@theuni
Created March 23, 2015 18:55
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 6f19829..d28dc60 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -130,11 +130,17 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
{
ASN1_TLC c;
ASN1_VALUE *ptmpval = NULL;
- if (!pval)
- pval = &ptmpval;
asn1_tlc_clear_nc(&c);
- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
- return *pval;
+ if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
+ ptmpval = *pval;
+ if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
+ if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
+ if (*pval)
+ ASN1_item_free(*pval, it);
+ *pval = ptmpval;
+ }
+ return ptmpval;
+ }
return NULL;
}
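Review bot: A caller that passes a non-NULL `pval` whose `*pval` is NULL never gets the decoded object stored back when `it->itype == ASN1_ITYPE_PRIMITIVE`, because the write-back block is entered only for non-primitive items. The value is still returned, so code relying on the out-parameter (the usual d2i convention) would see NULL there and could leak the result. The condition could read `if (pval && (it->itype != ASN1_ITYPE_PRIMITIVE || *pval == NULL)) {`. For the reused-primitive case it is also worth confirming that a failing ASN1_item_ex_d2i() does not free `ptmpval`, since `*pval` still holds the same pointer. The parameter list of ASN1_item_d2i lies outside the hunk.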
@@ -310,6 +316,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
case ASN1_ITYPE_CHOICE:
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
+
if (*pval) {
/* Free up and zero CHOICE value if initialised */
i = asn1_get_choice_selector(pval, it);
@@ -320,7 +327,6 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
asn1_set_choice_selector(pval, -1, it);
}
} else if (!ASN1_item_ex_new(pval, it)) {
- {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ERR_R_NESTED_ASN1_ERROR);
goto err;
diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index b854827..de3df9e 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -170,14 +170,8 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
{
const unsigned char *q;
X509 *ret;
- int freeret = 0;
-
/* Save start position */
q = *pp;
-
- if(!a || *a == NULL) {
- freeret = 1;
- }
ret = d2i_X509(a, pp, length);
/* If certificate unreadable then forget it */
if(!ret) return NULL;
@@ -187,11 +181,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
return ret;
err:
- if(freeret) {
X509_free(ret);
- if (a)
- *a = NULL;
- }
return NULL;
}
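Review bot: The `err:` path now calls `X509_free(ret)` unconditionally, but `ret` comes from `d2i_X509(a, pp, length)`, so when the caller supplied `a` the same pointer is presumably also stored in `*a` and is left dangling after the free. The `freeret` bookkeeping removed in the previous hunk, together with `*a = NULL`, is what kept a caller from later using or freeing that pointer a second time. If the intent is that the decoded object is always released on an auxiliary-data failure, clear the caller's copy as well: `if (a) *a = NULL;` right after `X509_free(ret);`. The function body starts in the previous hunk.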
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 60e3786..52d31c2 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1142,6 +1142,8 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
ERR_R_MALLOC_FAILURE);
goto err;
}
+ if (a)
+ *a = ret;
}
else
ret = *a;
@@ -1222,13 +1224,12 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
/* Remember the original private-key-only encoding. */
ret->enc_flag |= EC_PKEY_NO_PUBKEY;
}
- if (a)
- *a = ret;
+
ok = 1;
err:
if (!ok)
{
- if (ret && (a == NULL || *a != ret))
+ if (ret)
EC_KEY_free(ret);
ret = NULL;
}
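Review bot: The error path frees `ret` whenever it is non-NULL, yet `ret` can be the caller's own key (`ret = *a` in the earlier hunk) or a new key already published through the `*a = ret` added there, so after a parse failure `*a` points at freed memory. A caller that frees or reuses its key after the NULL return would then hit a use-after-free or double free. Either publish `*a = ret` only once `ok = 1` is reached and free only what this function allocated, `if (ret && (a == NULL || *a != ret))`, or reset `*a` next to the free. The body of d2i_ECPrivateKey continues outside both hunks.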
@@ -1377,6 +1378,8 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
return NULL;
}
+ if (a)
+ *a = ret;
}
else
ret = *a;
@@ -1384,14 +1387,9 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
if (!d2i_ECPKParameters(&ret->group, in, len))
{
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
- if (a == NULL || *a != ret)
- EC_KEY_free(ret);
return NULL;
}
- if (a)
- *a = ret;
-
return ret;
}
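Review bot: The failure branch after `d2i_ECPKParameters()` no longer releases a key that this function allocated itself, because the `EC_KEY_free(ret)` call is removed and the branch just returns NULL. With `a == NULL` that leaks an EC_KEY on every malformed input; with `a` set, the early `*a = ret` from the previous hunk leaves the caller holding a key without a group. Keeping `if (a) *a = ret;` after the successful parse and restoring `if (a == NULL || *a != ret) EC_KEY_free(ret);` before `return NULL;` would preserve the cleanup.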
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 29928ba..31b8a46 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -462,7 +462,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
return NULL;
}
-
i=OBJ_obj2nid(p7->type);
p7->state=PKCS7_S_HEADER;
@@ -919,6 +918,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
goto err;
M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
}
+
if (!PKCS7_is_detached(p7)) {
/*
* NOTE(emilia): I think we only reach os == NULL here because detached
@@ -930,13 +930,13 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
char *cont;
long contlen;
btmp = BIO_find_type(bio, BIO_TYPE_MEM);
- if (btmp == NULL)
- {
+ if (btmp == NULL) {
PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
goto err;
}
contlen = BIO_get_mem_data(btmp, &cont);
- /* Mark the BIO read only then we can use its copy of the data
+ /*
+ * Mark the BIO read only then we can use its copy of the data
* instead of making an extra copy.
*/
BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 69d4816..e2fc802 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -70,8 +70,8 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
nid=OBJ_obj2nid(p7->type);
switch (cmd)
- /* NOTE(emilia): does not support detached digested data. */
{
+ /* NOTE(emilia): does not support detached digested data. */
case PKCS7_OP_SET_DETACHED_SIGNATURE:
if (nid == NID_pkcs7_signed)
{
@@ -459,9 +459,9 @@ int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
}
STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
+ {
if (p7 == NULL || p7->d.ptr == NULL)
return NULL;
- {
if (PKCS7_type_is_signed(p7))
{
return(p7->d.sign->signer_info);
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index 6876d6c..48183dc 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -92,8 +92,6 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
goto err;
pktmp = X509_get_pubkey(x);
- if (pktmp == NULL)
- goto err;
i=X509_REQ_set_pubkey(ret,pktmp);
EVP_PKEY_free(pktmp);
if (!i) goto err;
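Review bot: `pktmp` reaches `X509_REQ_set_pubkey(ret,pktmp)` unchecked now that `if (pktmp == NULL) goto err;` is gone, and `X509_get_pubkey()` returns NULL when the certificate's public key cannot be decoded. Whether the setter tolerates NULL is not visible here, so this is a potential NULL dereference on a certificate with an unusable key. Keep the guard `if (pktmp == NULL) goto err;` directly after the `X509_get_pubkey(x)` call. The rest of X509_to_X509_REQ is outside the hunk.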
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 0aa1bad..6086d0a 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -109,8 +109,8 @@ The following is a list of all permitted cipher strings and their meanings.
=item B<DEFAULT>
-the default cipher list. This is determined at compile time and
-is normally B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>. This must be the firstcipher string
+the default cipher list. This is determined at compile time and, as of OpenSSL
+1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string
specified.
=item B<COMPLEMENTOFDEFAULT>
diff --git a/doc/crypto/d2i_X509.pod b/doc/crypto/d2i_X509.pod
index 298ec54..6fed4b1 100644
--- a/doc/crypto/d2i_X509.pod
+++ b/doc/crypto/d2i_X509.pod
@@ -199,6 +199,12 @@ B<*px> is valid is broken and some parts of the reused structure may
persist if they are not present in the new one. As a result the use
of this "reuse" behaviour is strongly discouraged.
+Current versions of OpenSSL will not modify B<*px> if an error occurs.
+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
+set to the value of the newly decoded structure. As a result B<*px>
+B<must not> be allocated on the stack or an attempt will be made to
+free an invalid pointer.
+
i2d_X509() will not return an error in many versions of OpenSSL,
if mandatory fields are not initialized due to a programming error
then the encoded structure may contain invalid data or omit the
@@ -210,7 +216,9 @@ always succeed.
d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
or B<NULL> if an error occurs. The error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
+with a valid X509 structure being passed in via B<px> then the object is not
+modified in the event of error.
i2d_X509() returns the number of bytes successfully encoded or a negative
value if an error occurs. The error code can be obtained by
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index f7410b4..1406b3b 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -371,8 +371,7 @@ end:
static int get_client_master_key(SSL *s)
{
- int is_export, i, n, keya;
- unsigned int ek;
+ int is_export,i,n,keya,ek;
unsigned long len;
unsigned char *p;
const SSL_CIPHER *cp;
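Review bot: Declaring `ek` as a plain `int` turns the length checks in the later hunks (`s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c)` and `s->s2->tmp.enc < ek`) into mixed signed/unsigned comparisons, assuming the `tmp` fields are unsigned as the removed casts suggest. These checks bound lengths that appear to come from the client's message, and with implicit conversion a negative `ek` or key length would compare as a very large unsigned value instead of failing the check. Keep `unsigned int ek;` as its own declaration and retain the explicit `(unsigned int)EVP_CIPHER_key_length(c)` and `(int)ek` casts so each comparison is made in one signedness. The function body continues outside the hunk.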
@@ -455,7 +454,6 @@ static int get_client_master_key(SSL *s)
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
return(-1);
}
-
is_export=SSL_C_IS_EXPORT(s->session->cipher);
if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
@@ -491,7 +489,7 @@ static int get_client_master_key(SSL *s)
* must be zero).
*/
if ((!is_export && s->s2->tmp.clear != 0) ||
- (is_export && s->s2->tmp.clear + ek != (unsigned int)EVP_CIPHER_key_length(c))) {
+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
return -1;
@@ -502,7 +500,7 @@ static int get_client_master_key(SSL *s)
* bytes to fit the key in the buffer, stop now.
*/
if ((is_export && s->s2->tmp.enc < ek) ||
- (!is_export && s->s2->tmp.enc < (unsigned int)EVP_CIPHER_key_length(c))) {
+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
return -1;
@@ -519,7 +517,7 @@ static int get_client_master_key(SSL *s)
/* If a bad decrypt, continue with protocol but with a
* random master secret (Bleichenbacher attack) */
if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
- || (is_export && i != (int)ek))) {
+ || (is_export && i != ek))) {
ERR_clear_error();
if (is_export)
i=ek;
@@ -549,7 +547,8 @@ static int get_client_master_key(SSL *s)
}
#endif
- if (is_export) i = EVP_CIPHER_key_length(c);
+ if (is_export)
+ i = EVP_CIPHER_key_length(c);
if (i > SSL_MAX_MASTER_KEY_LENGTH)
{
diff --git a/ssl/ssl.h b/ssl/ssl.h
index f8db039..2ba5923 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -332,7 +332,7 @@ extern "C" {
/* The following cipher list is used by default.
* It also is substituted when an application-defined cipher list string
* starts with 'DEFAULT'. */
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
* throwing out anonymous and unencrypted ciphersuites!
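Review bot: Dropping `!EXPORT` from `SSL_DEFAULT_CIPHER_LIST` puts export-grade suites back into the set every application gets when it configures no cipher string or starts its string with `DEFAULT`. Those suites use deliberately weakened key sizes, so a connection negotiated onto one of them has little confidentiality. Unless a documented compatibility need exists, keep the exclusion: `#define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"`. The comment under the define mentions only anonymous and unencrypted suites and should list every class the string actually excludes.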
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index a97929f..b767361 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -230,8 +230,7 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_CMPALL,0, 0,0,SSL_eNULL,0,0,0,0,0,0},
/* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
- {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
- SSL_EXP_MASK, 0, 0, 0},
+ {0,SSL_TXT_CMPDEF,0, SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},
/* key exchange aliases
* (some of those using only a single bit here combine
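Review bot: The new `SSL_TXT_CMPDEF` entry no longer mirrors the default list: the `ssl/ssl.h` section of this same diff still excludes `!SSLv2`, but the entry now has `0` in the position where the removed one had `~SSL_SSLV2`. The matching special case in `ssl_cipher_apply_rule()` is also deleted in the next hunk. If the fields are matched the way the remaining `alg_mkey`/`alg_auth` tests suggest, SSLv2 suites end up in neither DEFAULT nor COMPLEMENTOFDEFAULT, and the alias is narrowed to `SSL_kEDH|SSL_kEECDH` key exchange. Either keep the alias in step with the default string or extend the comment above it, e.g. `/* "COMPLEMENTOFDEFAULT": anonymous DH/ECDH suites only; SSLv2 suites are not covered */`.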
@@ -980,10 +979,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
#ifdef CIPHER_DEBUG
fprintf(stderr, "\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
#endif
- if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
- goto ok;
- if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
- goto ok;
+
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -1000,8 +996,6 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
continue;
}
- ok:
-
#ifdef CIPHER_DEBUG
fprintf(stderr, "Action = %d\n", rule);
#endif