| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
Rewrite the code that handles unexpected handshake messages in the legacy
TLS stack. Parse the TLS message header up front, then process it based on
the message type. Overall the code should be more strict and we should
reject various invalid messages that would have previously been accepted.
I also reviewed steve's experimental code and fixed the bug that it
contained.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This function populates the passed *out argument, hence it should not be
marked const.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
Rework ASN1_STRING_set() so that we always clear and free an existing
allocation, prior to storing the new data. This fixes a number of issues,
including a failure to zero data if the existing allocation was too small.
This also fixes other bugs such as leaving the allocation uninitialised
if NULL is passed for data. Require -1 where strlen() is expected and
improve length and overflow checks.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
gcc 4 on sparc64 issues a few 'warning: value computed is not used'.
There are two cases: sk_set_cmp_function() returns the old comparison
function of the stack which we don't care about. The one warning about
an sk_delete() is about a return value that we know already and which
we will free a few lines down.
ok inoguchi miod
|
| | |
|
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
| |
is fixed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A bug in the implementation of the Tonelli-Shanks algorithm can lead to
an infinite loop. This loop can be hit in various ways, in particular on
decompressing an elliptic curve public key via EC_POINT_oct2point() - to
do this, one must solve y^2 = x^3 + ax + b for y, given x.
If a certificate uses explicit encoding for elliptic curve parameters,
this operation needs to be done during certificate verification, leading
to a DoS. In particular, everything dealing with untrusted certificates
is affected, notably TLS servers explicitly configured to request
client certificates (httpd, smtpd, various VPN implementations, ...).
Ordinary TLS servers do not consume untrusted certificates.
The problem is that we cannot assume that x^3 + ax + b is actually a
square on untrusted input and neither can we assume that the modulus
p is a prime. Ensuring that p is a prime is too expensive (it would
likely itself lead to a DoS). To avoid the infinite loop, fix the logic
to be more resilient and explicitly limit the number of iterations that
can be done. The bug is such that the infinite loop can also be hit for
primes = 3 (mod 4) but fortunately that case is optimized earlier.
It's also worth noting that there is a size bound on the field size
enforced via OPENSSL_ECC_MAX_FIELD_BITS (= 661), which help mitigate
further DoS vectors in presence of this fix.
Reported by Tavis Ormandy and David Benjamin, Google
Patch based on the fixes by David Benjamin and Tomas Mraz, OpenSSL
ok beck inoguchi
|
| |
|
|
| |
From Alex Wilson
|
| |
|
|
|
|
|
|
|
|
| |
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TLS record layer has to be able to handle unexpected handshake messages
that result when it has been asked to read application data. The way that
this is currently done in the legacy stack is a layering violation - the
record layer knows about DTLS/TLS handshake messages, parsing them and then
deciding what action to take. This is further complicated by the need to
handle handshake message fragments.
For now, factor this code out with minimal changes - since it is a layering
violation we have to retain separate code for DTLS and TLS.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This fixes a bug in ASN1_STRING_set0() where it does not respect the
ASN1_STRING_FLAG_NDEF flag and potentially frees memory that we do not own.
ok inguchi@ tb@
|
| |
|
|
|
|
|
| |
Use consistent variable names (astr/src) rather than 'a', 'bs', 'str', 'v'
or 'x', add some whitespace and remove some unneeded parentheses.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| |
|
|
|
|
| |
From Alex Wilson
ok jsing
|
| |
|
|
|
|
|
|
| |
The previous versions were too strict and disallowed leading dots.
From Alex Wilson
ok jsing
|
| | |
|
| |
|
|
|
|
| |
From Alex Wilson
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
The constructed ASN.1 handling in asn1_d2i_ex_primitive() and asn1_ex_c2i()
currently has code to potentially avoid a malloc/memcpy - this is a less
common code path and it introduces a bunch of complexity for minimal gain.
In particular, we're manually adding a trailing NUL when ASN1_STRING_set()
would already do that for us, plus we currently manually free() the data on
an ASN1_STRING, rather than using freezero().
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Factor out the code that handles the processing of a change cipher spec
message that has been read in the legacy stack, deduplicating code in the
DTLS stack.
ok inoguchi@ tb@
|
| |
|
|
| |
bn_exp2.c r1.13.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
OK tb@
|
| |
|
|
|
|
| |
defined behavior.
ok deraadt inoguchi
|
| |
|
|
|
|
|
|
|
|
|
| |
The conversion to CBB made us write out an extra NUL since we no longer
use the return value of i2t_ASN1_OBJECT() (which returns strlen(data))
but rather the size of the CBB (which includes a terminal NUL) to write
out data.
Issue found by anton via an openssl-ruby test failure.
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Rewrite the ASN1_OBJECT content to ascii/text conversion code using CBB and
CBS. Currently there is a strange split with i2t_ASN1_OBJECT() calling
OBJ_obj2txt() which implements the conversion, while OBJ_txt2obj() calls
back into the misnamed a2d_ASN1_OBJECT() function. Move the conversion
code into asn1/a_object.c and have OBJ_txt2obj() call that instead.
ok inoguchi@ tb@
|
| |
|
|
| |
instances in the tree. ok deraadt@
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
in size. This cache is indexed by size (in # of pages), so it is
very quick to check. Some programs allocate and deallocate larger
allocations in a frantic way. Accomodate those programs by also
keeping a cache of regions between 128k and 2M, in a cache of variable
sized regions.
Tested by many in snaps; ok deraadt@
|
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
| |
i is a silly name for BN_num_bits(dsa->q); move a comment for readability.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dsa_do_verify() has checks on dsa->p and dsa->q that ensure that p isn't
overly long and that q has one of the three allowed lengths specified in
FIPS 186-3, namely 160, 224, or 256.
Do these checks on deserialization of DSA keys without parameters. This
means that we will now reject keys we would previously deserialize. Such
keys are useless in that signatures generated by them would be rejected
by both LibreSSL and OpenSSL.
This avoids a timeout flagged in oss-fuzz #26899 due to a ridiculous
DSA key whose q has size 65KiB. The timeout comes from additional checks
on DSA keys added by miod in dsa_ameth.c r1.18, especially checking such
a humungous number for primality is expensive.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pull out the code that processes incoming alerts - a chunk of the
complexity is due to the fact that in TLSv1.2 and earlier, alerts can be
fragmented across multiple records or multiple alerts can be delivered
in a single record.
In DTLS there is no way that we can reassemble fragmented alerts (although
the RFC is silent on this), however we could have multiple alerts in the
same record. This change means that we will handle this situation more
appropriately and if we encounter a fragmented alert we will now treat this
as a decode error (instead of silently ignoring it).
ok beck@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This only occurs on very small payloads and tightly allocated buffers
that don't usually occur in practice.
This is OpenSSL f61c6804
ok inoguchi jsing
|
| | |
|
| | |
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, a read/write memory BIO pulls up the data via memmove() on each
read. This becomes very expensive when a lot of small reads are performed,
especially if there is a reasonable amount of data stored in the memory
BIO.
Instead, store a read offset into the buffer and only perform a memmove()
to pull up the data on a write, if we have read more than 4096 bytes. This
way we only perform memmove() when the space saving will potentially be of
benefit, while avoiding frequent memmove() in the case of small interleaved
reads and writes.
Should address oss-fuzz #19881.
ok inoguchi@ tb@
|
