Ben Laurie [Sun, 13 Nov 2011 20:19:21 +0000 (20:19 +0000)]
Fix one of the no-tlsext build errors (there are more).
Dr. Stephen Henson [Sun, 13 Nov 2011 13:13:14 +0000 (13:13 +0000)]
PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve
Document unknown_psk_identify alert, remove pre-RFC 5054 string from
ssl_stat.c
Andy Polyakov [Tue, 8 Nov 2011 21:28:14 +0000 (21:28 +0000)]
x86cpuid.pl: compensate for imaginary virtual machines [from HEAD].
PR: 2633
Andy Polyakov [Sat, 5 Nov 2011 10:44:25 +0000 (10:44 +0000)]
x86cpuid.pl: don't punish "last-year" OSes on "this-year" CPUs.
PR: 2633
Andy Polyakov [Sat, 5 Nov 2011 10:16:30 +0000 (10:16 +0000)]
ppc.pl: fix bug in bn_mul_comba4 [from HEAD].
PR: 2636
Submitted by: Charles Bryant
Richard Levitte [Sun, 30 Oct 2011 11:45:30 +0000 (11:45 +0000)]
Add missing algorithms to disable, and in particular, disable
EC_NISTP_64_GCC_128 by default, as GCC isn't currently supported on
VMS. Add CMAC to the modules to build, and synchronise with Unix.
Richard Levitte [Sun, 30 Oct 2011 11:40:56 +0000 (11:40 +0000)]
Teach mkshared.com to have a look for disabled algorithms in opensslconf.h
Dr. Stephen Henson [Thu, 27 Oct 2011 13:06:43 +0000 (13:06 +0000)]
PR: 2628
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Send alert instead of assertion failure for incorrectly formatted DTLS
fragments.
Dr. Stephen Henson [Thu, 27 Oct 2011 13:01:20 +0000 (13:01 +0000)]
PR: 2628
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Fix for ECC keys and DTLS.
Dr. Stephen Henson [Wed, 26 Oct 2011 16:43:23 +0000 (16:43 +0000)]
PR: 2632
Submitted by: emmanuel.azencot@bull.net
Reviewed by: steve
Return -1 immediately if not affine coordinates as BN_CTX has not been
set up.
Dr. Stephen Henson [Tue, 25 Oct 2011 12:52:47 +0000 (12:52 +0000)]
Use correct tag for SRP username.
Dr. Stephen Henson [Fri, 21 Oct 2011 13:04:27 +0000 (13:04 +0000)]
Update error codes for FIPS.
Add support for authentication in FIPS_mode_set().
Dr. Stephen Henson [Fri, 21 Oct 2011 12:53:07 +0000 (12:53 +0000)]
Recognise new ECC option (from HEAD).
Bodo Möller [Wed, 19 Oct 2011 15:24:44 +0000 (15:24 +0000)]
"make update"
Bodo Möller [Wed, 19 Oct 2011 14:58:59 +0000 (14:58 +0000)]
BN_BLINDING multi-threading fix.
Submitted by: Emilia Kasper (Google)
Bodo Möller [Wed, 19 Oct 2011 09:24:05 +0000 (09:24 +0000)]
Fix indentation
Bodo Möller [Wed, 19 Oct 2011 08:58:35 +0000 (08:58 +0000)]
Fix warnings.
Also, use the common Configure mechanism for enabling/disabling the 64-bit ECC code.
Bodo Möller [Tue, 18 Oct 2011 19:43:54 +0000 (19:43 +0000)]
Improve optional 64-bit NIST-P224 implementation, and add NIST-P256 and
NIST-P521. (Now -DEC_NISTP_64_GCC_128 enables all three of these;
-DEC_NISTP224_64_GCC_128 no longer works.)
Submitted by: Google Inc.
Dr. Stephen Henson [Sat, 15 Oct 2011 13:22:26 +0000 (13:22 +0000)]
Recognise no-rsax option.
Andy Polyakov [Fri, 14 Oct 2011 09:34:14 +0000 (09:34 +0000)]
e_aes.c: fix bug in aesni_gcm_tls_cipher [in HEAD].
Andy Polyakov [Fri, 14 Oct 2011 09:21:03 +0000 (09:21 +0000)]
aesni-x86[_64].pl: pull from HEAD.
Bodo Möller [Thu, 13 Oct 2011 15:07:05 +0000 (15:07 +0000)]
use -no_ecdhe when using -no_dhe
Bodo Möller [Thu, 13 Oct 2011 13:42:29 +0000 (13:42 +0000)]
Make CTR mode behaviour consistent with other modes:
clear ctx->num in EVP_CipherInit_ex
Submitted by: Emilia Kasper
Bodo Möller [Thu, 13 Oct 2011 13:25:03 +0000 (13:25 +0000)]
Clarify warning
Bodo Möller [Thu, 13 Oct 2011 13:05:35 +0000 (13:05 +0000)]
In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
Submitted by: Bob Buckholz <bbuckholz@google.com>
Dr. Stephen Henson [Thu, 13 Oct 2011 11:43:44 +0000 (11:43 +0000)]
For now disable RSAX ENGINE for FIPS builds: it sets a non-FIPS RSA
method which stops FIPS mode working.
Dr. Stephen Henson [Wed, 12 Oct 2011 21:55:42 +0000 (21:55 +0000)]
increase test RSA key size to 1024 bits
Dr. Stephen Henson [Tue, 11 Oct 2011 18:16:02 +0000 (18:16 +0000)]
update pkey method initialisation and copy
Dr. Stephen Henson [Mon, 10 Oct 2011 22:33:50 +0000 (22:33 +0000)]
Backport ossl_ssize_t type from HEAD.
Dr. Stephen Henson [Mon, 10 Oct 2011 20:34:17 +0000 (20:34 +0000)]
def_rsa_finish not used anymore.
Dr. Stephen Henson [Mon, 10 Oct 2011 14:09:05 +0000 (14:09 +0000)]
fix leak properly this time...
Dr. Stephen Henson [Mon, 10 Oct 2011 12:56:11 +0000 (12:56 +0000)]
add GCM ciphers in SSL_library_init
Dr. Stephen Henson [Mon, 10 Oct 2011 12:40:13 +0000 (12:40 +0000)]
disable GCM if not available
Dr. Stephen Henson [Mon, 10 Oct 2011 00:27:52 +0000 (00:27 +0000)]
Add some entries for 1.0.1 in NEWS.
Dr. Stephen Henson [Mon, 10 Oct 2011 00:23:14 +0000 (00:23 +0000)]
sync NEWS with 1.0.0 branch
Dr. Stephen Henson [Sun, 9 Oct 2011 23:28:25 +0000 (23:28 +0000)]
Don't disable TLS v1.2 by default any more.
Dr. Stephen Henson [Sun, 9 Oct 2011 23:14:20 +0000 (23:14 +0000)]
Update ordinals.
Dr. Stephen Henson [Sun, 9 Oct 2011 23:13:50 +0000 (23:13 +0000)]
Backport PSS signature support from HEAD.
Dr. Stephen Henson [Sun, 9 Oct 2011 23:11:09 +0000 (23:11 +0000)]
fix CHANGES entry
Dr. Stephen Henson [Sun, 9 Oct 2011 23:09:22 +0000 (23:09 +0000)]
fix memory leaks
Dr. Stephen Henson [Sun, 9 Oct 2011 16:04:17 +0000 (16:04 +0000)]
Fix memory leak. From HEAD.
Dr. Stephen Henson [Sun, 9 Oct 2011 15:28:52 +0000 (15:28 +0000)]
Update ordinals.
Dr. Stephen Henson [Sun, 9 Oct 2011 15:28:02 +0000 (15:28 +0000)]
Backport of password based CMS support from HEAD.
Dr. Stephen Henson [Sun, 9 Oct 2011 00:56:43 +0000 (00:56 +0000)]
PR: 2482
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve
Don't allow inverted ranges in RFC3779 code, discovered by Frank Ellermann.
Dr. Stephen Henson [Fri, 7 Oct 2011 15:07:36 +0000 (15:07 +0000)]
use client version when eliminating TLS v1.2 ciphersuites in client hello
Dr. Stephen Henson [Thu, 6 Oct 2011 20:45:08 +0000 (20:45 +0000)]
? crypto/aes/aes-armv4.S
? crypto/aes/aesni-sha1-x86_64.s
? crypto/aes/aesni-x86_64.s
? crypto/aes/foo.pl
? crypto/aes/vpaes-x86_64.s
? crypto/bn/.bn_lib.c.swp
? crypto/bn/armv4-gf2m.S
? crypto/bn/diffs
? crypto/bn/modexp512-x86_64.s
? crypto/bn/x86_64-gf2m.s
? crypto/bn/x86_64-mont5.s
? crypto/ec/bc.txt
? crypto/ec/diffs
? crypto/modes/a.out
? crypto/modes/diffs
? crypto/modes/ghash-armv4.S
? crypto/modes/ghash-x86_64.s
? crypto/modes/op.h
? crypto/modes/tst.c
? crypto/modes/x.h
? crypto/objects/.obj_xref.txt.swp
? crypto/rand/diffs
? crypto/sha/sha-512
? crypto/sha/sha1-armv4-large.S
? crypto/sha/sha256-armv4.S
? crypto/sha/sha512-armv4.S
Index: crypto/objects/obj_xref.c
===================================================================
RCS file: /v/openssl/cvs/openssl/crypto/objects/obj_xref.c,v
retrieving revision 1.9
diff -u -r1.9 obj_xref.c
--- crypto/objects/obj_xref.c 5 Nov 2008 18:38:58 -0000 1.9
+++ crypto/objects/obj_xref.c 6 Oct 2011 20:30:21 -0000
@@ -110,8 +110,10 @@
#endif
if (rv == NULL)
return 0;
- *pdig_nid = rv->hash_id;
- *ppkey_nid = rv->pkey_id;
+ if (pdig_nid)
+ *pdig_nid = rv->hash_id;
+ if (ppkey_nid)
+ *ppkey_nid = rv->pkey_id;
return 1;
}
@@ -144,7 +146,8 @@
#endif
if (rv == NULL)
return 0;
- *psignid = (*rv)->sign_id;
+ if (psignid)
+ *psignid = (*rv)->sign_id;
return 1;
}
Index: crypto/x509/x509type.c
===================================================================
RCS file: /v/openssl/cvs/openssl/crypto/x509/x509type.c,v
retrieving revision 1.10
diff -u -r1.10 x509type.c
--- crypto/x509/x509type.c 26 Oct 2007 12:06:33 -0000 1.10
+++ crypto/x509/x509type.c 6 Oct 2011 20:36:04 -0000
@@ -100,20 +100,26 @@
break;
}
- i=X509_get_signature_type(x);
- switch (i)
+ i=OBJ_obj2nid(x->sig_alg->algorithm);
+ if (i && OBJ_find_sigid_algs(i, NULL, &i))
{
- case EVP_PKEY_RSA:
- ret|=EVP_PKS_RSA;
- break;
- case EVP_PKEY_DSA:
- ret|=EVP_PKS_DSA;
- break;
- case EVP_PKEY_EC:
- ret|=EVP_PKS_EC;
- break;
- default:
- break;
+
+ switch (i)
+ {
+ case NID_rsaEncryption:
+ case NID_rsa:
+ ret|=EVP_PKS_RSA;
+ break;
+ case NID_dsa:
+ case NID_dsa_2:
+ ret|=EVP_PKS_DSA;
+ break;
+ case NID_X9_62_id_ecPublicKey:
+ ret|=EVP_PKS_EC;
+ break;
+ default:
+ break;
+ }
}
if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
Dr. Stephen Henson [Mon, 26 Sep 2011 17:04:41 +0000 (17:04 +0000)]
fix signed/unsigned warning
Dr. Stephen Henson [Sat, 24 Sep 2011 23:06:35 +0000 (23:06 +0000)]
make sure eivlen is initialised
Dr. Stephen Henson [Fri, 23 Sep 2011 21:48:50 +0000 (21:48 +0000)]
use keyformat for -x509toreq, don't hard code PEM
Dr. Stephen Henson [Fri, 23 Sep 2011 13:39:35 +0000 (13:39 +0000)]
PR: 2606
Submitted by: Christoph Viethen <cv@kawo2.rwth-aachen.de>
Reviewed by: steve
Handle timezones correctly in UTCTime.
Dr. Stephen Henson [Fri, 23 Sep 2011 13:35:05 +0000 (13:35 +0000)]
PR: 2602
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Fix DTLS bug which prevents manual MTU setting
Dr. Stephen Henson [Fri, 23 Sep 2011 13:12:41 +0000 (13:12 +0000)]
PR: 2347
Submitted by: Tomas Mraz <tmraz@redhat.com>
Reviewed by: steve
Fix usage message.
Dr. Stephen Henson [Fri, 16 Sep 2011 23:15:22 +0000 (23:15 +0000)]
make depend
Dr. Stephen Henson [Fri, 16 Sep 2011 23:12:34 +0000 (23:12 +0000)]
Improved error checking for DRBG calls.
New functionality to allow default DRBG type to be set during compilation or during runtime.
Dr. Stephen Henson [Fri, 16 Sep 2011 23:08:57 +0000 (23:08 +0000)]
Improved error checking for DRBG calls.
New functionality to allow default DRBG type to be set during compilation
or during runtime.
Dr. Stephen Henson [Fri, 16 Sep 2011 23:04:07 +0000 (23:04 +0000)]
Typo.
Dr. Stephen Henson [Sat, 10 Sep 2011 21:18:37 +0000 (21:18 +0000)]
Fix warnings (from HEAD).
Dr. Stephen Henson [Tue, 6 Sep 2011 15:14:41 +0000 (15:14 +0000)]
Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
produce an error (CVE-2011-3207)
Andy Polyakov [Mon, 5 Sep 2011 16:33:48 +0000 (16:33 +0000)]
config: don't add -Wa options with no-asm [from HEAD].
Bodo Möller [Mon, 5 Sep 2011 13:43:53 +0000 (13:43 +0000)]
oops
Bodo Möller [Mon, 5 Sep 2011 13:36:55 +0000 (13:36 +0000)]
Fix session handling.
Bodo Möller [Mon, 5 Sep 2011 13:31:07 +0000 (13:31 +0000)]
Fix d2i_SSL_SESSION.
Bodo Möller [Mon, 5 Sep 2011 10:25:27 +0000 (10:25 +0000)]
(EC)DH memory handling fixes.
Submitted by: Adam Langley
Bodo Möller [Mon, 5 Sep 2011 09:57:15 +0000 (09:57 +0000)]
Fix memory leak on bad inputs.
Bodo Möller [Mon, 5 Sep 2011 09:44:54 +0000 (09:44 +0000)]
make update
Bodo Möller [Mon, 5 Sep 2011 09:43:56 +0000 (09:43 +0000)]
Fix expected DEFFLAG for default config.
Bodo Möller [Mon, 5 Sep 2011 09:42:55 +0000 (09:42 +0000)]
Fix error codes.
Dr. Stephen Henson [Fri, 2 Sep 2011 11:28:18 +0000 (11:28 +0000)]
Don't use *from++ in tolower as this is implemented as a macro on some
platforms. Thanks to Shayne Murray <Shayne.Murray@Polycom.com> for
reporting this issue.
Dr. Stephen Henson [Fri, 2 Sep 2011 11:20:32 +0000 (11:20 +0000)]
PR: 2576
Submitted by: Doug Goldstein <cardoe@gentoo.org>
Reviewed by: steve
Include header file stdlib.h which is needed on some platforms to get
getenv() declaration.
Dr. Stephen Henson [Thu, 1 Sep 2011 15:01:55 +0000 (15:01 +0000)]
PR: 2340
Submitted by: "Mauro H. Leggieri" <mxmauro@caiman.com.ar>
Reviewed by: steve
Stop warnings if OPENSSL_NO_DGRAM is defined.
Dr. Stephen Henson [Thu, 1 Sep 2011 14:23:22 +0000 (14:23 +0000)]
make timing attack protection unconditional
Dr. Stephen Henson [Thu, 1 Sep 2011 14:02:14 +0000 (14:02 +0000)]
PR: 2573
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Fix DTLS buffering and decryption bug.
Dr. Stephen Henson [Thu, 1 Sep 2011 13:52:38 +0000 (13:52 +0000)]
PR: 2589
Submitted by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed by: steve
Initialise p pointer.
Dr. Stephen Henson [Thu, 1 Sep 2011 13:49:08 +0000 (13:49 +0000)]
PR: 2588
Submitted by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed by: steve
Close file pointer.
Dr. Stephen Henson [Thu, 1 Sep 2011 13:45:35 +0000 (13:45 +0000)]
PR: 2586
Submitted by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed by: steve
Zero structure fields properly.
Dr. Stephen Henson [Thu, 1 Sep 2011 13:37:28 +0000 (13:37 +0000)]
PR: 2586
Submitted by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed by: steve
Fix brace mismatch.
Dr. Stephen Henson [Fri, 26 Aug 2011 10:45:17 +0000 (10:45 +0000)]
Update ordinals.
Andy Polyakov [Tue, 23 Aug 2011 20:53:34 +0000 (20:53 +0000)]
Add RC4-MD5 and AESNI-SHA1 "stitched" implementations [from HEAD].
Andy Polyakov [Mon, 22 Aug 2011 19:01:41 +0000 (19:01 +0000)]
eng_rsax.c: improve portability [from HEAD].
Andy Polyakov [Fri, 19 Aug 2011 06:31:27 +0000 (06:31 +0000)]
modexp512-x86_64.pl: make it work with ml64 [from HEAD].
Dr. Stephen Henson [Sun, 14 Aug 2011 13:47:30 +0000 (13:47 +0000)]
Remove hard coded ecdsaWithSHA1 hack in ssl routines and check for RSA
using OBJ xref utilities instead of string comparison with OID name.
This removes the arbitrary restriction on using SHA1 only with some ECC
ciphersuites.
Andy Polyakov [Sun, 14 Aug 2011 08:38:04 +0000 (08:38 +0000)]
eng_rsax.c: make it work on Win64.
Andy Polyakov [Sun, 14 Aug 2011 08:31:14 +0000 (08:31 +0000)]
eng_rdrand.c: make it link in './config 386' case [from HEAD].
Andy Polyakov [Fri, 12 Aug 2011 21:25:23 +0000 (21:25 +0000)]
x86_64-xlate.pl: fix movzw [from HEAD].
Andy Polyakov [Fri, 12 Aug 2011 12:31:08 +0000 (12:31 +0000)]
Alpha assembler fixed from HEAD.
PR: 2577
Dr. Stephen Henson [Thu, 11 Aug 2011 23:06:37 +0000 (23:06 +0000)]
aesni TLS GCM support
Dr. Stephen Henson [Thu, 11 Aug 2011 22:52:06 +0000 (22:52 +0000)]
Sync EVP AES modes from HEAD.
Dr. Stephen Henson [Thu, 11 Aug 2011 22:51:37 +0000 (22:51 +0000)]
Add XTS OIDs from HEAD.
Dr. Stephen Henson [Thu, 11 Aug 2011 22:36:19 +0000 (22:36 +0000)]
Sync ASM/modes to add CCM and XTS modes and assembly language optimisation
(from HEAD, original by Andy).
Dr. Stephen Henson [Thu, 11 Aug 2011 21:12:01 +0000 (21:12 +0000)]
prevent compilation errors and warnings
Andy Polyakov [Wed, 10 Aug 2011 18:53:13 +0000 (18:53 +0000)]
Add provisory support for RDRAND [from HEAD].
Dr. Stephen Henson [Thu, 4 Aug 2011 11:13:28 +0000 (11:13 +0000)]
Backport GCM support from HEAD.
Dr. Stephen Henson [Thu, 4 Aug 2011 11:12:38 +0000 (11:12 +0000)]
Backport GCM support from HEAD. Minimal support at present: no assembly
language optimisation. [original by Andy]
Dr. Stephen Henson [Wed, 3 Aug 2011 16:40:14 +0000 (16:40 +0000)]
fix memory leak
Dr. Stephen Henson [Thu, 28 Jul 2011 14:42:53 +0000 (14:42 +0000)]
recognise ecdsaWithSHA1 OID
Dr. Stephen Henson [Mon, 25 Jul 2011 23:45:49 +0000 (23:45 +0000)]
Disable rsax for Windows: it doesn't currently work.
Dr. Stephen Henson [Mon, 25 Jul 2011 21:45:17 +0000 (21:45 +0000)]
Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support and
prohibit use of these ciphersuites for TLS < 1.2
Andy Polyakov [Thu, 21 Jul 2011 19:22:57 +0000 (19:22 +0000)]
Back-port TLS AEAD framework [from HEAD].
Dr. Stephen Henson [Thu, 21 Jul 2011 13:45:17 +0000 (13:45 +0000)]
stop warnings
Andy Polyakov [Wed, 20 Jul 2011 21:51:33 +0000 (21:51 +0000)]
Add RSAX builtin engine [from HEAD].