- Mar 28, 2014
-
-
Dr. Stephen Henson authored
Allow setting of security level in cipher string using the @SECLEVEL=N syntax.
-
Dr. Stephen Henson authored
Since ssltest needs to test low security ciphersuites and keys set security level to zero so they aren't rejected.
-
Dr. Stephen Henson authored
Add a debugging security callback option to s_client/s_server. This will print out each security parameter as it is accepted or rejected.
-
Dr. Stephen Henson authored
Security callback: selects which parameters are permitted including sensible defaults based on bits of security. The "parameters" which can be selected include: ciphersuites, curves, key sizes, certificate signature algorithms, supported signature algorithms, DH parameters, SSL/TLS version, session tickets and compression. In some cases prohibiting the use of a parameters will mean they are not advertised to the peer: for example cipher suites and ECC curves. In other cases it will abort the handshake: e.g DH parameters or the peer key size. Documentation to follow...
-
Dr. Stephen Henson authored
-
Dr. Stephen Henson authored
New function ssl_cipher_disabled. Check for disabled client ciphers using ssl_cipher_disabled. New function to return only supported ciphers. New option to ciphers utility to print only supported ciphers.
-
Dr. Stephen Henson authored
Add auto DH parameter support. This is roughly equivalent to the ECDH auto curve selection but for DH. An application can just call SSL_CTX_set_auto_dh(ctx, 1); and appropriate DH parameters will be used based on the size of the server key. Unlike ECDH there is no way a peer can indicate the range of DH parameters it supports. Some peers cannot handle DH keys larger that 1024 bits for example. In this case if you call: SSL_CTX_set_auto_dh(ctx, 2); Only 1024 bit DH parameters will be used. If the server key is 7680 bits or more in size then 8192 bit DH parameters will be used: these will be *very* slow. The old export ciphersuites aren't supported but those are very insecure anyway.
-
Dr. Stephen Henson authored
Add functions to return the "bits of security" for various public key algorithms. Based on SP800-57.
-
- Mar 27, 2014
-
-
Dr. Stephen Henson authored
(cherry picked from commit bc5ec653ba65fedb1619c8182088497de8a97a70)
-
Dr. Stephen Henson authored
(cherry picked from commit 1f44dac2)
-
Dr. Stephen Henson authored
Don't clear verification errors from the error queue unless SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set. If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can issue warnings. (cherry picked from commit 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
-
- Mar 24, 2014
-
-
Emilia Kasper authored
-
- Mar 19, 2014
-
-
Dr. Stephen Henson authored
Some CMS SignedData structure use a signature algorithm OID such as SHA1WithRSA instead of the RSA algorithm OID. Workaround this case by tolerating the signature if we recognise the OID.
-
- Mar 18, 2014
-
-
Piotr Sikora authored
-
- Mar 12, 2014
-
-
Dr. Stephen Henson authored
Use a previously unused value as we will be updating multiple released branches. (cherry picked from commit 0737acd2a8cc688902b5151cab5dc6737b82fb96)
-
Dr. Stephen Henson authored
Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. (cherry picked from commit 2198be34) Conflicts: CHANGES
-
- Mar 10, 2014
-
-
Dr. Stephen Henson authored
-
Dr. Stephen Henson authored
-
- Mar 07, 2014
-
-
Dr. Stephen Henson authored
(cherry picked from commit 7a3e67f029969620966b8a627b8485d83692cca5)
-
Andy Polyakov authored
PR: 3275
-
Andy Polyakov authored
The problem is that OpenSSH calls EVP_Cipher, which is not as protective as EVP_CipherUpdate. Formally speaking we ought to do more checks in *_cipher methods, including rejecting lengths not divisible by block size (unless ciphertext stealing is in place). But for now I implement check for zero length in low-level based on precedent. PR: 3087, 2775
-
- Mar 06, 2014
-
-
Andy Polyakov authored
-
Andy Polyakov authored
Submitted by: Roumen Petrov
-
Andy Polyakov authored
Submitted by: Roumen Petrov
-
- Mar 03, 2014
-
-
Dr. Stephen Henson authored
(cherry picked from commit bdfc0e284c89dd5781259cc19aa264aded538492)
-
- Mar 01, 2014
-
-
Dr. Stephen Henson authored
Add option to set an alternative to the default hmacWithSHA1 PRF for PKCS#8 private key encryptions. This is used automatically by PKCS8_encrypt if the nid specified is a PRF. Add option to pkcs8 utility. Update docs. (cherry picked from commit b60272b0)
-
Dr. Stephen Henson authored
(cherry picked from commit 124d218889dfca33d277404612f1319afe04107e)
-
Dr. Stephen Henson authored
Although the memory allocated by compression methods is fixed and cannot grow over time it can cause warnings in some leak checking tools. The function SSL_COMP_free_compression_methods() will free and zero the list of supported compression methods. This should *only* be called in a single threaded context when an application is shutting down to avoid interfering with existing contexts attempting to look up compression methods. (cherry picked from commit 976c5830)
-
- Feb 28, 2014
-
-
Andy Polyakov authored
PR: 3271
-
- Feb 27, 2014
-
-
Andy Polyakov authored
-
Andy Polyakov authored
-
Andy Polyakov authored
-
Andy Polyakov authored
-
Andy Polyakov authored
-
- Feb 26, 2014
-
-
Rob Stradling authored
-
Dr. Stephen Henson authored
(cherry picked from commit 3eddd1706a30cdf3dc9278692d8ee9038eac8a0d)
-
Andy Polyakov authored
-
Andy Polyakov authored
-
Andy Polyakov authored
-
- Feb 25, 2014
-
-
Andy Polyakov authored
PR: 3201
-