oweals/openssl.git
13 years agoDon't round up partitioned premaster secret length if there is only one
Dr. Stephen Henson [Tue, 31 May 2011 10:35:22 +0000 (10:35 +0000)]
Don't round up partitioned premaster secret length if there is only one
digest in use: this caused the PRF to fail for an odd premaster secret
length.

13 years agoOutput supported curves in preference order instead of numerically.
Dr. Stephen Henson [Mon, 30 May 2011 17:58:29 +0000 (17:58 +0000)]
Output supported curves in preference order instead of numerically.

13 years agoRedirect cipher operations to FIPS module for FIPS builds.
Dr. Stephen Henson [Sun, 29 May 2011 16:18:38 +0000 (16:18 +0000)]
Redirect cipher operations to FIPS module for FIPS builds.

13 years agoUse approved API for EVP digest operations in FIPS builds.
Dr. Stephen Henson [Sun, 29 May 2011 15:55:13 +0000 (15:55 +0000)]
Use approved API for EVP digest operations in FIPS builds.

Call OPENSSL_init() in a few more places to make sure it is always called
at least once.

Initial cipher API redirection (incomplete).

13 years agoAdd default ASN1 handling to support FIPS.
Dr. Stephen Henson [Sun, 29 May 2011 02:32:05 +0000 (02:32 +0000)]
Add default ASN1 handling to support FIPS.

13 years agoRedirect digests to FIPS module for FIPS builds.
Dr. Stephen Henson [Sat, 28 May 2011 23:01:26 +0000 (23:01 +0000)]
Redirect digests to FIPS module for FIPS builds.

Use FIPS API when initialising digests.

Sync header file evp.h and error codes with HEAD for necessary FIPS
definitions.

13 years agoUse || instead of && so build doesn't fail.
Dr. Stephen Henson [Thu, 26 May 2011 22:10:28 +0000 (22:10 +0000)]
Use || instead of && so build doesn't fail.

13 years agoSupport shared library builds of FIPS capable OpenSSL, add fipscanister.o
Dr. Stephen Henson [Thu, 26 May 2011 21:23:11 +0000 (21:23 +0000)]
Support shared library builds of FIPS capable OpenSSL, add fipscanister.o
to libcrypto.a so linking to libcrypto.a works.

13 years agoMake test utility link work for fips build.
Dr. Stephen Henson [Thu, 26 May 2011 14:36:56 +0000 (14:36 +0000)]
Make test utility link work for fips build.

13 years agoThe first of many changes to make OpenSSL 1.0.1 FIPS capable.
Dr. Stephen Henson [Thu, 26 May 2011 14:19:19 +0000 (14:19 +0000)]
The first of many changes to make OpenSSL 1.0.1 FIPS capable.

Add static build support to openssl utility.

Add new "fips" option to Configure.

Make use of installed fipsld and fips_standalone_sha1

Initialise FIPS error callbacks, locking and DRBG.

Doesn't do anything much yet: no crypto is redirected to the FIPS module.

Doesn't completely build either but the openssl utility can enter FIPS mode:
which doesn't do anything much either.

13 years agoDon't advertise or use MD5 for TLS v1.2 in FIPS mode
Dr. Stephen Henson [Wed, 25 May 2011 15:33:29 +0000 (15:33 +0000)]
Don't advertise or use MD5 for TLS v1.2 in FIPS mode

13 years agoPR: 2533
Dr. Stephen Henson [Wed, 25 May 2011 15:21:01 +0000 (15:21 +0000)]
PR: 2533
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Setting SSL_MODE_RELEASE_BUFFERS should be ignored for DTLS, but instead causes
the program to crash. This is due to missing version checks and is fixed with
this patch.

13 years agoPR: 2529
Dr. Stephen Henson [Wed, 25 May 2011 15:16:01 +0000 (15:16 +0000)]
PR: 2529
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Call ssl_new() to reallocate SSL BIO internals if we want to replace
the existing internal SSL structure.

13 years agoPR: 2527
Dr. Stephen Henson [Wed, 25 May 2011 15:05:56 +0000 (15:05 +0000)]
PR: 2527
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Set cnf to NULL to avoid possible double free.

13 years agoFix the ECDSA timing attack mentioned in the paper at:
Dr. Stephen Henson [Wed, 25 May 2011 14:52:33 +0000 (14:52 +0000)]
Fix the ECDSA timing attack mentioned in the paper at:

http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.

13 years agoFix the ECDSA timing attack mentioned in the paper at:
Dr. Stephen Henson [Wed, 25 May 2011 14:42:27 +0000 (14:42 +0000)]
Fix the ECDSA timing attack mentioned in the paper at:

http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.

13 years agoOops use up to date patch for PR#2506
Dr. Stephen Henson [Wed, 25 May 2011 14:30:05 +0000 (14:30 +0000)]
Oops use up to date patch for PR#2506

13 years agoPR: 2512
Dr. Stephen Henson [Wed, 25 May 2011 12:36:59 +0000 (12:36 +0000)]
PR: 2512
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix BIO_accept so it can be bound to IPv4 or IPv6 sockets consistently.

13 years agoPR: 2506
Dr. Stephen Henson [Wed, 25 May 2011 12:28:16 +0000 (12:28 +0000)]
PR: 2506
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fully implement SSL_clear for DTLS.

13 years agoPR: 2505
Dr. Stephen Henson [Wed, 25 May 2011 12:24:43 +0000 (12:24 +0000)]
PR: 2505
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS session resumption timer bug.

13 years agouse TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with...
Dr. Stephen Henson [Wed, 25 May 2011 11:43:17 +0000 (11:43 +0000)]
use TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with DTLS

13 years agoAdd tls12_sigalgs which somehow didn't get added to the backport.
Dr. Stephen Henson [Sat, 21 May 2011 17:40:23 +0000 (17:40 +0000)]
Add tls12_sigalgs which somehow didn't get added to the backport.

13 years agoLIBOBJ contained o_fips.c, now o_fips.o.
Richard Levitte [Sat, 21 May 2011 09:17:54 +0000 (09:17 +0000)]
LIBOBJ contained o_fips.c, now o_fips.o.

13 years agoAdd server client certificate support for TLS v1.2 . This is more complex
Dr. Stephen Henson [Fri, 20 May 2011 14:58:45 +0000 (14:58 +0000)]
Add server client certificate support for TLS v1.2 . This is more complex
than client side as we need to keep the handshake record cache frozen when
it contains all the records need to process the certificate verify message.
(backport from HEAD).

13 years agoadd FIPS support to openssl utility (backport from HEAD)
Dr. Stephen Henson [Thu, 19 May 2011 18:23:24 +0000 (18:23 +0000)]
add FIPS support to openssl utility (backport from HEAD)

13 years agoadd FIPS support to ssl: doesn't do anything on this branch yet as there is no FIPS...
Dr. Stephen Henson [Thu, 19 May 2011 18:22:16 +0000 (18:22 +0000)]
add FIPS support to ssl: doesn't do anything on this branch yet as there is no FIPS compilation support

13 years agoImplement FIPS_mode and FIPS_mode_set
Dr. Stephen Henson [Thu, 19 May 2011 18:19:07 +0000 (18:19 +0000)]
Implement FIPS_mode and FIPS_mode_set

13 years agoupdate date
Dr. Stephen Henson [Thu, 19 May 2011 17:56:12 +0000 (17:56 +0000)]
update date

13 years agoinherit HMAC flags from MD_CTX
Dr. Stephen Henson [Thu, 19 May 2011 17:38:57 +0000 (17:38 +0000)]
inherit HMAC flags from MD_CTX

13 years agoset encodedPoint to NULL after freeing it
Dr. Stephen Henson [Thu, 19 May 2011 16:18:11 +0000 (16:18 +0000)]
set encodedPoint to NULL after freeing it

13 years agonew flag to stop ENGINE methods being registered
Dr. Stephen Henson [Sun, 15 May 2011 15:58:38 +0000 (15:58 +0000)]
new flag to stop ENGINE methods being registered

13 years agoRecognise and ignore no-ec-nistp224-64-gcc-128 (from HEAD).
Dr. Stephen Henson [Fri, 13 May 2011 12:46:12 +0000 (12:46 +0000)]
Recognise and ignore no-ec-nistp224-64-gcc-128 (from HEAD).

13 years agotypo
Dr. Stephen Henson [Fri, 13 May 2011 12:44:37 +0000 (12:44 +0000)]
typo

13 years agoRecognise NO_NISTP224-64-GCC-128
Dr. Stephen Henson [Fri, 13 May 2011 12:38:02 +0000 (12:38 +0000)]
Recognise NO_NISTP224-64-GCC-128

13 years agoProvisional support for TLS v1.2 client authentication: client side only.
Dr. Stephen Henson [Thu, 12 May 2011 17:49:15 +0000 (17:49 +0000)]
Provisional support for TLS v1.2 client authentication: client side only.

Parse certificate request message and set digests appropriately.

Generate new TLS v1.2 format certificate verify message.

Keep handshake caches around for longer as they are needed for client auth.

13 years agoProcess signature algorithms during TLS v1.2 client authentication.
Dr. Stephen Henson [Thu, 12 May 2011 17:44:59 +0000 (17:44 +0000)]
Process signature algorithms during TLS v1.2 client authentication.

Make sure message is long enough for signature algorithms.

(backport from HEAD).

13 years agoOoops fix typo.
Dr. Stephen Henson [Thu, 12 May 2011 13:59:04 +0000 (13:59 +0000)]
Ooops fix typo.

13 years agoSRP fixes from HEAD which weren't in 1.0.1-stable.
Dr. Stephen Henson [Thu, 12 May 2011 13:46:40 +0000 (13:46 +0000)]
SRP fixes from HEAD which weren't in 1.0.1-stable.

13 years agoAdd SSL_INTERN definition.
Dr. Stephen Henson [Thu, 12 May 2011 13:12:49 +0000 (13:12 +0000)]
Add SSL_INTERN definition.

13 years agoHave EC_NISTP224_64_GCC_128 treated like any algorithm, and have disabled by
Dr. Stephen Henson [Thu, 12 May 2011 13:10:27 +0000 (13:10 +0000)]
Have EC_NISTP224_64_GCC_128 treated like any algorithm, and have disabled by
default. If we don't do it this way, it screws up libeay.num.
(update from HEAD, original from levitte).

13 years agoOops, add missing declaration.
Dr. Stephen Henson [Thu, 12 May 2011 13:02:25 +0000 (13:02 +0000)]
Oops, add missing declaration.

13 years agoUpdate ordinals.
Dr. Stephen Henson [Wed, 11 May 2011 23:03:06 +0000 (23:03 +0000)]
Update ordinals.

13 years agomake kerberos work with OPENSSL_NO_SSL_INTERN
Dr. Stephen Henson [Wed, 11 May 2011 22:52:34 +0000 (22:52 +0000)]
make kerberos work with OPENSSL_NO_SSL_INTERN

13 years agoBackport TLS v1.2 support from HEAD.
Dr. Stephen Henson [Wed, 11 May 2011 13:37:52 +0000 (13:37 +0000)]
Backport TLS v1.2 support from HEAD.

This includes TLS v1.2 server and client support but at present
client certificate support is not implemented.

13 years agoTypo.
Dr. Stephen Henson [Wed, 11 May 2011 13:22:54 +0000 (13:22 +0000)]
Typo.

13 years agoInitial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERN
Dr. Stephen Henson [Wed, 11 May 2011 12:56:38 +0000 (12:56 +0000)]
Initial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERN
all ssl related structures are opaque and internals cannot be directly
accessed. Many applications will need some modification to support this and
most likely some additional functions added to OpenSSL.

The advantage of this option is that any application supporting it will still
be binary compatible if SSL structures change.

(backport from HEAD).

13 years agoallow SHA384, SHA512 with DSA
Dr. Stephen Henson [Sun, 8 May 2011 12:38:51 +0000 (12:38 +0000)]
allow SHA384, SHA512 with DSA

13 years agono need to include memory.h
Dr. Stephen Henson [Sat, 30 Apr 2011 23:38:05 +0000 (23:38 +0000)]
no need to include memory.h

13 years agocheck buffer is larger enough before overwriting
Dr. Stephen Henson [Wed, 6 Apr 2011 18:06:54 +0000 (18:06 +0000)]
check buffer is larger enough before overwriting

13 years agoPR: 2462
Dr. Stephen Henson [Sun, 3 Apr 2011 17:14:48 +0000 (17:14 +0000)]
PR: 2462
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS Retransmission Buffer Bug

13 years agoPR: 2458
Dr. Stephen Henson [Sun, 3 Apr 2011 16:25:54 +0000 (16:25 +0000)]
PR: 2458
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Don't change state when answering DTLS ClientHello.

13 years agoPR: 2457
Dr. Stephen Henson [Sun, 3 Apr 2011 15:48:32 +0000 (15:48 +0000)]
PR: 2457
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS fragment reassembly bug.

13 years agoCorrections to the VMS build system.
Richard Levitte [Fri, 25 Mar 2011 16:21:08 +0000 (16:21 +0000)]
Corrections to the VMS build system.
Submitted by Steven M. Schweda <sms@antinode.info>

13 years agomake some non-VMS builds work again
Dr. Stephen Henson [Fri, 25 Mar 2011 15:07:18 +0000 (15:07 +0000)]
make some non-VMS builds work again

13 years agoFor VMS, implement the possibility to choose 64-bit pointers with
Richard Levitte [Fri, 25 Mar 2011 09:39:46 +0000 (09:39 +0000)]
For VMS, implement the possibility to choose 64-bit pointers with
different options:
"64" The build system will choose /POINTER_SIZE=64=ARGV if
the compiler supports it, otherwise /POINTER_SIZE=64.
"64=" The build system will force /POINTER_SIZE=64.
"64=ARGV" The build system will force /POINTER_SIZE=64=ARGV.

13 years agomake update (1.0.1-stable)
Richard Levitte [Wed, 23 Mar 2011 00:06:04 +0000 (00:06 +0000)]
make update (1.0.1-stable)

This meant a slight renumbering in util/libeay.num due to symbols
appearing in 1.0.0-stable.  However, since there's been no release on
this branch yet, it should be harmless.

13 years ago* util/mkdef.pl: Add crypto/o_str.h and crypto/o_time.h. Maybe some
Richard Levitte [Tue, 22 Mar 2011 23:54:15 +0000 (23:54 +0000)]
* util/mkdef.pl: Add crypto/o_str.h and crypto/o_time.h.  Maybe some
  more need to be added...

13 years ago* apps/makeapps.com: Add srp.
Richard Levitte [Sun, 20 Mar 2011 17:34:06 +0000 (17:34 +0000)]
* apps/makeapps.com: Add srp.

13 years ago* apps/makeapps.com: Forgot to end the check for /POINTER_SIZE=64=ARGV
Richard Levitte [Sun, 20 Mar 2011 14:01:49 +0000 (14:01 +0000)]
* apps/makeapps.com: Forgot to end the check for /POINTER_SIZE=64=ARGV
  with turning trapping back on.
* test/maketests.com: Do the same check for /POINTER_SIZE=64=ARGV
  here.
* test/clean-test.com: A new script for cleaning up.

13 years agofile clean_test.com was added on branch OpenSSL_1_0_1-stable on 2011-03-20 14:01...
Richard Levitte [Sun, 20 Mar 2011 14:01:18 +0000 (14:01 +0000)]
file clean_test.com was added on branch OpenSSL_1_0_1-stable on 2011-03-20 14:01:48 +0000

13 years ago* apps/openssl.c: For VMS, take care of copying argv if needed much earlier,
Richard Levitte [Sun, 20 Mar 2011 13:15:37 +0000 (13:15 +0000)]
* apps/openssl.c: For VMS, take care of copying argv if needed much earlier,
  directly in main().  'if needed' also includes when argv is a 32 bit
  pointer in an otherwise 64 bit environment.
* apps/makeapps.com: When using /POINTER_SIZE=64, try to use the additional
  =ARGV, but only if it's supported.  Fortunately, DCL is very helpful
  telling us in this case.

13 years agoA few more long symbols needing shortening.
Richard Levitte [Sat, 19 Mar 2011 11:03:41 +0000 (11:03 +0000)]
A few more long symbols needing shortening.

13 years agoKeep file references in the VMS build files in the same order as they
Richard Levitte [Sat, 19 Mar 2011 10:46:21 +0000 (10:46 +0000)]
Keep file references in the VMS build files in the same order as they
are in the Unix Makefiles, and add SRP tests.

13 years agoSRP was introduced, add it for OpenVMS.
Richard Levitte [Sat, 19 Mar 2011 09:55:35 +0000 (09:55 +0000)]
SRP was introduced, add it for OpenVMS.

13 years agoA few more symbols that need shorter versions on OpenVMS.
Richard Levitte [Sat, 19 Mar 2011 09:54:47 +0000 (09:54 +0000)]
A few more symbols that need shorter versions on OpenVMS.

13 years agoChange INSTALL.VMS to reflect the changes done on the build and
Richard Levitte [Sat, 19 Mar 2011 09:48:15 +0000 (09:48 +0000)]
Change INSTALL.VMS to reflect the changes done on the build and
install scripts.  This could need some more work.

13 years agoApply all the changes submitted by Steven M. Schweda <sms@antinode.info>
Richard Levitte [Sat, 19 Mar 2011 09:47:47 +0000 (09:47 +0000)]
Apply all the changes submitted by Steven M. Schweda <sms@antinode.info>

13 years agofile install-ssl.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47...
Richard Levitte [Sat, 19 Mar 2011 09:44:39 +0000 (09:44 +0000)]
file install-ssl.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47:33 +0000

13 years agofile vms_rms.h was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47:25 +0000
Richard Levitte [Sat, 19 Mar 2011 09:44:30 +0000 (09:44 +0000)]
file vms_rms.h was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47:25 +0000

13 years agofile install-crypto.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09...
Richard Levitte [Sat, 19 Mar 2011 09:44:29 +0000 (09:44 +0000)]
file install-crypto.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47:25 +0000

13 years agofile vms_decc_init.c was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47...
Richard Levitte [Sat, 19 Mar 2011 09:44:27 +0000 (09:44 +0000)]
file vms_decc_init.c was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47:21 +0000

13 years agofile install-apps.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47...
Richard Levitte [Sat, 19 Mar 2011 09:44:26 +0000 (09:44 +0000)]
file install-apps.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47:21 +0000

13 years agofile openssl_undo.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47...
Richard Levitte [Sat, 19 Mar 2011 09:44:25 +0000 (09:44 +0000)]
file openssl_undo.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47:19 +0000

13 years agofile openssl_startup.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09...
Richard Levitte [Sat, 19 Mar 2011 09:44:24 +0000 (09:44 +0000)]
file openssl_startup.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47:19 +0000

13 years agofile install-vms.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47...
Richard Levitte [Sat, 19 Mar 2011 09:44:23 +0000 (09:44 +0000)]
file install-vms.com was added on branch OpenSSL_1_0_1-stable on 2011-03-19 09:47:19 +0000

13 years agoFix SRP error codes (from HEAD).
Dr. Stephen Henson [Wed, 16 Mar 2011 16:55:12 +0000 (16:55 +0000)]
Fix SRP error codes (from HEAD).

13 years agoAdd SRP.
Ben Laurie [Wed, 16 Mar 2011 11:26:40 +0000 (11:26 +0000)]
Add SRP.

13 years agoPR: 2469
Dr. Stephen Henson [Sun, 13 Mar 2011 18:20:23 +0000 (18:20 +0000)]
PR: 2469
Submitted by: Jim Studt <jim@studt.net>
Reviewed by: steve

Check mac is present before trying to retrieve mac iteration count.

13 years agoRemove redundant check to stop compiler warning.
Dr. Stephen Henson [Sat, 12 Mar 2011 17:05:58 +0000 (17:05 +0000)]
Remove redundant check to stop compiler warning.

13 years agoFix warning.
Ben Laurie [Sat, 12 Mar 2011 12:18:34 +0000 (12:18 +0000)]
Fix warning.

13 years agomake no-dsa work again
Dr. Stephen Henson [Thu, 10 Mar 2011 18:27:13 +0000 (18:27 +0000)]
make no-dsa work again

13 years agos390x-mont.pl: optimize for z196.
Andy Polyakov [Fri, 4 Mar 2011 13:13:04 +0000 (13:13 +0000)]
s390x-mont.pl: optimize for z196.

13 years agodso_dlfcn.c: make it work on Tru64 4.0 [from HEAD].
Andy Polyakov [Sat, 12 Feb 2011 16:47:12 +0000 (16:47 +0000)]
dso_dlfcn.c: make it work on Tru64 4.0 [from HEAD].

13 years agoSync with 1.0.0 branch.
Bodo Möller [Tue, 8 Feb 2011 19:08:32 +0000 (19:08 +0000)]
Sync with 1.0.0 branch.
(CVE-2011-0014 OCSP stapling fix has been applied to the 1.0.1 branch as well.)

13 years agoOCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)
Bodo Möller [Tue, 8 Feb 2011 17:48:41 +0000 (17:48 +0000)]
OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)

Submitted by: Neel Mehta, Adam Langley, Bodo Moeller

13 years agoSynchronize with 1.0.0 branch
Bodo Möller [Tue, 8 Feb 2011 08:48:34 +0000 (08:48 +0000)]
Synchronize with 1.0.0 branch

13 years agoadd -stripcr option to copy.pl from 0.9.8
Dr. Stephen Henson [Thu, 3 Feb 2011 14:58:02 +0000 (14:58 +0000)]
add -stripcr option to copy.pl from 0.9.8

13 years agoAssorted bugfixes:
Bodo Möller [Thu, 3 Feb 2011 12:03:57 +0000 (12:03 +0000)]
Assorted bugfixes:
- safestack macro changes for C++ were incomplete
- RLE decompression boundary case
- SSL 2.0 key arg length check

Submitted by: Google (Adam Langley, Neel Mehta, Bodo Moeller)

13 years agofix omission
Bodo Möller [Thu, 3 Feb 2011 11:19:52 +0000 (11:19 +0000)]
fix omission

13 years agoCVE-2010-4180 fix (from OpenSSL_1_0_0-stable)
Bodo Möller [Thu, 3 Feb 2011 10:42:00 +0000 (10:42 +0000)]
CVE-2010-4180 fix (from OpenSSL_1_0_0-stable)

13 years agoSince FIPS 186-3 specifies we use the leftmost bits of the digest
Dr. Stephen Henson [Tue, 1 Feb 2011 12:53:47 +0000 (12:53 +0000)]
Since FIPS 186-3 specifies we use the leftmost bits of the digest
we shouldn't reject digest lengths larger than SHA256: the FIPS
algorithm tests include SHA384 and SHA512 tests.

13 years agostop warnings about no previous prototype when compiling shared engines
Dr. Stephen Henson [Sun, 30 Jan 2011 01:55:29 +0000 (01:55 +0000)]
stop warnings about no previous prototype when compiling shared engines

13 years agoFIPS mode changes to make RNG compile (this will need updating later as we
Dr. Stephen Henson [Wed, 26 Jan 2011 14:55:23 +0000 (14:55 +0000)]
FIPS mode changes to make RNG compile (this will need updating later as we
need a whole new PRNG for FIPS).

1. avoid use of ERR_peek().

2. If compiling with FIPS use small FIPS EVP and disable ENGINE

13 years agoFIPS_allow_md5() no longer exists and is no longer required
Dr. Stephen Henson [Wed, 26 Jan 2011 12:25:51 +0000 (12:25 +0000)]
FIPS_allow_md5() no longer exists and is no longer required

13 years agoAdd rsa_crpt
Richard Levitte [Wed, 26 Jan 2011 06:32:22 +0000 (06:32 +0000)]
Add rsa_crpt

13 years agoMove RSA encryption functions to new file crypto/rsa/rsa_crpt.c to separate
Dr. Stephen Henson [Tue, 25 Jan 2011 17:43:20 +0000 (17:43 +0000)]
Move RSA encryption functions to new file crypto/rsa/rsa_crpt.c to separate
crypto and ENGINE dependencies in RSA library.

13 years agoMove BN_options function to bn_print.c to remove dependency for BIO printf
Dr. Stephen Henson [Tue, 25 Jan 2011 17:10:42 +0000 (17:10 +0000)]
Move BN_options function to bn_print.c to remove dependency for BIO printf
routines from bn_lib.c

13 years agoMove DSA_sign, DSA_verify to dsa_asn1.c and include separate versions of
Dr. Stephen Henson [Tue, 25 Jan 2011 16:55:27 +0000 (16:55 +0000)]
Move DSA_sign, DSA_verify to dsa_asn1.c and include separate versions of
DSA_SIG_new() and DSA_SIG_free() to remove ASN1 dependencies from DSA_do_sign()
and DSA_do_verify().

13 years agorecalculate DSA signature if r or s is zero (FIPS 186-3 requirement)
Dr. Stephen Henson [Tue, 25 Jan 2011 16:02:27 +0000 (16:02 +0000)]
recalculate DSA signature if r or s is zero (FIPS 186-3 requirement)

13 years agoPR: 2433
Dr. Stephen Henson [Mon, 24 Jan 2011 16:20:05 +0000 (16:20 +0000)]
PR: 2433
Submitted by: Chris Wilson <chris@qwirx.com>
Reviewed by: steve

Constify ASN1_STRING_set_default_mask_asc().