diff options
Diffstat (limited to 'crypto')
53 files changed, 436 insertions, 199 deletions
diff --git a/crypto/asn1/a_bytes.c b/crypto/asn1/a_bytes.c index 385b53986a29..65e5394664a4 100644 --- a/crypto/asn1/a_bytes.c +++ b/crypto/asn1/a_bytes.c @@ -60,7 +60,12 @@ #include "cryptlib.h" #include <openssl/asn1.h> -static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c); +static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c, + int depth); +static ASN1_STRING *int_d2i_ASN1_bytes(ASN1_STRING **a, + const unsigned char **pp, long length, + int Ptag, int Pclass, int depth, + int *perr); /* * type is a 'bitmap' of acceptable string types. */ @@ -99,7 +104,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp, ret = (*a); if (len != 0) { - s = (unsigned char *)OPENSSL_malloc((int)len + 1); + s = OPENSSL_malloc((int)len + 1); if (s == NULL) { i = ERR_R_MALLOC_FAILURE; goto err; @@ -154,15 +159,38 @@ int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass) return (r); } +/* + * Maximum recursion depth of d2i_ASN1_bytes(): much more than should be + * encountered in pratice. + */ + +#define ASN1_BYTES_MAXDEPTH 20 + ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, long length, int Ptag, int Pclass) { + int err = 0; + ASN1_STRING *s = int_d2i_ASN1_bytes(a, pp, length, Ptag, Pclass, 0, &err); + if (err != 0) + ASN1err(ASN1_F_D2I_ASN1_BYTES, err); + return s; +} + +static ASN1_STRING *int_d2i_ASN1_bytes(ASN1_STRING **a, + const unsigned char **pp, long length, + int Ptag, int Pclass, + int depth, int *perr) +{ ASN1_STRING *ret = NULL; const unsigned char *p; unsigned char *s; long len; int inf, tag, xclass; - int i = 0; + + if (depth > ASN1_BYTES_MAXDEPTH) { + *perr = ASN1_R_NESTED_ASN1_STRING; + return NULL; + } if ((a == NULL) || ((*a) == NULL)) { if ((ret = ASN1_STRING_new()) == NULL) @@ -173,18 +201,19 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, p = *pp; inf = ASN1_get_object(&p, &len, &tag, &xclass, length); if (inf & 0x80) { - i = ASN1_R_BAD_OBJECT_HEADER; + *perr = ASN1_R_BAD_OBJECT_HEADER; goto err; } if (tag != Ptag) { - i = ASN1_R_WRONG_TAG; + *perr = ASN1_R_WRONG_TAG; goto err; } if (inf & V_ASN1_CONSTRUCTED) { ASN1_const_CTX c; + c.error = 0; c.pp = pp; c.p = p; c.inf = inf; @@ -192,17 +221,18 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, c.tag = Ptag; c.xclass = Pclass; c.max = (length == 0) ? 0 : (p + length); - if (!asn1_collate_primitive(ret, &c)) + if (!asn1_collate_primitive(ret, &c, depth)) { + *perr = c.error; goto err; - else { + } else { p = c.p; } } else { if (len != 0) { if ((ret->length < len) || (ret->data == NULL)) { - s = (unsigned char *)OPENSSL_malloc((int)len + 1); + s = OPENSSL_malloc((int)len + 1); if (s == NULL) { - i = ERR_R_MALLOC_FAILURE; + *perr = ERR_R_MALLOC_FAILURE; goto err; } if (ret->data != NULL) @@ -230,7 +260,6 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, err: if ((ret != NULL) && ((a == NULL) || (*a != ret))) ASN1_STRING_free(ret); - ASN1err(ASN1_F_D2I_ASN1_BYTES, i); return (NULL); } @@ -242,7 +271,8 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, * There have been a few bug fixes for this function from Paul Keogh * <paul.keogh@sse.ie>, many thanks to him */ -static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c) +static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c, + int depth) { ASN1_STRING *os = NULL; BUF_MEM b; @@ -270,9 +300,8 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c) } c->q = c->p; - if (d2i_ASN1_bytes(&os, &c->p, c->max - c->p, c->tag, c->xclass) - == NULL) { - c->error = ERR_R_ASN1_LIB; + if (int_d2i_ASN1_bytes(&os, &c->p, c->max - c->p, c->tag, c->xclass, + depth + 1, &c->error) == NULL) { goto err; } @@ -297,7 +326,6 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c) ASN1_STRING_free(os); return (1); err: - ASN1err(ASN1_F_ASN1_COLLATE_PRIMITIVE, c->error); if (os != NULL) ASN1_STRING_free(os); if (b.data != NULL) diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 27f9c1691462..229a40ffa344 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -73,7 +73,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp) return (0); objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT); - if (pp == NULL) + if (pp == NULL || objsize == -1) return objsize; p = *pp; @@ -174,8 +174,12 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num) if (!tmp) goto err; } - while (blsize--) - tmp[i++] = (unsigned char)BN_div_word(bl, 0x80L); + while (blsize--) { + BN_ULONG t = BN_div_word(bl, 0x80L); + if (t == (BN_ULONG)-1) + goto err; + tmp[i++] = (unsigned char)t; + } } else { for (;;) { diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c index bf3f97188926..5fb58655757d 100644 --- a/crypto/asn1/a_set.c +++ b/crypto/asn1/a_set.c @@ -57,6 +57,7 @@ */ #include <stdio.h> +#include <limits.h> #include "cryptlib.h" #include <openssl/asn1_mac.h> @@ -98,10 +99,14 @@ int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, if (a == NULL) return (0); - for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) + for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) { + int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + if (tmplen > INT_MAX - ret) + return -1; ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + } r = ASN1_object_size(1, ret, ex_tag); - if (pp == NULL) + if (pp == NULL || r == -1) return (r); p = *pp; diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 874b1af8b09a..e63e82a8b476 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -256,26 +256,30 @@ static void asn1_put_length(unsigned char **pp, int length) int ASN1_object_size(int constructed, int length, int tag) { - int ret; - - ret = length; - ret++; + int ret = 1; + if (length < 0) + return -1; if (tag >= 31) { while (tag > 0) { tag >>= 7; ret++; } } - if (constructed == 2) - return ret + 3; - ret++; - if (length > 127) { - while (length > 0) { - length >>= 8; - ret++; + if (constructed == 2) { + ret += 3; + } else { + ret++; + if (length > 127) { + int tmplen = length; + while (tmplen > 0) { + tmplen >>= 8; + ret++; + } } } - return (ret); + if (ret >= INT_MAX - length) + return -1; + return ret + length; } static int _asn1_Finish(ASN1_const_CTX *c) @@ -324,7 +328,7 @@ int asn1_GetSequence(ASN1_const_CTX *c, long *length) return (0); } if (c->inf == (1 | V_ASN1_CONSTRUCTED)) - c->slen = *length + *(c->pp) - c->p; + c->slen = *length; c->eos = 0; return (1); } @@ -366,7 +370,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len) else len = strlen(data); } - if ((str->length < len) || (str->data == NULL)) { + if ((str->length <= len) || (str->data == NULL)) { c = str->data; if (c == NULL) str->data = OPENSSL_malloc(len + 1); diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c index 96110c540f3d..9fd5bef0fc97 100644 --- a/crypto/asn1/asn_mime.c +++ b/crypto/asn1/asn_mime.c @@ -289,7 +289,7 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, if ((flags & SMIME_DETACHED) && data) { /* We want multipart/signed */ /* Generate a random boundary */ - if (RAND_pseudo_bytes((unsigned char *)bound, 32) < 0) + if (RAND_bytes((unsigned char *)bound, 32) <= 0) return 0; for (i = 0; i < 32; i++) { c = bound[i] & 0xf; diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index d21829af192f..86dcf5fba9d7 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -97,15 +97,17 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, if (!ret->ameth->old_priv_decode || !ret->ameth->old_priv_decode(ret, &p, length)) { if (ret->ameth->priv_decode) { + EVP_PKEY *tmp; PKCS8_PRIV_KEY_INFO *p8 = NULL; p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); if (!p8) goto err; - EVP_PKEY_free(ret); - ret = EVP_PKCS82PKEY(p8); + tmp = EVP_PKCS82PKEY(p8); PKCS8_PRIV_KEY_INFO_free(p8); - if (ret == NULL) + if (tmp == NULL) goto err; + EVP_PKEY_free(ret); + ret = tmp; } else { ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB); goto err; diff --git a/crypto/asn1/f_enum.c b/crypto/asn1/f_enum.c index 591c3b578127..94cd54dbeedd 100644 --- a/crypto/asn1/f_enum.c +++ b/crypto/asn1/f_enum.c @@ -160,8 +160,6 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size) i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE); - if (s != NULL) - OPENSSL_free(s); goto err; } s = sp; @@ -199,5 +197,7 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size) err_sl: ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ASN1_R_SHORT_LINE); } + if (ret != 1) + OPENSSL_free(s); return (ret); } diff --git a/crypto/asn1/f_int.c b/crypto/asn1/f_int.c index 4a81f81c8832..2bdc78d74491 100644 --- a/crypto/asn1/f_int.c +++ b/crypto/asn1/f_int.c @@ -172,8 +172,6 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size) sp = OPENSSL_realloc_clean(s, slen, num + i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE); - if (s != NULL) - OPENSSL_free(s); goto err; } s = sp; @@ -211,5 +209,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size) err_sl: ASN1err(ASN1_F_A2I_ASN1_INTEGER, ASN1_R_SHORT_LINE); } + if (ret != 1) + OPENSSL_free(s); return (ret); } diff --git a/crypto/asn1/f_string.c b/crypto/asn1/f_string.c index 6a6cf3471408..0f7b9cfb119b 100644 --- a/crypto/asn1/f_string.c +++ b/crypto/asn1/f_string.c @@ -166,8 +166,6 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size) i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_STRING, ERR_R_MALLOC_FAILURE); - if (s != NULL) - OPENSSL_free(s); goto err; } s = sp; @@ -205,5 +203,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size) err_sl: ASN1err(ASN1_F_A2I_ASN1_STRING, ASN1_R_SHORT_LINE); } + if (ret != 1) + OPENSSL_free(s); return (ret); } diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c index bdbfdcd67c07..e2a1def53f1d 100644 --- a/crypto/asn1/p5_pbe.c +++ b/crypto/asn1/p5_pbe.c @@ -101,7 +101,7 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, sstr = ASN1_STRING_data(pbe->salt); if (salt) memcpy(sstr, salt, saltlen); - else if (RAND_pseudo_bytes(sstr, saltlen) < 0) + else if (RAND_bytes(sstr, saltlen) <= 0) goto err; if (!ASN1_item_pack(pbe, ASN1_ITEM_rptr(PBEPARAM), &pbe_str)) { diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index 73ba4a3d67aa..388053e0a1bf 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -120,7 +120,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, if (EVP_CIPHER_iv_length(cipher)) { if (aiv) memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); - else if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) + else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) goto err; } @@ -225,7 +225,7 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, if (salt) memcpy(osalt->data, salt, saltlen); - else if (RAND_pseudo_bytes(osalt->data, saltlen) < 0) + else if (RAND_bytes(osalt->data, saltlen) <= 0) goto merr; if (iter <= 0) diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index f7f83e56a981..081a9d534f8a 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -59,6 +59,7 @@ #include <stddef.h> #include <string.h> +#include <limits.h> #include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/asn1t.h> @@ -216,17 +217,19 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) { const ASN1_TEMPLATE *seqtt; ASN1_VALUE **pseqval; + int tmplen; seqtt = asn1_do_adb(pval, tt, 1); if (!seqtt) return 0; pseqval = asn1_get_field_ptr(pval, seqtt); - /* FIXME: check for errors in enhanced version */ - seqcontlen += asn1_template_ex_i2d(pseqval, NULL, seqtt, - -1, aclass); + tmplen = asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, aclass); + if (tmplen == -1 || (tmplen > INT_MAX - seqcontlen)) + return -1; + seqcontlen += tmplen; } seqlen = ASN1_object_size(ndef, seqcontlen, tag); - if (!out) + if (!out || seqlen == -1) return seqlen; /* Output SEQUENCE header */ ASN1_put_object(out, ndef, seqcontlen, tag, aclass); @@ -339,19 +342,24 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, /* Determine total length of items */ skcontlen = 0; for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) { + int tmplen; skitem = sk_ASN1_VALUE_value(sk, i); - skcontlen += ASN1_item_ex_i2d(&skitem, NULL, - ASN1_ITEM_ptr(tt->item), - -1, iclass); + tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), + -1, iclass); + if (tmplen == -1 || (skcontlen > INT_MAX - tmplen)) + return -1; + skcontlen += tmplen; } sklen = ASN1_object_size(ndef, skcontlen, sktag); + if (sklen == -1) + return -1; /* If EXPLICIT need length of surrounding tag */ if (flags & ASN1_TFLG_EXPTAG) ret = ASN1_object_size(ndef, sklen, ttag); else ret = sklen; - if (!out) + if (!out || ret == -1) return ret; /* Now encode this lot... */ @@ -380,7 +388,7 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, return 0; /* Find length of EXPLICIT tag */ ret = ASN1_object_size(ndef, i, ttag); - if (out) { + if (out && ret != -1) { /* Output tag and item */ ASN1_put_object(out, ndef, i, ttag, tclass); ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass); diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index 5e7d53e9854a..d163acb81400 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c @@ -446,6 +446,8 @@ static int asn1_print_integer_ctx(BIO *out, ASN1_INTEGER *str, char *s; int ret = 1; s = i2s_ASN1_INTEGER(NULL, str); + if (s == NULL) + return 0; if (BIO_puts(out, s) <= 0) ret = 0; OPENSSL_free(s); diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c index a858c2993b90..26378fdb2a02 100644 --- a/crypto/asn1/x_name.c +++ b/crypto/asn1/x_name.c @@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, int i, j, ret; STACK_OF(X509_NAME_ENTRY) *entries; X509_NAME_ENTRY *entry; - if (len > X509_NAME_MAX) { - ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG); - return 0; - } + if (len > X509_NAME_MAX) + len = X509_NAME_MAX; q = p; /* Get internal representation of Name */ diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c index a04f32a00817..4842bb4c82ff 100644 --- a/crypto/bio/bf_nbio.c +++ b/crypto/bio/bf_nbio.c @@ -139,7 +139,7 @@ static int nbiof_read(BIO *b, char *out, int outl) BIO_clear_retry_flags(b); #if 1 - if (RAND_pseudo_bytes(&n, 1) < 0) + if (RAND_bytes(&n, 1) <= 0) return -1; num = (n & 0x07); @@ -179,7 +179,7 @@ static int nbiof_write(BIO *b, const char *in, int inl) num = nt->lwn; nt->lwn = 0; } else { - if (RAND_pseudo_bytes(&n, 1) < 0) + if (RAND_bytes(&n, 1) <= 0) return -1; num = (n & 7); } diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 80105fff410c..10b78f512607 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -569,7 +569,7 @@ void BN_clear(BIGNUM *a) { bn_check_top(a); if (a->d != NULL) - memset(a->d, 0, a->dmax * sizeof(a->d[0])); + OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0])); a->top = 0; a->neg = 0; } diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c index bfa31efc5621..a9ff271b9ae9 100644 --- a/crypto/bn/bn_print.c +++ b/crypto/bn/bn_print.c @@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a) char *p; BIGNUM *t = NULL; BN_ULONG *bn_data = NULL, *lp; + int bn_data_num; /*- * get an upper bound for the length of the decimal integer @@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a) */ i = BN_num_bits(a) * 3; num = (i / 10 + i / 1000 + 1) + 1; - bn_data = - (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); - buf = (char *)OPENSSL_malloc(num + 3); + bn_data_num = num / BN_DEC_NUM + 1; + bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); + buf = OPENSSL_malloc(num + 3); if ((buf == NULL) || (bn_data == NULL)) { BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); goto err; @@ -140,9 +141,12 @@ char *BN_bn2dec(const BIGNUM *a) if (BN_is_negative(t)) *p++ = '-'; - i = 0; while (!BN_is_zero(t)) { + if (lp - bn_data >= bn_data_num) + goto err; *lp = BN_div_word(t, BN_DEC_CONV); + if (*lp == (BN_ULONG)-1) + goto err; lp++; } lp--; diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index f9fb2e9e45e0..2266d22b66aa 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -145,13 +145,9 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) time(&tim); RAND_add(&tim, sizeof(tim), 0.0); - if (pseudorand) { - if (RAND_pseudo_bytes(buf, bytes) == -1) - goto err; - } else { - if (RAND_bytes(buf, bytes) <= 0) - goto err; - } + /* We ignore the value of pseudorand and always call RAND_bytes */ + if (RAND_bytes(buf, bytes) <= 0) + goto err; #if 1 if (pseudorand == 2) { diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c index b14b4b68b5c9..90b1fcc75075 100644 --- a/crypto/cms/cms_enc.c +++ b/crypto/cms/cms_enc.c @@ -119,7 +119,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { - if (RAND_pseudo_bytes(iv, ivlen) <= 0) + if (RAND_bytes(iv, ivlen) <= 0) goto err; piv = iv; } @@ -179,10 +179,9 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) CMS_R_CIPHER_INITIALISATION_ERROR); goto err; } - - if (piv) { + if (enc) { calg->parameter = ASN1_TYPE_new(); - if (!calg->parameter) { + if (calg->parameter == NULL) { CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, ERR_R_MALLOC_FAILURE); goto err; } @@ -191,6 +190,11 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); goto err; } + /* If parameter type not set omit parameter */ + if (calg->parameter->type == V_ASN1_UNDEF) { + ASN1_TYPE_free(calg->parameter); + calg->parameter = NULL; + } } ok = 1; diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index 8631a2eb2b30..8212560628a9 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -107,8 +107,7 @@ CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen, else { if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32)) goto merr; - if (RAND_pseudo_bytes(rr->signedContentIdentifier->data, 32) - <= 0) + if (RAND_bytes(rr->signedContentIdentifier->data, 32) <= 0) goto err; } diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index b91c01691fec..5c817caf2f05 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -134,7 +134,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, ivlen = EVP_CIPHER_CTX_iv_length(&ctx); if (ivlen > 0) { - if (RAND_pseudo_bytes(iv, ivlen) <= 0) + if (RAND_bytes(iv, ivlen) <= 0) goto err; if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) { CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB); @@ -301,7 +301,7 @@ static int kek_wrap_key(unsigned char *out, size_t *outlen, memcpy(out + 4, in, inlen); /* Add random padding to end */ if (olen > inlen + 4 - && RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen) < 0) + && RAND_bytes(out + 4 + inlen, olen - 4 - inlen) <= 0) return 0; /* Encrypt twice */ EVP_EncryptUpdate(ctx, out, &dummy, out, olen); diff --git a/crypto/des/des.c b/crypto/des/des.c index 586aed72378c..d7374382d83a 100644 --- a/crypto/des/des.c +++ b/crypto/des/des.c @@ -456,7 +456,7 @@ void doencryption(void) len = l - rem; if (feof(DES_IN)) { for (i = 7 - rem; i > 0; i--) { - if (RAND_pseudo_bytes(buf + l++, 1) < 0) + if (RAND_bytes(buf + l++, 1) <= 0) goto problems; } buf[l++] = rem; diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c index bfaabde516ae..c2aaa8e98ca2 100644 --- a/crypto/des/enc_writ.c +++ b/crypto/des/enc_writ.c @@ -135,7 +135,7 @@ int DES_enc_write(int fd, const void *_buf, int len, if (len < 8) { cp = shortbuf; memcpy(shortbuf, buf, len); - if (RAND_pseudo_bytes(shortbuf + len, 8 - len) < 0) { + if (RAND_bytes(shortbuf + len, 8 - len) <= 0) { return -1; } rnum = 8; diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index 34c6113c45e2..ba496b2d5f1d 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -195,7 +195,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, goto err; if (!seed_len || !seed_in) { - if (RAND_pseudo_bytes(seed, qsize) < 0) + if (RAND_bytes(seed, qsize) <= 0) goto err; seed_is_random = 1; } else { diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 9a3772e00dac..06cd2a2aed67 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -247,11 +247,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, do if (!BN_rand_range(&k, dsa->q)) goto err; - while (BN_is_zero(&k)) ; + while (BN_is_zero(&k)); + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { BN_set_flags(&k, BN_FLG_CONSTTIME); } + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, CRYPTO_LOCK_DSA, dsa->p, ctx)) @@ -264,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if (!BN_copy(&kq, &k)) goto err; + BN_set_flags(&kq, BN_FLG_CONSTTIME); + /* * We do not want timing information to leak the length of k, so we * compute g^k using an equivalent exponent of fixed length. (This @@ -282,6 +286,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, } else { K = &k; } + DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p); if (!BN_mod(r, r, dsa->q, ctx)) diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index 5c32e35e17b9..16e151f11017 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -491,7 +491,7 @@ static int sig_out(BIO *b) * FIXME: there's absolutely no guarantee this makes any sense at all, * particularly now EVP_MD_CTX has been restructured. */ - if (RAND_pseudo_bytes(md->md_data, md->digest->md_size) < 0) + if (RAND_bytes(md->md_data, md->digest->md_size) <= 0) goto berr; memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size); longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size); diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 32167b294db1..0654050ab087 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -241,10 +241,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { #ifdef OPENSSL_FIPS - return FIPS_digestupdate(ctx, data, count); -#else - return ctx->update(ctx, data, count); + if (FIPS_mode()) + return FIPS_digestupdate(ctx, data, count); #endif + return ctx->update(ctx, data, count); } /* The caller can assume that this removes any secret data from the context */ @@ -259,10 +259,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) /* The caller can assume that this removes any secret data from the context */ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { -#ifdef OPENSSL_FIPS - return FIPS_digestfinal(ctx, md, size); -#else int ret; +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return FIPS_digestfinal(ctx, md, size); +#endif OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); @@ -272,9 +273,8 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) ctx->digest->cleanup(ctx); EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); } - memset(ctx->md_data, 0, ctx->digest->ctx_size); + OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size); return ret; -#endif } int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) diff --git a/crypto/evp/e_seed.c b/crypto/evp/e_seed.c index 7249d1b1eecb..3d01eacac06e 100644 --- a/crypto/evp/e_seed.c +++ b/crypto/evp/e_seed.c @@ -70,7 +70,8 @@ typedef struct { } EVP_SEED_KEY; IMPLEMENT_BLOCK_CIPHER(seed, ks, SEED, EVP_SEED_KEY, NID_seed, - 16, 16, 16, 128, 0, seed_init_key, 0, 0, 0, 0) + 16, 16, 16, 128, EVP_CIPH_FLAG_DEFAULT_ASN1, + seed_init_key, 0, 0, 0, 0) static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) diff --git a/crypto/md2/md2_dgst.c b/crypto/md2/md2_dgst.c index 9cd79f8d70c3..7f5d9ba69ba2 100644 --- a/crypto/md2/md2_dgst.c +++ b/crypto/md2/md2_dgst.c @@ -219,6 +219,6 @@ int MD2_Final(unsigned char *md, MD2_CTX *c) for (i = 0; i < 16; i++) md[i] = (UCHAR) (p1[i] & 0xff); - memset((char *)&c, 0, sizeof(c)); + OPENSSL_cleanse(c, sizeof(*c)); return 1; } diff --git a/crypto/md32_common.h b/crypto/md32_common.h index 1823833419c4..aac719139e32 100644 --- a/crypto/md32_common.h +++ b/crypto/md32_common.h @@ -109,6 +109,8 @@ * <appro@fy.chalmers.se> */ +#include <openssl/crypto.h> + #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN) # error "DATA_ORDER must be defined!" #endif @@ -311,6 +313,12 @@ int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) data += n; len -= n; c->num = 0; + /* + * We use memset rather than OPENSSL_cleanse() here deliberately. + * Using OPENSSL_cleanse() here could be a performance issue. It + * will get properly cleansed on finalisation so this isn't a + * security problem. + */ memset(p, 0, HASH_CBLOCK); /* keep it zeroed */ } else { memcpy(p + n, data, len); @@ -366,7 +374,7 @@ int HASH_FINAL(unsigned char *md, HASH_CTX *c) p -= HASH_CBLOCK; HASH_BLOCK_DATA_ORDER(c, p, 1); c->num = 0; - memset(p, 0, HASH_CBLOCK); + OPENSSL_cleanse(p, HASH_CBLOCK); #ifndef HASH_MAKE_STRING # error "HASH_MAKE_STRING must be defined!" diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c index 6615cf84d7d2..2dce4936337a 100644 --- a/crypto/mdc2/mdc2dgst.c +++ b/crypto/mdc2/mdc2dgst.c @@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len) i = c->num; if (i != 0) { - if (i + len < MDC2_BLOCK) { + if (len < MDC2_BLOCK - i) { /* partial block */ memcpy(&(c->data[i]), in, len); c->num += (int)len; diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index c19648c7329b..55af31b5734a 100755 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c @@ -361,7 +361,7 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); if (val) memcpy(tmpval, val, len); - else if (RAND_pseudo_bytes(tmpval, len) < 0) + else if (RAND_bytes(tmpval, len) <= 0) goto err; if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE)) diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 2f293232f44c..4d014f430c00 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000114fL +# define OPENSSL_VERSION_NUMBER 0x1000115fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1t-fips 3 May 2016" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1u-fips 22 Sep 2016" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1t 3 May 2016" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1u 22 Sep 2016" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h index 2cdad8ac2669..de4ba3ee1d56 100644 --- a/crypto/pem/pem.h +++ b/crypto/pem/pem.h @@ -588,6 +588,7 @@ void ERR_load_PEM_strings(void); # define PEM_R_ERROR_CONVERTING_PRIVATE_KEY 115 # define PEM_R_EXPECTING_PRIVATE_KEY_BLOB 119 # define PEM_R_EXPECTING_PUBLIC_KEY_BLOB 120 +# define PEM_R_HEADER_TOO_LONG 128 # define PEM_R_INCONSISTENT_HEADER 121 # define PEM_R_KEYBLOB_HEADER_PARSE_ERROR 122 # define PEM_R_KEYBLOB_TOO_SHORT 123 diff --git a/crypto/pem/pem_err.c b/crypto/pem/pem_err.c index 702c5adecb86..f02de5c44a1e 100644 --- a/crypto/pem/pem_err.c +++ b/crypto/pem/pem_err.c @@ -1,6 +1,6 @@ /* crypto/pem/pem_err.c */ /* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -130,6 +130,7 @@ static ERR_STRING_DATA PEM_str_reasons[] = { "expecting private key blob"}, {ERR_REASON(PEM_R_EXPECTING_PUBLIC_KEY_BLOB), "expecting public key blob"}, + {ERR_REASON(PEM_R_HEADER_TOO_LONG), "header too long"}, {ERR_REASON(PEM_R_INCONSISTENT_HEADER), "inconsistent header"}, {ERR_REASON(PEM_R_KEYBLOB_HEADER_PARSE_ERROR), "keyblob header parse error"}, diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index ab45a84fa265..7e598833887e 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -383,7 +383,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, } RAND_add(data, i, 0); /* put in the RSA key. */ OPENSSL_assert(enc->iv_len <= (int)sizeof(iv)); - if (RAND_pseudo_bytes(iv, enc->iv_len) < 0) /* Generate a salt */ + if (RAND_bytes(iv, enc->iv_len) <= 0) /* Generate a salt */ goto err; /* * The 'iv' is used as the iv and as a salt. It is NOT taken from diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 61864468f6d4..1ce5a1e319c5 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -127,6 +127,9 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) # define MS_KEYTYPE_KEYX 0x1 # define MS_KEYTYPE_SIGN 0x2 +/* Maximum length of a blob after header */ +# define BLOB_MAX_LENGTH 102400 + /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ # define MS_PVKMAGIC 0xb0b5f11eL /* Salt length for PVK files */ @@ -272,6 +275,10 @@ static EVP_PKEY *do_b2i_bio(BIO *in, int ispub) return NULL; length = blob_length(bitlen, isdss, ispub); + if (length > BLOB_MAX_LENGTH) { + PEMerr(PEM_F_DO_B2I_BIO, PEM_R_HEADER_TOO_LONG); + return NULL; + } buf = OPENSSL_malloc(length); if (!buf) { PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE); diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index a9277827ff2d..cbf34da05ada 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -179,7 +179,7 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, } p12->mac->salt->length = saltlen; if (!salt) { - if (RAND_pseudo_bytes(p12->mac->salt->data, saltlen) < 0) + if (RAND_bytes(p12->mac->salt->data, saltlen) <= 0) return 0; } else memcpy(p12->mac->salt->data, salt, saltlen); diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c index a89b61abab37..9e8ebb2a78c3 100644 --- a/crypto/pkcs12/p12_npas.c +++ b/crypto/pkcs12/p12_npas.c @@ -66,17 +66,18 @@ /* PKCS#12 password change routine */ -static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass); -static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, - char *newpass); -static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass); +static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass); +static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass, + const char *newpass); +static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass, + const char *newpass); static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen); /* * Change the password on a PKCS#12 structure. */ -int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass) +int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass) { /* Check for NULL PKCS12 structure */ @@ -103,20 +104,21 @@ int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass) /* Parse the outer PKCS#12 structure */ -static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) +static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) { - STACK_OF(PKCS7) *asafes, *newsafes; - STACK_OF(PKCS12_SAFEBAG) *bags; + STACK_OF(PKCS7) *asafes = NULL, *newsafes = NULL; + STACK_OF(PKCS12_SAFEBAG) *bags = NULL; int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0; PKCS7 *p7, *p7new; - ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL; + ASN1_OCTET_STRING *p12_data_tmp = NULL; unsigned char mac[EVP_MAX_MD_SIZE]; unsigned int maclen; + int rv = 0; - if (!(asafes = PKCS12_unpack_authsafes(p12))) - return 0; - if (!(newsafes = sk_PKCS7_new_null())) - return 0; + if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL) + goto err; + if ((newsafes = sk_PKCS7_new_null()) == NULL) + goto err; for (i = 0; i < sk_PKCS7_num(asafes); i++) { p7 = sk_PKCS7_value(asafes, i); bagnid = OBJ_obj2nid(p7->type); @@ -125,67 +127,57 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) } else if (bagnid == NID_pkcs7_encrypted) { bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); if (!alg_get(p7->d.encrypted->enc_data->algorithm, - &pbe_nid, &pbe_iter, &pbe_saltlen)) { - sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); - bags = NULL; - } - } else + &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { continue; - if (!bags) { - sk_PKCS7_pop_free(asafes, PKCS7_free); - return 0; - } - if (!newpass_bags(bags, oldpass, newpass)) { - sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); - sk_PKCS7_pop_free(asafes, PKCS7_free); - return 0; } + if (bags == NULL) + goto err; + if (!newpass_bags(bags, oldpass, newpass)) + goto err; /* Repack bag in same form with new password */ if (bagnid == NID_pkcs7_data) p7new = PKCS12_pack_p7data(bags); else p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1, NULL, pbe_saltlen, pbe_iter, bags); + if (!p7new || !sk_PKCS7_push(newsafes, p7new)) + goto err; sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); - if (!p7new) { - sk_PKCS7_pop_free(asafes, PKCS7_free); - return 0; - } - sk_PKCS7_push(newsafes, p7new); + bags = NULL; } - sk_PKCS7_pop_free(asafes, PKCS7_free); /* Repack safe: save old safe in case of error */ p12_data_tmp = p12->authsafes->d.data; - if (!(p12->authsafes->d.data = ASN1_OCTET_STRING_new())) - goto saferr; + if ((p12->authsafes->d.data = ASN1_OCTET_STRING_new()) == NULL) + goto err; if (!PKCS12_pack_authsafes(p12, newsafes)) - goto saferr; - + goto err; if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) - goto saferr; - if (!(macnew = ASN1_OCTET_STRING_new())) - goto saferr; - if (!ASN1_OCTET_STRING_set(macnew, mac, maclen)) - goto saferr; - ASN1_OCTET_STRING_free(p12->mac->dinfo->digest); - p12->mac->dinfo->digest = macnew; - ASN1_OCTET_STRING_free(p12_data_tmp); - - return 1; - - saferr: - /* Restore old safe */ - ASN1_OCTET_STRING_free(p12->authsafes->d.data); - ASN1_OCTET_STRING_free(macnew); - p12->authsafes->d.data = p12_data_tmp; - return 0; - + goto err; + if (!ASN1_OCTET_STRING_set(p12->mac->dinfo->digest, mac, maclen)) + goto err; + + rv = 1; + +err: + /* Restore old safe if necessary */ + if (rv == 1) { + ASN1_OCTET_STRING_free(p12_data_tmp); + } else if (p12_data_tmp != NULL) { + ASN1_OCTET_STRING_free(p12->authsafes->d.data); + p12->authsafes->d.data = p12_data_tmp; + } + sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); + sk_PKCS7_pop_free(asafes, PKCS7_free); + sk_PKCS7_pop_free(newsafes, PKCS7_free); + return rv; } -static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, - char *newpass) +static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass, + const char *newpass) { int i; for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { @@ -197,7 +189,8 @@ static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, /* Change password of safebag: only needs handle shrouded keybags */ -static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass) +static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass, + const char *newpass) { PKCS8_PRIV_KEY_INFO *p8; X509_SIG *p8new; @@ -210,8 +203,10 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass) return 0; if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen)) return 0; - if (!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen, - p8_iter, p8))) + p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen, + p8_iter, p8); + PKCS8_PRIV_KEY_INFO_free(p8); + if (p8new == NULL) return 0; X509_SIG_free(bag->value.shkeybag); bag->value.shkeybag = p8new; diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c index a0b992eab66c..e466f762ffda 100644 --- a/crypto/pkcs12/p12_utl.c +++ b/crypto/pkcs12/p12_utl.c @@ -91,6 +91,10 @@ char *OPENSSL_uni2asc(unsigned char *uni, int unilen) { int asclen, i; char *asctmp; + + /* string must contain an even number of bytes */ + if (unilen & 1) + return NULL; asclen = unilen / 2; /* If no terminating zero allow for one */ if (!unilen || uni[unilen - 1]) diff --git a/crypto/pkcs12/pkcs12.h b/crypto/pkcs12/pkcs12.h index a39adf5eb52e..21f1f62b36c6 100644 --- a/crypto/pkcs12/pkcs12.h +++ b/crypto/pkcs12/pkcs12.h @@ -270,7 +270,7 @@ int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12); int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12); PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12); PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12); -int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass); +int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass); /* BEGIN ERROR CODES */ /* diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 946aaa65435b..1ab6d5ae7129 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -340,7 +340,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) ivlen = EVP_CIPHER_iv_length(evp_cipher); xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); if (ivlen > 0) - if (RAND_pseudo_bytes(iv, ivlen) <= 0) + if (RAND_bytes(iv, ivlen) <= 0) goto err; if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1) <= 0) goto err; diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index 266111edda8c..6c5b65da0070 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -235,7 +235,7 @@ int RAND_poll(void) rnd >>= 8; } RAND_add(buf, sizeof(buf), ENTROPY_NEEDED); - memset(buf, 0, sizeof(buf)); + OPENSSL_cleanse(buf, sizeof(buf)); return 1; } diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index e9a2e058f687..e310946e073b 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -159,8 +159,7 @@ BIGNUM *SRP_Calc_server_key(BIGNUM *A, BIGNUM *v, BIGNUM *u, BIGNUM *b, if (u == NULL || A == NULL || v == NULL || b == NULL || N == NULL) return NULL; - if ((bn_ctx = BN_CTX_new()) == NULL || - (tmp = BN_new()) == NULL || (S = BN_new()) == NULL) + if ((bn_ctx = BN_CTX_new()) == NULL || (tmp = BN_new()) == NULL) goto err; /* S = (A*v**u) ** b */ @@ -169,8 +168,12 @@ BIGNUM *SRP_Calc_server_key(BIGNUM *A, BIGNUM *v, BIGNUM *u, BIGNUM *b, goto err; if (!BN_mod_mul(tmp, A, tmp, N, bn_ctx)) goto err; - if (!BN_mod_exp(S, tmp, b, N, bn_ctx)) - goto err; + + S = BN_new(); + if (S != NULL && !BN_mod_exp(S, tmp, b, N, bn_ctx)) { + BN_free(S); + S = NULL; + } err: BN_CTX_free(bn_ctx); BN_clear_free(tmp); @@ -267,7 +270,7 @@ BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM *g, BIGNUM *x, if ((tmp = BN_new()) == NULL || (tmp2 = BN_new()) == NULL || - (tmp3 = BN_new()) == NULL || (K = BN_new()) == NULL) + (tmp3 = BN_new()) == NULL) goto err; if (!BN_mod_exp(tmp, g, x, N, bn_ctx)) @@ -283,8 +286,11 @@ BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM *g, BIGNUM *x, goto err; if (!BN_mod_add(tmp2, a, tmp3, N, bn_ctx)) goto err; - if (!BN_mod_exp(K, tmp, tmp2, N, bn_ctx)) - goto err; + K = BN_new(); + if (K != NULL && !BN_mod_exp(K, tmp, tmp2, N, bn_ctx)) { + BN_free(K); + K = NULL; + } err: BN_CTX_free(bn_ctx); diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 26ad3e07b4bb..986babfd493c 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -544,7 +544,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) if (!SRP_user_pwd_set_ids(user, username, NULL)) goto err; - if (RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH) < 0) + if (RAND_bytes(digv, SHA_DIGEST_LENGTH) <= 0) goto err; EVP_MD_CTX_init(&ctxt); EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL); @@ -597,7 +597,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, } if (*salt == NULL) { - if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) + if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) goto err; s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); @@ -670,7 +670,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, srp_bn_print(g); if (*salt == NULL) { - if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) + if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) goto err; salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c index c51538a17f42..e0f106353723 100644 --- a/crypto/ts/ts_lib.c +++ b/crypto/ts/ts_lib.c @@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj) { char obj_txt[128]; - int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); - BIO_write(bio, obj_txt, len); - BIO_write(bio, "\n", 1); + OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); + BIO_printf(bio, "%s\n", obj_txt); return 1; } diff --git a/crypto/whrlpool/wp_dgst.c b/crypto/whrlpool/wp_dgst.c index e33bb4f833b5..807d1c49b2d3 100644 --- a/crypto/whrlpool/wp_dgst.c +++ b/crypto/whrlpool/wp_dgst.c @@ -51,6 +51,7 @@ * input. This is done for perfomance. */ +#include <openssl/crypto.h> #include "wp_locl.h" #include <openssl/crypto.h> #include <string.h> @@ -237,7 +238,7 @@ int WHIRLPOOL_Final(unsigned char *md, WHIRLPOOL_CTX *c) if (md) { memcpy(md, c->H.c, WHIRLPOOL_DIGEST_LENGTH); - memset(c, 0, sizeof(*c)); + OPENSSL_cleanse(c, sizeof(*c)); return (1); } return (0); diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index bd600de43107..dc326a725620 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -1216,6 +1216,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp); * The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ + void ERR_load_X509_strings(void); /* Error codes for the X509 functions. */ @@ -1223,6 +1224,7 @@ void ERR_load_X509_strings(void); /* Function codes. */ # define X509_F_ADD_CERT_DIR 100 # define X509_F_BY_FILE_CTRL 101 +# define X509_F_CHECK_NAME_CONSTRAINTS 106 # define X509_F_CHECK_POLICY 145 # define X509_F_DIR_CTRL 102 # define X509_F_GET_CERT_BY_SUBJECT 103 @@ -1296,7 +1298,7 @@ void ERR_load_X509_strings(void); # define X509_R_WRONG_LOOKUP_TYPE 112 # define X509_R_WRONG_TYPE 122 -#ifdef __cplusplus +# ifdef __cplusplus } -#endif +# endif #endif diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index a2b8b7fc358f..174b65e33130 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c @@ -72,6 +72,7 @@ static ERR_STRING_DATA X509_str_functs[] = { {ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"}, {ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"}, + {ERR_FUNC(X509_F_CHECK_NAME_CONSTRAINTS), "CHECK_NAME_CONSTRAINTS"}, {ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"}, {ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"}, {ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"}, diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index d834180ec443..b249d4256731 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -183,6 +183,12 @@ const char *X509_verify_cert_error_string(long n) return ("unsupported or invalid name syntax"); case X509_V_ERR_CRL_PATH_VALIDATION_ERROR: return ("CRL path validation error"); + case X509_V_ERR_INVALID_CALL: + return ("Invalid certificate verification context"); + case X509_V_ERR_STORE_LOOKUP: + return ("Issuer certificate lookup error"); + case X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION: + return ("proxy subject name violation"); default: BIO_snprintf(buf, sizeof buf, "error number %ld", n); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 3bad523f7114..f0fa7f4f07b4 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -160,6 +160,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) STACK_OF(X509) *sktmp = NULL; if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); + ctx->error = X509_V_ERR_INVALID_CALL; return -1; } if (ctx->chain != NULL) { @@ -168,6 +169,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) * cannot do another one. */ X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + ctx->error = X509_V_ERR_INVALID_CALL; return -1; } @@ -180,6 +182,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (((ctx->chain = sk_X509_new_null()) == NULL) || (!sk_X509_push(ctx->chain, ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; goto end; } CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); @@ -189,6 +193,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ctx->untrusted != NULL && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; goto end; } @@ -214,6 +220,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (xtmp != NULL) { if (!sk_X509_push(ctx->chain, xtmp)) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; goto end; } CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509); @@ -293,15 +301,19 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ctx->check_issued(ctx, x, x)) break; ok = ctx->get_issuer(&xtmp, ctx, x); - if (ok < 0) - return ok; + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto end; + } if (ok == 0) break; x = xtmp; if (!sk_X509_push(ctx->chain, x)) { X509_free(xtmp); X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); - return 0; + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; + goto end; } num++; } @@ -317,8 +329,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx) while (j-- > 1) { xtmp2 = sk_X509_value(ctx->chain, j - 1); ok = ctx->get_issuer(&xtmp, ctx, xtmp2); - if (ok < 0) + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; goto end; + } /* Check if we found an alternate chain */ if (ok > 0) { /* @@ -432,6 +446,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx) sk_X509_free(sktmp); if (chain_ss != NULL) X509_free(chain_ss); + + /* Safety net, error returns must set ctx->error */ + if (ok <= 0 && ctx->error == X509_V_OK) + ctx->error = X509_V_ERR_UNSPECIFIED; return ok; } @@ -615,13 +633,27 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) * the next certificate must be a CA certificate. */ if (x->ex_flags & EXFLAG_PROXY) { - if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { - ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; - ctx->error_depth = i; - ctx->current_cert = x; - ok = cb(0, ctx); - if (!ok) - goto end; + /* + * RFC3820, 4.1.3 (b)(1) stipulates that if pCPathLengthConstraint + * is less than max_path_length, the former should be copied to + * the latter, and 4.1.4 (a) stipulates that max_path_length + * should be verified to be larger than zero and decrement it. + * + * Because we're checking the certs in the reverse order, we start + * with verifying that proxy_path_length isn't larger than pcPLC, + * and copy the latter to the former if it is, and finally, + * increment proxy_path_length. + */ + if (x->ex_pcpathlen != -1) { + if (proxy_path_length > x->ex_pcpathlen) { + ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; + } + proxy_path_length = x->ex_pcpathlen; } proxy_path_length++; must_be_ca = 0; @@ -644,6 +676,81 @@ static int check_name_constraints(X509_STORE_CTX *ctx) /* Ignore self issued certs unless last in chain */ if (i && (x->ex_flags & EXFLAG_SI)) continue; + + /* + * Proxy certificates policy has an extra constraint, where the + * certificate subject MUST be the issuer with a single CN entry + * added. + * (RFC 3820: 3.4, 4.1.3 (a)(4)) + */ + if (x->ex_flags & EXFLAG_PROXY) { + X509_NAME *tmpsubject = X509_get_subject_name(x); + X509_NAME *tmpissuer = X509_get_issuer_name(x); + X509_NAME_ENTRY *tmpentry = NULL; + int last_object_nid = 0; + int err = X509_V_OK; + int last_object_loc = X509_NAME_entry_count(tmpsubject) - 1; + + /* Check that there are at least two RDNs */ + if (last_object_loc < 1) { + err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; + goto proxy_name_done; + } + + /* + * Check that there is exactly one more RDN in subject as + * there is in issuer. + */ + if (X509_NAME_entry_count(tmpsubject) + != X509_NAME_entry_count(tmpissuer) + 1) { + err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; + goto proxy_name_done; + } + + /* + * Check that the last subject component isn't part of a + * multivalued RDN + */ + if (X509_NAME_get_entry(tmpsubject, last_object_loc)->set + == X509_NAME_get_entry(tmpsubject, last_object_loc - 1)->set) { + err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; + goto proxy_name_done; + } + + /* + * Check that the last subject RDN is a commonName, and that + * all the previous RDNs match the issuer exactly + */ + tmpsubject = X509_NAME_dup(tmpsubject); + if (tmpsubject == NULL) { + X509err(X509_F_CHECK_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + + tmpentry = + X509_NAME_delete_entry(tmpsubject, last_object_loc); + last_object_nid = + OBJ_obj2nid(X509_NAME_ENTRY_get_object(tmpentry)); + + if (last_object_nid != NID_commonName + || X509_NAME_cmp(tmpsubject, tmpissuer) != 0) { + err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; + } + + X509_NAME_ENTRY_free(tmpentry); + X509_NAME_free(tmpsubject); + + proxy_name_done: + if (err != X509_V_OK) { + ctx->error = err; + ctx->error_depth = i; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + } + /* * Check against constraints for all certificates higher in chain * including trust anchor. Trust anchor not strictly speaking needed @@ -654,12 +761,19 @@ static int check_name_constraints(X509_STORE_CTX *ctx) NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; if (nc) { rv = NAME_CONSTRAINTS_check(x, nc); - if (rv != X509_V_OK) { + switch (rv) { + case X509_V_OK: + continue; + case X509_V_ERR_OUT_OF_MEM: + ctx->error = rv; + return 0; + default: ctx->error = rv; ctx->error_depth = i; ctx->current_cert = x; if (!ctx->verify_cb(0, ctx)) return 0; + break; } } } @@ -1469,6 +1583,7 @@ static int check_policy(X509_STORE_CTX *ctx) ctx->param->policies, ctx->param->flags); if (ret == 0) { X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; return 0; } /* Invalid or inconsistent extensions */ @@ -1497,7 +1612,12 @@ static int check_policy(X509_STORE_CTX *ctx) if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { ctx->current_cert = NULL; - ctx->error = X509_V_OK; + /* + * Verification errors need to be "sticky", a callback may have allowed + * an SSL handshake to continue despite an error, and we must then + * remain in an error state. Therefore, we MUST NOT clear earlier + * verification errors by setting the error to X509_V_OK. + */ if (!ctx->verify_cb(2, ctx)) return 0; } diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index b7d8b2472e44..31f9f7f2c41e 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -365,13 +365,33 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_V_ERR_PERMITTED_VIOLATION 47 # define X509_V_ERR_EXCLUDED_VIOLATION 48 # define X509_V_ERR_SUBTREE_MINMAX 49 +# define X509_V_ERR_APPLICATION_VERIFICATION 50 # define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 # define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 # define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 # define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54 -/* The application is not happy */ -# define X509_V_ERR_APPLICATION_VERIFICATION 50 +# if 0 /* Reserved for compatibility 1.0.2 */ +/* Suite B mode algorithm violation */ +# define X509_V_ERR_SUITE_B_INVALID_VERSION 56 +# define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57 +# define X509_V_ERR_SUITE_B_INVALID_CURVE 58 +# define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59 +# define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60 +# define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61 + +/* Host, email and IP check errors */ +# define X509_V_ERR_HOSTNAME_MISMATCH 62 +# define X509_V_ERR_EMAIL_MISMATCH 63 +# define X509_V_ERR_IP_ADDRESS_MISMATCH 64 +# endif + +/* Caller error */ +# define X509_V_ERR_INVALID_CALL 65 +/* Issuer lookup error */ +# define X509_V_ERR_STORE_LOOKUP 66 + +# define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 67 /* Certificate verify flags */ diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c index 94cfed050910..1290dec9bb8c 100644 --- a/crypto/x509v3/v3_addr.c +++ b/crypto/x509v3/v3_addr.c @@ -1211,6 +1211,11 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) /* * Core code for RFC 3779 2.3 path validation. + * + * Returns 1 for success, 0 on error. + * + * When returning 0, ctx->error MUST be set to an appropriate value other than + * X509_V_OK. */ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, @@ -1245,6 +1250,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; ret = 0; goto done; } |