generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
10,112 Commits 16 Branches 258 Tags 86 MiB
067400b16e
Commit Graph

1634 Commits

Author SHA1 Message Date
Andy Polyakov
748628ced0 CHANGES: clarify. 2012-04-26 07:34:39 +00:00
Andy Polyakov
6791060eae CHANGEs: fix typos and clarify. 2012-04-26 07:25:04 +00:00
Dr. Stephen Henson
502dfeb8de Change value of SSL_OP_NO_TLSv1_1 to avoid clash with SSL_OP_ALL and 
OpenSSL 1.0.0. Add CHANGES entry noting the consequences.
 2012-04-25 23:08:44 +00:00
Andy Polyakov
5bbed29518 s23_clnt.c: ensure interoperability by maitaining client "version capability" 
vector contiguous [from HEAD].
PR: 2802
 2012-04-25 22:07:23 +00:00
Dr. Stephen Henson
e7d2a37158 update for next version 2012-04-19 16:53:43 +00:00
Dr. Stephen Henson
531c6fc8f3 prepare for 1.0.1a release 2012-04-19 12:17:19 +00:00
Dr. Stephen Henson
8d5505d099 Check for potentially exploitable overflows in asn1_d2i_read_bio 
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.

Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
 2012-04-19 12:13:59 +00:00
Bodo Möller
4d936ace08 Disable SHA-2 ciphersuites in < TLS 1.2 connections. 
(TLS 1.2 clients could end up negotiating these with an OpenSSL server
with TLS 1.2 disabled, which is problematic.)

Submitted by: Adam Langley
 2012-04-17 15:20:17 +00:00
Dr. Stephen Henson
89bd25eb26 Additional workaround for PR#2771 
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client
ciphersuites to this value. A value of 50 should be sufficient.

Document workarounds in CHANGES.
 2012-04-17 14:41:23 +00:00
Andy Polyakov
d2f950c984 CHANGES: mention vpaes fix and harmonize with 1.0.0. 
PR: 2775
 2012-03-31 18:55:41 +00:00
Dr. Stephen Henson
e733dea3ce update version to 1.0.1a-dev 2012-03-22 15:18:19 +00:00
Dr. Stephen Henson
f3dcae15ac prepare for 1.0.1 release 2012-03-14 12:04:40 +00:00
Dr. Stephen Henson
08e4c7a967 correct CHANGES 2012-02-23 22:13:59 +00:00
Dr. Stephen Henson
a8314df902 Fix bug in CVE-2011-4619: check we have really received a client hello 
before rejecting multiple SGC restarts.
 2012-02-16 15:25:39 +00:00
Dr. Stephen Henson
0cd7a0325f Additional compatibility fix for MDC2 signature format. 
Update RSA EVP_PKEY_METHOD to use the OCTET STRING form of MDC2 signature:
this will make all versions of MDC2 signature equivalent.
 2012-02-15 14:14:01 +00:00
Dr. Stephen Henson
16b7c81d55 An incompatibility has always existed between the format used for RSA 
signatures and MDC2 using EVP or RSA_sign. This has become more apparent
when the dgst utility in OpenSSL 1.0.0 and later switched to using the
EVP_DigestSign functions which call RSA_sign.

This means that the signature format OpenSSL 1.0.0 and later used with
dgst -sign and MDC2 is incompatible with previous versions.

Add detection in RSA_verify so either format works.

Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.
 2012-02-15 14:00:09 +00:00
Dr. Stephen Henson
fc6800d19f Modify client hello version when renegotiating to enhance interop with 
some servers.
 2012-02-09 15:41:44 +00:00
Dr. Stephen Henson
2dc4b0dbe8 Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. 
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
 2012-01-18 18:14:56 +00:00
Dr. Stephen Henson
25e3d2225a fix CHANGES entry 2012-01-17 14:19:09 +00:00
Bodo Möller
767d3e0054 Update for 0.9.8s and 1.0.0f. 
(While the 1.0.0f CHANGES entry on VOS PRNG seeding was missing
in the 1.0.1 branch, the actual code is here already.)
 2012-01-05 13:46:27 +00:00
Dr. Stephen Henson
801e5ef840 update CHANGES 2012-01-04 23:53:52 +00:00
Dr. Stephen Henson
0044739ae5 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de> 
Reviewed by: steve

Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
 2012-01-04 23:52:05 +00:00
Dr. Stephen Henson
4e44bd3650 Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) 2012-01-04 23:13:29 +00:00
Dr. Stephen Henson
0cffb0cd3e fix CHANGES 2012-01-04 23:11:43 +00:00
Dr. Stephen Henson
aaa3850ccd Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) 2012-01-04 23:07:54 +00:00
Dr. Stephen Henson
a17b5d5a4f Check GOST parameters are not NULL (CVE-2012-0027) 2012-01-04 23:03:20 +00:00
Dr. Stephen Henson
2f97765bc3 Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) 2012-01-04 23:01:19 +00:00
Dr. Stephen Henson
6e750fcb1e update CHANGES 2011-12-31 23:07:28 +00:00
Dr. Stephen Henson
bd6941cfaa PR: 2658 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
 2011-12-31 23:00:36 +00:00
Dr. Stephen Henson
62308f3f4a PR: 2563 
Submitted by: Paul Green <Paul.Green@stratus.com>
Reviewed by: steve

Improved PRNG seeding for VOS.
 2011-12-19 17:02:35 +00:00
Andy Polyakov
cecafcce94 update CHANGES. 2011-12-19 14:49:05 +00:00
Dr. Stephen Henson
ca0efb7594 update CHANGES 2011-12-19 14:40:02 +00:00
Dr. Stephen Henson
8173960305 remove old -attime code, new version includes all old functionality 2011-12-10 00:42:48 +00:00
Bodo Möller
9f2b453338 Resolve a stack set-up race condition (if the list of compression 
methods isn't presorted, it will be sorted on first read).

Submitted by: Adam Langley
 2011-12-02 12:51:41 +00:00
Bodo Möller
a0dce9be76 Fix ecdsatest.c. 
Submitted by: Emilia Kasper
 2011-12-02 12:40:42 +00:00
Bodo Möller
cf2b938529 Fix BIO_f_buffer(). 
Submitted by: Adam Langley
Reviewed by: Bodo Moeller
 2011-12-02 12:24:48 +00:00
Ben Laurie
b1d7429186 Add TLS exporter. 2011-11-15 23:51:22 +00:00
Ben Laurie
060a38a2c0 Add DTLS-SRTP. 2011-11-15 23:02:16 +00:00
Ben Laurie
e2809bfb42 Next Protocol Negotiation. 2011-11-14 02:25:04 +00:00
Bodo Möller
2d95ceedc5 BN_BLINDING multi-threading fix. 
Submitted by: Emilia Kasper (Google)
 2011-10-19 14:58:59 +00:00
Bodo Möller
3d520f7c2d Fix warnings. 
Also, use the common Configure mechanism for enabling/disabling the 64-bit ECC code.
 2011-10-19 08:58:35 +00:00
Bodo Möller
9c37519b55 Improve optional 64-bit NIST-P224 implementation, and add NIST-P256 and 
NIST-P521. (Now -DEC_NISTP_64_GCC_128 enables all three of these;
-DEC_NISTP224_64_GCC_128 no longer works.)

Submitted by: Google Inc.
 2011-10-18 19:43:54 +00:00
Bodo Möller
f72c1a58cb In ssl3_clear, preserve s3->init_extra along with s3->rbuf. 
Submitted by: Bob Buckholz <bbuckholz@google.com>
 2011-10-13 13:05:35 +00:00
Dr. Stephen Henson
cb70355d87 Backport ossl_ssize_t type from HEAD. 2011-10-10 22:33:50 +00:00
Dr. Stephen Henson
9309ea6617 Backport PSS signature support from HEAD. 2011-10-09 23:13:50 +00:00
Dr. Stephen Henson
05c9e3aea5 fix CHANGES entry 2011-10-09 23:11:09 +00:00
Dr. Stephen Henson
dc100d87b5 Backport of password based CMS support from HEAD. 2011-10-09 15:28:02 +00:00
Dr. Stephen Henson
cd447875e6 Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past 
produce an error (CVE-2011-3207)
 2011-09-06 15:14:41 +00:00
Bodo Möller
3c3f025923 Fix session handling. 2011-09-05 13:36:55 +00:00
Bodo Möller
5ff6e2dfbb Fix d2i_SSL_SESSION. 2011-09-05 13:31:07 +00:00