Commit Graph

2048 Commits

Author SHA1 Message Date
Richard Levitte
6761890195 OpenSSL 1.1.1-pre5: update CHANGES with recent user visible changes
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5989)
2018-04-17 15:14:42 +02:00
Matt Caswell
fdb8113dae Document the change in the previous commit about loading the config file
When libssl is initialised it will attempt to load any config file. This
ensures any system_default configuration (as per
https://github.com/openssl/openssl/pull/4848) is used.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5818)
2018-04-05 15:30:12 +01:00
Bernd Edlinger
284f4f6b70 Don't use getenv for critical functions when run as setuid/setgid
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5856)
2018-04-04 14:45:49 +02:00
Matt Caswell
bcc6371443 Fix a text canonicalisation bug in CMS
Where a CMS detached signature is used with text content the text goes
through a canonicalisation process first prior to signing or verifying a
signature. This process strips trailing space at the end of lines, converts
line terminators to CRLF and removes additional trailing line terminators
at the end of a file. A bug in the canonicalisation process meant that
some characters, such as form-feed, were incorrectly treated as whitespace
and removed. This is contrary to the specification (RFC5485). This fix
could mean that detached text data signed with an earlier version of
OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
signed with a fixed OpenSSL may fail to verify with an earlier version of
OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
and use the "-binary" flag (for the "cms" command line application) or set
the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5790)
2018-04-03 15:52:31 +01:00
Matt Caswell
ba50543550 Fix CHANGES
Fix the last release version number in CHANGES

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5852)
2018-04-03 14:07:02 +01:00
Dr. Matthias St. Pierre
a73d990e2b Add documentation for the RAND_DRBG API
The RAND_DRBG API was added in PR #5462 and modified by PR #5547.
This commit adds the corresponding documention.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5461)
2018-03-30 00:10:38 +02:00
Matt Caswell
f6c024c2e7 Update CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-03-27 13:31:51 +01:00
Rich Salz
faec5c4a8a Remove QNX support
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5756)
2018-03-26 14:10:57 -04:00
Matt Caswell
3ec9e4ec46 Add a CHANGES entry to mention the replay protection capabilities
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5644)
2018-03-19 12:21:42 +00:00
Matt Caswell
2b527b9b32 Update CHANGES with details of TLSv1.3 ciphersuite configuration
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
2018-03-14 10:15:50 +00:00
Viktor Dukhovni
3e3c7c3646 Implement multi-process OCSP responder.
With "-multi" the OCSP responder forks multiple child processes,
and respawns them as needed.  This can be used as a long-running
service, not just a demo program.  Therefore the index file is
automatically re-read when changed.  The responder also now optionally
times out client requests.

Reviewed-by: Matt Caswell <matt@openssl.org>
2018-03-07 11:03:43 -05:00
Matt Caswell
c04c60217a Update CHANGES for X448/Ed448 support in libssl
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5470)
2018-03-05 11:39:44 +00:00
Rich Salz
3e8fcd3d1f Fix credit for SRP code
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5504)
2018-03-04 18:51:57 -05:00
Matt Caswell
21c03ee534 Update CHANGES for X448 and Ed448
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5481)
2018-03-02 10:14:31 +00:00
Richard Levitte
0764e41312 Add a note in CHANGES
[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Matt Caswell
d6d605e32a Update last release letter for CHANGES and NEWS
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-02-13 13:59:25 +00:00
Dr. Matthias St. Pierre
87411f0595 Fix whitespace issues in CHANGES and NEWS
Removed mixed tabs (converted tabs to eight spaces)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5344)
2018-02-13 09:14:00 +00:00
Dr. Matthias St. Pierre
53010ea150 Document new random generator in NEWS and CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5344)
2018-02-13 09:14:00 +00:00
Matt Caswell
034d55cd5c Some minor tweaks following TLSv1.3 becoming default
Fix a typo in INSTALL and update the link in CHANGES

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5329)
2018-02-12 14:56:45 +00:00
Matt Caswell
f518cef40c Enable TLSv1.3 by default
[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5266)
2018-02-07 21:34:18 +00:00
Richard Levitte
917a1b2e06 Document the use of configdata.pm as a script
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5185)
2018-01-29 21:56:48 +01:00
Richard Levitte
3c0c6b97e1 Add a note on Configure variable processing in NEWS and CHANGES
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5177)
2018-01-28 07:26:11 +01:00
Pauli
4bed94f0c1 SHA512/224 and SHA512/256
Support added for these two digests, available only via the EVP interface.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5093)
2018-01-24 07:09:46 +10:00
Richard Levitte
4b9e91b02b CHANGES: Document the removal of OS390-Unix
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5031)
2018-01-07 22:36:12 +01:00
Rich Salz
617b49db14 Remove remaining NETWARE ifdef's
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5028)
2018-01-07 09:51:54 -05:00
Daniel Bevenius
436ad81f05 Fix minor 'the the' typos
Similar to commit 17b602802114d53017ff7894319498934a580b17(
"Remove extra `the` in SSL_SESSION_set1_id.pod"), this commit removes
typos where additional 'the' have been added.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4999)
2018-01-02 15:30:22 +00:00
Richard Levitte
5f0e171a10 Note the removal of Makefile.shared in CHANGES
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)
2017-12-12 17:18:07 +01:00
Richard Levitte
1786733e51 Document the possibility for command line argument env assignments
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)
2017-12-08 00:36:21 +01:00
Matt Caswell
f47270e10b Update CHANGES and NEWS for new release
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-12-06 15:44:39 +00:00
Paul Yang
665d899fa6 Support multi-prime RSA (RFC 8017)
* Introduce RSA_generate_multi_prime_key to generate multi-prime
  RSA private key. As well as the following functions:
    RSA_get_multi_prime_extra_count
    RSA_get0_multi_prime_factors
    RSA_get0_multi_prime_crt_params
    RSA_set0_multi_prime_params
    RSA_get_version
* Support EVP operations for multi-prime RSA
* Support ASN.1 operations for multi-prime RSA
* Support multi-prime check in RSA_check_key_ex
* Support multi-prime RSA in apps/genrsa and apps/speed
* Support multi-prime RSA manipulation functions
* Test cases and documentation are added
* CHANGES is updated

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4241)
2017-11-21 14:38:42 +08:00
Josh Soref
46f4e1bec5 Many spelling fixes/typo's corrected.
Around 138 distinct errors found and fixed; thanks!

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3459)
2017-11-11 19:03:10 -05:00
Jack Lloyd
a0c3e4fa90 SM3: Add SM3 hash function
SM3 is a secure hash function which is part of the Chinese
"Commercial Cryptography" suite of algorithms which use is
required for certain commercial applications in China.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4616)
2017-11-06 07:21:11 +08:00
FdaSilvaYY
cf72c75792 Implement Maximum Fragment Length TLS extension.
Based on patch from Tomasz Moń:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/1008)
2017-11-05 17:46:48 +01:00
Matt Caswell
de8c19cddd Update CHANGES and NEWS for new release
Reviewed-by: Andy Polyakov <appro@openssl.org>
2017-11-02 12:01:15 +00:00
Ronald Tse
f19a5ff9ab SM4: Add SM4 block cipher to EVP
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4552)
2017-10-31 15:19:14 +10:00
Ronald Tse
7f111b8b2a CHANGES: remove empty whitespaces
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4581)
2017-10-26 07:54:02 +10:00
Rich Salz
fa4dd546c5 Rewrite some code
Rewrite the -req-nodes flag from CA.pl (idea from Andy)
Rewrite ERR_string_error_n

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4478)
2017-10-07 11:26:35 -04:00
Jon Spillett
bc32673869 Implement Aria GCM/CCM Modes and TLS cipher suites
AEAD cipher mode implementation is based on that used for AES:

  https://tools.ietf.org/html/rfc5116

TLS GCM cipher suites as specified in:

  https://tools.ietf.org/html/rfc6209

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4287)
2017-08-30 12:33:53 +02:00
Rich Salz
b2db9c18b2 MSC_VER <= 1200 isn't supported; remove dead code
VisualStudio 6 and earlier aren't supported.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4263)
2017-08-27 11:35:39 -04:00
Richard Levitte
e1a4ff7678 Add ERR_clear_last_mark()
This allows callers to set a mark, and then clear it without removing
the errors.  Useful in case an error is encountered that should be
returned up the call stack.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4094)
2017-08-15 14:26:12 +02:00
Rich Salz
a35f607c9f Make RAND_DRBG fork-safe
Use atfork to count child forks, and reseed DRBG when the counts don't
match.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4101)
2017-08-07 08:30:28 -04:00
Andy Polyakov
e4adad92b3 Wire SHA3 EVPs and add tests.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3943)
2017-07-25 21:40:30 +02:00
Richard Levitte
48feaceb53 Remove the possibility to disable the UI module entirely
Instead, make it possible to disable the console reader that's part of
the UI module.  This makes it possible to use the UI API and other UI
methods in environments where the console reader isn't useful.

To disable the console reader, configure with 'no-ui-console' /
'disable-ui-console'.

'no-ui' / 'disable-ui' is now an alias for  'no-ui-console' /
'disable-ui-console'.

Fixes #3806

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3820)
2017-07-03 07:51:04 +02:00
Richard Levitte
f95c439804 STORE: Add an entry in NEWS and CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3542)
2017-06-29 11:55:33 +02:00
Richard Levitte
e041f3b8ba Document the added devcrypto engine in CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3744)
2017-06-28 12:54:33 +02:00
Richard Levitte
4b2799c13c util/mkerr.pl: allow module names prefixed with OSSL_ or OPENSSL_
To make sure that our symbols don't clash with other libraries, we
claim the namespaces OSSL and OPENSSL.  Because C doesn't provide
namespaces, the only solution is to have them as prefixes on symbols,
thus we allow OSSL_ and OPENSSL_ as prefixes.

These namespace prefixes are optional for the foreseeable future, and
will only be used for new modules as needed on a case by case basis,
until further notice.

For extra safety, there's an added requirement that module names -
apart from the namespace prefix - be at least 2 characters long.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3781)
2017-06-27 14:49:06 +02:00
Rich Salz
f39a5501ce Remove bsd_cryptodev engine
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3699)
2017-06-19 09:31:45 -04:00
Richard Levitte
9b03b91b84 Add the target 'build_all_generated'
This new target is used to build all generated files and only that.
This can be used to prepare everything that requires things like perl
for a system that lacks perl and then move everything to that system
and do the rest of the build there.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3695)
2017-06-16 03:48:55 +02:00
Tomas Mraz
1c7aa0dbf1 Ignore -named_curve auto value to improve backwards compatibility
Fixes #3490

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3518)
2017-06-08 21:28:36 +01:00
Rich Salz
01dfaa08b1 Add text pointing to full change list.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3606)
2017-06-02 10:30:44 -04:00