| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
| |
These exercise MD4 and MD5 with the test vectors from RFCs 1320 and 1321.
From Joshua Sing <joshua () hypera ! dev>
|
| | |
|
| | |
|
| |
|
|
| |
for output, use 'err' as a label and avoid some silly repetitions.
|
| |
|
|
|
|
| |
The old tests were incomplete, some of them had no license and the code
quality was questionable. The new tests by Joshua Sing cover what they
did (and additionally SHA-224 and SHA-384). Many thanks!
|
| | |
|
| |
|
|
| |
From Joshua Sing
|
| |
|
|
|
|
| |
CID 24797
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
This tests covers the NIST vectors for SHA-{1,224,256,384,256} and will
soon be able to replace the old SHA tests entirely.
From Joshua Sing <joshua () hypera ! dev>
|
| | |
|
| |
|
|
|
|
|
|
| |
EVP_PKEY_copy_parameters() will unconditionally fail if the pkey's ameth
has no copy_params(). Obviously this is indistinguishable from actual
failure...
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DSA_size() and ECDSA_size() have a very special hack. They fudge up an
ASN1_INTEGER with a size which is typically > 100 bytes, backed by a
buffer of size 4. This was "fine", however, since they set buf[0] = 0xff,
where the craziness that was i2c_ASN1_INTEGER() only looks at the first
octet (one may then ask why a buffer of size 4 was necessary...).
This changed with the rewrite of i2c_ASN1_INTEGER(), which doesn't
respect this particular hack and rightly assumes that it is fed an
actual ASN1_INTEGER...
Instead, create an appropriate signature and use i2d to determine its
size.
Fixes an out-of-bounds read flagged by ASAN and oss-fuzz.
ok jsing
|
| |
|
|
| |
CID 184043
|
| | |
|
| |
|
|
|
|
| |
The ASN.1 encoding of the modified ECDSA signature can grow in size due to
padding of the ASN.1 integers. Instead of reusing the same signature buffer
freshly allocate it. Avoids some buffer overflows caught by ASAN.
|
| | |
|
| |
|
|
|
|
| |
The ASN.1 encoding of the modified ECDSA signature can grow in size due to
padding of the ASN.1 integers. Instead of reusing the same signature buffer
freshly allocate it. Avoids some buffer overflows caught by ASAN.
|
| |
|
|
|
|
|
|
|
| |
sk_num() can return a negative value, in which case the upper bound is
SIZE_MAX, which results in a very long for loop.
CID 153997
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
Use EVP_PKEY_get0_EC_KEY() instead of the get1 version to avoid an
EVP_PKEY_free(). Check return values: if either EVP_PKEY_get0_EC_KEY()
or EC_KEY_get0_group() fail, a NULL dereference occurs.
CID 43289
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Switch from X509_get_pubkey() to X509_get0_pubkey() to avoid an unnecessary
EVP_PKEY_free(). Check the return values of X509_get0_pubkey() and
EVP_PKEY_copy_parameters(). If the former returns NULL, the latter will
dereference NULL.
CID 25020
ok jsing
|
| |
|
|
| |
CID 25421
|
| | |
|
| |
|
|
|
|
| |
Otherwise EVP_CIPHER_CTX_cleanup() leaks, as spotted by the ASAN CI.
ok jsing
|
| |
|
|
|
|
|
| |
If rbio and wbio are the same, SSL_free() only frees one BIO, so the
BIO_up_ref() before SSL_set_bio() leads to a leak.
ok jsing
|
| |
|
|
|
|
| |
CID 356353
ok jsing
|
| | |
|
| |
|
|
|
|
| |
Needed for an upcoming change.
ok tb@
|
| |
|
|
|
|
| |
Needed for an upcoming change.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
c99 6.11.5:
"The placement of a storage-class specifier other than at the beginning
of the declaration specifiers in a declaration is an obsolescent
feature."
ok miod@ tb@
|
| |
|
|
|
|
| |
ASN1_INTEGER_set() fails.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
When an ASN1_INTEGER is created it has NULL data until a value is set -
previously, an ASN1_INTEGER in this state encoded to an ASN.1 INTEGER with
a value of 0, rather than being treated as an error. While code should
really set values, the historical behaviour has not required this.
Found the hard way by sthen@ with acme-client.
ok tb@
|
| |
|
|
| |
inline use was removed in 1998
|
| | |
|
| |
|
|
|
| |
This exercises the libssl QUIC implementation and completes a TLS handshake
using the SSL_QUIC_METHOD interface.
|
| |
|
|
|
|
|
| |
If SSL_do_handshake() is called before SSL_provide_quic_data() has been
called, the QUIC read buffer will not have been initialised. In this case
we want to return TLS13_IO_WANT_POLLIN so that the QUIC stack will provide
handshake data.
|
| |
|
|
|
|
|
| |
While these will not be used by LibreSSL, they are used by some QUIC
implementations (such as ngtcp2).
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.
It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.
To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
LibreSSL will not return these values, however software is starting to
check for these as return values from SSL_get_error().
ok tb@
|
| | |
|
