Commits · cf61ef75be301d41696b6b45ce992562058c350a · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

26 Feb, 2015 2 commits

Matt Caswell authored Feb 25, 2015


NETSCAPE_HANG_BUG is a workaround for a browser bug from many years ago
(2000).
It predates DTLS, so certainly has no place in d1_srvr.c.
In s3_srvr.c it forces the ServerDone to appear in the same record as the
CertificateRequest when doing client auth.

BoringSSL have already made the same commit:
79ae85e4f777f94d91b7be19e8a62016cb55b3c5

Reviewed-by: Tim Hudson <tjh@openssl.org>

cf61ef75

Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed · 7a4dadc3
Matt Caswell authored Feb 05, 2015
```
the "-hack" option from s_server that set this option.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
7a4dadc3

25 Feb, 2015 12 commits

Update the SHA* documentation · f7812493

Matt Caswell authored Feb 25, 2015


Updates to include SHA224, SHA256, SHA384 and SHA512. In particular note
the restriction on setting md to NULL with regards to thread safety.

Reviewed-by: Tim Hudson <tjh@openssl.org>

f7812493

Fix NAME section of d2i_ECPKParameters to prevent broken symlinks when using · 64d27331
Rainer Jung authored Feb 24, 2015
```
the extract-names.pl script.

RT#3718

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
64d27331
Fix some minor documentation issues · 12e0ea30
Matt Caswell authored Feb 20, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
12e0ea30
Remove pointless free, and use preferred way of calling d2i_* functions · 535bc8fa
Matt Caswell authored Feb 10, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
535bc8fa
Add dire warnings about the "reuse" capability of the d2i_* functions. · 09f278f9
Matt Caswell authored Feb 10, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
09f278f9
Provide documentation for i2d_ECPrivateKey and d2i_ECPrivateKey · 93b83d06
Matt Caswell authored Feb 10, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
93b83d06

Fix a failure to NULL a pointer freed on error. · 9e442d48

Matt Caswell authored Feb 09, 2015



Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>

CVE-2015-0209

Reviewed-by: Emilia Käsper <emilia@openssl.org>

9e442d48

Import evp_test.c from BoringSSL. Unfortunately we already have a file · 71ea6b48
Matt Caswell authored Feb 09, 2015
```
called evp_test.c, so I have called this one evp_extra_test.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
71ea6b48
Add documentation for the -no_alt_chains option for various apps, as well as · fa7b0111
Matt Caswell authored Jan 27, 2015
```
the X509_V_FLAG_NO_ALT_CHAINS flag.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
fa7b0111

Add -no_alt_chains option to apps to implement the new · 25690b7f

Matt Caswell authored Jan 27, 2015

X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

25690b7f

Add flag to inhibit checking for alternate certificate chains. Setting this · 15dba5be
Matt Caswell authored Jan 27, 2015
```
behaviour will force behaviour as per previous versions of OpenSSL

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
15dba5be

In certain situations the server provided certificate chain may no longer be · da084a5e

Matt Caswell authored Jan 27, 2015


valid. However the issuer of the leaf, or some intermediate cert is in fact
in the trust store.

When building a trust chain if the first attempt fails, then try to see if
alternate chains could be constructed that are trusted.

RT3637
RT3621

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

da084a5e

24 Feb, 2015 6 commits

Remove CVS filtering from find targets · 5b8aa1a2
Rich Salz authored Feb 24, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
5b8aa1a2

Move build config table to separate files. · f09e7ca9

Rich Salz authored Feb 24, 2015



Move the build configuration table into separate files.  The Configurations
file is standard configs, and Configurations.team is for openssl-team
members.  Any other file, Configurations*, found in the same directory
as the Configure script, is loaded.

To add another file, use --config=FILE flags (which should probably be
an absolute path).

Written by Stefen Eissing <stefan.eissing@greenbytes.de> and Rich Salz
<rsalz@openssl.org>, contributed by Akamai Technologies.

Reviewed-by: Richard Levitte <levitte@openssl.org>

f09e7ca9

Document -no_explicit · 384dee51
Dr. Stephen Henson authored Feb 24, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
384dee51
Fix crash in SPARC T4 XTS. · 775b669d
Andy Polyakov authored Feb 22, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
775b669d
aes/asm/bsaes-armv7: fix kernel-side XTS and harmonize with Linux. · e620e5ae
Andy Polyakov authored Feb 24, 2015
```
XTS bug spotted and fix suggested by Adrian Kotelba.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
e620e5ae
Don't set no_protocol if -tls1 selected. · ccc22756
Dr. Stephen Henson authored Feb 24, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
ccc22756

22 Feb, 2015 8 commits

perlasm/x86masm.pl: make it work. · 2f8d82d6

Andy Polyakov authored Feb 22, 2015



Though this doesn't mean that masm becomes supported, the script is
still provided on don't-ask-in-case-of-doubt-use-nasm basis.
See RT#3650 for background.

Reviewed-by: Matt Caswell <matt@openssl.org>

2f8d82d6

sha/asm/sha1-586.pl: fix typo. · 3372c4ff

Andy Polyakov authored Feb 22, 2015



The typo doesn't affect supported configuration, only unsupported masm.

Reviewed-by: Matt Caswell <matt@openssl.org>

3372c4ff

evp/evp_test.c: avoid crashes when referencing uninitialized pointers. · 1526fea5
Andy Polyakov authored Feb 22, 2015
```
For some reason failure surfaced on ARM platforms.

Reviewed-by: Matt Caswell <matt@openssl.org>
```
1526fea5
typo · 15b5d658
Dr. Stephen Henson authored Feb 22, 2015
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
15b5d658

Fix null-pointer dereference · bcfa19a8

Edgar Pek authored Feb 21, 2015



Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>

bcfa19a8

Fix memory leak · edac5dc2
Kurt Roeckx authored Feb 21, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
edac5dc2

Avoid a double-free in an error path. · 1549a265

Doug Hogan authored Jan 07, 2015



Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>

1549a265

Restore -DTERMIO/-DTERMIOS on Windows platforms. · ba4bdee7

Richard Levitte authored Feb 22, 2015



The previous defaulting to TERMIOS took away -DTERMIOS / -DTERMIO a
bit too enthusiastically.  Windows/DOSish platforms of all sorts get
identified as OPENSSL_SYS_MSDOS, and they get a different treatment
altogether UNLESS -DTERMIO or -DTERMIOS is explicitely given with the
configuration.  The answer is to restore those macro definitions for
the affected configuration targets.

Reviewed-by: Tim Hudson <tjh@openssl.org>

ba4bdee7

21 Feb, 2015 2 commits

Assume TERMIOS is default, remove TERMIO on all Linux. · 64e6bf64

Richard Levitte authored Feb 12, 2015



The rationale for this move is that TERMIOS is default, supported by
POSIX-1.2001, and most definitely on Linux.  For a few other systems,
TERMIO may still be the termnial interface of preference, so we keep
-DTERMIO on those in Configure.

crypto/ui/ui_openssl.c is simplified in this regard, and will define
TERMIOS for all systems except a select few exceptions.
Reviewed-by: Matt Caswell <matt@openssl.org>

64e6bf64

Add additional EC documentation. · 146ca72c
Dr. Stephen Henson authored Feb 19, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
146ca72c

19 Feb, 2015 1 commit

Use named curve parameter encoding by default. · 86f300d3

Dr. Stephen Henson authored Feb 19, 2015



Many applications require named curve parameter encoding instead of explicit
parameter encoding (including the TLS library in OpenSSL itself). Set this
encoding by default instead of requiring an explicit call to set it.

Add OPENSSL_EC_EXPLICT_CURVE define.
Reviewed-by: Matt Caswell <matt@openssl.org>

86f300d3

14 Feb, 2015 1 commit
- More RSA tests. · f37879d0
  Dr. Stephen Henson authored Feb 14, 2015
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
```
  f37879d0
13 Feb, 2015 8 commits

remove unused method declaration · f9e31463
Dr. Stephen Henson authored Feb 13, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
f9e31463

size_t for buffer functions. · e5bf3c92

Dr. Stephen Henson authored Feb 13, 2015



Change BUF_MEM_grow and BUF_MEM_grow_clean to return size_t.
Reviewed-by: Richard Levitte <levitte@openssl.org>

e5bf3c92

Add leak detection, fix leaks. · d5ec8efc
Dr. Stephen Henson authored Feb 12, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
d5ec8efc

Add EVP_PKEY test data. · b9d4e97c

Dr. Stephen Henson authored Feb 12, 2015



Add some EVP_PKEY test data for sign and verify tests including
failure cases.
Reviewed-by: Richard Levitte <levitte@openssl.org>

b9d4e97c

EVP_PKEY support for evp_test · 5824cc29

Dr. Stephen Henson authored Feb 11, 2015



Add two new keywords "PublicKey" and "PrivateKey". These will load a key
in PEM format from the lines immediately following the keyword and assign
it a name according to the value. These will be used later for public and
private key testing operations.

Add tests for Sign, Verify, VerifyRecover and Decrypt.
Reviewed-by: Richard Levitte <levitte@openssl.org>

5824cc29

Add CMAC test data. · 16cb8eb0
Dr. Stephen Henson authored Feb 10, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
16cb8eb0
Add HMAC test data. · b8c792dc
Dr. Stephen Henson authored Feb 10, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
b8c792dc
MAC support for evp_test · 83251f39
Dr. Stephen Henson authored Feb 10, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
83251f39