Skip to content
  1. Feb 23, 2016
    • David Woodhouse's avatar
      RT4175: Fix PKCS7_verify() regression with Authenticode signatures · c436c990
      David Woodhouse authored 
      This is a partial revert of commit c8491de3 ("GH354: Memory leak fixes"),
which was cherry-picked from commit 55500ea7 in OpenSSL 1.1.

That commit introduced a change in behaviour which is a regression for
software implementing Microsoft Authenticode — which requires a PKCS#7
signature to be validated against explicit external data, even though
it's a non-detached signature with its own embedded data.

The is fixed differently in OpenSSL 1.1 by commit 6b2ebe43

 ("Add
PKCS7_NO_DUAL_CONTENT flag"), but that approach isn't viable in the
1.0.2 stable branch, so just comment the offending check back out again.

Signed-off-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      c436c990
  3. Feb 22, 2016
  5. Feb 19, 2016
  7. Feb 18, 2016
  9. Feb 16, 2016
  11. Feb 13, 2016
  13. Feb 12, 2016
  15. Feb 11, 2016
  17. Feb 10, 2016
  19. Feb 08, 2016
    • Matt Caswell's avatar
      Handle SSL_shutdown while in init more appropriately #2 · 64193c82
      Matt Caswell authored 
      Previous commit f73c737c attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.

Commit f73c737c

 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).

This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).

Reviewed-by: default avatarViktor Dukhovni <viktor@openssl.org>
      64193c82
  21. Feb 06, 2016
  23. Feb 05, 2016
    • Viktor Dukhovni's avatar
      Fix missing ok=0 with locally blacklisted CAs · a3baa171
      Viktor Dukhovni authored 
      

Also in X509_verify_cert() avoid using "i" not only as a loop
counter, but also as a trust outcome and as an error ordinal.

Finally, make sure that all "goto end" jumps return an error, with
"end" renamed to "err" accordingly.

[ The 1.1.0 version of X509_verify_cert() is major rewrite,
  which addresses these issues in a more systemic way. ]

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      a3baa171
  25. Feb 04, 2016
  27. Feb 02, 2016
  29. Feb 01, 2016
  31. Jan 30, 2016
  33. Jan 29, 2016
  35. Jan 28, 2016
  37. Jan 22, 2016
  39. Jan 21, 2016
  41. Jan 20, 2016