Commits · 4d321e0767bc928e47803dbc1a32bdbd01b17386 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

16 May, 2012 2 commits
- s2_clnt.c: compensate for compiler bug [from HEAD]. · 4d321e07
  Andy Polyakov authored May 16, 2012
  
  4d321e07
- ppccap.c: assume no features under 32-bit AIX kernel [from HEAD]. · 67fda0c1
  Andy Polyakov authored May 16, 2012
```
PR: 2810
```
  67fda0c1
13 May, 2012 1 commit

Experimental multi-implementation support for FIPS capable OpenSSL. · 1dded7f7

Dr. Stephen Henson authored May 13, 2012

When in FIPS mode the approved implementations are used as normal,
when not in FIPS mode the internal unapproved versions are used instead.
This means that the FIPS capable OpenSSL isn't forced to use the
(often lower perfomance) FIPS implementations outside FIPS mode.

1dded7f7

11 May, 2012 2 commits

PR: 2813 · 482f2380

Dr. Stephen Henson authored May 11, 2012

Reported by: Constantine Sapuntzakis <csapuntz@gmail.com>

Fix possible deadlock when decoding public keys.

482f2380

PR: 2811 · 5e145e54

Dr. Stephen Henson authored May 11, 2012

Reported by: Phil Pennock <openssl-dev@spodhuis.org>

Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
version client hello workaround if renegotiating.

5e145e54

10 May, 2012 4 commits
- PR: 2806 · df73e68a
  Dr. Stephen Henson authored May 10, 2012
```
Submitted by: PK <runningdoglackey@yahoo.com>

Correct ciphersuite signature algorithm definitions.
```
  df73e68a
- Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and · e7c84838
  Dr. Stephen Henson authored May 10, 2012
```
DTLS to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
```
  e7c84838
- Don't forget to install srtp.h as well · 712d5234
  Richard Levitte authored May 10, 2012
  
  712d5234
- Reported by: Solar Designer of Openwall · 24547c23
  Dr. Stephen Henson authored May 10, 2012
```
Make sure tkeylen is initialised properly when encrypting CMS messages.
```
  24547c23
04 May, 2012 1 commit
- Correct environment variable is OPENSSL_ALLOW_PROXY_CERTS. · 8baf604a
  Richard Levitte authored May 04, 2012
  
  8baf604a
27 Apr, 2012 1 commit

ppccpuid.pl: branch hints in OPENSSL_cleanse impact small block performance · 95416ce5

Andy Polyakov authored Apr 27, 2012

of digest algorithms, mosty SHA, on Power7. Mystery of century, why SHA,
why slower algorithm are affected more... [from HEAD].
PR: 2794
Submitted by: Ashley Lai

95416ce5

26 Apr, 2012 3 commits
- Don't try to use unvalidated composite ciphers in FIPS mode · a56f9a61
  Dr. Stephen Henson authored Apr 26, 2012
  
  a56f9a61
- CHANGES: clarify. · 0ae89cf3
  Andy Polyakov authored Apr 26, 2012
  
  0ae89cf3
- CHANGES: fix typos and clarify. · 7e0c9630
  Andy Polyakov authored Apr 26, 2012
  
  7e0c9630
25 Apr, 2012 2 commits
- Change value of SSL_OP_NO_TLSv1_1 to avoid clash with SSL_OP_ALL and · a6df6702
  Dr. Stephen Henson authored Apr 25, 2012
```
OpenSSL 1.0.0. Add CHANGES entry noting the consequences.
```
  a6df6702
- s23_clnt.c: ensure interoperability by maitaining client "version capability" · f69abd53
  Andy Polyakov authored Apr 25, 2012
```
vector contiguous [from HEAD].
PR: 2802
```
  f69abd53
24 Apr, 2012 1 commit
- Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr> · fe9ce2b7
  Dr. Stephen Henson authored Apr 24, 2012
```
Reviewed by: steve
Improved localisation of TLS extension handling and code tidy.
```
  fe9ce2b7
22 Apr, 2012 5 commits
- objxref.pl: improve portability [from HEAD]. · 8e7ccf6f
  Andy Polyakov authored Apr 22, 2012
  
  8e7ccf6f
- correct error code · 51b77c03
  Dr. Stephen Henson authored Apr 22, 2012
  
  51b77c03
- check correctness of errors before updating them so we don't get bogus errors added · 85d179d4
  Dr. Stephen Henson authored Apr 22, 2012
  
  85d179d4
- correct old FAQ answers, sync with HEAD · 890f5ada
  Dr. Stephen Henson authored Apr 22, 2012
  
  890f5ada
- PR: 2239 · 1cc8410e
  Dr. Stephen Henson authored Apr 22, 2012
```
Submitted by: Dominik Oepen <oepen@informatik.hu-berlin.de>

Add Brainpool curves from RFC5639.

Original patch by Annie Yousar <a.yousar@informatik.hu-berlin.de>
```
  1cc8410e
20 Apr, 2012 3 commits
- e_rc4_hmac_md5.c: reapply commit#21726, which was erroneously omitted [from 1.0.1]. · 6ca7af9e
  Andy Polyakov authored Apr 20, 2012
```
PR: 2797, 2792
```
  6ca7af9e
- call OPENSSL_init when calling FIPS_mode too · bc2c8efc
  Dr. Stephen Henson authored Apr 20, 2012
  
  bc2c8efc
- make ciphers work again for FIPS builds · 00bb8752
  Dr. Stephen Henson authored Apr 20, 2012
  
  00bb8752
19 Apr, 2012 4 commits
- e_rc4_hmac_md5.c: last commit was inappropriate for non-x86[_64] platforms · c3cb563d
  Andy Polyakov authored Apr 19, 2012
```
[from HEAD].
PR: 2792
```
  c3cb563d
- update date · d6ef8165
  Dr. Stephen Henson authored Apr 19, 2012
  
  d6ef8165
- Check for potentially exploitable overflows in asn1_d2i_read_bio · 564a503b
  Dr. Stephen Henson authored Apr 19, 2012
```
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.

Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
```
  564a503b
- Makefile.org: clear yet another environment variable [from HEAD]. · 56eeb1b2
  Andy Polyakov authored Apr 19, 2012
```
PR: 2793
```
  56eeb1b2
18 Apr, 2012 4 commits
- only call FIPS_cipherinit in FIPS mode · 068fc255
  Dr. Stephen Henson authored Apr 18, 2012
  
  068fc255
- e_rc4_hmac_md5.c: update from HEAD, fixes crash on legacy Intel CPUs. · cc8f2fb9
  Andy Polyakov authored Apr 18, 2012
```
PR: 2792
```
  cc8f2fb9
- recognise X9.42 DH certificates on servers · b583ebb7
  Dr. Stephen Henson authored Apr 18, 2012
  
  b583ebb7
- correct error code · f897fe41
  Dr. Stephen Henson authored Apr 18, 2012
  
  f897fe41
17 Apr, 2012 3 commits

Disable SHA-2 ciphersuites in < TLS 1.2 connections. · bb3add20

Bodo Möller authored Apr 17, 2012

(TLS 1.2 clients could end up negotiating these with an OpenSSL server
with TLS 1.2 disabled, which is problematic.)

Submitted by: Adam Langley

bb3add20

Additional workaround for PR#2771 · 48e0f666

Dr. Stephen Henson authored Apr 17, 2012

If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client
ciphersuites to this value. A value of 50 should be sufficient.

Document workarounds in CHANGES.

48e0f666

Partial workaround for PR#2771. · 32213fb2

Dr. Stephen Henson authored Apr 17, 2012

Some servers hang when presented with a client hello record length exceeding
255 bytes but will work with longer client hellos if the TLS record version
in client hello does not exceed TLS v1.0. Unfortunately this doesn't fix all
cases...

32213fb2

16 Apr, 2012 2 commits
- OPENSSL_NO_SOCK fixes [from HEAD]. · f6a1939f
  Andy Polyakov authored Apr 16, 2012
```
PR: 2791
Submitted by: Ben Noordhuis
```
  f6a1939f
- Minor compatibility fixes [from HEAD]. · 94c66647
  Andy Polyakov authored Apr 16, 2012
```
PR: 2790
Submitted by: Alexei Khlebnikov
```
  94c66647
15 Apr, 2012 2 commits
- s3_srvr.c: fix typo [from HEAD]. · 09f17419
  Andy Polyakov authored Apr 15, 2012
```
PR: 2538
```
  09f17419
- e_aes_cbc_hmac_sha1.c: handle zero-length payload and engage empty frag · eb8a65db
  Andy Polyakov authored Apr 15, 2012
```
countermeasure [from HEAD].

PR: 2778
```
  eb8a65db