Eric Young [Wed, 2 Apr 2014 18:50:33 +0000 (19:50 +0100)]
Fix base64 decoding bug.
A short PEM encoded sequence if passed to the BIO, and the file
had 2 \n following would fail.
PR#3289
(cherry picked from commit
10378fb5f4c67270b800e8f7c600cd0548874811)
Dr. Stephen Henson [Wed, 12 Mar 2014 14:43:52 +0000 (14:43 +0000)]
update NEWS
Dr. Stephen Henson [Wed, 12 Mar 2014 14:35:54 +0000 (14:35 +0000)]
Update ordinals.
Use a previously unused value as we will be updating multiple released
branches.
(cherry picked from commit
0737acd2a8cc688902b5151cab5dc6737b82fb96)
Dr. Stephen Henson [Wed, 12 Mar 2014 14:16:19 +0000 (14:16 +0000)]
Fix for CVE-2014-0076
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
(cherry picked from commit
2198be3483259de374f91e57d247d0fc667aef29)
Conflicts:
CHANGES
Dr. Stephen Henson [Mon, 10 Mar 2014 15:45:30 +0000 (15:45 +0000)]
Dr. Stephen Henson [Fri, 7 Mar 2014 19:04:45 +0000 (19:04 +0000)]
Remove -WX option from debug-VC-WIN32
Andy Polyakov [Fri, 7 Mar 2014 10:02:25 +0000 (11:02 +0100)]
engines/ccgost/gosthash.c: simplify and avoid SEGV.
PR: 3275
(cherry picked from commit
ea38f020492042bc1d1adc26ef197b0b9cadf968)
Andy Polyakov [Thu, 27 Feb 2014 11:35:02 +0000 (12:35 +0100)]
Makefile.org: mask touch's exit code
[but don't let it mask make's].
PR: 3269
(cherry picked from commit
2f34088e5e9ff02ad20df50571073abac04f1431)
Dr. Stephen Henson [Wed, 26 Feb 2014 15:28:20 +0000 (15:28 +0000)]
Fix for WIN32 builds with KRB5
(cherry picked from commit
3eddd1706a30cdf3dc9278692d8ee9038eac8a0d)
Andy Polyakov [Tue, 25 Feb 2014 21:21:54 +0000 (22:21 +0100)]
ssl/t1_enc.c: check EVP_MD_CTX_copy return value.
PR: 3201
(cherry picked from commit
03da57fe14f2de5bde9d4496a2ae9a4ae8879f88)
Dr. Stephen Henson [Tue, 25 Feb 2014 14:27:18 +0000 (14:27 +0000)]
update NEWS
Dr. Stephen Henson [Tue, 25 Feb 2014 12:11:22 +0000 (12:11 +0000)]
Avoid Windows 8 Getversion deprecated errors.
Windows 8 SDKs complain that GetVersion() is deprecated.
We only use GetVersion like this:
(GetVersion() < 0x80000000)
which checks if the Windows version is NT based. Use a macro check_winnt()
which uses GetVersion() on older SDK versions and true otherwise.
(cherry picked from commit
a4cc3c8041104896d51ae12ef7b678c31808ce52)
Andy Polyakov [Mon, 24 Feb 2014 18:29:49 +0000 (19:29 +0100)]
ms/do_win64a.bat: forward to NUL, not NUL:.
Allegedly formwarding to NUL: sometimes creates NUL file in file
system.
PR: 3250
(cherry picked from commit
63aff3001ef6ba2ac376cd3f237fb0d0b3e77f30)
Andy Polyakov [Mon, 24 Feb 2014 15:54:10 +0000 (16:54 +0100)]
BC-32.pl: pre-1.0.2-specific refresh for Borland C.
PR: 3251
Suggested by: Thorsten Schöning
Andy Polyakov [Mon, 24 Feb 2014 15:42:40 +0000 (16:42 +0100)]
BC-32.pl: refresh Borland C support.
PR: 3251
Suggested by: Thorsten Schöning
(cherry picked from commit
779c51c6446f384c2f2a7bd5cc4c3e0366baf628)
Andy Polyakov [Mon, 24 Feb 2014 14:16:56 +0000 (15:16 +0100)]
x509/by_dir.c: fix run-away pointer (and potential SEGV)
when adding duplicates in add_cert_dir.
PR: 3261
Reported by: Marian Done
(cherry picked from commit
758954e0d8232d370ed72b7f86640e40443e1778)
Dr. Stephen Henson [Sat, 15 Feb 2014 17:16:19 +0000 (17:16 +0000)]
Add /fixed flag for FIPS links where appropriate.
(cherry picked from commit
c55fef76f77aa54e85ca534785b2b19cebbe940c)
Conflicts:
util/pl/VC-32.pl
Dr. Stephen Henson [Sat, 15 Feb 2014 01:27:56 +0000 (01:27 +0000)]
Remove duplicate statement.
(cherry picked from commit
5a7652c3e585e970e5b778074c92e617e48fde38)
Kurt Roeckx [Mon, 23 Dec 2013 18:45:26 +0000 (19:45 +0100)]
Use defaults bits in req when not given
If you use "-newkey rsa" it's supposed to read the default number of bits from the
config file. However the value isn't used to generate the key, but it does
print it's generating such a key. The set_keygen_ctx() doesn't call
EVP_PKEY_CTX_set_rsa_keygen_bits() and you end up with the default set in
pkey_rsa_init() (1024). Afterwards the number of bits gets read from the config
file, but nothing is done with that anymore.
We now read the config first and use the value from the config file when no size
is given.
PR: 2592
(cherry picked from commit
3343220327664680420d4068e1fbe46d2236f1b0)
Kurt Roeckx [Mon, 23 Dec 2013 18:41:28 +0000 (19:41 +0100)]
Fix additional pod errors with numbered items.
(cherry picked from commit
e547c45f1c74e976656c042ec9d873f6eea0e756)
Scott Schaefer [Mon, 23 Dec 2013 18:28:30 +0000 (19:28 +0100)]
Fix various spelling errors
(cherry picked from commit
2b4ffc659eabec29f76821f0ac624a2b8c19e4c7)
Scott Schaefer [Mon, 23 Dec 2013 18:01:38 +0000 (19:01 +0100)]
Document pkcs12 -password behavior
apps/pkcs12.c accepts -password as an argument. The document author
almost certainly meant to write "-password, -passin".
However, that is not correct, either. Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password as equivalent to -passout.
(cherry picked from commit
856c6dfb09d69fc82ada2611c6cd792dfc60e355)
Dr. Stephen Henson [Fri, 13 Dec 2013 14:41:32 +0000 (14:41 +0000)]
Backport TLS padding extension from master.
(cherry picked from commit
8c6d8c2a498146992123ef5407d7ba01a1e7224d)
Conflicts:
CHANGES
ssl/t1_lib.c
Dr. Stephen Henson [Fri, 13 Dec 2013 14:41:32 +0000 (14:41 +0000)]
Backport TLS padding extension from master.
(cherry picked from commit
8c6d8c2a498146992123ef5407d7ba01a1e7224d)
Conflicts:
CHANGES
ssl/t1_lib.c
Dr. Stephen Henson [Mon, 3 Feb 2014 14:13:04 +0000 (14:13 +0000)]
Add quotes as CC can contain spaces.
PR#3253
(cherry picked from commit
7f6e09b5316928a9da24d2f695d1885a26dd38ec)
Dr. Stephen Henson [Wed, 29 Jan 2014 00:59:35 +0000 (00:59 +0000)]
Clarify docs.
Remove reference to ERR_TXT_MALLOCED in the error library as that is
only used internally. Indicate that returned error data must not be
freed.
(cherry picked from commit
f2d678e6e89b6508147086610e985d4e8416e867)
Dr. Stephen Henson [Tue, 28 Jan 2014 15:35:16 +0000 (15:35 +0000)]
Dr. Stephen Henson [Tue, 28 Jan 2014 15:15:26 +0000 (15:15 +0000)]
Fix demo comment: 0.9.9 never released.
(cherry picked from commit
717cc8589540b95122a652dee68e6a75b6262d93)
Dr. Stephen Henson [Tue, 28 Jan 2014 15:10:27 +0000 (15:10 +0000)]
Check i before r[i].
PR#3244
Dr. Stephen Henson [Tue, 28 Jan 2014 13:51:58 +0000 (13:51 +0000)]
Add loaded dynamic ENGINEs to list.
Always add a dynamically loaded ENGINE to list. Otherwise it can cause
problems when multiply loaded, especially if it adds new public key methods.
For all current engines we only want a single implementation anyway.
(cherry picked from commit
e933f91f50108a43c0198cdc63ecdfdbc77b4d0d)
Dr. Stephen Henson [Thu, 23 Jan 2014 18:36:33 +0000 (18:36 +0000)]
Use default digest implementation in dgst.c
Use default instead of ENGINE version of digest. Without this
errors will occur if you use an ENGINE for a private key and
it doesn't implement the digest in question.
Kaspar Brand [Thu, 16 Jan 2014 13:49:38 +0000 (13:49 +0000)]
Omit initial status request callback check.
PR#3178
Zoltan Arpadffy [Sat, 11 Jan 2014 22:42:37 +0000 (22:42 +0000)]
VMS fixes
Dr. Stephen Henson [Thu, 9 Jan 2014 22:47:22 +0000 (22:47 +0000)]
Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling.
(cherry picked from commit
8f4077ca69076cebaca51b7b666db1ed49e46b9e)
Dr. Stephen Henson [Wed, 8 Jan 2014 14:24:21 +0000 (14:24 +0000)]
Update NEWS.
Dr. Stephen Henson [Wed, 8 Jan 2014 13:39:48 +0000 (13:39 +0000)]
Update NEWS.
Dr. Stephen Henson [Wed, 8 Jan 2014 13:07:20 +0000 (13:07 +0000)]
Fix warning
PR#3220
Dr. Stephen Henson [Mon, 6 Jan 2014 15:37:02 +0000 (15:37 +0000)]
Update NEWS: removal of time in handshakes.
Dr. Stephen Henson [Mon, 6 Jan 2014 14:37:03 +0000 (14:37 +0000)]
Prepare for 1.0.1g-dev
Dr. Stephen Henson [Mon, 6 Jan 2014 14:36:07 +0000 (14:36 +0000)]
Prepare for 1.0.1f release
Dr. Stephen Henson [Mon, 6 Jan 2014 14:35:04 +0000 (14:35 +0000)]
Fix for TLS record tampering bug CVE-2013-4353
Dr. Stephen Henson [Mon, 6 Jan 2014 13:33:27 +0000 (13:33 +0000)]
make update
Dr. Stephen Henson [Sat, 4 Jan 2014 13:50:52 +0000 (13:50 +0000)]
Restore SSL_OP_MSIE_SSLV2_RSA_PADDING
The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
(cherry picked from commit
b17d6b8d1d49fa4732deff17cfd1833616af0d9c)
Dr. Stephen Henson [Thu, 2 Jan 2014 19:02:28 +0000 (19:02 +0000)]
update NEWS
Dr. Stephen Henson [Tue, 24 Dec 2013 18:17:00 +0000 (18:17 +0000)]
Don't change version number if session established
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.
Thanks to Marek Majkowski for additional analysis of this issue.
PR#3191
Dr. Stephen Henson [Wed, 11 Dec 2013 14:45:12 +0000 (14:45 +0000)]
Don't use rdrand engine as default unless explicitly requested.
(cherry picked from commit
8f68678989a198ead3ab59a698302ecb0f1c8fb1)
Dr. Stephen Henson [Fri, 20 Dec 2013 15:26:50 +0000 (15:26 +0000)]
Fix DTLS retransmission from previous session.
For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
Dr. Stephen Henson [Fri, 20 Dec 2013 15:12:26 +0000 (15:12 +0000)]
Ignore NULL parameter in EVP_MD_CTX_destroy.
Dr. Stephen Henson [Thu, 19 Dec 2013 14:37:39 +0000 (14:37 +0000)]
Use version in SSL_METHOD not SSL structure.
When deciding whether to use TLS 1.2 PRF and record hash algorithms
use the version number in the corresponding SSL_METHOD structure
instead of the SSL structure. The SSL structure version is sometimes
inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449)
Andy Polyakov [Wed, 18 Dec 2013 20:27:35 +0000 (21:27 +0100)]
sha512.c: fullfull implicit API contract in SHA512_Transform.
SHA512_Transform was initially added rather as tribute to tradition
than for practucal reasons. But use was recently found in ssl/s3_cbc.c
and it turned to be problematic on platforms that don't tolerate
misasligned references to memory and lack assembly subroutine.
(cherry picked from commit
cdd1acd788020d2c525331da1712ada778f1373c)
Dr. Stephen Henson [Sat, 14 Dec 2013 13:55:48 +0000 (13:55 +0000)]
Check EVP errors for handshake digests.
Partial mitigation of PR#3200
Dr. Stephen Henson [Tue, 10 Dec 2013 12:52:27 +0000 (12:52 +0000)]
Get FIPS checking logic right.
We need to lock when *not* in FIPS mode.
(cherry picked from commit
57c4e42d7545b51cbc00015defc81db7236dc15f)
Dr. Stephen Henson [Tue, 10 Dec 2013 00:10:53 +0000 (00:10 +0000)]
remove obsolete STATUS file
Dr. Stephen Henson [Mon, 9 Dec 2013 23:55:12 +0000 (23:55 +0000)]
Add release dates to NEWS
Dr. Stephen Henson [Sun, 8 Dec 2013 13:13:29 +0000 (13:13 +0000)]
make update
Dr. Stephen Henson [Wed, 4 Dec 2013 13:39:04 +0000 (13:39 +0000)]
Avoid multiple locks in FIPS mode.
PR: 3176.
In FIPS mode ssleay_rand_bytes is only used for PRNG seeding and is
performed in either a single threaded context (when the PRNG is first
initialised) or under a lock (reseeding). To avoid multiple locks disable
use of CRYPTO_LOCK_RAND in FIPS mode in ssleay_rand_bytes.
(cherry picked from commit
53142f72c9b9c9bad2f39ca6200a4f04f5c8001c)
Andy Polyakov [Tue, 3 Dec 2013 22:59:55 +0000 (23:59 +0100)]
bn/asm/x86_64-mont5.pl: comply with Win64 ABI.
PR: 3189
Submitted by: Oscar Ciurana
(cherry picked from commit
c5d5f5bd0fe8b2313bec844c0f80f3d49562bfa8)
Dr. Stephen Henson [Wed, 27 Nov 2013 15:35:56 +0000 (15:35 +0000)]
Simplify and update openssl.spec
Andy Polyakov [Tue, 12 Nov 2013 21:09:55 +0000 (22:09 +0100)]
srp/srp_grps.h: make it Compaq C-friendly.
PR: 3165
Submitted by: Daniel Richard G.
(cherry picked from commit
2df9ec01d563f9cc2deab07e8c3391059d476592)
(cherry picked from commit
0de70011adf6952e3b975d1a8a383879b64f3b77)
Andy Polyakov [Tue, 12 Nov 2013 20:59:01 +0000 (21:59 +0100)]
modes/asm/ghash-alpha.pl: update from HEAD.
PR: 3165
(cherry picked from commit
220d1e5353409d9af938111b22d6b58e6a42f633)
Andy Polyakov [Tue, 12 Nov 2013 20:49:15 +0000 (21:49 +0100)]
Make Makefiles OSF-make-friendly.
PR: 3165
(cherry picked from commit
d1cf23ac86c05b22b8780e2c03b67230564d2d34)
Dr. Stephen Henson [Mon, 11 Nov 2013 22:39:40 +0000 (22:39 +0000)]
Fix memory leak.
(cherry picked from commit
16bc45ba956fdf07c7cda7feda88de597569df63)
Dr. Stephen Henson [Mon, 11 Nov 2013 22:24:08 +0000 (22:24 +0000)]
Andy Polyakov [Sun, 10 Nov 2013 22:06:41 +0000 (23:06 +0100)]
Makefile.org: make FIPS build work with BSD make.
(cherry picked from commit
60adefa61025ffd7d56cf7ff8491008f783282bf)
Dr. Stephen Henson [Thu, 7 Nov 2013 15:15:20 +0000 (15:15 +0000)]
Check for missing components in RSA_check.
(cherry picked from commit
01be36ef70525e81fc358d2e559bdd0a0d9427a5)
Dr. Stephen Henson [Thu, 7 Nov 2013 17:27:07 +0000 (17:27 +0000)]
Document RSAPublicKey_{in,out} options.
(cherry picked from commit
7040d73d22987532faa503630d6616cf2788c975)
Andy Polyakov [Fri, 8 Nov 2013 22:00:35 +0000 (23:00 +0100)]
engines/ccgost/gost89.h: make word32 defintion unconditional.
Original definition depended on __LONG_MAX__ that is not guaranteed to
be present. As we don't support platforms with int narrower that 32 bits
it's appropriate to make defition inconditional.
PR: 3165
(cherry picked from commit
96180cac04591abfe50fc86096365553484bde65)
Andy Polyakov [Fri, 8 Nov 2013 21:56:44 +0000 (22:56 +0100)]
modes/asm/ghash-alpha.pl: make it work with older assembler.
PR: 3165
(cherry picked from commit
d24d1d7daf515aa19fbf18f6371e3e617028a07c)
Dr. Stephen Henson [Wed, 6 Nov 2013 14:38:28 +0000 (14:38 +0000)]
Enable PSK in FIPS mode.
Enable PSK ciphersuites with AES or DES3 in FIPS mode.
(cherry picked from commit
e0ffd129c16af90eb5e2ce54e57832c0046d1aaf)
Dr. Stephen Henson [Wed, 6 Nov 2013 13:16:50 +0000 (13:16 +0000)]
Initialise context before using it.
(cherry picked from commit
a4947e4e064d2d5bb622ac64cf13edc4a46ed196)
Ben Laurie [Sun, 3 Nov 2013 17:23:50 +0000 (17:23 +0000)]
PBKDF2 should be efficient. Contributed by Christian Heimes
<christian@python.org>.
Robin Seggelmann [Wed, 9 May 2012 17:28:41 +0000 (19:28 +0200)]
DTLS/SCTP Finished Auth Bug
PR: 2808
With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key. Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
(cherry picked from commit
9fb523adce6fd6015b68da2ca8e4ac4900ac2be2)
(cherry picked from commit
b9ef52b07897f249a9fa44943dba33fba8fb2721)
Robin Seggelmann [Wed, 9 May 2012 17:28:44 +0000 (19:28 +0200)]
DTLS/SCTP struct authchunks Bug
PR: 2809
DTLS/SCTP requires DATA and FORWARD-TSN chunks to be protected with
SCTP-AUTH. It is checked if this has been activated successfully for
the local and remote peer. Due to a bug, however, the
gauth_number_of_chunks field of the authchunks struct is missing on
FreeBSD, and was therefore not considered in the OpenSSL implementation.
This patch sets the corresponding pointer for the check correctly
whether or not this bug is present.
(cherry picked from commit
f596e3c491035fe80db5fc0c3ff6b647662b0003)
(cherry picked from commit
b8140811367f6e1ef13afa6ffe9625309c46946c)
Nick Mathewson [Sun, 20 Oct 2013 22:08:58 +0000 (15:08 -0700)]
Fix another gmt_unix_time case in server_random
Dr. Stephen Henson [Tue, 15 Oct 2013 13:15:54 +0000 (14:15 +0100)]
Don't use RSA+MD5 with TLS 1.2
Since the TLS 1.2 supported signature algorithms extension is less
sophisticaed in OpenSSL 1.0.1 this has to be done in two stages.
RSA+MD5 is removed from supported signature algorithms extension:
any compliant implementation should never use RSA+MD5 as a result.
To cover the case of a broken implementation using RSA+MD5 anyway
disable lookup of MD5 algorithm in TLS 1.2.
Ben Laurie [Sat, 19 Oct 2013 11:37:15 +0000 (12:37 +0100)]
More cleanup.
Ben Laurie [Sat, 19 Oct 2013 11:34:15 +0000 (12:34 +0100)]
Cleanup.
Ben Laurie [Sat, 19 Oct 2013 10:46:32 +0000 (11:46 +0100)]
Merge branch 'no_gmt_unix_time' of git://github.com/nmathewson/openssl into OpenSSL_1_0_1-stable
Andy Polyakov [Sun, 13 Oct 2013 11:14:52 +0000 (13:14 +0200)]
MIPS assembly pack: get rid of deprecated instructions.
Latest MIPS ISA specification declared 'branch likely' instructions
obsolete. To makes code future-proof replace them with equivalent.
(cherry picked from commit
0c2adb0a9be76da8de9bbfd5377215f71711a52e)
Andy Polyakov [Sat, 12 Oct 2013 19:47:54 +0000 (21:47 +0200)]
aes/asm/bsaes-x86_64.pl: update from master.
Performance improvement and Windows-specific bugfix (PR#3139).
(cherry picked from commit
9ed6fba2b4685ced2340feff03da5a12ed14b003)
Nick Mathewson [Wed, 9 Oct 2013 14:37:53 +0000 (10:37 -0400)]
Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
(I'd rather use an option, but it appears that the options field is
full.)
Now, we send the time in the gmt_unix_time field if the appropriate
one of these mode options is set, but randomize the field if the flag
is not set.
Nick Mathewson [Wed, 9 Oct 2013 14:28:42 +0000 (10:28 -0400)]
Refactor {client,server}_random to call an intermediate function
I'll be using this to make an option for randomizing the time.
Andy Polyakov [Thu, 3 Oct 2013 08:55:49 +0000 (10:55 +0200)]
evp/e_des3.c: fix typo with potential integer overflow on 32-bit platforms.
Submitted by: Yuriy Kaminskiy
(cherry picked from commit
524b00c0da42b129ed8622dfb3f5eab9cc5d6617)
Resolved conflicts:
crypto/evp/e_des3.c
Ben Laurie [Tue, 1 Oct 2013 13:51:04 +0000 (14:51 +0100)]
Constification.
Dr. Stephen Henson [Wed, 17 Jul 2013 13:19:40 +0000 (14:19 +0100)]
Dr. Stephen Henson [Mon, 16 Sep 2013 04:23:44 +0000 (05:23 +0100)]
Disable Dual EC DRBG.
Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.
Dr. Stephen Henson [Mon, 16 Sep 2013 05:12:00 +0000 (06:12 +0100)]
Fix warning.
Nick Mathewson [Mon, 16 Sep 2013 17:32:54 +0000 (13:32 -0400)]
Do not include a timestamp in the ServerHello Random field.
Instead, send random bytes.
Nick Mathewson [Sun, 8 Sep 2013 00:40:59 +0000 (20:40 -0400)]
Do not include a timestamp in the ClientHello Random field.
Instead, send random bytes.
While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear. This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:
* It's quite possible to open two TLS connections in one second.
* If the PRNG output is prone to repeat itself, ephemeral
* handshakes (and who knows what else besides) are broken.
Rob Stradling [Thu, 12 Sep 2013 21:05:17 +0000 (22:05 +0100)]
Update CHANGES.
Rob Stradling [Tue, 10 Sep 2013 10:06:55 +0000 (11:06 +0100)]
Tidy up comments.
Rob Stradling [Tue, 10 Sep 2013 10:03:29 +0000 (11:03 +0100)]
Use TLS version supplied by client when fingerprinting Safari.
Rob Stradling [Tue, 10 Sep 2013 10:00:57 +0000 (11:00 +0100)]
Fix compilation with no-ec and/or no-tlsext.
Rob Stradling [Mon, 9 Sep 2013 11:52:41 +0000 (12:52 +0100)]
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
Ben Laurie [Mon, 16 Sep 2013 14:05:21 +0000 (15:05 +0100)]
Remove AVX and VIS3 support.
Andy Polyakov [Sun, 19 May 2013 19:55:30 +0000 (21:55 +0200)]
gcm128.c: update from master (add AVX and VIS3 support).
Andy Polyakov [Mon, 5 Nov 2012 17:03:39 +0000 (17:03 +0000)]
crypto/modes: even more strict aliasing fixes [and fix bug in cbc128.c from
previous cbc128.c commit].
Andy Polyakov [Mon, 5 Nov 2012 10:04:02 +0000 (10:04 +0000)]
cbc128.c: fix strict aliasing warning.
Bodo Moeller [Mon, 16 Sep 2013 12:47:56 +0000 (14:47 +0200)]
Sync CHANGES and NEWS files.
Bodo Moeller [Mon, 16 Sep 2013 11:03:27 +0000 (13:03 +0200)]
Fix overly lenient comparisons:
- EC_GROUP_cmp shouldn't consider curves equal just because
the curve name is the same. (They really *should* be the same
in this case, but there's an EC_GROUP_set_curve_name API,
which could be misused.)
- EC_POINT_cmp shouldn't return 0 for ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
or EC_R_INCOMPATIBLE_OBJECTS errors because in a cmp API, 0 indicates
equality (not an error).
Reported by: king cope
(cherry picked from commit
312a46791ab465cfa3bf26764361faed0e5df014)