Commits · a4dde824231befe5e2defffb2942e1faab631748 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

03 Jul, 2014 5 commits
- More doc fixes. · a4dde824
  Dr. Stephen Henson authored Jul 03, 2014
  
  a4dde824
- More bugfixes from the doc-fix merge; errors found by DrH, thanks. · eba0aa99
  Rich Salz authored Jul 03, 2014
  
  eba0aa99
- Fix errors with last cherry-pick; SSL_CONF_* and s_client · c9e6fffa
  Rich Salz authored Jul 03, 2014
```
-verify_return_error aren't in this release.
```
  c9e6fffa
- Merge branch 'rsalz-docfixes' · 85dcce7c
  Rich Salz authored Jul 03, 2014
```
(cherry picked from commit b5071dc2)

Conflicts:

	doc/apps/s_client.pod
	doc/apps/verify.pod
	doc/apps/x509v3_config.pod
	doc/crypto/ASN1_generate_nconf.pod
	doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod
	doc/ssl/SSL_CONF_cmd.pod
	doc/ssl/SSL_CONF_cmd_argv.pod
	doc/ssl/SSL_CTX_set_cert_cb.pod
	doc/ssl/SSL_CTX_set_security_level.pod
```
  85dcce7c
- Close 3170, remove reference to Ariel Glenn's old 0.9.8 doc · 2ed29615
  Rich Salz authored Jul 03, 2014
```
(cherry picked from commit f1112985)
```
  2ed29615
02 Jul, 2014 3 commits

Matt Smart authored Jul 02, 2014

ERR_get_error(3) references the non-existent
ERR_get_last_error_line_data instead of the one that does exist,
ERR_peek_last_error_line_data.

PR#3283
(cherry picked from commit 5cc99c6c)

d7080d62

util/mkerr.pl: fix perl warning · 5d7c8a48

Geoff Thorpe authored Apr 25, 2014



Gets rid of this;

defined(@array) is deprecated at ../util/mkerr.pl line 792.
        (Maybe you should just omit the defined()?)
defined(@array) is deprecated at ../util/mkerr.pl line 800.
        (Maybe you should just omit the defined()?)

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 647f360e)

5d7c8a48

ASN1 sanity check. · 00e86a74

Dr. Stephen Henson authored Jul 02, 2014

Primitive encodings shouldn't use indefinite length constructed
form.

PR#2438 (partial).
(cherry picked from commit 398e99fe)

00e86a74

29 Jun, 2014 3 commits

Fix memory leak. · 9e6857a3
Dr. Stephen Henson authored Jun 29, 2014
```
PR#2531.
(cherry picked from commit 59899c4d)
```
9e6857a3
Typo. · 71525848
Ken Ballou authored Jun 29, 2014
```
PR#3173
(cherry picked from commit 76ed5a42)
```
71525848

Show errors on CSR verification failure. · 2daec41e

Dr. Stephen Henson authored Jun 29, 2014

If CSR verify fails in ca utility print out error messages.
Otherwise some errors give misleading output: for example
if the key size exceeds the library limit.

PR#2875
(cherry picked from commit a30bdb55)

2daec41e

28 Jun, 2014 1 commit
- Typo. · 85196359
  Dr. Stephen Henson authored Jun 28, 2014
```
PR#3107
(cherry picked from commit 7c206db9)
```
  85196359
27 Jun, 2014 8 commits
- Don't disable state strings with no-ssl2 · d0bdfdd8
  Dr. Stephen Henson authored Jun 28, 2014
```
Some state strings were erronously not compiled when no-ssl2
was set.

PR#3295
(cherry picked from commit 0518a3e1)
```
  d0bdfdd8
- Fix typo in ideatest.c · 4b98488e
  Andreas Westfeld authored Jun 28, 2014
```
(cherry picked from commit d1d4382d)
```
  4b98488e
- Remove redundant check. · 0e2458e1
  Ken Ballou authored Jun 27, 2014
```
PR#3174
(cherry picked from commit fd331c0bb9b557903dd2ce88398570a3327b5ef0)
```
  0e2458e1
- Handle IPv6 addresses in OCSP_parse_url. · 326de189
  Tom Greenslade authored Jun 27, 2014
```
PR#2783
(cherry picked from commit b36f35cd)
```
  326de189
- Don't advertise ECC ciphersuits in SSLv2 compatible client hello. · 1fcfd61e
  Tomas Mraz authored Jun 27, 2014
```
PR#3374
(cherry picked from commit 0436369f)
```
  1fcfd61e
- Clarify docs. · 121f386e
  Jeffrey Walton authored Jun 27, 2014
```
Document that the certificate passed to SSL_CTX_add_extra_chain_cert()
should not be freed by the application.

PR#3409

Add restrictions section present in other branches.

(cherry picked from commit 86cac6d3)
```
  121f386e
- Memory leak and NULL dereference fixes. · 9fb10cfe
  Dr. Stephen Henson authored Jun 27, 2014
```
PR#3403
(cherry picked from commit d2aea038)

Conflicts:

	apps/crl2p7.c
	crypto/asn1/a_utctm.c
	crypto/asn1/ameth_lib.c
	crypto/asn1/bio_asn1.c
```
  9fb10cfe
- Remove ancient obsolete files under pkcs7. · a20a6366
  Dr. Stephen Henson authored Jun 26, 2014
```
(cherry picked from commit 7be6b27a)
```
  a20a6366
26 Jun, 2014 1 commit
- Make sure BN_sqr can never return a negative value. · 54985b50
  Huzaifa Sidhpurwala authored Jun 26, 2014
```
PR#3410
(cherry picked from commit e14e764c0d5d469da63d0819c6ffc0e1e9e7f0bb)
```
  54985b50
22 Jun, 2014 2 commits

Fix off-by-one errors in ssl_cipher_get_evp() · b09db677

Miod Vallat authored Jun 12, 2014

In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.

Bug discovered and fixed by Miod Vallat from the OpenBSD team.

PR#3375

b09db677

Revert " Fix off-by-one errors in ssl_cipher_get_evp()" · cdc59656
Matt Caswell authored Jun 22, 2014
```
This reverts commit def14907.

Incorrect attribution
```
cdc59656

14 Jun, 2014 1 commit

Accept CCS after sending finished. · 70d923fb

Dr. Stephen Henson authored Jun 14, 2014

Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.

PR#3400
(cherry picked from commit 99cd6a91fcb0931feaebbb4832681d40a66fad41)

70d923fb

12 Jun, 2014 2 commits

Fix off-by-one errors in ssl_cipher_get_evp() · def14907

Kurt Cancemi authored Jun 12, 2014

    In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.

    PR#3375

def14907

Allow the maximum value. · 7697d9b5

Ben Laurie authored May 19, 2014

(Backported as a result of PR#3377 reported by Rainer Jung <rainer.jung@kippdata.de>)

7697d9b5

10 Jun, 2014 1 commit
- Fix null pointer errors. · 0345354f
  Dr. Stephen Henson authored Jun 10, 2014
```
PR#3394
(cherry picked from commit 7a9d59c1)
```
  0345354f
09 Jun, 2014 1 commit
- Clarify NEWS. · 90aef443
  Dr. Stephen Henson authored Jun 09, 2014
  
  90aef443
06 Jun, 2014 3 commits
- Use correct wording for website scripts. · 60268907
  Dr. Stephen Henson authored Jun 06, 2014
  
  60268907
- Add two known issues to NEWS. · 810d2c7f
  Dr. Stephen Henson authored Jun 06, 2014
  
  810d2c7f
- Fix 0.9.8 FIPS capable OpenSSL build. · 0a9b8dd1
  Dr. Stephen Henson authored Jun 06, 2014
```
The object file bn_lib.o is excluded from FIPS builds which causes
a linker error for BN_consttime_swap. So move definition from bn_lib.c
to bn_gf2m.c

This change is *only* needed for OpenSSL 0.9.8 which uses the 1.2
FIPS module.
```
  0a9b8dd1
05 Jun, 2014 4 commits
- Fixed Windows compilation failure · bfce4e5d
  Matt Caswell authored May 27, 2014
  
  bfce4e5d
- Prepare for 0.9.8zb-dev · 4a1190be
  Dr. Stephen Henson authored Jun 05, 2014
  
  4a1190be
- Prepare for 0.9.8za release · 047ec5d1
  Dr. Stephen Henson authored Jun 05, 2014
  
  OpenSSL_0_9_8za
  
  047ec5d1
- Update CHANGES and NEWS · bb598893
  Dr. Stephen Henson authored Jun 05, 2014
  
  bb598893
03 Jun, 2014 5 commits

Fix CVE-2014-3470 · 141a5482
Dr. Stephen Henson authored May 29, 2014
```
Check session_cert is not NULL before dereferencing it.
```
141a5482

Fix CVE-2014-0221 · de2422af

Dr. Stephen Henson authored May 16, 2014

Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.

de2422af

Additional CVE-2014-0224 protection. · 897169fd
Dr. Stephen Henson authored May 16, 2014
```
Return a fatal error if an attempt is made to use a zero length
master secret.
```
897169fd

Fix for CVE-2014-0224 · 410a49a4

Dr. Stephen Henson authored May 16, 2014

Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.

410a49a4

Fix for CVE-2014-0195 · 82ba68c4

Dr. Stephen Henson authored May 13, 2014

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.

82ba68c4