| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
The current convoluted mess can be handled with two calls to the new
rsa_alg_set_pss_padding() helper. Not that this would be obvious at
all.
This fixes two more leaks in case of X509_ALGOR_set0() failure.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This sets the AlgorithmIdentifier's algorithm to id-RSASSA-PSS with
appropriate RSASSA-PSS parameters. This pulls a chunk of code out of
rsa_cms_sign() and rewrites it with proper error checking, thereby
fixing a long-standing leak.
This helper can also be used in rsa_item_sign(), but that part is a
bit special, and will therefore be commmitted separately.
ok jsing
|
| |
|
|
|
|
|
|
| |
This removes a few duplicated and unchecked X509_ALGOR_set0() calls and
factors them into a helper function that sets the AlgorithmIdentifier on
the recipient info or signer info to rsaEncryption with null parameters.
ok jsing
|
| |
|
|
| |
not real problems)
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
X509_ALGOR_set0() is annoyingly unergonomic since it takes an ASN1_OBJECT
rather than a nid. This means that almost all callers call OBJ_obj2nid()
and they often do this inline without error checking so that the resulting
X509_ALGOR object is corrupted and may lead to incorrect encodings.
Provide an internal alternative X509_ALGOR_set0_by_nid() that takes a nid
instead of an ASN1_OBJECT and performs proper error checking. This will be
used to convert callers of X509_ALGOR_set0() in the library.
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
| |
Otherwise, the prototypes for timespec_get() and aligned_alloc()
are not visible. OK guenther@
|
| |
|
|
|
|
|
|
| |
If the topmost cert is invalid, this should result in a validation failure.
Do the same dance as elsewhere permitting the verify callback to intercept
the error but ensuring that we throw an error.
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
This streamlines the code to use safer idioms, do proper error checking
and be slightly less convoluted. Sprinkle a few references to RFC 8017
and explain better what we are doing and why. Clarify ownership and use
more consistent style.
This removes the last internal use of X509_ALGOR_set_md().
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
OpenSSL has the 20 in the long and short names, so add aliases to the
existing names to make things work. In particular, EVP_get_cipherbyname()
will now return EVP_chacha20() for both 'ChaCha20' and 'chacha20'.
Found by Facundo Tuesca when trying to add LibreSSL support for ChaCha20 in
https://github.com/pyca/cryptography/pull/9209
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
the 0x0 call sites for leak reports. Also display more info on
detected write of free chunks: print the info about where the chunk
was allocated, and for the preceding chunk as well.
ok asou@
|
| | |
|
| |
|
|
| |
OK tb@
|
| |
|
|
|
| |
This matches what other pages use. Also rewrite the definition of the
modular inverse to be less ugly.
|
| |
|
|
|
|
| |
If they ever had any meaning, that's long been lost.
Requested by jsing
|
| |
|
|
| |
This is basically the same fix as the one applied in BN_mod_exp_simple().
|
| |
|
|
|
|
| |
Reported and reminded by Guido Vranken in OpenSSL issue #21110
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function was the unfortunate protagonist in a series of tragic merge
errors resulting in only a short stint of a year and nine months between
OpenSSL 0.9.8j and 1.0.0a actually present in OpenBSD. Then it said good
bye for good, but somehow a prototype came back with 1.0.1g, a famous
version released when there were slightly more pressing things to be
taken care of than a function supporting a config knob whose only purpose
was to turn off fips mode or to error.
from schwarze
PS: The mechanism that it was supposed to provide is still documented in
openssl.cnf(5). I am going remove the relevant bit at some point, but not
today.
|
| |
|
|
|
|
|
|
|
|
| |
Contrary to X509_ALGOR_set_md() this allows for error checking. Avoid
local complications by freeing in the exit path and use a const version
of X509_ALGOR for walking a STACK_OF() to avoid a bad free.
Clean up includes
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Our internal version allows for error checking and this avoids a silent
failure leading to corruption later on.
Clean up includes while there.
ok jsing
|
| | |
|
| |
|
|
|
| |
The old description was vague, but strictly speaking a lie, so make it
more precise and turn the lie into a truth.
|
| |
|
|
|
|
| |
Fix includes and zap an empty line.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current implementation is a complete mess. There are three cases:
1) ptype == V_ASN1_UNDEF: parameter must be freed and set to NULL.
2) ptype == 0: existing non-NULL parameters are left untouched, NULL
parameters are replaced with ASN1_TYPE_new()'s wacky defaults.
3) otherwise allocate new parameters if needed and set them to ptype/pval.
In all three cases free the algorithm and set it to aobj.
The challenge now is to implement this using nine if statements and one
else clause... We can do better. This preserves existing behavior. There
would be cleaner implementations possible, but they would change behavior.
There are many callers in the ecosystem that do not error check
X509_ALGOR_set0() since OpenSSL failed to do so. So this was carefully
rewritten to leave alg in a consisten state so that unchecking callers
don't encounter corrupted algs.
ok jsing
|
| |
|
|
|
|
| |
This fixes the printf in the x509_algor regress.
ok jsing
|
| |
|
|
|
|
|
|
| |
Make the logic slightly less convoluted. Preserve the behavior that
*ppval remains unset if pptype == NULL for now. However, ensure that
*ppval is set to NULL if pptype is V_ASN1_UNDER.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
X509_ALGOR_set_md() is a void function that cannot easily be error checked.
The caller has to jump through hoops to make sure this function doesn't
fail. Prepare replacing this internally with X509_ALGOR_set_evp_md(), which
allows error checking. There is one slight change of behavior: if the EVP_MD
object passed in does not have an OID known to the library, then this new
API fails.
It is unclear what the library should do with such an object and people
who use EVP_MD_meth_new() need to know what they are doing anyway and they
are better off teaching the lib about the OID if they're going to be
messing with certs.
Oh, and the prototype is in x509_local.h because the rest of this API is
in x509.h despite being implemented in asn1/.
ok jsing
|
| |
|
|
|
|
|
| |
This is currently written in what is likely the most stupid way possible.
Rewrite this function in a more straightforward way.
ok jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous wording was misleading since the result of X509_ALGOR_new()
is not actually an empty X509_ALGOR object. Rather, it contains the
undefined ASN1_OBJECT returned by OBJ_nid2obj(NID_undef). Therefore using
X509_ALGOR_get0(3) for error checking X509_ALGOR_set_md() is not trivial.
So: change the initial paragraph into a general intro referring to the
OpenSSL API needed to interface with X509_ALGOR and write a new paragraph
documenting X509_ALGOR_new(3) and drop the incorrect suggestion of an error
check. Notably there's now a reference to the OBJ_nid2obj() family without
which one cannot really use X509_ALGOR_* for anything at all.
With and ok schwarze
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The X509_ALGOR_set0() and X509_ALGOR_set_md() documentation comes from
upstream, which means it is as sloppy as the code and as vague as your
average upstream manpage. Be precise on what X509_ALGOR_set0() does on
different inputs and document return values and failure modes.
X509_ALGOR_set_md() is a void function that calls X509_ALGOR_set0() in a
way that can fail, leaving alg in a corrupted state. Document when that
can occur and how to avoid or detect that, but do not go too far, because
EVP_MD_meth_new(), one potential source of failures, is a whole another
can of worms.
joint work with schwarze
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ASN1_TIME_compare() compares two times t1 and t2. Due to a copy-paste
error, we would do ASN1_time_parse(t1->data, t2->length, &tm2, t2->type)
Now if t1 is a UTCTime (length 13) and t2 is a GeneralizedTime (length 15),
the worst that could happen is a 2-byte out-of-bounds read. Fortunately, t1
will already have parsed as a UTCTime, so it will have a Z where there
should be the first digit of the seconds for a GeneralizedTime and we will
error out.
Now if both t1 and t2 have the same type, we will parse t1's data twice
and we will return an incorrect comparison. This could have some security
impact if anything relied on this function for security purposes. It is
unused in our tree and unused in our ports tree ports and the only consumer
I could find was some MongoDB things doing OCSP, so this won't be too bad.
Then of course there's also the language bindings.
Issue reported by Duncan Thomson at esri dot com via libressl-security
ok beck deraadt
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We aligned with upstream behavior. Let's document it properly.
Surprisingly, OpenSSL 1.1 half-assed the docs: two parts of the manual
contradict each other. The part getting EVP_CIPHER_CTX_iv_length() right,
incorrectly documents possible -1 return value to EVP_CIPHER_iv_length().
OpenSSL 3 documentation improvement efforts seem to have tried to address
this issue with the result that the manual is now entirely wrong when it
comes to the EVP_CIPHER_CTX_iv_length() replacement. Par for the course.
|
| |
|
|
| |
crypto(3)
|
| | |
|
