Commit graph

8223 commits

Author SHA1 Message Date
Dr. Stephen Henson
9a542ea01d don't add digest alias if signature algorithm is undefined 2010-03-06 20:52:33 +00:00
Dr. Stephen Henson
1939f83709 Fix memory leak: free up ENGINE functional reference if digest is not
found in an ENGINE.
2010-03-05 13:35:06 +00:00
Dr. Stephen Henson
b7c114f044 PR: 2183
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
2010-03-03 19:56:00 +00:00
Dr. Stephen Henson
ede1351997 Submitted by: Tomas Hoger <thoger@redhat.com>
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
2010-03-03 15:34:11 +00:00
Dr. Stephen Henson
7786ed6a64 don't mix definitions and code 2010-03-03 15:30:05 +00:00
Andy Polyakov
bdd08277b8 Fix s390x-specific HOST_l2c|c2l [from HEAD].
Submitted by: Andreas Krebbel
2010-03-02 16:26:13 +00:00
Dr. Stephen Henson
2bf4faa7e4 PR: 2178
Submitted by: "Kennedy, Brendan" <brendan.kennedy@intel.com>

Handle error codes correctly: cryptodev returns 0 for success whereas OpenSSL
returns 1.
2010-03-01 23:54:19 +00:00
Dr. Stephen Henson
2e5e604b0c load cryptodev if HAVE_CRYPTODEV is set too 2010-03-01 00:30:11 +00:00
Ben Laurie
ed4cd027f3 Fix warnings. 2010-02-28 13:37:15 +00:00
Dr. Stephen Henson
bab19a2ac2 quote HOSTCC in case it isn't defined 2010-02-26 19:56:10 +00:00
Dr. Stephen Henson
582eb96d15 Revert CFB block length change. Despite what SP800-38a says the input to
CFB mode does *not* have to be a multiple of the block length and several
other specifications (e.g. PKCS#11) do not require this.
2010-02-26 14:41:38 +00:00
Dr. Stephen Henson
2649ce1ebc Change versions for 0.9.8n-dev 2010-02-26 14:34:24 +00:00
Dr. Stephen Henson
7070cdba4e Prepare for 0.9.8m release 2010-02-25 17:18:23 +00:00
Richard Levitte
e885de28b1 Since crypto-lib.com is built to be executed in the crypto/ directory,
there's no need to specify that directory in the include path.
2010-02-24 01:20:04 +00:00
Dr. Stephen Henson
3038649ab2 The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in
the verify application documentation.
2010-02-23 14:09:32 +00:00
Bodo Möller
3e4da3f7cb Always check bn_wexpend() return values for failure (CVE-2009-3245).
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)

Submitted by: Neel Mehta
2010-02-23 10:36:41 +00:00
Richard Levitte
53b5d04715 Apply changes from the 1.0.0 branch. 2010-02-23 07:51:39 +00:00
Richard Levitte
defede6080 Include [.CRYPTO.<ARCH>] instead of just [.<ARCH>] 2010-02-23 07:50:54 +00:00
Richard Levitte
1472f1427e In some environments, we need to defined sslroot locally. 2010-02-22 07:05:50 +00:00
Richard Levitte
00d1ecb1da Add t1_reneg to the VMS build.
Hack the symbols with long names.
2010-02-22 07:05:24 +00:00
Bodo Möller
739e0e934a Fix X509_STORE locking 2010-02-19 18:25:39 +00:00
Dr. Stephen Henson
6ae9770d34 clarify documentation 2010-02-18 12:42:03 +00:00
Dr. Stephen Henson
bec7184768 OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved 2010-02-17 19:43:08 +00:00
Dr. Stephen Henson
442ac8d259 Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:37:47 +00:00
Dr. Stephen Henson
657b02d0cf PR: 2100
Submitted by: James Baker <jbaker@tableausoftware.com> et al.

Workaround for slow Heap32Next on some versions of Windows.
2010-02-17 14:32:01 +00:00
Dr. Stephen Henson
b50ef8b216 PR: 2171
Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.

Also can now use SSL2 compatible client hello because RFC5746 supports it.
2010-02-16 14:19:42 +00:00
Dr. Stephen Henson
1b690c1a8b The "block length" for CFB mode was incorrectly coded as 1 all the time. It
should be the number of feedback bits expressed in bytes. For CFB1 mode set
this to 1 by rounding up to the nearest multiple of 8.
2010-02-15 19:40:45 +00:00
Dr. Stephen Henson
2873a53f5f Correct ECB mode EVP_CIPHER definition: IV length is 0 2010-02-15 19:25:37 +00:00
Dr. Stephen Henson
04a781e844 PR: 2164
Submitted by: "Noszticzius, Istvan" <inoszticzius@rightnow.com>

Don't clear the output buffer: ciphers should correctly the same input
and output buffers.
2010-02-15 19:02:53 +00:00
Dr. Stephen Henson
68be98d1a6 update references to new RI RFC 2010-02-12 22:02:07 +00:00
Dr. Stephen Henson
0bbbadf3f5 Fix memory leak in ENGINE autoconfig code. Improve error logging. 2010-02-09 14:18:15 +00:00
Dr. Stephen Henson
c0c1ce125a update year 2010-02-09 14:13:30 +00:00
Dr. Stephen Henson
105861186f Only use bufferoverflowu.lib when needed 2010-02-04 01:10:24 +00:00
Dr. Stephen Henson
4a9d335bb4 tolerate broken CMS/PKCS7 implementations using signature OID instead of digest 2010-02-02 14:19:54 +00:00
Dr. Stephen Henson
162f1e08f8 make no-rsa no-dsa compile again 2010-02-02 14:03:07 +00:00
Dr. Stephen Henson
0484ff5ec1 PR: 2160
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Make session tickets work with DTLS.
2010-02-01 16:48:40 +00:00
Dr. Stephen Henson
4acc2fed6c PR: 2159
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Typo in PR#1949 bug, oops!
2010-02-01 12:44:21 +00:00
Dr. Stephen Henson
0369804ffa In engine_table_select() don't clear out entire error queue: just clear
out any we added using ERR_set_mark() and ERR_pop_to_mark() otherwise
errors from other sources (e.g. SSL library) can be wiped.
2010-01-28 17:53:11 +00:00
Dr. Stephen Henson
33d7b5ec07 reword RI description 2010-01-27 18:53:59 +00:00
Dr. Stephen Henson
4b38f35e72 update documentation to reflect new renegotiation options 2010-01-27 17:50:47 +00:00
Dr. Stephen Henson
82c2773423 Some shells print out the directory name if CDPATH is set breaking the
pod2man test. Use ./util instead to avoid this.
2010-01-27 16:06:36 +00:00
Dr. Stephen Henson
ded27f709c typo 2010-01-27 14:04:51 +00:00
Dr. Stephen Henson
30dc3e112b stop warnings in fips_test_suite application 2010-01-27 14:03:26 +00:00
Dr. Stephen Henson
371b262f96 stop missing prototype warnings 2010-01-27 13:32:31 +00:00
Dr. Stephen Henson
b3fb2492d5 eliminate some warnings in fips build 2010-01-27 13:21:34 +00:00
Dr. Stephen Henson
93b810637b Bypass algorithm blocking with TLS MD5+SHA1 signature in FIPS mode by
calling underlying method directly.
2010-01-27 00:51:24 +00:00
Dr. Stephen Henson
cc62974182 PR: 1949
Submitted by: steve@openssl.org

More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.
2010-01-26 19:40:36 +00:00
Dr. Stephen Henson
9413788571 PR: 2138
Submitted by: Kevin Regan <k.regan@f5.com>

Clear stat structure if -DPURIFY is set to avoid problems on some
platforms which include unitialised fields.
2010-01-26 18:08:42 +00:00
Dr. Stephen Henson
e8387db0c4 Fix VC++ warning (change had already been made to other branches). 2010-01-26 13:24:08 +00:00
Dr. Stephen Henson
81f28ca567 Typo 2010-01-26 12:29:32 +00:00