| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
imported OpenSSL 0.9.4 in 1999. It won't ever be used.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
We only have to find one extension, so do that first then proceed with
processing and decryption. This makes the code more readable and drops
two levels of indent.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
Separate the malloc() check and EVP_DecryptUpdate() - the malloc() failure
is fatal while a EVP_DecryptUpdate() is a decryption failure.
Also ensure that we clear the error stack in all cases where we are
indicating a failure to decrypt or decode the ticket - otherwise
SSL_error() while later return failure when it should not.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Rather than returning from multiple places and trying to clean up as we go,
move to a single exit point and clean/free in one place. Also invert the
logic that handles NULL sessions - fail early, rather than having an
indented if test for success.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
minimum value.
Fixes oss-fuzz #14354.
ok beck@ bcook@ tb@
|
| |
|
|
|
|
| |
Found by Guido Vranken when fuzzing and trying to use GOST with HMAC.
Fix confirmed by Guido; ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
X509V3_add_value() helpfully allocates a STACK_OF(CONF_VALUE) if it
receives a pointer to a NULL pointer. If anything fails along the way,
it is however the caller's responsibility to free it. This can easily
be fixed by freeing *extlist in the error path and zeroing it to avoid
a double free if there happens to be a caller out there that avoids
the leak.
Polish a few things so the function conforms a bit better to our usual
style.
tweak & ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Fixes oss-fuzz issue #13843.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Some bread/bwrite functions implement this themselves, while others do not.
This makes it consistent across all BIO implementations.
Addresses an issue that Guido Vranken found with his fuzzer.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
This reverts part of OpenSSL c2fd5d79, which added the same code to AES
CCM, GCM and XTS. In the case of CCM and GCM nothing assigns {ccm,gcm}.key
so there is never going to be anything to update (unlike XTS).
ok tb@
|
| |
|
|
|
|
| |
Avoids use of uninitialised memory.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
In the case of a cipher with a custom copy control, if that control fails
we may still have pointers that we do not own in the previously copied
cipher data. Avoid potential double-frees by zeroing and freeing the
copied cipher data in this case.
Issue reported by Guido Vranken.
ok tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
These pointers will be passed to free. According to asprintf(3), "on
OpenBSD, ret will be set to the null pointer, but this behavior should
not be relied upon."
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The complexity of BN_bn2dec(bn) is quadratic in the length of bn. This
function is used for printing numbers in CRLs which are typically small.
If a BN is larger than 127 bits, dump it as hex because that's cheap and
for numbers this size not significantly harder for humans to parse.
OpenSSL commit 10a3195fcf7d04ba519651cf12e945a8fe470a3c by David Benjamin
(still under the old licence), but significantly simplified.
Ideally, we would catch excessively large numbers on deserialization, but
that is made trickier by the templated ASN1. Erroring out is also not an
option since the relevant part of the x509v3/ directory doesn't like to
do proper error checking (looking at you v2i and i2v).
Timeout found by oss-fuzz, should fix issues #13823 and #14130.
input & ok jsing
|
| |
|
|
|
|
|
|
| |
In the case that X509_NAME_dup() succeeds, but sk_X509_NAME_push()
fails, name is leaked. The entire function is trying to be clever
and therefore hard to follow. Let's do it the stupid but safe way.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
There are cases where the old_priv_decode() function can fail but consume
bytes. This will result in the pp pointer being advanced, which causes
d2i_PKCS8_PRIV_KEY_INFO() to be called with an advanced pointer and
incorrect length.
Fixes oss-fuzz #13803 and #14142.
ok deraadt@ tb@
|
| |
|
|
|
|
|
| |
SSL_CTX_add_extra_chain_cert(3).
From Dr. Stephen Henson <steve at openssl dot org>
via OpenSSL commit a4339ea3 Jan 3 22:38:03 2014 +0000
which is still under a free license.
|
| |
|
|
|
|
|
| |
From Kurt Roeckx <kurt at roeckx dot be>
via OpenSSL commit 57fd5170 May 13 11:24:11 2018 +0200
which is still under a free license.
While here, polish awkward wording and reduce duplication.
|
| |
|
|
| |
From Michael Scovetta, PR #108
|
| |
|
|
|
|
|
|
|
|
|
| |
In this code, just because something is cast to a type doesn't mean it is
necessarily that type - in this case we cannot check the length of the
ASN1_STRING here, since it might be another data type and later handled
as an int (for example, in the V_ASN1_BOOLEAN case).
We will revisit this post release.
ok tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the spec. To avoid the obvious loop in the RFC's state machine, we added
a CLIENT_HELLO_RETRY state which is a second ClientHello with special
rules. There is, however, no state to react to this second client hello.
This adds a matching SERVER_HELLO_RETRY state to the handshakes table.
This means in particular that the WITH_HRR state cannot be set in
tls13_server_hello_recv(), so remove this now dead check.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
under a free license, omitting functions we don't have and tweaked by me;
the functions were provided by jsing@ in ssl.h rev. 1.166.
While here, also document SSL_CTX_get_extra_chain_certs(3) because
it is closely related to companion functions are already documented
and the API is kind of incomplete without it.
|
| |
|
|
|
|
| |
record_type member of the tls13_handshake_action struct.
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
If the Server Hello received indicates that the server did not negotiate
TLS 1.3, fallback to the original TLS client implementation.
ok bcook@, tb@
|
| |
|
|
|
|
|
|
|
|
| |
The original implementation allows for libcrypto to be compiled without a
given algorithm and libssl then detects that ciphers or digests are
unavailable so that it can disable the associated cipher suites.
This is unnecessary since we do not compile out algorithms.
ok beck@, tb@ (a while back)
|
| | |
|
| |
|
|
| |
This avoids ever having a non-zero len with a NULL pointer.
|
| |
|
|
|
|
|
| |
While PTHREAD_MUTEX_INITIALIZER can be used on OpenBSD, some other
platforms do not like it.
Noted by bcook@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
These allow for chains to be managed on a per-certificate basis rather than
as a single "extra certificates" list. Note that "chain" in this context
does not actually include the leaf certificate however, unlike
SSL_CTX_use_certificate_chain_{file,mem}().
Thanks to sthen@ for running this through a bulk ports build.
ok beck@ tb@
|
| | |
|
| |
|
|
| |
ok millert@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The plen variable can be NO_PAYLOAD_LENGTH == (size_t)-1, so doing
tls_aad[plen-4] is no good. Also check that the length of the AAD
set via the control interface is equal to 13 since the whole file
is written with that case in mind.
Note that we no longer use this code in LibreSSL/OpenBSD. We
eliminated the use of these control interfaces and stitched cipher
modes in libssl a while ago.
Problem found by Guido Vranken with his cryptofuzz - thanks!
input & ok beck, jsing
|
| | |
|
| | |
|
| |
|
|
| |
Diff from Steven Roberts <sroberts at fenderq dot com> - thanks!
|
