Andy Polyakov
134d38bcde
modes/cts128.c: make it indent-friendly.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:57 +00:00
Andy Polyakov
74d3242514
crypto/mem_dbg.c: make it indent-friendly.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:52 +00:00
Matt Caswell
6020ffc766
More indent fixes for STACK_OF
...
Conflicts:
ssl/s3_lib.c
Conflicts:
apps/cms.c
crypto/x509/x509_lu.c
crypto/x509/x509_vfy.h
ssl/s3_lib.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:43 +00:00
Matt Caswell
7cba857c9a
Fix indent issue with functions using STACK_OF
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:37 +00:00
Matt Caswell
08220fec49
Fix indent issue with engine.h
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:32 +00:00
Matt Caswell
bfe4de7257
Fix logic to check for indent.pro
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:26 +00:00
Andy Polyakov
7a9f1f174c
crypto/cryptlib.c: make it indent-friendly.
...
Conflicts:
crypto/cryptlib.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:21 +00:00
Andy Polyakov
033a5fcfe8
bn/bntest.c: make it indent-friendly.
...
Conflicts:
crypto/bn/bntest.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:16 +00:00
Andy Polyakov
4f6930f5d3
bn/bn_recp.c: make it indent-friendly.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:10 +00:00
Andy Polyakov
bc18f2f140
engines/e_ubsec.c: make it indent-friendly.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:43:05 +00:00
Andy Polyakov
1a9c746696
apps/speed.c: make it indent-friendly.
...
Conflicts:
apps/speed.c
Conflicts:
apps/speed.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:42:56 +00:00
Matt Caswell
92fd726fb4
Fix make errors
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:42:50 +00:00
Richard Levitte
46d8227210
Make the script a little more location agnostic
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:42:45 +00:00
Matt Caswell
5d3dc701b9
Provide script for filtering data initialisers for structs/unions. indent just can't handle it.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:42:39 +00:00
Dr. Stephen Henson
25c438987b
Script fixes.
...
Don't use double newline for headers.
Don't interpret ASN1_PCTX as start of an ASN.1 module.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:42:34 +00:00
Richard Levitte
016b92d112
Run expand before perl, to make sure things are properly aligned
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:42:29 +00:00
Richard Levitte
dd6da173fd
Force the use of our indent profile
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:42:21 +00:00
Tim Hudson
6ff1bf382e
Provide source reformating script. Requires GNU indent to be
...
available.
Script written by Tim Hudson, with amendments by Steve Henson, Rich Salz and
Matt Caswell
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-22 09:41:55 +00:00
Matt Caswell
65f1d188c5
Fix source where indent will not be able to cope
...
Conflicts:
apps/ciphers.c
ssl/s3_pkt.c
Conflicts:
crypto/ec/ec_curve.c
Conflicts:
crypto/ec/ec_curve.c
ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl_sess.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:41:47 +00:00
Matt Caswell
a25d0527b7
Additional comment changes for reformat of 1.0.0
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:41:42 +00:00
Matt Caswell
89f6c5b492
Further comment amendments to preserve formatting prior to source reformat
...
(cherry picked from commit 4a7fa26ffd65bf36beb8d1cb8f29fc0ae203f5c5)
Conflicts:
crypto/x509v3/pcy_tree.c
Conflicts:
apps/apps.c
ssl/ssltest.c
Conflicts:
apps/apps.c
crypto/ec/ec2_oct.c
crypto/ec/ecp_nistp224.c
crypto/ec/ecp_nistp256.c
crypto/ec/ecp_nistp521.c
ssl/s3_cbc.c
ssl/ssl_sess.c
ssl/t1_lib.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:41:33 +00:00
Tim Hudson
f326f6544d
mark all block comments that need format preserving so that
...
indent will not alter them when reformatting comments
(cherry picked from commit 1d97c84351
)
Conflicts:
crypto/bn/bn_lcl.h
crypto/bn/bn_prime.c
crypto/engine/eng_all.c
crypto/rc4/rc4_utl.c
crypto/sha/sha.h
ssl/kssl.c
ssl/t1_lib.c
Conflicts:
crypto/rc4/rc4_enc.c
crypto/x509v3/v3_scts.c
crypto/x509v3/v3nametest.c
ssl/d1_both.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl_locl.h
ssl/ssltest.c
ssl/t1_lib.c
Conflicts:
crypto/asn1/a_sign.c
crypto/bn/bn_div.c
crypto/dsa/dsa_asn1.c
crypto/ec/ecp_nistp224.c
crypto/ec/ecp_nistp256.c
crypto/ec/ecp_nistp521.c
crypto/ec/ecp_nistputil.c
crypto/modes/gcm128.c
crypto/opensslv.h
ssl/d1_both.c
ssl/heartbeat_test.c
ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl_sess.c
ssl/t1_lib.c
test/testutil.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:41:18 +00:00
Matt Caswell
569c68744a
Prepare for 1.0.0r-dev
...
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 15:01:09 +00:00
Matt Caswell
cdac2e8928
Prepare for 1.0.0q release
...
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 14:56:27 +00:00
Matt Caswell
01fb34ad43
make update
...
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 14:56:27 +00:00
Matt Caswell
08fac3fb6f
Updates to CHANGES and NEWS
...
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-01-15 13:18:57 +00:00
Richard Levitte
0c8dc6ebe5
Fixup installation script for VMS
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-14 19:17:17 +01:00
Richard Levitte
f4f1e80801
VMS fixups for 1.0.0
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-14 00:18:23 +01:00
Matt Caswell
36f309c50a
Make output from openssl version -f consistent with previous versions
...
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 2d2671790e
)
2015-01-13 11:29:21 +00:00
Matt Caswell
94e5cf36bd
Fix warning where BIO_FLAGS_UPLINK was being redefined.
...
This warning breaks the build in 1.0.0 and 0.9.8
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b1ffc6ca1c
)
2015-01-13 11:25:55 +00:00
Matt Caswell
23df532ec4
Avoid deprecation problems in Visual Studio 13
...
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 86d21d0b95
)
2015-01-13 09:48:38 +00:00
Matt Caswell
b960060a0d
Further windows specific .gitignore entries
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 41c9cfbc4e
)
2015-01-09 23:41:07 +00:00
Matt Caswell
e9cb6eb1d3
Update .gitignore with windows files to be excluded from git
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
.gitignore
(cherry picked from commit 04f670cf3d
)
2015-01-09 11:30:50 +00:00
Matt Caswell
181ae2badb
Fix build failure on Windows due to undefined cflags identifier
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5c5e7e1a7e
)
2015-01-08 19:28:43 +00:00
Matt Caswell
a98051fb47
Prepare for 1.0.0q-dev
...
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:23:38 +00:00
Matt Caswell
225628f280
Prepare for 1.0.0p release
...
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:21:42 +00:00
Matt Caswell
ca39b261bf
make update
...
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:21:42 +00:00
Matt Caswell
c1beec0e6d
CHANGES and NEWS updates for release
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Steve Henson <steve@openssl.org>
2015-01-08 14:14:56 +00:00
Matt Caswell
b095884a58
A memory leak can occur in dtls1_buffer_record if either of the calls to
...
ssl3_setup_buffers or pqueue_insert fail. The former will fail if there is a
malloc failure, whilst the latter will fail if attempting to add a duplicate
record to the queue. This should never happen because duplicate records should
be detected and dropped before any attempt to add them to the queue.
Unfortunately records that arrive that are for the next epoch are not being
recorded correctly, and therefore replays are not being detected.
Additionally, these "should not happen" failures that can occur in
dtls1_buffer_record are not being treated as fatal and therefore an attacker
could exploit this by sending repeated replay records for the next epoch,
eventually causing a DoS through memory exhaustion.
Thanks to Chris Mueller for reporting this issue and providing initial
analysis and a patch. Further analysis and the final patch was performed by
Matt Caswell from the OpenSSL development team.
CVE-2015-0206
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 652ff0f4796eecd8729b4690f2076d1c7ccb2862)
2015-01-08 14:14:56 +00:00
Dr. Stephen Henson
f7fe3d235a
Unauthenticated DH client certificate fix.
...
Fix to prevent use of DH client certificates without sending
certificate verify message.
If we've used a client certificate to generate the premaster secret
ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
never called.
We can only skip the certificate verify message in
ssl3_get_cert_verify if the client didn't send a certificate.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2015-0205
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-08 14:14:56 +00:00
Matt Caswell
b2688c9161
Follow on from CVE-2014-3571. This fixes the code that was the original source
...
of the crash due to p being NULL. Steve's fix prevents this situation from
occuring - however this is by no means obvious by looking at the code for
dtls1_get_record. This fix just makes things look a bit more sane.
Conflicts:
ssl/d1_pkt.c
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-01-08 14:14:29 +00:00
Dr. Stephen Henson
bf6fa208b5
Fix crash in dtls1_get_record whilst in the listen state where you get two
...
separate reads performed - one for the header and one for the body of the
handshake record.
CVE-2014-3571
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-08 11:25:45 +00:00
Andy Polyakov
eb37b6aa41
Fix for CVE-2014-3570.
...
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2015-01-08 11:25:45 +00:00
Dr. Stephen Henson
f66f76a24a
fix error discrepancy
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4a4d415857
)
2015-01-07 18:11:07 +00:00
Dr. Stephen Henson
65c63da207
use correct credit in CHANGES
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4138e38825
)
2015-01-06 22:41:45 +00:00
Dr. Stephen Henson
9f028e4a78
use correct function name
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit cb62ab4b17
)
2015-01-06 21:05:07 +00:00
Matt Caswell
64eec8f898
Remove blank line from start of cflags character array in buildinf.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b691154e18
)
2015-01-06 15:39:32 +00:00
Dr. Stephen Henson
08a88774bd
Only allow ephemeral RSA keys in export ciphersuites.
...
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.
Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 4b4c1fcc88
)
Conflicts:
CHANGES
doc/ssl/SSL_CTX_set_options.pod
2015-01-06 13:18:46 +00:00
Dr. Stephen Henson
802a070bb6
ECDH downgrade bug fix.
...
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b15f876964
)
Conflicts:
CHANGES
2015-01-05 23:52:28 +00:00
Dr. Stephen Henson
31c65a7bc0
update ordinals
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-01-05 16:50:31 +00:00