openssl - Mirror of https://github.com/openssl/openssl

Age	Commit message (Collapse)	Author
2014-04-07	VMS build fix for older compilers.	Steven M. Schweda

2014-04-07	Add heartbeat extension bounds check.	Dr. Stephen Henson
	A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix (CVE-2014-0160)
2014-04-05	Set TLS padding extension value.	Dr. Stephen Henson
	Enable TLS padding extension using official value from: http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml (cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53) Conflicts: CHANGES ssl/tls1.h
2014-03-10	typo	Dr. Stephen Henson
	(cherry picked from commit a029788b0e0c19cee4007cc1f73201cf2c13addf)
2014-02-26	Fix for WIN32 builds with KRB5	Dr. Stephen Henson
	(cherry picked from commit 3eddd1706a30cdf3dc9278692d8ee9038eac8a0d)
2014-02-25	ssl/t1_enc.c: check EVP_MD_CTX_copy return value.	Andy Polyakov
	PR: 3201 (cherry picked from commit 03da57fe14f2de5bde9d4496a2ae9a4ae8879f88)
2014-02-05	Backport TLS padding extension from master.	Dr. Stephen Henson
	(cherry picked from commit 8c6d8c2a498146992123ef5407d7ba01a1e7224d) Conflicts: CHANGES ssl/t1_lib.c
2014-01-28	Check i before r[i].	Dr. Stephen Henson
	PR#3244
2014-01-16	Omit initial status request callback check.	Kaspar Brand
	PR#3178
2014-01-11	VMS fixes	Zoltan Arpadffy

2014-01-08	Fix warning	Dr. Stephen Henson
	PR#3220
2014-01-06	Fix for TLS record tampering bug CVE-2013-4353	Dr. Stephen Henson

2014-01-06	make update	Dr. Stephen Henson

2014-01-04	Restore SSL_OP_MSIE_SSLV2_RSA_PADDING	Dr. Stephen Henson
	The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL 0.9.7h but deleting it will break source compatibility with any software that references it. Restore it but #define to zero. (cherry picked from commit b17d6b8d1d49fa4732deff17cfd1833616af0d9c)
2014-01-02	Don't change version number if session established	Dr. Stephen Henson
	When sending an invalid version number alert don't change the version number to the client version if a session is already established. Thanks to Marek Majkowski for additional analysis of this issue. PR#3191
2013-12-20	Fix DTLS retransmission from previous session.	Dr. Stephen Henson
	For DTLS we might need to retransmit messages from the previous session so keep a copy of write context in DTLS retransmission buffers instead of replacing it after sending CCS. CVE-2013-6450.
2013-12-19	Use version in SSL_METHOD not SSL structure.	Dr. Stephen Henson
	When deciding whether to use TLS 1.2 PRF and record hash algorithms use the version number in the corresponding SSL_METHOD structure instead of the SSL structure. The SSL structure version is sometimes inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already. (CVE-2013-6449)
2013-12-18	Check EVP errors for handshake digests.	Dr. Stephen Henson
	Partial mitigation of PR#3200
2013-12-08	make update	Dr. Stephen Henson

2013-11-06	Enable PSK in FIPS mode.	Dr. Stephen Henson
	Enable PSK ciphersuites with AES or DES3 in FIPS mode. (cherry picked from commit e0ffd129c16af90eb5e2ce54e57832c0046d1aaf)
2013-11-01	DTLS/SCTP Finished Auth Bug	Robin Seggelmann
	PR: 2808 With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and FORWARD-TSN chunks. The key for this extension is derived from the master secret and changed with the next ChangeCipherSpec, whenever a new key has been negotiated. The following Finished then already uses the new key. Unfortunately, the ChangeCipherSpec and Finished are part of the same flight as the ClientKeyExchange, which is necessary for the computation of the new secret. Hence, these messages are sent immediately following each other, leaving the server very little time to compute the new secret and pass it to SCTP before the finished arrives. So the Finished is likely to be discarded by SCTP and a retransmission becomes necessary. To prevent this issue, the Finished of the client is still sent with the old key. (cherry picked from commit 9fb523adce6fd6015b68da2ca8e4ac4900ac2be2) (cherry picked from commit b9ef52b07897f249a9fa44943dba33fba8fb2721)
2013-10-20	Fix another gmt_unix_time case in server_random	Nick Mathewson

2013-10-20	Don't use RSA+MD5 with TLS 1.2	Dr. Stephen Henson
	Since the TLS 1.2 supported signature algorithms extension is less sophisticaed in OpenSSL 1.0.1 this has to be done in two stages. RSA+MD5 is removed from supported signature algorithms extension: any compliant implementation should never use RSA+MD5 as a result. To cover the case of a broken implementation using RSA+MD5 anyway disable lookup of MD5 algorithm in TLS 1.2.
2013-10-19	More cleanup.	Ben Laurie

2013-10-19	Cleanup.	Ben Laurie

2013-10-19	Merge branch 'no_gmt_unix_time' of git://github.com/nmathewson/openssl into ↵	Ben Laurie
	OpenSSL_1_0_1-stable
2013-10-09	Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE	Nick Mathewson
	(I'd rather use an option, but it appears that the options field is full.) Now, we send the time in the gmt_unix_time field if the appropriate one of these mode options is set, but randomize the field if the flag is not set.
2013-10-09	Refactor {client,server}_random to call an intermediate function	Nick Mathewson
	I'll be using this to make an option for randomizing the time.
2013-09-16	Do not include a timestamp in the ServerHello Random field.	Nick Mathewson
	Instead, send random bytes.
2013-09-16	Do not include a timestamp in the ClientHello Random field.	Nick Mathewson
	Instead, send random bytes. While the gmt_unix_time record was added in an ostensible attempt to mitigate the dangers of a bad RNG, its presence leaks the host's view of the current time in the clear. This minor leak can help fingerprint TLS instances across networks and protocols... and what's worse, it's doubtful thet the gmt_unix_time record does any good at all for its intended purpose, since: * It's quite possible to open two TLS connections in one second. * If the PRNG output is prone to repeat itself, ephemeral * handshakes (and who knows what else besides) are broken.
2013-09-16	Tidy up comments.	Rob Stradling

2013-09-16	Use TLS version supplied by client when fingerprinting Safari.	Rob Stradling

2013-09-16	Fix compilation with no-ec and/or no-tlsext.	Rob Stradling

2013-09-16	Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.	Rob Stradling
	OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
2013-08-13	DTLS message_sequence number wrong in rehandshake ServerHello	Michael Tuexen
	This fix ensures that * A HelloRequest is retransmitted if not responded by a ClientHello * The HelloRequest "consumes" the sequence number 0. The subsequent ServerHello uses the sequence number 1. * The client also expects the sequence number of the ServerHello to be 1 if a HelloRequest was received earlier. This patch fixes the RFC violation. (cherry picked from commit b62f4daac00303280361924b9cc19b3e27528b15)
2013-08-08	DTLS handshake fix.	Michael Tuexen
	Reported by: Prashant Jaikumar <rmstar@gmail.com> Fix handling of application data received before a handshake. (cherry picked from commit 0c75eeacd3285b395dc75b65c3e6fe6ffbef59f0)
2013-04-08	Set s->d1 to NULL after freeing it.	Dr. Stephen Henson
	(cherry picked from commit 04638f2fc335a6dc2af8e5d556d36e29c261dcd2)
2013-03-19	Disable compression for DTLS.	Dr. Stephen Henson
	The only standard compression method is stateful and is incompatible with DTLS. (cherry picked from commit e14b8410ca882da8e9579a2d928706f894c8e1ae)
2013-03-18	Avoid unnecessary fragmentation.	Michael Tuexen
	(cherry picked from commit 80ccc66d7eedb2d06050130c77c482ae1584199a)
2013-02-12	Check DTLS_BAD_VER for version number.	David Woodhouse
	The version check for DTLS1_VERSION was redundant as DTLS1_VERSION > TLS1_1_VERSION, however we do need to check for DTLS1_BAD_VER for compatibility. PR:2984 (cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
2013-02-11	Fix for SSL_get_certificate	Dr. Stephen Henson
	Now we set the current certificate to the one used by a server there is no need to call ssl_get_server_send_cert which will fail if we haven't sent a certificate yet.
2013-02-11	Fix in ssltest is no-ssl2 configured	Dr. Stephen Henson

2013-02-09	ssl/*: fix linking errors with no-srtp.	Andy Polyakov

2013-02-09	ssl/s3_[clnt\|srvr].c: fix warnings.	Andy Polyakov

2013-02-08	s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal.	Andy Polyakov
	(cherry picked from commit f93a41877d8d7a287debb7c63d7b646abaaf269c)
2013-02-08	s3_cbc.c: get rid of expensive divisions [from master].	Andy Polyakov
	(cherry picked from commit e9baceab5a385e570706ca98dec768b2d89d1ac6)
2013-02-07	Remove extraneous brackets (clang doesn't like them).	Ben Laurie

2013-02-07	ssl/[d1\|s3]_pkt.c: harmomize orig_len handling.	Andy Polyakov

2013-02-07	Fix IV check and padding removal.	Dr. Stephen Henson
	Fix the calculation that checks there is enough room in a record after removing padding and optional explicit IV. (by Steve) For AEAD remove the correct number of padding bytes (by Andy)
2013-02-06	Fix for EXP-RC2-CBC-MD5	Adam Langley
	MD5 should use little endian order. Fortunately the only ciphersuite affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which is a rarely used export grade ciphersuite.