Commits · 04a73c844f31e117cd22d5704f05a56ead7cef23 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Dec 03, 2014

Verify that we have a sensible message len and fail if not · 04a73c84

Matt Caswell authored Dec 01, 2014


RT#3592 provides an instance where the OPENSSL_assert that this commit
replaces can be hit. I was able to recreate this issue by forcing the
underlying BIO to misbehave and come back with very small mtu values. This
happens the second time around the while loop after we have detected that the
MTU has been exceeded following the call to dtls1_write_bytes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit cf75017b)

04a73c84

Nov 28, 2014

Check for FindNextFile when defining it rather than FindFirstFile · 87ff17a0
Richard Levitte authored Nov 28, 2014
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
87ff17a0

[PR3597] Advance to the next state variant when reusing messages. · d93112ab

Richard Levitte authored Nov 28, 2014



Previously, state variant was not advanced, which resulted in state
being stuck in the st1 variant (usually "_A").

This broke certificate callback retry logic when accepting connections
that were using SSLv2 ClientHello (hence reusing the message), because
their state never advanced to SSL3_ST_SR_CLNT_HELLO_C variant required
for the retry code path.

Reported by Yichun Zhang (agentzh).

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

d93112ab

Correct some layout issues, convert all remaining tabs to appropriate amounts of spaces. · 875a33d7
Richard Levitte authored Nov 28, 2014
```
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8123d158)
```
875a33d7

Improves the proxy certificates howto doc. · cf48a6d7

Alok Menghrajani authored Nov 14, 2014



The current documentation contains a bunch of spelling and grammar mistakes. I also
found it hard to understand some paragraphs, so here is my attempt to improve its
readability.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 03b637a7)

cf48a6d7

Nov 27, 2014

Fixed warning in ssl2_enc · 7f3490e6

Matt Caswell authored Nov 27, 2014



Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2db95e09)

7f3490e6

Check EVP_Cipher return values for SSL2 · dcf7a2dc

Matt Caswell authored Nov 18, 2014



Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 5fc8bb6a)

dcf7a2dc

Add checks to the return value of EVP_Cipher to prevent silent encryption failure. · 6ff76b33
Matt Caswell authored Nov 18, 2014
```
PR#1767

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 244d0955)
```
6ff76b33
Remove redundant checks in ssl_cert_dup. This was causing spurious error messages when using GOST · 3b125151
Matt Caswell authored Nov 27, 2014
```
PR#3613

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit fc3968a2)
```
3b125151
Remove duplicated code · 4e73dc5b
Matt Caswell authored Nov 17, 2014
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
4e73dc5b

Tidy up ocsp help output · 67eb85d7

Matt Caswell authored Nov 27, 2014



Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 5e31a40f)

Conflicts:
	apps/ocsp.c

(cherry picked from commit e1645826)

67eb85d7

Add documentation on -timeout option in the ocsp utility · 915a3b1c

André Guerreiro authored Nov 27, 2014



PR#3612

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit de87dd46)
(cherry picked from commit 4d3df37b)

915a3b1c

Nov 26, 2014
- Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask · e1b1d82a
  Matt Caswell authored Nov 25, 2014
```
PR#3608

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8a35dbb6)
```
  e1b1d82a
Nov 25, 2014
- Corrected comments in ssl.h about SSLv23_method and friends · c2545663
  Matt Caswell authored Nov 25, 2014
```
PR#3574

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 3a076588)
```
  c2545663
Nov 13, 2014

Fix cross reference table generator. · aaf93359

Dr. Stephen Henson authored Nov 01, 2014



If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 55f7fb88)

Conflicts:
	crypto/objects/obj_xref.h

aaf93359

Nov 12, 2014

Fixes a minor typo in the EVP docs. · cee17f96

Alok Menghrajani authored Nov 11, 2014



Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5211e094)

cee17f96

Correct timestamp output when clock_precision_digits > 0 · bd366159
Michal Bozon authored Nov 12, 2014
```
PR#3535

Reviewed-by: Stephen Henson <steve@openssl.org>
```
bd366159

Fix free of garbage pointer. PR#3595 · db856119

Matt Caswell authored Nov 12, 2014



Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit e04d426b)

db856119

Nov 11, 2014
- Fix warning about negative unsigned intergers · 9e5267fc
  Kurt Roeckx authored Nov 10, 2014
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  9e5267fc
Oct 28, 2014
- Use only unsigned arithmetic in constant-time operations · 0d330ce5
  Samuel Neves authored Oct 04, 2014
```
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  0d330ce5
Oct 21, 2014

Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation. · 2a303a58
Bodo Moeller authored Oct 21, 2014
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
2a303a58
When processing ClientHello.cipher_suites, don't ignore cipher suites · 8d81dfd0
Bodo Moeller authored Oct 21, 2014
```
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
```
8d81dfd0

Keep old method in case of an unsupported protocol · 69c163ac

Kurt Roeckx authored Oct 21, 2014

When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc2

.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 392fa7a9)

69c163ac

Oct 20, 2014
- no-ssl2 with no-ssl3 does not mean drop the ssl lib · b7eaea73
  Tim Hudson authored Oct 20, 2014
```
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit c882abd5)
```
  b7eaea73
Oct 17, 2014
- e_os.h: refine inline override logic (to address warnings in debug build). · 2d2965d2
  Andy Polyakov authored Sep 30, 2014
```
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 55c7a4cf)
```
  2d2965d2
- e_os.h: allow inline functions to be compiled by legacy compilers. · 56cee260
  Andy Polyakov authored Sep 25, 2014
```
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 40155f40)
```
  56cee260
- RT3547: Add missing static qualifier · e2e13b8f
  Kurt Cancemi authored Sep 28, 2014
```
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c9)
```
  e2e13b8f
Oct 15, 2014

Prepare for 1.0.0p-dev · 13b2a4d0
Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
13b2a4d0
Prepare for 1.0.0o release · 41da9188
Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
OpenSSL_1_0_0o

41da9188
Updates to NEWS · e9fe4b10
Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
```
e9fe4b10
Update to CHANGES file · 6469c947
Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Bodo Möller <bodo@openssl.org>
```
6469c947

Fix no-ssl3 configuration option · 9bf3ff1c

Geoff Thorpe authored Oct 15, 2014



CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

9bf3ff1c

Fix for session tickets memory leak. · 74f77d40

Dr. Stephen Henson authored Oct 15, 2014



CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

74f77d40

Fix SSL_R naming inconsistency. · 55513f3e
Bodo Moeller authored Oct 15, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
55513f3e

Add constant_time_locl.h to HEADERS, · c8dd7190

Tim Hudson authored Sep 25, 2014


so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>

c8dd7190

Add the constant time test to the VMS build and tests · 0bfd0bff
Richard Levitte authored Sep 25, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	test/maketests.com
	test/tests.com
```
0bfd0bff

Include "constant_time_locl.h" rather than "../constant_time_locl.h". · eb269523

Richard Levitte authored Sep 24, 2014


The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	crypto/evp/evp_enc.c

eb269523

Spaces were added in some strings for better readability. However, those... · 802feda7

Richard Levitte authored Jun 16, 2014


Spaces were added in some strings for better readability. However, those spaces do not belong in file names, so when picking out the individual parts, remove the spaces

Reviewed-by: Tim Hudson <tjh@openssl.org>

802feda7

Adjust VMS build to Unix build. Most of all, make it so the disabled · cdad6ad0

Richard Levitte authored Aug 06, 2014


algorithms MD2 and RC5 don't get built.
Also, disable building the test apps in crypto/des and crypto/pkcs7, as
they have no support at all.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	crypto/crypto-lib.com
	makevms.com
	ssl/ssl-lib.com

cdad6ad0

Make sure test/tests.com exit gracefully, even when openssl.exe wasn't properly built. · 4eca4cfb
Richard Levitte authored Jun 18, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
4eca4cfb