Commits · 049615e35d6706ef381589ade2b7ebf742e7bf24 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

05 Jun, 2014 9 commits

Prepare for 1.0.1i-dev · 049615e3
Dr. Stephen Henson authored Jun 05, 2014

049615e3
Prepare for 1.0.1h release · 6b72417a
Dr. Stephen Henson authored Jun 05, 2014

OpenSSL_1_0_1h

6b72417a
Update CHANGES and NEWS · aabbe99f
Dr. Stephen Henson authored Jun 05, 2014

aabbe99f
Fix CVE-2014-3470 · 8011cd56
Dr. Stephen Henson authored May 29, 2014
```
Check session_cert is not NULL before dereferencing it.
```
8011cd56

Fix CVE-2014-0221 · d3152655

Dr. Stephen Henson authored May 16, 2014

Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.

d3152655

Additional CVE-2014-0224 protection. · 006cd708
Dr. Stephen Henson authored May 16, 2014
```
Return a fatal error if an attempt is made to use a zero length
master secret.
```
006cd708

Fix for CVE-2014-0224 · bc8923b1

Dr. Stephen Henson authored May 16, 2014

Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.

bc8923b1

Fix for CVE-2014-0195 · 1632ef74

Dr. Stephen Henson authored May 13, 2014

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.

1632ef74

make update · f1f4fbde
Dr. Stephen Henson authored Jun 05, 2014

f1f4fbde

03 Jun, 2014 1 commit
- Corrected OPENSSL_NO_EC_NISTP_64_GCC_128 usage in ec_lcl.h. PR#3370 · 1854c480
  Libor Krystek authored Jun 03, 2014
  
  1854c480
02 Jun, 2014 3 commits
- Check there is enough room for extension. · ebda73f8
  David Benjamin authored Jun 02, 2014
```
(cherry picked from commit 7d89b3bf42e4b4067371ab33ef7631434e41d1e4)
```
  ebda73f8
- Free up s->d1->buffered_app_data.q properly. · bcc31166
  zhu qun-ying authored Jun 02, 2014
```
PR#3286
(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)
```
  bcc31166
- Typo: set i to -1 before goto. · 1dd26414
  Sami Farin authored Jun 02, 2014
```
PR#3302
(cherry picked from commit 9717f01951f976f76dd40a38d9fc7307057fa4c4)
```
  1dd26414
01 Jun, 2014 7 commits
- Added SSLErr call for internal error in dtls1_buffer_record · 056389eb
  Matt Caswell authored Jun 01, 2014
  
  056389eb
- Delays the queue insertion until after the ssl3_setup_buffers() call due to... · a07856a0
  David Ramos authored Jun 01, 2014
```
Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#3362
```
  a07856a0
- Recognise padding extension. · 19ce768c
  Dr. Stephen Henson authored Jun 01, 2014
```
(cherry picked from commit ea2bb861f0daaa20819bf9ac8c146f7593feacd4)

Conflicts:

	apps/s_cb.c
(cherry picked from commit 14dc83ca779e91a267701a1fb05b2bbcf2cb63c4)
```
  19ce768c
- Option to disable padding extension. · aaed77c5
  Dr. Stephen Henson authored Jun 01, 2014
```
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.

This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.

PR#3336
```
  aaed77c5
- Set default global mask to UTF8 only. · 49270d04
  Dr. Stephen Henson authored Jun 01, 2014
```
(cherry picked from commit 3009244d)
```
  49270d04
- Allocate extra space when NETSCAPE_HANG_BUG defined. · 673c42b2
  David Ramos authored Jun 01, 2014
```
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.

PR#3361
```
  673c42b2
- Initialise alg. · 5541b18b
  David Ramos authored Jun 01, 2014
```
PR#3313
(cherry picked from commit 7e2c6f7e)
```
  5541b18b
31 May, 2014 2 commits
- Use correct digest when exporting keying material. · 28e117f4
  Dr. Stephen Henson authored May 30, 2014
```
PR#3319
(cherry picked from commit 84691390eae86befd33c83721dacedb539ae34e6)
```
  28e117f4
- Don't compile heartbeat test code on Windows (for now). · 46bfc054
  Dr. Stephen Henson authored May 30, 2014
```
(cherry picked from commit 2c575907d2c8601a18716f718ce309ed4e1f1783)
```
  46bfc054
30 May, 2014 2 commits

add description of -attime to man page · 427a37ca

Hubert Kario authored Sep 12, 2013

the verify app man page didn't describe the usage of attime option
even though it was listed as a valid option in the -help message.

This patch fixes this omission.

427a37ca

add description of -no_ecdhe option to s_server man page · 39ae3b33

Hubert Kario authored Sep 10, 2013

While the -help message references this option, the man page
doesn't mention the -no_ecdhe option.
This patch fixes this omission.

39ae3b33

29 May, 2014 3 commits
- Set version number correctly. · 48f5b3ef
  Dr. Stephen Henson authored May 29, 2014
```
PR#3249
(cherry picked from commit 8909bf20269035d295743fca559207ef2eb84eb3)
```
  48f5b3ef
- Fix memory leak. · f8dc0006
  František Bořánek authored May 29, 2014
```
PR#3278
(cherry picked from commit de56fe797081fc09ebd1add06d6e2df42a324fd5)
```
  f8dc0006
- remove duplicate 0x for default RSASSA-PSS salt len · bf8d6f9a
  Martin Kaiser authored May 28, 2014
```
(cherry picked from commit 3820fec3a09faecba7fe9912aa20ef7fcda8337b)
```
  bf8d6f9a
27 May, 2014 1 commit
- Fix for test_bn regular expression to work on Windows using MSYS. PR#3346 · 17e844a4
  Peter Mosmans authored May 27, 2014
  
  17e844a4
26 May, 2014 1 commit
- Fixed Windows compilation failure · 8ca7d124
  Matt Caswell authored May 27, 2014
  
  8ca7d124
25 May, 2014 1 commit
- Fixed error in args for SSL_set_msg_callback and SSL_set_msg_callback_arg · 67b9c82e
  Matt Caswell authored May 25, 2014
  
  67b9c82e
24 May, 2014 1 commit
- Fix for non compilation with TLS_DEBUG defined · a6f5b991
  Matt Caswell authored May 24, 2014
  
  a6f5b991
22 May, 2014 1 commit
- Fix heartbeat_test for -DOPENSSL_NO_HEARTBEATS · 756587dc
  Mike Bland authored May 22, 2014
```
Replaces the entire test with a trivial implementation when
OPENSSL_NO_HEARTBEATS is defined.
```
  756587dc
21 May, 2014 3 commits
- Fixed minor copy&paste error, and stray space causing rendering problem · 0a084f7b
  Matt Caswell authored May 22, 2014
  
  0a084f7b
- Fix for PKCS12_create if no-rc2 specified. · da0a95b2
  Dr. Stephen Henson authored May 21, 2014
```
Use triple DES for certificate encryption if no-rc2 is
specified.

PR#3357
(cherry picked from commit 4689c08453e95eeefcc88c9f32dc6e509f95caff)
```
  da0a95b2
- Change default cipher in smime app to des3. · 599fe418
  Dr. Stephen Henson authored May 21, 2014
```
PR#3357
(cherry picked from commit ca3ffd9670f2b589bf8cc04923f953e06d6fbc58)
```
  599fe418
20 May, 2014 1 commit
- For portability use BUF_strndup instead of strndup. · 4519e7b8
  Dr. Stephen Henson authored May 20, 2014
```
(cherry picked from commit dcca7b13)
```
  4519e7b8
19 May, 2014 4 commits
- Fix a wrong parameter count ERR_add_error_data · 4659b53e
  Janpopan authored May 04, 2014
  
  4659b53e
- Merge branch 'mbland-heartbeat-test-1.0.1' into OpenSSL_1_0_1-stable · dc22495d
  Ben Laurie authored May 19, 2014
  
  dc22495d
- Unit/regression test for TLS heartbeats. · ab0d9642
  Mike Bland authored Apr 16, 2014
```
Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html

(based on commit 35cb55988b75573105eefd00d27d0138eebe40b1)
```
  ab0d9642
- Allow the maximum value. · dac3654e
  Ben Laurie authored May 19, 2014
  
  dac3654e