| e71ebf2 | Matt Caswell | 14 August 2018, 13:01:02 UTC | Prepare for 1.0.2p release Reviewed-by: Richard Levitte <levitte@openssl.org> | 14 August 2018, 13:01:02 UTC |
| b9dd4b9 | Matt Caswell | 14 August 2018, 13:01:02 UTC | make update Reviewed-by: Richard Levitte <levitte@openssl.org> | 14 August 2018, 13:01:02 UTC |
| 2d2fe42 | Richard Levitte | 14 August 2018, 12:52:49 UTC | i2d_ASN1_BOOLEAN(): correct error module Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6957) | 14 August 2018, 12:57:51 UTC |
| c24e2f1 | Matt Caswell | 14 August 2018, 12:29:02 UTC | Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6955) | 14 August 2018, 12:40:34 UTC |
| 0698c33 | Matt Caswell | 14 August 2018, 09:39:19 UTC | Updates to CHANGES and NEWS for the new release Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6951) | 14 August 2018, 09:57:38 UTC |
| 7d4c97a | Richard Levitte | 13 August 2018, 18:37:43 UTC | i2d_ASN1_BOOLEAN(): allocate memory if the user didn't provide a buffer Just as was done recently for i2d_ASN1_OBJECT, we also make i2d_ASN1_BOOLEAN comply with the documentation. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6943) | 14 August 2018, 09:50:12 UTC |
| 0971432 | Richard Levitte | 11 August 2018, 07:59:20 UTC | i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer Since 0.9.7, all i2d_ functions were documented to allocate an output buffer if the user didn't provide one, under these conditions (from the 1.0.2 documentation): For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be allocated for a buffer and the encoded data written to it. In this case B<*out> is not incremented and it points to the start of the data just written. i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL output buffer was provided. Fixes #6914 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6918) (cherry picked from commit 6114041540d8d1fecaf23a861788c3c742d3b467) | 11 August 2018, 10:38:46 UTC |
| ec3f996 | Andy Polyakov | 04 February 2018, 14:24:54 UTC | rsa/*: switch to BN_bn2binpad. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205) Resolved conflicts: crypto/rsa/rsa_ossl.c crypto/rsa/rsa_pk1.c | 10 August 2018, 19:08:21 UTC |
| df6b67b | Andy Polyakov | 16 July 2018, 16:17:44 UTC | bn/bn_lib.c address Coverity nit in bn2binpad. It was false positive, but one can as well view it as readability issue. Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions with signed dividend vs. 1 (one) with unsigned. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 83e034379fa3f6f0d308ec75fbcb137e26154aec) | 10 August 2018, 19:08:15 UTC |
| 6412738 | Andy Polyakov | 04 February 2018, 14:20:29 UTC | bn/bn_lib.c: add computationally constant-time bn_bn2binpad. "Computationally constant-time" means that it might still leak information about input's length, but only in cases when input is missing complete BN_ULONG limbs. But even then leak is possible only if attacker can observe memory access pattern with limb granularity. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a) Resolved conflicts: crypto/bn/bn_lib.c | 10 August 2018, 19:07:14 UTC |
| f72a7ce | Richard Levitte | 07 August 2018, 04:21:43 UTC | Make EVP_PKEY_asn1_new() stricter with its input Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6881) | 07 August 2018, 05:58:27 UTC |
| 29d8bda | Andy Polyakov | 30 July 2018, 10:39:08 UTC | CHANGES: mention blinding reverting in ECDSA. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6810) | 01 August 2018, 14:33:51 UTC |
| 983e1ad | Andy Polyakov | 30 July 2018, 10:37:17 UTC | ecdsa/ecs_ossl.c: switch to fixed-length Montgomery multiplication. (back-ported from commit 37132c9702328940a99b1307f742ab094ef754a7) Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6810) | 01 August 2018, 14:33:51 UTC |
| e3ab8cc | Billy Brumley | 20 January 2016, 11:18:21 UTC | Fix BN_gcd errors for some curves Those even order that do not play nicely with Montgomery arithmetic (back-ported from commit 3a6a4a93518fbb3d96632bfdcb538d340f29c56b) Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6810) | 01 August 2018, 14:33:06 UTC |
| 6a81596 | Andy Polyakov | 25 July 2018, 08:29:51 UTC | bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation. New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 70a579ae2f37437a1e02331eeaa84e1b68ba021e) | 01 August 2018, 14:15:25 UTC |
| 83325a6 | Andy Polyakov | 06 July 2018, 13:55:34 UTC | ecdsa/ecs_ossl.c: revert blinding in ECDSA signature. Originally suggested solution for "Return Of the Hidden Number Problem" is arguably too expensive. While it has marginal impact on slower curves, none to ~6%, optimized implementations suffer real penalties. Most notably sign with P-256 went more than 2 times[!] slower. Instead, just implement constant-time BN_mod_add_quick. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f) Resolved onflicts: crypto/ec/ecdsa_ossl.c crypto/include/internal/bn_int.h | 01 August 2018, 14:15:17 UTC |
| c9046a0 | Andy Polyakov | 06 July 2018, 13:13:15 UTC | bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors. Note that exported functions maintain original behaviour, so that external callers won't observe difference. While internally we can now perform Montogomery multiplication on fixed-length vectors, fixed at modulus size. The new functions, bn_to_mont_fixed_top and bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use them even outside bn, e.g. in RSA, DSA, ECDSA... Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 71883868ea5b33416ae8283bcc38dd2d97e5006b) Resolved conflicts: crypto/bn/bn_exp.c crypto/bn/bn_lcl.h crypto/bn/bn_mont.c crypto/include/internal/bn_int.h | 01 August 2018, 14:15:01 UTC |
| 327b2c0 | Andy Polyakov | 06 July 2018, 13:02:29 UTC | bn/bn_lib.c: add BN_FLG_FIXED_TOP flag. The new flag marks vectors that were not treated with bn_correct_top, in other words such vectors are permitted to be zero padded. For now it's BN_DEBUG-only flag, as initial use case for zero-padded vectors would be controlled Montgomery multiplication/exponentiation, not general purpose. For general purpose use another type might be more appropriate. Advantage of this suggestion is that it's possible to back-port it... bn/bn_div.c: fix memory sanitizer problem. bn/bn_sqr.c: harmonize with BN_mul. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb) Resolved conflicts: crypto/bn/bn_lcl.h crypto/bn/bn_lib.c | 01 August 2018, 14:14:51 UTC |
| c1c0e4f | Andy Polyakov | 06 July 2018, 12:54:34 UTC | bn/bn_mont.c: improve readability of post-condition code. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 6c90182a5f87af1a1e462536e7123ad2afb84c43) | 01 August 2018, 14:14:41 UTC |
| 7cca1f9 | Andy Polyakov | 06 July 2018, 11:16:40 UTC | bn/bn_lib.c: remove bn_check_top from bn_expand2. Trouble is that addition is postponing expansion till carry is calculated, and if addition carries, top word can be zero, which triggers assertion in bn_check_top. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit e42395e637c3507b80b25c7ed63236898822d2f1) Resolved conflicts: crypto/bn/bn_lib.c | 01 August 2018, 14:14:16 UTC |
| d69f31f | Kurt Roeckx | 26 July 2018, 09:10:24 UTC | Fix inconsistent use of bit vs bits Reviewed-by: Tim Hudson <tjh@openssl.org> GH: #6794 (cherry picked from commit b9e54e98066c1ff8adab5d68b6c114b14d2f74e5) | 26 July 2018, 09:29:52 UTC |
| be4e1f7 | Kurt Roeckx | 25 July 2018, 16:55:16 UTC | Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime The old numbers where all generated for an 80 bit security level. But the number should depend on security level you want to reach. For bigger primes we want a higher security level and so need to do more tests. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> GH: #6075 Fixes: #6012 (cherry picked from commit feac7a1c8be49fbcb76fcb721ec9f02fdd91030e) | 26 July 2018, 04:44:47 UTC |
| 7a23bff | Kurt Roeckx | 25 April 2018, 19:47:20 UTC | Change the number of Miller-Rabin test for DSA generation to 64 This changes the security level from 100 to 128 bit. We only have 1 define, this sets it to the highest level supported for DSA, and needed for keys larger than 3072 bit. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> GH: #6075 (cherry picked from commit 74ee379651fb2bb12c6f7eb9fa10e70be89ac7c8) | 26 July 2018, 04:40:50 UTC |
| 9df990c | Rich Salz | 25 July 2018, 19:57:18 UTC | Check for failures, to avoid memory leak Thanks to Jiecheng Wu, Zuxing Gu for the report. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6791) (cherry picked from commit 037241bf046be8cfc7e9216959393dd20b06fc21) (Only the EC part) | 25 July 2018, 20:11:43 UTC |
| a8a9745 | Andy Polyakov | 22 July 2018, 14:28:20 UTC | ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine. ecp_nistz256_set_from_affine is called when application attempts to use custom generator, i.e. rarely. Even though it was wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6761) | 23 July 2018, 19:47:39 UTC |
| 7ccc506 | Richard Levitte | 12 July 2018, 20:55:03 UTC | PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF As per RFC 7292. Fixes #6665 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6708) (cherry picked from commit b709babbca0498cd2b05f543b09f57f4a670298e) | 22 July 2018, 09:03:55 UTC |
| 3d5d123 | Alexandre Perrin | 13 July 2018, 08:32:42 UTC | Documentation typo fix in BN_bn2bin.pod Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype. CLA: trivial Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6712) | 13 July 2018, 12:55:47 UTC |
| 434af36 | Matt Caswell | 02 July 2018, 13:09:03 UTC | Don't create an invalid CertificateRequest We should validate that the various fields we put into the CertificateRequest are not too long. Otherwise we will construct an invalid message. Fixes #6609 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6629) | 03 July 2018, 10:24:48 UTC |
| 2c739f7 | Rich Salz | 28 June 2018, 22:13:54 UTC | Zero-fill IV by default. Fixes uninitialized memory read reported by Nick Mathewson Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6603) (cherry picked from commit 10c3c1c1ec41ce16e51b92bb18fab92d1a42b49c) | 28 June 2018, 23:47:12 UTC |
| da0bbdd | Bernd Edlinger | 25 June 2018, 07:53:46 UTC | Fix some more gcc-9 warnings [-Wstringop-truncation] Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6586) | 25 June 2018, 13:30:28 UTC |
| e78c4f5 | Bernd Edlinger | 23 June 2018, 20:17:19 UTC | Fix a new gcc-9 warning [-Wstringop-truncation] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6581) (cherry picked from commit dc6c374bdb4872f6d5d727e73a2ed834e972842c) | 24 June 2018, 16:05:49 UTC |
| 8a85346 | Nick Mathewson | 24 May 2018, 19:23:15 UTC | Improve the example getpass() implementation to show an error return Also, modernize the code, so that it isn't trying to store a size_t into an int, and then check the int's sign. :/ Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6271) (cherry picked from commit c8c250333cd254ab3f4d709ebc5ed86a7c065721) (cherry picked from commit 50d06d1c7d2682b0042e921a76beb509d7ea68e1) | 21 June 2018, 17:10:51 UTC |
| df70ef2 | Richard Levitte | 21 June 2018, 17:01:28 UTC | doc/crypto/pem.pod: modernise the example code Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6552) | 21 June 2018, 17:03:51 UTC |
| d04e651 | Nick Mathewson | 16 May 2018, 15:07:48 UTC | Update documentation for PEM callback: error is now -1. In previous versions of OpenSSL, the documentation for PEM_read_* said: The callback B<must> return the number of characters in the passphrase or 0 if an error occurred. But since c82c3462267afdbbaa5, 0 is now treated as a non-error return value. Applications that want to indicate an error need to return -1 instead. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6271) (cherry picked from commit bbbf752a3c8b5a966bcb48fc71a3dc03832e7b27) (cherry picked from commit e4b47f7f19392e3be604e44f6999de2bc9e7ecf3) | 21 June 2018, 17:03:43 UTC |
| 41d23d4 | Matt Caswell | 19 June 2018, 14:07:02 UTC | Add blinding to a DSA signature This extends the recently added ECDSA signature blinding to blind DSA too. This is based on side channel attacks demonstrated by Keegan Ryan (NCC Group) for ECDSA which are likely to be able to be applied to DSA. Normally, as in ECDSA, during signing the signer calculates: s:= k^-1 * (m + r * priv_key) mod order In ECDSA, the addition operation above provides a sufficient signal for a flush+reload attack to derive the private key given sufficient signature operations. As a mitigation (based on a suggestion from Keegan) we add blinding to the operation so that: s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order Since this attack is a localhost side channel only no CVE is assigned. This commit also tweaks the previous ECDSA blinding so that blinding is only removed at the last possible step. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6524) | 21 June 2018, 09:28:20 UTC |
| 8fbbbdd | Matt Caswell | 18 June 2018, 12:00:40 UTC | Fix no-ssl3-method in 1.0.2 Fixes #5322 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6510) | 19 June 2018, 10:12:59 UTC |
| 8b4e971 | Andy Polyakov | 16 June 2018, 14:23:34 UTC | sha/asm/sha{1|256}-586.pl: harmonize clang version detection. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6499) (cherry picked from commit b55e21b357902959ae8ec0255952402f5ccaa515) | 18 June 2018, 18:04:42 UTC |
| 7c17124 | Andy Polyakov | 16 June 2018, 14:22:19 UTC | bn/asm/rsaz-avx2.pl: harmonize clang version detection. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6499) (cherry picked from commit 9e97f61dec312084abe03226e5c962d818c9fc2b) | 18 June 2018, 18:04:27 UTC |
| fc4b2bf | Nicola Tuveri | 12 June 2018, 13:28:25 UTC | Warn against nonce reuse in DSA_sign_setup() doc Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6465) | 18 June 2018, 09:35:19 UTC |
| 949ff36 | Matt Caswell | 25 May 2018, 11:10:13 UTC | Add blinding to an ECDSA signature Keegan Ryan (NCC Group) has demonstrated a side channel attack on an ECDSA signature operation. During signing the signer calculates: s:= k^-1 * (m + r * priv_key) mod order The addition operation above provides a sufficient signal for a flush+reload attack to derive the private key given sufficient signature operations. As a mitigation (based on a suggestion from Keegan) we add blinding to the operation so that: s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order Since this attack is a localhost side channel only no CVE is assigned. Reviewed-by: Rich Salz <rsalz@openssl.org> | 13 June 2018, 15:26:16 UTC |
| 3984ef0 | Guido Vranken | 11 June 2018, 17:38:54 UTC | Reject excessively large primes in DH key generation. CVE-2018-0732 Signed-off-by: Guido Vranken <guidovranken@gmail.com> (cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6457) | 12 June 2018, 09:30:14 UTC |
| bd45a8d | Andy Polyakov | 08 June 2018, 13:02:39 UTC | bn/asm/sparcv9-mont.pl: iron another glitch in squaring code path. This module is used only with odd input lengths, i.e. not used in normal PKI cases, on contemporary processors. The problem was "illuminated" by fuzzing tests. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6440) (cherry picked from commit f55ef97b5c0f8559f393b72ebd4b2de32ad6d231) | 09 June 2018, 12:49:45 UTC |
| 278f65e | Ken Goldman | 02 June 2018, 20:22:04 UTC | Document failure return of ECDSA_SIG_new ECDSA_SIG_new() returns NULL on error. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6398) (cherry picked from commit 6da34cfbddede5e46f9c9183b724c99999dcfb41) | 02 June 2018, 20:23:39 UTC |
| 1ac3cd6 | Richard Levitte | 31 May 2018, 09:12:34 UTC | ENGINE_pkey_asn1_find_str(): don't assume an engine implements ASN1 method Just because an engine implements algorithm methods, that doesn't mean it also implements the ASN1 method. Therefore, be careful when looking for an ASN1 method among all engines, don't try to use one that doesn't exist. Fixes #6381 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6383) | 31 May 2018, 09:15:26 UTC |
| af21f71 | Richard Levitte | 31 May 2018, 04:51:25 UTC | apps: when the 'compat' nameopt has been set, leave it be XN_FLAG_COMPAT has a unique property, its zero for value. This means it needs special treatment; if it has been set (which can only be determined indirectly) and set alone (*), no other flags should be set. (*) if any other nameopt flag has been set by the user, compatibility mode is blown away. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6382) (cherry picked from commit 3190d1dca43ecfd748c06aa06752de06af3768b9) | 31 May 2018, 09:02:21 UTC |
| 235119f | Matt Caswell | 24 May 2018, 15:12:52 UTC | The result of a ^ 0 mod -1 is 0 not 1 Thanks to Guido Vranken and OSSFuzz for finding this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6355) (cherry picked from commit 4aa5b725d549b3ebc3a4f2f1c44e44a11f68752b) | 29 May 2018, 15:51:52 UTC |
| d8908c3 | Matt Caswell | 22 May 2018, 12:34:42 UTC | Fix a bogus warning about an uninitialised var The variable in question can never be used uninitialised, but we silence the compiler anyway. Fixes #6301 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6329) | 23 May 2018, 14:13:23 UTC |
| f2bb6b8 | Matt Caswell | 16 May 2018, 10:59:47 UTC | Fix undefined behaviour in X509_NAME_cmp() If the lengths of both names is 0 then don't attempt to do a memcmp. Issue reported by Simon Friedberger, Robert Merget and Juraj Somorovsky. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6291) (cherry picked from commit 511190b691183a1fb160e7e05e2974dc73cab0c6) | 21 May 2018, 09:31:07 UTC |
| ec91c3d | Andy Polyakov | 15 May 2018, 18:31:04 UTC | util/domd: harmonize with compiler detection in Configure. Configure detects if compiler can generate dependency lists for any command name, while this script didn't quite tolerate arbitrary one. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6261) | 18 May 2018, 09:37:24 UTC |
| 7e5292b | Matt Caswell | 16 May 2018, 08:58:27 UTC | Make BN_GF2m_mod_arr more constant time Experiments have shown that the lookup table used by BN_GF2m_mod_arr introduces sufficient timing signal to recover the private key for an attacker with access to cache timing information on the victim's host. This only affects binary curves (which are less frequently used). No CVE is considered necessary for this issue. The fix is to replace the lookup table with an on-the-fly calculation of the value from the table instead, which can be performed in constant time. Thanks to Youngjoo Shin for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6270) (cherry picked from commit b336ce57f2d5cca803a920d2a9e622b588cead3c) | 17 May 2018, 16:11:41 UTC |
| fe4fe67 | Richard Levitte | 14 May 2018, 03:01:54 UTC | When configuring 'no-comp', zlib support should be disabled too Fixes #6241 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6248) | 14 May 2018, 12:53:11 UTC |
| 4080f4d | Richard Levitte | 02 May 2018, 12:28:53 UTC | UI console: Restore tty settings, do not force ECHO after prompt The Console UI method always set echo on after prompting without echo. However, echo might not have been on originally, so just restore the original TTY settings. Fixes #2373 Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6158) | 14 May 2018, 09:01:45 UTC |
| 66e4a89 | Pavel Kopyl | 03 November 2017, 15:18:59 UTC | Fix memory leaks in CA related functions. (cherry picked from commit aebd0e5ca12d1ba0b229a4121a54afa5ea2d8aa1) Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6238) | 12 May 2018, 22:40:54 UTC |
| f54b665 | Matt Caswell | 11 May 2018, 09:28:47 UTC | Don't memcpy the contents of an empty fragment In DTLS if we have buffered a fragment for a zero length message (e.g. ServerHelloDone) then, when we unbuffered the fragment, we were attempting to memcpy the contents of the fragment which is zero length and a NULL pointer. This is undefined behaviour. We should check first whether we have a zero length fragment. Fixes a travis issue. [extended tests] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6225) | 12 May 2018, 09:09:59 UTC |
| 18026c0 | Richard Levitte | 04 May 2018, 12:19:44 UTC | In cases where we ask PEM_def_callback for minimum 0 length, accept 0 length Fixes #4716 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6173) (cherry picked from commit c82c3462267afdbbaa53e11da0508ce4e03c02b3) | 12 May 2018, 08:25:18 UTC |
| 0602a14 | Dr. Matthias St. Pierre | 11 May 2018, 14:58:44 UTC | Fix typo 'is an error occurred' in documentation Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6231) | 11 May 2018, 15:03:44 UTC |
| 7b6cfcd | Emilia Kasper | 17 February 2017, 18:00:15 UTC | X509 time: tighten validation per RFC 5280 - Reject fractional seconds - Reject offsets - Check that the date/time digits are in valid range. - Add documentation for X509_cmp_time GH issue 2620 Backported from 80770da39e Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6182) | 05 May 2018, 20:14:37 UTC |
| 8dd55d9 | Richard Levitte | 04 May 2018, 12:44:19 UTC | BIO_s_mem() write: Skip early when input length is zero When the input length is zero, just return zero early. Otherwise, there's a small chance that memory allocation is engaged, fails and returns -1, which is a bit confusing when nothing should be written. Fixes #4782 #4827 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/6175) (cherry picked from commit 0d94212a046e87fafea6e83e8ea2b2a58db49979) | 04 May 2018, 22:19:17 UTC |
| aed0ecb | Andy Polyakov | 30 April 2018, 20:59:51 UTC | bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word. Montgomery multiplication post-conditions in some of code paths were formally non-constant time. Cache access pattern was result-neutral, but a little bit asymmetric, which might have produced a signal [if processor reordered load and stores at run-time]. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6163) (cherry picked from commit 774ff8fed67e19d4f5f0df2f59050f2737abab2a) Resolved conflicts in ppc-mont.pl and x86_64-mont.pl. (cherry picked from commit d067ba3bcc4944140578bdbf857affa6faf9e8c1) | 04 May 2018, 09:45:23 UTC |
| c14a3be | Dr. Matthias St. Pierre | 02 May 2018, 21:06:15 UTC | v3_purp.c: add locking to x509v3_cache_extensions() Fixes #6121 Thanks to Mingtao Yang for reporting this bug. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6164) | 03 May 2018, 20:34:02 UTC |
| 1b3af97 | Todd Short | 23 April 2018, 18:06:22 UTC | Configure: fix Mac OS X builds that still require makedepend Earlier Apple Xcode compilers, e.g. one targeting Mac OS X 10.7, don't support dependency generation and one still has to use makedepend. It's unclear when it was fixed, but all clang-based Apple compilers seem to support -M options. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6073) | 03 May 2018, 20:26:39 UTC |
| bd05644 | Matt Caswell | 27 April 2018, 10:38:19 UTC | Add some documentation for SSL_get_shared_ciphers() Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6115) | 02 May 2018, 22:39:23 UTC |
| d7d6d95 | Matt Caswell | 27 April 2018, 10:24:01 UTC | Fix comment in ssl.h The ciphers field in a session contains the stack of ciphers offered by the client. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6115) | 02 May 2018, 22:39:23 UTC |
| 3f5b234 | Matt Caswell | 27 April 2018, 10:20:52 UTC | Fix SSL_get_shared_ciphers() The function SSL_get_shared_ciphers() is supposed to return ciphers shared by the client and the server. However it only ever returned the client ciphers. Fixes #5317 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6115) | 02 May 2018, 22:39:23 UTC |
| 7e6c0f5 | Dr. Matthias St. Pierre | 26 April 2018, 18:36:41 UTC | a_strex.c: prevent out of bound read in do_buf() which is used for ASN1_STRING_print_ex*() and X509_NAME_print_ex*(). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6118) | 02 May 2018, 18:39:25 UTC |
| a96022b | Matt Caswell | 30 April 2018, 14:05:45 UTC | Clarify BN_mod_exp docs Specifically this is not supported with an even modulus and BN_FLG_CONSTTIME. Fixes #5082 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6138) (cherry picked from commit 966b3df182b9c8644c154f1c3e686027d37acb05) | 01 May 2018, 13:26:10 UTC |
| b9f0d18 | Matt Caswell | 30 April 2018, 11:05:42 UTC | Fix some errors and missing info in the CMS docs Fixes #5063 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6136) | 01 May 2018, 13:20:31 UTC |
| 8503250 | Matt Caswell | 19 April 2018, 12:32:45 UTC | Update version docs Make it clear that you should not attempt to get the version before the first handshake is complete. Fixes #2893 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6015) | 27 April 2018, 09:14:05 UTC |
| ad25108 | Richard Levitte | 27 April 2018, 04:05:49 UTC | Skip the CMS test if configured 'no-cms' Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6108) | 27 April 2018, 09:13:13 UTC |
| 98f2e51 | Billy Brumley | 26 April 2018, 16:08:59 UTC | fix: BN_swap mishandles flags (1.0.2) Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6102) | 27 April 2018, 09:02:04 UTC |
| b10794b | Cristian Stoica | 29 June 2016, 14:45:59 UTC | s_server: fix warnings unused-but-set-variable (no-dh) This patch fixes the following two warnings when OpenSSL is built with no-dh option: s_server.c: In function 's_server_main': s_server.c:1105:25: warning: variable 'no_dhe' set but not used [-Wunused-but-set-variable] int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0; ^ s_server.c:1101:11: warning: variable 'dhfile' set but not used [-Wunused-but-set-variable] char *dhfile = NULL; ^ CLA: trivial Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6087) | 27 April 2018, 04:00:10 UTC |
| 60ced07 | Cristian Stoica | 29 June 2016, 15:34:33 UTC | fix warning unused-but-set-variable 'alg_k' (no-dh and no-ec) This patch fixes the following warning when OpenSSL is configured with no-dh and no-ec: ./Configure no-ec no-dh linux-x86_64 ... s3_lib.c: In function 'ssl3_get_req_cert_type': s3_lib.c:4234:19: warning: variable 'alg_k' set but not used [-Wunused-but-set-variable] unsigned long alg_k; CLA: trivial Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6087) | 27 April 2018, 04:00:10 UTC |
| 76b8b69 | Cristian Stoica | 29 June 2016, 15:30:58 UTC | fix warning unused-but-set-variable 'nostrict' (no-dh and no-ec) This patch fixes the following warning when OpenSSL is configured with no-dh and no-ec: ./Configure no-ec no-dh linux-x86_64 ... s3_lib.c:4231:9: warning: variable 'nostrict' set but not used [-Wunused-but-set-variable] int nostrict = 1; ^ CLA: trivial Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6087) | 27 April 2018, 04:00:10 UTC |
| aadcf06 | Matt Caswell | 26 April 2018, 13:05:40 UTC | Update the *use_certificate* docs Note that calling the *use_certificate* functions will replace any existing certificate of the same type. The same thing applies for private keys. Fixes #2147 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6093) (cherry picked from commit db747425b0caae12e73c680799b57bdfcc72dbb4) | 26 April 2018, 15:41:54 UTC |
| 165a92d | Richard Levitte | 25 April 2018, 20:53:40 UTC | PEM_def_callback(): use same parameter names as for pem_password_cb Add a bit more commentary to explain what's going on. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6080) (cherry picked from commit d6d94d339756332bbabe2a1032ac511ae31b3fdc) | 26 April 2018, 08:52:15 UTC |
| 3986986 | Richard Levitte | 25 April 2018, 11:57:39 UTC | PEM_def_callback(): don't loop because of too short password given That error is already caught by EVP_read_pw_string_min, and causes this function to return -1, so the code detecting too short passwords in this function is practically dead. Fixes #5465 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6080) (cherry picked from commit 4977b4e9281c981efcf6a8b31378b8bbd6a8a96f) | 26 April 2018, 08:49:49 UTC |
| e77017b | Matt Caswell | 24 April 2018, 09:27:32 UTC | Fix documentation for the -showcerts s_client option This option shows the certificates as sent by the server. It is not the full verified chain. Fixes #4933 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6069) | 25 April 2018, 09:56:02 UTC |
| 9668efb | Matt Caswell | 23 April 2018, 10:23:43 UTC | Document when a session gets removed from cache Document the fact that if a session is not closed down cleanly then the session gets removed from the cache and marked as non-resumable. Fixes #4720 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6054) (cherry picked from commit 0abb903b7618ad404c83ac9b44b2c1bf162b90de) | 24 April 2018, 08:25:05 UTC |
| 279bf3e | Matt Caswell | 19 April 2018, 09:38:57 UTC | Fix the alert sent if no shared sig algs We were sending illegal parameter. This isn't correct. The parameters are legal, we just don't have an overlap. A more appropriate alert is handshake failure. Fixes #2919 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6011) | 20 April 2018, 10:42:07 UTC |
| b389992 | Richard Levitte | 19 April 2018, 14:35:37 UTC | apps/s_socket.c: Fix do_accept do_accept() checked that the peer IP address had a PTR record, and would fail if not. The retrieved named was then never used, even though passed around. All this is unnecessary, so we remove it. Fixes #3407 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6018) | 19 April 2018, 19:08:00 UTC |
| 5e80a5d | Matt Caswell | 18 April 2018, 13:20:29 UTC | Don't crash if there are no trusted certs The X509_STORE_CTX_init() docs explicitly allow a NULL parameter for the X509_STORE. Therefore we shouldn't crash if we subsequently call X509_verify_cert() and no X509_STORE has been set. Fixes #2462 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6003) | 19 April 2018, 08:01:14 UTC |
| c6c7bb0 | Matt Caswell | 18 April 2018, 11:03:41 UTC | Return 0 on a non-matching kdf_type If we have a non-matching kdf_type then pkey_dh_derive silently succeeds. It should fail. This is a "should not happen" condition anyway so the impact is negligible. Fixes #2440 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6000) | 19 April 2018, 07:49:40 UTC |
| 4571b3c | Matt Caswell | 18 April 2018, 10:07:18 UTC | Fix ocsp app exit code If we run the ocsp command line app and the responder returns a non-successful status code then the app should exit with a failure code. Based on an original patch by Tatsuhiro Tsujikawa. Fixes #2387 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5999) (cherry picked from commit 2add645dfc364cfc609e6138de1bf43c217bb557) | 19 April 2018, 07:46:48 UTC |
| 67567b2 | Emilia Kasper | 18 December 2017, 17:41:05 UTC | X509_cmp_time: only return 1, 0, -1. The behaviour of X509_cmp_time used to be undocumented. The new behaviour, documented in master, is to return only 0, 1, or -1. Make the code in the other branches to adhere to this behaviour too, to reduce confusion. There is nothing to be gained from returning other values. Fixes GH#4954 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4955) (cherry picked from commit 48345917747a34feea3da2936994a265c7f2ca11) | 19 April 2018, 07:42:09 UTC |
| 82d8cec | John Eichenberger | 03 April 2018, 23:08:31 UTC | Correct the check of RSA_FLAG_SIGN_VER The wrong flags were being tested. It is the rsa->meth flags not the rsa flags that should be tested. wpa_supplicant has a bit of code that 1. Allocates and defines a RSA_METHOD structure. 2. calls RSA_new(); 3. calls RSA_set_method(). In current versions of that code the rsa_sign and rsa_verify members of the RSA_METHOD structure are not defined, thus making it compatible with the really old versions of OpenSSL. But should one change it use the rsa_sign method one must set the RSA_FLAG_SIGN_VER bit of the RSA_METHOD structure to indicate that one or both of those new methods are required. In doing so, OpenSSL will not call the new methods, not without this change. CLA: trivial Change-Id: I6e65a80f21399f25e966466ff676e3b21f85f360 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5971) | 17 April 2018, 16:02:04 UTC |
| 363c9f0 | Matt Caswell | 17 April 2018, 12:40:07 UTC | Update fingerprints.txt Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5988) | 17 April 2018, 15:58:49 UTC |
| 1084fc8 | Matt Caswell | 06 April 2018, 13:33:07 UTC | Ignore the status_request extension in a resumption handshake We cannot provide a certificate status on a resumption so we should ignore this extension in that case. Fixes #1662 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5898) | 17 April 2018, 15:47:37 UTC |
| 349a41d | Billy Brumley | 11 April 2018, 07:10:58 UTC | RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set. CVE-2018-0737 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787) | 16 April 2018, 15:21:05 UTC |
| d1a6414 | Daniel Bevenius | 12 April 2018, 11:39:37 UTC | Clarify default section in config.pod This is a minor update which hopefully makes these particular lines read a little easier. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5938) (cherry picked from commit 0652e8a7fe6dd8cbdf4516b221642b10bbfc68fe) (cherry picked from commit 9e8554fca5019b81ed7659d97f103f388ea3a2bf) | 12 April 2018, 12:34:03 UTC |
| 06196e7 | Rich Salz | 07 April 2018, 17:09:15 UTC | Updated to CONTRIBUTING to reflect GitHub, etc. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5889) (cherry picked from commit 2876872ffe5dd53ec1c446656e924ff463e5d4bf) | 07 April 2018, 17:48:58 UTC |
| 0ac1a7e | Matt Caswell | 29 March 2018, 20:02:20 UTC | Update the genpkey documentation Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5884) | 05 April 2018, 16:04:01 UTC |
| 3e5f19a | Matt Caswell | 29 March 2018, 16:49:17 UTC | Pick a q size consistent with the digest for DSA param generation There are two undocumented DSA parameter generation options available in the genpkey command line app: dsa_paramgen_md and dsa_paramgen_q_bits. These can also be accessed via the EVP API but only by using EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no helper macros for these options. dsa_paramgen_q_bits sets the length of q in bits (default 160 bits). dsa_paramgen_md sets the digest that is used during the parameter generation (default SHA1). In particular the output length of the digest used must be equal to or greater than the number of bits in q because of this code: if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL)) goto err; if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) goto err; for (i = 0; i < qsize; i++) md[i] ^= buf2[i]; /* step 3 */ md[0] |= 0x80; md[qsize - 1] |= 0x01; if (!BN_bin2bn(md, qsize, q)) goto err; qsize here is the number of bits in q and evpmd is the digest set via dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH. buf2 has been filled with qsize bits of random seed data, and md is uninitialised. If the output size of evpmd is less than qsize then the line "md[i] ^= buf2[i]" will be xoring an uninitialised value and the random seed data together to form the least significant bits of q (and not using the output of the digest at all for those bits) - which is probably not what was intended. The same seed is then used as an input to generating p. If the uninitialised data is actually all zeros (as seems quite likely) then the least significant bits of q will exactly match the least significant bits of the seed. This problem only occurs if you use these undocumented and difficult to find options and you set the size of q to be greater than the message digest output size. This is for parameter generation only not key generation. This scenario is considered highly unlikely and therefore the security risk of this is considered negligible. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5884) | 05 April 2018, 16:04:01 UTC |
| 5068cfb | Matt Caswell | 29 March 2018, 16:48:28 UTC | Don't crash if an unrecognised digest is used with dsa_paramgen_md Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5884) | 05 April 2018, 16:04:01 UTC |
| a3dbbe4 | Bernd Edlinger | 02 April 2018, 08:54:52 UTC | Change the "offset too large" message to more generic wording Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5826) (cherry picked from commit 1518c55a796b058eff01f3cbf177f4b726c01d7c) | 03 April 2018, 14:11:31 UTC |
| 82ff31d | Bernd Edlinger | 02 April 2018, 07:13:49 UTC | Fix range checks with -offset and -length in asn1parse Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5826) (cherry picked from commit 16e1eea6a67c85c9d786f3c4448182b1aca101b8) | 03 April 2018, 14:08:44 UTC |
| 477e40b | Bernd Edlinger | 31 March 2018, 19:09:32 UTC | Fix a crash in the asn1parse command Thanks to Sem Voigtländer for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5826) (cherry picked from commit 752837e0664e990b5edf6f0b69e1b4612efadce0) | 03 April 2018, 14:05:49 UTC |
| 6a285ed | Miroslav Suk | 22 March 2018, 08:20:43 UTC | o_time.c: use gmtime_s with MSVC Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5719) | 28 March 2018, 20:46:31 UTC |
| 46c815a | Philippe Antoine | 26 March 2018, 08:25:55 UTC | Adds multiple checks to avoid buffer over reads Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5687) | 27 March 2018, 19:28:09 UTC |
| f3f8e72 | Matt Caswell | 22 March 2018, 14:33:05 UTC | Don't write out a bad OID If we don't have OID data for an object then we should fail if we are asked to encode the ASN.1 for that OID. Fixes #5723 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5725) (cherry picked from commit 53c9818e970fc0c22d77e19fda3b3e6f6c9e759d) | 27 March 2018, 15:10:07 UTC |
| 69a61c2 | Matt Caswell | 27 March 2018, 13:56:15 UTC | Prepare for 1.0.2p-dev Reviewed-by: Richard Levitte <levitte@openssl.org> | 27 March 2018, 13:56:15 UTC |
