  1. Mar 11, 2015
    • Move Configurations* out of the way and rename them. · 97a0cc52
      Richard Levitte authored
      
      Configure would load the glob "Configurations*".  The problem with
      this is that it also loads all kinds of backups of those
      configurations that some editors do, like emacs' classic
      'Configurations~'.  The solution is to give them an extension, such as
      '.conf', and make sure to end the glob with that.
      
      Also, because 'Configurations.conf' makes for a silly name, and
      because a possibly large number of configurations will become clutter,
      move them to a subdirectory 'Configurations/', and rename them to
      something more expressive, as well as something that sets up some form
      of sorting order.  Thus:
      
          Configurations	->	Configurations/10-main.conf
          Configurations.team	->	Configurations/90-team.conf
      
      Finally, make sure that Configure sorts the list of files that 'glob'
      produces, and adapt Makefile.org.
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
    • Cleanse buffers · c9dd49a7
      Matt Caswell authored
      
      Cleanse various intermediate buffers used by the PRF.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
  2. Mar 10, 2015
    • Harmonize return values in dtls1_buffer_record · 06c6a2b4
      Emilia Kasper authored
      
      Ensure all malloc failures return -1.
      
      Reported by Adam Langley (Google).
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
    • BIO_debug_callback: Fix output on 64-bit machines · 460e920d
      Richard Godbee authored
      
      BIO_debug_callback() no longer assumes the hexadecimal representation of
      a pointer fits in 8 characters.
      
      Signed-off-by: Richard Levitte <levitte@openssl.org>
      Reviewed-by: Matt Caswell <matt@openssl.org>
    • Prevent handshake with unseeded PRNG · e1b568dd
      Matt Caswell authored
      
      Fix security issue where under certain conditions a client can complete a
      handshake with an unseeded PRNG. The conditions are:
      - Client is on a platform where the PRNG has not been seeded, and the
      user has not seeded manually
      - A protocol specific client method version has been used (i.e. not
      SSL_client_methodv23)
      - A ciphersuite is used that does not require additional random data
      from the PRNG beyond the initial ClientHello client random
      (e.g. PSK-RC4-SHA)
      
      If the handshake succeeds then the client random that has been used will
      have been generated from a PRNG with insufficient entropy and therefore
      the output may be predictable.
      
      For example using the following command with an unseeded openssl will
      succeed on an unpatched platform:
      
      openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
      
      CVE-2015-0285
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
  3. Mar 09, 2015
  4. Mar 08, 2015
  5. Mar 06, 2015
  6. Mar 05, 2015
  7. Mar 04, 2015
  8. Mar 02, 2015
  9. Mar 01, 2015
    • Remove experimental 56bit export ciphers · a258afaf
      Rich Salz authored
      
      These ciphers are removed:
          TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5
          TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
          TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
          TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
          TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
          TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
          TLS1_CK_DHE_DSS_WITH_RC4_128_SHA
      They were defined in a long-expired IETF internet-draft:
      draft-ietf-tls-56-bit-ciphersuites-01.txt
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
  10. Feb 27, 2015
  11. Feb 26, 2015
    • Fix evp_extra_test.c with no-ec · a9880362
      Matt Caswell authored
      
      When OpenSSL is configured with no-ec, then the new evp_extra_test fails to
      pass. This change adds appropriate OPENSSL_NO_EC guards around the code.
      
      Reviewed-by: Tim Hudson <tjh@openssl.org>
    • Remove NETSCAPE_HANG_BUG · cf61ef75
      Matt Caswell authored
      
      NETSCAPE_HANG_BUG is a workaround for a browser bug from many years ago
      (2000).
      It predates DTLS, so certainly has no place in d1_srvr.c.
      In s3_srvr.c it forces the ServerDone to appear in the same record as the
      CertificateRequest when doing client auth.
      
      BoringSSL have already made the same commit:
      79ae85e4f777f94d91b7be19e8a62016cb55b3c5
      
      Reviewed-by: Tim Hudson <tjh@openssl.org>