Commits · c6720f816f4c9373890939d6ec63a7dc29835fdd · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Dec 10, 2016

Additional error tests in evp_test.c · c6720f81

Dr. Stephen Henson authored Dec 10, 2016



Support checking for errors during test initialisation and parsing.

Add errors and tests for key operation initalisation and ctrl errors.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cce65266)

c6720f81

VMS UI_OpenSSL: generate OpenSSL errors when things go wrong. · fad4832a

Richard Levitte authored Dec 09, 2016



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2063)
(cherry picked from commit c922ebe2)

fad4832a

VMS UI_OpenSSL: if the TT device isn't a tty, flag instead of error · feb879b0

Richard Levitte authored Dec 09, 2016



On all platforms, if the controlling tty isn't an actual tty, this is
flagged by setting is_a_tty to zero...  except on VMS, where this was
treated as an error.  Change this to behave like the other platforms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2063)
(cherry picked from commit 18edbe65)

feb879b0

Check input length to pkey_rsa_verify() · f096bbd7

Dr. Stephen Henson authored Dec 08, 2016



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2065)
(cherry picked from commit 71bbc79b)

f096bbd7

Add RSA PSS tests · 1742e840

Dr. Stephen Henson authored Dec 07, 2016



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2065)
(cherry picked from commit 2d7bbd6c)

1742e840

Dec 08, 2016

Remove extra bang · 2c4ee10c

Richard Levitte authored Dec 08, 2016



A bang (!) slipped through in the recent UI cleanup

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2051)
(cherry picked from commit 949320c5)

2c4ee10c

Only call memcpy when the length is larger than 0. · c1f138c1
Kurt Roeckx authored Dec 08, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2050
(cherry picked from commit a19fc66a)
```
c1f138c1

UI code style cleanup · e01cee6d

Richard Levitte authored Dec 08, 2016



Mostly condition check changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2047)
(cherry picked from commit 120fb9e4)

e01cee6d

UI_OpenSSL()'s session opener fails on MacOS X · 58f5f415

Richard Levitte authored Dec 07, 2016



If on a non-tty stdin, TTY_get() will fail with errno == ENODEV.
We didn't catch that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2039)
(cherry picked from commit c901bcce)

58f5f415

In UI_OpenSSL's open(), generate an error on unknown errno · dc76164c

Richard Levitte authored Dec 08, 2016



TTY_get() sometimes surprises us with new errno values to determine if
we have a controling terminal or not.  This generated error is a
helpful tool to figure out that this was what happened and what the
unknown value is.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2043)
(cherry picked from commit 49844486)

dc76164c

Make sure that password_callback exercises UI · e8a93291

Richard Levitte authored Dec 08, 2016



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2040)
(cherry picked from commit 57c0f378)

e8a93291

Add a test for the UI API · b1bbee13

Richard Levitte authored Dec 07, 2016



The best way to test the UI interface is currently by using an openssl
command that uses password_callback.  The only one that does this is
'genrsa'.
Since password_callback uses a UI method derived from UI_OpenSSL(), it
ensures that one gets tested well enough as well.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2040)
(cherry picked from commit 17ac8eaf)

b1bbee13

Dec 07, 2016

UI_process() didn't generate errors · aff927e8

Richard Levitte authored Dec 07, 2016



Since there are many parts of UI_process() that can go wrong, it isn't
very helpful to only return -1 with no further explanation.  With this
change, the error message will at least show which part went wrong.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2037)
(cherry picked from commit 0a687ab0)

aff927e8

Dec 03, 2016
- Restore last-resort expired untrusted intermediate issuers · 72ea4b8d
  Viktor Dukhovni authored Nov 25, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
  72ea4b8d
Nov 29, 2016

Ensure we are in accept state in DTLSv1_listen · 9fa50668

Matt Caswell authored Nov 23, 2016



Calling SSL_set_accept_state() after DTLSv1_listen() clears the state, so
SSL_accept() no longer works. In 1.0.2 calling DTLSv1_listen() would set
the accept state automatically. We should still do that.

Fixes #1989

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 5bdcd362)

9fa50668

Nov 25, 2016

Fix ctrl operation for SHA1/MD5SHA1. · cbc8a839

Dr. Stephen Henson authored Nov 22, 2016



This makes S/MIME and CMS signing in MIME format for SHA1 work again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a5abd438)

cbc8a839

add CMS SHA1 signing test · fb3b70c0

Dr. Stephen Henson authored Nov 22, 2016



Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c6d67f09)

fb3b70c0

INSTALL: clarify 386 and no-sse2 options. · 82593038

Andy Polyakov authored Nov 20, 2016



Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 5ae5dc96)

82593038

modes/ctr128.c: fix false carry in counter increment procedure. · 025697a9

Andy Polyakov authored Nov 20, 2016



GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 76f572ed)

025697a9

test/evptests.txt: add regression test for false carry in ctr128.c. · 04bec2a3

Andy Polyakov authored Nov 20, 2016



GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b47f116b)

04bec2a3

Nov 24, 2016
- Fix a missing function prototype in AFALG engine · e15c45fb
  Matt Caswell authored Nov 23, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a1fd1fb2)
```
  e15c45fb
Nov 23, 2016
- Fix missing NULL checks in CKE processing · efbe126e
  Matt Caswell authored Nov 23, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  efbe126e
Nov 22, 2016

Clarify what X509_NAME_online does with the given buffer and size · 793d9b79

Richard Levitte authored Nov 22, 2016



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1980)
(cherry picked from commit 19cb71ef)

793d9b79

Nov 21, 2016

Add missing -zdelete for some linux arches · e9a86d6b

Kurt Roeckx authored Nov 21, 2016

b6d5ba1a

 forgot to update some linux arches.

Reviewed-by: Richard Levitte <levitte@openssl.org>

GH: #1977
(cherry picked from commit 55ab86e4)

e9a86d6b

Make SSL_read and SSL_write return the old behaviour and document it. · 11f1fd4b

Kurt Roeckx authored Nov 15, 2016

Backport of beacb0f0, revert of
122580ef



Fixes: #1903

Reviewed-by: Matt Caswell <matt@openssl.org>

GH: #1966

11f1fd4b

Make async_read and async_write return -1 on failure. · c947fa49
Kurt Roeckx authored Nov 20, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>

GH: #1966
```
c947fa49

Nov 20, 2016

Skipping tests in evp_test leaks memory · 0a2a5d26

Todd Short authored Nov 17, 2016



When configured with "no-mdc2 enable-crypto-mdebug" the evp_test
will leak memory due to skipped tests, and error out.

Also fix a skip condition

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1946)

0a2a5d26

Nov 18, 2016

Use consistent variable names · 4b9c2669

Beat Bolli authored Nov 18, 2016



In the X509_NAME_get_index_by_NID.pod example, the initialized variable is called
"loc", but the one used in the for loop is called "lastpos". Make the names match.

CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1949)

4b9c2669

Nov 17, 2016

Support MSBLOB format if RC4 is disabled · e597b2ba
Dr. Stephen Henson authored Nov 17, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b6c68982)
```
e597b2ba

Fix MSBLOB format with RSA. · 3ead66d1

Dr. Stephen Henson authored Nov 16, 2016



Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 159f6e7e)

3ead66d1

Make MSBLOB format work with dsa utility. · 11425567
Dr. Stephen Henson authored Nov 16, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b3795987)
```
11425567
Add conversion test for MSBLOB format. · c9a1525c
Dr. Stephen Henson authored Nov 16, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d922634d)
```
c9a1525c

Raise an error on memory alloc failure. · a4905bf6

FdaSilvaYY authored Nov 10, 2016



Both strdup or malloc failure should raise an err.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1905)
(cherry picked from commit bad6b116)

a4905bf6

Missing free item on push failure · c08ce19e

FdaSilvaYY authored Nov 11, 2016



Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1905)
(cherry picked from commit 2d13250f)

c08ce19e

Nov 16, 2016

Move SCT_LIST_free definition into a more logical place · 56518d82

Rob Percival authored Oct 19, 2016



This reflects its position in include/openssl/ct.h.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
(cherry picked from commit e1940e9f)

56518d82

Make sure things get deleted when test setup fails in ct_test.c · 0140f9d9

Rob Percival authored Oct 19, 2016



Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
(cherry picked from commit 765731a8)

0140f9d9

Use valid signature in test_decode_tls_sct() · 6ae6ff57

Rob Percival authored Oct 19, 2016



Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
(cherry picked from commit e2635c49)

6ae6ff57

Pass a temporary pointer to o2i_SCT_signature from SCT_new_from_base64 · 4caa44d7

Rob Percival authored Oct 19, 2016



Otherwise, |dec| gets moved past the end of the signature by
o2i_SCT_signature and then can't be correctly freed afterwards.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
(cherry picked from commit 73ccf3ca)

4caa44d7

Subtract padding from outlen in ct_base64_decode · bb2b6b6c

Rob Percival authored Oct 19, 2016



Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
(cherry picked from commit 70a06fc1)

bb2b6b6c

Construct SCT from base64 in ct_test · 189d4e09

Rob Percival authored Sep 07, 2016



This gives better code coverage and is more representative of how a
user would likely construct an SCT (using the base64 returned by a CT log).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
(cherry picked from commit f7a39a5a)

189d4e09