Commits · c7223a115f0b372d54f0a50c1e6dc92cabb1429c · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Mar 06, 2015
- update TABLE · c7223a11
  Richard Levitte authored Mar 06, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  c7223a11
- Cleanup spaces · 4a577300
  Richard Levitte authored Mar 06, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  4a577300
Mar 05, 2015

Richard Levitte authored Mar 05, 2015



crypto/crypto-lib.com - catch up with the OCSP changes
test/maketest.com and test/tests.com - catch up with the addition of test_evp_extra

Reviewed-by: Rich Salz <rsalz@openssl.org>

cdca82dc

Make STACK_OF opaque. · 31c2b6ee
Dr. Stephen Henson authored Mar 05, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
31c2b6ee
update ordinals · d62bc5d3
Dr. Stephen Henson authored Mar 05, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
d62bc5d3
Make OCSP structures opaque. · 6ef869d7
Dr. Stephen Henson authored Mar 05, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
6ef869d7

Use constants not numbers · fd865cad

Kurt Cancemi authored Mar 04, 2015



This patch uses warning/fatal constants instead of numbers with comments for
warning/alerts in d1_pkt.c and s3_pkt.c

RT#3725

Reviewed-by: Rich Salz <rsalz@openssl.org>

fd865cad

Unchecked malloc fixes · 918bb865

Matt Caswell authored Mar 04, 2015



Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.

Reviewed-by: Tim Hudson <tjh@openssl.org>

918bb865

Mar 04, 2015

add RIPEMD160 whirlpool tests · 618be04e

Dr. Stephen Henson authored Mar 01, 2015



Add RIPEMD160 and whirlpool test data.
Add Count keyword to repeatedly call EVP_DigestUpate.

Reviewed-by: Matt Caswell <matt@openssl.org>

618be04e

Mar 02, 2015

Check public key is not NULL. · 28a00bcd
Dr. Stephen Henson authored Feb 18, 2015
```
CVE-2015-0288
PR#3708

Reviewed-by: Matt Caswell <matt@openssl.org>
```
28a00bcd

Fix format script. · 437b14b5

Dr. Stephen Henson authored Mar 02, 2015



The format script didn't correctly recognise some ASN.1 macros and
didn't reformat some files as a result. Fix script and reformat
affected files.

Reviewed-by: Tim Hudson <tjh@openssl.org>

437b14b5

Cleanup some doc files · 9f7f8ece

Rich Salz authored Mar 01, 2015



ACKNOWLEDGEMENTS is now spelled correctly :)
README.ASN1 talked about 0.9.6, so it's deleted.
I turned doc/standards.txt into a set of one-line summaries of RFCs, and
also updated the pointers to original sources (to be web links)

Reviewed-by: Richard Levitte <levitte@openssl.org>

9f7f8ece

Mar 01, 2015

Remove experimental 56bit export ciphers · a258afaf

Rich Salz authored Feb 27, 2015



These ciphers are removed:
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA
They were defined in a long-expired IETF internet-draft:
draft-ietf-tls-56-bit-ciphersuites-01.txt

Reviewed-by: Richard Levitte <levitte@openssl.org>

a258afaf

Feb 27, 2015

Fix d2i_SSL_SESSION for DTLS1_BAD_VER · af674d4e

Matt Caswell authored Feb 27, 2015



Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.

This change fixes d2i_SSL_SESSION for that DTLS version.

Based on an original patch by David Woodhouse <dwmw2@infradead.org>

RT#3704

Reviewed-by: Tim Hudson <tjh@openssl.org>

af674d4e

Fixed missing return value checks. · eadf70d2

Matt Caswell authored Feb 26, 2015



Added various missing return value checks in tls1_change_cipher_state.

Reviewed-by: Richard Levitte <levitte@openssl.org>

eadf70d2

Fix missing return value checks. · 687eaf27

Matt Caswell authored Feb 26, 2015



Fixed various missing return value checks in ssl3_send_newsession_ticket.
Also a mem leak on error.

Reviewed-by: Richard Levitte <levitte@openssl.org>

687eaf27

reformat evp_test.c · 366448ec
Dr. Stephen Henson authored Feb 27, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
366448ec
Add OCB support and test vectors for evp_test. · 2207ba7b
Dr. Stephen Henson authored Feb 27, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
2207ba7b
Skip unsupported digests in evp_test · 578ce42d
Dr. Stephen Henson authored Feb 26, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
578ce42d
add MD4 test data · 7406e323
Dr. Stephen Henson authored Feb 26, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
7406e323
Skip unsupported ciphers in evp_test. · 33a89fa6
Dr. Stephen Henson authored Feb 26, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
33a89fa6
Make OpenSSL compile with no-rc4 · 35313768
Dr. Stephen Henson authored Feb 26, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
35313768

Add algorithm skip support. · 7a6c9792

Dr. Stephen Henson authored Feb 26, 2015



Add support for skipping disabled algorithms: if an attempt to load a
public or private key results in an unknown algorithm error then any
test using that key is automatically skipped.

Reviewed-by: Tim Hudson <tjh@openssl.org>

7a6c9792

Feb 26, 2015

Fix evp_extra_test.c with no-ec · a9880362

Matt Caswell authored Feb 26, 2015

When OpenSSL is configured with no-ec, then the new evp_extra_test fails to
pass. This change adds appropriate OPENSSL_NO_EC guards around the code.

Reviewed-by: Tim Hudson <tjh@openssl.org>

a9880362

Remove NETSCAPE_HANG_BUG · cf61ef75

Matt Caswell authored Feb 25, 2015


NETSCAPE_HANG_BUG is a workaround for a browser bug from many years ago
(2000).
It predates DTLS, so certainly has no place in d1_srvr.c.
In s3_srvr.c it forces the ServerDone to appear in the same record as the
CertificateRequest when doing client auth.

BoringSSL have already made the same commit:
79ae85e4f777f94d91b7be19e8a62016cb55b3c5

Reviewed-by: Tim Hudson <tjh@openssl.org>

cf61ef75

Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed · 7a4dadc3
Matt Caswell authored Feb 05, 2015
```
the "-hack" option from s_server that set this option.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
7a4dadc3

Feb 25, 2015

Update the SHA* documentation · f7812493

Matt Caswell authored Feb 25, 2015


Updates to include SHA224, SHA256, SHA384 and SHA512. In particular note
the restriction on setting md to NULL with regards to thread safety.

Reviewed-by: Tim Hudson <tjh@openssl.org>

f7812493

Fix NAME section of d2i_ECPKParameters to prevent broken symlinks when using · 64d27331
Rainer Jung authored Feb 24, 2015
```
the extract-names.pl script.

RT#3718

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
64d27331
Fix some minor documentation issues · 12e0ea30
Matt Caswell authored Feb 20, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
12e0ea30
Remove pointless free, and use preferred way of calling d2i_* functions · 535bc8fa
Matt Caswell authored Feb 10, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
535bc8fa
Add dire warnings about the "reuse" capability of the d2i_* functions. · 09f278f9
Matt Caswell authored Feb 10, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
09f278f9
Provide documentation for i2d_ECPrivateKey and d2i_ECPrivateKey · 93b83d06
Matt Caswell authored Feb 10, 2015
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
93b83d06

Fix a failure to NULL a pointer freed on error. · 9e442d48

Matt Caswell authored Feb 09, 2015



Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>

CVE-2015-0209

Reviewed-by: Emilia Käsper <emilia@openssl.org>

9e442d48

Import evp_test.c from BoringSSL. Unfortunately we already have a file · 71ea6b48
Matt Caswell authored Feb 09, 2015
```
called evp_test.c, so I have called this one evp_extra_test.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
71ea6b48
Add documentation for the -no_alt_chains option for various apps, as well as · fa7b0111
Matt Caswell authored Jan 27, 2015
```
the X509_V_FLAG_NO_ALT_CHAINS flag.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
fa7b0111

Add -no_alt_chains option to apps to implement the new · 25690b7f

Matt Caswell authored Jan 27, 2015

X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

25690b7f

Add flag to inhibit checking for alternate certificate chains. Setting this · 15dba5be
Matt Caswell authored Jan 27, 2015
```
behaviour will force behaviour as per previous versions of OpenSSL

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
15dba5be

In certain situations the server provided certificate chain may no longer be · da084a5e

Matt Caswell authored Jan 27, 2015


valid. However the issuer of the leaf, or some intermediate cert is in fact
in the trust store.

When building a trust chain if the first attempt fails, then try to see if
alternate chains could be constructed that are trusted.

RT3637
RT3621

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

da084a5e

Feb 24, 2015

Remove CVS filtering from find targets · 5b8aa1a2
Rich Salz authored Feb 24, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
5b8aa1a2

Move build config table to separate files. · f09e7ca9

Rich Salz authored Feb 24, 2015



Move the build configuration table into separate files.  The Configurations
file is standard configs, and Configurations.team is for openssl-team
members.  Any other file, Configurations*, found in the same directory
as the Configure script, is loaded.

To add another file, use --config=FILE flags (which should probably be
an absolute path).

Written by Stefen Eissing <stefan.eissing@greenbytes.de> and Rich Salz
<rsalz@openssl.org>, contributed by Akamai Technologies.

Reviewed-by: Richard Levitte <levitte@openssl.org>

f09e7ca9