[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

Dr. Stephen Henson steve at openssl.org
Mon Jul 6 17:38:51 UTC 2015


The branch OpenSSL_1_0_1-stable has been updated
       via  cb6e0ed17a61ae3711d385f517d61be2b4c33a55 (commit)
       via  e5d5019a233d15e3ce93e57925c98bd0c8e71f46 (commit)
      from  d6be3124f22870f1888c532523b74ea5d89795eb (commit)


- Log -----------------------------------------------------------------
commit cb6e0ed17a61ae3711d385f517d61be2b4c33a55
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Jun 9 23:17:06 2015 +0100

    Relax CCM tag check.
    
    In CCM mode don't require a tag before initialising decrypt: this allows
    the tag length to be set without requiring the tag.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 9cca7be11d62298b2af0722f94345012c86eaed4)

commit e5d5019a233d15e3ce93e57925c98bd0c8e71f46
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Jul 6 14:17:49 2015 +0100

    document -2 return value
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 5727582cf51e98e5e0faa435e7da2c8929533c0d)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/e_aes.c                        | 2 +-
 doc/crypto/X509_NAME_get_index_by_NID.pod | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 1ede7bd..a4327fc 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -1146,7 +1146,7 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
     case EVP_CTRL_CCM_SET_TAG:
         if ((arg & 1) || arg < 4 || arg > 16)
             return 0;
-        if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
+        if (c->encrypt && ptr)
             return 0;
         if (ptr) {
             cctx->tag_set = 1;
diff --git a/doc/crypto/X509_NAME_get_index_by_NID.pod b/doc/crypto/X509_NAME_get_index_by_NID.pod
index c8a8128..109f561 100644
--- a/doc/crypto/X509_NAME_get_index_by_NID.pod
+++ b/doc/crypto/X509_NAME_get_index_by_NID.pod
@@ -29,6 +29,7 @@ and issuer names.
 X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() retrieve
 the next index matching B<nid> or B<obj> after B<lastpos>. B<lastpos>
 should initially be set to -1. If there are no more entries -1 is returned.
+If B<nid> is invalid (doesn't correspond to a valid OID) then -2 is returned.
 
 X509_NAME_entry_count() returns the total number of entries in B<name>.
 
@@ -63,6 +64,10 @@ The list of all relevant B<NID_*> and B<OBJ_* codes> can be found in
 the source code header files E<lt>openssl/obj_mac.hE<gt> and/or
 E<lt>openssl/objects.hE<gt>.
 
+Applications which could pass invalid NIDs to X509_NAME_get_index_by_NID()
+should check for the return value of -2. Alternatively the NID validity
+can be determined first by checking OBJ_nid2obj(nid) is not NULL.
+
 =head1 EXAMPLES
 
 Process all entries:
@@ -95,6 +100,8 @@ Process all commonName entries:
 
 X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ()
 return the index of the next matching entry or -1 if not found.
+X509_NAME_get_index_by_NID() can also return -2 if the supplied
+NID is invalid.
 
 X509_NAME_entry_count() returns the total number of entries.
 


More information about the openssl-commits mailing list