summaryrefslogtreecommitdiffstats
path: root/crypto/openssl
Commit message (Collapse)AuthorAgeFilesLines
* Fix OpenSSL RC4_MD5 cipher vulnerability.delphij2017-02-231-0/+2
| | | | Approved by: so
* Fix OpenSSH remote Denial of Service vulnerability. [SA-16:33]delphij2016-11-025-0/+35
| | | | | | | | Fix OpenSSL remote DoS vulnerability. [SA-16:35] Security: FreeBSD-SA-16:33.openssh Security: FreeBSD-SA-16:35.openssl Approved by: so
* Apply upstream revision 3612ff6fcec0e3d1f2a598135fe12177c0419582:delphij2016-09-261-3/+2
| | | | | | | | | | | | Fix overflow check in BN_bn2dec() Fix an off by one error in the overflow check added by 07bed46 ("Check for errors in BN_bn2dec()"). This fixes a regression introduced in SA-16:26.openssl. Submitted by: jkim PR: 212921 Approved by: so
* Fix multiple OpenSSL vulnerabilitites.delphij2016-09-2316-91/+218
| | | | | Approved by: so Security: FreeBSD-SA-16:26.openssl
* Fix multiple OpenSSL vulnerabilitites. [SA-16:17]delphij2016-05-047-12/+16
| | | | | | | | | | Fix performance regression in libc hash(3). [EN-16:06] Fix excessive latency in x86 IPI delivery. [EN-16:07] Fix memory leak in ZFS. [EN-16:08] Approved by: so
* Merge OpenSSL 1.0.1s. This is a security update.delphij2016-03-0242-518/+1141
| | | | | Relnotes: yes Approved by: re (so@ implicit)
* Merge OpenSSL 1.0.1r.jkim2016-01-28107-385/+621
| | | | Relnotes: yes
* Merge OpenSSL 1.0.1q.jkim2015-12-03151-1997/+1769
|
* MFC: r285329jkim2015-07-0921-233/+475
| | | | | | | Merge OpenSSL 1.0.1p. Approved by: re (gjb) Relnotes: yes
* MFC: r284329jkim2015-06-129-25/+34
| | | | | | | | | Merge OpenSSL 1.0.1o. Note it is instantly merged because it restores ABI compatibility broken by the previous OpenSSL 1.0.1n. Relnotes: yes
* MFC: r284283jkim2015-06-11204-903/+2348
| | | | Merge OpenSSL 1.0.1n.
* MFC: r280297jkim2015-03-201009-268371/+272042
| | | | | | Merge OpenSSL 1.0.1m. Relnotes: yes
* Fix issues with original SA-15:06.openssl commit:delphij2015-03-203-15/+11
| | | | | | | | | - Revert a portion of ASN1 change per suggested by OpenBSD and OpenSSL developers. The change was removed from the formal OpenSSL release and does not solve security issue. - Properly fix CVE-2015-0209 and CVE-2015-0288. Pointy hat to: delphij
* Fix multiple OpenSSL vulnerabilities.delphij2015-03-197-41/+172
| | | | | | | | | | Security: FreeBSD-SA-15:06.openssl Security: CVE-2015-0209 Security: CVE-2015-0286 Security: CVE-2015-0287 Security: CVE-2015-0288 Security: CVE-2015-0289 Security: CVE-2015-0293
* MFC: r277270jkim2015-01-2311-17/+27
| | | | | | Merge OpenSSL 1.0.1l. Relnotes: yes
* MFC: r276861, r276863jkim2015-01-09108-3630/+1760
| | | | Merge OpenSSL 1.0.1k.
* MFC: r273144, r273146jkim2014-10-1579-613/+1824
| | | | | | Merge OpenSSL 1.0.1j. Relnotes: yes
* MFC: r269682jkim2014-08-07158-4989/+3288
| | | | Merge OpenSSL 1.0.1i.
* MFC: r267256jkim2014-06-0966-141/+824
| | | | | | Merge OpenSSL 1.0.1h. Approved by: so (delphij)
* Fix OpenSSL multiple vulnerabilities.delphij2014-06-055-3/+36
| | | | | | Security: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 Security: SA-14:14.openssl
* Fix OpenSSL NULL pointer deference vulnerability.delphij2014-05-131-0/+4
| | | | | | Obtained from: OpenBSD Security: FreeBSD-SA-14:09.openssl Security: CVE-2014-0198
* Fix devfs rules not applied by default for jails.delphij2014-04-301-1/+1
| | | | | | | | | | | | | Fix OpenSSL use-after-free vulnerability. Fix TCP reassembly vulnerability. Security: FreeBSD-SA-14:07.devfs Security: CVE-2014-3001 Security: FreeBSD-SA-14:08.tcp Security: CVE-2014-3000 Security: FreeBSD-SA-14:09.openssl Security: CVE-2010-5298
* MFC: r261037, r264278jkim2014-04-10148-920/+1786
| | | | Merge OpenSSL 1.0.1f and 1.0.1g.
* Fix NFS deadlock vulnerability. [SA-14:05]delphij2014-04-085-24/+106
| | | | | Fix "Heartbleed" vulnerability and ECDSA Cache Side-channel Attack in OpenSSL. [SA-14:06]
* MFC r260403 (MFV r260399):delphij2014-01-075-8/+25
| | | | | | | | | | | | | | | | | | | | Apply vendor commits: 197e0ea Fix for TLS record tampering bug. (CVE-2013-4353). 3462896 For DTLS we might need to retransmit messages from the previous session so keep a copy of write context in DTLS retransmission buffers instead of replacing it after sending CCS. (CVE-2013-6450). ca98926 When deciding whether to use TLS 1.2 PRF and record hash algorithms use the version number in the corresponding SSL_METHOD structure instead of the SSL structure. The SSL structure version is sometimes inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already. (CVE-2013-6449). Security: CVE-2013-4353 Security: CVE-2013-6449 Security: CVE-2013-6450
* MFV r254106 (OpenSSL bugfix for RT #2984):delphij2013-08-081-1/+1
| | | | | | | | | | | Check DTLS_BAD_VER for version number. The version check for DTLS1_VERSION was redundant as DTLS1_VERSION > TLS1_1_VERSION, however we do need to check for DTLS1_BAD_VER for compatibility. Requested by: zi Approved by: benl
* Merge OpenSSL 1.0.1e.jkim2013-02-13174-871/+2669
|\ | | | | | | Approved by: secteam (simon), benl (silence)
* | Change "the the" to "the". It is a continuation of r226436 and missed injkim2013-02-131-1/+1
| | | | | | | | | | | | r237658. Approved by: benl (maintainer, implicit)
* | Clean some 'svn:executable' properties in the tree.pfg2013-01-2610-0/+0
| | | | | | | | | | Submitted by: Christoph Mallon MFC after: 3 days
* | Indicate that we are using OpenSSL with some local modifications.delphij2013-01-021-1/+1
| | | | | | | | X-MFC after: with r244974
* | MFV r244973:delphij2013-01-021-17/+8
| | | | | | | | | | | | | | | | Integrate OpenSSL changeset 22950 (appro): bn_word.c: fix overflow bug in BN_add_word. MFC after: 2 weeks
* | Clean up hardcoded ar(1) flags in the tree to use the global ARFLAGS ineadler2012-12-062-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | share/mk/sys.mk instead. This is part of a medium term project to permit deterministic builds of FreeBSD. Submitted by: Erik Cederstrand <erik@cederstrand.dk> Reviewed by: imp, toolchain@ Approved by: cperciva MFC after: 2 weeks
* | Allow OpenSSL to use arc4random(3) on FreeBSD. arc4random(3) was modifiedpjd2012-11-301-3/+3
| | | | | | | | | | | | | | | | | | some time ago to use sysctl instead of /dev/random to get random data, so is now much better choice, especially for sandboxed processes that have no direct access to /dev/random. Approved by: benl MFC after: 2 weeks
* | openssl: change SHLIB_VERSION_NUMBER to reflect the realityavg2012-09-111-1/+1
| | | | | | | | | | | | | | | | Note: I timed out waiting for an exp-run for this change but I survived having it locally for quite a long time. MFC after: 1 month X-MFC note: SHLIB_MAJOR is 6 in stable/8 and stable/9
* | Merge OpenSSL 1.0.1c.jkim2012-07-121335-79732/+167672
|\ \ | |/ | | | | Approved by: benl (maintainer)
* | Partially redo r226436, i. e., change "the the" to "the". ca(1), dgst(1),jkim2012-06-273-3/+3
| | | | | | | | | | | | | | and engine(3) are generated from these pod files during merge process and we do not want to re-apply these changes over and over again. Approved by: benl (maintainer, implicit)
* | Merge OpenSSL 0.9.8x.jkim2012-06-2782-964/+1642
| | | | | | | | | | | | Reviewed by: stas Approved by: benl (maintainer) MFC after: 3 days
* | Update the previous openssl fix. [12:01]bz2012-05-302-9/+8
| | | | | | | | | | | | | | | | Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02] Security: FreeBSD-SA-12:01.openssl (revised) Security: FreeBSD-SA-12:02.crypt Approved by: so (bz, simon)
* | Fix multiple OpenSSL vulnerabilities.bz2012-05-0311-39/+162
| | | | | | | | | | | | | | Security: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109 Security: CVE-2012-0884, CVE-2012-2110 Security: FreeBSD-SA-12:01.openssl Approved by: so (bz,simon)
* | Fix SSL memory handlig for (EC)DH cipher suites, in particular fordelphij2011-09-082-7/+21
| | | | | | | | | | | | | | | | | | multi-threaded use of ECDH. Security: CVE-2011-3210 Reviewed by: stas Obtained from: OpenSSL CVS Approved by: re (kib)
* | Fix Incorrectly formatted ClientHello SSL/TLS handshake messages couldsimon2011-02-121-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | cause OpenSSL to parse past the end of the message. Note: Applications are only affected if they act as a server and call SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes Apache httpd >= 2.3.3, if configured with "SSLUseStapling On". Security: http://www.openssl.org/news/secadv_20110208.txt Security: CVE-2011-0014 Obtained from: OpenSSL CVS
* | Merge OpenSSL 0.9.8q into head.simon2010-12-0317-30/+146
|\ \ | |/ | | | | | | | | Security: CVE-2010-4180 Security: http://www.openssl.org/news/secadv_20101202.txt MFC after: 3 days
* | Merge OpenSSL 0.9.8p into head.simon2010-11-22127-535/+876
| | | | | | | | | | Security: CVE-2010-3864 Security: http://www.openssl.org/news/secadv_20101116.txt
* | Fix double-free in OpenSSL's SSL ECDH code.simon2010-11-141-0/+1
| | | | | | | | | | | | | | | | | | It has yet to be determined if this warrants a FreeBSD Security Advisory, but we might as well get it fixed in the normal branches. Obtained from: OpenSSL CVS Security: CVE-2010-2939 X-MFC after: Not long...
* | Bring in OpenSSL checkin 19821:rpaulo2010-09-212-6/+13
| | | | | | | | | | | | | | | | | | Make inline assembler clang-friendly [from HEAD]. openssl/crypto/md32_common.h 1.45.2.1 -> 1.45.2.2 openssl/crypto/rc5/rc5_locl.h 1.8 -> 1.8.8.1 Approved by: simon
* | Merge OpenSSL 0.9.8n into head.simon2010-04-0128-37/+115
| | | | | | | | | | | | | | | | | | | | | | This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m) but not -STABLE branches. I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD. This will be investigated further. Security: CVE-2010-0433, CVE-2010-0740 Security: http://www.openssl.org/news/secadv_20100324.txt
* | Readd $FreeBSD$ to the OpenSSL config file as that's useful forsimon2010-03-131-0/+1
| | | | | | | | | | | | mergemaster. Suggested by: dougb
* | Merge OpenSSL 0.9.8m into head.simon2010-03-13238-19819/+4290
|\ \ | |/ | | | | | | | | | | | | | | | | | | This also "reverts" some FreeBSD local changes so we should now be back to using entirely stock OpenSSL. The local changes were simple $FreeBSD$ lines additions, which were required in the CVS days, and the patch for FreeBSD-SA-09:15.ssl which has been superseded with OpenSSL 0.9.8m's RFC5746 'TLS renegotiation extension' support. MFC after: 3 weeks
* | Disable SSL renegotiation in order to protect against a seriouscperciva2009-12-033-5/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | protocol flaw. [09:15] Correctly handle failures from unsetenv resulting from a corrupt environment in rtld-elf. [09:16] Fix permissions in freebsd-update in order to prevent leakage of sensitive files. [09:17] Approved by: so (cperciva) Security: FreeBSD-SA-09:15.ssl Security: FreeBSD-SA-09:16.rtld Security: FreeBSD-SA-09:17.freebsd-udpate
* | Merge DTLS fixes from vendor-crypto/openssl/dist:simon2009-08-234-17/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Fix memory consumption bug with "future epoch" DTLS records. - Fix fragment handling memory leak. - Do not access freed data structure. - Fix DTLS fragment bug - out-of-sequence message handling which could result in NULL pointer dereference in dtls1_process_out_of_seq_message(). Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL. MFC after: 1 week Security: CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387
OpenPOWER on IntegriCloud