- Nov 16, 2017
-
-
Andy Polyakov authored
Performance regression was reported for EC key generation between 1.0.2 and 1.1.x [in GH#2891]. It naturally depends on platform, values between 6 and 9% were observed. Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4743) (cherry picked from commit a78324d9)
-
- Nov 13, 2017
-
-
Andy Polyakov authored
|flags| argument to do_esc_char was apparently truncated by implicit cast. [Caught by VC warning subsytem.] Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4721) (cherry picked from commit 37246310)
-
- Nov 11, 2017
-
-
Long Qin authored
* addressing", Proc. 6th Conference on Very Large Databases: 212–223 ^ The EN DASH ('–') in this line is one UTF-8 character (hex: e2 80 93). Under some code page setting (e.g. 936), Visual Studio may report C4819 warning: The file contains a character that cannot be represented in the current code page. Replace this character with the ASCII char '-' (Hex Code: 2D). Reviewed-by:Tim Hudson <tjh@openssl.org> Reviewed-by:
-
- Nov 10, 2017
-
-
FdaSilvaYY authored
Reviewed-by:
Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4677) (cherry picked from commit 1687aa76)
-
Andy Polyakov authored
In earlier 5.1x Perl versions quoting globs works only if there is white space. If there is none, it's looking for names starting with ". Reviewed-by:
-
- Nov 08, 2017
-
-
Andy Polyakov authored
HP-UX make doesn't recognize $< in explict target rules, only in inference ones such as .c.o. Reviewed-by:
-
Andy Polyakov authored
HP-UX make doesn't recognize $< in explict target rules, only in inference ones such as .c.o. Reviewed-by:
-
- Nov 07, 2017
-
-
Richard Levitte authored
'rsa', 'sha' and 'tlsext' can't be disabled, not even as a consequence of other conditions, so having cascading disables that depend on them is futile. Clean up! Reviewed-by:
-
Matt Caswell authored
If SSL_read() is called with a zero length buffer, and we read a zero length record then we should mark that record as read. Reviewed-by:
-
Matt Caswell authored
Normally TLSProxy waits for the s_server process to finish before continuing. However in cases where serverconnects > 1 we need to keep the s_server process around for a later test so we continue immediately. This means that TAP test output can end up being printed to stdout at the same time as s_server is printing stuff. This confuses the test runner and can cause spurious test failures. This commit introduces a small delay in cases where serverconnects > 1 in order to give s_server enough time to finish what it was doing before we continue to the next test. Fixes #4129 Reviewed-by:
-
Matt Caswell authored
There were 4 macros in ocsp.h that have not worked since 1.1.0 because they attempt to access the internals of an opaque structure. For OCSP_REQUEST_sign() applications should use OCSP_request_sign() instead. For OCSP_BASICRESP_sign() applications should use OCSP_basic_sign() instead. For OCSP_REQUEST_verify() applications should use OCSP_request_verify() instead. For OCSP_BASICRESP_verify() applications should use OCSP_basic_verify() instead. Reviewed-by:
Ben Kaduk <kaduk@mit.edu> Reviewed-by:
-
- Nov 05, 2017
-
-
Richard Levitte authored
Instead of having perl modules under test/testlib and util, consolidate them all to be inside util/perl. (this is an adaptation of the part of #4069 that wasn't included in #4666) Reviewed-by:
-
Richard Levitte authored
File::Glob::glob is deprecated, it's use generates this kind of message: File::Glob::glob() will disappear in perl 5.30. Use File::Glob::bsd_glob() instead. at ../master/Configure line 277. The first idea was to use a construction that makes the caller glob() use File::Glob::bsd_glob(). That turned out not to work well everywhere, so instead, we make our own wrapper, OpenSSL::Glob and use that. Fixes #4636 (this is an adaptation of #4040 and part of #4069, for 1.1.0) Reviewed-by: -
Andy Polyakov authored
It's not clear if it's a feature or bug, but binutils-2.29[.1] interprets 'adr' instruction with Thumb2 code reference differently, in a way that affects calculation of addresses of constants' tables. Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4669) (cherry picked from commit b82acc3c)
-
- Nov 03, 2017
-
-
FdaSilvaYY authored
Duplicated tests descriptions Backport of #3580 to 1.1.0 plus a few other typo fixes found at fligth. Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
Pavel Kopyl authored
CLA: trivial Reviewed-by:
-
Pavel Kopyl authored
CLA: trivial Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- Nov 02, 2017
-
-
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Andy Polyakov authored
Credit to OSS-Fuzz for finding this. CVE-2017-3736 Reviewed-by: -
Richard Levitte authored
In OpenSSL pre 1.1.0, 'openssl x509 -CAkeyformat engine' was possible and supported. In 1.1.0, a small typo ('F' instead of 'f') removed that possibility. This restores the pre 1.1.0 behavior. Fixes #4366 Reviewed-by:
-
- Nov 01, 2017
-
-
Pauli authored
information about the length of the scalar used in ECDSA operations from a large number (2^32) of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4576) (cherry picked from commit 4a089bbd)
-
Pauli authored
information about the length of a value used in DSA operations from a large number of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Reviewed-by:
-
- Oct 31, 2017
-
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
This version was a direct port from 1.1.1-dev, which has a different source structure for the docs. Adjustment done. Reviewed-by:
-
Richard Levitte authored
Missing names slipped through Reviewed-by:
-
Baptiste Jonglez authored
The check should reject kernel versions < 4.1.0, not <= 4.1.0. The issue was spotted on OpenSUSE 42.1 Leap, since its linux/version.h header advertises 4.1.0. CLA: trivial Fixes: 7f458a48 ("ALG: Add AFALG engine") Signed-off-by:
Baptiste Jonglez <git@bitsofnetworks.org> Reviewed-by:
-
Baptiste Jonglez authored
The eventfd syscall is deprecated and is not available on aarch64, causing build to fail: engines/e_afalg.c: In function 'eventfd': engines/e_afalg.c:108:20: error: '__NR_eventfd' undeclared (first use in this function) return syscall(__NR_eventfd, n); ^ Instead, switch to the newer eventfd2 syscall, which is supposed to be supported by all architectures. This kind of issues would be avoided by simply using the eventfd(2) wrapper from the libc, but there must be subtle reasons not to... Tested on a aarch64 system running OpenSUSE Leap 42.1 (gcc118 from https://cfarm.tetaneutral.net/machines/list/ ) and also cross-compiling for aarch64 with LEDE (kernel 4.9). This properly fixes #1685. CLA: trivial Fixes: 7f458a48 ("ALG: Add AFALG engine") Signed-off-by: -
Richard Levitte authored
No two public key ASN.1 methods with the same pkey_id can be registered at the same time. Reviewed-by:
-
Richard Levitte authored
[skip ci] Reviewed-by:
-
- Oct 30, 2017
-
-
Kurt Roeckx authored
This restores the 1.0.2 behaviour Reviewed-by:
Benjamin Kaduk <bkaduk@akamai.com> GH: #4613 (cherry picked from commit ffd23209)
-
- Oct 28, 2017
-
-
Rich Salz authored
Thanks to Remi Gacogne for pointing this out. Also indented the two macro bodies Reviewed-by:
-
- Oct 27, 2017
-
-
Andy Polyakov authored
Thanks to David Benjamin for spotting this. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
- Oct 26, 2017
-
-
Matt Caswell authored
The functions strcasecmp() and strncasecmp() will use locale specific rules when performing comparison. This could cause some problems in certain locales. For example in the Turkish locale an 'I' character is not the uppercase version of 'i'. However IA5 strings should not use locale specific rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the Turkish locale. This fixes a bug in name constraints checking reported by Thomas Pornin (NCCGroup). This is not considered a security issue because it would require both a Turkish locale (or other locale with similar issues) and malfeasance by a trusted name-constrained CA for a certificate to pass name constraints in error. The constraints also have to be for excluded sub-trees which are extremely rare. Failure to match permitted subtrees is a bug, not a vulnerability. Reviewed-by:
-
