- 27 Feb, 2017 1 commit
-
-
Adrian Vollmer authored
...in the man page to reflect the actual default (2048 instead of 512) CLA: trivial Reviewed-by:
Richard Levitte <levitte@openssl.org> Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2754) (cherry picked from commit 013bc448)
-
- 25 Feb, 2017 2 commits
-
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
- 23 Feb, 2017 8 commits
-
-
Pauli authored
Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
-
Andy Polyakov authored
Travis OS X utilization and backlog statistics suggest that it became bottleneck for our integration builds with requests piling up for days during working days of the week. Suggestion is to remove osx till capacity is lesser issue. Reviewed-by:
-
Todd Short authored
If ret is allocated, it may be leaked on error. Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Rich Salz authored
Avoid a -Wundef warning in o_str.c Avoid a -Wundef warning in testutil.h Include internal/cryptlib.h before openssl/stack.h to avoid use of undefined symbol OPENSSL_API_COMPAT. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
The library files are built with symbol names as is, while the application is built with the default uppercase-all-symbols mode. That's fine for public APIs, because we have __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H automatically telling the compiler how to treat the public header files. However, we don't have the same setup for internal library APIs, since they are usually only used by the libraries. Because apps/rehash.c uses a library internal header file, we have to surround that inclusion with the same kind of pragmas found in __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, or we get unresolved symbols when building no-shared. Reviewed-by:
-
Richard Levitte authored
The generation number is ';nnn' at the end of the file name fetched with readdir(). Because rehash checks for specific extensions and doesn't expect an additional generation number, the easiest is to massage the received file name early by simply removing the generation number. Reviewed-by:
-
Richard Levitte authored
Also, don't exit with an error code Reviewed-by:
-
- 22 Feb, 2017 6 commits
-
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Rich Salz authored
Prevent that memory beyond the last element is accessed if every element of group->poly[] is non-zero Reviewed-by:
-
Richard Levitte authored
A spelling error prevented it from building correctly. Furthermore, we need to be more careful when to add a / at the end of the dirname and when not. Reviewed-by:
-
Richard Levitte authored
opendir(), readdir() and closedir() have been available on VMS since version 7.0. Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
- 21 Feb, 2017 8 commits
-
-
Bernd Edlinger authored
Reviewed-by:
Matt Caswell <matt@openssl.org> Reviewed-by:
-
Dmitry Belyavskiy authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Rich Salz authored
Change size comparison from > (GT) to >= (GTE) to ensure an additional byte of output buffer, to prevent OOB reads/writes later in the function Reject input strings larger than 2GB Detect invalid output buffer size and return early Reviewed-by:
-
Hikar authored
CLA: trivial. Reviewed-by:
-
Pauli authored
The sh_add_to_list function will overwrite subsequent slots in the free list for small allocations. This causes a segmentation fault if the writes goes off the end of the secure memory. I've not investigated if this problem can overwrite memory without the segmentation fault, but it seems likely. This fix limits the minsize to the sizeof of the SH_LIST structure (which also has a side effect of properly aligning the pointers). The alternative would be to return an error if minsize is too small. Reviewed-by:
-
Rich Salz authored
Prevent undefined behavior in CRYPTO_cbc128_encrypt: calling this function with the 'len' parameter being 0 would result in a memcpy where the source and destination parameters are the same, which is undefined behavior. Do same for AES_ige_encrypt. Reviewed-by:
-
- 19 Feb, 2017 1 commit
-
-
Richard Levitte authored
On VMS, file names with more than one period get all but the last get escaped with a ^, so 21-key-update.conf.in becomes 21-key-update^.conf.in That means that %conf_dependent_tests and %skip become useless unless we massage the file names that are used as indexes. Reviewed-by:
-
- 17 Feb, 2017 5 commits
-
-
Richard Levitte authored
For example, 'no-dtls1 no-dtls1_2' will imply 'no-dtls' Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Richard Levitte authored
Don't run this test unless 'openssl rehash' works properly. Reviewed-by:
-
Richard Levitte authored
Fortunately, "openssl verify" makes good use of that API Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- 16 Feb, 2017 9 commits
-
-
Matt Caswell authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
lrns authored
it also accepts 20 bytes, but states 'less than' in the error message Reviewed-by:
-
Benjamin Kaduk authored
The intent seems to be that the WIN32 symbol is for things that are a direct byproduct of being a windows-variant configuration and should be used for feature en/disablement on windows systems. Use of the _WIN32 symbol is more widespread, being used to implement platform portability of more generic code. We do define WIN32 in some situations in e_os.h, but that is not included universally. Reviewed-by:
-
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Following on from CVE-2017-3733, this removes the OPENSSL_assert() check that failed and replaces it with a soft assert, and an explicit check of value with an error return if it fails. Reviewed-by: -
Matt Caswell authored
Changing the ciphersuite during a renegotiation can result in a crash leading to a DoS attack. ETM has not been implemented in 1.1.0 for DTLS so this is TLS only. The problem is caused by changing the flag indicating whether to use ETM or not immediately on negotiation of ETM, rather than at CCS. Therefore, during a renegotiation, if the ETM state is changing (usually due to a change of ciphersuite), then an error/crash will occur. Due to the fact that there are separate CCS messages for read and write we actually now need two flags to determine whether to use ETM or not. CVE-2017-3733 Reviewed-by:
-
