https://github.com/openssl/openssl

Revision Author Date Message Commit Date
3d2e575 Prepare for 1.0.1t release Reviewed-by: Rich Salz <rsalz@openssl.org> 03 May 2016, 13:49:52 UTC
289cc05 make update Reviewed-by: Rich Salz <rsalz@openssl.org> 03 May 2016, 13:49:52 UTC
0e6b8bf Update CHANGES and NEWS for the new release Reviewed-by: Richard Levitte <levitte@openssl.org> 03 May 2016, 12:20:26 UTC
f5da52e Fix ASN1_INTEGER handling. Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER tag: V_ASN1_NEG_INTEGER is an internal only value which is never used for on the wire encoding. Thanks to David Benjamin <davidben@google.com> for reporting this bug. This was found using libFuzzer. RT#4364 (part) CVE-2016-2108. Reviewed-by: Emilia Käsper <emilia@openssl.org> 03 May 2016, 12:06:36 UTC
4159f31 Check that we have enough padding characters. Reviewed-by: Emilia Käsper <emilia@openssl.org> CVE-2016-2107 MR: #2572 03 May 2016, 12:06:36 UTC
e903aaf Remove some documentation for functions not in 1.0.x A few functions in the recently added EVP_EncodeInit docs don't apply to the 1.0.x branches. Reviewed-by: Richard Levitte <levitte@openssl.org> 03 May 2016, 11:54:06 UTC
fec6d1e Add documentation for EVP_EncodeInit() and similar functions Reviewed-by: Richard Levitte <levitte@openssl.org> 03 May 2016, 10:54:00 UTC
5d20e98 Ensure EVP_EncodeUpdate handles an output length that is too long With the EVP_EncodeUpdate function it is the caller's responsibility to determine how big the output buffer should be. The function writes the amount actually used to |*outl|. However this could go negative with a sufficiently large value for |inl|. We add a check for this error condition. Reviewed-by: Richard Levitte <levitte@openssl.org> 03 May 2016, 10:52:53 UTC
5b81448 Avoid overflow in EVP_EncodeUpdate An overflow can occur in the EVP_EncodeUpdate function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption. Due to the very large amounts of data involved this will most likely result in a crash. Internally to OpenSSL the EVP_EncodeUpdate function is primarily used by the PEM_write_bio* family of functions. These are mainly used within the OpenSSL command line applications, so any application which processes data from an untrusted source and outputs it as a PEM file should be considered vulnerable to this issue. User applications that call these APIs directly with large amounts of untrusted data may also be vulnerable. Issue reported by Guido Vranken. CVE-2016-2105 Reviewed-by: Richard Levitte <levitte@openssl.org> 03 May 2016, 10:52:53 UTC
2919516 Prevent EBCDIC overread for very long strings ASN1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. This could result in arbitrary stack data being returned in the buffer. Issue reported by Guido Vranken. CVE-2016-2176 Reviewed-by: Andy Polyakov <appro@openssl.org> 03 May 2016, 09:28:00 UTC
56ea224 Fix encrypt overflow An overflow can occur in the EVP_EncryptUpdate function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate with a partial block then a length check can overflow resulting in a heap corruption. Following an analysis of all OpenSSL internal usage of the EVP_EncryptUpdate function all usage is one of two forms. The first form is like this: EVP_EncryptInit() EVP_EncryptUpdate() i.e. where the EVP_EncryptUpdate() call is known to be the first called function after an EVP_EncryptInit(), and therefore that specific call must be safe. The second form is where the length passed to EVP_EncryptUpdate() can be seen from the code to be some small value and therefore there is no possibility of an overflow. Since all instances are one of these two forms, I believe that there can be no overflows in internal code due to this problem. It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). Therefore I have checked all instances of these calls too, and came to the same conclusion, i.e. there are no instances in internal usage where an overflow could occur. This could still represent a security issue for end user code that calls this function directly. CVE-2016-2106 Issue reported by Guido Vranken. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 3f3582139fbb259a1c3cbb0a25236500a409bf26) 03 May 2016, 08:03:16 UTC
1d29506 Fix i2d_X509_AUX: pp can be NULL. Reported by David Benjamin Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 05aef4bbdbc18e7b9490512cdee41e8a608bcc0e) 02 May 2016, 21:50:19 UTC
66ce286 Don't free ret->data if malloc fails. Issue reported by Guido Vranken. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 64eaf6c928f4066d62aa86f805796ef05bd0b1cc) 29 April 2016, 20:43:12 UTC
1c81a59 Add checks to X509_NAME_oneline() Sanity check field lengths and sums to avoid potential overflows and reject excessively large X509_NAME structures. Issue reported by Guido Vranken. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 9b08619cb45e75541809b1154c90e1a00450e537) Conflicts: crypto/x509/x509.h crypto/x509/x509_err.c 29 April 2016, 18:55:56 UTC
0b34cf8 Sanity check buffer length. Reject zero length buffers passed to X509_NAME_oneline(). Issue reported by Guido Vranken. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit b33d1141b6dcce947708b984c5e9e91dad3d675d) 29 April 2016, 18:54:06 UTC
53d6c14 Add size limit to X509_NAME structure. This adds an explicit limit to the size of an X509_NAME structure. Some part of OpenSSL (e.g. TLS) already effectively limit the size due to restrictions on certificate size. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 295f3a24919157e2f9021d0b1709353710ad63db) 29 April 2016, 18:53:47 UTC
6dfa55a Reject inappropriate private key encryption ciphers. The traditional private key encryption algorithm doesn't function properly if the IV length of the cipher is zero. These ciphers (e.g. ECB mode) are not suitable for private key encryption anyway. Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit d78df5dfd650e6de159a19a033513481064644f5) 27 April 2016, 23:07:20 UTC
a04d08f Ensure we check i2d_X509 return val The i2d_X509() function can return a negative value on error. Therefore we should make sure we check it. Issue reported by Yuan Jochen Kang. Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 446ba8de9af9aa4fa3debc7c76a38f4efed47a62) 26 April 2016, 13:39:56 UTC
1ee4541 Fix a signed/unsigned warning This causes a compilation failure when using --strict-warnings in 1.0.2 and 1.0.1 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (cherry picked from commit 0ca67644ddedfd656d43a6639d89a6236ff64652) 25 April 2016, 18:47:18 UTC
184ebf0 Fix NULL deref in apps/pkcs7 Thanks to Brian Carpenter for finding and reporting this. Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 79356a83b78a2d936dcd022847465d9ebf6c67b1) 25 April 2016, 15:46:52 UTC
697283b Fix buffer overrun in ASN1_parse(). Backport of commits: 79c7f74d6cefd5d32fa20e69195ad3de834ce065 bdcd660e33710079b495cf5cc6a1aaa5d2dcd317 from master. Reviewed-by: Matt Caswell <matt@openssl.org> 23 April 2016, 04:46:32 UTC
3d41105 Harden ASN.1 BIO handling of large amounts of data. If the ASN.1 BIO is presented with a large length field read it in chunks of increasing size checking for EOF on each read. This prevents small files allocating excessive amounts of data. CVE-2016-2109 Thanks to Brian Carpenter for reporting this issue. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (cherry picked from commit c62981390d6cf9e3d612c489b8b77c2913b25807) 22 April 2016, 23:28:06 UTC
7a43389 Fix memory leak on invalid CertificateRequest. Free up parsed X509_NAME structure if the CertificateRequest message contains excess data. The security impact is considered insignificant. This is a client side only leak and a large number of connections to malicious servers would be needed to have a significant impact. This was found by libFuzzer. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org> (cherry picked from commit ec66c8c98881186abbb4a7ddd6617970f1ee27a7) 07 April 2016, 18:27:45 UTC
f4bed7c Fix FIPS SSLv2 test Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (cherry picked from commit 21211ade53f92629250bbea5e37d9179a31d3be2) 26 March 2016, 16:02:39 UTC
f160807 Fix the no-comp option for Windows no-comp on Windows was not actually suppressing compilation of the code, although it was suppressing its use. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit a6406c95984a1009f5676bbcf60cc0d6db107af4) 18 March 2016, 12:17:06 UTC
4275ee3 Add a check for a failed malloc Ensure we check for a NULL return from OPENSSL_malloc Issue reported by Guido Vranken. Reviewed-by: Richard Levitte <levitte@openssl.org> 18 March 2016, 11:59:11 UTC
d31b251 Ensure that memory allocated for the ticket is freed If a call to EVP_DecryptUpdate fails then a memory leak could occur. Ensure that the memory is freed appropriately. Issue reported by Guido Vranken. Reviewed-by: Richard Levitte <levitte@openssl.org> 18 March 2016, 11:59:11 UTC
4161523 Fix a potential double free in EVP_DigestInit_ex There is a potential double free in EVP_DigestInit_ex. This is believed to be reached only as a result of programmer error - but we should fix it anyway. Issue reported by Guido Vranken. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit ffe9150b1508a0ffc9e724f975691f24eb045c05) 18 March 2016, 11:44:47 UTC
6629966 Add no-ssl2-method Reviewed-by: Viktor Dukhovni <viktor@openssl.org> MR: #2341 (cherry picked from commit 4256957570a233ed4e9840353e95e623dfd62086) 14 March 2016, 20:17:18 UTC
03c71b8 expose SSLv2 method prototypes Reviewed-by: Kurt Roeckx <kurt@openssl.org> 09 March 2016, 08:13:06 UTC
5bac9d4 Retain SSLv2 methods as functions that return NULL This improves ABI compatibility when symbol resolution is not lazy. Reviewed-by: Richard Levitte <levitte@openssl.org> 08 March 2016, 14:08:28 UTC
a159719 bn/asm/x86[_64]-mont*.pl: complement alloca with page-walking. Some OSes, *cough*-dows, insist on stack being "wired" to physical memory in strictly sequential manner, i.e. if stack allocation spans two pages, then reference to farmost one can be punishable by SEGV. But page walking can do good even on other OSes, because it guarantees that villain thread hits the guard page before it can make damage to innocent one... Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit adc4f1fc25b2cac90076f1e1695b05b7aeeae501) Resolved conflicts: crypto/bn/asm/x86_64-mont.pl crypto/bn/asm/x86_64-mont5.pl Reviewed-by: Richard Levitte <levitte@openssl.org> 07 March 2016, 21:16:11 UTC
6e7a1f3 Remove LOW from the default Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (cherry picked from commit 29cce508972f61511318bf8cf7011fae027cddb2) 07 March 2016, 17:57:40 UTC
0199251 Don't shift serial number into sign bit Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 01c32b5e448f6d42a23ff16bdc6bb0605287fa6f) 07 March 2016, 15:19:58 UTC
298d823 Sanity check PVK file fields. PVK files with abnormally large length or salt fields can cause an integer overflow which can result in an OOB read and heap corruption. However this is a rarely used format and private key files do not normally come from untrusted sources; the security implications are not significant. Fix by limiting PVK length field to 100K and salt to 10K: these should be more than enough to cover any files encountered in practice. Issue reported by Guido Vranken. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 5f57abe2b150139b8b057313d52b1fe8f126c952) 04 March 2016, 01:26:13 UTC
7315877 Prepare for 1.0.1t-dev Reviewed-by: Richard Levitte <levitte@openssl.org> 01 March 2016, 13:42:02 UTC
57ac73f Prepare for 1.0.1s release Reviewed-by: Richard Levitte <levitte@openssl.org> 01 March 2016, 13:40:46 UTC
5d2b93a make update Reviewed-by: Richard Levitte <levitte@openssl.org> 01 March 2016, 13:40:45 UTC
f588db9 Ensure mk1mf.pl is aware of no-weak-ssl-ciphers option Update mk1mf.pl to properly handle no-weak-ssl-ciphers Reviewed-by: Richard Levitte <levitte@openssl.org> 01 March 2016, 12:42:12 UTC
8954b54 Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte <levitte@openssl.org> 01 March 2016, 11:51:00 UTC
c582e9d perlasm/x86_64-xlate.pl: handle inter-bank movd. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 902b30df193afc3417a96ba72a81ed390bd50de3) 01 March 2016, 11:27:40 UTC
7f98aa7 crypto/bn/x86_64-mont5.pl: constant-time gather procedure. [Backport from master] CVE-2016-0702 Reviewed-by: Richard Levitte <levitte@openssl.org> 01 March 2016, 11:27:40 UTC
d7a854c bn/bn_exp.c: constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF. Performance penalty varies from platform to platform, and even key length. For rsa2048 sign it was observed to reach almost 10%. CVE-2016-0702 Reviewed-by: Richard Levitte <levitte@openssl.org> 01 March 2016, 11:24:05 UTC
abd5d8f Disable EXPORT and LOW SSLv3+ ciphers by default Reviewed-by: Emilia Käsper <emilia@openssl.org> 01 March 2016, 11:24:02 UTC
a82cfd6 Bring SSL method documentation up to date Reviewed-by: Emilia Käsper <emilia@openssl.org> 01 March 2016, 11:24:02 UTC
56f1acf Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. Mitigation for CVE-2016-0800 Reviewed-by: Emilia Käsper <emilia@openssl.org> 01 March 2016, 11:23:45 UTC
8f65132 Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption In the BN_hex2bn function the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This leaves ret->d as NULL leading to a subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to ret->d, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. All OpenSSL internal usage of this function uses data that is not expected to be untrusted, e.g. config file data or application command line arguments. If user developed applications generate config file data based on untrusted data then it is possible that this could also lead to security consequences. This is also anticipated to be rare. Issue reported by Guido Vranken. CVE-2016-0797 Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit c175308407858afff3fc8c2e5e085d94d12edc7d) 29 February 2016, 16:40:02 UTC
f16bc6f Revert "Don't check RSA_FLAG_SIGN_VER." This reverts commit 23a58779f53a9060c823d00d76b3070cad61d9a3. This broke existing engines that didn't properly implement the sign and verify functions. Reviewed-by: Richard Levitte <levitte@openssl.org> MR: #2077 27 February 2016, 12:38:01 UTC
a801bf2 Fix memory issues in BIO_*printf functions The internal |fmtstr| function used in processing a "%s" format string in the BIO_*printf functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings. Additionally the internal |doapr_outch| function can attempt to write to an OOB memory location (at an offset from the NULL pointer) in the event of a memory allocation failure. In 1.0.2 and below this could be caused where the size of a buffer to be allocated is greater than INT_MAX. E.g. this could be in processing a very long "%s" format string. Memory leaks can also occur. These issues will only occur on certain platforms where sizeof(size_t) > sizeof(int). E.g. many 64 bit systems. The first issue may mask the second issue dependent on compiler behaviour. These problems could enable attacks where large amounts of untrusted data is passed to the BIO_*printf functions. If applications use these functions in this way then they could be vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could be vulnerable if the data is from untrusted sources. OpenSSL command line applications could also be vulnerable where they print out ASN.1 data, or if untrusted data is passed as command line arguments. Libssl is not considered directly vulnerable. Additionally certificates etc received via remote connections via libssl are also unlikely to be able to trigger these issues because of message size limits enforced within libssl. CVE-2016-0799 Issue reported by Guido Vranken. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 578b956fe741bf8e84055547b1e83c28dd902c73) 25 February 2016, 22:48:17 UTC
59a908f CVE-2016-0798: avoid memory leak in SRP The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. Specifically, SRP servers that configure a secret seed to hide valid login information are vulnerable to a memory leak: an attacker connecting with an invalid username can cause a memory leak of around 300 bytes per connection. Servers that do not configure SRP, or configure SRP but do not configure a seed are not vulnerable. In Apache, the seed directive is known as SSLSRPUnknownUserSeed. To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user is now disabled even if the user has configured a seed. Applications are advised to migrate to SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong guarantees about the indistinguishability of valid and invalid logins. In particular, computations are currently not carried out in constant time. Reviewed-by: Rich Salz <rsalz@openssl.org> 25 February 2016, 14:44:21 UTC
3ee48ad GH714: missing field initialisation Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org> (cherry picked from commit 04f2a0b50d219aafcef2fa718d91462b587aa23d) 23 February 2016, 18:21:48 UTC
ccb2a61 Fix double free in DSA private key parsing. Fix double free bug when parsing malformed DSA private keys. Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using libFuzzer. CVE-2016-0705 Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 6c88c71b4e4825c7bc0489306d062d017634eb88) 19 February 2016, 14:04:21 UTC
3629c49 modes/ctr128.c: pay attention to ecount_buf alignment in CRYPTO_ctr128_encrypt. It's never problem if CRYPTO_ctr128_encrypt is called from EVP, because buffer in question is always aligned within EVP_CIPHER_CTX structure. RT#4218 Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 5e4bbeb49fb6522d858703201b5adee9611e7b7b) 12 February 2016, 21:01:13 UTC
b0b9f69 util/mk1mf.pl: use LINK_CMD instead of LINK variable. Trouble is that LINK variable assignment in make-file interferes with LINK environment variable, which can be used to modify Microsoft's LINK.EXE behaviour. RT#4289 Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit d44bb1c31ca00f4359090daa15659c0dd1a08f0d) Resolved conflicts: util/pl/VC-32.pl (cherry picked from commit 0fffd522426c7fc022894c8dd079dc2625c04096) 11 February 2016, 20:30:19 UTC
9b6e183 ms/uplink-x86.pl: make it work. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 740b2b9a6cf31b02916a4d18f868e8a95934c083) 10 February 2016, 11:57:29 UTC
99a5c8a Fix CHANGES entry about DSA_generate_parameters_ex Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org> (cherry picked from commit 2b0c11a620c3a3431410c5d56799286f60f60d8d) 28 January 2016, 18:56:49 UTC
5d5de78 Correct number of arguments in BIO_get_conn_int_port macro Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 41a28cb2944a4e1c9d13889757a3bd9f72abeca1) 28 January 2016, 17:20:53 UTC
69ff244 Prepare for 1.0.1s-dev Reviewed-by: Richard Levitte <levitte@openssl.org> 28 January 2016, 17:06:38 UTC
09ccb58 Prepare for 1.0.1r release Reviewed-by: Richard Levitte <levitte@openssl.org> 28 January 2016, 17:06:38 UTC
6210c70 TARFILE wasn't correctly set This solves an earlier cherry-pick mistake. Reviewed-by: Matt Caswell <matt@openssl.org> 28 January 2016, 17:06:38 UTC
bea4cb2 Further updates to CHANGES and NEWS Reviewed-by: Richard Levitte <levitte@openssl.org> 28 January 2016, 17:06:38 UTC
5fed60f Update CHANGES and NEWS ready for release Update CHANGES and NEWS with details of the issues fixed in the forthcoming release. Reviewed-by: Rich Salz <rsalz@openssl.org> 28 January 2016, 17:06:38 UTC
4040a7f Better SSLv2 cipher-suite enforcement Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com> CVE-2015-3197 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> 28 January 2016, 17:06:38 UTC
8bc643e Always generate DH keys for ephemeral DH cipher suites Modified version of the commit ffaef3f15 in the master branch by Stephen Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always generates a new DH key for every handshake regardless. This is a follow on from CVE-2016-0701. This branch is not impacted by that CVE because it does not support X9.42 style parameters. It is still possible to generate parameters based on primes that are not "safe", although by default OpenSSL does not do this. The documentation does sign post that using such parameters is unsafe if the private DH key is reused. However to avoid accidental problems or future attacks this commit has been backported to this branch. Issue reported by Antonio Sanso Reviewed-by: Viktor Dukhovni <viktor@openssl.org> 28 January 2016, 10:27:55 UTC
126ac21 Fix BSD -rpath parameter For BSD systems, Configure adds a shared_ldflags including a reference to the Makefile variable LIBRPATH, but since it must be passed down to Makefile.shared, care must be taken so the value of LIBRPATH doesn't get expanded too early, or it ends up giving an empty string. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (cherry picked from commit c64879d3f3cc4c7f1c436a9fe3bd109847a23629) 19 January 2016, 19:59:31 UTC
5122374 Validate ClientHello session_id field length and send alert on failure RT#4080 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> 19 January 2016, 15:42:23 UTC
4c33d58 Update license year range to 2016 Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 02f70372470b4dd3b21443bb615292175f5d2c88) 19 January 2016, 15:24:52 UTC
e9a6c72 Empty SNI names are not valid Reviewed-by: Rich Salz <rsalz@openssl.org> 17 January 2016, 02:14:02 UTC
00cebd1 To avoid possible time_t overflow use X509_time_adj_ex() Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (cherry picked from commit 9aa00b187a65b1f30789d6274ec31ea86efe7973) Conflicts: apps/x509.c 14 January 2016, 03:04:31 UTC
f5fc940 Change minimum DH size from 768 to 1024 Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org> 10 January 2016, 23:13:54 UTC
ff9cef0 File is about s_time, not s_client Reviewed-by: Dr. Stephen Henson <steve@openssl.org> (cherry picked from commit 1918e01c9f915e2eba31a5e2f86f0a5daa4fafb6) 10 January 2016, 12:14:52 UTC
737d57d Fix X509_STORE_CTX_cleanup() Reviewed-by: Dr. Stephen Henson <steve@openssl.org> 05 January 2016, 02:50:01 UTC
b5dbbeb RT4202: Update rt URL's. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 41977c53cd04f52b2b5e56d31ace782577620ac3) 28 December 2015, 21:41:28 UTC
968bcce Add some documentation for the OCSP callback functions Describe the usage of the OCSP callback functions on both the client and the server side. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (cherry picked from commit c52c3b5e11253afabaa62739a8ee1c4c4bddcd53) 27 December 2015, 22:05:36 UTC
604f67f Ensure we don't call the OCSP callback if resuming a session It makes no sense to call the OCSP status callback if we are resuming a session because no certificates will be sent. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (cherry picked from commit 0ac6239955965f58f9dddb4229e8cd58e0dba20d) 27 December 2015, 22:05:36 UTC
a7316aa Fix error when server does not send CertificateStatus message If a server sends the status_request extension then it may choose to send the CertificateStatus message. However this is optional. We were treating it as mandatory and the connection was failing. Thanks to BoringSSL for reporting this issue. RT#4120 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (cherry picked from commit 905943af3b43116b64ae815db1a6b9c2f15e0356) 27 December 2015, 22:05:36 UTC
1967199 Fix memory leak in DSA redo case. Found by clang scan-build. Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Richard Levitte <levitte@openssl.org> RT: #4184, MR: #1496 (cherry picked from commit 679d87515d23ca31491effdc264edc81c695a72a) 22 December 2015, 10:54:42 UTC
23a5877 Don't check RSA_FLAG_SIGN_VER. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 6656ba7152dfe4bba865e327dd362ea08544aa80) 20 December 2015, 19:28:23 UTC
f9b52eb BIO_s_datagram() ctrl doesn't support SEEK/TELL, so don't pretend it does Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 17592f323ac7dad381cc3b512573c291b1a820c0) 19 December 2015, 21:10:32 UTC
0748211 Correct or add comments indicating what controls belong to what Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 6d97060ee00518efc99c5d89a78529dc111780fb) 19 December 2015, 21:10:32 UTC
0dae963 Document how BIO_get_conn_ip and BIO_get_conn_int_port actually work No dummy arguments. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 7eb51251252ea0b269227d267512b98495f51bc4) 19 December 2015, 21:10:32 UTC
f08360a Have BIO_get_conn_int_port use BIO_ctrl instead BIO_int_ctrl BIO_int_ctrl isn't made for the purpose BIO_get_conn_int_port used it for. This also changes BIO_C_GET_CONNECT to actually return the port instead of assigning it to a pointer that was never returned back to the caller. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 2a60fccdd9b696e01fddaa268e92ea210beb0e8f) 19 December 2015, 21:10:32 UTC
583f4bf Fix more URLs mangled by reformat Fix some more URLs mangled by indent in the reformat. These ones don't exist in master so we have a separate commit. Based on a patch supplied by Arnaud Lacombe <al@aerilon.ca> Reviewed-by: Richard Levitte <levitte@openssl.org> 19 December 2015, 20:40:39 UTC
ff2c19e Fix URLs mangled by reformat Some URLs in the source code ended up getting mangled by indent. This fixes it. Based on a patch supplied by Arnaud Lacombe <al@aerilon.ca> Reviewed-by: Richard Levitte <levitte@openssl.org> 19 December 2015, 20:40:39 UTC
e961c7a Remove the "eay" c-file-style indicators Since we don't use the eay style any more, there's no point trying to tell emacs to use it. Reviewed-by: Ben Laurie <ben@openssl.org> 18 December 2015, 12:13:31 UTC
d7f7144 Provide better "make depend" warning. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 2e31ef0366d368ac8cf7f5ecc9052bff27337799) 16 December 2015, 22:47:22 UTC
d6af325 Fix a ** 0 mod 1 = 0 for real this time. Commit 2b0180c37fa6ffc48ee40caa831ca398b828e680 attempted to do this but only hit one of many BN_mod_exp codepaths. Fix remaining variants and add a test for each method. Thanks to Hanno Boeck for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Dr. Stephen Henson <steve@openssl.org> (cherry picked from commit d911097d7c93e4cfeab624b34d73fe51da158b69) (cherry picked from commit 44e4f5b04b43054571e278381662cebd3f3555e6) 14 December 2015, 17:27:04 UTC
36be5f7 Fix tarball production to keep test/bctest and util/pod2mantest Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 474a53b3a36568d19d7b918ee879efd2707e7c67) 14 December 2015, 10:24:24 UTC
f612bdb Ensure |rwstate| is set correctly on BIO_flush A BIO_flush call in the DTLS code was not correctly setting the |rwstate| variable to SSL_WRITING. This means that SSL_get_error() will not return SSL_ERROR_WANT_WRITE in the event of an IO retry. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 67f60be8c9ae5ff3129fcd6238baf124385a41d8) 10 December 2015, 12:50:56 UTC
4a53424 Fix DTLS handshake fragment retries If using DTLS and NBIO then if a second or subsequent handshake message fragment hits a retry, then the retry attempt uses the wrong fragment offset value. This commit restores the fragment offset from the last attempt. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 2ad226e88bee97847496e542d63c67997d5beda6) 10 December 2015, 12:50:55 UTC
d724616 Don't use applink for static builds. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 10119938215298ad414468e7c2779d7fd1a0b979) 09 December 2015, 00:30:27 UTC
d27f073 Refer to website for acknowledgements. Reviewed-by: Steve Marquess <marquess@openssl.com> (cherry picked from commit ab29c82a55f3583a490733dd521ea6c486e8e2fb) 08 December 2015, 21:08:20 UTC
a19244a Not all 'find's know -xtype, use -type instead Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 3cd7aef34d0d414d27ab00abadb99265a2cffde9) 08 December 2015, 20:06:34 UTC
cf269a1 Adapt the OS X build to use the OS X tar As part of this, move release creation to a script to be called from .travis.yml. That makes it much easier to test outside of travis. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 382af61f6213e975b4c2a50fd8b9fedd23d86ab5) 08 December 2015, 20:06:34 UTC
4305622 Make it possible to affect the way dists are made Introducing DISTTARVARS to propagate changed variables down to the tar-making target. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 4d3c30a1799bf7b4dc7223b84417c4de992a6b9c) 08 December 2015, 20:06:33 UTC
66a1ccf Cleanup the EVP_MD_CTX before exit rather than after Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit c44844d928ad3c471c8dbe8baf2df8957900125b) 08 December 2015, 11:07:22 UTC
777adea Change tar owner and group to just 0 It seems like some tar versions don't like the name:id form for --owner and --group. The closest known anonymous user being 0 (root), that seems to be the most appropriate user/group to assign ownership to. It matters very little when unpacking either way. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit b91dd150d2b9b5ddca37722e7f52ea59ba7f80da) 07 December 2015, 19:11:05 UTC
6413654 Do not add symlinks in the source release Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 451a5bdf0386d7acf091c3e3b39107e5ed8be25d) 07 December 2015, 15:25:18 UTC
1e8a872 In travis, build from a "source release" rather than from the build tree Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 475fc3d8729190fd12b4ff23d6ec488439fb78f9) 07 December 2015, 15:25:13 UTC
3b92a6f Small changes to creating dists Make TARFILE include ../ instead of having that hard coded all over the place. When transforming file names in TAR_COMMAND, use $(NAME) instead of openssl-$(VERSION) Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 4a544810f08539f1549eea9be36bd878c67c8e26) 07 December 2015, 15:24:23 UTC