| #
1.32 |
|
29-Sep-2023 |
beck |
Allow IP addresses to be specified in a URI.
Our checking here was a bit too aggressive, and did not permit an
IP address in a URI. IP's in a URI are allowed for things like CRLdp's
AIA, SAN URI's etc.). The check for this was also slightly flawed as
we would permit an IP if memory allocation failed while checking for
an IP.
Correct both issues.
ok tb@
|
|
Revision tags: OPENBSD_7_3_BASE
|
|
| #
1.31 |
|
26-Dec-2022 |
jmc |
spelling fixes; from paul tagliamonte
i removed the arithmetics -> arithmetic changes, as i felt they
were not clearly correct
ok tb
|
| #
1.30 |
|
28-Nov-2022 |
tb |
Fix NULL dereference in x509_constraints_uri_host()
When called from v2i, hostpart in x509_constraints_uri_host() is NULL, so
add a NULL check before storing the strdup result in it.
From Anton Borowka
ok jsing miod
|
| #
1.29 |
|
11-Nov-2022 |
beck |
Start CBS-ifying the name constraints code.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_2_BASE
|
|
| #
1.28 |
|
27-Jun-2022 |
beck |
Correct misleading comment for URI parsing
ok jsing@
|
| #
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should
fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
|
Revision tags: OPENBSD_7_1_BASE
|
|
| #
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and
use strndup() instead of strdup() to generate NUL terminated strings
after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not
optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
| #
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
| #
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
|
| #
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| #
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.31 |
|
26-Dec-2022 |
jmc |
spelling fixes; from paul tagliamonte
i removed the arithmetics -> arithmetic changes, as i felt they
were not clearly correct
ok tb
|
| #
1.30 |
|
28-Nov-2022 |
tb |
Fix NULL dereference in x509_constraints_uri_host()
When called from v2i, hostpart in x509_constraints_uri_host() is NULL, so
add a NULL check before storing the strdup result in it.
From Anton Borowka
ok jsing miod
|
| #
1.29 |
|
11-Nov-2022 |
beck |
Start CBS-ifying the name constraints code.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_2_BASE
|
|
| #
1.28 |
|
27-Jun-2022 |
beck |
Correct misleading comment for URI parsing
ok jsing@
|
| #
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should
fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
|
Revision tags: OPENBSD_7_1_BASE
|
|
| #
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and
use strndup() instead of strdup() to generate NUL terminated strings
after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not
optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
| #
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
| #
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
|
| #
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| #
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.30 |
|
28-Nov-2022 |
tb |
Fix NULL dereference in x509_constraints_uri_host()
When called from v2i, hostpart in x509_constraints_uri_host() is NULL, so
add a NULL check before storing the strdup result in it.
From Anton Borowka
ok jsing miod
|
| #
1.29 |
|
11-Nov-2022 |
beck |
Start CBS-ifying the name constraints code.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_2_BASE
|
|
| #
1.28 |
|
27-Jun-2022 |
beck |
Correct misleading comment for URI parsing
ok jsing@
|
| #
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should
fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
|
Revision tags: OPENBSD_7_1_BASE
|
|
| #
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and
use strndup() instead of strdup() to generate NUL terminated strings
after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not
optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
| #
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
| #
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
|
| #
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| #
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.29 |
|
11-Nov-2022 |
beck |
Start CBS-ifying the name constraints code.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_2_BASE
|
|
| #
1.28 |
|
27-Jun-2022 |
beck |
Correct misleading comment for URI parsing
ok jsing@
|
| #
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should
fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
|
Revision tags: OPENBSD_7_1_BASE
|
|
| #
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and
use strndup() instead of strdup() to generate NUL terminated strings
after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not
optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
| #
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
| #
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
|
| #
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| #
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.28 |
|
27-Jun-2022 |
beck |
Correct misleading comment for URI parsing
ok jsing@
|
| #
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should
fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
|
Revision tags: OPENBSD_7_1_BASE
|
|
| #
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and
use strndup() instead of strdup() to generate NUL terminated strings
after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not
optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
| #
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
| #
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
|
| #
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| #
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.27 |
|
26-Jun-2022 |
beck |
Fix URI name constraints, allow for URI's with no host part.
Such uri's must be parsed and allowed, but then should
fail if a name constraint is present.
Adds regress testing for this same case.
fixes https://github.com/libressl-portable/openbsd/issues/131
ok tb@
|
|
Revision tags: OPENBSD_7_1_BASE
|
|
| #
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and
use strndup() instead of strdup() to generate NUL terminated strings
after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not
optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
| #
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
| #
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
|
| #
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| #
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.26 |
|
26-Mar-2022 |
tb |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and
use strndup() instead of strdup() to generate NUL terminated strings
after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not
optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
|
| #
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
| #
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
|
| #
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| #
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.25 |
|
14-Mar-2022 |
tb |
Allow constraints of the form @domain.com
Some things issue and expect that we support a non-standard extension of
accepting any email address from a host by prefixing an email name
constraint with @. This used to be the case with the old code as well.
Pointed out and based on a diff by Alex Wilson.
ok jsing
|
| #
1.24 |
|
14-Mar-2022 |
tb |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
|
| #
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| #
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.23 |
|
13-Mar-2022 |
tb |
Relax the check of x509_constraints_dirname()
The dirname constraint must be a prefix in DER format, so relax the
check from requiring equal-length strings to allow shorter names also.
From Alex Wilson
ok jsing
|
| #
1.22 |
|
13-Mar-2022 |
tb |
Add missing error check after strdup()
From Alex Wilson
ok jsing
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.21 |
|
03-Mar-2022 |
tb |
Pull a len == 0 check up before malloc(len) to avoid implementation
defined behavior.
ok deraadt inoguchi
|
| #
1.20 |
|
02-Mar-2022 |
tb |
Unwrap a line
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.19 |
|
26-Dec-2021 |
tb |
zap doubled semicolon
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.18 |
|
26-Oct-2021 |
beck |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
branches: 1.15.2;
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
branches: 1.10.4;
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
|
Revision tags: OPENBSD_7_0_BASE
|
|
| #
1.17 |
|
23-Sep-2021 |
jsing |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.16 |
|
27-Apr-2021 |
beck |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
|
|
Revision tags: OPENBSD_6_9_BASE
|
|
| #
1.15 |
|
12-Mar-2021 |
tb |
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.15 |
|
12-Mar-2021 |
tb |
Zap a useless variable.
suggested by jsing
|
| #
1.14 |
|
12-Mar-2021 |
tb |
Missing void in function definition
ok jsing
|
| #
1.13 |
|
12-Mar-2021 |
tb |
Fix checks of memory caps of constraints names
x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.12 |
|
25-Nov-2020 |
tb |
Avoid undefined behavior due to memcpy(NULL, NULL, 0)
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.11 |
|
18-Nov-2020 |
tb |
KNF (whitespace)
|
|
Revision tags: OPENBSD_6_8_BASE
|
|
| #
1.10 |
|
21-Sep-2020 |
tb |
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.10 |
|
21-Sep-2020 |
tb |
Fix some line wrapping and other whitespace issues.
No change in the generated assembly on amd64.
|
| #
1.9 |
|
21-Sep-2020 |
tb |
Move freeing and zeroing up to right after the while loop.
Requested by jsing
|
| #
1.8 |
|
20-Sep-2020 |
tb |
Avoid memleak caused by shadowing
The outer scope in x509_constraints_extract_names() contains a vname
variable which will be freed on error, but an inner scope contains
another vname that won't be freed, e.g., if x509_constraints_names_add
fails.
Found by llvm scan-build.
ok beck
|
| #
1.7 |
|
20-Sep-2020 |
tb |
KNF/whitespace nits
|
| #
1.6 |
|
20-Sep-2020 |
beck |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
|
| #
1.5 |
|
20-Sep-2020 |
tb |
Fix a memory leak in x509_constraints_extract_names
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
| #
1.4 |
|
18-Sep-2020 |
beck |
Fix potential overflow in CN subject line parsing, thanks to
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.3 |
|
14-Sep-2020 |
beck |
remove unneeded variable "type".
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
| #
1.2 |
|
14-Sep-2020 |
beck |
Don't leak names on success
found by llvm static analyzer.
ok tb@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| #
1.1 |
|
11-Sep-2020 |
beck |
Add x509_constraints.c - a new implementation of x509 name constraints, with
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|