summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Decode via c2i_ASN1_INTEGER_cbs() from asn1_ex_c2i().jsing2022-04-272-5/+5
|
* Ensure we clear the error stack before running tests that print errors.jsing2022-04-272-2/+10
|
* Enable ASN.1 INTEGER tests with invalid lengths/encodings.jsing2022-04-271-3/+1
|
* Rewrite c2i_ASN1_INTEGER() using CBS.jsing2022-04-271-84/+129
| | | | | | | | This also makes validation stricter and inline with X.690 - we now reject zero length inputs (rather than treating them as zero values) and enforce minimal encoding. ok tb@
* Remove the ASN.1 decoder tag/length cache (TLC).jsing2022-04-271-90/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | Currently, every time an ASN.1 identifier and length is decoded it is stored in a tag/length cache for potential reuse. However, the only time this is actually of benefit is when decoding CHOICE or SEQUENCE with OPTIONAL fields (or MSTRING and ANY due to less than ideal implementation). For CHOICE and SEQUENCE with OPTIONAL fields the current code attempts to decode the first option and if that fails, it moves onto the next option and attempts to decode it, repeating until it succeeds (or runs out of options). There are a number of problems with the cache. Firstly, it adds complexity to the ASN.1 decoder since it has to be passed up and down through the various layers. Secondly, there is nothing that keeps the cached data in synchronisation with the input stream. This makes it fragile and a potential security risk. Thirdly, the type is in the public headers and API, meaning that we cannot readily change the types or fields to improve the code. Testing also suggests that in typical decoding cases we actually get a small performance increase by removing the cache. There are also several other options that would improve decoding performance, which we can visit once we have simpler and more robust code. ok beck@ inoguchi@ tb@
* ASN1_{,const_}check_infinite_end(3) were removed in the last major bump,tb2022-04-271-5/+2
| | | | so there's no longer a need to document that they are undocumented.
* Decode via c2i_ASN1_BIT_STRING_cbs() from asn1_ex_c2i().jsing2022-04-263-9/+14
| | | | ok inoguchi@ tb@
* Rewrite c2i_ASN1_BIT_STRING() using CBS.jsing2022-04-231-44/+83
| | | | | | | | | Also switch to freeing and allocating, rather than attempting to recycle. While here, factor out the flags ASN1_STRING_FLAG_BITS_LEFT bit bashing and use the name "unused bits" rather than "bits left", to be more inline with X.690 wording. ok inoguchi@ tb@
* Convert asn1_ex_c2i() to CBS.jsing2022-04-233-24/+43
| | | | | | This allows us to make direct use of c2i_ASN1_OBJECT_cbs(). ok inoguchi@ tb@
* Add ASN1_INTEGER test coverage.jsing2022-04-231-1/+248
|
* Add missing self. From antontb2022-04-211-2/+2
|
* Clarify comments at the start of {asid,addr}_validate_path_internal()tb2022-04-212-7/+7
| | | | Requested by jsing
* Avoid expensive RFC 3779 checks during cert verificationtb2022-04-213-16/+22
| | | | | | | | | | | | | | | X509v3_{addr,asid}_is_canonical() check that the ipAddrBlocks and autonomousSysIds extension conform to RFC 3779. These checks are not cheap. Certs containing non-conformant extensions should not be considered valid, so mark them with EXFLAG_INVALID while caching the extension information in x509v3_cache_extensions(). This way the expensive check while walking the chains during X509_verify_cert() is replaced with a cheap check of the extension flags. This avoids a lot of superfluous work when validating numerous certs with similar chains against the same roots as is done in rpki-client. Issue noticed and fix suggested by claudio ok claudio inoguchi jsing
* Fix X509_get_extension_flags()tb2022-04-211-2/+2
| | | | | | Ensure that EXFLAG_INVALID is set on X509_get_purpose() failure. ok inoguchi jsing
* Avoid use of uninitialized in BN_mod_exp_recp()tb2022-04-201-2/+3
| | | | | | | | | | If either of the two initial BN_CTX_get() fails, we will call BN_RECP_CTX_free() on the uninitialized recp, which won't end well, so hoist the BN_RECP_CTX_init() call a few lines up. From Pauli, OpenSSL ad249412 ok inoguchi jsing
* Drop unused KeyUpdate from debug printftb2022-04-191-3/+1
| | | | | | | | | The handshake state machine does not handle key updates since that's a post-handshake handshake message. This is code under #ifdef TLS13_DEBUG and if it is ever to be reused in tls13_handshake_msg.c, that will have to be revisited. ok inoguchi jsing
* Fix typo in last commit.millert2022-04-131-2/+2
|
* inet_net_pton_ipv6: avoid signed vs unsigned comparisonmillert2022-04-131-3/+5
| | | | | | | Use a temporary variable to store the number of bytes to be copied (size_t) and also use it as the memcpy(3) length. Previously we copied "size" bytes instead of just the necessary number. OK claudio@ tb@
* KNF for a brace and zap trailing blank linetb2022-04-121-3/+3
|
* Set ASN1_OBJECT_FLAG_DYNAMIC_DATA flag with t2i_ASN1_OBJECT_internalinoguchi2022-04-101-1/+2
| | | | | | | 'flags' should have ASN1_OBJECT_FLAG_DYNAMIC_DATA bit to free 'data' by ASN1_OBJECT_free as c2i_ASN1_OBJECT_cbs does. ok jsing@ tb@
* Avoid infinite loop on parsing DSA private keystb2022-04-071-3/+24
| | | | | | | | | | | | | | DSA private keys with ill-chosen g could cause an infinite loop on deserializing. Add a few sanity checks that ensure that g is according to the FIPS 186-4: check 1 < g < p and g^q == 1 (mod p). This is enough to ascertain that g is a generator of a multiplicative group of order q once we know that q is prime (which is checked a bit later). Issue reported with reproducers by Hanno Boeck. Additional variants and analysis by David Benjamin. ok beck jsing
* Avoid infinite loop for custom curves of order 1tb2022-04-072-4/+9
| | | | | | | | | | | | If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely. Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin. ok beck jsing
* Initialize the mutex before making us of it from many threads. Preventsanton2022-04-031-28/+23
| | | | | | | | a race in which one thread is currently initializing the mutex which is not an atomic operation whereas another thread tries to use it too early. With and ok schwarze@
* man pages: fix some typos found while looking for other issuesnaddy2022-03-311-2/+2
|
* man pages: add missing commas between subordinate and main clausesnaddy2022-03-3141-167/+167
| | | | | | | jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@
* Fix leak in ASN1_TIME_adj_internal()tb2022-03-311-3/+5
| | | | | | | | | p is allocated by asprintf() in one of the *_from_tm() functions, so it needs to be freed as in the other error path below. CID 346194 ok jsing
* Simplify priv_key handling in d2i_ECPrivateKey()tb2022-03-311-8/+3
| | | | | | | | | d2i_EC_PRIVATEKEY() can handle the allocation of priv_key internally, no need to do this up front and reach it through the dangerous reuse mechanism. There's also no point in freeing a variable we know to be NULL. ok jsing
* Check EVPDigest* return values.tb2022-03-311-4/+7
| | | | CID 351293
* Add a simple test to ensure that pmeth->cleanup() can cope with NULLtb2022-03-302-2/+93
| | | | pkey_ctx->data.
* Avoid segfaults in EVP_PKEY_CTX_free()tb2022-03-302-4/+10
| | | | | | | | | | | | | It is possible to call pmeth->cleanup() with an EVP_PKEY_CTX whose data is NULL. If pmeth->init() in int_ctx_new() fails, EVP_PKEY_CTX_free() is called with such a context. This in turn calls pmeth->cleanup(), and thus these cleanup functions must be careful not to use NULL data. Most of them are, but one of GOST's functions and HMAC's aren't. Reported for HMAC by Masaru Masada https://github.com/libressl-portable/openbsd/issues/129 ok bcook jsing
* pkey_hmac_init(): use calloc()tb2022-03-301-7/+3
| | | | | | | Instead of using malloc() and setting most struct members to 0, simply use calloc(). ok bcook jsing
* Remove double slash in path to test program.anton2022-03-301-9/+9
|
* man pages: add missing word, The foo() ... -> The foo() function ...naddy2022-03-295-17/+18
| | | | ok jmc@ schwarze@
* Given asn1/a_object.c rev. 1.45 by jsing@, stop talking about BUGSschwarze2022-03-291-22/+21
| | | | | | | we no longer have, focus on what our implementation now does, but keep short warnings in how far other implementations might be more fragile. Some improvements to wordings and clarity while here. OK tb@
* man pages: add missing commas in enumerationsnaddy2022-03-293-9/+9
|
* Bound cofactor in EC_GROUP_set_generator()tb2022-03-291-1/+7
| | | | | | | | | | | | | | | | | | Instead of bounding only bounding the group order, also bound the cofactor using Hasse's theorem. This could probably be made a lot tighter since all curves of cryptographic interest have small cofactors, but for now this is good enough. A timeout found by oss-fuzz creates a "group" with insane parameters over a 40-bit field: the order is 14464, and the cofactor has 4196223 bits (which is obviously impossible by Hasse's theorem). These led to running an expensive loop in ec_GFp_simple_mul_ct() millions of times. Fixes oss-fuzz #46056 Diagnosed and fix joint with jsing ok inoguchi jsing (previous version)
* Do not zero cofactor on ec_guess_cofactor() successtb2022-03-291-2/+6
| | | | | | | The cofactor we tried to calculate should only be zeroed if we failed to compute it. ok inoguchi jsing
* Zap trailing whitespacetb2022-03-291-46/+46
|
* Change internal functions to static in openssl(1) pkcs12inoguchi2022-03-281-24/+30
| | | | ok tb@
* Remove unused function cert_load in openssl(1) pkcs12inoguchi2022-03-281-19/+1
| | | | ok tb@
* Remove extra 'or'claudio2022-03-281-3/+2
| | | | OK tb@
* Check EVP_Digest* functions return value in openssl(1) tsinoguchi2022-03-271-5/+16
| | | | | | | Move up md_ctx and add EVP_MD_CTX_free under the 'err:' label. CID 149810 comment and ok jsing@
* name constraints: be more careful with NULstb2022-03-262-12/+25
| | | | | | | | | | | | | | An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be). Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs. In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later. ok beck inoguchi jsing
* Clean up {dtls1,ssl3}_read_bytes()jsing2022-03-262-200/+166
| | | | | | | | | | Now that {dtls1,ssl3}_read_bytes() have been refactored, do a clean up pass - this cleans up various parts of the code and reduces differences between these two functions. ok = 1; *(&(ok)) tb@ ok inoguchi@
* Remove the minimum record length checks from dtls1_read_bytes()jsing2022-03-261-32/+1
| | | | | | | | The code that handles each record type already has appropriate length checks. Furthermore, the handling of application data here is likely incorrect and bypasses the normal state checks at the end of this function. ok inoguchi@ tb@
* Convert c2i_ASN1_OBJECT() and d2i_ASN1_OBJECT to CBS.jsing2022-03-261-81/+92
| | | | | | | | | Along the way, rather than having yet another piece of code that parses OID arcs, reuse oid_parse_arc(). Always allocate a new ASN1_OBJECT rather than doing a crazy dance with ASN1_OBJECT_FLAG_DYNAMIC and trying to free parts of an ASN1_OBJECT if one is passed in. ok inoguchi@ tb@
* Provide asn1_get_primitive()jsing2022-03-262-2/+35
| | | | | | | | This takes a CBS, gets the ASN.1 identifier and length, ensures the resulting identifier is a valid primitive, then returns the tag number and the content as a CBS. ok inoguchi@ tb@
* use the new CPU_ID_AA64ISAR0 sysctl to determine CPU features on arm64robert2022-03-251-5/+55
| | | | ok tb@, deraadt@, kettenis@
* Adjust the signer test to link statically and work with hidden tls_signertb2022-03-242-3/+7
| | | | API.
* Crank major after symbol removal.tb2022-03-241-2/+2
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-28 22:17:36 +0000