wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
10784 commits 20 branches 302 tags 153 MiB
Commit graph

1683 commits

Author SHA1 Message Date
Dr. Stephen Henson
64095ce9d7 Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert 
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
 2012-02-21 14:41:13 +00:00
Dr. Stephen Henson
206310c305 Fix bug in CVE-2011-4619: check we have really received a client hello 
before rejecting multiple SGC restarts.
 2012-02-16 15:26:04 +00:00
Dr. Stephen Henson
5863163732 Additional compatibility fix for MDC2 signature format. 
Update RSA EVP_PKEY_METHOD to use the OCTET STRING form of MDC2 signature:
this will make all versions of MDC2 signature equivalent.
 2012-02-15 14:27:25 +00:00
Dr. Stephen Henson
83cb7c4635 An incompatibility has always existed between the format used for RSA 
signatures and MDC2 using EVP or RSA_sign. This has become more apparent
when the dgst utility in OpenSSL 1.0.0 and later switched to using the
EVP_DigestSign functions which call RSA_sign.

This means that the signature format OpenSSL 1.0.0 and later used with
dgst -sign and MDC2 is incompatible with previous versions.

Add detection in RSA_verify so either format works.

Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.
 2012-02-15 14:04:00 +00:00
Dr. Stephen Henson
f4e1169341 Modify client hello version when renegotiating to enhance interop with 
some servers.
 2012-02-09 15:42:10 +00:00
Dr. Stephen Henson
f71c6e52f7 Add support for distinct certificate chains per key type and per SSL 
structure.

Before this the only way to add a custom chain was in the parent SSL_CTX
(which is shared by all key types and SSL structures) or rely on auto
chain building (which is performed on each handshake) from the trust store.
 2012-01-31 14:00:10 +00:00
Dr. Stephen Henson
0d60939515 add support for use of fixed DH client certificates 2012-01-25 14:51:49 +00:00
Dr. Stephen Henson
855d29184e Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. 
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
 2012-01-18 18:15:27 +00:00
Dr. Stephen Henson
ac07bc8602 fix CHANGES entry 2012-01-17 14:20:32 +00:00
Dr. Stephen Henson
8e1dc4d7ca Support for fixed DH ciphersuites. 
The cipher definitions of these ciphersuites have been around since SSLeay
but were always disabled. Now OpenSSL supports DH certificates they can be
finally enabled.

Various additional changes were needed to make them work properly: many
unused fixed DH sections of code were untested.
 2012-01-16 18:19:14 +00:00
Bodo Möller
8e85545284 Update for 0.9.8s and 1.0.0f, and for 1.0.1 branch. 
(While the 1.0.0f CHANGES entry on VOS PRNG seeding was missing
in HEAD, the actual code is here already.)
 2012-01-05 13:48:55 +00:00
Dr. Stephen Henson
4d0bafb4ae update CHANGES 2012-01-04 23:54:17 +00:00
Dr. Stephen Henson
e745572493 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de> 
Reviewed by: steve

Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
 2012-01-04 23:52:26 +00:00
Dr. Stephen Henson
27dfffd5b7 Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) 2012-01-04 23:16:15 +00:00
Dr. Stephen Henson
2ec0497f08 fix CHANGES 2012-01-04 23:10:44 +00:00
Dr. Stephen Henson
6bf896d9b1 Check GOST parameters are not NULL (CVE-2012-0027) 2012-01-04 23:03:40 +00:00
Dr. Stephen Henson
be71c37296 Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) 2012-01-04 23:01:54 +00:00
Dr. Stephen Henson
0b9f5ef809 update CHANGES 2011-12-31 23:08:15 +00:00
Dr. Stephen Henson
4817504d06 PR: 2658 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
 2011-12-31 22:59:57 +00:00
Dr. Stephen Henson
ad89bf7894 PR: 2563 
Submitted by: Paul Green <Paul.Green@stratus.com>
Reviewed by: steve

Improved PRNG seeding for VOS.
 2011-12-19 17:01:37 +00:00
Andy Polyakov
e75440d2c9 update CHANGES. 2011-12-19 14:48:49 +00:00
Dr. Stephen Henson
188c53f7e8 update CHANGES 2011-12-19 14:41:03 +00:00
Ben Laurie
9a436c0f89 Back out redundant verification time change. 2011-12-13 15:00:43 +00:00
Ben Laurie
7fd5df6b12 Make it possible to set a time for verification. 2011-12-13 14:38:12 +00:00
Dr. Stephen Henson
627b044536 update CHANGES 2011-12-10 00:49:05 +00:00
Dr. Stephen Henson
2ca873e8d8 transparently handle X9.42 DH parameters 2011-12-07 12:44:03 +00:00
Dr. Stephen Henson
afb14cda8c Initial experimental support for X9.42 DH parameter format to handle 
RFC5114 parameters and X9.42 DH public and private keys.
 2011-12-07 00:32:34 +00:00
Bodo Möller
19b0d0e75b Resolve a stack set-up race condition (if the list of compression 
methods isn't presorted, it will be sorted on first read).

Submitted by: Adam Langley
 2011-12-02 12:52:00 +00:00
Bodo Möller
ea8c77a55b Fix ecdsatest.c. 
Submitted by: Emilia Kasper
 2011-12-02 12:41:17 +00:00
Bodo Möller
a7c71d8955 Update HEAD CHANGES file. 2011-12-02 12:28:20 +00:00
Bodo Möller
390c579568 Fix BIO_f_buffer(). 
Submitted by: Adam Langley
Reviewed by: Bodo Moeller
 2011-12-02 12:25:03 +00:00
Ben Laurie
e0af04056c Add TLS exporter. 2011-11-15 23:50:52 +00:00
Ben Laurie
333f926d67 Add DTLS-SRTP. 2011-11-15 22:59:20 +00:00
Dr. Stephen Henson
20bee9684d Add RFC5114 DH parameters to OpenSSL. Add test data to dhtest. 2011-11-13 14:07:36 +00:00
Dr. Stephen Henson
a98b8ce652 Update fips_test_suite to take multiple command line options and 
an induced error checking function.
 2011-11-06 12:53:13 +00:00
Dr. Stephen Henson
f4324e51dd Add single call public key sign and verify functions. 2011-11-05 01:34:36 +00:00
Dr. Stephen Henson
3ec9dceb15 Add fips_algvs utility (from FIPS 2.0 stable branch). 2011-11-02 00:57:22 +00:00
Dr. Stephen Henson
5e4eb9954b add authentication parameter to FIPS_module_mode_set 2011-10-19 22:34:53 +00:00
Bodo Möller
e5641d7f05 BN_BLINDING multi-threading fix. 
Submitted by: Emilia Kasper (Google)
 2011-10-19 14:59:27 +00:00
Bodo Möller
e0d6132b8c Fix warnings. 
Also, use the common Configure mechanism for enabling/disabling the 64-bit ECC code.
 2011-10-19 08:59:53 +00:00
Bodo Möller
3e00b4c9db Improve optional 64-bit NIST-P224 implementation, and add NIST-P256 and 
NIST-P521. (Now -DEC_NISTP_64_GCC_128 enables all three of these;
-DEC_NISTP224_64_GCC_128 no longer works.)

Submitted by: Google Inc.
 2011-10-18 19:43:16 +00:00
Bodo Möller
8b37d33a94 typo 2011-10-13 13:20:33 +00:00
Bodo Möller
3ddc06f082 In ssl3_clear, preserve s3->init_extra along with s3->rbuf. 
Submitted by: Bob Buckholz <bbuckholz@google.com>
 2011-10-13 13:05:58 +00:00
Dr. Stephen Henson
ccbb9badba fix CHANGES entry 2011-10-09 23:11:55 +00:00
Dr. Stephen Henson
2bfeb7dc83 Add FIPS selftests for ECDH algorithm. 2011-09-29 23:08:23 +00:00
Dr. Stephen Henson
cb71870dfa Use function name FIPS_drbg_health_check() for health check function. 
Add explanatory comments to health check code.
 2011-09-22 14:01:25 +00:00
Dr. Stephen Henson
4420b3b17a Revise DRBG to split between internal and external flags. 
One demand health check function.

Perform generation test in fips_test_suite.

Option to skip dh test if fips_test_suite.
 2011-09-21 17:04:56 +00:00
Dr. Stephen Henson
15094852de new function to lookup FIPS supported ciphers by NID 2011-09-14 13:25:48 +00:00
Dr. Stephen Henson
a11f06b2dc More extensive DRBG health check. New function to call health check 
for all DRBG combinations.
 2011-09-12 18:47:39 +00:00
Dr. Stephen Henson
7fdcb45745 Add support for Dual EC DRBG from SP800-90. Include updates to algorithm 
tests and POST code.
 2011-09-09 17:16:43 +00:00