Dr. Stephen Henson
6f9076ff37
Generalise OCSP I/O functions to support dowloading of other ASN1
...
structures using HTTP. Add wrapper function to handle CRL download.
2012-11-28 16:22:53 +00:00
Dr. Stephen Henson
2c340864be
New functions to set lookup_crls callback and to retrieve internal X509_STORE
...
from X509_STORE_CTX.
2012-11-27 23:47:48 +00:00
Dr. Stephen Henson
20b431e3a9
Add support for printing out and retrieving EC point formats extension.
2012-11-22 15:20:53 +00:00
Dr. Stephen Henson
1c455bc084
new function ASN1_TIME_diff to calculate difference between two ASN1_TIME structures
2012-11-19 15:12:07 +00:00
Dr. Stephen Henson
d88926f181
PR: 2909
...
Contributed by: Florian Weimer <fweimer@redhat.com>
Fixes to X509 hostname and email address checking. Wildcard matching support.
New test program and manual page.
2012-11-18 15:13:55 +00:00
Dr. Stephen Henson
3db935a9e5
add SSL_CONF functions and documentation
2012-11-16 19:12:24 +00:00
Dr. Stephen Henson
a70da5b3ec
New functions to check a hostname email or IP address against a
...
certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
2012-10-08 15:10:07 +00:00
Andy Polyakov
b8c5929130
config: detect linux-mips* targets.
2012-09-19 20:58:07 +00:00
Dr. Stephen Henson
4f3df8bea2
Add -rev test option to s_server to just reverse order of characters received
...
by client and send back to server. Also prints an abbreviated summary of
the connection parameters.
2012-09-14 13:27:05 +00:00
Dr. Stephen Henson
2a7cbe77b3
Add -brief option to s_client and s_server to summarise connection details.
...
New option -verify_quiet to shut up the verify callback unless there is
an error.
2012-09-12 23:14:28 +00:00
Dr. Stephen Henson
94a209d8e1
Add ctrl and utility functions to retrieve raw cipher list sent by client in
...
client hello message. Previously this could only be retrieved on an initial
connection and it was impossible to determine the cipher IDs of any uknown
ciphersuites.
2012-09-12 13:57:48 +00:00
Dr. Stephen Henson
e5db9c3b67
Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
...
change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.
2012-09-11 13:34:08 +00:00
Ben Laurie
2daceb0342
Call OCSP Stapling callback after ciphersuite has been chosen, so the
...
right response is stapled. Also change SSL_get_certificate() so it
returns the certificate actually sent. See
http://rt.openssl.org/Ticket/Display.html?id=2836 .
2012-09-11 12:57:46 +00:00
Andy Polyakov
0e1f390bad
Harmonize CHANGES in HEAD.
2012-08-29 14:14:05 +00:00
Dr. Stephen Henson
2ea8035460
Add three Suite B modes to TLS code, supporting RFC6460.
2012-08-15 15:15:05 +00:00
Dr. Stephen Henson
3ad344a517
add suite B chain validation flags and associated verify errors
2012-08-03 13:51:43 +00:00
Dr. Stephen Henson
6dbb6219e7
Make tls1_check_chain return a set of flags indicating checks passed
...
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.
Print out results of checks for each candidate chain tested in
s_server/s_client.
2012-07-27 13:39:23 +00:00
Dr. Stephen Henson
ec4a50b3c3
Abort handshake if signature algorithm used not supported by peer.
2012-07-24 18:11:27 +00:00
Dr. Stephen Henson
d18b716d25
check EC tmp key matches preferences
2012-07-24 13:47:40 +00:00
Dr. Stephen Henson
74ecfab401
Add support for certificate stores in CERT structure. This makes it
...
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.
Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
2012-07-23 23:34:28 +00:00
Dr. Stephen Henson
b7bfe69b66
New function ssl_set_client_disabled to set masks for any ciphersuites
...
that are disabled for this session (as opposed to always disabled by
configuration).
2012-07-18 14:09:46 +00:00
Dr. Stephen Henson
9f27b1eec3
Add new ctrl to retrieve client certificate types, print out
...
details in s_client.
Also add ctrl to set client certificate types. If not used sensible values
will be included based on supported signature algorithms: for example if
we don't include any DSA signing algorithms the DSA certificate type is
omitted.
Fix restriction in old code where certificate types would be truncated
if it exceeded TLS_CT_NUMBER.
2012-07-08 14:22:45 +00:00
Dr. Stephen Henson
3dbc46dfcd
Separate client and server permitted signature algorithm support: by default
...
the permitted signature algorithms for server and client authentication
are the same but it is now possible to set different algorithms for client
authentication only.
2012-07-03 12:51:14 +00:00
Dr. Stephen Henson
18d7158809
Add certificate callback. If set this is called whenever a certificate
...
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
2012-06-29 14:24:42 +00:00
Dr. Stephen Henson
d61ff83be9
Add new "valid_flags" field to CERT_PKEY structure which determines what
...
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.
Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
2012-06-28 12:45:49 +00:00
Dr. Stephen Henson
4453cd8c73
Reorganise supported signature algorithm extension processing.
...
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
2012-06-25 14:32:30 +00:00
Dr. Stephen Henson
0f229cce65
Add support for application defined signature algorithms for use with
...
TLS v1.2. These are sent as an extension for clients and during a certificate
request for servers.
TODO: add support for shared signature algorithms, respect shared algorithms
when deciding which ciphersuites and certificates to permit.
2012-06-22 14:03:31 +00:00
Dr. Stephen Henson
a5ee80b910
Make it possible to delete all certificates from an SSL structure.
2012-06-18 12:56:59 +00:00
Dr. Stephen Henson
93ab9e421e
Initial record tracing code. Print out all fields in SSL/TLS records
...
for debugging purposes. Needs "enable-ssl-trace" configuration option.
2012-06-15 12:46:09 +00:00
Dr. Stephen Henson
dfcf48f499
New functions to retrieve certificate signatures and signature OID NID.
2012-06-13 13:08:12 +00:00
Dr. Stephen Henson
4b9e0b5f74
print out issuer and subject unique identifier fields in certificates
2012-06-12 13:41:18 +00:00
Ben Laurie
a9e1c50bb0
RFC 5878 support.
2012-05-30 10:10:58 +00:00
Dr. Stephen Henson
4242a090c7
PR: 2813
...
Reported by: Constantine Sapuntzakis <csapuntz@gmail.com>
Fix possible deadlock when decoding public keys.
2012-05-11 13:53:37 +00:00
Dr. Stephen Henson
c3b1303387
PR: 2811
...
Reported by: Phil Pennock <openssl-dev@spodhuis.org>
Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
version client hello workaround if renegotiating.
2012-05-11 13:34:29 +00:00
Dr. Stephen Henson
c46ecc3a55
Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and
...
DTLS to fix DoS attack.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
2012-05-10 16:03:52 +00:00
Dr. Stephen Henson
225055c30b
Reported by: Solar Designer of Openwall
...
Make sure tkeylen is initialised properly when encrypting CMS messages.
2012-05-10 13:46:09 +00:00
Dr. Stephen Henson
a708609945
Don't try to use unvalidated composite ciphers in FIPS mode
2012-04-26 18:55:01 +00:00
Andy Polyakov
a2b21191d9
CHANGES: clarify.
2012-04-26 07:33:26 +00:00
Andy Polyakov
396f8b71ac
CHANGES: fix typos and clarify.
2012-04-26 07:20:06 +00:00
Dr. Stephen Henson
43d5b4ff31
Change value of SSL_OP_NO_TLSv1_1 to avoid clash with SSL_OP_ALL and
...
OpenSSL 1.0.0. Add CHANGES entry noting the consequences.
2012-04-25 23:04:42 +00:00
Andy Polyakov
f2ad35821c
s23_clnt.c: ensure interoperability by maitaining client "version capability"
...
vector contiguous.
PR: 2802
2012-04-25 22:06:32 +00:00
Dr. Stephen Henson
d9a9d10f4f
Check for potentially exploitable overflows in asn1_d2i_read_bio
...
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.
Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
2012-04-19 16:19:56 +00:00
Bodo Möller
d3ddf0228e
Disable SHA-2 ciphersuites in < TLS 1.2 connections.
...
(TLS 1.2 clients could end up negotiating these with an OpenSSL server
with TLS 1.2 disabled, which is problematic.)
Submitted by: Adam Langley
2012-04-17 15:23:03 +00:00
Dr. Stephen Henson
800e1cd969
Additional workaround for PR#2771
...
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client
ciphersuites to this value. A value of 50 should be sufficient.
Document workarounds in CHANGES.
2012-04-17 15:12:09 +00:00
Dr. Stephen Henson
a43526302f
Add support for automatic ECDH temporary key parameter selection. When
...
enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
2012-04-05 13:38:27 +00:00
Andy Polyakov
82c5ac4599
CHANGES: harmonize with 1.0.0 and 1.0.1.
2012-03-31 18:56:27 +00:00
Dr. Stephen Henson
d0595f170c
Initial revision of ECC extension handling.
...
Tidy some code up.
Don't allocate a structure to handle ECC extensions when it is used for
default values.
Make supported curves configurable.
Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
2012-03-28 15:05:04 +00:00
Dr. Stephen Henson
e7f8ff4382
New ctrls to retrieve supported signature algorithms and curves and
...
extensions to s_client and s_server to print out retrieved valued.
Extend CERT structure to cache supported signature algorithm data.
2012-03-06 14:28:21 +00:00
Dr. Stephen Henson
64095ce9d7
Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
...
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
2012-02-21 14:41:13 +00:00
Dr. Stephen Henson
206310c305
Fix bug in CVE-2011-4619: check we have really received a client hello
...
before rejecting multiple SGC restarts.
2012-02-16 15:26:04 +00:00
Dr. Stephen Henson
5863163732
Additional compatibility fix for MDC2 signature format.
...
Update RSA EVP_PKEY_METHOD to use the OCTET STRING form of MDC2 signature:
this will make all versions of MDC2 signature equivalent.
2012-02-15 14:27:25 +00:00
Dr. Stephen Henson
83cb7c4635
An incompatibility has always existed between the format used for RSA
...
signatures and MDC2 using EVP or RSA_sign. This has become more apparent
when the dgst utility in OpenSSL 1.0.0 and later switched to using the
EVP_DigestSign functions which call RSA_sign.
This means that the signature format OpenSSL 1.0.0 and later used with
dgst -sign and MDC2 is incompatible with previous versions.
Add detection in RSA_verify so either format works.
Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.
2012-02-15 14:04:00 +00:00
Dr. Stephen Henson
f4e1169341
Modify client hello version when renegotiating to enhance interop with
...
some servers.
2012-02-09 15:42:10 +00:00
Dr. Stephen Henson
f71c6e52f7
Add support for distinct certificate chains per key type and per SSL
...
structure.
Before this the only way to add a custom chain was in the parent SSL_CTX
(which is shared by all key types and SSL structures) or rely on auto
chain building (which is performed on each handshake) from the trust store.
2012-01-31 14:00:10 +00:00
Dr. Stephen Henson
0d60939515
add support for use of fixed DH client certificates
2012-01-25 14:51:49 +00:00
Dr. Stephen Henson
855d29184e
Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
...
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
2012-01-18 18:15:27 +00:00
Dr. Stephen Henson
ac07bc8602
fix CHANGES entry
2012-01-17 14:20:32 +00:00
Dr. Stephen Henson
8e1dc4d7ca
Support for fixed DH ciphersuites.
...
The cipher definitions of these ciphersuites have been around since SSLeay
but were always disabled. Now OpenSSL supports DH certificates they can be
finally enabled.
Various additional changes were needed to make them work properly: many
unused fixed DH sections of code were untested.
2012-01-16 18:19:14 +00:00
Bodo Möller
8e85545284
Update for 0.9.8s and 1.0.0f, and for 1.0.1 branch.
...
(While the 1.0.0f CHANGES entry on VOS PRNG seeding was missing
in HEAD, the actual code is here already.)
2012-01-05 13:48:55 +00:00
Dr. Stephen Henson
4d0bafb4ae
update CHANGES
2012-01-04 23:54:17 +00:00
Dr. Stephen Henson
e745572493
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de>
...
Reviewed by: steve
Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
2012-01-04 23:52:26 +00:00
Dr. Stephen Henson
27dfffd5b7
Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576)
2012-01-04 23:16:15 +00:00
Dr. Stephen Henson
2ec0497f08
fix CHANGES
2012-01-04 23:10:44 +00:00
Dr. Stephen Henson
6bf896d9b1
Check GOST parameters are not NULL (CVE-2012-0027)
2012-01-04 23:03:40 +00:00
Dr. Stephen Henson
be71c37296
Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577)
2012-01-04 23:01:54 +00:00
Dr. Stephen Henson
0b9f5ef809
update CHANGES
2011-12-31 23:08:15 +00:00
Dr. Stephen Henson
4817504d06
PR: 2658
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Support for TLS/DTLS heartbeats.
2011-12-31 22:59:57 +00:00
Dr. Stephen Henson
ad89bf7894
PR: 2563
...
Submitted by: Paul Green <Paul.Green@stratus.com>
Reviewed by: steve
Improved PRNG seeding for VOS.
2011-12-19 17:01:37 +00:00
Andy Polyakov
e75440d2c9
update CHANGES.
2011-12-19 14:48:49 +00:00
Dr. Stephen Henson
188c53f7e8
update CHANGES
2011-12-19 14:41:03 +00:00
Ben Laurie
9a436c0f89
Back out redundant verification time change.
2011-12-13 15:00:43 +00:00
Ben Laurie
7fd5df6b12
Make it possible to set a time for verification.
2011-12-13 14:38:12 +00:00
Dr. Stephen Henson
627b044536
update CHANGES
2011-12-10 00:49:05 +00:00
Dr. Stephen Henson
2ca873e8d8
transparently handle X9.42 DH parameters
2011-12-07 12:44:03 +00:00
Dr. Stephen Henson
afb14cda8c
Initial experimental support for X9.42 DH parameter format to handle
...
RFC5114 parameters and X9.42 DH public and private keys.
2011-12-07 00:32:34 +00:00
Bodo Möller
19b0d0e75b
Resolve a stack set-up race condition (if the list of compression
...
methods isn't presorted, it will be sorted on first read).
Submitted by: Adam Langley
2011-12-02 12:52:00 +00:00
Bodo Möller
ea8c77a55b
Fix ecdsatest.c.
...
Submitted by: Emilia Kasper
2011-12-02 12:41:17 +00:00
Bodo Möller
a7c71d8955
Update HEAD CHANGES file.
2011-12-02 12:28:20 +00:00
Bodo Möller
390c579568
Fix BIO_f_buffer().
...
Submitted by: Adam Langley
Reviewed by: Bodo Moeller
2011-12-02 12:25:03 +00:00
Ben Laurie
e0af04056c
Add TLS exporter.
2011-11-15 23:50:52 +00:00
Ben Laurie
333f926d67
Add DTLS-SRTP.
2011-11-15 22:59:20 +00:00
Dr. Stephen Henson
20bee9684d
Add RFC5114 DH parameters to OpenSSL. Add test data to dhtest.
2011-11-13 14:07:36 +00:00
Dr. Stephen Henson
a98b8ce652
Update fips_test_suite to take multiple command line options and
...
an induced error checking function.
2011-11-06 12:53:13 +00:00
Dr. Stephen Henson
f4324e51dd
Add single call public key sign and verify functions.
2011-11-05 01:34:36 +00:00
Dr. Stephen Henson
3ec9dceb15
Add fips_algvs utility (from FIPS 2.0 stable branch).
2011-11-02 00:57:22 +00:00
Dr. Stephen Henson
5e4eb9954b
add authentication parameter to FIPS_module_mode_set
2011-10-19 22:34:53 +00:00
Bodo Möller
e5641d7f05
BN_BLINDING multi-threading fix.
...
Submitted by: Emilia Kasper (Google)
2011-10-19 14:59:27 +00:00
Bodo Möller
e0d6132b8c
Fix warnings.
...
Also, use the common Configure mechanism for enabling/disabling the 64-bit ECC code.
2011-10-19 08:59:53 +00:00
Bodo Möller
3e00b4c9db
Improve optional 64-bit NIST-P224 implementation, and add NIST-P256 and
...
NIST-P521. (Now -DEC_NISTP_64_GCC_128 enables all three of these;
-DEC_NISTP224_64_GCC_128 no longer works.)
Submitted by: Google Inc.
2011-10-18 19:43:16 +00:00
Bodo Möller
8b37d33a94
typo
2011-10-13 13:20:33 +00:00
Bodo Möller
3ddc06f082
In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
...
Submitted by: Bob Buckholz <bbuckholz@google.com>
2011-10-13 13:05:58 +00:00
Dr. Stephen Henson
ccbb9badba
fix CHANGES entry
2011-10-09 23:11:55 +00:00
Dr. Stephen Henson
2bfeb7dc83
Add FIPS selftests for ECDH algorithm.
2011-09-29 23:08:23 +00:00
Dr. Stephen Henson
cb71870dfa
Use function name FIPS_drbg_health_check() for health check function.
...
Add explanatory comments to health check code.
2011-09-22 14:01:25 +00:00
Dr. Stephen Henson
4420b3b17a
Revise DRBG to split between internal and external flags.
...
One demand health check function.
Perform generation test in fips_test_suite.
Option to skip dh test if fips_test_suite.
2011-09-21 17:04:56 +00:00
Dr. Stephen Henson
15094852de
new function to lookup FIPS supported ciphers by NID
2011-09-14 13:25:48 +00:00
Dr. Stephen Henson
a11f06b2dc
More extensive DRBG health check. New function to call health check
...
for all DRBG combinations.
2011-09-12 18:47:39 +00:00
Dr. Stephen Henson
7fdcb45745
Add support for Dual EC DRBG from SP800-90. Include updates to algorithm
...
tests and POST code.
2011-09-09 17:16:43 +00:00
Dr. Stephen Henson
0486cce653
Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
...
produce an error (CVE-2011-3207)
2011-09-06 15:15:09 +00:00
Bodo Möller
c519e89f5c
Fix session handling.
2011-09-05 13:36:23 +00:00
Bodo Möller
612fcfbd29
Fix d2i_SSL_SESSION.
2011-09-05 13:31:17 +00:00
Bodo Möller
e7928282d0
(EC)DH memory handling fixes.
...
Submitted by: Adam Langley
2011-09-05 10:25:31 +00:00
Bodo Möller
837e1b6812
Fix memory leak on bad inputs.
2011-09-05 09:57:20 +00:00
Bodo Möller
acb4ab34a4
Synchronize with 1.0.1 CHANGES file.
2011-09-05 09:30:50 +00:00
Dr. Stephen Henson
f55f5f775e
Add support for canonical generation of DSA parameter g.
...
Modify fips_dssvs to support appropriate file format.
2011-08-26 14:51:49 +00:00
Andy Polyakov
c608171d9c
Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
2011-08-23 20:51:38 +00:00
Dr. Stephen Henson
1f59a84308
Remove hard coded ecdsaWithSHA1 hack in ssl routines and check for RSA
...
using OBJ xref utilities instead of string comparison with OID name.
This removes the arbitrary restriction on using SHA1 only with some ECC
ciphersuites.
2011-08-14 13:45:19 +00:00
Dr. Stephen Henson
20f12e63ff
Add HMAC DRBG from SP800-90
2011-08-08 22:07:38 +00:00
Dr. Stephen Henson
28dd49faec
Expand range of ctrls for AES GCM to support retrieval and setting of
...
invocation field.
Add complete support for AES GCM ciphersuites including all those in
RFC5288 and RFC5289.
2011-08-03 15:37:22 +00:00
Dr. Stephen Henson
fe8aeffa92
Update CHANGES.
2011-07-25 21:43:57 +00:00
Dr. Stephen Henson
01a9a7592e
Add functions to return FIPS module version.
2011-07-04 23:38:16 +00:00
Bodo Möller
e66cb363d6
Fix the version history: changes going into 1.1.0 that are also going
...
into 1.0.1 should not be listed as "changes between 1.0.1 and 1.0.0".
This makes the OpenSSL_1_0_1-stable and HEAD versions of this file
consistent with each other (the HEAD version has the additional 1.1.0
section, but doesn't otherwise differ).
2011-06-15 14:49:17 +00:00
Dr. Stephen Henson
eda3766b53
Output supported curves in preference order instead of numerically.
2011-05-30 17:58:13 +00:00
Dr. Stephen Henson
992bdde62d
Fix the ECDSA timing attack mentioned in the paper at:
...
http://eprint.iacr.org/2011/232.pdf
Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
2011-05-25 14:41:56 +00:00
Dr. Stephen Henson
f37f20ffd3
PR: 2295
...
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve
OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
2011-05-20 14:56:29 +00:00
Dr. Stephen Henson
101e6e19f2
Add CHANGES entry: add FIPS support to ssl
2011-05-19 18:10:25 +00:00
Dr. Stephen Henson
086e32a6c7
Implement FIPS_mode and FIPS_mode_set
2011-05-19 18:09:02 +00:00
Dr. Stephen Henson
855a54a9a5
Provisional support for TLS v1.2 client authentication: client side only.
...
Parse certificate request message and set digests appropriately.
Generate new TLS v1.2 format certificate verify message.
Keep handshake caches around for longer as they are needed for client auth.
2011-05-12 17:35:03 +00:00
Dr. Stephen Henson
c2fd598994
Rename FIPS_mode_set and FIPS_mode. Theses symbols will be defined in
...
the FIPS capable OpenSSL.
2011-05-11 14:43:38 +00:00
Dr. Stephen Henson
a2f9200fba
Initial TLS v1.2 client support. Include a default supported signature
...
algorithms extension (including everything we support). Swicth to new
signature format where needed and relax ECC restrictions.
Not TLS v1.2 client certifcate support yet but client will handle case
where a certificate is requested and we don't have one.
2011-05-09 15:44:01 +00:00
Dr. Stephen Henson
6b7be581e5
Continuing TLS v1.2 support: add support for server parsing of
...
signature algorithms extension and correct signature format for
server key exchange.
All ciphersuites should now work on the server but no client support and
no client certificate support yet.
2011-05-06 13:00:07 +00:00
Dr. Stephen Henson
7409d7ad51
Initial incomplete TLS v1.2 support. New ciphersuites added, new version
...
checking added, SHA256 PRF support added.
At present only RSA key exchange ciphersuites work with TLS v1.2 as the
new signature format is not yet implemented.
2011-04-29 22:56:51 +00:00
Dr. Stephen Henson
08557cf22c
Initial "opaque SSL" framework. If an application defines
...
OPENSSL_NO_SSL_INTERN all ssl related structures are opaque
and internals cannot be directly accessed. Many applications
will need some modification to support this and most likely some
additional functions added to OpenSSL.
The advantage of this option is that any application supporting
it will still be binary compatible if SSL structures change.
2011-04-29 22:37:12 +00:00
Dr. Stephen Henson
e0d1a2f80a
Always return multiple of block length bytes from default DRBG seed
...
callback.
Handle case where no multiple of the block size is in the interval
[min_len, max_len].
2011-04-23 20:05:19 +00:00
Dr. Stephen Henson
cac4fb58e0
Add PRNG security strength checking.
2011-04-23 19:55:55 +00:00
Dr. Stephen Henson
b5dd178740
Fix EVP CCM decrypt. Add decrypt support to algorithm test program.
2011-04-18 22:48:40 +00:00
Dr. Stephen Henson
2391681082
Initial untested CCM support via EVP.
2011-04-18 14:25:11 +00:00
Dr. Stephen Henson
06b7e5a0e4
Add algorithm driver for XTS mode. Fix several bugs in EVP XTS implementation.
2011-04-15 02:49:30 +00:00
Dr. Stephen Henson
ac892b7aa6
Initial incomplete POST overhaul: add support for POST callback to
...
allow status of POST to be monitored and/or failures induced.
2011-04-14 11:15:10 +00:00
Dr. Stephen Henson
32a2d8ddfe
Provisional AES XTS support.
2011-04-12 23:21:33 +00:00
Dr. Stephen Henson
d7a3ce989c
Update CHANGES.
2011-04-06 23:41:19 +00:00
Dr. Stephen Henson
05e24c87dd
Extensive reorganisation of PRNG handling in FIPS module: all calls
...
now use an internal RAND_METHOD. All dependencies to OpenSSL standard
PRNG are now removed: it is the applications resposibility to setup
the FIPS PRNG and initalise it.
Initial OpenSSL RAND_init_fips() function that will setup the DRBG
for the "FIPS capable OpenSSL".
2011-04-05 15:24:10 +00:00
Dr. Stephen Henson
cab0595c14
Rename deprecated FIPS_rand functions to FIPS_x931. These shouldn't be
...
used by applications directly and the X9.31 PRNG is deprecated by new
FIPS140-2 rules anyway.
2011-04-05 12:42:31 +00:00
Dr. Stephen Henson
96ec46f7c0
Implement health checks needed by SP800-90.
...
Fix warnings.
Instantiate DRBGs at maximum strength.
2011-03-17 16:55:24 +00:00
Ben Laurie
d4f3dd5fb6
Fix Tom Wu's email.
2011-03-16 11:28:43 +00:00
Ben Laurie
0deea0e03c
Note SRP support.
2011-03-12 17:04:07 +00:00
Dr. Stephen Henson
8857b380e2
Add ECDH to validated module.
2011-03-09 23:44:06 +00:00
Dr. Stephen Henson
11e80de3ee
New initial DH algorithm test driver.
2011-03-08 19:10:17 +00:00
Dr. Stephen Henson
591cbfae3c
Initial, provisional, subject to wholesale change, untested, probably
...
not working, incomplete and unused SP800-90 DRBGs for CTR and Hash modes.
Did I say this was untested?
2011-03-04 18:00:21 +00:00
Dr. Stephen Henson
eead69f5ed
Make fipscanisteronly build only required files.
2011-02-21 14:07:15 +00:00
Dr. Stephen Henson
5d439d6955
Make -DOPENSSL_FIPSSYMS work for assembly language builds.
2011-02-17 19:03:52 +00:00
Dr. Stephen Henson
017bc57bf9
Experimental FIPS symbol renaming.
...
Fixups under fips/ to make symbol renaming work.
2011-02-16 14:49:50 +00:00
Dr. Stephen Henson
25c6542944
Add non-FIPS algorithm blocking and selftest checking.
2011-02-15 16:03:47 +00:00
Dr. Stephen Henson
fe26d066ff
Add ECDSA functionality to fips module. Initial very incomplete version
...
of algorithm test program.
2011-02-14 17:14:55 +00:00
Dr. Stephen Henson
b331016124
New option to disable characteristic two fields in EC code.
2011-02-12 17:23:32 +00:00
Dr. Stephen Henson
30b56225cc
New "fispcanisteronly" build option: only build fipscanister.o and
...
associated utilities. This functionality will be used by the validated
tarball.
2011-02-11 19:02:34 +00:00
Dr. Stephen Henson
b3d8022edd
Add GCM IV generator. Add some FIPS restrictions to GCM. Update fips_gcmtest.
2011-02-09 16:21:43 +00:00
Bodo Möller
c415adc26f
Sync with 1.0.1 branch.
...
(CVE-2011-0014 OCSP stapling fix has been applied to HEAD as well.)
2011-02-08 19:09:08 +00:00
Dr. Stephen Henson
bdaa54155c
Initial *very* experimental EVP support for AES-GCM. Note: probably very
...
broken and subject to change.
2011-02-07 18:16:33 +00:00
Dr. Stephen Henson
d45087c672
Use 0 not -1 (since type is size_t) for finalisation argument to do_cipher:
...
the NULL value for the input buffer is sufficient to notice this case.
2011-02-07 18:04:27 +00:00
Dr. Stephen Henson
3da0ca796c
New flags EVP_CIPH_FLAG_CUSTOM_CIPHER in cipher structures if an underlying
...
cipher handles all cipher symantics itself.
2011-02-07 14:36:08 +00:00
Bodo Möller
9bda745876
fix omissions
2011-02-03 11:13:29 +00:00
Bodo Möller
88f2a4cf9c
CVE-2010-4180 fix (from OpenSSL_1_0_0-stable)
2011-02-03 10:43:00 +00:00
Dr. Stephen Henson
968062b7d3
Fix escaping code for string printing. If *any* escaping is enabled we
...
must escape the escape character itself (backslash).
2011-01-03 01:31:24 +00:00
Dr. Stephen Henson
2b3936e882
avoid verification loops in trusted store when path building
2010-12-25 20:45:59 +00:00
Dr. Stephen Henson
300b1d76fe
apply J-PKAKE fix to HEAD (original by Ben)
2010-11-29 18:32:05 +00:00
Dr. Stephen Henson
f830c68f4d
add "missing" functions to copy EVP_PKEY_METHOD and examine info
2010-11-24 16:08:20 +00:00
Dr. Stephen Henson
732d31beee
bring HEAD up to date, add CVE-2010-3864 fix, update NEWS files
2010-11-16 14:18:51 +00:00
Dr. Stephen Henson
e49af2ac38
move CHANGES entry to correct place
2010-10-10 12:24:13 +00:00
Dr. Stephen Henson
5759425810
PR: 2314
...
Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net>
Reviewed by: steve
Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
2010-10-10 12:15:47 +00:00
Dr. Stephen Henson
39239280f3
Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(),
...
this means that some implementations will be used automatically, e.g. aesni,
we do this for cryptodev anyway.
Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it.
2010-10-03 18:58:09 +00:00
Bodo Möller
7b3a9b0099
Update version numbers
2010-08-26 18:45:45 +00:00
Bodo Möller
7c2d4fee25
For better forward-security support, add functions
...
SSL_[CTX_]set_not_resumable_session_callback.
Submitted by: Emilia Kasper (Google)
[A part of this change affecting ssl/s3_lib.c was accidentally commited
separately, together with a compilation fix for that file;
see s3_lib.c CVS revision 1.133 (http://cvs.openssl.org/chngview?cn=19855 ).]
2010-08-26 15:15:47 +00:00
Bodo Möller
04daec862c
New 64-bit optimized implementation EC_GFp_nistp224_method().
...
This will only be compiled in if explicitly requested
(#ifdef EC_NISTP224_64_GCC_128).
Submitted by: Emilia Kasper (Google)
2010-08-26 14:29:55 +00:00
Dr. Stephen Henson
44959ee456
PR: 1833
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>
Support for abbreviated handshakes when renegotiating.
2010-08-26 14:23:52 +00:00
Bodo Möller
c94f7f657b
ECC library bugfixes.
...
Submitted by: Emilia Kasper (Google)
2010-08-26 12:11:01 +00:00
Bodo Möller
173350bcca
Harmonize with OpenSSL_1_0_1-stable version of CHANGES.
2010-08-26 11:22:33 +00:00
Ben Laurie
ee2ffc2794
Add Next Protocol Negotiation.
2010-07-28 10:06:55 +00:00
Dr. Stephen Henson
eb1c48be6f
Add new type ossl_ssize_t instead of ssize_t and move definitions to
...
e_os2.h, this should fix WIN32 compilation issues and hopefully avoid
conflicts with other headers which may workaround ssize_t in different ways.
2010-07-26 18:15:59 +00:00
Dr. Stephen Henson
223c59eae5
Fix WIN32 build system to correctly link ENGINE DLLs contained in a
...
directory: currently the GOST ENGINE is the only case.
2010-07-24 17:52:43 +00:00
Dr. Stephen Henson
7bbd0de88d
Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(),
...
this means that some implementations will be used automatically, e.g. aesni,
we do this for cryptodev anyway.
Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it.
2010-07-21 16:14:48 +00:00
Dr. Stephen Henson
f96ccf36ff
PR: 1830
...
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson
Support for RFC5705 key extractor.
2010-07-18 17:43:18 +00:00
Dr. Stephen Henson
b9e7793dd7
oops, revert wrong patch..
2010-07-18 17:43:01 +00:00
Dr. Stephen Henson
d135da5192
Fix warnings (From HEAD, original patch by Ben).
2010-07-18 16:52:47 +00:00
Dr. Stephen Henson
3cbb15ee81
add CVE-2010-0742 and CVS-2010-1633 fixes
2010-06-01 14:39:01 +00:00
Andy Polyakov
3efe51a407
Revert previous Linux-specific/centric commit#19629. If it really has to
...
be done, it's definitely not the way to do it. So far answer to the
question was to ./config -Wa,--noexecstack (adopted by RedHat).
2010-05-05 22:05:39 +00:00
Ben Laurie
0e3ef596e5
Non-executable stack in asm.
2010-05-05 15:50:13 +00:00
Dr. Stephen Henson
1bf508c9cf
new function to diff tm structures
2010-04-15 13:25:26 +00:00
Dr. Stephen Henson
c0b8eb606f
Add SHA2 algorithms to SSL_library_init(). Although these aren't used
...
directly by SSL/TLS SHA2 certificates are becoming more common and
applications that only call SSL_library_init() and not
OpenSSL_add_all_alrgorithms() will fail when verifying certificates.
Update docs.
2010-04-07 13:18:07 +00:00
Bodo Möller
3e8b6485b3
Fix for "Record of death" vulnerability CVE-2010-0740.
...
Also, add missing CHANGES entry for CVE-2009-3245 (code changes submitted to this branch on 23 Feb 2010),
and further harmonize this version of CHANGES with the versions in the current branches.
2010-03-25 11:25:30 +00:00
Dr. Stephen Henson
be449448dc
update CHANGES
2010-03-14 12:55:15 +00:00
Dr. Stephen Henson
4c623cddbe
add -sigopt option to ca utility
2010-03-14 12:54:45 +00:00
Mark J. Cox
fb75f349b7
This entry was in 0.9.8m changelog but missing from here, since it's
...
security relevent we'd better list it.
2010-03-12 08:36:44 +00:00
Dr. Stephen Henson
f26cf9957f
typo
2010-03-11 14:19:46 +00:00
Dr. Stephen Henson
17c63d1cca
RSA PSS ASN1 signing method
2010-03-11 14:06:46 +00:00
Dr. Stephen Henson
85522a074c
Algorithm specific ASN1 signing functions.
2010-03-11 13:32:38 +00:00
Dr. Stephen Henson
31904ecdf3
RSA PSS verification support including certificates and certificate
...
requests. Add new ASN1 signature initialisation function to handle this
case.
2010-03-08 18:10:35 +00:00
Dr. Stephen Henson
ff04bbe363
Add PSS algorithm printing. This is an initial step towards full PSS support.
...
Uses ASN1 module in Martin Kaiser's PSS patch.
2010-03-06 19:55:25 +00:00
Dr. Stephen Henson
fa1ba589f3
Add algorithm specific signature printing. An individual ASN1 method can
...
now print out signatures instead of the standard hex dump.
More complex signatures (e.g. PSS) can print out more meaningful information.
Sample DSA version included that prints out the signature parameters r, s.
[Note EVP_PKEY_ASN1_METHOD is an application opaque structure so adding
new fields in the middle has no compatibility issues]
2010-03-06 18:05:05 +00:00
Dr. Stephen Henson
cca1cd9a34
Submitted by: Tomas Hoger <thoger@redhat.com>
...
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
2010-03-03 15:41:18 +00:00
Dr. Stephen Henson
0f776277bc
oops, use correct date
2010-02-26 12:13:36 +00:00
Dr. Stephen Henson
db28aa86e0
add -trusted_first option and verify flag
2010-02-25 12:21:48 +00:00
Dr. Stephen Henson
fbd2164044
Experimental support for partial chain verification: if an intermediate
...
certificate is explicitly trusted (using -addtrust option to x509 utility
for example) the verification is sucessful even if the chain is not complete.
2010-02-25 00:17:22 +00:00
Bodo Möller
a839755329
Fix X509_STORE locking
2010-02-19 18:27:07 +00:00
Dr. Stephen Henson
c2c49969e2
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
...
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:38:31 +00:00
Dr. Stephen Henson
47e0a1c335
PR: 2100
...
Submitted by: James Baker <jbaker@tableausoftware.com> et al.
Workaround for slow Heap32Next on some versions of Windows.
2010-02-17 14:32:41 +00:00
Dr. Stephen Henson
f959598866
update references to new RI RFC
2010-02-12 21:59:31 +00:00
Dr. Stephen Henson
c8ef656df2
Make CMAC API similar to HMAC API. Add methods for CMAC.
2010-02-08 15:31:35 +00:00
Dr. Stephen Henson
8c968e0355
Initial experimental CMAC implementation.
2010-02-07 18:01:07 +00:00
Dr. Stephen Henson
c2bf720842
Add missing function EVP_CIPHER_CTX_copy(). Current code uses memcpy() to copy
...
an EVP_CIPHER_CTX structure which may have problems with external ENGINEs
who need to duplicate internal handles etc.
2010-02-07 13:39:39 +00:00
Dr. Stephen Henson
da454e4c67
typo
2010-01-29 00:09:33 +00:00
Dr. Stephen Henson
08c239701b
Experimental renegotiation support in s_server test -www server.
2010-01-28 19:48:36 +00:00
Dr. Stephen Henson
4ba1aa393b
typo
2010-01-27 14:05:39 +00:00
Dr. Stephen Henson
d5e7f2f2c3
PR: 1949
...
Submitted by: steve@openssl.org
More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.
2010-01-26 19:47:37 +00:00
Dr. Stephen Henson
58c0da84dd
Typo
2010-01-26 12:30:00 +00:00
Dr. Stephen Henson
ba64ae6cd1
Tolerate PKCS#8 DSA format with negative private key.
2010-01-22 20:17:12 +00:00
Dr. Stephen Henson
bd5f21a4ae
Fix version handling so it can cope with a major version >3.
...
Although it will be many years before TLS v2.0 or later appears old versions
of servers have a habit of hanging around for a considerable time so best
if we handle this properly now.
2010-01-13 19:08:02 +00:00
Dr. Stephen Henson
1b31b5ad56
Modify compression code so it avoids using ex_data free functions. This
...
stops applications that call CRYPTO_free_all_ex_data() prematurely leaking
memory.
2010-01-13 18:57:40 +00:00
Dr. Stephen Henson
0e0c6821fa
PR: 2136
...
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>
Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0
2010-01-12 17:29:34 +00:00
Dr. Stephen Henson
76998a71bc
Updates to conform with draft-ietf-tls-renegotiation-03.txt:
...
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.
2010-01-06 17:37:09 +00:00
Dr. Stephen Henson
e6f418bcb7
Compression handling on session resume was badly broken: it always
...
used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).
2009-12-31 14:13:30 +00:00
Dr. Stephen Henson
5e63121758
Include CHANGES entry for external cache
2009-12-31 13:58:57 +00:00
Bodo Möller
7427379e9b
Constify crypto/cast.
2009-12-22 10:58:33 +00:00
Dr. Stephen Henson
ef51b4b9b4
New option to enable/disable connection to unpatched servers
2009-12-16 20:25:59 +00:00
Dr. Stephen Henson
7661ccadf0
Add ctrls to clear options and mode.
...
Change RI ctrl so it doesn't clash.
2009-12-09 13:25:16 +00:00
Dr. Stephen Henson
82e610e2cf
Send no_renegotiation alert as required by spec.
2009-12-08 19:06:26 +00:00
Dr. Stephen Henson
5430200b8b
Add ctrl and macro so we can determine if peer support secure renegotiation.
2009-12-08 13:42:08 +00:00
Dr. Stephen Henson
13f6d57b1e
Add support for magic cipher suite value (MCSV). Make secure renegotiation
...
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.
NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.
Change mismatch alerts to handshake_failure as required by spec.
Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
2009-12-08 13:14:03 +00:00
Dr. Stephen Henson
637f374ad4
Initial experimental TLSv1.1 support
2009-12-07 13:31:02 +00:00
Dr. Stephen Henson
9d9530255b
Update CHANGES.
2009-12-02 15:28:27 +00:00
Dr. Stephen Henson
d2a53c2238
Experimental CMS password based recipient Info support.
2009-11-26 18:57:39 +00:00
Bodo Möller
480af99ef4
Make CHANGES in CVS head consistent with the CHANGES files in the
...
branches.
This means that http://www.openssl.org/news/changelog.html will
finally describe 0.9.8l.
2009-11-26 18:43:17 +00:00
Dr. Stephen Henson
3d63b3966f
Split PBES2 into cipher and PBKDF2 versions. This tidies the code somewhat
...
and is a pre-requisite to adding password based CMS support.
2009-11-25 22:01:06 +00:00
Dr. Stephen Henson
e0e7997212
First cut of renegotiation extension. (port to HEAD)
2009-11-09 19:03:34 +00:00
Dr. Stephen Henson
befbd0619b
update CHANGES
2009-11-09 17:33:32 +00:00
Dr. Stephen Henson
245d2ee3d0
Add option to allow in-band CRL loading in verify utility. Add function
...
load_crls and tidy up load_certs. Remove useless purpose variable from
verify utility: now done with args_verify.
2009-10-31 13:33:57 +00:00
Dr. Stephen Henson
bb4060c5b5
Move CHANGES entry to 0.9.8l section
2009-10-30 13:29:30 +00:00
Dr. Stephen Henson
661dc1431f
Fix statless session resumption so it can coexist with SNI
2009-10-30 13:22:24 +00:00
Dr. Stephen Henson
18e503f30f
PR: 2064, 728
...
Submitted by: steve@openssl.org
Add support for custom headers in OCSP requests.
2009-09-30 21:40:55 +00:00
Dr. Stephen Henson
b6dcdbfc94
Audit libcrypto for unchecked return values: fix all cases enountered
2009-09-23 23:43:49 +00:00
Dr. Stephen Henson
acf20c7dbd
Add attribute to check if return value of certain functions is incorrectly
...
ignored.
2009-09-23 16:27:10 +00:00
Dr. Stephen Henson
a25f33d28a
Submitted by: Julia Lawall <julia@diku.dk>
...
The functions ENGINE_ctrl(), OPENSSL_isservice(), EVP_PKEY_sign(),
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix
so the return code is checked correctly.
2009-09-13 11:29:29 +00:00
Dr. Stephen Henson
0c28f277d1
Add new option --strict-warnings to Configure script. This is used to add
...
in devteam warnings into other configurations.
2009-09-09 16:31:32 +00:00
Dr. Stephen Henson
1771668096
Tidy up and fix verify callbacks to avoid structure dereference, use of
...
obsolete functions and enhance to handle new conditions such as policy printing.
2009-09-02 12:47:28 +00:00
Dr. Stephen Henson
6727565a84
PR: 2003
...
Make it possible to install OpenSSL in directories with name other
than "lib" for example "lib64". Based on patch from Jeremy Utley.
2009-08-10 14:48:40 +00:00
Dr. Stephen Henson
d9d0f1b52c
Reject leading 0x80 in OID subidentifiers.
2009-08-06 16:32:54 +00:00
Dr. Stephen Henson
0e4bc56347
Document MD2 deprecation.
2009-07-13 11:58:05 +00:00
Dr. Stephen Henson
9de014a7f8
Update from 0.9.8-stable
2009-06-30 22:27:33 +00:00
Dr. Stephen Henson
d2f6d28298
Update from 0.9.8-stable.
2009-06-28 16:24:37 +00:00
Dr. Stephen Henson
f3be6c7b7d
Update from 1.0.0-stable.
2009-06-26 11:29:26 +00:00
Dr. Stephen Henson
e30dd20c0e
Update from 1.0.0-stable
2009-06-25 11:29:30 +00:00
Dr. Stephen Henson
c05353c50a
Rename asc2uni and uni2asc functions to avoid clashes.
2009-06-17 12:04:56 +00:00
Dr. Stephen Henson
31db43df08
Update from 0.9.8-stable.
2009-06-15 15:01:00 +00:00
Dr. Stephen Henson
d741ccadb5
Oops, update CHANGES entry.
2009-05-31 17:13:55 +00:00
Dr. Stephen Henson
d0b72cf45b
Add CHANGES entries from 0.9.8-stable.
2009-05-18 17:37:33 +00:00
Dr. Stephen Henson
5f8f94a661
Update from 1.0.0-stable.
2009-04-28 22:10:54 +00:00
Dr. Stephen Henson
e5fa864f62
Updates from 1.0.0-stable.
2009-04-15 15:27:03 +00:00
Dr. Stephen Henson
22c98d4aad
Update from 1.0.0-stable
2009-04-08 16:16:35 +00:00
Dr. Stephen Henson
cc7399e79c
Changes from 1.0.0-stable.
2009-04-07 16:33:26 +00:00
Dr. Stephen Henson
14023fe352
Merge from 1.0.0-stable branch.
2009-04-03 11:45:19 +00:00