summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Allow constraints of the form @domain.comtb2022-03-141-10/+17
| | | | | | | | | | Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well. Pointed out and based on a diff by Alex Wilson. ok jsing
* Rework ownership handling in x509_constraints_validate()tb2022-03-143-39/+49
| | | | | | | | | | Instead of having the caller allocate and pass in a new x509_constraints_name struct, handle allocation inside x509_constraints_validate(). Also make the error optional. All this is done to simplify the call sites and to make it more obvious that there are no leaks. ok jsing
* Factor out unexpected handshake message handling code in the legacy stack.jsing2022-03-142-229/+256
| | | | | | | | | | | | | | The TLS record layer has to be able to handle unexpected handshake messages that result when it has been asked to read application data. The way that this is currently done in the legacy stack is a layering violation - the record layer knows about DTLS/TLS handshake messages, parsing them and then deciding what action to take. This is further complicated by the need to handle handshake message fragments. For now, factor this code out with minimal changes - since it is a layering violation we have to retain separate code for DTLS and TLS. ok beck@ inoguchi@ tb@
* Factor out ASN1_STRING clearing code.jsing2022-03-141-4/+15
| | | | | | | This fixes a bug in ASN1_STRING_set0() where it does not respect the ASN1_STRING_FLAG_NDEF flag and potentially frees memory that we do not own. ok inguchi@ tb@
* First pass clean up of ASN1_STRING code.jsing2022-03-141-74/+87
| | | | | | | Use consistent variable names (astr/src) rather than 'a', 'bs', 'str', 'v' or 'x', add some whitespace and remove some unneeded parentheses. ok inoguchi@ tb@
* Relax the check of x509_constraints_dirname()libressl-v3.5.1tb2022-03-131-2/+6
| | | | | | | | | The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also. From Alex Wilson ok jsing
* Add x509_constraints_validate() to x509_internal.htb2022-03-131-1/+3
| | | | | | From Alex Wilson ok jsing
* Check name constraints using the proper APItb2022-03-131-4/+21
| | | | | | | | The previous versions were too strict and disallowed leading dots. From Alex Wilson ok jsing
* style tweaktb2022-03-131-2/+2
|
* Add missing error check after strdup()tb2022-03-131-2/+5
| | | | | | From Alex Wilson ok jsing
* Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().jsing2022-03-132-50/+31
| | | | | | | | | | | The constructed ASN.1 handling in asn1_d2i_ex_primitive() and asn1_ex_c2i() currently has code to potentially avoid a malloc/memcpy - this is a less common code path and it introduces a bunch of complexity for minimal gain. In particular, we're manually adding a trailing NUL when ASN1_STRING_set() would already do that for us, plus we currently manually free() the data on an ASN1_STRING, rather than using freezero(). ok inoguchi@ tb@
* Factor out change cipher spec handing code in the legacy stack.jsing2022-03-123-65/+73
| | | | | | | | Factor out the code that handles the processing of a change cipher spec message that has been read in the legacy stack, deduplicating code in the DTLS stack. ok inoguchi@ tb@
* Simple regress for NULL deref reported by Guido Vranken and fixed intb2022-03-102-1/+51
| | | | bn_exp2.c r1.13.
* unsusual -> unusualjsg2022-03-101-3/+3
|
* Some more c99 initializers for consistency and readabilitytb2022-03-081-23/+62
|
* bump for LibreSSL 3.5.1bcook2022-03-071-3/+3
|
* Add test coverage for i2a_ASN1_OBJECT()jsing2022-03-051-3/+39
|
* Fix typo in commentbket2022-03-051-2/+2
| | | | OK tb@
* Pull a len == 0 check up before malloc(len) to avoid implementationtb2022-03-031-5/+5
| | | | | | defined behavior. ok deraadt inoguchi
* Do not write out terminating NUL in i2a_ASN1_OBJECT()tb2022-03-031-2/+2
| | | | | | | | | | | The conversion to CBB made us write out an extra NUL since we no longer use the return value of i2t_ASN1_OBJECT() (which returns strlen(data)) but rather the size of the CBB (which includes a terminal NUL) to write out data. Issue found by anton via an openssl-ruby test failure. ok jsing
* Unwrap a linetb2022-03-021-3/+2
|
* whitespacetb2022-03-021-2/+2
|
* Provide additional ASN1_OBJECT test coverage.jsing2022-03-021-16/+114
|
* Rewrite ASN1_OBJECT content to ascii/text conversion.jsing2022-03-023-101/+186
| | | | | | | | | | Rewrite the ASN1_OBJECT content to ascii/text conversion code using CBB and CBS. Currently there is a strange split with i2t_ASN1_OBJECT() calling OBJ_obj2txt() which implements the conversion, while OBJ_txt2obj() calls back into the misnamed a2d_ASN1_OBJECT() function. Move the conversion code into asn1/a_object.c and have OBJ_txt2obj() call that instead. ok inoguchi@ tb@
* Remove unused ivbits argument from chacha_keysetup to match otherdtucker2022-02-282-4/+4
| | | | instances in the tree. ok deraadt@
* Add regress coverage for ASN1_OBJECT public interfaces.jsing2022-02-262-1/+399
|
* Currently malloc caches a number of free'ed regions up to 128kotto2022-02-261-33/+160
| | | | | | | | | | in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accomodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions. Tested by many in snaps; ok deraadt@
* Get rid of SHA1 for comparing CRL's - use SHA512 just like we do for certs.beck2022-02-243-9/+7
| | | | ok tb@
* Remove accidentally committed debug code.tb2022-02-241-3/+1
|
* Minor tweakstb2022-02-241-7/+8
| | | | i is a silly name for BN_num_bits(dsa->q); move a comment for readability.
* Add sanity checks on p and q in old_dsa_priv_decode()tb2022-02-241-1/+15
| | | | | | | | | | | | | | | | | | dsa_do_verify() has checks on dsa->p and dsa->q that ensure that p isn't overly long and that q has one of the three allowed lengths specified in FIPS 186-3, namely 160, 224, or 256. Do these checks on deserialization of DSA keys without parameters. This means that we will now reject keys we would previously deserialize. Such keys are useless in that signatures generated by them would be rejected by both LibreSSL and OpenSSL. This avoids a timeout flagged in oss-fuzz #26899 due to a ridiculous DSA key whose q has size 65KiB. The timeout comes from additional checks on DSA keys added by miod in dsa_ameth.c r1.18, especially checking such a humungous number for primality is expensive. ok jsing
* Factor out alert handing code in the legacy stack.libressl-v3.5.0jsing2022-02-213-85/+77
| | | | | | | | | | | | | | | Pull out the code that processes incoming alerts - a chunk of the complexity is due to the fact that in TLSv1.2 and earlier, alerts can be fragmented across multiple records or multiple alerts can be delivered in a single record. In DTLS there is no way that we can reassemble fragmented alerts (although the RFC is silent on this), however we could have multiple alerts in the same record. This change means that we will handle this situation more appropriately and if we encounter a fragmented alert we will now treat this as a decode error (instead of silently ignoring it). ok beck@ tb@
* mutibyte -> multibytejsg2022-02-211-3/+3
|
* Fix a buffer overread in OAEP padding removaltb2022-02-201-11/+11
| | | | | | | | | This only occurs on very small payloads and tightly allocated buffers that don't usually occur in practice. This is OpenSSL f61c6804 ok inoguchi jsing
* Test OBJ_obj2txt() with NULL and short buffers.jsing2022-02-201-1/+12
|
* Add memory BIO small I/O tests.jsing2022-02-191-1/+72
|
* Remove references to performance issues caused by frequent memmove().jsing2022-02-191-13/+2
| | | | ok inoguchi@ tb@
* Reduce memmoves in memory BIOs.jsing2022-02-191-22/+38
| | | | | | | | | | | | | | | | | Currently, a read/write memory BIO pulls up the data via memmove() on each read. This becomes very expensive when a lot of small reads are performed, especially if there is a reasonable amount of data stored in the memory BIO. Instead, store a read offset into the buffer and only perform a memmove() to pull up the data on a write, if we have read more than 4096 bytes. This way we only perform memmove() when the space saving will potentially be of benefit, while avoiding frequent memmove() in the case of small interleaved reads and writes. Should address oss-fuzz #19881. ok inoguchi@ tb@
* certificiate -> certificatejsg2022-02-191-3/+3
|
* Provide a struct bio_mem for memory BIO specific data.jsing2022-02-191-47/+58
| | | | | | | | | In order to fix and improve the memory BIO, we need to be able to track more than just a single BUF_MEM *. Provide a struct bio_mem (which currently only contains a BUF_MEM *) and rework the internals to use this struct. ok inoguchi@ tb@
* Avoid gendered language in man pages when not referring to a specificjsg2022-02-181-4/+4
| | | | | | | | person. Rewrite or use singular they. ok thfr@ sthen@ daniel@ ian@ job@ kmos@ jcs@ ratchov@ phessler@ and others I'm likely missing on an earlier version. feedback tj@, feedback and ok jmc@
* Clean up and simplify memory BIO code.jsing2022-02-181-124/+139
| | | | | | | | This is a first pass that uses sensible and consistent names for variables. Call the BIO 'bio' (instead of 'a', 'b', 'bp', or 'h'), drop a bunch of unnecessary casts, simplify some logic and add additional error checking. With input from and ok tb@
* prefer https links in man pagesjsg2022-02-183-9/+9
| | | | ok gnezdo@ miod@ jmc@
* grammar/rewordjsg2022-02-181-5/+7
| | | | ok jmc@
* Add tests for memory BIO.jsing2022-02-171-2/+254
|
* Add test coverage for OBJ_txt2obj()/OBJ_obj2txt() with no_name == 0.jsing2022-02-121-4/+99
|
* Avoid potential single byte overread in asn1_parse2().jsing2022-02-121-3/+4
| | | | | | | | | | A fix for this was previously commited in r1.32, however while this added a bounds check the logic means we still fall through and perform the overread. Fix the logic such that we only log the error if the bounds check fails. While here, flip the test around such that we check for validity then print (which is more readable and matches earlier code). ok inoguchi@ tb@
* Revise for OBJ_obj2txt() OID arc limits.jsing2022-02-121-4/+4
|
* Limit OID text conversion to 64 bits per arc.jsing2022-02-121-55/+16
| | | | | | | | | | | | | | | | The current implementation uses an unsigned long, then switches to BN once the arc exceeds its size. However, the complexity of BN_bn2dec() is quadratic in the length of number being converted. This means that OIDs with excessively large arcs take a lot of computation to convert to text. While the X.660 specification states that arcs are unbounded, in reality they are not overly large numbers - 640K^W64 bits ought to be enough for any arc. Remove BN entirely, switch from unsigned long to uin64_t and fail if an arc exceeds this size. Identified via oss-fuzz timeouts - should fix #41028 and #44372. ok tb@
* Fix length check of IP addresses for name constraintstb2022-02-111-2/+3
| | | | | | | | | An IP address in a name constraint is actually an IP address concatenated with a netmask, so it is twice as long as usual. This fixes a third bug introduced in r1.3 and reported by Volker Schlecht ok jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-25 00:23:20 +0000