openssl.git
fix memory leak
Dr. Stephen Henson [Wed, 8 Jun 2011 15:55:43 +0000 (15:55 +0000)]
fix memory leak

Add flags for DH FIPS method.
Dr. Stephen Henson [Wed, 8 Jun 2011 15:53:08 +0000 (15:53 +0000)]
Add flags for DH FIPS method.

Update/fix prototypes in fips.h

Set flags in ECDH and ECDSA methods for FIPS.
Dr. Stephen Henson [Wed, 8 Jun 2011 13:52:36 +0000 (13:52 +0000)]
Set flags in ECDH and ECDSA methods for FIPS.

rc4_skey.c: remove dead/redundant code (it's never compiled) and
Andy Polyakov [Mon, 6 Jun 2011 20:02:26 +0000 (20:02 +0000)]
rc4_skey.c: remove dead/redundant code (it's never compiled) and
misleading/obsolete comment.

Add prototypes for some FIPS EC functions.
Dr. Stephen Henson [Mon, 6 Jun 2011 15:24:02 +0000 (15:24 +0000)]
Add prototypes for some FIPS EC functions.

Set SSL_FIPS flag in ECC ciphersuites.
Dr. Stephen Henson [Mon, 6 Jun 2011 14:14:41 +0000 (14:14 +0000)]
Set SSL_FIPS flag in ECC ciphersuites.

Move function prototype to fips.h
Dr. Stephen Henson [Mon, 6 Jun 2011 11:56:58 +0000 (11:56 +0000)]
Move function prototype to fips.h

e_aes.c: move AES-NI run-time switch and implement the switch for remaining modes.
Andy Polyakov [Mon, 6 Jun 2011 11:40:03 +0000 (11:40 +0000)]
e_aes.c: move AES-NI run-time switch and implement the switch for remaining modes.

x86_64cpuid.pl: fix typo.
Andy Polyakov [Sat, 4 Jun 2011 13:08:25 +0000 (13:08 +0000)]
x86_64cpuid.pl: fix typo.

x86[_64]cpuid.pl: add function accessing rdrand instruction.
Andy Polyakov [Sat, 4 Jun 2011 12:20:45 +0000 (12:20 +0000)]
x86[_64]cpuid.pl: add function accessing rdrand instruction.

No spaces in assignments in a shell script...
Richard Levitte [Sat, 4 Jun 2011 09:00:59 +0000 (09:00 +0000)]
No spaces in assignments in a shell script...

fix error discrepancy
Dr. Stephen Henson [Fri, 3 Jun 2011 18:50:24 +0000 (18:50 +0000)]
fix error discrepancy

license correction, no EAY code included in this file
Dr. Stephen Henson [Fri, 3 Jun 2011 17:56:17 +0000 (17:56 +0000)]
license correction, no EAY code included in this file

Add "OPENSSL_FIPSCAPABLE" define for a version of OpenSSL which is
Dr. Stephen Henson [Fri, 3 Jun 2011 16:26:58 +0000 (16:26 +0000)]
Add "OPENSSL_FIPSCAPABLE" define for a version of OpenSSL which is
FIPS capable: i.e. FIPS module is supplied externally.

Constify RSA signature buffer.
Dr. Stephen Henson [Fri, 3 Jun 2011 12:38:18 +0000 (12:38 +0000)]
Constify RSA signature buffer.

Typo.
Dr. Stephen Henson [Thu, 2 Jun 2011 18:20:55 +0000 (18:20 +0000)]
Typo.

Remove FIPS RSA functions from crypto/rsa.
Dr. Stephen Henson [Thu, 2 Jun 2011 17:52:39 +0000 (17:52 +0000)]
Remove FIPS RSA functions from crypto/rsa.

Move FIPS RSA function definitions to fips.h
Dr. Stephen Henson [Thu, 2 Jun 2011 17:30:22 +0000 (17:30 +0000)]
Move FIPS RSA function definitions to fips.h

New function to lookup digests by NID in module.

Minor optimisation: if supplied hash is NULL to FIPS RSA functions and
we are using PKCS padding get digest NID from otherwise unused saltlen
parameter instead.

Simple automated certificate creation demo.
Dr. Stephen Henson [Wed, 1 Jun 2011 18:36:49 +0000 (18:36 +0000)]
Simple automated certificate creation demo.

Clone digest prototypes.
Dr. Stephen Henson [Wed, 1 Jun 2011 14:18:28 +0000 (14:18 +0000)]
Clone digest prototypes.

Add DSA and ECDSA "clone digests" to module for compatibility with old
Dr. Stephen Henson [Wed, 1 Jun 2011 14:07:32 +0000 (14:07 +0000)]
Add DSA and ECDSA "clone digests" to module for compatibility with old
applications.

typo
Dr. Stephen Henson [Wed, 1 Jun 2011 11:10:35 +0000 (11:10 +0000)]
typo

set FIPS permitted flag before initialising digest
Dr. Stephen Henson [Tue, 31 May 2011 16:24:19 +0000 (16:24 +0000)]
set FIPS permitted flag before initialising digest

Fake CPU caps so fips_standalone_sha1 compiles.
Dr. Stephen Henson [Tue, 31 May 2011 16:22:21 +0000 (16:22 +0000)]
Fake CPU caps so fips_standalone_sha1 compiles.

Initialise update function for bad digest inits.

Don't round up partitioned premaster secret length if there is only one
Dr. Stephen Henson [Tue, 31 May 2011 10:34:43 +0000 (10:34 +0000)]
Don't round up partitioned premaster secret length if there is only one
digest in use: this caused the PRF to fail for an odd premaster secret
length.

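The rounding rule this commit is about, shown as an added example that is not OpenSSL's code: the TLS 1.0/1.1 PRF of RFC 2246 splits the secret into two halves of ceil(len/2) bytes each, overlapping by one byte when the length is odd, and XORs P_MD5 keyed with the first half against P_SHA1 keyed with the second; the TLS 1.2 PRF of RFC 5246 keys a single P_hash with the whole secret, so the rounded-up half length must never be applied on that path. The function names (`split_secret`, `tls10_prf`, `tls12_prf`, `tls_prf`) are this example's own, and the secret and seed bytes in the tests are constructed.

```python
"""TLS PRF secret splitting: RFC 2246 section 5 (TLS 1.0/1.1) versus
RFC 5246 section 5 (TLS 1.2). Added example, not OpenSSL code."""
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1)); output truncated to length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def split_secret(secret):
    """RFC 2246: S1 and S2 each have ceil(len(S)/2) bytes. For an odd-length
    secret the last byte of S1 is therefore also the first byte of S2."""
    half = (len(secret) + 1) // 2          # round up
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret, label, seed, length):
    """Two digests in use: the rounded-up half length is correct here."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """One digest in use: the whole secret is the HMAC key. Sizing the key as
    a rounded-up half here would silently use the wrong key material for any
    odd-length premaster secret, which is the failure the commit describes."""
    return p_hash(hash_name, secret, label + seed, length)


def tls_prf(version, secret, label, seed, length):
    """Dispatch on the (major, minor) record version: (3, 3) is TLS 1.2."""
    if version >= (3, 3):
        return tls12_prf(secret, label, seed, length)
    return tls10_prf(secret, label, seed, length)


if __name__ == "__main__":
    # Constructed 47-byte (odd-length) premaster secret exercises the overlap.
    pms = bytes(range(47))
    print(tls_prf((3, 1), pms, b"master secret", b"clientrandomserverrandom", 48).hex())
    print(tls_prf((3, 3), pms, b"master secret", b"clientrandomserverrandom", 48).hex())
```

`split_secret` is the only place rounding belongs; `tls12_prf` never calls it, so an odd-length secret is used in full on the single-digest path and overlapped by one byte on the two-digest path, exactly as the two RFCs specify.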
Output supported curves in preference order instead of numerically.
Dr. Stephen Henson [Mon, 30 May 2011 17:58:13 +0000 (17:58 +0000)]
Output supported curves in preference order instead of numerically.

e_aes.c: fix typo.
Andy Polyakov [Mon, 30 May 2011 10:13:42 +0000 (10:13 +0000)]
e_aes.c: fix typo.

e_aes.c: fix aes_cfb1_cipher.
Andy Polyakov [Mon, 30 May 2011 10:10:05 +0000 (10:10 +0000)]
e_aes.c: fix aes_cfb1_cipher.

e_aes.c: integrate AESNI directly into EVP.
Andy Polyakov [Mon, 30 May 2011 09:16:01 +0000 (09:16 +0000)]
e_aes.c: integrate AESNI directly into EVP.

aesni-x86[_64].pl: relax alignment requirement.
Andy Polyakov [Mon, 30 May 2011 09:15:16 +0000 (09:15 +0000)]
aesni-x86[_64].pl: relax alignment requirement.

Add more cipher prototypes.
Dr. Stephen Henson [Sun, 29 May 2011 16:16:55 +0000 (16:16 +0000)]
Add more cipher prototypes.

Prototypes for more FIPS functions for use in FIPS capable OpenSSL.
Dr. Stephen Henson [Sun, 29 May 2011 15:56:23 +0000 (15:56 +0000)]
Prototypes for more FIPS functions for use in FIPS capable OpenSSL.

Various mingw64 fixes.
Andy Polyakov [Sun, 29 May 2011 13:51:14 +0000 (13:51 +0000)]
Various mingw64 fixes.

sha1-586|x86_64.pl: minor portability fix.
Andy Polyakov [Sun, 29 May 2011 13:48:57 +0000 (13:48 +0000)]
sha1-586|x86_64.pl: minor portability fix.

x86cpuid.pl: last commit broke platforms with perl with 64-bit integer.
Andy Polyakov [Sun, 29 May 2011 12:50:02 +0000 (12:50 +0000)]
x86cpuid.pl: last commit broke platforms with perl with 64-bit integer.

sha1-586|x86_64.pl: add SSSE3 and AVX code paths.
Andy Polyakov [Sun, 29 May 2011 12:39:48 +0000 (12:39 +0000)]
sha1-586|x86_64.pl: add SSSE3 and AVX code paths.

Add FIPS_digestinit prototype for FIPS capable OpenSSL.
Dr. Stephen Henson [Sat, 28 May 2011 23:02:23 +0000 (23:02 +0000)]
Add FIPS_digestinit prototype for FIPS capable OpenSSL.

Add prototypes for FIPS EVP implementations: for use in FIPS capable
Dr. Stephen Henson [Sat, 28 May 2011 21:03:31 +0000 (21:03 +0000)]
Add prototypes for FIPS EVP implementations: for use in FIPS capable
OpenSSL.

aes-ppc.pl: handle unaligned data on page boundaries.
Andy Polyakov [Sat, 28 May 2011 09:41:36 +0000 (09:41 +0000)]
aes-ppc.pl: handle unaligned data on page boundaries.

Rename many internal only module functions from FIPS_* to fips_*.
Dr. Stephen Henson [Fri, 27 May 2011 21:11:54 +0000 (21:11 +0000)]
Rename many internal only module functions from FIPS_* to fips_*.

rc4-x86_64.pl: fix due credit.
Andy Polyakov [Fri, 27 May 2011 18:58:37 +0000 (18:58 +0000)]
rc4-x86_64.pl: fix due credit.

rc4-x86_64.pl: RC4_options fix-up.
Andy Polyakov [Fri, 27 May 2011 16:15:12 +0000 (16:15 +0000)]
rc4-x86_64.pl: RC4_options fix-up.

x86[_64]cpuid.pl: harmonize usage of reserved bits #20 and #30.
Andy Polyakov [Fri, 27 May 2011 15:32:43 +0000 (15:32 +0000)]
x86[_64]cpuid.pl: harmonize usage of reserved bits #20 and #30.

PPC assembler pack: adhere closer to ABI specs, add PowerOpen traceback data.
Andy Polyakov [Fri, 27 May 2011 13:32:34 +0000 (13:32 +0000)]
PPC assembler pack: adhere closer to ABI specs, add PowerOpen traceback data.

rc4-x86_64.pl: major optimization for contemporary Intel CPUs.
Andy Polyakov [Fri, 27 May 2011 09:51:09 +0000 (09:51 +0000)]
rc4-x86_64.pl: major optimization for contemporary Intel CPUs.

rc4-586.pl: optimize even further...
Andy Polyakov [Fri, 27 May 2011 09:46:19 +0000 (09:46 +0000)]
rc4-586.pl: optimize even further...

Typo.
Dr. Stephen Henson [Thu, 26 May 2011 22:01:49 +0000 (22:01 +0000)]
Typo.

Use FIPSLD_LIBCRYPTO for consistency with other env variables in fipsld.
Dr. Stephen Henson [Thu, 26 May 2011 21:20:14 +0000 (21:20 +0000)]
Use FIPSLD_LIBCRYPTO for consistency with other env variables in fipsld.
Use current directory for fips_premain_dso

In fipsld use FIPSLIBCRYPTO environment variable to specify an alternative
Dr. Stephen Henson [Thu, 26 May 2011 21:15:45 +0000 (21:15 +0000)]
In fipsld use FIPSLIBCRYPTO environment variable to specify an alternative
location for libcrypto.a, support shared library builds in different
source tree.

Install fips_standalone_sha1 and make use of it in fipsld script.
Dr. Stephen Henson [Thu, 26 May 2011 13:59:11 +0000 (13:59 +0000)]
Install fips_standalone_sha1 and make use of it in fipsld script.

x86_64cpuid.pl: get AVX masking right.
Andy Polyakov [Thu, 26 May 2011 13:16:26 +0000 (13:16 +0000)]
x86_64cpuid.pl: get AVX masking right.

Only install FIPS related files for fipscanisteronly build.
Dr. Stephen Henson [Thu, 26 May 2011 11:00:06 +0000 (11:00 +0000)]
Only install FIPS related files for fipscanisteronly build.

More symbol renaming.
Dr. Stephen Henson [Wed, 25 May 2011 16:01:37 +0000 (16:01 +0000)]
More symbol renaming.

Don't advertise or use MD5 for TLS v1.2 in FIPS mode
Dr. Stephen Henson [Wed, 25 May 2011 15:31:32 +0000 (15:31 +0000)]
Don't advertise or use MD5 for TLS v1.2 in FIPS mode

PR: 2533
Dr. Stephen Henson [Wed, 25 May 2011 15:20:49 +0000 (15:20 +0000)]
PR: 2533
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Setting SSL_MODE_RELEASE_BUFFERS should be ignored for DTLS, but instead causes
the program to crash. This is due to missing version checks and is fixed with
this patch.

PR: 2529
Dr. Stephen Henson [Wed, 25 May 2011 15:16:10 +0000 (15:16 +0000)]
PR: 2529
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Call ssl_new() to reallocate SSL BIO internals if we want to replace
the existing internal SSL structure.

PR: 2527
Dr. Stephen Henson [Wed, 25 May 2011 15:05:39 +0000 (15:05 +0000)]
PR: 2527
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Set cnf to NULL to avoid possible double free.

Fix the ECDSA timing attack mentioned in the paper at:
Dr. Stephen Henson [Wed, 25 May 2011 14:52:21 +0000 (14:52 +0000)]
Fix the ECDSA timing attack mentioned in the paper at:

http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.

Fix the ECDSA timing attack mentioned in the paper at:
Dr. Stephen Henson [Wed, 25 May 2011 14:41:56 +0000 (14:41 +0000)]
Fix the ECDSA timing attack mentioned in the paper at:

http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.

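What the two commits above change, as an added example that is not OpenSSL's code: the attack in the cited paper works because a scalar-multiplication loop runs once per bit of the ECDSA nonce k, so the signing time leaks k's bit length, and the partial nonce information feeds a lattice attack on the private key. The fix OpenSSL adopted computes k·G on the scalar k + n (or k + 2n when that is still too short), which always has one more bit than the group order n and yields the same point because n·G is the point at infinity. The toy curve below (y² = x³ + 2x + 2 over F₁₇, base point (5, 1) of order 19) and the function names `pad_nonce`, `scalar_mult` and `nonce_bit_lengths` are constructed for this illustration.

```python
"""Fixed-bit-length nonce for ECDSA scalar multiplication.
Added example, not OpenSSL code. Toy curve y^2 = x^3 + 2x + 2 over F_17."""
P = 17          # field prime (constructed toy parameters)
A, B = 2, 2     # curve coefficients
G = (5, 1)      # base point
N = 19          # prime order of G
INF = None      # point at infinity


def _inv(x):
    return pow(x, P - 2, P)


def point_add(p1, p2):
    """Affine addition/doubling on the toy curve, with the infinity cases."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 == -p1 (covers doubling a 2-torsion point)
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv((x2 - x1) % P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Left-to-right double-and-add. Returns (k*point, loop iterations).
    The iteration count equals k.bit_length(): that is what timing leaks."""
    result = INF
    iterations = 0
    for i in range(k.bit_length() - 1, -1, -1):
        result = point_add(result, result)
        if (k >> i) & 1:
            result = point_add(result, point)
        iterations += 1
    return result, iterations


def pad_nonce(k, order):
    """Add the group order once, and a second time if the result is not yet
    longer than the order, so every scalar has order.bit_length() + 1 bits.
    k*G is unchanged because order*G is the point at infinity."""
    k = k + order
    if k.bit_length() <= order.bit_length():
        k += order
    return k


def nonce_bit_lengths(order, padded):
    """Set of distinct iteration counts observed over every nonce 1..order-1."""
    counts = set()
    for k in range(1, order):
        scalar = pad_nonce(k, order) if padded else k
        _, iterations = scalar_mult(scalar, G)
        counts.add(iterations)
    return counts


if __name__ == "__main__":
    print("unpadded iteration counts:", sorted(nonce_bit_lengths(N, padded=False)))
    print("padded iteration counts:  ", sorted(nonce_bit_lengths(N, padded=True)))
```

Over the toy order, `nonce_bit_lengths` sees five different iteration counts without padding and exactly one with it, while every padded scalar still lands on the same point as the original nonce. On a real curve the padding is the same two bignum additions done before scalar multiplication; it removes the length leak only, so the multiplication routine itself must still do the same work per iteration regardless of the bit value.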
Some nextproto patches broke DTLS: fix
Dr. Stephen Henson [Wed, 25 May 2011 14:31:47 +0000 (14:31 +0000)]
Some nextproto patches broke DTLS: fix

Oops use up to date patch for PR#2506
Dr. Stephen Henson [Wed, 25 May 2011 14:30:20 +0000 (14:30 +0000)]
Oops use up to date patch for PR#2506

PR: 2512
Dr. Stephen Henson [Wed, 25 May 2011 12:37:07 +0000 (12:37 +0000)]
PR: 2512
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix BIO_accept so it can be bound to IPv4 or IPv6 sockets consistently.

PR: 2506
Dr. Stephen Henson [Wed, 25 May 2011 12:28:06 +0000 (12:28 +0000)]
PR: 2506
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fully implement SSL_clear for DTLS.

PR: 2505
Dr. Stephen Henson [Wed, 25 May 2011 12:25:01 +0000 (12:25 +0000)]
PR: 2505
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS session resumption timer bug.

use TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with...
Dr. Stephen Henson [Wed, 25 May 2011 11:43:07 +0000 (11:43 +0000)]
use TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with DTLS

e_padlock.c: fix typo.
Andy Polyakov [Wed, 25 May 2011 10:02:20 +0000 (10:02 +0000)]
e_padlock.c: fix typo.

rc4-586.pl: optimize unused code path.
Andy Polyakov [Wed, 25 May 2011 09:36:13 +0000 (09:36 +0000)]
rc4-586.pl: optimize unused code path.

e_padlock.c: last x86_64 commit didn't work with some optimizers.
Andy Polyakov [Tue, 24 May 2011 17:18:19 +0000 (17:18 +0000)]
e_padlock.c: last x86_64 commit didn't work with some optimizers.

rc4-586.pl: 50% improvement on Core2 and 80% on Westmere.
Andy Polyakov [Tue, 24 May 2011 13:07:29 +0000 (13:07 +0000)]
rc4-586.pl: 50% improvement on Core2 and 80% on Westmere.

PR: 2522
Dr. Stephen Henson [Mon, 23 May 2011 12:27:43 +0000 (12:27 +0000)]
PR: 2522
Submitted by: Henrik Grindal Bakken <henribak@cisco.com>

Don't compare past end of buffer.

sparcv9cap.c: addendum to recent EC optimizations.
Andy Polyakov [Mon, 23 May 2011 08:14:32 +0000 (08:14 +0000)]
sparcv9cap.c: addendum to recent EC optimizations.

aesni-x86[_64].pl: optimize for Sandy Bridge and add XTS mode.
Andy Polyakov [Sun, 22 May 2011 18:38:00 +0000 (18:38 +0000)]
aesni-x86[_64].pl: optimize for Sandy Bridge and add XTS mode.

x86_64-gf2m.pl: add Win64 SEH.
Andy Polyakov [Sun, 22 May 2011 18:29:11 +0000 (18:29 +0000)]
x86_64-gf2m.pl: add Win64 SEH.

ppccap.c: addendum to recent EC optimizations.
Andy Polyakov [Sat, 21 May 2011 10:17:02 +0000 (10:17 +0000)]
ppccap.c: addendum to recent EC optimizations.

ec_cvt.c: ARM comparison results were wrong, clarify the background.
Andy Polyakov [Sat, 21 May 2011 08:40:18 +0000 (08:40 +0000)]
ec_cvt.c: ARM comparison results were wrong, clarify the background.

ec_cvt.c: avoid EC_GFp_nist_method on platforms with bn_mul_mont [see
Andy Polyakov [Fri, 20 May 2011 20:31:37 +0000 (20:31 +0000)]
ec_cvt.c: avoid EC_GFp_nist_method on platforms with bn_mul_mont [see
commentary for details].

PR: 2295
Dr. Stephen Henson [Fri, 20 May 2011 14:56:29 +0000 (14:56 +0000)]
PR: 2295
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve

OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.

Add CHANGES entry: add FIPS support to ssl
Dr. Stephen Henson [Thu, 19 May 2011 18:10:25 +0000 (18:10 +0000)]
Add CHANGES entry: add FIPS support to ssl

Implement FIPS_mode and FIPS_mode_set
Dr. Stephen Henson [Thu, 19 May 2011 18:09:02 +0000 (18:09 +0000)]
Implement FIPS_mode and FIPS_mode_set

oops
Dr. Stephen Henson [Thu, 19 May 2011 17:55:15 +0000 (17:55 +0000)]
oops

update date
Dr. Stephen Henson [Thu, 19 May 2011 17:53:04 +0000 (17:53 +0000)]
update date

inherit HMAC flags from MD_CTX
Dr. Stephen Henson [Thu, 19 May 2011 17:38:25 +0000 (17:38 +0000)]
inherit HMAC flags from MD_CTX

set encodedPoint to NULL after freeing it
Dr. Stephen Henson [Thu, 19 May 2011 16:17:47 +0000 (16:17 +0000)]
set encodedPoint to NULL after freeing it

aesni-x86_64.pl: make it compile on MacOS X.
Andy Polyakov [Wed, 18 May 2011 17:05:24 +0000 (17:05 +0000)]
aesni-x86_64.pl: make it compile on MacOS X.

x86gas.pl: don't omit .comm OPENSSL_ia32cap_P on MacOS X.
Andy Polyakov [Wed, 18 May 2011 16:28:53 +0000 (16:28 +0000)]
x86gas.pl: don't omit .comm OPENSSL_ia32cap_P on MacOS X.

x86_64-xlate.pl: add inter-register movq and make x86_64-gfm.s compile on
Andy Polyakov [Wed, 18 May 2011 16:26:03 +0000 (16:26 +0000)]
x86_64-xlate.pl: add inter-register movq and make x86_64-gfm.s compile on
Solaris, MacOS X, elderly gas...

x86_64cpuid.pl: allow shared build to work without -Bsymbolic.
Andy Polyakov [Wed, 18 May 2011 16:24:19 +0000 (16:24 +0000)]
x86_64cpuid.pl: allow shared build to work without -Bsymbolic.
PR: 2466

e_padlock.c: make it compile on MacOS X.
Andy Polyakov [Wed, 18 May 2011 16:21:54 +0000 (16:21 +0000)]
e_padlock.c: make it compile on MacOS X.

x86[_64]cpuid.pl: handle new extensions.
Andy Polyakov [Mon, 16 May 2011 20:35:11 +0000 (20:35 +0000)]
x86[_64]cpuid.pl: handle new extensions.

ppc-xlate.pl: get linux64 declaration right.
Andy Polyakov [Mon, 16 May 2011 19:52:41 +0000 (19:52 +0000)]
ppc-xlate.pl: get linux64 declaration right.

cms-test.pl: make it work with not-so-latest perl.
Andy Polyakov [Mon, 16 May 2011 18:11:45 +0000 (18:11 +0000)]
cms-test.pl: make it work with not-so-latest perl.

x86gas.pl: add palignr and move pclmulqdq.
Andy Polyakov [Mon, 16 May 2011 18:07:00 +0000 (18:07 +0000)]
x86gas.pl: add palignr and move pclmulqdq.

x86_64 assembler pack: add x86_64-gf2m module.
Andy Polyakov [Mon, 16 May 2011 17:46:45 +0000 (17:46 +0000)]
x86_64 assembler pack: add x86_64-gf2m module.

x86_64-xlate.pl: allow "base-less" effective address, add palignr, move
Andy Polyakov [Mon, 16 May 2011 17:44:38 +0000 (17:44 +0000)]
x86_64-xlate.pl: allow "base-less" effective address, add palignr, move
pclmulqdq.

new flag to stop ENGINE methods being registered
Dr. Stephen Henson [Sun, 15 May 2011 15:56:49 +0000 (15:56 +0000)]
new flag to stop ENGINE methods being registered

NULL is a valid cspname
Dr. Stephen Henson [Sun, 15 May 2011 11:44:14 +0000 (11:44 +0000)]
NULL is a valid cspname

Typo.
Dr. Stephen Henson [Fri, 13 May 2011 12:43:41 +0000 (12:43 +0000)]
Typo.

typo
Dr. Stephen Henson [Fri, 13 May 2011 12:37:40 +0000 (12:37 +0000)]
typo

Recognise NO_NISTP224-64-GCC-128
Dr. Stephen Henson [Fri, 13 May 2011 12:35:05 +0000 (12:35 +0000)]
Recognise NO_NISTP224-64-GCC-128

Enter FIPS mode by calling FIPS_module_mode_set in openssl.c until
Dr. Stephen Henson [Thu, 12 May 2011 17:59:47 +0000 (17:59 +0000)]
Enter FIPS mode by calling FIPS_module_mode_set in openssl.c until
FIPS_mode_set is implemented.