1. 29 Apr, 2016 12 commits
  2. 28 Apr, 2016 25 commits
  3. 27 Apr, 2016 3 commits
    • Reject inappropriate private key encryption ciphers. · d78df5df
      Dr. Stephen Henson authored
      
      
      The traditional private key encryption algorithm doesn't function
      properly if the IV length of the cipher is zero. These ciphers
      (e.g. ECB mode) are not suitable for private key encryption
      anyway.
      
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix set0 reuse test · 4a397f51
      Viktor Dukhovni authored
      
      
      We must test for new object == current object, not !=.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • Future proof build_chain() in x509_vfy.c · 69664d6a
      Viktor Dukhovni authored
      
      
      Coverity reports a potential NULL deref when "2 0 0" DANE trust-anchors
      from DNS are configured via SSL_dane_tlsa_add() and X509_STORE_CTX_init()
      is called with a NULL stack of untrusted certificates.
      
      Since ssl_verify_cert_chain() always provides a non-NULL stack of
      untrusted certs, and no other code path enables DANE, the problem
      can only happen in applications that use SSL_CTX_set_cert_verify_callback()
      to implement their own wrappers around X509_verify_cert() passing
      only the leaf certificate to the latter.
      
      Regardless of the "improbability" of the problem, we do need to
      ensure that build_chain() handles this case correctly.
      
      Reviewed-by: Matt Caswell <matt@openssl.org>