* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0f was released on Jan 4th, 2012.
+OpenSSL 1.0.1 was released on Mar 14th, 2012.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
+
+ o TLS/DTLS heartbeat support.
+ o SCTP support.
+ o RFC 5705 TLS key material exporter.
+ o RFC 5764 DTLS-SRTP negotiation.
+ o Next Protocol Negotiation.
+ o PSS signatures in certificates, requests and CRLs.
+ o Support for password based recipient info for CMS.
+ o Support TLS v1.2 and TLS v1.1.
+ o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
+ o SRP support.
+
Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h:
o Fix for CMS/PKCS#7 MMA CVE-2012-0884
#endif
con=SSL_new(ctx);
+#if 0
+{
+int curves[3];
+int rv;
+curves[0] = EC_curve_nist2nid("P-256");
+curves[1] = EC_curve_nist2nid("P-521");
+curves[2] = EC_curve_nist2nid("P-384");
+rv = SSL_set1_curvelist(con, curves, sizeof(curves)/sizeof(int));
+if (rv == 0)
+ {
+ fprintf(stderr, "Error setting curve list\n");
+ exit(1);
+ }
+}
+#endif
if (sess_in)
{
SSL_SESSION *sess;
return (int)clistlen;
}
+ case SSL_CTRL_SET_CURVELIST:
+ {
+ int *nid_list = parg;
+ size_t nid_listlen = larg, i;
+ unsigned char *clist, *p;
+ /* Bitmap of curves included to detect duplicates: only works
+ * while curve ids < 32
+ */
+ unsigned long dup_list = 0;
+ clist = OPENSSL_malloc(nid_listlen * 2);
+ for (i = 0, p = clist; i < nid_listlen; i++)
+ {
+ unsigned long idmask;
+ int id;
+ id = tls1_ec_nid2curve_id(nid_list[i]);
+ idmask = 1L << id;
+ if (!id || (dup_list & idmask))
+ {
+ OPENSSL_free(clist);
+ return 0;
+ }
+ dup_list |= idmask;
+ s2n(id, p);
+ }
+ if (s->tlsext_ellipticcurvelist)
+ OPENSSL_free(s->tlsext_ellipticcurvelist);
+ s->tlsext_ellipticcurvelist = clist;
+ s->tlsext_ellipticcurvelist_length = nid_listlen * 2;
+ return 1;
+ }
+
+ case SSL_CTRL_SHARED_CURVES:
+ {
+ unsigned long mask = 0;
+ unsigned char *pmask, *pref;
+ size_t pmasklen, preflen, i;
+ int nmatch = 0;
+ /* Must be server */
+ if (!s->server)
+ return 0;
+ /* No curves if client didn't sent supported curves extension */
+ if (!s->session->tlsext_ellipticcurvelist)
+ return 0;
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ pref = s->tlsext_ellipticcurvelist;
+ preflen = s->tlsext_ellipticcurvelist_length;
+ pmask = s->session->tlsext_ellipticcurvelist;
+ pmasklen = s->session->tlsext_ellipticcurvelist_length;
+ }
+ else
+ {
+ pref = s->session->tlsext_ellipticcurvelist;
+ preflen = s->session->tlsext_ellipticcurvelist_length;
+ pmask = s->tlsext_ellipticcurvelist;
+ pmasklen = s->tlsext_ellipticcurvelist_length;
+ }
+ /* Build a mask of supported curves */
+ for (i = 0; i < pmasklen; i+=2, pmask+=2)
+ {
+ /* Skip any curves that wont fit in mask */
+ if (pmask[0] || (pmask[1] > 31))
+ continue;
+ mask |= 1L << pmask[1];
+ }
+ /* Check preference order against mask */
+ for (i = 0; i < preflen; i+=2, pref+=2)
+ {
+ if (pref[0] || (pref[1] > 30))
+ continue;
+ /* Search for matching curves in preference order */
+ if (mask & (1L << pref[1]))
+ {
+ int id = tls1_ec_curve_id2nid(pref[1]);
+ if (id && parg && nmatch == larg)
+ {
+ *((int *)parg) = id;
+ return 1;
+ }
+ nmatch++;
+ }
+ }
+ if (parg)
+ return 0;
+ return nmatch;
+
+ }
+
default:
break;
}
#define SSL_CTRL_CHAIN_CERT 89
#define SSL_CTRL_GET_CURVELIST 90
+#define SSL_CTRL_SET_CURVELIST 91
+#define SSL_CTRL_SHARED_CURVES 92
#define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509)
#define SSL_get1_curvelist(ctx, s) \
SSL_ctrl(ctx,SSL_CTRL_GET_CURVELIST,0,(char *)s)
+#define SSL_set1_curvelist(ctx, clist, clistlen) \
+ SSL_ctrl(ctx,SSL_CTRL_SET_CURVELIST,clistlen,(char *)clist)
#ifndef OPENSSL_NO_BIO
s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
- if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
- s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
- if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
+ if (s->tlsext_ellipticcurvelist == NULL)
{
+ unsigned char *clist;
+ size_t clistlen;
s->tlsext_ellipticcurvelist_length = 0;
- SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
- return -1;
- }
- for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
- sizeof(pref_list)/sizeof(pref_list[0]); i++)
- {
- int id = tls1_ec_nid2curve_id(pref_list[i]);
- s2n(id,j);
- }
+ clistlen = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
+ clist = OPENSSL_malloc(clistlen);
+ if (!clist)
+ {
+ SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
+ return -1;
+ }
+ for (i = 0, j = clist; i < (int)clistlen/2; i++)
+ {
+ int id = tls1_ec_nid2curve_id(pref_list[i]);
+ s2n(id,j);
+ }
+ s->tlsext_ellipticcurvelist = clist;
+ s->tlsext_ellipticcurvelist_length = clistlen;
+ }
}
#endif /* OPENSSL_NO_EC */
projects / openssl.git / commitdiff