that bad encryptions are treated like random session keys in constant
time.
(cherry picked from commit adb46dbc6d)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1
This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Conflicts:
crypto/rsa/rsa_oaep.c
crypto/rsa/rsa_pk1.c
ssl/s3_cbc.c
i2d_re_X509_tbs re-encodes the TBS portion of the certificate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 95b1752cc7)
This reverts commit cacdfcb247.
Conflicts:
crypto/x509/x509.h
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit
Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559ff9)
GetDIBits has been around since Windows2000 and
BitBitmapBits is an old Win16 compatibility function
that is much slower.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 99b00fd993)
Move the readdir() lines out of the if statement, so
that flist is available globally.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 6f46c3c3b0)
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit b2aa38a980)
Say where to email bug reports.
Mention general RT tracker info in a separate paragraph.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 468ab1c20d)
This is funny; Ben commented in the source, Matt opend a ticket,
and Rich is doing the submit. Need more code-review? :)
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit eb63bce040)
When calling X509_set_version to set v1 certificate, that
should mean that the version number field is omitted.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1f18f50c4b)
This is a more comprehensive fix. It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1. This is from
Kurt's upstream Debian changes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 44e0c2bae4)
In addition to Matthias's change, I also added -n to
not remove links. And updated the manpage.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a787c2590e)
The documentation is wrong about what happens when the
session cache fills up.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit e9edfc4196)
pod2man now complains when item tags are not sequential.
Also complains about missing =back and other tags.
Silence the warnings; most were already done.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit fe7573042f)
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.
OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.
This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.
(Original patch amended to achieve strnlen in a different way.)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be0d851732)
Can't really happen, but the flow of control isn't obvious.
Add an initializer.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0ff3687eab)
