openssl.git
8 years agomake update
Bodo Möller [Thu, 3 Feb 2011 10:17:53 +0000 (10:17 +0000)]
make update

8 years agoFix error codes.
Bodo Möller [Thu, 3 Feb 2011 10:03:23 +0000 (10:03 +0000)]
Fix error codes.

8 years agoCope with new DSA2 file format where some p/q only tests are made.
Dr. Stephen Henson [Wed, 2 Feb 2011 17:48:03 +0000 (17:48 +0000)]
Cope with new DSA2 file format where some p/q only tests are made.

8 years agoFix target config errors.
Dr. Stephen Henson [Wed, 2 Feb 2011 15:11:40 +0000 (15:11 +0000)]
Fix target config errors.

8 years agoMake no-asm work in fips mode. Add android platform.
Dr. Stephen Henson [Wed, 2 Feb 2011 15:07:13 +0000 (15:07 +0000)]
Make no-asm work in fips mode. Add android platform.

8 years agoAdd sign/verify digest API to handle an explicit digest instead of finalising
Dr. Stephen Henson [Wed, 2 Feb 2011 14:21:33 +0000 (14:21 +0000)]
Add sign/verify digest API to handle an explicit digest instead of finalising
a context.

8 years agoRemove DSA parameter generation from DSA selftest. It is unnecessary and
Dr. Stephen Henson [Wed, 2 Feb 2011 14:20:45 +0000 (14:20 +0000)]
Remove DSA parameter generation from DSA selftest. It is unnecessary and
can be very slow on embedded platforms. Hard code DSA parameters instead.

8 years agoDon't try to set pmd if it is NULL.
Dr. Stephen Henson [Tue, 1 Feb 2011 19:15:12 +0000 (19:15 +0000)]
Don't try to set pmd if it is NULL.

8 years agoAdd DSA2 support to final algorithm tests: keypair and keyver.
Dr. Stephen Henson [Tue, 1 Feb 2011 18:53:48 +0000 (18:53 +0000)]
Add DSA2 support to final algorithm tests: keypair and keyver.

8 years agoSupport more DSA2 tests.
Dr. Stephen Henson [Tue, 1 Feb 2011 17:54:23 +0000 (17:54 +0000)]
Support more DSA2 tests.

8 years agoTolerate mixed case and leading zeroes when comparing.
Dr. Stephen Henson [Tue, 1 Feb 2011 17:15:53 +0000 (17:15 +0000)]
Tolerate mixed case and leading zeroes when comparing.

8 years agofixes for DSA2 parameter generation
Dr. Stephen Henson [Tue, 1 Feb 2011 17:15:19 +0000 (17:15 +0000)]
fixes for DSA2 parameter generation

8 years agoupdate README.FIPS
Dr. Stephen Henson [Tue, 1 Feb 2011 17:14:07 +0000 (17:14 +0000)]
update README.FIPS

8 years agoSince FIPS 186-3 specifies we use the leftmost bits of the digest
Dr. Stephen Henson [Tue, 1 Feb 2011 12:52:01 +0000 (12:52 +0000)]
Since FIPS 186-3 specifies we use the leftmost bits of the digest
we shouldn't reject digest lengths larger than SHA256: the FIPS
algorithm tests include SHA384 and SHA512 tests.

8 years agoProvisional, experimental support for DSA2 parameter generation algorithm.
Dr. Stephen Henson [Mon, 31 Jan 2011 19:44:09 +0000 (19:44 +0000)]
Provisional, experimental support for DSA2 parameter generation algorithm.
Not properly integrated or tested yet.

8 years agostop warnings about no previous prototype when compiling shared engines
Dr. Stephen Henson [Sun, 30 Jan 2011 01:30:48 +0000 (01:30 +0000)]
stop warnings about no previous prototype when compiling shared engines

8 years agoFix shared build for fips
Dr. Stephen Henson [Sun, 30 Jan 2011 01:14:34 +0000 (01:14 +0000)]
Fix shared build for fips

8 years agoAdd fips option into Configure, disable endian code for no-asm and FIPS.
Dr. Stephen Henson [Sun, 30 Jan 2011 00:01:09 +0000 (00:01 +0000)]
Add fips option into Configure, disable endian code for no-asm and FIPS.
Make shared library default for fips.

8 years agoadd fiplibdir and basedir options to Configure
Dr. Stephen Henson [Sat, 29 Jan 2011 23:45:02 +0000 (23:45 +0000)]
add fiplibdir and basedir options to Configure

8 years agouse different default fips install directory
Dr. Stephen Henson [Sat, 29 Jan 2011 23:05:15 +0000 (23:05 +0000)]
use different default fips install directory

8 years agoupdate version to 2.0
Dr. Stephen Henson [Sat, 29 Jan 2011 21:51:59 +0000 (21:51 +0000)]
update version to 2.0

8 years agotypo
Dr. Stephen Henson [Sat, 29 Jan 2011 21:45:04 +0000 (21:45 +0000)]
typo

8 years agodon't descend fips directory if not in fips mode
Dr. Stephen Henson [Sat, 29 Jan 2011 21:39:33 +0000 (21:39 +0000)]
don't descend fips directory if not in fips mode

8 years agoAdd preliminary FIPS information.
Dr. Stephen Henson [Sat, 29 Jan 2011 17:05:25 +0000 (17:05 +0000)]
Add preliminary FIPS information.

8 years agoMove all FIPSAPI renames into fips.h header file, include early in
Dr. Stephen Henson [Thu, 27 Jan 2011 19:10:56 +0000 (19:10 +0000)]
Move all FIPSAPI renames into fips.h header file, include early in
crypto.h if needed.

Modify source tree to handle change.

8 years agoadd .cvsignore
Dr. Stephen Henson [Thu, 27 Jan 2011 18:11:36 +0000 (18:11 +0000)]
add .cvsignore

8 years agoadd FIPS API malloc/free
Dr. Stephen Henson [Thu, 27 Jan 2011 18:09:05 +0000 (18:09 +0000)]
add FIPS API malloc/free

8 years agoRedirect FIPS memory allocation to FIPS_malloc() routine, remove
Dr. Stephen Henson [Thu, 27 Jan 2011 17:23:43 +0000 (17:23 +0000)]
Redirect FIPS memory allocation to FIPS_malloc() routine, remove
OpenSSL malloc dependencies.

8 years agoadd fips_dsatest.c file
Dr. Stephen Henson [Thu, 27 Jan 2011 16:52:49 +0000 (16:52 +0000)]
add fips_dsatest.c file

8 years agoUpdate source files to handle new FIPS_lock() location. Add FIPS_lock()
Dr. Stephen Henson [Thu, 27 Jan 2011 15:57:31 +0000 (15:57 +0000)]
Update source files to handle new FIPS_lock() location. Add FIPS_lock()
definition. Remove stale function references from fips.h

8 years agoChange OPENSSL_FIPSEVP to OPENSSL_FIPSAPI as it doesn't just refer
Dr. Stephen Henson [Thu, 27 Jan 2011 15:22:26 +0000 (15:22 +0000)]
Change OPENSSL_FIPSEVP to OPENSSL_FIPSAPI as it doesn't just refer
to EVP any more.

Move locking #define into fips.h.

Set FIPS locking callbacks at same time as OpenSSL locking callbacks.

8 years agoInclude thread ID code in fips module.
Dr. Stephen Henson [Thu, 27 Jan 2011 14:50:41 +0000 (14:50 +0000)]
Include thread ID code in fips module.

8 years agoNew FIPS_lock() function for minimal FIPS locking API: to avoid dependencies
Dr. Stephen Henson [Thu, 27 Jan 2011 14:29:48 +0000 (14:29 +0000)]
New FIPS_lock() function for minimal FIPS locking API: to avoid dependencies
on OpenSSL locking code. Use API in some internal FIPS files.

Remove redundant ENGINE defines from fips.h

8 years agoMove locking and thread ID functions into new files lock.c and thr_id.c,
Dr. Stephen Henson [Thu, 27 Jan 2011 14:27:24 +0000 (14:27 +0000)]
Move locking and thread ID functions into new files lock.c and thr_id.c,
redirect locking to minimal FIPS_lock() function where required.

8 years agouse FIPSEVP in some bn and rsa files
Dr. Stephen Henson [Thu, 27 Jan 2011 14:24:42 +0000 (14:24 +0000)]
use FIPSEVP in some bn and rsa files

8 years agoupdate .cvsignore
Dr. Stephen Henson [Thu, 27 Jan 2011 13:33:47 +0000 (13:33 +0000)]
update .cvsignore

8 years agoInternal version of BN_mod_inverse allowing checking of no-inverse without
Dr. Stephen Henson [Wed, 26 Jan 2011 16:59:47 +0000 (16:59 +0000)]
Internal version of BN_mod_inverse allowing checking of no-inverse without
need to inspect error queue.

8 years agoFIPS changes to test/Makefile: rules to build FIPS test applications.
Dr. Stephen Henson [Wed, 26 Jan 2011 16:47:51 +0000 (16:47 +0000)]
FIPS changes to test/Makefile: rules to build FIPS test applications.

8 years agoUse ARX in crypto/Makefile
Dr. Stephen Henson [Wed, 26 Jan 2011 16:22:03 +0000 (16:22 +0000)]
Use ARX in crypto/Makefile

8 years agoFIPS HMAC changes:
Dr. Stephen Henson [Wed, 26 Jan 2011 16:15:38 +0000 (16:15 +0000)]
FIPS HMAC changes:

Use EVP macros.

Use tiny EVP in FIPS mode.

8 years agoChange AR to ARX to allow exclusion of fips object modules
Dr. Stephen Henson [Wed, 26 Jan 2011 16:08:08 +0000 (16:08 +0000)]
Change AR to ARX to allow exclusion of fips object modules

8 years agoFIPS mode ERR changes. Redirect errors to tiny FIPS callbacks to avoid ERR
Dr. Stephen Henson [Wed, 26 Jan 2011 15:53:07 +0000 (15:53 +0000)]
FIPS mode ERR changes. Redirect errors to tiny FIPS callbacks to avoid ERR
library dependencies.

8 years agoFIPS DH changes: selftest checks and key range checks.
Dr. Stephen Henson [Wed, 26 Jan 2011 15:47:19 +0000 (15:47 +0000)]
FIPS DH changes: selftest checks and key range checks.

8 years agoFIPS mode DSA changes:
Dr. Stephen Henson [Wed, 26 Jan 2011 15:46:26 +0000 (15:46 +0000)]
FIPS mode DSA changes:

Check for selftest failures.

Pairwise consistency test for RSA key generation.

Use some EVP macros instead of EVP functions.

Use minimal FIPS EVP where needed.

Key size restrictions.

8 years agoFIPS mode RSA changes:
Dr. Stephen Henson [Wed, 26 Jan 2011 15:37:41 +0000 (15:37 +0000)]
FIPS mode RSA changes:

Check for selftest failures.

Pairwise consistency test for RSA key generation.

Use some EVP macros instead of EVP functions.

Use minimal FIPS EVP where needed.

8 years agoadd new RAND errors
Dr. Stephen Henson [Wed, 26 Jan 2011 15:33:51 +0000 (15:33 +0000)]
add new RAND errors

8 years agoFIPS mode EVP changes:
Dr. Stephen Henson [Wed, 26 Jan 2011 15:25:33 +0000 (15:25 +0000)]
FIPS mode EVP changes:

Set EVP_CIPH_FLAG_FIPS on approved ciphers.

Support "default ASN1" flag which avoids need for ASN1 dependencies in FIPS
code.

Include some defines to redirect operations to a "tiny EVP" implementation
in some FIPS source files.

Change m_sha1.c to use EVP_PKEY_NULL_method: the EVP_MD sign/verify functions
are not used in OpenSSL 1.0 and later for SHA1 and SHA2 ciphers: the EVP_PKEY
API is used instead.

8 years agoFIPS mode changes to make RNG compile (this will need updating later as we
Dr. Stephen Henson [Wed, 26 Jan 2011 14:52:04 +0000 (14:52 +0000)]
FIPS mode changes to make RNG compile (this will need updating later as we
need a whole new PRNG for FIPS).

1. avoid use of ERR_peek().

2. If compiling with FIPS use small FIPS EVP and disable ENGINE

8 years agoAdd fipscanisterbuild configuration option and update Makefile.org: doesn't compile yet
Dr. Stephen Henson [Wed, 26 Jan 2011 12:31:30 +0000 (12:31 +0000)]
Add fipscanisterbuild configuration option and update Makefile.org: doesn't compile yet

8 years agoFIPS_allow_md5() no longer exists and is no longer required
Dr. Stephen Henson [Wed, 26 Jan 2011 12:23:58 +0000 (12:23 +0000)]
FIPS_allow_md5() no longer exists and is no longer required

8 years agoAdd rsa_crpt
Richard Levitte [Wed, 26 Jan 2011 06:51:35 +0000 (06:51 +0000)]
Add rsa_crpt

8 years agoupdate mkerr.pl for use fips directory, add arx.pl script
Dr. Stephen Henson [Wed, 26 Jan 2011 01:35:07 +0000 (01:35 +0000)]
update mkerr.pl for use fips directory, add arx.pl script

8 years agoadd fips_premain.c.sha1
Dr. Stephen Henson [Wed, 26 Jan 2011 01:15:54 +0000 (01:15 +0000)]
add fips_premain.c.sha1

8 years agoadd fips_sha1_selftest.c
Dr. Stephen Henson [Wed, 26 Jan 2011 01:11:12 +0000 (01:11 +0000)]
add fips_sha1_selftest.c

8 years agoadd fips/sha files
Dr. Stephen Henson [Wed, 26 Jan 2011 01:09:52 +0000 (01:09 +0000)]
add fips/sha files

8 years agoadd fips/aes/Makefile
Dr. Stephen Henson [Wed, 26 Jan 2011 01:05:48 +0000 (01:05 +0000)]
add fips/aes/Makefile

8 years agoadd fips/des/Makefile
Dr. Stephen Henson [Wed, 26 Jan 2011 01:04:53 +0000 (01:04 +0000)]
add fips/des/Makefile

8 years agoadd fips/Makefile
Dr. Stephen Henson [Wed, 26 Jan 2011 01:03:54 +0000 (01:03 +0000)]
add fips/Makefile

8 years agoadd some missing fips files
Dr. Stephen Henson [Wed, 26 Jan 2011 00:58:09 +0000 (00:58 +0000)]
add some missing fips files

8 years agoAnd so it begins... again.
Dr. Stephen Henson [Wed, 26 Jan 2011 00:56:19 +0000 (00:56 +0000)]
And so it begins... again.

Initial FIPS 140-2 code ported to HEAD. Doesn't even compile yet, may have
missing files, extraneous files and other nastiness.

In other words: it's experimental ATM, OK?

8 years agoMove RSA encryption functions to new file crypto/rsa/rsa_crpt.c to separate
Dr. Stephen Henson [Tue, 25 Jan 2011 17:35:10 +0000 (17:35 +0000)]
Move RSA encryption functions to new file crypto/rsa/rsa_crpt.c to separate
crypto and ENGINE dependencies in RSA library.

8 years agoMove BN_options function to bn_print.c to remove dependency for BIO printf
Dr. Stephen Henson [Tue, 25 Jan 2011 17:10:30 +0000 (17:10 +0000)]
Move BN_options function to bn_print.c to remove dependency for BIO printf
routines from bn_lib.c

8 years agoMove DSA_sign, DSA_verify to dsa_asn1.c and include separate versions of
Dr. Stephen Henson [Tue, 25 Jan 2011 16:55:15 +0000 (16:55 +0000)]
Move DSA_sign, DSA_verify to dsa_asn1.c and include separate versions of
DSA_SIG_new() and DSA_SIG_free() to remove ASN1 dependencies from DSA_do_sign()
and DSA_do_verify().

8 years agorecalculate DSA signature if r or s is zero (FIPS 186-3 requirement)
Dr. Stephen Henson [Tue, 25 Jan 2011 16:01:29 +0000 (16:01 +0000)]
recalculate DSA signature if r or s is zero (FIPS 186-3 requirement)

8 years agorevert Makefile change
Dr. Stephen Henson [Tue, 25 Jan 2011 12:15:10 +0000 (12:15 +0000)]
revert Makefile change

8 years agoPR: 2433
Dr. Stephen Henson [Mon, 24 Jan 2011 16:19:52 +0000 (16:19 +0000)]
PR: 2433
Submitted by: Chris Wilson <chris@qwirx.com>
Reviewed by: steve

Constify ASN1_STRING_set_default_mask_asc().

8 years agoNew function EC_KEY_set_affine_coordinates() this performs all the
Dr. Stephen Henson [Mon, 24 Jan 2011 16:07:40 +0000 (16:07 +0000)]
New function EC_KEY_set_affine_coordinates() this performs all the
NIST PKV tests.

8 years agocheck EC public key isn't point at infinity
Dr. Stephen Henson [Mon, 24 Jan 2011 15:04:34 +0000 (15:04 +0000)]
check EC public key isn't point at infinity

8 years agoPR: 1612
Dr. Stephen Henson [Mon, 24 Jan 2011 14:41:34 +0000 (14:41 +0000)]
PR: 1612
Submitted by: Robert Jackson <robert@rjsweb.net>
Reviewed by: steve

Fix EC_POINT_cmp function for case where b but not a is the point at infinity.

8 years agooops, revert mistakenly committed EC changes
Dr. Stephen Henson [Wed, 19 Jan 2011 14:42:42 +0000 (14:42 +0000)]
oops, revert mistakenly committed EC changes

8 years agoAdd additional parameter to dsa_builtin_paramgen to output the generated
Dr. Stephen Henson [Wed, 19 Jan 2011 14:35:53 +0000 (14:35 +0000)]
Add additional parameter to dsa_builtin_paramgen to output the generated
seed to: this doesn't introduce any binary compatibility issues as the
function is only used internally.

The seed output is needed for FIPS 140-2 algorithm testing: the functionality
used to be in DSA_generate_parameters_ex() but was removed in OpenSSL 1.0.0

8 years agoadd va_list version of ERR_add_error_data
Dr. Stephen Henson [Fri, 14 Jan 2011 15:13:37 +0000 (15:13 +0000)]
add va_list version of ERR_add_error_data

8 years agostop warning with no-engine
Dr. Stephen Henson [Thu, 13 Jan 2011 15:41:58 +0000 (15:41 +0000)]
stop warning with no-engine

8 years agoPR: 2425
Richard Levitte [Mon, 10 Jan 2011 20:55:21 +0000 (20:55 +0000)]
PR: 2425
Synchronise VMS build with Unixly build.

8 years agoConstify.
Ben Laurie [Sun, 9 Jan 2011 17:50:18 +0000 (17:50 +0000)]
Constify.

8 years agoFix warning.
Ben Laurie [Sun, 9 Jan 2011 17:50:06 +0000 (17:50 +0000)]
Fix warning.

8 years agomissed change in ACKNOWLEDGEMENTS file
Dr. Stephen Henson [Sun, 9 Jan 2011 13:37:09 +0000 (13:37 +0000)]
missed change in ACKNOWLEDGEMENTS file

8 years agomove some string utilities to buf_str.c to reduce some dependencies (from 0.9.8 branch).
Dr. Stephen Henson [Sun, 9 Jan 2011 13:32:57 +0000 (13:32 +0000)]
move some string utilities to buf_str.c to reduce some dependencies (from 0.9.8 branch).

8 years agoadd X9.31 prime generation routines from 0.9.8 branch
Dr. Stephen Henson [Sun, 9 Jan 2011 13:02:14 +0000 (13:02 +0000)]
add X9.31 prime generation routines from 0.9.8 branch

8 years agoPR: 2407
Richard Levitte [Thu, 6 Jan 2011 20:56:02 +0000 (20:56 +0000)]
PR: 2407
Fix fault include.
Submitted by Arpadffy Zoltan <Zoltan.Arpadffy@scientificgames.se>

8 years agoDon't use decryption_failed alert for TLS v1.1 or later.
Dr. Stephen Henson [Tue, 4 Jan 2011 19:39:27 +0000 (19:39 +0000)]
Don't use decryption_failed alert for TLS v1.1 or later.

8 years agoSince DTLS 1.0 is based on TLS 1.1 we should never return a decryption_failed
Dr. Stephen Henson [Tue, 4 Jan 2011 19:34:20 +0000 (19:34 +0000)]
Since DTLS 1.0 is based on TLS 1.1 we should never return a decryption_failed
alert.

8 years agooops missed an assert
Dr. Stephen Henson [Mon, 3 Jan 2011 12:54:08 +0000 (12:54 +0000)]
oops missed an assert

8 years agoPR: 2411
Dr. Stephen Henson [Mon, 3 Jan 2011 01:40:53 +0000 (01:40 +0000)]
PR: 2411
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Fix corner cases in RFC3779 code.

8 years agoFix escaping code for string printing. If *any* escaping is enabled we
Dr. Stephen Henson [Mon, 3 Jan 2011 01:31:24 +0000 (01:31 +0000)]
Fix escaping code for string printing. If *any* escaping is enabled we
must escape the escape character itself (backslash).

8 years agoPR: 2410
Dr. Stephen Henson [Mon, 3 Jan 2011 01:22:41 +0000 (01:22 +0000)]
PR: 2410
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Use OPENSSL_assert() instead of assert().

8 years agoPR: 2413
Dr. Stephen Henson [Mon, 3 Jan 2011 01:07:35 +0000 (01:07 +0000)]
PR: 2413
Submitted by: Michael Bergandi <mbergandi@gmail.com>
Reviewed by: steve

Fix typo in crypto/bio/bss_dgram.c

8 years agoavoid verification loops in trusted store when path building
Dr. Stephen Henson [Sat, 25 Dec 2010 20:45:59 +0000 (20:45 +0000)]
avoid verification loops in trusted store when path building

8 years agoPart of the IF structure didn't get pasted here...
Richard Levitte [Tue, 14 Dec 2010 21:44:31 +0000 (21:44 +0000)]
Part of the IF structure didn't get pasted here...
PR: 2393

8 years agoe_capi.c: rearrange #include-s to improve portability.
Andy Polyakov [Tue, 14 Dec 2010 20:39:17 +0000 (20:39 +0000)]
e_capi.c: rearrange #include-s to improve portability.
PR: 2394

8 years agoFirst attempt at adding the possibility to set the pointer size for the builds on...
Richard Levitte [Tue, 14 Dec 2010 19:19:04 +0000 (19:19 +0000)]
First attempt at adding the possibility to set the pointer size for the builds on VMS.
PR: 2393

8 years agoSupport routines for ASN1 scanning function, doesn't do much yet.
Dr. Stephen Henson [Mon, 13 Dec 2010 18:15:28 +0000 (18:15 +0000)]
Support routines for ASN1 scanning function, doesn't do much yet.

8 years agoe_capi.c: change from ANSI to TCHAR domain. This makes it compilable on
Andy Polyakov [Sun, 12 Dec 2010 20:26:09 +0000 (20:26 +0000)]
e_capi.c: change from ANSI to TCHAR domain. This makes it compilable on
Windows CE/Mobile, yet keeps it normal Windows loop.
PR: 2350

8 years agoapps/x590.c: harmonize usage of STDout and out_err.
Andy Polyakov [Sun, 12 Dec 2010 10:52:56 +0000 (10:52 +0000)]
apps/x590.c: harmonize usage of STDout and out_err.
PR: 2323

8 years agobss_file.c: refine UTF8 logic.
Andy Polyakov [Sat, 11 Dec 2010 14:53:14 +0000 (14:53 +0000)]
bss_file.c: refine UTF8 logic.
PR: 2382

8 years agoignore leading null fields
Dr. Stephen Henson [Fri, 3 Dec 2010 19:31:34 +0000 (19:31 +0000)]
ignore leading null fields

8 years agoupdate FAQ
Dr. Stephen Henson [Thu, 2 Dec 2010 19:55:56 +0000 (19:55 +0000)]
update FAQ

8 years agoPR: 2386
Dr. Stephen Henson [Thu, 2 Dec 2010 18:02:29 +0000 (18:02 +0000)]
PR: 2386
Submitted by: Stefan Birrer <stefan.birrer@adnovum.ch>
Reviewed by: steve

Correct SKM_ASN1_SET_OF_d2i macro.

8 years agofix doc typos
Dr. Stephen Henson [Thu, 2 Dec 2010 13:44:53 +0000 (13:44 +0000)]
fix doc typos

8 years agouse right version this time in FAQ
Dr. Stephen Henson [Thu, 2 Dec 2010 00:08:12 +0000 (00:08 +0000)]
use right version this time in FAQ