Package: openssl / 0.9.8o-4squeeze23

Metadata

Package: openssl
Version: 0.9.8o-4squeeze23
Patches format: 3.0 (quilt)

Patch series

CVE 2014 3567.patch

ssl/t1_lib.c | 3 (+3 -0)
1 file changed, 3 insertions(+)

CVE 2014 3569.patch

ssl/s23_srvr.c | 6 (+4 -2)
1 file changed, 4 insertions(+), 2 deletions(-)

0001 Return error when a bit string indicates an invalid .patch

crypto/asn1/a_bitstr.c | 7 (+6 -1)
crypto/asn1/asn1.h | 1 (+1 -0)
crypto/asn1/asn1_err.c | 1 (+1 -0)
3 files changed, 8 insertions(+), 1 deletion(-)

[patch 01/15] return error when a bit string indicates an invalid amount of bits left

0002 Add ASN1_TYPE_cmp and X509_ALGOR_cmp.patch

crypto/asn1/a_type.c | 46 (+46 -0)
crypto/asn1/asn1.h | 1 (+1 -0)
crypto/asn1/x_algor.c | 10 (+10 -0)
crypto/x509/x509.h | 1 (+1 -0)
4 files changed, 58 insertions(+)

[patch 02/15] add asn1_type_cmp and x509_algor_cmp.

(these are needed for certificate fingerprint fixes)

0004 Fix various certificate fingerprint issues.patch

crypto/asn1/a_verify.c | 12 (+12 -0)
crypto/dsa/dsa_asn1.c | 16 (+14 -2)
crypto/ecdsa/ecs_vrf.c | 15 (+14 -1)
crypto/x509/x_all.c | 2 (+2 -0)
4 files changed, 42 insertions(+), 3 deletions(-)

[patch 04/15] fix various certificate fingerprint issues.

By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275

0005 ECDH downgrade bug fix.patch

ssl/s3_clnt.c | 15 (+13 -2)
1 file changed, 13 insertions(+), 2 deletions(-)

[patch 05/15] ecdh downgrade bug fix.

Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuite with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572

0006 Only allow ephemeral RSA keys in export ciphersuites.patch

doc/ssl/SSL_CTX_set_options.pod | 10 (+1 -9)
doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 23 (+8 -15)
ssl/d1_srvr.c | 16 (+2 -14)
ssl/s3_clnt.c | 7 (+7 -0)
ssl/s3_srvr.c | 16 (+2 -14)
ssl/ssl.h | 5 (+2 -3)
6 files changed, 22 insertions(+), 55 deletions(-)

[patch 06/15] only allow ephemeral rsa keys in export ciphersuites.

OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)

0007 use correct function name.patch

crypto/asn1/a_verify.c | 2 (+1 -1)
1 file changed, 1 insertion(+), 1 deletion(-)

[patch 07/15] use correct function name

0009 fix error discrepancy.patch

ssl/s3_clnt.c | 2 (+1 -1)
1 file changed, 1 insertion(+), 1 deletion(-)

[patch 09/15] fix error discrepancy

0010 Fix for CVE 2014 3570.patch

crypto/bn/asm/mips3.s | 514 (+257 -257)
crypto/bn/asm/x86_64-gcc.c | 34 (+15 -19)
crypto/bn/bn_asm.c | 16 (+10 -6)
crypto/bn/bntest.c | 102 (+78 -24)
4 files changed, 360 insertions(+), 306 deletions(-)

[patch 10/15] fix for cve-2014-3570.

0011 Fix crash in dtls1_get_record whilst in the listen s.patch

ssl/d1_pkt.c | 2 (+0 -2)
ssl/s3_pkt.c | 2 (+2 -0)
2 files changed, 2 insertions(+), 2 deletions(-)

[patch 11/15] fix crash in dtls1_get_record whilst in the listen state where you get two separate reads performed - one for the header and one for the body of the handshake record.

CVE-2014-3571

0012 Follow on from CVE 2014 3571. This fixes the code th.patch

ssl/d1_pkt.c | 3 (+2 -1)
1 file changed, 2 insertions(+), 1 deletion(-)

[patch 12/15] follow on from cve-2014-3571. this fixes the code that
was the original source of the crash due to p being NULL. Steve's fix
prevents this situation from occurring - however this is by no means obvious
by looking at the code for dtls1_get_record. This fix just makes things look
a bit more sane.

Conflicts:
	ssl/d1_pkt.c

0013 Fix typo.patch

ssl/s3_srvr.c | 2 (+1 -1)
1 file changed, 1 insertion(+), 1 deletion(-)

[patch 13/15] fix typo.

Fix typo in ssl3_get_cert_verify: we can only skip certificate verify
message if certificate is absent.

NB: OpenSSL 0.9.8 is NOT vulnerable to CVE-2015-0205 as it doesn't
support DH certificates and this typo prohibits skipping of
certificate verify message for sign only certificates anyway.

0006 Fix reachable assert in SSLv2 servers.patch

ssl/s2_lib.c | 2 (+1 -1)
ssl/s2_srvr.c | 55 (+46 -9)
2 files changed, 47 insertions(+), 10 deletions(-)

[patch 6/6] fix reachable assert in sslv2 servers.

This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

0009 Fix unsigned signed warnings.patch

ssl/s2_srvr.c | 9 (+5 -4)
1 file changed, 5 insertions(+), 4 deletions(-)

[patch 09/12] fix unsigned/signed warnings

Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

0005 PKCS 7 avoid NULL pointer dereferences with missing .patch

crypto/pkcs7/pk7_doit.c | 57 (+57 -0)
crypto/pkcs7/pk7_lib.c | 3 (+3 -0)
2 files changed, 60 insertions(+)

[patch] pkcs#7: avoid null pointer dereferences with missing content

In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

0004 Fix ASN1_TYPE_cmp.patch

crypto/asn1/a_type.c | 3 (+3 -0)
1 file changed, 3 insertions(+)

[patch 4/6] fix asn1_type_cmp

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

0002 Free up ADB and CHOICE if already initialised.patch

crypto/asn1/tasn_dec.c | 24 (+21 -3)
1 file changed, 21 insertions(+), 3 deletions(-)

[patch 2/6] free up adb and choice if already initialised.

CVE-2015-0287

0001 Fix a failure to NULL a pointer freed on error.patch

crypto/ec/ec_asn1.c | 6 (+3 -3)
1 file changed, 3 insertions(+), 3 deletions(-)

[patch] fix a failure to null a pointer freed on error.

Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>

CVE-2015-0209

0001 Check public key is not NULL.patch

crypto/x509/x509_req.c | 2 (+2 -0)
1 file changed, 2 insertions(+)

[patch] check public key is not null.

CVE-2015-0288
PR#3708

0001 evp prevent underflow in base64 decoding.patch

crypto/evp/encode.c | 1 (+1 -0)
1 file changed, 1 insertion(+)

[patch] evp: prevent underflow in base64 decoding

This patch resolves RT ticket #2608.

Thanks to Robert Dugal for originally spotting this, and to David
Ramos for noticing that the ball had been dropped.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>

0008 Fix a failure to NULL a pointer freed on error.patch

crypto/asn1/x_x509.c | 12 (+11 -1)
crypto/ec/ec_asn1.c | 7 (+5 -2)
2 files changed, 16 insertions(+), 3 deletions(-)

[patch 08/12] fix a failure to null a pointer freed on error.

Reported by the LibreSSL project as a follow on to CVE-2015-0209

0001 Disable export and SSLv2 ciphers by default.patch

doc/apps/ciphers.pod | 2 (+1 -1)
ssl/ssl.h | 2 (+1 -1)
ssl/ssl_ciph.c | 16 (+14 -2)
ssl/ssl_lib.c | 1 (+1 -0)
4 files changed, 17 insertions(+), 4 deletions(-)

[patch] disable export and sslv2 ciphers by default

They are moved to the COMPLEMENTOFDEFAULT instead.

CVE 2014 8176.patch

ssl/d1_lib.c | 10 (+7 -3)
1 file changed, 7 insertions(+), 3 deletions(-)

[patch] free up s->d1->buffered_app_data.q properly.

PR#3286
(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)

CVE 2015 4000.patch

ssl/s3_clnt.c | 33 (+20 -13)
ssl/ssl.h | 1 (+1 -0)
ssl/ssl_err.c | 1 (+1 -0)
3 files changed, 22 insertions(+), 13 deletions(-)

[patch] client: reject handshakes with dh parameters < 768 bits.

Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

CVE 2015 1789.patch

crypto/x509/x509_vfy.c | 77 (+58 -19)
1 file changed, 58 insertions(+), 19 deletions(-)

[patch] fix length checks in x509_cmp_time to avoid out-of-bounds reads.

Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.

CVE-2015-1789

CVE 2015 1792.patch

crypto/cms/cms_smime.c | 2 (+1 -1)
1 file changed, 1 insertion(+), 1 deletion(-)

[patch] fix infinite loop in cms

Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
to verify and a digest is not recognised. Reported by Johannes Bauer.

CVE-2015-1792

CVE 2015 1791.patch

ssl/s3_clnt.c | 32 (+32 -0)
ssl/ssl.h | 1 (+1 -0)
ssl/ssl_err.c | 1 (+1 -0)
ssl/ssl_locl.h | 1 (+1 -0)
ssl/ssl_sess.c | 74 (+74 -0)
5 files changed, 109 insertions(+)

CVE 2015 1790.patch

crypto/pkcs7/pk7_doit.c | 16 (+15 -1)
1 file changed, 15 insertions(+), 1 deletion(-)

[patch] pkcs#7: fix null dereference with missing encryptedcontent.

CVE-2015-1790

CVE 2015 3195.patch

crypto/asn1/tasn_dec.c | 7 (+5 -2)
1 file changed, 5 insertions(+), 2 deletions(-)

[patch 1/2] fix leak with asn.1 combine.

When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

PR#4131

Always generate DH keys for ephemeral DH cipher suit.patch

ssl/s3_lib.c | 18 (+0 -18)
ssl/s3_srvr.c | 27 (+5 -22)
2 files changed, 5 insertions(+), 40 deletions(-)

[patch 1/2] always generate dh keys for ephemeral dh cipher suites

Modified version of the commit ffaef3f15 in the master branch by Stephen
Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
generates a new DH key for every handshake regardless.

This is a follow on from CVE-2016-0701. This branch is not impacted by
that CVE because it does not support X9.42 style parameters. It is still
possible to generate parameters based on primes that are not "safe",
although by default OpenSSL does not do this. The documentation does
sign post that using such parameters is unsafe if the private DH key is
reused. However to avoid accidental problems or future attacks this commit
has been backported to this branch.

Issue reported by Antonio Sanso

CVE 2015 3197.patch

ssl/s2_srvr.c | 15 (+13 -2)
1 file changed, 13 insertions(+), 2 deletions(-)

[patch 2/2] better sslv2 cipher-suite enforcement

Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>

CVE-2015-3197