Commits · 99e1ad3c4bb1dd03f36429c1ce4eafa5ed162964 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Mar 09, 2015

update ordinals · 99e1ad3c
Dr. Stephen Henson authored Mar 09, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
99e1ad3c

Wrong SSL version in DTLS1_BAD_VER ClientHello · f7683aaf

David Woodhouse authored Mar 02, 2015

Since commit 741c9959

 ("DTLS revision."), we put the wrong protocol
version into our ClientHello for DTLS1_BAD_VER. The old DTLS
code which used ssl->version was replaced by the more generic SSL3 code
which uses ssl->client_version. The Cisco ASA no longer likes our
ClientHello.

RT#3711

Reviewed-by: Rich Salz <rsalz@openssl.org>

f7683aaf

Fix DTLS1_BAD_VER regression · 5178a16c

Matt Caswell authored Mar 02, 2015

Commit 9cf0f187 in HEAD, and 68039af3

 in 1.0.2, removed a version check
from dtls1_buffer_message() which was needed to distinguish between DTLS
1.x and Cisco's pre-standard version of DTLS (DTLS1_BAD_VER).

Based on an original patch by David Woodhouse <dwmw2@infradead.org>
RT#3703

Reviewed-by: Tim Hudson <tjh@openssl.org>

5178a16c

Mar 08, 2015

Cleanse PKCS#8 private key components. · a8ae0891

Dr. Stephen Henson authored Mar 03, 2015



New function ASN1_STRING_clear_free which cleanses an ASN1_STRING
structure before freeing it.

Call ASN1_STRING_clear_free on PKCS#8 private key components.

Reviewed-by: Rich Salz <rsalz@openssl.org>

a8ae0891

Additional CMS documentation. · e3013932
Dr. Stephen Henson authored Feb 24, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
e3013932
ARMv4 assembly pack: add Cortex-A15 performance data. · e390ae50
Andy Polyakov authored Mar 03, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
e390ae50

GitHub 237: Use https for IETF links · 63a3c455

Viktor Szakats authored Mar 07, 2015



Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

63a3c455

Mar 06, 2015

make errors · f3b9ce90

Matt Caswell authored Mar 06, 2015



Run make errors on master

Reviewed-by: Richard Levitte <levitte@openssl.org>

f3b9ce90

Update mkerr.pl for new format · 65aaab2f

Matt Caswell authored Mar 06, 2015



Make the output from mkerr.pl consistent with the newly reformatted code.

Reviewed-by: Richard Levitte <levitte@openssl.org>

65aaab2f

update TABLE · c7223a11
Richard Levitte authored Mar 06, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
c7223a11
Cleanup spaces · 4a577300
Richard Levitte authored Mar 06, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
4a577300

Mar 05, 2015

Catch up the VMS build. · cdca82dc

Richard Levitte authored Mar 05, 2015



crypto/crypto-lib.com - catch up with the OCSP changes
test/maketest.com and test/tests.com - catch up with the addition of test_evp_extra

Reviewed-by: Rich Salz <rsalz@openssl.org>

cdca82dc

Make STACK_OF opaque. · 31c2b6ee
Dr. Stephen Henson authored Mar 05, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
31c2b6ee
update ordinals · d62bc5d3
Dr. Stephen Henson authored Mar 05, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
d62bc5d3
Make OCSP structures opaque. · 6ef869d7
Dr. Stephen Henson authored Mar 05, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
6ef869d7

Use constants not numbers · fd865cad

Kurt Cancemi authored Mar 04, 2015



This patch uses warning/fatal constants instead of numbers with comments for
warning/alerts in d1_pkt.c and s3_pkt.c

RT#3725

Reviewed-by: Rich Salz <rsalz@openssl.org>

fd865cad

Unchecked malloc fixes · 918bb865

Matt Caswell authored Mar 04, 2015



Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.

Reviewed-by: Tim Hudson <tjh@openssl.org>

918bb865

Mar 04, 2015

add RIPEMD160 whirlpool tests · 618be04e

Dr. Stephen Henson authored Mar 01, 2015



Add RIPEMD160 and whirlpool test data.
Add Count keyword to repeatedly call EVP_DigestUpate.

Reviewed-by: Matt Caswell <matt@openssl.org>

618be04e

Mar 02, 2015

Check public key is not NULL. · 28a00bcd
Dr. Stephen Henson authored Feb 18, 2015
```
CVE-2015-0288
PR#3708

Reviewed-by: Matt Caswell <matt@openssl.org>
```
28a00bcd

Fix format script. · 437b14b5

Dr. Stephen Henson authored Mar 02, 2015



The format script didn't correctly recognise some ASN.1 macros and
didn't reformat some files as a result. Fix script and reformat
affected files.

Reviewed-by: Tim Hudson <tjh@openssl.org>

437b14b5

Cleanup some doc files · 9f7f8ece

Rich Salz authored Mar 01, 2015



ACKNOWLEDGEMENTS is now spelled correctly :)
README.ASN1 talked about 0.9.6, so it's deleted.
I turned doc/standards.txt into a set of one-line summaries of RFCs, and
also updated the pointers to original sources (to be web links)

Reviewed-by: Richard Levitte <levitte@openssl.org>

9f7f8ece

Mar 01, 2015

Remove experimental 56bit export ciphers · a258afaf

Rich Salz authored Feb 27, 2015



These ciphers are removed:
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA
They were defined in a long-expired IETF internet-draft:
draft-ietf-tls-56-bit-ciphersuites-01.txt

Reviewed-by: Richard Levitte <levitte@openssl.org>

a258afaf

Feb 27, 2015

Fix d2i_SSL_SESSION for DTLS1_BAD_VER · af674d4e

Matt Caswell authored Feb 27, 2015



Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.

This change fixes d2i_SSL_SESSION for that DTLS version.

Based on an original patch by David Woodhouse <dwmw2@infradead.org>

RT#3704

Reviewed-by: Tim Hudson <tjh@openssl.org>

af674d4e

Fixed missing return value checks. · eadf70d2

Matt Caswell authored Feb 26, 2015



Added various missing return value checks in tls1_change_cipher_state.

Reviewed-by: Richard Levitte <levitte@openssl.org>

eadf70d2

Fix missing return value checks. · 687eaf27

Matt Caswell authored Feb 26, 2015



Fixed various missing return value checks in ssl3_send_newsession_ticket.
Also a mem leak on error.

Reviewed-by: Richard Levitte <levitte@openssl.org>

687eaf27

reformat evp_test.c · 366448ec
Dr. Stephen Henson authored Feb 27, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
366448ec
Add OCB support and test vectors for evp_test. · 2207ba7b
Dr. Stephen Henson authored Feb 27, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
2207ba7b
Skip unsupported digests in evp_test · 578ce42d
Dr. Stephen Henson authored Feb 26, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
578ce42d
add MD4 test data · 7406e323
Dr. Stephen Henson authored Feb 26, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
7406e323
Skip unsupported ciphers in evp_test. · 33a89fa6
Dr. Stephen Henson authored Feb 26, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
33a89fa6
Make OpenSSL compile with no-rc4 · 35313768
Dr. Stephen Henson authored Feb 26, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
35313768

Add algorithm skip support. · 7a6c9792

Dr. Stephen Henson authored Feb 26, 2015



Add support for skipping disabled algorithms: if an attempt to load a
public or private key results in an unknown algorithm error then any
test using that key is automatically skipped.

Reviewed-by: Tim Hudson <tjh@openssl.org>

7a6c9792

Feb 26, 2015

Fix evp_extra_test.c with no-ec · a9880362

Matt Caswell authored Feb 26, 2015

When OpenSSL is configured with no-ec, then the new evp_extra_test fails to
pass. This change adds appropriate OPENSSL_NO_EC guards around the code.

Reviewed-by: Tim Hudson <tjh@openssl.org>

a9880362

Remove NETSCAPE_HANG_BUG · cf61ef75

Matt Caswell authored Feb 25, 2015


NETSCAPE_HANG_BUG is a workaround for a browser bug from many years ago
(2000).
It predates DTLS, so certainly has no place in d1_srvr.c.
In s3_srvr.c it forces the ServerDone to appear in the same record as the
CertificateRequest when doing client auth.

BoringSSL have already made the same commit:
79ae85e4f777f94d91b7be19e8a62016cb55b3c5

Reviewed-by: Tim Hudson <tjh@openssl.org>

cf61ef75

Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed · 7a4dadc3
Matt Caswell authored Feb 05, 2015
```
the "-hack" option from s_server that set this option.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
7a4dadc3

Feb 25, 2015
- Update the SHA* documentation · f7812493
  Matt Caswell authored Feb 25, 2015
```
Updates to include SHA224, SHA256, SHA384 and SHA512. In particular note
the restriction on setting md to NULL with regards to thread safety.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  f7812493
- Fix NAME section of d2i_ECPKParameters to prevent broken symlinks when using · 64d27331
  Rainer Jung authored Feb 24, 2015
```
the extract-names.pl script.

RT#3718

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  64d27331
- Fix some minor documentation issues · 12e0ea30
  Matt Caswell authored Feb 20, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  12e0ea30
- Remove pointless free, and use preferred way of calling d2i_* functions · 535bc8fa
  Matt Caswell authored Feb 10, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  535bc8fa
- Add dire warnings about the "reuse" capability of the d2i_* functions. · 09f278f9
  Matt Caswell authored Feb 10, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  09f278f9