Commits · bb90d02a71c60bc16389fba4ff06965714b1826f · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

15 Feb, 2017 8 commits

Matt Caswell authored Feb 15, 2017



Causes make update to fail.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2634)

bb90d02a

Skip curve check if sigalg doesn't specify a curve. · a34a9df0

Dr. Stephen Henson authored Feb 14, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)

a34a9df0

Use CERT_PKEY pointer instead of index · a497cf25

Dr. Stephen Henson authored Feb 14, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)

a497cf25

Simplify tls_construct_server_key_exchange · f695571e

Dr. Stephen Henson authored Feb 13, 2017



Use negotiated signature algorithm and certificate index in
tls_construct_key_exchange instead of recalculating it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)

f695571e

Use cert_index and sigalg · f365a3e2

Dr. Stephen Henson authored Feb 13, 2017



Now the certificate and signature algorithm is set in one place we
can use it directly insetad of recalculating it. The old functions
ssl_get_server_send_pkey() and ssl_get_server_cert_index() are no
longer required.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)

f365a3e2

Add sigalg for earlier TLS versions · 0972bc5c

Dr. Stephen Henson authored Feb 13, 2017



Update tls_choose_sigalg to choose a signature algorithm for all
versions of TLS not just 1.3.

For TLS 1.2 we choose the highest preference signature algorithm
for the chosen ciphersuite.

For TLS 1.1 and earlier the signature algorithm is determined by
the ciphersuite alone. For RSA we use a special MD5+SHA1 signature
algorithm.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)

0972bc5c

Change tls_choose_sigalg so it can set errors and alerts. · 4a419f60
Dr. Stephen Henson authored Feb 13, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
```
4a419f60

add ssl_has_cert · 4020c0b3

Dr. Stephen Henson authored Feb 13, 2017



Add inline function ssl_has_cert which checks to see if a certificate and
private key for a given index are not NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)

4020c0b3

14 Feb, 2017 24 commits

Fix a few typos · 7e12cdb5

FdaSilvaYY authored Feb 07, 2017


[skip ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2571)

7e12cdb5

Remove obsolete comment · 7c120357

Guido Vranken authored Feb 11, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)

7c120357

Prevents that OPENSSL_gmtime incorrectly signals success if gmtime_r fails,... · 873019f2

Guido Vranken authored Sep 22, 2016


Prevents that OPENSSL_gmtime incorrectly signals success if gmtime_r fails, and that struct* tm result's possibly uninitialized content is used

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)

873019f2

Use TLSEXT_KEYNAME_LENGTH in tls_decrypt_ticket. · 57b0d651

Bernd Edlinger authored Feb 13, 2017



Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2618)

57b0d651

Prevent allocations of size 0 in sh_init, which are not possible with the... · 7f07149d

Guido Vranken authored Feb 13, 2017


Prevent allocations of size 0 in sh_init, which are not possible with the default OPENSSL_zalloc, but are possible if the user has installed their own allocator using CRYPTO_set_mem_functions. If the 0-allocations succeeds, the secure heap code will later access (at least) the first byte of that space, which is technically an OOB access. This could lead to problems with some custom allocators that only return a valid pointer for subsequent free()-ing, and do not expect that the pointer is actually dereferenced.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2605)

7f07149d

Add Sieve support (RFC 5804) to s_client ("-starttls sieve") · 20967afb

Robert Scheck authored Feb 09, 2017



Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2300)

20967afb

Add no-ec build · b08ee30b

Rich Salz authored Feb 14, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2626)

b08ee30b

Make -xcert work again. · 52f4840c

Dr. Stephen Henson authored Feb 14, 2017



When a certificate is prepended update the list pointer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2628)

52f4840c

Fix no-ec compilation · deb2d5e7

Matt Caswell authored Feb 14, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2624)

deb2d5e7

Remove a double call to ssl3_send_alert() · 429ff318

Matt Caswell authored Feb 08, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

429ff318

Fix a bogus uninit variable warning · 319a33d0

Matt Caswell authored Feb 08, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

319a33d0

Add a bytestogroup macro · 0dd7ba24

Matt Caswell authored Feb 06, 2017



For converting the 2 byte group id into an unsigned int.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

0dd7ba24

Various style fixes following review feedback · 2248dbeb

Matt Caswell authored Feb 06, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

2248dbeb

Update the tls13messages test to add some HRR scenarios · b0bfd140

Matt Caswell authored Feb 02, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

b0bfd140

Update the kex modes tests to check various HRR scenarios · d542790b

Matt Caswell authored Feb 02, 2017



Make sure we get an HRR in the right circumstances based on kex mode.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

d542790b

Update TLSProxy to know about HelloRetryRequest messages · 0adb6417

Matt Caswell authored Feb 02, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

0adb6417

Update test counting in checkhandshake.pm · f6cec2d8

Matt Caswell authored Feb 02, 2017



Previously counting the number of tests in checkhandshake.pm took an
initial guess and then modified it based on various known special
cases. That is becoming increasingly untenable, so this changes it to
properly calculate the number of tests we expect to run.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

f6cec2d8

Update the key_share tests for HelloRetryRequest · 38f5c30b

Matt Caswell authored Feb 02, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

38f5c30b

Add trace support for HelloRetryRequest · 87d70b63

Matt Caswell authored Feb 02, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

87d70b63

Implement support for resumption with a HelloRetryRequest · aff9929b

Matt Caswell authored Feb 01, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

aff9929b

Add client side support for parsing Hello Retry Request · 3847d426

Matt Caswell authored Feb 01, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)

3847d426

Add server side support for creating the Hello Retry Request message · 7d061fce
Matt Caswell authored Jan 30, 2017
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
```
7d061fce
Make the context available to the extensions parse and construction funcs · 61138358
Matt Caswell authored Jan 31, 2017
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
```
61138358

mem leak on error path and error propagation fix · e0670973

Yuchi authored Feb 05, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)

e0670973

13 Feb, 2017 8 commits

aes/asm/*-x86_64.pl: add CFI annotations. · b84460ad
Andy Polyakov authored Feb 10, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
b84460ad
perlasm/x86_64-xlate.pl: recognize even offset(%reg) in cfa_expression. · 1cb35b47
Andy Polyakov authored Feb 10, 2017
```
This is handy when "offset(%reg)" is a perl variable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
1cb35b47
ec/asm/ecp_nistz256-x86_64.pl: add CFI directives. · 86e11278
Andy Polyakov authored Feb 10, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
86e11278
ec/asm/ecp_nistz256-x86_64.pl: fix typo-bug in Win64 SE handler. · 79ca382d
Andy Polyakov authored Feb 10, 2017
```
Thanks to Jun Sun for spotting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
79ca382d

Further improvements to ASYNC_WAIT_CTX_clear_fd · 219aa86c

Andrea Grandi authored Feb 10, 2017



Remove call to cleanup function
Use only one loop to find previous element

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)

219aa86c

Remove fd from the list when the engine clears the wait context before pause · f89dd673

Andrea Grandi authored Feb 03, 2017



This fixes the num of fds added/removed returned by ASYNC_WAIT_CTX_get_changed_fds

Previously, the numbers were not consistent with the fds actually written in
the buffers since the fds that have been both added and removed are explicitly
ignored in the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)

f89dd673

Add test to show wrong behavior of ASYNC_WAIT_CTX · f44e6364

Andrea Grandi authored Jan 26, 2017



This happens when a fd is added and then immediately removed from the
ASYNC_WAIT_CTX before pausing the job.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)

f44e6364

{md5,rc4}/asm/*-x86_64.pl: add CFI annotations. · 2dfb52d3
Andy Polyakov authored Feb 11, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
2dfb52d3