From bc06baca76534abc2048a3ac4d109b144da4b706 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 7 Apr 2010 13:19:48 +0000 Subject: [PATCH] Add SHA2 algorithms to SSL_library_init(). Although these aren't used directly by SSL/TLS, SHA2 certificates are becoming more common and applications that only call SSL_library_init() and not OpenSSL_add_all_algorithms() will fail when verifying certificates. Update docs. --- CHANGES | 5 +++++ doc/ssl/SSL_library_init.pod | 15 +++++++++------ ssl/ssl_algs.c | 8 ++++++++ 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index bf2af58a47..a20fe1759c 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 0.9.8n and 0.9.8o [xx XXX xxxx] + *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more + common in certificates and some applications which only call + SSL_library_init and not OpenSSL_add_all_algorithms() will fail. + [Steve Henson] + *) VMS fixes: Reduce copying into .apps and .test in makevms.com Don't try to use blank CA certificate in CA.com diff --git a/doc/ssl/SSL_library_init.pod b/doc/ssl/SSL_library_init.pod index 0e9b035884..7f1356a7b5 100644 --- a/doc/ssl/SSL_library_init.pod +++ b/doc/ssl/SSL_library_init.pod 
@@ -26,25 +26,28 @@ SSL_library_init() must be called before any other action takes place. =head1 WARNING -SSL_library_init() mainly adds ciphers and digests used directly by SSL/TLS. -In some cases this is not sufficient and errors about unknown algorithms -will occur: for example when an attempt is made to use a certificate using -SHA256. This can be resolved by also calling OpenSSL_add_all_algorithms(). +SSL_library_init() adds ciphers and digests used directly and indirectly by +SSL/TLS. =head1 EXAMPLES A typical TLS/SSL application will start with the library initialization, -will provide readable error messages and will seed the PRNG. +and provide readable error messages. SSL_load_error_strings(); /* readable error messages */ SSL_library_init(); /* initialize library */ - actions_to_seed_PRNG(); =head1 RETURN VALUES SSL_library_init() always returns "1", so it is safe to discard the return value. +=head1 NOTES + +OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init(). +Applications which need to use SHA2 in earlier versions of OpenSSL should call +OpenSSL_add_all_algorithms() as well. + =head1 SEE ALSO L, L, diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index 2d9077e303..6488cdfa9c 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -102,6 +102,14 @@ int SSL_library_init(void) EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif +#ifndef OPENSSL_NO_SHA256 + EVP_add_digest(EVP_sha224()); + EVP_add_digest(EVP_sha256()); +#endif +#ifndef OPENSSL_NO_SHA512 + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); +#endif #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); -- 2.25.1
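Review bot: the CHANGES entry (0.9.8n to 0.9.8o hunk) only records the 0.9.8 branch, while the new NOTES text in SSL_library_init.pod promises the behaviour for "0.9.8o and 1.0.0a and later"; make sure the equivalent ssl_algs.c change and a matching CHANGES entry land on the 1.0.0 branch before 1.0.0a, otherwise the documentation will be wrong for one of the two releases it names. Minor style point in the same entry: "SSL_library_init and not OpenSSL_add_all_algorithms()" writes one function with parentheses and the other without; the rest of the file and the commit subject use "SSL_library_init()".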
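Review bot: the SSL_library_init.pod hunk bundles an unrelated change with the SHA2 fix: the EXAMPLES text loses "and will seed the PRNG" and the "actions_to_seed_PRNG();" line is deleted, yet neither the commit message nor the CHANGES entry mentions dropping the PRNG-seeding advice. Either split that into its own commit or say in the commit message why the example no longer seeds the PRNG. Separately, replacing the WARNING body with the single sentence "SSL_library_init() adds ciphers and digests used directly and indirectly by SSL/TLS." removes the only statement that OpenSSL_add_all_algorithms() may still be required, but the ssl_algs.c hunk registers only the SHA-2 family, so a certificate signed with a digest SSL_library_init() does not register will still fail exactly as the old text described. Keep a residual sentence along the lines of "Applications using algorithms not registered here should also call OpenSSL_add_all_algorithms()", and consider that a one-sentence WARNING that no longer warns of anything reads better folded into NOTES.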
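Review bot: in the ssl_algs.c hunk the new EVP_add_digest() calls cover SHA-224/256/384/512 for RSA signature verification, but the surrounding block also registers "EVP_dss1()); /* DSA with sha1 */" as a separate digest for DSA, and nothing equivalent is added for DSA or ECDSA certificates signed with SHA-2; please confirm whether verification of such certificates goes through the plain SHA-2 digests registered here or still needs its own entry, and add a short comment on the new block (matching the "/* DSA with sha1 */" style used just below it) stating that these are registered for certificate verification rather than for any cipher suite. The guards look right: EVP_sha224()/EVP_sha256() under OPENSSL_NO_SHA256 and EVP_sha384()/EVP_sha512() under OPENSSL_NO_SHA512 follow the same pairing as the existing SHA-1 block above.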