Richard Levitte [Fri, 29 Jan 2010 11:43:53 +0000 (11:43 +0000)]
If opensslconf.h and buildinf.h are to be in an architecture specific
directory, place it in the same tree as the other architecture
specific things.
Dr. Stephen Henson [Thu, 28 Jan 2010 17:52:18 +0000 (17:52 +0000)]
oops, revert more test code arghh!
Dr. Stephen Henson [Thu, 28 Jan 2010 17:50:23 +0000 (17:50 +0000)]
In engine_table_select() don't clear out entire error queue: just clear
out any we added using ERR_set_mark() and ERR_pop_to_mark() otherwise
errors from other sources (e.g. SSL library) can be wiped.
Dr. Stephen Henson [Wed, 27 Jan 2010 18:53:49 +0000 (18:53 +0000)]
reword RI description
Dr. Stephen Henson [Wed, 27 Jan 2010 17:50:20 +0000 (17:50 +0000)]
update documentation to reflect new renegotiation options
Dr. Stephen Henson [Wed, 27 Jan 2010 16:06:58 +0000 (16:06 +0000)]
Some shells print out the directory name if CDPATH is set breaking the
pod2man test. Use ./util instead to avoid this.
Dr. Stephen Henson [Wed, 27 Jan 2010 14:05:15 +0000 (14:05 +0000)]
typo
Dr. Stephen Henson [Wed, 27 Jan 2010 12:55:52 +0000 (12:55 +0000)]
PR: 2157
Submitted by: "Green, Paul" <Paul.Green@stratus.com>
Typo.
Richard Levitte [Wed, 27 Jan 2010 09:18:05 +0000 (09:18 +0000)]
Cosmetic changes, including changing a confusing example.
Richard Levitte [Wed, 27 Jan 2010 01:19:12 +0000 (01:19 +0000)]
Apparently, test/testtsa.com was only half done
Richard Levitte [Wed, 27 Jan 2010 01:18:26 +0000 (01:18 +0000)]
size_t doesn't compare less than zero...
Dr. Stephen Henson [Tue, 26 Jan 2010 19:48:10 +0000 (19:48 +0000)]
add CHANGES entry
Dr. Stephen Henson [Tue, 26 Jan 2010 19:46:30 +0000 (19:46 +0000)]
PR: 1949
Submitted by: steve@openssl.org
More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.
Dr. Stephen Henson [Tue, 26 Jan 2010 18:07:41 +0000 (18:07 +0000)]
PR: 2138
Submitted by: Kevin Regan <k.regan@f5.com>
Clear stat structure if -DPURIFY is set to avoid problems on some
platforms which include uninitialised fields.
Dr. Stephen Henson [Tue, 26 Jan 2010 14:33:52 +0000 (14:33 +0000)]
Add flags functions which were added to 0.9.8 for fips but not 1.0.0 and
later.
Dr. Stephen Henson [Tue, 26 Jan 2010 13:58:49 +0000 (13:58 +0000)]
OPENSSL_isservice is now defined on all platforms not just WIN32
Dr. Stephen Henson [Tue, 26 Jan 2010 13:56:15 +0000 (13:56 +0000)]
oops
Dr. Stephen Henson [Tue, 26 Jan 2010 13:55:33 +0000 (13:55 +0000)]
export OPENSSL_isservice and make update
Dr. Stephen Henson [Tue, 26 Jan 2010 12:29:48 +0000 (12:29 +0000)]
Typo
Dr. Stephen Henson [Mon, 25 Jan 2010 16:07:51 +0000 (16:07 +0000)]
PR: 2149
Submitted by: Douglas Stebila <douglas@stebila.ca>
Fix wap OIDs.
Richard Levitte [Mon, 25 Jan 2010 00:22:52 +0000 (00:22 +0000)]
There's really no need to use $ENV::HOME
Richard Levitte [Mon, 25 Jan 2010 00:21:14 +0000 (00:21 +0000)]
Forgot to correct the definition of __arch in this file.
Submitted by Steven M. Schweda <sms@antinode.info>
Richard Levitte [Mon, 25 Jan 2010 00:20:32 +0000 (00:20 +0000)]
It seems like sslroot: needs to be defined for some tests to work.
Submitted by Steven M. Schweda <sms@antinode.info>
Richard Levitte [Mon, 25 Jan 2010 00:19:33 +0000 (00:19 +0000)]
Compile t1_reneg on VMS as well.
Submitted by Steven M. Schweda <sms@antinode.info>
Richard Levitte [Mon, 25 Jan 2010 00:18:31 +0000 (00:18 +0000)]
A few more macros for long symbols.
Submitted by Steven M. Schweda <sms@antinode.info>
Dr. Stephen Henson [Sun, 24 Jan 2010 16:57:38 +0000 (16:57 +0000)]
PR: 2153, 2125
Submitted by: steve@openssl.org
The original fix for PR#2125 broke compilation on some Unixware platforms:
revert and make conditional on VMS.
Dr. Stephen Henson [Sun, 24 Jan 2010 13:54:07 +0000 (13:54 +0000)]
The fix for PR#1949 unfortunately broke cases where the BIO_CTRL_WPENDING
ctrl is incorrectly implemented (e.g. some versions of Apache). As a workaround
call both BIO_CTRL_INFO and BIO_CTRL_WPENDING if it returns zero. This should
both address the original bug and retain compatibility with the old behaviour.
Dr. Stephen Henson [Fri, 22 Jan 2010 20:17:30 +0000 (20:17 +0000)]
Tolerate PKCS#8 DSA format with negative private key.
Dr. Stephen Henson [Fri, 22 Jan 2010 18:49:19 +0000 (18:49 +0000)]
If legacy renegotiation is not permitted then send a fatal alert if a patched
server attempts to renegotiate with an unpatched client.
Dr. Stephen Henson [Thu, 21 Jan 2010 18:46:28 +0000 (18:46 +0000)]
typo
Dr. Stephen Henson [Thu, 21 Jan 2010 01:17:45 +0000 (01:17 +0000)]
fix comments
Dr. Stephen Henson [Wed, 20 Jan 2010 15:40:27 +0000 (15:40 +0000)]
update version for next beta if we have one...
Dr. Stephen Henson [Wed, 20 Jan 2010 15:05:52 +0000 (15:05 +0000)]
make update
Dr. Stephen Henson [Wed, 20 Jan 2010 15:00:49 +0000 (15:00 +0000)]
Prepare for beta5 release
Dr. Stephen Henson [Wed, 20 Jan 2010 14:05:56 +0000 (14:05 +0000)]
Update demo
Dr. Stephen Henson [Wed, 20 Jan 2010 14:04:55 +0000 (14:04 +0000)]
Support -L options in VC++ link.
Andy Polyakov [Tue, 19 Jan 2010 21:44:07 +0000 (21:44 +0000)]
rand_win.c: handle GetTickCount wrap-around [from HEAD].
Andy Polyakov [Tue, 19 Jan 2010 21:43:05 +0000 (21:43 +0000)]
x86_64-xlate.pl: refine sign extension logic when handling lea [from HEAD].
PR: 2094,2095
Andy Polyakov [Tue, 19 Jan 2010 21:40:58 +0000 (21:40 +0000)]
s390x assembler update: add support for run-time facility detection [from HEAD].
Dr. Stephen Henson [Tue, 19 Jan 2010 19:55:47 +0000 (19:55 +0000)]
The use of NIDs in the password based encryption table can result in
algorithms not found when an application uses PKCS#12 and only calls
SSL_library_init() instead of OpenSSL_add_all_algorithms(). Simple
work around is to add the missing algorithm (40 bit RC2) in
SSL_library_init().
Dr. Stephen Henson [Tue, 19 Jan 2010 19:28:03 +0000 (19:28 +0000)]
PR: 2141
Submitted by: "NARUSE, Yui" <naruse@airemix.jp>
Remove non-ASCII comment which causes compilation errors on some versions
of VC++.
Dr. Stephen Henson [Tue, 19 Jan 2010 19:25:16 +0000 (19:25 +0000)]
stop asn1test compilation producing link errors
Dr. Stephen Henson [Tue, 19 Jan 2010 19:11:21 +0000 (19:11 +0000)]
PR: 2144
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Better fix for PR#2144
Dr. Stephen Henson [Sun, 17 Jan 2010 16:58:56 +0000 (16:58 +0000)]
Reverted patch for PR#2095. Addressed by Andy now in x86_64-xlate.pl
Dr. Stephen Henson [Sat, 16 Jan 2010 20:06:10 +0000 (20:06 +0000)]
PR: 2135
Submitted by: Mike Frysinger <vapier@gentoo.org>
Change missed references to lib to $(LIBDIR)
Dr. Stephen Henson [Sat, 16 Jan 2010 19:45:59 +0000 (19:45 +0000)]
PR: 2144
Submitted by: steve@openssl.org
Fix DTLS connection so new_session is reset if we read second client hello:
new_session is used to detect renegotiation.
Dr. Stephen Henson [Sat, 16 Jan 2010 19:20:38 +0000 (19:20 +0000)]
PR: 2133
Submitted by: steve@openssl.org
Add missing DTLS state strings.
Ben Laurie [Sat, 16 Jan 2010 13:32:14 +0000 (13:32 +0000)]
Fix type-checking/casting issue.
Dr. Stephen Henson [Fri, 15 Jan 2010 15:26:32 +0000 (15:26 +0000)]
convert to Unix EOL form
Dr. Stephen Henson [Thu, 14 Jan 2010 17:51:52 +0000 (17:51 +0000)]
PR: 2125
Submitted by: "Alon Bar-Lev" <alon.barlev@gmail.com>
Fix gcc-aix compilation issue.
Dr. Stephen Henson [Wed, 13 Jan 2010 19:08:29 +0000 (19:08 +0000)]
Fix version handling so it can cope with a major version >3.
Although it will be many years before TLS v2.0 or later appears old versions
of servers have a habit of hanging around for a considerable time so best
if we handle this properly now.
Dr. Stephen Henson [Wed, 13 Jan 2010 18:46:01 +0000 (18:46 +0000)]
Modify compression code so it avoids using ex_data free functions. This
stops applications that call CRYPTO_free_all_ex_data() prematurely leaking
memory.
Dr. Stephen Henson [Tue, 12 Jan 2010 17:33:59 +0000 (17:33 +0000)]
update ordinals
Dr. Stephen Henson [Tue, 12 Jan 2010 17:27:11 +0000 (17:27 +0000)]
PR: 2136
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>
Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0
Dr. Stephen Henson [Tue, 12 Jan 2010 01:59:11 +0000 (01:59 +0000)]
make update
Dr. Stephen Henson [Thu, 7 Jan 2010 19:05:03 +0000 (19:05 +0000)]
Simplify RI+SCSV logic:
1. Send SCSV if not renegotiating, never empty RI.
2. Send RI if renegotiating.
Andy Polyakov [Thu, 7 Jan 2010 13:15:39 +0000 (13:15 +0000)]
b_sock.c: bind/connect are picky about socket address length [from HEAD].
Andy Polyakov [Thu, 7 Jan 2010 10:44:21 +0000 (10:44 +0000)]
sendto is reportedly picky about destination socket address length [from HEAD].
PR: 2114
Submitted by: Robin Seggelmann
Andy Polyakov [Wed, 6 Jan 2010 21:25:22 +0000 (21:25 +0000)]
Fix compilation on older Linux [from HEAD].
Dr. Stephen Henson [Wed, 6 Jan 2010 17:37:38 +0000 (17:37 +0000)]
Updates to conform with draft-ietf-tls-renegotiation-03.txt:
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.
Dr. Stephen Henson [Wed, 6 Jan 2010 13:20:52 +0000 (13:20 +0000)]
ENGINE_load_capi() now exists on all platforms (but no op on non-WIN32)
Dr. Stephen Henson [Tue, 5 Jan 2010 17:58:15 +0000 (17:58 +0000)]
PR: 2102
Submitted by: John Fitzgibbon <john_fitzgibbon@yahoo.com>
Remove duplicate definitions.
Dr. Stephen Henson [Tue, 5 Jan 2010 17:50:01 +0000 (17:50 +0000)]
Typo
Dr. Stephen Henson [Tue, 5 Jan 2010 17:33:09 +0000 (17:33 +0000)]
PR: 2132
Submitted by: steve
Fix bundled pod2man.pl to handle alternative comment formats.
Dr. Stephen Henson [Tue, 5 Jan 2010 17:17:20 +0000 (17:17 +0000)]
Remove tabs on blank lines: they produce warnings in pod2man
Dr. Stephen Henson [Tue, 5 Jan 2010 16:46:39 +0000 (16:46 +0000)]
compress_meth should be unsigned
Dr. Stephen Henson [Fri, 1 Jan 2010 14:39:51 +0000 (14:39 +0000)]
Client side compression algorithm sanity checks: ensure old compression
algorithm matches current and give error if compression is disabled and
server requests it (shouldn't happen unless server is broken).
Dr. Stephen Henson [Fri, 1 Jan 2010 00:44:36 +0000 (00:44 +0000)]
Compression handling on session resume was badly broken: it always
used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).
Andy Polyakov [Wed, 30 Dec 2009 12:56:16 +0000 (12:56 +0000)]
b_sock.c: correct indirect calls on WinSock platforms [from HEAD].
PR: 2130
Submitted by: Eugeny Gostyukhin
Andy Polyakov [Wed, 30 Dec 2009 11:57:39 +0000 (11:57 +0000)]
Adapt mingw config for newer mingw environment [from HEAD].
PR: 2113
Andy Polyakov [Wed, 30 Dec 2009 11:53:33 +0000 (11:53 +0000)]
sha512.c update for esoteric PPC platform(s) [from HEAD].
PR: 1998
Andy Polyakov [Tue, 29 Dec 2009 10:46:46 +0000 (10:46 +0000)]
Deploy multilib config-line parameter [from HEAD].
Dr. Stephen Henson [Sun, 27 Dec 2009 23:03:25 +0000 (23:03 +0000)]
Typo
Dr. Stephen Henson [Sun, 27 Dec 2009 22:59:09 +0000 (22:59 +0000)]
Update RI to match latest spec.
MCSV is now called SCSV.
Don't send SCSV if renegotiating.
Also note if RI is empty in debug messages.
Dr. Stephen Henson [Fri, 25 Dec 2009 14:12:24 +0000 (14:12 +0000)]
Traditional Yuletide commit ;-)
Add Triple DES CFB1 and CFB8 to algorithm list and NID translation.
Bodo Möller [Tue, 22 Dec 2009 11:52:15 +0000 (11:52 +0000)]
Use properly local variables for thread-safety.
Submitted by: Martin Rex
Bodo Möller [Tue, 22 Dec 2009 11:45:59 +0000 (11:45 +0000)]
Constify crypto/cast.
Bodo Möller [Tue, 22 Dec 2009 10:58:01 +0000 (10:58 +0000)]
Constify crypto/cast.
Dr. Stephen Henson [Thu, 17 Dec 2009 15:42:43 +0000 (15:42 +0000)]
Alert to use is now defined in spec: update code
Dr. Stephen Henson [Thu, 17 Dec 2009 15:28:45 +0000 (15:28 +0000)]
PR: 2127
Submitted by: Tomas Mraz <tmraz@redhat.com>
Check for lookup failures in EVP_PBE_CipherInit().
Dr. Stephen Henson [Wed, 16 Dec 2009 20:33:11 +0000 (20:33 +0000)]
Ooops revert stuff which shouldn't have been part of previous commit.
Dr. Stephen Henson [Wed, 16 Dec 2009 20:28:30 +0000 (20:28 +0000)]
New option to enable/disable connection to unpatched servers
Dr. Stephen Henson [Mon, 14 Dec 2009 13:55:39 +0000 (13:55 +0000)]
Allow initial connection (but no renegotiation) to servers which don't support
RI.
Reorganise RI checking code and handle some missing cases.
Ben Laurie [Sat, 12 Dec 2009 15:57:53 +0000 (15:57 +0000)]
Missing error code.
Ben Laurie [Sat, 12 Dec 2009 15:57:19 +0000 (15:57 +0000)]
Use gcc 4.4.
Dr. Stephen Henson [Fri, 11 Dec 2009 00:20:58 +0000 (00:20 +0000)]
Move SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION out of SSL_OP_ALL
Dr. Stephen Henson [Wed, 9 Dec 2009 18:17:09 +0000 (18:17 +0000)]
clarify docs
Dr. Stephen Henson [Wed, 9 Dec 2009 18:00:52 +0000 (18:00 +0000)]
Document option clearing functions.
Initial secure renegotiation documentation.
Dr. Stephen Henson [Wed, 9 Dec 2009 15:02:14 +0000 (15:02 +0000)]
Add patch to crypto/evp which didn't apply from PR#2124
Dr. Stephen Henson [Wed, 9 Dec 2009 15:00:20 +0000 (15:00 +0000)]
Revert lhash patch for PR#2124
Dr. Stephen Henson [Wed, 9 Dec 2009 14:53:51 +0000 (14:53 +0000)]
Check s3 is not NULL
Dr. Stephen Henson [Wed, 9 Dec 2009 13:38:20 +0000 (13:38 +0000)]
PR: 2124
Submitted by: Jan Pechanec <Jan.Pechanec@Sun.COM>
Check for memory allocation failures.
Dr. Stephen Henson [Wed, 9 Dec 2009 13:25:38 +0000 (13:25 +0000)]
Add ctrls to clear options and mode.
Change RI ctrl so it doesn't clash.
Dr. Stephen Henson [Tue, 8 Dec 2009 19:06:09 +0000 (19:06 +0000)]
Send no_renegotiation alert as required by spec.
Dr. Stephen Henson [Tue, 8 Dec 2009 13:42:32 +0000 (13:42 +0000)]
Add ctrl and macro so we can determine if peer supports secure renegotiation.
Dr. Stephen Henson [Tue, 8 Dec 2009 13:15:12 +0000 (13:15 +0000)]
Add support for magic cipher suite value (MCSV). Make secure renegotiation
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.
NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.
Change mismatch alerts to handshake_failure as required by spec.
Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
Dr. Stephen Henson [Tue, 8 Dec 2009 11:38:18 +0000 (11:38 +0000)]
PR: 2121
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Add extension support to DTLS code mainly using existing implementation for
TLS.
Dr. Stephen Henson [Wed, 2 Dec 2009 15:28:05 +0000 (15:28 +0000)]
PR: 2111
Submitted by: Martin Olsson <molsson@opera.com>
Check for bn_wexpand errors in bn_mul.c
Dr. Stephen Henson [Wed, 2 Dec 2009 14:41:24 +0000 (14:41 +0000)]
Replace the broken SPKAC certification with the correct version.
Dr. Stephen Henson [Wed, 2 Dec 2009 14:25:55 +0000 (14:25 +0000)]
Check it actually compiles this time ;-)