| Age | Commit message (Collapse) | Author |
|---|
|
Requested by jsing
|
|
X509v3_{addr,asid}_is_canonical() check that the ipAddrBlocks and
autonomousSysIds extension conform to RFC 3779. These checks are not
cheap. Certs containing non-conformant extensions should not be
considered valid, so mark them with EXFLAG_INVALID while caching the
extension information in x509v3_cache_extensions(). This way the
expensive check while walking the chains during X509_verify_cert() is
replaced with a cheap check of the extension flags. This avoids a lot
of superfluous work when validating numerous certs with similar chains
against the same roots as is done in rpki-client.
Issue noticed and fix suggested by claudio
ok claudio inoguchi jsing
|
|
Ensure that EXFLAG_INVALID is set on X509_get_purpose() failure.
ok inoguchi jsing
|
|
custom implementation that only allowed matching all files in a
directory.
ok millert
|
|
This matches the prototypes in glibc and musl libc.
From Matthew Martin. OK tb@
|
|
If either of the two initial BN_CTX_get() fails, we will call
BN_RECP_CTX_free() on the uninitialized recp, which won't end
well, so hoist the BN_RECP_CTX_init() call a few lines up.
From Pauli, OpenSSL ad249412
ok inoguchi jsing
|
|
The handshake state machine does not handle key updates since that's a
post-handshake handshake message. This is code under #ifdef TLS13_DEBUG
and if it is ever to be reused in tls13_handshake_msg.c, that will have
to be revisited.
ok inoguchi jsing
|
|
(and we all laughed a little)
|
|
|
|
Fix "left shift of 255 by 24 places cannot be represented in type 'int'"
error from UBSAN. Adapted from a FreeBSD diff via tb@. OK tb@ deraadt@
|
|
Use a temporary variable to store the number of bytes to be copied
(size_t) and also use it as the memcpy(3) length. Previously we
copied "size" bytes instead of just the necessary number.
OK claudio@ tb@
|
|
|
|
'flags' should have ASN1_OBJECT_FLAG_DYNAMIC_DATA bit to free 'data'
by ASN1_OBJECT_free as c2i_ASN1_OBJECT_cbs does.
ok jsing@ tb@
|
|
DSA private keys with ill-chosen g could cause an infinite
loop on deserializing. Add a few sanity checks that ensure
that g is according to the FIPS 186-4: check 1 < g < p and
g^q == 1 (mod p). This is enough to ascertain that g is a
generator of a multiplicative group of order q once we know
that q is prime (which is checked a bit later).
Issue reported with reproducers by Hanno Boeck.
Additional variants and analysis by David Benjamin.
ok beck jsing
|
|
If a private key encoded with EC parameters happens to have
order 1 and is used for ECDSA signatures, this causes an
infinite loop since a random integer x in the interval [0,1)
will be 0, so do ... while (x == 0); will loop indefinitely.
Found and reported with a reproducer by Hanno Boeck.
Helpful comments and analysis from David Benjamin.
ok beck jsing
|
|
|
|
jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.
ok jmc@
|
|
p is allocated by asprintf() in one of the *_from_tm() functions, so
it needs to be freed as in the other error path below.
CID 346194
ok jsing
|
|
d2i_EC_PRIVATEKEY() can handle the allocation of priv_key internally,
no need to do this up front and reach it through the dangerous reuse
mechanism. There's also no point in freeing a variable we know to be
NULL.
ok jsing
|
|
It is possible to call pmeth->cleanup() with an EVP_PKEY_CTX whose data
is NULL. If pmeth->init() in int_ctx_new() fails, EVP_PKEY_CTX_free() is
called with such a context. This in turn calls pmeth->cleanup(), and thus
these cleanup functions must be careful not to use NULL data. Most of
them are, but one of GOST's functions and HMAC's aren't.
Reported for HMAC by Masaru Masada
https://github.com/libressl-portable/openbsd/issues/129
ok bcook jsing
|
|
Instead of using malloc() and setting most struct members to 0,
simply use calloc().
ok bcook jsing
|
|
ok jmc@ schwarze@
|
|
we no longer have, focus on what our implementation now does, but
keep short warnings in how far other implementations might be more
fragile. Some improvements to wordings and clarity while here.
OK tb@
|
|
|
|
Instead of bounding only bounding the group order, also bound the
cofactor using Hasse's theorem. This could probably be made a lot
tighter since all curves of cryptographic interest have small
cofactors, but for now this is good enough.
A timeout found by oss-fuzz creates a "group" with insane parameters
over a 40-bit field: the order is 14464, and the cofactor has 4196223
bits (which is obviously impossible by Hasse's theorem). These led to
running an expensive loop in ec_GFp_simple_mul_ct() millions of times.
Fixes oss-fuzz #46056
Diagnosed and fix joint with jsing
ok inoguchi jsing (previous version)
|
|
The cofactor we tried to calculate should only be zeroed if we failed
to compute it.
ok inoguchi jsing
|
|
|
|
Eliminate weasel words and needless parentheses, reduce "will" and
"shall" and "may", add more precision, some grammar fixes, shorten
and improve wordings, add some missing macros.
Triggered by a question from naddy@.
|
|
OK tb@
|
|
without this the code effectively just compares the start of the
string, which means you can get a prefix match unexpectedly. including
the nul in the comparison means it only works for whole interface
names, as it was originally intended.
reported by Aner Perez on misc@
ok deraadt@ (who also dug through the history behind this)
|
|
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and
use strndup() instead of strdup() to generate NUL terminated strings
after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not
optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
|
Now that {dtls1,ssl3}_read_bytes() have been refactored, do a clean up
pass - this cleans up various parts of the code and reduces differences
between these two functions.
ok = 1; *(&(ok)) tb@
ok inoguchi@
|
|
The code that handles each record type already has appropriate length
checks. Furthermore, the handling of application data here is likely
incorrect and bypasses the normal state checks at the end of this function.
ok inoguchi@ tb@
|
|
Along the way, rather than having yet another piece of code that parses
OID arcs, reuse oid_parse_arc(). Always allocate a new ASN1_OBJECT rather
than doing a crazy dance with ASN1_OBJECT_FLAG_DYNAMIC and trying to free
parts of an ASN1_OBJECT if one is passed in.
ok inoguchi@ tb@
|
|
This takes a CBS, gets the ASN.1 identifier and length, ensures the
resulting identifier is a valid primitive, then returns the tag number and
the content as a CBS.
ok inoguchi@ tb@
|
|
ok tb@, deraadt@, kettenis@
|
|
This is a small follow-up commit to the previous commit.
ok mbuhl millert
commit 4346a16853e19b45787ce933666026903fb8f3f8
Author: Mark Adler <madler@alumni.caltech.edu>
Date: Tue Apr 17 22:44:41 2018 -0700
Assure that the number of bits for deflatePrime() is valid.
https://github.com/madler/zlib/commit/4346a16853e19b45787ce933666026903fb8f3f8
|
|
zlib has a crashing bug. The bug fix has been sitting in the
unreleased develop branch for nearly four years. Pull in this fix.
ok mbuhl millert
Reported by Tavis Ormandy on oss-security:
https://marc.info/?l=oss-security&m=164809382107156&w=2
commit 5c44459c3b28a9bd3283aaceab7c615f8020c531
Author: Mark Adler <madler@alumni.caltech.edu>
Date: Tue Apr 17 22:09:22 2018 -0700
Fix a bug that can crash deflate on some input when using Z_FIXED.
This bug was reported by Danilo Ramos of Eideticom, Inc. It has
lain in wait 13 years before being found! The bug was introduced
in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
option forces the use of fixed Huffman codes. For rare inputs with
a large number of distant matches, the pending buffer into which
the compressed data is written can overwrite the distance symbol
table which it overlays. That results in corrupted output due to
invalid distances, and can result in out-of-bound accesses,
crashing the application.
The fix here combines the distance buffer and literal/length
buffers into a single symbol buffer. Now three bytes of pending
buffer space are opened up for each literal or length/distance
pair consumed, instead of the previous two bytes. This assures
that the pending buffer cannot overwrite the symbol table, since
the maximum fixed code compressed length/distance is 31 bits, and
since there are four bytes of pending space for every three bytes
of symbol space.
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
|
|
an else branch where only half of the macro is executed conditionally.
Acording to upstream comment this has only little impact.
https://github.com/madler/zlib/commit/38e8ce32afbaa82f67d992b9f3056f281fe69259
OK deraadt@ tb@
|
|
|
|
should not be used. It will be revisited after release.
ok beck inoguchi jsing
|
|
arm_arch.h and armcap.c are shared between armv7 and aarch64 which
results in an inscrutable #ifdef maze. Move copies of these files
into arch/{arm,aarch64}/ with appropriate names and some trivial
minor adjustments.
ok deraadt inoguchi kettenis
|
|
|
|
Specifically, describe the default behavior if the corresponding
login.conf fields are not present. OK deraadt@
|
|
Do not clear LOGIN_SETRTABLE if it is set in flags.
OK deraadt@
|
|
When LOGIN_SETRTABLE is set in flags, only call setrtable(2) if
there is an "rtable" entry in login.conf. Previously, a default
value of 0 was used if the capability was missing. That had the
effect of resetting the rtable for every program that uses
setusercontext(3), even if a different rtable was chosen by, e.g.,
"route -T exec command". OK deraadt@ matthieu@
|
|
|
|
The asn1test depends on asn1_mac.h which had a date with the bitbucket a
few years back (and the test "isn't meant to run particularly, it's just
to test type checking"). methtest.c tests an API that was never present
in OpenSSL's git history. r160test.c is nothing but a licence.
"nuke away" jsing
|
|
The current OBJ_txt2obj() implementation converts the text to ASN.1
object content octets, builds a full DER encoding from it, then feeds
the entire thing back through the DER to ASN.1 object conversion. Rather
than doing this crazy dance, provide an t2i_ASN1_OBJECT_internal() function
that converts the text to ASN.1 object content octets, then creates a new
ASN1_OBJECT and attaches the content octets to it.
ok inoguchi@ tb@
|
|
Rewrite the ascii/text to ASN.1 object conversion code using CBB/CBS,
while also addressing some of the bizarre behaviour (such as allowing
mixed separators and treating '..' as a zero value).
ok inoguchi@ tb@
|
