wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
8418 commits 20 branches 302 tags 153 MiB
Commit graph

1473 commits

Author SHA1 Message Date
Dr. Stephen Henson
68be98d1a6 update references to new RI RFC 2010-02-12 22:02:07 +00:00
Dr. Stephen Henson
ded27f709c typo 2010-01-27 14:04:51 +00:00
Dr. Stephen Henson
cc62974182 PR: 1949 
Submitted by: steve@openssl.org

More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.
 2010-01-26 19:40:36 +00:00
Dr. Stephen Henson
81f28ca567 Typo 2010-01-26 12:29:32 +00:00
Dr. Stephen Henson
8b8a2928af prepare for release 2010-01-20 17:26:02 +00:00
Dr. Stephen Henson
c3c3b28818 Fix version handling so it can cope with a major version >3. 
Although it will be many years before TLS v2.0 or later appears old versions
of servers have a habit of hanging around for a considerable time so best
if we handle this properly now.
 2010-01-13 19:08:45 +00:00
Dr. Stephen Henson
06e2670a57 Modify compression code so it avoids using ex_data free functions. This 
stops applications that call CRYPTO_free_all_ex_data() prematurely leaking
memory.
 2010-01-13 18:45:03 +00:00
Dr. Stephen Henson
50a095ed16 Updates to conform with draft-ietf-tls-renegotiation-03.txt: 
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.
 2010-01-06 17:59:41 +00:00
Bodo Möller
d0e79d7e2c Constify crypto/cast. 2009-12-22 10:59:03 +00:00
Dr. Stephen Henson
ccc3df8c33 New option to enable/disable connection to unpatched servers 2009-12-16 20:34:20 +00:00
Dr. Stephen Henson
cb4823fdd6 Add ctrls to clear options and mode. 
Change RI ctrl so it doesn't clash.
 2009-12-09 13:15:01 +00:00
Dr. Stephen Henson
17bb051628 Send no_renegotiation alert as required by spec. 2009-12-08 19:05:49 +00:00
Dr. Stephen Henson
59f44e810b Add ctrl and macro so we can determine if peer support secure renegotiation. 
Fix SSL_CIPHER initialiser for mcsv
 2009-12-08 13:47:28 +00:00
Dr. Stephen Henson
7a014dceb6 Add support for magic cipher suite value (MCSV). Make secure renegotiation 
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
 2009-12-08 13:15:38 +00:00
Dr. Stephen Henson
1ff44a99a4 PR: 2111 
Submitted by: Martin Olsson <molsson@opera.com>

Check for bn_wexpand errors in bn_mul.c
 2009-12-02 15:27:19 +00:00
Bodo Möller
553d2e3280 (whitespace) 2009-11-26 18:35:33 +00:00
Bodo Möller
82fb4ee89d The version numbering may change, again; so be careful about what we 
announce in CHANGES.
 2009-11-26 17:30:07 +00:00
Bodo Möller
389fef6c9c Remove attribution -- this wasn't my patch, I only edited and applied it. 2009-11-26 17:28:27 +00:00
Bodo Möller
b6622f9623 Remove obsolete information about a change for 0.9.7n. 
(No further releases from the 0.9.7 branch are planned.  Note that the
"deleted" change is also in 0.9.8f.)
 2009-11-26 17:25:38 +00:00
Ben Laurie
c2b78c31d6 First cut of renegotiation extension. 2009-11-08 14:51:54 +00:00
Ben Laurie
949fbf073a Disable renegotiation. 2009-11-05 11:28:37 +00:00
Dr. Stephen Henson
2a8834cf89 Fix stateless session resumption so it can coexist with SNI 2009-10-30 13:28:07 +00:00
Dr. Stephen Henson
afff063a14 Add CHANGES entry. 2009-09-13 11:23:37 +00:00
Dr. Stephen Henson
d0969d24cf Add new option --strict-warnings to Configure script. This is used to add 
in devteam warnings into other configurations.
 2009-09-09 16:30:49 +00:00
Dr. Stephen Henson
985b5ee735 PR: 2003 
Make it possible to install OpenSSL in directories with name other
than "lib" for example "lib64". Based on patch from Jeremy Utley.
 2009-08-10 14:37:51 +00:00
Dr. Stephen Henson
136b5dc7c7 Add missing CHANGES entry for OID 0x80 fix. 2009-08-09 15:40:03 +00:00
Dr. Stephen Henson
856f3005de Document MD2 deprecation. 2009-07-13 11:53:53 +00:00
Dr. Stephen Henson
e7e7f5de4b PR: 1960 
Approved by: steve@openssl.org

Encode compression id in {i2d,d2i}_SSL_SESSION().
 2009-06-30 22:20:46 +00:00
Dr. Stephen Henson
ab8fe43fa2 PR: 1942 
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Replace ad-hoc chain builder with X509_verify_cert().
 2009-06-28 16:23:05 +00:00
Dr. Stephen Henson
9aecc3e5ff Update from 1.0.0-stable. 2009-06-26 11:34:22 +00:00
Dr. Stephen Henson
51ebaa9f82 Correct CHANGES entry. 2009-06-17 11:58:17 +00:00
Dr. Stephen Henson
efaa569c3b PR: 1943 
Submitted by: Guenter <lists@gknw.net>
Approved by: steve@openssl.org

Rename uni2asc and asc2uni on Netware to avoid a name clash.
 2009-06-17 11:55:51 +00:00
Dr. Stephen Henson
1e53b797f6 Don't check self-signed signature in X509_verify_cert(), the check just 
wastes processing time and doesn't add any security.
 2009-06-15 14:52:38 +00:00
Mark J. Cox
0b8eca58b9 Update changelog to show fix for PR1679 as per Tomas Hoger's testing: 
http://thread.gmane.org/gmane.comp.security.oss.general/1769/focus=1814
 2009-06-02 09:20:52 +00:00
Mark J. Cox
a176be48a2 Add the corresponding CVE names to the CHANGES entry for 0.9.8 branch 2009-05-26 08:21:56 +00:00
Dr. Stephen Henson
f47bce27e3 Add CHANGES entries for security relate issues PR#1923, PR#1930 and PR#1931. 2009-05-18 17:34:16 +00:00
Dr. Stephen Henson
0d399f97dd Submitted by: Darryl Miles <darryl-mailinglists@netbauds.net> 
Approved by: steve@openssl.org

Handle non-blocking I/O properly in SSL_shutdown() call.
 2009-04-07 16:28:30 +00:00
Dr. Stephen Henson
7a746ecf3e Typo. 2009-03-25 22:22:42 +00:00
Dr. Stephen Henson
aca8bf43ce Submitted by: Ilya O. <vrghost@gmail.com> 
Approved by: steve@openssl.org

Add 2.5.4.* OIDs.
 2009-03-25 19:01:03 +00:00
Dr. Stephen Henson
7de0df694f Prepare for next version. 2009-03-25 13:02:49 +00:00
Dr. Stephen Henson
e10051ef3f Prepare for 0.9.8k release. 2009-03-25 10:46:56 +00:00
Dr. Stephen Henson
c60dca1f95 PR: 1868 
Submitted by: Paolo Ganci <Paolo.Ganci@AdNovum.CH>
Approved by: steve@openssl.org

Don't set fields to NULL when freeing them up in ASN1 code. On some platforms
with sizeof(long) < sizeof(char *) this can cause a crash.
 2009-03-25 10:42:34 +00:00
Dr. Stephen Henson
188abf7e2a Submitted by: Ivan Nestlerode <inestlerode@us.ibm.com> 
Approved by: steve@openssl.org

Check return code properly in CMS_SignerInfo_verify_content().
 2009-03-25 10:40:32 +00:00
Dr. Stephen Henson
f021b7cca6 Reject BMPStrings and UniversalStrings of invalid length. This prevents 
a crash in ASN1_STRING_print_ex() which assumes they are valid.
 2009-03-25 10:35:57 +00:00
Dr. Stephen Henson
37afdc953e Don't force S/MIME signing purpose: allow it to be overridden by store 
settings.

Don't set default values in X509_VERIFY_PARAM_new(): it stops parameters
being inherited properly.
 2009-03-15 13:36:01 +00:00
Dr. Stephen Henson
044855e146 Permit nested ASN1 string encoding but with a maximum depth to avoid 
stack overflow.
 2009-03-14 18:33:25 +00:00
Dr. Stephen Henson
4fcf8d8b07 Submitted by: Jeremy Shapiro <jnshapir@us.ibm.com> 
Reviewed by: steve@openssl.org

Improve efficientcy of mem_gets().
 2009-03-07 16:58:43 +00:00
Bodo Möller
59689735a6 -hex option for openssl rand 
PR: 1831
Submitted by: Damien Miller
 2009-02-02 00:27:56 +00:00
Dr. Stephen Henson
73cb37295d Update from HEAD. 2009-01-28 12:55:36 +00:00
Dr. Stephen Henson
1f35508ae6 Support NumericString for name components. 2009-01-28 12:35:10 +00:00
Ben Laurie
dc0cb7e74f Make it possible to override CC. 2009-01-17 14:36:17 +00:00
Dr. Stephen Henson
367316c723 Oops, remove duplicate entry. 2009-01-07 23:45:19 +00:00
Dr. Stephen Henson
d34353cc91 Prepare for next version. 2009-01-07 23:38:34 +00:00
Dr. Stephen Henson
6287fa5396 Prepare for 0.9.8j release. 2009-01-07 10:50:54 +00:00
Dr. Stephen Henson
a00c3c4019 Properly check EVP_VerifyFinal() and similar return values 
(CVE-2008-5077).
Submitted by: Ben Laurie, Bodo Moeller, Google Security Team
 2009-01-07 10:48:23 +00:00
Ben Laurie
c153422388 Enable TLS Extensions by default. 2008-12-26 15:27:51 +00:00
Bodo Möller
505ed2b076 Implement Configure option pattern "experimental-foo" 
(specifically, "experimental-jpake").
 2008-12-02 01:21:06 +00:00
Dr. Stephen Henson
5a02ac6e5b Revert OPENSSL_EXPERIMENTAL patch. 
Change it so JPAKE uses the standard OPENSSL_NO_JPAKE instead.
 2008-11-24 16:14:15 +00:00
Geoff Thorpe
bfc6482a7a Allow the CHIL engine to load even if dynamic locks aren't registered. 
Submitted by: Sander Temme
 2008-11-19 14:08:06 +00:00
Dr. Stephen Henson
81dde5e8fe Add support for experimental code, not compiled in by default and 
with OPENSSL_EXPERIMENTAL_FOO around it. Make JPAKE experimental.
 2008-11-12 16:54:35 +00:00
Dr. Stephen Henson
4e98f8863f Oops... 2008-10-31 12:18:42 +00:00
Dr. Stephen Henson
582ef3dbdb Fix from HEAD. 2008-10-31 12:09:18 +00:00
Ben Laurie
2124e869a8 Add JPAKE. 2008-10-26 18:42:05 +00:00
Ben Laurie
cdffc716c9 Set the comparison function in v3_addr_canonize(). 2008-10-14 19:21:30 +00:00
Ben Laurie
5dffc13f55 Add XMPP STARTTLS support. 2008-10-14 19:09:47 +00:00
Bodo Möller
d875413a0b Make sure that SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG can't 
enable disabled ciphersuites.
 2008-09-22 21:22:51 +00:00
Bodo Möller
4ea574fdf3 Now that we're changing the 0.9.8i CHANGES anyway, reorder them 
according to the usual convention (reverse chronological order)
 2008-09-15 20:34:13 +00:00
Dr. Stephen Henson
cf8115deb0 Add missing CHANGES entry. 2008-09-15 20:28:58 +00:00
Dr. Stephen Henson
6d3b70c8da Prepare for next version... 2008-09-15 15:30:20 +00:00
Dr. Stephen Henson
0a4fda742b Oops... use correct version number this time.... 2008-09-15 14:26:34 +00:00
Dr. Stephen Henson
3745e57bf9 Prepare for next version.... 2008-09-15 12:19:09 +00:00
Dr. Stephen Henson
b7e7aa00de Begin release of OpenSSL 0.9.8i. 2008-09-15 10:28:13 +00:00
Bodo Möller
200d00c854 Fix SSL state transitions. 
Submitted by: Nagendra Modadugu
 2008-09-14 14:02:01 +00:00
Bodo Möller
669b912dea Really get rid of unsafe double-checked locking. 
Also, "CHANGES" clean-ups.
 2008-09-14 13:51:49 +00:00
Bodo Möller
36a4a67b2b Some precautions to avoid potential security-relevant problems. 2008-09-14 13:42:40 +00:00
Ben Laurie
b7c8b4fc95 Allow soft-loading engines. 2008-09-12 13:29:59 +00:00
Dr. Stephen Henson
dd6e90465d Add support for Local Machine Keyset attribute in PKCS#12 files. 2008-06-26 23:26:52 +00:00
Bodo Möller
4afcee8b4b avoid potential infinite loop in final reduction round of BN_GF2m_mod_arr() 
Submitted by: Huang Ying
Reviewed by: Douglas Stebila
 2008-06-23 20:46:28 +00:00
Dr. Stephen Henson
1f3206216b Add acknowledgement. 2008-06-09 16:50:48 +00:00
Dr. Stephen Henson
1a12ce8ea5 Update CHANGES. 2008-06-05 15:32:05 +00:00
Mark J. Cox
3f79793b7e After tagging, bump ready for 0.9.8i development 2008-05-28 07:47:50 +00:00
Mark J. Cox
0d01d8a735 Prepare for 0.9.8h release 2008-05-28 07:37:14 +00:00
Mark J. Cox
2c0fa03dc6 Fix flaw if 'Server Key exchange message' is omitted from a TLS 
handshake which could lead to a cilent crash as found using the
Codenomicon TLS test suite (CVE-2008-1672)

Reviewed by: openssl-security@openssl.org

Obtained from: mark@awe.com
 2008-05-28 07:29:27 +00:00
Mark J. Cox
d3b3a6d389 Fix double-free in TLS server name extensions which could lead to a remote 
crash found by Codenomicon TLS test suite (CVE-2008-0891)

Reviewed by: openssl-security@openssl.org

Obtained from: jorton@redhat.com
 2008-05-28 07:26:33 +00:00
Lutz Jänicke
5f23288692 Clear error queue when starting SSL_CTX_use_certificate_chain_file 
PR: 1417, 1513
Submitted by: Erik de Castro Lopo <mle+openssl@mega-nerd.com>
 2008-05-23 10:37:22 +00:00
Lutz Jänicke
45c58c7d10 Remove all root CA files (beyond test CAs including private key) 
from the OpenSSL distribution.
 2008-05-23 08:59:56 +00:00
Dr. Stephen Henson
112591be76 Fix off by one error ;-) 2008-05-20 18:48:22 +00:00
Dr. Stephen Henson
1b8daa3693 Typo. 2008-05-20 16:13:11 +00:00
Dr. Stephen Henson
10d3886c51 Fix two invalid memory reads in RSA OAEP mode. 
Submitted by: Ivan Nestlerode <inestlerode@us.ibm.com>
Reviewed by: steve
 2008-05-19 21:26:28 +00:00
Bodo Möller
c3031a4610 Avoid BN_MONT_CTX incompatibility. 2008-05-02 18:47:19 +00:00
Bodo Möller
812d8a176c Unobtrusive backport of 32-bit x86 Montgomery improvements from 0.9.9-dev: 
you need to use "enable-montasm" to see a difference.  (Huge speed
advantage, but BN_MONT_CTX is not binary compatible, so this can't be
enabled by default in the 0.9.8 branch.)

The CHANGES entry also covers the 64-bit x86 backport in November 2007
by appro.
 2008-05-01 23:11:34 +00:00
Dr. Stephen Henson
db533c96e3 TLS ticket key setting callback: this allows and application to set 
its own TLS ticket keys.
 2008-04-30 16:11:33 +00:00
Geoff Thorpe
98bd148b1a Fix auto-discovery of ENGINEs, ported from HEAD. 
NB, this fixes a regression relative to 0.9.7 and the documented behaviour,
but it would make sense for distro maintainers and others with an interest
in system behaviour to test with this change. The fix re-enables behaviour
that was broken and thus inherently disabled. In particular, if you
register an ENGINE implementation, and that ENGINE is able to successfully
self-initialise on the host, it will get used automatically (as claimed in
the documentation and as was the case for 0.9.7) - this was not the case
with 0.9.8 until now because of a bug.

PR: 1668
Submitted by: Ian Lister
Reviewed by: Geoff Thorpe
 2008-04-28 21:45:43 +00:00
Geoff Thorpe
292248b8c2 Update from HEAD. 2008-04-27 18:52:14 +00:00
Dr. Stephen Henson
94b2c29f9d Backport of CMS code to 0.9.8-stable branch. Disabled by default. 2008-04-03 23:03:56 +00:00
Dr. Stephen Henson
6b8be6da76 Update CHANGES. 2008-04-02 11:45:34 +00:00
Dr. Stephen Henson
7ec2d392e7 Backport of zlib compression BIO from HEAD. Update mkdef.pl script to handle 
ZLIB. Update ordinals.
 2008-04-02 11:37:25 +00:00
Dr. Stephen Henson
e88f66bb49 Add CHANGES entry for key wrap. 2008-04-02 11:21:53 +00:00
Dr. Stephen Henson
9e7459fc5d Backport some useful ASN1 utility functions from HEAD. 2008-04-02 11:11:51 +00:00
Mark J. Cox
216ac24bd3 Add missing changelog entry for http://cvs.openssl.org/chngview?cn=16587 2008-02-28 13:35:58 +00:00