| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, a read/write memory BIO pulls up the data via memmove() on each
read. This becomes very expensive when a lot of small reads are performed,
especially if there is a reasonable amount of data stored in the memory
BIO.
Instead, store a read offset into the buffer and only perform a memmove()
to pull up the data on a write, if we have read more than 4096 bytes. This
way we only perform memmove() when the space saving will potentially be of
benefit, while avoiding frequent memmove() in the case of small interleaved
reads and writes.
Should address oss-fuzz #19881.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
In order to fix and improve the memory BIO, we need to be able to track
more than just a single BUF_MEM *. Provide a struct bio_mem (which
currently only contains a BUF_MEM *) and rework the internals to use this
struct.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
person. Rewrite or use singular they.
ok thfr@ sthen@ daniel@ ian@ job@ kmos@ jcs@ ratchov@ phessler@ and
others I'm likely missing on an earlier version.
feedback tj@, feedback and ok jmc@
|
| |
|
|
|
|
|
|
| |
This is a first pass that uses sensible and consistent names for variables.
Call the BIO 'bio' (instead of 'a', 'b', 'bp', or 'h'), drop a bunch of
unnecessary casts, simplify some logic and add additional error checking.
With input from and ok tb@
|
| |
|
|
| |
ok gnezdo@ miod@ jmc@
|
| |
|
|
| |
ok jmc@
|
| |
|
|
|
|
|
|
|
|
| |
A fix for this was previously commited in r1.32, however while this added
a bounds check the logic means we still fall through and perform the
overread. Fix the logic such that we only log the error if the bounds check
fails. While here, flip the test around such that we check for validity then
print (which is more readable and matches earlier code).
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current implementation uses an unsigned long, then switches to BN once
the arc exceeds its size. However, the complexity of BN_bn2dec() is
quadratic in the length of number being converted. This means that OIDs
with excessively large arcs take a lot of computation to convert to text.
While the X.660 specification states that arcs are unbounded, in reality
they are not overly large numbers - 640K^W64 bits ought to be enough for
any arc. Remove BN entirely, switch from unsigned long to uin64_t and fail
if an arc exceeds this size.
Identified via oss-fuzz timeouts - should fix #41028 and #44372.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
An IP address in a name constraint is actually an IP address concatenated
with a netmask, so it is twice as long as usual.
This fixes a third bug introduced in r1.3 and reported by Volker Schlecht
ok jsing
|
| |
|
|
|
|
| |
Fixes a segfault reported by Volker Schlecht.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
a2i_GENERAL_NAME() modifies and returns the out argument that was
passed in unless out == NULL, in which case it returns something
freshly allocated. Thus, in v2i_GENERAL_NAME_ex() we must only free
ret if out == NULL so v2i_NAME_CONSTRAINTS() can free correctly.
Issue reported by Volker Schlecht
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
Currently OBJ_obj2nid() with NID_undef returns NID_ccitt - this is due to
doing a lookup on an empty value and having NID_undef conflict with an
uninitialised NID value.
Somewhat based on OpenSSL 0fb99904809.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
X509_STORE_add_crl() does not take ownership of the CRL, it bumps its
refcount. So nulling out the CRL from the stack will leak it.
Issue reported by KS Sreeram, thanks!
ok jsing
|
| |
|
|
|
|
|
|
| |
a 'const uint8_t *a' to a 'const uint8_t a[32]' to match
the prototype in curve25519_internal.h and the other variant
inside OPENSSL_SMALL.
ok millert
|
| |
|
|
|
|
|
|
|
|
| |
This is a very rarely used function and the crash is hard to reach in
practice. Instead of implementing BN_is_odd() badly by hand, just call
the real thing.
Reported by Guido Vranken
ok beck jsing
|
| |
|
|
|
|
| |
From OpenSSL 6a009812, prompted by a report by Guido Vranken
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.
Issue reported by Johannes Nixdorf.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With the legaacy stack, it is possible to do a zero byte SSL_read() or
SSL_write() that triggers the handshake, but then returns zero without
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE being flagged. This currently
works in the TLSv1.3 stack by returning TLS_IO_WANT_POLLIN or
TLS_IO_WANT_POLLOUT, which is then hidden by SSL_get_error().
However, due to upcoming changes to SSL_get_error() this will no longer be
the case. In order to maintain the existing legacy behaviour, explicitly
handle zero byte reads and writes in the TLSv1.3 stack, following
completion of a handshake.
ok inoguchi@ tb@
|
| |
|
|
| |
ok jmc@ sthen@ millert@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL chose to break the previous naming convention for ciphers and
to adopt TLS_* "RFC" names instead. Unfortunately, these names are
exposed in several APIs and some language bindings test for these
non-standard names instead of cipher values, which is ... unfortunate
(others would say "plain crazy").
We currently have to maintain patches in regress and ports (p5-Net-SSLeay,
openssl-ruby-tests - which means that Ruby will pick this up at some point)
to work around this difference and that's just not worth the effort.
The old AEAD- names will become aliases and continue to work, but in
openssl ciphers and netcat output the TLS_* names will now be displayed.
"I would be very happy if this gets committed" bluhm
ok beck inoguchi, begrudgingly ok jsing
|
| |
|
|
|
|
|
|
| |
S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
LibreSSL's pc files effectively hardcode the version to 1.0.0 since
LibreSSL exists. That probably never made much sense. This causes
some pain for ports that "need 'openssl' ['>= +1.1.0'] found '1.0.0'"
or similar while they would build perfectly fine with LibreSSL.
This only affects OpenBSD. We do not put the actual LibreSSL version
in there since it may cause trouble
Discussed with sthen, millert, inoguchi, beck over the past year.
Diff from/ok sthen
|
| |
|
|
|
|
|
|
| |
The trust anchor can't inherit, but the code says that it can inherit
just not if the leaf tries to inherit from that. This makes no sense
and doesn't match what is done on the asid side.
ok jsing
|
| | |
|
| |
|
|
| |
CRL's signature is invalid, not the certificate's.
|
| |
|
|
|
|
|
|
| |
Remove the X509 argument as it is unused - this was passed so that
ssl_cert_type() can get the public key from the X509 object if the
EVP_PKEY argument is NULL, however this is never the case.
ok tb@
|
| |
|
|
|
|
|
|
| |
Rather than leaking libcrypto defines through the tls_sign_cb and
tls_signer_sign() interfaces, provide and use our own TLS_PADDING_*
defines.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current design of tls_sign_cb provides a pointer to a buffer where the
signature needs to be copied, however it fails to provide a length which
could result in buffer overwrites. Furthermore, tls_signer_sign() is
designed such that it allocates and returns ownership to the caller.
Revise tls_sign_cb so that the called function is expected to allocate a
buffer, returning ownership of the buffer (along with its length) to the
caller of the callback. This makes it far easier (and safer) to implement
a tls_sign_cb callback, plus tls_signer_sign can be directly plugged in
(with an appropriate cast).
While here, rename and reorder some arguments - while we will normally
sign a digest, there is no requirement for this to be the case hence use
'input' and 'input_len'. Move padding (an input) before the outputs and
add some additional bounds/return value checks.
This is technically an API/ABI break that would need a libtls major bump,
however since nothing is using the signer interface (outside of regress),
we'll ride the original minor bump.
With input from tb@
ok inoguchi@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
| |
CID 118976 118979
ok tb@
|
| |
|
|
|
|
| |
CID 24838
comment and ok tb@
|
| |
|
|
|
|
|
| |
Add tls_signer_error to Symbols.list - this was missed during the last
libtls minor bump and can ride along.
ok deraadt@
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
to implement.
Add a tls_config_set_sign_cb() function that allows to register
a callback for the signing operation on a tls_config. When used,
the context installs fake pivate keys internally, and the callback
receives the hash of the public key.
Add a tls_signer_*() set of functions to manage tls_signer objects.
A tls_signer is an opaque structure on which keys are added.
It is used to compute signatures with private keys identified by
their associated public key hash.
Discussed with and ok jsing@ tb@
|
| |
|
|
|
|
| |
to match reality.
spotted by/ok jmc
|
| |
|
|
| |
spotted by/ok jmc
|
| |
|
|
|
|
|
|
|
|
|
| |
If tls13_recod_layer_send_pending() returns TLS13_IO_EOF, we will
bubble this up to the caller via tls13_legacy_return_code(), which
translates TLS13_IO_EOF to 0. This can happen if we have pending
post handshake-handshake data and the peer closes the pipe.
Presumably tls13_legacy_shutdown() should be rewritten yet again.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the peer closed the write side of the connection and we have not
yet received the close_notify, SSL_shutdown() makes an extra read to
try and read the peer's close_notify from the pipe. In that situation,
we receive EOF. The legacy stack will return -1 while the TLSv1.3
stack will end up returning 0.
Since the documentation is not super explicit about what should be
done if SSL_shutdown() returns 0, some applications will enter an
infinite loop. The code and documentation indicate that SSL_shutdown()
should only be called once more if it returned 0. Newer versions
of the OpenSSL documentation explicitly say that one should call
SSL_read() if SSL_shutdown() returns 0 in order to retrieve the
close_notify. Doing this would also have avoided this infinite loop.
Reported by Carsten Arzig and bluhm with a test case extracted from the
syslogd tests using IO::Socket::SSL, which has such an infinite loop.
ok bluhm jsing
|
| |
|
|
| |
to claudio
|
| |
|
|
|
|
|
| |
ret is used to bubble up an error from ssl3_get_message() and is unused
otherwise. Zap dead store and silly ret = 1; return ret;
ok inoguchi jsing
|
| |
|
|
|
|
|
| |
'goto fatal_err' so that the illegal_parameter alert is
actually sent in case of X509_get0_pubkey() failure.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
If the hostname is too long, tlsext_sni_is_valid_hostname() will fail
without having initialized *is_ip. As a result, the garbage value could
lead to accepting (but otherwise ignoring) overlong and possibly invalid
hostnames without erroring in tlsext_sni_server_parse().
ok inoguchi jsing
|
| |
|
|
|
|
| |
convert to usual form of error checking.
ok inoguchi jsing
|
| |
|
|
|
|
| |
CID 251047 251094
OK beck@ jsing@ millert@ tb@
|
| |
|
|
|
|
| |
CID 250936 251103
OK beck@ jsing@ millert@ tb@
|
