Dr. Stephen Henson
916e56208b
remove FIPS module code from crypto/evp
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
ebdf37e4b1
remove FIPS module code from crypto/bn
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
1c98de6d81
remove FIPS module code from crypto/ecdh
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
dbfbe10a1f
remove FIPS module code from crypto/ecdsa
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
1bfffe9bd0
Remove FIPS module code from crypto/dh
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
fce8311cae
remove FIPS module code from crypto/dsa
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
8d73db288f
remove FIPS module code from crypto/rsa
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
05417a3476
Remove FIPS error library from openssl.ec mkerr.pl
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
cc2f1045d1
make depend
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
4fa579c58d
Remove fips.h reference.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
e4e5bc39f9
Remove fips_constseg references.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:38 +00:00
Dr. Stephen Henson
85129ab579
remove another FIPSCANISTER reference
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:37 +00:00
Dr. Stephen Henson
b3da6f496b
remove unnecessary OPENSSL_FIPS reference
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:37 +00:00
Dr. Stephen Henson
c603c723ce
Remove OPENSSL_FIPSCANISTER code.
...
OPENSSL_FIPSCANISTER is only set if the fips module is being built
(as opposed to being used). Since the fips module wont be built in
master this is redundant.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:25:16 +00:00
Dr. Stephen Henson
225fce8a98
Remove FIPSCANISTERINTERNAL reference.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:23:54 +00:00
Dr. Stephen Henson
a42366a406
Remove fips utility build rules from test/Makefile
...
The fips test utilities are only build if an FIPS module is being
built from source. As this isn't done in master these are redundant.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:23:48 +00:00
Dr. Stephen Henson
f072785eb4
Remove fipscanister build functionality from makefiles.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:23:45 +00:00
Dr. Stephen Henson
78c990c156
Remove fipscanister from Configure, delete fips directory
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:18:43 +00:00
Dr. Stephen Henson
00b4ee7664
Remove some unnecessary OPENSSL_FIPS references
...
FIPS_mode() exists in all versions of OpenSSL but always returns 0 if OpenSSL is not FIPS
capable.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:18:43 +00:00
Matt Caswell
0c1bd7f03f
Add CHANGES entry for OCB
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 10:29:11 +00:00
Matt Caswell
3feb63054a
Added OPENSSL_NO_OCB guards
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 10:29:03 +00:00
Matt Caswell
e4bbee9633
Add documentation for OCB mode
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 10:28:56 +00:00
Matt Caswell
d827c5edb5
Add tests for OCB mode
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 10:28:47 +00:00
Matt Caswell
e6b336efa3
Add EVP support for OCB mode
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 10:28:34 +00:00
Matt Caswell
c857a80c9d
Add support for OCB mode as per RFC7253
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 10:27:56 +00:00
Emilia Kasper
376e2ca3e3
Clarify the return values for SSL_get_shared_curve.
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-05 18:31:21 +01:00
Emilia Kasper
740580c2b2
Add extra checks for odd-length EC curve lists.
...
Odd-length lists should be rejected everywhere upon parsing. Nevertheless,
be extra careful and add guards against off-by-one reads.
Also, drive-by replace inexplicable double-negation with an explicit comparison.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-05 16:57:58 +01:00
Emilia Kasper
33d5ba8629
Reject elliptic curve lists of odd lengths.
...
The Supported Elliptic Curves extension contains a vector of NamedCurves
of 2 bytes each, so the total length must be even. Accepting odd-length
lists was observed to lead to a non-exploitable one-byte out-of-bounds
read in the latest development branches (1.0.2 and master). Released
versions of OpenSSL are not affected.
Thanks to Felix Groebert of the Google Security Team for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-05 16:32:39 +01:00
Emilia Kasper
f50ffd10fa
Fix broken build
...
Add includes missing from commit 33eab3f6af
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-12-05 16:18:20 +01:00
Kurt Roeckx
33eab3f6af
Replace GOST_R_MALLOC_FAILURE and GOST_R_NO_MEMORY with ERR_R_MALLOC_FAILURE
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Kurt Roeckx
f6fa7c5347
capi_get_provname: Check return values
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
f5905ba341
ssl_create_cipher_list: check whether push onto cipherstack succeeds
...
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
b3b966fb87
ssl_cert_dup: Fix memory leak
...
Always use goto err on failure and call ssl_cert_free() on the error path so all
fields and "ret" itself are freed
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Kurt Roeckx
6c42b39c95
dtls1_new: free s on error path
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
241e2dc936
dtls1_heartbeat: check for NULL after allocating s->cert->ctypes
...
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
d15f5df70d
dtls1_process_heartbeat: check for NULL after allocating buffer
...
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
b1a08ac71f
capi_get_key: check for NULL after allocating key
...
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
8607322765
capi_cert_get_fname: check for NULL after allocating wfname
...
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
e2140501fd
capi_get_provname: free name on error if it was malloc'ed
...
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
0716f9e405
pkey_gost_mac_keygen: check for NULL after allocating keydata
...
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
787e992965
pkey_gost_ctrl: check for NULL after allocating pctx->shared_ukm
...
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:43 +01:00
Kurt Roeckx
12478cc449
Update changes to indicate that SSLv2 support has been removed
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-04 15:51:28 +01:00
Matt Caswell
71c16698fa
Remove incorrect code inadvertently introduced through commit 59669b6ab
.
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-04 14:17:50 +00:00
Kurt Roeckx
45f55f6a5b
Remove SSLv2 support
...
The only support for SSLv2 left is receiving a SSLv2 compatible client hello.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 11:55:03 +01:00
Rich Salz
616f71e486
New location on website for binaries.
...
Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-12-03 10:55:31 -05:00
Matt Caswell
4bb8eb9ce4
Remove "#if 0" code
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:25:00 +00:00
Matt Caswell
047f21593e
Only use the fallback mtu after 2 unsuccessful retransmissions if it is less
...
than the mtu we are already using
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:53 +00:00
Matt Caswell
464ce92026
Updates to s_client and s_server to remove the constant 28 (for IPv4 header
...
and UDP header) when setting an mtu. This constant is not always correct (e.g.
if using IPv6). Use the new DTLS_CTRL functions instead.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:41 +00:00
Matt Caswell
d3d9eef316
If we really get a situation where the underlying mtu is less than the minimum
...
we will support then dtls1_do_write can go into an infinite loop. This commit
fixes that.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:28 +00:00
Matt Caswell
1620a2e49c
Fix dtls_query_mtu so that it will always either complete with an mtu that is
...
at least the minimum or it will fail.
There were some instances in dtls1_query_mtu where the final mtu can end up
being less than the minimum, i.e. where the user has set an mtu manually. This
shouldn't be allowed. Also remove dtls1_guess_mtu that, despite having
logic for guessing an mtu, was actually only ever used to work out the minimum
mtu to use.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:20 +00:00