Commit graph

629 commits

Author SHA1 Message Date
Andy Polyakov
08f7417a98 Eliminate dependency on UNICODE macro. 2005-06-27 21:14:15 +00:00
Richard Levitte
f840728f43 Do not undefine _XOPEN_SOURCE. This is currently experimental, and
will be firmed up as soon as it's been verified not to break anything.
2005-06-16 22:21:39 +00:00
Nils Larsch
e85e5ca5ec - let SSL_CTX_set_cipher_list and SSL_set_cipher_list return an
error if the cipher list is empty
- fix last commit in ssl_create_cipher_list
- clean up ssl_create_cipher_list
2005-06-10 20:00:39 +00:00
Nils Larsch
0eb8e0058c use "=" instead of "|=", fix typo 2005-06-08 22:24:27 +00:00
Nils Larsch
e32b08abc3 ssl_create_cipher_list should return an error if no cipher could be
collected (see SSL_CTX_set_cipher_list manpage). Fix handling of
"cipher1+cipher2" expressions in ssl_cipher_process_rulestr.

PR: 836 + 1005
2005-06-08 21:16:32 +00:00
Nils Larsch
0dfe532ea9 clear error queue on success and return NULL if cert could be read
PR: 1088
2005-06-01 08:36:38 +00:00
Richard Levitte
c3d03b70af We have some source with \r\n as line ends. DEC C informs about that,
and I really can't be bothered...
2005-05-29 12:13:05 +00:00
Richard Levitte
48a3f2818e When _XOPEN_SOURCE is defined, make sure it's defined to 500. Required in
http://www.opengroup.org/onlinepubs/007908799/xsh/compilation.html.

Notified by David Wolfe <dwolfe5272@yahoo.com>
2005-05-21 17:39:48 +00:00
Bodo Möller
c4d9c13a31 fix msg_callback() arguments for SSL 2.0 compatible client hello
(previous revision got this wrong)
2005-05-12 06:24:26 +00:00
Bodo Möller
00c1c6cb28 PR:Don't use the SSL 2.0 Client Hello format if SSL 2.0 is disabled
with the SSL_OP_NO_SSLv2 option.
2005-05-11 18:26:08 +00:00
Dr. Stephen Henson
765863f0bf Stop warnings. 2005-05-11 00:35:55 +00:00
Nils Larsch
fcec494072 use 'p' as conversion specifier for printf to avoid truncation of
pointers on 64 bit platforms. Patch supplied by Daniel Gryniewicz
via Mike Frysinger <vapier@gentoo.org>.

PR: 1064
2005-05-10 11:57:19 +00:00
Richard Levitte
7590f37fd7 Apparently, isascii() is an X/Open function, so to get it properly
declared, we need to define _XOPEN_SOURCE before including ctype.h.

Ported from HEAD.
2005-04-17 09:15:33 +00:00
Andy Polyakov
0174c56851 More cover-ups, removing OPENSSL_GLOBAL/EXTERNS. 2005-04-13 21:48:12 +00:00
Dr. Stephen Henson
342b7e0458 Rebuild error codes. 2005-04-12 13:47:58 +00:00
Dr. Stephen Henson
4ecd7d2b7e Ooops, shoudln't have deleted this line. 2005-04-12 11:34:21 +00:00
Dr. Stephen Henson
9d728b8d10 Not sure what this is doing here... 2005-04-11 22:22:51 +00:00
Richard Levitte
93aeac64ce Merge RFC3820 source into mainstream 0.9.7-stable. 2005-04-11 15:03:37 +00:00
Richard Levitte
9addd9b6fb Add emacs cache files to .cvsignore. 2005-04-11 14:18:14 +00:00
Dr. Stephen Henson
657129f748 Typo.. 2005-04-09 23:52:53 +00:00
Dr. Stephen Henson
c710c7b3a3 Make kerberos ciphersuites work with newer headers. 2005-04-09 23:32:37 +00:00
Nils Larsch
8298632d14 really clear the error queue here
PR: 860
2005-04-01 17:49:33 +00:00
Nils Larsch
62a25c6129 use SSL3_VERSION_MAJOR instead of SSL3_VERSION etc.
PR: 658
2005-04-01 17:33:39 +00:00
Dr. Stephen Henson
8c04994bfe Allow 'null' cipher and appropriate Kerberos ciphersuites in FIPS mode. 2005-03-27 03:36:14 +00:00
Ben Laurie
801fea5f11 Constification. 2005-03-23 08:21:30 +00:00
Dr. Stephen Henson
61823b6a74 Ensure (SSL_RANDOM_BYTES - 4) of pseudo random data is used for server and
client random values.
2005-03-22 14:10:32 +00:00
Dr. Stephen Henson
ecc3d2734d Only allow TLS is FIPS mode.
Remove old FIPS_allow_md5() calls.
2005-01-31 01:33:36 +00:00
Dr. Stephen Henson
d0edffc7da FIPS algorithm blocking.
Non FIPS algorithms are not normally allowed in FIPS mode.

Any attempt to use them via high level functions will return an error.

The low level non-FIPS algorithm functions cannot return errors so they
produce assertion failures. HMAC also has to give an assertion error because
it (erroneously) can't return an error either.

There are exceptions (such as MD5 in TLS and non cryptographic use of
algorithms) and applications can override the blocking and use non FIPS
algorithms anyway.

For low level functions the override is perfomed by prefixing the algorithm
initalization function with "private_" for example private_MD5_Init().

For high level functions an override is performed by setting a flag in
the context.
2005-01-26 20:00:40 +00:00
Richard Levitte
630b9d70fb Use EXIT() instead of exit(). 2005-01-11 18:25:28 +00:00
Richard Levitte
a2617f727d Don't use $(EXHEADER) directly in for loops, as most shells will break
if $(EXHEADER) is empty.

Notified by many, solution suggested by Carson Gaspar <carson@taltos.org>
2004-11-02 23:53:31 +00:00
Dr. Stephen Henson
ac4fb4a138 Fix race condition. 2004-10-25 11:15:49 +00:00
Richard Levitte
1033449613 make update 2004-08-10 09:09:08 +00:00
Richard Levitte
7f9c37457a To protect FIPS-related global variables, add locking mechanisms
around them.

NOTE: because two new locks are added, this adds potential binary
incompatibility with earlier versions in the 0.9.7 series.  However,
those locks will only ever be touched when FIPS_mode_set() is called
and after, thanks to a variable that's only changed from 0 to 1 once
(when FIPS_mode_set() is called).  So basically, as long as FIPS mode
hasn't been engaged explicitely by the calling application, the new
locks are treated as if they didn't exist at all, thus not becoming a
problem.  Applications that are built or rebuilt to use FIPS
functionality will need to be recompiled in any case, thus not being a
problem either.
2004-07-30 14:38:02 +00:00
Dr. Stephen Henson
0b948f3677 New cipher "strength" FIPS which specifies that a
cipher suite is FIPS compatible.

New cipherstring "FIPS" is all FIPS compatible ciphersuites except eNULL.

Only allow FIPS ciphersuites in FIPS mode.
2004-07-27 18:28:49 +00:00
Andy Polyakov
1ecb88b95a Add casts where casts due. It's "safe" to cast, because "wrong" casts
will either be optimized away or never performed. The trouble is that
compiler first parses code, then optimizes, not both at once...
2004-07-24 13:40:47 +00:00
Andy Polyakov
64c6865427 Proper WinCE support for listing files. "Backported" from HEAD. 2004-07-22 16:39:48 +00:00
Dr. Stephen Henson
bdb4a7e092 Fixes so alerts are sent properly in s3_pkt.c
PR: 851
2004-05-15 17:46:50 +00:00
Ben Laurie
0163602573 Check error returns. 2004-05-15 16:39:23 +00:00
Ben Laurie
3642f632d3 Pull FIPS back into stable. 2004-05-11 12:46:24 +00:00
Mark J. Cox
82d63d3028 Fix null-pointer assignment in do_change_cipher_spec() revealed
by using the Codenomicon TLS Test Tool (CAN-2004-0079)
Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
(CAN-2004-0112)
Ready for 0.9.7d build

Submitted by: Steven Henson
Reviewed by: Joe Orton
Approved by: Mark Cox
2004-03-17 12:01:19 +00:00
Dr. Stephen Henson
8e6a84e730 Avoid warnings. 2004-03-16 13:50:18 +00:00
Richard Levitte
381a693c39 make update 2004-01-29 10:23:54 +00:00
Lutz Jänicke
3fbbd1e1d7 unintptr_t and <inttypes.h> are not strictly portable with respect to
ANSI C 89.
Undo change to maintain compatibility.
2004-01-04 17:54:02 +00:00
Richard Levitte
d2c786db37 Avoid including cryptlib.h, it's not really needed.
Check if IDEA is being built or not.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 16:09:59 +00:00
Richard Levitte
cc056d6395 Use sh explicitely to run point.sh
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 15:00:24 +00:00
Richard Levitte
ec2a595627 Change 'exp' to something else, as 'exp' is predefined by GNU C. This
was already done in HEAD, but not in this branch (I wonder why...).
2003-12-27 14:24:20 +00:00
Lutz Jänicke
325829a9bc Restructure make targets to allow parallel make.
Submitted by: Witold Filipczyk <witekfl@poczta.gazeta.pl>

PR: #513
2003-12-03 16:29:16 +00:00
Richard Levitte
b64614adfe We're getting a clash with C++ because it has a type called 'list'.
Therefore, change all instances of the symbol 'list' to something else.

PR: 758
Submitted by: Frédéric Giudicelli <groups@newpki.org>
2003-11-29 10:25:42 +00:00
Richard Levitte
6a6a08cbea RSA_size() and DH_size() return the amount of bytes in a key, and we
compared it to the amount of bits required...
PR: 770
Submitted by: c zhang <czhang2005@hotmail.com>
2003-11-28 23:03:19 +00:00
Richard Levitte
c9d3957986 Check for errors from SSL_COMP_add_compression_method().
Notified by Andrew Marlow <AMARLOW1@bloomberg.net>
2003-10-02 10:41:50 +00:00