Commits · 2db6bf6f856fc7a6e848e3c45b274b327a86784c · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Dec 07, 2015

Make the definition of EVP_MD opaque · 2db6bf6f

Richard Levitte authored Nov 29, 2015



This moves the definition to crypto/include/internal/evp_int.h and
defines all the necessary method creators, destructors, writers and
accessors.  The name standard for the latter is inspired from the
corresponding functions to manipulate UI methods.

Reviewed-by: Rich Salz <rsalz@openssl.org>

2db6bf6f

Adjust all accesses to EVP_MD_CTX to use accessor functions. · 6e59a892
Richard Levitte authored Nov 27, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
6e59a892
Document the changed HMAC API. · 9b6c0070
Richard Levitte authored Nov 27, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
9b6c0070

Adapt HMAC to the EVP_MD_CTX changes · fa0c23de

Richard Levitte authored Nov 27, 2015



This change required some special treatment, as HMAC is intertwined
with EVP_MD.  For now, all local HMAC_CTX variables MUST be
initialised with HMAC_CTX_EMPTY, or whatever happens to be on the
stack will be mistaken for actual pointers to EVP_MD_CTX.  This will
change as soon as HMAC_CTX becomes opaque.

Also, since HMAC_CTX_init() can fail now, its return type changes from
void to int, and it will return 0 on failure, 1 on success.

Reviewed-by: Rich Salz <rsalz@openssl.org>

fa0c23de

Have other crypto/evp files include evp_locl.h · 77a01145

Richard Levitte authored Nov 27, 2015



Note: this does not include the files in crypto/evp that are just
instanciations of EVP_MD.

Reviewed-by: Rich Salz <rsalz@openssl.org>

77a01145

Make the definition of EVP_MD_CTX opaque · 7638370c

Richard Levitte authored Nov 27, 2015



This moves the definitionto crypto/evp/evp_locl.h, along with a few
associated accessor macros.  A few accessor/writer functions added.

Reviewed-by: Rich Salz <rsalz@openssl.org>

7638370c

Do not add symlinks in the source release · 451a5bdf
Richard Levitte authored Dec 07, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
451a5bdf
In travis, build from a "source release" rather than from the build tree · 475fc3d8
Richard Levitte authored Dec 07, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
475fc3d8

Small changes to creating dists · 4a544810

Richard Levitte authored Dec 07, 2015

Make TARFILE include ../ instead of having that hard coded all over the place.
When transforming file names in TAR_COMMAND, use $(NAME) instead of openssl-$(VERSION)

Reviewed-by: Rich Salz <rsalz@openssl.org>

4a544810

Fix and update versions in CHANGES and NEWS · 5fa30720
Dr. Stephen Henson authored Dec 03, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
5fa30720
ARMv4 assembly pack: allow Thumb2 even in iOS build, · a2859927
Andy Polyakov authored Dec 06, 2015
```
and engage it in most modules.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
a2859927
Fix typo and improve a bit of text · d231a401
Viktor Dukhovni authored Dec 06, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
d231a401

Dec 06, 2015
- Really disable 56-bit (single-DES) ciphers · 1c735804
  Viktor Dukhovni authored Dec 06, 2015
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
  1c735804
Dec 05, 2015
- Remove support for all 40 and 56 bit ciphers. · 361a1191
  Kurt Roeckx authored Dec 05, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #364
```
  361a1191
Dec 04, 2015

Remove SSL_{CTX_}set_ecdh_auto() and always enable ECDH · fe6ef247
Kurt Roeckx authored Dec 04, 2015
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
fe6ef247

Make SSL_{CTX}_set_tmp_ecdh() call SSL_{CTX_}set1_curves() · 6977e8ee

Kurt Roeckx authored Dec 04, 2015

SSL_{CTX}_set_tmp_ecdh() allows to set 1 EC curve and then tries to use it. On
the other hand SSL_{CTX_}set1_curves() allows you to set a list of curves, but
only when SSL_{CTX_}set_ecdh_auto() was called to turn it on.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

6977e8ee

Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). · 6f78b9e8

Kurt Roeckx authored Dec 04, 2015

This only gets used to set a specific curve without actually checking that the
peer supports it or not and can therefor result in handshake failures that can
be avoided by selecting a different cipher.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

6f78b9e8

Fix EAP FAST in the new state machine · ad3819c2

Matt Caswell authored Dec 04, 2015



The new state machine code missed an allowed transition when resuming a
session via EAP FAST. This commits adds the missing check for the
transition.

Reviewed-by: Andy Polyakov <appro@openssl.org>

ad3819c2

Revert unnecessary SSL_CIPHER_get_bits API change · 1c86d8fd
Viktor Dukhovni authored Dec 04, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
1c86d8fd

Run test/run_tests.pl directly in the test_ordinals target · f6e9c553

Richard Levitte authored Dec 04, 2015



Running 'make TEST=test_ordinals test' starts the whole build process,
which wasn't desired for this target.  Instead, we take a shortcut.

Reviewed-by: Rich Salz <rsalz@openssl.org>

f6e9c553

Dec 03, 2015
- bn/asm/x86_64-mont5.pl: fix carry propagating bug (CVE-2015-3193). · 29851264
  Andy Polyakov authored Dec 01, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  29851264
- perlasm/ppc-xlate.pl: comply with ABIs that specify vrsave as reserved. · b5516cfb
  Andy Polyakov authored Dec 02, 2015
```
RT#4162

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  b5516cfb
Dec 02, 2015

modes/ocb128.c: fix sanitizer warning. · 1bbea403
Andy Polyakov authored Dec 02, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
1bbea403

Fix ./Configure reconf · 16b6081e

Richard Levitte authored Dec 02, 2015



'./Configure reconf' hasn't been working for a while, because a perl
lable needs to be immediately followed by a block.

Reviewed-by: Andy Polyakov <appro@openssl.org>

16b6081e

Remove RSA_FLAG_SIGN_VER flag. · 19c6d3ea

Dr. Stephen Henson authored Dec 02, 2015



Remove RSA_FLAG_SIGN_VER: this was origininally used to retain binary
compatibility after RSA_METHOD was extended to include rsa_sign and
rsa_verify fields. It is no longer needed.

Reviewed-by: Richard Levitte <levitte@openssl.org>

19c6d3ea

Move the backtrace memleak options to a separate variable · a1d3f3d1

Richard Levitte authored Dec 02, 2015



The contents of this variable ($memleak_devteam_backtrace) is added to
$cflags unless we build for a platform we know doesn't support gcc's
-rdynamic och backtrace() and friends.

Reviewed-by: Andy Polyakov <appro@openssl.org>

a1d3f3d1

make update · df04754b
Dr. Stephen Henson authored Dec 02, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
df04754b

Remove legacy sign/verify from EVP_MD. · 7f572e95

Dr. Stephen Henson authored Dec 02, 2015



Remove sign/verify and required_pkey_type fields of EVP_MD: these are a
legacy from when digests were linked to public key types. All signing is
now handled by the corresponding EVP_PKEY_METHOD.

Only allow supported digest types in RSA EVP_PKEY_METHOD: other algorithms
already block unsupported types.

Remove now obsolete EVP_dss1() and EVP_ecdsa().

Reviewed-by: Richard Levitte <levitte@openssl.org>

7f572e95

Run test_ordinals after update · 0aca86b3

Rich Salz authored Dec 02, 2015



Catch a common 'make update' failure: conflicting ordinals.

Reviewed-by: Richard Levitte <levitte@openssl.org>

0aca86b3

_BSD_SOURCE is deprecated, use _DEFAULT_SOURCE instead · f9fd3524

Richard Levitte authored Dec 02, 2015



The feature_test_macros(7) manual tells us that _BSD_SOURCE is
deprecated since glibc 2.20 and that the compiler will warn about it
being used, unless _DEFAULT_SOURCE is defined as well.

Reviewed-by: Rich Salz <rsalz@openssl.org>

f9fd3524

Add backtrace to memory leak output · 012c5408

Richard Levitte authored Dec 02, 2015



This is an option for builds with gcc and --strict-warnings.

Reviewed-by: Rich Salz <rsalz@openssl.org>

012c5408

crypto/sparcv9cap.c: add SIGILL-free feature detection for Solaris. · 2238e0e4
Andy Polyakov authored Dec 01, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
2238e0e4

modes/ocb128.c: split fixed block xors to aligned and misaligned. · 81f3d632

Andy Polyakov authored Nov 30, 2015



Main goal was to improve performance on RISC platforms, e.g. 10%
was measured on MIPS, POWER8...

Reviewed-by: Matt Caswell <matt@openssl.org>

81f3d632

modes/ocb128.c: ocb_lookup_l to allow non-contiguous lookup · b9e3d7e0
Andy Polyakov authored Nov 30, 2015
```
and CRYPTO_ocb128_encrypt to handle in==out.

Reviewed-by: Matt Caswell <matt@openssl.org>
```
b9e3d7e0

Dec 01, 2015

typo fix on function · 338f5727
Rich Salz authored Dec 01, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
338f5727

ex_data part 2: doc fixes and CRYPTO_free_ex_index. · e6390aca

Rich Salz authored Jul 21, 2015



Add CRYPTO_free_ex_index (for shared libraries)
Unify and complete the documentation for all "ex_data" API's and objects.
Replace xxx_get_ex_new_index functions with a macro.
Added an exdata test.
Renamed the ex_data internal datatypes.

Reviewed-by: Matt Caswell <matt@openssl.org>

e6390aca

Nov 30, 2015
- Remove BN_init · d59c7c81
  Rich Salz authored Nov 21, 2015
```
Rename it to be an internal function bn_init.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  d59c7c81
- Remove GOST special case: handled automatically now. · 30c7fea4
  Dr. Stephen Henson authored Nov 29, 2015
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
  30c7fea4
- Use digest indices for signature algorithms. · 7afd2312
  Dr. Stephen Henson authored Nov 29, 2015
```
Don't hard code EVP_sha* etc for signature algorithms: use table
indices instead. Add SHA224 and SHA512 to tables.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
  7afd2312
- For TLS < 1.2 use default digest for client certificate · aa430c74
  Dr. Stephen Henson authored Nov 29, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  aa430c74