summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Unwrap a linetb2022-03-021-3/+2
|
* whitespacetb2022-03-021-2/+2
|
* Provide additional ASN1_OBJECT test coverage.jsing2022-03-021-16/+114
|
* Rewrite ASN1_OBJECT content to ascii/text conversion.jsing2022-03-023-101/+186
| | | | | | | | | | Rewrite the ASN1_OBJECT content to ascii/text conversion code using CBB and CBS. Currently there is a strange split with i2t_ASN1_OBJECT() calling OBJ_obj2txt() which implements the conversion, while OBJ_txt2obj() calls back into the misnamed a2d_ASN1_OBJECT() function. Move the conversion code into asn1/a_object.c and have OBJ_txt2obj() call that instead. ok inoguchi@ tb@
* Remove unused ivbits argument from chacha_keysetup to match otherdtucker2022-02-282-4/+4
| | | | instances in the tree. ok deraadt@
* Add regress coverage for ASN1_OBJECT public interfaces.jsing2022-02-262-1/+399
|
* Currently malloc caches a number of free'ed regions up to 128kotto2022-02-261-33/+160
| | | | | | | | | | in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accomodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions. Tested by many in snaps; ok deraadt@
* Get rid of SHA1 for comparing CRL's - use SHA512 just like we do for certs.beck2022-02-243-9/+7
| | | | ok tb@
* Remove accidentally committed debug code.tb2022-02-241-3/+1
|
* Minor tweakstb2022-02-241-7/+8
| | | | i is a silly name for BN_num_bits(dsa->q); move a comment for readability.
* Add sanity checks on p and q in old_dsa_priv_decode()tb2022-02-241-1/+15
| | | | | | | | | | | | | | | | | | dsa_do_verify() has checks on dsa->p and dsa->q that ensure that p isn't overly long and that q has one of the three allowed lengths specified in FIPS 186-3, namely 160, 224, or 256. Do these checks on deserialization of DSA keys without parameters. This means that we will now reject keys we would previously deserialize. Such keys are useless in that signatures generated by them would be rejected by both LibreSSL and OpenSSL. This avoids a timeout flagged in oss-fuzz #26899 due to a ridiculous DSA key whose q has size 65KiB. The timeout comes from additional checks on DSA keys added by miod in dsa_ameth.c r1.18, especially checking such a humungous number for primality is expensive. ok jsing
* Factor out alert handing code in the legacy stack.libressl-v3.5.0jsing2022-02-213-85/+77
| | | | | | | | | | | | | | | Pull out the code that processes incoming alerts - a chunk of the complexity is due to the fact that in TLSv1.2 and earlier, alerts can be fragmented across multiple records or multiple alerts can be delivered in a single record. In DTLS there is no way that we can reassemble fragmented alerts (although the RFC is silent on this), however we could have multiple alerts in the same record. This change means that we will handle this situation more appropriately and if we encounter a fragmented alert we will now treat this as a decode error (instead of silently ignoring it). ok beck@ tb@
* mutibyte -> multibytejsg2022-02-211-3/+3
|
* Fix a buffer overread in OAEP padding removaltb2022-02-201-11/+11
| | | | | | | | | This only occurs on very small payloads and tightly allocated buffers that don't usually occur in practice. This is OpenSSL f61c6804 ok inoguchi jsing
* Test OBJ_obj2txt() with NULL and short buffers.jsing2022-02-201-1/+12
|
* Add memory BIO small I/O tests.jsing2022-02-191-1/+72
|
* Remove references to performance issues caused by frequent memmove().jsing2022-02-191-13/+2
| | | | ok inoguchi@ tb@
* Reduce memmoves in memory BIOs.jsing2022-02-191-22/+38
| | | | | | | | | | | | | | | | | Currently, a read/write memory BIO pulls up the data via memmove() on each read. This becomes very expensive when a lot of small reads are performed, especially if there is a reasonable amount of data stored in the memory BIO. Instead, store a read offset into the buffer and only perform a memmove() to pull up the data on a write, if we have read more than 4096 bytes. This way we only perform memmove() when the space saving will potentially be of benefit, while avoiding frequent memmove() in the case of small interleaved reads and writes. Should address oss-fuzz #19881. ok inoguchi@ tb@
* certificiate -> certificatejsg2022-02-191-3/+3
|
* Provide a struct bio_mem for memory BIO specific data.jsing2022-02-191-47/+58
| | | | | | | | | In order to fix and improve the memory BIO, we need to be able to track more than just a single BUF_MEM *. Provide a struct bio_mem (which currently only contains a BUF_MEM *) and rework the internals to use this struct. ok inoguchi@ tb@
* Avoid gendered language in man pages when not referring to a specificjsg2022-02-181-4/+4
| | | | | | | | person. Rewrite or use singular they. ok thfr@ sthen@ daniel@ ian@ job@ kmos@ jcs@ ratchov@ phessler@ and others I'm likely missing on an earlier version. feedback tj@, feedback and ok jmc@
* Clean up and simplify memory BIO code.jsing2022-02-181-124/+139
| | | | | | | | This is a first pass that uses sensible and consistent names for variables. Call the BIO 'bio' (instead of 'a', 'b', 'bp', or 'h'), drop a bunch of unnecessary casts, simplify some logic and add additional error checking. With input from and ok tb@
* prefer https links in man pagesjsg2022-02-183-9/+9
| | | | ok gnezdo@ miod@ jmc@
* grammar/rewordjsg2022-02-181-5/+7
| | | | ok jmc@
* Add tests for memory BIO.jsing2022-02-171-2/+254
|
* Add test coverage for OBJ_txt2obj()/OBJ_obj2txt() with no_name == 0.jsing2022-02-121-4/+99
|
* Avoid potential single byte overread in asn1_parse2().jsing2022-02-121-3/+4
| | | | | | | | | | A fix for this was previously commited in r1.32, however while this added a bounds check the logic means we still fall through and perform the overread. Fix the logic such that we only log the error if the bounds check fails. While here, flip the test around such that we check for validity then print (which is more readable and matches earlier code). ok inoguchi@ tb@
* Revise for OBJ_obj2txt() OID arc limits.jsing2022-02-121-4/+4
|
* Limit OID text conversion to 64 bits per arc.jsing2022-02-121-55/+16
| | | | | | | | | | | | | | | | The current implementation uses an unsigned long, then switches to BN once the arc exceeds its size. However, the complexity of BN_bn2dec() is quadratic in the length of number being converted. This means that OIDs with excessively large arcs take a lot of computation to convert to text. While the X.660 specification states that arcs are unbounded, in reality they are not overly large numbers - 640K^W64 bits ought to be enough for any arc. Remove BN entirely, switch from unsigned long to uin64_t and fail if an arc exceeds this size. Identified via oss-fuzz timeouts - should fix #41028 and #44372. ok tb@
* Fix length check of IP addresses for name constraintstb2022-02-111-2/+3
| | | | | | | | | An IP address in a name constraint is actually an IP address concatenated with a netmask, so it is twice as long as usual. This fixes a third bug introduced in r1.3 and reported by Volker Schlecht ok jsing
* Add missing error check for a2i_GENERAL_NAME()tb2022-02-111-1/+3
| | | | | | Fixes a segfault reported by Volker Schlecht. ok jsing
* Fix a double free in v2i_NAME_CONSTRAINTS()tb2022-02-111-2/+3
| | | | | | | | | | | a2i_GENERAL_NAME() modifies and returns the out argument that was passed in unless out == NULL, in which case it returns something freshly allocated. Thus, in v2i_GENERAL_NAME_ex() we must only free ret if out == NULL so v2i_NAME_CONSTRAINTS() can free correctly. Issue reported by Volker Schlecht ok jsing
* Test OBJ_obj2nid() with an undefined (NID_undef) object.jsing2022-02-111-2/+2
|
* Make OBJ_obj2nid() work correctly with NID_undef.jsing2022-02-111-3/+3
| | | | | | | | | | Currently OBJ_obj2nid() with NID_undef returns NID_ccitt - this is due to doing a lookup on an empty value and having NID_undef conflict with an uninitialised NID value. Somewhat based on OpenSSL 0fb99904809. ok tb@
* Add initial regress for objects.jsing2022-02-113-1/+449
|
* If running with ASAN, mark test_with{,out}_bzero() with thetb2022-02-101-3/+14
| | | | | | | | | | | | | no_sanitize_address attribute. ASAN doesn't seem to be able to understand these lowlevel gymnastics with sigaltstack() and segfaults in __intercept_memem(). This allows LibreSSL and other portable projects that use this test run tests with ASAN enabled. Issue reported and workaround suggested by Ilya Shipitsin Paraphrasing millert: it's a little ugly but it's only a regress.
* silence "function declaration isn't a prototype" warning by changingtb2022-02-091-6/+6
| | | | int foo() to int foo(void)
* Plug a long standing leak in libtls CRL handlingtb2022-02-081-2/+1
| | | | | | | | | X509_STORE_add_crl() does not take ownership of the CRL, it bumps its refcount. So nulling out the CRL from the stack will leak it. Issue reported by KS Sreeram, thanks! ok jsing
* Plug leaks reported by Ilya Shipitsintb2022-02-081-1/+5
|
* Plug a number of leaks reported by Ilya Shipitsintb2022-02-081-2/+9
|
* Garbage collect the unused hash and print kp->pubkey_hash instead of NULL.tb2022-02-081-7/+4
| | | | | | Make sure kp is freed also on error. ok jsing
* Fix memleaks reported by Ilya Shipitsintb2022-02-081-3/+5
|
* Change second argument of x25519_ge_scalarmult_base() fromtb2022-02-081-2/+2
| | | | | | | | a 'const uint8_t *a' to a 'const uint8_t a[32]' to match the prototype in curve25519_internal.h and the other variant inside OPENSSL_SMALL. ok millert
* Avoid a NULL dereference in BN_mod_exp2_mont()tb2022-02-071-2/+2
| | | | | | | | | | This is a very rarely used function and the crash is hard to reach in practice. Instead of implementing BN_is_odd() badly by hand, just call the real thing. Reported by Guido Vranken ok beck jsing
* Check for zero modulus in BN_MONT_CTX_set().tb2022-02-071-1/+4
| | | | | | From OpenSSL 6a009812, prompted by a report by Guido Vranken ok beck jsing
* Remove i <= 0 checks from SSL_get_error()jsing2022-02-061-15/+16
| | | | | | | | | | | In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex() the error handling needs to be performed without checking i <= 0. This is effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of SSL_get_error() largely inline with OpenSSL 1.1. Issue reported by Johannes Nixdorf. ok inoguchi@ tb@
* Handle zero byte reads/writes that trigger handshakes in the TLSv1.3 stack.jsing2022-02-061-1/+5
| | | | | | | | | | | | | | | With the legaacy stack, it is possible to do a zero byte SSL_read() or SSL_write() that triggers the handshake, but then returns zero without SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE being flagged. This currently works in the TLSv1.3 stack by returning TLS_IO_WANT_POLLIN or TLS_IO_WANT_POLLOUT, which is then hidden by SSL_get_error(). However, due to upcoming changes to SSL_get_error() this will no longer be the case. In order to maintain the existing legacy behaviour, explicitly handle zero byte reads and writes in the TLSv1.3 stack, following completion of a handshake. ok inoguchi@ tb@
* cope with recent S3I removal; ok tb@anton2022-02-061-2/+2
|
* remove please from manual pagesjsg2022-02-062-6/+6
| | | | ok jmc@ sthen@ millert@
* Adapt appstest.sh for the new TLS_ names.tb2022-02-051-9/+5
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-01 11:49:30 +0000