| Age | Commit message (Collapse) | Author |
|---|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 776e15f9393a9e3083bec60a8da376ce2fe1e97e)
|
|
Never output -0; make "negative zero" an impossibility.
Do better checking on BN_rand top/bottom requirements and #bits.
Update doc.
Ignoring trailing garbage in BN_asc2bn.
Port this commit from boringSSL: https://boringssl.googlesource.com/boringssl/+/899b9b19a4cd3fe526aaf5047ab9234cdca19f7d%5E!/
Ensure |BN_div| never gives negative zero in the no_branch code.
Have |bn_correct_top| fix |bn->neg| if the input is zero so that we
don't have negative zeros lying around.
Thanks to Brian Smith for noticing.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 01c09f9fde5793e0b3712d602b02e2aed4908e8d)
(Some manual work required)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2a9afa4046592d44af84644cd89fe1a0d6d46889)
|
|
RT4386: Add sanity checks for BN_new()
RT4384: Missing Sanity Checks for RSA_new_method()
RT4384: Missing Sanity Check plus potential NULL pointer deref
RT4382: Missing Sanity Check(s) for BUF_strdup()
RT4380: Missing Sanity Checks for EVP_PKEY_new()
RT4377: Prevent potential NULL pointer dereference
RT4375: Missing sanity checks for OPENSSL_malloc()
RT4374: Potential for NULL pointer dereferences
RT4371: Missing Sanity Check for malloc()
RT4370: Potential for NULL pointer dereferences
Also expand tabs, make update, typo fix (rsalz)
Minor tweak by Paul Dale.
Some minor internal review feedback.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
RT#4603
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
OBJ_nid2obj() and friends should be treated as const.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 5d28ff38fd4127c5894d22533e842ee446c3d3c2)
|
|
This reverts commit 58b18779ba6e6060ac357cd0803d83317ed00f8b.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
OBJ_nid2obj() and friends should be treated as const.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 82f31fe4dd0dac30229fa8684229b49d2bcef404)
|
|
[Note that in master declaration is different.]
RT#4568
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Manual cherry-pick of 538860a3ce0b9fd142a7f1a62e597cccb74475d3.
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
According to the x509 man page in the section discussing -certopt it says
that the ca_default option is the same as that used by the ca utility and
(amongst other things) has the effect of suppressing printing of the
signature - but in fact it doesn't. This error seems to have been present
since the documentation was written back in 2001. It never had this effect.
The default config file sets the certopt value to ca_default. The ca utility
takes that and THEN adds additional options to suppress printing of the
signature. So the ca utility DOES suppress printing of the signature - but
it is not as a result of using the ca_default option.
GitHub Issue #247
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 39a470088af6f833bd1a912908c44bf4a9f48b0c)
|
|
Don't copy parameters is they're already present in the destination.
Return error if an attempt is made to copy different parameters to
destination. Update documentation.
If key type is not initialised return missing parameters
RT#4149
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f72f00d49549c6620d7101f5e9bf7963da6df9ee)
|
|
This reverts commit 54fc5795c9f7d0dc95d537672c716c9d250eb0fb.
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
RT#1466
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a37458c1bf76c603cc27e8baf32ac2aa1cd7662e)
|
|
The given sizes to not include the final NUL character.
RT#2622
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 727ee8cfeb2893d5aec4a6e571e9adf0667e9135)
|
|
When *pp is NULL, don't write garbage, return an unexpected pointer
or leak memory on error.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
RT#4538
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 981b5bb8efca8a8adbf6a567e3a401c586a694cc)
|
|
BIO_eof() was always returning true when using a BIO pair. It should only
be true if the peer BIO is empty and has been shutdown.
RT#1215
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 3105d695358d86c0f2a404b2b74a1870b941ce5e)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b1b3e14fbeb373a288ba20402600e071e6f402f8)
|
|
A few functions in the recently added EVP_EncodeInit docs don't apply to
the 1.0.x branches.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
If no serverinfo extension is found in some cases, do not abort the handshake,
but simply omit/skip that extension.
Check for already-registered serverinfo callbacks during serverinfo
registration.
Update SSL_CTX_use_serverinfo() documentation to mention the need to reload the
same serverinfo per certificate, for servers with multiple server certificates.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
* Perform ALPN after the SNI callback; the SSL_CTX may change due to
that processing
* Add flags to indicate that we actually sent ALPN, to properly error
out if unexpectedly received.
* document ALPN functions
* unit tests
Backport of commit 817cd0d52f0462039d1fe60462150be7f59d2002
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Change the default keysize to 2048 bits, and the minimum to 512 bits.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a76265574398944d686d2d0de9bacca162f555ca)
|
|
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 53619f9f40740ae8b256998574758aa191635db8)
|
|
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 8ab31975bacb9c907261088937d3aa4102e3af84)
|
|
Modified version of the commit ffaef3f15 in the master branch by Stephen
Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
generates a new DH key for every handshake regardless.
CVE-2016-0701 (fix part 2 or 2)
Issue reported by Antonio Sanso
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
|
|
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1918e01c9f915e2eba31a5e2f86f0a5daa4fafb6)
|
|
Describe the usage of the OCSP callback functions on both the client and
the server side.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
|
|
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
RT: #4192, MR: #1533
(cherry picked from commit d938e8dfee16e6bb5427eac7bda32337634ce130)
|
|
No dummy arguments.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
EVP_SignInit_ex was missing from the NAME section of its man page so
typing "man EVP_SignInit_ex" failed to load the page.
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 3d866ea67e8b19777e88ac2a78ee4188e0983168)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d900a015b5a89ea2018e6122dd2738925e4d68ab)
|
|
Previous language was unclear. New language isn't pretty but I believe
it is more accurate.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8cbb048c3ea416f2bd8a3706d027f3aa26ef08d9)
|
|
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 21b0fa91186ff1c1c3d956c0593ef4ac02521695)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 58e3457a82e8940ff36b36949f9c7a60e7614b2c)
|
|
Was only approved for master, to avoid compatibility issues on
previous releases.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
If the field separator isn't specified through -nameopt then use
XN_FLAG_SEP_CPLUS_SPC instead of printing nothing and returing an error.
PR#2397
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 03706afa30aeb4407287171a9d6f9a765395d0a2)
|
|
No, we should just delete it. And updated the README
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8db78781069697cfa30a2261413f33f5055a2838)
|
|
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 36ac7bc8a9c856bcdff6eecdaca128ccc5430a1e)
|
|
Apparently, emacs sees changes to auto-fill-mode as insecure
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6dc08048d93ff35de882878f190ae49aa698b5d2)
|
