Skip to content

Rollup of small fixes#5521

Open
randombit wants to merge 21 commits intomasterfrom
jack/fix-rollup
Open

Rollup of small fixes#5521
randombit wants to merge 21 commits intomasterfrom
jack/fix-rollup

Conversation

@randombit
Copy link
Copy Markdown
Owner

@randombit randombit commented Apr 4, 2026

No description provided.

randombit added 21 commits April 3, 2026 22:58
@randombit
Add missing nullptr checks to ffi
a60b02b
@randombit
Fix various bugs in the libsodium compat layer
5a634cf
@randombit
Improve merging process of IPAddressOrRange
9b85593
@randombit
Limit the sizes of PEM labels
d2fe82e
@randombit
Reject OCSP responses that use anything other than SHA-1 or SHA-256
25a6df0 
Sadly SHA-1 seems to be still quite common in this ecosystem.
@randombit
Use peek instead of double-decode for nextUpdate in X509_CRL
69361b7
@randombit
In PBES2 check for invalid PBKDF2 or Scrypt params
ace6ac9 
This would later cause an exception but one rather more opauqe as to
the source, so just reject it right away.
@randombit
Add decoding-time validation of HyMES McEliece key parameters
71bebe5 
This would accept invalid inputs and then fail in more opaque ways later.
@randombit
Reject negative integers in BER_Decoder::decode_constrainted_integer
3f44c42 
This is only used for TLS session data so not likely to occur in practice.
@randombit
Fix a bug that incorrectly applied name constraints when it should not
c7dff5f 
Fixes Limbo rfc5280::nc::permitted-self-issued which was marked xfail
@randombit
Handle name constraints when SAN has a wildcard that could match an e…
14134eb 
…xcluded name

If the SAN is a wildcard, and that wildcard could match some specific excluded
name, then the certificate could be used to match against the excluded name, and
so should be rejected. RFC 5280 is somewhere between ambigous and silent about
this situation.
@randombit
Add NIST key wrap with padding to the Python binding
9e68381
@randombit
Check for identity point in base_point_mul_x_mod_order
478e841 
Since the multiplication occurs against the base point this can only
happen if the caller passed zero as the scalar.
@randombit
In SM2 signature generation, check for r == 0 and s == 0
08d4b9b
@randombit
Always use e=65537 for RSA_PublicKey::generate_another
fe769b8
@randombit
Fix CT::poison invocation in bitsliced AES decrypt
af2a9f0 
The code poisoned the buffer then loaded the input into it, which
would cause valgrind to treat the data as initialized.
@randombit
Ensure a TLS 1.2 server never considers a signature scheme not allowe…
c15a096 
…d by policy
@randombit
Normalize IPv4 addresses in name constraints
70ac4f7
@randombit
Fix an incorrect Poly1305 computation
d2ff959 
Would cause incorrect MAC to be computed with probability ~1/2**85.
@randombit
Add missing EC_Scalar deserialization check to pcurves_generic
3189e8d
@randombit
In OAEP return early if the input is too small to be possibly valid
c99f6dd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@randombit