From f7ce93d97949fe0897bf8f1b2e95da73c620ff8a Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 6 Oct 2015 08:58:03 -0400 Subject: [PATCH 1/2] Fix 17251: avoid integer overflow in test_crypto_slow --- changes/bug17251 | 3 +++ src/test/test_crypto_slow.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 changes/bug17251 diff --git a/changes/bug17251 b/changes/bug17251 new file mode 100644 index 0000000000..edd7739d2f --- /dev/null +++ b/changes/bug17251 @@ -0,0 +1,3 @@ + o Minor bugfixes (compilation): + - Fix an integer overflow warning in test_crypto_slow.c. + Fixes bug 17251; bugfix on 0.2.7.2-alpha. diff --git a/src/test/test_crypto_slow.c b/src/test/test_crypto_slow.c index d0f50f83b9..853a08d886 100644 --- a/src/test/test_crypto_slow.c +++ b/src/test/test_crypto_slow.c @@ -217,7 +217,7 @@ test_libscrypt_eq_openssl(void *arg) memset(buf2,0,64); N = 1048576; - maxmem = 2 * 1024 * 1024 * 1024; // 2 GB + maxmem = 2 * 1024 * 1024 * (uint64_t)1024; // 2 GB libscrypt_retval = libscrypt_scrypt((const uint8_t *)"pleaseletmein", From 1eb838b30361b0dcc1e2b82815be25391d5a15f1 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 6 Oct 2015 09:04:37 -0400 Subject: [PATCH 2/2] Work around openssl declaring x509_get_not{Before,After} as functions Now that x509_get_not{Before,After} are functions in OpenSSL 1.1 (not yet releasesd), we need to define a variant that takes a const pointer to X509 and returns a const pointer to ASN1_time. Part of 17237. I'm not convinced this is an openssl bug or a tor bug. It might be just one of those things. --- changes/bug17237_027 | 4 ++++ src/common/tortls.c | 13 +++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) create mode 100644 changes/bug17237_027 diff --git a/changes/bug17237_027 b/changes/bug17237_027 new file mode 100644 index 0000000000..8448bb052f --- /dev/null +++ b/changes/bug17237_027 @@ -0,0 +1,4 @@ + o Minor features (compilation): + - Repair compilation with the most recent (unreleased, alpha) + vesions of OpenSSL 1.1. Fixes the 0.2.7-related part of + ticket 17237. diff --git a/src/common/tortls.c b/src/common/tortls.c index 20c898456a..97d0ce2d4c 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -75,6 +75,11 @@ #include "container.h" #include +#define X509_get_notBefore_const(cert) \ + ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert)) +#define X509_get_notAfter_const(cert) \ + ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert)) + /* Enable the "v2" TLS handshake. */ #define V2_HANDSHAKE_SERVER @@ -2203,7 +2208,7 @@ log_cert_lifetime(int severity, const X509 *cert, const char *problem) if (!(bio = BIO_new(BIO_s_mem()))) { log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end; } - if (!(ASN1_TIME_print(bio, X509_get_notBefore(cert)))) { + if (!(ASN1_TIME_print(bio, X509_get_notBefore_const(cert)))) { tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime"); goto end; } @@ -2211,7 +2216,7 @@ log_cert_lifetime(int severity, const X509 *cert, const char *problem) s1 = tor_strndup(buf->data, buf->length); (void)BIO_reset(bio); - if (!(ASN1_TIME_print(bio, X509_get_notAfter(cert)))) { + if (!(ASN1_TIME_print(bio, X509_get_notAfter_const(cert)))) { tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime"); goto end; } @@ -2374,12 +2379,12 @@ check_cert_lifetime_internal(int severity, const X509 *cert, now = time(NULL); t = now + future_tolerance; - if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) { + if (X509_cmp_time(X509_get_notBefore_const(cert), &t) > 0) { log_cert_lifetime(severity, cert, "not yet valid"); return -1; } t = now - past_tolerance; - if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) { + if (X509_cmp_time(X509_get_notAfter_const(cert), &t) < 0) { log_cert_lifetime(severity, cert, "already expired"); return -1; }