Commits · afec9f57da80b63957e620219a4f7af8ccdca910 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Nov 10, 2013
- Makefile.org: make FIPS build work with BSD make. · afec9f57
  Andy Polyakov authored Nov 10, 2013
```
(cherry picked from commit 60adefa6)
```
  afec9f57
Nov 09, 2013
- Check for missing components in RSA_check. · 0ec1a778
  Dr. Stephen Henson authored Nov 07, 2013
```
(cherry picked from commit 01be36ef70525e81fc358d2e559bdd0a0d9427a5)
```
  0ec1a778
- Document RSAPublicKey_{in,out} options. · 62c2b6d9
  Dr. Stephen Henson authored Nov 07, 2013
```
(cherry picked from commit 7040d73d22987532faa503630d6616cf2788c975)
```
  62c2b6d9
Nov 08, 2013

engines/ccgost/gost89.h: make word32 defintion unconditional. · 5b989797

Andy Polyakov authored Nov 08, 2013

Original definition depended on __LONG_MAX__ that is not guaranteed to
be present. As we don't support platforms with int narrower that 32 bits
it's appropriate to make defition inconditional.

PR: 3165
(cherry picked from commit 96180cac)

5b989797

modes/asm/ghash-alpha.pl: make it work with older assembler. · 9abbf5cc
Andy Polyakov authored Nov 08, 2013
```
PR: 3165
(cherry picked from commit d24d1d7d)
```
9abbf5cc

Nov 06, 2013
- Enable PSK in FIPS mode. · ddfe486e
  Dr. Stephen Henson authored Nov 06, 2013
```
Enable PSK ciphersuites with AES or DES3 in FIPS mode.
(cherry picked from commit e0ffd129)
```
  ddfe486e
- Initialise context before using it. · 834d30bc
  Dr. Stephen Henson authored Nov 06, 2013
```
(cherry picked from commit a4947e4e)
```
  834d30bc
Nov 03, 2013
- PBKDF2 should be efficient. Contributed by Christian Heimes · e26faa9e
  Ben Laurie authored Nov 03, 2013
```
<christian@python.org>.
```
  e26faa9e
Nov 01, 2013

DTLS/SCTP Finished Auth Bug · 025f7dbd

Robin Seggelmann authored May 09, 2012

PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key.  Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
(cherry picked from commit 9fb523ad)
(cherry picked from commit b9ef52b0)

025f7dbd

DTLS/SCTP struct authchunks Bug · 44f4934b

Robin Seggelmann authored May 09, 2012

PR: 2809

DTLS/SCTP requires DATA and FORWARD-TSN chunks to be protected with
SCTP-AUTH.  It is checked if this has been activated successfully for
the local and remote peer. Due to a bug, however, the
gauth_number_of_chunks field of the authchunks struct is missing on
FreeBSD, and was therefore not considered in the OpenSSL implementation.
This patch sets the corresponding pointer for the check correctly
whether or not this bug is present.
(cherry picked from commit f596e3c4)
(cherry picked from commit b8140811)

44f4934b

Oct 20, 2013

Fix another gmt_unix_time case in server_random · 453ca706
Nick Mathewson authored Oct 20, 2013

453ca706

Don't use RSA+MD5 with TLS 1.2 · 5e1ff664

Dr. Stephen Henson authored Oct 15, 2013

Since the TLS 1.2 supported signature algorithms extension is less
sophisticaed in OpenSSL 1.0.1 this has to be done in two stages.

RSA+MD5 is removed from supported signature algorithms extension:
any compliant implementation should never use RSA+MD5 as a result.

To cover the case of a broken implementation using RSA+MD5 anyway
disable lookup of MD5 algorithm in TLS 1.2.

5e1ff664

Oct 19, 2013
- More cleanup. · 833a8966
  Ben Laurie authored Oct 19, 2013
  
  833a8966
- Cleanup. · 34e43b90
  Ben Laurie authored Oct 19, 2013
  
  34e43b90
- Merge branch 'no_gmt_unix_time' of git://github.com/nmathewson/openssl into OpenSSL_1_0_1-stable · 62036c6f
  Ben Laurie authored Oct 19, 2013
  
  62036c6f
Oct 13, 2013

MIPS assembly pack: get rid of deprecated instructions. · 68dd8512

Andy Polyakov authored Oct 13, 2013

Latest MIPS ISA specification declared 'branch likely' instructions
obsolete. To makes code future-proof replace them with equivalent.
(cherry picked from commit 0c2adb0a)

68dd8512

Oct 12, 2013

aes/asm/bsaes-x86_64.pl: update from master. · bbf9f3c6

Andy Polyakov authored Oct 12, 2013

Performance improvement and Windows-specific bugfix (PR#3139).
(cherry picked from commit 9ed6fba2)

bbf9f3c6

Oct 09, 2013

Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE · 25832701

Nick Mathewson authored Oct 09, 2013

(I'd rather use an option, but it appears that the options field is
full.)

Now, we send the time in the gmt_unix_time field if the appropriate
one of these mode options is set, but randomize the field if the flag
is not set.

25832701

Refactor {client,server}_random to call an intermediate function · 3da721da
Nick Mathewson authored Oct 09, 2013
```
I'll be using this to make an option for randomizing the time.
```
3da721da

Oct 03, 2013
- evp/e_des3.c: fix typo with potential integer overflow on 32-bit platforms. · eb22b7ec
  Andy Polyakov authored Oct 03, 2013
```
Submitted by: Yuriy Kaminskiy
(cherry picked from commit 524b00c0)

Resolved conflicts:

	crypto/evp/e_des3.c
```
  eb22b7ec
Oct 01, 2013
- Constification. · b9391614
  Ben Laurie authored Oct 01, 2013
  
  b9391614
Sep 30, 2013
- Typo. · 82f42a1d
  Dr. Stephen Henson authored Jul 17, 2013
```
(cherry picked from commit 415ece73)
```
  82f42a1d
Sep 22, 2013
- Disable Dual EC DRBG. · a4870de5
  Dr. Stephen Henson authored Sep 16, 2013
```
Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.
```
  a4870de5
- Fix warning. · 39aabe59
  Dr. Stephen Henson authored Sep 16, 2013
  
  39aabe59
Sep 16, 2013
- Do not include a timestamp in the ServerHello Random field. · f4c93b46
  Nick Mathewson authored Sep 16, 2013
```
Instead, send random bytes.
```
  f4c93b46
- Do not include a timestamp in the ClientHello Random field. · 4af79303
  Nick Mathewson authored Sep 07, 2013
```
Instead, send random bytes.

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.
    * If the PRNG output is prone to repeat itself, ephemeral
    * handshakes (and who knows what else besides) are broken.
```
  4af79303
- Update CHANGES. · 13bca90a
  Rob Stradling authored Sep 12, 2013
  
  13bca90a
- Tidy up comments. · c9a6ddaf
  Rob Stradling authored Sep 10, 2013
  
  c9a6ddaf
- Use TLS version supplied by client when fingerprinting Safari. · f4a51970
  Rob Stradling authored Sep 10, 2013
  
  f4a51970
- Fix compilation with no-ec and/or no-tlsext. · 937f125e
  Rob Stradling authored Sep 10, 2013
  
  937f125e
- Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. · 4b61f6d2
  Rob Stradling authored Sep 09, 2013
```
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
```
  4b61f6d2
- Remove AVX and VIS3 support. · d5bff726
  Ben Laurie authored Sep 16, 2013
  
  d5bff726
- gcm128.c: update from master (add AVX and VIS3 support). · 3b4be001
  Andy Polyakov authored May 19, 2013
  
  3b4be001
- crypto/modes: even more strict aliasing fixes [and fix bug in cbc128.c from · 125c2ed8
  Andy Polyakov authored Nov 05, 2012
```
previous cbc128.c commit].
```
  125c2ed8
- cbc128.c: fix strict aliasing warning. · 09da9554
  Andy Polyakov authored Nov 05, 2012
  
  09da9554
- Sync CHANGES and NEWS files. · cc53b385
  Bodo Moeller authored Sep 16, 2013
  
  cc53b385
- Fix overly lenient comparisons: · 0aeeae0c
  Bodo Moeller authored Sep 16, 2013
```
    - EC_GROUP_cmp shouldn't consider curves equal just because
      the curve name is the same. (They really *should* be the same
      in this case, but there's an EC_GROUP_set_curve_name API,
      which could be misused.)

    - EC_POINT_cmp shouldn't return 0 for ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
      or EC_R_INCOMPATIBLE_OBJECTS errors because in a cmp API, 0 indicates
      equality (not an error).

    Reported by: king cope

(cherry picked from commit 312a46791ab465cfa3bf26764361faed0e5df014)
```
  0aeeae0c
Sep 15, 2013
- crypto/armcap.c: fix typo in rdtsc subroutine. · 00c991f0
  Andy Polyakov authored Sep 15, 2013
```
PR: 3125
Submitted by: Kyle McMartin
(cherry picked from commit 8e52a906)
```
  00c991f0
Aug 20, 2013
- Correct ECDSA example. · 55856a7b
  Dr. Stephen Henson authored Aug 20, 2013
```
(cherry picked from commit 3a918ea2bbf4175d9461f81be1403d3781b2c0dc)
```
  55856a7b
Aug 13, 2013

DTLS message_sequence number wrong in rehandshake ServerHello · 83a3af9f

Michael Tuexen authored Aug 13, 2013

This fix ensures that
* A HelloRequest is retransmitted if not responded by a ClientHello
* The HelloRequest "consumes" the sequence number 0. The subsequent
ServerHello uses the sequence number 1.
* The client also expects the sequence number of the ServerHello to
be 1 if a HelloRequest was received earlier.
This patch fixes the RFC violation.
(cherry picked from commit b62f4daa)

83a3af9f