Commits · 83cb7c46353b849b9511f1328a06a1ef33baf5c8 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Feb 15, 2012

An incompatibility has always existed between the format used for RSA · 83cb7c46

Dr. Stephen Henson authored Feb 15, 2012

signatures and MDC2 using EVP or RSA_sign. This has become more apparent
when the dgst utility in OpenSSL 1.0.0 and later switched to using the
EVP_DigestSign functions which call RSA_sign.

This means that the signature format OpenSSL 1.0.0 and later used with
dgst -sign and MDC2 is incompatible with previous versions.

Add detection in RSA_verify so either format works.

Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.

83cb7c46

Feb 09, 2012
- Modify client hello version when renegotiating to enhance interop with · f4e11693
  Dr. Stephen Henson authored Feb 09, 2012
```
some servers.
```
  f4e11693
Jan 31, 2012

Add support for distinct certificate chains per key type and per SSL · f71c6e52

Dr. Stephen Henson authored Jan 31, 2012

structure.

Before this the only way to add a custom chain was in the parent SSL_CTX
(which is shared by all key types and SSL structures) or rely on auto
chain building (which is performed on each handshake) from the trust store.

f71c6e52

Jan 25, 2012
- add support for use of fixed DH client certificates · 0d609395
  Dr. Stephen Henson authored Jan 25, 2012
  
  0d609395
Jan 18, 2012

Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. · 855d2918

Dr. Stephen Henson authored Jan 18, 2012

Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)

855d2918

Jan 17, 2012
- fix CHANGES entry · ac07bc86
  Dr. Stephen Henson authored Jan 17, 2012
  
  ac07bc86
Jan 16, 2012

Support for fixed DH ciphersuites. · 8e1dc4d7

Dr. Stephen Henson authored Jan 16, 2012

The cipher definitions of these ciphersuites have been around since SSLeay
but were always disabled. Now OpenSSL supports DH certificates they can be
finally enabled.

Various additional changes were needed to make them work properly: many
unused fixed DH sections of code were untested.

8e1dc4d7

Jan 05, 2012

Update for 0.9.8s and 1.0.0f, and for 1.0.1 branch. · 8e855452

Bodo Möller authored Jan 05, 2012

(While the 1.0.0f CHANGES entry on VOS PRNG seeding was missing
in HEAD, the actual code is here already.)

8e855452

Jan 04, 2012
- update CHANGES · 4d0bafb4
  Dr. Stephen Henson authored Jan 04, 2012
  
  4d0bafb4
- Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de> · e7455724
  Dr. Stephen Henson authored Jan 04, 2012
```
Reviewed by: steve

Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
```
  e7455724
- Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) · 27dfffd5
  Dr. Stephen Henson authored Jan 04, 2012
  
  27dfffd5
- fix CHANGES · 2ec0497f
  Dr. Stephen Henson authored Jan 04, 2012
  
  2ec0497f
- Check GOST parameters are not NULL (CVE-2012-0027) · 6bf896d9
  Dr. Stephen Henson authored Jan 04, 2012
  
  6bf896d9
- Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) · be71c372
  Dr. Stephen Henson authored Jan 04, 2012
  
  be71c372
Dec 31, 2011
- update CHANGES · 0b9f5ef8
  Dr. Stephen Henson authored Dec 31, 2011
  
  0b9f5ef8
- PR: 2658 · 4817504d
  Dr. Stephen Henson authored Dec 31, 2011
```
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
```
  4817504d
Dec 19, 2011
- PR: 2563 · ad89bf78
  Dr. Stephen Henson authored Dec 19, 2011
```
Submitted by: Paul Green <Paul.Green@stratus.com>
Reviewed by: steve

Improved PRNG seeding for VOS.
```
  ad89bf78
- update CHANGES. · e75440d2
  Andy Polyakov authored Dec 19, 2011
  
  e75440d2
- update CHANGES · 188c53f7
  Dr. Stephen Henson authored Dec 19, 2011
  
  188c53f7
Dec 13, 2011
- Back out redundant verification time change. · 9a436c0f
  Ben Laurie authored Dec 13, 2011
  
  9a436c0f
- Make it possible to set a time for verification. · 7fd5df6b
  Ben Laurie authored Dec 13, 2011
  
  7fd5df6b
Dec 10, 2011
- update CHANGES · 627b0445
  Dr. Stephen Henson authored Dec 10, 2011
  
  627b0445
Dec 07, 2011
- transparently handle X9.42 DH parameters · 2ca873e8
  Dr. Stephen Henson authored Dec 07, 2011
  
  2ca873e8
- Initial experimental support for X9.42 DH parameter format to handle · afb14cda
  Dr. Stephen Henson authored Dec 07, 2011
```
RFC5114 parameters and X9.42 DH public and private keys.
```
  afb14cda
Dec 02, 2011
- Resolve a stack set-up race condition (if the list of compression · 19b0d0e7
  Bodo Möller authored Dec 02, 2011
```
methods isn't presorted, it will be sorted on first read).

Submitted by: Adam Langley
```
  19b0d0e7
- Fix ecdsatest.c. · ea8c77a5
  Bodo Möller authored Dec 02, 2011
```
Submitted by: Emilia Kasper
```
  ea8c77a5
- Update HEAD CHANGES file. · a7c71d89
  Bodo Möller authored Dec 02, 2011
  
  a7c71d89
- Fix BIO_f_buffer(). · 390c5795
  Bodo Möller authored Dec 02, 2011
```
Submitted by: Adam Langley
Reviewed by: Bodo Moeller
```
  390c5795
Nov 15, 2011
- Add TLS exporter. · e0af0405
  Ben Laurie authored Nov 15, 2011
  
  e0af0405
- Add DTLS-SRTP. · 333f926d
  Ben Laurie authored Nov 15, 2011
  
  333f926d
Nov 13, 2011
- Add RFC5114 DH parameters to OpenSSL. Add test data to dhtest. · 20bee968
  Dr. Stephen Henson authored Nov 13, 2011
  
  20bee968
Nov 06, 2011
- Update fips_test_suite to take multiple command line options and · a98b8ce6
  Dr. Stephen Henson authored Nov 06, 2011
```
an induced error checking function.
```
  a98b8ce6
Nov 05, 2011
- Add single call public key sign and verify functions. · f4324e51
  Dr. Stephen Henson authored Nov 05, 2011
  
  f4324e51
Nov 02, 2011
- Add fips_algvs utility (from FIPS 2.0 stable branch). · 3ec9dceb
  Dr. Stephen Henson authored Nov 02, 2011
  
  3ec9dceb
Oct 19, 2011
- add authentication parameter to FIPS_module_mode_set · 5e4eb995
  Dr. Stephen Henson authored Oct 19, 2011
  
  5e4eb995
- BN_BLINDING multi-threading fix. · e5641d7f
  Bodo Möller authored Oct 19, 2011
```
Submitted by: Emilia Kasper (Google)
```
  e5641d7f
- Fix warnings. · e0d6132b
  Bodo Möller authored Oct 19, 2011
```
Also, use the common Configure mechanism for enabling/disabling the 64-bit ECC code.
```
  e0d6132b
Oct 18, 2011

Improve optional 64-bit NIST-P224 implementation, and add NIST-P256 and · 3e00b4c9

Bodo Möller authored Oct 18, 2011

NIST-P521. (Now -DEC_NISTP_64_GCC_128 enables all three of these;
-DEC_NISTP224_64_GCC_128 no longer works.)

Submitted by: Google Inc.

3e00b4c9

Oct 13, 2011
- typo · 8b37d33a
  Bodo Möller authored Oct 13, 2011
  
  8b37d33a
- In ssl3_clear, preserve s3->init_extra along with s3->rbuf. · 3ddc06f0
  Bodo Möller authored Oct 13, 2011
```
Submitted by: Bob Buckholz <bbuckholz@google.com>
```
  3ddc06f0