oweals/openssl.git
10 years agoPrepare for 1.0.1f release OpenSSL_1_0_1f
Dr. Stephen Henson [Mon, 6 Jan 2014 14:36:07 +0000 (14:36 +0000)]
Prepare for 1.0.1f release

10 years agoFix for TLS record tampering bug CVE-2013-4353
Dr. Stephen Henson [Mon, 6 Jan 2014 14:35:04 +0000 (14:35 +0000)]
Fix for TLS record tampering bug CVE-2013-4353

10 years agomake update
Dr. Stephen Henson [Mon, 6 Jan 2014 13:33:27 +0000 (13:33 +0000)]
make update

10 years agoRestore SSL_OP_MSIE_SSLV2_RSA_PADDING
Dr. Stephen Henson [Sat, 4 Jan 2014 13:50:52 +0000 (13:50 +0000)]
Restore SSL_OP_MSIE_SSLV2_RSA_PADDING

The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
(cherry picked from commit b17d6b8d1d49fa4732deff17cfd1833616af0d9c)

10 years agoupdate NEWS
Dr. Stephen Henson [Thu, 2 Jan 2014 19:02:28 +0000 (19:02 +0000)]
update NEWS

10 years agoDon't change version number if session established
Dr. Stephen Henson [Tue, 24 Dec 2013 18:17:00 +0000 (18:17 +0000)]
Don't change version number if session established

When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191

10 years agoDon't use rdrand engine as default unless explicitly requested.
Dr. Stephen Henson [Wed, 11 Dec 2013 14:45:12 +0000 (14:45 +0000)]
Don't use rdrand engine as default unless explicitly requested.
(cherry picked from commit 8f68678989a198ead3ab59a698302ecb0f1c8fb1)

10 years agoFix DTLS retransmission from previous session.
Dr. Stephen Henson [Fri, 20 Dec 2013 15:26:50 +0000 (15:26 +0000)]
Fix DTLS retransmission from previous session.

For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.

10 years agoIgnore NULL parameter in EVP_MD_CTX_destroy.
Dr. Stephen Henson [Fri, 20 Dec 2013 15:12:26 +0000 (15:12 +0000)]
Ignore NULL parameter in EVP_MD_CTX_destroy.

10 years agoUse version in SSL_METHOD not SSL structure.
Dr. Stephen Henson [Thu, 19 Dec 2013 14:37:39 +0000 (14:37 +0000)]
Use version in SSL_METHOD not SSL structure.

When deciding whether to use TLS 1.2 PRF and record hash algorithms
use the version number in the corresponding SSL_METHOD structure
instead of the SSL structure. The SSL structure version is sometimes
inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449)

10 years agosha512.c: fullfull implicit API contract in SHA512_Transform.
Andy Polyakov [Wed, 18 Dec 2013 20:27:35 +0000 (21:27 +0100)]
sha512.c: fullfull implicit API contract in SHA512_Transform.

SHA512_Transform was initially added rather as tribute to tradition
than for practucal reasons. But use was recently found in ssl/s3_cbc.c
and it turned to be problematic on platforms that don't tolerate
misasligned references to memory and lack assembly subroutine.
(cherry picked from commit cdd1acd788020d2c525331da1712ada778f1373c)

10 years agoCheck EVP errors for handshake digests.
Dr. Stephen Henson [Sat, 14 Dec 2013 13:55:48 +0000 (13:55 +0000)]
Check EVP errors for handshake digests.

Partial mitigation of PR#3200

10 years agoGet FIPS checking logic right.
Dr. Stephen Henson [Tue, 10 Dec 2013 12:52:27 +0000 (12:52 +0000)]
Get FIPS checking logic right.

We need to lock when *not* in FIPS mode.
(cherry picked from commit 57c4e42d7545b51cbc00015defc81db7236dc15f)

10 years agoremove obsolete STATUS file
Dr. Stephen Henson [Tue, 10 Dec 2013 00:10:53 +0000 (00:10 +0000)]
remove obsolete STATUS file

10 years agoAdd release dates to NEWS
Dr. Stephen Henson [Mon, 9 Dec 2013 23:55:12 +0000 (23:55 +0000)]
Add release dates to NEWS

10 years agomake update
Dr. Stephen Henson [Sun, 8 Dec 2013 13:13:29 +0000 (13:13 +0000)]
make update

10 years agoAvoid multiple locks in FIPS mode.
Dr. Stephen Henson [Wed, 4 Dec 2013 13:39:04 +0000 (13:39 +0000)]
Avoid multiple locks in FIPS mode.

PR: 3176.

In FIPS mode ssleay_rand_bytes is only used for PRNG seeding and is
performed in either a single threaded context (when the PRNG is first
initialised) or under a lock (reseeding). To avoid multiple locks disable
use of CRYPTO_LOCK_RAND in FIPS mode in ssleay_rand_bytes.
(cherry picked from commit 53142f72c9b9c9bad2f39ca6200a4f04f5c8001c)

10 years agobn/asm/x86_64-mont5.pl: comply with Win64 ABI.
Andy Polyakov [Tue, 3 Dec 2013 22:59:55 +0000 (23:59 +0100)]
bn/asm/x86_64-mont5.pl: comply with Win64 ABI.

PR: 3189
Submitted by: Oscar Ciurana
(cherry picked from commit c5d5f5bd0fe8b2313bec844c0f80f3d49562bfa8)

10 years agoSimplify and update openssl.spec
Dr. Stephen Henson [Wed, 27 Nov 2013 15:35:56 +0000 (15:35 +0000)]
Simplify and update openssl.spec

11 years agosrp/srp_grps.h: make it Compaq C-friendly.
Andy Polyakov [Tue, 12 Nov 2013 21:09:55 +0000 (22:09 +0100)]
srp/srp_grps.h: make it Compaq C-friendly.

PR: 3165
Submitted by: Daniel Richard G.
(cherry picked from commit 2df9ec01d563f9cc2deab07e8c3391059d476592)
(cherry picked from commit 0de70011adf6952e3b975d1a8a383879b64f3b77)

11 years agomodes/asm/ghash-alpha.pl: update from HEAD.
Andy Polyakov [Tue, 12 Nov 2013 20:59:01 +0000 (21:59 +0100)]
modes/asm/ghash-alpha.pl: update from HEAD.

PR: 3165
(cherry picked from commit 220d1e5353409d9af938111b22d6b58e6a42f633)

11 years agoMake Makefiles OSF-make-friendly.
Andy Polyakov [Tue, 12 Nov 2013 20:49:15 +0000 (21:49 +0100)]
Make Makefiles OSF-make-friendly.

PR: 3165
(cherry picked from commit d1cf23ac86c05b22b8780e2c03b67230564d2d34)

11 years agoFix memory leak.
Dr. Stephen Henson [Mon, 11 Nov 2013 22:39:40 +0000 (22:39 +0000)]
Fix memory leak.
(cherry picked from commit 16bc45ba956fdf07c7cda7feda88de597569df63)

11 years agoTypo.
Dr. Stephen Henson [Mon, 11 Nov 2013 22:24:08 +0000 (22:24 +0000)]
Typo.
(cherry picked from commit 5c50462e1e23eeb6d91e1e5311f5da0b79b04fb4)

11 years agoMakefile.org: make FIPS build work with BSD make.
Andy Polyakov [Sun, 10 Nov 2013 22:06:41 +0000 (23:06 +0100)]
Makefile.org: make FIPS build work with BSD make.
(cherry picked from commit 60adefa61025ffd7d56cf7ff8491008f783282bf)

11 years agoCheck for missing components in RSA_check.
Dr. Stephen Henson [Thu, 7 Nov 2013 15:15:20 +0000 (15:15 +0000)]
Check for missing components in RSA_check.
(cherry picked from commit 01be36ef70525e81fc358d2e559bdd0a0d9427a5)

11 years agoDocument RSAPublicKey_{in,out} options.
Dr. Stephen Henson [Thu, 7 Nov 2013 17:27:07 +0000 (17:27 +0000)]
Document RSAPublicKey_{in,out} options.
(cherry picked from commit 7040d73d22987532faa503630d6616cf2788c975)

11 years agoengines/ccgost/gost89.h: make word32 defintion unconditional.
Andy Polyakov [Fri, 8 Nov 2013 22:00:35 +0000 (23:00 +0100)]
engines/ccgost/gost89.h: make word32 defintion unconditional.

Original definition depended on __LONG_MAX__ that is not guaranteed to
be present. As we don't support platforms with int narrower that 32 bits
it's appropriate to make defition inconditional.

PR: 3165
(cherry picked from commit 96180cac04591abfe50fc86096365553484bde65)

11 years agomodes/asm/ghash-alpha.pl: make it work with older assembler.
Andy Polyakov [Fri, 8 Nov 2013 21:56:44 +0000 (22:56 +0100)]
modes/asm/ghash-alpha.pl: make it work with older assembler.

PR: 3165
(cherry picked from commit d24d1d7daf515aa19fbf18f6371e3e617028a07c)

11 years agoEnable PSK in FIPS mode.
Dr. Stephen Henson [Wed, 6 Nov 2013 14:38:28 +0000 (14:38 +0000)]
Enable PSK in FIPS mode.

Enable PSK ciphersuites with AES or DES3 in FIPS mode.
(cherry picked from commit e0ffd129c16af90eb5e2ce54e57832c0046d1aaf)

11 years agoInitialise context before using it.
Dr. Stephen Henson [Wed, 6 Nov 2013 13:16:50 +0000 (13:16 +0000)]
Initialise context before using it.
(cherry picked from commit a4947e4e064d2d5bb622ac64cf13edc4a46ed196)

11 years agoPBKDF2 should be efficient. Contributed by Christian Heimes
Ben Laurie [Sun, 3 Nov 2013 17:23:50 +0000 (17:23 +0000)]
PBKDF2 should be efficient. Contributed by Christian Heimes
<christian@python.org>.

11 years agoDTLS/SCTP Finished Auth Bug
Robin Seggelmann [Wed, 9 May 2012 17:28:41 +0000 (19:28 +0200)]
DTLS/SCTP Finished Auth Bug

PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key.  Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
(cherry picked from commit 9fb523adce6fd6015b68da2ca8e4ac4900ac2be2)
(cherry picked from commit b9ef52b07897f249a9fa44943dba33fba8fb2721)

11 years agoDTLS/SCTP struct authchunks Bug
Robin Seggelmann [Wed, 9 May 2012 17:28:44 +0000 (19:28 +0200)]
DTLS/SCTP struct authchunks Bug

PR: 2809

DTLS/SCTP requires DATA and FORWARD-TSN chunks to be protected with
SCTP-AUTH.  It is checked if this has been activated successfully for
the local and remote peer. Due to a bug, however, the
gauth_number_of_chunks field of the authchunks struct is missing on
FreeBSD, and was therefore not considered in the OpenSSL implementation.
This patch sets the corresponding pointer for the check correctly
whether or not this bug is present.
(cherry picked from commit f596e3c491035fe80db5fc0c3ff6b647662b0003)
(cherry picked from commit b8140811367f6e1ef13afa6ffe9625309c46946c)

11 years agoFix another gmt_unix_time case in server_random
Nick Mathewson [Sun, 20 Oct 2013 22:08:58 +0000 (15:08 -0700)]
Fix another gmt_unix_time case in server_random

11 years agoDon't use RSA+MD5 with TLS 1.2
Dr. Stephen Henson [Tue, 15 Oct 2013 13:15:54 +0000 (14:15 +0100)]
Don't use RSA+MD5 with TLS 1.2

Since the TLS 1.2 supported signature algorithms extension is less
sophisticaed in OpenSSL 1.0.1 this has to be done in two stages.

RSA+MD5 is removed from supported signature algorithms extension:
any compliant implementation should never use RSA+MD5 as a result.

To cover the case of a broken implementation using RSA+MD5 anyway
disable lookup of MD5 algorithm in TLS 1.2.

11 years agoMore cleanup.
Ben Laurie [Sat, 19 Oct 2013 11:37:15 +0000 (12:37 +0100)]
More cleanup.

11 years agoCleanup.
Ben Laurie [Sat, 19 Oct 2013 11:34:15 +0000 (12:34 +0100)]
Cleanup.

11 years agoMerge branch 'no_gmt_unix_time' of git://github.com/nmathewson/openssl into OpenSSL_1...
Ben Laurie [Sat, 19 Oct 2013 10:46:32 +0000 (11:46 +0100)]
Merge branch 'no_gmt_unix_time' of git://github.com/nmathewson/openssl into OpenSSL_1_0_1-stable

11 years agoMIPS assembly pack: get rid of deprecated instructions.
Andy Polyakov [Sun, 13 Oct 2013 11:14:52 +0000 (13:14 +0200)]
MIPS assembly pack: get rid of deprecated instructions.

Latest MIPS ISA specification declared 'branch likely' instructions
obsolete. To makes code future-proof replace them with equivalent.
(cherry picked from commit 0c2adb0a9be76da8de9bbfd5377215f71711a52e)

11 years agoaes/asm/bsaes-x86_64.pl: update from master.
Andy Polyakov [Sat, 12 Oct 2013 19:47:54 +0000 (21:47 +0200)]
aes/asm/bsaes-x86_64.pl: update from master.

Performance improvement and Windows-specific bugfix (PR#3139).
(cherry picked from commit 9ed6fba2b4685ced2340feff03da5a12ed14b003)

11 years agoControl sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
Nick Mathewson [Wed, 9 Oct 2013 14:37:53 +0000 (10:37 -0400)]
Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE

(I'd rather use an option, but it appears that the options field is
full.)

Now, we send the time in the gmt_unix_time field if the appropriate
one of these mode options is set, but randomize the field if the flag
is not set.

11 years agoRefactor {client,server}_random to call an intermediate function
Nick Mathewson [Wed, 9 Oct 2013 14:28:42 +0000 (10:28 -0400)]
Refactor {client,server}_random to call an intermediate function

I'll be using this to make an option for randomizing the time.

11 years agoevp/e_des3.c: fix typo with potential integer overflow on 32-bit platforms.
Andy Polyakov [Thu, 3 Oct 2013 08:55:49 +0000 (10:55 +0200)]
evp/e_des3.c: fix typo with potential integer overflow on 32-bit platforms.

Submitted by: Yuriy Kaminskiy
(cherry picked from commit 524b00c0da42b129ed8622dfb3f5eab9cc5d6617)

Resolved conflicts:

crypto/evp/e_des3.c

11 years agoConstification.
Ben Laurie [Tue, 1 Oct 2013 13:51:04 +0000 (14:51 +0100)]
Constification.

11 years agoTypo.
Dr. Stephen Henson [Wed, 17 Jul 2013 13:19:40 +0000 (14:19 +0100)]
Typo.
(cherry picked from commit 415ece73015a0e24ea934ecfb857d022952bb65b)

11 years agoDisable Dual EC DRBG.
Dr. Stephen Henson [Mon, 16 Sep 2013 04:23:44 +0000 (05:23 +0100)]
Disable Dual EC DRBG.

Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.

11 years agoFix warning.
Dr. Stephen Henson [Mon, 16 Sep 2013 05:12:00 +0000 (06:12 +0100)]
Fix warning.

11 years agoDo not include a timestamp in the ServerHello Random field.
Nick Mathewson [Mon, 16 Sep 2013 17:32:54 +0000 (13:32 -0400)]
Do not include a timestamp in the ServerHello Random field.

Instead, send random bytes.

11 years agoDo not include a timestamp in the ClientHello Random field.
Nick Mathewson [Sun, 8 Sep 2013 00:40:59 +0000 (20:40 -0400)]
Do not include a timestamp in the ClientHello Random field.

Instead, send random bytes.

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.
    * If the PRNG output is prone to repeat itself, ephemeral
    * handshakes (and who knows what else besides) are broken.

11 years agoUpdate CHANGES.
Rob Stradling [Thu, 12 Sep 2013 21:05:17 +0000 (22:05 +0100)]
Update CHANGES.

11 years agoTidy up comments.
Rob Stradling [Tue, 10 Sep 2013 10:06:55 +0000 (11:06 +0100)]
Tidy up comments.

11 years agoUse TLS version supplied by client when fingerprinting Safari.
Rob Stradling [Tue, 10 Sep 2013 10:03:29 +0000 (11:03 +0100)]
Use TLS version supplied by client when fingerprinting Safari.

11 years agoFix compilation with no-ec and/or no-tlsext.
Rob Stradling [Tue, 10 Sep 2013 10:00:57 +0000 (11:00 +0100)]
Fix compilation with no-ec and/or no-tlsext.

11 years agoDon't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
Rob Stradling [Mon, 9 Sep 2013 11:52:41 +0000 (12:52 +0100)]
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.

11 years agoRemove AVX and VIS3 support.
Ben Laurie [Mon, 16 Sep 2013 14:05:21 +0000 (15:05 +0100)]
Remove AVX and VIS3 support.

11 years agogcm128.c: update from master (add AVX and VIS3 support).
Andy Polyakov [Sun, 19 May 2013 19:55:30 +0000 (21:55 +0200)]
gcm128.c: update from master (add AVX and VIS3 support).

11 years agocrypto/modes: even more strict aliasing fixes [and fix bug in cbc128.c from
Andy Polyakov [Mon, 5 Nov 2012 17:03:39 +0000 (17:03 +0000)]
crypto/modes: even more strict aliasing fixes [and fix bug in cbc128.c from
previous cbc128.c commit].

11 years agocbc128.c: fix strict aliasing warning.
Andy Polyakov [Mon, 5 Nov 2012 10:04:02 +0000 (10:04 +0000)]
cbc128.c: fix strict aliasing warning.

11 years agoSync CHANGES and NEWS files.
Bodo Moeller [Mon, 16 Sep 2013 12:47:56 +0000 (14:47 +0200)]
Sync CHANGES and NEWS files.

11 years ago Fix overly lenient comparisons:
Bodo Moeller [Mon, 16 Sep 2013 11:03:27 +0000 (13:03 +0200)]
Fix overly lenient comparisons:

    - EC_GROUP_cmp shouldn't consider curves equal just because
      the curve name is the same. (They really *should* be the same
      in this case, but there's an EC_GROUP_set_curve_name API,
      which could be misused.)

    - EC_POINT_cmp shouldn't return 0 for ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
      or EC_R_INCOMPATIBLE_OBJECTS errors because in a cmp API, 0 indicates
      equality (not an error).

    Reported by: king cope

(cherry picked from commit 312a46791ab465cfa3bf26764361faed0e5df014)

11 years agocrypto/armcap.c: fix typo in rdtsc subroutine.
Andy Polyakov [Sun, 15 Sep 2013 20:07:49 +0000 (22:07 +0200)]
crypto/armcap.c: fix typo in rdtsc subroutine.

PR: 3125
Submitted by: Kyle McMartin
(cherry picked from commit 8e52a9063a8a016bdac780005256994d26f9c2f9)

11 years agoCorrect ECDSA example.
Dr. Stephen Henson [Tue, 20 Aug 2013 15:33:02 +0000 (16:33 +0100)]
Correct ECDSA example.
(cherry picked from commit 3a918ea2bbf4175d9461f81be1403d3781b2c0dc)

11 years agoDTLS message_sequence number wrong in rehandshake ServerHello
Michael Tuexen [Tue, 13 Aug 2013 17:53:19 +0000 (18:53 +0100)]
DTLS message_sequence number wrong in rehandshake ServerHello

This fix ensures that
* A HelloRequest is retransmitted if not responded by a ClientHello
* The HelloRequest "consumes" the sequence number 0. The subsequent
ServerHello uses the sequence number 1.
* The client also expects the sequence number of the ServerHello to
be 1 if a HelloRequest was received earlier.
This patch fixes the RFC violation.
(cherry picked from commit b62f4daac00303280361924b9cc19b3e27528b15)

11 years agoDTLS handshake fix.
Michael Tuexen [Thu, 8 Aug 2013 12:28:55 +0000 (13:28 +0100)]
DTLS handshake fix.

Reported by: Prashant Jaikumar <rmstar@gmail.com>

Fix handling of application data received before a handshake.
(cherry picked from commit 0c75eeacd3285b395dc75b65c3e6fe6ffbef59f0)

11 years agoFix verify loop with CRL checking.
Dr. Stephen Henson [Fri, 12 Jul 2013 16:35:08 +0000 (17:35 +0100)]
Fix verify loop with CRL checking.

PR #3090
Reported by: Franck Youssef <fry@open.ch>

If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.

This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.
(cherry picked from commit 4b26645c1a71cf9ce489e4f79fc836760b670ffe)

11 years agoFix for PEM_X509_INFO_read_bio.
Kaspar Brand [Tue, 6 Aug 2013 15:01:47 +0000 (16:01 +0100)]
Fix for PEM_X509_INFO_read_bio.

PR: 3028
Fix bug introduced in PEM_X509_INFO_bio which wouldn't process RSA keys
correctly if they appeared first.
(cherry picked from commit 5ae8d6bcbaff99423a2608559d738a3fcf7ed6dc)

11 years agocrypto/evp/e_aes.c: fix logical pre-processor bug and formatting.
Andy Polyakov [Sat, 3 Aug 2013 14:56:58 +0000 (16:56 +0200)]
crypto/evp/e_aes.c: fix logical pre-processor bug and formatting.

Bug would emerge when XTS is added to bsaes-armv7.pl. Pointed out by
Ard Biesheuvel of Linaro.
(cherry picked from commit 044f63086051d7542fa9485a1432498c39c4d8fa)

11 years agocrypto/sha/asm/sha1-x86_64.pl: comply with Win64 ABI.
Andy Polyakov [Wed, 31 Jul 2013 21:53:49 +0000 (23:53 +0200)]
crypto/sha/asm/sha1-x86_64.pl: comply with Win64 ABI.

11 years agoconfig: fix executable format detection on latest FreeBSD.
Andy Polyakov [Sun, 30 Jun 2013 21:55:55 +0000 (23:55 +0200)]
config: fix executable format detection on latest FreeBSD.

Submitted by: Bryan Drewery
PR: 3075
(cherry picked from commit c256e69d3f3acd0794ae9c1f353f4093bd4c8878)

11 years agoPA-RISC assembler pack: switch to bve in 64-bit builds.
Andy Polyakov [Tue, 18 Jun 2013 08:37:00 +0000 (10:37 +0200)]
PA-RISC assembler pack: switch to bve in 64-bit builds.

PR: 3074
(cherry picked from commit 02450ec69dda7815ba1e7bd74eb30f0ae1eb3042)

11 years agoTypo: don't call RAND_cleanup during app startup.
Dr. Stephen Henson [Wed, 12 Jun 2013 20:16:31 +0000 (21:16 +0100)]
Typo: don't call RAND_cleanup during app startup.
(cherry picked from commit 90e7f983b573c3f3c722a02db4491a1b1cd87e8c)

11 years agoDon't use RC2 with PKCS#12 files in FIPS mode.
Dr. Stephen Henson [Thu, 30 May 2013 20:39:50 +0000 (21:39 +0100)]
Don't use RC2 with PKCS#12 files in FIPS mode.

11 years agoFix PSS signature printing.
Dr. Stephen Henson [Sun, 5 May 2013 12:34:03 +0000 (13:34 +0100)]
Fix PSS signature printing.

Fix PSS signature printing: consistently use 0x prefix for hex values for
padding length and trailer fields.
(cherry picked from commit deb24ad53147f5a8dd63416224a5edd7bbc0e74a)

11 years agoReencode with X509_CRL_ctx_sign too.
Dr. Stephen Henson [Fri, 3 May 2013 11:31:47 +0000 (12:31 +0100)]
Reencode with X509_CRL_ctx_sign too.
(cherry picked from commit 96940f4f2d0300c033379a87db0ff19e598c6264)

11 years agoReencode certificates in X509_sign_ctx.
Dr. Stephen Henson [Thu, 2 May 2013 11:18:46 +0000 (12:18 +0100)]
Reencode certificates in X509_sign_ctx.

Reencode certificates in X509_sign_ctx as well as X509_sign.

This was causing a problem in the x509 application when it modified an
existing certificate.
(cherry picked from commit c6d8adb8a45186617e0a8e2c09469bd164b92b31)

11 years agocrypto/modes/modes_lcl.h: let STRICT_ALIGNMENT be on ARMv7.
Andy Polyakov [Sat, 13 Apr 2013 18:57:37 +0000 (20:57 +0200)]
crypto/modes/modes_lcl.h: let STRICT_ALIGNMENT be on ARMv7.

While ARMv7 in general is capable of unaligned access, not all instructions
actually are. And trouble is that compiler doesn't seem to differentiate
those capable and incapable of unaligned access. Side effect is that kernel
goes into endless loop retrying same instruction triggering unaligned trap.
Problem was observed in xts128.c and ccm128.c modules. It's possible to
resolve it by using (volatile u32*) casts, but letting STRICT_ALIGNMENT
be feels more appropriate.
(cherry picked from commit 3bdd80521a81d50ade4214053cd9b293f920a77b)

11 years agoSet s->d1 to NULL after freeing it.
Dr. Stephen Henson [Mon, 8 Apr 2013 17:03:12 +0000 (18:03 +0100)]
Set s->d1 to NULL after freeing it.
(cherry picked from commit 04638f2fc335a6dc2af8e5d556d36e29c261dcd2)

11 years agoTypo.
Dr. Stephen Henson [Sun, 31 Mar 2013 16:42:46 +0000 (17:42 +0100)]
Typo.
(cherry picked from commit 0ded2a06891a4d5a207d8f29aa9a89a755158170)

11 years agoCall RAND_cleanup in openssl application.
Dr. Stephen Henson [Thu, 28 Mar 2013 14:28:06 +0000 (14:28 +0000)]
Call RAND_cleanup in openssl application.

11 years agoMake binary curve ASN.1 work in FIPS mode.
Matt Caswell [Tue, 26 Mar 2013 15:39:50 +0000 (15:39 +0000)]
Make binary curve ASN.1 work in FIPS mode.

Don't check for binary curves by checking methods: the values will
be different in FIPS mode as they are redirected to the validated module
version.
(cherry picked from commit 94782e0e9c28bd872107b8f814f4db68c9fbf5ab)

11 years agoDisable compression for DTLS.
Dr. Stephen Henson [Tue, 19 Mar 2013 13:46:28 +0000 (13:46 +0000)]
Disable compression for DTLS.

The only standard compression method is stateful and is incompatible with
DTLS.
(cherry picked from commit e14b8410ca882da8e9579a2d928706f894c8e1ae)

11 years agox86cpuid.pl: make it work with older CPUs.
Andy Polyakov [Mon, 4 Mar 2013 19:05:04 +0000 (20:05 +0100)]
x86cpuid.pl: make it work with older CPUs.

PR: 3005
(cherry picked from commit 5702e965d759dde8a098d8108660721ba2b93a7d)

11 years agoe_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
Andy Polyakov [Mon, 18 Mar 2013 18:29:41 +0000 (19:29 +0100)]
e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.

PR: 3002
(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)

11 years agoAvoid unnecessary fragmentation.
Michael Tuexen [Mon, 18 Mar 2013 14:30:38 +0000 (14:30 +0000)]
Avoid unnecessary fragmentation.
(cherry picked from commit 80ccc66d7eedb2d06050130c77c482ae1584199a)

11 years agoEncode INTEGER correctly.
Dr. Stephen Henson [Mon, 18 Mar 2013 14:19:40 +0000 (14:19 +0000)]
Encode INTEGER correctly.

If an ASN1_INTEGER structure is allocated but not explicitly set encode
it as zero: don't generate an invalid zero length INTEGER.
(cherry picked from commit 1643edc63c3e15b6db5a15a728bc288f2cc2bbc7)

11 years agoMerge branch 'OpenSSL_1_0_1-stable' of ../openssl into OpenSSL_1_0_1-stable
Dr. Stephen Henson [Mon, 18 Mar 2013 14:00:13 +0000 (14:00 +0000)]
Merge branch 'OpenSSL_1_0_1-stable' of ../openssl into OpenSSL_1_0_1-stable

11 years agoTypo.
Dr. Stephen Henson [Mon, 18 Mar 2013 13:58:32 +0000 (13:58 +0000)]
Typo.
(cherry picked from commit 1546fb780bc11556a18d70c5fb29af4a9d5beaff)

11 years agox86_64-gf2m.pl: fix typo.
Andy Polyakov [Fri, 1 Mar 2013 21:36:36 +0000 (22:36 +0100)]
x86_64-gf2m.pl: fix typo.
(cherry picked from commit 342dbbbe4eb82b6e12163965a12f580c2deb03ad)

11 years agox86_64-gf2m.pl: add missing Windows build fix for #2963.
Andy Polyakov [Fri, 1 Mar 2013 20:43:10 +0000 (21:43 +0100)]
x86_64-gf2m.pl: add missing Windows build fix for #2963.

PR: 3004
(cherry picked from commit 7c43601d4424575d589f028aed0d5a4ae337527f)

11 years agobn_nist.c: cumulative update from master.
Andy Polyakov [Sat, 16 Feb 2013 10:38:46 +0000 (11:38 +0100)]
bn_nist.c: cumulative update from master.

PR: 2981, 2837

11 years agoFix POD errors to stop make install_docs dying with pod2man 2.5.0+
Nick Alcock [Fri, 15 Feb 2013 17:44:11 +0000 (17:44 +0000)]
Fix POD errors to stop make install_docs dying with pod2man 2.5.0+

podlators 2.5.0 has switched to dying on POD syntax errors. This means
that a bunch of long-standing erroneous POD in the openssl documentation
now leads to fatal errors from pod2man, halting installation.

Unfortunately POD constraints mean that you have to sort numeric lists
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
you want 1 to appear first. I've reshuffled such (alas, I wish there
were a better way but I don't know of one).
(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)

11 years agocms-test.pl: make it work with not-so-latest perl.
Andy Polyakov [Mon, 16 May 2011 18:11:45 +0000 (18:11 +0000)]
cms-test.pl: make it work with not-so-latest perl.
(cherry picked from commit 9c437e2faded18b4ef6499d7041c65d6e216955b)

11 years agoCheck DTLS_BAD_VER for version number.
David Woodhouse [Tue, 12 Feb 2013 14:55:32 +0000 (14:55 +0000)]
Check DTLS_BAD_VER for version number.

The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

PR:2984
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)

11 years agoFix for SSL_get_certificate
Dr. Stephen Henson [Mon, 11 Feb 2013 18:24:03 +0000 (18:24 +0000)]
Fix for SSL_get_certificate

Now we set the current certificate to the one used by a server
there is no need to call ssl_get_server_send_cert which will
fail if we haven't sent a certificate yet.

11 years agoFix in ssltest is no-ssl2 configured
Dr. Stephen Henson [Mon, 11 Feb 2013 18:17:50 +0000 (18:17 +0000)]
Fix in ssltest is no-ssl2 configured

11 years agoupdate CHANGES
Dr. Stephen Henson [Mon, 11 Feb 2013 16:35:10 +0000 (16:35 +0000)]
update CHANGES

11 years agoprepare for next version
Dr. Stephen Henson [Mon, 11 Feb 2013 16:14:11 +0000 (16:14 +0000)]
prepare for next version

11 years agouse 10240 for record size OpenSSL_1_0_1e
Dr. Stephen Henson [Mon, 11 Feb 2013 15:15:58 +0000 (15:15 +0000)]
use 10240 for record size

Workaround for non-compliant tar files sometimes created by "make dist".

11 years agoprepare for release
Dr. Stephen Henson [Mon, 11 Feb 2013 11:57:46 +0000 (11:57 +0000)]
prepare for release