Commits · 31c34a3e2f2a2421f66f1ab2a1fcc98e28d01848 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

16 Aug, 2016 4 commits
- Fix satsub64be() to unconditionally use 64-bit integers · 31c34a3e
  David Woodhouse authored Aug 05, 2016
```
Now we support (u)int64_t this can be very much simpler.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
```
  31c34a3e
- SSL tests: send some application data · e0421bd8
  Emilia Kasper authored Aug 11, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  e0421bd8
- Add a "config" for verbosity and use it with Travis · ffb261ff
  Richard Levitte authored Aug 15, 2016
```
Modify VMS config.com to match

Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  ffb261ff
- Make "make" less verbose in Travis, except for the build only case · a4ffbbee
  Richard Levitte authored Aug 15, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  a4ffbbee
15 Aug, 2016 16 commits

Dr. Stephen Henson authored Aug 15, 2016



Apply a limit to the maximum blob length which can be read in do_d2i_bio()
to avoid excessive allocation.

Thanks to Shi Lei for reporting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>

66bcba14

Check for errors in a2d_ASN1_OBJECT() · 8b9afbc0
Dr. Stephen Henson authored Aug 05, 2016
```
Check for error return in BN_div_word().

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
8b9afbc0

Check for errors in BN_bn2dec() · 07bed46f

Dr. Stephen Henson authored Aug 05, 2016



If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.

CVE-2016-2182

Reviewed-by: Tim Hudson <tjh@openssl.org>

07bed46f

Avoid truncating the pointer on x32 platform. · 40c60b0d

Tomas Mraz authored Aug 15, 2016



The 64 bit pointer must not be cast to 32bit unsigned long on
x32 platform.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

40c60b0d

Add a comment for the added cast with explanation. · e7e5d608
Tomas Mraz authored Aug 10, 2016
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
```
e7e5d608

Fix af_alg engine failure on 32 bit architectures. · 3f8d1216

Tomas Mraz authored Aug 09, 2016



Add extra cast to unsigned long to avoid sign extension when
converting pointer to 64 bit data.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

3f8d1216

Remove a stray unneeded line in 70-test_sslrecords.t · bb982ce7
Matt Caswell authored Aug 04, 2016
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
bb982ce7
Address feedback on SSLv2 ClientHello processing · 78fcddbb
Matt Caswell authored Aug 03, 2016
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
78fcddbb

Add some SSLv2 ClientHello tests · a2a0c86b

Matt Caswell authored Aug 02, 2016



Test that we handle a TLS ClientHello in an SSLv2 record correctly.

Reviewed-by: Tim Hudson <tjh@openssl.org>

a2a0c86b

Send an alert if we get a non-initial record with the wrong version · a01c86a2

Matt Caswell authored Aug 02, 2016



If we receive a non-initial record but the version number isn't right then
we should send an alert.

Reviewed-by: Tim Hudson <tjh@openssl.org>

a01c86a2

Address feedback on SSLv2 ClientHello processing · 44efb88a

Matt Caswell authored Aug 01, 2016



Feedback on the previous SSLv2 ClientHello processing fix was that it
breaks layering by reading init_num in the record layer. It also does not
detect if there was a previous non-fatal warning.

This is an alternative approach that directly tracks in the record layer
whether this is the first record.

GitHub Issue #1298

Reviewed-by: Tim Hudson <tjh@openssl.org>

44efb88a

Replaces CT_POLICY_EVAL_CTX_set0 entries with new setters in libcrypto.num · c35d339d

Rob Percival authored Aug 15, 2016



Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1408)

c35d339d

Make CT_POLICY_EVAL_CTX_set1_{cert,issuer} into boolean functions · 11c68cea

Rob Percival authored Aug 15, 2016



They may fail if they cannot increment the reference count of the
certificate they are storing a pointer for. They should return 0 if this
occurs.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1408)

11c68cea

Improves CTLOG_STORE setters · a1bb7708

Rob Percival authored Aug 05, 2016

Changes them to have clearer ownership semantics, as suggested in
https://github.com/openssl/openssl/pull/1372#discussion_r73232196

.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1408)

a1bb7708

Skip the SRP tests in 80-test_ssl_old.t if no TLS versions is enabled · a0ef6bb6
Richard Levitte authored Aug 15, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
a0ef6bb6

Fix no-ec · 0a699a07

Dr. Stephen Henson authored Aug 15, 2016



Fix no-ec builds by having separate functions to create keys based on
an existing EVP_PKEY and a curve id.

Reviewed-by: Rich Salz <rsalz@openssl.org>

0a699a07

14 Aug, 2016 1 commit

Never return -1 from BN_exp · 0818dbad

Jakub Zelenka authored Aug 14, 2016



Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1455)

0818dbad

13 Aug, 2016 15 commits

update CHANGES · 3d9a51f7
Dr. Stephen Henson authored Aug 13, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
3d9a51f7
add documentation · c082201a
Dr. Stephen Henson authored Aug 12, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
c082201a
Print out names of other temp key algorithms. · 23143e4d
Dr. Stephen Henson authored Aug 11, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
23143e4d
Remove old EC based X25519 code. · bc7bfb83
Dr. Stephen Henson authored Aug 11, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
bc7bfb83

Modify TLS support for new X25519 API. · ec24630a

Dr. Stephen Henson authored Aug 11, 2016



When handling ECDH check to see if the curve is "custom" (X25519 is
currently the only curve of this type) and instead of setting a curve
NID just allocate a key of appropriate type.

Reviewed-by: Rich Salz <rsalz@openssl.org>

ec24630a

Add encoded points to other EC curves too. · 3bca6c27

Dr. Stephen Henson authored Aug 11, 2016



Add encoded point ctrl support for other curves: this makes it possible
to handle X25519 and other EC curve point encoding in a similar way
for TLS.

Reviewed-by: Rich Salz <rsalz@openssl.org>

3bca6c27

make update · c06f2aaa
Dr. Stephen Henson authored Aug 11, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
c06f2aaa

Add point ctrls to X25519 · 5d6aaf8a

Dr. Stephen Henson authored Aug 10, 2016



Add ctrl operations to set or retrieve encoded point in
EVP_PKEY structures containing X25519 keys.

Reviewed-by: Rich Salz <rsalz@openssl.org>

5d6aaf8a

Update X25519 key format in evptests.txt · 10f8d0ea
Dr. Stephen Henson authored Aug 10, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
10f8d0ea
Add X25519 methods to internal tables · 262bd85f
Dr. Stephen Henson authored Aug 09, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
262bd85f
add to build.info · 873feeb9
Dr. Stephen Henson authored Aug 09, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
873feeb9
make errors · 59bf0f03
Dr. Stephen Henson authored Aug 10, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
59bf0f03

X25519 public key methods · 756b198d

Dr. Stephen Henson authored Aug 09, 2016



Add X25519 methods to match current key format defined in
draft-ietf-curdle-pkix-02

Reviewed-by: Rich Salz <rsalz@openssl.org>

756b198d

Fix type of ptr field. · a4cb54d2

Dr. Stephen Henson authored Aug 09, 2016



Since "ptr" is used to handle arbitrary other types it should be
void *.

Reviewed-by: Rich Salz <rsalz@openssl.org>

a4cb54d2

Use OIDs from draft-ietf-curdle-pkix-02 · 4950f888
Dr. Stephen Henson authored Aug 09, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
4950f888

12 Aug, 2016 4 commits
- GH1446: Add SSL_SESSION_get0_cipher · e9281323
  Rich Salz authored Aug 12, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1451)
```
  e9281323
- Check for bad filename in evp_test · ce7a2232
  Rich Salz authored Aug 12, 2016
```
Thanks to Brian Carpter for reporting this.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
  ce7a2232
- Update documentation for DSA_SIG and ECDSA_SIG. · 721f3980
  Dr. Stephen Henson authored Aug 08, 2016
```
RT#4590

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  721f3980
- crypto/sparcv9cap.c: add missing declaration. · d40a13af
  Andy Polyakov authored Aug 11, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  d40a13af