Commits · 77672802a665b26a44524a7a8091e56ee84bdf39 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

24 Jun, 2015 1 commit
- Add docs for ssl verification parameter functions. · 77672802
  Dr. Stephen Henson authored Jun 17, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
  77672802
23 Jun, 2015 14 commits

Rich Salz authored Jun 23, 2015



Move #include's inside the #ifdef.

Reviewed-by: Matt Caswell <matt@openssl.org>

d4dfb0ba

Fix PSK client handling. · a16ca4e8

Dr. Stephen Henson authored Jun 22, 2015



The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).

Reviewed-by: Matt Caswell <matt@openssl.org>

a16ca4e8

Add PSK GCM ciphersuites from RFC5487 · 547dba74
Dr. Stephen Henson authored Jun 17, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
547dba74
PSK trace keyex fixes. · 52f78269
Dr. Stephen Henson authored Jun 17, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
52f78269

Avoid duplication. · c7238204

Dr. Stephen Henson authored Jun 20, 2015



We always free the handshake buffer when digests are freed so move
it into ssl_free_digest_list()

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

c7238204

Tidy up ssl3_digest_cached_records logic. · 124037fd

Dr. Stephen Henson authored Jun 16, 2015



Rewrite ssl3_digest_cached_records handling. Only digest cached records
if digest array is NULL: this means it is safe to call
ssl3_digest_cached_records multiple times (subsequent calls are no op).

Remove flag TLS1_FLAGS_KEEP_HANDSHAKE instead only update handshake buffer
if digest array is NULL.

Add additional "keep" parameter to ssl3_digest_cached_records to indicate
if the handshake buffer should be retained after digesting cached records
(needed for TLS 1.2 client authentication).

Reviewed-by: Matt Caswell <matt@openssl.org>

124037fd

More secure storage of key material. · 74924dcb

Rich Salz authored Apr 24, 2015



Add secure heap for storage of private keys (when possible).
Add BIO_s_secmem(), CBIGNUM, etc.
Add BIO_CTX_secure_new so all BIGNUM's in the context are secure.
Contributed by Akamai Technologies under the Corporate CLA.

Reviewed-by: Richard Levitte <levitte@openssl.org>

74924dcb

Add $! to errors, use script basename. · ce7e647b
Rich Salz authored Jun 23, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
ce7e647b
GH297: Fix NAME section of SSL_CTX_use_serverinfo.pod · 4ba81134
Vitezslav Cizek authored Jun 16, 2015
```
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
```
4ba81134
RT3682: Avoid double-free on OCSP parse error · 4b8d8e2a
Rich Salz authored Jun 13, 2015
```
Found by Kurt Cancemi.

Reviewed-by: Matt Caswell <matt@openssl.org>
```
4b8d8e2a
RT3856: Fix memory leaks in test code · 2d540402
Russell Webb authored Jun 13, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
2d540402
make update · a1c506ae
Richard Levitte authored Jun 23, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
a1c506ae

Rearrange rsaz · ed45f3c2

Richard Levitte authored Jun 23, 2015



A small rearrangement so the inclusion of rsaz_exp.h would be
unconditional, but what that header defines becomes conditional.

This solves the weirdness where rsaz_exp.h gets in and out of the
dependency list for bn_exp.c, depending on the present architecture.

Reviewed-by: Rich Salz <rsalz@openssl.org>

ed45f3c2

RT3907-fix · cc3f3fc2

Rich Salz authored Jun 22, 2015



Typo in local variable name; introduced by previous fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>

cc3f3fc2

22 Jun, 2015 6 commits

RT3907: avoid "local" in testssl script · 75ba5c58
Rich Salz authored Jun 13, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
75ba5c58
Remove SESS_CERT entirely. · 389ebcec
Dr. Stephen Henson authored Jun 21, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
389ebcec
Move peer chain to SSL_SESSION structure. · c34b0f99
Dr. Stephen Henson authored Jun 21, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
c34b0f99

Remove unnuecessary ifdefs. · 8df53b7a

Dr. Stephen Henson authored Jun 21, 2015



If RSA or DSA is disabled we will never use a ciphersuite with
RSA/DSA authentication as it is already filtered out by the cipher
list logic.

Reviewed-by: Richard Levitte <levitte@openssl.org>

8df53b7a

Remove certificates from sess_cert · a273c6ee

Dr. Stephen Henson authored Jun 21, 2015



As numerous comments indicate the certificate and key array is not an
appopriate structure to store the peers certificate: so remove it and
just the s->session->peer instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>

a273c6ee

Remove peer temp keys from SESS_CERT · 8d92c1f8
Dr. Stephen Henson authored Jun 21, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
8d92c1f8

21 Jun, 2015 13 commits
- RT3917: add cleanup on an error path · 7fba8407
  Rich Salz authored Jun 21, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  7fba8407
- Cleanup mttest.c : because we no longer use stdio here, don't include it · 8ca96efd
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  8ca96efd
- Add -ldl to the build of mttest.c · d62c98c8
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  d62c98c8
- Cleanup mttest.c : use BIO_free only, no preceding hacks · 03b672de
  Richard Levitte authored Jun 21, 2015
```
Since [sc]_ssl->[rw]bio aren't available, do not try to fiddle with
them.  Surely, a BIO_free on the "main" BIOs should be enough

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  03b672de
- Cleanup mttest.c : do not try to output reference counts when threads are done · 96462695
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  96462695
- Cleanup mttest.c : better error reporting when certs are miggins · 7a1789d2
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  7a1789d2
- Cleanup mttest.c : make ssl_method a pointer to const · f4c73bfe
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  f4c73bfe
- Cleanup mttest.c : modernise output · bb8abd67
  Richard Levitte authored Jun 21, 2015
```
Construct bio_err and bio_stdout from file handles instead of FILE
pointers, since the latter might not be implemented (when OPENSSL_NO_STDIO
is defined).
Convert all output to use BIO_printf.
Change lh_foo to lh_SSL_SESSION_foo.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  bb8abd67
- Cleanup mttest.c : modernise the threads setup · 5c78e183
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  5c78e183
- Cleanup mttest.c : remove MS_CALLBACK · a3f92865
  Richard Levitte authored Jun 21, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  a3f92865
- Revert "Avoid duplication." · f6a10313
  Dr. Stephen Henson authored Jun 21, 2015
```
This reverts commit d480e182

.

Commit broke TLS handshakes due to fragility of digest caching: that will be
fixed separately.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  f6a10313
- Avoid duplication. · d480e182
  Dr. Stephen Henson authored Jun 20, 2015
```
We always free the handshake buffer when digests are freed so move
it into ssl_free_digest_list()

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  d480e182
- remove unnecessary NULL checks · 85fb6fda
  Dr. Stephen Henson authored Jun 20, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  85fb6fda
20 Jun, 2015 1 commit
- typo: should be OPENSSL_free · bc9567cd
  Dr. Stephen Henson authored Jun 20, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  bc9567cd
16 Jun, 2015 2 commits
- Make preprocessor error into real preprocessor error · b4f0d1a4
  Richard Levitte authored Jun 15, 2015
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
  b4f0d1a4
- Remove one extraneous parenthesis · 30cf9178
  Richard Levitte authored Jun 13, 2015
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
  30cf9178
15 Jun, 2015 3 commits

RT2547: Tighten perms on generated privkey files · 3b061a00

Rich Salz authored May 02, 2015

When generating a private key, try to make the output file be readable
only by the owner. Put it in CHANGES file since it might be noticeable.

Add "int private" flag to apps that write private keys, and check that it's
set whenever we do write a private key. Checked via assert so that this
bug (security-related) gets fixed. Thanks to Viktor for help in tracing
the code-paths where private keys are written.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

3b061a00

Refactor into clear_ciphers; RT3588 · d31fb0b5

Rich Salz authored Jun 13, 2015



While closing RT3588 (Remove obsolete comment) Kurt and I saw that a
few lines to completely clear the SSL cipher state could be moved into
a common function.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

d31fb0b5

Fix argument processing error from the option parsing change over. · 29eca1c0
Tim Hudson authored Jun 15, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
29eca1c0