- Dec 18, 2013
Andy Polyakov authored
SHA512_Transform was initially added rather as tribute to tradition than for practical reasons. But use was recently found in ssl/s3_cbc.c and it turned out to be problematic on platforms that don't tolerate misaligned references to memory and lack assembly subroutine. (cherry picked from commit cdd1acd7)
Dr. Stephen Henson authored
Partial mitigation of PR#3200
- Dec 10, 2013
Dr. Stephen Henson authored
We need to lock when *not* in FIPS mode. (cherry picked from commit 57c4e42d)
Dr. Stephen Henson authored
- Dec 09, 2013
Dr. Stephen Henson authored
- Dec 08, 2013
Dr. Stephen Henson authored
Dr. Stephen Henson authored
PR: 3176. In FIPS mode ssleay_rand_bytes is only used for PRNG seeding and is performed in either a single threaded context (when the PRNG is first initialised) or under a lock (reseeding). To avoid multiple locks disable use of CRYPTO_LOCK_RAND in FIPS mode in ssleay_rand_bytes. (cherry picked from commit 53142f72c9b9c9bad2f39ca6200a4f04f5c8001c)
- Dec 03, 2013
Andy Polyakov authored
PR: 3189 Submitted by: Oscar Ciurana (cherry picked from commit c5d5f5bd)
- Nov 27, 2013
Dr. Stephen Henson authored
- Nov 12, 2013
Andy Polyakov authored
PR: 3165 Submitted by: Daniel Richard G. (cherry picked from commit 2df9ec01) (cherry picked from commit 0de70011)
Andy Polyakov authored
PR: 3165 (cherry picked from commit 220d1e53)
Andy Polyakov authored
PR: 3165 (cherry picked from commit d1cf23ac)
- Nov 11, 2013
Dr. Stephen Henson authored
(cherry picked from commit 16bc45ba)
Dr. Stephen Henson authored
(cherry picked from commit 5c50462e)
- Nov 10, 2013
Andy Polyakov authored
(cherry picked from commit 60adefa6)
- Nov 09, 2013
Dr. Stephen Henson authored
(cherry picked from commit 01be36ef70525e81fc358d2e559bdd0a0d9427a5)
Dr. Stephen Henson authored
(cherry picked from commit 7040d73d22987532faa503630d6616cf2788c975)
- Nov 08, 2013
Andy Polyakov authored
Original definition depended on __LONG_MAX__ that is not guaranteed to be present. As we don't support platforms with int narrower than 32 bits it's appropriate to make definition unconditional. PR: 3165 (cherry picked from commit 96180cac)
Andy Polyakov authored
PR: 3165 (cherry picked from commit d24d1d7d)
- Nov 06, 2013
Dr. Stephen Henson authored
Enable PSK ciphersuites with AES or DES3 in FIPS mode. (cherry picked from commit e0ffd129)
Dr. Stephen Henson authored
(cherry picked from commit a4947e4e)
- Nov 03, 2013
Ben Laurie authored
<christian@python.org>.
- Nov 01, 2013
Robin Seggelmann authored
PR: 2808 With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and FORWARD-TSN chunks. The key for this extension is derived from the master secret and changed with the next ChangeCipherSpec, whenever a new key has been negotiated. The following Finished then already uses the new key. Unfortunately, the ChangeCipherSpec and Finished are part of the same flight as the ClientKeyExchange, which is necessary for the computation of the new secret. Hence, these messages are sent immediately following each other, leaving the server very little time to compute the new secret and pass it to SCTP before the Finished arrives. So the Finished is likely to be discarded by SCTP and a retransmission becomes necessary. To prevent this issue, the Finished of the client is still sent with the old key. (cherry picked from commit 9fb523ad) (cherry picked from commit b9ef52b0)
Robin Seggelmann authored
PR: 2809 DTLS/SCTP requires DATA and FORWARD-TSN chunks to be protected with SCTP-AUTH. It is checked if this has been activated successfully for the local and remote peer. Due to a bug, however, the gauth_number_of_chunks field of the authchunks struct is missing on FreeBSD, and was therefore not considered in the OpenSSL implementation. This patch sets the corresponding pointer for the check correctly whether or not this bug is present. (cherry picked from commit f596e3c4) (cherry picked from commit b8140811)
- Oct 20, 2013
Nick Mathewson authored
Dr. Stephen Henson authored
Since the TLS 1.2 supported signature algorithms extension is less sophisticated in OpenSSL 1.0.1 this has to be done in two stages. RSA+MD5 is removed from supported signature algorithms extension: any compliant implementation should never use RSA+MD5 as a result. To cover the case of a broken implementation using RSA+MD5 anyway disable lookup of MD5 algorithm in TLS 1.2.
- Oct 19, 2013
Ben Laurie authored
Ben Laurie authored
- Oct 13, 2013
Andy Polyakov authored
Latest MIPS ISA specification declared 'branch likely' instructions obsolete. To make code future-proof replace them with equivalents. (cherry picked from commit 0c2adb0a)
- Oct 12, 2013
Andy Polyakov authored
Performance improvement and Windows-specific bugfix (PR#3139). (cherry picked from commit 9ed6fba2)
- Oct 09, 2013
Nick Mathewson authored
(I'd rather use an option, but it appears that the options field is full.) Now, we send the time in the gmt_unix_time field if the appropriate one of these mode options is set, but randomize the field if the flag is not set.
Nick Mathewson authored
I'll be using this to make an option for randomizing the time.
- Oct 03, 2013
Andy Polyakov authored
Submitted by: Yuriy Kaminskiy (cherry picked from commit 524b00c0) Resolved conflicts: crypto/evp/e_des3.c
- Oct 01, 2013
Ben Laurie authored
- Sep 30, 2013
Dr. Stephen Henson authored
(cherry picked from commit 415ece73)
- Sep 22, 2013
Dr. Stephen Henson authored
Return an error if an attempt is made to enable the Dual EC DRBG: it is not used by default.
Dr. Stephen Henson authored
- Sep 16, 2013
Nick Mathewson authored
Instead, send random bytes.
Nick Mathewson authored
Instead, send random bytes. While the gmt_unix_time record was added in an ostensible attempt to mitigate the dangers of a bad RNG, its presence leaks the host's view of the current time in the clear. This minor leak can help fingerprint TLS instances across networks and protocols... and what's worse, it's doubtful that the gmt_unix_time record does any good at all for its intended purpose, since:
* It's quite possible to open two TLS connections in one second.
* If the PRNG output is prone to repeat itself, ephemeral handshakes (and who knows what else besides) are broken.