Commit Graph

761 Commits

Author SHA1 Message Date
Dr. Stephen Henson
67c1801924 New function OCSP_parse_url() and -url option for ocsp utility.
Doesn't handle SSL URLs yet.
2001-02-13 00:37:44 +00:00
Dr. Stephen Henson
46a58ab946 Modify OCSP nonce behaviour. 2001-02-12 23:28:45 +00:00
Dr. Stephen Henson
94fcd01349 Work around for libsafe "error". 2001-02-12 03:22:49 +00:00
Bodo Möller
620cea37e0 disable stdin buffering in load_cert 2001-02-10 13:12:35 +00:00
Dr. Stephen Henson
ccb08f98ae Fix CRL printing to correctly show when there are no revoked certificates.
Make ca.c correctly initialize the revocation date.

Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string() set the
string type: so they can initialize ASN1_TIME structures properly.
2001-02-10 00:56:45 +00:00
Lutz Jänicke
836f996010 New Option SSL_OP_CIPHER_SERVER_PREFERENCE allows TLS/SSLv3 server to override
the clients choice; in SSLv2 the client uses the server's preferences.
2001-02-09 19:56:31 +00:00
Dr. Stephen Henson
c47c619680 Various updates to mkdef.pl to cope with new aes
and ASN1 code.
2001-02-09 13:16:21 +00:00
Dr. Stephen Henson
8c950429a9 Allow various options to be included for signing and verify of
OCSP responses.

Documentation to follow...

Urgh.. this conflicted with the -VAfile patch I hope I haven't
broken it.
2001-02-08 19:36:10 +00:00
Richard Levitte
9235adbf47 Add the -VAfile option to 'openssl ocsp'. This option will give the
client code certificates to use to only check response signatures.
I'm not entirely sure if the way I just implemented the verification
is the right way to do it, and would be happy if someone would like to
review this.
2001-02-08 17:59:29 +00:00
Bodo Möller
35ed8cb8b6 Integrate my implementation of a countermeasure against
Bleichenbacher's DSA attack.  With this implementation, the expected
number of iterations never exceeds 2.

New semantics for BN_rand_range():
BN_rand_range(r, min, range) now generates r such that
     min <= r < min+range.
(Previously, BN_rand_range(r, min, max) generated r such that
     min <= r < max.
It is more convenient to have the range; also the previous
prototype was misleading because max was larger than
the actual maximum.)
2001-02-08 12:14:51 +00:00
Ulf Möller
57e7d3ce15 Bleichenbacher's DSA attack 2001-02-07 22:24:35 +00:00
Dr. Stephen Henson
deb2c1a1c5 Fix AES code.
Update Rijndael source to v3.0

Add AES OIDs.

Change most references of Rijndael to AES.

Add new draft AES ciphersuites.
2001-02-07 18:15:18 +00:00
Bodo Möller
9eea2be6f1 Avoid coredumps for CONF_get_...(NULL, ...) 2001-02-06 10:26:34 +00:00
Ulf Möller
741a9690df Fix potential buffer overrun for EBCDIC. 2001-02-06 02:54:02 +00:00
Dr. Stephen Henson
26e083ccb7 New function to copy nonce values from OCSP
request to response.
2001-02-05 00:35:06 +00:00
Dr. Stephen Henson
02e4fbed3d Various OCSP responder utility functions.
Delete obsolete OCSP functions.

Largely untested at present...
2001-02-03 19:20:45 +00:00
Dr. Stephen Henson
88ce56f8c1 Various function for commmon operations. 2001-02-02 00:45:54 +00:00
Dr. Stephen Henson
8cff6331c9 Tolerate some "variations" used in some
certificates.

One is a valid CA which has no basicConstraints
but does have certSign keyUsage.

Other is S/MIME signer with nonRepudiation but
no digitalSignature.
2001-02-01 01:57:32 +00:00
Richard Levitte
903872d65e Document the change. 2001-01-30 13:47:59 +00:00
Dr. Stephen Henson
b847024026 Make sk_sort tolearate a NULL argument. 2001-01-28 14:20:13 +00:00
Dr. Stephen Henson
50d5199120 New OCSP response verify option OCSP_TRUSTOTHER 2001-01-26 01:55:52 +00:00
Dr. Stephen Henson
a342cc5a70 Zero the premaster secret after deriving the master secret in DH
ciphersuites.
2001-01-25 13:15:01 +00:00
Dr. Stephen Henson
a43cf9fae9 Add debugging info to new ASN1 code to trace memory leaks.
Fix PKCS7 and PKCS12 memory leaks.

Initialise encapsulated content type properly.
2001-01-24 18:39:54 +00:00
Bodo Möller
ae0665b8f1 EVP_add_digest_alias additions to SS_library_init 2001-01-23 16:39:59 +00:00
Ulf Möller
75802000c8 There is no C version of bn_div_3_words 2001-01-23 16:26:15 +00:00
Ulf Möller
893b76c544 Mention the ./config script fixes. 2001-01-21 18:45:23 +00:00
Dr. Stephen Henson
ba8e28248f Fix to stop X509_time_adj() using GeneralizedTime. 2001-01-20 13:38:45 +00:00
Dr. Stephen Henson
8e8972bb68 Fixes to various ASN1_INTEGER routines for negative case.
Enhance s2i_ASN1_INTEGER().
2001-01-19 14:21:48 +00:00
Bodo Möller
57108f0ad5 Fix openssl passwd -1 2001-01-19 07:37:56 +00:00
Dr. Stephen Henson
73758d435b Additional functionality in ocsp utility: print summary
of status info. Check nonce values. Option to disable
verify. Update usage message.

Rename status to string functions and make them global.
2001-01-19 01:32:23 +00:00
Dr. Stephen Henson
e8af92fcb1 Implement remaining OCSP verify checks in
accordance with RFC2560.
2001-01-18 01:35:39 +00:00
Richard Levitte
361ef5f4dc Make the change log on the RAND_poll change a bit more explicit. Suggested by Bodo Moeller. 2001-01-17 13:43:18 +00:00
Dr. Stephen Henson
81f169e95c Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".
2001-01-17 01:31:34 +00:00
Bodo Möller
dfebac32c0 New '-extfile' option for 'openssl ca'.
This allows keeping extensions in a separate configuration file.

Submitted by: Massimiliano Pala <madwolf@comune.modena.it>
2001-01-15 11:35:24 +00:00
Dr. Stephen Henson
6308af199d Change PKCS#12 key derivation routines to cope with
non null terminated passwords.
2001-01-14 14:07:10 +00:00
Dr. Stephen Henson
5782ceb298 New OCSP utility. This can generate, parse and print
OCSP requests. It can also query reponders and parse or
print out responses.

Still needs some more work: OCSP response checks and
of course documentation.
2001-01-13 01:48:38 +00:00
Bodo Möller
c67cdb50d2 New 'openssl ca -status <serial>' and 'openssl ca -updatedb'
commands.

Submitted by: Massimiliano Pala <madwolf@comune.modena.it>
2001-01-12 14:50:44 +00:00
Bodo Möller
d199858e89 New -newreq-nodes option to CA.pl.
Submitted by: Damien Miller <djm@mindrot.org>
2001-01-11 13:23:19 +00:00
Richard Levitte
10a2975a27 Add configuration for GNU Hurd. 2001-01-11 12:58:37 +00:00
Dr. Stephen Henson
9b4dc8308f OCSP basic response verify. Very incomplete
but will verify the signatures on a response
and locate the signers certifcate.

Still needs to implement a proper OCSP certificate
verify.

Fix warning in RAND_egd().
2001-01-11 00:52:50 +00:00
Bodo Möller
a5435e8b29 After discussion with Richard, change the new API for extended memory
allocation callbacks so that it is no longer visible to applications
that these live at a different call level than conventional memory
allocation callbacks.
2001-01-10 18:09:57 +00:00
Bodo Möller
673b3fde82 Add SSLEAY_DIR argument code for SSLeay_version.
Add '-d' option for 'openssl version' (included in '-a').
2001-01-10 15:15:36 +00:00
Bodo Möller
c06648f7f0 Fix C code generate by 'openssl dsaparam -C'. 2001-01-10 14:26:32 +00:00
Richard Levitte
65a22e8e4d As response to a user request to be able to use external memory
handling routines that need file name and line number information,
I've added a call level to our memory handling routines to allow that
kind of hooking.
2001-01-10 13:14:58 +00:00
Dr. Stephen Henson
cbf0f45f90 Fix uni2asc() so it can properly convert zero length
unicode strings. Certain PKCS#12 files contain these
in BMPStrings and it used to crash on them.
2001-01-10 01:06:31 +00:00
Lutz Jänicke
599c03530a Add automatic query of EGD sockets to RAND_poll(). The EGD sockets are
only queried when the /dev/[u]random devices did not return enough
entropy. Only the amount of entropy missing to reach the required minimum
is queried, as EGD may be drained.
Queried locations are: /etc/entropy, /var/run/egd-pool
2001-01-09 16:44:59 +00:00
Geoff Thorpe
56a67adb64 It was correctly pointed out to me that my CHANGES entry was a little thin
on details. :-)
2001-01-09 16:39:04 +00:00
Geoff Thorpe
3c91484052 Move all the existing function pointer casts associated with LHASH's two
"doall" functions to using type-safe wrappers. As and where required, this
can be replaced by redeclaring the underlying callbacks to use the
underlying "void"-based prototypes (eg. if performance suffers from an
extra level of function invocation).
2001-01-09 00:24:38 +00:00
Richard Levitte
0c61e299b3 Change RAND_poll for Unix to try a number of devices and only read
them for a short period of time (actually, poll them with select(),
then read() whatever is there), which is about 10ms (hard-coded value)
each.

Separate Windows and Unixly code, and start on a VMS variant that
currently just returns 0.
2001-01-08 10:59:26 +00:00
Dr. Stephen Henson
0b33bc65cd Add set of OCSP client functions. All experimental
and subject to addition, modifcation or deletion.

Add two OCSP nonce utility functions.

Fix typo in status code name.
2001-01-08 01:21:55 +00:00