oweals/openssl.git
Bodo Möller [Sun, 14 Sep 2008 14:02:07 +0000 (14:02 +0000)]
Fix SSL state transitions.

Submitted by: Nagendra Modadugu

Bodo Möller [Sun, 14 Sep 2008 13:53:18 +0000 (13:53 +0000)]
Note about CVS branch inconsistency.

Bodo Möller [Sun, 14 Sep 2008 13:51:44 +0000 (13:51 +0000)]
Really get rid of unsafe double-checked locking.

Also, "CHANGES" clean-ups.

Bodo Möller [Sun, 14 Sep 2008 13:42:34 +0000 (13:42 +0000)]
Some precautions to avoid potential security-relevant problems.

Andy Polyakov [Sat, 13 Sep 2008 18:24:38 +0000 (18:24 +0000)]
DTLS didn't handle alerts correctly.
PR: 1632

Andy Polyakov [Fri, 12 Sep 2008 14:45:54 +0000 (14:45 +0000)]
AIX build updates.

Dr. Stephen Henson [Wed, 10 Sep 2008 16:02:09 +0000 (16:02 +0000)]
Add SSL_FIPS flag for FIPS 140-2 approved ciphersuites and add a new
strength "FIPS" to represent all FIPS approved ciphersuites without NULL
encryption.

Ben Laurie [Tue, 9 Sep 2008 19:08:40 +0000 (19:08 +0000)]
Ignoring errors in makedepend can hide problems.

Ben Laurie [Sun, 7 Sep 2008 13:22:34 +0000 (13:22 +0000)]
Fix warning.

Dr. Stephen Henson [Wed, 3 Sep 2008 22:17:11 +0000 (22:17 +0000)]
Fix from stable branch.

Dr. Stephen Henson [Wed, 3 Sep 2008 12:36:16 +0000 (12:36 +0000)]
Do not discard cached handshake records during resumed sessions:
they are used for mac computation.

Dr. Stephen Henson [Wed, 3 Sep 2008 12:29:57 +0000 (12:29 +0000)]
Make no-tlsext compile.

Dr. Stephen Henson [Mon, 1 Sep 2008 15:53:53 +0000 (15:53 +0000)]
Perl script to run and verify OpenSSL against PKITS RFC3280 compliance
test suite.

Dr. Stephen Henson [Mon, 1 Sep 2008 15:15:16 +0000 (15:15 +0000)]
Initial support for delta CRLs. If "use deltas" flag is set attempt to find
a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.

Dr. Stephen Henson [Fri, 29 Aug 2008 11:37:21 +0000 (11:37 +0000)]
Add support for CRLs partitioned by reason code.

Tidy CRL scoring system.

Add new CRL path validation error.

Dr. Stephen Henson [Wed, 27 Aug 2008 15:52:05 +0000 (15:52 +0000)]
Add support for freshest CRL extension.

Dr. Stephen Henson [Wed, 20 Aug 2008 16:42:19 +0000 (16:42 +0000)]
Initial indirect CRL support.

Dr. Stephen Henson [Mon, 18 Aug 2008 16:48:47 +0000 (16:48 +0000)]
Support for certificateIssuer CRL entry extension.

Bodo Möller [Thu, 14 Aug 2008 21:37:51 +0000 (21:37 +0000)]
Don't use assertions to check application-provided arguments;
and don't unnecessarily fail on input size 0.

Bodo Möller [Wed, 13 Aug 2008 19:45:06 +0000 (19:45 +0000)]
sanity check

PR: 1679

Bodo Möller [Wed, 13 Aug 2008 19:44:15 +0000 (19:44 +0000)]
fix error function codes

Bodo Möller [Wed, 13 Aug 2008 19:30:01 +0000 (19:30 +0000)]
Mention ERR_remove_state() deprecation, and ERR_remove_thread_state(NULL).

Dr. Stephen Henson [Wed, 13 Aug 2008 16:00:11 +0000 (16:00 +0000)]
Initial support for CRL path validation. This supports distinct certificate
and CRL signing keys.

Dr. Stephen Henson [Tue, 12 Aug 2008 16:07:52 +0000 (16:07 +0000)]
Initial code to support distinct certificate and CRL signing keys where the
CRL issuer is not part of the main path.

Not complete yet and not compiled in because the CRL issuer certificate is
not validated.

Dr. Stephen Henson [Tue, 12 Aug 2008 10:32:56 +0000 (10:32 +0000)]
Support for policy mappings extension.

Delete X509_POLICY_REF code.

Fix handling of invalid policy extensions to return the correct error.

Add command line option to inhibit policy mappings.

Dr. Stephen Henson [Fri, 8 Aug 2008 15:35:29 +0000 (15:35 +0000)]
Initial support for name constraints certificate extension.

TODO: robustness checking on name forms.

Geoff Thorpe [Wed, 6 Aug 2008 16:41:50 +0000 (16:41 +0000)]
Correct the FAQ and the threads man page re: CRYPTO_THREADID changes.

Geoff Thorpe [Wed, 6 Aug 2008 15:54:15 +0000 (15:54 +0000)]
Remove the dual-callback scheme for numeric and pointer thread IDs,
deprecate the original (numeric-only) scheme, and replace with the
CRYPTO_THREADID object. This hides the platform-specifics and should reduce
the possibility for programming errors (where failing to explicitly check
both thread ID forms could create subtle, platform-specific bugs).

Thanks to Bodo, for invaluable review and feedback.

Andy Polyakov [Wed, 6 Aug 2008 08:58:45 +0000 (08:58 +0000)]
sha1-armv4-large cosmetics.

Andy Polyakov [Wed, 6 Aug 2008 08:47:07 +0000 (08:47 +0000)]
sha1-armv4-large.pl performance improvement. On PXA255 it gives +10% on
8KB block, +60% on 1KB, +160% on 256B...

Geoff Thorpe [Tue, 5 Aug 2008 17:48:02 +0000 (17:48 +0000)]
Fix signed/unsigned warning.

Dr. Stephen Henson [Tue, 5 Aug 2008 15:55:53 +0000 (15:55 +0000)]
Correctly handle errors in CMS I/O code.

Bodo Möller [Mon, 4 Aug 2008 22:10:38 +0000 (22:10 +0000)]
Fix error codes for memory-saving patch.

Also, get rid of compile-time switch OPENSSL_NO_RELEASE_BUFFERS
because it was rather pointless (the new behavior has to be explicitly
requested by setting SSL_MODE_RELEASE_BUFFERS anyway).

Dr. Stephen Henson [Mon, 4 Aug 2008 15:34:27 +0000 (15:34 +0000)]
Add support for nameRelativeToCRLIssuer field in distribution point name
fields.

Dr. Stephen Henson [Sat, 2 Aug 2008 11:16:35 +0000 (11:16 +0000)]
Make explicit_policy handling match expected RFC3280 behaviour.

Lutz Jänicke [Fri, 1 Aug 2008 15:03:20 +0000 (15:03 +0000)]
Refer to SSL_pending from the man page for SSL_read

Dr. Stephen Henson [Wed, 30 Jul 2008 15:49:12 +0000 (15:49 +0000)]
Initial support for alternative CRL issuing certificates.

Allow inhibit any policy flag to be set in apps.

Dr. Stephen Henson [Wed, 30 Jul 2008 15:41:42 +0000 (15:41 +0000)]
Policy validation fixes.

Inhibit any policy count should ignore self issued certificates.
Require explicit policy is the number certificate before an explicit policy
is required.

Ralf S. Engelschall [Sun, 27 Jul 2008 15:51:35 +0000 (15:51 +0000)]
remove a doubled entry for '-binary' in the usage message

Andy Polyakov [Tue, 22 Jul 2008 08:47:35 +0000 (08:47 +0000)]
Split ms/uplink.pl to corresponding platform versions.

Andy Polyakov [Tue, 22 Jul 2008 08:44:31 +0000 (08:44 +0000)]
perlasm update: implement dataseg directive.

Andy Polyakov [Tue, 22 Jul 2008 08:42:06 +0000 (08:42 +0000)]
x86_64-xlate.pl: implement indirect jump/calls, support for Win64 SEH.

Bodo Möller [Thu, 17 Jul 2008 22:11:53 +0000 (22:11 +0000)]
We should check the eight bytes starting at p[-9] for rollback attack
detection, or the probability for an erroneous RSA_R_SSLV3_ROLLBACK_ATTACK
will be larger than necessary.

PR: 1695

Andy Polyakov [Thu, 17 Jul 2008 13:58:21 +0000 (13:58 +0000)]
mem_dbg.c: avoid compiler warnings.
PR: 1693
Submitted by: Stefan Neis

Andy Polyakov [Thu, 17 Jul 2008 09:50:56 +0000 (09:50 +0000)]
Remove junk argument to function_begin in sha/asm/*-586.pl.
PR: 1681

Andy Polyakov [Thu, 17 Jul 2008 09:46:09 +0000 (09:46 +0000)]
x86masm.pl: harmonize functions' alignment.

Bodo Möller [Wed, 16 Jul 2008 18:10:27 +0000 (18:10 +0000)]
Make sure not to read beyond end of buffer

Andy Polyakov [Tue, 15 Jul 2008 19:52:20 +0000 (19:52 +0000)]
x86_64cpuid.pl cosmetics: harmonize $dir treatment with other modules.

Andy Polyakov [Tue, 15 Jul 2008 13:24:16 +0000 (13:24 +0000)]
des-596.pl update: short-circuit reference to DES_SPtrans.

Andy Polyakov [Tue, 15 Jul 2008 13:16:42 +0000 (13:16 +0000)]
x86masm.pl cosmetics.

Andy Polyakov [Tue, 15 Jul 2008 12:50:44 +0000 (12:50 +0000)]
x86nasm.pl update: use pre-defined macros and allow for /safeseh link.

Andy Polyakov [Tue, 15 Jul 2008 12:48:53 +0000 (12:48 +0000)]
Reaffirm that NASM is the only supported assembler for Win32 build.

Dr. Stephen Henson [Sun, 13 Jul 2008 22:38:18 +0000 (22:38 +0000)]
Zero is a valid value for any_skip and map_skip

Dr. Stephen Henson [Sun, 13 Jul 2008 15:55:37 +0000 (15:55 +0000)]
We support inhibit any policy extension, add to table.

Dr. Stephen Henson [Sun, 13 Jul 2008 14:25:36 +0000 (14:25 +0000)]
X509 verification fixes.

Ignore self issued certificates when checking path length constraints.

Duplicate OIDs in policy tree in case they are allocated.

Use anyPolicy from certificate cache and not current tree level.

Geoff Thorpe [Thu, 10 Jul 2008 20:08:47 +0000 (20:08 +0000)]
If --prefix="C:\foo\bar" is supplied to Configure for a windows target,
then the backslashes need escaping to avoid being treated as switches in
the auto-generated strings in opensslconf.h. Perl users are welcome to
suggest a less hokey way of doing this ...

Dr. Stephen Henson [Fri, 4 Jul 2008 23:12:52 +0000 (23:12 +0000)]
Avoid warnings with -pedantic, specifically:

Conversion between void * and function pointer.
Value computed not used.
Signed/unsigned argument.

Geoff Thorpe [Thu, 3 Jul 2008 19:59:25 +0000 (19:59 +0000)]
Revert my earlier CRYPTO_THREADID commit, I will commit a reworked
version some time soon.

Dr. Stephen Henson [Thu, 26 Jun 2008 23:27:31 +0000 (23:27 +0000)]
Update from stable branch.

Dr. Stephen Henson [Wed, 25 Jun 2008 10:43:07 +0000 (10:43 +0000)]
Update from stable branch.

Bodo Möller [Mon, 23 Jun 2008 20:46:24 +0000 (20:46 +0000)]
avoid potential infinite loop in final reduction round of BN_GF2m_mod_arr()

Submitted by: Huang Ying
Reviewed by: Douglas Stebila

Dr. Stephen Henson [Sun, 22 Jun 2008 01:09:14 +0000 (01:09 +0000)]
Update ordinals.

Dr. Stephen Henson [Sat, 21 Jun 2008 23:28:55 +0000 (23:28 +0000)]
Fix from stable branch.

Dr. Stephen Henson [Wed, 18 Jun 2008 15:08:41 +0000 (15:08 +0000)]
Update from stable branch.

Dr. Stephen Henson [Wed, 18 Jun 2008 12:06:10 +0000 (12:06 +0000)]
Update from stable branch.

Dr. Stephen Henson [Mon, 16 Jun 2008 15:51:48 +0000 (15:51 +0000)]
Update from stable branch.

Dr. Stephen Henson [Mon, 9 Jun 2008 16:48:42 +0000 (16:48 +0000)]
Add acknowledgement.

Dr. Stephen Henson [Fri, 6 Jun 2008 15:57:16 +0000 (15:57 +0000)]
Sync ordinals.

Dr. Stephen Henson [Fri, 6 Jun 2008 11:26:07 +0000 (11:26 +0000)]
Fix memory leak. The canonical X509_NAME_ENTRY STACK is reallocated rather
than referencing existing X509_NAME_ENTRY structures so needs to be
completely freed.

Dr. Stephen Henson [Thu, 5 Jun 2008 23:42:04 +0000 (23:42 +0000)]
Remove uidlg library from VC-32.pl, it is now bound at runtime.

Dr. Stephen Henson [Thu, 5 Jun 2008 23:19:56 +0000 (23:19 +0000)]
Don't change _WIN32_WINNT and detect GetConsoleWindow() and
CryptUIDlgSelectCertificateFromStore() at runtime. Add callback function
for selection mechanism.

Dr. Stephen Henson [Thu, 5 Jun 2008 17:04:16 +0000 (17:04 +0000)]
Update from stable branch.

Dr. Stephen Henson [Thu, 5 Jun 2008 15:34:24 +0000 (15:34 +0000)]
Update CHANGES.

Dr. Stephen Henson [Thu, 5 Jun 2008 15:13:45 +0000 (15:13 +0000)]
Update from stable branch.

Dr. Stephen Henson [Thu, 5 Jun 2008 11:45:25 +0000 (11:45 +0000)]
Update from stable branch.

Dr. Stephen Henson [Thu, 5 Jun 2008 11:10:49 +0000 (11:10 +0000)]
Sync ordinals with stable branch.

Dr. Stephen Henson [Thu, 5 Jun 2008 10:51:48 +0000 (10:51 +0000)]
Link in extra CryptoAPI related libraries if needed.

Dr. Stephen Henson [Wed, 4 Jun 2008 23:03:28 +0000 (23:03 +0000)]
Update from stable branch.

Dr. Stephen Henson [Wed, 4 Jun 2008 22:39:05 +0000 (22:39 +0000)]
Remove test fprintf.

Dr. Stephen Henson [Wed, 4 Jun 2008 22:34:38 +0000 (22:34 +0000)]
Compilation option to use a specific ssl client auth engine automatically.

Dr. Stephen Henson [Wed, 4 Jun 2008 16:45:05 +0000 (16:45 +0000)]
Use an appropriate Window for selection dialog.

Dr. Stephen Henson [Wed, 4 Jun 2008 16:10:09 +0000 (16:10 +0000)]
Add support for Windows dialog box based certificate selection.

Dr. Stephen Henson [Wed, 4 Jun 2008 14:34:39 +0000 (14:34 +0000)]
Remove old non-safestack code.

Dr. Stephen Henson [Wed, 4 Jun 2008 12:03:57 +0000 (12:03 +0000)]
Tidy up and add comments to selection code.

Dr. Stephen Henson [Wed, 4 Jun 2008 11:53:14 +0000 (11:53 +0000)]
Make DSO WIN32 compile again.

Dr. Stephen Henson [Wed, 4 Jun 2008 11:52:36 +0000 (11:52 +0000)]
Update ordinals.

Dr. Stephen Henson [Wed, 4 Jun 2008 11:45:15 +0000 (11:45 +0000)]
Remove store from Windows build.

Ben Laurie [Wed, 4 Jun 2008 11:01:43 +0000 (11:01 +0000)]
More type-checking.

Dr. Stephen Henson [Wed, 4 Jun 2008 10:57:38 +0000 (10:57 +0000)]
Avoid name clash.

Ben Laurie [Wed, 4 Jun 2008 05:21:13 +0000 (05:21 +0000)]
Only include windows headers when under windows.

Dr. Stephen Henson [Tue, 3 Jun 2008 23:54:31 +0000 (23:54 +0000)]
Add initial support for multiple SSL client certificate selection in
CryptoAPI ENGINE.

Dr. Stephen Henson [Tue, 3 Jun 2008 11:37:52 +0000 (11:37 +0000)]
Match empty CA list to anything for ssl client auth in CryptoAPI engine.

Dr. Stephen Henson [Tue, 3 Jun 2008 11:26:27 +0000 (11:26 +0000)]
Add support for client cert engine setting in s_client app.
Add appropriate #ifdefs round client cert functions in headers.

Dr. Stephen Henson [Tue, 3 Jun 2008 10:27:39 +0000 (10:27 +0000)]
Add preliminary SSL client auth callback to CryptoAPI ENGINE.

Dr. Stephen Henson [Tue, 3 Jun 2008 10:17:45 +0000 (10:17 +0000)]
Prevent signed/unsigned warning on VC++

Ben Laurie [Tue, 3 Jun 2008 02:48:34 +0000 (02:48 +0000)]
Memory saving patch.

Dr. Stephen Henson [Mon, 2 Jun 2008 23:41:38 +0000 (23:41 +0000)]
Update year.

Dr. Stephen Henson [Mon, 2 Jun 2008 23:10:34 +0000 (23:10 +0000)]
Windows batch file to rebuild error codes for CryptoAPI ENGINE.

Dr. Stephen Henson [Mon, 2 Jun 2008 23:09:04 +0000 (23:09 +0000)]
#undef OCSP_RESPONSE: CryptoAPI uses this too.

Dr. Stephen Henson [Mon, 2 Jun 2008 14:29:32 +0000 (14:29 +0000)]
Fix indentation.