1.9
>> +++ arch/amd64/opensslconf.h 4 Nov 2016 08:49:22 -
>> @@ -1,9 +1,6 @@
>> #include 
>> /* crypto/opensslconf.h.in */
>> 
>> -/* Generate 80386 code? */
>> -#undef I386_ONLY
>> -
>> #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
>> #define OPENSSLDIR "/etc/ssl"
>> #endif
>> Index: arch/arm/opensslconf.h
>> ===
>> RCS file: /cvs/src/lib/libcrypto/arch/arm/opensslconf.h,v
>> retrieving revision 1.7
>> diff -u -p -r1.7 opensslconf.h
>> --- arch/arm/opensslconf.h   19 Jun 2015 06:05:11 -  1.7
>> +++ arch/arm/opensslconf.h   4 Nov 2016 08:49:22 -
>> @@ -1,9 +1,6 @@
>> #include 
>> /* crypto/opensslconf.h.in */
>> 
>> -/* Generate 80386 code? */
>> -#undef I386_ONLY
>> -
>> #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
>> #define OPENSSLDIR "/etc/ssl"
>> #endif
>> Index: arch/hppa/opensslconf.h
>> ===
>> RCS file: /cvs/src/lib/libcrypto/arch/hppa/opensslconf.h,v
>> retrieving revision 1.7
>> diff -u -p -r1.7 opensslconf.h
>> --- arch/hppa/opensslconf.h  19 Jun 2015 06:05:11 -  1.7
>> +++ arch/hppa/opensslconf.h  4 Nov 2016 08:49:22 -
>> @@ -1,9 +1,6 @@
>> #include 
>> /* crypto/opensslconf.h.in */
>> 
>> -/* Generate 80386 code? */
>> -#undef I386_ONLY
>> -
>> #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
>> #define OPENSSLDIR "/etc/ssl"
>> #endif
>> Index: arch/i386/opensslconf.h
>> ===
>> RCS file: /cvs/src/lib/libcrypto/arch/i386/opensslconf.h,v
>> retrieving revision 1.7
>> diff -u -p -r1.7 opensslconf.h
>> --- arch/i386/opensslconf.h  19 Jun 2015 06:05:11 -  1.7
>> +++ arch/i386/opensslconf.h  4 Nov 2016 08:49:22 -
>> @@ -1,9 +1,6 @@
>> #include 
>> /* crypto/opensslconf.h.in */
>> 
>> -/* Generate 80386 code? */
>> 

Re: Explicitly cast the return variable in tls_load_file()

[Brent Cook]

On Sat, Oct 1, 2016 at 7:12 PM, Ted Unangst  wrote:

> Kinichiro Inoguchi wrote:
> > I would like to cast the return variable explicitly in tls_load_file().
> > This fix also avoiding Intel C++ compiler "assertion failed" described
> here.
> > https://github.com/libressl-portable/portable/issues/209#
> issuecomment-249587024
>
> This is a compiler bug? The code doesn't change, and there's no bug in the
> library that I see.
>

​If the compiler is implying that the code is incorrect, it has a funny way
of saying it. This looks not-dissimilar to a gcc ICE:

​
 1>C:\libressl-2.5.0\tls\tls_util.c(157): error : assertion failed:
construct_message: not all fill-ins used (shared/cfe/edgcpfe/error.c, line
3586)
1>

​Why not just make the variable type match the return type to begin with?

​--- a/src/lib/libtls/tls_util.c
+++ b/src/lib/libtls/tls_util.c
@@ -105,7 +105,8 @@ tls_load_file(const char *name, size_t *len, char
*password)
FILE *fp;
EVP_PKEY *key = NULL;
BIO *bio = NULL;
-   char *data, *buf = NULL;
+   char *data;
+   uint8_t *buf = NULL;
struct stat st;
size_t size;
int fd = -1;

Re: EVP_CipherFinal_ex for snmpd

[Brent Cook]

ok

On Sun, Oct 2, 2016 at 12:34 AM, David Gwynne  wrote:

> this gets rid of a linker warning.
>
> the impression i get is that EVP_CipherFinal_ex explicitely does
> not do cleanup of the cipher context thing, while EVP_CipherFinal
> could if it wanted to.
>
> ok?
>
> Index: usm.c
> ===
> RCS file: /cvs/src/usr.sbin/snmpd/usm.c,v
> retrieving revision 1.9
> diff -u -p -r1.9 usm.c
> --- usm.c   16 Jan 2015 00:05:13 -  1.9
> +++ usm.c   2 Oct 2016 05:32:03 -
> @@ -605,7 +605,7 @@ usm_crypt(struct snmp_message *msg, u_ch
> EVP_CIPHER_CTX_set_padding(, 0);
>
> if (EVP_CipherUpdate(, outbuf, , inbuf, inlen) &&
> -   EVP_CipherFinal(, outbuf + len, ))
> +   EVP_CipherFinal_ex(, outbuf + len, ))
> rv = len + len2;
> else
> rv = -1;
>
>

Re: LibreSSL selects weak digest for (EC)DH

[Brent Cook]

Looks fine to me. Shall I commit it?

On Thu, Sep 15, 2016 at 2:32 AM, Kinichiro Inoguchi <
kinichiro.inogu...@gmail.com> wrote:

> Sorry, I attached wrong patch file.
> I re-post the patch file again.
>
> On Thu, Sep 15, 2016 at 04:10:55PM +0900, Kinichiro Inoguchi wrote:
> > Hi,
> >
> > I would like to fix this SNI issue.
> >
> > reported by @davidben
> > https://github.com/libressl-portable/openbsd/issues/69
> >
> > #3560: OpenSSL selects weak digest for (EC)DH
> > https://rt.openssl.org/Ticket/Display.html?id=3560
> >
> > original OpenSSL commit is here.
> > https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=
> 4e05aedbcab7f7f83a887e952ebdcc5d4f2291e4
> >
> > I will add a patch for this.
> > ok ?
>

Re: [PATCH] Callback-based interface to libtls

[Brent Cook]

On Wed, Sep 14, 2016 at 6:41 AM, Tobias Pape <tob...@netshed.de> wrote:

> Hi
>
> On 14.09.2016, at 13:37, Brent Cook <bust...@gmail.com> wrote:
>
> >
> > ​Once the expectations of the callbacks are finalized, this needs a good
> explanation in the manual.​
>
>
> Ok, how would I do that best?
> I admit to have amended the man page by sheer copy-and-paste-of-very-small-
> bits™,
> so what would you suggest me to write?
>
> Other than that, thanks for applying the patch.
>
> Best regards
> -Tobias


​Generally, what are the expectations of a callback, what should it return
and when.

A good example section and/or regression test would go a long way.​ We've
used nc(1) to test a lot of the other libtls features so far. There also
are some libtls golang bindings in tree under regress, though I'm not sure
how up-to-date they are.

Re: [PATCH] Callback-based interface to libtls

[Brent Cook]

​Thanks!​

On Wed, Sep 14, 2016 at 4:48 AM,  wrote:

> Hi again,
>
> On 07.09.2016, at 18:08, tob...@netshed.de wrote:
> [..]
> >> On 05.09.2016, at 15:50, bust...@gmail.com wrote:
> >>
> >>> Hey, the typedef came in handy :) Ok bcook@
> >>>
> >>> On Sep 5, 2016, at 11:52 AM, Bob Beck  wrote:
> >>>
>  I am in agreement in principle, but please coordinate with bcook@
> and/or jsing@ who were possibly doing
>  some related adjustments.
> 
> 
> >>
> >> I have a minor adjustment: it should be able to instruct POLLIN/POLLOUT
> via the callbacks.
> >> I added this, see the diff.
> >
> > Aaand: a fix for the FLUSH BIO cntl, that happens at the end of SSL
> handshakes…
>
> Next fix: put the callback on the right context for tls_accept.
>
> Updated diff at the end.
>
> Best regards
> -Tobias
>
> diff --git src/lib/libtls/tls_bio_cb.c src/lib/libtls/tls_bio_cb.c
> index c4220df..e52f43c 100644
> --- src/lib/libtls/tls_bio_cb.c
> +++ src/lib/libtls/tls_bio_cb.c
> @@ -154,6 +154,7 @@ ctrl_cb(BIO *b, int cmd, long num, void *ptr)
> b->shutdown = (int)num;
> break;
> case BIO_CTRL_DUP:
> +   case BIO_CTRL_FLUSH:
> break;
> case BIO_CTRL_INFO:
> case BIO_CTRL_GET:
> @@ -169,14 +170,32 @@ static int
>  tls_bio_write_cb(BIO *h, const char *buf, int num, void *cb_arg)
>  {
> struct tls *ctx = cb_arg;
> -   return (ctx->write_cb)(ctx, buf, num, ctx->cb_arg);
> +   BIO_clear_retry_flags(h);
> +   int rv = (ctx->write_cb)(ctx, buf, num, ctx->cb_arg);
> +   if (rv == TLS_WANT_POLLIN) {
> +   BIO_set_retry_read(h);
> +   rv = -1;
> +   } else if (rv == TLS_WANT_POLLOUT) {
> +   BIO_set_retry_write(h);
> +   rv = -1;
> +   }
> +   return (rv);
>  }
>
>  static int
>  tls_bio_read_cb(BIO *h, char *buf, int size, void *cb_arg)
>  {
> struct tls *ctx = cb_arg;
> -   return (ctx->read_cb)(ctx, buf, size, ctx->cb_arg);
> +   BIO_clear_retry_flags(h);
> +   int rv = (ctx->read_cb)(ctx, buf, size, ctx->cb_arg);
> +   if (rv == TLS_WANT_POLLIN) {
> +   BIO_set_retry_read(h);
> +   rv = -1;
> +   } else if (rv == TLS_WANT_POLLOUT) {
> +   BIO_set_retry_write(h);
> +   rv = -1;
> +   }
> +   return (rv);
>  }
>

​Once the expectations of the callbacks are finalized, this needs a good
explanation in the manual.​


>  static BIO *
> diff --git src/lib/libtls/tls_server.c src/lib/libtls/tls_server.c
> index 09a83ca..ea37700 100644
> --- src/lib/libtls/tls_server.c
> +++ src/lib/libtls/tls_server.c
> @@ -346,12 +346,13 @@ int
>  tls_accept_cbs(struct tls *ctx, struct tls **cctx,
>  tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg)
>  {
> -   struct tls *conn_ctx;
> +   struct tls *conn_ctx = NULL;
> +
>
> if ((conn_ctx = tls_accept_common(ctx)) == NULL)
> goto err;
>
> -   if (tls_set_cbs(ctx, read_cb, write_cb, cb_arg) != 0) {
> +   if (tls_set_cbs(conn_ctx, read_cb, write_cb, cb_arg) != 0) {
> tls_set_errorx(ctx, "callback registration failure");
> goto err;
> }
>
>
​Oops. I took out the extra NULL assignment, but otherwise looks good,
applied.

Re: [PATCH] Callback-based interface to libtls

[Brent Cook]

On Sun, Sep 04, 2016 at 05:57:54AM -0400, Ted Unangst wrote:
> Brent Cook wrote:
> > @@ -246,14 +252,18 @@ An already existing socket can be upgrad
> >  .Fn tls_connect_socket .
> >  Alternatively, a secure connection can be established over a pair of 
> > existing
> >  file descriptors by calling
> > -.Fn tls_connect_fds .
> > +.Fn tls_connect_fds . Using
> > +.Fn tls_connect_cbs , read and write callbacks can be specified to handle 
> > the
> > +actual data transfer.
>
> I think we need just a wee bit more documentation. payload is not the clearest
> name. It sounds like connection data. I think cookie? Or cbarg? Is it
> necessary to pass the tls context to the callback? I think that's unusual.
>
> read callback should be more like:
>
>   ssize_t (*read_cb)(void *buf, size_t buflen, void *cbarg);

Agreed, I was also a bit unclear on payload at first (though it grew on
me over time, so I didn't change it). Here's an update with the
parameter renamed and better documented.

ok?

Index: Makefile
===
RCS file: /cvs/src/lib/libtls/Makefile,v
retrieving revision 1.23
diff -u -p -u -p -r1.23 Makefile
--- Makefile30 Mar 2016 06:38:43 -  1.23
+++ Makefile4 Sep 2016 10:23:42 -
@@ -13,6 +13,7 @@ LDADD+= -L${BSDOBJDIR}/lib/libssl/ssl -l
 HDRS=  tls.h

 SRCS=  tls.c \
+   tls_bio_cb.c \
tls_client.c \
tls_config.c \
tls_conninfo.c \
Index: shlib_version
===
RCS file: /cvs/src/lib/libtls/shlib_version,v
retrieving revision 1.20
diff -u -p -u -p -r1.20 shlib_version
--- shlib_version   31 Aug 2016 23:05:30 -  1.20
+++ shlib_version   4 Sep 2016 10:23:42 -
@@ -1,2 +1,2 @@
 major=11
-minor=3
+minor=4
Index: tls.c
===
RCS file: /cvs/src/lib/libtls/tls.c,v
retrieving revision 1.48
diff -u -p -u -p -r1.48 tls.c
--- tls.c   22 Aug 2016 17:12:35 -  1.48
+++ tls.c   4 Sep 2016 10:23:42 -
@@ -424,6 +424,10 @@ tls_reset(struct tls *ctx)
tls_sni_ctx_free(sni);
}
ctx->sni_ctx = NULL;
+
+   ctx->read_cb = NULL;
+   ctx->write_cb = NULL;
+   ctx->cb_arg = NULL;
 }

 int
Index: tls.h
===
RCS file: /cvs/src/lib/libtls/tls.h,v
retrieving revision 1.35
diff -u -p -u -p -r1.35 tls.h
--- tls.h   22 Aug 2016 14:58:26 -  1.35
+++ tls.h   4 Sep 2016 10:23:42 -
@@ -44,6 +44,11 @@ extern "C" {
 struct tls;
 struct tls_config;

+typedef ssize_t (*tls_read_cb)(void *_ctx, void *_buf, size_t _buflen,
+void *_cb_arg);
+typedef ssize_t (*tls_write_cb)(void *_ctx, const void *_buf,
+size_t _buflen, void *_cb_arg);
+
 int tls_init(void);

 const char *tls_config_error(struct tls_config *_config);
@@ -102,12 +107,16 @@ void tls_free(struct tls *_ctx);
 int tls_accept_fds(struct tls *_ctx, struct tls **_cctx, int _fd_read,
 int _fd_write);
 int tls_accept_socket(struct tls *_ctx, struct tls **_cctx, int _socket);
+int tls_accept_cbs(struct tls *_ctx, struct tls **_cctx,
+tls_read_cb _read_cb, tls_write_cb _write_cb, void *_cb_arg);
 int tls_connect(struct tls *_ctx, const char *_host, const char *_port);
 int tls_connect_fds(struct tls *_ctx, int _fd_read, int _fd_write,
 const char *_servername);
 int tls_connect_servername(struct tls *_ctx, const char *_host,
 const char *_port, const char *_servername);
 int tls_connect_socket(struct tls *_ctx, int _s, const char *_servername);
+int tls_connect_cbs(struct tls *_ctx, tls_read_cb _read_cb,
+tls_write_cb _write_cb, void *_cb_arg, const char *_servername);
 int tls_handshake(struct tls *_ctx);
 ssize_t tls_read(struct tls *_ctx, void *_buf, size_t _buflen);
 ssize_t tls_write(struct tls *_ctx, const void *_buf, size_t _buflen);
Index: tls_bio_cb.c
===
RCS file: tls_bio_cb.c
diff -N tls_bio_cb.c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ tls_bio_cb.c4 Sep 2016 10:23:42 -
@@ -0,0 +1,224 @@
+/* $ID$ */
+/*
+ * Copyright (c) 2016 Tobias Pape <tob...@netshed.de>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CO

Re: [PATCH] Callback-based interface to libtls

[Brent Cook]

On Sun, Jul 17, 2016 at 01:32:43PM +0200, Tobias Pape wrote:
> Hi all,
>
> I'm Tobias and fond of using libtls.
> I have a certain use case, where I want to do TLS/SSL but
> can only work with buffers/callbacks and not sockets or FDs.
> In p(l)ain openssl, this is doable, but not nice. Libtls
> does not yet have such a facility.
>
> I did a patch (or Pull-Request in GitHub parlance) against
> portable on github, it would be great if it were considered.
> Then I could migrate the SSL facilities of the Squeak
> programming system from openssl to libtls.
>
> Best regards
>   -Tobias

Thanks Tobias,

I took some time rebasing and reworking this a bit. Here are the main
things:

 * renamed and hid the exported private BIO_* functions from
   tls_bio_cb.c, so it does not look like we are creating new functions
   in libssl's BIO_ namespace

 * refactored tls_connect* and tls_accept* to use shared setup, rather
   than copying the internals of tls_*_fds into tls_*_cbs

 * renamed 'cb_read/write' to 'read/write_cb' for consistency with other
   variable naming

 * use the callback function typedefs directly rather than redefining in
   multiple places

Tested with nc, but the callback-specific functionality is only
build-tested. How does this work for your use-cases?

 - Brent

Index: Makefile
===
RCS file: /cvs/src/lib/libtls/Makefile,v
retrieving revision 1.23
diff -u -p -u -p -r1.23 Makefile
--- Makefile30 Mar 2016 06:38:43 -  1.23
+++ Makefile4 Sep 2016 09:38:56 -
@@ -13,6 +13,7 @@ LDADD+= -L${BSDOBJDIR}/lib/libssl/ssl -l
 HDRS=  tls.h

 SRCS=  tls.c \
+   tls_bio_cb.c \
tls_client.c \
tls_config.c \
tls_conninfo.c \
Index: shlib_version
===
RCS file: /cvs/src/lib/libtls/shlib_version,v
retrieving revision 1.20
diff -u -p -u -p -r1.20 shlib_version
--- shlib_version   31 Aug 2016 23:05:30 -  1.20
+++ shlib_version   4 Sep 2016 09:38:56 -
@@ -1,2 +1,2 @@
 major=11
-minor=3
+minor=4
Index: tls.c
===
RCS file: /cvs/src/lib/libtls/tls.c,v
retrieving revision 1.48
diff -u -p -u -p -r1.48 tls.c
--- tls.c   22 Aug 2016 17:12:35 -  1.48
+++ tls.c   4 Sep 2016 09:38:56 -
@@ -424,6 +424,10 @@ tls_reset(struct tls *ctx)
tls_sni_ctx_free(sni);
}
ctx->sni_ctx = NULL;
+
+   ctx->read_cb = NULL;
+   ctx->write_cb = NULL;
+   ctx->cb_payload = NULL;
 }

 int
Index: tls.h
===
RCS file: /cvs/src/lib/libtls/tls.h,v
retrieving revision 1.35
diff -u -p -u -p -r1.35 tls.h
--- tls.h   22 Aug 2016 14:58:26 -  1.35
+++ tls.h   4 Sep 2016 09:38:57 -
@@ -44,6 +44,11 @@ extern "C" {
 struct tls;
 struct tls_config;

+typedef ssize_t (*tls_read_cb)(void *_ctx, void *_buf, size_t _buflen,
+void *_payload);
+typedef ssize_t (*tls_write_cb)(void *_ctx, const void *_buf,
+size_t _buflen, void *_payload);
+
 int tls_init(void);

 const char *tls_config_error(struct tls_config *_config);
@@ -102,12 +107,16 @@ void tls_free(struct tls *_ctx);
 int tls_accept_fds(struct tls *_ctx, struct tls **_cctx, int _fd_read,
 int _fd_write);
 int tls_accept_socket(struct tls *_ctx, struct tls **_cctx, int _socket);
+int tls_accept_cbs(struct tls *_ctx, struct tls **_cctx,
+tls_read_cb _read_cb, tls_write_cb _write_cb, void *_cb_payload);
 int tls_connect(struct tls *_ctx, const char *_host, const char *_port);
 int tls_connect_fds(struct tls *_ctx, int _fd_read, int _fd_write,
 const char *_servername);
 int tls_connect_servername(struct tls *_ctx, const char *_host,
 const char *_port, const char *_servername);
 int tls_connect_socket(struct tls *_ctx, int _s, const char *_servername);
+int tls_connect_cbs(struct tls *_ctx, tls_read_cb _read_cb,
+tls_write_cb _write_cb, void *_cb_payload, const char *_servername);
 int tls_handshake(struct tls *_ctx);
 ssize_t tls_read(struct tls *_ctx, void *_buf, size_t _buflen);
 ssize_t tls_write(struct tls *_ctx, const void *_buf, size_t _buflen);
Index: tls_bio_cb.c
===
RCS file: tls_bio_cb.c
diff -N tls_bio_cb.c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ tls_bio_cb.c4 Sep 2016 09:38:57 -
@@ -0,0 +1,222 @@
+/* $ID$ */
+/*
+ * Copyright (c) 2016 Tobias Pape 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE 

Re: Enable Camellia ciphers with SHA-2 family HMAC

[Brent Cook]

No objection here. Anyone else?

> On Aug 25, 2016, at 8:54 AM, Guenther Niess  wrote:
> 
> Hi,
> 
> is there a reason why the Camellia cipher suits with SHA2 HMAC is not
> supported?
> 
> I added them and tested the result with an Nginx server and the s_client
> command.
> 
> I would like to have a look to support the Camellia GCM based cipher
> suites, but if there is a reason why libressl shouldn't support them, I
> would spend my time with something else.
> 
> Best Regards,
> Guenther
> 
> 
> 
> Index: lib/libssl/src/ssl/s3_lib.c
> ===
> RCS file: /cvs/src/lib/libssl/src/ssl/s3_lib.c,v
> retrieving revision 1.108
> diff -u -p -r1.108 s3_lib.c
> --- lib/libssl/src/ssl/s3_lib.c   28 Apr 2016 16:39:45 -  1.108
> +++ lib/libssl/src/ssl/s3_lib.c   25 Aug 2016 13:45:27 -
> @@ -1805,6 +1805,138 @@ SSL_CIPHER ssl3_ciphers[] = {
>   .strength_bits = 256,
>   .alg_bits = 256,
>   },
> +
> +#ifndef OPENSSL_NO_CAMELLIA
> + /* TLS 1.2 ECDH Camellia based ciphersuites from RFC 6367 */
> +
> + /* Cipher C072 */
> + {
> + .valid = 1,
> + .name = TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
> + .id = TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
> + .algorithm_mkey = SSL_kECDHE,
> + .algorithm_auth = SSL_aECDSA,
> + .algorithm_enc = SSL_CAMELLIA128,
> + .algorithm_mac = SSL_SHA256,
> + .algorithm_ssl = SSL_TLSV1_2,
> + .algo_strength = SSL_HIGH,
> + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
> + .strength_bits = 128,
> + .alg_bits = 128,
> + },
> +
> + /* Cipher C073 */
> + {
> + .valid = 1,
> + .name = TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
> + .id = TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
> + .algorithm_mkey = SSL_kECDHE,
> + .algorithm_auth = SSL_aECDSA,
> + .algorithm_enc = SSL_CAMELLIA256,
> + .algorithm_mac = SSL_SHA384,
> + .algorithm_ssl = SSL_TLSV1_2,
> + .algo_strength = SSL_HIGH,
> + .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
> + .strength_bits = 256,
> + .alg_bits = 256,
> + },
> +
> + /* Cipher C074 */
> + {
> + .valid = 1,
> + .name = TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
> + .id = TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
> + .algorithm_mkey = SSL_kECDHe,
> + .algorithm_auth = SSL_aECDH,
> + .algorithm_enc = SSL_CAMELLIA128,
> + .algorithm_mac = SSL_SHA256,
> + .algorithm_ssl = SSL_TLSV1_2,
> + .algo_strength = SSL_HIGH,
> + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
> + .strength_bits = 128,
> + .alg_bits = 128,
> + },
> +
> + /* Cipher C075 */
> + {
> + .valid = 1,
> + .name = TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
> + .id = TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
> + .algorithm_mkey = SSL_kECDHe,
> + .algorithm_auth = SSL_aECDH,
> + .algorithm_enc = SSL_CAMELLIA256,
> + .algorithm_mac = SSL_SHA384,
> + .algorithm_ssl = SSL_TLSV1_2,
> + .algo_strength = SSL_HIGH,
> + .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
> + .strength_bits = 256,
> + .alg_bits = 256,
> + },
> +
> + /* Cipher C076 */
> + {
> + .valid = 1,
> + .name = TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
> + .id = TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
> + .algorithm_mkey = SSL_kECDHE,
> + .algorithm_auth = SSL_aRSA,
> + .algorithm_enc = SSL_CAMELLIA128,
> + .algorithm_mac = SSL_SHA256,
> + .algorithm_ssl = SSL_TLSV1_2,
> + .algo_strength = SSL_HIGH,
> + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
> + .strength_bits = 128,
> + .alg_bits = 128,
> + },
> +
> + /* Cipher C077 */
> + {
> + .valid = 1,
> + .name = TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
> + .id = TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
> + .algorithm_mkey = SSL_kECDHE,
> + .algorithm_auth = SSL_aRSA,
> + .algorithm_enc = SSL_CAMELLIA256,
> + .algorithm_mac = SSL_SHA384,
> + .algorithm_ssl = SSL_TLSV1_2,
> + .algo_strength = SSL_HIGH,
> + .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
> + .strength_bits = 256,
> + .alg_bits = 256,
> + },
> +
> + /* Cipher 

LibreSSL 2.4.2 and 2.3.7 released

[Brent Cook]

We have released LibreSSL 2.4.2 and 2.3.7, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

LibreSSL 2.4.2 is based on the new OpenBSD 6.0 release branch, and is
now the current stable version. LibreSSL 2.3.7 is based on the previous
OpenBSD 5.9 release, and will be supported for one more release cycle.
LibreSSL 2.2.x support has now ended.

LibreSSL 2.4.2 and 2.3.7 contain the following changes:

* Fixed several issues in the OCSP code that could result in the
  incorrect generation and parsing of OCSP requests. This remediates
  a lack of error checking on time parsing in these functions, and
  ensures that only GENERALIZEDTIME formats are accepted for OCSP,
  as per RFC 6960.

  Issues reported, and fixes provided by Kazuki Yamaguchi 
  and Kinichiro Inoguchi 

LibreSSL 2.4.2 contains additional changes:

* Fixed loading default certificate locations with openssl s_client.

* Improved behavior of arc4random on Windows to not appear to leak
  memory in debug tools, reduced privileges of allocated memory.

* Fixed incorrect results from BN_mod_word() when the modulus is too
  large, thanks to Brian Smith from BoringSSL.

* Correctly handle an EOF prior to completing the TLS handshake in
  libtls.

* Improved libtls ceritificate loading and cipher string validation.

* Updated libtls cipher group suites into four categories:
"secure"   (TLSv1.2+AEAD+PFS)
"compat"   (HIGH:!aNULL)
"legacy"   (HIGH:MEDIUM:!aNULL)
"insecure" (ALL:!aNULL:!eNULL)
  This allows for flexibility and finer grained control, rather than
  having two extremes.

* Limited support for 'backward compatible' SSLv2 handshake packets to
  when TLS 1.0 is enabled, providing more restricted compatibility
  with TLS 1.0 clients.

* openssl(1) and other documentation improvements.

* Removed flags for disabling constant-time operations.
  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
  all of these operations unconditionally constant-time.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

Re: initialize variables patch for bn_nist.c

[Brent Cook]

I didn't notice it at first, because the patch wasn't inline, but the union
here needed to be initialized with memset or use a different kind of
initializer.

I went with the memset on top of your patch:

--- bn_nist.c   17 Jul 2016 21:21:40 -  1.16
+++ bn_nist.c   17 Jul 2016 22:00:45 -
@@ -59,6 +59,7 @@
 #include 

 #include 
+#include 

 #include "bn_lcl.h"

@@ -568,7 +569,8 @@ BN_nist_mod_224(BIGNUM *r, const BIGNUM
BN_ULONG bn[BN_NIST_224_TOP];
unsigned int ui[BN_NIST_224_TOP *
sizeof(BN_ULONG) / sizeof(unsigned int)];
-   } buf = {0};
+   } buf;
+   memset(, 0, sizeof(buf));
BN_ULONG c_d[BN_NIST_224_TOP], *res;
uintptr_t mask;
union {


On Thu, Jul 14, 2016 at 8:39 AM, Bob Beck  wrote:

> I'm ok with this.
>
>
> On Thu, Jul 14, 2016 at 4:57 AM, Kinichiro Inoguchi <
> kinichiro.inogu...@gmail.com> wrote:
>
> > Hi,
> >
> > When I build LibreSSL portable on HP-UX 11.3 with HP C/aC++ compiler,
> > this warning is detected.
> >
> > ...
> > "bn/bn_nist.c", line 611: warning #2549-D: variable "buf" is used before
> > its value is set
> > nist_set_224(buf.bn, c_d, 14, 13, 12, 11, 10, 9, 8);
> > ^
> > ...
> >
> > To initialize these variables before using, I would like to apply the
> > patch.
> > OK ?
> >
> > Here is original topic on GitHub.
> > https://github.com/libressl-portable/openbsd/pull/19
> >
> > Best Regards,
> >
> > kinichiro inoguchi
> >
> >
>

Re: libcrypto: explicitly initialize constant

[Brent Cook]

On Tue, Jul 12, 2016 at 6:41 AM, Miod Vallat  wrote:

> >> Noted by VS2013, const values should be initialized (though I think
> >> the 'static' should also implicitly zero).
> >
> > this sounds like the compiler doesn't know C?
>
> He is talking about Visual Studio. The C part of that piece of shit
> pretending to be a compiler only supports a subset of C89.
>
>
​Well, it's more of a C++ compiler pretending to be a C compiler :)

This is the only const in the LibreSSL tree that's not explicitly
initialized though, right or wrong.​ There are plenty more things it
complains about, if we wanted to mull over the full list. Possibly a few
bits of gold amongst the slag.

libcrypto: explicitly initialize constant

[Brent Cook]

Noted by VS2013, const values should be initialized (though I think
the 'static' should also implicitly zero).

This also removes some unused code that also contained uninitialized
static consts.

ok?

Index: evp/e_chacha20poly1305.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/evp/e_chacha20poly1305.c,v
retrieving revision 1.14
diff -u -p -u -p -r1.14 e_chacha20poly1305.c
--- evp/e_chacha20poly1305.c28 Apr 2016 16:06:53 -  1.14
+++ evp/e_chacha20poly1305.c11 Jul 2016 13:10:31 -
@@ -109,7 +109,7 @@ static void
 poly1305_update_with_pad16(poly1305_state *poly1305,
 const unsigned char *data, size_t data_len)
 {
-   static const unsigned char zero_pad16[16];
+   static const unsigned char zero_pad16[16] = {0};
size_t pad_len;
 
CRYPTO_poly1305_update(poly1305, data, data_len);
Index: objects/obj_dat.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/objects/obj_dat.c,v
retrieving revision 1.35
diff -u -p -u -p -r1.35 obj_dat.c
--- objects/obj_dat.c   14 Oct 2015 21:54:10 -  1.35
+++ objects/obj_dat.c   11 Jul 2016 13:10:31 -
@@ -70,20 +70,7 @@
 #include 
 
 /* obj_dat.h is generated from objects.h by obj_dat.pl */
-#ifndef OPENSSL_NO_OBJECT
 #include "obj_dat.h"
-#else
-/* You will have to load all the objects needed manually in the application */
-#define NUM_NID 0
-#define NUM_SN 0
-#define NUM_LN 0
-#define NUM_OBJ 0
-static const unsigned char lvalues[1];
-static const ASN1_OBJECT nid_objs[1];
-static const unsigned int sn_objs[1];
-static const unsigned int ln_objs[1];
-static const unsigned int obj_objs[1];
-#endif
 
 DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, sn);
 DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, ln);

Re: add error check to ocsp_test.c

[Brent Cook]

sure, this makes it easier to patch in the right path in portable as well

On Thu, Jul 7, 2016 at 7:23 AM, Kinichiro Inoguchi <
kinichiro.inogu...@gmail.com> wrote:

> Hi,
>
> I would like to add error check for CAfile loading
> since some OS doesn't have /etc/ssl/cert.pem.
>
> Best regards,
> Kinichiro Inoguchi
>

Re: libcrypto: fix BN_mod_word bug

[Brent Cook]

I copied some of the commit text here from BoringSSL, but it's wrong for 
LibreSSL it seems.

BN_ULLONG is not defined on all 64-bit systems as far as I can tell. So, this 
fix is more widely applicable than Win64 for LibreSSL.

Any comments?

 - Brent

> On Jun 30, 2016, at 8:40 AM, Brent Cook <bust...@gmail.com> wrote:
> 
> On systems where we do not have BN_ULLONG (notably Win64), BN_mod_word()
> can return incorrect results if the supplied modulus is too big.
> 
> Note now that BN_mod_word may fail, like BN_div_word. Handle this
> properly and document in the man page.
> 
> Thanks to Brian Smith for pointing out these fixes from BoringSSL:
> 
> https://boringssl.googlesource.com/boringssl/+/67cb49d045f04973ddba0f92fe8a8ad483c7da89
> https://boringssl.googlesource.com/boringssl/+/44bedc348d9491e63c7ed1438db100a4b8a830be
> 
> diff --git a/src/lib/libcrypto/man/BN_add_word.3 
> b/src/lib/libcrypto/man/BN_add_word.3
> index eb5874a..66fdc0a 100644
> --- a/src/lib/libcrypto/man/BN_add_word.3
> +++ b/src/lib/libcrypto/man/BN_add_word.3
> @@ -75,7 +75,8 @@ returns the remainder of
> .Fa a
> divided by
> .Fa w
> -.Pq Li a%w .
> +.Pq Li a%w
> +or (BN_ULONG)-1 on error.
> .Pp
> For
> .Fn BN_div_word
> diff --git a/src/lib/libssl/src/crypto/bn/bn_prime.c 
> b/src/lib/libssl/src/crypto/bn/bn_prime.c
> index 09af6a1..1dd0153 100644
> --- a/src/lib/libssl/src/crypto/bn/bn_prime.c
> +++ b/src/lib/libssl/src/crypto/bn/bn_prime.c
> @@ -277,9 +277,13 @@ BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, 
> BN_CTX *ctx_passed,
>   /* a is even => a is prime if and only if a == 2 */
>   return BN_is_word(a, 2);
>   if (do_trial_division) {
> - for (i = 1; i < NUMPRIMES; i++)
> - if (BN_mod_word(a, primes[i]) == 0)
> + for (i = 1; i < NUMPRIMES; i++) {
> + BN_ULONG mod = BN_mod_word(a, primes[i]);
> + if (mod == (BN_ULONG)-1)
> + goto err;
> + if (mod == 0)
>   return 0;
> + }
>   if (!BN_GENCB_call(cb, 1, -1))
>   goto err;
>   }
> @@ -398,8 +402,12 @@ again:
>   if (!BN_rand(rnd, bits, 1, 1))
>   return (0);
>   /* we now have a random number 'rand' to test. */
> - for (i = 1; i < NUMPRIMES; i++)
> - mods[i] = (prime_t)BN_mod_word(rnd, (BN_ULONG)primes[i]);
> + for (i = 1; i < NUMPRIMES; i++) {
> + BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
> + if (mod == (BN_ULONG)-1)
> + return (0);
> + mods[i] = (prime_t)mod;
> + }
>   maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
>   delta = 0;
> loop:
> @@ -452,7 +460,10 @@ probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM 
> *add, const BIGNUM *rem,
> loop:
>   for (i = 1; i < NUMPRIMES; i++) {
>   /* check that rnd is a prime */
> - if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
> + BN_LONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
> + if (mod == (BN_ULONG)-1)
> + goto err;
> + if (mod <= 1) {
>   if (!BN_add(rnd, rnd, add))
>   goto err;
>   goto loop;
> @@ -514,8 +525,11 @@ loop:
>   /* check that p and q are prime */
>   /* check that for p and q
>* gcd(p-1,primes) == 1 (except for 2) */
> - if ((BN_mod_word(p, (BN_ULONG)primes[i]) == 0) ||
> - (BN_mod_word(q, (BN_ULONG)primes[i]) == 0)) {
> + BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
> + BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
> + if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1)
> + goto err;
> + if (pmod == 0 || qmod == 0) {
>   if (!BN_add(p, p, padd))
>   goto err;
>   if (!BN_add(q, q, qadd))
> diff --git a/src/lib/libssl/src/crypto/bn/bn_word.c 
> b/src/lib/libssl/src/crypto/bn/bn_word.c
> index 897b06d..acc7032 100644
> --- a/src/lib/libssl/src/crypto/bn/bn_word.c
> +++ b/src/lib/libssl/src/crypto/bn/bn_word.c
> @@ -73,6 +73,20 @@ BN_mod_word(const BIGNUM *a, BN_ULONG w)
>   if (w == 0)
>   return (BN_ULONG) - 1;
> 
> +#ifndef BN_ULLONG
> + /* If |w| is too long and we don't have |BN_ULLONG| then we need to 
> fall back
> + * to using |BN_div_word|. */
> + if (w > ((BN_ULONG)1 << BN_BITS4)) {
> +   

libcrypto: fix BN_mod_word bug

[Brent Cook]

On systems where we do not have BN_ULLONG (notably Win64), BN_mod_word()
can return incorrect results if the supplied modulus is too big.

Note now that BN_mod_word may fail, like BN_div_word. Handle this
properly and document in the man page.

Thanks to Brian Smith for pointing out these fixes from BoringSSL:

https://boringssl.googlesource.com/boringssl/+/67cb49d045f04973ddba0f92fe8a8ad483c7da89
https://boringssl.googlesource.com/boringssl/+/44bedc348d9491e63c7ed1438db100a4b8a830be

diff --git a/src/lib/libcrypto/man/BN_add_word.3 
b/src/lib/libcrypto/man/BN_add_word.3
index eb5874a..66fdc0a 100644
--- a/src/lib/libcrypto/man/BN_add_word.3
+++ b/src/lib/libcrypto/man/BN_add_word.3
@@ -75,7 +75,8 @@ returns the remainder of
 .Fa a
 divided by
 .Fa w
-.Pq Li a%w .
+.Pq Li a%w
+or (BN_ULONG)-1 on error.
 .Pp
 For
 .Fn BN_div_word
diff --git a/src/lib/libssl/src/crypto/bn/bn_prime.c 
b/src/lib/libssl/src/crypto/bn/bn_prime.c
index 09af6a1..1dd0153 100644
--- a/src/lib/libssl/src/crypto/bn/bn_prime.c
+++ b/src/lib/libssl/src/crypto/bn/bn_prime.c
@@ -277,9 +277,13 @@ BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, 
BN_CTX *ctx_passed,
/* a is even => a is prime if and only if a == 2 */
return BN_is_word(a, 2);
if (do_trial_division) {
-   for (i = 1; i < NUMPRIMES; i++)
-   if (BN_mod_word(a, primes[i]) == 0)
+   for (i = 1; i < NUMPRIMES; i++) {
+   BN_ULONG mod = BN_mod_word(a, primes[i]);
+   if (mod == (BN_ULONG)-1)
+   goto err;
+   if (mod == 0)
return 0;
+   }
if (!BN_GENCB_call(cb, 1, -1))
goto err;
}
@@ -398,8 +402,12 @@ again:
if (!BN_rand(rnd, bits, 1, 1))
return (0);
/* we now have a random number 'rand' to test. */
-   for (i = 1; i < NUMPRIMES; i++)
-   mods[i] = (prime_t)BN_mod_word(rnd, (BN_ULONG)primes[i]);
+   for (i = 1; i < NUMPRIMES; i++) {
+   BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
+   if (mod == (BN_ULONG)-1)
+   return (0);
+   mods[i] = (prime_t)mod;
+   }
maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
delta = 0;
 loop:
@@ -452,7 +460,10 @@ probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM 
*add, const BIGNUM *rem,
 loop:
for (i = 1; i < NUMPRIMES; i++) {
/* check that rnd is a prime */
-   if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
+   BN_LONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
+   if (mod == (BN_ULONG)-1)
+   goto err;
+   if (mod <= 1) {
if (!BN_add(rnd, rnd, add))
goto err;
goto loop;
@@ -514,8 +525,11 @@ loop:
/* check that p and q are prime */
/* check that for p and q
 * gcd(p-1,primes) == 1 (except for 2) */
-   if ((BN_mod_word(p, (BN_ULONG)primes[i]) == 0) ||
-   (BN_mod_word(q, (BN_ULONG)primes[i]) == 0)) {
+   BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
+   BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
+   if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1)
+   goto err;
+   if (pmod == 0 || qmod == 0) {
if (!BN_add(p, p, padd))
goto err;
if (!BN_add(q, q, qadd))
diff --git a/src/lib/libssl/src/crypto/bn/bn_word.c 
b/src/lib/libssl/src/crypto/bn/bn_word.c
index 897b06d..acc7032 100644
--- a/src/lib/libssl/src/crypto/bn/bn_word.c
+++ b/src/lib/libssl/src/crypto/bn/bn_word.c
@@ -73,6 +73,20 @@ BN_mod_word(const BIGNUM *a, BN_ULONG w)
if (w == 0)
return (BN_ULONG) - 1;
 
+#ifndef BN_ULLONG
+   /* If |w| is too long and we don't have |BN_ULLONG| then we need to 
fall back
+   * to using |BN_div_word|. */
+   if (w > ((BN_ULONG)1 << BN_BITS4)) {
+   BIGNUM *tmp = BN_dup(a);
+   if (tmp == NULL) {
+   return (BN_ULONG)-1;
+   }
+   ret = BN_div_word(tmp, w);
+   BN_free(tmp);
+   return ret;
+   }
+#endif
+
bn_check_top(a);
w &= BN_MASK2;
for (i = a->top - 1; i >= 0; i--) {
diff --git a/src/lib/libssl/src/crypto/dh/dh_check.c 
b/src/lib/libssl/src/crypto/dh/dh_check.c
index ad827dd..c34511d 100644
--- a/src/lib/libssl/src/crypto/dh/dh_check.c
+++ b/src/lib/libssl/src/crypto/dh/dh_check.c
@@ -89,10 +89,14 @@ DH_check(const DH *dh, int *ret)
 
if (BN_is_word(dh->g, DH_GENERATOR_2)) {
l = BN_mod_word(dh->p, 24);
+   if (l == (BN_ULONG)-1)
+   

netcat: simplify and enhance IP proto-specific sockopt error handling

[Brent Cook]

As a precedent, nc has a conversational, specific style of error
reporting when a socketopt fails. With the IPv4/6-specific options, we
refactored the code to the point that the error messages are less
specific and maybe misleading (e.g. setting ToS on an IPv6 socket).

This patch makes the per-address-family options instead have specific
error reporting, and IMO simplifies things a bit as well.

I'll admit it I have an ulterior motive here too. Structuring code like
this also makes it easier to add #ifdefs for non-existent sockopts for
the portable version packaged with LibreSSL.

diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index c9c5ebe..f5dfe18 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1412,18 +1412,13 @@ set_common_sockopts(int s, int af)
err(1, NULL);
}
if (Tflag != -1) {
-   int proto, option;
-
-   if (af == AF_INET6) {
-   proto = IPPROTO_IPV6;
-   option = IPV6_TCLASS;
-   } else {
-   proto = IPPROTO_IP;
-   option = IP_TOS;
-   }
-
-   if (setsockopt(s, proto, option, , sizeof(Tflag)) == -1)
+   if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+   IP_TOS, , sizeof(Tflag)) == -1)
err(1, "set IP ToS");
+
+   else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+   IPV6_TCLASS, , sizeof(Tflag)) == -1)
+   err(1, "set IPv6 traffic class");
}
if (Iflag) {
if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
@@ -1435,28 +1430,25 @@ set_common_sockopts(int s, int af)
, sizeof(Oflag)) == -1)
err(1, "set TCP send buffer size");
}
-   if (ttl != -1 || minttl != -1) {
-   int proto, in_ttl_opt, out_ttl_opt;
-   switch (af) {
-   case AF_INET:
-   proto = IPPROTO_IP;
-   in_ttl_opt = IP_MINTTL;
-   out_ttl_opt = IP_TTL;
-   break;
-   case AF_INET6:
-   proto = IPPROTO_IPV6;
-   in_ttl_opt = IPV6_MINHOPCOUNT;
-   out_ttl_opt = IPV6_UNICAST_HOPS;
-   break;
-   default:
-   errx(1, "unknown address family: %d", af);
-   }
-   if (minttl != -1 && setsockopt(s, proto, in_ttl_opt,
-   , sizeof(minttl)))
-   err(1, "setsockopt minttl");
-   if (ttl != -1 && setsockopt(s, proto, out_ttl_opt,
-   , sizeof(ttl)))
-   err(1, "setsockopt ttl");
+
+   if (ttl != -1) {
+   if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+   IP_TTL, , sizeof(ttl)))
+   err(1, "set IP TTL");
+
+   else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+   IPV6_UNICAST_HOPS, , sizeof(ttl)))
+   err(1, "set IPv6 unicast hops");
+   }
+
+   if (minttl != -1) {
+   if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+   IP_MINTTL, , sizeof(minttl)))
+   err(1, "set IP min TTL");
+
+   else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+   IPV6_MINHOPCOUNT, , sizeof(minttl)))
+   err(1, "set IPv6 min hop count");
}
 }
 

tighten behavior of _rs_allocate for portable arc4random implementations

[Brent Cook]

This is something I noticed while reviewing this report:

https://github.com/libressl-portable/portable/issues/200

In the event of a failure in _rs_allocate for rsx, we still return the
freed memory for rs. Not a huge deal since we subsequently abort in
_rs_init, but it looks strange on its own.

Also, for Windows, we are simply using calloc, which has two annoyances:
the memory has more permissions than needed by default, and it comes
from the process heap, which looks like a memory leak since this memory
is rightfully never freed. This switches to _rs_alloc on windows use
VirtualAlloc, which restricts the memory to READ|WRITE, possibly
provides better address randomization (or at least page-aligns the
allocations), and the memory doesn't end up in the process heap.

ok?

Index: arc4random_aix.h
===
RCS file: /cvs/src/lib/libcrypto/crypto/arc4random_aix.h,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 arc4random_aix.h
--- arc4random_aix.h30 Mar 2015 11:29:48 -  1.1
+++ arc4random_aix.h30 Jun 2016 11:28:18 -
@@ -72,6 +72,7 @@ _rs_allocate(struct _rs **rsp, struct _r
if ((*rsxp = mmap(NULL, sizeof(**rsxp), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
munmap(*rsp, sizeof(**rsp));
+   *rsp = NULL;
return (-1);
}
 
Index: arc4random_freebsd.h
===
RCS file: /cvs/src/lib/libcrypto/crypto/arc4random_freebsd.h,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 arc4random_freebsd.h
--- arc4random_freebsd.h11 Sep 2015 11:52:55 -  1.3
+++ arc4random_freebsd.h30 Jun 2016 11:28:18 -
@@ -78,6 +78,7 @@ _rs_allocate(struct _rs **rsp, struct _r
if ((*rsxp = mmap(NULL, sizeof(**rsxp), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
munmap(*rsp, sizeof(**rsp));
+   *rsp = NULL;
return (-1);
}
 
Index: arc4random_hpux.h
===
RCS file: /cvs/src/lib/libcrypto/crypto/arc4random_hpux.h,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 arc4random_hpux.h
--- arc4random_hpux.h   15 Jan 2015 06:57:18 -  1.2
+++ arc4random_hpux.h   30 Jun 2016 11:28:18 -
@@ -72,6 +72,7 @@ _rs_allocate(struct _rs **rsp, struct _r
if ((*rsxp = mmap(NULL, sizeof(**rsxp), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
munmap(*rsp, sizeof(**rsp));
+   *rsp = NULL;
return (-1);
}
 
Index: arc4random_linux.h
===
RCS file: /cvs/src/lib/libcrypto/crypto/arc4random_linux.h,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 arc4random_linux.h
--- arc4random_linux.h  4 Jan 2016 02:04:56 -   1.10
+++ arc4random_linux.h  30 Jun 2016 11:28:18 -
@@ -79,6 +79,7 @@ _rs_allocate(struct _rs **rsp, struct _r
if ((*rsxp = mmap(NULL, sizeof(**rsxp), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
munmap(*rsp, sizeof(**rsp));
+   *rsp = NULL;
return (-1);
}
 
Index: arc4random_netbsd.h
===
RCS file: /cvs/src/lib/libcrypto/crypto/arc4random_netbsd.h,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 arc4random_netbsd.h
--- arc4random_netbsd.h 11 Sep 2015 11:52:55 -  1.2
+++ arc4random_netbsd.h 30 Jun 2016 11:28:18 -
@@ -78,6 +78,7 @@ _rs_allocate(struct _rs **rsp, struct _r
if ((*rsxp = mmap(NULL, sizeof(**rsxp), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
munmap(*rsp, sizeof(**rsp));
+   *rsp = NULL;
return (-1);
}
 
Index: arc4random_osx.h
===
RCS file: /cvs/src/lib/libcrypto/crypto/arc4random_osx.h,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 arc4random_osx.h
--- arc4random_osx.h11 Sep 2015 11:52:55 -  1.10
+++ arc4random_osx.h30 Jun 2016 11:28:18 -
@@ -72,6 +72,7 @@ _rs_allocate(struct _rs **rsp, struct _r
if ((*rsxp = mmap(NULL, sizeof(**rsxp), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
munmap(*rsp, sizeof(**rsp));
+   *rsp = NULL;
return (-1);
}
 
Index: arc4random_solaris.h
===
RCS file: /cvs/src/lib/libcrypto/crypto/arc4random_solaris.h,v
retrieving revision 1.9
diff -u -p -u -p -r1.9 arc4random_solaris.h
--- arc4random_solaris.h15 Jan 2015 06:57:18 -  1.9
+++ arc4random_solaris.h30 Jun 2016 11:28:18 -
@@ -72,6 +72,7 @@ 

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

[Brent Cook]

On Sun, Jun 26, 2016 at 12:22 PM, Brent Cook <bust...@gmail.com> wrote:

> On Sun, Jun 26, 2016 at 06:26:36AM +, César Pereida wrote:
> >
> > On Sun, Jun 26, 2016, 8:19 AM Brent Cook <bust...@gmail.com> wrote:
> >
> > > Hmm, on second review, something seems odd.
> > >
> > > César, why does this patch also replace all of the stack-allocated
> > > BIGNUM's with heap ones? Why add a new set of failure cases?
> > >
> > Hi Brent,
> >
> > As far as I remember this is what I did for the RSA patch so I maintained
> > consistency with that one.
> >
> > Are there any problems with that approach?
> >
> > Regards,
>
> Hi César,
>
> Yeah, I think the original stack variables are preferable, since all we
> are doing is cloning the fields from the original BIGNUM and adding a
> flag. Here's a revised patch with regress tests fixed as well:
>
> ok?
>

​Is it too late in the 6.0 cycle to get this one in? Feels like I need to
get it in soon if not...



> Index: lib/libssl/src/crypto/dh/dh.h
> ===
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
> retrieving revision 1.16
> diff -u -p -u -p -r1.16 dh.h
> --- lib/libssl/src/crypto/dh/dh.h   12 Jun 2014 15:49:28 -
> 1.16
> +++ lib/libssl/src/crypto/dh/dh.h   26 Jun 2016 17:19:39 -
> @@ -78,13 +78,6 @@
>  #endif
>
>  #define DH_FLAG_CACHE_MONT_P 0x01
> -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
> -   * implementation now uses constant
> time
> -   * modular exponentiation for
> secret exponents
> -   * by default. This flag causes the
> -   * faster variable sliding window
> method to
> -   * be used for all exponents.
> -   */
>
>  /* If this flag is set the DH method is FIPS compliant and can be used
>   * in FIPS mode. This is set in the validated module method. If an
> Index: lib/libssl/src/crypto/dh/dh_key.c
> ===
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
> retrieving revision 1.23
> diff -u -p -u -p -r1.23 dh_key.c
> --- lib/libssl/src/crypto/dh/dh_key.c   9 Feb 2015 15:49:22 -
>  1.23
> +++ lib/libssl/src/crypto/dh/dh_key.c   26 Jun 2016 17:19:39 -
> @@ -147,21 +147,16 @@ generate_key(DH *dh)
> }
>
> {
> -   BIGNUM local_prk;
> -   BIGNUM *prk;
> +   BIGNUM prk;
>
> -   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> -   BN_init(_prk);
> -   prk = _prk;
> -   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
> -   } else
> -   prk = priv_key;
> +   BN_with_flags(, priv_key, BN_FLG_CONSTTIME);
>
> -   if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p,
> ctx,
> -   mont))
> +   if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, , dh->p,
> ctx,
> +   mont)) {
> goto err;
> +   }
> }
> -
> +
> dh->pub_key = pub_key;
> dh->priv_key = priv_key;
> ok = 1;
> @@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BI
> if (dh->flags & DH_FLAG_CACHE_MONT_P) {
> mont = BN_MONT_CTX_set_locked(>method_mont_p,
> CRYPTO_LOCK_DH, dh->p, ctx);
> -   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> -   /* XXX */
> -   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> -   }
> +
> +   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> +
> if (!mont)
> goto err;
> }
> @@ -238,16 +232,7 @@ static int
>  dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
>  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
>  {
> -   /*
> -* If a is only one word long and constant time is false, use the
> faster
> -* exponenentiation function.
> -*/
> -   if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
> -   BN_ULONG A = a->d[0];
> -
> -   return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
> -   } else
> -   

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

[Brent Cook]

On Sun, Jun 26, 2016 at 06:26:36AM +, César Pereida wrote:
> 
> On Sun, Jun 26, 2016, 8:19 AM Brent Cook <bust...@gmail.com> wrote:
> 
> > Hmm, on second review, something seems odd.
> >
> > César, why does this patch also replace all of the stack-allocated
> > BIGNUM's with heap ones? Why add a new set of failure cases?
> >
> Hi Brent,
> 
> As far as I remember this is what I did for the RSA patch so I maintained
> consistency with that one.
> 
> Are there any problems with that approach?
> 
> Regards,

Hi César,

Yeah, I think the original stack variables are preferable, since all we
are doing is cloning the fields from the original BIGNUM and adding a
flag. Here's a revised patch with regress tests fixed as well:

ok?

Index: lib/libssl/src/crypto/dh/dh.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 dh.h
--- lib/libssl/src/crypto/dh/dh.h   12 Jun 2014 15:49:28 -  1.16
+++ lib/libssl/src/crypto/dh/dh.h   26 Jun 2016 17:19:39 -
@@ -78,13 +78,6 @@
 #endif
 
 #define DH_FLAG_CACHE_MONT_P 0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-   * implementation now uses constant time
-   * modular exponentiation for secret 
exponents
-   * by default. This flag causes the
-   * faster variable sliding window method 
to
-   * be used for all exponents.
-   */
 
 /* If this flag is set the DH method is FIPS compliant and can be used
  * in FIPS mode. This is set in the validated module method. If an
Index: lib/libssl/src/crypto/dh/dh_key.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
retrieving revision 1.23
diff -u -p -u -p -r1.23 dh_key.c
--- lib/libssl/src/crypto/dh/dh_key.c   9 Feb 2015 15:49:22 -   1.23
+++ lib/libssl/src/crypto/dh/dh_key.c   26 Jun 2016 17:19:39 -
@@ -147,21 +147,16 @@ generate_key(DH *dh)
}
 
{
-   BIGNUM local_prk;
-   BIGNUM *prk;
+   BIGNUM prk;
 
-   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-   BN_init(_prk);
-   prk = _prk;
-   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
-   } else
-   prk = priv_key;
+   BN_with_flags(, priv_key, BN_FLG_CONSTTIME);
 
-   if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
-   mont))
+   if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, , dh->p, ctx,
+   mont)) {
goto err;
+   }
}
-   
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
ok = 1;
@@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BI
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(>method_mont_p,
CRYPTO_LOCK_DH, dh->p, ctx);
-   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-   /* XXX */
-   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
-   }
+
+   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+
if (!mont)
goto err;
}
@@ -238,16 +232,7 @@ static int
 dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 {
-   /*
-* If a is only one word long and constant time is false, use the faster
-* exponenentiation function.
-*/
-   if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
-   BN_ULONG A = a->d[0];
-
-   return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
-   } else
-   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
 
 static int
Index: lib/libssl/src/crypto/dsa/dsa.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa.h,v
retrieving revision 1.20
diff -u -p -u -p -r1.20 dsa.h
--- lib/libssl/src/crypto/dsa/dsa.h 21 Jun 2016 04:16:53 -  1.20
+++ lib/libssl/src/crypto/dsa/dsa.h 26 Jun 2016 17:19:40 -
@@ -89,9 +89,6 @@
 #endif
 
 #define DSA_FLAG_CACHE_MONT_P  0x01
-#define DSA_FLAG_NO_EXP_CONSTTIME   0x00 /* Does nothing. Previously this 
switched off 
-  * constant time behaviour.
-

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

[Brent Cook]

On Sun, Jun 26, 2016 at 12:00:51AM -0500, Brent Cook wrote:
> On Sat, Jun 25, 2016 at 07:19:09PM -0600, Bob Beck wrote:
> > If we are going to delete it, lets just do so
> > 
> > IMO we can commit this removing the define. bets are we see nothing in
> > ports for fallout so lets just blow it away
> > 
> 
> Sounds good, I'll commit this:
> 
> Index: src/crypto/dh/dh.h
> ===
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
> retrieving revision 1.16
> diff -u -p -u -p -r1.16 dh.h
> --- src/crypto/dh/dh.h12 Jun 2014 15:49:28 -  1.16
> +++ src/crypto/dh/dh.h26 Jun 2016 04:51:19 -
> @@ -78,13 +78,6 @@
>  #endif
>  
>  #define DH_FLAG_CACHE_MONT_P 0x01
> -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
> -   * implementation now uses constant 
> time
> -   * modular exponentiation for secret 
> exponents
> -   * by default. This flag causes the
> -   * faster variable sliding window 
> method to
> -   * be used for all exponents.
> -   */
>  
>  /* If this flag is set the DH method is FIPS compliant and can be used
>   * in FIPS mode. This is set in the validated module method. If an
> Index: src/crypto/dh/dh_key.c
> ===
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
> retrieving revision 1.23
> diff -u -p -u -p -r1.23 dh_key.c
> --- src/crypto/dh/dh_key.c9 Feb 2015 15:49:22 -   1.23
> +++ src/crypto/dh/dh_key.c26 Jun 2016 04:51:19 -
> @@ -147,21 +147,21 @@ generate_key(DH *dh)
>   }
>  
>   {
> - BIGNUM local_prk;
> - BIGNUM *prk;
> + BIGNUM *prk = BN_new();

Hmm, on second review, something seems odd.

César, why does this patch also replace all of the stack-allocated
BIGNUM's with heap ones? Why add a new set of failure cases?

>  
> - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> - BN_init(_prk);
> - prk = _prk;
> - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
> - } else
> - prk = priv_key;
> + if (prk == NULL)
> + goto err;
> +
> + BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
>  
>   if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
> - mont))
> + mont)) {
> + BN_free(prk);
>   goto err;
> + }
> + BN_free(prk);
>   }
> - 
> +
>   dh->pub_key = pub_key;
>   dh->priv_key = priv_key;
>   ok = 1;
> @@ -206,10 +206,9 @@ compute_key(unsigned char *key, const BI
>   if (dh->flags & DH_FLAG_CACHE_MONT_P) {
>   mont = BN_MONT_CTX_set_locked(>method_mont_p,
>   CRYPTO_LOCK_DH, dh->p, ctx);
> - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> - /* XXX */
> - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> - }
> +
> + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> +
>   if (!mont)
>   goto err;
>   }
> @@ -238,16 +237,7 @@ static int
>  dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
>  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
>  {
> - /*
> -  * If a is only one word long and constant time is false, use the faster
> -  * exponenentiation function.
> -  */
> - if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
> - BN_ULONG A = a->d[0];
> -
> - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
> - } else
> - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
> + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
>  }
>  
>  static int
> Index: src/crypto/dsa/dsa.h
> ===
> RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa.h,v
> retrieving revision 1.20
> diff -u -p -u -p -r1.20 dsa.h
> --- src/crypto/dsa/dsa.h  21 Jun 2016 04:16:53 -  1.20
> +++ src/crypto/dsa/dsa.h  26 Jun 2016 04:51:19 -
> @@ -89,9 +89,6 @@
>  #endif
>  
>  #define DSA_FL

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

[Brent Cook]

On Sat, Jun 25, 2016 at 07:19:09PM -0600, Bob Beck wrote:
> If we are going to delete it, lets just do so
> 
> IMO we can commit this removing the define. bets are we see nothing in
> ports for fallout so lets just blow it away
> 

Sounds good, I'll commit this:

Index: src/crypto/dh/dh.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 dh.h
--- src/crypto/dh/dh.h  12 Jun 2014 15:49:28 -  1.16
+++ src/crypto/dh/dh.h  26 Jun 2016 04:51:19 -
@@ -78,13 +78,6 @@
 #endif
 
 #define DH_FLAG_CACHE_MONT_P 0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-   * implementation now uses constant time
-   * modular exponentiation for secret 
exponents
-   * by default. This flag causes the
-   * faster variable sliding window method 
to
-   * be used for all exponents.
-   */
 
 /* If this flag is set the DH method is FIPS compliant and can be used
  * in FIPS mode. This is set in the validated module method. If an
Index: src/crypto/dh/dh_key.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
retrieving revision 1.23
diff -u -p -u -p -r1.23 dh_key.c
--- src/crypto/dh/dh_key.c  9 Feb 2015 15:49:22 -   1.23
+++ src/crypto/dh/dh_key.c  26 Jun 2016 04:51:19 -
@@ -147,21 +147,21 @@ generate_key(DH *dh)
}
 
{
-   BIGNUM local_prk;
-   BIGNUM *prk;
+   BIGNUM *prk = BN_new();
 
-   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-   BN_init(_prk);
-   prk = _prk;
-   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
-   } else
-   prk = priv_key;
+   if (prk == NULL)
+   goto err;
+
+   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
 
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
-   mont))
+   mont)) {
+   BN_free(prk);
goto err;
+   }
+   BN_free(prk);
}
-   
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
ok = 1;
@@ -206,10 +206,9 @@ compute_key(unsigned char *key, const BI
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(>method_mont_p,
CRYPTO_LOCK_DH, dh->p, ctx);
-   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-   /* XXX */
-   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
-   }
+
+   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+
if (!mont)
goto err;
}
@@ -238,16 +237,7 @@ static int
 dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 {
-   /*
-* If a is only one word long and constant time is false, use the faster
-* exponenentiation function.
-*/
-   if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
-   BN_ULONG A = a->d[0];
-
-   return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
-   } else
-   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
 
 static int
Index: src/crypto/dsa/dsa.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa.h,v
retrieving revision 1.20
diff -u -p -u -p -r1.20 dsa.h
--- src/crypto/dsa/dsa.h21 Jun 2016 04:16:53 -  1.20
+++ src/crypto/dsa/dsa.h26 Jun 2016 04:51:19 -
@@ -89,9 +89,6 @@
 #endif
 
 #define DSA_FLAG_CACHE_MONT_P  0x01
-#define DSA_FLAG_NO_EXP_CONSTTIME   0x00 /* Does nothing. Previously this 
switched off 
-  * constant time behaviour.
-  */
 
 /* If this flag is set the DSA method is FIPS compliant and can be used
  * in FIPS mode. This is set in the validated module method. If an
Index: src/crypto/rsa/rsa.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v
retrieving revision 1.27
diff -u -p -u -p -r1.27 rsa.h
--- src/crypto/rsa/rsa.h14 Feb 2015 15:10:39 -  1.27
+++ src/crypto/rsa/rsa.h26 Jun 2016 04:51:20 -
@@ -194,16 +194,6 @@ struct rsa_st {
  */
 #define RSA_FLAG_NO_BLINDING   0x0080
 
-/*
- * The built-in RSA implementation uses 

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

[Brent Cook]

I searched around a bit and could find only one open-source instance
of RSA_FLAG_NO_CONSTTIME in the wild - something called 'anon-proxy' that
lives as a zombie in the Debian repos, but hasn't had a real release since
2008 and seems to be orphaned from its original source site. I didn't even
see any scripting language bindings for these flags, which is especially
unusual when a lot of OpenSSL bindings export every trivial feature
otherwise.

So yeah, not a lot should change in the world in removing the defines. Mind
if we wrap in #ifndef LIBRESSL_INTERNAL guards first though?


On Wed, Jun 22, 2016 at 12:52 PM, Bob Beck <b...@openbsd.org> wrote:

> I'm wondering outloud it we should remove the #define, instead of
> leaving it in there. I.E. should we be deliberately
> breaking anything making use of that?
>
> At the very least this (along with the DH one) can probably #ifndef
> LIBRESSL_INTERNAL - and failing that should
> we nuke them and bump majors?
>
>
> On Wed, Jun 22, 2016 at 7:44 AM, Brent Cook <bust...@gmail.com> wrote:
> > This is another patch from César Pereida that disables the DH and RSA
> > non-constant-time flags as well.
> >
> > ok?
> >
> > Index: src/crypto/dh/dh.h
> > ===
> > RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
> > retrieving revision 1.16
> > diff -u -p -u -p -r1.16 dh.h
> > --- src/crypto/dh/dh.h  12 Jun 2014 15:49:28 -  1.16
> > +++ src/crypto/dh/dh.h  22 Jun 2016 13:37:33 -
> > @@ -78,12 +78,8 @@
> >  #endif
> >
> >  #define DH_FLAG_CACHE_MONT_P 0x01
> > -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in
> DH
> > -   * implementation now uses
> constant time
> > -   * modular exponentiation for
> secret exponents
> > -   * by default. This flag causes
> the
> > -   * faster variable sliding window
> method to
> > -   * be used for all exponents.
> > +#define DH_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this
> switched off
> > +   * constant time behaviour.
> > */
> >
> >  /* If this flag is set the DH method is FIPS compliant and can be used
> > Index: src/crypto/dh/dh_key.c
> > ===
> > RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
> > retrieving revision 1.23
> > diff -u -p -u -p -r1.23 dh_key.c
> > --- src/crypto/dh/dh_key.c  9 Feb 2015 15:49:22 -   1.23
> > +++ src/crypto/dh/dh_key.c  22 Jun 2016 13:37:33 -
> > @@ -147,21 +147,21 @@ generate_key(DH *dh)
> > }
> >
> > {
> > -   BIGNUM local_prk;
> > -   BIGNUM *prk;
> > +   BIGNUM *prk = BN_new();
> >
> > -   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> > -   BN_init(_prk);
> > -   prk = _prk;
> > -   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
> > -   } else
> > -   prk = priv_key;
> > +   if (prk == NULL)
> > +   goto err;
> > +
> > +   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
> >
> > if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk,
> dh->p, ctx,
> > -   mont))
> > +   mont)) {
> > +   BN_free(prk);
> > goto err;
> > +   }
> > +   BN_free(prk);
> > }
> > -
> > +
> > dh->pub_key = pub_key;
> > dh->priv_key = priv_key;
> > ok = 1;
> > @@ -206,10 +206,9 @@ compute_key(unsigned char *key, const BI
> > if (dh->flags & DH_FLAG_CACHE_MONT_P) {
> > mont = BN_MONT_CTX_set_locked(>method_mont_p,
> > CRYPTO_LOCK_DH, dh->p, ctx);
> > -   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> > -   /* XXX */
> > -   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> > -   }
> > +
> > +   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> > +
> > if (!mont)
> > goto err;
> > 

Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

[Brent Cook]

This is another patch from César Pereida that disables the DH and RSA
non-constant-time flags as well.

ok?

Index: src/crypto/dh/dh.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 dh.h
--- src/crypto/dh/dh.h  12 Jun 2014 15:49:28 -  1.16
+++ src/crypto/dh/dh.h  22 Jun 2016 13:37:33 -
@@ -78,12 +78,8 @@
 #endif
 
 #define DH_FLAG_CACHE_MONT_P 0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-   * implementation now uses constant time
-   * modular exponentiation for secret 
exponents
-   * by default. This flag causes the
-   * faster variable sliding window method 
to
-   * be used for all exponents.
+#define DH_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this 
switched off 
+   * constant time behaviour.
*/
 
 /* If this flag is set the DH method is FIPS compliant and can be used
Index: src/crypto/dh/dh_key.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
retrieving revision 1.23
diff -u -p -u -p -r1.23 dh_key.c
--- src/crypto/dh/dh_key.c  9 Feb 2015 15:49:22 -   1.23
+++ src/crypto/dh/dh_key.c  22 Jun 2016 13:37:33 -
@@ -147,21 +147,21 @@ generate_key(DH *dh)
}
 
{
-   BIGNUM local_prk;
-   BIGNUM *prk;
+   BIGNUM *prk = BN_new();
 
-   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-   BN_init(_prk);
-   prk = _prk;
-   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
-   } else
-   prk = priv_key;
+   if (prk == NULL)
+   goto err;
+
+   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
 
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
-   mont))
+   mont)) {
+   BN_free(prk);
goto err;
+   }
+   BN_free(prk);
}
-   
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
ok = 1;
@@ -206,10 +206,9 @@ compute_key(unsigned char *key, const BI
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(>method_mont_p,
CRYPTO_LOCK_DH, dh->p, ctx);
-   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-   /* XXX */
-   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
-   }
+
+   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+
if (!mont)
goto err;
}
@@ -238,16 +237,7 @@ static int
 dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 {
-   /*
-* If a is only one word long and constant time is false, use the faster
-* exponenentiation function.
-*/
-   if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
-   BN_ULONG A = a->d[0];
-
-   return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
-   } else
-   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
 
 static int
Index: src/crypto/rsa/rsa.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v
retrieving revision 1.27
diff -u -p -u -p -r1.27 rsa.h
--- src/crypto/rsa/rsa.h14 Feb 2015 15:10:39 -  1.27
+++ src/crypto/rsa/rsa.h22 Jun 2016 13:37:33 -
@@ -195,13 +195,9 @@ struct rsa_st {
 #define RSA_FLAG_NO_BLINDING   0x0080
 
 /*
- * The built-in RSA implementation uses constant time operations by default
- * in private key operations, e.g., constant time modular exponentiation,
- * modular inverse without leaking branches, division without leaking branches.
- * This flag disables these constant time operations and results in faster RSA
- * private key operations.
+ * Does nothing. Previously this switched off constant time behaviour.
  */
-#define RSA_FLAG_NO_CONSTTIME  0x0100
+#define RSA_FLAG_NO_CONSTTIME  0x
 
 
 #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
Index: src/crypto/rsa/rsa_crpt.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_crpt.c,v
retrieving revision 1.14
diff -u -p -u -p -r1.14 rsa_crpt.c
--- src/crypto/rsa/rsa_crpt.c   11 Feb 2015 03:19:37 -  1.14
+++ 

Re: Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior

[Brent Cook]

No problem, I undid that bit.

Thanks all.

On Mon, Jun 20, 2016 at 11:32 AM, Ted Unangst <t...@tedunangst.com> wrote:

> Brent Cook wrote:
> > diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c
> b/src/lib/libssl/src/crypto/dsa/dsa_key.c
> > index 2968fa2..e01bacb 100644
> > --- a/src/lib/libssl/src/crypto/dsa/dsa_key.c
> > +++ b/src/lib/libssl/src/crypto/dsa/dsa_key.c
> > -#endif
> > +#endif
> > \ No newline at end of file
>
> can we please keep the newline at the end of the file?
>

openssl(1): fix bug loading default certificate path locations

[Brent Cook]

This fixes a bug where the default certificate path locations would only
be loaded if the CAfile or CApath locations were succesfully loaded
first. Original patch from OpenSSL:

https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190

Noted here on the LibreSSL-portable github tracker:

https://github.com/libressl-portable/openbsd/issues/62

ok?

Index: s_client.c
===
RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
retrieving revision 1.27
diff -u -p -r1.27 s_client.c
--- s_client.c  1 Dec 2015 12:01:56 -   1.27
+++ s_client.c  20 Jun 2016 13:31:43 -
@@ -728,15 +728,13 @@ bad:
if (!set_cert_key_stuff(ctx, cert, key))
goto end;

-   if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-   (!SSL_CTX_set_default_verify_paths(ctx))) {
-   /*
-* BIO_printf(bio_err,"error setting default verify
-* locations\n");
-*/
+   if ((CAfile || CApath)
+   && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
ERR_print_errors(bio_err);
-   /* goto end; */
-   }
+
+   if (!SSL_CTX_set_default_verify_paths(ctx))
+   ERR_print_errors(bio_err);
+
if (servername != NULL) {
tlsextcbp.biodebug = bio_err;
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);

Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior

[Brent Cook]

Hi,

This is a patch from Cesar Pereida, removing support for
DSA_FLAG_NO_EXP_CONSTTIME by making DSA always operate in constant time.

See https://github.com/libressl-portable/openbsd/pull/61 for more
details.

ok?

diff --git a/src/lib/libssl/src/crypto/dsa/dsa.h 
b/src/lib/libssl/src/crypto/dsa/dsa.h
index 909096d..d2d1d5f 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa.h
+++ b/src/lib/libssl/src/crypto/dsa/dsa.h
@@ -89,12 +89,8 @@
 #endif

 #define DSA_FLAG_CACHE_MONT_P  0x01
-#define DSA_FLAG_NO_EXP_CONSTTIME   0x02 /* new with 0.9.7h; the built-in 
DSA
-  * implementation now uses 
constant time
-  * modular exponentiation for 
secret exponents
-  * by default. This flag causes 
the
-  * faster variable sliding window 
method to
-  * be used for all exponents.
+#define DSA_FLAG_NO_EXP_CONSTTIME   0x00 /* Does nothing. Previously this 
switched off
+  * constant time behaviour.
   */

 /* If this flag is set the DSA method is FIPS compliant and can be used
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c 
b/src/lib/libssl/src/crypto/dsa/dsa_key.c
index 2968fa2..e01bacb 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_key.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_key.c
@@ -104,18 +104,18 @@ dsa_builtin_keygen(DSA *dsa)
pub_key=dsa->pub_key;

{
-   BIGNUM local_prk;
-   BIGNUM *prk;
+   BIGNUM *prk = BN_new();

-   if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-   BN_init(_prk);
-   prk = _prk;
-   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
-   } else
-   prk = priv_key;
+   if (prk == NULL)
+   goto err;
+
+   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);

-   if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx))
+   if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
+   BN_free(prk);
goto err;
+   }
+   BN_free(prk);
}

dsa->priv_key = priv_key;
@@ -130,4 +130,4 @@ err:
BN_CTX_free(ctx);
return ok;
 }
-#endif
+#endif
\ No newline at end of file
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c 
b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
index 726e6c7..4a3b417 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
@@ -83,46 +83,6 @@ static DSA_METHOD openssl_dsa_meth = {
.finish = dsa_finish
 };

-/*
- * These macro wrappers replace attempts to use the dsa_mod_exp() and
- * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
- * having a the macro work as an expression by bundling an "err_instr". So;
- *
- * if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,,dsa->p,ctx,
- * dsa->method_mont_p)) goto err;
- *
- * can be replaced by;
- *
- * DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, , dsa->p, ctx,
- * dsa->method_mont_p);
- */
-
-#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
-do { \
-   int _tmp_res53; \
-   if ((dsa)->meth->dsa_mod_exp) \
-   _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), \
-   (a1), (p1), (a2), (p2), (m), (ctx), (in_mont)); \
-   else \
-   _tmp_res53 = BN_mod_exp2_mont((rr), (a1), \
-   (p1), (a2), (p2), (m), (ctx), (in_mont)); \
-   if (!_tmp_res53) \
-   err_instr; \
-} while(0)
-
-#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
-do { \
-   int _tmp_res53; \
-   if ((dsa)->meth->bn_mod_exp) \
-   _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), \
-   (a), (p), (m), (ctx), (m_ctx)); \
-   else \
-   _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), \
-   (ctx), (m_ctx)); \
-   if (!_tmp_res53) \
-   err_instr; \
-} while(0)
-
 const DSA_METHOD *
 DSA_OpenSSL(void)
 {
@@ -222,7 +182,7 @@ static int
 dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 {
BN_CTX *ctx;
-   BIGNUM k, kq, *K, *kinv = NULL, *r = NULL;
+   BIGNUM k, *kinv = NULL, *r = NULL;
int ret = 0;

if (!dsa->p || !dsa->q || !dsa->g) {
@@ -231,7 +191,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, 
BIGNUM **rp)
}

BN_init();
-   BN_init();

if (ctx_in == NULL) {
if ((ctx = BN_CTX_new()) == NULL)
@@ -248,6 +207,8 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, 
BIGNUM **rp)
goto err;
} while (BN_is_zero());

+ 

LibreSSL 2.4.0/2.3.5/2.2.8 Released

[Brent Cook]

We have released a first development snapshot of LibreSSL 2.4.0 along
with two stable builds, 2.3.5 and 2.2.8. These should be arriving in
the LibreSSL directory of your local OpenBSD mirror soon.

The 2.3.5 and 2.2.8 releases contain a reliability fix, correcting an
error when parsing certain ASN.1 elements over 16k in size.

The 2.4.0 release contains the following additional changes:

* Implemented the IETF ChaCha20-Poly1305 cipher suites.

* Changed default EVP_aead_chacha20_poly1305() implementation to the
  IETF version, which is now the default.

* Many improvements to the CMake build infrastructure, including
  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
  Inoguchi for this work.

* Reworked error handling in libtls so that configuration errors are
  more visible.

* Added missing error handling around bn_wexpand() calls.

* Added explicit_bzero calls for freed ASN.1 objects.

* Fixed X509_*set_object functions to return 0 on allocation failure.

* Fixed password prompts from openssl(1) to properly handle ^C.

* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

libcrypto errata update

[Brent Cook]

A bug in the previous libcrypto errata caused an error when reading
ASN.1 elements over 16kb.

Patches for OpenBSD are available. Updated LibreSSL-portable releases
will be available later.

http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/009_crypto.patch.sig

http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/015_crypto.patch.sig

Re: [ntpd] Simultaneously listen on IPv4 and IPv6

[Brent Cook]

On Tue, May 17, 2016 at 2:56 PM, Stuart Henderson <s...@spacehopper.org>
wrote:

> On 2016/05/17 08:27, Brent Cook wrote:
> > This patch came by way of the openntpd github. Linux (and possibly
> others)
> > will attempt to bind to 0.0.0.0 when binding to '::' and return an error
> if
> > it can't, unless IPV6_V6ONLY is set.
>
> Do you see why they're doing this?
>
> In an OS where IPV6_V6ONLY=0 is the default (i.e. allowing v4 on
> v6 sockets), someone binds to :: expecting to pick up all traffic.
>
> Now another user's process binds to 0.0.0.0.
>
>
I honestly don't think a lot of people realize when IPV6_V6ONLY=0 and when
it doesn't. It's a surprising default. Maybe it should actually log a more
visible warning.

My goal is to make OpenNTPD work as closely as possible on other OSes as it
does on OpenBSD. Sometimes this means injecting compatibility layers
between the system and the program (it shares LibreSSL's arc4random
selection code for instance). I'm probably making it too easy on upstream
OSes in the interest of OpenNTPD-portable's direct users, but this seems
preferable to having different behavior between OpenBSD and other OSes.

[libcrypto] fix short ASN1 reads

[Brent Cook]

Hi,

 Our errata patch for fixing large memory allocations in
 asn1_d2i_read_bio dropped the while (want > 0) loop, causing the
 function to only read chunk_max bytes once. This limits the max size
 read to 16k. This patch restores the outer loop. Noted on misc@

ftp http://ccd.serpro.gov.br/lcr/acserprorfbv3.crl
openssl crl -in acserprorfbv3.crl -inform DER

 ok?

Index: asn1/a_d2i_fp.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c,v
retrieving revision 1.14
diff -u -p -u -p -r1.14 a_d2i_fp.c
--- asn1/a_d2i_fp.c 4 May 2016 14:58:09 -   1.14
+++ asn1/a_d2i_fp.c 20 May 2016 11:21:14 -
@@ -236,36 +236,38 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
ASN1_R_TOO_LONG);
goto err;
}
-   /*
-* Read content in chunks of increasing size
-* so we can return an error for EOF without
-* having to allocate the entire content length
-* in one go.
-*/
-   size_t chunk = want > chunk_max ? chunk_max : 
want;
+   while (want > 0) {
+   /*
+* Read content in chunks of increasing 
size
+* so we can return an error for EOF 
without
+* having to allocate the entire 
content length
+* in one go.
+*/
+   size_t chunk = want > chunk_max ? 
chunk_max : want;

-   if (!BUF_MEM_grow_clean(b, len + chunk)) {
-   ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-   ERR_R_MALLOC_FAILURE);
-   goto err;
-   }
-   want -= chunk;
-   while (chunk > 0) {
-   i = BIO_read(in, &(b->data[len]), 
chunk);
-   if (i <= 0) {
+   if (!BUF_MEM_grow_clean(b, len + 
chunk)) {

ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-   ASN1_R_NOT_ENOUGH_DATA);
+   ERR_R_MALLOC_FAILURE);
goto err;
}
-   /*
-* This can't overflow because 
|len+want|
-* didn't overflow.
-*/
-   len += i;
-   chunk -= i;
+   want -= chunk;
+   while (chunk > 0) {
+   i = BIO_read(in, 
&(b->data[len]), chunk);
+   if (i <= 0) {
+   
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+   
ASN1_R_NOT_ENOUGH_DATA);
+   goto err;
+   }
+   /*
+* This can't overflow because 
|len+want|
+* didn't overflow.
+*/
+   len += i;
+   chunk -= i;
+   }
+   if (chunk_max < INT_MAX/2)
+   chunk_max *= 2;
}
-   if (chunk_max < INT_MAX/2)
-   chunk_max *= 2;
}
if (off + c.slen < off) {
ASN1err(ASN1_F_ASN1_D2I_READ_BIO, 
ASN1_R_TOO_LONG);

Re: [ntpd] Simultaneously listen on IPv4 and IPv6

[Brent Cook]

> On May 17, 2016, at 10:21 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> 
> On 2016/05/17 08:27, Brent Cook wrote:
>> This patch came by way of the openntpd github. Linux (and possibly others)
>> will attempt to bind to 0.0.0.0 when binding to '::' and return an error if
>> it can't, unless IPV6_V6ONLY is set. See
>> https://github.com/openntpd-portable/openntpd-portable/issues/19
>> 
>> OK as an in-tree patch? OpenBSD seems to adopt a more liberal
>> interpretation and not return a failure in the same scenario. (The patch
>> against the 5.7 tree, but you get the idea)
>> 
>> diff -uNr openntpd-5.7p4/src/server.c new/src/server.c
>> --- openntpd-5.7p4/src/server.c 2015-03-25 04:18:56.0 +0300
>> +++ new/src/server.c2016-03-05 18:06:07.946888570 +0300
>> @@ -40,6 +40,7 @@
>>size_t   sa6len = sizeof(struct in6_addr);
>>u_intnew_cnt = 0;
>>int  tos = IPTOS_LOWDELAY;
>> +   int  on = 1;
>>int  rdomain, fd;
>> @@ -139,6 +140,12 @@
>>IPPROTO_IP, IP_TOS, , sizeof(tos)) == -1)
>>log_warn("setsockopt IPTOS_LOWDELAY");
>> 
>> +#ifdef IPV6_V6ONLY
>> +   if (la->sa.ss_family == AF_INET6 && setsockopt(la->fd,
>> +   IPPROTO_IPV6, IPV6_V6ONLY, , sizeof(on)) == -1)
>> +   log_warn("setsockopt IPV6_V6ONLY");
>> +#endif
> 
> Does it need the ifdef? It's standard ipv6 api..
> 

No, I do not think so.

[ntpd] Simultaneously listen on IPv4 and IPv6

[Brent Cook]

This patch came by way of the openntpd github. Linux (and possibly others)
will attempt to bind to 0.0.0.0 when binding to '::' and return an error if
it can't, unless IPV6_V6ONLY is set. See
https://github.com/openntpd-portable/openntpd-portable/issues/19

OK as an in-tree patch? OpenBSD seems to adopt a more liberal
interpretation and not return a failure in the same scenario. (The patch
against the 5.7 tree, but you get the idea)

diff -uNr openntpd-5.7p4/src/server.c new/src/server.c
--- openntpd-5.7p4/src/server.c 2015-03-25 04:18:56.0 +0300
+++ new/src/server.c2016-03-05 18:06:07.946888570 +0300
@@ -40,6 +40,7 @@
size_t   sa6len = sizeof(struct in6_addr);
u_intnew_cnt = 0;
int  tos = IPTOS_LOWDELAY;
+   int  on = 1;
int  rdomain, fd;
@@ -139,6 +140,12 @@
IPPROTO_IP, IP_TOS, , sizeof(tos)) == -1)
log_warn("setsockopt IPTOS_LOWDELAY");

+#ifdef IPV6_V6ONLY
+   if (la->sa.ss_family == AF_INET6 && setsockopt(la->fd,
+   IPPROTO_IPV6, IPV6_V6ONLY, , sizeof(on)) == -1)
+   log_warn("setsockopt IPV6_V6ONLY");
+#endif
+
if (la->rtable != -1 &&
setsockopt(la->fd, SOL_SOCKET, SO_RTABLE, >rtable,

Re: [PATCH]: remove references to "outlen" from tls_init.3.

[Brent Cook]

yes, that is correct - ok bcook@

On Sun, Apr 24, 2016 at 2:06 AM, Jason McIntyre  wrote:

> On Sat, Apr 23, 2016 at 06:24:58PM +0200, Remco wrote:
> > Index: tls_init.3
> >
> > ===
> >
>
> i think your diff is correct - in -r1.33 beck altered this to "document
> changed tls_read and tls_write semantics".
>
> i'm less convinced about stating that it may return an error code -
> nothing else is documented that way, and i think it's obvious anyway. to
> be fair, i can;t honestly tell by looking at the code if it returns
> anything at all, so i'm guessing that hasn't changed.
>
> so, i'll commit the diff below soon, unless i hear it's wrong.
> jmc
>
> Index: tls_init.3
> ===
> RCS file: /cvs/src/lib/libtls/tls_init.3,v
> retrieving revision 1.55
> diff -u -r1.55 tls_init.3
> --- tls_init.3  24 Apr 2016 07:02:07 -  1.55
> +++ tls_init.3  24 Apr 2016 07:03:13 -
> @@ -550,8 +550,7 @@
>  .Fa buflen
>  bytes of data from the socket into
>  .Fa buf .
> -The amount of data read is returned in
> -.Fa outlen .
> +It returns the amount of data read.
>  .It
>  .Fn tls_write
>  writes
> @@ -559,8 +558,7 @@
>  bytes of data from
>  .Fa buf
>  to the socket.
> -The amount of data written is returned in
> -.Fa outlen .
> +It returns the amount of data written.
>  .It
>  .Fn tls_close
>  closes a connection after use.
>
>

Fix examples for EVP_PKEY_CTX_set_rsa_padding

[Brent Cook]

Noted here, https://github.com/libressl-portable/portable/issues/161, we
document a non-existent constant in the examples
for EVP_PKEY_CTX_set_rsa_padding. Is this the correct one to use?

Index: EVP_PKEY_decrypt.pod
===
RCS file: /cvs/src/lib/libssl/src/doc/crypto/EVP_PKEY_decrypt.pod,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 EVP_PKEY_decrypt.pod
--- EVP_PKEY_decrypt.pod13 Jul 2014 15:42:42 -  1.3
+++ EVP_PKEY_decrypt.pod12 Mar 2016 21:28:57 -
@@ -60,7 +60,7 @@ Decrypt data using OAEP (for RSA keys):
/* Error occurred */
  if (EVP_PKEY_decrypt_init(ctx) <= 0)
/* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0)
+ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0)
/* Error */

  /* Determine buffer length */
Index: EVP_PKEY_encrypt.pod
===
RCS file: /cvs/src/lib/libssl/src/doc/crypto/EVP_PKEY_encrypt.pod,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 EVP_PKEY_encrypt.pod
--- EVP_PKEY_encrypt.pod13 Jul 2014 15:42:42 -  1.3
+++ EVP_PKEY_encrypt.pod12 Mar 2016 21:28:57 -
@@ -60,7 +60,7 @@ Encrypt data using OAEP (for RSA keys):
/* Error occurred */
  if (EVP_PKEY_encrypt_init(ctx) <= 0)
/* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0)
+ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0)
/* Error */

  /* Determine buffer length */

Re: ntpd: really enable debug messages

[Brent Cook]

On Sat, Jan 23, 2016 at 08:48:22PM +0100, Reyk Floeter wrote:
> On Sat, Jan 23, 2016 at 12:39:19PM -0600, Brent Cook wrote:
> > I'm going with this instead. That way it works like the manual
> > specifies already (-v enables logging debug messages)
> >
>
> Yes, the -v flag is better, but see below.
>
> > cvs server: Diffing .
> > Index: ntpd.c
> > ===
> > RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
> > retrieving revision 1.103
> > diff -u -p -r1.103 ntpd.c
> > --- ntpd.c  11 Jan 2016 15:30:56 -  1.103
> > +++ ntpd.c  23 Jan 2016 18:36:52 -
> > @@ -138,7 +138,7 @@ main(int argc, char *argv[])
> > switch (ch) {
> > case 'd':
> > lconf.debug = 1;
> > -   log_verbose(1);
> > +   log_verbose(2);
>
> This will get overridden by the various log_init() calls later.
>
> You should better set a "verbose" variable in the switch statements
> and call log_verbose() after the various log_init() calls later
> (ntpd's puristic privsep has to call it in various places).
>
>   log_init(..)
>   log_verbose(verbose)
>
> Splitting log_init() and log_verbose() allowed us to change the
> verbose flag during runtime; for example "relayctl verbose" allows to
> toggle the flag and calls log_verbose() internally.  Maybe ntpctl is
> too minimalistic for it, but I would prefer if ntpd could follow the
> same/similar semantics in its main().
>

How's this? It makes the logic look just like relayd. This was a good
exercise, because I found a nice bug while trying to exercise the
log_debug messages. ok?

Index: ntpd.h
===
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.h,v
retrieving revision 1.127
diff -u -p -r1.127 ntpd.h
--- ntpd.h  19 Dec 2015 20:44:35 -  1.127
+++ ntpd.h  24 Jan 2016 19:07:25 -
@@ -213,9 +213,10 @@ struct ntpd_conf {
struct ntp_status   status;
struct ntp_freq freq;
u_int32_t   scale;
+   int debug;
+   int verbose;
u_int8_tlisten_all;
u_int8_tsettime;
-   u_int8_tdebug;
u_int8_tnoaction;
u_int8_tfilters;
time_t  constraint_last;
Index: ntpd.c
===
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
retrieving revision 1.103
diff -u -p -r1.103 ntpd.c
--- ntpd.c  11 Jan 2016 15:30:56 -  1.103
+++ ntpd.c  24 Jan 2016 19:07:25 -
@@ -132,18 +132,16 @@ main(int argc, char *argv[])

memset(, 0, sizeof(lconf));

-   log_init(1, LOG_DAEMON);/* log to stderr until daemonized */
-
while ((ch = getopt(argc, argv, "df:nsSv")) != -1) {
switch (ch) {
case 'd':
-   lconf.debug = 1;
-   log_verbose(1);
+   lconf.debug = 2;
break;
case 'f':
conffile = optarg;
break;
case 'n':
+   lconf.debug = 2;
lconf.noaction = 1;
break;
case 's':
@@ -153,7 +151,7 @@ main(int argc, char *argv[])
lconf.settime = 0;
break;
case 'v':
-   log_verbose(1);
+   lconf.verbose++;
break;
default:
usage();
@@ -161,6 +159,9 @@ main(int argc, char *argv[])
}
}

+   /* log to stderr until daemonized */
+   log_init(lconf.debug ? lconf.debug : 1, LOG_DAEMON);
+
argc -= optind;
argv += optind;
if (argc > 0)
@@ -190,6 +191,7 @@ main(int argc, char *argv[])
reset_adjtime();
if (!lconf.settime) {
log_init(lconf.debug, LOG_DAEMON);
+   log_verbose(lconf.verbose);
if (!lconf.debug)
if (daemon(1, 0))
fatal("daemon");
@@ -269,6 +271,7 @@ main(int argc, char *argv[])
lconf.settime = 0;
timeout = INFTIM;
log_

Re: ntpd: really enable debug messages

[Brent Cook]

I'm going with this instead. That way it works like the manual
specifies already (-v enables logging debug messages)

cvs server: Diffing .
Index: ntpd.c
===
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
retrieving revision 1.103
diff -u -p -r1.103 ntpd.c
--- ntpd.c  11 Jan 2016 15:30:56 -  1.103
+++ ntpd.c  23 Jan 2016 18:36:52 -
@@ -138,7 +138,7 @@ main(int argc, char *argv[])
switch (ch) {
case 'd':
lconf.debug = 1;
-   log_verbose(1);
+   log_verbose(2);
break;
case 'f':
conffile = optarg;
@@ -153,7 +153,7 @@ main(int argc, char *argv[])
lconf.settime = 0;
break;
case 'v':
-   log_verbose(1);
+   log_verbose(2);
break;
default:
usage();

On Wed, Jan 20, 2016 at 7:23 AM, Sebastian Benoit <be...@openbsd.org> wrote:
> in relayd we use -v for that, so you need to run -d to get lots of
> output. check main() there?
>
> i think thats more intuitive, but maybe i'm just used to it.
>
> Brent Cook(bust...@gmail.com) on 2016.01.20 06:31:44 -0600:
>> Since the relatively recent logging unification, log_init needs a
>> debug level > 1 in order for log_debug to print anything. This change
>> makes it so 'ntpd -d' stays in the foreground but doesn't log much
>> (the current behavior, different than previous releases though), 'ntpd
>> -dd' actually prints more verbose debug messages.
>>
>> Index: ntpd.8
>> ===
>> RCS file: /cvs/src/usr.sbin/ntpd/ntpd.8,v
>> retrieving revision 1.40
>> diff -u -p -u -p -r1.40 ntpd.8
>> --- ntpd.8  30 Oct 2015 16:41:53 -  1.40
>> +++ ntpd.8  20 Jan 2016 12:31:16 -
>> @@ -50,6 +50,7 @@ If this option is specified,
>>  .Nm
>>  will run in the foreground and log to
>>  .Em stderr .
>> +It may be specified again to enable more verbose debug logs.
>>  .It Fl f Ar file
>>  Use
>>  .Ar file
>> Index: ntpd.c
>> ===
>> RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
>> retrieving revision 1.103
>> diff -u -p -u -p -r1.103 ntpd.c
>> --- ntpd.c  11 Jan 2016 15:30:56 -  1.103
>> +++ ntpd.c  20 Jan 2016 12:31:16 -
>> @@ -137,7 +137,7 @@ main(int argc, char *argv[])
>> while ((ch = getopt(argc, argv, "df:nsSv")) != -1) {
>> switch (ch) {
>> case 'd':
>> -   lconf.debug = 1;
>> +   lconf.debug++;
>> log_verbose(1);
>> break;
>> case 'f':
>>
>
> --

ntpd: really enable debug messages

[Brent Cook]

Since the relatively recent logging unification, log_init needs a
debug level > 1 in order for log_debug to print anything. This change
makes it so 'ntpd -d' stays in the foreground but doesn't log much
(the current behavior, different than previous releases though), 'ntpd
-dd' actually prints more verbose debug messages.

Index: ntpd.8
===
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.8,v
retrieving revision 1.40
diff -u -p -u -p -r1.40 ntpd.8
--- ntpd.8  30 Oct 2015 16:41:53 -  1.40
+++ ntpd.8  20 Jan 2016 12:31:16 -
@@ -50,6 +50,7 @@ If this option is specified,
 .Nm
 will run in the foreground and log to
 .Em stderr .
+It may be specified again to enable more verbose debug logs.
 .It Fl f Ar file
 Use
 .Ar file
Index: ntpd.c
===
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
retrieving revision 1.103
diff -u -p -u -p -r1.103 ntpd.c
--- ntpd.c  11 Jan 2016 15:30:56 -  1.103
+++ ntpd.c  20 Jan 2016 12:31:16 -
@@ -137,7 +137,7 @@ main(int argc, char *argv[])
while ((ch = getopt(argc, argv, "df:nsSv")) != -1) {
switch (ch) {
case 'd':
-   lconf.debug = 1;
+   lconf.debug++;
log_verbose(1);
break;
case 'f':

Re: nc(1) - fix use of certificates for TLS

[Brent Cook]

Applied, thanks Andreas!

On Sun, Jan 3, 2016 at 7:01 PM, Andreas Bartelt  wrote:
> Hello,
>
> the use of certificates for TLS didn't work with nc(1). Fix is attached.
>
> Best regards
> Andreas

[nc] rename sun to s_un (for building on Solaris)

[Brent Cook]

Finally getting around to trying out nc on some more platforms for
LibreSSL-portable, and ran into Sun/Oracle's silly definition of 'sun'
in the system headers. OK to rename the local sockaddr_un variables?

Portable contains a patch full of #ifdef's around other systems-specific
nc features (e.g. rdomain support). I'm not sure if any of those
should also move into cvs or stay in the portable patch.

Index: netcat.c
===
RCS file: /cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.143
diff -u -p -u -p -r1.143 netcat.c
--- netcat.c13 Nov 2015 18:13:13 -  1.143
+++ netcat.c22 Nov 2015 22:26:08 -
@@ -643,7 +643,7 @@ main(int argc, char *argv[])
 int
 unix_bind(char *path, int flags)
 {
-   struct sockaddr_un sun;
+   struct sockaddr_un s_un;
int s;

/* Create unix domain socket. */
@@ -651,17 +651,17 @@ unix_bind(char *path, int flags)
0)) < 0)
return (-1);

-   memset(, 0, sizeof(struct sockaddr_un));
-   sun.sun_family = AF_UNIX;
+   memset(_un, 0, sizeof(struct sockaddr_un));
+   s_un.sun_family = AF_UNIX;

-   if (strlcpy(sun.sun_path, path, sizeof(sun.sun_path)) >=
-   sizeof(sun.sun_path)) {
+   if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >=
+   sizeof(s_un.sun_path)) {
close(s);
errno = ENAMETOOLONG;
return (-1);
}

-   if (bind(s, (struct sockaddr *), sizeof(sun)) < 0) {
+   if (bind(s, (struct sockaddr *)_un, sizeof(s_un)) < 0) {
close(s);
return (-1);
}
@@ -737,7 +737,7 @@ tls_setup_server(struct tls *tls_ctx, in
 int
 unix_connect(char *path)
 {
-   struct sockaddr_un sun;
+   struct sockaddr_un s_un;
int s;

if (uflag) {
@@ -748,16 +748,16 @@ unix_connect(char *path)
return (-1);
}

-   memset(, 0, sizeof(struct sockaddr_un));
-   sun.sun_family = AF_UNIX;
+   memset(_un, 0, sizeof(struct sockaddr_un));
+   s_un.sun_family = AF_UNIX;

-   if (strlcpy(sun.sun_path, path, sizeof(sun.sun_path)) >=
-   sizeof(sun.sun_path)) {
+   if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >=
+   sizeof(s_un.sun_path)) {
close(s);
errno = ENAMETOOLONG;
return (-1);
}
-   if (connect(s, (struct sockaddr *), sizeof(sun)) < 0) {
+   if (connect(s, (struct sockaddr *)_un, sizeof(s_un)) < 0) {
close(s);
return (-1);
}

openssl.cnf req defaults -> default_md sha256

[Brent Cook]

U

On Tue, Oct 20, 2015 at 12:12 AM, Jonathan Gray > wrote:
> On Wed, Oct 01, 2014 at 10:53:34AM +0100, Stuart Henderson wrote:
>> On 2014/10/01 19:05, Joel Sing wrote:
>> > > I should also add that the other obvious/easy "fix" is to initialise
digest
>> > > in openssl/req.c to the SHA-256 EVP. That only changes 'openssl req'
>> > > though.
>> > >
>> > > > (and yes, clearly I've spent too much time in this code base
recently...
>> > > > :)
>> > > >
>> > > > > Index: openssl.cnf
>> > > > >
===
>> > > > > RCS file: /cvs/src/lib/libcrypto/openssl.cnf,v
>> > > > > retrieving revision 1.1
>> > > > > diff -u -p -r1.1 openssl.cnf
>> > > > > --- openssl.cnf   11 Apr 2014 22:51:53 -  1.1
>> > > > > +++ openssl.cnf   30 Sep 2014 22:42:53 -
>> > > > > @@ -7,7 +7,8 @@
>> > > > >
>> > > > >

>> > > > >  [ req ]
>> > > > > -default_bits = 1024
>> > > > > +default_bits = 2048
>> > > > > +default_md   = sha256
>> > > > >  default_keyfile  = privkey.pem
>> > > > >  distinguished_name   = req_distinguished_name
>> > > > >  attributes   = req_attributes
>> >
>> > The following does this, however note that the default_bits of 1024
from
>> > openssl.cnf trumps the 2048 in the define... we probably should also
stop
>> > making EVP_des_ede3_cbc() the default cipher...
>>
>> I think I prefer it this way (changing usr.bin/openssl rather than
>> the library) as there's less risk of impact in unpredictable areas.
>> How about this one?
>
> Any reason to not change the default for crl/ocsp/fingerprints as well?
>
> It looks like openssl(1) could use updating:
> "The digest of choice for all new applications is SHA1."

I like this idea, of course with a man page update as well.

> Index: crl.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/crl.c,v
> retrieving revision 1.9
> diff -u -p -r1.9 crl.c
> --- crl.c   17 Oct 2015 15:00:11 -  1.9
> +++ crl.c   20 Oct 2015 04:48:26 -
> @@ -243,7 +243,7 @@ crl_main(int argc, char **argv)
> }
> }
>
> -   digest = EVP_sha1();
> +   digest = EVP_sha256();
>
> memset(_config, 0, sizeof(crl_config));
> crl_config.informat = FORMAT_PEM;
> Index: ocsp.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/ocsp.c,v
> retrieving revision 1.7
> diff -u -p -r1.7 ocsp.c
> --- ocsp.c  17 Oct 2015 15:00:11 -  1.7
> +++ ocsp.c  20 Oct 2015 04:47:42 -
> @@ -355,7 +355,7 @@ ocsp_main(int argc, char **argv)
> if (!cert)
> goto end;
> if (!cert_id_md)
> -   cert_id_md = EVP_sha1();
> +   cert_id_md = EVP_sha256();
> if (!add_ocsp_cert(, cert,
cert_id_md, issuer, ids))
> goto end;
> if (!sk_OPENSSL_STRING_push(reqnames,
*args))
> @@ -366,7 +366,7 @@ ocsp_main(int argc, char **argv)
> if (args[1]) {
> args++;
> if (!cert_id_md)
> -   cert_id_md = EVP_sha1();
> +   cert_id_md = EVP_sha256();
> if (!add_ocsp_serial(, *args,
cert_id_md, issuer, ids))
> goto end;
> if (!sk_OPENSSL_STRING_push(reqnames,
*args))
> Index: x509.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/x509.c,v
> retrieving revision 1.12
> diff -u -p -r1.12 x509.c
> --- x509.c  17 Oct 2015 15:00:11 -  1.12
> +++ x509.c  20 Oct 2015 04:50:25 -
> @@ -788,7 +788,7 @@ bad:
> const EVP_MD *fdig = digest;
>
> if (!fdig)
> -   fdig = EVP_sha1();
> +   fdig = EVP_sha256();
>
> if (!X509_digest(x, fdig, md, )) {
> BIO_printf(bio_err, "out of
memory\n");
>

Re: minor reallocarray() change

[Brent Cook]

It be significant that this patch slowed me browser because o' it's length.

Methinks you deserve t' be keelhauled for such transgressions.

Re: openvpn-2.3.8p1 segv in libcrypto BN_bn2dec on OpenBSD/i386 current Sep 16, 2015

[Brent Cook]

I think this is the right thing to do for now. ok bcook@

On Thu, Sep 17, 2015 at 5:19 PM, Stuart Henderson  wrote:
> CC'ing tech@.
>
> The last commit to bn_print.c is wrong, it dereferences t while it's still 
> NULL.
>
> Backout diff below.
>
>
> On 2015/09/17 22:42, Mikolaj Kucharski wrote:
>> Hi,
>>
>> Does anyone see this as well? I've just upgraded to:
>>
>> OpenBSD 5.8-current (GENERIC) #1164: Wed Sep 16 21:16:53 MDT 2015
>> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>>
>> and to openvpn-2.3.8 from packages but it segfaulted during connecting
>> by remote client. Then I've recompiled by hand with DEBUG='-g' from
>> ports and now running openvpn-2.3.8p1, but facing the same issue.
>>
>> To be able to get core dump, needed to run openvpn as root, but the same
>> segfault happens when openvpn drops priviliges.
>>
>> Before that I was running snapshot from Aug 13 with packages and I
>> didn't had that problem.
>>
>> Let me know if you need any more info.
>>
>>
>> # /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf --mtu-test
>> Thu Sep 17 22:16:17 2015 OpenVPN 2.3.8 i386-unknown-openbsd5.8 [SSL 
>> (OpenSSL)] [LZO] [MH] [IPv6] built on Sep 17 2015
>> Thu Sep 17 22:16:17 2015 library versions: LibreSSL 2.3.0, LZO 2.09
>> Thu Sep 17 22:16:17 2015 mlockall call succeeded
>> Thu Sep 17 22:16:17 2015 WARNING: you are using chroot without specifying 
>> user and group -- this may cause the chroot jail to be insecure
>> Thu Sep 17 22:16:22 2015 Diffie-Hellman initialized with 4096 bit key
>> Thu Sep 17 22:16:22 2015 Control Channel Authentication: using 
>> 'certs/hmac.key' as a OpenVPN static key file
>> Thu Sep 17 22:16:22 2015 Outgoing Control Channel Authentication: Using 512 
>> bit message hash 'SHA512' for HMAC authentication
>> Thu Sep 17 22:16:22 2015 Incoming Control Channel Authentication: Using 512 
>> bit message hash 'SHA512' for HMAC authentication
>> Thu Sep 17 22:16:22 2015 Socket Buffers: R=[41600->65536] S=[9216->65536]
>> Thu Sep 17 22:16:22 2015 TUN/TAP device tun2 exists previously, keep at 
>> program end
>> Thu Sep 17 22:16:22 2015 TUN/TAP device /dev/tun2 opened
>> Thu Sep 17 22:16:22 2015 do_ifconfig, tt->ipv6=1, 
>> tt->did_ifconfig_ipv6_setup=1
>> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 192.168.202.1 192.168.202.1 mtu 
>> 1500 netmask 255.255.255.0 up -link0
>> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 inet6 
>> 2001:::::::1/64
>> Thu Sep 17 22:16:22 2015 
>> add_route_ipv6(2001:::::::/64 -> 
>> 2001:::::::1 metric 0) dev tun2
>> Thu Sep 17 22:16:22 2015 /sbin/route add -inet6 
>> 2001::::::: -prefixlen 64 
>> 2001:::::::1
>> route: writing to routing socket: File exists
>> add net 2001:::::::: gateway 
>> 2001:::::::1: File exists
>> Thu Sep 17 22:16:22 2015 ERROR: OpenBSD route add -inet6 command failed: 
>> external program exited with error status: 1
>> Thu Sep 17 22:16:22 2015 /sbin/route add -net 192.168.202.0 192.168.202.1 
>> -netmask 255.255.255.0
>> add net 192.168.202.0: gateway 192.168.202.1
>> Thu Sep 17 22:16:22 2015 chroot to '/var/openvpn' and cd to '/' succeeded
>> Thu Sep 17 22:16:22 2015 UDPv4 link local (bound): [undef]
>> Thu Sep 17 22:16:22 2015 UDPv4 link remote: [undef]
>> Thu Sep 17 22:16:22 2015 MULTI: multi_init called, r=256 v=256
>> Thu Sep 17 22:16:22 2015 IFCONFIG POOL IPv6: (IPv4) size=252, 
>> size_ipv6=65536, netbits=64, 
>> base_ipv6=2001:::::::1000
>> Thu Sep 17 22:16:22 2015 IFCONFIG POOL: base=192.168.202.2 size=252, ipv6=1
>> Thu Sep 17 22:16:22 2015 Initialization Sequence Completed
>> Thu Sep 17 22:16:32 2015 83.xxx.xxx.xxx:48100 TLS: Initial packet from 
>> [AF_INET]83.xxx.xxx.xxx:48100, sid=41b68ea4 12015b6e
>> Segmentation fault (core dumped)
>>
>>
>>
>> (gdb) bt
>> #0  BN_bn2dec (a=0x805e8460) at 
>> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bn/bn_print.c:117
>> #1  0x179a2aa0 in backend_x509_get_serial (cert=0x8308b500, gc=0xcf7d0320) 
>> at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:229
>> #2  0x179a0345 in verify_cert_set_env (x509_track=, 
>> common_name=, subject=, cert_depth=> out>, peer_cert=, es=0x78d2d230) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:438
>> #3  verify_cert (session=0x8130a6bc, cert=0x8308b500, cert_depth=0) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:665
>> #4  0x179a2d26 in verify_callback (preverify_ok=1, ctx=0xcf7d05d4) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:84
>> #5  0x05aebfcf in internal_verify (ctx=0xcf7d05d4) at 
>> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:1612
>> #6  0x05aed6b2 in X509_verify_cert (ctx=0xcf7d05d4) at 
>> 

Re: openssl(1) remove redundant defines

[Brent Cook]

On Wed, Sep 9, 2015 at 9:43 PM, Lawrence Teo <l...@openbsd.org> wrote:
> On Wed, Sep 09, 2015 at 11:17:55AM -0500, Brent Cook wrote:
>> On Wed, Sep 9, 2015 at 10:15 AM, Todd C. Miller
>> <todd.mil...@courtesan.com> wrote:
>> > On Wed, 09 Sep 2015 10:02:17 -0400, Lawrence Teo wrote:
>> >> In s_time.c, NO_SHUTDOWN is always defined, so there is no need for a
>> >> bunch of NO_SHUTDOWN #ifdef blocks.
>> >
>> > I'm less sure about this as without calling SSL_shutdown() the
>> > client is not notified.  I suppose that's intentional as s_time is
>> > just for timing connections?
>> >
>> >  - todd
>> >
>>
>> OK, who has a camera looking over my shoulder? I was just looking at this :)
>
> Oops!  Please pay no attention to the drone buzzing behind you. :)
>
>> TBH, I'd rather this were a flag rather than a define. Yes, a knob,
>> but this is a benchmark that really should be able to benchmark a full
>> TLS connection and shutdown to be accurate. The default behavior of
>> faking out the shutdown state machine does make the this run about 25%
>> faster, but I would have never known that if not for playing with the
>> define.
>
> Thank you all for the feedback.  I agree that a flag would be preferred
> over recompiling openssl(1).
>
> Here's a diff that adds a flag called -no_shutdown (the underscore is
> there to match the -no_* flags used by other openssl(1) commands).
>
> The diff also changes the behavior of s_time so that it will perform
> a proper full shutdown by default (i.e. if -no_shutdown is not
> specified).
>
> Thoughts?

Nice, I like this better, and the behavior change makes it a little more honest
(but still allows apples-to-apples comparison with OpenSSL's version).

ok bcook@

>
> Index: openssl.1
> ===
> RCS file: /cvs/src/usr.bin/openssl/openssl.1,v
> retrieving revision 1.19
> diff -u -p -u -p -r1.19 openssl.1
> --- openssl.1   11 Aug 2015 05:01:03 -  1.19
> +++ openssl.1   10 Sep 2015 01:51:18 -
> @@ -7074,6 +7074,7 @@ unknown cipher suites a client says it s
>  .Op Fl key Ar keyfile
>  .Op Fl nbio
>  .Op Fl new
> +.Op Fl no_shutdown
>  .Op Fl reuse
>  .Op Fl time Ar seconds
>  .Op Fl verify Ar depth
> @@ -7135,6 +7136,10 @@ nor
>  .Fl reuse
>  are specified,
>  they are both on by default and executed in sequence.
> +.It Fl no_shutdown
> +Shutdown the connection without sending a
> +.Dq close notify
> +shutdown alert to the server.
>  .It Fl reuse
>  Performs the timing test using the same session ID;
>  this can be used as a test that session caching is working.
> Index: s_time.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
> retrieving revision 1.9
> diff -u -p -u -p -r1.9 s_time.c
> --- s_time.c22 Aug 2015 16:36:05 -  1.9
> +++ s_time.c10 Sep 2015 01:58:17 -
> @@ -56,8 +56,6 @@
>   * [including the GNU Public Licence.]
>   */
>
> -#define NO_SHUTDOWN
> -
>  /*-
> s_time - SSL client connection timer program
> Written and donated by Larry Streepy <stre...@healthcare.com>
> @@ -114,6 +112,7 @@ struct {
> char *keyfile;
> int maxtime;
> int nbio;
> +   int no_shutdown;
> int perform;
> int verify;
> int verify_depth;
> @@ -184,6 +183,12 @@ struct option s_time_options[] = {
> .value = 1,
> },
> {
> +   .name = "no_shutdown",
> +   .desc = "Shutdown the connection without notifying the 
> server",
> +   .type = OPTION_FLAG,
> +   .opt.flag = _time_config.no_shutdown,
> +   },
> +   {
> .name = "reuse",
> .desc = "Reuse the same session ID for each connection",
> .type = OPTION_VALUE,
> @@ -221,7 +226,7 @@ s_time_usage(void)
> "usage: s_time "
> "[-bugs] [-CAfile file] [-CApath directory] [-cert file]\n"
> "[-cipher cipherlist] [-connect host:port] [-key keyfile]\n"
> -   "[-nbio] [-new] [-reuse] [-time seconds]\n"
> +   "[-nbio] [-new] [-no_shutdown] [-reuse] [-time seconds]\n"
> "[-verify depth] [-www page]\n\n");
> options_usage(s_time_options);
>  }
> @@ -341,11 +346,11 @@ s_time_main(int argc, char **argv)
> while ((i = SSL_read(scon, buf, si

Re: openssl(1) remove redundant defines

[Brent Cook]

On Wed, Sep 9, 2015 at 10:15 AM, Todd C. Miller
 wrote:
> On Wed, 09 Sep 2015 10:02:17 -0400, Lawrence Teo wrote:
>
>> This diff removes redundant defines in two files.
>>
>> In s_socket.c, SOCKET_PROTOCOL is defined as IPPROTO_TCP, but it's only
>> used once.
>
> OK.
>
>> In s_time.c, NO_SHUTDOWN is always defined, so there is no need for a
>> bunch of NO_SHUTDOWN #ifdef blocks.
>
> I'm less sure about this as without calling SSL_shutdown() the
> client is not notified.  I suppose that's intentional as s_time is
> just for timing connections?
>
>  - todd
>

OK, who has a camera looking over my shoulder? I was just looking at this :)

TBH, I'd rather this were a flag rather than a define. Yes, a knob,
but this is a benchmark that really should be able to benchmark a full
TLS connection and shutdown to be accurate. The default behavior of
faking out the shutdown state machine does make the this run about 25%
faster, but I would have never known that if not for playing with the
define.

LibreSSL 2.2.3 Prerelease available for testing

[Brent Cook]

We have put together a prerelease of LibreSSL 2.2.3. This release
primarily targets a bug that causes connections with some SSL clients
to fail during the initial handshake. Preliminary release notes and a
tarball are available at the following link:

https://github.com/libressl-portable/portable/releases/tag/v2.2.3

Re: LibreSSL 2.2.2 release

[Brent Cook]

On Wed, Aug 12, 2015 at 1:29 PM, Mark Kettenis mark.kette...@xs4all.nl wrote:
 Date: Tue, 11 Aug 2015 09:15:43 -0600
 From: Bob Beck b...@obtuse.com

 I'm wondering out loud if these versions should follow the openbsd shlib
 major minor numbers.  That is where we are careful about semantic
 versioning for api change/add/remove

 No.  Shared library versions are tracking the ABI.  What's wanted here
 is something that tracks API, including bug fixes and such.

 People really expect something like a package version here such that
 they can add a check into their autoconf script that the installed
 version of a package is new enough to provide the functionality their
 software needs.  Doing something clever here is not going to help
 people.  If a configure script fails telling me to get libcrypto
 version 34.2, how do I determine what version of LibreSSL I need to
 install?

 One possible reason to deviate from using the LibreSSL release version
 would be if we want to continue to be a drop-in replacement for
 OpenSSL.  In that case continuing to adevrtise a reasonable OpenSSL
 version number for openssl.pc, libcrypto.pc and libssl.pc might make
 sense.  Probably best to involve ports people in that decision though.

I have updated the .pc files to report @VERSION@ for LibreSSL-portable
now (which is reported as 2.3.0, not 2:3:0). Note that openssl.pc
always reported @VERSION@ anyway, so it is not a big deviation for the
library .pc files to do the same.

Thanks
 - Brent

Re: LibreSSL 2.2.2 release

[Brent Cook]

On Mon, Aug 10, 2015 at 5:10 AM, Mark Kettenis mark.kette...@xs4all.nl wrote:
 Jan Engelhardt schreef op 2015-08-10 10:29:

 On Monday 2015-08-10 02:38, Brent Cook wrote:

 On Aug 9, 2015, at 10:07 AM, Jan Engelhardt jeng...@inai.de wrote:

 We have released LibreSSL 2.2.2, which will be arriving in the
 LibreSSL directory of your local OpenBSD mirror soon.


 The .pc files in libressl-2.2.2 upset the package mechanisms at hand, in
 particular rpm, where ':' is used to denote the (ancient concept of)
 epochs.

 [   99s] Invalid version (double separator ':'): 35:0:0:
 mingw32(pkg:libcrypto) = 35:0:0
 [   99s] mingw32(pkg:libssl) = 35:0:0
 [   99s] mingw32(pkg:libtls) = 6:0:0
 [   99s] mingw32(pkg:openssl) = 2.2.2

 The version: field in .pc files is (still) supposed to be the
 package version number, not the ABI number, and this was not a problem
 in libressl = 2.2.1.


 Thanks for the note, Jan.

 Right or wrong, I'm fairly certain the format has not changed any time
 recently, e.g. here is the libtls .pc file from 2.2.1:


 So it turns out rpm does not consider it an error, just a warning (but it
 is the first time the warning showed up on the last screenful, the one
 paid most attention to).

 I'm not so sure that this should be the package version number though.
 Can you
 point to some further documentation here?


 pkg-config(1): Version:
 This   should  be  the  most-specific-possible  package  version
 string.

 * x:0:0 is not specific enough, as it would not change when the ABI-API
   stays unmodified between two releases.

 * the observation that all other .pc files I happen to have installed
   on my machine right now (some 194) all match \d+(\.\d+)*

Thanks. That matches my observation too.


 Right.  Brent, looks like you used the libtool version specification here,
 which is (primarily) about encoding the ABI.  But for pkg-config it's
 the API that's important.  Hence the tradition to simply use the package
 version number here, since that will change (by definition) when the API
 changes, but will also change when there are just some bug fixes (which
 people might want to check for).  Configure scripts will often contain
 checks
 for the package version number to be larger or equal (using pkg-config
 --atleast-version) to some version that is known to have all features
 required for building the software.

 So I think all the .pc files in LibreSSL should simply use the LibreSSL
 version number (2.2.2) like the openssl.pc does.  This does mean that
 checking
 for individual libraries in LibreSSL version 2.2.2 and older will probably
 busted, but such is life.  Not sure how the colon-separated version strings
 interact with --atleast-version.  Might be worth checking that out.

The main exception I found was that ffmpeg encoded ABI rather than API
in its .pc files too, but your explanations make sense to me.

I'm happy that people are noticing issues like this now, since it
means the files are getting some use :) I'll make the change for the
next release.

 Cheers,

 Mark

 P.S. OpenBSD still ships with .pc files that have 1.0.0 as the version
 number.  We might want to change that at some point, but this should be
 coordinated with the ports people.

LibreSSL 2.2.2 released

[Brent Cook]

We have released LibreSSL 2.2.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release marks the end of the OpenBSD 5.8 development cycle,
featuring expanded portable build support, code improvements, removal of
obsolete workarounds.

SSLv3 deprecation continues with its removal from openssl(1) and new
linker warnings on supported platforms, indicating if a program is still
using the SSLv3-only methods. We are working with upstream software
providers to update programs that were not ready for SSLv3 support to be
removed entirely yet.

 * Switched 'openssl dhparam' default from 512 to 2048 bits

 * Reworked openssl(1) option handling

 * More CRYPTO ByteString (CBC) packet parsing conversions

 * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success

 * Fixed dozens of Coverity issues including dead code, memory leaks,
   logic errors and more.

 * Ensure that openssl(1) restores terminal echo state after reading a
   password.

 * Incorporated fix for OpenSSL Issue #3683

 * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
   for each portable release.

 * Removed workarounds for TLS client padding bugs.

 * No longer disable ECDHE-ECDSA on OS X

 * Removed SSLv3 support from openssl(1)

 * Removed IE 6 SSLv3 workarounds.

 * Modified tls_write in libtls to allow partial writes, clarified with
   examples in the documentation.

 * Removed RSAX engine

 * Tested SSLv3 removal with the OpenBSD ports tree and found several
   applications that were not ready to build without SSLv3 yet. For now,
   building a program that intentionally uses SSLv3 will result in a
   linker warning.

 * Added TLS_method, TLS_client_method and TLS_server_method as a
   replacement for the SSLv23_*method calls.

 * Added initial cmake build support, including support for building
   with Visual Studio, currently working with Visual Studio 2013
   Community Edition. There are some issues with earlier versions of
   Visual Studio that will be resolved in a future release.

 * --with-enginesdir is removed as a configuration parameter

 * Default cert.pem, openssl.cnf, and x509v3.cnf files are now installed
   under $sysconfdir/ssl or the directory specified by
   --with-openssldir. Previous versions of LibreSSL left these empty.

The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible.

LibreSSL-portable 2.2.2 test release

[Brent Cook]

I have posted a test release of LibreSSL-portable 2.2.2 for testing here:

  https://github.com/libressl-portable/portable/releases/tag/v2.2.2-test

Let me know if I have missed anything in the Changelog, or if you run into any 
issues.

Thanks
- Brent

OpenNTPD: Remove _PATH_DEVNULL

[Brent Cook]

/dev/null will be available on any POSIX system, but _PATH_DEVNULL may
not, e.g. Solaris. There doesn't seem to be any advantage to
using the define (and we don't use it much in the tree either.)

http://pubs.opengroup.org/onlinepubs/95399/basedefs/xbd_chap10.html
---
 src/usr.sbin/ntpd/ntp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
index b89ddf2..ddb9cf1 100644
--- a/src/usr.sbin/ntpd/ntp.c
+++ b/src/usr.sbin/ntpd/ntp.c
@@ -125,7 +125,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf 
*nconf,
if ((se = getservbyname(ntp, udp)) == NULL)
fatal(getservbyname);

-   if ((nullfd = open(_PATH_DEVNULL, O_RDWR, 0)) == -1)
+   if ((nullfd = open(/dev/null, O_RDWR, 0)) == -1)
fatal(NULL);

close(pipe_prnt[0]);
--
2.4.5

OpenNTPD: replace bzero with memset

[Brent Cook]

This diff converts bzero calls to memset, which is more portable and
compilers can optimize as well.

---
 src/usr.sbin/ntpd/client.c  | 2 +-
 src/usr.sbin/ntpd/config.c  | 6 +++---
 src/usr.sbin/ntpd/control.c | 2 +-
 src/usr.sbin/ntpd/ntp.c | 6 +++---
 src/usr.sbin/ntpd/ntpd.c| 4 ++--
 src/usr.sbin/ntpd/parse.y   | 2 +-
 src/usr.sbin/ntpd/server.c  | 2 +-
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c
index 1d982d6..eca2467 100644
--- a/src/usr.sbin/ntpd/client.c
+++ b/src/usr.sbin/ntpd/client.c
@@ -215,7 +215,7 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
double   T1, T2, T3, T4;
time_t   interval;

-   bzero(somsg, sizeof(somsg));
+   memset(somsg, 0, sizeof(somsg));
iov[0].iov_base = buf;
iov[0].iov_len = sizeof(buf);
somsg.msg_iov = iov;
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index 3945405..7e2ecb6 100644
--- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c
@@ -65,7 +65,7 @@ host_v4(const char *s)
struct sockaddr_in  *sa_in;
struct ntp_addr *h;

-   bzero(ina, sizeof(struct in_addr));
+   memset(ina, 0, sizeof(struct in_addr));
if (inet_pton(AF_INET, s, ina) != 1)
return (NULL);

@@ -86,7 +86,7 @@ host_v6(const char *s)
struct sockaddr_in6 *sa_in6;
struct ntp_addr *h = NULL;

-   bzero(hints, sizeof(hints));
+   memset(hints, 0, sizeof(hints));
hints.ai_family = AF_INET6;
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
hints.ai_flags = AI_NUMERICHOST;
@@ -128,7 +128,7 @@ host_dns(const char *s, struct ntp_addr **hn)
struct sockaddr_in6 *sa_in6;
struct ntp_addr *h, *hh = NULL;

-   bzero(hints, sizeof(hints));
+   memset(hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM; /* DUMMY */
/* ntpd MUST NOT use AI_ADDRCONFIG here */
diff --git a/src/usr.sbin/ntpd/control.c b/src/usr.sbin/ntpd/control.c
index 3662971..fa95504 100644
--- a/src/usr.sbin/ntpd/control.c
+++ b/src/usr.sbin/ntpd/control.c
@@ -45,7 +45,7 @@ control_init(char *path)
return (-1);
}

-   bzero(sa, sizeof(sa));
+   memset(sa, 0, sizeof(sa));
sa.sun_family = AF_UNIX;
if (strlcpy(sa.sun_path, path, sizeof(sa.sun_path)) =
sizeof(sa.sun_path))
diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
index 50fc468..b89ddf2 100644
--- a/src/usr.sbin/ntpd/ntp.c
+++ b/src/usr.sbin/ntpd/ntp.c
@@ -188,7 +188,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf 
*nconf,
TAILQ_FOREACH(p, conf-ntp_peers, entry)
client_peer_init(p);

-   bzero(conf-status, sizeof(conf-status));
+   memset(conf-status, 0, sizeof(conf-status));

conf-freq.num = 0;
conf-freq.samples = 0;
@@ -246,8 +246,8 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf 
*nconf,
pfd_elms = new_cnt;
}

-   bzero(pfd, sizeof(*pfd) * pfd_elms);
-   bzero(idx2peer, sizeof(*idx2peer) * idx2peer_elms);
+   memset(pfd, 0, sizeof(*pfd) * pfd_elms);
+   memset(idx2peer, 0, sizeof(*idx2peer) * idx2peer_elms);
nextaction = getmonotime() + 3600;
pfd[PFD_PIPE_MAIN].fd = ibuf_main-fd;
pfd[PFD_PIPE_MAIN].events = POLLIN;
diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
index 045bdd4..3adf4dc 100644
--- a/src/usr.sbin/ntpd/ntpd.c
+++ b/src/usr.sbin/ntpd/ntpd.c
@@ -119,7 +119,7 @@ main(int argc, char *argv[])

conffile = CONFFILE;

-   bzero(lconf, sizeof(lconf));
+   memset(lconf, 0, sizeof(lconf));

log_init(1);/* log to stderr until daemonized */

@@ -557,7 +557,7 @@ ctl_main(int argc, char *argv[])
if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
err(1, ntpctl: socket);

-   bzero(sa, sizeof(sa));
+   memset(sa, 0, sizeof(sa));
sa.sun_family = AF_UNIX;
if (strlcpy(sa.sun_path, sockname, sizeof(sa.sun_path)) =
sizeof(sa.sun_path))
diff --git a/src/usr.sbin/ntpd/parse.y b/src/usr.sbin/ntpd/parse.y
index 4b9ef49..999ff24 100644
--- a/src/usr.sbin/ntpd/parse.y
+++ b/src/usr.sbin/ntpd/parse.y
@@ -426,7 +426,7 @@ rtable  : RTABLE NUMBER {
 void
 opts_default(void)
 {
-   bzero(opts, sizeof opts);
+   memset(opts, 0, sizeof opts);
opts.weight = 1;
opts.rtable = -1;
opts.stratum = 1;
diff --git a/src/usr.sbin/ntpd/server.c b/src/usr.sbin/ntpd/server.c
index ef448d3..9c71eed 100644
--- a/src/usr.sbin/ntpd/server.c
+++ b/src/usr.sbin/ntpd/server.c
@@ -175,7 +175,7 @@ server_dispatch(int fd, struct ntpd_conf *lconf)
if (ntp_getmsg((struct sockaddr *)fsa, buf, size, 

Bump LIBRESSL_VERSION defines

[Brent Cook]

Up to now, we have only bumped the LIBRESSL_VERSION_TEXT for each
portable release in the portable tree, and the VERSION_NUMBER has never
incremented.

This change establishes a policy of bumping the number for each portable
release, and syncs the version string between the portable and in-tree
releases. This is the simplest way to allow software not using
auto-configuration mechanisms to determine what LibreSSL version is in
use without breaking backward compatibility.

Index: src/crypto/opensslv.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/opensslv.h,v
retrieving revision 1.29
diff -u -p -u -p -r1.29 opensslv.h
--- src/crypto/opensslv.h   23 May 2015 21:09:46 -  1.29
+++ src/crypto/opensslv.h   16 Jul 2015 22:00:18 -
@@ -2,9 +2,13 @@
 #ifndef HEADER_OPENSSLV_H
 #define HEADER_OPENSSLV_H

-#define LIBRESSL_VERSION_NUMBER0x2000L
+/* These will change with each release of LibreSSL-portable */
+#define LIBRESSL_VERSION_NUMBER0x20020002L
+#define LIBRESSL_VERSION_TEXT  LibreSSL 2.2.2
+
+/* These will never change */
 #define OPENSSL_VERSION_NUMBER 0x2000L
-#define OPENSSL_VERSION_TEXT   LibreSSL 2.2
+#define OPENSSL_VERSION_TEXT   LIBRESSL_VERSION_TEXT
 #define OPENSSL_VERSION_PTEXT   part of  OPENSSL_VERSION_TEXT

 #define SHLIB_VERSION_HISTORY 

Re: LibreSSL 2.2.1 released - Windows version clarification

[Brent Cook]

On Wed, Jul 8, 2015 at 7:49 AM, Brent Cook bust...@gmail.com wrote:
 We have released LibreSSL 2.2.1, which will be arriving in the
 LibreSSL directory of your local OpenBSD mirror soon.

 This release continues from the OpenBSD 5.8 development tree, featuring
 expanded OS support, code improvements, and feature removal. Also note
 that SSLv3 support has not been removed yet, but it should happen soon.

 Notable changes in this release are:

   * Assorted build fixes for musl, HP-UX, Mingw, and Solaris.

   * Initial support for Windows 2009, 2003, and XP.

Update:

As I continue to receive emails stating that I must have made a typo
about Windows 2009 and 2003, I would like to point out that these are,
in fact, real! I have amended the Changelog to be more clear:

* Initial support for Windows Embeded 2009, Server 2003, XP

While these are not all consumer desktop editions, they share a common
core API level, and thus were supported by the same additions to the
LibreSSL portability layer. I thought it was worth mentioning simply
because these were the versions for which people have kindly sent me
test reports.

Thanks, and enjoy using LibreSSL.

 - Brent

LibreSSL 2.2.1 released

[Brent Cook]

We have released LibreSSL 2.2.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release continues from the OpenBSD 5.8 development tree, featuring
expanded OS support, code improvements, and feature removal. Also note
that SSLv3 support has not been removed yet, but it should happen soon.

Notable changes in this release are:

  * Assorted build fixes for musl, HP-UX, Mingw, and Solaris.

  * Initial support for Windows 2009, 2003, and XP.

  * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API

  * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL

  * Removed Dynamic Engine support

  * Removed MDC-2DES support

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

Re: error:0906D064:PEM routines:PEM_read_bio:bad base64

[Brent Cook]

 On Jun 30, 2015, at 1:52 AM, mxb m...@alumni.chalmers.se wrote:
 
 
 I’m sorry but I can’t provide private key. 
 It is basically production and not self-signed. Comes from Thawte.
 
 I’m able to produce output from ‘openssl enc -d base64  key’, 
 so issue from the link you pointed out is not on my side.
 
 I’m following OpenBSD-current by moving from snap to snap.
 I just actually started to deploy SSL acceleration with relayd, so I’m not 
 aware on
 any prev. working snap. I had older snap which produced this issue, so I 
 moved to
 up-to-date -CURRENT.
 
 Linux dist which working is FC20, with 'OpenSSL 1.0.1e-fips 11 Feb 2013’.
 I have 3 more key/cert pairs from Thawte. Those are OK both on FC20 and 
 OpenBSD-current.
 
 Question how do I debug this?
 I’m happy to apply any patches for testing.


It would be interesting to see if you're hitting any of the extra checks added 
here:

https://github.com/libressl-portable/openbsd/commit/d1114a9633e1f7004537f5238a5f1f111898ebeb

Would you be comfortable adding some extra output to the various failure points 
in EVP_DecodeUpdate to see where we are bailing out?

 Br
 //mxb
 
 On 30 jun 2015, at 05:25, Brent Cook bust...@gmail.com wrote:
 
 On Mon, Jun 29, 2015 at 1:22 AM, mxb m...@alumni.chalmers.se wrote:
 Hey,
 
 getting following error on OpenBSD-current as of yesterdays 'cvs up’:
 
 Does this imply that it worked in some earlier version of
 OpenBSD-current? If so, what was the version that worked?
 
 unable to load Private Key
 30008934842236:error:0906D064:PEM routines:PEM_read_bio:bad base64 
 decode:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/pem/pem_lib.c:822:
 
 Cmd issued: 'openssl rsa -noout -modulus -in key’
 
 ‘openssl version’: LibreSSL 2.2
 
 This key is OK with openssl on Linux
 
 It's probably silly to ask for a copy of your private key, but could
 you share an example of the input that is failing here? Maybe if you
 can generate a new pem file?
 
 I seem to recall an actually invalid base64 encoding issue that was
 reported last year. Does this seem relevant?
 
 http://tech.openbsd.narkive.com/tHdomkKq/libressl-base64-decoding-error
 
 Saying 'openssl on Linux' doesn't help us much (especially without a
 sample of the input), though something like 'OpenSSL 1.0.1e on Ubuntu
 14.04' might if we had something to test against.
 
 Br
 
 //mxb
 
 
 

Re: error:0906D064:PEM routines:PEM_read_bio:bad base64

[Brent Cook]

On Mon, Jun 29, 2015 at 1:22 AM, mxb m...@alumni.chalmers.se wrote:
 Hey,

 getting following error on OpenBSD-current as of yesterdays 'cvs up’:

Does this imply that it worked in some earlier version of
OpenBSD-current? If so, what was the version that worked?

 unable to load Private Key
 30008934842236:error:0906D064:PEM routines:PEM_read_bio:bad base64 
 decode:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/pem/pem_lib.c:822:

 Cmd issued: 'openssl rsa -noout -modulus -in key’

 ‘openssl version’: LibreSSL 2.2

 This key is OK with openssl on Linux

It's probably silly to ask for a copy of your private key, but could
you share an example of the input that is failing here? Maybe if you
can generate a new pem file?

I seem to recall an actually invalid base64 encoding issue that was
reported last year. Does this seem relevant?

http://tech.openbsd.narkive.com/tHdomkKq/libressl-base64-decoding-error

Saying 'openssl on Linux' doesn't help us much (especially without a
sample of the input), though something like 'OpenSSL 1.0.1e on Ubuntu
14.04' might if we had something to test against.

 Br

 //mxb

LibreSSL 2.1.7 and 2.2.0 released

[Brent Cook]

We have released LibreSSL 2.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release is the first from the OpenBSD 5.8 development tree and
features mainly on build system improvements and new OS support.

We have also released LibreSSL 2.1.7, which contains additional security
fixes.

  * AIX Support - thanks to Michael Felt

  * Cygwin Support - thanks to Corinna Vinschen

  * Refactored build macros, support packaging libtls independently.
There are more pieces required to support building and using OpenSSL
with libtls, but this is an initial start at providing an
independent package for people to start hacking on.

  * Removal of OPENSSL_issetugid and all library getenv calls.
Applications can and should no longer rely on environment variables
for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
supported with the openssl(1) command.

  * libtls API and documentation additions

  * Various bug fixes and simplifications to libssl and libcrypto

  * Fixes for the following issues are integrated into LibreSSL 2.1.7
and LibreSSL 2.2.0:
- CVE-2015-1788 - Malformed ECParameters causes infinite loop
- CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
- CVE-2015-1792 - CMS verify infinite loop with unknown hash function
  (this code is not enabled by default)

  * The following CVEs did not apply to LibreSSL or were fixed in earlier
releases:
- CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
- CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
- CVE-2014-8176 - Invalid free in DTLS

  * Fixes for the following CVEs are still in review for LibreSSL:
- CVE-2015-1791 - Race condition handling NewSessionTicket

Note: This will likely be the last 2.2.x release with support for SSLv3,
as it will be removed entirely from the main LibreSSL tree.

Windows binaries are currently delayed, but they should be available
next week. You can build them fairly easily using the dist-win.sh
script available in the LibreSSL portable git repository.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

Re: Thread-safe libcrypto by using weak symbols to pthread

[Brent Cook]

On Sun, Mar 29, 2015 at 4:51 AM, Carlos Martín Nieto c...@dwim.me wrote:
 On Sat, Mar 28, 2015 at 09:59:57PM -0700, Philip Guenther wrote:
 On Sat, 28 Mar 2015, Carlos Mart?n Nieto wrote:
  I?ve been looking into making libcrypto automatically thread-safe. The
  obvious solution is to use pthread to perform the locking instead of
  relying on the user to set locking callbacks, as the final user
  shouldn?t need to care that LibreSSL is involved in the dependencies at
  some level.

 Well.  How far is our reach on this?

 Solving this just for LibreSSL on OpenBSD?  I guess you diff works, though
 it doesn't work when libpthread can be loaded after startup as the
 bindings won't be updated.  If the goal is just this, then application
 writers in the wider software ecosystem won't even notice and will have to
 continue to use the callbacks, etc.

 Fixing this in LibreSSL (even if on all supported OSs) rather than in
 OpenSSL certainly gives this less reach, but as LibreSSL is a lot more
 focused on what it wants to support, it makes the implementation for
 this much less problematic.

Today in LibreSSL portable, we already either link -lpthread, or the
target OS has some sort of mutex support already factored into the C
library directly. I'd be in favor of just always having the mutexes
enabled. We're already unconditionally enabling mutexes in arc4random
- this is not much of a stretch.

I think it makes sense to make some parts of libtls independently
threadsafe too, such as tls_init.

Re: Code coverage report for LibreSSL tests

[Brent Cook]

On Wed, May 6, 2015 at 2:54 PM, Harri Porten por...@froglogic.com wrote:
 Hi!

 We've started to generate code coverage reports for test suites of some
 projects on a regular basis. You'll find on overview for LibreSSL (Portable)
 here:

  http://www.opencoverage.net/libressl/index_html/sources.html

 Out of 59877 conditions and decisions 13389, or 22.36% were covered during
 yesterdays run. OpenSSL currently has 67832 conditions/decisions, i.e. the
 project's goal of simplifying the code has been reached. The percentage
 covered through the test suite is lower however. Hence I wonder whether our
 use of the Linux port or our build configuration is to blame.

Testing the latest LibreSSL 2.2.0 development branch, I now get the
following result testing just the libraries (libtls, libcrypto,
libssl) as it appears is reported at opencoverage.net:

Overall coverage rate:
  lines..: 39.6% (28500 of 72029 lines)
  functions..: 42.0% (2299 of 5472 functions)
  branches...: 31.8% (13420 of 42223 branches)

After adding the openssl(1) command itself, the overall coverage looks
like this:

Overall coverage rate:
  lines..: 33.5% (29595 of 88381 lines)
  functions..: 40.4% (2339 of 5795 functions)
  branches...: 26.4% (14017 of 53168 branches)

The test script I used to generate this is here:

https://github.com/libressl-portable/portable/blob/master/gen-coverage-report.sh

Here is an example where these stats can be a little misleading: a
compatibility wrapper that has largely been turned into a no-op on
purpose. In fact, we probably want to make sure that _no_ functions in
this file are called eventually:

http://www.opencoverage.net/libressl/index_html/source_332.html

Re: Code coverage report for LibreSSL tests

[Brent Cook]

On Wed, May 6, 2015 at 2:54 PM, Harri Porten por...@froglogic.com wrote:
 Hi!

 We've started to generate code coverage reports for test suites of some
 projects on a regular basis. You'll find on overview for LibreSSL (Portable)
 here:

  http://www.opencoverage.net/libressl/index_html/sources.html

 Out of 59877 conditions and decisions 13389, or 22.36% were covered during
 yesterdays run. OpenSSL currently has 67832 conditions/decisions, i.e. the
 project's goal of simplifying the code has been reached. The percentage
 covered through the test suite is lower however. Hence I wonder whether our
 use of the Linux port or our build configuration is to blame.

 You might be able to use the reports for your coding and testing efforts.
 Attempts to increase test coverage can sometimes result in spotting of buggy
 code paths.

Hi Hari,

Nice tool! What version are you testing, the latest release or builds
straight from the source tree? There are a few more tests in the
OpenBSD that are not in portable release yet, though it is not a huge
amount. I just put in a PR to add a few more of the missing ones.

I have looked at the output from the 'gen-coverage-report.sh' script
that is in the libressl-portable source tree, and a large number of
untested functions were ones that were either simple aliases for other
functions, or empty stubs. Is there a way that lcov can be modified to
display condition coverage as well, or can either of these tools
segregate stub function coverage from real ones?

 - Brent

Re: libressl-2.1.6 on AIX

[Brent Cook]

Thanks Michael,

I have incorporated some initial AIX patches - can you please check out the 
latest tree?

https://github.com/libressl-portable/portable/commit/fe3f7fc6365bfaac3418a72256b8c11603e80cbf

https://github.com/libressl-portable/openbsd/commit/37d8e3c080e7c73158093f253d8e06fa1906dc03

There are a few changes from your original patch set, but this should make it 
easier to move forward now that they are in-tree. You can just patch on top of 
that rather than sending the whole thing.

I undid some of the formatting changes for the getentropy file so it matched 
the other files - the style is intentional between the files so its easy to 
diff between them to spot changes. The perfstat stuff moves into the inner loop 
like the other files as well. I added the network counters (we have network 
counters on OS X too), but also added wpar cpu stats.

The issetugid currently short circuits to always return '1' because I think it 
still needs some work, as we discussed earlier. If we can't find a way to make 
it work, a failsafe version isn't really a bad thing for most uses.

Also, I didn't add the configure.ac line that set CFLAGS to empty string that 
was in the original patch. The current master branch has switched to letting 
autoconf initialize the CFLAGS directly. This worked fine with gcc when I tried 
it, but I'd be interested in seeing how it works with other AIX compilers.

One slightly annoying thing I found was the system library loader would find 
other versions of libcrypto.a / libssl.a under LIBPATH and try to load those 
when running binaries in-tree rather than the build versions. I don't know if 
that was just a misconfiguration with my system.

 - Brent

 On Apr 8, 2015, at 9:19 PM, Michael Felt aixto...@gmail.com wrote:
 
 I applied the patch I had sent in before, made one change (correction) - 
 correcting a typo that brent had pointed out (netinfo that needs to be 
 diskinfo) in the getentrophy_aix.c
 
 If you need the patch again, I can send it again. I am curious about whether 
 this is moving forward - and if there is anything extra I can do to assist.
 
 
 Testsuite summary for libressl 2.1.6
 
 # TOTAL: 47
 # PASS:  47
 # SKIP:  0
 # XFAIL: 0
 # FAIL:  0
 # XPASS: 0
 # ERROR: 0
 
 
 regards,
 Michael

Re: Remove useless lock around opendir/readdir

[Brent Cook]

 On Mar 30, 2015, at 12:11 AM, Philip Guenther guent...@gmail.com wrote:
 
 On Fri, Mar 27, 2015 at 2:50 AM, Carlos Martín Nieto c...@dwim.me wrote:
 A call to opendir thread-safe and the readdir calls only share the buffer 
 within the same directory stream,
 which is local to this function. Therefore this lock does not buy us 
 anything.
 
 Yep.
 
 Heads up on this, bcook, in case the Windows opendir/readdir emulation
 isn't thread-safe (unlikely).
 
 
 Philip Guenther
 

Thanks. We're currently inheriting that emulation from mingw-w64's runtime, 
which wraps _findfirst/_findnext. It is thread safe.

Re: ntpd:support adjusting initial time = y2k36 on 32-bit time_t platforms

[Brent Cook]

On Mon, Mar 23, 2015 at 10:42 AM, Alexey Suslikov
alexey.susli...@gmail.com wrote:
 Brent Cook busterb at gmail.com writes:

 + T4 += (uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 *
 tv.tv_usec;

 snip

 + return ((uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec);

 snip

 Can gettime_from_timeval be used over the code instead of repeating
 same chunk?

 T4 += gettime_from_timeval(...

 return gettime_from_timeval(...

Good point Alexy. That is the right way to go.

ntpd:support adjusting initial time = y2k36 on 32-bit time_t platforms

[Brent Cook]

This came up in the OpenNTPD issue tracker:
https://github.com/openntpd-portable/openntpd-openbsd/pull/4

The issue is an overflow when calculating time offsets with a 32-bit
time_t in early 2036. The main reason to fix it in now, in 2015, is that
OpenNTPD fails to adjust time if such a system simply has a bad initial
time value.

I could maintain this as a local patch on the portable tree, but it
felt like this one should be upstream rather than hidden away in a patch
file.

Suggestions on better wording or oks?

Maybe 'sorry in advance for prolonging the Android uprising an
additional 2 years'.

Index: client.c
===
RCS file: /cvs/src/usr.sbin/ntpd/client.c,v
retrieving revision 1.100
diff -u -p -u -p -r1.100 client.c
--- client.c12 Feb 2015 01:54:57 -  1.100
+++ client.c22 Mar 2015 03:21:08 -
@@ -258,7 +258,11 @@ client_dispatch(struct ntp_peer *p, u_in
if (cmsg-cmsg_level == SOL_SOCKET 
cmsg-cmsg_type == SCM_TIMESTAMP) {
memcpy(tv, CMSG_DATA(cmsg), sizeof(tv));
-   T4 += tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec;
+   /*
+* Account for overflow that occurs on OSes that still
+* have a 32-bit time_t.
+*/
+   T4 += (uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 * 
tv.tv_usec;
break;
}
}
Index: util.c
===
RCS file: /cvs/src/usr.sbin/ntpd/util.c,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 util.c
--- util.c  10 Feb 2015 11:46:39 -  1.18
+++ util.c  22 Mar 2015 03:21:08 -
@@ -45,13 +45,21 @@ gettime(void)
if (gettimeofday(tv, NULL) == -1)
fatal(gettimeofday);

-   return (tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec);
+   /*
+* Account for overflow that occurs on OSes that still
+* have a 32-bit time_t.
+*/
+   return ((uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec);
 }

 double
 gettime_from_timeval(struct timeval *tv)
 {
-   return (tv-tv_sec + JAN_1970 + 1.0e-6 * tv-tv_usec);
+   /*
+* Account for overflow that occurs on OSes that still
+* have a 32-bit time_t.
+*/
+   return ((uint64_t)tv-tv_sec + JAN_1970 + 1.0e-6 * tv-tv_usec);
 }

 time_t

LibreSSL 2.1.6 released

[Brent Cook]

We have released LibreSSL 2.1.6, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release primarily addresses a number of security issues in
coordination with the OpenSSL project.

  Fixes for the following issues are integrated into LibreSSL 2.1.6:

 * CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
 * CVE-2015-0287 - ASN.1 structure reuse memory corruption
 * CVE-2015-0289 - PKCS7 NULL pointer dereferences
 * CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
 * CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref

  The patch for this issue is integrated in LibreSSL 2.1.6:

 * CVE-2015-0207 - Segmentation fault in DTLSv1_listen
 LibreSSL is not vulnerable, but the fix was safe to merge.

  The following issues were addressed in earlier LibreSSL releases:

 * CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
  Fixed in LibreSSL 2.1.2 - reclassifed from low to high,
 * CVE-2015-0292 - Fault processing Base64 decode
  Fixed in LibreSSL 2.0.0
 * CVE-2015-1787 - Empty CKE with client auth and DHE
  Fixed in LibreSSL 2.0.1

  The following issues did not apply to LibreSSL 2.1.6:

 * CVE-2015-0291 - OpenSSL 1.0.2 ClientHello sigalgs DoS
  Affected code is not present.
 * CVE-2015-0290 - Multiblock corrupted pointer
  Affected code is not present.
 * CVE-2015-0208 - Segmentation fault for invalid PSS parameters
  Affected code is not present.
 * CVE-2015-0293 - DoS via reachable assert in SSLv2 servers
  Affected code is not present.
 * CVE-2015-0285 - Handshake with unseeded PRNG
  Cannot happen by the design of the LibreSSL PRNG.

This release also enables the building of libtls by default, as the API
and ABI are declared stable within the LibreSSL 2.1.x series. Further
changes to libtls will resume with LibreSSL 2.2.x.

The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible.

Enable libtls in LibreSSL by default

[Brent Cook]

The API/ABI for the LibreSSL 2.1.x series is now stable, so we can safely
enable libtls it by default. This is useful for new OpenNTPD and
OpenSMTPD releases as well.

I would like to apply this to the OPENBSD_5_7 / 2.1.x and master
branches on the portable tree. Building with libtls has been the default
for all of my test builds since it was added, and there are no
compatibility issues. I didn't see a need for a --disable-libtls switch.

ok?

---
 Makefile.am| 6 +-
 configure.ac   | 6 +-
 dist-win.sh| 2 +-
 dist.sh| 2 +-
 gen-coverage-report.sh | 2 +-
 include/Makefile.am| 2 --
 scripts/travis | 4 ++--
 tls/Makefile.am| 3 ---
 update.sh  | 6 --
 9 files changed, 7 insertions(+), 26 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 45aa9cc..d3011ec 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,10 +2,6 @@ SUBDIRS = crypto ssl tls include apps tests man
 ACLOCAL_AMFLAGS = -I m4

 pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = libcrypto.pc libssl.pc openssl.pc
-
-if ENABLE_LIBTLS
-pkgconfig_DATA += libtls.pc
-endif
+pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc

 EXTRA_DIST = README README.windows VERSION config scripts
diff --git a/configure.ac b/configure.ac
index 30c7dd6..0bbf998 100644
--- a/configure.ac
+++ b/configure.ac
@@ -310,11 +310,6 @@ AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
 [test x$HOST_ABI = xmacosx -a $host_cpu = x86_64 -a x$enable_asm 
!= xno])

-AC_ARG_ENABLE([libtls],
-   AS_HELP_STRING([--enable-libtls], [Enable building the libtls library]))
-AM_CONDITIONAL([ENABLE_LIBTLS], [test x$enable_libtls = xyes])
-AM_COND_IF([ENABLE_LIBTLS], [AC_CONFIG_FILES([libtls.pc])])
-
 LT_INIT

 AC_CONFIG_FILES([
@@ -329,6 +324,7 @@ AC_CONFIG_FILES([
man/Makefile
libcrypto.pc
libssl.pc
+   libtls.pc
openssl.pc
 ])

diff --git a/dist-win.sh b/dist-win.sh
index 42569ac..cfb6414 100755
--- a/dist-win.sh
+++ b/dist-win.sh
@@ -22,7 +22,7 @@ for ARCH in X86 X64; do

echo Building for $HOST

-   CC=$HOST-gcc ./configure --host=$HOST --enable-libtls
+   CC=$HOST-gcc ./configure --host=$HOST
make clean
PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
   make -j 4 check
diff --git a/dist.sh b/dist.sh
index 27bd40a..ff740b7 100755
--- a/dist.sh
+++ b/dist.sh
@@ -3,5 +3,5 @@ set -e

 rm -f man/*.1 man/*.3
 ./autogen.sh
-./configure --enable-libtls
+./configure
 make distcheck
diff --git a/gen-coverage-report.sh b/gen-coverage-report.sh
index f99bd8e..1a199cf 100755
--- a/gen-coverage-report.sh
+++ b/gen-coverage-report.sh
@@ -20,7 +20,7 @@ find -name '*.gcda' -o -name '*.gcno' -delete
 rm -fr $DESTDIR

 echo Configuring to build with code coverage support
-./configure --enable-libtls CFLAGS='-O0 -fprofile-arcs -ftest-coverage'
+./configure CFLAGS='-O0 -fprofile-arcs -ftest-coverage'

 echo Running all code paths
 make clean
diff --git a/include/Makefile.am b/include/Makefile.am
index 31cc0ab..7e1ece2 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -28,6 +28,4 @@ noinst_HEADERS += sys/times.h
 noinst_HEADERS += sys/types.h
 noinst_HEADERS += sys/uio.h

-if ENABLE_LIBTLS
 include_HEADERS = tls.h
-endif
diff --git a/scripts/travis b/scripts/travis
index c52be79..091f37d 100755
--- a/scripts/travis
+++ b/scripts/travis
@@ -4,7 +4,7 @@ set -e
 ./autogen.sh

 if [ x$ARCH = xnative ]; then
-   ./configure --enable-libtls
+   ./configure
if [ `uname` = Darwin ]; then
# OS X runs out of resources if we run 'make -j check'
make check
@@ -28,6 +28,6 @@ else
export PATH=$PATH:/opt/$ARCH/bin
fi

-   ./configure --host=$CPU-w64-mingw32 --enable-libtls
+   ./configure --host=$CPU-w64-mingw32
make -j
 fi
diff --git a/tls/Makefile.am b/tls/Makefile.am
index f0919a5..e82a694 100644
--- a/tls/Makefile.am
+++ b/tls/Makefile.am
@@ -1,6 +1,5 @@
 include $(top_srcdir)/Makefile.am.common

-if ENABLE_LIBTLS
 lib_LTLIBRARIES = libtls.la

 EXTRA_DIST = VERSION
@@ -20,5 +19,3 @@ noinst_HEADERS = tls_internal.h
 if !HAVE_STRSEP
 libtls_la_SOURCES += strsep.c
 endif
-
-endif
diff --git a/update.sh b/update.sh
index 7b03d03..c4d33e8 100755
--- a/update.sh
+++ b/update.sh
@@ -304,9 +304,7 @@ echo copying manpages
$CP $openssl_app_src/openssl.1 .
echo dist_man_MANS += openssl.1  Makefile.am
$CP $libtls_src/tls_init.3 .
-   echo if ENABLE_LIBTLS  Makefile.am
echo dist_man_MANS += tls_init.3  Makefile.am
-   echo endif  Makefile.am

# convert remaining POD manpages
for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
@@ -328,23 +326,19 @@ echo copying manpages
echo   ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\  Makefile.am
echo \$(DESTDIR)\$(mandir)/man3/$2  Makefile.am
done
-   echo if ENABLE_LIBTLS  

LibreSSL 2.1.5 released

[Brent Cook]

We have released LibreSSL 2.1.5, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release is relatively small, focused on bug fixes before 2.2.x
development begins along-side OpenBSD 5.8.

This or earlier LibreSSL releases may also address issues that are to be
revealed by The OpenSSL Project Team on the 19th of March, 2015.

The LibreSSL team is not typically apprised of OpenSSL-related security
issues in advance. We will address any previously-unknown issues that
are found to affect LibreSSL in future releases.

Issues addressed since 2.1.4:

* Fix incorrect comparison function in openssl(1) certhash command.
  Thanks to Christian Neukirchen / Void Linux.

* Windows port improvements and bug fixes.
  - Removed a dependency on libgcc in 32-bit dynamic libraries.
  - Correct a hang in openssl(1) reading from stdin on an connection.
  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
any other network-related commands to function properly.

* Reject all server DH keys smaller than 1024 bits.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

Re: LibreSSL 2.1.4 released

[Brent Cook]

 On Mar 6, 2015, at 10:40 AM, Martin Hecht he...@hlrs.de wrote:
 
 
 I have tested it on a few linux platforms I have at hand:
 
 SLES 11 SP3
 Ubuntu 14.04.2 LTS
 Scientific Linux  6.6
 
 
 Testsuite summary for libressl 2.1.4
 
 # TOTAL: 47
 # PASS:  47
 # SKIP:  0
 # XFAIL: 0
 # FAIL:  0
 # XPASS: 0
 # ERROR: 0
 
 
 
 PS: just let me know when you have a testing environment which makes
 this input obsolete
 
 
 

We do have automatic builds for OS X, Linux and Mingw/Windows publically via 
Travis CI:

https://travis-ci.org/libressl-portable/portable

I have more private builds that get run through a local Jenkins server, but its 
always nice to get feedback for other variants.

Thanks
 - Brent

Testing LibreSSL Windows binaries

[Brent Cook]

Hi,

Based on difficulty people have had building LibreSSL on Windows and
desire for integration with Visual Studio, I have made a test package
with LibreSSL Windows binaries available here:

https://github.com/libressl-portable/portable/releases/tag/untagged-1124b2dee438a382b881

These should work with Microsoft tools, and the debug information
should be compatible with most Windows debuggers. This is not an
official release, but I would be interested in
feedback/success/failure stories. No fruit throwing please!

The build script that generates these is here:

https://github.com/libressl-portable/portable/blob/master/dist-win.sh

With some initial build notes here:

https://github.com/libressl-portable/portable/blob/master/README.windows

 - Brent

Re: Testing LibreSSL Windows binaries

[Brent Cook]

 On Mar 3, 2015, at 9:22 AM, Brent Cook bust...@gmail.com wrote:
 
 Hi,
 
 Based on difficulty people have had building LibreSSL on Windows and
 desire for integration with Visual Studio, I have made a test package
 with LibreSSL Windows binaries available here:
 
 https://github.com/libressl-portable/portable/releases/tag/untagged-1124b2dee438a382b881

I apparently linked to the 'Draft' URL. Here is a public one.

https://github.com/libressl-portable/portable/releases/tag/v2.1.4-pre

 These should work with Microsoft tools, and the debug information
 should be compatible with most Windows debuggers. This is not an
 official release, but I would be interested in
 feedback/success/failure stories. No fruit throwing please!
 
 The build script that generates these is here:
 
 https://github.com/libressl-portable/portable/blob/master/dist-win.sh
 
 With some initial build notes here:
 
 https://github.com/libressl-portable/portable/blob/master/README.windows
 
 - Brent

LibreSSL 2.1.4 released

[Brent Cook]

We have released LibreSSL 2.1.4, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon.

This release adds a number of new security features, makes building
privilege-separated programs simpler, and improves the libtls API.

This release also includes a binary package for convenience integrating
LibreSSL on Windows platforms, and the latest source tarball is signed
with GPG and signify for easier integration into existing build systems.

Feedback is welcome. Bugs, patches, and features requests can be
reported to tech@openbsd.org or at
https://github.com/libressl-portable/portable/issues

As the OpenBSD 5.7 development effort comes to a close, so does the
LibreSSL 2.1.x branch. The next release will begin the 2.2.x development
branch.

User-visible features:

  * Improvements to libtls:
- a new API for loading CA chains directly from memory instead of a
  file, allowing verification with privilege separation in a chroot
  without direct access to CA certificate files.

- Ciphers default to TLSv1.2 with AEAD and PFS.

- Improved error handling and message generation

- New APIs and improved documentation

  * Added X509_STORE_load_mem API for loading certificates from memory.
This facilitates accessing certificates from a chrooted environment.

  * New AEAD MAC alias allows configuring TLSv1.2 AEAD ciphers by
using 'TLSv1.2+AEAD' as the cipher selection string.

  * New openssl(1) command 'certhash' replaces the c_rehash script.

  * Server-side support for TLS_FALLBACK_SCSV for compatibility with
various auditor and vulnerability scanners.

Code improvements:

  * Dead and disabled code removal including MD5, Netscape workarounds,
non-POSIX IO, SCTP, RFC 3779 support, #if 0 sections, and more.

  * The ASN1 macros are expanded to aid readability and maintainability.

  * Various NULL pointer asserts removed in favor of letting the OS/signal
handler catch them.

  * Refactored argument handling in openssl(1) for consistency and
maintainability.

  * Support for building with OPENSSL_NO_DEPRECATED

  * Dozens of issues found with the Coverity scanner fixed.

Security updates:

- Fix a minor information leak that was introduced in t1_lib.c
  r1.71, whereby an additional 28 bytes of .rodata (or .data) is
  provided to the network. In most cases this is a non-issue since
  the memory content is already public. Issue found and reported by
  Felix Groebert of the Google Security Team.

- Fixes for the following low-severity issues were integrated into
  LibreSSL from OpenSSL 1.0.1k:

   CVE-2015-0205 - DH client certificates accepted without
   verification
   CVE-2014-3570 - Bignum squaring may produce incorrect results
   CVE-2014-8275 - Certificate fingerprints can be modified
   CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
   Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.

  The following CVEs were fixed in earlier LibreSSL releases:
   CVE-2015-0206 - Memory leak handling repeated DLTS records
   CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

  The following CVEs did not apply to LibreSSL:
   CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
   CVE-2014-3569 - no-ssl3 configuration sets method to NULL
   CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible.

Re: libtls documentation

[Brent Cook]

 On Feb 20, 2015, at 10:36 AM, Greg Martin g...@softsprocket.com wrote:
 
 Hi,
 I just build libressl on Linux 3.13.0-44-generic. I haven't installed it
 yet but it was a clean build.
 
 I'm interested in trying libssl but the only documentation I've found is
 a single manpage (tls_int). Are there some example programs somewhere or
 more comprehensive documentation?
 
 Thanks,
 Greg Martin.
 

Well, this does indicate that I neglected to add the manpage links in
portable - thanks for the note.