Age | Commit message (Collapse) | Author |
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3519)
|
|
Remove assertion when mmap() fails.
Only give the 1<<31 limit test as an example.
Fix the small arena test to just check for the symptom of the infinite
loop (i.e. initialized set on failure), rather than the actual infinite
loop. This avoids some valgrind errors.
Backport of:
PR #3512 commit fee423bb68869de02fceaceefbc847e98213574b
PR #3510 commit a486561b691d6293a901b412172ca0c6d1ffc0dc
PR #3455 commit c8e89d58a5d44b9dd657d6d13a5a10d1d4d30733
PR #3449 commit 7031ddac94d0ae616d1b0670263a9265ce672cd2
Issue 1:
sh.bittable_size is a size_t but i is and int, which can result in
freelist == -1 if sh.bittable_size exceeds an int.
This seems to result in an OPENSSL_assert due to invalid allocation
size, so maybe that is "ok."
Worse, if sh.bittable_size is exactly 1<<31, then this becomes an
infinite loop (because 1<<31 is a negative int, so it can be shifted
right forever and sticks at -1).
Issue 2:
CRYPTO_secure_malloc_init() sets secure_mem_initialized=1 even when
sh_init() returns 0.
If sh_init() fails, we end up with secure_mem_initialized=1 but
sh.minsize=0. If you then call secure_malloc(), which then calls,
sh_malloc(), this then enters an infite loop since 0 << anything will
never be larger than size.
Issue 3:
That same sh_malloc loop will loop forever for a size greater
than size_t/2 because i will proceed (assuming sh.minsize=16):
i=16, 32, 64, ..., size_t/8, size_t/4, size_t/2, 0, 0, 0, 0, ....
This sequence will never be larger than "size".
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3453)
|
|
Fixes #1526
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3360)
(cherry picked from commit 9bfeeef8ee2220339e601a028fa991c30d296ed4)
|
|
BIO_socket_ioctl is only implemented on VMS for VMS version 7.0 and
up, but since we only support version 7.1 and up, there's no need to
check the VMS version.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3448)
(cherry picked from commit b57f0c598bde43e147a886c9ffb0d6fdb3141d72)
|
|
Not exactly everywhere, but in those source files where stdint.h is
included conditionally, or where it will be eventually
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3447)
(cherry picked from commit 74a011ebb5e9028ef18982d737a434a8ff926a95)
|
|
crypto/asn1/a_strex.c: Type of width variable in asn1_valid_host
function needs to be changed from char to signed char to avoid
build error due to '-Werror=type-limits'.
Signed-off-by: Patrick Steuer <psteuer@mail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
CLA: trivial
(cherry picked from commit 34657a8da2ead453460d668771984432cc767044)
|
|
The second BN_is_zero test can never be true.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3434)
(cherry picked from commit 3f97052392cb10fca5309212bf720685262ad4a6)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ce1932f25f784bc5df3505c5de8b6b53436202a3)
|
|
Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3385)
(cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3388)
(cherry picked from commit 1d3235f85c4b0e51b6baf7d8b89089c6c77f6928)
|
|
The init code uses DSO_dsobyaddr() to leak a reference to ourselves to
ensure we remain loaded until atexit() time. In some circumstances that
can fail and leave stale errors on the error queue.
Fixes #3372
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3383)
(cherry picked from commit 689f112d9806fa4a0c2f8c108226639455bc770d)
|
|
Fixes #1653 reported by Guido Vranken
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3362)
(cherry picked from commit 75a3e39288feeeefde5ed1f96ff9faeba0d2b233)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3365)
(cherry picked from commit dea0eb2c5452cd4c2160a64a6868e79efeca6e9d)
|
|
ASN1_GENERALIZEDTIME and ASN1_UTCTIME may be specified using offsets,
even though that's not supported within certificates.
To convert the offset time back to GMT, the offsets are supposed to be
subtracted, not added. e.g. 1759-0500 == 2359+0100 == 2259Z.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3335)
|
|
"Next" refers to negative minimum "next" to one presentable by given
number of bytes. For example, -128 is negative minimum presentable by
one byte, and -256 is "next" one.
Thanks to Kazuki Yamaguchi for report, GH#3339
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 1e93d619b78832834ae32f5c0c1b0e466267f72d)
|
|
Bug found and fix suggested by Julian Rüth.
Push error if fflush fails
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3266)
(cherry picked from commit 595b2a42375427a254ad5a8c85870efea839a9b9)
|
|
It is not necessary to remove leading zeros here because
RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done
in constant time, this might have leaked timing information.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3313)
(cherry picked from commit 237bc6c997e42295eeb32c8c1c709e6e6042b839)
|
|
Trouble was that integer negation wasn't producing *formally* correct
result in platform-neutral sense. Formally correct thing to do is
-(int64_t)u, but this triggers undefined behaviour for one value that
would still be representable in ASN.1. The trigger was masked with
(int64_t)(0-u), but this is formally inappropriate for values other
than the problematic one. [Also reorder branches to favour most-likely
paths and harmonize asn1_string_set_int64 with asn1_get_int64].]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3231)
(cherry picked from commit 786b6a45fbecc068d0fb8b05252a9228e0661c63)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3192)
(cherry picked from commit b997adb3a518b065240e70acf38ec5f77a937f53)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3192)
(cherry picked from commit 6d4321fc242829490e1e7a36358eb12874c9b9e0)
|
|
i.e. reduce amount of branches and favour likely ones.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3192)
(cherry picked from commit a3ea6bf0ef703b38a656245931979c7e53c410b7)
|
|
In SCTP the code was only allowing a send of a close_notify alert if the
socket is dry. If the socket isn't dry then it was attempting to save away
the close_notify alert to resend later when it is dry and then it returned
success. However because the application then thinks that the close_notify
alert has been successfully sent it never re-enters the DTLS code to
actually resend the alert. A much simpler solution is to just fail with a
retryable error in the event that the socket isn't dry. That way the
application knows to retry sending the close_notify alert.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3287)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3290)
|
|
EV Guidelines section 9.2.5 says jurisdictionCountryName follows the
same ASN.1 encoding rules as countryName.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3284)
(cherry picked from commit e8d542121b10158c1bdd5fbe02e0d17c59470cae)
|
|
BN_is_prime_fasttest_ex begins by rejecting if a <= 1. Then it goes to
set A := abs(a), but a cannot be negative at this point.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3275)
(cherry picked from commit 8b24f94209676bbe9933affd2879a686b1ed044d)
|
|
Fixes #3191
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3200)
|
|
Also, when "allocating" or "deallocating" an embedded item, never call
prim_new() or prim_free(). Call prim_clear() instead.
Fixes #3191
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3200)
|
|
fixes segmentation fault in case of not enough memory for object creation
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3157)
(cherry picked from commit 487a73def65aa6ffedf5baf353e912fe61aa3c7c)
|
|
Clearing a misunderstanding. The routines c2i_uint64_int() and
i2c_uint64_int() expect to receive that internal values are absolute
and with a separate sign flag, and the x_int64.c code handles values
that aren't absolute and have the sign bit embedded. We therefore
need to convert between absolute and non-absolute values for the
encoding of negative values to be correct.
[extended tests]
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3160)
(cherry picked from commit 429223d198aabacd129cf6dde5a4203b5af41737)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3159)
(cherry picked from commit 0856e3f167964f58c26796331eab9d8b0a883921)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ce57ac431964f7692af674fd124103d6fe07af2e)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3152)
(cherry picked from commit e128f891de71bbdba8391355af8d6d47d20b1969)
|
|
PRIu64 is error-prone with BIO_printf, so introduce and stick to custom
platform-neutral macro. 'll' allows to print 64-bit values on *all*
supported platforms, but it's problematic with -Wformat -Werror. Hence
use 'l' in identifiable LP64 cases.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3148)
|
|
This might seem controversial, but it doesn't actually affect anything.
Or rather it doesn't make worse cases when it was problematic [with code
additions to 1.1.0]. One of such rare cases is 32-bit PA-RISC target
with *vendor* compiler.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3148)
|
|
When configured no-engine, we still refered to rand_engine_lock.
Rework the lock init code to avoid that.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3145)
(cherry picked from commit 2f881d2d9065342454fe352eac9e835cefa0ba90)
|
|
This is especially harmful since OPENSSL_cleanup() has already called
the RAND cleanup function
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3137)
(cherry picked from commit 789a2b6250d5e05dfde6ce259e79ef8c172c9f3f)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3137)
(cherry picked from commit 87975cfa91c3f06a52f2550ed2ef632644be6dde)
|
|
If no default method was yet given, RAND_get_rand_method() will set it
up. Doing so just to clean it away seems pretty silly, so instead,
use the default_RAND_meth variable directly.
This also clears a possible race condition where this will try to init
things, such as ERR or ENGINE when in the middle of a OPENSSL_cleanup.
Fixes #3128
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3136)
(cherry picked from commit 5006b37b31c5a520c3065048bd8aba8cc3ff128d)
|
|
Bug uncovered by test
[extended tests]
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3120)
|
|
Credit to OSS-Fuzz for finding this.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3120)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3120)
|
|
Also Z varieties.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3120)
|
|
It seems to be problematic to probe processor capabilities with SIGILL
on MacOS X. The problem should be limited to cases when application code
is debugged, but crashes were reported even during normal execution...
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0bd93bbe4ae60e5f318b298bfe617e468a7b71d0)
|
|
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3087)
(cherry picked from commit e6f648fd880369e186039501c960809b17f96e88)
|
|
Backport of 69687aa829bc8bdcaf5468eb3dd0ada13700b7aa
(Merged from #3069)
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3079)
|
|
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3066)
(cherry picked from commit a6ac1ed686346d2164c16446624c973e51d3ae92)
|
|
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3066)
(cherry picked from commit cbe952418376a25acd872db4281a0b09735001f1)
|
|
Fixes #3033
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3035)
(cherry picked from commit 165f1c3ef39680471339d21b9f6c12ea86b4a26a)
|
|
Even though Apple refers to Procedure Call Standard for ARM Architecture
(AAPCS), they apparently adhere to custom version that doesn't follow
stack alignment constraints in the said standard. [Why or why? If it's
vendor lock-in thing, then it would be like worst spot ever.] And since
bsaes-armv7 relied on standard alignment, it became problematic to
execute the code on iOS.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0822d41b6d54132df96c02cc6f6fa9b179378351)
|
|
aesni_cbc_hmac_sha256_ctrl in case EVP_CTRL_AEAD_TLS1_AAD.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3023)
(cherry picked from commit 1b6f5a4d3b8cdb02e0bba6878a2b70c850522440)
|