oweals/openssl.git
7 years agoutil/copy.pl: work around glob quirk in some of earlier 5.1x Perl versions.
Andy Polyakov [Tue, 7 Nov 2017 20:38:30 +0000 (21:38 +0100)]
util/copy.pl: work around glob quirk in some of earlier 5.1x Perl versions.

In earlier 5.1x Perl versions quoting globs works only if there is
white space. If there is none, it's looking for names starting with ".

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4696)

7 years ago{aes-armv4|bsaes-armv7|sha256-armv4}.pl: make it work with binutils-2.29
Andy Polyakov [Sun, 5 Nov 2017 16:08:16 +0000 (17:08 +0100)]
{aes-armv4|bsaes-armv7|sha256-armv4}.pl: make it work with binutils-2.29

It's not clear if it's a feature or bug, but binutils-2.29[.1]
interprets 'adr' instruction with Thumb2 code reference differently,
in a way that affects calculation of addresses of constants' tables.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4673)

7 years agoFix error handling in heartbeat processing
Bernd Edlinger [Mon, 6 Nov 2017 10:27:41 +0000 (11:27 +0100)]
Fix error handling in heartbeat processing

Fixes: #4590

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4681)

7 years agoDon't error with -1 for BIGNUM exp operations
Matt Caswell [Mon, 6 Nov 2017 11:18:35 +0000 (11:18 +0000)]
Don't error with -1 for BIGNUM exp operations

The man pages say that BIGNUM arithmetic operations fail with a 0 return.
However some functions were returning -1 on error. In master and 1.1.0 they
already return 0, so this brings 1.0.2 in line.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4682)

7 years agoFix an endless loop in rsa_builtin_keygen.
Rich Salz [Mon, 6 Mar 2017 14:54:17 +0000 (09:54 -0500)]
Fix an endless loop in rsa_builtin_keygen.

Cherry-picked by Matt Caswell from 69795831.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4670)

7 years agoAdd error handling in dsa_main and ASN1_i2d_bio.
Pavel Kopyl [Fri, 27 Oct 2017 13:13:11 +0000 (16:13 +0300)]
Add error handling in dsa_main and ASN1_i2d_bio.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

(cherry picked from commit a6f622bc99ffdc7b34199babb9d200b24a7a6431)

7 years agoCheck return value of OBJ_nid2obj in dsa_pub_encode.
Pavel Kopyl [Fri, 27 Oct 2017 13:18:06 +0000 (16:18 +0300)]
Check return value of OBJ_nid2obj in dsa_pub_encode.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

(cherry picked from commit 7760384b403a61824c43cc767a11cd22abfa9e49)

7 years agoFix no-ssl3-method build
Kurt Roeckx [Thu, 2 Nov 2017 17:53:16 +0000 (18:53 +0100)]
Fix no-ssl3-method build

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #4649

7 years agoPrepare for 1.0.2n-dev
Matt Caswell [Thu, 2 Nov 2017 14:34:50 +0000 (14:34 +0000)]
Prepare for 1.0.2n-dev

Reviewed-by: Andy Polyakov <appro@openssl.org>
7 years agoPrepare for 1.0.2m release OpenSSL_1_0_2m
Matt Caswell [Thu, 2 Nov 2017 14:33:44 +0000 (14:33 +0000)]
Prepare for 1.0.2m release

Reviewed-by: Andy Polyakov <appro@openssl.org>
7 years agomake update
Matt Caswell [Thu, 2 Nov 2017 14:33:44 +0000 (14:33 +0000)]
make update

Reviewed-by: Andy Polyakov <appro@openssl.org>
7 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Thu, 2 Nov 2017 11:23:17 +0000 (11:23 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Andy Polyakov <appro@openssl.org>
7 years agobn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.
Andy Polyakov [Thu, 17 Aug 2017 19:08:57 +0000 (21:08 +0200)]
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.

Credit to OSS-Fuzz for finding this.

CVE-2017-3736

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoAddress a timing side channel whereby it is possible to determine some
Pauli [Tue, 31 Oct 2017 23:47:13 +0000 (09:47 +1000)]
Address a timing side channel whereby it is possible to determine some

information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Refer to #4576 for further details.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4623)

7 years agoAddress a timing side channel whereby it is possible to determine some
Pauli [Tue, 31 Oct 2017 20:58:13 +0000 (06:58 +1000)]
Address a timing side channel whereby it is possible to determine some

information about the length of a value used in DSA operations from
a large number of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4642)

7 years agoFix weak digest in TLS 1.2 with SNI.
David Benjamin [Mon, 23 Oct 2017 23:13:05 +0000 (19:13 -0400)]
Fix weak digest in TLS 1.2 with SNI.

1ce95f19601bbc6bfd24092c76c8f8105124e857 was incomplete and did not
handle the case when SSL_set_SSL_CTX was called from the cert_cb
callback rather than the SNI callback. The consequence is any server
using OpenSSL 1.0.2 and the cert_cb callback for SNI only ever signs a
weak digest, SHA-1, even when connecting to clients which use secure
ones.

Fix this and add regression tests for both this and the original issue.

Fixes #4554.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4577)

7 years agoUse malloc/memset not calloc for WinCE portability
Richard Levitte [Thu, 26 Oct 2017 18:49:47 +0000 (20:49 +0200)]
Use malloc/memset not calloc for WinCE portability

Fixes: #2539

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4594)

7 years agoDon't use strcasecmp and strncasecmp for IA5 strings
Matt Caswell [Fri, 20 Oct 2017 16:11:03 +0000 (17:11 +0100)]
Don't use strcasecmp and strncasecmp for IA5 strings

The functions strcasecmp() and strncasecmp() will use locale specific rules
when performing comparison. This could cause some problems in certain
locales. For example in the Turkish locale an 'I' character is not the
uppercase version of 'i'. However IA5 strings should not use locale specific
rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the
Turkish locale.

This fixes a bug in name constraints checking reported by Thomas Pornin
(NCCGroup).

This is not considered a security issue because it would require both a
Turkish locale (or other locale with similar issues) and malfeasance by
a trusted name-constrained CA for a certificate to pass name constraints
in error. The constraints also have to be for excluded sub-trees which are
extremely rare. Failure to match permitted subtrees is a bug, not a
vulnerability.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4570)

7 years agoDon't make any changes to the lhash structure if we are going to fail
Matt Caswell [Wed, 18 Oct 2017 13:07:57 +0000 (14:07 +0100)]
Don't make any changes to the lhash structure if we are going to fail

The lhash expand() function can fail if realloc fails. The previous
implementation made changes to the structure and then attempted to do a
realloc. If the realloc failed then it attempted to undo the changes it
had just made. Unfortunately changes to lh->p were not undone correctly,
ultimately causing subsequent expand() calls to increment num_nodes to a
value higher than num_alloc_nodes, which can cause out-of-bounds reads/
writes. This is not considered a security issue because an attacker cannot
cause realloc to fail.

This commit moves the realloc call to near the beginning of the function
before any other changes are made to the lhash structure. That way if a
failure occurs we can immediately fail without having to undo anything.

Thanks to Pavel Kopyl (Samsung) for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4551)

7 years agoasn1_item_embed_new(): don't free an embedded item
Richard Levitte [Tue, 24 Oct 2017 11:42:41 +0000 (13:42 +0200)]
asn1_item_embed_new(): don't free an embedded item

The previous change with this intention didn't quite do it.  An
embedded item must not be freed itself, but might potentially contain
non-embedded elements, which must be freed.

So instead of calling ASN1_item_ex_free(), where we can't pass the
combine flag, we call asn1_item_embed_free() directly.

This changes asn1_item_embed_free() from being a static function to
being a private non-static function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4578)

7 years agoFix memory leak in GENERAL_NAME_set0_othername.
Xiangyu Bu [Wed, 18 Oct 2017 00:10:53 +0000 (17:10 -0700)]
Fix memory leak in GENERAL_NAME_set0_othername.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4544)

(cherry picked from commit 04761b557a53f026630dd5916b2b8522d94579db)

7 years agoasn1_item_embed_new(): don't free an embedded item
Richard Levitte [Mon, 23 Oct 2017 14:48:17 +0000 (16:48 +0200)]
asn1_item_embed_new(): don't free an embedded item

An embedded item wasn't allocated separately on the heap, so don't
free it as if it was.

Issue discovered by Pavel Kopyl

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4571)

7 years agoAdditional name for all commands
Rich Salz [Thu, 19 Oct 2017 12:22:12 +0000 (08:22 -0400)]
Additional name for all commands

Add openssl-foo as a name for the openssl "foo" command.
Recommended by a usability study conducted by Martin Ukrop at CRoCS, FI MU
Fixes: #4548
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4557)

7 years agoDon't use colortable; avoid Win32 overwrite
Rich Salz [Wed, 4 Oct 2017 19:00:23 +0000 (15:00 -0400)]
Don't use colortable; avoid Win32 overwrite

Thanks to Jo Hornsby for reporting this and helping with the fix.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4464)

7 years agoEnsure we test all parameters for BN_FLG_CONSTTIME
Matt Caswell [Wed, 27 Sep 2017 10:13:47 +0000 (11:13 +0100)]
Ensure we test all parameters for BN_FLG_CONSTTIME

RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
BN_mod_exp() as follows:

BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)

ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
BN_mod_exp() we only test the third param for the existence of this flag.
We should test all the inputs.

Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this
issue.

This typically only happens once at key load, so this is unlikely to be
exploitable in any real scenario.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4477)

(cherry picked from commit e913d11f444e0b46ec1ebbf3340813693f4d869d)

7 years agoFix backport by moving file.
Dr. Stephen Henson [Mon, 2 Oct 2017 22:15:32 +0000 (23:15 +0100)]
Fix backport by moving file.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4453)

7 years agoDocument missing EVP_PKEY_method_* items
Paul Yang [Mon, 21 Aug 2017 15:47:17 +0000 (11:47 -0400)]
Document missing EVP_PKEY_method_* items

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 43f985fdbf4e5c2d5c95a717cc644f000de8bc75)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4453)

7 years agoupdate ordinals
Dr. Stephen Henson [Mon, 2 Oct 2017 20:08:17 +0000 (21:08 +0100)]
update ordinals

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4453)

7 years agoEVP_PKEY_METHOD accessor functions.
Dr. Stephen Henson [Mon, 20 Jul 2015 21:05:10 +0000 (22:05 +0100)]
EVP_PKEY_METHOD accessor functions.

Functions to retrieve the function pointer of an existing method: this
can be used to create a method which intercepts or modifies the behaviour
of an existing method while retaining most of the existing behaviour.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e7451ed137450e4bc6c4bec33bc9054bce443feb)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4453)

7 years agoFix the return type of felem_is_zero_int which should be int.
Bernd Edlinger [Mon, 2 Oct 2017 15:24:17 +0000 (17:24 +0200)]
Fix the return type of felem_is_zero_int which should be int.
Change argument type of xxxelem_is_zero_int to const void*
to avoid the need of type casts.

Fixes #4413

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4450)

(cherry picked from commit c55b786a8911cef41f890735ba5fde79e116e055)

7 years agoAdded const-time flag to DSA key decoding to avoid potential leak of privkey
Samuel Weiser [Fri, 29 Sep 2017 11:29:25 +0000 (13:29 +0200)]
Added const-time flag to DSA key decoding to avoid potential leak of privkey

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4440)

(cherry picked from commit 6364475a990449ef33fc270ac00472f7210220f2)

7 years agodoc: note that the BN_new() initialises the BIGNUM
Hubert Kario [Fri, 29 Sep 2017 13:40:43 +0000 (15:40 +0200)]
doc: note that the BN_new() initialises the BIGNUM

BN_new() and BN_secure_new() not only allocate memory, but also
initialise it to deterministic value - 0.

Document that behaviour to make it explicit

backport from #4438

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4443)

7 years agodoc: BN_free() is NULL-safe
Hubert Kario [Fri, 29 Sep 2017 11:27:32 +0000 (13:27 +0200)]
doc: BN_free() is NULL-safe

document that parameter to BN_free can be NULL

backport from master

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4439)

7 years agoBN_copy now propagates BN_FLG_CONSTTIME
Samuel Weiser [Sat, 16 Sep 2017 14:52:44 +0000 (16:52 +0200)]
BN_copy now propagates BN_FLG_CONSTTIME

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

(cherry picked from commit 9f9442918aeaed5dc2442d81ab8d29fe3e1fb906)

7 years agoFixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could...
Samuel Weiser [Fri, 15 Sep 2017 20:12:53 +0000 (22:12 +0200)]
Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

(cherry picked from commit 3de81a5912041a70884cf4e52e7213f3b5dfa747)

7 years agoMake sure that a cert with extensions gets version number 2 (v3)
Richard Levitte [Tue, 26 Sep 2017 08:45:05 +0000 (10:45 +0200)]
Make sure that a cert with extensions gets version number 2 (v3)

Fixes #4419

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4421)

7 years agoFix overflow in c2i_ASN1_BIT_STRING.
David Benjamin [Mon, 18 Sep 2017 19:58:41 +0000 (15:58 -0400)]
Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int.  Check
bounds before doing so. Previously, excessively large inputs to the
function could write a single byte outside the target buffer. (This is
unreachable as asn1_ex_c2i already uses int for the length.)

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4385)

(cherry picked from commit 6b1c8204b33aaedb7df7a009c241412839aaf950)

7 years agoUpdate rsautl.pod for typo
multics [Sun, 10 Sep 2017 13:02:07 +0000 (21:02 +0800)]
Update rsautl.pod for typo

Fixes the typo
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4354)

(cherry picked from commit f70c22eb23763c6dce050293cc1b9a0a234d72b2)

7 years agoFix error handling/cleanup
Rich Salz [Thu, 7 Sep 2017 20:17:06 +0000 (16:17 -0400)]
Fix error handling/cleanup

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4326)
(cherry picked from commit 180794c54e98ae467c4ebced3737e1ede03e320a)

7 years agoAvoid out-of-bounds read
Rich Salz [Tue, 22 Aug 2017 15:44:41 +0000 (11:44 -0400)]
Avoid out-of-bounds read

Fixes CVE 2017-3735

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4276)

(cherry picked from commit b23171744b01e473ebbfd6edad70c1c3825ffbcd)

7 years agoRemove an out of date reference to RT
Matt Caswell [Fri, 25 Aug 2017 13:39:07 +0000 (14:39 +0100)]
Remove an out of date reference to RT

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4260)

7 years agoFix cherry-pick; move file.
Rich Salz [Wed, 23 Aug 2017 21:51:56 +0000 (17:51 -0400)]
Fix cherry-pick; move file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4238)

7 years agoCorrect GCM docs.
Dr. Stephen Henson [Wed, 23 Aug 2017 23:00:31 +0000 (00:00 +0100)]
Correct GCM docs.

Fix GCM documentation: the tag does not have to be supplied before
decrypting any data any more.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4231)

7 years agoTweak wording to be more clear.
Rich Salz [Wed, 23 Aug 2017 16:06:41 +0000 (12:06 -0400)]
Tweak wording to be more clear.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4234)

(cherry picked from commit a130950df92abf7dd787b000403da02af8f41c2d)

7 years agoUse casts for arguments to ctype functions.
Pauli [Mon, 21 Aug 2017 23:10:50 +0000 (09:10 +1000)]
Use casts for arguments to ctype functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4212)

7 years agoSet FIPS thread id callback.
Dr. Stephen Henson [Fri, 18 Aug 2017 16:58:05 +0000 (17:58 +0100)]
Set FIPS thread id callback.

Fixes #4180

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4192)

7 years agoFix OCSP_basic_verify() cert chain construction in case bs->certs is NULL (backport)
David von Oheimb [Thu, 17 Aug 2017 19:45:06 +0000 (21:45 +0200)]
Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL (backport)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4183)

7 years agoerr/err.c: fix "wraparound" bug in ERR_set_error_data.
Andy Polyakov [Wed, 16 Aug 2017 21:06:57 +0000 (23:06 +0200)]
err/err.c: fix "wraparound" bug in ERR_set_error_data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d3d880ce01cfaf0091f46a2f6b5bd146d47a93e7)

7 years agoClear outputs in PKCS12_parse error handling.
Bernd Edlinger [Sat, 12 Aug 2017 08:02:09 +0000 (10:02 +0200)]
Clear outputs in PKCS12_parse error handling.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4146)

7 years agoFix 'no-cms'
Richard Levitte [Thu, 6 Jul 2017 08:11:17 +0000 (10:11 +0200)]
Fix 'no-cms'

Fixes #3867

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3873)

7 years agoAdd missing HTML tag in www_body in s_server.c
Xiaoyin Liu [Sat, 5 Aug 2017 06:31:04 +0000 (02:31 -0400)]
Add missing HTML tag in www_body in s_server.c

In the generated HTML document, the `<pre>` tag is not closed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4088)
(cherry picked from commit 1a9f5cf0d58629ab8972f50e937d8ab78bf27b6f)

7 years agoAvoid surpising password dialog in X509 file lookup.
Bernd Edlinger [Mon, 7 Aug 2017 16:02:53 +0000 (18:02 +0200)]
Avoid surpising password dialog in X509 file lookup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4111)

(cherry picked from commit db854bb14a7010712cfc02861731399b1b587474)

7 years agoAdd NOTTOOLONG macro for more clear code.
Rich Salz [Mon, 7 Aug 2017 16:36:39 +0000 (12:36 -0400)]
Add NOTTOOLONG macro for more clear code.

Also fix one missing use of it. Thanks to GitHub user Vort for finding
it and pointing out the fix.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4106)

7 years agoAdd a missing CRYPTO_w_unlock in get_cert_by_subject
Bernd Edlinger [Fri, 4 Aug 2017 06:11:24 +0000 (08:11 +0200)]
Add a missing CRYPTO_w_unlock in get_cert_by_subject

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4084)

7 years agoFix an information leak in the RSA padding check code.
Bernd Edlinger [Mon, 31 Jul 2017 18:38:26 +0000 (20:38 +0200)]
Fix an information leak in the RSA padding check code.
The memory blocks contain secret data and must be
cleared before returning to the system heap.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4063)

7 years agoClean password buffer on stack for PEM_read_bio_PrivateKey
Bernd Edlinger [Sat, 29 Jul 2017 10:19:29 +0000 (12:19 +0200)]
Clean password buffer on stack for PEM_read_bio_PrivateKey
and d2i_PKCS8PrivateKey_bio before it goes out of scope.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4047)

(cherry picked from commit 02fd47c8b0930dff9b188fd13bfb9da5e59444a8)

7 years agoFix a reference nit in doc
Paul Yang [Fri, 28 Jul 2017 05:31:27 +0000 (13:31 +0800)]
Fix a reference nit in doc

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4036)

(cherry picked from commit dbd007d7d2cae4891936aed55949b55b776b97ec)

7 years agoBackport X509_check_private_key.pod
Paul Yang [Mon, 24 Jul 2017 08:02:47 +0000 (16:02 +0800)]
Backport X509_check_private_key.pod

to address #3973, and original PR to master branch is #3614

test case in the original PR is not applied.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4002)

7 years agoFix comment typo.
David Benjamin [Wed, 26 Jul 2017 16:30:27 +0000 (12:30 -0400)]
Fix comment typo.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4023)

(cherry picked from commit d67e755418b62fb451ec221c126c9935a06ea63b)

7 years agox86_64 assembly pack: "optimize" for Knights Landing.
Andy Polyakov [Mon, 24 Jul 2017 19:50:52 +0000 (21:50 +0200)]
x86_64 assembly pack: "optimize" for Knights Landing.

"Optimize" is in quotes because it's rather a "salvage operation"
for now. Idea is to identify processor capability flags that
drive Knights Landing to suboptimial code paths and mask them.
Two flags were identified, XSAVE and ADCX/ADOX. Former affects
choice of AES-NI code path specific for Silvermont (Knights Landing
is of Silvermont "ancestry"). And 64-bit ADCX/ADOX instructions are
effectively mishandled at decode time. In both cases we are looking
at ~2x improvement.

Hardware used for benchmarking courtesy of Atos, experiments run by
Romain Dolbeau <romain.dolbeau@atos.net>. Kudos!

This is minimalistic backpoint of 64d92d74985ebb3d0be58a9718f9e080a14a8e7f

Thanks to David Benjamin for spotting typo in Knights Landing detection!

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4006)

(cherry picked from commit 738a9dd53cacce593cd7d67e18e1273549640a79)

7 years agoFix installation on VC-WIN32 with nmake
Simon Richter [Sun, 16 Jul 2017 20:49:36 +0000 (22:49 +0200)]
Fix installation on VC-WIN32 with nmake

Commit b83265697 fixed whitespace handling in the copy script, which
exposes bugs in the install routine for nmake Makefiles.

This corrects the quoting around the copy invocation for the openssl.exe
binary.

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3942)

7 years agoschlock global variable needs to be volatile
Xiaoyin Liu [Mon, 24 Jul 2017 15:28:50 +0000 (11:28 -0400)]
schlock global variable needs to be volatile

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4000)

(cherry picked from commit e0de4dd5a2b0c0dc27e6a6ab01fabe374d657d23)

7 years agoevp/e_aes_cbc_hmac_sha256.c: give SHAEXT right priority.
Andy Polyakov [Mon, 10 Jul 2017 13:19:45 +0000 (15:19 +0200)]
evp/e_aes_cbc_hmac_sha256.c: give SHAEXT right priority.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/3898)

(cherry picked from commit d0f6eb1d8c84165c383a677266cfae9c0b162781)

7 years agoFix RSA-PSS in FIPS mode by switching digest implementations.
Dr. Stephen Henson [Sat, 22 Jul 2017 14:54:48 +0000 (15:54 +0100)]
Fix RSA-PSS in FIPS mode by switching digest implementations.

Fixes #2718

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3996)

7 years agoFix apps/s_client.c's XMPP client
Richard Levitte [Thu, 20 Jul 2017 19:22:31 +0000 (21:22 +0200)]
Fix apps/s_client.c's XMPP client

When an error occurs during the starttls handskake, s_client gets stuck
looping around zero bytes reads, because the server won't sent anything more
after its error tag.  Shutting down on the first zero byte read fixes this.

Fixes #3980

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3981)

7 years agoRemove some dead code
Matt Caswell [Mon, 17 Jul 2017 15:55:32 +0000 (16:55 +0100)]
Remove some dead code

The intention of the removed code was to check if the previous operation
carried. However this does not work. The "mask" value always ends up being
a constant and is all ones - thus it has no effect. This check is no longer
required because of the previous commit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3832)

(cherry picked from commit d5475e319575a45b20f560bdfae56cbfb165cb01)

7 years agoFix undefined behaviour in e_aes_cbc_hmac_sha256.c and e_aes_cbc_hmac_sha1.c
Matt Caswell [Wed, 28 Jun 2017 14:18:30 +0000 (15:18 +0100)]
Fix undefined behaviour in e_aes_cbc_hmac_sha256.c and e_aes_cbc_hmac_sha1.c

In TLS mode of operation the padding value "pad" is obtained along with the
maximum possible padding value "maxpad". If pad > maxpad then the data is
invalid. However we must continue anyway because this is constant time code.

We calculate the payload length like this:

    inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);

However if pad is invalid then inp_len ends up -ve (actually large +ve
because it is a size_t).

Later we do this:

    /* verify HMAC */
    out += inp_len;
    len -= inp_len;

This ends up with "out" pointing before the buffer which is undefined
behaviour. Next we calculate "p" like this:

    unsigned char *p =
        out + len - 1 - maxpad - SHA256_DIGEST_LENGTH;

Because of the "out + len" term the -ve inp_len value is cancelled out
so "p" points to valid memory (although technically the pointer arithmetic
is undefined behaviour again).

We only ever then dereference "p" and never "out" directly so there is
never an invalid read based on the bad pointer - so there is no security
issue.

This commit fixes the undefined behaviour by ensuring we use maxpad in
place of pad, if the supplied pad is invalid.

With thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3832)

(cherry picked from commit 335d0a4646981c9d96b62811bcfd69a96a1a67d9)

7 years agoRSA_padding_check_PKCS1_type_2 is not constant time.
Emilia Kasper [Tue, 18 Jul 2017 09:26:34 +0000 (11:26 +0200)]
RSA_padding_check_PKCS1_type_2 is not constant time.

This is an inherent weakness of the padding mode. We can't make the
implementation constant time (see the comments in rsa_pk1.c), so add a
warning to the docs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoBackport of 5b8fa43 and remove resolved TODO: see PR#3924.
Bernd Edlinger [Fri, 14 Jul 2017 15:05:37 +0000 (17:05 +0200)]
Backport of 5b8fa43 and remove resolved TODO: see PR#3924.
Make RSA key exchange code actually constant-time.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3935)

7 years agofix copy and copy-if-different whitespace problem
simon-p-r [Mon, 10 Jul 2017 22:19:33 +0000 (23:19 +0100)]
fix copy and copy-if-different whitespace problem

From https://github.com/openssl/openssl/pull/1023

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3904)

7 years agoAvoid possible memleak in X509_policy_check()
Richard Levitte [Wed, 5 Jul 2017 09:08:45 +0000 (11:08 +0200)]
Avoid possible memleak in X509_policy_check()

When tree_calculate_user_set() fails, a jump to error failed to
deallocate a possibly allocated |auth_nodes|.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3851)

7 years agoFix a memleak in X509_PKEY_new.
Bernd Edlinger [Sat, 1 Jul 2017 07:37:44 +0000 (09:37 +0200)]
Fix a memleak in X509_PKEY_new.
Fixes #3349

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3819)

7 years agoUndo one UI fix
Richard Levitte [Wed, 5 Jul 2017 12:55:51 +0000 (14:55 +0200)]
Undo one UI fix

Undoing:
> - in UI_process(), |state| was never made NULL, which means an error
>   when closing the session wouldn't be accurately reported.

This was a faulty cherry-pick from master

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3853)

7 years agoFix small UI issues
Richard Levitte [Wed, 5 Jul 2017 08:26:25 +0000 (10:26 +0200)]
Fix small UI issues

- in EVP_read_pw_string_min(), the return value from UI_add_* wasn't
  properly checked
- in UI_process(), |state| was never made NULL, which means an error
  when closing the session wouldn't be accurately reported.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3849)

(cherry picked from commit b96dba9e5ec7afc355be1eab915f69c8c0d51741)

7 years agoAdd echo for each build phase
Rich Salz [Tue, 4 Jul 2017 22:10:40 +0000 (18:10 -0400)]
Add echo for each build phase

Port of GH#3842 to 1.0.2

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3845)

7 years agoFix a memleak in ec_GFp_mont_group_set_curve.
Bernd Edlinger [Sun, 2 Jul 2017 10:32:47 +0000 (12:32 +0200)]
Fix a memleak in ec_GFp_mont_group_set_curve.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3828)

7 years agoFix a memory leak in ecdh/ecdsa_check.
Bernd Edlinger [Sat, 1 Jul 2017 20:18:10 +0000 (22:18 +0200)]
Fix a memory leak in ecdh/ecdsa_check.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3825)

7 years agotsget: remove call of WWW::Curl::Easy::global_cleanup
Richard Levitte [Sun, 25 Jun 2017 20:10:42 +0000 (22:10 +0200)]
tsget: remove call of WWW::Curl::Easy::global_cleanup

This function is undocumented, but similarly named functions (such as
'curl_global_cleanup') are documented as internals that should not be
called by scripts.

Fixes #3765

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3769)

7 years agoRemove inadvertently commited test binaries
Benjamin Kaduk [Tue, 20 Jun 2017 19:41:54 +0000 (14:41 -0500)]
Remove inadvertently commited test binaries

Commit 201015ee4f38e5d216a7625282c6b8a395b680b7 added some generated
files that were not part of the intended functionality; remove them.
(Only the 1.0.2 branch version of the commit was affected, probably due
to a smaller .gitignore on that branch.)

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3729)

7 years agoAdd documentation for the SSL_export_keying_material() function
Matt Caswell [Wed, 21 Jun 2017 12:55:02 +0000 (13:55 +0100)]
Add documentation for the SSL_export_keying_material() function

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3738)

7 years agoRemove a pointless "#if 0" block from BN_mul.
Bernd Edlinger [Wed, 14 Jun 2017 19:54:15 +0000 (21:54 +0200)]
Remove a pointless "#if 0" block from BN_mul.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3683)

(cherry picked from commit 93a8b3ba793c769a3634e56642dac55a8d44023f)

7 years agoFix a possible crash in dsa_builtin_paramgen2.
Bernd Edlinger [Tue, 13 Jun 2017 19:22:45 +0000 (21:22 +0200)]
Fix a possible crash in dsa_builtin_paramgen2.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3675)
(cherry picked from commit fb0a64126b8c11a6961dfa1323c3602b591af7df)

7 years agoFix possible crash in X931 code.
Bernd Edlinger [Tue, 13 Jun 2017 20:34:30 +0000 (22:34 +0200)]
Fix possible crash in X931 code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3675)
(cherry picked from commit 5419dadd4bd1f7abbfa23326ca766d2c143f257c)

7 years agoRemove the fallback from ERR_get_state because the
Bernd Edlinger [Wed, 14 Jun 2017 08:16:15 +0000 (10:16 +0200)]
Remove the fallback from ERR_get_state because the
return value is now checked at the callers.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3678)

7 years agoFix a possible crash in the error handling.
Bernd Edlinger [Tue, 13 Jun 2017 17:00:35 +0000 (19:00 +0200)]
Fix a possible crash in the error handling.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3672)

(cherry picked from commit 4fc426b78964b3d234cb7b1b6112c9b80e16a13a)

7 years agoRemove needless type casting.
Rich Salz [Sat, 10 Jun 2017 19:25:56 +0000 (15:25 -0400)]
Remove needless type casting.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3627)

(cherry picked from commit a020f54c25985fc83e809daa15a3920731d39612)

7 years agoFix possible usage of NULL pointers in apps/spkac.c
Paul Yang [Fri, 9 Jun 2017 18:22:22 +0000 (02:22 +0800)]
Fix possible usage of NULL pointers in apps/spkac.c

Check return value of NETSCAPE_SPKI_new() and
NETSCAPE_SPKI_b64_encode(), and also clean up coding style incidentally.

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3647)
(cherry picked from commit f2582f08d5167ee84b7b313fd1435fe91ee44880)

7 years agoFix speed command for alternation of ciphers and digests.
Jonathan Protzenko [Wed, 17 May 2017 16:09:01 +0000 (09:09 -0700)]
Fix speed command for alternation of ciphers and digests.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3487)

(cherry picked from commit 9ae4e664da0692f27bfe0d1a34db29ed815203c8)

7 years agoRemove stale note from s_server.pod
Benjamin Kaduk [Thu, 8 Jun 2017 20:55:30 +0000 (15:55 -0500)]
Remove stale note from s_server.pod

Modern browsers are now, well, pretty modern.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3644)
(cherry picked from commit 36c438514db71eba3e8062fef7869b9211630a19)

7 years agoFix a read off the end of the input buffer
Rich Salz [Thu, 8 Jun 2017 20:05:52 +0000 (16:05 -0400)]
Fix a read off the end of the input buffer

when building with OPENSSL_SMALL_FOOTPRINT defined.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3533)

(cherry picked from commit 0b20ad127ce86b05a854f31d51d91312c86ccc74)

7 years agoDocument default client -psk_identity
Rich Salz [Fri, 2 Jun 2017 20:05:37 +0000 (16:05 -0400)]
Document default client -psk_identity

Document that -psk is required to use PSK cipher

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3607)
(cherry picked from commit 9d772829c9e4f202460acb43f9e073841a7cb9db)

(cherry picked from commit c1abfde735eca6346eb2c0641b67b11d0e68b94c)

7 years agoec/asm/ecp_nistz256-x86_64.pl: minor sqr_montx cleanup.
Andy Polyakov [Sat, 3 Jun 2017 19:08:57 +0000 (21:08 +0200)]
ec/asm/ecp_nistz256-x86_64.pl: minor sqr_montx cleanup.

Drop some redundant instructions in reduction in ecp_nistz256_sqr_montx.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8fc063dcc9668589fd95533d25932396d60987f9)

7 years agoAdd text pointing to full change list.
Rich Salz [Fri, 2 Jun 2017 14:30:44 +0000 (10:30 -0400)]
Add text pointing to full change list.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3606)
(cherry picked from commit 01dfaa08b1960049f91485f2e5eec6c6bd03db39)

7 years agoFix ex_data memory leak
Todd Short [Fri, 26 May 2017 12:42:21 +0000 (08:42 -0400)]
Fix ex_data memory leak

Code was added in commit 62f488d that overwrite the last ex_data valye
using CRYPTO_dup_ex_data() causing a memory leak and potentially
confusing the ex_data dup() callback.

In ssl_session_dup(), new-up the ex_data before calling
CRYPTO_dup_ex_data(); all the other structures that dup ex_data have
the destination ex_data new'd before the dup.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3568)

7 years agoFix srp app missing NULL termination with password callback
Diego Santa Cruz [Tue, 16 May 2017 14:05:19 +0000 (16:05 +0200)]
Fix srp app missing NULL termination with password callback

The password_callback() function does not necessarily NULL terminate
the password buffer, the caller must use the returned length but the
srp app uses this function as if it was doing NULL termination.

This made the -passin and -passout options of "openssl srp"
fail inexpicably and randomly or even crash.

Fixed by enlarging the buffer by one, so that the maximum password length
remains unchanged, and adding NULL termination upon return.

[Rearrange code for coding style compliance in process.]

This backport of 0e83981d61fc435f42d4bb4d774272b69556b7bc.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3579)

7 years agoSend a protocol version alert
Matt Caswell [Thu, 1 Jun 2017 09:31:56 +0000 (10:31 +0100)]
Send a protocol version alert

If we fail to negotiate a version then we should send a protocol version
alert.

Fixes #3595

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3598)

7 years agoFix inconsistent check of UNSAFE_LEGACY_RENEGOTIATION (1.0.2)
Todd Short [Mon, 22 May 2017 15:24:59 +0000 (11:24 -0400)]
Fix inconsistent check of UNSAFE_LEGACY_RENEGOTIATION (1.0.2)

The check for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is
inconsistent. Most places check SSL->options, one place is checking
SSL_CTX->options; fix that.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
GH: #3521

7 years agoDocument that HMAC() with a NULL md is not thread safe
Matt Caswell [Thu, 25 May 2017 14:18:22 +0000 (15:18 +0100)]
Document that HMAC() with a NULL md is not thread safe

Fixes #3541

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3555)

7 years agoPrepare for 1.0.2m-dev
Matt Caswell [Thu, 25 May 2017 12:57:07 +0000 (13:57 +0100)]
Prepare for 1.0.2m-dev

Reviewed-by: Stephen Henson <steve@openssl.org>
7 years agoPrepare for 1.0.2l release OpenSSL_1_0_2l
Matt Caswell [Thu, 25 May 2017 12:55:36 +0000 (13:55 +0100)]
Prepare for 1.0.2l release

Reviewed-by: Stephen Henson <steve@openssl.org>