diff options
author | schwarze <> | 2022-12-16 13:41:55 +0000 |
---|---|---|
committer | schwarze <> | 2022-12-16 13:41:55 +0000 |
commit | 6777ddb358a28ff896be81dbbfce1f14e0a836e0 (patch) | |
tree | c86cfa2845b8dbb2e966a35f402a8007996539e0 /src/lib | |
parent | 4049dbe994284a40aeef67c382535608578d7ee0 (diff) | |
download | openbsd-6777ddb358a28ff896be81dbbfce1f14e0a836e0.tar.gz openbsd-6777ddb358a28ff896be81dbbfce1f14e0a836e0.tar.bz2 openbsd-6777ddb358a28ff896be81dbbfce1f14e0a836e0.zip |
Revert BIO_push(3) cycle prevention (bio_lib.c rev. 1.42).
jsing@ worries that cycle prevention might increase risk because
software that is not checking return values (and indeed, not checking
is likely common in practice) might silently behave incorrectly
with cycle prevention whereas without, it will likely either crash
right away through infinite recursion or at least hang in an infinite
loop when trying to use the cyclic chain, in both cases making it
likely that the bug will be found and fixed.
Besides, tb@ points out that BIO_set_next(3) ought to behave as
similarly as possible to BIO_push(3), but adding cycle prevention
to BIO_set_next(3) would be even less convincing because that
function does not provide a return value, encouraging users to
expect that it will always succeed. While a safe idiom for checking
the success of BIO_set_next(3) could easily be designed, let's be
realistic: application software would be highly unlikely to pick up
such an idiom.
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/libcrypto/bio/bio_lib.c | 8 | ||||
-rw-r--r-- | src/lib/libcrypto/man/BIO_push.3 | 38 |
2 files changed, 7 insertions, 39 deletions
diff --git a/src/lib/libcrypto/bio/bio_lib.c b/src/lib/libcrypto/bio/bio_lib.c index 3eb0869ca9..31b1e7305d 100644 --- a/src/lib/libcrypto/bio/bio_lib.c +++ b/src/lib/libcrypto/bio/bio_lib.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: bio_lib.c,v 1.42 2022/12/07 23:08:47 schwarze Exp $ */ | 1 | /* $OpenBSD: bio_lib.c,v 1.43 2022/12/16 13:41:55 schwarze Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -637,12 +637,6 @@ BIO_push(BIO *b, BIO *bio) | |||
637 | 637 | ||
638 | if (b == NULL) | 638 | if (b == NULL) |
639 | return (bio); | 639 | return (bio); |
640 | |||
641 | /* If this would create a cycle, change nothing and fail. */ | ||
642 | for (lb = bio; lb != NULL; lb = lb->next_bio) | ||
643 | if (lb == b) | ||
644 | return NULL; | ||
645 | |||
646 | lb = b; | 640 | lb = b; |
647 | while (lb->next_bio != NULL) | 641 | while (lb->next_bio != NULL) |
648 | lb = lb->next_bio; | 642 | lb = lb->next_bio; |
diff --git a/src/lib/libcrypto/man/BIO_push.3 b/src/lib/libcrypto/man/BIO_push.3 index 35c0c5b6d0..413f8249a6 100644 --- a/src/lib/libcrypto/man/BIO_push.3 +++ b/src/lib/libcrypto/man/BIO_push.3 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: BIO_push.3,v 1.12 2022/12/08 11:33:58 tb Exp $ | 1 | .\" $OpenBSD: BIO_push.3,v 1.13 2022/12/16 13:41:55 schwarze Exp $ |
2 | .\" full merge up to: | 2 | .\" full merge up to: |
3 | .\" OpenSSL doc/man3/BIO_push.pod 791bfd91 Nov 19 20:38:27 2021 +0100 | 3 | .\" OpenSSL doc/man3/BIO_push.pod 791bfd91 Nov 19 20:38:27 2021 +0100 |
4 | .\" OpenSSL doc/man7/bio.pod 1cb7eff4 Sep 10 13:56:40 2019 +0100 | 4 | .\" OpenSSL doc/man7/bio.pod 1cb7eff4 Sep 10 13:56:40 2019 +0100 |
@@ -67,7 +67,7 @@ | |||
67 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | 67 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
68 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. | 68 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. |
69 | .\" | 69 | .\" |
70 | .Dd $Mdocdate: December 8 2022 $ | 70 | .Dd $Mdocdate: December 16 2022 $ |
71 | .Dt BIO_PUSH 3 | 71 | .Dt BIO_PUSH 3 |
72 | .Os | 72 | .Os |
73 | .Sh NAME | 73 | .Sh NAME |
@@ -141,11 +141,6 @@ For portability, it is best to make sure that | |||
141 | is at the beginning of its chain before calling | 141 | is at the beginning of its chain before calling |
142 | .Fn BIO_push . | 142 | .Fn BIO_push . |
143 | .Pp | 143 | .Pp |
144 | The LibreSSL implementation of | ||
145 | .Fn BIO_push | ||
146 | never creates cycles. | ||
147 | If a call would result in a cycle, nothing is changed and the call fails. | ||
148 | .Pp | ||
149 | .Fn BIO_pop | 144 | .Fn BIO_pop |
150 | removes the BIO | 145 | removes the BIO |
151 | .Fa b | 146 | .Fa b |
@@ -214,16 +209,11 @@ have any effect is | |||
214 | .Fn BIO_push | 209 | .Fn BIO_push |
215 | returns | 210 | returns |
216 | .Fa b | 211 | .Fa b |
217 | for success or a different pointer for failure. | 212 | if it is not |
218 | In particular, it fails and returns | ||
219 | .Fa new_tail | ||
220 | if | ||
221 | .Fa b | ||
222 | is | ||
223 | .Dv NULL . | ||
224 | In LibreSSL, it fails and returns | ||
225 | .Dv NULL | 213 | .Dv NULL |
226 | if appending would create a cycle. | 214 | or |
215 | .Fa new_tail | ||
216 | if it is. | ||
227 | .Pp | 217 | .Pp |
228 | .Fn BIO_pop | 218 | .Fn BIO_pop |
229 | returns the BIO that followed | 219 | returns the BIO that followed |
@@ -294,22 +284,6 @@ and the new chain will be | |||
294 | data can be written to | 284 | data can be written to |
295 | .Sy md1 | 285 | .Sy md1 |
296 | as before. | 286 | as before. |
297 | .Pp | ||
298 | Even though LibreSSL handles some of the edge cases gracefully, | ||
299 | the following idiom is recommended for portable error checking: | ||
300 | .Bd -literal -offset indent | ||
301 | if (b == NULL || new_tail == NULL || b == new_tail) | ||
302 | /* Report the problem and bail out. */ | ||
303 | if (BIO_push(b, new_tail) != b) | ||
304 | /* Report that nothing was changed | ||
305 | * because it would have created a cycle. */ | ||
306 | .Ed | ||
307 | .Pp | ||
308 | Even with the portable idiom, old and non-LibreSSL library implementations | ||
309 | may silently attempt to create cycles instead of rejecting them and returning | ||
310 | .Dv NULL , | ||
311 | which may result in infinite loops, infinite recursion, or segmentation | ||
312 | faults either right away or later on. | ||
313 | .Sh SEE ALSO | 287 | .Sh SEE ALSO |
314 | .Xr BIO_find_type 3 , | 288 | .Xr BIO_find_type 3 , |
315 | .Xr BIO_new 3 , | 289 | .Xr BIO_new 3 , |