client code certificates to use to only check response signatures.
I'm not entirely sure if the way I just implemented the verification
is the right way to do it, and would be happy if someone would like to
review this.
Bleichenbacher's DSA attack. With this implementation, the expected
number of iterations never exceeds 2.
New semantics for BN_rand_range():
BN_rand_range(r, min, range) now generates r such that
min <= r < min+range.
(Previously, BN_rand_range(r, min, max) generated r such that
min <= r < max.
It is more convenient to have the range; also the previous
prototype was misleading because max was larger than
the actual maximum.)
certificates.
One is a valid CA which has no basicConstraints
but does have certSign keyUsage.
Other is S/MIME signer with nonRepudiation but
no digitalSignature.
OCSP requests. It can also query reponders and parse or
print out responses.
Still needs some more work: OCSP response checks and
of course documentation.
but will verify the signatures on a response
and locate the signers certifcate.
Still needs to implement a proper OCSP certificate
verify.
Fix warning in RAND_egd().
allocation callbacks so that it is no longer visible to applications
that these live at a different call level than conventional memory
allocation callbacks.
handling routines that need file name and line number information,
I've added a call level to our memory handling routines to allow that
kind of hooking.
only queried when the /dev/[u]random devices did not return enough
entropy. Only the amount of entropy missing to reach the required minimum
is queried, as EGD may be drained.
Queried locations are: /etc/entropy, /var/run/egd-pool
"doall" functions to using type-safe wrappers. As and where required, this
can be replaced by redeclaring the underlying callbacks to use the
underlying "void"-based prototypes (eg. if performance suffers from an
extra level of function invocation).
them for a short period of time (actually, poll them with select(),
then read() whatever is there), which is about 10ms (hard-coded value)
each.
Separate Windows and Unixly code, and start on a VMS variant that
currently just returns 0.
Remove extensions argument from various functions
because it is not needed with the new extension
code.
New function OCSP_cert_to_id() to convert a pair
of certificates into an OCSP_CERTID.
New simple OCSP HTTP function. This is rather primitive
but just about adequate to send OCSP requests and
parse the response.
Fix typo in CRL distribution points extension.
Fix ASN1 code so it adds a final null to constructed
strings.
horrible macros.
Fix two evil ASN1 bugs. Attempt to use 'ctx' when
NULL if input is indefinite length constructed
in asn1_check_tlen() and invalid pointer to ASN1_TYPE
when reusing existing structure (this took *ages* to
find because the new PKCS#12 code triggered it).
most of the old wrappers. A few of the old versions remain
because they are non standard and the corresponding ASN1
code has not been reimplemented yet.
