- Apr 04, 2018
-
-
cedral authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5861)
-
Richard Levitte authored
We started using $(CPP) instead of $(CC) -E, with the assumption that CPP would be predefined. This is, however, not always true, and rather depends on the 'make' implementation. Furthermore, on platforms where CPP=cpp or something else other than '$(CC) -E', there's a risk that it won't understand machine specific flags that we pass to it. So it turns out that trying to use $(CPP) was a mistake, and we therefore revert that use back to using $(CC) -E directly. Fixes #5867 Note: this affects config targets that use Alpha, ARM, IA64, MIPS, s390x or SPARC assembler modules. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5871)
-
- Apr 03, 2018
-
-
Matt Caswell authored
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5795)
-
Matt Caswell authored
Where a CMS detached signature is used with text content the text goes through a canonicalisation process first prior to signing or verifying a signature. This process strips trailing space at the end of lines, converts line terminators to CRLF and removes additional trailing line terminators at the end of a file. A bug in the canonicalisation process meant that some characters, such as form-feed, were incorrectly treated as whitespace and removed. This is contrary to the specification (RFC5485). This fix could mean that detached text data signed with an earlier version of OpenSSL 1.1.0 may fail to verify using the fixed version, or text data signed with a fixed OpenSSL may fail to verify with an earlier version of OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data and use the "-binary" flag (for the "cms" command line application) or set the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()). Reviewed-by: Tim Hudson <tjh@opens...>
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5826) (cherry picked from commit 1518c55a)
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5826) (cherry picked from commit 21db0e1a)
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5826) (cherry picked from commit 16e1eea6)
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5826) (cherry picked from commit 18ada952)
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5826) (cherry picked from commit b998745a)
-
Bernd Edlinger authored
Thanks to Sem Voigtländer for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5826) (cherry picked from commit 752837e0)
-
- Apr 02, 2018
-
-
FdaSilvaYY authored
in methods : - EVP_PBE_scrypt - EVP_PKEY_meth_add0 - EVP_PKEY_meth_new - EVP_PKEY_CTX_dup Backport of 3484236d Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5803)
-
- Apr 01, 2018
-
-
Daniel Bevenius authored
It looks like the usage of these functions were removed in in commit 0a4edb93 ("Unified - adapt the generation of cpuid, uplink and buildinf to use GENERATE"). This commit removes the import/use of File::Spec::Functions module as it is no longer needed by crypto/build.info. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5832) (cherry picked from commit 0e34f37f)
-
Richard Levitte authored
Because many of our test programs use internal headers, we need to make sure they know how, exactly, to mangle the symbols. So far, we've done so by specifying it in the affected test programs, but as things change, that will develop into a goose chase. Better then to declare once and for all how symbols belonging in our libraries are meant to be treated, internally as well as publically. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3259) (cherry picked from commit f46f69f4)
-
- Mar 31, 2018
-
-
Richard Levitte authored
test/cipherlist_test.c is an internal consistency check, and therefore requires that the shared library it runs against matches what it was built for. test/recipes/test_cipherlist.t is made to refuse running unless library version and build version match. This adds a helper program test/versions.c, that simply displays the library and the build version. Partially fixes #5751 Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5753)
-
- Mar 29, 2018
-
-
Richard Levitte authored
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5788)
-
Richard Levitte authored
Instead of invoking the fuzz test programs once for every corpora file, we invoke them once for each directory of corpora files. This dramatically reduces the number of program invokations, as well as the time 90-test_fuzz.t takes to complete. fuzz/test-corpus.c was enhanced to handle directories as well as regular files. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5788)
-
Richard Levitte authored
This wasn't a good solution, too many things depend on the quotes being there consistently. This reverts commit 49cd47ea . Fixes #5772 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5773) (cherry picked from commit 00701e5e)
-
- Mar 28, 2018
-
-
Matt Caswell authored
If a server has been configured to use an ECDSA certificate, we should allow it regardless of whether the server's own supported groups list includes the certificate's group. Fixes #2033 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5607)
-
- Mar 27, 2018
-
-
Philippe Antoine authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5686)
-
Miroslav Suk authored
ts/ts_rsp_sign.c: change to OPENSSL_gmtime. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5720) (cherry picked from commit 98c03302)
-
Rich Salz authored
CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3292) (cherry picked from commit b3c42fc2)
-
Matt Caswell authored
If we don't have OID data for an object then we should fail if we are asked to encode the ASN.1 for that OID. Fixes #5723 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5725) (cherry picked from commit 53c9818e)
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Andy Polyakov authored
Comparison was effectively reduced to least significant bits. CVE-2018-0733 Reviewed-by: Matt Caswell <matt@openssl.org>
-
Matt Caswell authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Matt Caswell authored
Constructed types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. Therefore we limit the stack depth. CVE-2018-0739 Credit to OSSFuzz for finding this issue. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5759)
-
- Mar 26, 2018
-
-
Bernd Edlinger authored
openssl x509 -in server.pem -signkey privkey.pem -out server.pem Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5747)
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5744) (cherry picked from commit 52814352)
-
- Mar 25, 2018
-
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5741) (cherry picked from commit 4bdc25b0)
-
- Mar 22, 2018
-
-
Bernd Edlinger authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5726)
-
- Mar 21, 2018
-
-
Matt Caswell authored
Fixes #5711 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5712) (cherry picked from commit ab0a3914)
-
Samuel Weiser authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5170)
-
Samuel Weiser authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5170)
-
Samuel Weiser authored
Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5170)
-
Bernd Edlinger authored
Various code-cleanups. Use SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY) insead of handling SSL_ERROR_WANT_READ everywhere. Turn off the linger option on connected sockets to avoid failure. Add BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) to improve thruput. Continue test even without -cipher option as in 1.0.2. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5698)
-
Matt Caswell authored
For DTLS/SCTP we were waiting for a dry event during the call to tls_finish_handshake(). This function just tidies up various internal things, and after it completes the handshake is over. I can find no good reason for waiting for a dry event here, and nothing in RFC6083 suggests to me that we should need to. More importantly though it seems to be wrong. It is perfectly possible for a peer to send app data/alerts/new handshake while we are still cleaning up our handshake. If this happens then we will never get the dry event and so we cannot continue. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5085)
-