  1. Feb 23, 2016
      RT4175: Fix PKCS7_verify() regression with Authenticode signatures · c436c990
      David Woodhouse authored
      This is a partial revert of commit c8491de3 ("GH354: Memory leak fixes"),
      which was cherry-picked from commit 55500ea7 in OpenSSL 1.1.
      
      That commit introduced a change in behaviour which is a regression for
      software implementing Microsoft Authenticode — which requires a PKCS#7
      signature to be validated against explicit external data, even though
      it's a non-detached signature with its own embedded data.
      
      This is fixed differently in OpenSSL 1.1 by commit 6b2ebe43 ("Add
      PKCS7_NO_DUAL_CONTENT flag"), but that approach isn't viable in the
      1.0.2 stable branch, so just comment the offending check back out again.
      
      Signed-off-by: Rich Salz <rsalz@openssl.org>
      Reviewed-by: Tim Hudson <tjh@openssl.org>
  2. Feb 22, 2016
  3. Feb 19, 2016
  4. Feb 18, 2016
  5. Feb 16, 2016
  6. Feb 13, 2016
  7. Feb 12, 2016
  8. Feb 11, 2016
  9. Feb 10, 2016
  10. Feb 08, 2016
      Handle SSL_shutdown while in init more appropriately #2 · 64193c82
      Matt Caswell authored
      Previous commit f73c737c attempted to "fix" a problem with the way
      SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
      SSL_shutdown() return immediately having taken no action if called mid-
      handshake with a return value of 1 (meaning everything was shutdown
      successfully). In fact the shutdown has not been successful.
      
      Commit f73c737c changed that to send a close_notify anyway and then
      return. This seems to be causing some problems for some applications so
      perhaps a better (much simpler) approach is to revert to the previous
      behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
      was not successful).
      
      This also fixes a bug where SSL_shutdown always returns 0 when shutdown
      *very* early in the handshake (i.e. we are still using SSLv23_method).
      
      Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  11. Feb 06, 2016
  12. Feb 05, 2016
      Fix missing ok=0 with locally blacklisted CAs · a3baa171
      Viktor Dukhovni authored
      
      
      Also in X509_verify_cert() avoid using "i" not only as a loop
      counter, but also as a trust outcome and as an error ordinal.
      
      Finally, make sure that all "goto end" jumps return an error, with
      "end" renamed to "err" accordingly.
      
      [ The 1.1.0 version of X509_verify_cert() is a major rewrite,
        which addresses these issues in a more systemic way. ]
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
  13. Feb 04, 2016
  14. Feb 02, 2016
  15. Feb 01, 2016
  16. Jan 30, 2016
  17. Jan 29, 2016
  18. Jan 28, 2016
  19. Jan 22, 2016
  20. Jan 21, 2016
  21. Jan 20, 2016