7070cdb | Dr. Stephen Henson | 25 February 2010, 17:18:23 UTC | Prepare for 0.9.8m release | 25 February 2010, 17:18:23 UTC |
e885de2 | Richard Levitte | 24 February 2010, 01:20:04 UTC | Since crypto-lib.com is built to be executed in the crypto/ directory, there's no need to specify that directory in the include path. | 24 February 2010, 01:20:04 UTC |
3038649 | Dr. Stephen Henson | 23 February 2010, 14:09:32 UTC | The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in the verify application documentation. | 23 February 2010, 14:09:32 UTC |
3e4da3f | Bodo Möller | 23 February 2010, 10:36:41 UTC | Always check bn_wexpend() return values for failure (CVE-2009-3245). (The CHANGES entry covers the change from PR #2111 as well, submitted by Martin Olsson.) Submitted by: Neel Mehta | 23 February 2010, 10:36:41 UTC |
53b5d04 | Richard Levitte | 23 February 2010, 07:51:39 UTC | Apply changes from the 1.0.0 branch. | 23 February 2010, 07:51:39 UTC |
defede6 | Richard Levitte | 23 February 2010, 07:50:54 UTC | Include [.CRYPTO.<ARCH>] instead of just [.<ARCH>] | 23 February 2010, 07:50:54 UTC |
1472f14 | Richard Levitte | 22 February 2010, 07:05:50 UTC | In some environments, we need to defined sslroot locally. | 22 February 2010, 07:05:50 UTC |
00d1ecb | Richard Levitte | 22 February 2010, 07:05:24 UTC | Add t1_reneg to the VMS build. Hack the symbols with long names. | 22 February 2010, 07:05:24 UTC |
739e0e9 | Bodo Möller | 19 February 2010, 18:25:39 UTC | Fix X509_STORE locking | 19 February 2010, 18:25:39 UTC |
6ae9770 | Dr. Stephen Henson | 18 February 2010, 12:42:03 UTC | clarify documentation | 18 February 2010, 12:42:03 UTC |
bec7184 | Dr. Stephen Henson | 17 February 2010, 19:43:08 UTC | OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved | 17 February 2010, 19:43:08 UTC |
442ac8d | Dr. Stephen Henson | 17 February 2010, 18:37:47 UTC | Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as initial connection to unpatched servers. There are no additional security concerns in doing this as clients don't see renegotiation during an attack anyway. | 17 February 2010, 18:37:47 UTC |
657b02d | Dr. Stephen Henson | 17 February 2010, 14:32:01 UTC | PR: 2100 Submitted by: James Baker <jbaker@tableausoftware.com> et al. Workaround for slow Heap32Next on some versions of Windows. | 17 February 2010, 14:32:01 UTC |
b50ef8b | Dr. Stephen Henson | 16 February 2010, 14:19:42 UTC | PR: 2171 Submitted by: Tomas Mraz <tmraz@redhat.com> Since SSLv2 doesn't support renegotiation at all don't reject it if legacy renegotiation isn't enabled. Also can now use SSL2 compatible client hello because RFC5746 supports it. | 16 February 2010, 14:19:42 UTC |
1b690c1 | Dr. Stephen Henson | 15 February 2010, 19:40:45 UTC | The "block length" for CFB mode was incorrectly coded as 1 all the time. It should be the number of feedback bits expressed in bytes. For CFB1 mode set this to 1 by rounding up to the nearest multiple of 8. | 15 February 2010, 19:40:45 UTC |
2873a53 | Dr. Stephen Henson | 15 February 2010, 19:25:37 UTC | Correct ECB mode EVP_CIPHER definition: IV length is 0 | 15 February 2010, 19:25:37 UTC |
04a781e | Dr. Stephen Henson | 15 February 2010, 19:02:53 UTC | PR: 2164 Submitted by: "Noszticzius, Istvan" <inoszticzius@rightnow.com> Don't clear the output buffer: ciphers should correctly the same input and output buffers. | 15 February 2010, 19:02:53 UTC |
68be98d | Dr. Stephen Henson | 12 February 2010, 22:02:07 UTC | update references to new RI RFC | 12 February 2010, 22:02:07 UTC |
0bbbadf | Dr. Stephen Henson | 09 February 2010, 14:18:15 UTC | Fix memory leak in ENGINE autoconfig code. Improve error logging. | 09 February 2010, 14:18:15 UTC |
c0c1ce1 | Dr. Stephen Henson | 09 February 2010, 14:13:30 UTC | update year | 09 February 2010, 14:13:30 UTC |
1058611 | Dr. Stephen Henson | 04 February 2010, 01:10:24 UTC | Only use bufferoverflowu.lib when needed | 04 February 2010, 01:10:24 UTC |
4a9d335 | Dr. Stephen Henson | 02 February 2010, 14:19:54 UTC | tolerate broken CMS/PKCS7 implementations using signature OID instead of digest | 02 February 2010, 14:19:54 UTC |
162f1e0 | Dr. Stephen Henson | 02 February 2010, 14:03:07 UTC | make no-rsa no-dsa compile again | 02 February 2010, 14:03:07 UTC |
0484ff5 | Dr. Stephen Henson | 01 February 2010, 16:48:40 UTC | PR: 2160 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de> Make session tickets work with DTLS. | 01 February 2010, 16:48:40 UTC |
4acc2fe | Dr. Stephen Henson | 01 February 2010, 12:44:21 UTC | PR: 2159 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de> Typo in PR#1949 bug, oops! | 01 February 2010, 12:44:21 UTC |
0369804 | Dr. Stephen Henson | 28 January 2010, 17:53:11 UTC | In engine_table_select() don't clear out entire error queue: just clear out any we added using ERR_set_mark() and ERR_pop_to_mark() otherwise errors from other sources (e.g. SSL library) can be wiped. | 28 January 2010, 17:53:11 UTC |
33d7b5e | Dr. Stephen Henson | 27 January 2010, 18:53:59 UTC | reword RI description | 27 January 2010, 18:53:59 UTC |
4b38f35 | Dr. Stephen Henson | 27 January 2010, 17:50:47 UTC | update documentation to reflect new renegotiation options | 27 January 2010, 17:50:47 UTC |
82c2773 | Dr. Stephen Henson | 27 January 2010, 16:06:36 UTC | Some shells print out the directory name if CDPATH is set breaking the pod2man test. Use ./util instead to avoid this. | 27 January 2010, 16:06:36 UTC |
ded27f7 | Dr. Stephen Henson | 27 January 2010, 14:04:51 UTC | typo | 27 January 2010, 14:04:51 UTC |
30dc3e1 | Dr. Stephen Henson | 27 January 2010, 14:03:26 UTC | stop warnings in fips_test_suite application | 27 January 2010, 14:03:26 UTC |
371b262 | Dr. Stephen Henson | 27 January 2010, 13:32:31 UTC | stop missing prototype warnings | 27 January 2010, 13:32:31 UTC |
b3fb249 | Dr. Stephen Henson | 27 January 2010, 13:21:34 UTC | eliminate some warnings in fips build | 27 January 2010, 13:21:34 UTC |
93b8106 | Dr. Stephen Henson | 27 January 2010, 00:51:24 UTC | Bypass algorithm blocking with TLS MD5+SHA1 signature in FIPS mode by calling underlying method directly. | 27 January 2010, 00:51:24 UTC |
cc62974 | Dr. Stephen Henson | 26 January 2010, 19:40:36 UTC | PR: 1949 Submitted by: steve@openssl.org More robust fix and workaround for PR#1949. Don't try to work out if there is any write pending data as this can be unreliable: always flush. | 26 January 2010, 19:40:36 UTC |
9413788 | Dr. Stephen Henson | 26 January 2010, 18:08:42 UTC | PR: 2138 Submitted by: Kevin Regan <k.regan@f5.com> Clear stat structure if -DPURIFY is set to avoid problems on some platforms which include unitialised fields. | 26 January 2010, 18:08:42 UTC |
e8387db | Dr. Stephen Henson | 26 January 2010, 13:24:08 UTC | Fix VC++ warning (change had already been made to other branches). | 26 January 2010, 13:24:08 UTC |
81f28ca | Dr. Stephen Henson | 26 January 2010, 12:29:32 UTC | Typo | 26 January 2010, 12:29:32 UTC |
1b32943 | Dr. Stephen Henson | 25 January 2010, 16:08:52 UTC | Update OID table too. | 25 January 2010, 16:08:52 UTC |
a231d99 | Dr. Stephen Henson | 25 January 2010, 16:08:01 UTC | PR: 2149 Submitted by: Douglas Stebila <douglas@stebila.ca> Fix wap OIDs. | 25 January 2010, 16:08:01 UTC |
714044c | Dr. Stephen Henson | 24 January 2010, 13:52:38 UTC | oops revert test code from previous commit | 24 January 2010, 13:52:38 UTC |
5598b99 | Dr. Stephen Henson | 24 January 2010, 13:50:57 UTC | The fix for PR#1949 unfortunately broke cases where the BIO_CTRL_WPENDING ctrl is incorrectly implemented (e.g. some versions of Apache). As a workaround call both BIO_CTRL_INFO and BIO_CTRL_WPENDING if it returns zero. This should both address the original bug and retain compatibility with the old behaviour. | 24 January 2010, 13:50:57 UTC |
6899d9b | Dr. Stephen Henson | 22 January 2010, 18:49:43 UTC | If legacy renegotiation is not permitted then send a fatal alert if a patched server attempts to renegotiate with an unpatched client. | 22 January 2010, 18:49:43 UTC |
cf876a9 | Dr. Stephen Henson | 20 January 2010, 18:22:04 UTC | change versions back to 0.9.8m-dev | 20 January 2010, 18:22:04 UTC |
8b8a292 | Dr. Stephen Henson | 20 January 2010, 17:26:02 UTC | prepare for release | 20 January 2010, 17:26:02 UTC |
0317744 | Dr. Stephen Henson | 20 January 2010, 17:16:52 UTC | update TABLE | 20 January 2010, 17:16:52 UTC |
dd28d12 | Dr. Stephen Henson | 20 January 2010, 16:35:30 UTC | make update | 20 January 2010, 16:35:30 UTC |
6c61ee8 | Dr. Stephen Henson | 20 January 2010, 14:04:29 UTC | Support -L options in VC++ link. | 20 January 2010, 14:04:29 UTC |
b86ebb5 | Andy Polyakov | 19 January 2010, 21:45:45 UTC | rand_win.c: handel GetTickCount wrap-around [from HEAD]. | 19 January 2010, 21:45:45 UTC |
66956ea | Andy Polyakov | 19 January 2010, 21:45:16 UTC | x86_64-xlate.pl: refine sign extension logic when handling lea [from HEAD]. PR: 2094,2095 | 19 January 2010, 21:45:16 UTC |
444ff35 | Dr. Stephen Henson | 19 January 2010, 19:10:53 UTC | revert patch | 19 January 2010, 19:10:53 UTC |
ff2549b | Dr. Stephen Henson | 19 January 2010, 19:10:03 UTC | PR: 2144 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de> Better fix for PR#2144 | 19 January 2010, 19:10:03 UTC |
2557c6a | Andy Polyakov | 17 January 2010, 19:43:49 UTC | Valgrind fix to aes-x86_64.pl in 0.9.8. For reference, newer aes-x86_64.pl don't suffer from the problem after Win64 SEH support was added. PR: 2075 Submitted by: Peter Klotz | 17 January 2010, 19:43:49 UTC |
aae48de | Dr. Stephen Henson | 16 January 2010, 19:45:46 UTC | PR: 2144 Submitted by: steve@openssl.org Fix DTLS connection so new_session is reset if we read second client hello: new_session is used to detect renegotiation. | 16 January 2010, 19:45:46 UTC |
766708f | Dr. Stephen Henson | 16 January 2010, 19:18:31 UTC | PR: 2133 Submitted by: steve@openssl.org Add missing DTLS state strings. | 16 January 2010, 19:18:31 UTC |
fbeb4a9 | Dr. Stephen Henson | 16 January 2010, 19:02:43 UTC | Add strings for DTLS protocol versions | 16 January 2010, 19:02:43 UTC |
24fc4f6 | Dr. Stephen Henson | 14 January 2010, 17:44:46 UTC | PR: 1618 Submitted by: steve@openssl.org Fix bug in 0.9.8-stable time handling in ca.c . NB: this only handles cases where times are not being checked or printed properly. Issues relating to time_t becoming negative or wrapping around are *NOT* addressed. OpenSSL 1.0.0 and later does fix these issues by using its own time routines. | 14 January 2010, 17:44:46 UTC |
c3c3b28 | Dr. Stephen Henson | 13 January 2010, 19:08:45 UTC | Fix version handling so it can cope with a major version >3. Although it will be many years before TLS v2.0 or later appears old versions of servers have a habit of hanging around for a considerable time so best if we handle this properly now. | 13 January 2010, 19:08:45 UTC |
06e2670 | Dr. Stephen Henson | 13 January 2010, 18:45:03 UTC | Modify compression code so it avoids using ex_data free functions. This stops applications that call CRYPTO_free_all_ex_data() prematurely leaking memory. | 13 January 2010, 18:45:03 UTC |
3798a4d | Dr. Stephen Henson | 07 January 2010, 19:09:32 UTC | Simplify RI+SCSV logic: 1. Send SCSV is not renegotiating, never empty RI. 2. Send RI if renegotiating. | 07 January 2010, 19:09:32 UTC |
5b8246d | Andy Polyakov | 07 January 2010, 11:22:25 UTC | x86_64-xlate.pl: new gas requires sign extention in lea instruction [from HEAD]. PR: 2094,2095 | 07 January 2010, 11:22:25 UTC |
2e24bc4 | Andy Polyakov | 07 January 2010, 11:04:49 UTC | util/pl/VC-32.pl: bufferoverflowu.lib only when actually needed [from HEAD]. PR: 2086 | 07 January 2010, 11:04:49 UTC |
f244ed3 | Dr. Stephen Henson | 06 January 2010, 18:02:07 UTC | correct error codes | 06 January 2010, 18:02:07 UTC |
50a095e | Dr. Stephen Henson | 06 January 2010, 17:59:41 UTC | Updates to conform with draft-ietf-tls-renegotiation-03.txt: 1. Add provisional SCSV value. 2. Don't send SCSV and RI at same time. 3. Fatal error is SCSV received when renegotiating. | 06 January 2010, 17:59:41 UTC |
37aff21 | Dr. Stephen Henson | 05 January 2010, 17:50:12 UTC | Typo | 05 January 2010, 17:50:12 UTC |
309aa5f | Dr. Stephen Henson | 05 January 2010, 17:33:20 UTC | PR: 2132 Submitted by: steve Fix bundled pod2man.pl to handle alternative comment formats. | 05 January 2010, 17:33:20 UTC |
5f40948 | Dr. Stephen Henson | 27 December 2009, 23:03:40 UTC | Update RI to match latest spec. MCSV is now called SCSV. Don't send SCSV if renegotiating. Also note if RI is empty in debug messages. | 27 December 2009, 23:03:40 UTC |
c22050b | Dr. Stephen Henson | 25 December 2009, 14:11:18 UTC | Traditional Yuletide commit ;-) Add Triple DES CFB1 and CFB8 to algorithm list and NID translation. | 25 December 2009, 14:11:18 UTC |
54ca55f | Bodo Möller | 22 December 2009, 11:45:57 UTC | Constify crypto/cast. | 22 December 2009, 11:45:57 UTC |
d0e79d7 | Bodo Möller | 22 December 2009, 10:59:03 UTC | Constify crypto/cast. | 22 December 2009, 10:59:03 UTC |
c1003df | Dr. Stephen Henson | 17 December 2009, 16:38:18 UTC | Ooops, engage ENGINE initialisation code correctly in FIPS builds. | 17 December 2009, 16:38:18 UTC |
98809a1 | Dr. Stephen Henson | 17 December 2009, 15:42:25 UTC | Alert to use is now defined in spec: update code | 17 December 2009, 15:42:25 UTC |
ccc3df8 | Dr. Stephen Henson | 16 December 2009, 20:34:20 UTC | New option to enable/disable connection to unpatched servers | 16 December 2009, 20:34:20 UTC |
593a6db | Dr. Stephen Henson | 14 December 2009, 01:32:47 UTC | add another missed case | 14 December 2009, 01:32:47 UTC |
efbe446 | Dr. Stephen Henson | 14 December 2009, 01:28:51 UTC | simplify RI error code and catch extra error case ignored before | 14 December 2009, 01:28:51 UTC |
725745d | Dr. Stephen Henson | 14 December 2009, 01:09:01 UTC | Allow initial connection (but no renegoriation) to servers which don't support RI. | 14 December 2009, 01:09:01 UTC |
c0e94f8 | Ben Laurie | 12 December 2009, 11:10:25 UTC | Missing newline. | 12 December 2009, 11:10:25 UTC |
ef4bd01 | Dr. Stephen Henson | 11 December 2009, 00:22:12 UTC | Move SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION out of SSL_OP_ALL | 11 December 2009, 00:22:12 UTC |
7a8a3ef | Dr. Stephen Henson | 09 December 2009, 18:17:21 UTC | clarify docs | 09 December 2009, 18:17:21 UTC |
98c7b03 | Dr. Stephen Henson | 09 December 2009, 18:01:07 UTC | Document option clearning functions. Initial secure renegotiation documentation. | 09 December 2009, 18:01:07 UTC |
9e5dea0 | Dr. Stephen Henson | 09 December 2009, 13:41:50 UTC | PR: 2124 Submitted by: Jan Pechanec <Jan.Pechanec@Sun.COM> Check for memory allocation failures. | 09 December 2009, 13:41:50 UTC |
cb4823f | Dr. Stephen Henson | 09 December 2009, 13:15:01 UTC | Add ctrls to clear options and mode. Change RI ctrl so it doesn't clash. | 09 December 2009, 13:15:01 UTC |
17bb051 | Dr. Stephen Henson | 08 December 2009, 19:05:49 UTC | Send no_renegotiation alert as required by spec. | 08 December 2009, 19:05:49 UTC |
59f44e8 | Dr. Stephen Henson | 08 December 2009, 13:47:28 UTC | Add ctrl and macro so we can determine if peer support secure renegotiation. Fix SSL_CIPHER initialiser for mcsv | 08 December 2009, 13:47:28 UTC |
7a014dc | Dr. Stephen Henson | 08 December 2009, 13:15:38 UTC | Add support for magic cipher suite value (MCSV). Make secure renegotiation work in SSLv3: initial handshake has no extensions but includes MCSV, if server indicates RI support then renegotiation handshakes include RI. NB: current MCSV value is bogus for testing only, will be updated when we have an official value. Change mismatch alerts to handshake_failure as required by spec. Also have some debugging fprintfs so we can clearly see what is going on if OPENSSL_RI_DEBUG is set. | 08 December 2009, 13:15:38 UTC |
1ff44a9 | Dr. Stephen Henson | 02 December 2009, 15:27:19 UTC | PR: 2111 Submitted by: Martin Olsson <molsson@opera.com> Check for bn_wexpand errors in bn_mul.c | 02 December 2009, 15:27:19 UTC |
6cf6161 | Dr. Stephen Henson | 02 December 2009, 14:39:12 UTC | Replace the broken SPKAC certification with the correct version. | 02 December 2009, 14:39:12 UTC |
82e448b | Dr. Stephen Henson | 01 December 2009, 17:40:46 UTC | PR: 2115 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de> Approved by: steve@openssl.org Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug. | 01 December 2009, 17:40:46 UTC |
b172352 | Dr. Stephen Henson | 01 December 2009, 17:32:16 UTC | PR: 1432 Submitted by: "Andrzej Chmielowiec" <achmielowiec@enigma.com.pl>, steve@openssl.org Approved by: steve@openssl.org Truncate hash if it is too large: as required by FIPS 186-3. | 01 December 2009, 17:32:16 UTC |
95b14fd | Dr. Stephen Henson | 29 November 2009, 13:44:59 UTC | typo | 29 November 2009, 13:44:59 UTC |
553d2e3 | Bodo Möller | 26 November 2009, 18:35:33 UTC | (whitespace) | 26 November 2009, 18:35:33 UTC |
82fb4ee | Bodo Möller | 26 November 2009, 17:30:07 UTC | The version numbering may change, again; so be careful about what we announce in CHANGES. | 26 November 2009, 17:30:07 UTC |
389fef6 | Bodo Möller | 26 November 2009, 17:28:27 UTC | Remove attribution -- this wasn't my patch, I only edited and applied it. | 26 November 2009, 17:28:27 UTC |
b6622f9 | Bodo Möller | 26 November 2009, 17:25:38 UTC | Remove obsolete information about a change for 0.9.7n. (No further releases from the 0.9.7 branch are planned. Note that the "deleted" change is also in 0.9.8f.) | 26 November 2009, 17:25:38 UTC |
7f5448e | Dr. Stephen Henson | 18 November 2009, 15:08:49 UTC | Servers can't end up talking SSLv2 with legacy renegotiation disabled | 18 November 2009, 15:08:49 UTC |
5d965f0 | Dr. Stephen Henson | 18 November 2009, 14:43:27 UTC | Don't use SSLv2 compatible client hello if we don't tolerate legacy renegotiation | 18 November 2009, 14:43:27 UTC |
b14713c | Dr. Stephen Henson | 18 November 2009, 14:24:00 UTC | Include a more meaningful error message when rejecting legacy renegotiation | 18 November 2009, 14:24:00 UTC |
637e0ba | Dr. Stephen Henson | 13 November 2009, 14:14:46 UTC | PR: 2094 Submitted by: Arkadiusz Miskiewicz <arekm@maven.pl> Approved by: steve@openssl.org Fix for out range of signed 32bit displacement error on newer binutils. | 13 November 2009, 14:14:46 UTC |
9ac37cb | Dr. Stephen Henson | 13 November 2009, 14:09:45 UTC | PR: 2084 Submitted by: Mike Frysinger <vapier@gentoo.org> Approved by: steve@openssl.org Parallel build fix. | 13 November 2009, 14:09:45 UTC |
fb7751b | Dr. Stephen Henson | 13 November 2009, 14:09:09 UTC | PR: 2101 Submitted by: Doug Kaufman <dkaufman@rahul.net> Approved by: steve@openssl.org Fixes for tests in cms-test.pl | 13 November 2009, 14:09:09 UTC |