| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
| |
commit.
|
| |
|
|
|
| |
OpenSSL commits d2e9e320186f0917cc940f46bdf1a7e4120da9b0 and
b6cff313cbb1d0381b329fe4f6a8f009cdb270e4
|
| | |
|
| |
|
|
| |
21dcbebc6e35419f1842f39a125374ea1ba45693
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This imports verbatim copies as of the OpenSSL_1_1_1o tag of
crypto/kdf/hkdf.c
crypto/kdf/hkdf_err.c
include/openssl/kdf.h
include/openssl/kdferr.h
from https://www.github.com/openssl/openssl.git into lib/libcrypto/kdf.
We only want the EVP interface to HKDF since some ports need them. Not
yet linked to the build since it will not compile. Follow-on commits will
add KNF, clean up and make this compile.
Tests of an early draft version by abieber and Caspar Schutijser
ok jsing
|
| |
|
|
|
|
| |
Use more readable variable and arguments names in the process.
ok tb@
|
| |
|
|
|
|
|
|
| |
The asn1_find_end() function handles definite length ASN.1, which means
that there is no point in the only caller having code to explicitly handle
definite length - it can just call the function.
ok tb@
|
| |
|
|
|
|
|
|
| |
The long vs size_t checks can be handled in the asn1_check_tag() wrapper
and this will help to avoid propagating long vs size_t issues into new
code.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
Test decoding of sequences with length and indefinite length into an ASN.1
string - in this case the ASN.1 is not decoded, rather the octets are
stored directly as the content of the string.
This exercises a specific path through the ASN.1 decoder.
(you know asn1complex is living up to its name when you have to import
openssl/asn1t.h directly...)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than calling asn1_get_object_cbs(), call asn1_get_identifier_cbs(),
then immediately proceed with the tag number and tag class check. Only if
that succeeds (or it is not required) do we call asn1_get_length_cbs().
This avoids incurring the overhead of decoding the length in the case where
the tag number and tag class do not match.
While here rename asn1_check_tlen() to asn1_check_tag() - while we decode
the length, what we are normally checking is the tag number and tag class.
Also rename the arguments for readability. For now the argument types
and encoding remain unchanged.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ASN1_TIME_adj_internal() does some strange dances with remembering
allocations in a boolean and using strlen(p) to deduce what happened
inside *_string_from_tm(). It also (mis)translates a NULL p to an
illegal time value error.
This can be streamlined by converting directly from a struct tm into an
ASN1_TIME and setting the errors when they occur instead of trying to
deduce them from a NULL return. This is made a bit uglier than necessary
due to the reuse-or-allocate semantics of the public API.
At the cost of a little code duplication, ASN1_TIME_adj_internal()
becomes very easy and ASN1_TIME_to_generalizedtime() is also simplified
somewhat.
ok inoguchi jsing
|
| |
|
|
| |
comment from tb@
|
| |
|
|
| |
ok tb@
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
This also makes validation stricter and inline with X.690 - we now reject
zero length inputs (rather than treating them as zero values) and enforce
minimal encoding.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, every time an ASN.1 identifier and length is decoded it is
stored in a tag/length cache for potential reuse. However, the only time
this is actually of benefit is when decoding CHOICE or SEQUENCE with
OPTIONAL fields (or MSTRING and ANY due to less than ideal
implementation). For CHOICE and SEQUENCE with OPTIONAL fields the
current code attempts to decode the first option and if that fails, it
moves onto the next option and attempts to decode it, repeating until
it succeeds (or runs out of options).
There are a number of problems with the cache. Firstly, it adds complexity
to the ASN.1 decoder since it has to be passed up and down through the
various layers. Secondly, there is nothing that keeps the cached data in
synchronisation with the input stream. This makes it fragile and a
potential security risk. Thirdly, the type is in the public headers and
API, meaning that we cannot readily change the types or fields to improve
the code.
Testing also suggests that in typical decoding cases we actually get a
small performance increase by removing the cache. There are also several
other options that would improve decoding performance, which we can visit
once we have simpler and more robust code.
ok beck@ inoguchi@ tb@
|
| |
|
|
| |
so there's no longer a need to document that they are undocumented.
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
Also switch to freeing and allocating, rather than attempting to recycle.
While here, factor out the flags ASN1_STRING_FLAG_BITS_LEFT bit bashing
and use the name "unused bits" rather than "bits left", to be more inline
with X.690 wording.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This allows us to make direct use of c2i_ASN1_OBJECT_cbs().
ok inoguchi@ tb@
|
| | |
|
| | |
|
| |
|
|
| |
Requested by jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
X509v3_{addr,asid}_is_canonical() check that the ipAddrBlocks and
autonomousSysIds extension conform to RFC 3779. These checks are not
cheap. Certs containing non-conformant extensions should not be
considered valid, so mark them with EXFLAG_INVALID while caching the
extension information in x509v3_cache_extensions(). This way the
expensive check while walking the chains during X509_verify_cert() is
replaced with a cheap check of the extension flags. This avoids a lot
of superfluous work when validating numerous certs with similar chains
against the same roots as is done in rpki-client.
Issue noticed and fix suggested by claudio
ok claudio inoguchi jsing
|
| |
|
|
|
|
| |
Ensure that EXFLAG_INVALID is set on X509_get_purpose() failure.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
If either of the two initial BN_CTX_get() fails, we will call
BN_RECP_CTX_free() on the uninitialized recp, which won't end
well, so hoist the BN_RECP_CTX_init() call a few lines up.
From Pauli, OpenSSL ad249412
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
The handshake state machine does not handle key updates since that's a
post-handshake handshake message. This is code under #ifdef TLS13_DEBUG
and if it is ever to be reused in tls13_handshake_msg.c, that will have
to be revisited.
ok inoguchi jsing
|
| | |
|
| |
|
|
|
|
|
| |
Use a temporary variable to store the number of bytes to be copied
(size_t) and also use it as the memcpy(3) length. Previously we
copied "size" bytes instead of just the necessary number.
OK claudio@ tb@
|
| | |
|
| |
|
|
|
|
|
| |
'flags' should have ASN1_OBJECT_FLAG_DYNAMIC_DATA bit to free 'data'
by ASN1_OBJECT_free as c2i_ASN1_OBJECT_cbs does.
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
DSA private keys with ill-chosen g could cause an infinite
loop on deserializing. Add a few sanity checks that ensure
that g is according to the FIPS 186-4: check 1 < g < p and
g^q == 1 (mod p). This is enough to ascertain that g is a
generator of a multiplicative group of order q once we know
that q is prime (which is checked a bit later).
Issue reported with reproducers by Hanno Boeck.
Additional variants and analysis by David Benjamin.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If a private key encoded with EC parameters happens to have
order 1 and is used for ECDSA signatures, this causes an
infinite loop since a random integer x in the interval [0,1)
will be 0, so do ... while (x == 0); will loop indefinitely.
Found and reported with a reproducer by Hanno Boeck.
Helpful comments and analysis from David Benjamin.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
a race in which one thread is currently initializing the mutex which is
not an atomic operation whereas another thread tries to use it too
early.
With and ok schwarze@
|
| | |
|
| |
|
|
|
|
|
| |
jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.
ok jmc@
|
| |
|
|
|
|
|
|
|
| |
p is allocated by asprintf() in one of the *_from_tm() functions, so
it needs to be freed as in the other error path below.
CID 346194
ok jsing
|
| |
|
|
|
|
|
|
|
| |
d2i_EC_PRIVATEKEY() can handle the allocation of priv_key internally,
no need to do this up front and reach it through the dangerous reuse
mechanism. There's also no point in freeing a variable we know to be
NULL.
ok jsing
|
| |
|
|
| |
CID 351293
|
| |
|
|
| |
pkey_ctx->data.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
It is possible to call pmeth->cleanup() with an EVP_PKEY_CTX whose data
is NULL. If pmeth->init() in int_ctx_new() fails, EVP_PKEY_CTX_free() is
called with such a context. This in turn calls pmeth->cleanup(), and thus
these cleanup functions must be careful not to use NULL data. Most of
them are, but one of GOST's functions and HMAC's aren't.
Reported for HMAC by Masaru Masada
https://github.com/libressl-portable/openbsd/issues/129
ok bcook jsing
|
| |
|
|
|
|
|
| |
Instead of using malloc() and setting most struct members to 0,
simply use calloc().
ok bcook jsing
|
| | |
|
| |
|
|
| |
ok jmc@ schwarze@
|
| |
|
|
|
|
|
| |
we no longer have, focus on what our implementation now does, but
keep short warnings in how far other implementations might be more
fragile. Some improvements to wordings and clarity while here.
OK tb@
|
