Commits · 985a9af8133e0b0e9af60c66098c0f7eddea0a33 · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

Jan 22, 2015
- bn/bntest.c: make it indent-friendly. · 985a9af8
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  985a9af8
- bn/bn_recp.c: make it indent-friendly. · e95bbc3c
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  e95bbc3c
- engines/e_ubsec.c: make it indent-friendly. · aec4b334
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  aec4b334
- apps/srp.c: make it indent-friendly. · 6e81b270
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  6e81b270
- apps/speed.c: make it indent-friendly. · e751bba4
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  e751bba4
- bn/rsaz_exp.c: make it indent-friendly. · 5f0b4448
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  5f0b4448
- Fix make errors · 2dc57eb5
  Matt Caswell authored Jan 14, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  2dc57eb5
- Make the script a little more location agnostic · 2f1ac20b
  Richard Levitte authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  2f1ac20b
- Provide script for filtering data initialisers for structs/unions. indent just can't handle it. · acb82df4
  Matt Caswell authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  acb82df4
- Script fixes. · 6f08264e
  Dr. Stephen Henson authored Jan 20, 2015
```
Don't use double newline for headers.
Don't interpret ASN1_PCTX as start of an ASN.1 module.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  6f08264e
- Run expand before perl, to make sure things are properly aligned · ff7ca7a3
  Richard Levitte authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  ff7ca7a3
- Force the use of our indent profile · d09481a1
  Richard Levitte authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  d09481a1
- Provide source reformating script. Requires GNU indent to be · 849c80bc
  Tim Hudson authored Jan 05, 2015
```
available.

Script written by Tim Hudson, with amendments by Steve Henson, Rich Salz and
Matt Caswell

Reviewed-by: Matt Caswell <matt@openssl.org>
```
  849c80bc
- Fix source where indent will not be able to cope · e636e2ac
  Matt Caswell authored Jan 19, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  e636e2ac
- Yet more comments · 28470b60
  Matt Caswell authored Jan 16, 2015
```
Conflicts:
	crypto/dsa/dsa_asn1.c
	crypto/pem/pem_all.c
	fips/dh/dh_gen.c
	fips/dh/fips_dh_check.c
	fips/dh/fips_dh_gen.c
	ssl/ssl_ciph.c

Conflicts:
	ssl/d1_clnt.c

Conflicts:
	ssl/s2_pkt.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  28470b60
- More comments · 23a22b4c
  Matt Caswell authored Jan 16, 2015
```
Conflicts:
	crypto/dsa/dsa_vrf.c
	crypto/ec/ec2_smpl.c
	crypto/ec/ecp_smpl.c

Conflicts:
	demos/bio/saccept.c
	ssl/d1_clnt.c

Conflicts:
	bugs/dggccbug.c
	demos/tunala/cb.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  23a22b4c
- Further comment changes for reformat (master) · c80fd6b2
  Matt Caswell authored Jan 16, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  c80fd6b2
Jan 14, 2015

Cleanup OPENSSL_NO_xxx, part 1 · 4b618848

Rich Salz authored Jan 14, 2015



OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
Two typo's on #endif comments fixed:
	OPENSSL_NO_ECB fixed to OPENSSL_NO_OCB
	OPENSSL_NO_HW_SureWare fixed to OPENSSL_NO_HW_SUREWARE

Reviewed-by: Richard Levitte <levitte@openssl.org>

4b618848

Jan 13, 2015
- Add Broadwell performance results. · b3d72949
  Andy Polyakov authored Jan 05, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  b3d72949
- Remove use of BN_init, BN_RECP_CTX_init from bntest · a5a41235
  Dr. Stephen Henson authored Jan 13, 2015
```
BN_init and BN_RECP_CTX_init are deprecated and are not exported
from shared libraries on some platforms (e.g. Windows) convert
bntest to use BN_new and BN_RECP_CTX_new instead.
Reviewed-by: Matt Caswell <matt@openssl.org>
```
  a5a41235
- For master windows build dsa.h is now needed. · 98b3b116
  Dr. Stephen Henson authored Jan 13, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
  98b3b116
- Make output from openssl version -f consistent with previous versions · 2d267179
  Matt Caswell authored Jan 13, 2015
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
```
  2d267179
- Fix warning where BIO_FLAGS_UPLINK was being redefined. · b1ffc6ca
  Matt Caswell authored Jan 10, 2015
```
This warning breaks the build in 1.0.0 and 0.9.8

Reviewed-by: Andy Polyakov <appro@openssl.org>
```
  b1ffc6ca
- Avoid deprecation problems in Visual Studio 13 · 86d21d0b
  Matt Caswell authored Jan 09, 2015
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
```
  86d21d0b
- Ensure internal header files are used from mk1mf based builds · 964012dc
  Matt Caswell authored Jan 13, 2015
```
Reviewed-by: Richard Levitte: <levitte@openssl.org>
```
  964012dc
Jan 12, 2015

RT3548: Remove unsupported platforms · 6d23cf97

Rich Salz authored Jan 12, 2015



This last one for this ticket.  Removes WIN16.
So long, MS_CALLBACK and MS_FAR.  We won't miss you.

Reviewed-by: Richard Levitte <levitte@openssl.org>

6d23cf97

Allow multiple IDN xn-- indicators · 31d1d374

Rich Salz authored Jan 12, 2015



Update the X509v3 name parsing to allow multiple xn-- international
domain name indicators in a name.  Previously, only allowed one at
the beginning of a name, which was wrong.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

31d1d374

RT3548: Remove some unsupported platforms. · fcf64ba0

Rich Salz authored Jan 12, 2015



This commit removes NCR, Tandem, Cray.
Regenerates TABLE.
Removes another missing BEOS fluff.
The last platform remaining on this ticket is WIN16.

Reviewed-by: Richard Levitte <levitte@openssl.org>

fcf64ba0

RT478: Add uninstall make target · 9405a9a2

Rich Salz authored Jan 12, 2015



Add INSTALLDIRS variable, list of directories where things get
installed. Change install_html_docs to use perl mkdir-p script.

Add uninstall, uninstall_sw, uninstall_docs, uninstall_html_docs
to Makefile.org.  The actions of these targets were figured out
by "inverting" the install target.

Recurse into subdirs to do uninstall as needed.  Added uninstall
targets whose actions were similarly figured out by "inverting"
the install target.

Also remove some 'space before tab' complaints in Makefile.org

Reviewed-by: Tim Hudson <tjh@openssl.org>

9405a9a2

Fix no-deprecated on Windows · 732192a0
Matt Caswell authored Jan 11, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
732192a0
make update · 1211e29c
Matt Caswell authored Jan 11, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
1211e29c
Remove redundant DSO_METHOD_beos declaration in dso.h. BEOS support has been · 8e964419
Matt Caswell authored Jan 11, 2015
```
removed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
8e964419

Jan 10, 2015

Make build reproducible · 264212b6

Kurt Roeckx authored Jan 02, 2015



It contained a date on when it was build.

Reviewed-by: Rich Salz <rsalz@openssl.org>

264212b6

Jan 09, 2015
- Further windows specific .gitignore entries · 41c9cfbc
  Matt Caswell authored Jan 09, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  41c9cfbc
- Update .gitignore with windows files to be excluded from git · 448e6f06
  Matt Caswell authored Jan 09, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  448e6f06
Jan 08, 2015

Fix build failure on Windows due to undefined cflags identifier · 5c5e7e1a
Matt Caswell authored Jan 08, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
5c5e7e1a

A memory leak can occur in dtls1_buffer_record if either of the calls to · 103b171d

Matt Caswell authored Jan 07, 2015

ssl3_setup_buffers or pqueue_insert fail. The former will fail if there is a
malloc failure, whilst the latter will fail if attempting to add a duplicate
record to the queue. This should never happen because duplicate records should
be detected and dropped before any attempt to add them to the queue.
Unfortunately records that arrive that are for the next epoch are not being
recorded correctly, and therefore replays are not being detected.
Additionally, these "should not happen" failures that can occur in
dtls1_buffer_record are not being treated as fatal and therefore an attacker
could exploit this by sending repeated replay records for the next epoch,
eventually causing a DoS through memory exhaustion.

Thanks to Chris Mueller for reporting this issue and providing initial
analysis and a patch. Further analysis and the final patch was performed by
Matt Caswell from the OpenSSL development team.

CVE-2015-0206

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

103b171d

Unauthenticated DH client certificate fix. · 1421e0c5

Dr. Stephen Henson authored Oct 23, 2014



Fix to prevent use of DH client certificates without sending
certificate verify message.

If we've used a client certificate to generate the premaster secret
ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
never called.

We can only skip the certificate verify message in
ssl3_get_cert_verify if the client didn't send a certificate.

Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2015-0205
Reviewed-by: Matt Caswell <matt@openssl.org>

1421e0c5

Fix for CVE-2014-3570 (with minor bn_asm.c revamp). · a7a44ba5
Andy Polyakov authored Jan 05, 2015
```
Reviewed-by: Emilia Kasper <emilia@openssl.org>
```
a7a44ba5

Follow on from CVE-2014-3571. This fixes the code that was the original source · 248385c6

Matt Caswell authored Jan 03, 2015

of the crash due to p being NULL. Steve's fix prevents this situation from
occuring - however this is by no means obvious by looking at the code for
dtls1_get_record. This fix just makes things look a bit more sane.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

248385c6