chromiumos/third_party/openssl.git
19 months ago [openssl] add blacklist-by-sha1 support factory-2914.B factory-2985.B factory-2993.B factory-3004.B factory-3536.B factory-4128.B factory-4290.B factory-4455.B factory-pit-4280.B factory-pit-4390.B factory-pit-4471.B factory-spring-3842.B factory-spring-4131.B factory-spring-4262.B firmware-falco_peppy-4389.B firmware-leon-4389.26.B firmware-pit-4482.B firmware-spring-3824.4.B firmware-spring-3824.55.B firmware-spring-3824.84.B firmware-spring-3824.B firmware-wolf-4389.24.B master release-R23-2913.B release-R25-3428.B release-R26-3701.B release-R27-3912.B release-R28-4100.B release-R29-4319.B release-R30-4537.B stabilize stabilize-3428.110.0 stabilize-3428.149 stabilize-3428.149.B stabilize-3428.193 stabilize-3658.0.0 stabilize-3701.30.0 stabilize-3701.30.0b stabilize-3701.46.B stabilize-3701.81.B stabilize-3881.0.B stabilize-3912.79.B stabilize-4008.0.B stabilize-4035.0.B stabilize-4068.0.B stabilize-4100.38.B stabilize-4255.B stabilize-4287.B stabilize-4443.B stabilize-4512.B stabilize-bluetooth-smart stabilize-daisy stabilize-link stabilize-link-2913.278 stabilize-spring-4100.53.B stabilize2 toolchain-3428.65.B toolchain-3701.42.B toolchainA toolchainB
Elly Fong-Jones [Wed, 12 Sep 2012 20:57:17 +0000 (16:57 -0400)]
[openssl] add blacklist-by-sha1 support

BUG=chromium-os:26806
TEST=unit

Change-Id: I8736bf9509240c7da5cafd0eaaf750c49adacbd2
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/33124
Reviewed-by: Will Drewry <wad@chromium.org>
22 months ago [openssl] uprev to 1.0.1c 09/22709/4 factory-2368.B factory-2394.B factory-2460.B factory-2475.B factory-2569.B factory-2717.B factory-2723.14.B factory-2846.B factory-2848.B firmware-butterfly-2788.B firmware-link-2348.B firmware-link-2695.2.B firmware-link-2695.B firmware-parrot-2685.B firmware-snow-2695.90.B firmware-snow-2695.B firmware-stout-2817.B release-R21-2465.B release-R22-2723.B
Elly Jones [Tue, 15 May 2012 17:37:34 +0000 (13:37 -0400)]
[openssl] uprev to 1.0.1c

Only real merge conflicts were in /apps/verify.c, where a function argument's
type had changed.

TEST=security_OpenSSL*,trybot
BUG=chromium-os:21100

Change-Id: I9f3d8638cfcab7b4b3c2906a62a5d3a7b2ba3ec6
Signed-off-by: Elly Jones <ellyjones@chromium.org>
23 months ago Merge "CHROMIUM: openssl: make 'verify' easier to use" factory-2305.B factory-2338.B
Gerrit [Mon, 14 May 2012 19:39:45 +0000 (12:39 -0700)]
Merge "CHROMIUM: openssl: make 'verify' easier to use"

23 months ago CHROMIUM: openssl: make 'verify' easier to use 73/22573/1
Elly Jones [Mon, 14 May 2012 13:13:23 +0000 (09:13 -0400)]
CHROMIUM: openssl: make 'verify' easier to use

1) Make it print a newline after the end of its error output; if there is no
   BIO error, the output is printed with no newline.
2) Return a nonzero exit code if any cert failed to verify - 0 for all okay,
   1 for a usage error, and 2 for a verification failure.

This patch was originally added in
chromiumos-overlay:2ea51e44669062977689ff09a43ac8438f55673f

BUG=chromium-os:15581,chromium-os:21100
TEST=security_OpenSSLRegression

Reviewed-on: http://gerrit.chromium.org/gerrit/2224
Change-Id: Ibb6866634b5ae649441db87ffdb3ee5a2ebfb687
Signed-off-by: Elly Jones <ellyjones@chromium.org>
23 months ago CHROMIUM: openssl: re-enable blacklisting. 75/22475/2
Elly Jones [Mon, 19 Sep 2011 18:52:44 +0000 (14:52 -0400)]
CHROMIUM: openssl: re-enable blacklisting.

We can add certs to the blacklist by serial (with 'serial <n>') or by sha256sum
(with 'sha256 <n>').

TEST=script (added to package tests),security_OpenSSLBlacklist
BUG=chromium-os:20060

Change-Id: I432e9b20387ff35e3e4d30eed0db69ce5aba59fa
Signed-off-by: Elly Jones <ellyjones@chromium.org>
23 months ago BACKPORT: Apply fix for CVE-2012-2131 10/21410/1 factory-2268.16.B release-R20-2268.B
Gaurav Shah [Fri, 27 Apr 2012 22:10:49 +0000 (15:10 -0700)]
BACKPORT: Apply fix for CVE-2012-2131

Fix is from http://cvs.openssl.org/chngview?cn=22479

The previous fix for CVE-2012-221 did not handle the 'len' argument to
BUF_MEM_grow and BUF_MEM_grow_clean being negative. This patch fixes that
by rejecting a negative len parameter.

BUG=chromium-os:30134
TEST=patched; emerge-amd64-generic openssl;
     chroot /build/amd64-generic/ /usr/bin/curl -Iv https://encrypted.google.com;
     chroot /build/amd64-generic/ /usr/bin/openssl s_client -connect encrypted.google.com:443 -debug;
     Outside the chroot:
        make all && make tests

Change-Id: I4a45d21c4fdf611d52be7c12e5f623e9771394f1

23 months ago BACKPORT: Apply fix for CVE-2012-2110 74/20574/1
Will Drewry [Thu, 19 Apr 2012 00:56:29 +0000 (19:56 -0500)]
BACKPORT: Apply fix for CVE-2012-2110

asn1_d2i_read_bio in OpenSSL contains multiple integer errors that can
cause memory corruption when parsing encoded ASN.1 data. This error can
be exploited on systems that parse untrusted data, such as X.509
certificates or RSA public keys.

This change fixes these integer errors.

Change-Id: I681f02d8ef46e1015b34b41debf5f76e8fb5f29a
Signed-off-by: Tavis Ormandy <taviso@chromium.org>
Signed-off-by: Will Drewry <wad@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
BUG=chromium-os:29675
TEST=patched; emerge-amd64-generic openssl;
     chroot /build/amd64-generic/ /usr/bin/curl -Iv https://encrypted.google.com;
     chroot /build/amd64-generic/ /usr/bin/openssl s_client -connect encrypted.google.com:443 -debug;
     Outside the chroot:
        make all && make tests

2 years ago openssl: move to 0.9.8t 57/15357/2 factory-1987.B
Elly Jones [Mon, 6 Feb 2012 22:42:30 +0000 (17:42 -0500)]
openssl: move to 0.9.8t

This drops our patches to add blacklist support. I will re-add them shortly.

BUG=chromium-os:24755
TEST=build

Change-Id: I70d3205f319bd5bb5816a7722cef1f0a993e3c2b
Signed-off-by: Elly Jones <ellyjones@chromium.org>
2 years ago openssl: add blacklist-by-serial. 39/7939/3 factory-1235.B factory-1284.B factory-1412.B firmware-kiev-2.112.B firmware-uboot_v2-1299.B release-R16-1193.B
Elly Jones [Mon, 19 Sep 2011 18:52:44 +0000 (14:52 -0400)]
openssl: add blacklist-by-serial.

This lets us blacklist certs by serial as well as by sha256 fingerprint, and
adds the ability to comment in the blacklist file.

TEST=script (added to package tests)
BUG=chromium-os:20060

Change-Id: I57e98aa856a14d76341f41050d38477238649f37
Signed-off-by: Elly Jones <ellyjones@chromium.org>
2 years ago openssl: remove skip-patch-local-blacklist 89/7789/1
Elly Jones [Thu, 15 Sep 2011 18:18:01 +0000 (14:18 -0400)]
openssl: remove skip-patch-local-blacklist

With the logic and patch gone from the ebuild, there's no need for this file any
more.

This is phase 4 of a four-step dance:
1) Make the patch conditional on a file in the openssl repo
2) Apply the patch and touch the file to inhibit patching
3) Remove the patching logic in the openssl ebuild
4) Remove the file

BUG=chromium-os:20060
TEST=Build

Change-Id: I8234f7b7a3f4447b5a3d81ef4cee135f5deca258
Signed-off-by: Elly Jones <ellyjones@chromium.org>
2 years ago openssl: add local blacklist support. 84/7784/1
Elly Jones [Thu, 15 Sep 2011 18:07:27 +0000 (14:07 -0400)]
openssl: add local blacklist support.

Add support for blacklisting certificates (even if otherwise trusted) by
sha256sum. Cert fingerprints can be generated with 'openssl x509 -in $cert
-fingerprint -sha256'.

This is phase 2 of a four-step dance:
1) Make the patch conditional on a file in the openssl repo
2) Apply the patch and touch the file to inhibit patching
3) Remove the patching logic in the openssl ebuild
4) Remove the file

BUG=chromium-os:20060
TEST=Adhoc
This code was already tested as part of the openssl ebuild.

Change-Id: I27b2c7c6709d4c4748f607d03f50a1c6a7cb6d7d
Signed-off-by: Elly Jones <ellyjones@chromium.org>
2 years ago openssl: add openssl 0.9.8r 29/7629/1
Elly Jones [Tue, 13 Sep 2011 19:50:36 +0000 (15:50 -0400)]
openssl: add openssl 0.9.8r

From openssl-0.9.8r.tar.gz (sha1sum a02411e5f4d463cac4a2a4a357a4a0b93bf65e72).

TEST=None
BUG=chromium-os:20060

Change-Id: I2c75cdec81111fd22b6800f6ad929399a1257e96
Signed-off-by: Elly Jones <ellyjones@chromium.org>
2 years ago Initial commit. Add PRESUBMIT. 12/7612/1
Elly Jones [Tue, 13 Sep 2011 18:30:00 +0000 (14:30 -0400)]
Initial commit. Add PRESUBMIT.