Ben Laurie
949fbf073a
Disable renegotiation.
2009-11-05 11:28:37 +00:00
Dr. Stephen Henson
2a8834cf89
Fix stateless session resumption so it can coexist with SNI
2009-10-30 13:28:07 +00:00
Dr. Stephen Henson
afff063a14
Add CHANGES entry.
2009-09-13 11:23:37 +00:00
Dr. Stephen Henson
d0969d24cf
Add new option --strict-warnings to Configure script. This is used to add
...
in devteam warnings into other configurations.
2009-09-09 16:30:49 +00:00
Dr. Stephen Henson
985b5ee735
PR: 2003
...
Make it possible to install OpenSSL in directories with name other
than "lib" for example "lib64". Based on patch from Jeremy Utley.
2009-08-10 14:37:51 +00:00
Dr. Stephen Henson
136b5dc7c7
Add missing CHANGES entry for OID 0x80 fix.
2009-08-09 15:40:03 +00:00
Dr. Stephen Henson
856f3005de
Document MD2 deprecation.
2009-07-13 11:53:53 +00:00
Dr. Stephen Henson
e7e7f5de4b
PR: 1960
...
Approved by: steve@openssl.org
Encode compression id in {i2d,d2i}_SSL_SESSION().
2009-06-30 22:20:46 +00:00
Dr. Stephen Henson
ab8fe43fa2
PR: 1942
...
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org
Replace ad-hoc chain builder with X509_verify_cert().
2009-06-28 16:23:05 +00:00
Dr. Stephen Henson
9aecc3e5ff
Update from 1.0.0-stable.
2009-06-26 11:34:22 +00:00
Dr. Stephen Henson
51ebaa9f82
Correct CHANGES entry.
2009-06-17 11:58:17 +00:00
Dr. Stephen Henson
efaa569c3b
PR: 1943
...
Submitted by: Guenter <lists@gknw.net>
Approved by: steve@openssl.org
Rename uni2asc and asc2uni on Netware to avoid a name clash.
2009-06-17 11:55:51 +00:00
Dr. Stephen Henson
1e53b797f6
Don't check self-signed signature in X509_verify_cert(), the check just
...
wastes processing time and doesn't add any security.
2009-06-15 14:52:38 +00:00
Mark J. Cox
0b8eca58b9
Update changelog to show fix for PR1679 as per Tomas Hoger's testing:
...
http://thread.gmane.org/gmane.comp.security.oss.general/1769/focus=1814
2009-06-02 09:20:52 +00:00
Mark J. Cox
a176be48a2
Add the corresponding CVE names to the CHANGES entry for 0.9.8 branch
2009-05-26 08:21:56 +00:00
Dr. Stephen Henson
f47bce27e3
Add CHANGES entries for security relate issues PR#1923, PR#1930 and PR#1931.
2009-05-18 17:34:16 +00:00
Dr. Stephen Henson
0d399f97dd
Submitted by: Darryl Miles <darryl-mailinglists@netbauds.net>
...
Approved by: steve@openssl.org
Handle non-blocking I/O properly in SSL_shutdown() call.
2009-04-07 16:28:30 +00:00
Dr. Stephen Henson
7a746ecf3e
Typo.
2009-03-25 22:22:42 +00:00
Dr. Stephen Henson
aca8bf43ce
Submitted by: Ilya O. <vrghost@gmail.com>
...
Approved by: steve@openssl.org
Add 2.5.4.* OIDs.
2009-03-25 19:01:03 +00:00
Dr. Stephen Henson
7de0df694f
Prepare for next version.
2009-03-25 13:02:49 +00:00
Dr. Stephen Henson
e10051ef3f
Prepare for 0.9.8k release.
2009-03-25 10:46:56 +00:00
Dr. Stephen Henson
c60dca1f95
PR: 1868
...
Submitted by: Paolo Ganci <Paolo.Ganci@AdNovum.CH>
Approved by: steve@openssl.org
Don't set fields to NULL when freeing them up in ASN1 code. On some platforms
with sizeof(long) < sizeof(char *) this can cause a crash.
2009-03-25 10:42:34 +00:00
Dr. Stephen Henson
188abf7e2a
Submitted by: Ivan Nestlerode <inestlerode@us.ibm.com>
...
Approved by: steve@openssl.org
Check return code properly in CMS_SignerInfo_verify_content().
2009-03-25 10:40:32 +00:00
Dr. Stephen Henson
f021b7cca6
Reject BMPStrings and UniversalStrings of invalid length. This prevents
...
a crash in ASN1_STRING_print_ex() which assumes they are valid.
2009-03-25 10:35:57 +00:00
Dr. Stephen Henson
37afdc953e
Don't force S/MIME signing purpose: allow it to be overridden by store
...
settings.
Don't set default values in X509_VERIFY_PARAM_new(): it stops parameters
being inherited properly.
2009-03-15 13:36:01 +00:00
Dr. Stephen Henson
044855e146
Permit nested ASN1 string encoding but with a maximum depth to avoid
...
stack overflow.
2009-03-14 18:33:25 +00:00
Dr. Stephen Henson
4fcf8d8b07
Submitted by: Jeremy Shapiro <jnshapir@us.ibm.com>
...
Reviewed by: steve@openssl.org
Improve efficientcy of mem_gets().
2009-03-07 16:58:43 +00:00
Bodo Möller
59689735a6
-hex option for openssl rand
...
PR: 1831
Submitted by: Damien Miller
2009-02-02 00:27:56 +00:00
Dr. Stephen Henson
73cb37295d
Update from HEAD.
2009-01-28 12:55:36 +00:00
Dr. Stephen Henson
1f35508ae6
Support NumericString for name components.
2009-01-28 12:35:10 +00:00
Ben Laurie
dc0cb7e74f
Make it possible to override CC.
2009-01-17 14:36:17 +00:00
Dr. Stephen Henson
367316c723
Oops, remove duplicate entry.
2009-01-07 23:45:19 +00:00
Dr. Stephen Henson
d34353cc91
Prepare for next version.
2009-01-07 23:38:34 +00:00
Dr. Stephen Henson
6287fa5396
Prepare for 0.9.8j release.
2009-01-07 10:50:54 +00:00
Dr. Stephen Henson
a00c3c4019
Properly check EVP_VerifyFinal() and similar return values
...
(CVE-2008-5077).
Submitted by: Ben Laurie, Bodo Moeller, Google Security Team
2009-01-07 10:48:23 +00:00
Ben Laurie
c153422388
Enable TLS Extensions by default.
2008-12-26 15:27:51 +00:00
Bodo Möller
505ed2b076
Implement Configure option pattern "experimental-foo"
...
(specifically, "experimental-jpake").
2008-12-02 01:21:06 +00:00
Dr. Stephen Henson
5a02ac6e5b
Revert OPENSSL_EXPERIMENTAL patch.
...
Change it so JPAKE uses the standard OPENSSL_NO_JPAKE instead.
2008-11-24 16:14:15 +00:00
Geoff Thorpe
bfc6482a7a
Allow the CHIL engine to load even if dynamic locks aren't registered.
...
Submitted by: Sander Temme
2008-11-19 14:08:06 +00:00
Dr. Stephen Henson
81dde5e8fe
Add support for experimental code, not compiled in by default and
...
with OPENSSL_EXPERIMENTAL_FOO around it. Make JPAKE experimental.
2008-11-12 16:54:35 +00:00
Dr. Stephen Henson
4e98f8863f
Oops...
2008-10-31 12:18:42 +00:00
Dr. Stephen Henson
582ef3dbdb
Fix from HEAD.
2008-10-31 12:09:18 +00:00
Ben Laurie
2124e869a8
Add JPAKE.
2008-10-26 18:42:05 +00:00
Ben Laurie
cdffc716c9
Set the comparison function in v3_addr_canonize().
2008-10-14 19:21:30 +00:00
Ben Laurie
5dffc13f55
Add XMPP STARTTLS support.
2008-10-14 19:09:47 +00:00
Bodo Möller
d875413a0b
Make sure that SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG can't
...
enable disabled ciphersuites.
2008-09-22 21:22:51 +00:00
Bodo Möller
4ea574fdf3
Now that we're changing the 0.9.8i CHANGES anyway, reorder them
...
according to the usual convention (reverse chronological order)
2008-09-15 20:34:13 +00:00
Dr. Stephen Henson
cf8115deb0
Add missing CHANGES entry.
2008-09-15 20:28:58 +00:00
Dr. Stephen Henson
6d3b70c8da
Prepare for next version...
2008-09-15 15:30:20 +00:00
Dr. Stephen Henson
0a4fda742b
Oops... use correct version number this time....
2008-09-15 14:26:34 +00:00
Dr. Stephen Henson
3745e57bf9
Prepare for next version....
2008-09-15 12:19:09 +00:00
Dr. Stephen Henson
b7e7aa00de
Begin release of OpenSSL 0.9.8i.
2008-09-15 10:28:13 +00:00
Bodo Möller
200d00c854
Fix SSL state transitions.
...
Submitted by: Nagendra Modadugu
2008-09-14 14:02:01 +00:00
Bodo Möller
669b912dea
Really get rid of unsafe double-checked locking.
...
Also, "CHANGES" clean-ups.
2008-09-14 13:51:49 +00:00
Bodo Möller
36a4a67b2b
Some precautions to avoid potential security-relevant problems.
2008-09-14 13:42:40 +00:00
Ben Laurie
b7c8b4fc95
Allow soft-loading engines.
2008-09-12 13:29:59 +00:00
Dr. Stephen Henson
dd6e90465d
Add support for Local Machine Keyset attribute in PKCS#12 files.
2008-06-26 23:26:52 +00:00
Bodo Möller
4afcee8b4b
avoid potential infinite loop in final reduction round of BN_GF2m_mod_arr()
...
Submitted by: Huang Ying
Reviewed by: Douglas Stebila
2008-06-23 20:46:28 +00:00
Dr. Stephen Henson
1f3206216b
Add acknowledgement.
2008-06-09 16:50:48 +00:00
Dr. Stephen Henson
1a12ce8ea5
Update CHANGES.
2008-06-05 15:32:05 +00:00
Mark J. Cox
3f79793b7e
After tagging, bump ready for 0.9.8i development
2008-05-28 07:47:50 +00:00
Mark J. Cox
0d01d8a735
Prepare for 0.9.8h release
2008-05-28 07:37:14 +00:00
Mark J. Cox
2c0fa03dc6
Fix flaw if 'Server Key exchange message' is omitted from a TLS
...
handshake which could lead to a cilent crash as found using the
Codenomicon TLS test suite (CVE-2008-1672)
Reviewed by: openssl-security@openssl.org
Obtained from: mark@awe.com
2008-05-28 07:29:27 +00:00
Mark J. Cox
d3b3a6d389
Fix double-free in TLS server name extensions which could lead to a remote
...
crash found by Codenomicon TLS test suite (CVE-2008-0891)
Reviewed by: openssl-security@openssl.org
Obtained from: jorton@redhat.com
2008-05-28 07:26:33 +00:00
Lutz Jänicke
5f23288692
Clear error queue when starting SSL_CTX_use_certificate_chain_file
...
PR: 1417, 1513
Submitted by: Erik de Castro Lopo <mle+openssl@mega-nerd.com>
2008-05-23 10:37:22 +00:00
Lutz Jänicke
45c58c7d10
Remove all root CA files (beyond test CAs including private key)
...
from the OpenSSL distribution.
2008-05-23 08:59:56 +00:00
Dr. Stephen Henson
112591be76
Fix off by one error ;-)
2008-05-20 18:48:22 +00:00
Dr. Stephen Henson
1b8daa3693
Typo.
2008-05-20 16:13:11 +00:00
Dr. Stephen Henson
10d3886c51
Fix two invalid memory reads in RSA OAEP mode.
...
Submitted by: Ivan Nestlerode <inestlerode@us.ibm.com>
Reviewed by: steve
2008-05-19 21:26:28 +00:00
Bodo Möller
c3031a4610
Avoid BN_MONT_CTX incompatibility.
2008-05-02 18:47:19 +00:00
Bodo Möller
812d8a176c
Unobtrusive backport of 32-bit x86 Montgomery improvements from 0.9.9-dev:
...
you need to use "enable-montasm" to see a difference. (Huge speed
advantage, but BN_MONT_CTX is not binary compatible, so this can't be
enabled by default in the 0.9.8 branch.)
The CHANGES entry also covers the 64-bit x86 backport in November 2007
by appro.
2008-05-01 23:11:34 +00:00
Dr. Stephen Henson
db533c96e3
TLS ticket key setting callback: this allows and application to set
...
its own TLS ticket keys.
2008-04-30 16:11:33 +00:00
Geoff Thorpe
98bd148b1a
Fix auto-discovery of ENGINEs, ported from HEAD.
...
NB, this fixes a regression relative to 0.9.7 and the documented behaviour,
but it would make sense for distro maintainers and others with an interest
in system behaviour to test with this change. The fix re-enables behaviour
that was broken and thus inherently disabled. In particular, if you
register an ENGINE implementation, and that ENGINE is able to successfully
self-initialise on the host, it will get used automatically (as claimed in
the documentation and as was the case for 0.9.7) - this was not the case
with 0.9.8 until now because of a bug.
PR: 1668
Submitted by: Ian Lister
Reviewed by: Geoff Thorpe
2008-04-28 21:45:43 +00:00
Geoff Thorpe
292248b8c2
Update from HEAD.
2008-04-27 18:52:14 +00:00
Dr. Stephen Henson
94b2c29f9d
Backport of CMS code to 0.9.8-stable branch. Disabled by default.
2008-04-03 23:03:56 +00:00
Dr. Stephen Henson
6b8be6da76
Update CHANGES.
2008-04-02 11:45:34 +00:00
Dr. Stephen Henson
7ec2d392e7
Backport of zlib compression BIO from HEAD. Update mkdef.pl script to handle
...
ZLIB. Update ordinals.
2008-04-02 11:37:25 +00:00
Dr. Stephen Henson
e88f66bb49
Add CHANGES entry for key wrap.
2008-04-02 11:21:53 +00:00
Dr. Stephen Henson
9e7459fc5d
Backport some useful ASN1 utility functions from HEAD.
2008-04-02 11:11:51 +00:00
Mark J. Cox
216ac24bd3
Add missing changelog entry for http://cvs.openssl.org/chngview?cn=16587
2008-02-28 13:35:58 +00:00
Bodo Möller
19398a175a
fix BIGNUM flag handling
2008-02-27 06:02:00 +00:00
Dr. Stephen Henson
3b0e61a812
Netware support.
...
Submitted by: Guenter Knauf <eflash@gmx.net>
2008-01-03 22:53:06 +00:00
Lutz Jänicke
32f1f622f6
Release OpenSSL 0.9.8g with various fixes to issues introduced with 0.9.8f
2007-10-19 08:25:53 +00:00
Dr. Stephen Henson
a523276786
Backport certificate status request TLS extension support to 0.9.8.
2007-10-12 00:00:36 +00:00
Ben Laurie
2339c5d722
Next version.
2007-10-11 15:04:32 +00:00
Ben Laurie
dd00266757
Ready to roll.
2007-10-11 14:58:15 +00:00
Ben Laurie
bb99ce5f80
make update, and more DTLS stuff.
2007-10-11 14:36:59 +00:00
Dr. Stephen Henson
294f03a812
Reimplement safestack to avoid function pointer casts.
2007-09-06 21:07:43 +00:00
Dr. Stephen Henson
927a28ba3b
gcc 4.2 fixes to avoid use or function pointer casts in OpenSSL.
...
Fix various "computed value not used" warnings too.
2007-09-06 12:43:54 +00:00
Dr. Stephen Henson
967ead7269
Update from HEAD.
2007-08-27 23:47:10 +00:00
Dr. Stephen Henson
5b96d1ccf9
Clarify CHANGES entry.
2007-08-23 22:58:24 +00:00
Dr. Stephen Henson
865a90eb4f
Backport of TLS extension code to OpenSSL 0.9.8.
...
Include server name and RFC4507bis support.
This is not compiled in by default and must be explicitly enabled with
the Configure option enable-tlsext
2007-08-12 18:59:03 +00:00
Dr. Stephen Henson
f805d30769
SSE2 and AES assembly language support for VC++ build.
2007-07-19 17:39:07 +00:00
Andy Polyakov
4c5979a107
Mention recent changes to bn_mont.c in CHANGES.
2007-06-20 17:44:43 +00:00
Bodo Möller
b22250bb67
Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
2007-05-22 09:48:06 +00:00
Ben Laurie
8957121c14
More IGE speedup.
2007-05-13 15:04:16 +00:00
Ben Laurie
50241bc84e
AES IGE mode speedup.
2007-05-13 12:03:57 +00:00
Bodo Möller
c3cc4662af
Add SEED encryption algorithm.
...
PR: 1503
Submitted by: KISA
Reviewed by: Bodo Moeller
2007-04-23 23:50:26 +00:00
Bodo Möller
2ac061e487
make BN_FLG_CONSTTIME semantics more fool-proof
2007-03-28 18:44:01 +00:00
Bodo Möller
7cdb81582c
Change to mitigate branch prediction attacks
...
Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
2007-03-28 00:14:25 +00:00