| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
The original comparison contained a typo,
0x1000200fL == (ver & 0xfffff000L) and could never match.
Fix, and also match at compile time to not even reference
this flag on other OpenSSL versions.
|
|
|
|
|
| |
...in order to safely remove the obsolete OpenSSL flag
SSL_OP_SINGLE_DH_USE.
|
|
|
|
| |
See COPYING or NEWS.
|
|
|
|
| |
...of cross-signed certificate.
|
| |
|
| |
|
|
|
|
|
| |
the latter is deprecated in OpenSSL 3, and the user might use some
other key than RSA.
|
|
|
|
| |
to avoid compatibility issues with new OpenSSL versions later on.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 1.0.2 is EOL since end of 2019, so warn if it is to be used
at configure and compile time.
The assumption is that 1.0.2 may still be in use by maintainers that
backport security fixes.
Also warn, at configure time, about "OpenSSL" API-compatible libraries
that do not declare TLS1_3_VERSION.
|
|
|
|
|
|
|
| |
and fix a typo in README.SSL. The reference will be printed if there is
no trust anchor.
Fixes #4 (Gitlab issue).
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 418cda65 from merge request !5 fixed an input buffer overrun but at the
same time caused the terminating NUL byte in the output buffer to be written
too late, 2 bytes per placeholder.
Fix the size calculation for correctness, and use the output index
and not the output length to terminate the output string.
Fixes #16, reported by Stefan Thurner. [All references for Gitlab.]
|
| |
|
| |
|
|
|
|
|
|
| |
* Normalize include order.
* Backport missed bug fixes.
* Remove dead code.
|
|
|
|
| |
Fixes Debian Bug#928916, reported by Paul Kimoto.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
...when deprecated functions are disabled, for instance,
through -DOPENSSL_API_COMPAT=0x10100000L.
|
| |
|
|
|
|
|
|
|
|
| |
parse_plugin() expands the % in plugin string to plugin_copy. It
checks that is does not write behind the end of the destination
memory, but the source length was not checked. This resulted in
reading from a possibly invalid memory location which may cause a
segmentation fault. Add a check for the string length of the source.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Ubuntu 16.04 LTS, in a misguided attempt to avoid SSLv3 without breaking
the API, does not declare SSLv3 unsupported through the headers, so
applications can only detect this situation at run-time.
The symptom is that SSL_CTX_new errors out with
SSL_R_NULL_SSL_METHOD_PASSED on the error stack, issue an additional
note telling the user to select a newer version.
|
|
|
|
|
|
|
| |
This avoids functions marked deprecated in OpenSSL 1.1.0.
At the same time, warn about unsupported use of LibreSSL, and treat
LibreSSL the same as OpenSSL 1.0.X WRT protocol version logic.
|
| |
|
| |
|
| |
|
|
|
|
| |
LibreSSL does not provide a TLS_MAX_VERSION, so do not refer to it.
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
by OpenSSL.
Uses TLS_MAX_VERSION checks against TLS1_1_VERSION or TLS1_2_VERSION.
|
|
|
|
| |
master branch.
|
|
|
|
|
|
| |
This condition does not leave traces in the SSL error queue,
and must be checked explicitly. Result from debugging Jerry Seibert's
issue with outlook.com/pop3.live.com.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Removes SSLv2, enables TLSv1.1 and v1.2 more easily,
permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS.
Only negotiates TLSv1 and newer by default, SSLv3 must now be specified
explicitly, as a consequence of the POODLE attack.
This is meant to be a minimally upgraded version, and cannot be usefully
done as a 6.3.X release.
It is strongly recommended that users review their configuration -
especially --sslproto - per instructions in the NEWS file and manual
page. It has changed semantics and in many cases --sslproto auto or
perhaps --sslproto tls1.2+ should be used now.
|
| |
|
|
|
|
| |
(socket.c cherry-pick from master)
|
|
|
|
|
| |
These are the macros OpenSSL defines when configured with no-ssl2 or no-ssl3,
the actual macro names are OPENSSL_NO_SSL2 and OPENSSL_NO_SSL3.
|
|
|
|
|
|
|
| |
providing that these also omit the declaration of SSLv3_client_method().
Related to Debian Bug#775255.
Version report lists -SSLv3 on +SSL builds that omit SSLv3_client_method().
Version report lists -SSLv2 on +SSL builds that omit SSLv2_client_method().
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While running a static code analysis tool (Parfait) on fetchmail, it found some
bugs:
Error: Memory leak (CWE 401)
Memory leak of pointer 'plugin_copy' allocated with malloc((plugin_copy_len + 1))
at line 137 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'parse_plugin'.
'plugin_copy' allocated at line 107 with malloc((plugin_copy_len + 1)).
plugin_copy leaks when plugin_copy_offset >= plugin_copy_len at line 114.
Error: Null pointer dereference (CWE 476)
Read from null pointer 'argvec'
at line 189 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'handle_plugin'.
Function 'parse_plugin' may return constant 'NULL' at line 137, called at line 188.
Null pointer introduced at line 137 in function 'parse_plugin'.
at line 190 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'handle_plugin'.
Function 'parse_plugin' may return constant 'NULL' at line 137, called at line 188.
Null pointer introduced at line 137 in function 'parse_plugin'.
(I realize these are on 6.3.22; I checked and verified that this portion of
the code is the same in 6.3.24.)
The attached patch fixes each of these.
(Note by Matthias Andree:
The NULL pointer dereference fix does not require error reporting,
because parse_plugin() will already have reported the out-of-memory
error that causes the NULL to be returned.)
|
|
|
|
|
|
|
|
|
| |
* Improved reporting when SSL/TLS X.509 certificate validation has failed,
working around a not-so-recent swapping of two OpenSSL error codes, and
a practical impossibility to distinguish broken certification chains from
missing trust anchors (root certificates).
* OpenSSL decoded errors are now reported through report(), rather than dumped
to stderr, so that they should show up in logfiles and/or syslog.
|
|
|
|
|
|
|
|
|
|
|
| |
This would affect fetchmail configurations running with SSL in daemon mode
more than one-shot runs.
Reported by Erik Thiele, and pinned by Dominik, Debian Bug #688015.
This bug was introduced into fetchmail 6.2.9 (committed 2005-10-29)
when support for subjectAltName was added through a patch by Roland
Stigge, submitted as Debian Bug#201113.
|