diff options
Diffstat (limited to 'crypto')
79 files changed, 1256 insertions, 321 deletions
diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c index 4af2276a8d..f36c769b18 100644 --- a/crypto/asn1/a_d2i_fp.c +++ b/crypto/asn1/a_d2i_fp.c @@ -148,6 +148,9 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) goto err; } len += i; + if ((size_t)i < want) + continue; + } } /* else data already loaded */ diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 73c69eacd2..2279379793 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -198,7 +198,8 @@ int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a) } if (i <= 0) { i = BIO_write(bp, "<INVALID>", 9); - i += BIO_dump(bp, (const char *)a->data, a->length); + if (i > 0) + i += BIO_dump(bp, (const char *)a->data, a->length); return i; } BIO_write(bp, p, i); diff --git a/crypto/asn1/f_int.c b/crypto/asn1/f_int.c index 20192b577b..416c6f7195 100644 --- a/crypto/asn1/f_int.c +++ b/crypto/asn1/f_int.c @@ -76,8 +76,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size) again = (buf[i - 1] == '\\'); for (j = 0; j < i; j++) { - if (!ossl_isxdigit(buf[j])) - { + if (!ossl_isxdigit(buf[j])) { i = j; break; } diff --git a/crypto/asn1/standard_methods.h b/crypto/asn1/standard_methods.h index 6b73d9a771..ab5af9d76f 100644 --- a/crypto/asn1/standard_methods.h +++ b/crypto/asn1/standard_methods.h @@ -23,7 +23,6 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { &ossl_dsa_asn1_meths[1], &ossl_dsa_asn1_meths[2], &ossl_dsa_asn1_meths[3], - &ossl_dsa_asn1_meths[4], #endif #ifndef OPENSSL_NO_EC &ossl_eckey_asn1_meth, diff --git a/crypto/bio/bf_readbuff.c b/crypto/bio/bf_readbuff.c index 135ccef83b..62490b9a2b 100644 --- a/crypto/bio/bf_readbuff.c +++ b/crypto/bio/bf_readbuff.c @@ -222,10 +222,13 @@ static int readbuffer_gets(BIO *b, char *buf, int size) char *p; int i, j; - if (size == 0) + if (buf == NULL || size == 0) return 0; --size; /* the passed in size includes the terminator - so remove it here */ ctx = (BIO_F_BUFFER_CTX *)b->ptr; + + if (ctx == NULL || b->next_bio == NULL) + return 0; BIO_clear_retry_flags(b); /* If data is already buffered then use this first */ diff --git a/crypto/bio/bio_addr.c b/crypto/bio/bio_addr.c index 0a64d0749a..9081a2071c 100644 --- a/crypto/bio/bio_addr.c +++ b/crypto/bio/bio_addr.c @@ -774,16 +774,19 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, /* Windows doesn't seem to have in_addr_t */ #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) static uint32_t he_fallback_address; - static const char *he_fallback_addresses[] = - { (char *)&he_fallback_address, NULL }; + static const char *he_fallback_addresses[] = { + (char *)&he_fallback_address, NULL + }; #else static in_addr_t he_fallback_address; - static const char *he_fallback_addresses[] = - { (char *)&he_fallback_address, NULL }; + static const char *he_fallback_addresses[] = { + (char *)&he_fallback_address, NULL + }; #endif - static const struct hostent he_fallback = - { NULL, NULL, AF_INET, sizeof(he_fallback_address), - (char **)&he_fallback_addresses }; + static const struct hostent he_fallback = { + NULL, NULL, AF_INET, sizeof(he_fallback_address), + (char **)&he_fallback_addresses + }; #if defined(OPENSSL_SYS_VMS) && defined(__DECC) # pragma pointer_size restore #endif @@ -799,14 +802,12 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, if (!RUN_ONCE(&bio_lookup_init, do_bio_lookup_init)) { /* Should this be raised inside do_bio_lookup_init()? */ ERR_raise(ERR_LIB_BIO, ERR_R_CRYPTO_LIB); - ret = 0; - goto err; + return 0; } - if (!CRYPTO_THREAD_write_lock(bio_lookup_lock)) { - ret = 0; - goto err; - } + if (!CRYPTO_THREAD_write_lock(bio_lookup_lock)) + return 0; + he_fallback_address = INADDR_ANY; if (host == NULL) { he = &he_fallback; diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index cab87d9959..c46424c8ea 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -82,8 +82,9 @@ int BN_get_params(int which) const BIGNUM *BN_value_one(void) { static const BN_ULONG data_one = 1L; - static const BIGNUM const_one = - { (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA }; + static const BIGNUM const_one = { + (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA + }; return &const_one; } diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c index d7c2f4bd5b..4cb64b453b 100644 --- a/crypto/bn/bn_mod.c +++ b/crypto/bn/bn_mod.c @@ -8,6 +8,7 @@ */ #include "internal/cryptlib.h" +#include "internal/nelem.h" #include "bn_local.h" int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) @@ -61,7 +62,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, if (bn_wexpand(r, mtop) == NULL) return 0; - if (mtop > sizeof(storage) / sizeof(storage[0])) { + if (mtop > OSSL_NELEM(storage)) { tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG)); if (tp == NULL) return 0; diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c index bc864346fb..0d254736e0 100644 --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -84,8 +84,8 @@ static const BN_ULONG _nist_p_384_sqr[] = { 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL }; -static const BN_ULONG _nist_p_521[] = - { 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, +static const BN_ULONG _nist_p_521[] = { + 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, diff --git a/crypto/build.info b/crypto/build.info index 90a3b78cda..2642d30754 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -91,7 +91,7 @@ DEFINE[../providers/libdefault.a]=$CPUIDDEF $CORE_COMMON=provider_core.c provider_predefined.c \ core_fetch.c core_algorithm.c core_namemap.c self_test_core.c -SOURCE[../libcrypto]=$CORE_COMMON provider_conf.c +SOURCE[../libcrypto]=$CORE_COMMON provider_conf.c indicator_core.c SOURCE[../providers/libfips.a]=$CORE_COMMON # Central utilities @@ -107,7 +107,7 @@ SOURCE[../libcrypto]=$UTIL_COMMON \ comp_methods.c cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c \ o_dir.c o_fopen.c getenv.c o_init.c init.c trace.c provider.c \ provider_child.c punycode.c passphrase.c sleep.c deterministic_nonce.c \ - quic_vlint.c time.c + quic_vlint.c time.c defaults.c SOURCE[../providers/libfips.a]=$UTIL_COMMON SOURCE[../libcrypto]=$UPLINKSRC diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 4ba7b81087..9628f0500a 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -145,34 +145,6 @@ static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex) return res; } -/* Add extension list to the referenced extension stack, which may be NULL */ -static int add_extensions(STACK_OF(X509_EXTENSION) **target, - const STACK_OF(X509_EXTENSION) *exts) -{ - int i; - - if (target == NULL) - return 0; - - for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { - X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); - ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext); - int idx = X509v3_get_ext_by_OBJ(*target, obj, -1); - - /* Does extension exist in target? */ - if (idx != -1) { - /* Delete all extensions of same type */ - do { - X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx)); - idx = X509v3_get_ext_by_OBJ(*target, obj, -1); - } while (idx != -1); - } - if (!X509v3_add_ext(target, ext, -1)) - return 0; - } - return 1; -} - /* Add a CRL revocation reason code to extension stack, which may be NULL */ static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code) { @@ -359,7 +331,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans)) goto err; if (ctx->reqExtensions != NULL /* augment/override existing ones */ - && !add_extensions(&exts, ctx->reqExtensions)) + && X509v3_add_extensions(&exts, ctx->reqExtensions) == NULL) goto err; if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && !add1_extension(&exts, NID_subject_alt_name, diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index 53c41bc96e..84bddcec09 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -20,8 +20,7 @@ #include <openssl/err.h> /* the context for the generic CMP server */ -struct ossl_cmp_srv_ctx_st -{ +struct ossl_cmp_srv_ctx_st { OSSL_CMP_CTX *ctx; /* CMP client context reused for transactionID etc. */ void *custom_ctx; /* application-specific server context */ int certReqId; /* of ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */ diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c index c6e8c076da..e5931c985c 100644 --- a/crypto/cms/cms_dh.c +++ b/crypto/cms/cms_dh.c @@ -123,7 +123,7 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) goto err; kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery); - if (kekcipher == NULL + if (kekcipher == NULL || EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE) goto err; if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL)) diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 37dfbe5389..217d27dd90 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -1301,7 +1301,7 @@ int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio) BIO_get_cipher_ctx(cmsbio, &ctx); - /* + /* * The tag is set only for encryption. There is nothing to do for * decryption. */ diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 759e1d46af..b09985ad3e 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -622,12 +622,18 @@ STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms) STACK_OF(X509) *certs = NULL; CMS_CertificateChoices *cch; STACK_OF(CMS_CertificateChoices) **pcerts; - int i; + int i, n; pcerts = cms_get0_certificate_choices(cms); if (pcerts == NULL) return NULL; - for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { + + /* make sure to return NULL only on error */ + n = sk_CMS_CertificateChoices_num(*pcerts); + if ((certs = sk_X509_new_reserve(NULL, n)) == NULL) + return NULL; + + for (i = 0; i < n; i++) { cch = sk_CMS_CertificateChoices_value(*pcerts, i); if (cch->type == 0) { if (!ossl_x509_add_cert_new(&certs, cch->d.certificate, @@ -638,7 +644,6 @@ STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms) } } return certs; - } STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms) @@ -646,12 +651,18 @@ STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms) STACK_OF(X509_CRL) *crls = NULL; STACK_OF(CMS_RevocationInfoChoice) **pcrls; CMS_RevocationInfoChoice *rch; - int i; + int i, n; pcrls = cms_get0_revocation_choices(cms); if (pcrls == NULL) return NULL; - for (i = 0; i < sk_CMS_RevocationInfoChoice_num(*pcrls); i++) { + + /* make sure to return NULL only on error */ + n = sk_CMS_RevocationInfoChoice_num(*pcrls); + if ((crls = sk_X509_CRL_new_reserve(NULL, n)) == NULL) + return NULL; + + for (i = 0; i < n; i++) { rch = sk_CMS_RevocationInfoChoice_value(*pcrls, i); if (rch->type == 0) { if (crls == NULL) { diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 4df4487cbc..3bc70a7b30 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -15,6 +15,7 @@ #include <openssl/cms.h> #include "cms_local.h" #include "crypto/asn1.h" +#include "crypto/x509.h" static BIO *cms_get_text_bio(BIO *out, unsigned int flags) { @@ -308,7 +309,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, { CMS_SignerInfo *si; STACK_OF(CMS_SignerInfo) *sinfos; - STACK_OF(X509) *cms_certs = NULL; + STACK_OF(X509) *untrusted = NULL; STACK_OF(X509_CRL) *crls = NULL; STACK_OF(X509) **si_chains = NULL; X509 *signer; @@ -360,13 +361,21 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, if (si_chains == NULL) goto err; } - cms_certs = CMS_get1_certs(cms); - if (!(flags & CMS_NOCRL)) - crls = CMS_get1_crls(cms); + if ((untrusted = CMS_get1_certs(cms)) == NULL) + goto err; + if (sk_X509_num(certs) > 0 + && !ossl_x509_add_certs_new(&untrusted, certs, + X509_ADD_FLAG_UP_REF | + X509_ADD_FLAG_NO_DUP)) + goto err; + + if ((flags & CMS_NOCRL) == 0 + && (crls = CMS_get1_crls(cms)) == NULL) + goto err; for (i = 0; i < scount; i++) { si = sk_CMS_SignerInfo_value(sinfos, i); - if (!cms_signerinfo_verify_cert(si, store, cms_certs, crls, + if (!cms_signerinfo_verify_cert(si, store, untrusted, crls, si_chains ? &si_chains[i] : NULL, ctx)) goto err; @@ -482,7 +491,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, OSSL_STACK_OF_X509_free(si_chains[i]); OPENSSL_free(si_chains); } - OSSL_STACK_OF_X509_free(cms_certs); + sk_X509_pop_free(untrusted, X509_free); sk_X509_CRL_pop_free(crls, X509_CRL_free); return ret; diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index e047746f67..b007692022 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -330,7 +330,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) v = NULL; /* check for line continuation */ - if (bufnum >= 1) { + if (!again && bufnum >= 1) { /* * If we have bytes and the last char '\\' and second last char * is not '\\' diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index 1ac3d9f7b7..9d49a5f69d 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -692,6 +692,18 @@ char *CONF_get1_default_config_file(void) return OPENSSL_strdup(file); t = X509_get_default_cert_area(); + /* + * On windows systems with -DOSSL_WINCTX set, if the needed registry + * keys are not yet set, openssl applets will return, due to an inability + * to locate various directories, like the default cert area. In that + * ev |