openssl.git
9 years agoupdate references to new RI RFC
Dr. Stephen Henson [Fri, 12 Feb 2010 21:59:57 +0000 (21:59 +0000)]
update references to new RI RFC

9 years agoPR: 2170
Dr. Stephen Henson [Fri, 12 Feb 2010 17:07:24 +0000 (17:07 +0000)]
PR: 2170
Submitted by: Magnus Lilja <lilja.magnus@gmail.com>

Make -c option in dgst work again.

9 years agoMake assembly language versions of OPENSSL_cleanse() accept zero length
Dr. Stephen Henson [Fri, 12 Feb 2010 17:02:13 +0000 (17:02 +0000)]
Make assembly language versions of OPENSSL_cleanse() accept zero length
parameter. Backport from HEAD, orginal by appro.

9 years agoFix memory leak in ENGINE autoconfig code. Improve error logging.
Dr. Stephen Henson [Tue, 9 Feb 2010 14:17:57 +0000 (14:17 +0000)]
Fix memory leak in ENGINE autoconfig code. Improve error logging.

9 years agoupdate year
Dr. Stephen Henson [Tue, 9 Feb 2010 14:13:00 +0000 (14:13 +0000)]
update year

9 years agooops, use new value for new flag
Dr. Stephen Henson [Sun, 7 Feb 2010 13:54:54 +0000 (13:54 +0000)]
oops, use new value for new flag

9 years agomake update
Dr. Stephen Henson [Sun, 7 Feb 2010 13:47:08 +0000 (13:47 +0000)]
make update

9 years agoAdd missing function EVP_CIPHER_CTX_copy(). Current code uses memcpy() to copy
Dr. Stephen Henson [Sun, 7 Feb 2010 13:41:23 +0000 (13:41 +0000)]
Add missing function EVP_CIPHER_CTX_copy(). Current code uses memcpy() to copy
an EVP_CIPHER_CTX structure which may have problems with external ENGINEs
who need to duplicate internal handles etc.

9 years agodon't assume 0x is at start of string
Dr. Stephen Henson [Wed, 3 Feb 2010 18:19:05 +0000 (18:19 +0000)]
don't assume 0x is at start of string

9 years agotolerate broken CMS/PKCS7 implementations using signature OID instead of digest
Dr. Stephen Henson [Tue, 2 Feb 2010 14:26:32 +0000 (14:26 +0000)]
tolerate broken CMS/PKCS7 implementations using signature OID instead of digest

9 years agoPR: 2161
Dr. Stephen Henson [Tue, 2 Feb 2010 13:36:05 +0000 (13:36 +0000)]
PR: 2161
Submitted by: Doug Goldstein <cardoe@gentoo.org>, Steve.

Make no-dsa, no-ecdsa and no-rsa compile again.

9 years agoPR: 2160
Dr. Stephen Henson [Mon, 1 Feb 2010 16:49:42 +0000 (16:49 +0000)]
PR: 2160
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Make session tickets work with DTLS.

9 years agoPR: 2159
Dr. Stephen Henson [Mon, 1 Feb 2010 12:44:11 +0000 (12:44 +0000)]
PR: 2159
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Typo in PR#1949 bug, oops!

9 years agoTypo.
Richard Levitte [Fri, 29 Jan 2010 12:07:50 +0000 (12:07 +0000)]
Typo.

9 years agoThe previous take went wrong, try again.
Richard Levitte [Fri, 29 Jan 2010 12:02:54 +0000 (12:02 +0000)]
The previous take went wrong, try again.

9 years agoArchitecture specific header files need special handling.
Richard Levitte [Fri, 29 Jan 2010 11:44:40 +0000 (11:44 +0000)]
Architecture specific header files need special handling.

9 years agoIf opensslconf.h and buildinf.h are to be in an architecture specific
Richard Levitte [Fri, 29 Jan 2010 11:43:53 +0000 (11:43 +0000)]
If opensslconf.h and buildinf.h are to be in an architecture specific
directory, place it in the same tree as the other architecture
specific things.

9 years agooops, revert more test code arghh!
Dr. Stephen Henson [Thu, 28 Jan 2010 17:52:18 +0000 (17:52 +0000)]
oops, revert more test code arghh!

9 years agoIn engine_table_select() don't clear out entire error queue: just clear
Dr. Stephen Henson [Thu, 28 Jan 2010 17:50:23 +0000 (17:50 +0000)]
In engine_table_select() don't clear out entire error queue: just clear
out any we added using ERR_set_mark() and ERR_pop_to_mark() otherwise
errors from other sources (e.g. SSL library) can be wiped.

9 years agoreword RI description
Dr. Stephen Henson [Wed, 27 Jan 2010 18:53:49 +0000 (18:53 +0000)]
reword RI description

9 years agoupdate documentation to reflect new renegotiation options
Dr. Stephen Henson [Wed, 27 Jan 2010 17:50:20 +0000 (17:50 +0000)]
update documentation to reflect new renegotiation options

9 years agoSome shells print out the directory name if CDPATH is set breaking the
Dr. Stephen Henson [Wed, 27 Jan 2010 16:06:58 +0000 (16:06 +0000)]
Some shells print out the directory name if CDPATH is set breaking the
pod2man test. Use ./util instead to avoid this.

9 years agotypo
Dr. Stephen Henson [Wed, 27 Jan 2010 14:05:15 +0000 (14:05 +0000)]
typo

9 years agoPR: 2157
Dr. Stephen Henson [Wed, 27 Jan 2010 12:55:52 +0000 (12:55 +0000)]
PR: 2157
Submitted by: "Green, Paul" <Paul.Green@stratus.com>

Typo.

9 years agoCosmetic changes, including changing a confusing example.
Richard Levitte [Wed, 27 Jan 2010 09:18:05 +0000 (09:18 +0000)]
Cosmetic changes, including changing a confusing example.

9 years agoApparently, test/testtsa.com was only half done
Richard Levitte [Wed, 27 Jan 2010 01:19:12 +0000 (01:19 +0000)]
Apparently, test/testtsa.com was only half done

9 years agosize_t doesn't compare less than zero...
Richard Levitte [Wed, 27 Jan 2010 01:18:26 +0000 (01:18 +0000)]
size_t doesn't compare less than zero...

9 years agoadd CHANGES entry
Dr. Stephen Henson [Tue, 26 Jan 2010 19:48:10 +0000 (19:48 +0000)]
add CHANGES entry

9 years agoPR: 1949
Dr. Stephen Henson [Tue, 26 Jan 2010 19:46:30 +0000 (19:46 +0000)]
PR: 1949
Submitted by: steve@openssl.org

More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.

9 years agoPR: 2138
Dr. Stephen Henson [Tue, 26 Jan 2010 18:07:41 +0000 (18:07 +0000)]
PR: 2138
Submitted by: Kevin Regan <k.regan@f5.com>

Clear stat structure if -DPURIFY is set to avoid problems on some
platforms which include unitialised fields.

9 years agoAdd flags functions which were added to 0.9.8 for fips but not 1.0.0 and
Dr. Stephen Henson [Tue, 26 Jan 2010 14:33:52 +0000 (14:33 +0000)]
Add flags functions which were added to 0.9.8 for fips but not 1.0.0 and
later.

9 years agoOPENSSL_isservice is now defined on all platforms not just WIN32
Dr. Stephen Henson [Tue, 26 Jan 2010 13:58:49 +0000 (13:58 +0000)]
OPENSSL_isservice is now defined on all platforms not just WIN32

9 years agooops
Dr. Stephen Henson [Tue, 26 Jan 2010 13:56:15 +0000 (13:56 +0000)]
oops

9 years agoexport OPENSSL_isservice and make update
Dr. Stephen Henson [Tue, 26 Jan 2010 13:55:33 +0000 (13:55 +0000)]
export OPENSSL_isservice and make update

9 years agoTypo
Dr. Stephen Henson [Tue, 26 Jan 2010 12:29:48 +0000 (12:29 +0000)]
Typo

9 years agoPR: 2149
Dr. Stephen Henson [Mon, 25 Jan 2010 16:07:51 +0000 (16:07 +0000)]
PR: 2149
Submitted by: Douglas Stebila <douglas@stebila.ca>

Fix wap OIDs.

9 years agoThere's really no need to use $ENV::HOME
Richard Levitte [Mon, 25 Jan 2010 00:22:52 +0000 (00:22 +0000)]
There's really no need to use $ENV::HOME

9 years agoForgot to correct the definition of __arch in this file.
Richard Levitte [Mon, 25 Jan 2010 00:21:14 +0000 (00:21 +0000)]
Forgot to correct the definition of __arch in this file.
Submitted by Steven M. Schweda <sms@antinode.info>

9 years agoIt seems like sslroot: needs to be defined for some tests to work.
Richard Levitte [Mon, 25 Jan 2010 00:20:32 +0000 (00:20 +0000)]
It seems like sslroot: needs to be defined for some tests to work.
Submitted by Steven M. Schweda <sms@antinode.info>

9 years agoCompile t1_reneg on VMS as well.
Richard Levitte [Mon, 25 Jan 2010 00:19:33 +0000 (00:19 +0000)]
Compile t1_reneg on VMS as well.
Submitted by Steven M. Schweda <sms@antinode.info>

9 years agoA few more macros for long symbols.
Richard Levitte [Mon, 25 Jan 2010 00:18:31 +0000 (00:18 +0000)]
A few more macros for long symbols.
Submitted by Steven M. Schweda <sms@antinode.info>

9 years agoPR: 2153, 2125
Dr. Stephen Henson [Sun, 24 Jan 2010 16:57:38 +0000 (16:57 +0000)]
PR: 2153, 2125
Submitted by: steve@openssl.org

The original fix for PR#2125 broke compilation on some Unixware platforms:
revert and make conditional on VMS.

9 years agoThe fix for PR#1949 unfortunately broke cases where the BIO_CTRL_WPENDING
Dr. Stephen Henson [Sun, 24 Jan 2010 13:54:07 +0000 (13:54 +0000)]
The fix for PR#1949 unfortunately broke cases where the BIO_CTRL_WPENDING
ctrl is incorrectly implemented (e.g. some versions of Apache). As a workaround
call both BIO_CTRL_INFO and BIO_CTRL_WPENDING if it returns zero. This should
both address the original bug and retain compatibility with the old behaviour.

9 years agoTolerate PKCS#8 DSA format with negative private key.
Dr. Stephen Henson [Fri, 22 Jan 2010 20:17:30 +0000 (20:17 +0000)]
Tolerate PKCS#8 DSA format with negative private key.

9 years agoIf legacy renegotiation is not permitted then send a fatal alert if a patched
Dr. Stephen Henson [Fri, 22 Jan 2010 18:49:19 +0000 (18:49 +0000)]
If legacy renegotiation is not permitted then send a fatal alert if a patched
server attempts to renegotiate with an unpatched client.

9 years agotypo
Dr. Stephen Henson [Thu, 21 Jan 2010 18:46:28 +0000 (18:46 +0000)]
typo

9 years agofix comments
Dr. Stephen Henson [Thu, 21 Jan 2010 01:17:45 +0000 (01:17 +0000)]
fix comments

9 years agoupdate version for next beta if we have one...
Dr. Stephen Henson [Wed, 20 Jan 2010 15:40:27 +0000 (15:40 +0000)]
update version for next beta if we have one...

9 years agomake update OpenSSL_1_0_0-beta5
Dr. Stephen Henson [Wed, 20 Jan 2010 15:05:52 +0000 (15:05 +0000)]
make update

9 years agoPrepare for beta5 release
Dr. Stephen Henson [Wed, 20 Jan 2010 15:00:49 +0000 (15:00 +0000)]
Prepare for beta5 release

9 years agoUpdate demo
Dr. Stephen Henson [Wed, 20 Jan 2010 14:05:56 +0000 (14:05 +0000)]
Update demo

9 years agoSupport -L options in VC++ link.
Dr. Stephen Henson [Wed, 20 Jan 2010 14:04:55 +0000 (14:04 +0000)]
Support -L options in VC++ link.

9 years agorand_win.c: handel GetTickCount wrap-around [from HEAD].
Andy Polyakov [Tue, 19 Jan 2010 21:44:07 +0000 (21:44 +0000)]
rand_win.c: handel GetTickCount wrap-around [from HEAD].

9 years agox86_64-xlate.pl: refine sign extension logic when handling lea [from HEAD].
Andy Polyakov [Tue, 19 Jan 2010 21:43:05 +0000 (21:43 +0000)]
x86_64-xlate.pl: refine sign extension logic when handling lea [from HEAD].
PR: 2094,2095

9 years agos390x assembler update: add support for run-time facility detection [from HEAD].
Andy Polyakov [Tue, 19 Jan 2010 21:40:58 +0000 (21:40 +0000)]
s390x assembler update: add support for run-time facility detection [from HEAD].

9 years agoThe use of NIDs in the password based encryption table can result in
Dr. Stephen Henson [Tue, 19 Jan 2010 19:55:47 +0000 (19:55 +0000)]
The use of NIDs in the password based encryption table can result in
algorithms not found when an application uses PKCS#12 and only calls
SSL_library_init() instead of OpenSSL_add_all_algorithms(). Simple
work around is to add the missing algorithm (40 bit RC2) in
SSL_library_init().

9 years agoPR: 2141
Dr. Stephen Henson [Tue, 19 Jan 2010 19:28:03 +0000 (19:28 +0000)]
PR: 2141
Submitted by: "NARUSE, Yui" <naruse@airemix.jp>

Remove non-ASCII comment which causes compilation errors on some versions
of VC++.

9 years agostop asn1test compilation producing link errors
Dr. Stephen Henson [Tue, 19 Jan 2010 19:25:16 +0000 (19:25 +0000)]
stop asn1test compilation producing link errors

9 years agoPR: 2144
Dr. Stephen Henson [Tue, 19 Jan 2010 19:11:21 +0000 (19:11 +0000)]
PR: 2144
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Better fix for PR#2144

9 years agoReverted patch for PR#2095. Addressed by Andy now in x86_64-xlate.pl
Dr. Stephen Henson [Sun, 17 Jan 2010 16:58:56 +0000 (16:58 +0000)]
Reverted patch for PR#2095. Addressed by Andy now in x86_64-xlate.pl

9 years agoPR: 2135
Dr. Stephen Henson [Sat, 16 Jan 2010 20:06:10 +0000 (20:06 +0000)]
PR: 2135
Submitted by: Mike Frysinger <vapier@gentoo.org>

Change missed references to lib to $(LIBDIR)

9 years agoPR: 2144
Dr. Stephen Henson [Sat, 16 Jan 2010 19:45:59 +0000 (19:45 +0000)]
PR: 2144
Submitted by: steve@openssl.org

Fix DTLS connection so new_session is reset if we read second client hello:
new_session is used to detect renegotiation.

9 years agoPR: 2133
Dr. Stephen Henson [Sat, 16 Jan 2010 19:20:38 +0000 (19:20 +0000)]
PR: 2133
Submitted by: steve@openssl.org

Add missing DTLS state strings.

9 years agoFix type-checking/casting issue.
Ben Laurie [Sat, 16 Jan 2010 13:32:14 +0000 (13:32 +0000)]
Fix type-checking/casting issue.

9 years agoconvert to Unix EOL form
Dr. Stephen Henson [Fri, 15 Jan 2010 15:26:32 +0000 (15:26 +0000)]
convert to Unix EOL form

9 years agoPR: 2125
Dr. Stephen Henson [Thu, 14 Jan 2010 17:51:52 +0000 (17:51 +0000)]
PR: 2125
Submitted by: "Alon Bar-Lev" <alon.barlev@gmail.com>

Fix gcc-aix compilation issue.

9 years agoFix version handling so it can cope with a major version >3.
Dr. Stephen Henson [Wed, 13 Jan 2010 19:08:29 +0000 (19:08 +0000)]
Fix version handling so it can cope with a major version >3.

Although it will be many years before TLS v2.0 or later appears old versions
of servers have a habit of hanging around for a considerable time so best
if we handle this properly now.

9 years agoModify compression code so it avoids using ex_data free functions. This
Dr. Stephen Henson [Wed, 13 Jan 2010 18:46:01 +0000 (18:46 +0000)]
Modify compression code so it avoids using ex_data free functions. This
stops applications that call CRYPTO_free_all_ex_data() prematurely leaking
memory.

9 years agoupdate ordinals
Dr. Stephen Henson [Tue, 12 Jan 2010 17:33:59 +0000 (17:33 +0000)]
update ordinals

9 years agoPR: 2136
Dr. Stephen Henson [Tue, 12 Jan 2010 17:27:11 +0000 (17:27 +0000)]
PR: 2136
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>

Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0

9 years agomake update
Dr. Stephen Henson [Tue, 12 Jan 2010 01:59:11 +0000 (01:59 +0000)]
make update

9 years agoSimplify RI+SCSV logic:
Dr. Stephen Henson [Thu, 7 Jan 2010 19:05:03 +0000 (19:05 +0000)]
Simplify RI+SCSV logic:

1. Send SCSV is not renegotiating, never empty RI.
2. Send RI if renegotiating.

9 years agob_sock.c: bind/connect are picky about socket address length [from HEAD].
Andy Polyakov [Thu, 7 Jan 2010 13:15:39 +0000 (13:15 +0000)]
b_sock.c: bind/connect are picky about socket address length [from HEAD].

9 years agosendto is reportedly picky about destination socket address length [from HEAD].
Andy Polyakov [Thu, 7 Jan 2010 10:44:21 +0000 (10:44 +0000)]
sendto is reportedly picky about destination socket address length [from HEAD].
PR: 2114
Submitted by: Robin Seggelmann

9 years agoFix compilation on older Linux [from HEAD].
Andy Polyakov [Wed, 6 Jan 2010 21:25:22 +0000 (21:25 +0000)]
Fix compilation on older Linux [from HEAD].

9 years agoUpdates to conform with draft-ietf-tls-renegotiation-03.txt:
Dr. Stephen Henson [Wed, 6 Jan 2010 17:37:38 +0000 (17:37 +0000)]
Updates to conform with draft-ietf-tls-renegotiation-03.txt:

1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.

9 years agoENGINE_load_capi() now exists on all platforms (but no op on non-WIN32)
Dr. Stephen Henson [Wed, 6 Jan 2010 13:20:52 +0000 (13:20 +0000)]
ENGINE_load_capi() now exists on all platforms (but no op on non-WIN32)

9 years agoPR: 2102
Dr. Stephen Henson [Tue, 5 Jan 2010 17:58:15 +0000 (17:58 +0000)]
PR: 2102
Submitted by: John Fitzgibbon <john_fitzgibbon@yahoo.com>

Remove duplicate definitions.

9 years agoTypo
Dr. Stephen Henson [Tue, 5 Jan 2010 17:50:01 +0000 (17:50 +0000)]
Typo

9 years agoPR: 2132
Dr. Stephen Henson [Tue, 5 Jan 2010 17:33:09 +0000 (17:33 +0000)]
PR: 2132
Submitted by: steve

Fix bundled pod2man.pl to handle alternative comment formats.

9 years agoRemove tabs on blank lines: they produce warnings in pod2man
Dr. Stephen Henson [Tue, 5 Jan 2010 17:17:20 +0000 (17:17 +0000)]
Remove tabs on blank lines: they produce warnings in pod2man

9 years agocompress_meth should be unsigned
Dr. Stephen Henson [Tue, 5 Jan 2010 16:46:39 +0000 (16:46 +0000)]
compress_meth should be unsigned

9 years agoClient side compression algorithm sanity checks: ensure old compression
Dr. Stephen Henson [Fri, 1 Jan 2010 14:39:51 +0000 (14:39 +0000)]
Client side compression algorithm sanity checks: ensure old compression
algorithm matches current and give error if compression is disabled and
server requests it (shouldn't happen unless server is broken).

9 years agoCompression handling on session resume was badly broken: it always
Dr. Stephen Henson [Fri, 1 Jan 2010 00:44:36 +0000 (00:44 +0000)]
Compression handling on session resume was badly broken: it always
used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).

9 years agob_sock.c: correct indirect calls on WinSock platforms [from HEAD].
Andy Polyakov [Wed, 30 Dec 2009 12:56:16 +0000 (12:56 +0000)]
b_sock.c: correct indirect calls on WinSock platforms [from HEAD].
PR: 2130
Submitted by: Eugeny Gostyukhin

9 years agoAdapt mingw config for newer mingw environment [from HEAD].
Andy Polyakov [Wed, 30 Dec 2009 11:57:39 +0000 (11:57 +0000)]
Adapt mingw config for newer mingw environment [from HEAD].
PR: 2113

9 years agosha512.c update for esoteric PPC platfrom(s) [from HEAD].
Andy Polyakov [Wed, 30 Dec 2009 11:53:33 +0000 (11:53 +0000)]
sha512.c update for esoteric PPC platfrom(s) [from HEAD].
PR: 1998

9 years agoDeploy multilib config-line parameter [from HEAD].
Andy Polyakov [Tue, 29 Dec 2009 10:46:46 +0000 (10:46 +0000)]
Deploy multilib config-line parameter [from HEAD].

9 years agoTypo
Dr. Stephen Henson [Sun, 27 Dec 2009 23:03:25 +0000 (23:03 +0000)]
Typo

9 years agoUpdate RI to match latest spec.
Dr. Stephen Henson [Sun, 27 Dec 2009 22:59:09 +0000 (22:59 +0000)]
Update RI to match latest spec.

MCSV is now called SCSV.

Don't send SCSV if renegotiating.

Also note if RI is empty in debug messages.

9 years agoTraditional Yuletide commit ;-)
Dr. Stephen Henson [Fri, 25 Dec 2009 14:12:24 +0000 (14:12 +0000)]
Traditional Yuletide commit ;-)

Add Triple DES CFB1 and CFB8 to algorithm list and NID translation.

9 years agoUse properly local variables for thread-safety.
Bodo Möller [Tue, 22 Dec 2009 11:52:15 +0000 (11:52 +0000)]
Use properly local variables for thread-safety.

Submitted by: Martin Rex

9 years agoConstify crypto/cast.
Bodo Möller [Tue, 22 Dec 2009 11:45:59 +0000 (11:45 +0000)]
Constify crypto/cast.

9 years agoConstify crypto/cast.
Bodo Möller [Tue, 22 Dec 2009 10:58:01 +0000 (10:58 +0000)]
Constify crypto/cast.

9 years agoAlert to use is now defined in spec: update code
Dr. Stephen Henson [Thu, 17 Dec 2009 15:42:43 +0000 (15:42 +0000)]
Alert to use is now defined in spec: update code

9 years agoPR: 2127
Dr. Stephen Henson [Thu, 17 Dec 2009 15:28:45 +0000 (15:28 +0000)]
PR: 2127
Submitted by: Tomas Mraz <tmraz@redhat.com>

Check for lookup failures in EVP_PBE_CipherInit().

9 years agoOoops revert stuff which shouldn't have been part of previous commit.
Dr. Stephen Henson [Wed, 16 Dec 2009 20:33:11 +0000 (20:33 +0000)]
Ooops revert stuff which shouldn't have been part of previous commit.

9 years agoNew option to enable/disable connection to unpatched servers
Dr. Stephen Henson [Wed, 16 Dec 2009 20:28:30 +0000 (20:28 +0000)]
New option to enable/disable connection to unpatched servers

9 years agoAllow initial connection (but no renegoriation) to servers which don't support
Dr. Stephen Henson [Mon, 14 Dec 2009 13:55:39 +0000 (13:55 +0000)]
Allow initial connection (but no renegoriation) to servers which don't support
RI.

Reorganise RI checking code and handle some missing cases.

9 years agoMissing error code.
Ben Laurie [Sat, 12 Dec 2009 15:57:53 +0000 (15:57 +0000)]
Missing error code.