Dr. Stephen Henson
7978dc989d
fix error discrepancy
2011-06-03 18:50:49 +00:00
Dr. Stephen Henson
d99e6b5014
New function X509_ALGOR_set_md() to set X509_ALGOR (DigestAlgorithmIdentifier) from a digest algorithm (backport from HEAD).
2011-06-03 18:35:49 +00:00
Dr. Stephen Henson
2cf40fc2b8
license correction, no EAY code included in this file
2011-06-03 17:56:51 +00:00
Dr. Stephen Henson
260d08b814
Backport CMAC support from HEAD.
2011-06-03 15:08:42 +00:00
Dr. Stephen Henson
53dd05d8f6
Redirect RSA keygen, sign, verify to FIPS module.
2011-06-03 13:16:16 +00:00
Dr. Stephen Henson
fbe7055370
Redirection of low level APIs to FIPS module.
...
Digest sign, verify operations are not redirected at this stage.
2011-06-02 18:22:42 +00:00
Dr. Stephen Henson
a5b386205f
Backport extended PSS support from HEAD: allow setting of mgf1Hash explicitly.
...
This is needed to handle FIPS redirection fully.
2011-06-02 18:13:33 +00:00
Dr. Stephen Henson
916bcab28e
Prohibit low level cipher APIs in FIPS mode.
...
Not complete: ciphers with assembly language key setup are not
covered yet.
2011-06-01 16:54:06 +00:00
Dr. Stephen Henson
c7373c3dee
For consistency define clone digests in evp_fips.c
2011-06-01 15:11:00 +00:00
Dr. Stephen Henson
9f2c8eb2a1
Redirect clone digests to FIPS module for FIPS builds.
2011-06-01 14:28:21 +00:00
Dr. Stephen Henson
65300dcfb0
Prohibit use of low level digest APIs in FIPS mode.
2011-06-01 13:39:45 +00:00
Dr. Stephen Henson
9ddc574f9a
typo
2011-06-01 11:10:50 +00:00
Dr. Stephen Henson
2dd9e67874
set FIPS permitted flag before initalising digest
2011-05-31 16:24:06 +00:00
Dr. Stephen Henson
f93b03a5e6
Don't round up partitioned premaster secret length if there is only one
...
digest in use: this caused the PRF to fail for an odd premaster secret
length.
2011-05-31 10:35:22 +00:00
Dr. Stephen Henson
55a47cd30f
Output supported curves in preference order instead of numerically.
2011-05-30 17:58:29 +00:00
Dr. Stephen Henson
5792219d1d
Redirect cipher operations to FIPS module for FIPS builds.
2011-05-29 16:18:38 +00:00
Dr. Stephen Henson
293c58c1e7
Use approved API for EVP digest operations in FIPS builds.
...
Call OPENSSL_init() in a few more places to make sure it is always called
at least once.
Initial cipher API redirection (incomplete).
2011-05-29 15:55:13 +00:00
Dr. Stephen Henson
9f375a752e
Add default ASN1 handling to support FIPS.
2011-05-29 02:32:05 +00:00
Dr. Stephen Henson
04dc5a9ca6
Redirect digests to FIPS module for FIPS builds.
...
Use FIPS API when initialising digests.
Sync header file evp.h and error codes with HEAD for necessary FIPS
definitions.
2011-05-28 23:01:26 +00:00
Dr. Stephen Henson
ae6cb5483e
Use || instead of && so build doesn't fail.
2011-05-26 22:10:28 +00:00
Dr. Stephen Henson
a168ec1d27
Support shared library builds of FIPS capable OpenSSL, add fipscanister.o
...
to libcrypto.a so linking to libcrypto.a works.
2011-05-26 21:23:11 +00:00
Dr. Stephen Henson
2a35144327
Make test utility link work for fips build.
2011-05-26 14:36:56 +00:00
Dr. Stephen Henson
7207eca1ee
The first of many changes to make OpenSSL 1.0.1 FIPS capable.
...
Add static build support to openssl utility.
Add new "fips" option to Configure.
Make use of installed fipsld and fips_standalone_sha1
Initialise FIPS error callbacks, locking and DRBG.
Doesn't do anything much yet: no crypto is redirected to the FIPS module.
Doesn't completely build either but the openssl utility can enter FIPS mode:
which doesn't do anything much either.
2011-05-26 14:19:19 +00:00
Dr. Stephen Henson
9c34782478
Don't advertise or use MD5 for TLS v1.2 in FIPS mode
2011-05-25 15:33:29 +00:00
Dr. Stephen Henson
20e6d22709
PR: 2533
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Setting SSL_MODE_RELEASE_BUFFERS should be ignored for DTLS, but instead causes
the program to crash. This is due to missing version checks and is fixed with
this patch.
2011-05-25 15:21:01 +00:00
Dr. Stephen Henson
24dd0c61ef
PR: 2529
...
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve
Call ssl_new() to reallocate SSL BIO internals if we want to replace
the existing internal SSL structure.
2011-05-25 15:16:01 +00:00
Dr. Stephen Henson
565c15363c
PR: 2527
...
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve
Set cnf to NULL to avoid possible double free.
2011-05-25 15:05:56 +00:00
Dr. Stephen Henson
ed67f7b7a7
Fix the ECDSA timing attack mentioned in the paper at:
...
http://eprint.iacr.org/2011/232.pdf
Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
2011-05-25 14:52:33 +00:00
Dr. Stephen Henson
6ea8d138d3
Fix the ECDSA timing attack mentioned in the paper at:
...
http://eprint.iacr.org/2011/232.pdf
Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
2011-05-25 14:42:27 +00:00
Dr. Stephen Henson
4159ac43aa
Oops use up to date patch for PR#2506
2011-05-25 14:30:05 +00:00
Dr. Stephen Henson
419b09b053
PR: 2512
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Fix BIO_accept so it can be bound to IPv4 or IPv6 sockets consistently.
2011-05-25 12:36:59 +00:00
Dr. Stephen Henson
88530f6b76
PR: 2506
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Fully implement SSL_clear for DTLS.
2011-05-25 12:28:16 +00:00
Dr. Stephen Henson
a8cb8177f6
PR: 2505
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Fix DTLS session resumption timer bug.
2011-05-25 12:24:43 +00:00
Dr. Stephen Henson
277f8a34f4
use TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with DTLS
2011-05-25 11:43:17 +00:00
Dr. Stephen Henson
4dde470865
Add tls12_sigalgs which somehow didn't get added to the backport.
2011-05-21 17:40:23 +00:00
Richard Levitte
ab08405984
LIBOBJ contained o_fips.c, now o_fips.o.
2011-05-21 09:17:54 +00:00
Dr. Stephen Henson
b81fde02aa
Add server client certificate support for TLS v1.2 . This is more complex
...
than client side as we need to keep the handshake record cache frozen when
it contains all the records need to process the certificate verify message.
(backport from HEAD).
2011-05-20 14:58:45 +00:00
Dr. Stephen Henson
57dd2ea808
add FIPS support to openssl utility (backport from HEAD)
2011-05-19 18:23:24 +00:00
Dr. Stephen Henson
7043fa702f
add FIPS support to ssl: doesn't do anything on this branch yet as there is no FIPS compilation support
2011-05-19 18:22:16 +00:00
Dr. Stephen Henson
f98d2e5cc1
Implement FIPS_mode and FIPS_mode_set
2011-05-19 18:19:07 +00:00
Dr. Stephen Henson
1a5538251f
update date
2011-05-19 17:56:12 +00:00
Dr. Stephen Henson
f4ddbb5ad1
inherit HMAC flags from MD_CTX
2011-05-19 17:38:57 +00:00
Dr. Stephen Henson
74bf705ea8
set encodedPoint to NULL after freeing it
2011-05-19 16:18:11 +00:00
Dr. Stephen Henson
676cd3a283
new flag to stop ENGINE methods being registered
2011-05-15 15:58:38 +00:00
Dr. Stephen Henson
c6ead3cdd3
Recognise and ignore no-ec-nistp224-64-gcc-128 (from HEAD).
2011-05-13 12:46:12 +00:00
Dr. Stephen Henson
2d53648ce7
typo
2011-05-13 12:44:37 +00:00
Dr. Stephen Henson
64ca6ac26b
Recognise NO_NISTP224-64-GCC-128
2011-05-13 12:38:02 +00:00
Dr. Stephen Henson
4fe4c00eca
Provisional support for TLS v1.2 client authentication: client side only.
...
Parse certificate request message and set digests appropriately.
Generate new TLS v1.2 format certificate verify message.
Keep handshake caches around for longer as they are needed for client auth.
2011-05-12 17:49:15 +00:00
Dr. Stephen Henson
376838a606
Process signature algorithms during TLS v1.2 client authentication.
...
Make sure message is long enough for signature algorithms.
(backport from HEAD).
2011-05-12 17:44:59 +00:00
Dr. Stephen Henson
d768a816aa
Ooops fix typo.
2011-05-12 13:59:04 +00:00