ok tb@

We get an implementation of this for free by having bn_bin2bn_cbs() use
CBS_get_u8() instead of CBS_get_last_u8().
ok tb@

These will be used in upcoming changes.
ok tb@

Another stroke of the already very dirty brush eliminates more traces
of ADHD and/or crack.
ok jsing

This manually constructs an X509_ALGOR because the (now internal) legacy
interface EVP_CIPHER_param_to_asn1() (which is an unwelcome complication
thanks to RC2) is entirely incompatible with X509_ALGOR_set0() since
the ASN1_TYPE can't be pulled apart nicely (because the ASN1_TYPE API
is incomplete as well).
Once we get this far, we get to DER-encode the inner AlgorithmIdentifier
and set that blob as the parameters of another one. The same variables
are reused, of course, and, needless to say, an unchecked X509_ALGOR_set0()
would leak this blob on failure. So fix this by switching to the usual
error-checked X509_ALGOR_set0_by_nid().
ok jsing

ok jsing

Again the getting and the setting were interrupted by ten lines of
completely unrelated code.
ok jsing

It is much simpler to avoid the key_type variable altogether and inline
its use. Also it makes no sense to have 15 unrelated lines between the
getting of the kdf type, checking its content, and then actually setting
it to EVP_PKEY_ECDH_KDF_X9_63.
ok jsing

While setting the parameters to type V_ASN1_UNDEF can't actually fail,
it is cleaner to just do the check. Using the by_nid() variant also
removes the need for an unchecked nested OBJ_nid2obj() call.
ok jsing

The pkey is only used in one scope. i2o allocates if passed a pointer
to NULL, so use that to drop two unnecessary local variables.
ok jsing

This looks like a use after free, but setting the unused bits to 0
can't actually fail.
ok jsing

Also use ret instead of rv.
ok jsing

ASN1_TYPE_get() returns V_ASN1_* constants. Checking the return for
NID_undef instead means that we actually check for V_ASN1_EOC, which
makes absolutely no sense here. Clearly V_ASN1_UNDEF was intended.
ok jsing

If EVP_PKEY_new() returns NULL, it would be passed to the paramgen() pmeth
which would typically dereference it. This is identical to a recent change
in keygen().
ok jsing

CID 492603

In the ClientHello retrying the handshake after a HelloRetryRequest, the
client must send a single key share matching the group selected by the
server in the HRR. This is not necessarily the mutually preferred group.
Incorrect logic added in ssl_tlsect.c r1.134 would potentially reject
such a key share because of that.
Instead, add logic to ensure on the server side that there is a single
share matching the group we selected in the HRR.
Fixes a regress test in p5-IO-Socket-SSL where the server is configured
with P-521:P-384 and the client with P-256:P-384:P-521. Since the
client sends an initial P-256 key share, a HRR is triggered which
the faulty logic rejected because it was not the mutually preferred
P-384 but rather matching the server-selected P-521.
This will need some deduplication in subsequent commits. We may also
want to consider honoring the mutual preference and request a key
accordingly in the HRR.
reported by bluhm, fix suggested by jsing
ok beck jsing

This results in simpler code.
Suggested by tb@ during review.

ok tb@

This will be used in an upcoming change.
ok tb@

Also change the bits type from int to size_t, since that's what the callers
are passing and we can avoid unnecessary input validation.
ok tb@

ok jsing

ok jsing

ok jsing

It's always good to see something called internal in the public API.
ok jsing

ok jsing

ok jsing

We only need the ASN.1 items.
ok jsing

ok jsing

ok jsing

ok jsing

ok jsing

This was only ever semi-public and libtls no longer uses it since it was
switched to the BoringSSL POSIX time API.
ok jsing

Both BN_clear_bit() and BN_mask_bits() can create zero values - in both
cases ensure that the negative sign is correctly handled if the value
becomes zero.
Thanks to Guido Vranken for providing a reproducer.
Fixes oss-fuzz #67901
ok tb@

Userland code compiled in a normal fashion picks up the htonl(),
htons(), ntohl(), ntohs() macros implemented by endian.h. The
functions in libc are effectively unused. Keep the MI functions
in case something looks for the symbols in libc or plays games
with #undef, but change them to wrap the implementation from
endian.h.
tweaks suggested by claudio@, ok miod@

the very end of the page. Circumvent that. Reported by and fix ok
anton@

pointed out by jsing

When I unifdefed GOST support, the tree wasn't fully unlocked, so I didn't
want to touch a public header. All this code is in #ifndef OPENSSL_NO_GOST,
which we define.
ok jsing

These are four versions of near-identical code: PKCS#7 and CMS controls
for DSA and EC. The checks are rather incomplete and should probably be
merged somehow (see the Ed25519 version in ecx_methods()). For now, only
replace X509_ALGOR_set0() with its internal by_nid() version and, while
there, spell NULL correctly.
ok jca