Dr. Stephen Henson
9309ea6617
Backport PSS signature support from HEAD.
2011-10-09 23:13:50 +00:00
Dr. Stephen Henson
05c9e3aea5
fix CHANGES entry
2011-10-09 23:11:09 +00:00
Dr. Stephen Henson
dc100d87b5
Backport of password based CMS support from HEAD.
2011-10-09 15:28:02 +00:00
Dr. Stephen Henson
cd447875e6
Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
...
produce an error (CVE-2011-3207)
2011-09-06 15:14:41 +00:00
Bodo Möller
3c3f025923
Fix session handling.
2011-09-05 13:36:55 +00:00
Bodo Möller
5ff6e2dfbb
Fix d2i_SSL_SESSION.
2011-09-05 13:31:07 +00:00
Bodo Möller
61ac68f9f6
(EC)DH memory handling fixes.
...
Submitted by: Adam Langley
2011-09-05 10:25:27 +00:00
Bodo Möller
7f1022a8b1
Fix memory leak on bad inputs.
2011-09-05 09:57:15 +00:00
Andy Polyakov
84e7485bfb
Add RC4-MD5 and AESNI-SHA1 "stitched" implementations [from HEAD].
2011-08-23 20:53:34 +00:00
Dr. Stephen Henson
cf199fec52
Remove hard coded ecdsaWithSHA1 hack in ssl routines and check for RSA
...
using OBJ xref utilities instead of string comparison with OID name.
This removes the arbitrary restriction on using SHA1 only with some ECC
ciphersuites.
2011-08-14 13:47:30 +00:00
Dr. Stephen Henson
aed53d6c5a
Backport GCM support from HEAD.
2011-08-04 11:13:28 +00:00
Dr. Stephen Henson
c8c6e9ecd9
Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support and
...
prohibit use of these ciphersuites for TLS < 1.2
2011-07-25 21:45:17 +00:00
Dr. Stephen Henson
3a5b97b7f1
Don't set default public key methods in FIPS mode so applications
...
can switch between modes.
2011-06-20 19:41:13 +00:00
Bodo Möller
5cacc82f61
Fix the version history: given that 1.0.1 has yet to be released,
...
we should list "Changes between 1.0.0e and 1.0.1",
not "between 1.0.0d and 1.0.1".
2011-06-15 14:23:44 +00:00
Dr. Stephen Henson
e8d23f7811
Redirect HMAC and CMAC operations to module.
2011-06-12 15:07:26 +00:00
Ben Laurie
be23b71e87
Add -attime.
2011-06-09 17:09:31 +00:00
Dr. Stephen Henson
752c1a0ce9
Redirect DSA operations to FIPS module in FIPS mode.
2011-06-09 13:54:09 +00:00
Dr. Stephen Henson
6342b6e332
Redirection of ECDSA, ECDH operations to FIPS module.
...
Also use FIPS EC methods unconditionally for now: might want to use them
only in FIPS mode or with a switch later.
2011-06-06 15:39:17 +00:00
Dr. Stephen Henson
f610a516a0
Backport from HEAD:
...
New option to disable characteristic two fields in EC code.
Make no-ec2m work on Win32 build.
2011-06-06 11:49:36 +00:00
Dr. Stephen Henson
24d7159abd
Backport libcrypto audit: check return values of EVP functions instead
...
of assuming they will always suceed.
2011-06-03 20:53:00 +00:00
Dr. Stephen Henson
53dd05d8f6
Redirect RSA keygen, sign, verify to FIPS module.
2011-06-03 13:16:16 +00:00
Dr. Stephen Henson
fbe7055370
Redirection of low level APIs to FIPS module.
...
Digest sign, verify operations are not redirected at this stage.
2011-06-02 18:22:42 +00:00
Dr. Stephen Henson
916bcab28e
Prohibit low level cipher APIs in FIPS mode.
...
Not complete: ciphers with assembly language key setup are not
covered yet.
2011-06-01 16:54:06 +00:00
Dr. Stephen Henson
65300dcfb0
Prohibit use of low level digest APIs in FIPS mode.
2011-06-01 13:39:45 +00:00
Dr. Stephen Henson
55a47cd30f
Output supported curves in preference order instead of numerically.
2011-05-30 17:58:29 +00:00
Dr. Stephen Henson
5792219d1d
Redirect cipher operations to FIPS module for FIPS builds.
2011-05-29 16:18:38 +00:00
Dr. Stephen Henson
04dc5a9ca6
Redirect digests to FIPS module for FIPS builds.
...
Use FIPS API when initialising digests.
Sync header file evp.h and error codes with HEAD for necessary FIPS
definitions.
2011-05-28 23:01:26 +00:00
Dr. Stephen Henson
6ea8d138d3
Fix the ECDSA timing attack mentioned in the paper at:
...
http://eprint.iacr.org/2011/232.pdf
Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
2011-05-25 14:42:27 +00:00
Dr. Stephen Henson
b81fde02aa
Add server client certificate support for TLS v1.2 . This is more complex
...
than client side as we need to keep the handshake record cache frozen when
it contains all the records need to process the certificate verify message.
(backport from HEAD).
2011-05-20 14:58:45 +00:00
Dr. Stephen Henson
7043fa702f
add FIPS support to ssl: doesn't do anything on this branch yet as there is no FIPS compilation support
2011-05-19 18:22:16 +00:00
Dr. Stephen Henson
f98d2e5cc1
Implement FIPS_mode and FIPS_mode_set
2011-05-19 18:19:07 +00:00
Dr. Stephen Henson
4fe4c00eca
Provisional support for TLS v1.2 client authentication: client side only.
...
Parse certificate request message and set digests appropriately.
Generate new TLS v1.2 format certificate verify message.
Keep handshake caches around for longer as they are needed for client auth.
2011-05-12 17:49:15 +00:00
Dr. Stephen Henson
9472baae0d
Backport TLS v1.2 support from HEAD.
...
This includes TLS v1.2 server and client support but at present
client certificate support is not implemented.
2011-05-11 13:37:52 +00:00
Dr. Stephen Henson
74096890ba
Initial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERN
...
all ssl related structures are opaque and internals cannot be directly
accessed. Many applications will need some modification to support this and
most likely some additional functions added to OpenSSL.
The advantage of this option is that any application supporting it will still
be binary compatible if SSL structures change.
(backport from HEAD).
2011-05-11 12:56:38 +00:00
Ben Laurie
a149b2466e
Add SRP.
2011-03-16 11:26:40 +00:00
Bodo Möller
cd77b3e88b
Sync with 1.0.0 branch.
...
(CVE-2011-0014 OCSP stapling fix has been applied to the 1.0.1 branch as well.)
2011-02-08 19:08:32 +00:00
Bodo Möller
346601bc32
CVE-2010-4180 fix (from OpenSSL_1_0_0-stable)
2011-02-03 10:42:00 +00:00
Dr. Stephen Henson
e501dbb658
Fix escaping code for string printing. If *any* escaping is enabled we
...
must escape the escape character itself (backslash).
2011-01-03 01:30:58 +00:00
Dr. Stephen Henson
2c5c4fca14
apply J-PKAKE fix to HEAD (original by Ben)
2010-11-29 18:33:28 +00:00
Dr. Stephen Henson
a618011ca1
add "missing" functions to copy EVP_PKEY_METHOD and examine info
2010-11-24 16:07:45 +00:00
Dr. Stephen Henson
6e21ce592e
fix CVE-2010-3864
2010-11-17 17:36:29 +00:00
Dr. Stephen Henson
3fa29765fd
PR: 2314
...
Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net>
Reviewed by: steve
Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
2010-10-10 12:27:19 +00:00
Dr. Stephen Henson
945ba0300d
Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(),
...
this means that some implementations will be used automatically, e.g. aesni,
we do this for cryptodev anyway.
Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it.
2010-10-03 18:56:25 +00:00
Bodo Möller
9b0e97ae10
Update version numbers
2010-08-26 18:45:21 +00:00
Bodo Möller
48ce525d16
New 64-bit optimized implementation EC_GFp_nistp224_method().
...
Binary compatibility is not affected as this will only be
compiled in if explicitly requested (#ifdef EC_NISTP224_64_GCC_128).
Submitted by: Emilia Kasper (Google)
2010-08-26 14:29:27 +00:00
Dr. Stephen Henson
48ae85b6ff
PR: 1833
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Support for abbreviated handshakes when renegotiating.
2010-08-26 14:22:40 +00:00
Bodo Möller
82281ce47d
ECC library bugfixes.
...
Submitted by: Emilia Kapser (Google)
2010-08-26 12:10:57 +00:00
Bodo Möller
4ecd2bafbb
Harmonize with OpenSSL_1_0_0-stable version of CHANGES.
2010-08-26 11:21:49 +00:00
Dr. Stephen Henson
f6c29ba3dc
Fix WIN32 build system to correctly link ENGINE DLLs contained in a
...
directory: currently the GOST ENGINE is the only case.
2010-07-24 17:55:47 +00:00
Dr. Stephen Henson
160f9b5bf6
Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(),
...
this means that some implementations will be used automatically, e.g. aesni,
we do this for cryptodev anyway.
Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it.
2010-07-21 16:23:59 +00:00