Loading FAQ +1 −1 Original line number Diff line number Diff line Loading @@ -82,7 +82,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. OpenSSL 1.0.0f was released on Jan 4th, 2012. OpenSSL 1.0.1 was released on Mar 14th, 2012. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: Loading NEWS +13 −0 Original line number Diff line number Diff line Loading @@ -5,6 +5,19 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1: o TLS/DTLS heartbeat support. o SCTP support. o RFC 5705 TLS key material exporter. o RFC 5764 DTLS-SRTP negotiation. o Next Protocol Negotiation. o PSS signatures in certificates, requests and CRLs. o Support for password based recipient info for CMS. o Support TLS v1.2 and TLS v1.1. o Preliminary FIPS capability for unvalidated 2.0 FIPS module. o SRP support. Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h: o Fix for CMS/PKCS#7 MMA CVE-2012-0884 Loading apps/s_client.c +15 −0 Original line number Diff line number Diff line Loading @@ -1209,6 +1209,21 @@ bad: #endif con=SSL_new(ctx); #if 0 { int curves[3]; int rv; curves[0] = EC_curve_nist2nid("P-256"); curves[1] = EC_curve_nist2nid("P-521"); curves[2] = EC_curve_nist2nid("P-384"); rv = SSL_set1_curvelist(con, curves, sizeof(curves)/sizeof(int)); if (rv == 0) { fprintf(stderr, "Error setting curve list\n"); exit(1); } } #endif if (sess_in) { SSL_SESSION *sess; Loading ssl/s3_lib.c +88 −0 Original line number Diff line number Diff line Loading @@ -3391,6 +3391,94 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (int)clistlen; } case SSL_CTRL_SET_CURVELIST: { int *nid_list = parg; size_t nid_listlen = larg, i; unsigned char *clist, *p; /* Bitmap of curves included to detect duplicates: only works * while curve ids < 32 */ unsigned long dup_list = 0; clist = OPENSSL_malloc(nid_listlen * 2); for (i = 0, p = clist; i < nid_listlen; i++) { unsigned long idmask; int id; id = tls1_ec_nid2curve_id(nid_list[i]); idmask = 1L << id; if (!id || (dup_list & idmask)) { OPENSSL_free(clist); return 0; } dup_list |= idmask; s2n(id, p); } if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist); s->tlsext_ellipticcurvelist = clist; s->tlsext_ellipticcurvelist_length = nid_listlen * 2; return 1; } case SSL_CTRL_SHARED_CURVES: { unsigned long mask = 0; unsigned char *pmask, *pref; size_t pmasklen, preflen, i; int nmatch = 0; /* Must be server */ if (!s->server) return 0; /* No curves if client didn't sent supported curves extension */ if (!s->session->tlsext_ellipticcurvelist) return 0; if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { pref = s->tlsext_ellipticcurvelist; preflen = s->tlsext_ellipticcurvelist_length; pmask = s->session->tlsext_ellipticcurvelist; pmasklen = s->session->tlsext_ellipticcurvelist_length; } else { pref = s->session->tlsext_ellipticcurvelist; preflen = s->session->tlsext_ellipticcurvelist_length; pmask = s->tlsext_ellipticcurvelist; pmasklen = s->tlsext_ellipticcurvelist_length; } /* Build a mask of supported curves */ for (i = 0; i < pmasklen; i+=2, pmask+=2) { /* Skip any curves that wont fit in mask */ if (pmask[0] || (pmask[1] > 31)) continue; mask |= 1L << pmask[1]; } /* Check preference order against mask */ for (i = 0; i < preflen; i+=2, pref+=2) { if (pref[0] || (pref[1] > 30)) continue; /* Search for matching curves in preference order */ if (mask & (1L << pref[1])) { int id = tls1_ec_curve_id2nid(pref[1]); if (id && parg && nmatch == larg) { *((int *)parg) = id; return 1; } nmatch++; } } if (parg) return 0; return nmatch; } default: break; } Loading ssl/ssl.h +4 −0 Original line number Diff line number Diff line Loading @@ -1619,6 +1619,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_CHAIN_CERT 89 #define SSL_CTRL_GET_CURVELIST 90 #define SSL_CTRL_SET_CURVELIST 91 #define SSL_CTRL_SHARED_CURVES 92 #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) Loading Loading @@ -1680,6 +1682,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509) #define SSL_get1_curvelist(ctx, s) \ SSL_ctrl(ctx,SSL_CTRL_GET_CURVELIST,0,(char *)s) #define SSL_set1_curvelist(ctx, clist, clistlen) \ SSL_ctrl(ctx,SSL_CTRL_SET_CURVELIST,clistlen,(char *)clist) #ifndef OPENSSL_NO_BIO Loading Loading
FAQ +1 −1 Original line number Diff line number Diff line Loading @@ -82,7 +82,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. OpenSSL 1.0.0f was released on Jan 4th, 2012. OpenSSL 1.0.1 was released on Mar 14th, 2012. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: Loading
NEWS +13 −0 Original line number Diff line number Diff line Loading @@ -5,6 +5,19 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1: o TLS/DTLS heartbeat support. o SCTP support. o RFC 5705 TLS key material exporter. o RFC 5764 DTLS-SRTP negotiation. o Next Protocol Negotiation. o PSS signatures in certificates, requests and CRLs. o Support for password based recipient info for CMS. o Support TLS v1.2 and TLS v1.1. o Preliminary FIPS capability for unvalidated 2.0 FIPS module. o SRP support. Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h: o Fix for CMS/PKCS#7 MMA CVE-2012-0884 Loading
apps/s_client.c +15 −0 Original line number Diff line number Diff line Loading @@ -1209,6 +1209,21 @@ bad: #endif con=SSL_new(ctx); #if 0 { int curves[3]; int rv; curves[0] = EC_curve_nist2nid("P-256"); curves[1] = EC_curve_nist2nid("P-521"); curves[2] = EC_curve_nist2nid("P-384"); rv = SSL_set1_curvelist(con, curves, sizeof(curves)/sizeof(int)); if (rv == 0) { fprintf(stderr, "Error setting curve list\n"); exit(1); } } #endif if (sess_in) { SSL_SESSION *sess; Loading
ssl/s3_lib.c +88 −0 Original line number Diff line number Diff line Loading @@ -3391,6 +3391,94 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (int)clistlen; } case SSL_CTRL_SET_CURVELIST: { int *nid_list = parg; size_t nid_listlen = larg, i; unsigned char *clist, *p; /* Bitmap of curves included to detect duplicates: only works * while curve ids < 32 */ unsigned long dup_list = 0; clist = OPENSSL_malloc(nid_listlen * 2); for (i = 0, p = clist; i < nid_listlen; i++) { unsigned long idmask; int id; id = tls1_ec_nid2curve_id(nid_list[i]); idmask = 1L << id; if (!id || (dup_list & idmask)) { OPENSSL_free(clist); return 0; } dup_list |= idmask; s2n(id, p); } if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist); s->tlsext_ellipticcurvelist = clist; s->tlsext_ellipticcurvelist_length = nid_listlen * 2; return 1; } case SSL_CTRL_SHARED_CURVES: { unsigned long mask = 0; unsigned char *pmask, *pref; size_t pmasklen, preflen, i; int nmatch = 0; /* Must be server */ if (!s->server) return 0; /* No curves if client didn't sent supported curves extension */ if (!s->session->tlsext_ellipticcurvelist) return 0; if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { pref = s->tlsext_ellipticcurvelist; preflen = s->tlsext_ellipticcurvelist_length; pmask = s->session->tlsext_ellipticcurvelist; pmasklen = s->session->tlsext_ellipticcurvelist_length; } else { pref = s->session->tlsext_ellipticcurvelist; preflen = s->session->tlsext_ellipticcurvelist_length; pmask = s->tlsext_ellipticcurvelist; pmasklen = s->tlsext_ellipticcurvelist_length; } /* Build a mask of supported curves */ for (i = 0; i < pmasklen; i+=2, pmask+=2) { /* Skip any curves that wont fit in mask */ if (pmask[0] || (pmask[1] > 31)) continue; mask |= 1L << pmask[1]; } /* Check preference order against mask */ for (i = 0; i < preflen; i+=2, pref+=2) { if (pref[0] || (pref[1] > 30)) continue; /* Search for matching curves in preference order */ if (mask & (1L << pref[1])) { int id = tls1_ec_curve_id2nid(pref[1]); if (id && parg && nmatch == larg) { *((int *)parg) = id; return 1; } nmatch++; } } if (parg) return 0; return nmatch; } default: break; } Loading
ssl/ssl.h +4 −0 Original line number Diff line number Diff line Loading @@ -1619,6 +1619,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_CHAIN_CERT 89 #define SSL_CTRL_GET_CURVELIST 90 #define SSL_CTRL_SET_CURVELIST 91 #define SSL_CTRL_SHARED_CURVES 92 #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) Loading Loading @@ -1680,6 +1682,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509) #define SSL_get1_curvelist(ctx, s) \ SSL_ctrl(ctx,SSL_CTRL_GET_CURVELIST,0,(char *)s) #define SSL_set1_curvelist(ctx, clist, clistlen) \ SSL_ctrl(ctx,SSL_CTRL_SET_CURVELIST,clistlen,(char *)clist) #ifndef OPENSSL_NO_BIO Loading
