Commits · 2d540402aac7a05af9c99b58864d53c0201a0b42 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Jun 23, 2015

RT3856: Fix memory leaks in test code · 2d540402
Russell Webb authored Jun 13, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
2d540402
make update · a1c506ae
Richard Levitte authored Jun 23, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
a1c506ae

Richard Levitte authored Jun 23, 2015



A small rearrangement so the inclusion of rsaz_exp.h would be
unconditional, but what that header defines becomes conditional.

This solves the weirdness where rsaz_exp.h gets in and out of the
dependency list for bn_exp.c, depending on the present architecture.

Reviewed-by: Rich Salz <rsalz@openssl.org>

ed45f3c2

RT3907-fix · cc3f3fc2

Rich Salz authored Jun 22, 2015



Typo in local variable name; introduced by previous fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>

cc3f3fc2

Jun 22, 2015

RT3907: avoid "local" in testssl script · 75ba5c58
Rich Salz authored Jun 13, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
75ba5c58
Remove SESS_CERT entirely. · 389ebcec
Dr. Stephen Henson authored Jun 21, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
389ebcec
Move peer chain to SSL_SESSION structure. · c34b0f99
Dr. Stephen Henson authored Jun 21, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
c34b0f99

Remove unnuecessary ifdefs. · 8df53b7a

Dr. Stephen Henson authored Jun 21, 2015



If RSA or DSA is disabled we will never use a ciphersuite with
RSA/DSA authentication as it is already filtered out by the cipher
list logic.

Reviewed-by: Richard Levitte <levitte@openssl.org>

8df53b7a

Remove certificates from sess_cert · a273c6ee

Dr. Stephen Henson authored Jun 21, 2015



As numerous comments indicate the certificate and key array is not an
appopriate structure to store the peers certificate: so remove it and
just the s->session->peer instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>

a273c6ee

Remove peer temp keys from SESS_CERT · 8d92c1f8
Dr. Stephen Henson authored Jun 21, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
8d92c1f8

Jun 21, 2015
- RT3917: add cleanup on an error path · 7fba8407
  Rich Salz authored Jun 21, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  7fba8407
- Cleanup mttest.c : because we no longer use stdio here, don't include it · 8ca96efd
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  8ca96efd
- Add -ldl to the build of mttest.c · d62c98c8
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  d62c98c8
- Cleanup mttest.c : use BIO_free only, no preceding hacks · 03b672de
  Richard Levitte authored Jun 21, 2015
```
Since [sc]_ssl->[rw]bio aren't available, do not try to fiddle with
them.  Surely, a BIO_free on the "main" BIOs should be enough

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  03b672de
- Cleanup mttest.c : do not try to output reference counts when threads are done · 96462695
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  96462695
- Cleanup mttest.c : better error reporting when certs are miggins · 7a1789d2
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  7a1789d2
- Cleanup mttest.c : make ssl_method a pointer to const · f4c73bfe
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  f4c73bfe
- Cleanup mttest.c : modernise output · bb8abd67
  Richard Levitte authored Jun 21, 2015
```
Construct bio_err and bio_stdout from file handles instead of FILE
pointers, since the latter might not be implemented (when OPENSSL_NO_STDIO
is defined).
Convert all output to use BIO_printf.
Change lh_foo to lh_SSL_SESSION_foo.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  bb8abd67
- Cleanup mttest.c : modernise the threads setup · 5c78e183
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  5c78e183
- Cleanup mttest.c : remove MS_CALLBACK · a3f92865
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  a3f92865
- Revert "Avoid duplication." · f6a10313
  Dr. Stephen Henson authored Jun 21, 2015
```
This reverts commit d480e182

.

Commit broke TLS handshakes due to fragility of digest caching: that will be
fixed separately.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  f6a10313
- Avoid duplication. · d480e182
  Dr. Stephen Henson authored Jun 20, 2015
```
We always free the handshake buffer when digests are freed so move
it into ssl_free_digest_list()

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  d480e182
- remove unnecessary NULL checks · 85fb6fda
  Dr. Stephen Henson authored Jun 20, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  85fb6fda
Jun 20, 2015
- typo: should be OPENSSL_free · bc9567cd
  Dr. Stephen Henson authored Jun 20, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  bc9567cd
Jun 16, 2015
- Make preprocessor error into real preprocessor error · b4f0d1a4
  Richard Levitte authored Jun 15, 2015
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
  b4f0d1a4
- Remove one extraneous parenthesis · 30cf9178
  Richard Levitte authored Jun 13, 2015
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
  30cf9178
Jun 15, 2015

RT2547: Tighten perms on generated privkey files · 3b061a00

Rich Salz authored May 02, 2015

When generating a private key, try to make the output file be readable
only by the owner. Put it in CHANGES file since it might be noticeable.

Add "int private" flag to apps that write private keys, and check that it's
set whenever we do write a private key. Checked via assert so that this
bug (security-related) gets fixed. Thanks to Viktor for help in tracing
the code-paths where private keys are written.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

3b061a00

Refactor into clear_ciphers; RT3588 · d31fb0b5

Rich Salz authored Jun 13, 2015



While closing RT3588 (Remove obsolete comment) Kurt and I saw that a
few lines to completely clear the SSL cipher state could be moved into
a common function.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

d31fb0b5

Fix argument processing error from the option parsing change over. · 29eca1c0
Tim Hudson authored Jun 15, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
29eca1c0
Fix argument processing error from the option parsing change over. · e58ddf0a
Tim Hudson authored Jun 15, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
e58ddf0a

Jun 13, 2015
- Encode b == NULL or blen == 0 as zero. · f2dc4d51
  Dr. Stephen Henson authored Jun 12, 2015
```
PR#3904

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  f2dc4d51
Jun 12, 2015

Allow a zero length extension block · 1ae3fdbe

Adam Langley authored Jun 12, 2015



It is valid for an extension block to be present in a ClientHello, but to
be of zero length.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

1ae3fdbe

Fix ABI break with HMAC · 4b464e7b

Matt Caswell authored Jun 12, 2015



Recent HMAC changes broke ABI compatibility due to a new field in HMAC_CTX.
This backs that change out, and does it a different way.

Thanks to Timo Teras for the concept.

Reviewed-by: Richard Levitte <levitte@openssl.org>

4b464e7b

Jun 11, 2015

Update CHANGES and NEWS · 063dccd0

Matt Caswell authored Jun 10, 2015



Updates to CHANGES and NEWS to take account of the latest security fixes.

Reviewed-by: Rich Salz <rsalz@openssl.org>

063dccd0

bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters. · 4924b37e
Andy Polyakov authored Jun 11, 2015
```
CVE-2015-1788

Reviewed-by: Matt Caswell <matt@openssl.org>
```
4924b37e
PKCS#7: Fix NULL dereference with missing EncryptedContent. · 59302b60
Emilia Kasper authored May 12, 2015
```
CVE-2015-1790

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
59302b60

Fix length checks in X509_cmp_time to avoid out-of-bounds reads. · f48b83b4

Emilia Kasper authored Apr 08, 2015



Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.

CVE-2015-1789

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

f48b83b4

More ssl_session_dup fixes · 708cf593

Matt Caswell authored Jun 11, 2015



Fix error handling in ssl_session_dup, as well as incorrect setting up of
the session ticket. Follow on from CVE-2015-1791.

Thanks to LibreSSL project for reporting these issues.

Reviewed-by: Tim Hudson <tjh@openssl.org>

708cf593

e_aes_cbc_hmac_sha*.c: address linker warning about OPENSSL_ia32cap_P size mismatch. · f0fa5c83
Andy Polyakov authored Jun 11, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
f0fa5c83

Jun 10, 2015
- gcm.c: address linker warning about OPENSSL_ia32cap_P size mismatch. · 75c4827d
  Andy Polyakov authored Jun 01, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  75c4827d