Skip to content
  1. Apr 25, 2015
  2. Apr 24, 2015
    • Rich Salz's avatar
      Big apps cleanup (option-parsing, etc) · 7e1b7485
      Rich Salz authored
      This is merges the old "rsalz-monolith" branch over to master.  The biggest
      change is that option parsing switch from cascasding 'else if strcmp("-foo")'
      to a utility routine and somethin akin to getopt.  Also, an error in the
      command line no longer prints the full summary; use -help (or --help :)
      for that.  There have been many other changes and code-cleanup, see
      bullet list below.
      
      Special thanks to Matt for the long and detailed code review.
      
      TEMPORARY:
              For now, comment out CRYPTO_mem_leaks() at end of main
      
      Tickets closed:
              RT3515: Use 3DES in pkcs12 if built with no-rc2
              RT1766: s_client -reconnect and -starttls broke
              RT2932: Catch write errors
              RT2604: port should be 'unsigned short'
              RT2983: total_bytes undeclared #ifdef RENEG
              RT1523: Add -nocert to fix output in x509 app
              RT3508: Remove unused variable introduced by b09eb246
      
      
              RT3511: doc fix; req default serial is random
              RT1325,2973: Add more extensions to c_rehash
              RT2119,3407: Updated to dgst.pod
              RT2379: Additional typo fix
              RT2693: Extra include of string.h
              RT2880: HFS is case-insensitive filenames
              RT3246: req command prints version number wrong
      
      Other changes; incompatibilities marked with *:
              Add SCSV support
              Add -misalign to speed command
              Make dhparam, dsaparam, ecparam, x509 output C in proper style
              Make some internal ocsp.c functions void
              Only display cert usages with -help in verify
              Use global bio_err, remove "BIO*err" parameter from functions
              For filenames, - always means stdin (or stdout as appropriate)
              Add aliases for -des/aes "wrap" ciphers.
              *Remove support for IISSGC (server gated crypto)
              *The undocumented OCSP -header flag is now "-header name=value"
              *Documented the OCSP -header flag
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      7e1b7485
    • Emilia Kasper's avatar
      Fix error checking and memory leaks in NISTZ256 precomputation. · 53dd4ddf
      Emilia Kasper authored
      
      
      Thanks to Brian Smith for reporting these issues.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      53dd4ddf
    • Emilia Kasper's avatar
      Correctly set Z_is_one on the return value in the NISTZ256 implementation. · c028254b
      Emilia Kasper authored
      
      
      Also add a few comments about constant-timeness.
      
      Thanks to Brian Smith for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      c028254b
  3. Apr 22, 2015
    • Loganaden Velvindron's avatar
      Fix CRYPTO_strdup · 8031d26b
      Loganaden Velvindron authored
      
      
      The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
      value from CRYPTO_malloc to see if it is NULL before attempting to use it.
      This patch adds a NULL check.
      
      RT3786
      
      Signed-off-by: default avatarMatt Caswell <matt@openssl.org>
      (cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60)
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)
      8031d26b
    • Dr. Stephen Henson's avatar
      SSL_CIPHER lookup functions. · 98c9ce2f
      Dr. Stephen Henson authored
      
      
      Add tables to convert between SSL_CIPHER fields and indices for ciphers
      and MACs.
      
      Reorganise ssl_ciph.c to use tables to lookup values and load them.
      
      New functions SSL_CIPHER_get_cipher_nid and SSL_CIPHER_get_digest_nid.
      
      Add documentation.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      98c9ce2f
  4. Apr 21, 2015
  5. Apr 20, 2015
  6. Apr 18, 2015
  7. Apr 17, 2015
  8. Apr 16, 2015
  9. Apr 15, 2015
  10. Apr 14, 2015
    • Matt Caswell's avatar
      Fix ssl_get_prev_session overrun · 5e0a80c1
      Matt Caswell authored
      
      
      If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
      past the end of the ClientHello message if the session_id length in the
      ClientHello is invalid. This should not cause any security issues since the
      underlying buffer is 16k in size. It should never be possible to overrun by
      that many bytes.
      
      This is probably made redundant by the previous commit - but you can never be
      too careful.
      
      With thanks to Qinghao Tang for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      5e0a80c1
    • Matt Caswell's avatar
      Check for ClientHello message overruns · 5e9f0eeb
      Matt Caswell authored
      
      
      The ClientHello processing is insufficiently rigorous in its checks to make
      sure that we don't read past the end of the message. This does not have
      security implications due to the size of the underlying buffer - but still
      needs to be fixed.
      
      With thanks to Qinghao Tang for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      5e9f0eeb