openssl.git
Dr. Stephen Henson [Mon, 21 Feb 2011 16:00:21 +0000 (16:00 +0000)]
tools and rehash not needed for fips build.

Dr. Stephen Henson [Mon, 21 Feb 2011 15:15:58 +0000 (15:15 +0000)]
*** empty log message ***

Dr. Stephen Henson [Mon, 21 Feb 2011 14:07:15 +0000 (14:07 +0000)]
Make fipscanisteronly build only required files.

Dr. Stephen Henson [Sat, 19 Feb 2011 22:16:52 +0000 (22:16 +0000)]
Move gcm128_context definition to modes_lcl.h (along with some related
definitions) so we can use it in EVP GCM code avoiding need to allocate
it.

Dr. Stephen Henson [Fri, 18 Feb 2011 17:25:00 +0000 (17:25 +0000)]
add ECDSA POST

Dr. Stephen Henson [Fri, 18 Feb 2011 17:09:33 +0000 (17:09 +0000)]
AES GCM selftests.

Dr. Stephen Henson [Thu, 17 Feb 2011 19:03:52 +0000 (19:03 +0000)]
Make -DOPENSSL_FIPSSYMS work for assembly language builds.

Dr. Stephen Henson [Thu, 17 Feb 2011 18:08:59 +0000 (18:08 +0000)]
Experimental perl script to edit assembly language source files,
call the assembler, then restore original file.

This makes OPENSSL_FIPSSYMS work for assembly language builds.

Dr. Stephen Henson [Thu, 17 Feb 2011 17:45:09 +0000 (17:45 +0000)]
Correct fipssyms.h for more assembly language symbols.

Dr. Stephen Henson [Thu, 17 Feb 2011 15:35:43 +0000 (15:35 +0000)]
Update auto generated comment.

Dr. Stephen Henson [Thu, 17 Feb 2011 15:33:32 +0000 (15:33 +0000)]
Remove debugging command.

Reorder fipssyms.h to include assembly language symbols at the end.

Dr. Stephen Henson [Wed, 16 Feb 2011 18:07:57 +0000 (18:07 +0000)]
Don't need err library for Makefile.fips

Dr. Stephen Henson [Wed, 16 Feb 2011 17:25:01 +0000 (17:25 +0000)]
Include openssl/crypto.h first in several other files so FIPS renaming
is picked up.

Dr. Stephen Henson [Wed, 16 Feb 2011 14:49:50 +0000 (14:49 +0000)]
Experimental FIPS symbol renaming.

Fixups under fips/ to make symbol renaming work.

Dr. Stephen Henson [Wed, 16 Feb 2011 14:40:06 +0000 (14:40 +0000)]
Experimental symbol renaming to avoid clashes with regular OpenSSL.

Make sure crypto.h is included first in any affected files.

Dr. Stephen Henson [Tue, 15 Feb 2011 16:58:28 +0000 (16:58 +0000)]
Add pairwise consistency test to EC.

Dr. Stephen Henson [Tue, 15 Feb 2011 16:58:06 +0000 (16:58 +0000)]
Use SHA-256 in fips_test_suite.

Dr. Stephen Henson [Tue, 15 Feb 2011 16:18:18 +0000 (16:18 +0000)]
Update pairwise consistency checks to use SHA-256.

Dr. Stephen Henson [Tue, 15 Feb 2011 16:03:47 +0000 (16:03 +0000)]
Add non-FIPS algorithm blocking and selftest checking.

Dr. Stephen Henson [Tue, 15 Feb 2011 15:57:54 +0000 (15:57 +0000)]
Add FIPS flags to AES ciphers and SHA* digests.

Dr. Stephen Henson [Tue, 15 Feb 2011 15:56:13 +0000 (15:56 +0000)]
Ignore final '\n' when checking if hex line length is odd.

Dr. Stephen Henson [Tue, 15 Feb 2011 14:16:57 +0000 (14:16 +0000)]
Add support for SigGen and KeyPair tests.

Dr. Stephen Henson [Mon, 14 Feb 2011 19:42:49 +0000 (19:42 +0000)]
Update ECDSA test program to handle ECDSA2 format files.
Correctly handle hex strings with an odd number of digits.

Dr. Stephen Henson [Mon, 14 Feb 2011 17:28:28 +0000 (17:28 +0000)]
Add .cvsignore.

Dr. Stephen Henson [Mon, 14 Feb 2011 17:14:55 +0000 (17:14 +0000)]
Add ECDSA functionality to fips module. Initial very incomplete version
of algorithm test program.

Dr. Stephen Henson [Mon, 14 Feb 2011 17:05:42 +0000 (17:05 +0000)]
Include support for an add_lock callback to tiny FIPS locking API.

Dr. Stephen Henson [Mon, 14 Feb 2011 16:55:28 +0000 (16:55 +0000)]
Don't use FIPS api for ec2_oct.c

Dr. Stephen Henson [Mon, 14 Feb 2011 16:52:12 +0000 (16:52 +0000)]
Reorganise ECC code for inclusion in FIPS module.

Move compression, point2oct and oct2point functions into separate files.

Add a flags field to EC_METHOD.

Add a flag EC_FLAGS_DEFAULT_OCT to use the default compression and oct
functions (all existing methods do this). This removes dependencies from
EC_METHOD while keeping original functionality.

Dr. Stephen Henson [Mon, 14 Feb 2011 16:45:28 +0000 (16:45 +0000)]
Use BN_nist_mod_func to avoid need to peek error queue.

Dr. Stephen Henson [Mon, 14 Feb 2011 16:44:29 +0000 (16:44 +0000)]
New function BN_nist_mod_func which returns an appropriate function
if the passed prime is a NIST prime.

Dr. Stephen Henson [Sun, 13 Feb 2011 18:45:41 +0000 (18:45 +0000)]
Remove dependency of dsa_sign.o and dsa_vrf.o: new functions FIPS_dsa_sig_new
and FIPS_dsa_sig_free, reimplement DSA_SIG_new and DSA_SIG_free from ASN1
library.

Dr. Stephen Henson [Sat, 12 Feb 2011 18:25:18 +0000 (18:25 +0000)]
Change FIPS source and utilities to use the "FIPS_" names directly
instead of using regular OpenSSL API names.

Dr. Stephen Henson [Sat, 12 Feb 2011 17:38:40 +0000 (17:38 +0000)]
Make no-ec2m work on Win32 build. Add nextprotoneg support too.

Dr. Stephen Henson [Sat, 12 Feb 2011 17:38:06 +0000 (17:38 +0000)]
Disable some functions in headers with no-ec2m

Dr. Stephen Henson [Sat, 12 Feb 2011 17:23:32 +0000 (17:23 +0000)]
New option to disable characteristic two fields in EC code.

Andy Polyakov [Sat, 12 Feb 2011 16:43:41 +0000 (16:43 +0000)]
dso_dlfcn.c: make it work on Tru64 4.0.
PR: 2316

Andy Polyakov [Sat, 12 Feb 2011 16:13:59 +0000 (16:13 +0000)]
Configure: engage assembler in Android target.

Andy Polyakov [Sat, 12 Feb 2011 11:47:55 +0000 (11:47 +0000)]
gcm128.c: make it work with no-sse2.

Dr. Stephen Henson [Fri, 11 Feb 2011 20:56:24 +0000 (20:56 +0000)]
Add Makefile.fips.

Dr. Stephen Henson [Fri, 11 Feb 2011 19:02:34 +0000 (19:02 +0000)]
New "fipscanisteronly" build option: only build fipscanister.o and
associated utilities. This functionality will be used by the validated
tarball.

Dr. Stephen Henson [Fri, 11 Feb 2011 16:49:01 +0000 (16:49 +0000)]
Make Windows build work with GCM.

Dr. Stephen Henson [Fri, 11 Feb 2011 15:19:54 +0000 (15:19 +0000)]
In FIPS mode only use "Generation by Testing Candidates" equivalent.

Dr. Stephen Henson [Fri, 11 Feb 2011 14:38:39 +0000 (14:38 +0000)]
Return security strength for supported DSA parameters: will be used
later.

Dr. Stephen Henson [Fri, 11 Feb 2011 14:21:01 +0000 (14:21 +0000)]
Free keys if DSA pairwise error.

Andy Polyakov [Thu, 10 Feb 2011 21:24:24 +0000 (21:24 +0000)]
x86gas.pl: make data_short work on legacy systems.

Andy Polyakov [Thu, 10 Feb 2011 21:16:21 +0000 (21:16 +0000)]
xts128.c: initial draft.

Dr. Stephen Henson [Thu, 10 Feb 2011 01:46:25 +0000 (01:46 +0000)]
Disable FIPS restrictions when doing GCM testing.

Dr. Stephen Henson [Wed, 9 Feb 2011 16:21:43 +0000 (16:21 +0000)]
Add GCM IV generator. Add some FIPS restrictions to GCM. Update fips_gcmtest.

Andy Polyakov [Tue, 8 Feb 2011 23:08:02 +0000 (23:08 +0000)]
ccm128.c: initialize ctx->block (what I was smoking?).

Andy Polyakov [Tue, 8 Feb 2011 23:02:45 +0000 (23:02 +0000)]
ccm128.c: initial draft.

Dr. Stephen Henson [Tue, 8 Feb 2011 19:25:24 +0000 (19:25 +0000)]
Equally experimental encrypt side for fips_gcmtest. Currently this uses IVs
in the request file; need to update it to generate IVs once we have an IV
generator in place.

Bodo Möller [Tue, 8 Feb 2011 19:09:08 +0000 (19:09 +0000)]
Sync with 1.0.1 branch.
(CVE-2011-0014 OCSP stapling fix has been applied to HEAD as well.)

Dr. Stephen Henson [Tue, 8 Feb 2011 18:25:57 +0000 (18:25 +0000)]
Set values to NULL after freeing them.

Dr. Stephen Henson [Tue, 8 Feb 2011 18:15:59 +0000 (18:15 +0000)]
Experimental incomplete AES GCM algorithm test program.

Bodo Möller [Tue, 8 Feb 2011 17:48:57 +0000 (17:48 +0000)]
OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)

Submitted by: Neel Mehta, Adam Langley, Bodo Moeller

Dr. Stephen Henson [Tue, 8 Feb 2011 15:10:42 +0000 (15:10 +0000)]
Link GCM into FIPS module. Check return value in EVP gcm.

Bodo Möller [Tue, 8 Feb 2011 08:48:51 +0000 (08:48 +0000)]
Synchronize with 1.0.0 branch

Andy Polyakov [Mon, 7 Feb 2011 19:11:13 +0000 (19:11 +0000)]
gcm128.c: add boundary condition checks.

Dr. Stephen Henson [Mon, 7 Feb 2011 18:16:33 +0000 (18:16 +0000)]
Initial *very* experimental EVP support for AES-GCM. Note: probably very
broken and subject to change.

Dr. Stephen Henson [Mon, 7 Feb 2011 18:05:27 +0000 (18:05 +0000)]
Add CRYPTO_gcm128_tag() function to retrieve the tag.

Dr. Stephen Henson [Mon, 7 Feb 2011 18:04:27 +0000 (18:04 +0000)]
Use 0 not -1 (since type is size_t) for finalisation argument to do_cipher:
the NULL value for the input buffer is sufficient to notice this case.

Dr. Stephen Henson [Mon, 7 Feb 2011 14:36:55 +0000 (14:36 +0000)]
Typo.

Dr. Stephen Henson [Mon, 7 Feb 2011 14:36:08 +0000 (14:36 +0000)]
New flags EVP_CIPH_FLAG_CUSTOM_CIPHER in cipher structures if an underlying
cipher handles all cipher semantics itself.

Dr. Stephen Henson [Mon, 7 Feb 2011 13:34:00 +0000 (13:34 +0000)]
Fix memory leak.

Dr. Stephen Henson [Mon, 7 Feb 2011 12:47:16 +0000 (12:47 +0000)]
Use default ASN1 if flag set.

Andy Polyakov [Sun, 6 Feb 2011 23:50:05 +0000 (23:50 +0000)]
gcm128.c: allow multiple calls to CRYPTO_gcm128_aad.

Andy Polyakov [Sun, 6 Feb 2011 23:48:32 +0000 (23:48 +0000)]
gcm128.c: fix bug in OPENSSL_SMALL_FOOTPRINT decrypt.
PR: 2432
Submitted by: Michael Heyman

Dr. Stephen Henson [Sun, 6 Feb 2011 00:51:05 +0000 (00:51 +0000)]
Fix duplicate code and typo.

Dr. Stephen Henson [Fri, 4 Feb 2011 17:56:57 +0000 (17:56 +0000)]
Remove unneeded functions, make some functions and variables static.

Dr. Stephen Henson [Thu, 3 Feb 2011 23:12:04 +0000 (23:12 +0000)]
Add FIPS support to the WIN32 build system.

Dr. Stephen Henson [Thu, 3 Feb 2011 17:00:24 +0000 (17:00 +0000)]
Transfer error redirection to fips.h, add OPENSSL_FIPSAPI to source files
that use it.

Dr. Stephen Henson [Thu, 3 Feb 2011 16:16:30 +0000 (16:16 +0000)]
Rename crypto/fips_err.c to fips_ers.c to avoid clash with other fips_err.c

Dr. Stephen Henson [Thu, 3 Feb 2011 16:03:21 +0000 (16:03 +0000)]
Include fips header file in err_all.c if needed.

Dr. Stephen Henson [Thu, 3 Feb 2011 15:58:43 +0000 (15:58 +0000)]
Add FIPS error codes.

Dr. Stephen Henson [Thu, 3 Feb 2011 14:57:51 +0000 (14:57 +0000)]
add -stripcr option to copy.pl from 0.9.8

Dr. Stephen Henson [Thu, 3 Feb 2011 14:20:59 +0000 (14:20 +0000)]
Add Windows FIPS build utilities.

Dr. Stephen Henson [Thu, 3 Feb 2011 13:00:08 +0000 (13:00 +0000)]
For now disable EC_GFp_nistp224_method() for WIN32 so the WIN32 build
completes without linker errors.

Dr. Stephen Henson [Thu, 3 Feb 2011 12:59:01 +0000 (12:59 +0000)]
Add FIPS support to mkdef.pl script, update ordinals.

Dr. Stephen Henson [Thu, 3 Feb 2011 12:47:56 +0000 (12:47 +0000)]
Use single X931 key generation source file for FIPS and non-FIPS builds.

Bodo Möller [Thu, 3 Feb 2011 12:03:51 +0000 (12:03 +0000)]
Assorted bugfixes:
- safestack macro changes for C++ were incomplete
- RLE decompression boundary case
- SSL 2.0 key arg length check

Submitted by: Google (Adam Langley, Neel Mehta, Bodo Moeller)

Bodo Möller [Thu, 3 Feb 2011 11:13:29 +0000 (11:13 +0000)]
fix omissions

Bodo Möller [Thu, 3 Feb 2011 10:43:00 +0000 (10:43 +0000)]
CVE-2010-4180 fix (from OpenSSL_1_0_0-stable)

Bodo Möller [Thu, 3 Feb 2011 10:17:53 +0000 (10:17 +0000)]
make update

Bodo Möller [Thu, 3 Feb 2011 10:03:23 +0000 (10:03 +0000)]
Fix error codes.

Dr. Stephen Henson [Wed, 2 Feb 2011 17:48:03 +0000 (17:48 +0000)]
Cope with new DSA2 file format where some p/q only tests are made.

Dr. Stephen Henson [Wed, 2 Feb 2011 15:11:40 +0000 (15:11 +0000)]
Fix target config errors.

Dr. Stephen Henson [Wed, 2 Feb 2011 15:07:13 +0000 (15:07 +0000)]
Make no-asm work in fips mode. Add android platform.

Dr. Stephen Henson [Wed, 2 Feb 2011 14:21:33 +0000 (14:21 +0000)]
Add sign/verify digest API to handle an explicit digest instead of finalising
a context.

Dr. Stephen Henson [Wed, 2 Feb 2011 14:20:45 +0000 (14:20 +0000)]
Remove DSA parameter generation from DSA selftest. It is unnecessary and
can be very slow on embedded platforms. Hard code DSA parameters instead.

Dr. Stephen Henson [Tue, 1 Feb 2011 19:15:12 +0000 (19:15 +0000)]
Don't try to set pmd if it is NULL.

Dr. Stephen Henson [Tue, 1 Feb 2011 18:53:48 +0000 (18:53 +0000)]
Add DSA2 support to final algorithm tests: keypair and keyver.

Dr. Stephen Henson [Tue, 1 Feb 2011 17:54:23 +0000 (17:54 +0000)]
Support more DSA2 tests.

Dr. Stephen Henson [Tue, 1 Feb 2011 17:15:53 +0000 (17:15 +0000)]
Tolerate mixed case and leading zeroes when comparing.

Dr. Stephen Henson [Tue, 1 Feb 2011 17:15:19 +0000 (17:15 +0000)]
fixes for DSA2 parameter generation

Dr. Stephen Henson [Tue, 1 Feb 2011 17:14:07 +0000 (17:14 +0000)]
update README.FIPS

Dr. Stephen Henson [Tue, 1 Feb 2011 12:52:01 +0000 (12:52 +0000)]
Since FIPS 186-3 specifies we use the leftmost bits of the digest
we shouldn't reject digest lengths larger than SHA256: the FIPS
algorithm tests include SHA384 and SHA512 tests.

Dr. Stephen Henson [Mon, 31 Jan 2011 19:44:09 +0000 (19:44 +0000)]
Provisional, experimental support for DSA2 parameter generation algorithm.
Not properly integrated or tested yet.

Dr. Stephen Henson [Sun, 30 Jan 2011 01:30:48 +0000 (01:30 +0000)]
stop warnings about no previous prototype when compiling shared engines

Dr. Stephen Henson [Sun, 30 Jan 2011 01:14:34 +0000 (01:14 +0000)]
Fix shared build for fips

Dr. Stephen Henson [Sun, 30 Jan 2011 00:01:09 +0000 (00:01 +0000)]
Add fips option into Configure, disable endian code for no-asm and FIPS.
Make shared library default for fips.