Commit Graph

15 Commits

Author SHA1 Message Date
Adam Langley
5e3c8a61ab Bound two other cases of PKCS#12 iteration counts.
The fuzzer found another place where it could cause a timeout by
providing a huge PBKDF2 iteration count. This change bounds another two
places where we parse out iteration counts and that's hopefully all of
them.

BUG=oss-fuzz:9853

Change-Id: I037fa09d2bee79e7435a9d40cbd89c07b4a9d443
Reviewed-on: https://boringssl-review.googlesource.com/30944
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-13 21:42:06 +00:00
Adam Langley
04e149f840 Set the fuzzer PBKDF2 limit to 2048.
Our test data uses values to up 2048 so the 1024 limit was causing tests
to fail in fuzzing mode.

Change-Id: I71b97be26376a04c13d1f438e5e36a5ffff1c1a4
Reviewed-on: https://boringssl-review.googlesource.com/30484
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-08 18:33:00 +00:00
Adam Langley
c81965a8ad Set PBKDF2 limit in PKCS#12 to 100M.
The previous limit was |UINT_MAX|. Windows limits to 600K, but that's
already causing issues. This seems like a balance between being
completely crazy and still large enough not to have to worry for a long
time. It's still probably too large for backend systems wanting to
process arbitrary PKCS#12, but I don't think any fixed value will
satisfy all desires.

Change-Id: I01a3f78d5f2df086f8dbc0e8bacfb95153738f55
Reviewed-on: https://boringssl-review.googlesource.com/30424
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-08 17:09:36 +00:00
Adam Langley
2bcb315138 Limit the number of PBKDF2 iterations when fuzzing.
(Otherwise the fuzzer will discover that it can trigger extremely large
amounts of computation and start timing out.)

BUG=oss-fuzz:9767

Change-Id: Ibc1da5a90da169c7caf522f792530d1020f8cb54
Reviewed-on: https://boringssl-review.googlesource.com/30404
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-08 16:12:50 +00:00
David Benjamin
8803c0589d Properly advance the CBS when parsing BER structures.
CBS_asn1_ber_to_der was a little cumbersome to use. While it, in theory,
allowed callers to consistently advance past the element, no caller
actually did so consistently. Instead they would advance if conversion
happened, and not if it was already DER. For the PKCS7_* functions, this
was even caller-exposed.

Change-Id: I658d265df899bace9ba6616cb465f19c9e6c3534
Reviewed-on: https://boringssl-review.googlesource.com/29304
Reviewed-by: Adam Langley <agl@google.com>
2018-06-26 07:23:10 +00:00
David Benjamin
982279b366 Add a PKCS#12 fuzzer.
Change-Id: Iee3a3d46d283bd6cbb46940e630916aacdd71db6
Reviewed-on: https://boringssl-review.googlesource.com/28552
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-05-15 23:58:32 +00:00
David Benjamin
9b2c6a93e5 Extract friendly names attached to certificates.
OpenSSL staples each certificate's friendly name to the X509 with
X509_alias_set1. Mimic this. pyOpenSSL expects to find it there.

Update-Note: We actually parse some attributes now. PKCS#12 files with
malformed ones may not parse.

Change-Id: I3b78958eedf195509cd222ea4f0c884be3753770
Reviewed-on: https://boringssl-review.googlesource.com/28551
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-05-15 23:44:53 +00:00
David Benjamin
22ae0b8577 Try both null and empty passwords when decoding PKCS#12.
PKCS#12 encodes passwords as NUL-terminated UCS-2, so the empty password
is encoded as {0, 0}. Some implementations use the empty byte array for
"no password". OpenSSL considers a non-NULL password as {0, 0} and a
NULL password as {}. It then, in high-level PKCS#12 parsing code, tries
both options.

Match this behavior to appease pyOpenSSL's tests.

Change-Id: I07ef91d54454b6f2647f86b7eb9b13509b2876d3
Reviewed-on: https://boringssl-review.googlesource.com/28550
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-05-15 23:41:32 +00:00
David Benjamin
2e67153de4 Add PKCS12_create.
PyOpenSSL calls this function these days. Tested by roundtripping with
ourselves and also manually confirming our output interoperates with
OpenSSL.  (For anyone repeating this experiment, the OpenSSL
command-line tool has a bug and does not correctly output friendlyName
attributes with non-ASCII characters. I'll send them a PR to fix this
shortly.)

Between this and the UTF-8 logic earlier, the theme of this patch series
seems to be "implement in C something I last implemented in
JavaScript"...

Change-Id: I258d563498d82998c6bffc6789efeaba36fe3a5e
Reviewed-on: https://boringssl-review.googlesource.com/28328
Reviewed-by: Adam Langley <agl@google.com>
2018-05-11 21:59:34 +00:00
David Benjamin
a3c2517bd9 Add i2d_PKCS12*.
This is not very useful without PKCS12_create, which a follow-up change
will implement.

Change-Id: I355ccd22a165830911ae189871ab90a6101f42ae
Reviewed-on: https://boringssl-review.googlesource.com/28327
Reviewed-by: Adam Langley <agl@google.com>
2018-05-11 21:59:20 +00:00
David Benjamin
42e93b6cf5 Export EVP_parse_digest_algorithm and add EVP_marshal_digest_algorithm.
Chromium's OCSP code needs the OIDs and we already have them on hand.

Change-Id: Icab012ba4ae15ce029cbfe3ed93f89470137e7f6
Reviewed-on: https://boringssl-review.googlesource.com/20724
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-09-25 20:44:13 +00:00
David Benjamin
808f832917 Run the comment converter on libcrypto.
crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL
style.

Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c
Reviewed-on: https://boringssl-review.googlesource.com/19504
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-18 21:49:04 +00:00
Adam Langley
fd49993c3b First part of the FIPS module.
Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947
Reviewed-on: https://boringssl-review.googlesource.com/14506
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
2017-04-07 00:05:34 +00:00
David Benjamin
02084ea398 Decouple PKCS8_encrypt and PKCS8_decrypt's core from crypto/asn1.
These will be used by Chromium's crypto::ECPrivateKey to work with
EncryptedPrivateKeyInfo structures.

Note this comes with a behavior change: PKCS8_encrypt and PKCS8_decrypt
will no longer preserve PKCS#8 PrivateKeyInfo attributes. However, those
functions are only called by Chromium which does not care. They are also
called by the PEM code, but not in a way which exposes attributes.

The PKCS#12 PFX code is made to use PKCS8_parse_encrypted_private_key
because it's cleaner (no more tossing X509_SIG around) and to ease
decoupling that in the future.

crypto/pkcs8's dependency on the legacy ASN.1 stack is now limited to
pkcs8_x509.c.

BUG=54

Change-Id: I173e605d175e982c6b0250dd22187b73aca15b1a
Reviewed-on: https://boringssl-review.googlesource.com/14215
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-26 04:00:26 +00:00
David Benjamin
7ce10d5da7 Partially split out crypto/pkcs8's legacy ASN.1 dependencies.
PKCS8_encrypt and PKCS8_decrypt still need to be split. The code for
processing PKCS#12 files is, for now, placed entirely in pkcs8_x509.c.
If we need to split it up, it should be straightforward to do so.
(Introduce a CRYPTO_BUFFER version of PKCS12_get_key_and_certs and go
from there.)

BUG=54

Change-Id: I9c87e916ec29ee14dbbd81c4d3fc10ac8a461f1a
Reviewed-on: https://boringssl-review.googlesource.com/14214
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-26 00:17:25 +00:00