Commits · 4020c0b33b25f829ca68976970d44227d115eb9e · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

15 Feb, 2017 1 commit

Dr. Stephen Henson authored Feb 13, 2017



Add inline function ssl_has_cert which checks to see if a certificate and
private key for a given index are not NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)

4020c0b3

14 Feb, 2017 24 commits

Fix a few typos · 7e12cdb5

FdaSilvaYY authored Feb 07, 2017


[skip ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2571)

7e12cdb5

Remove obsolete comment · 7c120357

Guido Vranken authored Feb 11, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)

7c120357

Prevents that OPENSSL_gmtime incorrectly signals success if gmtime_r fails,... · 873019f2

Guido Vranken authored Sep 22, 2016


Prevents that OPENSSL_gmtime incorrectly signals success if gmtime_r fails, and that struct* tm result's possibly uninitialized content is used

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)

873019f2

Use TLSEXT_KEYNAME_LENGTH in tls_decrypt_ticket. · 57b0d651

Bernd Edlinger authored Feb 13, 2017



Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2618)

57b0d651

Prevent allocations of size 0 in sh_init, which are not possible with the... · 7f07149d

Guido Vranken authored Feb 13, 2017


Prevent allocations of size 0 in sh_init, which are not possible with the default OPENSSL_zalloc, but are possible if the user has installed their own allocator using CRYPTO_set_mem_functions. If the 0-allocations succeeds, the secure heap code will later access (at least) the first byte of that space, which is technically an OOB access. This could lead to problems with some custom allocators that only return a valid pointer for subsequent free()-ing, and do not expect that the pointer is actually dereferenced.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2605)

7f07149d

Add Sieve support (RFC 5804) to s_client ("-starttls sieve") · 20967afb

Robert Scheck authored Feb 09, 2017



Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2300)

20967afb

Add no-ec build · b08ee30b

Rich Salz authored Feb 14, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2626)

b08ee30b

Make -xcert work again. · 52f4840c

Dr. Stephen Henson authored Feb 14, 2017



When a certificate is prepended update the list pointer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2628)

52f4840c

Fix no-ec compilation · deb2d5e7

Matt Caswell authored Feb 14, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2624)

deb2d5e7

Remove a double call to ssl3_send_alert() · 429ff318

Matt Caswell authored Feb 08, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

429ff318

Fix a bogus uninit variable warning · 319a33d0

Matt Caswell authored Feb 08, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

319a33d0

Add a bytestogroup macro · 0dd7ba24

Matt Caswell authored Feb 06, 2017



For converting the 2 byte group id into an unsigned int.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

0dd7ba24

Various style fixes following review feedback · 2248dbeb

Matt Caswell authored Feb 06, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

2248dbeb

Update the tls13messages test to add some HRR scenarios · b0bfd140

Matt Caswell authored Feb 02, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

b0bfd140

Update the kex modes tests to check various HRR scenarios · d542790b

Matt Caswell authored Feb 02, 2017



Make sure we get an HRR in the right circumstances based on kex mode.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

d542790b

Update TLSProxy to know about HelloRetryRequest messages · 0adb6417

Matt Caswell authored Feb 02, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

0adb6417

Update test counting in checkhandshake.pm · f6cec2d8

Matt Caswell authored Feb 02, 2017



Previously counting the number of tests in checkhandshake.pm took an
initial guess and then modified it based on various known special
cases. That is becoming increasingly untenable, so this changes it to
properly calculate the number of tests we expect to run.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

f6cec2d8

Update the key_share tests for HelloRetryRequest · 38f5c30b

Matt Caswell authored Feb 02, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

38f5c30b

Add trace support for HelloRetryRequest · 87d70b63

Matt Caswell authored Feb 02, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

87d70b63

Implement support for resumption with a HelloRetryRequest · aff9929b

Matt Caswell authored Feb 01, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

aff9929b

Add client side support for parsing Hello Retry Request · 3847d426

Matt Caswell authored Feb 01, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

3847d426

Add server side support for creating the Hello Retry Request message · 7d061fce
Matt Caswell authored Jan 30, 2017
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
```
7d061fce
Make the context available to the extensions parse and construction funcs · 61138358
Matt Caswell authored Jan 31, 2017
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
```
61138358

mem leak on error path and error propagation fix · e0670973

Yuchi authored Feb 05, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)

e0670973

13 Feb, 2017 11 commits

aes/asm/*-x86_64.pl: add CFI annotations. · b84460ad
Andy Polyakov authored Feb 10, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
b84460ad
perlasm/x86_64-xlate.pl: recognize even offset(%reg) in cfa_expression. · 1cb35b47
Andy Polyakov authored Feb 10, 2017
```
This is handy when "offset(%reg)" is a perl variable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
1cb35b47
ec/asm/ecp_nistz256-x86_64.pl: add CFI directives. · 86e11278
Andy Polyakov authored Feb 10, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
86e11278
ec/asm/ecp_nistz256-x86_64.pl: fix typo-bug in Win64 SE handler. · 79ca382d
Andy Polyakov authored Feb 10, 2017
```
Thanks to Jun Sun for spotting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
79ca382d

Further improvements to ASYNC_WAIT_CTX_clear_fd · 219aa86c

Andrea Grandi authored Feb 10, 2017



Remove call to cleanup function
Use only one loop to find previous element

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)

219aa86c

Remove fd from the list when the engine clears the wait context before pause · f89dd673

Andrea Grandi authored Feb 03, 2017



This fixes the num of fds added/removed returned by ASYNC_WAIT_CTX_get_changed_fds

Previously, the numbers were not consistent with the fds actually written in
the buffers since the fds that have been both added and removed are explicitly
ignored in the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)

f89dd673

Add test to show wrong behavior of ASYNC_WAIT_CTX · f44e6364

Andrea Grandi authored Jan 26, 2017



This happens when a fd is added and then immediately removed from the
ASYNC_WAIT_CTX before pausing the job.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)

f44e6364

{md5,rc4}/asm/*-x86_64.pl: add CFI annotations. · 2dfb52d3
Andy Polyakov authored Feb 11, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
2dfb52d3
modes/asm/*-x86_64.pl: add CFI annotations. · 5c72e5ea
Andy Polyakov authored Feb 11, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
5c72e5ea

DES keys are not 7 days long. · 4fd7b54d

Darren Tucker authored Feb 13, 2017



CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2604)

4fd7b54d

test_rehash does nothing, have it do something · 4bbd8a5d

Richard Levitte authored Feb 10, 2017



test/recipes/40-test_rehash.t uses test files from certs/demo, which
doesn't exist any longer.  Have it use PEM files from test/ instead.

Because rehash wants only one certificate or CRL per file, we must
also filter those PEM files to produce test files with a single object
each.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2594)

4bbd8a5d

11 Feb, 2017 1 commit

sha/asm/sha1-x86_64.pl: add CFI annotations. · 1f9e00a6

Adam Langley authored Feb 10, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2590)

1f9e00a6

10 Feb, 2017 3 commits

Replace SSL_PKEY_RSA_ENC, SSL_PKEY_RSA_SIGN · d0ff28f8

Dr. Stephen Henson authored Feb 10, 2017



The original intent of SSL_PKEY_RSA_SIGN and SSL_PKEY_RSA_ENC was to
support two different keys for RSA signing and decrypt. However this
was never implemented and we only ever set one key and the other was
always NULL. Replace with single SSL_PKEY_RSA type.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)

d0ff28f8

Check index >= 0 as 0 is a valid index. · 8fd19b20

Dr. Stephen Henson authored Feb 10, 2017



Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)

8fd19b20

perlasm/x86_64-xlate.pl: fix pair of typo-bugs in the new cfi_directive. · 88be429f

Andy Polyakov authored Feb 10, 2017



.cfi_{start|end}proc and .cfi_def_cfa were not tracked.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2585)

88be429f