root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity
10,893 Commits 32 Branches 398 Tags 545 MiB
Commit Graph

10893 Commits

Author SHA1 Message Date
Ben Laurie 03c1d9f99d Build on FreeBSD with gcc 4.6. 2012-05-30 09:34:44 +00:00
Andy Polyakov f889bb0384 sha256-586.pl: full unroll to deliver additional ~16%, add Sandy Bridge- 
specific code path.
 2012-05-28 17:50:57 +00:00
Andy Polyakov 83698d3191 sha512-x86_64.pl: >5% better performance. 2012-05-28 17:47:15 +00:00
Andy Polyakov 6a40ebe86b aesni-x86_64.pl: make it possibel to use in Linux kernel. 2012-05-24 07:39:44 +00:00
Andy Polyakov d4bb6bddf8 sha256-586.pl: tune away regression on Nehalem core and incidentally 
improve performance on Atom and P4.
 2012-05-24 07:39:04 +00:00
Andy Polyakov ee9bf3eb6c sha256-586.pl optimization. 2012-05-19 10:10:30 +00:00
Andy Polyakov 41409651be s2_clnt.c: compensate for compiler bug. 2012-05-16 12:47:36 +00:00
Andy Polyakov fd05495748 ppccap.c: assume no features under 32-bit AIX kernel. 
PR: 2810
 2012-05-16 12:42:32 +00:00
Dr. Stephen Henson 4242a090c7 PR: 2813 
Reported by: Constantine Sapuntzakis <csapuntz@gmail.com>

Fix possible deadlock when decoding public keys.
 2012-05-11 13:53:37 +00:00
Dr. Stephen Henson c3b1303387 PR: 2811 
Reported by: Phil Pennock <openssl-dev@spodhuis.org>

Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
version client hello workaround if renegotiating.
 2012-05-11 13:34:29 +00:00
Ben Laurie 5762f7778d Fix warning. 2012-05-10 20:29:00 +00:00
Ben Laurie 7a412ded50 Padlock doesn't build. I don't even know what it is. 2012-05-10 20:28:02 +00:00
Dr. Stephen Henson efb19e1330 PR: 2806 
Submitted by: PK <runningdoglackey@yahoo.com>

Correct ciphersuite signature algorithm definitions.
 2012-05-10 18:25:39 +00:00
Dr. Stephen Henson c46ecc3a55 Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and 
DTLS to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
 2012-05-10 16:03:52 +00:00
Dr. Stephen Henson 7388b43cae update FAQ 2012-05-10 15:37:16 +00:00
Dr. Stephen Henson 225055c30b Reported by: Solar Designer of Openwall 
Make sure tkeylen is initialised properly when encrypting CMS messages.
 2012-05-10 13:46:09 +00:00
Richard Levitte e0311481b8 Correct environment variable is OPENSSL_ALLOW_PROXY_CERTS. 2012-05-04 10:43:15 +00:00
Andy Polyakov f9c5e5d92e perlasm: fix symptom-less bugs, missing semicolons and 'my' declarations. 2012-04-28 10:36:58 +00:00
Andy Polyakov 9474483ab7 ppccpuid.pl: branch hints in OPENSSL_cleanse impact small block performance 
of digest algorithms, mosty SHA, on Power7. Mystery of century, why SHA,
why slower algorithm are affected more...
PR: 2794
Submitted by: Ashley Lai
 2012-04-27 20:17:45 +00:00
Dr. Stephen Henson a708609945 Don't try to use unvalidated composite ciphers in FIPS mode 2012-04-26 18:55:01 +00:00
Dr. Stephen Henson a9e6c091d5 update NEWS 2012-04-26 11:13:30 +00:00
Dr. Stephen Henson df5705442c update FAQ 2012-04-26 11:10:24 +00:00
Andy Polyakov a2b21191d9 CHANGES: clarify. 2012-04-26 07:33:26 +00:00
Andy Polyakov 396f8b71ac CHANGES: fix typos and clarify. 2012-04-26 07:20:06 +00:00
Dr. Stephen Henson 43d5b4ff31 Change value of SSL_OP_NO_TLSv1_1 to avoid clash with SSL_OP_ALL and 
OpenSSL 1.0.0. Add CHANGES entry noting the consequences.
 2012-04-25 23:04:42 +00:00
Andy Polyakov f2ad35821c s23_clnt.c: ensure interoperability by maitaining client "version capability" 
vector contiguous.
PR: 2802
 2012-04-25 22:06:32 +00:00
Dr. Stephen Henson 09e4e4b98e Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr> 
Reviewed by: steve
Improved localisation of TLS extension handling and code tidy.
 2012-04-24 12:22:23 +00:00
Dr. Stephen Henson ce33b42bc6 oops, not yet ;-) 2012-04-23 21:58:29 +00:00
Dr. Stephen Henson 579d553464 update NEWS 2012-04-23 21:56:33 +00:00
Andy Polyakov 71fa3bc5ec objxref.pl: improve portability. 2012-04-22 21:18:30 +00:00
Dr. Stephen Henson e2f53b675a correct error code 2012-04-22 13:31:09 +00:00
Dr. Stephen Henson 797c61aa2d check correctness of errors before updating them so we don't get bogus errors added 2012-04-22 13:25:51 +00:00
Dr. Stephen Henson 597dab0fa8 correct old FAQ answers 2012-04-22 13:20:28 +00:00
Dr. Stephen Henson b36bab7812 PR: 2239 
Submitted by: Dominik Oepen <oepen@informatik.hu-berlin.de>

Add Brainpool curves from RFC5639.

Original patch by Annie Yousar <a.yousar@informatik.hu-berlin.de>
 2012-04-22 13:06:51 +00:00
Andy Polyakov 8ea92ddd13 e_rc4_hmac_md5.c: last commit was inappropriate for non-x86[_64] platforms. 
PR: 2792
 2012-04-19 20:38:05 +00:00
Dr. Stephen Henson d9a9d10f4f Check for potentially exploitable overflows in asn1_d2i_read_bio 
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.

Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
 2012-04-19 16:19:56 +00:00
Dr. Stephen Henson 0d2baadfb4 update FAQ 2012-04-19 12:33:23 +00:00
Andy Polyakov dce1cc2a59 Makefile.org: clear yet another environment variable. 
PR: 2793
 2012-04-19 06:39:40 +00:00
Dr. Stephen Henson b214184160 recognise X9.42 DH certificates on servers 2012-04-18 17:03:29 +00:00
Dr. Stephen Henson aa09c2c631 correct error codes 2012-04-18 15:36:12 +00:00
Andy Polyakov 6dd9b0fc43 e_rc4_hmac_md5.c: harmonize zero-length fragment handling with 
e_aes_cbc_hmac_sha1.c (mostly for aesthetic reasons).
 2012-04-18 14:55:39 +00:00
Andy Polyakov e36f6b9cfa e_rc4_hmac_md5.c: oops, can't use rc4_hmac_md5_cipher on legacy Intel CPUs. 
PR: 2792
 2012-04-18 14:50:28 +00:00
Andy Polyakov 3e181369dd C64x+ assembler pack. linux-c64xplus build is *not* tested nor can it be 
tested, because kernel is not in shape to handle it *yet*. The code is
committed mostly to stimulate the kernel development.
 2012-04-18 13:01:36 +00:00
Bodo Möller d3ddf0228e Disable SHA-2 ciphersuites in < TLS 1.2 connections. 
(TLS 1.2 clients could end up negotiating these with an OpenSSL server
with TLS 1.2 disabled, which is problematic.)

Submitted by: Adam Langley
 2012-04-17 15:23:03 +00:00
Dr. Stephen Henson 800e1cd969 Additional workaround for PR#2771 
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client
ciphersuites to this value. A value of 50 should be sufficient.

Document workarounds in CHANGES.
 2012-04-17 15:12:09 +00:00
Dr. Stephen Henson 293706e72c Partial workaround for PR#2771. 
Some servers hang when presented with a client hello record length exceeding
255 bytes but will work with longer client hellos if the TLS record version
in client hello does not exceed TLS v1.0. Unfortunately this doesn't fix all
cases...
 2012-04-17 13:21:19 +00:00
Andy Polyakov 4a1fbd13ee OPENSSL_NO_SOCK fixes. 
PR: 2791
Submitted by: Ben Noordhuis
 2012-04-16 17:42:36 +00:00
Andy Polyakov 9eba5614fe Minor compatibility fixes. 
PR: 2790
Submitted by: Alexei Khlebnikov
 2012-04-16 17:35:30 +00:00
Andy Polyakov 3b1fb1a022 s3_srvr.c: fix typo. 
PR: 2538
 2012-04-15 17:22:57 +00:00
Andy Polyakov fc90e42c86 e_aes_cbc_hmac_sha1.c: handle zero-length payload and engage empty frag 
countermeasure.

PR: 2778
 2012-04-15 14:14:22 +00:00