- May 23, 2017
-
-
Paul Yang authored
In the example section. CLA: trivial Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3520) (cherry picked from commit 719b289d)
-
- May 22, 2017
-
-
Alex Gaynor authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3519)
-
Todd Short authored
Remove assertion when mmap() fails. Only give the 1<<31 limit test as an example. Fix the small arena test to just check for the symptom of the infinite loop (i.e. initialized set on failure), rather than the actual infinite loop. This avoids some valgrind errors. Backport of: PR #3512 commit fee423bb PR #3510 commit a486561b PR #3455 commit c8e89d58 PR #3449 commit 7031ddac Issue 1: sh.bittable_size is a size_t but i is and int, which can result in freelist == -1 if sh.bittable_size exceeds an int. This seems to result in an OPENSSL_assert due to invalid allocation size, so maybe that is "ok." Worse, if sh.bittable_size is exactly 1<<31, then this becomes an infinite loop (because 1<<31 is a negative int, so it can be shifted right forever and sticks at -1). Issue 2: CRYPTO_secure_malloc_init() sets secure_mem_initialized=1 even when sh_init() returns 0. If sh_init() fails, we end up with secure_mem_initialized=1 but sh.minsize=0. If you then call secure_malloc(), which then calls, sh_malloc(), this then enters an infite loop since 0 << anything will never be larger than size. Issue 3: That same sh_malloc loop will loop forever for a size greater than size_t/2 because i will proceed (assuming sh.minsize=16): i=16, 32, 64, ..., size_t/8, size_t/4, size_t/2, 0, 0, 0, 0, .... This sequence will never be larger than "size". Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3453)
-
Diego Santa Cruz authored
The password_callback() function does not necessarily NULL terminate the password buffer, the caller must use the returned length but the srp app uses this function as if it was doing NULL termination. This made the -passin and -passout options of "openssl srp" fail inexpicably and randomly or even crash. Fixed by enlarging the buffer by one, so that the maximum password length remains unchanged, and adding NULL termination upon return. [Rearrange code for coding style compliance in process.] Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3475) (cherry picked from commit 0e83981d)
-
Andy Polyakov authored
Switch to TAP::Harness inadvertently masked test failures. Test::Harness::runtests was terminating with non-zero exit code in case of failure[s], while TAP::Harness apparently holds caller responsible for doing so. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- May 21, 2017
-
-
Rich Salz authored
update pkcs12, smime, ts apps. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3507) (cherry picked from commit 48b53522)
-
- May 19, 2017
-
-
Diego Santa Cruz authored
With the -list option the srp app loops on the main while() endlessly, whether users were given on the command line or not. The loop should be stopped when in list mode and there are no more users. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3489) (cherry picked from commit 5ec3210f)
-
Matt Caswell authored
Fixes #1526 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3360) (cherry picked from commit 9bfeeef8)
-
Matt Caswell authored
Fixes #1526 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3360) (cherry picked from commit 69443116)
-
- May 17, 2017
-
-
Richard Levitte authored
Notifications can be (and should be) configured on account basis on the CI web site. This avoids getting emails to openssl-commits for personal accounts that also build OpenSSL stuff. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3484) (cherry picked from commit 7a94f5b0)
-
- May 15, 2017
-
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3469) (cherry picked from commit 62f218cb)
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3468) (cherry picked from commit a3cb4cfc)
-
- May 12, 2017
-
-
Todd Short authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3439) (cherry picked from commit 80a2fc41)
-
- May 11, 2017
-
-
Richard Levitte authored
BIO_socket_ioctl is only implemented on VMS for VMS version 7.0 and up, but since we only support version 7.1 and up, there's no need to check the VMS version. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3448) (cherry picked from commit b57f0c59)
-
Richard Levitte authored
Not exactly everywhere, but in those source files where stdint.h is included conditionally, or where it will be eventually Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3447) (cherry picked from commit 74a011eb)
-
Patrick Steuer authored
crypto/asn1/a_strex.c: Type of width variable in asn1_valid_host function needs to be changed from char to signed char to avoid build error due to '-Werror=type-limits'. Signed-off-by: Patrick Steuer <psteuer@mail.de> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> CLA: trivial (cherry picked from commit 34657a8d)
-
Tomas Mraz authored
Allow conversion of existing requests to certificates again. Fixes the issue #3396 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3437) (cherry picked from commit 888adbe0)
-
Pauli authored
The second BN_is_zero test can never be true. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3434) (cherry picked from commit 3f970523)
-
- May 10, 2017
-
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3420) (cherry picked from commit 05004f36)
-
Matt Caswell authored
Test that custom extensions still work even after a change in SSL_CTX due to SNI. See #2180. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3426)
-
Matt Caswell authored
The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for a connection as part of an SNI callback. One result of this is that the s->cert structure is replaced. However this structure contains information about any custom extensions that have been loaded. In particular flags are set indicating whether a particular extension has been received in the ClientHello. By replacing the s->cert structure we lose the custom extension flag values, and it appears as if a client has not sent those extensions. SSL_set_SSL_CTX() should copy any flags for custom extensions that appear in both the old and the new cert structure. Fixes #2180 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3426)
-
Richard Levitte authored
TAP:Harness came along in perl 5.10.1, and since we claim to support perl 5.10.0 in configuration and testing, we can only load it conditionally. The main reason to use TAP::Harness rather than Test::Harness is its capability to merge stdout and stderr output from the test recipes, which Test::Harness can't. The merge gives much more comprehensible output when testing verbosely. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3424) (cherry picked from commit 76e0d0b2)
-
- May 09, 2017
-
-
Matt Caswell authored
This trace option does not appear in Configure as a separate option and is undocumented. It can be switched on using "-DOPENSSL_SSL_TRACE_CRYPTO", however this does not compile in master or in any 1.1.0 released version. (cherry picked from commit eee2750b ) Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3413)
-
- May 08, 2017
-
-
Meena Vyas authored
Fixed compilation warning in file aesgcm.c Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3406) (cherry picked from commit d396da33)
-
- May 05, 2017
-
-
Andy Polyakov authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit ce1932f2)
-
Andy Polyakov authored
Perl, multiple versions, for some reason occasionally takes issue with letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as 0xb1 came out wrong when generating code for MASM. Fixes GH#3241. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3385) (cherry picked from commit c47aea8a)
-
- May 04, 2017
-
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3388) (cherry picked from commit 1d3235f8)
-
Matt Caswell authored
The init code uses DSO_dsobyaddr() to leak a reference to ourselves to ensure we remain loaded until atexit() time. In some circumstances that can fail and leave stale errors on the error queue. Fixes #3372 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3383) (cherry picked from commit 689f112d)
-
- May 02, 2017
-
-
Rich Salz authored
Fixes #2360 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3366) (cherry picked from commit c41048ff)
-
Matt Caswell authored
Fixes #1653 reported by Guido Vranken Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3362) (cherry picked from commit 75a3e392)
-
Rich Salz authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3365) (cherry picked from commit dea0eb2c)
-
Todd Short authored
ASN1_GENERALIZEDTIME and ASN1_UTCTIME may be specified using offsets, even though that's not supported within certificates. To convert the offset time back to GMT, the offsets are supposed to be subtracted, not added. e.g. 1759-0500 == 2359+0100 == 2259Z. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3335)
-
- Apr 30, 2017
-
-
Andy Polyakov authored
"Next" refers to negative minimum "next" to one presentable by given number of bytes. For example, -128 is negative minimum presentable by one byte, and -256 is "next" one. Thanks to Kazuki Yamaguchi for report, GH#3339 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 1e93d619)
-
- Apr 28, 2017
-
-
Rich Salz authored
Bug found and fix suggested by Julian Rüth. Push error if fflush fails Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3266) (cherry picked from commit 595b2a42)
-
Rich Salz authored
Also add a comment describing the file format. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3337) (cherry picked from commit 9a837f22)
-
Richard Levitte authored
When you want to debug a test that goes wrong, it's useful to know exactly what subprocess commands are run. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3342) (cherry picked from commit 46d5e2b4)
-
- Apr 27, 2017
-
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3336) (cherry picked from commit f2150cd7)
-
Bernd Edlinger authored
It is not necessary to remove leading zeros here because RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done in constant time, this might have leaked timing information. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3313) (cherry picked from commit 237bc6c9)
-
- Apr 26, 2017
-
-
Rob Percival authored
This resulted in the SCT timestamp check always failing, because the timestamp appeared to be in the future. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3260)
-
Rob Percival authored
The only SSL tests prior to this tested using certificates with no embedded Signed Certificate Timestamps (SCTs), which meant they couldn't confirm whether Certificate Transparency checks in "strict" mode were working. These tests reveal a bug in the validation of SCT timestamps, which is fixed by the next commit. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3260)
-