Commit Graph

10771 Commits

Author SHA1 Message Date
Dr. Stephen Henson
5421196eca ABI compliance fixes.
Move new structure fields to end of structures.
2012-02-22 15:39:54 +00:00
Dr. Stephen Henson
74b4b49494 SSL export fixes (from Adam Langley) [original from 1.0.1] 2012-02-22 15:06:56 +00:00
Dr. Stephen Henson
de2b5b7439 initialise i if n == 0 2012-02-22 15:03:44 +00:00
Dr. Stephen Henson
64095ce9d7 Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
2012-02-21 14:41:13 +00:00
Dr. Stephen Henson
206310c305 Fix bug in CVE-2011-4619: check we have really received a client hello
before rejecting multiple SGC restarts.
2012-02-16 15:26:04 +00:00
Dr. Stephen Henson
5863163732 Additional compatibility fix for MDC2 signature format.
Update RSA EVP_PKEY_METHOD to use the OCTET STRING form of MDC2 signature:
this will make all versions of MDC2 signature equivalent.
2012-02-15 14:27:25 +00:00
Dr. Stephen Henson
83cb7c4635 An incompatibility has always existed between the format used for RSA
signatures and MDC2 using EVP or RSA_sign. This has become more apparent
when the dgst utility in OpenSSL 1.0.0 and later switched to using the
EVP_DigestSign functions which call RSA_sign.

This means that the signature format OpenSSL 1.0.0 and later used with
dgst -sign and MDC2 is incompatible with previous versions.

Add detection in RSA_verify so either format works.

Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.
2012-02-15 14:04:00 +00:00
Dr. Stephen Henson
04296664e0 PR: 2713
Submitted by: Tomas Mraz <tmraz@redhat.com>

Move libraries that are not needed for dynamic linking to Libs.private in
the .pc files
2012-02-12 18:47:47 +00:00
Dr. Stephen Henson
fc7dae5229 PR: 2717
Submitted by: Tim Rice <tim@multitalents.net>

Make compilation work on OpenServer 5.0.7
2012-02-11 23:41:19 +00:00
Dr. Stephen Henson
be81f4dd81 PR: 2716
Submitted by: Adam Langley <agl@google.com>

Fix handling of exporter return value and use OpenSSL indentation in
s_client, s_server.
2012-02-11 23:20:53 +00:00
Dr. Stephen Henson
e626c77808 PR: 2703
Submitted by: Alexey Melnikov <alexey.melnikov@isode.com>

Fix some memory and resource leaks in CAPI ENGINE.
2012-02-11 23:13:10 +00:00
Dr. Stephen Henson
da2a5a79ef PR: 2705
Submitted by: Alexey Melnikov <alexey.melnikov@isode.com>

Only create ex_data indices once for CAPI engine.
2012-02-11 23:08:08 +00:00
Dr. Stephen Henson
11eaec9ae4 Submitted by: Eric Rescorla <ekr@rtfm.com>
Further fixes for use_srtp extension.
2012-02-11 22:53:31 +00:00
Andy Polyakov
cbc0b0ec2d apps/s_cb.c: recognized latest TLS version. 2012-02-11 13:30:47 +00:00
Dr. Stephen Henson
1df80b6561 PR: 2704
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>

Fix srp extension.
2012-02-10 20:08:36 +00:00
Dr. Stephen Henson
3770b988c0 PR: 2710
Submitted by: Tomas Mraz <tmraz@redhat.com>

Check return codes for load_certs_crls.
2012-02-10 19:54:54 +00:00
Dr. Stephen Henson
9641be2aac PR: 2714
Submitted by: Tomas Mraz <tmraz@redhat.com>

Make no-srp work.
2012-02-10 19:43:14 +00:00
Dr. Stephen Henson
f94cfe6a12 only cleanup ctx if we need to, save ctx flags when we do 2012-02-10 16:55:17 +00:00
Dr. Stephen Henson
7951c2699f add fips blocking overrides to command line utilities 2012-02-10 16:47:40 +00:00
Dr. Stephen Henson
5997efca83 Submitted by: Eric Rescorla <ekr@rtfm.com>
Fix encoding of use_srtp extension to be compliant with RFC5764
2012-02-10 00:07:18 +00:00
Dr. Stephen Henson
57559471bf oops, revert unrelated changes 2012-02-09 15:43:58 +00:00
Dr. Stephen Henson
f4e1169341 Modify client hello version when renegotiating to enhance interop with
some servers.
2012-02-09 15:42:10 +00:00
Dr. Stephen Henson
febec8ff23 typo 2012-02-02 19:18:24 +00:00
Andy Polyakov
0208ab2e3f bn_nist.c: make new optimized code dependent on BN_LLONG. 2012-02-02 07:46:05 +00:00
Andy Polyakov
faed798c32 hpux-parisc2-*: engage assembler. 2012-02-02 07:41:29 +00:00
Dr. Stephen Henson
f71c6e52f7 Add support for distinct certificate chains per key type and per SSL
structure.

Before this the only way to add a custom chain was in the parent SSL_CTX
(which is shared by all key types and SSL structures) or rely on auto
chain building (which is performed on each handshake) from the trust store.
2012-01-31 14:00:10 +00:00
Dr. Stephen Henson
9ade64dedf code tidy 2012-01-27 14:21:38 +00:00
Dr. Stephen Henson
c526ed410c Revise ssl code to use a CERT_PKEY structure when outputting a
certificate chain instead of an X509 structure.

This makes it easier to enhance code in future and the chain
output functions have access to the CERT_PKEY structure being
used.
2012-01-26 16:00:34 +00:00
Dr. Stephen Henson
4379d0e457 Tidy/enhance certificate chain output code.
New function ssl_add_cert_chain which adds a certificate chain to
SSL internal BUF_MEM. Use this function in ssl3_output_cert_chain
and dtls1_output_cert_chain instead of partly duplicating code.
2012-01-26 15:47:32 +00:00
Dr. Stephen Henson
7568d15acd allow key agreement for SSL/TLS certificates 2012-01-26 14:57:45 +00:00
Dr. Stephen Henson
08e4ea4884 initialise dh_clnt 2012-01-26 14:37:46 +00:00
Andy Polyakov
98909c1d5b ghash-x86.pl: engage original MMX version in no-sse2 builds. 2012-01-25 17:56:08 +00:00
Dr. Stephen Henson
ccd395cbcc add example for DH certificate generation 2012-01-25 16:33:39 +00:00
Dr. Stephen Henson
0d60939515 add support for use of fixed DH client certificates 2012-01-25 14:51:49 +00:00
Dr. Stephen Henson
2ff5ac55c5 oops revert debug change 2012-01-22 13:52:39 +00:00
Dr. Stephen Henson
1db5f356f5 return error if md is NULL 2012-01-22 13:12:14 +00:00
Andy Polyakov
e6903980af x86_64-xlate.pl: proper solution for RT#2620. 2012-01-21 11:34:53 +00:00
Dr. Stephen Henson
855d29184e Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
2012-01-18 18:15:27 +00:00
Dr. Stephen Henson
ac07bc8602 fix CHANGES entry 2012-01-17 14:20:32 +00:00
Dr. Stephen Henson
8e1dc4d7ca Support for fixed DH ciphersuites.
The cipher definitions of these ciphersuites have been around since SSLeay
but were always disabled. Now OpenSSL supports DH certificates they can be
finally enabled.

Various additional changes were needed to make them work properly: many
unused fixed DH sections of code were untested.
2012-01-16 18:19:14 +00:00
Andy Polyakov
a985410d2d cryptlib.c: sscanf warning. 2012-01-15 17:13:57 +00:00
Andy Polyakov
0ecedec82d Fix OPNESSL vs. OPENSSL typos.
PR: 2613
Submitted by: Leena Heino
2012-01-15 13:39:10 +00:00
Dr. Stephen Henson
9bd20155ba fix warning 2012-01-15 13:30:41 +00:00
Andy Polyakov
5d13669a2c cryptlib.c: make even non-Windows builds "strtoull-agnostic". 2012-01-14 18:46:15 +00:00
Andy Polyakov
adb5a2694a sha512-sparcv9.pl: work around V8+ warning. 2012-01-13 09:18:05 +00:00
Andy Polyakov
23b93b587b aes-ppc.pl, sha512-ppc.pl: comply even with Embedded ABI specification
(most restrictive about r2 and r13 usage).
2012-01-13 09:16:52 +00:00
Andy Polyakov
a50bce82ec Sanitize usage of <ctype.h> functions. It's important that characters
are passed zero-extended, not sign-extended.
PR: 2682
2012-01-12 16:21:35 +00:00
Andy Polyakov
713f49119f ec_pmeth.c: fix typo in commentary.
PR: 2677
Submitted by: Annue Yousar
2012-01-12 13:22:51 +00:00
Andy Polyakov
677741f87a doc/apps: formatting fixes.
PR: 2683
Submitted by: Annie Yousar
2012-01-11 21:58:19 +00:00
Andy Polyakov
5beb93e114 speed.c: typo in pkey_print_message.
PR: 2681
Submitted by: Annie Yousar
2012-01-11 21:48:31 +00:00