update FAQ, NEWS
authorDr. Stephen Henson <steve@openssl.org>
Wed, 14 Mar 2012 13:44:57 +0000 (13:44 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 14 Mar 2012 13:44:57 +0000 (13:44 +0000)
FAQ
NEWS
apps/s_client.c
ssl/s3_lib.c
ssl/ssl.h
ssl/t1_lib.c

diff --git a/FAQ b/FAQ
index 3b07cd3..b9243a6 100644 (file)
--- a/FAQ
+++ b/FAQ
@@ -82,7 +82,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0f was released on Jan 4th, 2012.
+OpenSSL 1.0.1 was released on Mar 14th, 2012.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
diff --git a/NEWS b/NEWS
index 82a6c85..a463611 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,19 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
+
+      o TLS/DTLS heartbeat support.
+      o SCTP support.
+      o RFC 5705 TLS key material exporter.
+      o RFC 5764 DTLS-SRTP negotiation.
+      o Next Protocol Negotiation.
+      o PSS signatures in certificates, requests and CRLs.
+      o Support for password based recipient info for CMS.
+      o Support TLS v1.2 and TLS v1.1.
+      o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
+      o SRP support.
+
   Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h:
 
       o Fix for CMS/PKCS#7 MMA CVE-2012-0884
index ce199be..30588cc 100644 (file)
@@ -1209,6 +1209,21 @@ bad:
 #endif
 
        con=SSL_new(ctx);
+#if 0
+{
+int curves[3];
+int rv;
+curves[0] = EC_curve_nist2nid("P-256");
+curves[1] = EC_curve_nist2nid("P-521");
+curves[2] = EC_curve_nist2nid("P-384");
+rv = SSL_set1_curvelist(con, curves, sizeof(curves)/sizeof(int));
+if (rv == 0)
+       {
+       fprintf(stderr, "Error setting curve list\n");
+       exit(1);
+       }
+}
+#endif
        if (sess_in)
                {
                SSL_SESSION *sess;
index 248bb94..e9addc4 100644 (file)
@@ -3391,6 +3391,94 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                return (int)clistlen;
                }
 
+       case SSL_CTRL_SET_CURVELIST:
+               {
+               int *nid_list = parg;
+               size_t nid_listlen = larg, i;
+               unsigned char *clist, *p;
+               /* Bitmap of curves included to detect duplicates: only works
+                * while curve ids < 32 
+                */
+               unsigned long dup_list = 0;
+               clist = OPENSSL_malloc(nid_listlen * 2);
+               for (i = 0, p = clist; i < nid_listlen; i++)
+                       {
+                       unsigned long idmask;
+                       int id;
+                       id = tls1_ec_nid2curve_id(nid_list[i]);
+                       idmask = 1L << id;
+                       if (!id || (dup_list & idmask))
+                               {
+                               OPENSSL_free(clist);
+                               return 0;
+                               }
+                       dup_list |= idmask;
+                       s2n(id, p);
+                       }
+               if (s->tlsext_ellipticcurvelist)
+                       OPENSSL_free(s->tlsext_ellipticcurvelist);
+               s->tlsext_ellipticcurvelist = clist;
+               s->tlsext_ellipticcurvelist_length = nid_listlen * 2;
+               return 1;
+               }
+
+       case SSL_CTRL_SHARED_CURVES:
+               {
+               unsigned long mask = 0;
+               unsigned char *pmask, *pref;
+               size_t pmasklen, preflen, i;
+               int nmatch = 0;
+               /* Must be server */
+               if (!s->server)
+                       return 0;
+               /* No curves if client didn't sent supported curves extension */
+               if (!s->session->tlsext_ellipticcurvelist)
+                       return 0;
+               if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+                       {
+                       pref = s->tlsext_ellipticcurvelist;
+                       preflen = s->tlsext_ellipticcurvelist_length;
+                       pmask = s->session->tlsext_ellipticcurvelist;
+                       pmasklen = s->session->tlsext_ellipticcurvelist_length;
+                       }
+               else
+                       {
+                       pref = s->session->tlsext_ellipticcurvelist;
+                       preflen = s->session->tlsext_ellipticcurvelist_length;
+                       pmask = s->tlsext_ellipticcurvelist;
+                       pmasklen = s->tlsext_ellipticcurvelist_length;
+                       }
+               /* Build a mask of supported curves */
+               for (i = 0; i < pmasklen; i+=2, pmask+=2)
+                       {
+                       /* Skip any curves that wont fit in mask */
+                       if (pmask[0] || (pmask[1] > 31))
+                               continue;
+                       mask |= 1L << pmask[1];
+                       }
+               /* Check preference order against mask */
+               for (i = 0; i < preflen; i+=2, pref+=2)
+                       {
+                       if (pref[0] || (pref[1] > 30))
+                               continue;
+                       /* Search for matching curves in preference order */
+                       if (mask & (1L << pref[1]))
+                               {
+                               int id = tls1_ec_curve_id2nid(pref[1]);
+                               if (id && parg && nmatch == larg)
+                                       {
+                                       *((int *)parg) = id;
+                                       return 1;
+                                       }
+                               nmatch++;
+                               }
+                       }
+               if (parg)
+                       return 0;
+               return nmatch;
+
+               }
+
        default:
                break;
                }
index 3e255fc..4215dda 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1619,6 +1619,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_CHAIN_CERT                    89
 
 #define SSL_CTRL_GET_CURVELIST                 90
+#define SSL_CTRL_SET_CURVELIST                 91
+#define SSL_CTRL_SHARED_CURVES                 92
 
 #define DTLSv1_get_timeout(ssl, arg) \
        SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1680,6 +1682,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
        SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509)
 #define SSL_get1_curvelist(ctx, s) \
        SSL_ctrl(ctx,SSL_CTRL_GET_CURVELIST,0,(char *)s)
+#define SSL_set1_curvelist(ctx, clist, clistlen) \
+       SSL_ctrl(ctx,SSL_CTRL_SET_CURVELIST,clistlen,(char *)clist)
 
 
 #ifndef OPENSSL_NO_BIO
index dfd397f..33c0b65 100644 (file)
@@ -1678,20 +1678,26 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
                s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
 
                /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
-               if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
-               s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
-               if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
+               if (s->tlsext_ellipticcurvelist == NULL)
                        {
+                       unsigned char *clist;
+                       size_t clistlen;
                        s->tlsext_ellipticcurvelist_length = 0;
-                       SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
-                       return -1;
-                       }
-               for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
-                               sizeof(pref_list)/sizeof(pref_list[0]); i++)
-                       {
-                       int id = tls1_ec_nid2curve_id(pref_list[i]);
-                       s2n(id,j);
-                       }
+                       clistlen = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
+                       clist = OPENSSL_malloc(clistlen);
+                       if (!clist)
+                               {
+                               SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
+                               return -1;
+                               }
+                       for (i = 0, j = clist; i < (int)clistlen/2; i++)
+                               {
+                               int id = tls1_ec_nid2curve_id(pref_list[i]);
+                               s2n(id,j);
+                               }
+                       s->tlsext_ellipticcurvelist = clist;
+                       s->tlsext_ellipticcurvelist_length = clistlen;
+                       }       
                }
 #endif /* OPENSSL_NO_EC */