Dr. Stephen Henson
9a542ea01d
don't add digest alias if signature algorithm is undefined
2010-03-06 20:52:33 +00:00
Dr. Stephen Henson
1939f83709
Fix memory leak: free up ENGINE functional reference if digest is not
...
found in an ENGINE.
2010-03-05 13:35:06 +00:00
Dr. Stephen Henson
b7c114f044
PR: 2183
...
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
2010-03-03 19:56:00 +00:00
Dr. Stephen Henson
ede1351997
Submitted by: Tomas Hoger <thoger@redhat.com>
...
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
2010-03-03 15:34:11 +00:00
Dr. Stephen Henson
7786ed6a64
don't mix definitions and code
2010-03-03 15:30:05 +00:00
Andy Polyakov
bdd08277b8
Fix s390x-specific HOST_l2c|c2l [from HEAD].
...
Submitted by: Andreas Krebbel
2010-03-02 16:26:13 +00:00
Dr. Stephen Henson
2bf4faa7e4
PR: 2178
...
Submitted by: "Kennedy, Brendan" <brendan.kennedy@intel.com>
Handle error codes correctly: cryptodev returns 0 for success whereas OpenSSL
returns 1.
2010-03-01 23:54:19 +00:00
Dr. Stephen Henson
2e5e604b0c
load cryptodev if HAVE_CRYPTODEV is set too
2010-03-01 00:30:11 +00:00
Ben Laurie
ed4cd027f3
Fix warnings.
2010-02-28 13:37:15 +00:00
Dr. Stephen Henson
bab19a2ac2
quote HOSTCC in case it isn't defined
2010-02-26 19:56:10 +00:00
Dr. Stephen Henson
582eb96d15
Revert CFB block length change. Despite what SP800-38a says the input to
...
CFB mode does *not* have to be a multiple of the block length and several
other specifications (e.g. PKCS#11) do not require this.
2010-02-26 14:41:38 +00:00
Dr. Stephen Henson
2649ce1ebc
Change versions for 0.9.8n-dev
2010-02-26 14:34:24 +00:00
Dr. Stephen Henson
7070cdba4e
Prepare for 0.9.8m release
2010-02-25 17:18:23 +00:00
Richard Levitte
e885de28b1
Since crypto-lib.com is built to be executed in the crypto/ directory,
...
there's no need to specify that directory in the include path.
2010-02-24 01:20:04 +00:00
Dr. Stephen Henson
3038649ab2
The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and
...
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in
the verify application documentation.
2010-02-23 14:09:32 +00:00
Bodo Möller
3e4da3f7cb
Always check bn_wexpend() return values for failure (CVE-2009-3245).
...
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)
Submitted by: Neel Mehta
2010-02-23 10:36:41 +00:00
Richard Levitte
53b5d04715
Apply changes from the 1.0.0 branch.
2010-02-23 07:51:39 +00:00
Richard Levitte
defede6080
Include [.CRYPTO.<ARCH>] instead of just [.<ARCH>]
2010-02-23 07:50:54 +00:00
Richard Levitte
1472f1427e
In some environments, we need to defined sslroot locally.
2010-02-22 07:05:50 +00:00
Richard Levitte
00d1ecb1da
Add t1_reneg to the VMS build.
...
Hack the symbols with long names.
2010-02-22 07:05:24 +00:00
Bodo Möller
739e0e934a
Fix X509_STORE locking
2010-02-19 18:25:39 +00:00
Dr. Stephen Henson
6ae9770d34
clarify documentation
2010-02-18 12:42:03 +00:00
Dr. Stephen Henson
bec7184768
OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved
2010-02-17 19:43:08 +00:00
Dr. Stephen Henson
442ac8d259
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
...
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:37:47 +00:00
Dr. Stephen Henson
657b02d0cf
PR: 2100
...
Submitted by: James Baker <jbaker@tableausoftware.com> et al.
Workaround for slow Heap32Next on some versions of Windows.
2010-02-17 14:32:01 +00:00
Dr. Stephen Henson
b50ef8b216
PR: 2171
...
Submitted by: Tomas Mraz <tmraz@redhat.com>
Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.
Also can now use SSL2 compatible client hello because RFC5746 supports it.
2010-02-16 14:19:42 +00:00
Dr. Stephen Henson
1b690c1a8b
The "block length" for CFB mode was incorrectly coded as 1 all the time. It
...
should be the number of feedback bits expressed in bytes. For CFB1 mode set
this to 1 by rounding up to the nearest multiple of 8.
2010-02-15 19:40:45 +00:00
Dr. Stephen Henson
2873a53f5f
Correct ECB mode EVP_CIPHER definition: IV length is 0
2010-02-15 19:25:37 +00:00
Dr. Stephen Henson
04a781e844
PR: 2164
...
Submitted by: "Noszticzius, Istvan" <inoszticzius@rightnow.com>
Don't clear the output buffer: ciphers should correctly the same input
and output buffers.
2010-02-15 19:02:53 +00:00
Dr. Stephen Henson
68be98d1a6
update references to new RI RFC
2010-02-12 22:02:07 +00:00
Dr. Stephen Henson
0bbbadf3f5
Fix memory leak in ENGINE autoconfig code. Improve error logging.
2010-02-09 14:18:15 +00:00
Dr. Stephen Henson
c0c1ce125a
update year
2010-02-09 14:13:30 +00:00
Dr. Stephen Henson
105861186f
Only use bufferoverflowu.lib when needed
2010-02-04 01:10:24 +00:00
Dr. Stephen Henson
4a9d335bb4
tolerate broken CMS/PKCS7 implementations using signature OID instead of digest
2010-02-02 14:19:54 +00:00
Dr. Stephen Henson
162f1e08f8
make no-rsa no-dsa compile again
2010-02-02 14:03:07 +00:00
Dr. Stephen Henson
0484ff5ec1
PR: 2160
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Make session tickets work with DTLS.
2010-02-01 16:48:40 +00:00
Dr. Stephen Henson
4acc2fed6c
PR: 2159
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Typo in PR#1949 bug, oops!
2010-02-01 12:44:21 +00:00
Dr. Stephen Henson
0369804ffa
In engine_table_select() don't clear out entire error queue: just clear
...
out any we added using ERR_set_mark() and ERR_pop_to_mark() otherwise
errors from other sources (e.g. SSL library) can be wiped.
2010-01-28 17:53:11 +00:00
Dr. Stephen Henson
33d7b5ec07
reword RI description
2010-01-27 18:53:59 +00:00
Dr. Stephen Henson
4b38f35e72
update documentation to reflect new renegotiation options
2010-01-27 17:50:47 +00:00
Dr. Stephen Henson
82c2773423
Some shells print out the directory name if CDPATH is set breaking the
...
pod2man test. Use ./util instead to avoid this.
2010-01-27 16:06:36 +00:00
Dr. Stephen Henson
ded27f709c
typo
2010-01-27 14:04:51 +00:00
Dr. Stephen Henson
30dc3e112b
stop warnings in fips_test_suite application
2010-01-27 14:03:26 +00:00
Dr. Stephen Henson
371b262f96
stop missing prototype warnings
2010-01-27 13:32:31 +00:00
Dr. Stephen Henson
b3fb2492d5
eliminate some warnings in fips build
2010-01-27 13:21:34 +00:00
Dr. Stephen Henson
93b810637b
Bypass algorithm blocking with TLS MD5+SHA1 signature in FIPS mode by
...
calling underlying method directly.
2010-01-27 00:51:24 +00:00
Dr. Stephen Henson
cc62974182
PR: 1949
...
Submitted by: steve@openssl.org
More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.
2010-01-26 19:40:36 +00:00
Dr. Stephen Henson
9413788571
PR: 2138
...
Submitted by: Kevin Regan <k.regan@f5.com>
Clear stat structure if -DPURIFY is set to avoid problems on some
platforms which include unitialised fields.
2010-01-26 18:08:42 +00:00
Dr. Stephen Henson
e8387db0c4
Fix VC++ warning (change had already been made to other branches).
2010-01-26 13:24:08 +00:00
Dr. Stephen Henson
81f28ca567
Typo
2010-01-26 12:29:32 +00:00