Merge remote-tracking branch 'upstream/main' into ec-key-infinity-rejection

Author: nebeid

crypto/ocsp/ocsp_verify.c

@@ -35,7 +35,7 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) {
   for (size_t i = 0; i < sk_X509_num(certs); i++) {
     cert = sk_X509_value(certs, i);
     if (X509_pubkey_digest(cert, EVP_sha1(), tmphash, NULL)) {
-      if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0) {
+      if (OPENSSL_memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0) {
         return cert;
       }
     }
@@ -201,6 +201,8 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) {
   return 1;
 }
 
+// Returns -1 on fatal error, 0 if there is no match and 1 if there is a
+// match.
 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                                STACK_OF(OCSP_SINGLERESP) *sresp) {
   if (cert == NULL) {
@@ -232,13 +234,14 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
         return 0;
       }
     }
-    if (memcmp(md, cid->issuerNameHash->data, mdlen) != 0) {
+    if (0 != OPENSSL_memcmp(md, cid->issuerNameHash->data, mdlen)) {
       return 0;
     }
-    if (0 <= X509_pubkey_digest(cert, dgst, md, NULL)) {
-      if (memcmp(md, cid->issuerKeyHash->data, mdlen) != 0) {
-        return 0;
-      }
+    if (1 != X509_pubkey_digest(cert, dgst, md, NULL)) {
+      return -1;
+    }
+    if (0 != OPENSSL_memcmp(md, cid->issuerKeyHash->data, mdlen)) {
+      return 0;
     }
     return 1;
 
@@ -473,8 +476,8 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
   int ret = 0;
   if (!IS_OCSP_FLAG_SET(flags, OCSP_NOVERIFY)) {
     // Initialize and set purpose of |ctx| for verification.
-    if (!X509_STORE_CTX_init(ctx, store, signer, NULL) &&
-        !X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER)) {
+    if (1 != X509_STORE_CTX_init(ctx, store, signer, NULL) ||
+        1 != X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER)) {
       OPENSSL_PUT_ERROR(OCSP, ERR_R_X509_LIB);
       goto end;
     }

crypto/x509/x509_vfy.c

@@ -676,7 +676,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) {
     }
     // Check pathlen if not self issued
     if (i > 1 && !(x->ex_flags & EXFLAG_SI) && x->ex_pathlen != -1 &&
-        plen > x->ex_pathlen + 1) {
+        plen - 1 > x->ex_pathlen) {
       ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
       ctx->error_depth = i;
       ctx->current_cert = x;

ssl/tls13_both.cc

@@ -374,7 +374,7 @@ bool tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,
   if (verify_data.size() > sizeof(ssl->s3->previous_client_finished) ||
       verify_data.size() > sizeof(ssl->s3->previous_server_finished)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return ssl_hs_error;
+    return false;
   }
 
   if (ssl->server) {
@@ -614,7 +614,7 @@ bool tls13_add_finished(SSL_HANDSHAKE *hs) {
   if (verify_data_len > sizeof(ssl->s3->previous_client_finished) ||
       verify_data_len > sizeof(ssl->s3->previous_server_finished)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return ssl_hs_error;
+    return false;
   }
 
   if (ssl->server) {

tool-openssl/pass_util.cc

@@ -5,6 +5,8 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
+#include <cerrno>
+#include <climits>
 #include <cstring>
 #include <string>
 #include "internal.h"
@@ -39,6 +41,11 @@ static Source DetectSource(const Password &source) {
 // Helper function to validate password sources and detect same-file case
 static bool ValidateSource(Password &passin, Password *passout = nullptr,
                            bool *same_file = nullptr) {
+  // Always initialize same_file
+  if (same_file) {
+    *same_file = false;
+  }
+
   // Validate passin format (if not empty)
   if (!passin.empty()) {
     Source passin_type = DetectSource(passin);
@@ -68,26 +75,14 @@ static bool ValidateSource(Password &passin, Password *passout = nullptr,
     }
   }
 
-  // Initialize same_file to false if not detected
-  if (same_file && (!passout || passout->empty())) {
-    *same_file = false;
-  }
-
   return true;
 }
 
 static bool ExtractDirectPassword(Password &source) {
-  // Check for additional colons in password portion after prefix
-  if (source.get().find(':', 5) != std::string::npos) {
-    fprintf(stderr,
-            "Invalid password format (use pass:, file:, env:, or stdin)\n");
-    return false;
-  }
-
   // Check length before modification
-  if (source.get().length() - 5 > PEM_BUFSIZE) {
+  if (source.get().length() >= 5 + PEM_BUFSIZE) {
     fprintf(stderr, "Password exceeds maximum allowed length (%d bytes)\n",
-            PEM_BUFSIZE);
+            PEM_BUFSIZE - 1);
     return false;
   }
 
@@ -121,12 +116,13 @@ static bool ExtractPasswordFromStream(Password &source, Source source_type,
       fprintf(stderr, "Invalid file descriptor: %s\n", source.get().c_str());
       return false;
     }
-
-    int fd = atoi(source.get().c_str());
-    if (fd < 0) {
+    errno = 0;
+    unsigned long fd_val = strtoul(source.get().c_str(), nullptr, 10);
+    if (errno != 0 || fd_val > INT_MAX) {
       fprintf(stderr, "Invalid file descriptor: %s\n", source.get().c_str());
       return false;
     }
+    int fd = static_cast<int>(fd_val);
     bio.reset(BIO_new_fd(fd, BIO_NOCLOSE));
 #endif
   } else {
@@ -189,6 +185,7 @@ static bool ExtractPasswordFromStream(Password &source, Source source_type,
     }
 
     target.assign(buf, len);
+    OPENSSL_cleanse(buf, sizeof(buf));
     return true;
   };
 
@@ -201,8 +198,8 @@ static bool ExtractPasswordFromStream(Password &source, Source source_type,
   } else {
     // Handle skip_first_line if needed
     if (skip_first_line) {
-      std::string dummy;
-      if (!read_password_line(dummy)) {
+      Password dummy;
+      if (!read_password_line(dummy.get())) {
         return false;
       }
     }
@@ -213,7 +210,6 @@ static bool ExtractPasswordFromStream(Password &source, Source source_type,
     }
   }
 
-  OPENSSL_cleanse(buf, sizeof(buf));
   return true;
 }
 
@@ -239,14 +235,14 @@ static bool ExtractPasswordFromEnv(Password &source) {
             source.get().c_str());
     return false;
   }
-  if (env_val_len > PEM_BUFSIZE) {
+  if (env_val_len >= PEM_BUFSIZE) {
     fprintf(stderr, "Environment variable value too long (maximum %d bytes)\n",
-            PEM_BUFSIZE);
+            PEM_BUFSIZE - 1);
     return false;
   }
 
   // Replace source content with environment value
-  source.get() = std::string(env_val);
+  source.get().assign(env_val, env_val_len);
   return true;
 }
 
@@ -305,7 +301,7 @@ bool ExtractPasswords(Password &passin, Password &passout) {
   // Handle same_file case with single extraction call
   if (same_file && !passin.empty() && !passout.empty()) {
     Source source_type = DetectSource(passin);
-    return ExtractPasswordFromSource(passin, source_type, same_file, &passout);
+    return ExtractPasswordFromSource(passin, source_type, false, &passout);
   }
 
   // Extract passin (always from first line)

tool-openssl/pass_util_test.cc

@@ -236,10 +236,20 @@ TEST_F(PassUtilTest, DirectPasswordEdgeCases) {
   EXPECT_TRUE(result) << "Should succeed with empty direct password";
   EXPECT_TRUE(source.empty()) << "Password should be empty";
 
+  // Test password containing colons
+  source = Password("pass:test:123");
+  result = pass_util::ExtractPassword(source);
+  EXPECT_TRUE(result) << "Should succeed with colons in password";
+  EXPECT_EQ(source.get(), "test:123") << "Password with colons should be preserved";
+
+  source = Password("pass:a:b:c:d");
+  result = pass_util::ExtractPassword(source);
+  EXPECT_TRUE(result) << "Should succeed with multiple colons in password";
+  EXPECT_EQ(source.get(), "a:b:c:d") << "All colons in password should be preserved";
+
   // Test invalid format strings
   const char *invalid_formats[] = {
       "pass",           // Missing colon
-      "pass:test:123",  // Multiple colons
       ":password",      // Missing prefix
       "invalid:pass",   // Invalid prefix
       "file:",          // Empty file path