- Mar 11, 2015
-
-
Rich Salz authored
Suggested by John Foley <foleyj@cisco.com>. Reviewed-by: Matt Caswell <matt@openssl.org>
-
Matt Caswell authored
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
Richard Levitte authored
Configure would load the glob "Configurations*". The problem with this is that it also loads all kinds of backups of those configurations that some editors do, like emacs' classic 'Configurations~'. The solution is to give them an extension, such as '.conf', and make sure to end the glob with that. Also, because 'Configurations.conf' makes for a silly name, and because a possibly large number of configurations will become clutter, move them to a subdirectory 'Configurations/', and rename them to something more expressive, as well as something that sets up some form of sorting order. Thus: Configurations -> Configurations/10-main.conf Configurations.team -> Configurations/90-team.conf Finally, make sure that Configure sorts the list of files that 'glob' produces, and adapt Makefile.org. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Matt Caswell authored
Cleanse various intermediate buffers used by the PRF. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Mar 10, 2015
-
-
Emilia Kasper authored
Ensure all malloc failures return -1. Reported by Adam Langley (Google). Reviewed-by: Matt Caswell <matt@openssl.org>
-
Richard Godbee authored
BIO_debug_callback() no longer assumes the hexadecimal representation of a pointer fits in 8 characters. Signed-off-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
Matt Caswell authored
Fix security issue where under certain conditions a client can complete a handshake with an unseeded PRNG. The conditions are: - Client is on a platform where the PRNG has not been seeded, and the user has not seeded manually - A protocol specific client method version has been used (i.e. not SSL_client_methodv23) - A ciphersuite is used that does not require additional random data from the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA) If the handshake succeeds then the client random that has been used will have been generated from a PRNG with insufficient entropy and therefore the output may be predictable. For example using the following command with an unseeded openssl will succeed on an unpatched platform: openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA CVE-2015-0285 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Mar 09, 2015
-
-
Dmitry-Me authored
Signed-off-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
David Woodhouse authored
Since commit 741c9959 ("DTLS revision."), we put the wrong protocol version into our ClientHello for DTLS1_BAD_VER. The old DTLS code which used ssl->version was replaced by the more generic SSL3 code which uses ssl->client_version. The Cisco ASA no longer likes our ClientHello. RT#3711 Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Matt Caswell authored
Commit 9cf0f187 in HEAD, and 68039af3 in 1.0.2, removed a version check from dtls1_buffer_message() which was needed to distinguish between DTLS 1.x and Cisco's pre-standard version of DTLS (DTLS1_BAD_VER). Based on an original patch by David Woodhouse <dwmw2@infradead.org> RT#3703 Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- Mar 08, 2015
-
-
Dr. Stephen Henson authored
New function ASN1_STRING_clear_free which cleanses an ASN1_STRING structure before freeing it. Call ASN1_STRING_clear_free on PKCS#8 private key components. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Andy Polyakov authored
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Viktor Szakats authored
Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- Mar 06, 2015
-
-
Matt Caswell authored
Run make errors on master Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Make the output from mkerr.pl consistent with the newly reformatted code. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Mar 05, 2015
-
-
Richard Levitte authored
crypto/crypto-lib.com - catch up with the OCSP changes test/maketest.com and test/tests.com - catch up with the addition of test_evp_extra Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Kurt Cancemi authored
This patch uses warning/fatal constants instead of numbers with comments for warning/alerts in d1_pkt.c and s3_pkt.c RT#3725 Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Matt Caswell authored
Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error paths as I spotted them along the way. Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- Mar 04, 2015
-
-
Dr. Stephen Henson authored
Add RIPEMD160 and whirlpool test data. Add Count keyword to repeatedly call EVP_DigestUpate. Reviewed-by: Matt Caswell <matt@openssl.org>
-
- Mar 02, 2015
-
-
Dr. Stephen Henson authored
CVE-2015-0288 PR#3708 Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
The format script didn't correctly recognise some ASN.1 macros and didn't reformat some files as a result. Fix script and reformat affected files. Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Rich Salz authored
ACKNOWLEDGEMENTS is now spelled correctly :) README.ASN1 talked about 0.9.6, so it's deleted. I turned doc/standards.txt into a set of one-line summaries of RFCs, and also updated the pointers to original sources (to be web links) Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Mar 01, 2015
-
-
Rich Salz authored
These ciphers are removed: TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA TLS1_CK_DHE_DSS_WITH_RC4_128_SHA They were defined in a long-expired IETF internet-draft: draft-ietf-tls-56-bit-ciphersuites-01.txt Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Feb 27, 2015
-
-
Matt Caswell authored
Some Cisco appliances use a pre-standard version number for DTLS. We support this as DTLS1_BAD_VER within the code. This change fixes d2i_SSL_SESSION for that DTLS version. Based on an original patch by David Woodhouse <dwmw2@infradead.org> RT#3704 Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Matt Caswell authored
Added various missing return value checks in tls1_change_cipher_state. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Fixed various missing return value checks in ssl3_send_newsession_ticket. Also a mem leak on error. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Add support for skipping disabled algorithms: if an attempt to load a public or private key results in an unknown algorithm error then any test using that key is automatically skipped. Reviewed-by: Tim Hudson <tjh@openssl.org>
-