Revision 1.32, 29-Sep-2023, beck
Allow IP addresses to be specified in a URI.
Our checking here was a bit too aggressive, and did not permit an IP address in a URI. IPs in a URI are allowed for things like CRLDPs, AIA, SAN URIs, etc. The check for this was also slightly flawed, as we would permit an IP if memory allocation failed while checking for an IP.
Correct both issues.
ok tb@

Revision tags: OPENBSD_7_3_BASE

Revision 1.31, 26-Dec-2022, jmc
spelling fixes; from paul tagliamonte
i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct
ok tb

Revision 1.30, 28-Nov-2022, tb
Fix NULL dereference in x509_constraints_uri_host()
When called from v2i, hostpart in x509_constraints_uri_host() is NULL, so add a NULL check before storing the strdup result in it.
From Anton Borowka
ok jsing miod

Revision 1.29, 11-Nov-2022, beck
Start CBS-ifying the name constraints code.
ok jsing@ tb@

Revision tags: OPENBSD_7_2_BASE

Revision 1.28, 27-Jun-2022, beck
Correct misleading comment for URI parsing
ok jsing@

Revision 1.27, 26-Jun-2022, beck
Fix URI name constraints, allow for URIs with no host part.
Such URIs must be parsed and allowed, but then should fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@

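The URI host handling that the 1.32 and 1.27 entries above describe, written out as an added example in C that is not LibreSSL's code: `uri_parse_host()`, `uri_host_is_ip()` and `uri_constraint_match()` are names assumed for this example, the constraint syntax is the host-or-".domain" form used for URI constraints in RFC 5280, and userinfo ("user@host") is deliberately not handled, so it falls through to the host-name check and is rejected. An IPv4 or IPv6 literal is accepted as the host, a URI with no "//" authority parses successfully with a NULL host (which then matches no constraint), and a failed malloc() is reported as a failure rather than as "allowed".

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/*
 * Added example, not LibreSSL code: extract the host of a URI for
 * name-constraint checking. An IPv4/IPv6 literal is a valid host, a URI
 * without an authority ("//") parses with a NULL host that no constraint
 * can match, and allocation failure is failure, never "allowed".
 */

/* 1 if host is an IPv4 or IPv6 address literal. */
int
uri_host_is_ip(const char *host)
{
	unsigned char buf[16];

	return inet_pton(AF_INET, host, buf) == 1 ||
	    inet_pton(AF_INET6, host, buf) == 1;
}

/* Case-insensitive ASCII equality for host names. */
static int
host_ieq(const char *a, const char *b)
{
	for (; *a != '\0' && *b != '\0'; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == *b;
}

/*
 * Parse uri[0..len). Returns 1 on success with *host a malloc()ed copy of
 * the host (NULL if the URI has no authority); 0 on a malformed URI or
 * allocation failure. The caller frees *host.
 */
int
uri_parse_host(const char *uri, size_t len, char **host)
{
	size_t i, start, end;
	char *h;

	*host = NULL;
	if (len == 0 || memchr(uri, '\0', len) != NULL)
		return 0;
	/* scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":" */
	if (!isalpha((unsigned char)uri[0]))
		return 0;
	for (i = 1; i < len && uri[i] != ':'; i++)
		if (!isalnum((unsigned char)uri[i]) && uri[i] != '+' &&
		    uri[i] != '-' && uri[i] != '.')
			return 0;
	if (i == len)
		return 0;		/* no ':' after the scheme */
	i++;
	if (len - i < 2 || uri[i] != '/' || uri[i + 1] != '/')
		return 1;		/* no authority: valid, host stays NULL */
	start = i + 2;
	/* authority ends at '/', '?' or '#'; host ends at ']' or ':' */
	for (end = start; end < len; end++)
		if (uri[end] == '/' || uri[end] == '?' || uri[end] == '#')
			break;
	if (start < end && uri[start] == '[') {
		start++;
		for (i = start; i < end && uri[i] != ']'; i++)
			;
		if (i == end)
			return 0;	/* unterminated IPv6 literal */
		end = i;
	} else {
		for (i = start; i < end && uri[i] != ':'; i++)
			;
		end = i;
	}
	if (end <= start)
		return 0;		/* "//" with an empty host */
	if ((h = malloc(end - start + 1)) == NULL)
		return 0;		/* ENOMEM is an error, not a pass */
	memcpy(h, uri + start, end - start);
	h[end - start] = '\0';
	if (!uri_host_is_ip(h))		/* otherwise it must be a DNS-style name */
		for (i = 0; h[i] != '\0'; i++)
			if (!isalnum((unsigned char)h[i]) && h[i] != '-' &&
			    h[i] != '.') {
				free(h);
				return 0;
			}
	*host = h;
	return 1;
}

/* A URI constraint names a host, or ".domain" for any host under it. */
int
uri_constraint_match(const char *host, const char *constraint)
{
	size_t hl, cl;

	if (host == NULL || constraint[0] == '\0')
		return 0;		/* a URI without a host never matches */
	hl = strlen(host);
	cl = strlen(constraint);
	if (constraint[0] == '.')
		return cl <= hl && host_ieq(host + (hl - cl), constraint);
	return host_ieq(host, constraint);
}
```

Two things in `uri_parse_host()` are worth noticing: the IP check happens on a copy that was successfully allocated, so an out-of-memory condition returns 0 and is never confused with "this host was fine"; and a `urn:` or `mailto:` style URI returns 1 with `*host == NULL`, which is exactly the state `uri_constraint_match()` refuses to match.
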
Revision tags: OPENBSD_7_1_BASE

Revision 1.26, 26-Mar-2022, tb
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later.
ok beck inoguchi jsing

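As an added illustration of the IA5STRING point in the 1.26 entry above (example code, not LibreSSL's): the sample values, the `ia5_*` function names and the inline length-bounded copy standing in for strndup() are this example's own. The "bad" sample shows why strlen()/strcmp() on the raw bytes cannot be trusted: they stop at the embedded NUL and see `example.com`, while the length-driven checks reject the value.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not LibreSSL code. An ASN.1 IA5STRING carries an
 * explicit length and may contain NUL bytes; the decoder's trailing NUL
 * at data[len] is a legacy courtesy, not a terminator we may rely on.
 * Everything below is driven by the known length, and strlen()/strdup()
 * are never applied to the raw string data.
 */

/* Constructed samples: the second hides "evil.example" behind a NUL. */
const unsigned char ia5_sample_good[] = "example.com";
const unsigned char ia5_sample_bad[] = "example.com\0evil.example";
#define IA5_SAMPLE_GOOD_LEN (sizeof(ia5_sample_good) - 1)
#define IA5_SAMPLE_BAD_LEN (sizeof(ia5_sample_bad) - 1)

/* 1 if any of the first len bytes is NUL. */
int
ia5_has_embedded_nul(const unsigned char *data, size_t len)
{
	return memchr(data, '\0', len) != NULL;
}

/*
 * Length-aware comparison against a C string. strcmp() on the raw bytes
 * reports ia5_sample_bad as equal to "example.com"; this does not,
 * because the ASN.1 length (24) is not the length of "example.com" (11).
 */
int
ia5_equals(const unsigned char *data, size_t len, const char *s)
{
	return len == strlen(s) && memcmp(data, s, len) == 0;
}

/*
 * Copy exactly len bytes into a fresh NUL-terminated string after the
 * embedded-NUL check, which is what the commit does with strndup().
 * Returns NULL when the value is empty, contains a NUL, or memory runs
 * out; the caller frees the result.
 */
char *
ia5_to_cstring(const unsigned char *data, size_t len)
{
	char *s;

	if (len == 0 || ia5_has_embedded_nul(data, len))
		return NULL;
	if ((s = malloc(len + 1)) == NULL)
		return NULL;
	memcpy(s, data, len);
	s[len] = '\0';
	return s;
}
```

The order in `ia5_to_cstring()` matters: the NUL scan runs over the ASN.1 length before any copy is made, so a value that would later be handed to strlen()-based code is guaranteed to mean the same thing under both length conventions.
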
Revision 1.25, 14-Mar-2022, tb
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing

Revision 1.24, 14-Mar-2022, tb
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new x509_constraints_name struct, handle allocation inside x509_constraints_validate(). Also make the error optional. All this is done to simplify the call sites and to make it more obvious that there are no leaks.
ok jsing

Revision 1.23, 13-Mar-2022, tb
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing

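The two matching rules from the 1.25 (email constraints, including the non-standard `@host` form) and 1.23 (directoryName constraints as DER prefixes) entries above, written out as an added C example that is not LibreSSL's code. The function names, the constructed DER bytes, and the assumption that the caller passes the RDNSequence contents (outer SEQUENCE header removed, so a shorter name is a byte-for-byte prefix of a longer one) are all this example's own; the email rules follow RFC 5280 section 4.2.1.10 plus the `@host` extension.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example, not LibreSSL code: rfc822Name constraint matching per
 * RFC 5280 4.2.1.10 plus the non-standard "@host" form, and
 * directoryName matching as a DER prefix. The sample DER is constructed
 * by hand and is assumed to be the RDNSequence contents (outer SEQUENCE
 * header already stripped), so prefix matching is a byte comparison.
 */

/* Case-insensitive ASCII equality (host names are case-insensitive). */
static int
ascii_ieq(const char *a, const char *b)
{
	for (; *a != '\0' && *b != '\0'; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == *b;
}

/* 1 if host ends with suffix, compared case-insensitively. */
static int
host_has_suffix(const char *host, const char *suffix)
{
	size_t hl = strlen(host), sl = strlen(suffix);

	return sl <= hl && ascii_ieq(host + (hl - sl), suffix);
}

/*
 *   "user@host"  matches exactly that mailbox (local part case-sensitive)
 *   "@host"      any mailbox at host (the non-standard form from 1.25)
 *   "host"       any mailbox at host
 *   ".domain"    any mailbox at any host ending in .domain
 * Returns 1 on match, 0 otherwise (including a malformed mailbox).
 */
int
email_constraint_match(const char *mailbox, const char *constraint)
{
	const char *at, *host;
	size_t local_len;

	if ((at = strchr(mailbox, '@')) == NULL || at == mailbox)
		return 0;
	host = at + 1;
	if (*host == '\0' || strchr(host, '@') != NULL)
		return 0;

	switch (constraint[0]) {
	case '\0':
		return 0;
	case '@':
		return constraint[1] != '\0' && ascii_ieq(host, constraint + 1);
	case '.':
		return host_has_suffix(host, constraint);
	default:
		if (strchr(constraint, '@') == NULL)
			return ascii_ieq(host, constraint);
		local_len = (size_t)(host - mailbox);	/* includes the '@' */
		return strncmp(mailbox, constraint, local_len) == 0 &&
		    ascii_ieq(host, constraint + local_len);
	}
}

/* Constructed DER: C=US (one RDN) and C=US, O=Example (two RDNs). */
const unsigned char dn_c_us[] = {
	0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
	0x13, 0x02, 'U', 'S',
};
const unsigned char dn_c_us_o_example[] = {
	0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
	0x13, 0x02, 'U', 'S',
	0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a,
	0x13, 0x07, 'E', 'x', 'a', 'm', 'p', 'l', 'e',
};

/*
 * A directoryName constraint matches when its encoding is a prefix of
 * the name's encoding: C=US covers C=US, O=Example but not the reverse.
 * Requiring equal lengths, as the code did before 1.23, would reject
 * every name that adds an RDN below the constraint.
 */
int
dirname_constraint_match(const unsigned char *name, size_t name_len,
    const unsigned char *constraint, size_t constraint_len)
{
	if (constraint_len == 0 || constraint_len > name_len)
		return 0;
	return memcmp(name, constraint, constraint_len) == 0;
}
```

Note that a plain `host` constraint does not cover sub-hosts (`alice@mail.example.com` is not at `example.com`); only the leading-period form does, and the `@host` form behaves exactly like `host`.
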
Revision 1.22, 13-Mar-2022, tb
Add missing error check after strdup()
From Alex Wilson
ok jsing

Revision 1.21, 03-Mar-2022, tb
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi

Revision 1.20, 02-Mar-2022, tb
Unwrap a line

Revision 1.19, 26-Dec-2021, tb
zap doubled semicolon

Revision 1.18, 26-Oct-2021, beck
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@

Revision tags: OPENBSD_7_0_BASE

Revision 1.17, 23-Sep-2021, jsing
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@

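The bound the 1.17 entry above describes, as an added example in C (not the LibreSSL function): a mailbox is split into two fixed-size buffers and every store is guarded by `wi >= outsz - 1`, so one slot is always left for the terminating NUL; with `>` the last slot would be written and a later strlen() would read past the buffer. `mailbox_parse()`, `bounded_store()` and the buffer size are names assumed for this example, and the domain-part character check is a simplification.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example, not LibreSSL code: split "local@domain" into two
 * fixed-size buffers while guaranteeing both stay NUL terminated. Every
 * store is guarded by `wi >= outsz - 1`; with `>` the store at index
 * outsz - 1 would be allowed, the terminator slot would be lost, and a
 * later strlen() would read past the buffer. That is the off-by-one
 * the 1.17 entry above fixes.
 */

#define MAILBOX_PART_MAX 64	/* assumed buffer size for the example */

/* Store c at out[*wi] only if a NUL slot remains after it. */
static int
bounded_store(char *out, size_t outsz, size_t *wi, char c)
{
	if (*wi >= outsz - 1)
		return 0;	/* would consume the terminator slot */
	out[(*wi)++] = c;
	return 1;
}

/*
 * Parse mlen bytes of mbox into local[localsz] and domain[domainsz].
 * Returns 1 on success (both buffers NUL terminated), 0 on malformed
 * input or overflow. The domain check is a simplification: letters,
 * digits, '-' and '.' only.
 */
int
mailbox_parse(const char *mbox, size_t mlen, char *local, size_t localsz,
    char *domain, size_t domainsz)
{
	size_t i, wi = 0;
	int seen_at = 0;

	if (localsz == 0 || domainsz == 0)
		return 0;
	memset(local, 0, localsz);
	memset(domain, 0, domainsz);

	for (i = 0; i < mlen; i++) {
		unsigned char c = (unsigned char)mbox[i];

		if (c == '\0' || c >= 0x80)	/* IA5: 7-bit, no NULs */
			return 0;
		if (!seen_at) {
			if (c == '@') {
				if (wi == 0)
					return 0;	/* empty local part */
				seen_at = 1;
				wi = 0;
				continue;
			}
			if (!bounded_store(local, localsz, &wi, (char)c))
				return 0;
			continue;
		}
		if (c == '@' || (!isalnum(c) && c != '-' && c != '.'))
			return 0;
		if (!bounded_store(domain, domainsz, &wi, (char)c))
			return 0;
	}
	return seen_at && wi > 0;	/* need '@' and a non-empty domain */
}
```

The write index `wi` is checked before every use, as the commit asks for, rather than only at a few places in the loop; a part that exactly fills `outsz - 1` bytes is accepted and one byte more is refused.
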
Revision 1.16, 27-Apr-2021, beck
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@

Revision tags: OPENBSD_6_9_BASE

Revision 1.15, 12-Mar-2021, tb (branches: 1.15.2)
Zap a useless variable.
suggested by jsing

Revision 1.14, 12-Mar-2021, tb
Missing void in function definition
ok jsing

Revision 1.13, 12-Mar-2021, tb
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version

Revision 1.12, 25-Nov-2020, tb
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing

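One way to structure the cap and the zero-length copy that the 1.13, 1.12 and 1.21 entries above describe, as an added C example rather than LibreSSL's code: the `example_names` structure records `names_max` at allocation time and `example_names_add()` checks it before allocating anything, and a `der_len` of 0 never reaches malloc() or memcpy(). All identifiers here are assumed for the example.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not LibreSSL code: a name list that fixes its cap at
 * allocation and checks it on every add, and that copies DER bytes
 * without ever calling malloc(0) or memcpy(NULL, NULL, 0). The shape
 * follows the 1.13, 1.12 and 1.21 entries above; all identifiers here
 * are assumed for the example.
 */

struct example_name {
	unsigned char *der;	/* NULL when der_len == 0 */
	size_t der_len;
};

struct example_names {
	struct example_name **names;
	size_t names_count;	/* names stored so far */
	size_t names_max;	/* cap fixed when the list is created */
};

/* Allocate a list that will accept at most names_max entries. */
struct example_names *
example_names_new(size_t names_max)
{
	struct example_names *ns;

	if (names_max == 0)
		return NULL;
	if ((ns = calloc(1, sizeof(*ns))) == NULL)
		return NULL;
	if ((ns->names = calloc(names_max, sizeof(*ns->names))) == NULL) {
		free(ns);
		return NULL;
	}
	ns->names_max = names_max;
	return ns;
}

void
example_names_free(struct example_names *ns)
{
	size_t i;

	if (ns == NULL)
		return;
	for (i = 0; i < ns->names_count; i++) {
		free(ns->names[i]->der);
		free(ns->names[i]);
	}
	free(ns->names);
	free(ns);
}

/*
 * Append a copy of der[0..der_len). Returns 1 on success, 0 when the cap
 * is reached or allocation fails. The cap is tested before any
 * allocation, so a certificate stuffed with names cannot make the
 * verifier allocate thousands of entries before being told "too many".
 */
int
example_names_add(struct example_names *ns, const unsigned char *der,
    size_t der_len)
{
	struct example_name *n;

	if (ns->names_count >= ns->names_max)
		return 0;
	if ((n = calloc(1, sizeof(*n))) == NULL)
		return 0;
	if (der_len > 0) {	/* len == 0 check before malloc(len) */
		if ((n->der = malloc(der_len)) == NULL) {
			free(n);
			return 0;
		}
		memcpy(n->der, der, der_len);
		n->der_len = der_len;
	}
	ns->names[ns->names_count++] = n;
	return 1;
}
```

Because the backing array is sized to `names_max` up front, there is no realloc path that could quietly grow past the cap; the only way to store more names is to create a list with a larger cap.
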
Revision 1.11, 18-Nov-2020, tb
KNF (whitespace)

Revision tags: OPENBSD_6_8_BASE

Revision 1.10, 21-Sep-2020, tb (branches: 1.10.4)
Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.

Revision 1.9, 21-Sep-2020, tb
Move freeing and zeroing up to right after the while loop.
Requested by jsing

Revision 1.8, 20-Sep-2020, tb
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck

Revision 1.7, 20-Sep-2020, tb
KNF/whitespace nits

Revision 1.6, 20-Sep-2020, beck
Correct a 1 byte read overflow in x509_constraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@

Revision 1.5, 20-Sep-2020, tb
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally and zero it out since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck

Revision 1.4, 18-Sep-2020, beck
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@

Revision 1.3, 14-Sep-2020, beck
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer ok tb@

Revision 1.2, 14-Sep-2020, beck
Don't leak names on success
found by llvm static analyzer. ok tb@

Revision 1.1, 11-Sep-2020, beck
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit
ok jsing@
#
1.31 |
|
26-Dec-2022 |
jmc |
spelling fixes; from paul tagliamonte i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct
ok tb
|
#
1.30 |
|
28-Nov-2022 |
tb |
Fix NULL dereference in x509_constraints_uri_host()
When called from v2i, hostpart in x509_constraints_uri_host() is NULL, so add a NULL check before storing the strdup result in it.
From Anton Borowka
ok jsing miod
|
#
1.29 |
|
11-Nov-2022 |
beck |
Start CBS-ifying the name constraints code.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.28 |
|
27-Jun-2022 |
beck |
Correct misleading comment for URI parsing
ok jsing@
|
#
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
#
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
#
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new x509_constraints_name struct, handle allocation inside x509_constraints_validate(). Also make the error optional. All this is done to simplify the call sites and to make it more obvious that there are no leaks.
ok jsing
|
#
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
#
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
#
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi
|
#
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
#
1.30 |
|
28-Nov-2022 |
tb |
Fix NULL dereference in x509_constraints_uri_host()
When called from v2i, hostpart in x509_constraints_uri_host() is NULL, so add a NULL check before storing the strdup result in it.
From Anton Borowka
ok jsing miod
|
#
1.29 |
|
11-Nov-2022 |
beck |
Start CBS-ifying the name constraints code.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.28 |
|
27-Jun-2022 |
beck |
Correct misleading comment for URI parsing
ok jsing@
|
#
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
#
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
#
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new x509_constraints_name struct, handle allocation inside x509_constraints_validate(). Also make the error optional. All this is done to simplify the call sites and to make it more obvious that there are no leaks.
ok jsing
|
#
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
#
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
#
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi
|
#
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
#
1.29 |
|
11-Nov-2022 |
beck |
Start CBS-ifying the name constraints code.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.28 |
|
27-Jun-2022 |
beck |
Correct misleading comment for URI parsing
ok jsing@
|
#
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
#
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
#
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new x509_constraints_name struct, handle allocation inside x509_constraints_validate(). Also make the error optional. All this is done to simplify the call sites and to make it more obvious that there are no leaks.
ok jsing
|
#
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
#
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
#
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi
|
#
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
#
1.28 |
|
27-Jun-2022 |
beck |
Correct misleading comment for URI parsing
ok jsing@
|
#
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
#
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
#
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new x509_constraints_name struct, handle allocation inside x509_constraints_validate(). Also make the error optional. All this is done to simplify the call sites and to make it more obvious that there are no leaks.
ok jsing
|
#
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
#
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
#
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi
|
#
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_constraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally and zero it out, since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure, found by llvm static analyzer. ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow-on commit.
ok jsing@
|
#
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
#
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
#
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new x509_constraints_name struct, handle allocation inside x509_constraints_validate(). Also make the error optional. All this is done to simplify the call sites and to make it more obvious that there are no leaks.
ok jsing
|
#
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
#
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
#
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi
|
#
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
#
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
#
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
#
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new x509_constraints_name struct, handle allocation inside x509_constraints_validate(). Also make the error optional. All this is done to simplify the call sites and to make it more obvious that there are no leaks.
ok jsing
|
#
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
#
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
#
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi
|
#
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
#
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of accepting any email address from a host by prefixing an email name constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
#
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new x509_constraints_name struct, handle allocation inside x509_constraints_validate(). Also make the error optional. All this is done to simplify the call sites and to make it more obvious that there are no leaks.
ok jsing
|
#
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
#
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
#
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi
|
#
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
#
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
#
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
#
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi
|
#
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
#
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation defined behavior.
ok deraadt inoguchi
|
#
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
#
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
#
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time.
ok jsing@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
#
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).
ok jsing@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2; Zap a useless variable.
suggested by jsing
|
#
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
#
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and other names (such as subjectAltNames) that we want to allocate per cert chain. These limits are checked too late. In a particularly silly cert that jan found on ugos.ugm.ac.id 443, we ended up allocating six times 2048 x509_constraint_name structures before deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which is set on allocation against which each addition of a name is checked.
cluebat/ok jsing ok inoguchi on earlier version
|
#
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read.
agreement from millert ok jsing
|
#
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4; Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
|
#
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
#
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails.
Found by llvm scan-build.
ok beck
|
#
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
#
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1-byte read overflow in x509_constraints_uri and add regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
#
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally and zero it out, since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
#
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
#
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure, found by llvm static analyzer. ok tb@
|
#
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer. ok tb@
|
#
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow-on commit.
ok jsing@
|