Commits · 4ce632fb45f4278f7e23fb545b8e380333e17905 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Jan 22, 2015
- More indent fixes for STACK_OF · 4ce632fb
  Matt Caswell authored Jan 21, 2015
```
Conflicts:
	ssl/s3_lib.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  4ce632fb
- Fix indent issue with functions using STACK_OF · 7b1ac234
  Matt Caswell authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  7b1ac234
- Fix indent issue with engine.h · bdc21a15
  Matt Caswell authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  bdc21a15
- Fix logic to check for indent.pro · 39108d59
  Matt Caswell authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  39108d59
- crypto/cryptlib.c: make it indent-friendly. · d565023a
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  d565023a
- bn/bntest.c: make it indent-friendly. · 96a66a97
  Andy Polyakov authored Jan 20, 2015
```
Conflicts:
	crypto/bn/bntest.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  96a66a97
- bn/bn_recp.c: make it indent-friendly. · 20c554ce
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  20c554ce
- engines/e_ubsec.c: make it indent-friendly. · d72781b4
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  d72781b4
- apps/speed.c: make it indent-friendly. · ff397a8f
  Andy Polyakov authored Jan 20, 2015
```
Conflicts:
	apps/speed.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  ff397a8f
- bn/rsaz_exp.c: make it indent-friendly. · abef2b4c
  Andy Polyakov authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  abef2b4c
- Fix make errors · d2f8517a
  Matt Caswell authored Jan 14, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  d2f8517a
- Make the script a little more location agnostic · 27df27d4
  Richard Levitte authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  27df27d4
- Provide script for filtering data initialisers for structs/unions. indent just can't handle it. · 4a81e0f0
  Matt Caswell authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  4a81e0f0
- Script fixes. · 24e6a032
  Dr. Stephen Henson authored Jan 20, 2015
```
Don't use double newline for headers.
Don't interpret ASN1_PCTX as start of an ASN.1 module.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  24e6a032
- Run expand before perl, to make sure things are properly aligned · 9d63b5e3
  Richard Levitte authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  9d63b5e3
- Force the use of our indent profile · a45030fc
  Richard Levitte authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  a45030fc
- Provide source reformating script. Requires GNU indent to be · 45b575a0
  Tim Hudson authored Jan 05, 2015
```
available.

Script written by Tim Hudson, with amendments by Steve Henson, Rich Salz and
Matt Caswell

Reviewed-by: Matt Caswell <matt@openssl.org>
```
  45b575a0
- Fix source where indent will not be able to cope · bc2d623c
  Matt Caswell authored Jan 19, 2015
```
Conflicts:
	apps/ciphers.c
	ssl/s3_pkt.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  bc2d623c
- Additional comment changes for reformat of 1.0.2 · c695ebe2
  Matt Caswell authored Jan 16, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  c695ebe2
- Further comment amendments to preserve formatting prior to source reformat · e19d4a99
  Matt Caswell authored Jan 05, 2015
```
(cherry picked from commit 4a7fa26ffd65bf36beb8d1cb8f29fc0ae203f5c5)

Conflicts:
	crypto/x509v3/pcy_tree.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  e19d4a99
- mark all block comments that need format preserving so that · 6977c7e2
  Tim Hudson authored Dec 28, 2014
```
indent will not alter them when reformatting comments

(cherry picked from commit 1d97c843

)

Conflicts:
	crypto/bn/bn_lcl.h
	crypto/bn/bn_prime.c
	crypto/engine/eng_all.c
	crypto/rc4/rc4_utl.c
	crypto/sha/sha.h
	ssl/kssl.c
	ssl/t1_lib.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  6977c7e2
Jan 13, 2015
- Define CFLAGS as cflags on VMS as well · 43257b9f
  Richard Levitte authored Jan 13, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
  OpenSSL_1_0_2-pre-reformat
  
  43257b9f
- Add Broadwell performance results. · 10771e34
  Andy Polyakov authored Jan 05, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b3d72949)
```
  10771e34
- Make output from openssl version -f consistent with previous versions · 36f694e0
  Matt Caswell authored Jan 13, 2015
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 2d267179)
```
  36f694e0
- Fix warning where BIO_FLAGS_UPLINK was being redefined. · 635ca444
  Matt Caswell authored Jan 10, 2015
```
This warning breaks the build in 1.0.0 and 0.9.8

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b1ffc6ca)
```
  635ca444
- Avoid deprecation problems in Visual Studio 13 · bd00b8dc
  Matt Caswell authored Jan 09, 2015
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 86d21d0b)
```
  bd00b8dc
Jan 12, 2015

Allow multiple IDN xn-- indicators · 2194b369

Rich Salz authored Jan 12, 2015



Update the X509v3 name parsing to allow multiple xn-- international
domain name indicators in a name.  Previously, only allowed one at
the beginning of a name, which was wrong.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 31d1d374)

2194b369

Jan 10, 2015

Make build reproducible · e81a8365

Kurt Roeckx authored Jan 02, 2015



It contained a date on when it was build.

Reviewed-by: Rich Salz <rsalz@openssl.org>

e81a8365

Jan 09, 2015

Further windows specific .gitignore entries · cbbb952f

Matt Caswell authored Jan 09, 2015



Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 41c9cfbc)

cbbb952f

Update .gitignore with windows files to be excluded from git · 04f670cf
Matt Caswell authored Jan 09, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	.gitignore
```
04f670cf

Jan 08, 2015

Fix build failure on Windows due to undefined cflags identifier · 5cee7238
Matt Caswell authored Jan 08, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5c5e7e1a)
```
5cee7238

A memory leak can occur in dtls1_buffer_record if either of the calls to · 7c6a3cf2

Matt Caswell authored Jan 07, 2015


ssl3_setup_buffers or pqueue_insert fail. The former will fail if there is a
malloc failure, whilst the latter will fail if attempting to add a duplicate
record to the queue. This should never happen because duplicate records should
be detected and dropped before any attempt to add them to the queue.
Unfortunately records that arrive that are for the next epoch are not being
recorded correctly, and therefore replays are not being detected.
Additionally, these "should not happen" failures that can occur in
dtls1_buffer_record are not being treated as fatal and therefore an attacker
could exploit this by sending repeated replay records for the next epoch,
eventually causing a DoS through memory exhaustion.

Thanks to Chris Mueller for reporting this issue and providing initial
analysis and a patch. Further analysis and the final patch was performed by
Matt Caswell from the OpenSSL development team.

CVE-2015-0206

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 652ff0f4796eecd8729b4690f2076d1c7ccb2862)

7c6a3cf2

Unauthenticated DH client certificate fix. · be3fb8d1

Dr. Stephen Henson authored Oct 23, 2014



Fix to prevent use of DH client certificates without sending
certificate verify message.

If we've used a client certificate to generate the premaster secret
ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
never called.

We can only skip the certificate verify message in
ssl3_get_cert_verify if the client didn't send a certificate.

Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2015-0205
Reviewed-by: Matt Caswell <matt@openssl.org>

be3fb8d1

Follow on from CVE-2014-3571. This fixes the code that was the original source · fb73f12a

Matt Caswell authored Jan 03, 2015

of the crash due to p being NULL. Steve's fix prevents this situation from
occuring - however this is by no means obvious by looking at the code for
dtls1_get_record. This fix just makes things look a bit more sane.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

fb73f12a

Fix crash in dtls1_get_record whilst in the listen state where you get two · 25d738c3

Dr. Stephen Henson authored Jan 03, 2015


separate reads performed - one for the header and one for the body of the
handshake record.

CVE-2014-3571

Reviewed-by: Matt Caswell <matt@openssl.org>

25d738c3

Fix for CVE-2014-3570 (with minor bn_asm.c revamp). · 49446ea6

Andy Polyakov authored Jan 05, 2015



Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 56df92efb6893abe323307939425957ce878c8f0)

49446ea6

Jan 07, 2015

fix error discrepancy · f33ab61b

Dr. Stephen Henson authored Jan 07, 2015



Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4a4d4158)

f33ab61b

Fix irix-cc build. · 2d63d0c8

Andy Polyakov authored Jan 05, 2015



Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e464403d)

2d63d0c8

VMS fixups for 1.0.2 · cfb5d6c1
Richard Levitte authored Jan 07, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
cfb5d6c1

Jan 06, 2015

use correct credit in CHANGES · a936ba11

Dr. Stephen Henson authored Jan 06, 2015



Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4138e388)

a936ba11