[openssl-commits] [web] master update

[Mark J . Cox]

The branch master has been updated
   via  9da4a32ecfc59dfae1476ac8af43ca5f6e2069a6 (commit)
  from  33850da7c04593eaecb7ea9dacb6887989ad81d0 (commit)


- Log -
commit 9da4a32ecfc59dfae1476ac8af43ca5f6e2069a6
Author: Mark J. Cox 
Date:   Thu Jan 28 16:30:24 2016 +

Link to sec adv

---

Summary of changes:
 news/newsflash.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/news/newsflash.txt b/news/newsflash.txt
index 0a9c18b..14e67a1 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,7 @@
 # Format is two fields, colon-separated; the first line is the column
 # headings.  URL paths must all be absolute.
 Date: Item
+28-Jan-2016: Security Advisory: two 
security fixes
 28-Jan-2016: OpenSSL 1.0.2f is now available, including bug and security fixes
 28-Jan-2016: OpenSSL 1.0.1r is now available, including bug and security fixes
 25-Jan-2016: OpenSSL 1.0.2f and 1.0.1r https://mta.openssl.org/pipermail/openssl-announce/2016-January/58.html;>security
 releases due 28th Jan 2016
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_0_1r delete

[Matt Caswell]

The annotated tag OpenSSL_1_0_1r has been deleted
   was  c091f787c167eb8e570d5f5e8a1d35c3f57deef0

- Log -
73008bc6ef3f3490368ad2ab844f827e73a6198d Prepare for 1.0.1r release
---
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [web] master update

[Matt Caswell]

The branch master has been updated
   via  f22bb490115a71b980e4da6e35da76c678c99b98 (commit)
  from  61bead2a571724dab0540bcd2b390a559f1fd515 (commit)


- Log -
commit f22bb490115a71b980e4da6e35da76c678c99b98
Author: Matt Caswell 
Date:   Thu Jan 28 15:50:07 2016 +

Update wording on download page

---

Summary of changes:
 source/index.html | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/source/index.html b/source/index.html
index 971c2c6..39bcdb8 100644
--- a/source/index.html
+++ b/source/index.html
@@ -34,11 +34,12 @@
releases. This is also our Long Term Support (LTS) version (support 
will
be provided until 31st December 2019). Support for the 1.0.1 series 
will
be provided until 31st December 2016 (with security bug fixes only 
for
-   the final year). The 0.9.8 and 1.0.0 series are currently only 
receiving
-   security bug fixes and all support will be discontinued for these on
-   31st December 2015. Our newest version is 1.1.0 which is currently 
in
+   the final year). The 1.0.1 version is currently only receiving
+   security bug fixes and all support will be discontinued for this 
version
+   on 31st December 2016. Our newest version is 1.1.0 which is 
currently in
alpha testing and should not be used for production purposes at this
-   time.
+   time. The 0.9.8 and 1.0.0 versions are now out of support and 
should not
+be used.
 

  
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

[Matt Caswell]

The branch OpenSSL_1_0_1-stable has been updated
   via  69ff2444908e73d4b973f42daf989b46c774772e (commit)
   via  09ccb58518e84f76939f7e69929723263a42ca2e (commit)
   via  6210c70992011d6f4c52b63b0a1da3c3471ba5b0 (commit)
   via  bea4cb2e804160f08bd7f10286946c422e38ac3c (commit)
   via  5fed60f9622c023c358f2f8e5cb6692b5cc2d9bb (commit)
   via  4040a7fd104b412bd446338c6c28a62eb7d8e852 (commit)
   via  8bc643efc89cbcfba17369801cf4eeca037b6cc1 (commit)
  from  126ac21c80967ec00f802d356462c1b83fa0f54c (commit)


- Log -
commit 69ff2444908e73d4b973f42daf989b46c774772e
Author: Matt Caswell 
Date:   Thu Jan 28 14:22:09 2016 +

Prepare for 1.0.1s-dev

Reviewed-by: Richard Levitte 

commit 09ccb58518e84f76939f7e69929723263a42ca2e
Author: Matt Caswell 
Date:   Thu Jan 28 14:21:21 2016 +

Prepare for 1.0.1r release

Reviewed-by: Richard Levitte 

commit 6210c70992011d6f4c52b63b0a1da3c3471ba5b0
Author: Richard Levitte 
Date:   Thu Jan 28 15:18:50 2016 +0100

TARFILE wasn't correctly set

This solves an earlier cherry-pick mistake.

Reviewed-by: Matt Caswell 

commit bea4cb2e804160f08bd7f10286946c422e38ac3c
Author: Matt Caswell 
Date:   Thu Jan 28 12:28:53 2016 +

Further updates to CHANGES and NEWS

Reviewed-by: Richard Levitte 

commit 5fed60f9622c023c358f2f8e5cb6692b5cc2d9bb
Author: Matt Caswell 
Date:   Wed Jan 27 13:55:05 2016 +

Update CHANGES and NEWS ready for release

Update CHANGES and NEWS with details of the issues fixed in the forthcoming
release.

Reviewed-by: Rich Salz 

commit 4040a7fd104b412bd446338c6c28a62eb7d8e852
Author: Viktor Dukhovni 
Date:   Wed Dec 30 22:44:51 2015 -0500

Better SSLv2 cipher-suite enforcement

Based on patch by: Nimrod Aviram 

CVE-2015-3197

Reviewed-by: Tim Hudson 
Reviewed-by: Richard Levitte 

commit 8bc643efc89cbcfba17369801cf4eeca037b6cc1
Author: Matt Caswell 
Date:   Thu Dec 17 02:57:20 2015 +

Always generate DH keys for ephemeral DH cipher suites

Modified version of the commit ffaef3f15 in the master branch by Stephen
Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
generates a new DH key for every handshake regardless.

This is a follow on from CVE-2016-0701. This branch is not impacted by
that CVE because it does not support X9.42 style parameters. It is still
possible to generate parameters based on primes that are not "safe",
although by default OpenSSL does not do this. The documentation does
sign post that using such parameters is unsafe if the private DH key is
reused. However to avoid accidental problems or future attacks this commit
has been backported to this branch.

Issue reported by Antonio Sanso

Reviewed-by: Viktor Dukhovni 

---

Summary of changes:
 CHANGES | 25 -
 Makefile.org|  2 +-
 NEWS|  7 ++-
 README  |  2 +-
 crypto/opensslv.h   |  6 +++---
 doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 29 +
 openssl.spec|  2 +-
 ssl/s2_srvr.c   | 15 +--
 ssl/s3_lib.c| 14 --
 ssl/s3_srvr.c   | 17 +++--
 ssl/ssl.h   |  2 +-
 11 files changed, 58 insertions(+), 63 deletions(-)

diff --git a/CHANGES b/CHANGES
index 23ca912..39ab8bd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,30 @@
  OpenSSL CHANGES
  ___
 
- Changes between 1.0.1q and 1.0.1r [xx XXX ]
+ Changes between 1.0.1r and 1.0.1s [xx XXX ]
+
+  *)
+
+ Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
+
+  *) Protection for DH small subgroup attacks
+
+ As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
+ switched on by default and cannot be disabled. This could have some
+ performance impact.
+ [Matt Caswell]
+
+  *) SSLv2 doesn't block disabled ciphers
+
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on
+ the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+ been disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
+
+ This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+ 

[openssl-commits] Build failed: openssl master.678

[AppVeyor]

Build openssl master.678 failed


Commit 35ade23b02 by Viktor Dukhovni on 1/29/2016 2:39 AM:

Keep RC5 bit shifts in [0..31]


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

[Richard Levitte]

The branch OpenSSL_1_0_2-stable has been updated
   via  da7947e8c6915d86616425ecbc4906f079ef122f (commit)
  from  22d192f106fe0d6e43a41a65278e76f612e2eca3 (commit)


- Log -
commit da7947e8c6915d86616425ecbc4906f079ef122f
Author: Richard Levitte 
Date:   Thu Jan 28 17:55:11 2016 +0100

Correct number of arguments in BIO_get_conn_int_port macro

Reviewed-by: Rich Salz 
(cherry picked from commit 41a28cb2944a4e1c9d13889757a3bd9f72abeca1)

---

Summary of changes:
 crypto/bio/bio.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h
index 6e2293b..498cc32 100644
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -479,7 +479,7 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
 # define BIO_get_conn_port(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
 # define BIO_get_conn_ip(b)   BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
-# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL)
+# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL)
 
 # define BIO_set_nbio(b,n)   BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

[Kurt Roeckx]

The branch OpenSSL_1_0_2-stable has been updated
   via  2b0c11a620c3a3431410c5d56799286f60f60d8d (commit)
  from  da7947e8c6915d86616425ecbc4906f079ef122f (commit)


- Log -
commit 2b0c11a620c3a3431410c5d56799286f60f60d8d
Author: Kurt Roeckx 
Date:   Wed Jan 27 20:31:57 2016 +0100

Fix CHANGES entry about DSA_generate_parameters_ex

Reviewed-by: Viktor Dukhovni 

---

Summary of changes:
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 0cfd730..f2126bc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -109,7 +109,7 @@
  [Emilia Käsper]
 
   *) In DSA_generate_parameters_ex, if the provided seed is too short,
- return an error
+ use a random seed, as already documented.
  [Rich Salz and Ismo Puustinen ]
 
  Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

[Kurt Roeckx]

The branch OpenSSL_1_0_1-stable has been updated
   via  99a5c8a6592b18ce9b06be8d623d7e85f3e62e63 (commit)
  from  5d5de781a5e091ecc60b9171ce3fb8daf8c31156 (commit)


- Log -
commit 99a5c8a6592b18ce9b06be8d623d7e85f3e62e63
Author: Kurt Roeckx 
Date:   Wed Jan 27 20:31:57 2016 +0100

Fix CHANGES entry about DSA_generate_parameters_ex

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 2b0c11a620c3a3431410c5d56799286f60f60d8d)

---

Summary of changes:
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 39ab8bd..cdc4e6f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -66,7 +66,7 @@
  [Emilia Käsper]
 
   *) In DSA_generate_parameters_ex, if the provided seed is too short,
- return an error
+ use a random seed, as already documented.
  [Rich Salz and Ismo Puustinen ]
 
  Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Fixed: mouse07410/openssl#8 (OpenSSL_1_0_2-stable - 685084c)

[Travis CI]

Build Update for mouse07410/openssl
-

Build: #8
Status: Fixed

Duration: 5 minutes and 26 seconds
Commit: 685084c (OpenSSL_1_0_2-stable)
Author: Uri Blumenthal
Message: Merge remote-tracking branch 'upstream/OpenSSL_1_0_2-stable' into 
OpenSSL_1_0_2-stable

View the changeset: 
https://github.com/mouse07410/openssl/compare/44cff93b59fe...685084cf627d

View the full build log and details: 
https://travis-ci.org/mouse07410/openssl/builds/105471869

--

You can configure recipients for build notifications in your .travis.yml file. 
See https://docs.travis-ci.com/user/notifications

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Errored: openssl/openssl#1369 (master - cc373a3)

[Travis CI]

Build Update for openssl/openssl
-

Build: #1369
Status: Errored

Duration: 57 minutes and 46 seconds
Commit: cc373a3 (master)
Author: Rich Salz
Message: Remove extraneous output from util/mk scripts

Reviewed-by: Richard Levitte 

View the changeset: 
https://github.com/openssl/openssl/compare/45bf87a0b985...cc373a37a193

View the full build log and details: 
https://travis-ci.org/openssl/openssl/builds/105517782

--

You can configure recipients for build notifications in your .travis.yml file. 
See https://docs.travis-ci.com/user/notifications

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[Rich Salz]

The branch master has been updated
   via  45bf87a0b985c79c4fe84722df7e3f50cde00dae (commit)
  from  1119ddff84a4e65327073991a8052002dd71fe00 (commit)


- Log -
commit 45bf87a0b985c79c4fe84722df7e3f50cde00dae
Author: Rich Salz 
Date:   Wed Jan 27 22:00:55 2016 -0500

Remove outdated tests

These tests are not built, and only usable as hand-tests so not
worth moving into our test framework.
This closes https://github.com/openssl/openssl/pull/561 and RT 4252

Reviewed-by: Richard Levitte 

---

Summary of changes:
 crypto/lhash/lh_test.c | 89 --
 crypto/o_dir_test.c| 67 -
 2 files changed, 156 deletions(-)
 delete mode 100644 crypto/lhash/lh_test.c
 delete mode 100644 crypto/o_dir_test.c

diff --git a/crypto/lhash/lh_test.c b/crypto/lhash/lh_test.c
deleted file mode 100644
index c1d4578..000
--- a/crypto/lhash/lh_test.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (e...@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (t...@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *notice, this list of conditions and the following disclaimer in the
- *documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *must display the following acknowledgement:
- *"This product includes cryptographic software written by
- * Eric Young (e...@cryptsoft.com)"
- *The word 'cryptographic' can be left out if the rouines from the library
- *being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *the apps directory (application code) you must include an 
acknowledgement:
- *"This product includes software written by Tim Hudson 
(t...@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include 
-#include 
-#include 
-#include 
-
-main()
-{
-LHASH *conf;
-char buf[256];
-int i;
-
-conf = lh_new(lh_strhash, strcmp);
-for (;;) {
-char *p;
-
-buf[0] = '\0';
-fgets(buf, 256, stdin);
-if (buf[0] == '\0')
-break;
-i = strlen(buf);
-p = OPENSSL_malloc(i + 1);
-if (p == NULL)
-abort();
-memcpy(p, buf, i + 1);
-lh_insert(conf, p);
-}
-
-lh_node_stats(conf, stdout);
-lh_stats(conf, stdout);
-lh_node_usage_stats(conf, stdout);
-exit(0);
-}
diff --git 

[openssl-commits] [openssl] master update

[Rich Salz]

The branch master has been updated
   via  cc373a37a193dbd00be20fc358b03403338ff873 (commit)
  from  45bf87a0b985c79c4fe84722df7e3f50cde00dae (commit)


- Log -
commit cc373a37a193dbd00be20fc358b03403338ff873
Author: Rich Salz 
Date:   Thu Jan 28 14:17:19 2016 -0500

Remove extraneous output from util/mk scripts

Reviewed-by: Richard Levitte 

---

Summary of changes:
 util/mkdef.pl | 21 +
 util/mkerr.pl |  1 -
 2 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/util/mkdef.pl b/util/mkdef.pl
index 097d252..3151800 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -1028,7 +1028,8 @@ sub reduce_platforms
return $ret;
 }
 
-sub info_string {
+sub info_string
+{
(my $symbol, my $exist, my $platforms, my $kind, my $algorithms) = @_;
 
my %a = defined($algorithms) ?
@@ -1046,13 +1047,13 @@ sub info_string {
return $ret;
 }
 
-sub maybe_add_info {
+sub maybe_add_info
+{
(my $name, *nums, my @symbols) = @_;
my $sym;
my $new_info = 0;
my %syms=();
 
-   print STDERR "Updating $name info\n";
foreach $sym (@symbols) {
(my $s, my $i) = split /\\/, $sym;
if (defined($nums{$s})) {
@@ -1076,12 +1077,11 @@ sub maybe_add_info {
}
}
if ($new_info) {
-   print STDERR "$new_info old symbols got an info update\n";
+   print STDERR "$name: $new_info old symbols have updated info\n";
if (!$do_rewrite) {
print STDERR "You should do a rewrite to fix this.\n";
}
} else {
-   print STDERR "No old symbols needed info update\n";
}
 }
 
@@ -1171,7 +1171,8 @@ sub print_test_file
}
 }
 
-sub get_version {
+sub get_version
+{
return $config{version};
 }
 
@@ -1431,8 +1432,6 @@ sub rewrite_numbers
(*OUT,$name,*nums,@symbols)=@_;
my $thing;
 
-   print STDERR "Rewriting $name\n";
-
my @r = grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:\w+\(\w+\)/,@symbols);
my $r; my %r; my %rsyms;
foreach $r (@r) {
@@ -1481,8 +1480,6 @@ sub update_numbers
 
($basevers, $vers) = get_openssl_version();
 
-   print STDERR "Updating $name numbers\n";
-
my @r = grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:\w+\(\w+\)/,@symbols);
my $r; my %r; my %rsyms;
foreach $r (@r) {
@@ -1512,9 +1509,9 @@ sub update_numbers
}
}
if($new_syms) {
-   print STDERR "$new_syms New symbols added\n";
+   print STDERR "$name: Added $new_syms new symbols\n";
} else {
-   print STDERR "No New symbols Added\n";
+   print STDERR "$name: No new symbols added\n";
}
 }
 
diff --git a/util/mkerr.pl b/util/mkerr.pl
index 4b41c6c..7e84de9 100644
--- a/util/mkerr.pl
+++ b/util/mkerr.pl
@@ -384,7 +384,6 @@ foreach $lib (keys %csrc)
my $hfile = $hinc{$lib};
my $cfile = $csrc{$lib};
if(!$fnew{$lib} && !$rnew{$lib}) {
-   print STDERR "$lib:\t\tNo new error codes\n";
next unless $rebuild;
} else {
print STDERR "$lib:\t\t$fnew{$lib} New Functions,";
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[Rich Salz]

The branch master has been updated
   via  1119ddff84a4e65327073991a8052002dd71fe00 (commit)
  from  78d6a74a6caffb1949da68e599de94a9d309e49a (commit)


- Log -
commit 1119ddff84a4e65327073991a8052002dd71fe00
Author: Rich Salz 
Date:   Thu Jan 28 14:26:50 2016 -0500

Add more components to build.

Add enable-crypto-mdebug enable-rc5 enable-md2 to any target that was
--strict-warnings.

Reviewed-by: Richard Levitte 

---

Summary of changes:
 .travis.yml | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index b16998b..e3ab38f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -28,7 +28,7 @@ env:
 - CONFIG_OPTS=""
 - CONFIG_OPTS="shared"
 - CONFIG_OPTS="no-asm"
-- CONFIG_OPTS="--debug --strict-warnings"
+- CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 
enable-md2"
 
 matrix:
 include:
@@ -37,13 +37,13 @@ matrix:
   env: CONFIG_OPTS="-fsanitize=address"
 - os: linux
   compiler: clang-3.6
-  env: CONFIG_OPTS="no-asm --debug --strict-warnings 
-fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
+  env: CONFIG_OPTS="no-asm --debug --strict-warnings 
-fno-sanitize-recover -fsanitize=address -fsanitize=undefined 
enable-crypto-mdebug enable-rc5 enable-md2"
 - os: linux
   compiler: gcc-5
   env: CONFIG_OPTS="-fsanitize=address"
 - os: linux
   compiler: gcc-5
-  env: CONFIG_OPTS="no-asm --debug --strict-warnings 
-fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
+  env: CONFIG_OPTS="no-asm --debug --strict-warnings 
-fno-sanitize-recover -fsanitize=address -fsanitize=undefined 
enable-crypto-mdebug enable-rc5 enable-md2"
 exclude:
 - os: osx
   compiler: clang-3.6
@@ -63,9 +63,9 @@ matrix:
   env: CONFIG_OPTS="no-asm"
 allow_failures:
 - compiler: i686-w64-mingw32-gcc
-  env: CONFIG_OPTS="--debug --strict-warnings"
+  env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug 
enable-rc5 enable-md2"
 - compiler: x86_64-w64-mingw32-gcc
-  env: CONFIG_OPTS="--debug --strict-warnings"
+  env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug 
enable-rc5 enable-md2"
 
 before_script:
 - sh .travis-create-release.sh $TRAVIS_OS_NAME
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Errored: openssl/openssl#1354 (OpenSSL_1_0_2-stable - 22d192f)

[Travis CI]

Build Update for openssl/openssl
-

Build: #1354
Status: Errored

Duration: 11 minutes and 14 seconds
Commit: 22d192f (OpenSSL_1_0_2-stable)
Author: Matt Caswell
Message: Prepare for 1.0.2g-dev

Reviewed-by: Richard Levitte 

View the changeset: 
https://github.com/openssl/openssl/compare/3665fa25436f...22d192f106fe

View the full build log and details: 
https://travis-ci.org/openssl/openssl/builds/105432403

--

You can configure recipients for build notifications in your .travis.yml file. 
See https://docs.travis-ci.com/user/notifications

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Still Failing: openssl/openssl#1368 (master - 45bf87a)

[Travis CI]

Build Update for openssl/openssl
-

Build: #1368
Status: Still Failing

Duration: 47 minutes and 50 seconds
Commit: 45bf87a (master)
Author: Rich Salz
Message: Remove outdated tests

These tests are not built, and only usable as hand-tests so not
worth moving into our test framework.
This closes https://github.com/openssl/openssl/pull/561 and RT 4252

Reviewed-by: Richard Levitte 

View the changeset: 
https://github.com/openssl/openssl/compare/1119ddff84a4...45bf87a0b985

View the full build log and details: 
https://travis-ci.org/openssl/openssl/builds/105515411

--

You can configure recipients for build notifications in your .travis.yml file. 
See https://docs.travis-ci.com/user/notifications

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Still Failing: openssl/openssl#1369 (master - cc373a3)

[Travis CI]

Build Update for openssl/openssl
-

Build: #1369
Status: Still Failing

Duration: 4 minutes and 21 seconds
Commit: cc373a3 (master)
Author: Rich Salz
Message: Remove extraneous output from util/mk scripts

Reviewed-by: Richard Levitte 

View the changeset: 
https://github.com/openssl/openssl/compare/45bf87a0b985...cc373a37a193

View the full build log and details: 
https://travis-ci.org/openssl/openssl/builds/105517782

--

You can configure recipients for build notifications in your .travis.yml file. 
See https://docs.travis-ci.com/user/notifications

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [web] master update

[Richard Levitte]

The branch master has been updated
   via  4f41f34a62a93b93f5001aa56cd25dc17f4a58ad (commit)
  from  b26f6369ab93a176b282c44961303172fbce3d07 (commit)


- Log -
commit 4f41f34a62a93b93f5001aa56cd25dc17f4a58ad
Author: Richard Levitte 
Date:   Thu Jan 28 13:44:14 2016 +0100

Updated release dates

---

Summary of changes:
 policies/releasestrat.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policies/releasestrat.html b/policies/releasestrat.html
index 11220ab..35f644f 100644
--- a/policies/releasestrat.html
+++ b/policies/releasestrat.html
@@ -85,9 +85,9 @@
 
  
10th December 2015, alpha release 1
-   7th January 2016, alpha release 2
-   4th February 2016, alpha release 3
-   3rd March 2016, 1.1.0 beta 1 release
+   14th January 2016, alpha release 2
+   11th February 2016, alpha release 3
+   10th March 2016, 1.1.0 beta 1 release
31st March 2016, 1.1.0 beta 2 release
28th April 2016, 1.1.0 public release
  
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [web] master update

[Richard Levitte]

The branch master has been updated
   via  e7fa3cd70c15cfc026bb84142e39b3202f1e2526 (commit)
  from  1472515d626a47fd37cb94fe723c6c7ddd05445f (commit)


- Log -
commit e7fa3cd70c15cfc026bb84142e39b3202f1e2526
Author: Richard Levitte 
Date:   Thu Jan 28 13:51:20 2016 +0100

This year!

---

Summary of changes:
 policies/releasestrat.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policies/releasestrat.html b/policies/releasestrat.html
index 794be50..1df590a 100644
--- a/policies/releasestrat.html
+++ b/policies/releasestrat.html
@@ -13,7 +13,7 @@
  Release Strategy
  
First issued 23rd December 2014
-   Last modified 28th January 2015
+   Last modified 28th January 2016
  

 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [web] master update

[Richard Levitte]

The branch master has been updated
   via  1472515d626a47fd37cb94fe723c6c7ddd05445f (commit)
  from  4f41f34a62a93b93f5001aa56cd25dc17f4a58ad (commit)


- Log -
commit 1472515d626a47fd37cb94fe723c6c7ddd05445f
Author: Richard Levitte 
Date:   Thu Jan 28 13:49:28 2016 +0100

Forgot to update the "Last modified" date

---

Summary of changes:
 policies/releasestrat.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policies/releasestrat.html b/policies/releasestrat.html
index 35f644f..794be50 100644
--- a/policies/releasestrat.html
+++ b/policies/releasestrat.html
@@ -13,7 +13,7 @@
  Release Strategy
  
First issued 23rd December 2014
-   Last modified 10th December 2015
+   Last modified 28th January 2015
  

 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Passed: openssl/openssl#1351 (master - 7eba4e6)

[Travis CI]

Build Update for openssl/openssl
-

Build: #1351
Status: Passed

Duration: 40 minutes and 49 seconds
Commit: 7eba4e6 (master)
Author: Viktor Dukhovni
Message: Restore NUMPRIMES as a numeric literal

This fixes clang compilation problem with size_t NUMPRIMES and int
loop counters.

Reviewed-by: Rich Salz 

View the changeset: 
https://github.com/openssl/openssl/compare/3538c7da3d53...7eba4e620774

View the full build log and details: 
https://travis-ci.org/openssl/openssl/builds/105393871

--

You can configure recipients for build notifications in your .travis.yml file. 
See https://docs.travis-ci.com/user/notifications

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[Viktor Dukhovni]

The branch master has been updated
   via  7eba4e62077484aebec010157424287f1963c88f (commit)
  from  3538c7da3d53dca70be5f507376299843046d2b7 (commit)


- Log -
commit 7eba4e62077484aebec010157424287f1963c88f
Author: Viktor Dukhovni 
Date:   Thu Jan 28 00:10:11 2016 -0500

Restore NUMPRIMES as a numeric literal

This fixes clang compilation problem with size_t NUMPRIMES and int
loop counters.

Reviewed-by: Rich Salz 

---

Summary of changes:
 Makefile.in   | 6 +++---
 crypto/bn/bn_prime.c  | 2 --
 crypto/bn/bn_prime.h  | 5 -
 crypto/bn/bn_prime.pl | 3 ++-
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/Makefile.in b/Makefile.in
index 629141d..80d5f17 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -442,9 +442,9 @@ depend:
 update: generate errors ordinals depend
 
 generate:
-   (cd apps && $(MAKE) generate)
-   (cd crypto/bn && $(MAKE) generate)
-   (cd crypto/objects && $(MAKE) generate)
+   (cd apps && PERL='${PERL}' $(MAKE) generate)
+   (cd crypto/bn && PERL='${PERL}' $(MAKE) generate)
+   (cd crypto/objects && PERL='${PERL}' $(MAKE) generate)
 
 errors:
$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index 8d1294f..a5887d9 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -121,8 +121,6 @@
  */
 #include "bn_prime.h"
 
-#define NUMPRIMES OSSL_NELEM(primes)
-
 static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
const BIGNUM *a1_odd, int k, BN_CTX *ctx,
BN_MONT_CTX *mont);
diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h
index d1fbcd1..6f6949c 100644
--- a/crypto/bn/bn_prime.h
+++ b/crypto/bn/bn_prime.h
@@ -57,7 +57,10 @@
  */
 
 typedef unsigned short prime_t;
-static const prime_t primes[] = {
+# define NUMPRIMES 2048
+
+static const prime_t primes[2048] = {
+
2,3,5,7,   11,   13,   17,   19, 
   23,   29,   31,   37,   41,   43,   47,   53, 
   59,   61,   67,   71,   73,   79,   83,   89, 
diff --git a/crypto/bn/bn_prime.pl b/crypto/bn/bn_prime.pl
index add6ffb..3a5f064 100644
--- a/crypto/bn/bn_prime.pl
+++ b/crypto/bn/bn_prime.pl
@@ -76,8 +76,9 @@ loop: while ($#primes < $num-1) {
 }
 
 print "typedef unsigned short prime_t;\n";
+printf "# define NUMPRIMES %d\n\n", $num;
 
-print "static const prime_t primes[] = {";
+printf "static const prime_t primes[%d] = {\n", $num;
 for (my $i = 0; $i <= $#primes; $i++) {
 printf "\n" if ($i % 8) == 0;
 printf "%4d, ", $primes[$i];
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[Viktor Dukhovni]

The branch master has been updated
   via  35ade23b02a02b5514941586030016b67ac0934e (commit)
  from  987157f6f63fa70dbeffca3c8bc62f26e9767ff2 (commit)


- Log -
commit 35ade23b02a02b5514941586030016b67ac0934e
Author: Viktor Dukhovni 
Date:   Thu Jan 28 19:04:49 2016 -0500

Keep RC5 bit shifts in [0..31]

Reviewed-by: Richard Levitte 

---

Summary of changes:
 crypto/rc5/rc5_locl.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/rc5/rc5_locl.h b/crypto/rc5/rc5_locl.h
index 990..6b34f92 100644
--- a/crypto/rc5/rc5_locl.h
+++ b/crypto/rc5/rc5_locl.h
@@ -170,10 +170,10 @@
 # endif
 #endif
 #ifndef ROTATE_l32
-# define ROTATE_l32(a,n) 
(((a)<<(n&0x1f))|(((a)&0x)>>(32-(n&0x1f
+# define ROTATE_l32(a,n) 
(((a)<<(n&0x1f))|(((a)&0x)>>((32-n)&0x1f)))
 #endif
 #ifndef ROTATE_r32
-# define ROTATE_r32(a,n) 
(((a)<<(32-(n&0x1f)))|(((a)&0x)>>(n&0x1f)))
+# define ROTATE_r32(a,n) 
(((a)<<((32-n)&0x1f))|(((a)&0x)>>(n&0x1f)))
 #endif
 
 #define RC5_32_MASK 0xL
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Fixed: openssl/openssl#1371 (master - 35ade23)

[Travis CI]

Build Update for openssl/openssl
-

Build: #1371
Status: Fixed

Duration: 44 minutes and 31 seconds
Commit: 35ade23 (master)
Author: Viktor Dukhovni
Message: Keep RC5 bit shifts in [0..31]

Reviewed-by: Richard Levitte 

View the changeset: 
https://github.com/openssl/openssl/compare/987157f6f63f...35ade23b02a0

View the full build log and details: 
https://travis-ci.org/openssl/openssl/builds/105587507

--

You can configure recipients for build notifications in your .travis.yml file. 
See https://docs.travis-ci.com/user/notifications

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Build failed: openssl master.658

[AppVeyor]

Build openssl master.658 failed


Commit 7eba4e6207 by Viktor Dukhovni on 1/28/2016 11:36 AM:

Restore NUMPRIMES as a numeric literal


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[Rich Salz]

The branch master has been updated
   via  3444c36ab489b7084832254723a356e3c2eb023a (commit)
  from  7eba4e62077484aebec010157424287f1963c88f (commit)


- Log -
commit 3444c36ab489b7084832254723a356e3c2eb023a
Author: Rich Salz 
Date:   Thu Jan 28 09:18:21 2016 -0500

Fix typo in md2.h

Reviewed-by: Matt Caswell 

---

Summary of changes:
 include/openssl/md2.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/openssl/md2.h b/include/openssl/md2.h
index 4104d0e..1dba7cf 100644
--- a/include/openssl/md2.h
+++ b/include/openssl/md2.h
@@ -64,7 +64,7 @@
 # endif
 # include 
 
-typdef unsigned char MD2_INT;
+typedef unsigned char MD2_INT;
 
 # define MD2_DIGEST_LENGTH   16
 # define MD2_BLOCK   16
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Build failed: openssl master.677

[AppVeyor]

Build openssl master.677 failed


Commit 987157f6f6 by Dr. Stephen Henson on 1/28/2016 11:41 PM:

Use callback for DSAPublicKey


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [web] master update

[Matt Caswell]

The branch master has been updated
   via  61bead2a571724dab0540bcd2b390a559f1fd515 (commit)
  from  e7fa3cd70c15cfc026bb84142e39b3202f1e2526 (commit)


- Log -
commit 61bead2a571724dab0540bcd2b390a559f1fd515
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Jan 28 14:37:36 2016 +

Updates for the new release

---

Summary of changes:
 news/newsflash.txt   |   2 +
 news/secadv/20160128.txt | 138 +++
 news/vulnerabilities.xml | 103 ++-
 3 files changed, 242 insertions(+), 1 deletion(-)
 create mode 100644 news/secadv/20160128.txt

diff --git a/news/newsflash.txt b/news/newsflash.txt
index 4ec145d..0a9c18b 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,8 @@
 # Format is two fields, colon-separated; the first line is the column
 # headings.  URL paths must all be absolute.
 Date: Item
+28-Jan-2016: OpenSSL 1.0.2f is now available, including bug and security fixes
+28-Jan-2016: OpenSSL 1.0.1r is now available, including bug and security fixes
 25-Jan-2016: OpenSSL 1.0.2f and 1.0.1r https://mta.openssl.org/pipermail/openssl-announce/2016-January/58.html;>security
 releases due 28th Jan 2016
 14-Jan-2016: Alpha 2 of OpenSSL 1.1.0 is now available: please download and 
test it
 10-Dec-2015: Alpha 1 of OpenSSL 1.1.0 is now available: please download and 
test it
diff --git a/news/secadv/20160128.txt b/news/secadv/20160128.txt
new file mode 100644
index 000..43a8933
--- /dev/null
+++ b/news/secadv/20160128.txt
@@ -0,0 +1,138 @@
+OpenSSL Security Advisory [28th Jan 2016]
+=
+
+NOTE: SUPPORT FOR VERSION 1.0.1 WILL BE ENDING ON 31ST DECEMBER 2016. NO
+SECURITY FIXES WILL BE PROVIDED AFTER THAT DATE. UNTIL THAT TIME SECURITY FIXES
+ONLY ARE BEING APPLIED.
+
+DH small subgroups (CVE-2016-0701)
+==
+
+Severity: High
+
+Historically OpenSSL usually only ever generated DH parameters based on "safe"
+primes. More recently (in version 1.0.2) support was provided for generating
+X9.42 style parameter files such as those required for RFC 5114 support. The
+primes used in such files may not be "safe". Where an application is using DH
+configured with parameters based on primes that are not "safe" then an attacker
+could use this fact to find a peer's private DH exponent. This attack requires
+that the attacker complete multiple handshakes in which the peer uses the same
+private DH exponent. For example this could be used to discover a TLS server's
+private DH exponent if it's reusing the private DH exponent or it's using a
+static DH ciphersuite.
+
+OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
+It is not on by default. If the option is not set then the server reuses the
+same private DH exponent for the life of the server process and would be
+vulnerable to this attack. It is believed that many popular applications do set
+this option and would therefore not be at risk.
+
+OpenSSL before 1.0.2f will reuse the key if:
+- SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not
+  set.
+- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the
+  parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
+  an undocumted feature and parameter files don't contain the key.
+- Static DH ciphersuites are used. The key is part of the certificate and
+  so it will always reuse it. This is only supported in 1.0.2.
+
+It will not reuse the key for DHE ciphers suites if:
+- SSL_OP_SINGLE_DH_USE is set
+- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
+  callback does not provide the key, only the parameters. The callback is
+  almost always used like this.
+
+Non-safe primes are generated by OpenSSL when using:
+- genpkey with the dh_rfc5114 option. This will write an X9.42 style file
+  including the prime-order subgroup size "q". This is supported since the 
1.0.2
+  version. Older versions can't read files generated in this way.
+- dhparam with the -dsaparam option. This has always been documented as
+  requiring the single use.
+
+The fix for this issue adds an additional check where a "q" parameter is
+available (as is the case in X9.42 based parameters). This detects the
+only known attack, and is the only possible defense for static DH ciphersuites.
+This could have some performance impact.
+
+Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
+and cannot be disabled. This could have some performance impact.
+
+This issue affects OpenSSL version 1.0.2.
+
+OpenSSL 1.0.2 users should upgrade to 1.0.2f
+
+OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42
+based parameters. It