From: Dr. Stephen Henson Date: Wed, 7 Apr 2010 13:18:07 +0000 (+0000) Subject: Add SHA2 algorithms to SSL_library_init(). Although these aren't used X-Git-Tag: OpenSSL-fips-2_0-rc1~1149 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c0b8eb606fc6e31bff2f7ceadcd8441a646fdcee;p=openssl Add SHA2 algorithms to SSL_library_init(). Although these aren't used directly by SSL/TLS, SHA2 certificates are becoming more common and applications that only call SSL_library_init() and not OpenSSL_add_all_algorithms() will fail when verifying certificates. Update docs. --- diff --git a/CHANGES b/CHANGES index 79ef46254f..a0736f43f3 100644 --- a/CHANGES +++ b/CHANGES @@ -940,6 +940,13 @@ *) Change 'Configure' script to enable Camellia by default. [NTT] + Changes between 0.9.8n and 0.9.8o [xx XXX xxxx] + + *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more + common in certificates and some applications which only call + SSL_library_init and not OpenSSL_add_all_algorithms() will fail. + [Steve Henson] + Changes between 0.9.8m and 0.9.8n [24 Mar 2010] *) When rejecting SSL/TLS records due to an incorrect version number, never diff --git a/doc/ssl/SSL_library_init.pod b/doc/ssl/SSL_library_init.pod index e7fbefbfac..8766776fea 100644 --- a/doc/ssl/SSL_library_init.pod +++ b/doc/ssl/SSL_library_init.pod
@@ -27,25 +27,28 @@ SSL_library_init() is not reentrant. =head1 WARNING -SSL_library_init() mainly adds ciphers and digests used directly by SSL/TLS. -In some cases this is not sufficient and errors about unknown algorithms -will occur: for example when an attempt is made to use a certificate using -SHA256. This can be resolved by also calling OpenSSL_add_all_algorithms(). +SSL_library_init() adds ciphers and digests used directly and indirectly by +SSL/TLS. =head1 EXAMPLES A typical TLS/SSL application will start with the library initialization, -will provide readable error messages and will seed the PRNG. +and provide readable error messages. SSL_load_error_strings(); /* readable error messages */ SSL_library_init(); /* initialize library */ - actions_to_seed_PRNG(); =head1 RETURN VALUES SSL_library_init() always returns "1", so it is safe to discard the return value. +=head1 NOTES + +OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init(). +Applications which need to use SHA2 in earlier versions of OpenSSL should call +OpenSSL_add_all_algorithms() as well. + =head1 SEE ALSO L, L, diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index a26ae43957..0967b2dfe4 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -105,6 +105,14 @@ int SSL_library_init(void) EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif +#ifndef OPENSSL_NO_SHA256 + EVP_add_digest(EVP_sha224()); + EVP_add_digest(EVP_sha256()); +#endif +#ifndef OPENSSL_NO_SHA512 + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); +#endif #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
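Review bot: In the CHANGES hunk, the new 0.9.8o entry says applications which only call SSL_library_init and not OpenSSL_add_all_algorithms() "will fail" without saying what fails; the commit message is more precise (verification of certificates signed with SHA2 digests), so the entry should carry that, e.g. "... will fail to verify certificates signed with SHA2 digests." While there, write "SSL_library_init()" with parentheses to match "OpenSSL_add_all_algorithms()" in the same sentence.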
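Review bot: In the SSL_library_init.pod hunk, dropping "actions_to_seed_PRNG();" from the example and "will seed the PRNG" from the sentence before it is unrelated to registering SHA2 digests and is mentioned in neither the commit message nor the CHANGES entry; either split it into its own commit or add a line to the commit message explaining why the seeding step was removed. The rewritten WARNING ("adds ciphers and digests used directly and indirectly by SSL/TLS") also loses the concrete advice the old text gave: the new NOTES section covers the SHA2 case on older releases, but the WARNING should still say that algorithms SSL/TLS does not use at all are only available after OpenSSL_add_all_algorithms().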
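Review bot: In the ssl_algs.c hunk, the four new EVP_add_digest() calls carry no comment, while the adjacent DSA line documents its purpose ("/* DSA with sha1 */"); since the reason for registering these digests (so that SHA2-signed certificates verify, not because SSL/TLS itself uses them) lives only in the commit message, add a one-line comment above the "#ifndef OPENSSL_NO_SHA256" block so the next reader does not remove them as unused by the protocol.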