Commit graph

79 commits

Author SHA1 Message Date
Dr. Matthias St. Pierre
0c994d54af Reorganize private crypto header files
Currently, there are two different directories which contain internal
header files of libcrypto which are meant to be shared internally:

While header files in 'include/internal' are intended to be shared
between libcrypto and libssl, the files in 'crypto/include/internal'
are intended to be shared inside libcrypto only.

To make things complicated, the include search path is set up in such
a way that the directive #include "internal/file.h" could refer to
a file in either of these two directoroes. This makes it necessary
in some cases to add a '_int.h' suffix to some files to resolve this
ambiguity:

  #include "internal/file.h"      # located in 'include/internal'
  #include "internal/file_int.h"  # located in 'crypto/include/internal'

This commit moves the private crypto headers from

  'crypto/include/internal'  to  'include/crypto'

As a result, the include directives become unambiguous

  #include "internal/file.h"       # located in 'include/internal'
  #include "crypto/file.h"         # located in 'include/crypto'

hence the superfluous '_int.h' suffixes can be stripped.

The files 'store_int.h' and 'store.h' need to be treated specially;
they are joined into a single file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9681)
2019-09-27 23:57:58 +02:00
Richard Levitte
28428130db Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)
2018-04-17 15:18:40 +02:00
Rich Salz
cdb10bae3f Set error code on alloc failures
Almost all *alloc failures now set an error code.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5842)
2018-04-03 11:31:16 -04:00
Rich Salz
cbe2964821 Consistent formatting for sizeof(foo)
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4872)
2017-12-07 19:11:49 -05:00
Andy Polyakov
3a63c0edab Resolve warnings in VC-WIN32 build, which allows to add /WX.
It's argued that /WX allows to keep better focus on new code, which
motivates its comeback...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)
2017-11-13 10:58:57 +01:00
FdaSilvaYY
f479eab227 style : fix some if(...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4457)
2017-11-07 17:09:24 +01:00
KaoruToda
26a7d938c9 Remove parentheses of return.
Since return is inconsistent, I removed unnecessary parentheses and
unified them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)
2017-10-18 16:05:06 +01:00
Pauli
a1df06b363 This has been added to avoid the situation where some host ctype.h functions
return true for characters > 127.  I.e. they are allowing extended ASCII
characters through which then cause problems.  E.g. marking superscript '2' as
a number then causes the common (ch - '0') conversion to number to fail
miserably.  Likewise letters with diacritical marks can also cause problems.

If a non-ASCII character set is being used (currently only EBCDIC), it is
adjusted for.

The implementation uses a single table with a bit for each of the defined
classes.  These functions accept an int argument and fail for
values out of range or for characters outside of the ASCII set.  They will
work for both signed and unsigned character inputs.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4102)
2017-08-22 09:45:25 +10:00
Matt Caswell
888098304b More updates following review feedback
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3740)
2017-08-21 08:44:44 +01:00
Matt Caswell
86f31dd9cc Remove OPENSSL_assert() from various crypto/bio files
bss_dgram.c is deferred until later due to ongoing discussions.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3740)
2017-08-21 08:44:44 +01:00
Bernd Edlinger
018fcbec38 Fix gcc-7 warnings.
- Mostly missing fall thru comments
- And uninitialized value used in sslapitest.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3440)
2017-05-11 19:39:38 +02:00
Andy Polyakov
15b337fa58 bio/b_print.c: switch to int64_t as "greatest-width integer type".
Originally there was dependency on BN configuration parameters, but
it stemmed from times when "long long" support was optional. Today
we require 64-bit support from compiler, and there is no reason to
have "greatest-width integer" depend on BN configuration.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2017-04-01 15:40:43 +02:00
Andy Polyakov
74d9519a68 bio/b_print.c: recognize even 'j' format modifier.
'j' is specified as modifier for "greatest-width integer type", which in
practice means 64 bits on both 32- and 64-bit platforms. Since we rely
on __attribute__((__format__(__printf__,...))) to sanitize BIO_print
format, we can use it to denote [u]int64_t-s in platform-neutral manner.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3083)
2017-03-30 19:33:32 +02:00
Andy Polyakov
c141782130 bio/b_print.c: fix %z failure in 32-bit build.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2017-03-29 23:51:57 +02:00
Richard Levitte
1e53a9fd1a Add z modifier parsing to the BIO_printf et all format string
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3064)
2017-03-29 16:16:25 +02:00
Kurt Roeckx
68d4bcfd06 Fix VC warnings about unary minus to an unsigned type.
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2230
2017-01-15 22:21:07 +01:00
Kurt Roeckx
1618679ac4 Cast to an unsigned type before negating
llvm's ubsan reported:
runtime error: negation of -9223372036854775808 cannot be represented in type
'long'; cast to an unsigned type to negate this value to itself

Found using afl

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1325
2016-07-20 19:25:16 +02:00
Matt Caswell
416a5b6c92 BIO_printf() can fail to print the last character
If the string to print is exactly 2048 character long (excluding the NULL
terminator) then BIO_printf will chop off the last byte. This is because
it has filled its static buffer but hasn't yet allocated a dynamic buffer.
In cases where we don't have a dynamic buffer we need to truncate but that
is not the case for BIO_printf(). We need to check whether we are able to
have a dynamic buffer buffer deciding to truncate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-03 20:29:04 +01:00
Richard Levitte
453fc7a018 Make sure max in fmtstr() doesn't overflow into negativity
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-30 05:41:57 +02:00
Richard Levitte
230c691a52 Fix fmtstr for BIO_printf() et al
-   If we have a maximum amount of characters permitted to be printed
    (for example "%.2s", which allows for a maximum of 2 chars), we
    minimize the number of characters from the string to printed to
    that size.
-   If there is space for padding and there is a maximum amount of
    characters to print (for example "%3.2s", which shall give at
    least a 1 space padding), the amount of characters to pad with
    gets added to the maximum so the minimum field size (3 in this
    example) gets filled out.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-27 17:47:25 +02:00
Matt Caswell
1b62d880b5 Prevent an overflow when trying to print excessively big floats
We convert the integer part of the float to a long. We should check it
fits first.

Issue reported by Guido Vranken.

GitHub Issue #1102

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-27 10:23:18 +01:00
Matt Caswell
d6056f085d Fix implementation of "e" and "g" formats for printing floating points
The previous commit which "fixed" the "e" and "g" floating point formats
just printed them in the same way as "f". This is wrong. This commit
provides the correct formatting.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-27 10:23:18 +01:00
Matt Caswell
242073bdbc Fix some issues in b_print.c code
Convert assert to OPENSSL_assert(), add some documentation, add the calls
to fmtfp() for the "e" and "g" floating point formats which were missing.

Based on a patch provided by Ger Hobbelt <ger@hobbelt.com>.

RT#2270

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-27 10:23:18 +01:00
Rich Salz
b1322259d9 Copyright consolidation 09/10
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-17 14:53:16 -04:00
Andy Polyakov
463a7b8cb0 Clean-up *_DEBUG options.
Since NDEBUG is defined unconditionally on command line for release
builds, we can omit *_DEBUG options in favour of effective "all-on"
in debug builds exercised though CI.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-04-07 21:18:00 +02:00
Matt Caswell
9cb177301f Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a "%s" format string
in the BIO_*printf functions could overflow while calculating the length
of a string and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to
an OOB memory location (at an offset from the NULL pointer) in the event of
a memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can also
occur.

These issues will only occur on certain platforms where sizeof(size_t) >
sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
issue dependent on compiler behaviour.

These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

CVE-2016-0799

Issue reported by Guido Vranken.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-25 22:45:58 +00:00
Rich Salz
349807608f Remove /* foo.c */ comments
This was done by the following
        find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
        print unless $. == 1 && m@/\* .*\.[ch] \*/@;
        close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 16:40:43 -05:00
Rich Salz
4fae386cb0 Cleanup CRYPTO_{push,pop}_info
Rename to OPENSSL_mem_debug_{push,pop}.
Remove simple calls; keep only calls used in recursive functions.
Ensure we always push, to simplify so that we can always pop

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 09:11:07 -05:00
Matt Caswell
90945fa31a Continue standardising malloc style for libcrypto
Continuing from previous commit ensure our style is consistent for malloc
return checks.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-09 22:48:41 +00:00
Andy Polyakov
5f0580ccf1 Harmonize pointer printing and size_t-fy casts.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-05 09:26:19 +02:00
Richard Levitte
b39fc56061 Identify and move common internal libcrypto header files
There are header files in crypto/ that are used by a number of crypto/
submodules.  Move those to crypto/include/internal and adapt the
affected source code and Makefiles.

The header files that got moved are:

crypto/cryptolib.h
crypto/md32_common.h

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-14 17:21:40 +02:00
Matt Caswell
9d9e37744c Clarify logic in BIO_*printf functions
The static function dynamically allocates an output buffer if the output
grows larger than the static buffer that is normally used. The original
logic implied that |currlen| could be greater than |maxlen| which is
incorrect (and if so would cause a buffer overrun). Also the original
logic would call OPENSSL_malloc to create a dynamic buffer equal to the
size of the static buffer, and then immediately call OPENSSL_realloc to
make it bigger, rather than just creating a buffer than was big enough in
the first place. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot
Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-30 23:12:39 +01:00
Viktor Dukhovni
61986d32f3 Code style: space after 'if'
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-16 13:44:59 -04:00
Matt Caswell
b7573c597c Remove dead code from crypto
Some miscellaneous removal of dead code from lib crypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-17 14:48:44 +00:00
Matt Caswell
918bb86529 Unchecked malloc fixes
Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-05 09:09:57 +00:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Tim Hudson
1d97c84351 mark all block comments that need format preserving so that
indent will not alter them when reformatting comments

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-30 22:10:26 +00:00
Andy Polyakov
77519b51db Make bn2dec work on "SIXTY_FOUR_BIT" platforms.
PR: 1456
2007-09-15 17:05:11 +00:00
Geoff Thorpe
209b12814f Fix compilation when HAVE_LONG_LONG isn't defined. 2005-07-26 04:43:31 +00:00
Nils Larsch
2c288b2a7e fix compiler warning; pow10 is also in math.h 2005-05-05 20:57:37 +00:00
Nils Larsch
70f34a5841 some const fixes and cleanup 2005-04-05 10:29:43 +00:00
Geoff Thorpe
032c3ecb18 Protect against gcc's "warning: cast does not match function type". 2004-03-25 02:19:42 +00:00
Richard Levitte
ec5d8a54e9 Remove a warning for conversion double->long. This has impacts on Windows.
PR: 849
2004-03-21 22:39:52 +00:00
Richard Levitte
a2b0de98af To figure out if we're going outside the buffer, use the size of the buffer,
not the size of the integer used to index in said buffer.

PR: 794
Notified by: Rhett Garber <rhett_garber@hp.com>
2003-12-11 18:01:03 +00:00
Geoff Thorpe
d8ec0dcf45 Avoid some shadowed variable names.
Submitted by: Nils Larsch
2003-11-04 00:51:32 +00:00
Geoff Thorpe
8a66d17899 Remove an unnecessary cast that causes certain compilers (eg. mine) some
confusion. Also silence a couple of signed/unsigned warnings.
2003-10-29 05:00:57 +00:00
Richard Levitte
83743ad039 Fix sign bugs.
PR: 621
2003-05-21 14:29:13 +00:00
Richard Levitte
c433d72593 Make %p and %# work properly, at least with pointers and floats. 2003-04-03 23:35:14 +00:00
Ben Laurie
54a656ef08 Security fixes brought forward from 0.9.7. 2002-11-13 15:43:43 +00:00
Richard Levitte
ba8fb52183 Certain flag macros were tested with #if instead if #ifdef... 2002-08-02 11:13:37 +00:00