Commits · f6c460e8f69e90fdb87129bb70951ced89c7906f · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

20 Jul, 2016 4 commits

FdaSilvaYY authored May 09, 2016



Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)

f6c460e8

Simplify code related to tmp_email_dn. · cdd202f2

FdaSilvaYY authored May 30, 2016



Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)

cdd202f2

Use more X509_REQ_get0_pubkey & X509_get0_pubkey · 1c72f70d

FdaSilvaYY authored Apr 07, 2016



Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)

1c72f70d

OCSP_request_add0_id() inconsistent error return · 415e7c48

Todd Short authored Jul 05, 2016



There are two failure cases for OCSP_request_add_id():
1. OCSP_ONEREQ_new() failure, where |cid| is not freed
2. sk_OCSP_ONEREQ_push() failure, where |cid| is freed

This changes makes the error behavior consistent, such that |cid| is
not freed when sk_OCSP_ONEREQ_push() fails. OpenSSL only takes
ownership of |cid| when the function succeeds.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1289)

415e7c48

19 Jul, 2016 30 commits

Sanity check in ssl_get_algorithm2(). · 52eede5a
Dr. Stephen Henson authored Jul 19, 2016
```
RT#4600

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
52eede5a
Send alert on CKE error. · fb933982
Dr. Stephen Henson authored Jul 19, 2016
```
RT#4610

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
fb933982

Resolve over command syntax error which causes 'make install' to fail · 2a5f907e

Coty Sutherland authored Jul 14, 2016



Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1312)

2a5f907e

Document the slight change in CRYPTO_mem_ctrl() · 0a522854
Richard Levitte authored Jul 19, 2016
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
0a522854
Document the slight change in ERR_get_next_error_library() · c1c26660
Richard Levitte authored Jul 19, 2016
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
c1c26660
make update · 963f043d
Richard Levitte authored Jul 19, 2016
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
963f043d

Change all our uses of CRYPTO_THREAD_run_once to use RUN_ONCE instead · c2e4e5d2

Richard Levitte authored Jul 19, 2016



That way, we have a way to check if the init function was successful
or not.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

c2e4e5d2

Define a few internal macros for easy use of run_once functions · 925d17f3

Richard Levitte authored Jul 19, 2016



Because pthread_once() takes a function taking no argument and
returning nothing, and we want to be able to check if they're
successful, we define a few internal macros to get around the issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

925d17f3

RT4593: Add space after comma (doc nits) · aebb9aac

Rich Salz authored Jul 19, 2016



Update find-doc-nits to find errors in SYNOPSIS (the most common
place where they were missing).

Reviewed-by: Matt Caswell <matt@openssl.org>

aebb9aac

Fix forgotten goto · d6accd50
Richard Levitte authored Jul 19, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
d6accd50

Fix building with no-cms · df0aa777

Matt Caswell authored Jul 18, 2016



The new fuzzing code broke no-cms

Reviewed-by: Richard Levitte <levitte@openssl.org>

df0aa777

Convert the last uses of sockaddr in apps/* to use BIO_ADDR instead · 642a166c
Richard Levitte authored Jul 19, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
642a166c

Fix two bugs in clienthello processing · 70c22888

Emilia Kasper authored Jul 04, 2016



- Always process ALPN (previously there was an early return in the
  certificate status handling)
- Don't send a duplicate alert. Previously, both
  ssl_check_clienthello_tlsext_late and its caller would send an
  alert. Consolidate alert sending code in the caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>

70c22888

SSL test framework: port NPN and ALPN tests · ce2cdac2
Emilia Kasper authored Jul 04, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
ce2cdac2

Cleanup after sk_push fail · 02f730b3

mrpre authored Jul 02, 2016



Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1281)

02f730b3

Update error codes following tls_process_key_exchange() refactor · 4fa88861
Matt Caswell authored Jul 08, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
4fa88861

Tidy up tls_process_key_exchange() · e1e588ac

Matt Caswell authored Jul 08, 2016



After the refactor of tls_process_key_exchange(), this commit tidies up
some loose ends.

Reviewed-by: Richard Levitte <levitte@openssl.org>

e1e588ac

Split out ECDHE from tls_process_key_exchange() · ff74aeb1

Matt Caswell authored Jul 08, 2016



Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the ECDHE aspects.

Reviewed-by: Richard Levitte <levitte@openssl.org>

ff74aeb1

Split out DHE from tls_process_key_exchange() · e01a610d

Matt Caswell authored Jul 08, 2016



Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the DHE aspects.

Reviewed-by: Richard Levitte <levitte@openssl.org>

e01a610d

Split out SRP from tls_process_key_exchange() · 25c6c10c

Matt Caswell authored Jul 08, 2016



Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the SRP aspects.

Reviewed-by: Richard Levitte <levitte@openssl.org>

25c6c10c

Split out the PSK preamble from tls_process_key_exchange() · 7dc1c647

Matt Caswell authored Jul 08, 2016



The tls_process_key_exchange() function is too long. This commit starts
the process of splitting it up by moving the PSK preamble code to a
separate function.

Reviewed-by: Richard Levitte <levitte@openssl.org>

7dc1c647

Move the PSK preamble for tls_process_key_exchange() · 02a74590

Matt Caswell authored Jul 08, 2016



The function tls_process_key_exchange() is too long. This commit moves
the PSK preamble processing out to a separate function.

Reviewed-by: Richard Levitte <levitte@openssl.org>

02a74590

Narrow scope of locals vars in tls_process_key_exchange() · be8dba2c

Matt Caswell authored Jul 08, 2016



Narrow the scope of the local vars in preparation for split up this
function.

Reviewed-by: Richard Levitte <levitte@openssl.org>

be8dba2c

Add more session tests · eaa776da

Matt Caswell authored Jun 13, 2016



Add some more tests for sessions following on from the previous commit
to ensure the callbacks are called when appropriate.

Reviewed-by: Richard Levitte <levitte@openssl.org>

eaa776da

Remove sessions from external cache, even if internal cache not used. · e4612d02

Matt Caswell authored Jun 13, 2016



If the SSL_SESS_CACHE_NO_INTERNAL_STORE cache mode is used then we weren't
removing sessions from the external cache, e.g. if an alert occurs the
session is supposed to be automatically removed.

Reviewed-by: Richard Levitte <levitte@openssl.org>

e4612d02

Have the Travis builds do a "make update" · 941b10bd
Richard Levitte authored Jul 19, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
941b10bd
make update · bbba0a7d
Richard Levitte authored Jul 19, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
bbba0a7d
Fixup a few SSLerr calls in ssl/statem/ · 340a2828
Richard Levitte authored Jul 19, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
340a2828
Fixup collision between SSL_F_TLS_PROCESS_SKE and SSL_F_TLS_PROCESS_CKE macros · 384a5d25
Richard Levitte authored Jul 19, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
384a5d25

Check and print out boolean type properly. · ad72d9fd

Dr. Stephen Henson authored Jul 18, 2016



If underlying type is boolean don't check field is NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>

ad72d9fd

18 Jul, 2016 6 commits

Refactor Identity Hint handling · e3ea3afd

Matt Caswell authored Jul 18, 2016

Don't call strncpy with strlen of the source as the length. Don't call
strlen multiple times. Eventually we will want to replace this with a proper
PACKET style handling (but for construction of PACKETs instead of just
reading them as it is now). For now though this is safe because
PSK_MAX_IDENTITY_LEN will always fit into the destination buffer.

This addresses an OCAP Audit issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>

e3ea3afd

Fix up error codes after splitting up tls_construct_key_exchange() · 05ec6a25
Matt Caswell authored Jul 08, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
05ec6a25
Some tidy ups after the CKE construction refactor · a7a75228
Matt Caswell authored Jul 08, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
a7a75228

Split out SRP CKE construction into a separate function · 840a2bf8

Matt Caswell authored Jul 08, 2016



Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the SRP
code.

Reviewed-by: Richard Levitte <levitte@openssl.org>

840a2bf8

Split out GOST CKE construction into a separate function · e00e0b3d

Matt Caswell authored Jul 08, 2016



Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the GOST
code.

Reviewed-by: Richard Levitte <levitte@openssl.org>

e00e0b3d

Split out DHE CKE construction into a separate function · 67ad5aab

Matt Caswell authored Jul 08, 2016



Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the ECDHE
code.

Reviewed-by: Richard Levitte <levitte@openssl.org>

67ad5aab