| Age | Commit message (Collapse) | Author |
|---|
|
Switch to using EVP_DigestVerify(). Move the freeing of in where it
belongs (previously it would leak on EVP_DigestVerifyUpdate() failure),
and use the proper idiom for ASN1_item_i2d() error checking.
ok jsing
|
|
|
|
Rename buf_in into in, buf_out into out, use in_len and out_len for their
lengths, drop a couple of silly casts and remove some empty lines.
ok jsing
|
|
This makes this function work with Ed25519 and cleans up a handful of
ugly contortions: use EVP_DigestSign() to determine the signature length
instead of using the strange EVP_PKEY_size() and garbage collect the now
useless out_len. Also use calloc().
ok jsing
|
|
Also move the NULL check for the EVP_MD into the rv == 2 path, which
is the only branch where it is used.
ok jsing
|
|
Pull a NULL check for pkey->ameth up to before ameth is first accessed. An
EVP_PKEY created with EVP_PKEY_new() has ameth == NULL, so this check makes
sense, but it does not make sense to do it where it was.
|
|
If the item_sign() ASN.1 method returns 1, it supposedly handles everything
and the goto err prior to r1.5 was actually a success path. Go figure.
This is fortunately inconsequential since there are only two item_sign()
methods, one for RSA and one for Ed25519, neither of which can return 1.
They only return 0, 2, and 3.
Pointed out by and ok jsing
|
|
Reword it in such a way that it stands on its own and doesn't refer
to a non-existent model above. Also tweak grammar and fix typos.
|
|
Instead of adding a NUL termination to OBJ_obj2txt(), move the aobj == NULL
or aobj->data == NULL checks to i2t_ASN1_OBJECT_internal(). The only other
caller, i2t_ASN1_OBJECT(), fails on aobj == NULL and aobj->length == 0, and
the latter condition is implied by aobj->data.
Cleaner solution for obj_dat.c r1.52
suggested by/ok jsing
|
|
Without the cache, we verify CRL signatures on bytes that have been
pulled through d2i_ -> i2d_, this can cause reordering, which in turn
invalidates the signature. for example if in the original CRL revocation
entries were sorted by date instead of ascending serial number order.
There are probably multiple things we can do here, but they will need
careful consideration and planning.
OK jsing@
|
|
A long time ago a workflow was envisioned for X509, X509_CRL, and X509_REQ
structures in which only fields modified after deserialization would need to
be re-encoded upon serialization.
Unfortunately, over the years, authors would sometimes forget to add code in
setter functions to trigger invalidation of previously cached DER encodings.
The presence of stale versions of structures can lead to very hard-to-debug
issues and cause immense sorrow.
Fully removing the concept of caching DER encodings ensures stale versions
of structures can never rear their ugly heads again.
OK tb@ jsing@
|
|
with beck
|
|
The old policy codes remains the default, with the new policy code
selectable by defining LIBRESSL_HAS_POLICY_DAG.
ok tb@ jsing@
|
|
|
|
|
|
Discussed with jsing and beck
|
|
jsing@ noted that ASN1_OP_D2I_POST might not be the best place to
introduce this check (as could lead to pushing errors
(ASN1_R_AUX_ERROR) onto the stack). Additionally, without matching
validation on the encoding side brittleness is introduced.
|
|
Check whether the X.509 version is in the range of valid version
values, and also checks whether the version is consistent with fields
new to those versions (such as X.509 v3 extensions).
X.690 section 11.5 states: "The encoding of a set value or a sequence
value shall not include an encoding for any component value which is
equal to its default value." However, enforcing version 1 (value 0) to
be absent reportedly caused some issues as recent as July 2020, so
accept version 1 even if it is explicitly encoded.
OK tb@ beck@
|
|
|
|
Requested by jsing
|
|
Some headers were included conditionally on OPENSSL_NO_DEPRECATED in hopes
that eventually the mess of everything includes everything will magically
resolve itself. Of course everyone would end up building openssl with
OPENSSL_NO_DEPRECATED over time... Right.
Surprisingly, the ecosystem has come to rely on these implicit inclusions,
so about two dozen ports would fail to build because of this. Patching this
would be easy but really not worth the effort.
ok jsing
|
|
|
|
|
|
|
|
|
|
There's some method to this madness.
ok jsing
|
|
pull the setting of the ex_arg up, so we can do error
checking.
ok jsing
|
|
ok jsing
|
|
BIO_new_NDEF() sets up an ASN.1 BIO to the output chain and then adds even
more BIOs. Since BIO_push(bio, new_tail) returns bio on success, after the
if ((out = BIO_push(asn_bio, out)) != NULL) the 'out' BIO and the 'asn_bio'
are the same. The code then goes on and uses one or the other. This is very
confusing. Simply stop using out once it's appended to asn_bio.
ok jsing
|
|
In case the input is not NUL terminated, the reversed check for length
and terminating NUL results in a one-byte overread. The documentation
says that the input should be a string, but in ASN.1 land you never
know...
Reported by Guido Vranken a while back
ok beck
|
|
|
|
Turn a malloc() into calloc() and check two function calls directly
forever instead of a combined check afterward.
|
|
Requested by jsing
|
|
Once the asn_bio is prepended to the out chain, and before the asn1_cb()
has done its thing, asn_bio needs to be popped off again on error. Failing
to do this can cause write after frees or double frees when the out BIO
is used after the function returned.
Based on a very complicated diff by Matt Caswell and Viktor Dukhovni.
This was part of the fixes in OpenSSL 1.1.1t.
ok jsing
|
|
|
|
If something goes wrong before the ASN.1 BIO state machine has passed
both flushing states, asn1_bio_free() forgets to free the ndef_aux
and the ex_arg since the prefix_free() and suffix_free callbacks are
not called.
This can lead to leaks, notably in streaming bios.
Part of https://github.com/openssl/openssl/pull/15999
I have a regress covering this but it is not yet ready to land.
ok beck jsing
|
|
ASN.1 BOOLEANs and ASN.1 NULL are handled specially in the ASN.1 sausage
factory and they are special in that they don't have a->value.ptr set.
Both need to be special cased here since they fail the a->type.ptr != NULL
check.
Apart from fixing an obvious bug in ASN1_TYPE_get(), this fixes another
crash in openssl(1) asn1parse. There is more to do in the vicinity, but
that is more complex and will have to wait for OpenBSD 7.3-current.
with/ok jsing
|
|
These functions are rather similar, so there's no need for the code to
be wildly different. Add a missing NULL check to ndef_prefix_free() since
that will be needed in a subsequent commit.
ok jsing
|
|
Flip the logic of NULL checks on out and *out to unindent, use calloc()
instead of malloc() and check on assign. Also drop the newly added len2
again, it isn't needed.
ok jsing
|
|
The i2d API design is: call a function first with a pointer to NULL, get
the length, allocate a buffer, call the function passing the buffer in.
Both calls should be checked since ther are still internal allocations.
At the heart of ASN.1 encoding, this idiom is used and the second call
is assumed to succeed after the length was determined. This is far from
guaranteed. Check that the second call returns the same length and error
otherwise.
ok jsing
|
|
If the BIO_write() in the ASN1_STATE_DATA_COPY state fails, incorrect
error handling will break out of the switch without changing the state,
and the infinite for loop will immediately try the same write again,
which is unlikely to succeed... Clearly this code intended to break out
of the loop instead.
Via OpenSSL 1.1 commit 723f616df81ea05f31407f7417f49eea89bb459a
ok millert
|
|
If an ASN.1 BIT STRING a of length > 0 contains only zero bytes in a->data,
this old code would end up reading from a->data[-1]. This may or may not
crash. Luckily, anton observed two openssl-ruby regress test failures in
the last few days, which could eventually be traced back to this (after a
lot of painful digging due to coredumps not working properly).
ok jsing
|
|
32-bit platforms; NFCI
ok tb@
|
|
This is an obvious omission from the OpenSSL 1.1 and OpenSSL 3 API which
does not provide a way to access the tbs sigalg of a CRL. This is needed
in security/pivy.
From Alex Wilson
ok jsing
|
|
i removed the arithmetics -> arithmetic changes, as i felt they
were not clearly correct
ok tb
|
|
ok jsing
|
|
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook
|
|
This rename was done before commit, but one instance was missed since it
was hidden behind #ifdef SMALL_TIME_T.
Spotted by Android CI.
|
|
This is needed to print the 32-byte Ed25519 keys which aren't handled
as BNs.
|
|
ok beck@ tb@
|
