Skip to main content
swh:1:snp:dc2a5002442a00b1c0eda7c65d04ea7455e166cd
sort by:
RevisionAuthorDateMessageCommit Date
6b72417 Dr. Stephen Henson05 June 2014, 09:45:00 UTCPrepare for 1.0.1h release05 June 2014, 09:45:00 UTC
aabbe99 Dr. Stephen Henson05 June 2014, 07:56:20 UTCUpdate CHANGES and NEWS05 June 2014, 08:04:27 UTC
8011cd5 Dr. Stephen Henson29 May 2014, 14:00:05 UTCFix CVE-2014-3470 Check session_cert is not NULL before dereferencing it.05 June 2014, 08:04:27 UTC
d315265 Dr. Stephen Henson16 May 2014, 12:00:45 UTCFix CVE-2014-0221 Unnecessary recursion when receiving a DTLS hello request can be used to crash a DTLS client. Fixed by handling DTLS hello request without recursion. Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.05 June 2014, 08:04:27 UTC
006cd70 Dr. Stephen Henson16 May 2014, 11:55:16 UTCAdditional CVE-2014-0224 protection. Return a fatal error if an attempt is made to use a zero length master secret.05 June 2014, 08:04:27 UTC
bc8923b Dr. Stephen Henson16 May 2014, 11:49:48 UTCFix for CVE-2014-0224 Only accept change cipher spec when it is expected instead of at any time. This prevents premature setting of session keys before the master secret is determined which an attacker could use as a MITM attack. Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue and providing the initial fix this patch is based on.05 June 2014, 08:04:27 UTC
1632ef7 Dr. Stephen Henson13 May 2014, 17:48:31 UTCFix for CVE-2014-0195 A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Fixed by adding consistency check for DTLS fragments. Thanks to Jüri Aedla for reporting this issue.05 June 2014, 08:04:27 UTC
f1f4fbd Dr. Stephen Henson05 June 2014, 08:01:33 UTCmake update05 June 2014, 08:02:03 UTC
1854c48 Libor Krystek03 June 2014, 22:14:40 UTCCorrected OPENSSL_NO_EC_NISTP_64_GCC_128 usage in ec_lcl.h. PR#337003 June 2014, 22:19:21 UTC
ebda73f David Benjamin02 June 2014, 17:55:20 UTCCheck there is enough room for extension. (cherry picked from commit 7d89b3bf42e4b4067371ab33ef7631434e41d1e4)02 June 2014, 18:00:02 UTC
bcc3116 zhu qun-ying02 June 2014, 13:38:52 UTCFree up s->d1->buffered_app_data.q properly. PR#3286 (cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)02 June 2014, 13:40:18 UTC
1dd2641 Sami Farin02 June 2014, 11:24:19 UTCTypo: set i to -1 before goto. PR#3302 (cherry picked from commit 9717f01951f976f76dd40a38d9fc7307057fa4c4)02 June 2014, 13:22:06 UTC
056389e Matt Caswell01 June 2014, 20:32:19 UTCAdded SSLErr call for internal error in dtls1_buffer_record01 June 2014, 20:38:01 UTC
a07856a David Ramos01 June 2014, 20:28:41 UTCDelays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#336201 June 2014, 20:37:47 UTC
19ce768 Dr. Stephen Henson01 June 2014, 15:25:43 UTCRecognise padding extension. (cherry picked from commit ea2bb861f0daaa20819bf9ac8c146f7593feacd4) Conflicts: apps/s_cb.c (cherry picked from commit 14dc83ca779e91a267701a1fb05b2bbcf2cb63c4)01 June 2014, 15:50:37 UTC
aaed77c Dr. Stephen Henson01 June 2014, 15:36:24 UTCOption to disable padding extension. Add TLS padding extension to SSL_OP_ALL so it is used with other "bugs" options and can be turned off. This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient option referring to SSLv2 and SSLREF. PR#333601 June 2014, 15:50:37 UTC
49270d0 Dr. Stephen Henson01 June 2014, 14:03:00 UTCSet default global mask to UTF8 only. (cherry picked from commit 3009244da47b989c4cc59ba02cf81a4e9d8f8431)01 June 2014, 14:04:29 UTC
673c42b David Ramos01 June 2014, 13:30:10 UTCAllocate extra space when NETSCAPE_HANG_BUG defined. Make sure there is an extra 4 bytes for server done message when NETSCAPE_HANG_BUG is defined. PR#336101 June 2014, 13:30:10 UTC
5541b18 David Ramos01 June 2014, 12:03:05 UTCInitialise alg. PR#3313 (cherry picked from commit 7e2c6f7eb01515a990f77fbc5441be8e1a17152a)01 June 2014, 12:05:20 UTC
28e117f Dr. Stephen Henson30 May 2014, 12:21:43 UTCUse correct digest when exporting keying material. PR#3319 (cherry picked from commit 84691390eae86befd33c83721dacedb539ae34e6)31 May 2014, 12:43:01 UTC
46bfc05 Dr. Stephen Henson30 May 2014, 12:10:08 UTCDon't compile heartbeat test code on Windows (for now). (cherry picked from commit 2c575907d2c8601a18716f718ce309ed4e1f1783)31 May 2014, 12:43:01 UTC
427a37c Hubert Kario12 September 2013, 09:37:12 UTCadd description of -attime to man page the verify app man page didn't describe the usage of attime option even though it was listed as a valid option in the -help message. This patch fixes this omission.30 May 2014, 22:33:10 UTC
39ae3b3 Hubert Kario10 September 2013, 13:59:13 UTCadd description of -no_ecdhe option to s_server man page While the -help message references this option, the man page doesn't mention the -no_ecdhe option. This patch fixes this omission.30 May 2014, 22:32:54 UTC
48f5b3e Dr. Stephen Henson29 May 2014, 13:07:49 UTCSet version number correctly. PR#3249 (cherry picked from commit 8909bf20269035d295743fca559207ef2eb84eb3)29 May 2014, 13:12:14 UTC
f8dc000 František Bořánek29 May 2014, 12:49:10 UTCFix memory leak. PR#3278 (cherry picked from commit de56fe797081fc09ebd1add06d6e2df42a324fd5)29 May 2014, 13:12:14 UTC
bf8d6f9 Martin Kaiser28 May 2014, 09:16:06 UTCremove duplicate 0x for default RSASSA-PSS salt len (cherry picked from commit 3820fec3a09faecba7fe9912aa20ef7fcda8337b)29 May 2014, 13:12:14 UTC
17e844a Peter Mosmans27 May 2014, 22:26:11 UTCFix for test_bn regular expression to work on Windows using MSYS. PR#334627 May 2014, 22:26:11 UTC
8ca7d12 Matt Caswell26 May 2014, 23:26:55 UTCFixed Windows compilation failure26 May 2014, 23:26:55 UTC
67b9c82 Matt Caswell25 May 2014, 22:37:53 UTCFixed error in args for SSL_set_msg_callback and SSL_set_msg_callback_arg25 May 2014, 22:48:15 UTC
a6f5b99 Matt Caswell24 May 2014, 22:55:27 UTCFix for non compilation with TLS_DEBUG defined24 May 2014, 22:56:58 UTC
756587d Mike Bland22 May 2014, 18:41:47 UTCFix heartbeat_test for -DOPENSSL_NO_HEARTBEATS Replaces the entire test with a trivial implementation when OPENSSL_NO_HEARTBEATS is defined.22 May 2014, 21:05:26 UTC
0a084f7 Matt Caswell21 May 2014, 23:07:35 UTCFixed minor copy&paste error, and stray space causing rendering problem21 May 2014, 23:12:14 UTC
da0a95b Dr. Stephen Henson21 May 2014, 09:50:19 UTCFix for PKCS12_create if no-rc2 specified. Use triple DES for certificate encryption if no-rc2 is specified. PR#3357 (cherry picked from commit 4689c08453e95eeefcc88c9f32dc6e509f95caff)21 May 2014, 10:14:33 UTC
599fe41 Dr. Stephen Henson21 May 2014, 09:39:11 UTCChange default cipher in smime app to des3. PR#3357 (cherry picked from commit ca3ffd9670f2b589bf8cc04923f953e06d6fbc58)21 May 2014, 10:14:33 UTC
4519e7b Dr. Stephen Henson20 May 2014, 10:18:30 UTCFor portability use BUF_strndup instead of strndup. (cherry picked from commit dcca7b13e9066443237dd3001ae52fd103151c98)20 May 2014, 10:23:23 UTC
4659b53 Janpopan04 May 2014, 16:13:43 UTCFix a wrong parameter count ERR_add_error_data19 May 2014, 21:17:00 UTC
dc22495 Ben Laurie19 May 2014, 17:26:04 UTCMerge branch 'mbland-heartbeat-test-1.0.1' into OpenSSL_1_0_1-stable19 May 2014, 17:26:04 UTC
ab0d964 Mike Bland16 April 2014, 11:21:26 UTCUnit/regression test for TLS heartbeats. Regression test against CVE-2014-0160 (Heartbleed). More info: http://mike-bland.com/tags/heartbleed.html (based on commit 35cb55988b75573105eefd00d27d0138eebe40b1)19 May 2014, 17:23:24 UTC
dac3654 Ben Laurie19 May 2014, 17:21:39 UTCAllow the maximum value.19 May 2014, 17:21:39 UTC
989d87c Ben Laurie19 May 2014, 17:20:54 UTCFix signed/unsigned warning.19 May 2014, 17:20:54 UTC
d6934a0 Matt Caswell15 May 2014, 20:13:38 UTCMoved note about lack of support for AEAD modes out of BUGS section to SUPPORTED CIPHERS section (bug has been fixed, but still no support for AEAD)15 May 2014, 20:17:19 UTC
f9986e9 Dr. Stephen Henson15 May 2014, 13:05:47 UTCEnc doesn't support AEAD ciphers.15 May 2014, 13:16:44 UTC
1f5e321 Jeffrey Walton14 May 2014, 21:49:30 UTCFix grammar error in verify pod. PR#335514 May 2014, 21:59:48 UTC
b6adb6e Jeffrey Walton14 May 2014, 21:48:26 UTCAdd information to BUGS section of enc documentation. PR#335414 May 2014, 21:59:48 UTC
bfdaf45 Michal Bozon14 May 2014, 20:07:51 UTCCorrected POD syntax errors. PR#335314 May 2014, 21:59:48 UTC
69526a3 Kurt Roeckx12 May 2014, 16:19:14 UTCCheck sk_SSL_CIPHER_num() after assigning sk.12 May 2014, 22:01:06 UTC
778f2b6 Jean-Paul Calderone03 April 2014, 00:47:38 UTCCorrect the return type on the signature for X509_STORE_CTX_get_ex_data given in the pod file.12 May 2014, 21:48:34 UTC
2223317 Serguei E. Leontiev11 May 2014, 18:46:42 UTCReplace manual ASN1 decoder with ASN1_get_object Replace manual ASN.1 decoder with ASN1_get object. This will decode the tag and length properly and check against it does not exceed the supplied buffer length. PR#3335 (cherry picked from commit b0308dddd1cc6a8e1de803ef29ba6da25ee072c2)12 May 2014, 17:41:50 UTC
b107586 Matt Caswell11 May 2014, 23:38:37 UTCFixed NULL pointer dereference. See PR#332111 May 2014, 23:43:33 UTC
d544755 Kurt Roeckx01 May 2014, 11:10:01 UTCSet authkey to NULL and check malloc return value.11 May 2014, 23:24:59 UTC
88398e9 Martin Brejcha01 May 2014, 10:07:09 UTCdgram_sctp_ctrl: authkey memory leak PR: 332711 May 2014, 23:24:59 UTC
15c1ac0 Günther Noack01 May 2014, 11:33:11 UTCAvoid out-of-bounds write in SSL_get_shared_ciphers PR: 331711 May 2014, 22:57:14 UTC
c3c6fc7 Viktor Dukhovni11 May 2014, 19:28:56 UTCFix infinite loop. PR#334711 May 2014, 20:13:18 UTC
4d8cca8 Tim Hudson11 May 2014, 12:29:59 UTCsafety check to ensure we dont send out beyond the users buffer11 May 2014, 12:29:59 UTC
d61be85 Dr. Stephen Henson08 May 2014, 12:17:11 UTCReturn an error if no recipient type matches. If the key type does not match any CMS recipient type return an error instead of using a random key (MMA mitigation). This does not leak any useful information to an attacker. PR#334809 May 2014, 13:24:51 UTC
9e456a8 Tim Hudson05 May 2014, 00:53:39 UTCcoverity 966576 - close socket in error path08 May 2014, 22:19:19 UTC
f179e2b Tim Hudson05 May 2014, 00:39:30 UTCPR#3342 fix resource leak coverity issue 96657708 May 2014, 22:18:44 UTC
6a60b41 Tim Hudson04 May 2014, 22:22:42 UTCfix coverity issue 966597 - error line is not always initialised07 May 2014, 23:00:08 UTC
c6a47f9 Matt Caswell07 May 2014, 22:21:02 UTCFixed NULL pointer dereference in PKCS7_dataDecode reported by David Ramos in PR#333907 May 2014, 22:25:46 UTC
d0666f2 Geoff Thorpe04 May 2014, 22:44:14 UTCevp: prevent underflow in base64 decoding This patch resolves RT ticket #2608. Thanks to Robert Dugal for originally spotting this, and to David Ramos for noticing that the ball had been dropped. Signed-off-by: Geoff Thorpe <geoff@openssl.org>06 May 2014, 22:10:23 UTC
d8afda6 Geoff Thorpe04 May 2014, 20:19:22 UTCbignum: allow concurrent BN_MONT_CTX_set_locked() The lazy-initialisation of BN_MONT_CTX was serialising all threads, as noted by Daniel Sands and co at Sandia. This was to handle the case that 2 or more threads race to lazy-init the same context, but stunted all scalability in the case where 2 or more threads are doing unrelated things! We favour the latter case by punishing the former. The init work gets done by each thread that finds the context to be uninitialised, and we then lock the "set" logic after that work is done - the winning thread's work gets used, the losing threads throw away what they've done. Signed-off-by: Geoff Thorpe <geoff@openssl.org>06 May 2014, 22:10:21 UTC
804ab36 Geoff Thorpe27 April 2014, 20:06:50 UTCdso: eliminate VMS code on non-VMS systems Even though the meat of dso_vms.c is compiled out on non-VMS builds, the (pre-)compiler still traverses some of the macro handling. This trips up at least one non-VMS build configuration, so this commit makes the skip-VMS case more robust. Signed-off-by: Geoff Thorpe <geoff@openssl.org>06 May 2014, 22:10:17 UTC
a41d517 Dr. Stephen Henson06 May 2014, 13:07:37 UTCInitialize num properly. PR#3289 PR#3345 (cherry picked from commit 3ba1e406c2309adb427ced9815ebf05f5b58d155)06 May 2014, 13:09:14 UTC
9c5d953 Dr. Stephen Henson06 May 2014, 13:02:17 UTCSet Enveloped data version to 2 if ktri version not zero.06 May 2014, 13:02:38 UTC
7b7b18c Tim Hudson04 May 2014, 20:41:22 UTC- fix coverity issues 966593-96659605 May 2014, 23:07:34 UTC
8eb094b David Ramos03 May 2014, 10:00:27 UTCDouble free in i2o_ECPublicKey PR: 333803 May 2014, 23:53:19 UTC
7fa18a6 Jeff Trawick13 April 2014, 13:10:17 UTCtypo in SSL_get_peer_cert_chain docs RT: 330401 May 2014, 23:27:37 UTC
90600a5 Matt Caswell30 April 2014, 23:23:57 UTCFixed spelling error in error message. Fix supplied by Marcos Marado30 April 2014, 23:23:57 UTC
23f5908 Lubomir Rintel21 October 2013, 09:03:01 UTCPOD: Fix item numbering Newer pod2man considers =item [1-9] part of a numbered list, while =item 0 starts an unnumbered list. Add a zero effect formatting mark to override this. doc/apps/smime.pod around line 315: Expected text after =item, not a number ... PR#314630 April 2014, 22:47:29 UTC
e622237 mancha25 April 2014, 14:58:49 UTCFix version documentation. Specify -f is for compilation flags. Add -d to synopsis section. (cherry picked from commit 006397ea62bbcae22c8664d53c2222b808c4bdd1) Closes #79.26 April 2014, 10:21:34 UTC
f081617 mancha24 April 2014, 19:06:20 UTCFix eckey_priv_encode() Fix eckey_priv_encode to return an error on failure of i2d_ECPrivateKey.24 April 2014, 19:32:17 UTC
057444f Steve Marquess24 April 2014, 11:13:05 UTCAdd new sponsors (cherry picked from commit 351f0a124bffaa94d2a8abdec2e7dde5ae9c457d)24 April 2014, 11:32:59 UTC
725c5f1 Ben Laurie23 April 2014, 06:24:03 UTCFix use after free.23 April 2014, 06:33:17 UTC
9c8dc84 Ben Laurie22 April 2014, 12:11:56 UTCFix double frees.22 April 2014, 16:02:37 UTC
e3899ab Dr. Stephen Henson16 April 2014, 11:15:43 UTCDocument -debug_decrypt option. (cherry picked from commit 0dd5b94aeb77c2982bdf6886962b7a8491c6c9ed)16 April 2014, 11:36:06 UTC
3fc880a Dr. Stephen Henson15 April 2014, 17:48:54 UTCExtension checking fixes. When looking for an extension we need to set the last found position to -1 to properly search all extensions. PR#3309. (cherry picked from commit 300b9f0b704048f60776881f1d378c74d9c32fbd)15 April 2014, 17:53:04 UTC
602b279 Dr. Stephen Henson15 April 2014, 17:17:12 UTCClarify CMS_decrypt behaviour. (cherry picked from commit 5f8e9a477a18551052f2019c1f374061acbaa5e6)15 April 2014, 17:19:40 UTC
b05a3ad Dr. Stephen Henson11 April 2014, 01:50:51 UTCAdd new key fingerprint. (cherry picked from commit 3143a332e8f2f5ca1a6f0262a1a1a66103f2adf7)11 April 2014, 01:51:48 UTC
3d8f4f2 Dr. Stephen Henson09 April 2014, 14:42:40 UTCFix free errors in ocsp utility. Keep copy of any host, path and port values allocated by OCSP_parse_url and free as necessary. (cherry picked from commit 5219d3dd350cc74498dd49daef5e6ee8c34d9857)09 April 2014, 14:45:35 UTC
a74bee5 Steven M. Schweda08 April 2014, 16:23:03 UTCVMS build fix #2.08 April 2014, 16:23:03 UTC
55c9e24 Steven M. Schweda07 April 2014, 22:14:11 UTCVMS build fix for older compilers.07 April 2014, 22:14:11 UTC
ebe2219 Dr. Stephen Henson07 April 2014, 16:58:39 UTCPrepare for 1.0.1h-dev07 April 2014, 16:58:39 UTC
b2d951e Dr. Stephen Henson07 April 2014, 16:55:44 UTCPrepare for 1.0.1g release07 April 2014, 16:55:44 UTC
c5993d1 Dr. Stephen Henson06 April 2014, 11:59:14 UTCUpdate NEWS.07 April 2014, 16:53:31 UTC
5be1ae2 Dr. Stephen Henson06 April 2014, 22:11:20 UTCReturn if ssleay_rand_add called with zero num. Treat a zero length passed to ssleay_rand_add a no op: the existing logic zeroes the md value which is very bad. OpenSSL itself never does this internally and the actual call doesn't make sense as it would be passing zero bytes of entropy. Thanks to Marcus Meissner <meissner@suse.de> for reporting this bug.07 April 2014, 16:53:31 UTC
96db902 Dr. Stephen Henson05 April 2014, 23:51:06 UTCAdd heartbeat extension bounds check. A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix (CVE-2014-0160)07 April 2014, 16:53:31 UTC
0d7717f Dr. Stephen Henson07 April 2014, 12:02:10 UTCDocument -verify_return_error option. (cherry picked from commit 4e6c12f3088d3ee5747ec9e16d03fc671b8f40be)07 April 2014, 12:04:21 UTC
aba7600 Andy Polyakov06 April 2014, 15:19:54 UTCcrypto/modes/gcm128.c: more strict aliasing fixes. (cherry picked from commit 997d1aac7cfb957decb62d8f0034a7eca6177fec)06 April 2014, 15:22:46 UTC
00acdfb Andy Polyakov06 April 2014, 10:50:36 UTCvpaes-x86_64.pl: fix typo, which for some reason triggers rkhunter. (cherry picked from commit 6eebcf345933694e08aba400faf6f639fb4db196)06 April 2014, 10:55:22 UTC
51624db Dr. Stephen Henson05 April 2014, 19:43:54 UTCSet TLS padding extension value. Enable TLS padding extension using official value from: http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml (cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53) Conflicts: CHANGES ssl/tls1.h05 April 2014, 19:52:59 UTC
9e29df0 Dr. Stephen Henson04 April 2014, 11:46:39 UTCUpdate FAQ. (cherry picked from commit 6cc0068430d0a4abdef0b466d422e6a4d154a5fe)04 April 2014, 12:07:22 UTC
f54167d Dr. Stephen Henson04 April 2014, 11:44:43 UTCUse correct length when prompting for password. Use bufsiz - 1 not BUFSIZ - 1 when prompting for a password in the openssl utility. Thanks to Rob Mackinnon, Leviathan Security for reporting this issue. (cherry picked from commit 7ba08a4d73c1bdfd3aced09a628b1d7d7747cdca)04 April 2014, 12:07:17 UTC
6042582 Dr. Stephen Henson03 April 2014, 12:27:08 UTCDocument new crl option. (cherry picked from commit dbb7654dc189992966ecd95ca66f7a3bb011ab9b)03 April 2014, 12:37:11 UTC
5052264 Tim Hudson03 April 2014, 12:23:51 UTCAdd option to generate old hash format. New -hash_old to generate CRL hashes using old (before OpenSSL 1.0.0) algorithm. (cherry picked from commit de2d97cd799f38024d70847bab37d91aa5a2536e)03 April 2014, 12:37:04 UTC
bfc3424 Eric Young02 April 2014, 18:50:33 UTCFix base64 decoding bug. A short PEM encoded sequence if passed to the BIO, and the file had 2 \n following would fail. PR#3289 (cherry picked from commit 10378fb5f4c67270b800e8f7c600cd0548874811)02 April 2014, 18:57:27 UTC
1c65936 Dr. Stephen Henson12 March 2014, 14:43:52 UTCupdate NEWS12 March 2014, 14:43:52 UTC
40acdb1 Dr. Stephen Henson12 March 2014, 14:35:54 UTCUpdate ordinals. Use a previously unused value as we will be updating multiple released branches. (cherry picked from commit 0737acd2a8cc688902b5151cab5dc6737b82fb96)12 March 2014, 14:41:37 UTC
4b7a4ba Dr. Stephen Henson12 March 2014, 14:16:19 UTCFix for CVE-2014-0076 Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. (cherry picked from commit 2198be3483259de374f91e57d247d0fc667aef29) Conflicts: CHANGES12 March 2014, 14:19:54 UTC
e0660c6 Dr. Stephen Henson10 March 2014, 15:45:30 UTCtypo (cherry picked from commit a029788b0e0c19cee4007cc1f73201cf2c13addf)10 March 2014, 15:48:43 UTC
b4ada74 Dr. Stephen Henson07 March 2014, 19:04:45 UTCRemove -WX option from debug-VC-WIN3207 March 2014, 19:07:51 UTC
back to top