openssl.git
Dr. Stephen Henson [Mon, 1 Mar 2010 23:54:47 +0000 (23:54 +0000)]
PR: 2178
Submitted by: "Kennedy, Brendan" <brendan.kennedy@intel.com>

Handle error codes correctly: cryptodev returns 0 for success whereas OpenSSL
returns 1.

Dr. Stephen Henson [Mon, 1 Mar 2010 14:22:21 +0000 (14:22 +0000)]
use supplied ENGINE in genrsa

Dr. Stephen Henson [Mon, 1 Mar 2010 03:01:27 +0000 (03:01 +0000)]
oops, reinstate correct prototype

Dr. Stephen Henson [Mon, 1 Mar 2010 01:53:34 +0000 (01:53 +0000)]
'typo'

Dr. Stephen Henson [Mon, 1 Mar 2010 01:19:18 +0000 (01:19 +0000)]
make USE_CRYPTODEV_DIGESTS work

Dr. Stephen Henson [Mon, 1 Mar 2010 00:40:10 +0000 (00:40 +0000)]
load cryptodev if HAVE_CRYPTODEV is set too

Dr. Stephen Henson [Mon, 1 Mar 2010 00:37:58 +0000 (00:37 +0000)]
update cryptodev to match 1.0.0 stable branch version

Ben Laurie [Sun, 28 Feb 2010 14:22:56 +0000 (14:22 +0000)]
Fix warnings (note that gcc 4.2 has a bug that makes one of its
warnings hard to fix without major surgery).

Dr. Stephen Henson [Sun, 28 Feb 2010 00:24:04 +0000 (00:24 +0000)]
algorithms field has changed in 1.0.0 and later: update

Dr. Stephen Henson [Sat, 27 Feb 2010 23:03:26 +0000 (23:03 +0000)]
oops, revert verify.c change

Dr. Stephen Henson [Sat, 27 Feb 2010 23:02:41 +0000 (23:02 +0000)]
Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and
1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."

Dr. Stephen Henson [Fri, 26 Feb 2010 19:38:33 +0000 (19:38 +0000)]
include TVS 1.1 version string

Dr. Stephen Henson [Fri, 26 Feb 2010 14:41:58 +0000 (14:41 +0000)]
Revert CFB block length change. Despite what SP800-38a says the input to
CFB mode does *not* have to be a multiple of the block length and several
other specifications (e.g. PKCS#11) do not require this.

Dr. Stephen Henson [Fri, 26 Feb 2010 12:13:36 +0000 (12:13 +0000)]
oops, use correct date

Dr. Stephen Henson [Thu, 25 Feb 2010 18:20:30 +0000 (18:20 +0000)]
update NEWS

Dr. Stephen Henson [Thu, 25 Feb 2010 18:18:46 +0000 (18:18 +0000)]
update FAQ

Dr. Stephen Henson [Thu, 25 Feb 2010 12:21:48 +0000 (12:21 +0000)]
add -trusted_first option and verify flag

Dr. Stephen Henson [Thu, 25 Feb 2010 11:18:26 +0000 (11:18 +0000)]
tidy verify code. xn not used any more and check for self signed more efficiently

Dr. Stephen Henson [Thu, 25 Feb 2010 00:17:22 +0000 (00:17 +0000)]
Experimental support for partial chain verification: if an intermediate
certificate is explicitly trusted (using -addtrust option to x509 utility
for example) the verification is successful even if the chain is not complete.

Dr. Stephen Henson [Thu, 25 Feb 2010 00:11:32 +0000 (00:11 +0000)]
allow setting of verify names in command line utilities and print out verify names in verify utility

Dr. Stephen Henson [Thu, 25 Feb 2010 00:08:23 +0000 (00:08 +0000)]
verify parameter enumeration functions

Dr. Stephen Henson [Thu, 25 Feb 2010 00:01:38 +0000 (00:01 +0000)]
Include self-signed flag in certificates by checking SKID/AKID as well
as issuer and subject names. Although this is an incompatible change
it should have little impact in practice because self-issued certificates
that are not self-signed are rarely encountered.

Dr. Stephen Henson [Wed, 24 Feb 2010 15:53:58 +0000 (15:53 +0000)]
add anyExtendedKeyUsage OID

Dr. Stephen Henson [Wed, 24 Feb 2010 15:24:19 +0000 (15:24 +0000)]
prevent warning

Andy Polyakov [Tue, 23 Feb 2010 16:51:24 +0000 (16:51 +0000)]
Reserve for option to implement AES counter in assembler.

Andy Polyakov [Tue, 23 Feb 2010 16:48:41 +0000 (16:48 +0000)]
Add AES counter mode to EVP.

Andy Polyakov [Tue, 23 Feb 2010 16:47:17 +0000 (16:47 +0000)]
Add assigned OIDs, as well as "anonymous" ones for AES counter mode.

Dr. Stephen Henson [Tue, 23 Feb 2010 14:09:09 +0000 (14:09 +0000)]
The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in
the verify application documentation.

Bodo Möller [Tue, 23 Feb 2010 10:36:35 +0000 (10:36 +0000)]
Always check bn_wexpand() return values for failure (CVE-2009-3245).

(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)

Submitted by: Neel Mehta

Bodo Möller [Fri, 19 Feb 2010 18:27:07 +0000 (18:27 +0000)]
Fix X509_STORE locking

Dr. Stephen Henson [Thu, 18 Feb 2010 12:41:33 +0000 (12:41 +0000)]
clarify documentation

Dr. Stephen Henson [Wed, 17 Feb 2010 19:43:56 +0000 (19:43 +0000)]
OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved

Dr. Stephen Henson [Wed, 17 Feb 2010 18:38:31 +0000 (18:38 +0000)]
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.

Dr. Stephen Henson [Wed, 17 Feb 2010 14:32:41 +0000 (14:32 +0000)]
PR: 2100
Submitted by: James Baker <jbaker@tableausoftware.com> et al.

Workaround for slow Heap32Next on some versions of Windows.

Dr. Stephen Henson [Tue, 16 Feb 2010 14:30:29 +0000 (14:30 +0000)]
Submitted by: Dmitry Ivanov <vonami@gmail.com>

Don't leave dangling pointers in GOST engine if calls fail.

Dr. Stephen Henson [Tue, 16 Feb 2010 14:21:11 +0000 (14:21 +0000)]
PR: 2171
Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.

Also can now use SSL2 compatible client hello because RFC5746 supports it.

Dr. Stephen Henson [Mon, 15 Feb 2010 19:40:16 +0000 (19:40 +0000)]
The "block length" for CFB mode was incorrectly coded as 1 all the time. It
should be the number of feedback bits expressed in bytes. For CFB1 mode set
this to 1 by rounding up to the nearest multiple of 8.

Dr. Stephen Henson [Mon, 15 Feb 2010 19:26:02 +0000 (19:26 +0000)]
Correct ECB mode EVP_CIPHER definition: IV length is 0

Dr. Stephen Henson [Mon, 15 Feb 2010 19:20:13 +0000 (19:20 +0000)]
add EVP_CIPH_FLAG_LENGTH_BITS from 0.9.8-stable

Dr. Stephen Henson [Mon, 15 Feb 2010 19:00:12 +0000 (19:00 +0000)]
PR: 2164
Submitted by: "Noszticzius, Istvan" <inoszticzius@rightnow.com>

Don't clear the output buffer: ciphers should correctly handle the same input
and output buffers.

Dr. Stephen Henson [Fri, 12 Feb 2010 21:59:31 +0000 (21:59 +0000)]
update references to new RI RFC

Dr. Stephen Henson [Fri, 12 Feb 2010 17:07:16 +0000 (17:07 +0000)]
PR: 2170
Submitted by: Magnus Lilja <lilja.magnus@gmail.com>

Make -c option in dgst work again.

Dr. Stephen Henson [Tue, 9 Feb 2010 14:17:14 +0000 (14:17 +0000)]
Fix memory leak in ENGINE autoconfig code. Improve error logging.

Dr. Stephen Henson [Tue, 9 Feb 2010 14:12:49 +0000 (14:12 +0000)]
update year

Dr. Stephen Henson [Mon, 8 Feb 2010 16:31:28 +0000 (16:31 +0000)]
Use supplied ENGINE when initialising CMAC. Restore pctx setting.

Dr. Stephen Henson [Mon, 8 Feb 2010 15:34:02 +0000 (15:34 +0000)]
add cvsignore

Dr. Stephen Henson [Mon, 8 Feb 2010 15:33:23 +0000 (15:33 +0000)]
Make update.

Dr. Stephen Henson [Mon, 8 Feb 2010 15:31:35 +0000 (15:31 +0000)]
Make CMAC API similar to HMAC API. Add methods for CMAC.

Dr. Stephen Henson [Sun, 7 Feb 2010 18:01:07 +0000 (18:01 +0000)]
Initial experimental CMAC implementation.

Dr. Stephen Henson [Sun, 7 Feb 2010 13:54:30 +0000 (13:54 +0000)]
make update

Dr. Stephen Henson [Sun, 7 Feb 2010 13:50:36 +0000 (13:50 +0000)]
oops, use new value for new flag

Dr. Stephen Henson [Sun, 7 Feb 2010 13:39:39 +0000 (13:39 +0000)]
Add missing function EVP_CIPHER_CTX_copy(). Current code uses memcpy() to copy
an EVP_CIPHER_CTX structure which may have problems with external ENGINEs
who need to duplicate internal handles etc.

Dr. Stephen Henson [Wed, 3 Feb 2010 18:19:22 +0000 (18:19 +0000)]
don't assume 0x is at start of string

Dr. Stephen Henson [Tue, 2 Feb 2010 14:30:39 +0000 (14:30 +0000)]
tolerate broken CMS/PKCS7 implementations using signature OID instead of digest

Dr. Stephen Henson [Tue, 2 Feb 2010 13:35:27 +0000 (13:35 +0000)]
PR: 2161
Submitted by: Doug Goldstein <cardoe@gentoo.org>, Steve.

Make no-dsa, no-ecdsa and no-rsa compile again.

Dr. Stephen Henson [Mon, 1 Feb 2010 16:51:09 +0000 (16:51 +0000)]
PR: 2160
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Make session tickets work with DTLS.

Dr. Stephen Henson [Mon, 1 Feb 2010 12:43:45 +0000 (12:43 +0000)]
PR: 2159
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Typo in PR#1949 bug, oops!

Richard Levitte [Fri, 29 Jan 2010 12:07:46 +0000 (12:07 +0000)]
Typo.

Richard Levitte [Fri, 29 Jan 2010 12:02:50 +0000 (12:02 +0000)]
The previous take went wrong, try again.

Richard Levitte [Fri, 29 Jan 2010 11:44:36 +0000 (11:44 +0000)]
Architecture specific header files need special handling.

Richard Levitte [Fri, 29 Jan 2010 11:43:50 +0000 (11:43 +0000)]
If opensslconf.h and buildinf.h are to be in an architecture specific
directory, place it in the same tree as the other architecture
specific things.

Dr. Stephen Henson [Fri, 29 Jan 2010 00:09:33 +0000 (00:09 +0000)]
typo

Dr. Stephen Henson [Thu, 28 Jan 2010 19:48:36 +0000 (19:48 +0000)]
Experimental renegotiation support in s_server test -www server.

Dr. Stephen Henson [Thu, 28 Jan 2010 17:49:25 +0000 (17:49 +0000)]
In engine_table_select() don't clear out entire error queue: just clear
out any we added using ERR_set_mark() and ERR_pop_to_mark() otherwise
errors from other sources (e.g. SSL library) can be wiped.

Dr. Stephen Henson [Thu, 28 Jan 2010 16:48:39 +0000 (16:48 +0000)]
oops revert test code accidentally committed

Dr. Stephen Henson [Thu, 28 Jan 2010 14:17:39 +0000 (14:17 +0000)]
revert previous change

Dr. Stephen Henson [Wed, 27 Jan 2010 18:53:33 +0000 (18:53 +0000)]
reword RI description

Dr. Stephen Henson [Wed, 27 Jan 2010 17:49:33 +0000 (17:49 +0000)]
revert wrongly committed test code

Dr. Stephen Henson [Wed, 27 Jan 2010 17:46:24 +0000 (17:46 +0000)]
update documentation to reflect new renegotiation options

Dr. Stephen Henson [Wed, 27 Jan 2010 16:07:17 +0000 (16:07 +0000)]
Some shells print out the directory name if CDPATH is set breaking the
pod2man test. Use ./util instead to avoid this.

Dr. Stephen Henson [Wed, 27 Jan 2010 14:05:39 +0000 (14:05 +0000)]
typo

Dr. Stephen Henson [Wed, 27 Jan 2010 12:54:58 +0000 (12:54 +0000)]
PR: 2157
Submitted by: "Green, Paul" <Paul.Green@stratus.com>

Typo.

Richard Levitte [Wed, 27 Jan 2010 09:18:42 +0000 (09:18 +0000)]
Have the VMS build system catch up with the 1.0.0-stable branch.

Richard Levitte [Wed, 27 Jan 2010 01:19:07 +0000 (01:19 +0000)]
Apparently, test/testtsa.com was only half done

Richard Levitte [Wed, 27 Jan 2010 01:18:21 +0000 (01:18 +0000)]
size_t doesn't compare less than zero...

Dr. Stephen Henson [Tue, 26 Jan 2010 19:47:37 +0000 (19:47 +0000)]
PR: 1949
Submitted by: steve@openssl.org

More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.

Dr. Stephen Henson [Tue, 26 Jan 2010 18:07:26 +0000 (18:07 +0000)]
PR: 2138
Submitted by: Kevin Regan <k.regan@f5.com>

Clear stat structure if -DPURIFY is set to avoid problems on some
platforms which include uninitialised fields.

Dr. Stephen Henson [Tue, 26 Jan 2010 14:29:06 +0000 (14:29 +0000)]
Add flags functions which were added to 0.9.8 for fips but not 1.0.0 and
later.

Dr. Stephen Henson [Tue, 26 Jan 2010 13:59:32 +0000 (13:59 +0000)]
OPENSSL_isservice is now defined on all platforms not just WIN32

Dr. Stephen Henson [Tue, 26 Jan 2010 13:52:36 +0000 (13:52 +0000)]
export OPENSSL_isservice and make update

Dr. Stephen Henson [Tue, 26 Jan 2010 12:30:00 +0000 (12:30 +0000)]
Typo

Andy Polyakov [Mon, 25 Jan 2010 23:12:00 +0000 (23:12 +0000)]
parisc-mont.pl: PA-RISC 2.0 code path optimization based on instruction-level
profiling data resulted in almost 50% performance improvement.
PA-RISC 1.1 is also reordered in same manner, mostly to be consistent,
as no gain was observed, not on PA-7100LC.

Dr. Stephen Henson [Mon, 25 Jan 2010 16:07:42 +0000 (16:07 +0000)]
PR: 2149
Submitted by: Douglas Stebila <douglas@stebila.ca>

Fix wap OIDs.

Richard Levitte [Mon, 25 Jan 2010 00:22:57 +0000 (00:22 +0000)]
There's really no need to use $ENV::HOME

Richard Levitte [Mon, 25 Jan 2010 00:21:12 +0000 (00:21 +0000)]
Forgot to correct the definition of __arch in this file.
Submitted by Steven M. Schweda <sms@antinode.info>

Richard Levitte [Mon, 25 Jan 2010 00:20:29 +0000 (00:20 +0000)]
It seems like sslroot: needs to be defined for some tests to work.
Submitted by Steven M. Schweda <sms@antinode.info>

Richard Levitte [Mon, 25 Jan 2010 00:19:31 +0000 (00:19 +0000)]
Compile t1_reneg on VMS as well.
Submitted by Steven M. Schweda <sms@antinode.info>

Richard Levitte [Mon, 25 Jan 2010 00:18:29 +0000 (00:18 +0000)]
A few more macros for long symbols.
Submitted by Steven M. Schweda <sms@antinode.info>

Andy Polyakov [Sun, 24 Jan 2010 17:08:52 +0000 (17:08 +0000)]
ia64cpuid.S: OPENSSL_cleanse to accept zero length parameter.

Dr. Stephen Henson [Sun, 24 Jan 2010 16:57:20 +0000 (16:57 +0000)]
PR: 2153, 2125
Submitted by: steve@openssl.org

The original fix for PR#2125 broke compilation on some Unixware platforms:
revert and make conditional on VMS.

Andy Polyakov [Sun, 24 Jan 2010 15:04:28 +0000 (15:04 +0000)]
pariscid.pl: OPENSSL_cleanse to compile on PA-RISC 2.0W and to accept zero
length parameter.

Andy Polyakov [Sun, 24 Jan 2010 14:54:24 +0000 (14:54 +0000)]
OPENSSL_cleanse to accept zero length parameter [matching C implementation].

Dr. Stephen Henson [Sun, 24 Jan 2010 13:54:20 +0000 (13:54 +0000)]
The fix for PR#1949 unfortunately broke cases where the BIO_CTRL_WPENDING
ctrl is incorrectly implemented (e.g. some versions of Apache). As a workaround
call both BIO_CTRL_INFO and BIO_CTRL_WPENDING if it returns zero. This should
both address the original bug and retain compatibility with the old behaviour.

Dr. Stephen Henson [Fri, 22 Jan 2010 20:17:12 +0000 (20:17 +0000)]
Tolerate PKCS#8 DSA format with negative private key.

Dr. Stephen Henson [Fri, 22 Jan 2010 18:49:34 +0000 (18:49 +0000)]
If legacy renegotiation is not permitted then send a fatal alert if a patched
server attempts to renegotiate with an unpatched client.

Dr. Stephen Henson [Thu, 21 Jan 2010 18:46:15 +0000 (18:46 +0000)]
typo

Dr. Stephen Henson [Thu, 21 Jan 2010 01:17:17 +0000 (01:17 +0000)]
fix comments

Dr. Stephen Henson [Wed, 20 Jan 2010 17:59:53 +0000 (17:59 +0000)]
oops

Dr. Stephen Henson [Wed, 20 Jan 2010 17:56:34 +0000 (17:56 +0000)]
update NEWS file

Dr. Stephen Henson [Wed, 20 Jan 2010 14:06:21 +0000 (14:06 +0000)]
Update demo