| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
This includes the wonderful BLOCK_CIPHER_ecb_loop - a for loop in a macro.
No change in generated assembly.
|
| | |
|
| |
|
|
| |
Only change to generated assembly is due to the use of EVPerror().
|
| |
|
|
|
|
| |
Also remove various comments noting that it cannot be used for certain
block ciphers (which kinda defeats the purpose of having a generic
implementation in the first place).
|
| |
|
|
|
| |
Only change to generated assembly is due to EVPerror()'s use of line
numbers.
|
| |
|
|
| |
No change in generated assembly.
|
| |
|
|
|
|
| |
Only change to generated assembly is due to EVPerror()'s use of line
numbers.
CVS ----------------------------------------------------------------------
|
| |
|
|
| |
No change to generated assembly.
|
| |
|
|
|
|
|
|
|
| |
These macros make the ASN.1 macros seem sane - there are layers and layers
and layers here, which are hiding bugs.
No change to generated assembly.
Discussed with tb@
|
| | |
|
| |
|
|
|
|
| |
Rename some variables and consistently goto error.
ok tb@
|
| |
|
|
|
|
|
|
| |
Rather than recycling an existing ASN1_STRING and changing its type, free
it and allocate a replacement. This simplifies the code and potentially
avoids bugs resulting from reuse.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
Per X.690, some ASN.1 types must be primitive encoded, some must be
constructed and some may be either. Add this data to our types table
and check the encoding against this information when decoding.
ok tb@
|
| |
|
|
|
|
|
| |
This avoids asn1_c2i_primitive() from needing knowledge about the internals
of ASN1_INTEGER and ASN1_ENUMERATED.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
OPENSSL_cleanup() cleans up and deallocates memory in use by the library.
There are a couple of use cases for this, primarily related to memory
leak testing. This will not be called automatically in LibreSSL, which
means that OpenSSL's OPENSSL_NO_INIT_ATEXIT is implied. If code wants to
clean up then they need to explicitly call this themselves.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
CBIGNUM_it is supposed to be the "clear bignum" or "secure" bignum - that
is one which zeros its memory after use and ensures that the constant time
flags are set... in LibreSSL we always do both of these things for BIGNUMs,
so just use BIGNUM_it instead.
ok tb@
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DSA_size() and ECDSA_size() have a very special hack. They fudge up an
ASN1_INTEGER with a size which is typically > 100 bytes, backed by a
buffer of size 4. This was "fine", however, since they set buf[0] = 0xff,
where the craziness that was i2c_ASN1_INTEGER() only looks at the first
octet (one may then ask why a buffer of size 4 was necessary...).
This changed with the rewrite of i2c_ASN1_INTEGER(), which doesn't
respect this particular hack and rightly assumes that it is fed an
actual ASN1_INTEGER...
Instead, create an appropriate signature and use i2d to determine its
size.
Fixes an out-of-bounds read flagged by ASAN and oss-fuzz.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
sk_num() can return a negative value, in which case the upper bound is
SIZE_MAX, which results in a very long for loop.
CID 153997
ok jsing
|
| |
|
|
|
|
| |
Otherwise EVP_CIPHER_CTX_cleanup() leaks, as spotted by the ASAN CI.
ok jsing
|
| |
|
|
|
|
| |
CID 356353
ok jsing
|
| | |
|
| |
|
|
|
|
| |
Needed for an upcoming change.
ok tb@
|
| |
|
|
|
|
| |
Needed for an upcoming change.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
c99 6.11.5:
"The placement of a storage-class specifier other than at the beginning
of the declaration specifiers in a declaration is an obsolescent
feature."
ok miod@ tb@
|
| |
|
|
|
|
| |
ASN1_INTEGER_set() fails.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
When an ASN1_INTEGER is created it has NULL data until a value is set -
previously, an ASN1_INTEGER in this state encoded to an ASN.1 INTEGER with
a value of 0, rather than being treated as an error. While code should
really set values, the historical behaviour has not required this.
Found the hard way by sthen@ with acme-client.
ok tb@
|
| |
|
|
|
|
|
| |
While these will not be used by LibreSSL, they are used by some QUIC
implementations (such as ngtcp2).
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
EVP_chacha20_poly1305() is an EVP_CIPHER implementation of the
ChaCha20-Poly1305 AEAD. This is potentially used to provide encryption for
the QUIC transport layer.
Where possible, this should be avoided in favour of the significantly saner
EVP_AEAD interface.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
The length checks for EVP_aead_chacha20_poly1305() seal/open were incorrect
and are no longer necessary (not to mention that the comment failed to
match the code). Remove these since the underlying ChaCha implementation
will now handle the same sized inputs at these functions can.
Issue flagged by and ok tb@
|
| |
|
|
|
|
|
|
| |
We can avoid this unnecessary limitation by calling chacha_encrypt_bytes()
multiple times internally. In the case of ChaCha(), the caller still needs
to ensure that the same IV is not used for more than 2^70 bytes.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
This gives us cleaner and safer code, although it is worth noting that we
now generate the encoding even when called with NULL as the output pointer
(and then discard it, returning just the length).
Resolves oss-fuzz #49963.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In asn1_i2d_ex_primitive(), asn1_ex_i2c() returning -1 is used to indicate
that the object is optional and should be skipped, while -2 is used to
indicate that indefinite length encoding should be used. Any other negative
value was treated as success, resulting in the out pointer being walked
backwards. Avoid this by treating any negative value (aside from -1 and -2)
as a failure, propagating it up the stack.
Additionally, check the return value of the second asn1_ex_i2c() call to
ensure that it matches the value returned by the first call. This makes
sure that the length of the encoded object is correct, plus it detects the
case where a failure occurs during the second call.
Discussed with tb@ (who also flagged the negative value issue).
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In bio.h r1.54, the signature of BIO_callback_ctrl() was changed from
bio_info_cb to BIO_info_cb. Adjust manual to reflect this change.
At the moment, bio_info_cb and BIO_info_cb are still distinct types with
our BIO_info_cb matching OpenSSL's definition. Historically, bio_info_cb
had a different type, but that leads to issues with casting function
pointers. The ecosystem has moved on to embrace the new type and several
ports confuse the two types because OpenSSL decided to "solve" the issues
with "typedef BIO_info_cb bio_info_cb; /* backward compatibilty */". We
will align with this in the next bump.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
While each attribute must contain at least one extension, it is not
required that a CSR have attributes at all. Instead of signalling an
error by returning NULL if no extensions are found, return an empty
stack of extensions.
Via OpenSSL 1f02ca2d
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
| |
If the bgets() callback returns <= 0, we currently rely on the user
provided callback to set readbytes, which isn't ideal. This also
matches what's done in BIO_read() and BIO_write().
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
X509_NAME_print() is documented to print things at a given indentation
level. Unfortunately, this never worked since someone got some logic
wrong. Part of the wrong logic was removed in a dead code removal in
OpenSSL commit 92ada7cc, but the variable l was left behind, which leads
to compiler warnings on some platforms. End its sad life pointlessly
and incorrectly measuring column width and remove it.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes
oss-fuzz #49944
with/ok jsing
|
| |
|
|
|
|
|
|
| |
Avoid signed integer overflow by casting an int64_t to uint64_t before
negating. Same fix was applied in a_int.c -r1.44, but was forgotten to
be applied to a_enum.c.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The version field of an X.509 Certificate is an enum
Version ::= INTEGER { v1(0), v2(1), v3(2) }
Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.
ok jsing
|
| |
|
|
|
|
|
|
| |
p5-IO-Socket-SSL regress and regress/sbin/iked/live
Still passes the mutt regress that this was intended to fix.
ok tb@
|
| |
|
|
|
|
|
| |
Remove unnecessary conditions for XTS mode, since we know which are XTS.
Also use bytes rather than bits / 8.
ok tb@
|
| |
|
|
|
|
| |
LibreSSL does not do FIPS and nothing else sets or checks these.
ok tb@
|
| |
|
|
|
|
|
| |
A number of the AES-NI functions are #defines to an aes_* function - remove
these and just use the AES variant directly.
ok tb@
|
