| |
In order to work around the expired DST Root CA X3 certificate, enable
X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
default chain provided by Let's Encrypt will stop at the ISRG Root X1
intermediate, rather than following the DST Root CA X3 intermediate.
Note that the new verifier does not suffer from this issue, so only a
small number of things will hit this code path.
ok millert@ robert@ tb@
this is errata 6.8/032_cert.patch
| |
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
this is 6.8 errata 031
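An added illustration of the off-by-one this commit message describes (not the LibreSSL code; `copy_part`, `PART_MAX` and the input are hypothetical): a copy loop that fills a fixed buffer through an index `wi` has to reject `wi >= PART_MAX` before each store, otherwise the terminating NUL lands one byte past the buffer.

```c
#include <stddef.h>

#define PART_MAX 8	/* hypothetical limit; the logical buffer is PART_MAX + 1 */

/*
 * Copy the text before '@' into out, using wi as the write index.
 * fixed != 0 applies the ">=" check, fixed == 0 the earlier ">" check.
 * out has one spare byte beyond PART_MAX + 1 so that the demonstration
 * can record where the NUL lands without writing out of bounds itself.
 */
static int
copy_part(const char *in, char out[PART_MAX + 2], int fixed, size_t *nul_at)
{
	size_t wi = 0;

	for (; *in != '\0' && *in != '@'; in++) {
		/* Check wi before it is used as an index. */
		if (fixed ? wi >= PART_MAX : wi > PART_MAX)
			return 0;
		out[wi++] = *in;
	}
	if (*in != '@')
		return 0;
	out[wi] = '\0';
	*nul_at = wi;	/* must be <= PART_MAX to fit the logical buffer */
	return 1;
}

/* 1 if the NUL would land outside a PART_MAX + 1 byte buffer. */
static int
nul_out_of_bounds(const char *in, int fixed)
{
	char buf[PART_MAX + 2];
	size_t nul_at = 0;

	return copy_part(in, buf, fixed, &nul_at) && nul_at > PART_MAX;
}

int
main(void)
{
	/* Constructed input: a 9-character part, one more than PART_MAX. */
	return nul_out_of_bounds("abcdefghi@example.test", 1);
}
```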
| |
Various interoperability issues and memory leaks were discovered in
libcrypto and libssl.
The new verifier is not bug compatible with the old verifier and caused
many issues by failing to propagate errors correctly, returning different
error codes than some software was trained to expect and otherwise failing
when it shouldn't. While much of this is fixed in -current, it's still not
perfect, so switching back to the legacy verifier is preferable at this
point.
Other included fixes:
* Unbreak DTLS retransmissions for flights that include a CCS
* Only check BIO_should_read() on read and BIO_should_write() on write
* Implement autochain for the TLSv1.3 server
* Use the legacy verifier for AUTO_CHAIN
* Implement exporter for TLSv1.3
* Free alert_data and phh_data in tls13_record_layer_free()
* Plug leak in x509_verify_chain_dup()
* Free the policy tree in x509_vfy_check_policy()
Original commits by jsing and tb
ok inoguchi jsing
| |
Comparing two GENERAL_NAME structures containing an EDIPARTYNAME can lead
to a crash. This enables a denial of service attack for an attacker who can
control both sides of the comparison.
Issue reported to OpenSSL on Nov 9 by David Benjamin.
OpenSSL shared the information with us on Dec 1st.
Fix from Matt Caswell (OpenSSL) with a few small tweaks.
ok jsing
this is errata/6.8/008_asn1.patch.sig
| |
Previously the leaf certificate was only being set up on the X509_STORE_CTX
after two verification steps were performed, however at least one of those
steps could result in the verification callback being triggered and
existing code breaking.
Issue noticed by Raf Czlonka when attempting to connect to talk.google.com
using profanity (which does not set SNI and ends up receiving an invalid
certificate).
ok beck@ deraadt@ tb@
| |
Various software expects the previous behaviour where the certificate chain
is available on the X509_STORE_CTX when the verify callback is triggered.
Issue hit by bket@ with lastpass-cli which has built in certificate
pinning that is checked via the verify callback.
Fix confirmed by bket@.
ok beck@
| |
No change in the generated assembly on amd64.
| |
Requested by jsing
| |
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
| |
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
| |
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally and zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
| |
ok tb@
| |
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
| |
symbol is exposed api and we probably need to deprecate it thoughtfully.
| |
On OSX and Windows platforms the portable build fails since it can't find
NAME_CONSTRAINTS_check.
It still remains in x509v3.h and Symbols.list but is '#if 0'ed from
x509_ncons.c.
In this situation, some platforms appear to get an error.
Add a noop NAME_CONSTRAINTS_check stub to solve this issue.
ok beck@
| |
ok beck@
| |
Rather than duplicating code, have x509_verify_ctx_new_from_xsc() call
x509_verify_ctx_new(), then handle the xsc specific parts.
ok beck@
| |
happy
ok tb@
| |
verification code.
ok jsing@
| |
of staying with the new name constraint code this will be deleted
ok jsing@
| |
to X509_V_ERR_OUT_OF_MEM instead of UNSPECIFIED in chain_append when
allocation fails.
noticed by ingo@
ok tb@
| |
the extension list.
found by llvm static analyzer
ok tb@
| |
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
| |
found by llvm static analyzer.
ok tb@
| |
noticed by llvm static analyzer
ok tb@
| |
noticed by llvm static analyzer
ok tb@
| |
eat a NULL.
found by clang static analyzer
ok tb@
| |
ok tb@
| |
the roots for a ctx are only freed in the free function, not in the
clear function, so that a ctx can be re-used with the same roots.
ok tb@
| |
so we don't need to pop free the roots separately
| |
ok jsing@ tb@
| |
The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator
This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
| |
ok jsing@
| |
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
| |
ok tb@ jsing@
| |
A number of years ago we dropped the concept of having function names in
errors, since it is not that useful and very quickly gets out of sync when
refactoring. It would seem that some new ones got imported and some missed
the last clean up.
ok tb@ beck@ "kill it with fire"
| |
This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
| |
Currently, when building a certificate chain we look up an issuer and if
it is the only issuer certificate available we still use it even if it has
expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted
certificates are processed first and if one of these happens to be expired
it will be used to build the chain, even if there is another non-expired
option in the trusted store.
Rework this code so that we first look for a non-expired untrusted
certificate. If one does not exist then we take a look in the trusted
store to see if we would be able to build the chain and only if there is
not, do we then look for an expired untrusted certificate.
This makes certificate validation possible for various sites that are
serving expired AddTrust certificates.
Issue reported by Christian Heimes via GitHub.
ok beck@ tb@
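An added model (not LibreSSL code) of the issuer lookup order described in this commit message and in the X509_V_FLAG_TRUSTED_FIRST commit message at the top of this log, showing why the rework handles an expired served certificate while a still-valid served cross-sign needs the trust store consulted first. The `struct cert` type, the mode names and the sample certificates are constructed for illustration; signature checks and expiry of trust-store entries are not modelled.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a certificate; not the library's X509 type. */
struct cert { const char *subject; const char *label; int expired; };

enum mode { BEFORE_REWORK, REWORKED, TRUSTED_FIRST };

/* First cert in set[] with a matching subject; expired ones only if allowed. */
static const struct cert *
find_issuer(const struct cert *set, size_t n, const char *issuer, int allow_expired)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(set[i].subject, issuer) == 0 &&
		    (allow_expired || !set[i].expired))
			return &set[i];
	return NULL;
}

/* Model of the lookup order only; signatures and chain depth are ignored. */
static const struct cert *
pick_issuer(enum mode m, const struct cert *un, size_t nu,
    const struct cert *tr, size_t nt, const char *issuer)
{
	const struct cert *c;

	/* Trusted-first: consult the trust store before anything served. */
	if (m == TRUSTED_FIRST && (c = find_issuer(tr, nt, issuer, 1)) != NULL)
		return c;
	/* All modes prefer a non-expired untrusted certificate next. */
	if ((c = find_issuer(un, nu, issuer, 0)) != NULL)
		return c;
	/* Before the rework an expired untrusted cert beat the trust store. */
	if (m == BEFORE_REWORK && (c = find_issuer(un, nu, issuer, 1)) != NULL)
		return c;
	if ((c = find_issuer(tr, nt, issuer, 1)) != NULL)
		return c;
	return find_issuer(un, nu, issuer, 1);
}

/* Constructed samples: what a server sends, and the local trust store. */
static const struct cert served_expired[] = {{ "CA-1", "expired cross-sign", 1 }};
static const struct cert served_valid[] = {{ "CA-1", "valid cross-sign to expired root", 0 }};
static const struct cert store[] = {{ "CA-1", "self-signed root in store", 0 }};

int
main(void)
{
	/* Return 0 when trusted-first stops at the store's own root. */
	return pick_issuer(TRUSTED_FIRST, served_valid, 1, store, 1, "CA-1") != &store[0];
}
```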
| |
mechanical M_ASN1 macro expansion. The ASN1_INTEGER_cmp function
takes signs into account while ASN1_STRING_cmp doesn't. The mixups
mostly involve serialNumbers, which, in principle, should be positive.
However, it is unclear whether that is checked or enforced anywhere
in the code, so these are probably bugs.
Patch from Holger Mikolon
ok jsing
| |
From Holger Mikolon
| |
tested in a bulk by sthen
ok jsing
| |
we can add const to PKCS8_pkey_get0(). In order for this to work,
we need to sprinkle a few consts here and there.
tested in a bulk by sthen
ok jsing
| |
Provide PKCS8_pkey_add1_attr_by_NID() and PKCS8_pkey_get0_attrs().
Remove the whole broken code and simplify pkcs8_priv_key_info_st
accordingly. Based on OpenSSL commit
54dbf42398e23349b59f258a3dd60387bbc5ba13 plus some const that was
added later.
tested in a bulk build by sthen
ok jsing
| |
tested in a bulk by sthen
ok jsing