Skip to content
GitLab
  1. 25 Apr, 2015 1 commit
  3. 24 Apr, 2015 3 commits
    • Rich Salz's avatar
      Big apps cleanup (option-parsing, etc) · 7e1b7485
      Rich Salz authored 
      This is merges the old "rsalz-monolith" branch over to master.  The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt.  Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that.  There have been many other changes and code-cleanup, see
bullet list below.

Special thanks to Matt for the long and detailed code review.

TEMPORARY:
        For now, comment out CRYPTO_mem_leaks() at end of main

Tickets closed:
        RT3515: Use 3DES in pkcs12 if built with no-rc2
        RT1766: s_client -reconnect and -starttls broke
        RT2932: Catch write errors
        RT2604: port should be 'unsigned short'
        RT2983: total_bytes undeclared #ifdef RENEG
        RT1523: Add -nocert to fix output in x509 app
        RT3508: Remove unused variable introduced by b09eb246


        RT3511: doc fix; req default serial is random
        RT1325,2973: Add more extensions to c_rehash
        RT2119,3407: Updated to dgst.pod
        RT2379: Additional typo fix
        RT2693: Extra include of string.h
        RT2880: HFS is case-insensitive filenames
        RT3246: req command prints version number wrong

Other changes; incompatibilities marked with *:
        Add SCSV support
        Add -misalign to speed command
        Make dhparam, dsaparam, ecparam, x509 output C in proper style
        Make some internal ocsp.c functions void
        Only display cert usages with -help in verify
        Use global bio_err, remove "BIO*err" parameter from functions
        For filenames, - always means stdin (or stdout as appropriate)
        Add aliases for -des/aes "wrap" ciphers.
        *Remove support for IISSGC (server gated crypto)
        *The undocumented OCSP -header flag is now "-header name=value"
        *Documented the OCSP -header flag

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      7e1b7485
    • Emilia Kasper's avatar
      Fix error checking and memory leaks in NISTZ256 precomputation. · 53dd4ddf
      Emilia Kasper authored 
      

Thanks to Brian Smith for reporting these issues.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      53dd4ddf
    • Emilia Kasper's avatar
      Correctly set Z_is_one on the return value in the NISTZ256 implementation. · c028254b
      Emilia Kasper authored 
      

Also add a few comments about constant-timeness.

Thanks to Brian Smith for reporting this issue.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      c028254b
  5. 22 Apr, 2015 2 commits
    • Loganaden Velvindron's avatar
      Fix CRYPTO_strdup · 8031d26b
      Loganaden Velvindron authored 
      

The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
value from CRYPTO_malloc to see if it is NULL before attempting to use it.
This patch adds a NULL check.

RT3786

Signed-off-by: default avatarMatt Caswell <matt@openssl.org>
(cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60)

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)
      8031d26b
    • Dr. Stephen Henson's avatar
      SSL_CIPHER lookup functions. · 98c9ce2f
      Dr. Stephen Henson authored 
      

Add tables to convert between SSL_CIPHER fields and indices for ciphers
and MACs.

Reorganise ssl_ciph.c to use tables to lookup values and load them.

New functions SSL_CIPHER_get_cipher_nid and SSL_CIPHER_get_digest_nid.

Add documentation.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      98c9ce2f
  7. 21 Apr, 2015 7 commits
  9. 20 Apr, 2015 13 commits
  11. 18 Apr, 2015 1 commit
  13. 17 Apr, 2015 3 commits
  15. 16 Apr, 2015 4 commits
  17. 15 Apr, 2015 3 commits
  19. 14 Apr, 2015 2 commits
    • Matt Caswell's avatar
      Fix ssl_get_prev_session overrun · 5e0a80c1
      Matt Caswell authored 
      

If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      5e0a80c1
    • Matt Caswell's avatar
      Check for ClientHello message overruns · 5e9f0eeb
      Matt Caswell authored 
      

The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      5e9f0eeb
  21. 11 Apr, 2015 1 commit
    • Rich Salz's avatar
      free NULL cleanup 9 · e0e920b1
      Rich Salz authored 
      

Ongoing work to skip NULL check before calling free routine.  This gets:
    ecp_nistz256_pre_comp_free nistp224_pre_comp_free nistp256_pre_comp_free
    nistp521_pre_comp_free PKCS7_free PKCS7_RECIP_INFO_free
    PKCS7_SIGNER_INFO_free sk_PKCS7_pop_free PKCS8_PRIV_KEY_INFO_free
    PKCS12_free PKCS12_SAFEBAG_free PKCS12_free sk_PKCS12_SAFEBAG_pop_free
    SSL_CONF_CTX_free SSL_CTX_free SSL_SESSION_free SSL_free ssl_cert_free
    ssl_sess_cert_free

Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
      e0e920b1