Skip to content

Fix error handling in x509v3_cache_extensions and related functions#10755

Closed
bernd-edlinger wants to merge 11 commits intoopenssl:masterfrom
bernd-edlinger:fix_error_handling_x509_flags
Closed

Fix error handling in x509v3_cache_extensions and related functions#10755
bernd-edlinger wants to merge 11 commits intoopenssl:masterfrom
bernd-edlinger:fix_error_handling_x509_flags

Conversation

@bernd-edlinger
Copy link
Member

@bernd-edlinger bernd-edlinger commented Jan 4, 2020

Basically we use EXFLAG_INVALID for all kinds of out of memory and
all kinds of parse errors in x509v3_cache_extensions.

[extended tests]

Checklist
  • documentation is added or updated
  • tests are added or updated

@bernd-edlinger bernd-edlinger added the branch: master Applies to master branch label Jan 4, 2020
@bernd-edlinger bernd-edlinger force-pushed the fix_error_handling_x509_flags branch from 28c5aea to c9f275f Compare January 4, 2020 15:07
@bernd-edlinger
Fix error handling in x509v3_cache_extensions and related functions
f919606 
Basically we use EXFLAG_INVALID for all kinds of out of memory and
all kinds of parse errors in x509v3_cache_extensions.

[extended tests]
@bernd-edlinger bernd-edlinger force-pushed the fix_error_handling_x509_flags branch from c9f275f to f919606 Compare January 4, 2020 15:10
@bernd-edlinger bernd-edlinger mentioned this pull request Jan 4, 2020
Closed
FdaSilvaYY
FdaSilvaYY suggested changes Jan 5, 2020
View reviewed changes
Copy link
Contributor

@FdaSilvaYY FdaSilvaYY left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EXFLAG_INVALID is not very well documented .
I suggest to add something like this :
This bit may also be raised after some internal cert-processing failures
So it may not be related to the processed object itself.

paulidale
paulidale reviewed Jan 8, 2020
View reviewed changes
crypto/x509/v3_purp.c Outdated
BASIC_CONSTRAINTS_free(bs);
x->ex_flags |= EXFLAG_BCONS;
}
else if (i != -1) {
Copy link
Contributor

@paulidale paulidale Jan 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Style nit: on previous line.

paulidale
paulidale reviewed Jan 8, 2020
View reviewed changes
apps/rehash.c
name = X509_get_subject_name(x->x509);
X509_digest(x->x509, evpmd, digest, NULL);
if (!X509_digest(x->x509, evpmd, digest, NULL)) {
BIO_printf(bio_err, "out of memory\n");
Copy link
Contributor

@paulidale paulidale Jan 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is out of memory the only possible failure?

Copy link
Member Author

@bernd-edlinger bernd-edlinger Jan 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think, only on X509*_get_ext_d2i a syntax or OOM error can both be possible

paulidale
paulidale reviewed Jan 8, 2020
View reviewed changes
crypto/x509/v3_purp.c Outdated
PROXY_CERT_INFO_EXTENSION_free(pci);
x->ex_flags |= EXFLAG_PROXY;
}
else if (i != -1) {
Copy link
Contributor

@paulidale paulidale Jan 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Style nit: on previous line.

Copy link
Member Author

@bernd-edlinger bernd-edlinger Jan 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. Thanks!

@bernd-edlinger bernd-edlinger mentioned this pull request Mar 20, 2020
Closed
2 tasks
t8m
t8m approved these changes Mar 20, 2020
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@t8m t8m added the approval: done This pull request has the required number of approvals label Mar 20, 2020
@bernd-edlinger
Copy link
Member Author

bernd-edlinger commented Mar 20, 2020

Mind, lookin at #10756 as well?

@openssl-machine
Copy link
Collaborator

openssl-machine commented Mar 21, 2020

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

openssl-machine pushed a commit that referenced this pull request Mar 21, 2020
@bernd-edlinger
Fix error handling in x509v3_cache_extensions and related functions
7e06a67 
Basically we use EXFLAG_INVALID for all kinds of out of memory and
all kinds of parse errors in x509v3_cache_extensions.

[extended tests]

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from #10755)
@bernd-edlinger
Copy link
Member Author

bernd-edlinger commented Mar 21, 2020

Merged to master 7e06a67
Thanks!

@sthagen sthagen mentioned this pull request Mar 23, 2020
Merged
2 tasks
@FdaSilvaYY FdaSilvaYY mentioned this pull request Apr 10, 2020
Closed
2 tasks
@Tomasmule2015 Tomasmule2015 mentioned this pull request Jul 14, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paulidale paulidale paulidale left review comments

@t8m t8m t8m approved these changes

+1 more reviewer

@FdaSilvaYY FdaSilvaYY FdaSilvaYY requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approval: done This pull request has the required number of approvals branch: master Applies to master branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@bernd-edlinger @openssl-machine @t8m @FdaSilvaYY @paulidale