The recent updates to libssl to enforce stricter return code checking, left
a small number of instances behind where return codes were being swallowed
(typically because the function they were being called from was declared as
void). This commit fixes those instances to handle the return codes more
appropriately.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The X509_ATTRIBUTE structure includes a hack to tolerate malformed
attributes that encode as the type instead of SET OF type. This form
is never created by OpenSSL and shouldn't be needed any more.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Support loading of key and certificate from the same file if
SSL_CONF_FLAG_REQUIRE_PRIVATE is set. This is done by remembering the
filename used for each certificate type and attempting to load a private
key from the file when SSL_CONF_CTX_finish is called.
Update docs.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The justification for RAND_pseudo_bytes is somewhat dubious, and the reality
is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in
the default implementation both end up calling ssleay_rand_bytes. Both may
return -1 in an error condition. If there is insufficient entropy then
both will return 0, but RAND_bytes will additionally add an error to the
error queue. They both return 1 on success.
Therefore the fundamental difference between the two is that one will add an
error to the error queue with insufficient entory whilst the other will not.
Frequently there are constructions of this form:
if(RAND_pseudo_bytes(...) <= 1)
goto err;
In the above form insufficient entropy is treated as an error anyway, so
RAND_bytes is probably the better form to use.
This form is also seen:
if(!RAND_pseudo_bytes(...))
goto err;
This is technically not correct at all since a -1 return value is
incorrectly handled - but this form will also treat insufficient entropy as
an error.
Within libssl it is required that you have correctly seeded your entropy
pool and so there seems little benefit in using RAND_pseudo_bytes.
Similarly in libcrypto many operations also require a correctly seeded
entropy pool and so in most interesting cases you would be better off
using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes
being incorrectly used in scenarios where security can be compromised by
insufficient entropy.
If you are not using the default implementation, then most engines use the
same function to implement RAND_bytes and RAND_pseudo_bytes in any case.
Given its misuse, limited benefit, and potential to compromise security,
RAND_pseudo_bytes has been deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.
Reviewed-by: Richard Levitte <levitte@openssl.org>
In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.
Reviewed-by: Richard Levitte <levitte@openssl.org>
In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to 00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets DH_free, DSA_free, RSA_free
Reviewed-by: Matt Caswell <matt@openssl.org>
Thanks to the change of mkdef.pl, a few more deprecated functions were
properly defined in util/libeay.num.
Reviewed-by: Matt Caswell <matt@openssl.org>
For the moment, this is specially crafted for DECLARE_DEPRECATED because
that's where we found the problem, but it can easily be expanded to other
types of special delarations when needed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Disable loop checking when we retry verification with an alternative path.
This fixes the case where an intermediate CA is explicitly trusted and part
of the untrusted certificate list. By disabling loop checking for this case
the untrusted CA can be replaced by the explicitly trusted case and
verification will succeed.
Reviewed-by: Matt Caswell <matt@openssl.org>
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.
PR#3668
Reviewed-by: Matt Caswell <matt@openssl.org>
Move ASN.1 internals used across multiple directories into new internal
header file asn1_int.h remove crypto/Makefile hack which allowed other
directories to include "asn1_locl.h"
Reviewed-by: Matt Caswell <matt@openssl.org>
Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets ASN1_OBJECT_free and ASN1_STRING_free.
Reviewed-by: Matt Caswell <matt@openssl.org>
Fix compilation failure when SCTP is compiled due to incorrect define.
Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828
RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Thanks to a -I.., the path does work, at least on unix. However, this
doesn't work so well on VMS. Correcting the path to not rely on given
-I does work on both.
Reviewed-by: Matt Caswell <matt@openssl.org>
Remove old ASN.1 COMPAT type. This was meant as a temporary measure
so older ASN.1 code (from OpenSSL 0.9.6) still worked. It's a hack
which breaks constification and hopefully nothing uses it now, if
it ever did.
Reviewed-by: Matt Caswell <matt@openssl.org>
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.
Reviewed-by: Matt Caswell <matt@openssl.org>