| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
tested by jasper
|
| |
|
|
| |
tested by bcook jsg
|
| |
|
|
|
|
| |
"Avoid a buffer overflow that can be triggered by sending specially crafted
DTLS fragments. Fix for CVE-2014-0195, from OpenSSL. Reported to OpenSSL
by Juri Aedla." From d1_both.c r1.19
|
| |
|
|
|
|
|
|
| |
"Do not recurse when a 'Hello Request' message is received while getting
DTLS fragments. A stream of 'Hello Request' messages will result in
infinite recursion, eventually crashing the DTLS client or server.
Fixes CVE-2014-0221, from OpenSSL. Reported to OpenSSL by Imre Rad."
From d1_both.c r1.20
|
| |
|
|
|
| |
"Ensure that sess_cert is not NULL before trying to use it.
Fixes CVE-2014-3470, from OpenSSL." From s3_clnt.c r1.66
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
"Be selective as to when ChangeCipherSpec messages will be accepted.
Without this an early ChangeCipherSpec message would result in session
keys being generated, along with the Finished hash for the handshake,
using an empty master secret." From s3_clnt.c r1.64, s3_pkt.c r1.42,
s3_srvr.c r1.59, ssl3.h r1.19 - note that the ssl3.h change has been
applied to s3_locl.h instead to simplify patching.
"Ensure that we do not process a ChangeCipherSpec with an empty master
secret. This is an additional safeguard against early ChangeCipherSpec
handling." From s3_pkt.c:1.43
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-/--------------------------
revision 1.33
date: 2014/04/24 04:31:30; author: tedu; state: Exp; lines: +4 -0;
on today's episode of things you didn't want to learn:
do_ssl3_write() is recursive. and not in the simple, obvious way, but in
the sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia)
this then has a decent chance of releasing the buffer that we thought we
were going to use. check for this happening, and if the buffer has gone
missing, put another one back in place.
the direct recursive call is safe because it won't call ssl3_write_pending
which is the function that actually does do the writing and releasing.
as reported by David Ramos to openssl-dev:
http://marc.info/?l=openssl-dev&m=139809493725682&w=2
ok beck
-/--------------------------
|
| |
|
|
|
|
|
|
| |
Changes by: tedu@cvs.openbsd.org 2014/04/10 13:01:37
Piotr Sikora pointed me at a more refined diff for the buffer release
issue. Apply that version. Maybe someday upstream will wake up and then
we can have the same code.
https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest
|
| |
|
|
|
| |
cherrypick fix for CVE-2014-0160 "heartbleed" vulnerability from
OpenSSL git; ok sthen@
|
| |
|
|
| |
architectures. ok miod@ djm@
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
hyphen in their official programming guide sometime between 2003 and
2005, and Clang's integrated assembler does not support hyphenated
mnemonics.
ok jsg, deraadt
|
| |
|
|
|
| |
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- additional cert's from GlobalSign.
- additional cert's from VeriSign and replace existing ones with
'Signature Algorithm: md2WithRSAEncryption' with their currently
distributed sha1WithRSAEncryption versions.
- new CAs: AddTrust (root for most Comodo certificates also heavily
used in academic networks), Comodo (most of their certs are rooted in
AddTrust but TERENA use the Comodo AAA Certificate Services root
for some things so add that separately), UserTrust Network/UTN
(part of Comodo) and Starfield (part of Go Daddy).
|
| |
|
|
| |
ok beck@ william@ todd@
|
| |
|
|
|
|
| |
and include sha1 signatures for all certs (some were missing).
No certificate changes, this is just for consistency. ok beck@
|
| |
|
|
|
|
| |
Remove intermediate GoDaddy certificate, this file should just contain roots.
ok beck@ phessler@
|
| |
|
|
|
|
|
|
|
|
| |
have to go through the PLT/GOT to get at them anymore. In fact going through
the GOT now fails since we no longer have a GOT entry for OPENSSL_ia32cap_P.
Fixes the problem spotted by jasper@ and sthen@. Based on a diff from mikeb@
who did most of the actual work of tracking down the issue.
ok millert@, mikeb@
|
| |
|
|
| |
Disable use of dladdr() on a.out arches, they do not provide it (yet);
|
| |
|
|
| |
major cranks
|
| | |
|
| | |
|
| |\
| |
| | |
branch.
|
| | | |
|
| |\ \
| | |
| | | |
branch.
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
branch.
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
and __PIC__ defines. Makes things easier for PIE.
ok djm@
|
| | | | |
| | | |
| | | |
| | | | |
ok guenther@
|
| | | | |
| | | |
| | | |
| | | | |
jmc@ noticed this in the manpage while updating it, but it applies here too.
|
| | | | |
| | | |
| | | |
| | | | |
Brad, jasper and naddy helped with test builds, fixing ports, etc.
|
| | | | |
| | | |
| | | |
| | | | |
ok miod@ deraadt@
|
| | | | | |
|
| | | | | |
|
| |\| | |
| | | |
| | | | |
branch.
|
| | | | | |
|
| |\ \ \ \
| | |_|/
| |/| | |
branch.
|
| | | | | |
|
| |\ \ \ \
| | |_|/
| |/| | |
branch.
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| |\ \ \ \
| | |/ /
| |/| | |
branch.
|
| | | | | |
|
| |\ \ \ \
| | |_|/
| |/| | |
branch.
|
| | | | | |
|
