Commit graph

9558 commits

Author SHA1 Message Date
Dr. Stephen Henson
3b3f71121b PR: 2183
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
2010-03-03 19:56:17 +00:00
Dr. Stephen Henson
47333a34d5 Submitted by: Tomas Hoger <thoger@redhat.com>
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
2010-03-03 15:41:00 +00:00
Dr. Stephen Henson
d92138f703 don't mix definitions and code 2010-03-03 15:30:26 +00:00
Andy Polyakov
b2bf335327 Fix s390x-specific HOST_l2c|c2l [from HEAD].
Submitted by: Andreas Krebbel
2010-03-02 16:25:10 +00:00
Dr. Stephen Henson
33bec62a20 PR: 2178
Submitted by: "Kennedy, Brendan" <brendan.kennedy@intel.com>

Handle error codes correctly: cryptodev returns 0 for success whereas OpenSSL
returns 1.
2010-03-01 23:54:34 +00:00
Dr. Stephen Henson
2e630b1847 use supplied ENGINE in genrsa 2010-03-01 14:22:02 +00:00
Dr. Stephen Henson
002d3fe863 use correct prototype as in HEAD 2010-03-01 03:01:56 +00:00
Dr. Stephen Henson
fb24311e7c 'typo' 2010-03-01 01:52:47 +00:00
Dr. Stephen Henson
90278430d9 make USE_CRYPTODEV_DIGESTS work 2010-03-01 01:19:36 +00:00
Ben Laurie
bcd9d12a8d Fix warning. 2010-02-28 13:38:16 +00:00
Dr. Stephen Henson
79363339b7 algorithms field has changed in 1.0.0 and later: update 2010-02-28 00:24:24 +00:00
Dr. Stephen Henson
fbe2c6b33e Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and
1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."
2010-02-27 23:04:10 +00:00
Dr. Stephen Henson
fc11f47229 Revert CFB block length change. Despite what SP800-38a says the input to
CFB mode does *not* have to be a multiple of the block length and several
other specifications (e.g. PKCS#11) do not require this.
2010-02-26 14:41:48 +00:00
Dr. Stephen Henson
2b23d89d14 oops, use correct date 2010-02-26 12:14:30 +00:00
Dr. Stephen Henson
9cfa3cff54 update FAQ, NEWS 2010-02-25 18:21:20 +00:00
Dr. Stephen Henson
6507653e72 The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in
the verify application documentation.
2010-02-23 14:09:22 +00:00
Bodo Möller
7fe747d1eb Always check bn_wexpend() return values for failure (CVE-2009-3245).
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)

Submitted by: Neel Mehta
2010-02-23 10:36:30 +00:00
Bodo Möller
32567c9f3b Fix X509_STORE locking 2010-02-19 18:26:23 +00:00
Dr. Stephen Henson
4f3d52fedc clarify documentation 2010-02-18 12:41:50 +00:00
Dr. Stephen Henson
8321bab39c OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved 2010-02-17 19:43:46 +00:00
Dr. Stephen Henson
989238802a Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:38:10 +00:00
Dr. Stephen Henson
9051fc538f PR: 2100
Submitted by: James Baker <jbaker@tableausoftware.com> et al.

Workaround for slow Heap32Next on some versions of Windows.
2010-02-17 14:32:25 +00:00
Dr. Stephen Henson
03fd7f27db Submitted by: Dmitry Ivanov <vonami@gmail.com>
Don't leave dangling pointers in GOST engine if calls fail.
2010-02-16 14:30:19 +00:00
Dr. Stephen Henson
45d6a15ae9 PR: 2171
Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.

Also can now use SSL2 compatible client hello because RFC5746 supports it.
2010-02-16 14:20:40 +00:00
Dr. Stephen Henson
6c6ca18664 The "block length" for CFB mode was incorrectly coded as 1 all the time. It
should be the number of feedback bits expressed in bytes. For CFB1 mode set
this to 1 by rounding up to the nearest multiple of 8.
2010-02-15 19:40:30 +00:00
Dr. Stephen Henson
97fe2b40c1 Correct ECB mode EVP_CIPHER definition: IV length is 0 2010-02-15 19:25:52 +00:00
Dr. Stephen Henson
f689ab5017 add EVP_CIPH_FLAG_LENGTH_BITS from 0.9.8-stable 2010-02-15 19:17:55 +00:00
Dr. Stephen Henson
edb7cac271 PR: 2164
Submitted by: "Noszticzius, Istvan" <inoszticzius@rightnow.com>

Don't clear the output buffer: ciphers should correctly the same input
and output buffers.
2010-02-15 19:01:56 +00:00
Dr. Stephen Henson
81d87a2a28 update references to new RI RFC 2010-02-12 21:59:57 +00:00
Dr. Stephen Henson
7366f0b304 PR: 2170
Submitted by: Magnus Lilja <lilja.magnus@gmail.com>

Make -c option in dgst work again.
2010-02-12 17:07:24 +00:00
Dr. Stephen Henson
1d8fa09c80 Make assembly language versions of OPENSSL_cleanse() accept zero length
parameter. Backport from HEAD, orginal by appro.
2010-02-12 17:02:13 +00:00
Dr. Stephen Henson
e085e6c84c Fix memory leak in ENGINE autoconfig code. Improve error logging. 2010-02-09 14:17:57 +00:00
Dr. Stephen Henson
008fa4584d update year 2010-02-09 14:13:00 +00:00
Dr. Stephen Henson
c8c49133d9 oops, use new value for new flag 2010-02-07 13:54:54 +00:00
Dr. Stephen Henson
961f1dea06 make update 2010-02-07 13:47:08 +00:00
Dr. Stephen Henson
1700426256 Add missing function EVP_CIPHER_CTX_copy(). Current code uses memcpy() to copy
an EVP_CIPHER_CTX structure which may have problems with external ENGINEs
who need to duplicate internal handles etc.
2010-02-07 13:41:23 +00:00
Dr. Stephen Henson
aa7f5baad2 don't assume 0x is at start of string 2010-02-03 18:19:05 +00:00
Dr. Stephen Henson
45acdd6f6d tolerate broken CMS/PKCS7 implementations using signature OID instead of digest 2010-02-02 14:26:32 +00:00
Dr. Stephen Henson
8b354e776b PR: 2161
Submitted by: Doug Goldstein <cardoe@gentoo.org>, Steve.

Make no-dsa, no-ecdsa and no-rsa compile again.
2010-02-02 13:36:05 +00:00
Dr. Stephen Henson
868f5e44ca PR: 2160
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Make session tickets work with DTLS.
2010-02-01 16:49:42 +00:00
Dr. Stephen Henson
4e5fdd11ea PR: 2159
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Typo in PR#1949 bug, oops!
2010-02-01 12:44:11 +00:00
Richard Levitte
d552a3391a Typo. 2010-01-29 12:07:50 +00:00
Richard Levitte
d023b4e2dd The previous take went wrong, try again. 2010-01-29 12:02:54 +00:00
Richard Levitte
fa79cc9c23 Architecture specific header files need special handling. 2010-01-29 11:44:40 +00:00
Richard Levitte
06daa75fb9 If opensslconf.h and buildinf.h are to be in an architecture specific
directory, place it in the same tree as the other architecture
specific things.
2010-01-29 11:43:53 +00:00
Dr. Stephen Henson
ffa304c838 oops, revert more test code arghh! 2010-01-28 17:52:18 +00:00
Dr. Stephen Henson
df21765a3e In engine_table_select() don't clear out entire error queue: just clear
out any we added using ERR_set_mark() and ERR_pop_to_mark() otherwise
errors from other sources (e.g. SSL library) can be wiped.
2010-01-28 17:50:23 +00:00
Dr. Stephen Henson
5a6ae115f8 reword RI description 2010-01-27 18:53:49 +00:00
Dr. Stephen Henson
5e5df40b9b update documentation to reflect new renegotiation options 2010-01-27 17:50:20 +00:00
Dr. Stephen Henson
6d4943e81f Some shells print out the directory name if CDPATH is set breaking the
pod2man test. Use ./util instead to avoid this.
2010-01-27 16:06:58 +00:00