Commits · ae69c7d35351f9b1dcf42a21455e62d0ed5379e9 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

May 12, 2016

Move the DJGPP target to its own config. · ae69c7d3

Richard Levitte authored May 11, 2016

DJGPP is a 3rd party configuration, we rely entirely on the OpenSSL to
help us fine tune and test. Therefore, it's moved to its own config.

Reviewed-by: Andy Polyakov <appro@openssl.org>

ae69c7d3

Fix uninitialized variable · 396ba1ca
Rich Salz authored May 12, 2016
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
396ba1ca

Remove proxy tests. Add verify callback tests. · a263f320

Emilia Kasper authored Apr 07, 2016



The old proxy tests test the implementation of an application proxy
policy callback defined in the test itself, which is not particularly
useful.

It is, however, useful to test cert verify overrides in
general. Therefore, replace these tests with tests for cert verify
callback behaviour.

Also glob the ssl test inputs on the .in files to catch missing
generated files.

Reviewed-by: Rich Salz <rsalz@openssl.org>

a263f320

Appease ubsan · d82c2758

Emilia Kasper authored May 11, 2016



ERR_LIB_USER has value 128, and shifting into the sign bit upsets the
shift sanitizer.

Reviewed-by: Rich Salz <rsalz@openssl.org>

d82c2758

Correctly check for trailing digest options. · 6302bbd2

Dr. Stephen Henson authored May 12, 2016



Multiple digest options to the ocsp utility are allowed: e.g. to use
different digests for different certificate IDs. A digest option without
a following certificate is however illegal.

RT#4215

Reviewed-by: Rich Salz <rsalz@openssl.org>

6302bbd2

Remove openssl.spec · d535e565

Richard Levitte authored May 11, 2016



While it seemed like a good idea to have this file once upon a time,
this kind of file belongs with the package maintainer rather than in
our source.

Reviewed-by: Rich Salz <rsalz@openssl.org>

d535e565

Restore support for ENGINE format keys in apps. · d18ba3cc
Dr. Stephen Henson authored May 10, 2016
```
RT#4207

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
d18ba3cc

Don't use GOST ciphersuites with DTLS. · 48c16012

Dmitry Belyavsky authored May 11, 2016



RT#4438

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

48c16012

Don't leak memory if realloc fails. · 7c0ef843
Dr. Stephen Henson authored May 11, 2016
```
RT#4403

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
7c0ef843

Add a case for 64-bit OS X in config · 3dfcb6a0

Richard Levitte authored May 10, 2016



This makes it possible to just run ./config on a x86_64 machine with
no extra fuss.

RT#4356

Reviewed-by: Tim Hudson <tjh@openssl.org>

3dfcb6a0

May 11, 2016

Fix TLSProxy race by adding missing eval · 7ad5fb62
Viktor Dukhovni authored May 11, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
7ad5fb62
Recommend GH over RT, per team vote. · f2b9c257
Rich Salz authored Apr 26, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
f2b9c257
make update · 19252eef
Richard Levitte authored May 11, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
19252eef

typo · 538dbbc6

Dr. Stephen Henson authored May 11, 2016



RT#4442

Reviewed-by: Emilia Käsper <emilia@openssl.org>

538dbbc6

Update pkcs8 defaults. · 8fc06e88

Dr. Stephen Henson authored May 11, 2016



Update pkcs8 utility to use 256 bit AES using SHA256 by default.

Update documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

8fc06e88

Adding missing BN_CTX_(start/end) in crypto/ec/ec_key.c · 2ab851b7

Steven Valdez authored Mar 01, 2016



RT#4363

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

2ab851b7

Replace cipherlist test · 5a22cf96

Emilia Kasper authored Apr 06, 2016



The old cipherlist test in ssltest.c only tests the internal order of
the cipher table, which is pretty useless.

Replace this test with a test that catches inadvertent changes to the
default cipherlist.

Fix run_tests.pl to correctly filter tests that have "list" in their name.

(Also includes a small drive-by fix in .gitignore.)

Reviewed-by: Rich Salz <rsalz@openssl.org>

5a22cf96

Make null_compression const · 6e3ff632
Matt Caswell authored May 11, 2016
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
6e3ff632

Fix V2ClientHello handling. · cb21df32

David Benjamin authored Mar 05, 2016



The V2ClientHello code creates an empty compression list, but the
compression list must explicitly contain the null compression (and later
code enforces this).

RT#4387

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

cb21df32

Add -signcert to CA.pl usage message. · c1176ebf
Dr. Stephen Henson authored May 10, 2016
```
RT#4256

Reviewed-by: Matt Caswell <matt@openssl.org>
```
c1176ebf

Fix i2d_X509_AUX, update docs and add tests · fde2257f

Viktor Dukhovni authored May 02, 2016



When *pp is NULL, don't write garbage, return an unexpected pointer
or leak memory on error.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

fde2257f

May 10, 2016
- Add a couple of checks to prime app. · 9b5164ce
  Dr. Stephen Henson authored May 10, 2016
```
RT#4402

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  9b5164ce
- Add -srp option to ciphers command. · 1480b8a9
  Dr. Stephen Henson authored May 10, 2016
```
RT#4224

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  1480b8a9
- crypto/des: remove obsolete functions. · bfcdd4d0
  Andy Polyakov authored May 09, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  bfcdd4d0
- Configurations: engage MIPS64 Poly1305 module. · 5d8b70a4
  Andy Polyakov authored May 04, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  5d8b70a4
- MIPS64 assembly pack: add Poly1305 module. · c6b77c16
  Andy Polyakov authored May 04, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  c6b77c16
- Configure: replace which() with IPC::Cmd::can_run. · 6646f69f
  Andy Polyakov authored May 09, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  6646f69f
- windows-makefile.tmpl: minor adjustments. · c3ad47f5
  Andy Polyakov authored May 10, 2016
```
- some Perl versions are allergic to missing ';';
- don't stop if del fails;
- omit unused environment variable;

Reviewed-by: Stephen Henson <steve@openssl.org>
```
  c3ad47f5
- util/mkdef.pl: omit ordinals from Windows DLLs. · 6d8b3dce
  Andy Polyakov authored May 09, 2016
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
  6d8b3dce
- Typo. · 981b5bb8
  Dr. Stephen Henson authored May 10, 2016
```
RT#4538

Reviewed-by: Matt Caswell <matt@openssl.org>
```
  981b5bb8
- Fix the docs for ERR_remove_thread_state and ERR_remove_state · 6d53100f
  Richard Levitte authored May 10, 2016
```
Don't primarly recommend using OPENSSL_thread_stop(), as that's a last
resort.  Instead, recommend leaving it to automatic mechanisms.

Reviewed-by: Matt Caswell <matt@openssl.org>
```
  6d53100f
- Restore the ERR_remove_thread_state() API and make it a no-op · 21e00174
  Richard Levitte authored May 08, 2016
```
The ERR_remove_thread_state() API is restored to take a pointer
argument, but does nothing more.  ERR_remove_state() is also made into
a no-op.  Both functions are deprecated and users are recommended to
use OPENSSL_thread_stop() instead.

Documentation is changed to reflect this.

Reviewed-by: Matt Caswell <matt@openssl.org>
```
  21e00174
- Have [.VMS]openssl_{startup,shutdown}.com depend on respective *.in · 06aa885d
  Richard Levitte authored May 10, 2016
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
```
  06aa885d
- Fix VMS/openssl_{startup,shutddown}.com.in · ee7fb55e
  Richard Levitte authored May 09, 2016
```
They were using the wrong variables.

Reviewed-by: Andy Polyakov <appro@openssl.org>
```
  ee7fb55e
- Configure: adhere to $(CROSS_COMPILE)ranlib. · f58a0acb
  Andy Polyakov authored May 09, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  f58a0acb
- Configure: make it work with Perl 5.10. · c145d197
  Andy Polyakov authored May 09, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  c145d197
- IRIX fixes. · c21c7830
  Andy Polyakov authored May 04, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  c21c7830
May 09, 2016

Add NULL check in i2d_PrivateKey() · 59a56c4c

Richard Levitte authored May 09, 2016



Originally submitted by Kurt Cancemi <kurt@x64architecture.com>

Closes RT#4533

Reviewed-by: Matt Caswell <matt@openssl.org>

59a56c4c

Don't send signature algorithms when client_version is below TLS 1.2. · f7aa3185

David Benjamin authored Mar 05, 2016

Per RFC 5246,

    Note: this extension is not meaningful for TLS versions prior to 1.2.
    Clients MUST NOT offer it if they are offering prior versions.
    However, even if clients do offer it, the rules specified in [TLSEXT]
    require servers to ignore extensions they do not understand.

Although second sentence would suggest that there would be no interop
problems in always offering the extension, WebRTC has reported issues
with Bouncy Castle on < TLS 1.2 ClientHellos that still include
signature_algorithms. See also
https://bugs.chromium.org/p/webrtc/issues/detail?id=4223



RT#4390

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

f7aa3185

Fix BIO_eof() for BIO pairs · 3105d695

Matt Caswell authored May 09, 2016



BIO_eof() was always returning true when using a BIO pair. It should only
be true if the peer BIO is empty and has been shutdown.

RT#1215

Reviewed-by: Richard Levitte <levitte@openssl.org>

3105d695