mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-23 18:13:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

update FAQ, NEWS

Browse Source
This commit is contained in:
Dr. Stephen Henson 2012-03-14 13:44:57 +00:00
parent 5c88dcca5b
commit 61ad8262a0
6 changed files with 139 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
FAQ
View File

@ -82,7 +82,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
OpenSSL 1.0.0f was released on Jan 4th, 2012.
OpenSSL 1.0.1 was released on Mar 14th, 2012.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:

13
NEWS
View File

@ -5,6 +5,19 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
o TLS/DTLS heartbeat support.
o SCTP support.
o RFC 5705 TLS key material exporter.
o RFC 5764 DTLS-SRTP negotiation.
o Next Protocol Negotiation.
o PSS signatures in certificates, requests and CRLs.
o Support for password based recipient info for CMS.
o Support TLS v1.2 and TLS v1.1.
o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
o SRP support.
Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h:
o Fix for CMS/PKCS#7 MMA CVE-2012-0884

15
apps/s_client.c
View File

@ -1209,6 +1209,21 @@ bad:
#endif
con=SSL_new(ctx);
#if 0
{
int curves[3];
int rv;
curves[0] = EC_curve_nist2nid("P-256");
curves[1] = EC_curve_nist2nid("P-521");
curves[2] = EC_curve_nist2nid("P-384");
rv = SSL_set1_curvelist(con, curves, sizeof(curves)/sizeof(int));
if (rv == 0)
{
fprintf(stderr, "Error setting curve list\n");
exit(1);
}
}
#endif
if (sess_in)
{
SSL_SESSION *sess;

88
ssl/s3_lib.c
View File

@ -3391,6 +3391,94 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
return (int)clistlen;
}
case SSL_CTRL_SET_CURVELIST:
{
int *nid_list = parg;
size_t nid_listlen = larg, i;
unsigned char *clist, *p;
/* Bitmap of curves included to detect duplicates: only works
* while curve ids < 32
*/
unsigned long dup_list = 0;
clist = OPENSSL_malloc(nid_listlen * 2);
for (i = 0, p = clist; i < nid_listlen; i++)
{
unsigned long idmask;
int id;
id = tls1_ec_nid2curve_id(nid_list[i]);
idmask = 1L << id;
if (!id || (dup_list & idmask))
{
OPENSSL_free(clist);
return 0;
}
dup_list |= idmask;
s2n(id, p);
}
if (s->tlsext_ellipticcurvelist)
OPENSSL_free(s->tlsext_ellipticcurvelist);
s->tlsext_ellipticcurvelist = clist;
s->tlsext_ellipticcurvelist_length = nid_listlen * 2;
return 1;
}
case SSL_CTRL_SHARED_CURVES:
{
unsigned long mask = 0;
unsigned char *pmask, *pref;
size_t pmasklen, preflen, i;
int nmatch = 0;
/* Must be server */
if (!s->server)
return 0;
/* No curves if client didn't sent supported curves extension */
if (!s->session->tlsext_ellipticcurvelist)
return 0;
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
{
pref = s->tlsext_ellipticcurvelist;
preflen = s->tlsext_ellipticcurvelist_length;
pmask = s->session->tlsext_ellipticcurvelist;
pmasklen = s->session->tlsext_ellipticcurvelist_length;
}
else
{
pref = s->session->tlsext_ellipticcurvelist;
preflen = s->session->tlsext_ellipticcurvelist_length;
pmask = s->tlsext_ellipticcurvelist;
pmasklen = s->tlsext_ellipticcurvelist_length;
}
/* Build a mask of supported curves */
for (i = 0; i < pmasklen; i+=2, pmask+=2)
{
/* Skip any curves that wont fit in mask */
if (pmask[0] || (pmask[1] > 31))
continue;
mask |= 1L << pmask[1];
}
/* Check preference order against mask */
for (i = 0; i < preflen; i+=2, pref+=2)
{
if (pref[0] || (pref[1] > 30))
continue;
/* Search for matching curves in preference order */
if (mask & (1L << pref[1]))
{
int id = tls1_ec_curve_id2nid(pref[1]);
if (id && parg && nmatch == larg)
{
*((int *)parg) = id;
return 1;
}
nmatch++;
}
}
if (parg)
return 0;
return nmatch;
}
default:
break;
}

4
ssl/ssl.h
View File

@ -1619,6 +1619,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_CHAIN_CERT 89
#define SSL_CTRL_GET_CURVELIST 90
#define SSL_CTRL_SET_CURVELIST 91
#define SSL_CTRL_SHARED_CURVES 92
#define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@ -1680,6 +1682,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509)
#define SSL_get1_curvelist(ctx, s) \
SSL_ctrl(ctx,SSL_CTRL_GET_CURVELIST,0,(char *)s)
#define SSL_set1_curvelist(ctx, clist, clistlen) \
SSL_ctrl(ctx,SSL_CTRL_SET_CURVELIST,clistlen,(char *)clist)
#ifndef OPENSSL_NO_BIO

30
ssl/t1_lib.c
View File

@ -1678,20 +1678,26 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
if (s->tlsext_ellipticcurvelist == NULL)
{
unsigned char *clist;
size_t clistlen;
s->tlsext_ellipticcurvelist_length = 0;
SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
return -1;
}
for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
sizeof(pref_list)/sizeof(pref_list[0]); i++)
{
int id = tls1_ec_nid2curve_id(pref_list[i]);
s2n(id,j);
}
clistlen = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
clist = OPENSSL_malloc(clistlen);
if (!clist)
{
SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
return -1;
}
for (i = 0, j = clist; i < (int)clistlen/2; i++)
{
int id = tls1_ec_nid2curve_id(pref_list[i]);
s2n(id,j);
}
s->tlsext_ellipticcurvelist = clist;
s->tlsext_ellipticcurvelist_length = clistlen;
}
}
#endif /* OPENSSL_NO_EC */