Commits · 96db9023b881d7cd9f379b0c154650d6c108e9a3 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

07 Apr, 2014 2 commits

Add heartbeat extension bounds check. · 96db9023

Dr. Stephen Henson authored Apr 06, 2014

A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)

96db9023

Document -verify_return_error option. · 0d7717fc
Dr. Stephen Henson authored Apr 07, 2014
```
(cherry picked from commit 4e6c12f3)
```
0d7717fc

06 Apr, 2014 2 commits
- crypto/modes/gcm128.c: more strict aliasing fixes. · aba76000
  Andy Polyakov authored Apr 06, 2014
```
(cherry picked from commit 997d1aac)
```
  aba76000
- vpaes-x86_64.pl: fix typo, which for some reason triggers rkhunter. · 00acdfbf
  Andy Polyakov authored Apr 06, 2014
```
(cherry picked from commit 6eebcf34)
```
  00acdfbf
05 Apr, 2014 1 commit

Set TLS padding extension value. · 51624dbd

Dr. Stephen Henson authored Apr 05, 2014

Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
(cherry picked from commit cd6bd5ff)

Conflicts:

	CHANGES
	ssl/tls1.h

51624dbd

04 Apr, 2014 2 commits

Update FAQ. · 9e29df00
Dr. Stephen Henson authored Apr 04, 2014
```
(cherry picked from commit 6cc00684)
```
9e29df00

Use correct length when prompting for password. · f54167d1

Dr. Stephen Henson authored Apr 04, 2014

Use bufsiz - 1 not BUFSIZ - 1 when prompting for a password in
the openssl utility.

Thanks to Rob Mackinnon, Leviathan Security for reporting this issue.
(cherry picked from commit 7ba08a4d)

f54167d1

03 Apr, 2014 2 commits
- Document new crl option. · 6042582b
  Dr. Stephen Henson authored Apr 03, 2014
```
(cherry picked from commit dbb7654d)
```
  6042582b
- Add option to generate old hash format. · 50522642
  Tim Hudson authored Apr 03, 2014
```
New -hash_old to generate CRL hashes using old
(before OpenSSL 1.0.0) algorithm.
(cherry picked from commit de2d97cd)
```
  50522642
02 Apr, 2014 1 commit

Fix base64 decoding bug. · bfc3424d

Eric Young authored Apr 02, 2014

A short PEM encoded sequence if passed to the BIO, and the file
had 2 \n following would fail.

PR#3289
(cherry picked from commit 10378fb5)

bfc3424d

12 Mar, 2014 3 commits

update NEWS · 1c659368
Dr. Stephen Henson authored Mar 12, 2014

1c659368

Update ordinals. · 40acdb19

Dr. Stephen Henson authored Mar 12, 2014

Use a previously unused value as we will be updating multiple released
branches.
(cherry picked from commit 0737acd2)

40acdb19

Fix for CVE-2014-0076 · 4b7a4ba2

Dr. Stephen Henson authored Mar 12, 2014

Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
(cherry picked from commit 2198be34)

Conflicts:

	CHANGES

4b7a4ba2

10 Mar, 2014 1 commit
- typo · e0660c62
  Dr. Stephen Henson authored Mar 10, 2014
```
(cherry picked from commit a029788b)
```
  e0660c62
07 Mar, 2014 2 commits
- Remove -WX option from debug-VC-WIN32 · b4ada742
  Dr. Stephen Henson authored Mar 07, 2014
  
  b4ada742
- engines/ccgost/gosthash.c: simplify and avoid SEGV. · a93d952c
  Andy Polyakov authored Mar 07, 2014
```
PR: 3275
(cherry picked from commit ea38f020)
```
  a93d952c
27 Feb, 2014 1 commit
- Makefile.org: mask touch's exit code · 5b56fec6
  Andy Polyakov authored Feb 27, 2014
```
[but don't let it mask make's].

PR: 3269
(cherry picked from commit 2f34088e)
```
  5b56fec6
26 Feb, 2014 1 commit
- Fix for WIN32 builds with KRB5 · 32171e4e
  Dr. Stephen Henson authored Feb 26, 2014
```
(cherry picked from commit 3eddd1706a30cdf3dc9278692d8ee9038eac8a0d)
```
  32171e4e
25 Feb, 2014 3 commits

ssl/t1_enc.c: check EVP_MD_CTX_copy return value. · 48e6edab
Andy Polyakov authored Feb 25, 2014
```
PR: 3201
(cherry picked from commit 03da57fe)
```
48e6edab
update NEWS · 06960712
Dr. Stephen Henson authored Feb 25, 2014

06960712

Avoid Windows 8 Getversion deprecated errors. · caf55bfa

Dr. Stephen Henson authored Feb 25, 2014

Windows 8 SDKs complain that GetVersion() is deprecated.

We only use GetVersion like this:

	(GetVersion() < 0x80000000)

which checks if the Windows version is NT based. Use a macro check_winnt()
which uses GetVersion() on older SDK versions and true otherwise.
(cherry picked from commit a4cc3c80)

caf55bfa

24 Feb, 2014 4 commits
- ms/do_win64a.bat: forward to NUL, not NUL:. · ce363101
  Andy Polyakov authored Feb 24, 2014
```
Allegedly formwarding to NUL: sometimes creates NUL file in file
system.

PR: 3250
(cherry picked from commit 63aff300)
```
  ce363101
- BC-32.pl: pre-1.0.2-specific refresh for Borland C. · 3ae1b534
  Andy Polyakov authored Feb 24, 2014
```
PR: 3251
Suggested by: Thorsten Schöning
```
  3ae1b534
- BC-32.pl: refresh Borland C support. · 79bb0053
  Andy Polyakov authored Feb 24, 2014
```
PR: 3251
Suggested by: Thorsten Schning
(cherry picked from commit 779c51c6)
```
  79bb0053
- x509/by_dir.c: fix run-away pointer (and potential SEGV) · c4b16ddc
  Andy Polyakov authored Feb 24, 2014
```
when adding duplicates in add_cert_dir.

PR: 3261
Reported by: Marian Done
(cherry picked from commit 758954e0)
```
  c4b16ddc
15 Feb, 2014 2 commits
- Add /fixed flag for FIPS links where appropriate. · deb3b08f
  Dr. Stephen Henson authored Feb 15, 2014
```
(cherry picked from commit c55fef76)

Conflicts:

	util/pl/VC-32.pl
```
  deb3b08f
- Remove duplicate statement. · b45b3efd
  Dr. Stephen Henson authored Feb 15, 2014
```
(cherry picked from commit 5a7652c3)
```
  b45b3efd
14 Feb, 2014 5 commits

Use defaults bits in req when not given · e420060a

Kurt Roeckx authored Dec 23, 2013

If you use "-newkey rsa" it's supposed to read the default number of bits from the
config file.  However the value isn't used to generate the key, but it does
print it's generating such a key.  The set_keygen_ctx() doesn't call
EVP_PKEY_CTX_set_rsa_keygen_bits() and you end up with the default set in
pkey_rsa_init() (1024).  Afterwards the number of bits gets read from the config
file, but nothing is done with that anymore.

We now read the config first and use the value from the config file when no size
is given.

PR: 2592
(cherry picked from commit 33432203)

e420060a

Fix additional pod errors with numbered items. · d8ec8a4a
Kurt Roeckx authored Dec 23, 2013
```
(cherry picked from commit e547c45f)
```
d8ec8a4a
Fix various spelling errors · 040ed7b4
Scott Schaefer authored Dec 23, 2013
```
(cherry picked from commit 2b4ffc65)
```
040ed7b4

Document pkcs12 -password behavior · c76e5b08

Scott Schaefer authored Dec 23, 2013

apps/pkcs12.c accepts -password as an argument.  The document author
almost certainly meant to write "-password, -passin".

However, that is not correct, either.  Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password as equivalent to -passout.
(cherry picked from commit 856c6dfb)

c76e5b08

Backport TLS padding extension from master. · 00712158
Dr. Stephen Henson authored Dec 13, 2013
```
(cherry picked from commit 8c6d8c2a)

Conflicts:

	CHANGES
	ssl/t1_lib.c
```
00712158

05 Feb, 2014 1 commit
- Backport TLS padding extension from master. · 4a55631e
  Dr. Stephen Henson authored Dec 13, 2013
```
(cherry picked from commit 8c6d8c2a)

Conflicts:

	CHANGES
	ssl/t1_lib.c
```
  4a55631e
03 Feb, 2014 1 commit
- Add quotes as CC can contain spaces. · 19a68574
  Dr. Stephen Henson authored Feb 03, 2014
```
PR#3253
(cherry picked from commit 7f6e09b5)
```
  19a68574
29 Jan, 2014 1 commit

Clarify docs. · f21e6b6e

Dr. Stephen Henson authored Jan 29, 2014

Remove reference to ERR_TXT_MALLOCED in the error library as that is
only used internally. Indicate that returned error data must not be
freed.
(cherry picked from commit f2d678e6)

f21e6b6e

28 Jan, 2014 4 commits

typo · e1549a01
Dr. Stephen Henson authored Jan 28, 2014
```
(cherry picked from commit cb218267)
```
e1549a01
Fix demo comment: 0.9.9 never released. · 765be74d
Dr. Stephen Henson authored Jan 28, 2014
```
(cherry picked from commit 717cc858)
```
765be74d
Check i before r[i]. · 9614d2c6
Dr. Stephen Henson authored Jan 28, 2014
```
PR#3244
```
9614d2c6

Add loaded dynamic ENGINEs to list. · ad03c71e

Dr. Stephen Henson authored Jan 28, 2014

Always add a dynamically loaded ENGINE to list. Otherwise it can cause
problems when multiply loaded, especially if it adds new public key methods.
For all current engines we only want a single implementation anyway.
(cherry picked from commit e933f91f)

ad03c71e

23 Jan, 2014 1 commit

Use default digest implementation in dgst.c · 4eedf86a

Dr. Stephen Henson authored Jan 23, 2014

Use default instead of ENGINE version of digest. Without this
errors will occur if you use an ENGINE for a private key and
it doesn't implement the digest in question.

4eedf86a