Skip to content
  1. Aug 11, 2015
    • Matt Caswell's avatar
      Extend TLSProxy capabilities · a1accbb1
      Matt Caswell authored
      
      
      Add ServerHello parsing to TLSProxy.
      Also add some (very) limited ServerKeyExchange parsing.
      Add the capability to set client and server cipher lists
      Fix a bug with fragment lengths
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      a1accbb1
    • Matt Caswell's avatar
      Add some libssl tests · 011467ee
      Matt Caswell authored
      
      
      Two tests are added: one is a simple version tolerance test; the second is
      a test to ensure that OpenSSL operates correctly in the case of a zero
      length extensions block. The latter was broken inadvertently (now fixed)
      and it would have been helpful to have a test case for it.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      011467ee
    • Matt Caswell's avatar
      Add a libssl test harness · 631c1206
      Matt Caswell authored
      
      
      This commit provides a set of perl modules that support the testing of
      libssl. The test harness operates as a man-in-the-middle proxy between
      s_server and s_client. Both s_server and s_client must be started using the
      "-testmode" option which loads the new OSSLTEST engine.
      
      The test harness enables scripts to be written that can examine the packets
      sent during a handshake, as well as (potentially) modifying them so that
      otherwise illegal handshake messages can be sent.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      631c1206
    • Matt Caswell's avatar
      Add OSSLTest Engine · 2d5d70b1
      Matt Caswell authored
      
      
      This engine is for testing purposes only. It provides crippled crypto
      implementations and therefore must not be used in any instance where
      security is required.
      
      This will be used by the forthcoming libssl test harness which will operate
      as a man-in-the-middle proxy. The test harness will be able to modify
      TLS packets and read their contents. By using this test engine packets are
      not encrypted and MAC codes always verify.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      2d5d70b1
    • Matt Caswell's avatar
      Check for 0 modulus in BN_MONT_CTX_set · 6a009812
      Matt Caswell authored
      
      
      The function BN_MONT_CTX_set was assuming that the modulus was non-zero
      and therefore that |mod->top| > 0. In an error situation that may not be
      the case and could cause a seg fault.
      
      This is a follow on from CVE-2015-1794.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      6a009812
    • Guy Leaver (guleaver)'s avatar
      Fix seg fault with 0 p val in SKE · 61e72d76
      Guy Leaver (guleaver) authored
      
      
      If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
      value of p set to 0 then a seg fault can occur. This commits adds a test to
      reject p, g and pub key parameters that have a 0 value (in accordance with
      RFC 5246)
      
      The security vulnerability only affects master and 1.0.2, but the fix is
      additionally applied to 1.0.1 for additional confidence.
      
      CVE-2015-1794
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      61e72d76
    • Matt Caswell's avatar
      Normalise make errors output · 870063c8
      Matt Caswell authored
      
      
      make errors wants things in a different order to the way things are
      currently defined in the header files. The easiest fix is to just let it
      reorder it.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      870063c8
  2. Aug 10, 2015
  3. Aug 08, 2015
  4. Aug 06, 2015
  5. Aug 04, 2015
  6. Aug 03, 2015
  7. Aug 02, 2015
  8. Aug 01, 2015
  9. Jul 31, 2015