Commit graph

11580 commits

Author SHA1 Message Date
Andy Polyakov
80e1750976 modes/cts128.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:26:32 +00:00
Andy Polyakov
11552ddc13 crypto/mem_dbg.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:26:26 +00:00
Matt Caswell
4ce632fb45 More indent fixes for STACK_OF
Conflicts:
	ssl/s3_lib.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:26:15 +00:00
Matt Caswell
7b1ac23412 Fix indent issue with functions using STACK_OF
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:26:10 +00:00
Matt Caswell
bdc21a1571 Fix indent issue with engine.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:26:04 +00:00
Matt Caswell
39108d595e Fix logic to check for indent.pro
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:25:58 +00:00
Andy Polyakov
d565023ae8 crypto/cryptlib.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:25:52 +00:00
Andy Polyakov
96a66a973b bn/bntest.c: make it indent-friendly.
Conflicts:
	crypto/bn/bntest.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:25:45 +00:00
Andy Polyakov
20c554ce8f bn/bn_recp.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:25:39 +00:00
Andy Polyakov
d72781b4c9 engines/e_ubsec.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:25:33 +00:00
Andy Polyakov
ff397a8ff0 apps/speed.c: make it indent-friendly.
Conflicts:
	apps/speed.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:25:25 +00:00
Andy Polyakov
abef2b4c53 bn/rsaz_exp.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:25:19 +00:00
Matt Caswell
d2f8517ad0 Fix make errors
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:25:13 +00:00
Richard Levitte
27df27d4b9 Make the script a little more location agnostic
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:25:06 +00:00
Matt Caswell
4a81e0f0d6 Provide script for filtering data initialisers for structs/unions. indent just can't handle it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:24:59 +00:00
Dr. Stephen Henson
24e6a032bf Script fixes.
Don't use double newline for headers.
Don't interpret ASN1_PCTX as start of an ASN.1 module.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:24:44 +00:00
Richard Levitte
9d63b5e375 Run expand before perl, to make sure things are properly aligned
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:24:38 +00:00
Richard Levitte
a45030fc9b Force the use of our indent profile
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:24:32 +00:00
Tim Hudson
45b575a031 Provide source reformating script. Requires GNU indent to be
available.

Script written by Tim Hudson, with amendments by Steve Henson, Rich Salz and
Matt Caswell

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-22 09:24:12 +00:00
Matt Caswell
bc2d623c0e Fix source where indent will not be able to cope
Conflicts:
	apps/ciphers.c
	ssl/s3_pkt.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:24:04 +00:00
Matt Caswell
c695ebe2a0 Additional comment changes for reformat of 1.0.2
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:23:58 +00:00
Matt Caswell
e19d4a99b8 Further comment amendments to preserve formatting prior to source reformat
(cherry picked from commit 4a7fa26ffd65bf36beb8d1cb8f29fc0ae203f5c5)

Conflicts:
	crypto/x509v3/pcy_tree.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:23:50 +00:00
Tim Hudson
6977c7e2ba mark all block comments that need format preserving so that
indent will not alter them when reformatting comments

(cherry picked from commit 1d97c84351)

Conflicts:
	crypto/bn/bn_lcl.h
	crypto/bn/bn_prime.c
	crypto/engine/eng_all.c
	crypto/rc4/rc4_utl.c
	crypto/sha/sha.h
	ssl/kssl.c
	ssl/t1_lib.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:23:04 +00:00
Richard Levitte
43257b9f51 Define CFLAGS as cflags on VMS as well
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-14 00:14:20 +01:00
Andy Polyakov
10771e3421 Add Broadwell performance results.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b3d7294976)
2015-01-13 21:42:13 +01:00
Matt Caswell
36f694e09a Make output from openssl version -f consistent with previous versions
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 2d2671790e)
2015-01-13 11:28:54 +00:00
Matt Caswell
635ca4446f Fix warning where BIO_FLAGS_UPLINK was being redefined.
This warning breaks the build in 1.0.0 and 0.9.8

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b1ffc6ca1c)
2015-01-13 11:24:52 +00:00
Matt Caswell
bd00b8dc65 Avoid deprecation problems in Visual Studio 13
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 86d21d0b95)
2015-01-13 09:47:09 +00:00
Rich Salz
2194b36979 Allow multiple IDN xn-- indicators
Update the X509v3 name parsing to allow multiple xn-- international
domain name indicators in a name.  Previously, only allowed one at
the beginning of a name, which was wrong.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 31d1d3741f)
2015-01-12 12:40:29 -05:00
Kurt Roeckx
e81a83657c Make build reproducible
It contained a date on when it was build.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-01-10 16:31:27 +01:00
Matt Caswell
cbbb952f3a Further windows specific .gitignore entries
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 41c9cfbc4e)
2015-01-09 23:40:41 +00:00
Matt Caswell
04f670cf3d Update .gitignore with windows files to be excluded from git
Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	.gitignore
2015-01-09 11:30:07 +00:00
Matt Caswell
5cee72382c Fix build failure on Windows due to undefined cflags identifier
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5c5e7e1a7e)
2015-01-08 19:24:09 +00:00
Matt Caswell
7c6a3cf237 A memory leak can occur in dtls1_buffer_record if either of the calls to
ssl3_setup_buffers or pqueue_insert fail. The former will fail if there is a
malloc failure, whilst the latter will fail if attempting to add a duplicate
record to the queue. This should never happen because duplicate records should
be detected and dropped before any attempt to add them to the queue.
Unfortunately records that arrive that are for the next epoch are not being
recorded correctly, and therefore replays are not being detected.
Additionally, these "should not happen" failures that can occur in
dtls1_buffer_record are not being treated as fatal and therefore an attacker
could exploit this by sending repeated replay records for the next epoch,
eventually causing a DoS through memory exhaustion.

Thanks to Chris Mueller for reporting this issue and providing initial
analysis and a patch. Further analysis and the final patch was performed by
Matt Caswell from the OpenSSL development team.

CVE-2015-0206

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 652ff0f4796eecd8729b4690f2076d1c7ccb2862)
2015-01-08 15:46:42 +00:00
Dr. Stephen Henson
be3fb8d15d Unauthenticated DH client certificate fix.
Fix to prevent use of DH client certificates without sending
certificate verify message.

If we've used a client certificate to generate the premaster secret
ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
never called.

We can only skip the certificate verify message in
ssl3_get_cert_verify if the client didn't send a certificate.

Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2015-0205
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-08 15:46:42 +00:00
Matt Caswell
fb73f12a9c Follow on from CVE-2014-3571. This fixes the code that was the original source
of the crash due to p being NULL. Steve's fix prevents this situation from
occuring - however this is by no means obvious by looking at the code for
dtls1_get_record. This fix just makes things look a bit more sane.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-01-08 15:46:19 +00:00
Dr. Stephen Henson
25d738c3a4 Fix crash in dtls1_get_record whilst in the listen state where you get two
separate reads performed - one for the header and one for the body of the
handshake record.

CVE-2014-3571

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-08 11:20:29 +00:00
Andy Polyakov
49446ea62f Fix for CVE-2014-3570 (with minor bn_asm.c revamp).
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 56df92efb6893abe323307939425957ce878c8f0)
2015-01-08 11:20:29 +00:00
Dr. Stephen Henson
f33ab61b5f fix error discrepancy
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4a4d415857)
2015-01-07 18:10:38 +00:00
Andy Polyakov
2d63d0c84a Fix irix-cc build.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e464403d0b)
2015-01-07 18:41:17 +01:00
Richard Levitte
cfb5d6c10a VMS fixups for 1.0.2
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-01-07 02:15:35 +01:00
Dr. Stephen Henson
a936ba1148 use correct credit in CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4138e38825)
2015-01-06 22:41:27 +00:00
Emilia Kasper
ed736ddd74 Only inherit the session ID context in SSL_set_SSL_CTX if the existing
context was also inherited (matches that of the existing SSL_CTX).

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ac8e9cbe14)
2015-01-06 23:10:03 +01:00
Dr. Stephen Henson
c7c2a56a1b use correct function name
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit cb62ab4b17)
2015-01-06 21:04:38 +00:00
Dr. Stephen Henson
129344a8fb RT3662: Allow leading . in nameConstraints
Change by SteveH from original by John Denker (in the RT)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 77ff1f3b8b)
2015-01-06 15:33:41 -05:00
Martin Brejcha
be6e766953 Fix memory leak.
Fix memory leak by freeing up saved_message.data if it is not NULL.

PR#3489
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 41cd41c441)
2015-01-06 16:49:36 +00:00
Matt Caswell
8dc461eccf Remove blank line from start of cflags character array in buildinf.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b691154e18)
2015-01-06 15:35:15 +00:00
Dr. Stephen Henson
4b4c1fcc88 Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-06 12:45:10 +00:00
Andy Polyakov
1cfd7cf3cc CHANGES: mention "universal" ARM support.
This is re-commit without unrelated modification.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0548505f4c)
2015-01-06 12:15:40 +01:00
Andy Polyakov
2996157127 Revert "CHANGES: mention "universal" ARM support."
This reverts commit caeed719fe.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-06 12:12:15 +01:00