| e5bba24 | Matt Caswell | 07 December 2017, 13:19:36 UTC | Prepare for 1.0.2n release Reviewed-by: Andy Polyakov <appro@openssl.org> | 07 December 2017, 13:19:36 UTC |
| f3b6b41 | Matt Caswell | 06 December 2017, 13:54:37 UTC | Update CHANGES and NEWS for the new release Reviewed-by: Rich Salz <rsalz@openssl.org> | 07 December 2017, 11:31:48 UTC |
| df7797f | Matt Caswell | 07 December 2017, 11:17:22 UTC | Fix linking of fatalerrtest in VisualStudio Reviewed-by: Andy Polyakov <appro@openssl.org> | 07 December 2017, 11:29:36 UTC |
| c7383fb | Matt Caswell | 29 November 2017, 13:56:15 UTC | Add a test for CVE-2017-3737 Test reading/writing to an SSL object after a fatal error has been detected. Reviewed-by: Rich Salz <rsalz@openssl.org> | 06 December 2017, 15:40:23 UTC |
| 898fb88 | Matt Caswell | 29 November 2017, 14:04:01 UTC | Don't allow read/write after fatal error OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an attacker would have to trick an application into behaving incorrectly by issuing an SSL_read()/SSL_write() after having already received a fatal error. Thanks to David Benjamin (Google) for reporting this issue and suggesting this fix. CVE-2017-3737 Reviewed-by: Rich Salz <rsalz@openssl.org> | 06 December 2017, 15:40:23 UTC |
| ca51baf | Andy Polyakov | 24 November 2017, 10:35:50 UTC | bn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2. Credit to OSS-Fuzz for finding this. CVE-2017-3738 Reviewed-by: Rich Salz <rsalz@openssl.org> | 06 December 2017, 15:36:54 UTC |
| 7ed680c | MerQGh | 04 December 2017, 06:20:51 UTC | Update eng_fat.c This line will allow use private keys, which created by Crypto Pro, to sign with OpenSSL. CLA: trivial Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4836) (cherry picked from commit b35bb37a3d6ecf11b43ef8717600ab61718c3cc2) | 04 December 2017, 16:44:38 UTC |
| 2821412 | FdaSilvaYY | 28 November 2017, 22:16:02 UTC | Fix docs for EVP_EncryptUpdate and EVP_DecryptUpdate Fixes #4775 Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4815) (cherry picked from commit a61c15eb9b8d0ef513d695c854516958e2ccf1eb) | 30 November 2017, 18:09:17 UTC |
| c29f83c | FdaSilvaYY | 06 November 2017, 11:56:58 UTC | Fix possible leaks on sk_X509_EXTENSION_push() failure ... Backport of #4677 / 1687aa760cdd164b12c5b70e65cadcbce1e7ccfa Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4715) | 16 November 2017, 15:00:38 UTC |
| 046c5f7 | Richard Levitte | 14 November 2017, 04:03:19 UTC | Don't use SSLv3_client_method internally with no-ssl3 Fixes #4734 #4649 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4735) | 14 November 2017, 04:20:47 UTC |
| b2921cf | Andy Polyakov | 11 November 2017, 15:27:48 UTC | Configure: add back /WX to VC-WIN32. We had /WX (treat warnings as errors) in VC-WIN32 for long time. At some point it was somehow omitted. It's argued that it allows to keep better focus on new code, which motivates the comeback... Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4718) | 13 November 2017, 10:17:28 UTC |
| 1bc5c3c | Andy Polyakov | 11 November 2017, 15:35:46 UTC | Resolve warnings in VC-WIN32 build, which allows to add /WX. It's argued that /WX allows to keep better focus on new code, which motivates its comeback... Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4718) | 13 November 2017, 10:16:52 UTC |
| 45a58b1 | Long Qin | 07 November 2017, 06:59:20 UTC | lhash.c: Replace Unicode EN DASH with the ASCII char '-'. * addressing", Proc. 6th Conference on Very Large Databases: 212–223 ^ The EN DASH ('–') in this line is one UTF-8 character (hex: e2 80 93). Under some code page setting (e.g. 936), Visual Studio may report C4819 warning: The file contains a character that cannot be represented in the current code page. Replace this character with the ASCII char '-' (Hex Code: 2D). Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4691) (cherry picked from commit b4d0fa49d9d1a43792e58b0c8066bb23b9e53ef4) | 11 November 2017, 11:45:01 UTC |
| 179af54 | Richard Levitte | 10 November 2017, 12:26:10 UTC | ssltest.c: cb_ticket2 appears to not return a value when it "should" cb_ticket2() does an exit, and should therefore not need to return anything. Some compilers don't detect that, or don't care, and warn about a non-void function without a return statement. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4713) | 11 November 2017, 10:07:05 UTC |
| 7718de6 | Richard Levitte | 10 November 2017, 12:25:00 UTC | VMS: make an alias for a long symbol (> 31 chars) Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4714) | 10 November 2017, 12:25:00 UTC |
| 0d5d76c | Andy Polyakov | 07 November 2017, 20:38:30 UTC | util/copy.pl: work around glob quirk in some of earlier 5.1x Perl versions. In earlier 5.1x Perl versions quoting globs works only if there is white space. If there is none, it's looking for names starting with ". Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4696) | 08 November 2017, 21:01:19 UTC |
| d1d6c69 | Andy Polyakov | 05 November 2017, 16:08:16 UTC | {aes-armv4|bsaes-armv7|sha256-armv4}.pl: make it work with binutils-2.29 It's not clear if it's a feature or bug, but binutils-2.29[.1] interprets 'adr' instruction with Thumb2 code reference differently, in a way that affects calculation of addresses of constants' tables. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/4673) | 07 November 2017, 19:34:30 UTC |
| 565a53f | Bernd Edlinger | 06 November 2017, 10:27:41 UTC | Fix error handling in heartbeat processing Fixes: #4590 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4681) | 07 November 2017, 14:09:16 UTC |
| d88c136 | Matt Caswell | 06 November 2017, 11:18:35 UTC | Don't error with -1 for BIGNUM exp operations The man pages say that BIGNUM arithmetic operations fail with a 0 return. However some functions were returning -1 on error. In master and 1.1.0 they already return 0, so this brings 1.0.2 in line. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4682) | 07 November 2017, 11:04:43 UTC |
| 3249209 | Rich Salz | 06 March 2017, 14:54:17 UTC | Fix an endless loop in rsa_builtin_keygen. Cherry-picked by Matt Caswell from 69795831. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4670) | 07 November 2017, 11:02:26 UTC |
| 950d49d | Pavel Kopyl | 27 October 2017, 13:13:11 UTC | Add error handling in dsa_main and ASN1_i2d_bio. CLA: trivial Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4600) (cherry picked from commit a6f622bc99ffdc7b34199babb9d200b24a7a6431) | 03 November 2017, 15:19:00 UTC |
| 200de40 | Pavel Kopyl | 27 October 2017, 13:18:06 UTC | Check return value of OBJ_nid2obj in dsa_pub_encode. CLA: trivial Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4600) (cherry picked from commit 7760384b403a61824c43cc767a11cd22abfa9e49) | 03 November 2017, 15:03:05 UTC |
| 98fe34c | Kurt Roeckx | 02 November 2017, 17:53:16 UTC | Fix no-ssl3-method build Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #4649 | 03 November 2017, 14:19:05 UTC |
| 95aec44 | Matt Caswell | 02 November 2017, 14:34:50 UTC | Prepare for 1.0.2n-dev Reviewed-by: Andy Polyakov <appro@openssl.org> | 02 November 2017, 14:34:50 UTC |
| 8b1549a | Matt Caswell | 02 November 2017, 14:33:44 UTC | Prepare for 1.0.2m release Reviewed-by: Andy Polyakov <appro@openssl.org> | 02 November 2017, 14:33:44 UTC |
| c7a906b | Matt Caswell | 02 November 2017, 14:33:44 UTC | make update Reviewed-by: Andy Polyakov <appro@openssl.org> | 02 November 2017, 14:33:44 UTC |
| 64c46a9 | Matt Caswell | 02 November 2017, 11:23:17 UTC | Update CHANGES and NEWS for new release Reviewed-by: Andy Polyakov <appro@openssl.org> | 02 November 2017, 12:03:59 UTC |
| 38d6001 | Andy Polyakov | 17 August 2017, 19:08:57 UTC | bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal. Credit to OSS-Fuzz for finding this. CVE-2017-3736 Reviewed-by: Rich Salz <rsalz@openssl.org> | 02 November 2017, 11:06:40 UTC |
| 23f7e97 | Pauli | 31 October 2017, 23:47:13 UTC | Address a timing side channel whereby it is possible to determine some information about the length of the scalar used in ECDSA operations from a large number (2^32) of signatures. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Refer to #4576 for further details. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4623) | 01 November 2017, 16:43:06 UTC |
| b96beba | Pauli | 31 October 2017, 20:58:13 UTC | Address a timing side channel whereby it is possible to determine some information about the length of a value used in DSA operations from a large number of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4642) | 01 November 2017, 16:41:59 UTC |
| a92ca56 | David Benjamin | 23 October 2017, 23:13:05 UTC | Fix weak digest in TLS 1.2 with SNI. 1ce95f19601bbc6bfd24092c76c8f8105124e857 was incomplete and did not handle the case when SSL_set_SSL_CTX was called from the cert_cb callback rather than the SNI callback. The consequence is any server using OpenSSL 1.0.2 and the cert_cb callback for SNI only ever signs a weak digest, SHA-1, even when connecting to clients which use secure ones. Fix this and add regression tests for both this and the original issue. Fixes #4554. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4577) | 01 November 2017, 12:35:19 UTC |
| 2175343 | Richard Levitte | 26 October 2017, 18:49:47 UTC | Use malloc/memset not calloc for WinCE portability Fixes: #2539 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4594) | 26 October 2017, 20:34:32 UTC |
| 44cbf6a | Matt Caswell | 20 October 2017, 16:11:03 UTC | Don't use strcasecmp and strncasecmp for IA5 strings The functions strcasecmp() and strncasecmp() will use locale specific rules when performing comparison. This could cause some problems in certain locales. For example in the Turkish locale an 'I' character is not the uppercase version of 'i'. However IA5 strings should not use locale specific rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the Turkish locale. This fixes a bug in name constraints checking reported by Thomas Pornin (NCCGroup). This is not considered a security issue because it would require both a Turkish locale (or other locale with similar issues) and malfeasance by a trusted name-constrained CA for a certificate to pass name constraints in error. The constraints also have to be for excluded sub-trees which are extremely rare. Failure to match permitted subtrees is a bug, not a vulnerability. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4570) | 26 October 2017, 13:57:01 UTC |
| 1aa0fcf | Matt Caswell | 18 October 2017, 13:07:57 UTC | Don't make any changes to the lhash structure if we are going to fail The lhash expand() function can fail if realloc fails. The previous implementation made changes to the structure and then attempted to do a realloc. If the realloc failed then it attempted to undo the changes it had just made. Unfortunately changes to lh->p were not undone correctly, ultimately causing subsequent expand() calls to increment num_nodes to a value higher than num_alloc_nodes, which can cause out-of-bounds reads/ writes. This is not considered a security issue because an attacker cannot cause realloc to fail. This commit moves the realloc call to near the beginning of the function before any other changes are made to the lhash structure. That way if a failure occurs we can immediately fail without having to undo anything. Thanks to Pavel Kopyl (Samsung) for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4551) | 25 October 2017, 10:12:05 UTC |
| 65d4144 | Richard Levitte | 24 October 2017, 11:42:41 UTC | asn1_item_embed_new(): don't free an embedded item The previous change with this intention didn't quite do it. An embedded item must not be freed itself, but might potentially contain non-embedded elements, which must be freed. So instead of calling ASN1_item_ex_free(), where we can't pass the combine flag, we call asn1_item_embed_free() directly. This changes asn1_item_embed_free() from being a static function to being a private non-static function. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4578) | 24 October 2017, 11:42:41 UTC |
| deee898 | Xiangyu Bu | 18 October 2017, 00:10:53 UTC | Fix memory leak in GENERAL_NAME_set0_othername. CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4544) (cherry picked from commit 04761b557a53f026630dd5916b2b8522d94579db) | 24 October 2017, 08:40:45 UTC |
| cdc3307 | Richard Levitte | 23 October 2017, 14:48:17 UTC | asn1_item_embed_new(): don't free an embedded item An embedded item wasn't allocated separately on the heap, so don't free it as if it was. Issue discovered by Pavel Kopyl Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4571) | 23 October 2017, 15:44:30 UTC |
| 8c61017 | Rich Salz | 19 October 2017, 12:22:12 UTC | Additional name for all commands Add openssl-foo as a name for the openssl "foo" command. Recommended by a usability study conducted by Martin Ukrop at CRoCS, FI MU Fixes: #4548 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4557) | 19 October 2017, 12:26:19 UTC |
| f6f9a73 | Rich Salz | 04 October 2017, 19:00:23 UTC | Don't use colortable; avoid Win32 overwrite Thanks to Jo Hornsby for reporting this and helping with the fix. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4464) | 13 October 2017, 12:39:47 UTC |
| 86ccadf | Matt Caswell | 27 September 2017, 10:13:47 UTC | Ensure we test all parameters for BN_FLG_CONSTTIME RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls BN_mod_exp() as follows: BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx) ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In BN_mod_exp() we only test the third param for the existence of this flag. We should test all the inputs. Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this issue. This typically only happens once at key load, so this is unlikely to be exploitable in any real scenario. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4477) (cherry picked from commit e913d11f444e0b46ec1ebbf3340813693f4d869d) | 11 October 2017, 15:03:56 UTC |
| 720aa0f | Dr. Stephen Henson | 02 October 2017, 22:15:32 UTC | Fix backport by moving file. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4453) | 03 October 2017, 13:23:26 UTC |
| a48d7b1 | Paul Yang | 21 August 2017, 15:47:17 UTC | Document missing EVP_PKEY_method_* items Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 43f985fdbf4e5c2d5c95a717cc644f000de8bc75) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4453) | 03 October 2017, 13:23:26 UTC |
| 1f58c16 | Dr. Stephen Henson | 02 October 2017, 20:08:17 UTC | update ordinals Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4453) | 03 October 2017, 13:23:26 UTC |
| 4a0dcd8 | Dr. Stephen Henson | 20 July 2015, 21:05:10 UTC | EVP_PKEY_METHOD accessor functions. Functions to retrieve the function pointer of an existing method: this can be used to create a method which intercepts or modifies the behaviour of an existing method while retaining most of the existing behaviour. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit e7451ed137450e4bc6c4bec33bc9054bce443feb) Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4453) | 03 October 2017, 13:23:26 UTC |
| e4c2e4c | Bernd Edlinger | 02 October 2017, 15:24:17 UTC | Fix the return type of felem_is_zero_int which should be int. Change argument type of xxxelem_is_zero_int to const void* to avoid the need of type casts. Fixes #4413 Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4450) (cherry picked from commit c55b786a8911cef41f890735ba5fde79e116e055) | 02 October 2017, 15:27:47 UTC |
| f9cbf47 | Samuel Weiser | 29 September 2017, 11:29:25 UTC | Added const-time flag to DSA key decoding to avoid potential leak of privkey Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4440) (cherry picked from commit 6364475a990449ef33fc270ac00472f7210220f2) | 29 September 2017, 17:52:18 UTC |
| d9a38e8 | Hubert Kario | 29 September 2017, 13:40:43 UTC | doc: note that the BN_new() initialises the BIGNUM BN_new() and BN_secure_new() not only allocate memory, but also initialise it to deterministic value - 0. Document that behaviour to make it explicit backport from #4438 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4443) | 29 September 2017, 16:53:14 UTC |
| 20d2aaf | Hubert Kario | 29 September 2017, 11:27:32 UTC | doc: BN_free() is NULL-safe document that parameter to BN_free can be NULL backport from master Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4439) | 29 September 2017, 11:27:32 UTC |
| 8372efb | Samuel Weiser | 16 September 2017, 14:52:44 UTC | BN_copy now propagates BN_FLG_CONSTTIME Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4377) (cherry picked from commit 9f9442918aeaed5dc2442d81ab8d29fe3e1fb906) | 27 September 2017, 09:12:19 UTC |
| a703f44 | Samuel Weiser | 15 September 2017, 20:12:53 UTC | Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4377) (cherry picked from commit 3de81a5912041a70884cf4e52e7213f3b5dfa747) | 27 September 2017, 09:12:19 UTC |
| ed0245e | Richard Levitte | 26 September 2017, 08:45:05 UTC | Make sure that a cert with extensions gets version number 2 (v3) Fixes #4419 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4421) | 26 September 2017, 09:04:01 UTC |
| 859a425 | David Benjamin | 18 September 2017, 19:58:41 UTC | Fix overflow in c2i_ASN1_BIT_STRING. c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check bounds before doing so. Previously, excessively large inputs to the function could write a single byte outside the target buffer. (This is unreachable as asn1_ex_c2i already uses int for the length.) Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4385) (cherry picked from commit 6b1c8204b33aaedb7df7a009c241412839aaf950) | 19 September 2017, 19:33:57 UTC |
| 772fc32 | multics | 10 September 2017, 13:02:07 UTC | Update rsautl.pod for typo Fixes the typo CLA: trivial Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4354) (cherry picked from commit f70c22eb23763c6dce050293cc1b9a0a234d72b2) | 11 September 2017, 13:34:28 UTC |
| 4d2df46 | Rich Salz | 07 September 2017, 20:17:06 UTC | Fix error handling/cleanup Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4326) (cherry picked from commit 180794c54e98ae467c4ebced3737e1ede03e320a) | 07 September 2017, 20:18:04 UTC |
| 31c8b26 | Rich Salz | 22 August 2017, 15:44:41 UTC | Avoid out-of-bounds read Fixes CVE 2017-3735 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/4276) (cherry picked from commit b23171744b01e473ebbfd6edad70c1c3825ffbcd) | 28 August 2017, 17:34:08 UTC |
| 917552f | Matt Caswell | 25 August 2017, 13:39:07 UTC | Remove an out of date reference to RT Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4260) | 25 August 2017, 13:53:15 UTC |
| 9ebcb3a | Rich Salz | 23 August 2017, 21:51:56 UTC | Fix cherry-pick; move file. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4238) | 24 August 2017, 13:10:43 UTC |
| e74be32 | Dr. Stephen Henson | 23 August 2017, 23:00:31 UTC | Correct GCM docs. Fix GCM documentation: the tag does not have to be supplied before decrypting any data any more. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4231) | 23 August 2017, 23:00:31 UTC |
| c0f4a55 | Rich Salz | 23 August 2017, 16:06:41 UTC | Tweak wording to be more clear. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4234) (cherry picked from commit a130950df92abf7dd787b000403da02af8f41c2d) | 23 August 2017, 21:47:58 UTC |
| 173f0a0 | Pauli | 21 August 2017, 23:10:50 UTC | Use casts for arguments to ctype functions. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4212) | 22 August 2017, 05:16:28 UTC |
| 0ab2408 | Dr. Stephen Henson | 18 August 2017, 16:58:05 UTC | Set FIPS thread id callback. Fixes #4180 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4192) | 18 August 2017, 17:34:34 UTC |
| f36fedc | David von Oheimb | 17 August 2017, 19:45:06 UTC | Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL (backport) Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4183) | 18 August 2017, 09:01:05 UTC |
| 3281f1e | Andy Polyakov | 16 August 2017, 21:06:57 UTC | err/err.c: fix "wraparound" bug in ERR_set_error_data. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit d3d880ce01cfaf0091f46a2f6b5bd146d47a93e7) | 18 August 2017, 07:27:06 UTC |
| e3348cf | Bernd Edlinger | 12 August 2017, 08:02:09 UTC | Clear outputs in PKCS12_parse error handling. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4146) | 17 August 2017, 16:03:46 UTC |
| d46d2da | Richard Levitte | 06 July 2017, 08:11:17 UTC | Fix 'no-cms' Fixes #3867 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3873) | 15 August 2017, 10:54:47 UTC |
| 3735a90 | Xiaoyin Liu | 05 August 2017, 06:31:04 UTC | Add missing HTML tag in www_body in s_server.c In the generated HTML document, the `<pre>` tag is not closed. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4088) (cherry picked from commit 1a9f5cf0d58629ab8972f50e937d8ab78bf27b6f) | 09 August 2017, 16:02:57 UTC |
| 6df2a8c | Bernd Edlinger | 07 August 2017, 16:02:53 UTC | Avoid surpising password dialog in X509 file lookup. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4111) (cherry picked from commit db854bb14a7010712cfc02861731399b1b587474) | 07 August 2017, 17:58:19 UTC |
| bb77f84 | Rich Salz | 07 August 2017, 16:36:39 UTC | Add NOTTOOLONG macro for more clear code. Also fix one missing use of it. Thanks to GitHub user Vort for finding it and pointing out the fix. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4106) | 07 August 2017, 16:36:39 UTC |
| a33a335 | Bernd Edlinger | 04 August 2017, 06:11:24 UTC | Add a missing CRYPTO_w_unlock in get_cert_by_subject Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4084) | 04 August 2017, 06:11:24 UTC |
| 57ad215 | Bernd Edlinger | 31 July 2017, 18:38:26 UTC | Fix an information leak in the RSA padding check code. The memory blocks contain secret data and must be cleared before returning to the system heap. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4063) | 31 July 2017, 18:38:26 UTC |
| 5292833 | Bernd Edlinger | 29 July 2017, 10:19:29 UTC | Clean password buffer on stack for PEM_read_bio_PrivateKey and d2i_PKCS8PrivateKey_bio before it goes out of scope. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4047) (cherry picked from commit 02fd47c8b0930dff9b188fd13bfb9da5e59444a8) | 29 July 2017, 13:07:35 UTC |
| 0d72ba5 | Paul Yang | 28 July 2017, 05:31:27 UTC | Fix a reference nit in doc Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4036) (cherry picked from commit dbd007d7d2cae4891936aed55949b55b776b97ec) | 28 July 2017, 15:36:42 UTC |
| 63de36a | Paul Yang | 24 July 2017, 08:02:47 UTC | Backport X509_check_private_key.pod to address #3973, and original PR to master branch is #3614 test case in the original PR is not applied. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4002) | 27 July 2017, 03:16:26 UTC |
| d33b352 | David Benjamin | 26 July 2017, 16:30:27 UTC | Fix comment typo. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4023) (cherry picked from commit d67e755418b62fb451ec221c126c9935a06ea63b) | 27 July 2017, 03:14:57 UTC |
| 777cf0f | Andy Polyakov | 24 July 2017, 19:50:52 UTC | x86_64 assembly pack: "optimize" for Knights Landing. "Optimize" is in quotes because it's rather a "salvage operation" for now. Idea is to identify processor capability flags that drive Knights Landing to suboptimial code paths and mask them. Two flags were identified, XSAVE and ADCX/ADOX. Former affects choice of AES-NI code path specific for Silvermont (Knights Landing is of Silvermont "ancestry"). And 64-bit ADCX/ADOX instructions are effectively mishandled at decode time. In both cases we are looking at ~2x improvement. Hardware used for benchmarking courtesy of Atos, experiments run by Romain Dolbeau <romain.dolbeau@atos.net>. Kudos! This is minimalistic backpoint of 64d92d74985ebb3d0be58a9718f9e080a14a8e7f Thanks to David Benjamin for spotting typo in Knights Landing detection! Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4006) (cherry picked from commit 738a9dd53cacce593cd7d67e18e1273549640a79) | 25 July 2017, 19:34:33 UTC |
| f794476 | Simon Richter | 16 July 2017, 20:49:36 UTC | Fix installation on VC-WIN32 with nmake Commit b83265697 fixed whitespace handling in the copy script, which exposes bugs in the install routine for nmake Makefiles. This corrects the quoting around the copy invocation for the openssl.exe binary. CLA: trivial Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3942) | 25 July 2017, 14:35:57 UTC |
| 5bb8467 | Xiaoyin Liu | 24 July 2017, 15:28:50 UTC | schlock global variable needs to be volatile Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4000) (cherry picked from commit e0de4dd5a2b0c0dc27e6a6ab01fabe374d657d23) | 24 July 2017, 23:34:48 UTC |
| 34ee5a1 | Andy Polyakov | 10 July 2017, 13:19:45 UTC | evp/e_aes_cbc_hmac_sha256.c: give SHAEXT right priority. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/3898) (cherry picked from commit d0f6eb1d8c84165c383a677266cfae9c0b162781) | 24 July 2017, 21:31:28 UTC |
| 6b0c387 | Dr. Stephen Henson | 22 July 2017, 14:54:48 UTC | Fix RSA-PSS in FIPS mode by switching digest implementations. Fixes #2718 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3996) | 22 July 2017, 23:17:33 UTC |
| 56d9098 | Richard Levitte | 20 July 2017, 19:22:31 UTC | Fix apps/s_client.c's XMPP client When an error occurs during the starttls handskake, s_client gets stuck looping around zero bytes reads, because the server won't sent anything more after its error tag. Shutting down on the first zero byte read fixes this. Fixes #3980 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3981) | 20 July 2017, 21:26:42 UTC |
| e3d1a4e | Matt Caswell | 17 July 2017, 15:55:32 UTC | Remove some dead code The intention of the removed code was to check if the previous operation carried. However this does not work. The "mask" value always ends up being a constant and is all ones - thus it has no effect. This check is no longer required because of the previous commit. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3832) (cherry picked from commit d5475e319575a45b20f560bdfae56cbfb165cb01) | 19 July 2017, 12:33:34 UTC |
| ec642d5 | Matt Caswell | 28 June 2017, 14:18:30 UTC | Fix undefined behaviour in e_aes_cbc_hmac_sha256.c and e_aes_cbc_hmac_sha1.c In TLS mode of operation the padding value "pad" is obtained along with the maximum possible padding value "maxpad". If pad > maxpad then the data is invalid. However we must continue anyway because this is constant time code. We calculate the payload length like this: inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); However if pad is invalid then inp_len ends up -ve (actually large +ve because it is a size_t). Later we do this: /* verify HMAC */ out += inp_len; len -= inp_len; This ends up with "out" pointing before the buffer which is undefined behaviour. Next we calculate "p" like this: unsigned char *p = out + len - 1 - maxpad - SHA256_DIGEST_LENGTH; Because of the "out + len" term the -ve inp_len value is cancelled out so "p" points to valid memory (although technically the pointer arithmetic is undefined behaviour again). We only ever then dereference "p" and never "out" directly so there is never an invalid read based on the bad pointer - so there is no security issue. This commit fixes the undefined behaviour by ensuring we use maxpad in place of pad, if the supplied pad is invalid. With thanks to Brian Carpenter for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3832) (cherry picked from commit 335d0a4646981c9d96b62811bcfd69a96a1a67d9) | 19 July 2017, 12:33:33 UTC |
| 5c5fef4 | Emilia Kasper | 18 July 2017, 09:26:34 UTC | RSA_padding_check_PKCS1_type_2 is not constant time. This is an inherent weakness of the padding mode. We can't make the implementation constant time (see the comments in rsa_pk1.c), so add a warning to the docs. Reviewed-by: Rich Salz <rsalz@openssl.org> | 18 July 2017, 09:27:27 UTC |
| c63a5ea | Bernd Edlinger | 14 July 2017, 15:05:37 UTC | Backport of 5b8fa43 and remove resolved TODO: see PR#3924. Make RSA key exchange code actually constant-time. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3935) | 16 July 2017, 15:21:03 UTC |
| b832656 | simon-p-r | 10 July 2017, 22:19:33 UTC | fix copy and copy-if-different whitespace problem From https://github.com/openssl/openssl/pull/1023 CLA: trivial Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3904) | 15 July 2017, 13:10:00 UTC |
| 5831419 | Richard Levitte | 05 July 2017, 09:08:45 UTC | Avoid possible memleak in X509_policy_check() When tree_calculate_user_set() fails, a jump to error failed to deallocate a possibly allocated |auth_nodes|. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3851) | 06 July 2017, 07:15:41 UTC |
| 95f966b | Bernd Edlinger | 01 July 2017, 07:37:44 UTC | Fix a memleak in X509_PKEY_new. Fixes #3349 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3819) | 05 July 2017, 14:48:45 UTC |
| 787ce7e | Richard Levitte | 05 July 2017, 12:55:51 UTC | Undo one UI fix Undoing: > - in UI_process(), |state| was never made NULL, which means an error > when closing the session wouldn't be accurately reported. This was a faulty cherry-pick from master Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3853) | 05 July 2017, 12:55:51 UTC |
| f22a078 | Richard Levitte | 05 July 2017, 08:26:25 UTC | Fix small UI issues - in EVP_read_pw_string_min(), the return value from UI_add_* wasn't properly checked - in UI_process(), |state| was never made NULL, which means an error when closing the session wouldn't be accurately reported. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/3849) (cherry picked from commit b96dba9e5ec7afc355be1eab915f69c8c0d51741) | 05 July 2017, 09:17:16 UTC |
| 1408482 | Rich Salz | 04 July 2017, 22:10:40 UTC | Add echo for each build phase Port of GH#3842 to 1.0.2 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/3845) | 04 July 2017, 22:18:21 UTC |
| 953a166 | Bernd Edlinger | 02 July 2017, 10:32:47 UTC | Fix a memleak in ec_GFp_mont_group_set_curve. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3828) | 02 July 2017, 10:32:47 UTC |
| 0cfb422 | Bernd Edlinger | 01 July 2017, 20:18:10 UTC | Fix a memory leak in ecdh/ecdsa_check. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3825) | 02 July 2017, 05:56:27 UTC |
| 282c132 | Richard Levitte | 25 June 2017, 20:10:42 UTC | tsget: remove call of WWW::Curl::Easy::global_cleanup This function is undocumented, but similarly named functions (such as 'curl_global_cleanup') are documented as internals that should not be called by scripts. Fixes #3765 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3769) | 25 June 2017, 20:17:12 UTC |
| 72d2ba9 | Benjamin Kaduk | 20 June 2017, 19:41:54 UTC | Remove inadvertently commited test binaries Commit 201015ee4f38e5d216a7625282c6b8a395b680b7 added some generated files that were not part of the intended functionality; remove them. (Only the 1.0.2 branch version of the commit was affected, probably due to a smaller .gitignore on that branch.) Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3729) | 21 June 2017, 16:50:56 UTC |
| b70f619 | Matt Caswell | 21 June 2017, 12:55:02 UTC | Add documentation for the SSL_export_keying_material() function Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3738) | 21 June 2017, 15:21:03 UTC |
| 4533644 | Bernd Edlinger | 14 June 2017, 19:54:15 UTC | Remove a pointless "#if 0" block from BN_mul. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3683) (cherry picked from commit 93a8b3ba793c769a3634e56642dac55a8d44023f) | 17 June 2017, 12:20:17 UTC |
| f3ce10b | Bernd Edlinger | 13 June 2017, 19:22:45 UTC | Fix a possible crash in dsa_builtin_paramgen2. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3675) (cherry picked from commit fb0a64126b8c11a6961dfa1323c3602b591af7df) | 14 June 2017, 13:51:10 UTC |
| ccefe0e | Bernd Edlinger | 13 June 2017, 20:34:30 UTC | Fix possible crash in X931 code. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3675) (cherry picked from commit 5419dadd4bd1f7abbfa23326ca766d2c143f257c) | 14 June 2017, 13:45:50 UTC |
| 7ff7f5e | Bernd Edlinger | 14 June 2017, 08:16:15 UTC | Remove the fallback from ERR_get_state because the return value is now checked at the callers. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3678) | 14 June 2017, 10:53:11 UTC |
| 8dc2e33 | Bernd Edlinger | 13 June 2017, 17:00:35 UTC | Fix a possible crash in the error handling. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3672) (cherry picked from commit 4fc426b78964b3d234cb7b1b6112c9b80e16a13a) | 14 June 2017, 01:58:29 UTC |
