Dr. Stephen Henson [Sun, 24 Jan 2010 13:54:07 +0000 (13:54 +0000)]
The fix for PR#1949 unfortunately broke cases where the BIO_CTRL_WPENDING
ctrl is incorrectly implemented (e.g. some versions of Apache). As a workaround
call both BIO_CTRL_INFO and BIO_CTRL_WPENDING if it returns zero. This should
both address the original bug and retain compatibility with the old behaviour.
Dr. Stephen Henson [Fri, 22 Jan 2010 20:17:30 +0000 (20:17 +0000)]
Tolerate PKCS#8 DSA format with negative private key.
Dr. Stephen Henson [Fri, 22 Jan 2010 18:49:19 +0000 (18:49 +0000)]
If legacy renegotiation is not permitted then send a fatal alert if a patched
server attempts to renegotiate with an unpatched client.
Dr. Stephen Henson [Thu, 21 Jan 2010 18:46:28 +0000 (18:46 +0000)]
typo
Dr. Stephen Henson [Thu, 21 Jan 2010 01:17:45 +0000 (01:17 +0000)]
fix comments
Dr. Stephen Henson [Wed, 20 Jan 2010 15:40:27 +0000 (15:40 +0000)]
update version for next beta if we have one...
Dr. Stephen Henson [Wed, 20 Jan 2010 15:05:52 +0000 (15:05 +0000)]
make update
Dr. Stephen Henson [Wed, 20 Jan 2010 15:00:49 +0000 (15:00 +0000)]
Prepare for beta5 release
Dr. Stephen Henson [Wed, 20 Jan 2010 14:05:56 +0000 (14:05 +0000)]
Update demo
Dr. Stephen Henson [Wed, 20 Jan 2010 14:04:55 +0000 (14:04 +0000)]
Support -L options in VC++ link.
Andy Polyakov [Tue, 19 Jan 2010 21:44:07 +0000 (21:44 +0000)]
rand_win.c: handle GetTickCount wrap-around [from HEAD].
Andy Polyakov [Tue, 19 Jan 2010 21:43:05 +0000 (21:43 +0000)]
x86_64-xlate.pl: refine sign extension logic when handling lea [from HEAD].
PR: 2094,2095
Andy Polyakov [Tue, 19 Jan 2010 21:40:58 +0000 (21:40 +0000)]
s390x assembler update: add support for run-time facility detection [from HEAD].
Dr. Stephen Henson [Tue, 19 Jan 2010 19:55:47 +0000 (19:55 +0000)]
The use of NIDs in the password based encryption table can result in
algorithms not found when an application uses PKCS#12 and only calls
SSL_library_init() instead of OpenSSL_add_all_algorithms(). Simple
work around is to add the missing algorithm (40 bit RC2) in
SSL_library_init().
Dr. Stephen Henson [Tue, 19 Jan 2010 19:28:03 +0000 (19:28 +0000)]
PR: 2141
Submitted by: "NARUSE, Yui" <naruse@airemix.jp>
Remove non-ASCII comment which causes compilation errors on some versions
of VC++.
Dr. Stephen Henson [Tue, 19 Jan 2010 19:25:16 +0000 (19:25 +0000)]
stop asn1test compilation producing link errors
Dr. Stephen Henson [Tue, 19 Jan 2010 19:11:21 +0000 (19:11 +0000)]
PR: 2144
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Better fix for PR#2144
Dr. Stephen Henson [Sun, 17 Jan 2010 16:58:56 +0000 (16:58 +0000)]
Reverted patch for PR#2095. Addressed by Andy now in x86_64-xlate.pl
Dr. Stephen Henson [Sat, 16 Jan 2010 20:06:10 +0000 (20:06 +0000)]
PR: 2135
Submitted by: Mike Frysinger <vapier@gentoo.org>
Change missed references to lib to $(LIBDIR)
Dr. Stephen Henson [Sat, 16 Jan 2010 19:45:59 +0000 (19:45 +0000)]
PR: 2144
Submitted by: steve@openssl.org
Fix DTLS connection so new_session is reset if we read second client hello:
new_session is used to detect renegotiation.
Dr. Stephen Henson [Sat, 16 Jan 2010 19:20:38 +0000 (19:20 +0000)]
PR: 2133
Submitted by: steve@openssl.org
Add missing DTLS state strings.
Ben Laurie [Sat, 16 Jan 2010 13:32:14 +0000 (13:32 +0000)]
Fix type-checking/casting issue.
Dr. Stephen Henson [Fri, 15 Jan 2010 15:26:32 +0000 (15:26 +0000)]
convert to Unix EOL form
Dr. Stephen Henson [Thu, 14 Jan 2010 17:51:52 +0000 (17:51 +0000)]
PR: 2125
Submitted by: "Alon Bar-Lev" <alon.barlev@gmail.com>
Fix gcc-aix compilation issue.
Dr. Stephen Henson [Wed, 13 Jan 2010 19:08:29 +0000 (19:08 +0000)]
Fix version handling so it can cope with a major version >3.
Although it will be many years before TLS v2.0 or later appears, old versions
of servers have a habit of hanging around for a considerable time so best
if we handle this properly now.
Dr. Stephen Henson [Wed, 13 Jan 2010 18:46:01 +0000 (18:46 +0000)]
Modify compression code so it avoids using ex_data free functions. This
stops applications that call CRYPTO_free_all_ex_data() prematurely leaking
memory.
Dr. Stephen Henson [Tue, 12 Jan 2010 17:33:59 +0000 (17:33 +0000)]
update ordinals
Dr. Stephen Henson [Tue, 12 Jan 2010 17:27:11 +0000 (17:27 +0000)]
PR: 2136
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>
Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0
Dr. Stephen Henson [Tue, 12 Jan 2010 01:59:11 +0000 (01:59 +0000)]
make update
Dr. Stephen Henson [Thu, 7 Jan 2010 19:05:03 +0000 (19:05 +0000)]
Simplify RI+SCSV logic:
1. Send SCSV if not renegotiating, never empty RI.
2. Send RI if renegotiating.
Andy Polyakov [Thu, 7 Jan 2010 13:15:39 +0000 (13:15 +0000)]
b_sock.c: bind/connect are picky about socket address length [from HEAD].
Andy Polyakov [Thu, 7 Jan 2010 10:44:21 +0000 (10:44 +0000)]
sendto is reportedly picky about destination socket address length [from HEAD].
PR: 2114
Submitted by: Robin Seggelmann
Andy Polyakov [Wed, 6 Jan 2010 21:25:22 +0000 (21:25 +0000)]
Fix compilation on older Linux [from HEAD].
Dr. Stephen Henson [Wed, 6 Jan 2010 17:37:38 +0000 (17:37 +0000)]
Updates to conform with draft-ietf-tls-renegotiation-03.txt:
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error if SCSV received when renegotiating.
Dr. Stephen Henson [Wed, 6 Jan 2010 13:20:52 +0000 (13:20 +0000)]
ENGINE_load_capi() now exists on all platforms (but no op on non-WIN32)
Dr. Stephen Henson [Tue, 5 Jan 2010 17:58:15 +0000 (17:58 +0000)]
PR: 2102
Submitted by: John Fitzgibbon <john_fitzgibbon@yahoo.com>
Remove duplicate definitions.
Dr. Stephen Henson [Tue, 5 Jan 2010 17:50:01 +0000 (17:50 +0000)]
Typo
Dr. Stephen Henson [Tue, 5 Jan 2010 17:33:09 +0000 (17:33 +0000)]
PR: 2132
Submitted by: steve
Fix bundled pod2man.pl to handle alternative comment formats.
Dr. Stephen Henson [Tue, 5 Jan 2010 17:17:20 +0000 (17:17 +0000)]
Remove tabs on blank lines: they produce warnings in pod2man
Dr. Stephen Henson [Tue, 5 Jan 2010 16:46:39 +0000 (16:46 +0000)]
compress_meth should be unsigned
Dr. Stephen Henson [Fri, 1 Jan 2010 14:39:51 +0000 (14:39 +0000)]
Client side compression algorithm sanity checks: ensure old compression
algorithm matches current and give error if compression is disabled and
server requests it (shouldn't happen unless server is broken).
Dr. Stephen Henson [Fri, 1 Jan 2010 00:44:36 +0000 (00:44 +0000)]
Compression handling on session resume was badly broken: it always
used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).
Andy Polyakov [Wed, 30 Dec 2009 12:56:16 +0000 (12:56 +0000)]
b_sock.c: correct indirect calls on WinSock platforms [from HEAD].
PR: 2130
Submitted by: Eugeny Gostyukhin
Andy Polyakov [Wed, 30 Dec 2009 11:57:39 +0000 (11:57 +0000)]
Adapt mingw config for newer mingw environment [from HEAD].
PR: 2113
Andy Polyakov [Wed, 30 Dec 2009 11:53:33 +0000 (11:53 +0000)]
sha512.c update for esoteric PPC platform(s) [from HEAD].
PR: 1998
Andy Polyakov [Tue, 29 Dec 2009 10:46:46 +0000 (10:46 +0000)]
Deploy multilib config-line parameter [from HEAD].
Dr. Stephen Henson [Sun, 27 Dec 2009 23:03:25 +0000 (23:03 +0000)]
Typo
Dr. Stephen Henson [Sun, 27 Dec 2009 22:59:09 +0000 (22:59 +0000)]
Update RI to match latest spec.
MCSV is now called SCSV.
Don't send SCSV if renegotiating.
Also note if RI is empty in debug messages.
Dr. Stephen Henson [Fri, 25 Dec 2009 14:12:24 +0000 (14:12 +0000)]
Traditional Yuletide commit ;-)
Add Triple DES CFB1 and CFB8 to algorithm list and NID translation.
Bodo Möller [Tue, 22 Dec 2009 11:52:15 +0000 (11:52 +0000)]
Use properly local variables for thread-safety.
Submitted by: Martin Rex
Bodo Möller [Tue, 22 Dec 2009 11:45:59 +0000 (11:45 +0000)]
Constify crypto/cast.
Bodo Möller [Tue, 22 Dec 2009 10:58:01 +0000 (10:58 +0000)]
Constify crypto/cast.
Dr. Stephen Henson [Thu, 17 Dec 2009 15:42:43 +0000 (15:42 +0000)]
Alert to use is now defined in spec: update code
Dr. Stephen Henson [Thu, 17 Dec 2009 15:28:45 +0000 (15:28 +0000)]
PR: 2127
Submitted by: Tomas Mraz <tmraz@redhat.com>
Check for lookup failures in EVP_PBE_CipherInit().
Dr. Stephen Henson [Wed, 16 Dec 2009 20:33:11 +0000 (20:33 +0000)]
Ooops revert stuff which shouldn't have been part of previous commit.
Dr. Stephen Henson [Wed, 16 Dec 2009 20:28:30 +0000 (20:28 +0000)]
New option to enable/disable connection to unpatched servers
Dr. Stephen Henson [Mon, 14 Dec 2009 13:55:39 +0000 (13:55 +0000)]
Allow initial connection (but no renegotiation) to servers which don't support
RI.
Reorganise RI checking code and handle some missing cases.
Ben Laurie [Sat, 12 Dec 2009 15:57:53 +0000 (15:57 +0000)]
Missing error code.
Ben Laurie [Sat, 12 Dec 2009 15:57:19 +0000 (15:57 +0000)]
Use gcc 4.4.
Dr. Stephen Henson [Fri, 11 Dec 2009 00:20:58 +0000 (00:20 +0000)]
Move SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION out of SSL_OP_ALL
Dr. Stephen Henson [Wed, 9 Dec 2009 18:17:09 +0000 (18:17 +0000)]
clarify docs
Dr. Stephen Henson [Wed, 9 Dec 2009 18:00:52 +0000 (18:00 +0000)]
Document option clearing functions.
Initial secure renegotiation documentation.
Dr. Stephen Henson [Wed, 9 Dec 2009 15:02:14 +0000 (15:02 +0000)]
Add patch to crypto/evp which didn't apply from PR#2124
Dr. Stephen Henson [Wed, 9 Dec 2009 15:00:20 +0000 (15:00 +0000)]
Revert lhash patch for PR#2124
Dr. Stephen Henson [Wed, 9 Dec 2009 14:53:51 +0000 (14:53 +0000)]
Check s3 is not NULL
Dr. Stephen Henson [Wed, 9 Dec 2009 13:38:20 +0000 (13:38 +0000)]
PR: 2124
Submitted by: Jan Pechanec <Jan.Pechanec@Sun.COM>
Check for memory allocation failures.
Dr. Stephen Henson [Wed, 9 Dec 2009 13:25:38 +0000 (13:25 +0000)]
Add ctrls to clear options and mode.
Change RI ctrl so it doesn't clash.
Dr. Stephen Henson [Tue, 8 Dec 2009 19:06:09 +0000 (19:06 +0000)]
Send no_renegotiation alert as required by spec.
Dr. Stephen Henson [Tue, 8 Dec 2009 13:42:32 +0000 (13:42 +0000)]
Add ctrl and macro so we can determine if peer supports secure renegotiation.
Dr. Stephen Henson [Tue, 8 Dec 2009 13:15:12 +0000 (13:15 +0000)]
Add support for magic cipher suite value (MCSV). Make secure renegotiation
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.
NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.
Change mismatch alerts to handshake_failure as required by spec.
Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
Dr. Stephen Henson [Tue, 8 Dec 2009 11:38:18 +0000 (11:38 +0000)]
PR: 2121
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Add extension support to DTLS code mainly using existing implementation for
TLS.
Dr. Stephen Henson [Wed, 2 Dec 2009 15:28:05 +0000 (15:28 +0000)]
PR: 2111
Submitted by: Martin Olsson <molsson@opera.com>
Check for bn_wexpand errors in bn_mul.c
Dr. Stephen Henson [Wed, 2 Dec 2009 14:41:24 +0000 (14:41 +0000)]
Replace the broken SPKAC certification with the correct version.
Dr. Stephen Henson [Wed, 2 Dec 2009 14:25:55 +0000 (14:25 +0000)]
Check it actually compiles this time ;-)
Dr. Stephen Henson [Wed, 2 Dec 2009 13:57:03 +0000 (13:57 +0000)]
PR: 2120
Submitted by: steve@openssl.org
Initialize fields correctly if pem_str or info are NULL in EVP_PKEY_asn1_new().
Dr. Stephen Henson [Tue, 1 Dec 2009 18:41:50 +0000 (18:41 +0000)]
check DSA_sign() return value properly
Dr. Stephen Henson [Tue, 1 Dec 2009 17:41:42 +0000 (17:41 +0000)]
PR: 2115
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
Dr. Stephen Henson [Tue, 1 Dec 2009 17:32:33 +0000 (17:32 +0000)]
PR: 1432
Submitted by: "Andrzej Chmielowiec" <achmielowiec@enigma.com.pl>, steve@openssl.org
Approved by: steve@openssl.org
Truncate hash if it is too large: as required by FIPS 186-3.
Dr. Stephen Henson [Mon, 30 Nov 2009 13:53:42 +0000 (13:53 +0000)]
PR: 2118
Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net>
Approved by: steve@openssl.org
Check return value of ECDSA_sign() properly.
Dr. Stephen Henson [Sun, 29 Nov 2009 13:45:18 +0000 (13:45 +0000)]
typo
Andy Polyakov [Thu, 26 Nov 2009 21:12:12 +0000 (21:12 +0000)]
cms-test.pl: use EXE_EXT (from HEAD).
PR: 2107
Andy Polyakov [Thu, 26 Nov 2009 20:56:05 +0000 (20:56 +0000)]
bss_dgram.c: re-fix BIO_CTRL_DGRAM_GET_PEER (from HEAD).
Bodo Möller [Thu, 26 Nov 2009 18:37:11 +0000 (18:37 +0000)]
Make CHANGES in the OpenSSL_1_0_0-stable branch consistent with the
one in the OpenSSL_0_9_8-stable branch.
Andy Polyakov [Mon, 23 Nov 2009 19:51:24 +0000 (19:51 +0000)]
x86_64-xlate.pl: fix typo introduced in last commit.
PR: 2109
Andy Polyakov [Sun, 22 Nov 2009 12:52:18 +0000 (12:52 +0000)]
x86_64-xlate.pl: new gas requires sign extension.
x86masm.pl: fix linker warning.
PR: 2094,2095
Andy Polyakov [Sun, 22 Nov 2009 12:26:15 +0000 (12:26 +0000)]
VC-32.pl: bufferoverflowu.lib only when needed and remove duplicate code
(update from HEAD).
PR: 2086
Andy Polyakov [Sun, 22 Nov 2009 12:24:43 +0000 (12:24 +0000)]
bio_sock.c and bss_dgram.c: update from HEAD.
PR: 2069
Dr. Stephen Henson [Wed, 18 Nov 2009 15:09:35 +0000 (15:09 +0000)]
Servers can't end up talking SSLv2 with legacy renegotiation disabled
Dr. Stephen Henson [Wed, 18 Nov 2009 14:45:32 +0000 (14:45 +0000)]
Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation
Dr. Stephen Henson [Wed, 18 Nov 2009 14:19:52 +0000 (14:19 +0000)]
Include a more meaningful error message when rejecting legacy renegotiation
Dr. Stephen Henson [Tue, 17 Nov 2009 13:25:35 +0000 (13:25 +0000)]
PR: 2103
Submitted by: Rob Austein <sra@hactrn.net>
Approved by: steve@openssl.org
Initialise atm.flags to 0.
Dr. Stephen Henson [Sun, 15 Nov 2009 19:06:21 +0000 (19:06 +0000)]
PR: 2101 (additional)
Submitted by: Roumen Petrov <openssl@roumenpetrov.info>
Approved by: steve@openssl.org
Another mingw fix.
Dr. Stephen Henson [Fri, 13 Nov 2009 14:23:44 +0000 (14:23 +0000)]
PR: 2095
Submitted by: Arkadiusz Miskiewicz <arekm@maven.pl>
Approved by: steve@openssl.org
Fix for out range of signed 32bit displacement error on newer binutils
in file sha1-x86_64.pl
Dr. Stephen Henson [Fri, 13 Nov 2009 13:44:14 +0000 (13:44 +0000)]
PR: 2101
Submitted by: Doug Kaufman <dkaufman@rahul.net>
Approved by: steve@openssl.org
Fixes for tests in cms-test.pl
Richard Levitte [Fri, 13 Nov 2009 08:45:52 +0000 (08:45 +0000)]
Add test_cms
Dr. Stephen Henson [Thu, 12 Nov 2009 19:57:39 +0000 (19:57 +0000)]
PR: 2088
Submitted by: Aleksey Samsonov <s4ms0n0v@gmail.com>
Approved by: steve@openssl.org
Fix memory leak in d2i_PublicKey().
Dr. Stephen Henson [Thu, 12 Nov 2009 19:24:34 +0000 (19:24 +0000)]
set engine to NULL after releasing it
Richard Levitte [Thu, 12 Nov 2009 14:05:04 +0000 (14:05 +0000)]
Compiling vms.mar doesn't work on other than VAX.
Richard Levitte [Thu, 12 Nov 2009 14:04:26 +0000 (14:04 +0000)]
Another symbol longer than 31 characters.
Richard Levitte [Thu, 12 Nov 2009 14:03:57 +0000 (14:03 +0000)]
Typo