Commits · 907e95006820c84d2efe1adb2c8af8340f3ba6cc · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Feb 05, 2016

Use BN_bn2binpad · 907e9500
Dr. Stephen Henson authored Feb 03, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
907e9500
use enum type for do_EC_KEY_print · d6755bb6
Dr. Stephen Henson authored Feb 03, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
d6755bb6

update EC ASN1 and print routines · d810700b

Dr. Stephen Henson authored Feb 01, 2016



Update EC ASN.1 and print routines to use EC_KEY_oct2priv and
EC_KEY_priv2oct.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

d810700b

Add EC_KEY_oct2priv and EC_KEY_priv2oct · cf241395

Dr. Stephen Henson authored Feb 01, 2016



New functions EC_KEY_oct2priv and EC_KEY_priv2oct. These are private key
equivalents of EC_POINT_oct2point and EC_POINT_point2oct which convert
between the private key octet format and EC_KEY.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

cf241395

Add ASN1_buf_print to print a buffer in ASN1_bn_print format. · 26c255fc
Dr. Stephen Henson authored Jan 27, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
26c255fc

Feb 04, 2016

Don't use RDRAND if told not to · d698550f

Matt Caswell authored Feb 04, 2016



Ensure we respect OPENSSL_NO_RDRAND

Reviewed-by: Rich Salz <rsalz@openssl.org>

d698550f

Initialise with -1 rather than 1 · c4cbf9b3
Richard Levitte authored Feb 05, 2016
```
A small typo crept in.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
c4cbf9b3
Add new DTLS-SRTP protection profiles from RFC 7714 · 43e5faa2
Dmitry Sobinov authored Jan 02, 2016
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
```
43e5faa2

Add checks for IPv4 and IPv6 in OpenSSL::Test::Utils and use them · b7be6d22

Richard Levitte authored Feb 04, 2016



This uilds on the same way of checking for availability as we do in
TLSProxy.  We use all IP factories we know of, starting with those who
know both IPv6 and IPv4 and ending with the one that only knows IPv4
and cache their possible success as foundation for checking the
available of each IP domain.

80-test_ssl.t has bigger chances of working on platforms that do not
run both IP domains.

Reviewed-by: Rich Salz <rsalz@openssl.org>

b7be6d22

Update crypto/bio/build.info · b8c84b28
Richard Levitte authored Feb 04, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
b8c84b28
Fix pkeyutl inability to directly access keys on hardware tokens · 9880236e
Mouse authored Jan 13, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
9880236e

Change the transfer perl module so the real module gets properly registered · 1cc98f75

Richard Levitte authored Feb 04, 2016



This is an important move if scripts want to refer to the loaded
module without having perl think it needs to be loaded (again).

Reviewed-by: Rich Salz <rsalz@openssl.org>

1cc98f75

Add option to disable async · 52739e40

Todd Short authored Feb 04, 2016



Add no-async option to Configure that forces ASYNC_NULL.
Related to RT1979
An embedded system or replacement C library (e.g. musl or uClibc)
may not support the *context APIs that are needed for async operation.

Compiles with musl. Ran unit tests, async tests skipped as expected.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

52739e40

Make sure getaddrinfo and getnameinfo works as intended on Windows · ed03c461

Richard Levitte authored Feb 04, 2016



Both getaddrinfo() and getnameinfo() have to be preceeded with a call
to BIO_sock_init().

Also, make sure to give gai_strerror() the actual error code.

Reviewed-by: Stephen Henson <steve@openssl.org>

ed03c461

If egd is disabled by default, it should be possible to enable · b31feae6
Richard Levitte authored Feb 03, 2016
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
```
b31feae6
Add ec -check option · 7565cbc4
Dr. Stephen Henson authored Feb 04, 2016
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
```
7565cbc4

Fix potential buffer overrun · 947f9da1

Dmitry-Me authored Feb 04, 2016



Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>

947f9da1

Use WSAGetLastError() on windows · c86d1f19

Kurt Roeckx authored Feb 04, 2016



Windows doesn't have h_error or hstrerror()

Reviewed-by: Richard Levitte <levitte@openssl.org>

MR: #1848

c86d1f19

Restore xmm7 from the correct address on win64 · df057ea6
Kurt Roeckx authored Feb 03, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>

RT: #4288, MR: #1831
```
df057ea6
update OID tables · da15ce22
Dr. Stephen Henson authored Feb 04, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
da15ce22
Add Curve OIDs from draft-josefsson-pkix-newcurves · d8489448
Dr. Stephen Henson authored Feb 03, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
d8489448
RT2887: Add more packet and handshake types · 7429b398
Daniel Black authored Feb 03, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
7429b398

Fix BN_gcd errors for some curves · 3a6a4a93

Billy Brumley authored Jan 20, 2016



Those even order that do not play nicely with Montgomery arithmetic

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

3a6a4a93

RT3095: allow NULL key for single-shot HMAC · b1413d9b

Emilia Kasper authored Sep 10, 2015



In HMAC_Init_ex, NULL key signals reuse, but in single-shot HMAC,
we can allow it to signal an empty key for convenience.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

b1413d9b

bio_err.c: remove a reappeared filename comment · bdb7a621

Viktor Szakats authored Feb 04, 2016


Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

bdb7a621

Make fallback addresses static so that we can initialize it · 37e3daf4
Kurt Roeckx authored Feb 04, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>

MR: #1841
```
37e3daf4
Only use TLS1.2 when it's available · 47c1a0e0
Richard Levitte authored Feb 04, 2016
```
Reviewed-by: Ben Laurie <ben@openssl.org>
```
47c1a0e0

Have 70-test_clienthello.t be selective on when it can be run · c02bcb66

Richard Levitte authored Feb 04, 2016



The test program clienthello checks TLS extensions, so there's no
point running it when no TLS protocol is available.

Reviewed-by: Ben Laurie <ben@openssl.org>

c02bcb66

Have OpenSSL::Test::Utils::available_protocols load configdata as well · 1fff160b

Richard Levitte authored Feb 04, 2016



Otherwise, it could typically always return an empty list, since it's
often called first if at all.

Reviewed-by: Ben Laurie <ben@openssl.org>

1fff160b

RT2752: Add some EKU OID's · d9f77726

Rich Salz authored Feb 03, 2016



And some others found in the Internet.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

d9f77726

Handle localhost being either 127.0.0.1 or ::1 · 4c35c936

Viktor Dukhovni authored Feb 03, 2016



When connecting to "localhost" the Proxy's choice of client address
family may not match the server's choice address family.  Without
MultiHomed => 1, the proxy may try the wrong address family first,
and give up without trying the other.

Reviewed-by: Richard Levitte <levitte@openssl.org>

4c35c936

Use matching quotes · ef249929
Richard Levitte authored Feb 04, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
ef249929
Make the mk1mf 'mv' command variable · db73bd22
Richard Levitte authored Feb 04, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
db73bd22

Feb 03, 2016

Tweak opensslconf.h.in for style · cde052f5
Rich Salz authored Jan 31, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
cde052f5
Use BIO_snprintf() rather than snprintf() · 6339ece1
Richard Levitte authored Feb 03, 2016
```
Some platforms do not have the latter.

Reviewed-by: Matt Caswell <matt@openssl.org>
```
6339ece1
Refactoring BIO: small test correction · b7d53d41
Richard Levitte authored Feb 03, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
b7d53d41

GH614: Use memcpy()/strdup() when possible · a89c9a0d

Dmitry-Me authored Feb 03, 2016



Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>

a89c9a0d

Refactoring BIO: Add a few lines in CHANGES & NEWS · 0f45c26f
Richard Levitte authored Feb 03, 2016
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
0f45c26f

Refactoring BIO: add a simple networking test of s_client and s_server · 72b65aa4

Richard Levitte authored Feb 03, 2016



This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead IO::Socket::INET if one of them is installed.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

72b65aa4

Refactoring BIO: Adapt s_client and s_server · ab69ac00

Richard Levitte authored Feb 03, 2016



s_socket.c gets brutally cleaned out and now consists of only two
functions, one for client and the other for server.  They both handle
AF_INET, AF_INET6 and additionally AF_UNIX where supported.  The rest
is just easy adaptation.

Both s_client and s_server get the new flags -4 and -6 to force the
use of IPv4 or IPv6 only.

Also, the default host "localhost" in s_client is removed.  It's not
certain that this host is set up for both IPv4 and IPv6.  For example,
Debian has "ip6-localhost" as the default hostname for [::1].  The
better way is to default |host| to NULL and rely on BIO_lookup() to
return a BIO_ADDRINFO with the appropriate loopback address for IPv4
or IPv6 as indicated by the |family| parameter.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

ab69ac00