Elly Fong-Jones [Wed, 12 Sep 2012 20:57:17 +0000 (16:57 -0400)]
[openssl] add blacklist-by-sha1 support
BUG=chromium-os:26806
TEST=unit
Change-Id: I8736bf9509240c7da5cafd0eaaf750c49adacbd2
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/33124
Reviewed-by: Will Drewry <wad@chromium.org>
Elly Jones [Tue, 15 May 2012 17:37:34 +0000 (13:37 -0400)]
[openssl] uprev to 1.0.1c
Only real merge conflicts were in /apps/verify.c, where a function argument's
type had changed.
TEST=security_OpenSSL*,trybot
BUG=chromium-os:21100
Change-Id: I9f3d8638cfcab7b4b3c2906a62a5d3a7b2ba3ec6
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Gerrit [Mon, 14 May 2012 19:39:45 +0000 (12:39 -0700)]
Merge "CHROMIUM: openssl: make 'verify' easier to use"
Elly Jones [Mon, 14 May 2012 13:13:23 +0000 (09:13 -0400)]
CHROMIUM: openssl: make 'verify' easier to use
1) Make it print a newline after the end of its error output; if there is no
BIO error, the output is printed with no newline.
2) Return a nonzero exit code if any cert failed to verify - 0 for all okay,
1 for a usage error, and 2 for a verification failure.
This patch was originally added in
chromiumos-overlay:
2ea51e44669062977689ff09a43ac8438f55673f
BUG=chromium-os:15581,chromium-os:21100
TEST=security_OpenSSLRegression
Reviewed-on: http://gerrit.chromium.org/gerrit/2224
Change-Id: Ibb6866634b5ae649441db87ffdb3ee5a2ebfb687
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Elly Jones [Mon, 19 Sep 2011 18:52:44 +0000 (14:52 -0400)]
CHROMIUM: openssl: re-enable blacklisting.
We can add certs to the blacklist by serial (with 'serial <n>') or by sha256sum
(with 'sha256 <n>').
TEST=script (added to package tests),security_OpenSSLBlacklist
BUG=chromium-os:20060
Change-Id: I432e9b20387ff35e3e4d30eed0db69ce5aba59fa
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Gaurav Shah [Fri, 27 Apr 2012 22:10:49 +0000 (15:10 -0700)]
BACKPORT: Apply fix for CVE-2012-2131
Fix is from http://cvs.openssl.org/chngview?cn=22479
The previous fix for CVE-2012-221 did not handle the 'len' argument to
BUF_MEM_grow and BUF_MEM_grow_clean being negative. This patch fixes that
by rejecting a negative len parameter.
BUG=chromium-os:30134
TEST=patched; emerge-amd64-generic openssl;
chroot /build/amd64-generic/ /usr/bin/curl -Iv https://encrypted.google.com;
chroot /build/amd64-generic/ /usr/bin/openssl s_client -connect encrypted.google.com:443 -debug;
Outside the chroot:
make all && make tests
Change-Id: I4a45d21c4fdf611d52be7c12e5f623e9771394f1
Will Drewry [Thu, 19 Apr 2012 00:56:29 +0000 (19:56 -0500)]
BACKPORT: Apply fix for CVE-2012-2110
asn1_d2i_read_bio in OpenSSL contains multiple integer errors that can
cause memory corruption when parsing encoded ASN.1 data. This error can
be exploited on systems that parse untrusted data, such as X.509
certificates or RSA public keys.
This change fixes these integer errors.
Change-Id: I681f02d8ef46e1015b34b41debf5f76e8fb5f29a
Signed-off-by: Tavis Ormandy <taviso@chromium.org>
Signed-off-by: Will Drewry <wad@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
BUG=chromium-os:29675
TEST=patched; emerge-amd64-generic openssl;
chroot /build/amd64-generic/ /usr/bin/curl -Iv https://encrypted.google.com;
chroot /build/amd64-generic/ /usr/bin/openssl s_client -connect encrypted.google.com:443 -debug;
Outside the chroot:
make all && make tests
Elly Jones [Mon, 6 Feb 2012 22:42:30 +0000 (17:42 -0500)]
openssl: move to 0.9.8t
This drops our patches to add blacklist support. I will re-add them shortly.
BUG=chromium-os:24755
TEST=build
Change-Id: I70d3205f319bd5bb5816a7722cef1f0a993e3c2b
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Elly Jones [Mon, 19 Sep 2011 18:52:44 +0000 (14:52 -0400)]
openssl: add blacklist-by-serial.
This lets us blacklist certs by serial as well as by sha256 fingerprint, and
adds the ability to comment in the blacklist file.
TEST=script (added to package tests)
BUG=chromium-os:20060
Change-Id: I57e98aa856a14d76341f41050d38477238649f37
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Elly Jones [Thu, 15 Sep 2011 18:18:01 +0000 (14:18 -0400)]
openssl: remove skip-patch-local-blacklist
With the logic and patch gone from the ebuild, there's no need for this file any
more.
This is phase 4 of a four-step dance:
1) Make the patch conditional on a file in the openssl repo
2) Apply the patch and touch the file to inhibit patching
3) Remove the patching logic in the openssl ebuild
4) Remove the file
BUG=chromium-os:20060
TEST=Build
Change-Id: I8234f7b7a3f4447b5a3d81ef4cee135f5deca258
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Elly Jones [Thu, 15 Sep 2011 18:07:27 +0000 (14:07 -0400)]
openssl: add local blacklist support.
Add support for blacklisting certificates (even if otherwise trusted) by
sha256sum. Cert fingerprints can be generated with 'openssl x509 -in $cert
-fingerprint -sha256'.
This is phase 2 of a four-step dance:
1) Make the patch conditional on a file in the openssl repo
2) Apply the patch and touch the file to inhibit patching
3) Remove the patching logic in the openssl ebuild
4) Remove the file
BUG=chromium-os:20060
TEST=Adhoc
This code was already tested as part of the openssl ebuild.
Change-Id: I27b2c7c6709d4c4748f607d03f50a1c6a7cb6d7d
Signed-off-by: Elly Jones <ellyjones@chromium.org>
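The three blacklist commits in this log (local blacklist by sha256 fingerprint, blacklist-by-serial with comments, and the re-enabled 'serial <n>' / 'sha256 <n>' syntax) describe a file format and a check but contain no code here. The following is an added example, written for this page and not taken from the Chromium OS openssl patches or from OpenSSL itself, of a minimal matcher in that style: it parses a blacklist, extracts a certificate's serial number with a small DER walk, computes the SHA-256 fingerprint over the DER bytes, and reports whether the certificate is blacklisted regardless of whether it would otherwise verify. The exact line syntax ('#' starts a comment, hex compared case-insensitively with ':' separators stripped), the function names and the structurally minimal toy certificate built for the test input are all assumptions of this example. The serial extraction walks the standard X.509 layout (Certificate SEQUENCE, tbsCertificate SEQUENCE, optional [0] version, serialNumber INTEGER), so it also works on real DER certificates, not only the toy one.

```python
"""Added example (not Chromium OS or OpenSSL code): a certificate blacklist
matcher in the style described by the commit messages on this page.
Assumed file format:  'serial <hex>' or 'sha256 <hex>' per line,
'#' starts a comment, blank lines are ignored."""
import hashlib


def parse_blacklist(text):
    """Return {'serial': set(int), 'sha256': set(lowercase hex)} from blacklist text."""
    entries = {"serial": set(), "sha256": set()}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # assumed comment syntax
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in entries:
            raise ValueError("blacklist line %d: unrecognised entry %r" % (lineno, raw))
        kind, value = parts[0], parts[1].replace(":", "").lower()
        if kind == "serial":
            entries["serial"].add(int(value, 16))      # compare serials numerically
        else:
            if len(value) != 64 or int(value, 16) < 0:  # int() also rejects non-hex
                raise ValueError("blacklist line %d: bad sha256 fingerprint" % lineno)
            entries["sha256"].add(value)
    return entries


def _der_tlv(buf, pos, limit):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end).
    A declared length that runs past the enclosing element is rejected."""
    if pos + 2 > limit:
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > limit:
            raise ValueError("indefinite or oversized DER length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > limit:
        raise ValueError("declared length %d exceeds enclosing element" % length)
    return tag, start, end


def cert_serial(der):
    """Serial number of a DER certificate: Certificate -> tbsCertificate ->
    optional [0] version -> serialNumber INTEGER."""
    tag, s, e = _der_tlv(der, 0, len(der))
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, s, e = _der_tlv(der, s, e)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vs, ve = _der_tlv(der, s, e)
    if tag == 0xA0:                                   # [0] EXPLICIT version, absent in v1 certs
        tag, vs, ve = _der_tlv(der, ve, e)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    return int.from_bytes(der[vs:ve], "big", signed=True)


def cert_sha256_fingerprint(der):
    """Same value 'openssl x509 -fingerprint -sha256' prints, without the colons."""
    return hashlib.sha256(der).hexdigest()


def is_blacklisted(der, entries):
    """Return 'sha256' or 'serial' naming the matching entry kind, or None."""
    if cert_sha256_fingerprint(der) in entries["sha256"]:
        return "sha256"
    if cert_serial(der) in entries["serial"]:
        return "serial"
    return None


# --- constructed test input: a structurally minimal DER "certificate" ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        lenb = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lenb = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + lenb + body


def _der_int(v):
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def make_toy_cert(serial):
    """NOT a valid X.509 certificate (no names, validity or key): only the
    outer layout the serial walk relies on, so the example runs offline."""
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + _der(0x30, b""))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    cert = make_toy_cert(0x1234)
    fp = ":".join(cert_sha256_fingerprint(cert)[i:i + 2] for i in range(0, 64, 2)).upper()
    bl = parse_blacklist("# constructed blacklist\nserial 1234  # hex\nsha256 %s\n" % fp)
    print(hex(cert_serial(cert)), is_blacklisted(cert, bl), is_blacklisted(make_toy_cert(0x99), bl))
```

For a real certificate the two entry values come from the commands the commit messages point at: `openssl x509 -in cert.pem -noout -fingerprint -sha256` for the fingerprint (pasted as printed, colons and upper case are normalised away) and `openssl x509 -in cert.pem -noout -serial` for the serial; the DER bytes to hash are `openssl x509 -in cert.pem -outform DER`. Fingerprint entries pin one exact certificate, while serial entries also catch a re-issued certificate that keeps the same serial, which is why both kinds are useful.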
Elly Jones [Tue, 13 Sep 2011 19:50:36 +0000 (15:50 -0400)]
openssl: add openssl 0.9.8r
From openssl-0.9.8r.tar.gz (sha1sum
a02411e5f4d463cac4a2a4a357a4a0b93bf65e72).
TEST=None
BUG=chromium-os:20060
Change-Id: I2c75cdec81111fd22b6800f6ad929399a1257e96
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Elly Jones [Tue, 13 Sep 2011 18:30:00 +0000 (14:30 -0400)]
Initial commit. Add PRESUBMIT.