Commits · c7395fb9997efe924de62ec4d5c7b92aad510869 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

19 Mar, 2015 5 commits

Matt Caswell authored Mar 17, 2015



Update the NEWS file with the latest entries from CHANGES ready for the
release.

Reviewed-by: Richard Levitte <levitte@openssl.org>

c7395fb9

Update CHANGES for release · d53f9203

Matt Caswell authored Mar 17, 2015



Update CHANGES fiel with all the latest fixes ready for the release.

Conflicts:
	CHANGES

Conflicts:
	CHANGES

Reviewed-by: Richard Levitte <levitte@openssl.org>

d53f9203

Fix reachable assert in SSLv2 servers. · 65c588c1

Emilia Kasper authored Mar 04, 2015



This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

65c588c1

PKCS#7: avoid NULL pointer dereferences with missing content · 544e3e3b

Emilia Kasper authored Feb 27, 2015



In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>

Conflicts:
	crypto/pkcs7/pk7_doit.c

544e3e3b

Fix ASN1_TYPE_cmp · 497d0b00

Dr. Stephen Henson authored Mar 09, 2015



Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>

497d0b00

18 Mar, 2015 1 commit

Free up ADB and CHOICE if already initialised. · 674341f1

Dr. Stephen Henson authored Feb 23, 2015



CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

674341f1

14 Mar, 2015 2 commits
- Tolerate test_sqr errors for FIPS builds. · c58f4f73
  Dr. Stephen Henson authored Mar 14, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  c58f4f73
- Disable export and SSLv2 ciphers by default · c85c1e08
  Kurt Roeckx authored Mar 08, 2015
```
They are moved to the COMPLEMENTOFDEFAULT instead.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
  c85c1e08
11 Mar, 2015 1 commit

Cleanse buffers · c2f5de13

Matt Caswell authored Mar 09, 2015



Cleanse various intermediate buffers used by the PRF (backported version
from master).

Conflicts:
	ssl/s3_enc.c

Conflicts:
	ssl/t1_enc.c

Conflicts:
	ssl/t1_enc.c

Reviewed-by: Richard Levitte <levitte@openssl.org>

c2f5de13

08 Mar, 2015 1 commit

Fix warnings. · 01320ad3

Dr. Stephen Henson authored Mar 08, 2015

Fix compiler warnings (similar to commit 25012d5e

)

Reviewed-by: Richard Levitte <levitte@openssl.org>

01320ad3

06 Mar, 2015 1 commit

Update mkerr.pl for new format · a065737a

Matt Caswell authored Mar 06, 2015



Make the output from mkerr.pl consistent with the newly reformatted code.

Reviewed-by: Richard Levitte <levitte@openssl.org>

a065737a

02 Mar, 2015 2 commits

Check public key is not NULL. · 241cff62

Dr. Stephen Henson authored Feb 18, 2015



CVE-2015-0288
PR#3708

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 28a00bcd)

241cff62

Fix format script. · 8a8ba071

Dr. Stephen Henson authored Mar 02, 2015



The format script didn't correctly recognise some ASN.1 macros and
didn't reformat some files as a result. Fix script and reformat
affected files.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 437b14b5)

Conflicts:
	crypto/asn1/x_long.c

8a8ba071

25 Feb, 2015 1 commit

Fix a failure to NULL a pointer freed on error. · 1b4a8df3

Matt Caswell authored Feb 09, 2015



Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>

CVE-2015-0209

Reviewed-by: Emilia Käsper <emilia@openssl.org>

1b4a8df3

09 Feb, 2015 2 commits
- Bring objects.pl output even closer to new format. · 6d4655c2
  Andy Polyakov authored Feb 09, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 84903716)
```
  6d4655c2
- Harmonize objects.pl output with new format. · 9eca2cbc
  Andy Polyakov authored Feb 07, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 7ce38623)
```
  9eca2cbc
06 Feb, 2015 1 commit

Fix error handling in ssltest · d7efe7ea

Matt Caswell authored Feb 05, 2015



Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ae632974)

d7efe7ea

05 Feb, 2015 1 commit

Fixed bad formatting in crypto/des/spr.h · 49fa6b6c

Rich Salz authored Feb 05, 2015



Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 7e35f06e)

49fa6b6c

03 Feb, 2015 1 commit
- Check PKCS#8 pkey field is valid before cleansing. · d64a227f
  Dr. Stephen Henson authored Feb 01, 2015
```
PR:3683
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 52e028b9)
```
  d64a227f
22 Jan, 2015 21 commits
- Fix for reformat problems with e_padlock.c · 6844c129
  Matt Caswell authored Jan 22, 2015
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit d3b7cac4)
```
  6844c129
- Fix formatting error in pem.h · ead95e76
  Matt Caswell authored Jan 22, 2015
```
Reviewed-by: Andy Polyakov <appro@openssl.org>

Conflicts:
	crypto/pem/pem.h

Conflicts:
	crypto/pem/pem.h
```
  ead95e76
- Re-align some comments after running the reformat script. · 02f0c26c
  Matt Caswell authored Jan 05, 2015
```
This should be a one off operation (subsequent invokation of the
script should not move them)

This commit is for the 0.9.8 changes

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  OpenSSL_0_9_8-post-reformat
  
  02f0c26c
- Rerun util/openssl-format-source -v -c . · 6f1f3c66
  Matt Caswell authored Jan 22, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  OpenSSL_0_9_8-post-auto-reformat
  
  6f1f3c66
- Run util/openssl-format-source -v -c . · 40720ce3
  Matt Caswell authored Jan 22, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  40720ce3
- More comment changes required for indent · 9d03aabe
  Matt Caswell authored Jan 22, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  OpenSSL_0_9_8-pre-auto-reformat
  
  9d03aabe
- Yet more changes to comments · 117e79dd
  Matt Caswell authored Jan 22, 2015
```
Conflicts:
	ssl/t1_enc.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  117e79dd
- More tweaks for comments due indent issues · bc912216
  Matt Caswell authored Jan 21, 2015
```
Conflicts:
	ssl/ssl_ciph.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  bc912216
- Backport hw_ibmca.c from master due to failed merge · b9006da5
  Matt Caswell authored Jan 21, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  b9006da5
- Tweaks for comments due to indent's inability to handle them · d26667b2
  Matt Caswell authored Jan 21, 2015
```
Conflicts:
	ssl/s3_srvr.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  d26667b2
- Move more comments that confuse indent · 13270477
  Matt Caswell authored Jan 21, 2015
```
Conflicts:
	crypto/dsa/dsa.h
	demos/engines/ibmca/hw_ibmca.c
	ssl/ssl_locl.h

Conflicts:
	crypto/bn/rsaz_exp.c
	crypto/evp/e_aes_cbc_hmac_sha1.c
	crypto/evp/e_aes_cbc_hmac_sha256.c
	ssl/ssl_locl.h

Conflicts:
	crypto/ec/ec2_oct.c
	crypto/ec/ecp_nistp256.c
	crypto/ec/ecp_nistp521.c
	crypto/ec/ecp_nistputil.c
	crypto/ec/ecp_oct.c
	crypto/modes/gcm128.c
	ssl/ssl_locl.h

Conflicts:
	apps/apps.c
	crypto/crypto.h
	crypto/rand/md_rand.c
	ssl/d1_pkt.c
	ssl/ssl.h
	ssl/ssl_locl.h
	ssl/ssltest.c
	ssl/t1_enc.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  13270477
- Delete trailing whitespace from output. · 3600d5a7
  Dr. Stephen Henson authored Jan 21, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  3600d5a7
- Add -d debug option to save preprocessed files. · 2b2f5ac0
  Dr. Stephen Henson authored Jan 20, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  2b2f5ac0
- Test option -nc · 7d3081c5
  Dr. Stephen Henson authored Jan 20, 2015
```
Add option -nc which sets COMMENTS=true but disables all indent comment
reformatting options.

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  7d3081c5
- Add ecp_nistz256.c to list of files skipped by openssl-format-source · 9a5d7753
  Matt Caswell authored Jan 21, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  9a5d7753
- Manually reformat aes_x86core.c and add it to the list of files skipped by · e29126f9
  Matt Caswell authored Jan 21, 2015
```
openssl-format-source

Conflicts:
	crypto/aes/aes_x86core.c

Conflicts:
	crypto/aes/aes_x86core.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  e29126f9
- Fix indent comment corruption issue · 175af9de
  Matt Caswell authored Jan 21, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  175af9de
- Amend openssl-format-source so that it give more repeatable output · 53d6e678
  Matt Caswell authored Jan 21, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  53d6e678
- bn/bn_const.c: make it indent-friendly. · 4191a11f
  Andy Polyakov authored Jan 21, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  4191a11f
- bn/asm/x86_64-gcc.cL make it indent-friendly. · f6e4701f
  Andy Polyakov authored Jan 21, 2015
```
Conflicts:
	crypto/bn/asm/x86_64-gcc.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  f6e4701f
- bn/bn_asm.c: make it indent-friendly. · 86183798
  Andy Polyakov authored Jan 21, 2015
```
Conflicts:
	crypto/bn/bn_asm.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  86183798