Age | Commit message (Collapse) | Author |
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 740b2b9a6cf31b02916a4d18f868e8a95934c083)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Update the CHANGES and NEWS files for the new release.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Change the "reuse" behaviour in ASN1_item_d2i: if successful the old
structure is freed and a pointer to the new one used. If it is not
successful then the passed structure is untouched.
Exception made for primitive types so ssl_asn1.c still works.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Conflicts:
doc/crypto/d2i_X509.pod
|
|
When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.
This can leak memory in any application parsing PKCS#7 or CMS structures.
CVE-2015-3195.
Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.
PR#4131
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
The feature_test_macros(7) manual tells us that _BSD_SOURCE is
deprecated since glibc 2.20 and that the compiler will warn about it
being used, unless _DEFAULT_SOURCE is defined as well.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f9fd35248c9a3b1125d9ab82ffb19d62e86533ac)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 63eb10a07ee29a312e50a227f5b3a290b1ad22b4)
|
|
Thanks to Guido Vranken <guidovranken@gmail.com> for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 158e5207a794603f5d64ffa95e0247c7808ab445)
Conflicts:
crypto/asn1/asn1_par.c
|
|
PR#4079
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit c69ce9351336f5b4a8b33890756b3fd185528210)
Conflicts:
crypto/evp/e_des3.c
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e58c4d3cdde7a0a01df2884bfeec31a2b07be22d)
|
|
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 6f997dc36504d67d1339ceb6bce4ecba673d8568)
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1d4ddb4e1a088f1333c4bb155c52c7f94e572bca)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 68d53e4f303c0b4926ad109e75ff728db229f497)
|
|
For all release branches. It adds travis build support. If you don't
have a config file it uses the default (because we enabled travis for the
project), which uses ruby/rake/rakefiles, and you get confusing "build
still failing" messages.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit db9defdfe306e1adf0af7188b187d535eb0268da)
|
|
In master we have the function OPENSSL_clear_free(x,y), which immediately
returns if x == NULL. In <=1.0.2 this function does not exist so we have to
do:
OPENSSL_cleanse(x, y);
OPENSSL_free(x);
However, previously, OPENSSL_cleanse did not check that if x == NULL, so
the real equivalent check would have to be:
if (x != NULL)
OPENSSL_cleanse(x, y);
OPENSSL_free(x);
It would be easy to get this wrong during cherry-picking to other branches
and therefore, for safety, it is best to just ensure OPENSSL_cleanse also
checks for NULL.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 020d8fc83fe1a94232db1ee1166309e2458a8a18)
|
|
PR#4035
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 929f6d6f55275b17cfdd5c405ef403bce87c9aef)
|
|
If the field separator isn't specified through -nameopt then use
XN_FLAG_SEP_CPLUS_SPC instead of printing nothing and returing an error.
PR#2397
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 03706afa30aeb4407287171a9d6f9a765395d0a2)
|
|
Builds using no-tlsext in 1.0.0 and 0.9.8 are broken. This commit fixes the
issue. The same commit is applied to 1.0.1 and 1.0.2 branches for code
consistency. However this commit will not fix no-tlsext in those branches
which have always been broken for other reasons. The commit is not applied
to master at all, because no-tlsext has been completely removed from that
branch.
Based on a patch by Marc Branchaud <marcnarc@xiplink.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 9a931208d7fc8a3596dda005cdbd6439938f01b0)
Conflicts:
ssl/ssl_sess.c
|
|
Because we recently encourage people to have a .dir-locals.el, it's a good
idea to ignore it on a git level.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d7c02691a5e6f2716759eacb6f48c39f15ee57c8)
|
|
Apparently, emacs sees changes to auto-fill-mode as insecure
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6dc08048d93ff35de882878f190ae49aa698b5d2)
|
|
This file, when copied to .dir-locals.el in the OpenSSL source top,
will make sure that the CC mode style "OpenSSL-II" will be used for
all C files.
Additionally, I makes sure that tabs are never used as indentation
character, regardless of the emacs mode, and that the fill column is
78.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0927f0d822b1e0f55cb7d8bacf9004ad3495514b)
|
|
This hopefully conforms closely enough to the current code style.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d9b3554b2d9724bc2d1621a026ddaf0223e2d191)
|
|
Best hope of keeping current.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 4f46473a86c9e3741203b22d4d401a3763583494)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e36ce2d986a5edbd33d6d176fb95c8046fae9725)
|
|
From a CloudFlare patch.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1a586b3942de1c0bd64203d09385d5e74f499d8d)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit fa4629b6a2518d202fd051f228c3d8770682b3be)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 932af1617e277904bcca6e47729a420bba39785b)
|
|
Fixes GH#330
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit eeb97bce751296b2e04a92d00c0d0a792ba61834)
Conflicts:
apps/Makefile
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit da24e6f8a05ea657684094e04c1a54efa04c2962)
|
|
Instead of piping through tardy, and possibly suffering from bugs in certain
versions, use --transform, --owner and --group directly with GNU tar (we
already expect that tar variant).
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 27f98436b9a84b94fbdd8e32960504634ae44cc0)
Conflicts:
Makefile.org
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2a7059c56f885a3fa0842e886f5178def8e5481d)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5727582cf51e98e5e0faa435e7da2c8929533c0d)
Conflicts:
doc/crypto/X509_NAME_get_index_by_NID.pod
|
|
The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).
Use BUF_strndup when copying identity as it may not be null terminated.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3c66a669dfc7b3792f7af0758ea26fe8502ce70c)
|
|
PR#3923
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ffbf304d4832bd51bb0618f8ca5b7c26647ee664)
|
|
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit b4f0d1a4a89b964dba80036a6348ca0a1913c526)
|
|
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 30cf91784bfde82622f79d87d17d20ce73329532)
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Updates to CHANGES and NEWS to take account of the latest security fixes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
CVE-2015-1790
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.
CVE-2015-1789
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
to verify and a digest is not recognised. Reported by Johannes Bauer.
CVE-2015-1792
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
$(PROGS) was mistakenly removed, adding it back.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5ef5b9ffa91ad6061c42291564a1dc786300ebdd)
|
|
Fix error handling in ssl_session_dup, as well as incorrect setting up of
the session ticket. Follow on from CVE-2015-1791.
Thanks to LibreSSL project for reporting these issues.
Conflicts:
ssl/ssl_sess.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
The function EC_POINT_is_on_curve does not return a boolean value.
It returns 1 if the point is on the curve, 0 if it is not, and -1
on error. Many usages within OpenSSL were incorrectly using this
function and therefore not correctly handling error conditions.
With thanks to the Open Crypto Audit Project for reporting this issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 68886be7e2cd395a759fcd41d2cede461b68843d)
Conflicts:
crypto/ec/ec2_oct.c
crypto/ec/ecp_oct.c
crypto/ec/ectest.c
|
|
The fix for CVE-2015-1791 introduced an error in ssl_session_dup for
Kerberos.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit dcad51bc13c9b716d9a66248bcc4038c071ff158)
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 0fb9990480919163cc375a2b6c0df1d8d901a77b)
|
|
Remove a comment that suggested further clean up was required.
DH_free() performs the necessary cleanup.
With thanks to the Open Crypto Audit Project for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f3d889523ee84f1e87e4da0d59e2702a4bee7907)
|
|
Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST.
With thanks to the Open Crypto Audit Project for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b7ee4815f2452c854cc859e8dda88f2673cdddea)
Conflicts:
ssl/s3_srvr.c
|