Richard Levitte
cf9a88cad7
Document the last change.
...
PR: 587
2003-06-19 19:04:13 +00:00
Richard Levitte
4f1cd8324c
Prepare for changes in the 0.9.6 branch
2003-06-19 19:01:05 +00:00
Richard Levitte
ed7f1d0bc6
Prepare for changes in the 0.9.6 branch
2003-06-19 18:59:27 +00:00
Richard Levitte
e666c4599f
Add the possibility to have symbols loaded globally with DSO.
2003-06-11 22:42:28 +00:00
Richard Levitte
54f6451670
Add functionality to set marks on the error stack and to pop all errors to the next mark.
2003-06-11 20:49:58 +00:00
Richard Levitte
a069460015
Document the AES_cbc_encrypt() change
2003-06-10 04:42:38 +00:00
Dr. Stephen Henson
63b815583b
Update CHANGES to reflect base64 fix added to 0.9.7
2003-06-03 00:16:47 +00:00
Dr. Stephen Henson
beab098d53
Various S/MIME bug and compatibility fixes.
2003-06-01 20:51:58 +00:00
Richard Levitte
3bbb0212f3
Add STORE support in ENGINE.
2003-05-01 03:57:46 +00:00
Richard Levitte
a5db6fa576
Define a STORE type. For documentation, read the entry in CHANGES,
...
crypto/store/README, crypto/store/store.h and crypto/store/str_locl.h.
2003-05-01 03:53:12 +00:00
Richard Levitte
535fba4907
Define the OPENSSL_ITEM structure.
2003-05-01 03:45:18 +00:00
Richard Levitte
1ae0a83bdd
Add BUF_strndup() and BUF_memdup(). Not currently used, but I've code
...
that uses them that I'll commit in a few days.
2003-04-29 22:08:57 +00:00
Richard Levitte
9d6c32d6d1
Correct documentation. sk_find_ex() doesn't return a pointer, it
...
returns an index.
2003-04-29 20:31:58 +00:00
Richard Levitte
ea5240a5ed
Add an extended variant of OBJ_bsearch() that can be given a few
...
flags.
2003-04-29 20:25:21 +00:00
Bodo Möller
7a04fdd87f
include 'Changes between 0.9.6i and 0.9.6j'
2003-04-11 15:03:12 +00:00
Richard Levitte
16b1b03543
Implement self-signing in 'openssl ca'. This makes it easier to have
...
the CA certificate part of the CA database, and combined with
'unique_subject=no', it should make operations like CA certificate
roll-over easier.
2003-04-03 22:33:59 +00:00
Richard Levitte
e6526fbf4d
Add functionality to help making self-signed certificate.
2003-04-03 22:27:24 +00:00
Richard Levitte
f85b68cd49
Make it possible to have multiple active certificates with the same
...
subject.
2003-04-03 16:33:03 +00:00
Bodo Möller
5679bcce07
make RSA blinding thread-safe
2003-04-02 09:50:22 +00:00
Dr. Stephen Henson
1a15c89988
Multi valued AVA support.
2003-03-30 01:51:16 +00:00
Dr. Stephen Henson
520b76ffd9
Support for name constraints.
2003-03-24 17:04:44 +00:00
Dr. Stephen Henson
f80153e20b
Support for policy constraints.
2003-03-21 16:26:20 +00:00
Bodo Möller
c554155b58
make sure RSA blinding works when the PRNG is not properly seeded;
...
enable it automatically for the built-in engine
2003-03-20 17:31:30 +00:00
Dr. Stephen Henson
a1d12daed2
Support for policyMappings
2003-03-20 17:26:44 +00:00
Bodo Möller
02da5bcd83
countermeasure against new Klima-Pokorny-Rosa atack
2003-03-19 19:19:53 +00:00
Geoff Thorpe
bba2cb3ada
Fix a bone-head bug. This warrants a CHANGES entry because it could affect
...
applications if they were passing a bogus 'flags' parameter yet having
things work as they wanted anyway.
2003-03-13 20:28:42 +00:00
Geoff Thorpe
879650b866
The default implementation of DSA_METHOD has an interdependence on the
...
dsa_mod_exp() and bn_mod_exp() handlers from dsa_do_verify() and
dsa_sign_setup(). When another DSA_METHOD implementation does not define
these lower-level handlers, it becomes impossible to do a fallback to
software on errors using a simple DSA_OpenSSL()->fn(key).
This change allows the default DSA_METHOD to function in such circumstances
by only using dsa_mod_exp() and bn_mod_exp() handlers if they exist,
otherwise using BIGNUM implementations directly (which is what those
handlers did before this change). There should be no noticable difference
for the software case, or indeed any custom case that didn't already
segfault, except perhaps that there is now one less level of indirection in
all cases.
PR: 507
2003-03-11 01:49:21 +00:00
Bodo Möller
176f31ddec
- new ECDH_compute_key interface (KDF is no longer a fixed built-in)
...
- bugfix: in ECDH_compute_key, pad x coordinate with leading zeros if necessary
2003-02-28 15:37:10 +00:00
Dr. Stephen Henson
f0dc08e656
Support for dirName from config files in GeneralName extensions.
2003-02-27 01:54:11 +00:00
Dr. Stephen Henson
e9ec63961b
Fix indefinite length encoding so EOC correctly updates
...
the buffer pointer.
Rename PKCS7_PARTSIGN to PKCS7_STREAM.
Guess what that's for :-)
2003-02-25 19:03:31 +00:00
Ulf Möller
63ff3e83fc
Add instructions for building the MinGW target in Cygwin, and
...
rearrange some of the other text for better readability.
2003-02-22 23:03:42 +00:00
Richard Levitte
132eaa59da
Allow building applications against static libraries with Makefile.shared.
2003-02-22 14:41:34 +00:00
Dr. Stephen Henson
5562cfaca4
Base64 bio fixes. The base64 bio was seriously broken
...
when reading from a non blocking BIO.
It would incorrectly interpret retries as EOF, incorrectly
buffer initial data and have no buffering at all after initial
data (data would be sent one byte at a time to EVP_DecodeUpdate).
2003-02-22 02:12:52 +00:00
Richard Levitte
5b0b0e98ce
Security fix: Vaudenay timing attack on CBC.
...
An advisory will be posted to the web. Expect a release within the hour.
2003-02-19 12:03:59 +00:00
Richard Levitte
758f942b88
Make the no-err option work properly
2003-02-18 12:14:57 +00:00
Dr. Stephen Henson
27068df7e0
Single pass processing to cleartext S/MIME signing.
2003-02-15 00:50:55 +00:00
Richard Levitte
b7bbac72c4
Add support for IA64.
...
PR: 454
2003-02-14 13:30:35 +00:00
Richard Levitte
2d3de726c5
Add full support for -rpath/-R, both in shared libraries and
...
applications, at least on the platforms where it's known how
to do it.
Note: this has only been tested on GNU-based platforms (Linux), and
needs to be tested on all others. Additionally, it's not yet
supported on the following platforms, for lack of information:
Darwin (MacOS X)
Cygwin
OSF1/Alpha
SVR3
ReliantUNIX
Please help out with testing and the platforms we don't yet know well
enough.
2003-02-13 23:52:54 +00:00
Richard Levitte
9ec1d35f29
Adjust DES_cbc_cksum() so the returned value is the same as MIT's
...
mit_des_cbc_cksum(). The difference was first observed, then verified by
looking at the MIT source.
2003-02-12 17:20:39 +00:00
Dr. Stephen Henson
cf56663fb7
Option to disable SSL auto chain build
2003-02-12 17:06:02 +00:00
Bodo Möller
8537943e8b
first section is now "Changes between 0.9.7a and 0.9.8", not "... 0.9.7 and 0.9.8"
2003-02-11 16:42:30 +00:00
Bodo Möller
24893ca999
typo
2003-02-06 19:32:06 +00:00
Bodo Möller
37c660ff9b
implement fast point multiplication with precomputation
...
Submitted by: Nils Larsch
Reviewed by: Bodo Moeller
2003-02-06 19:25:12 +00:00
Dr. Stephen Henson
4e5d3a7f98
IPv6 display and input support for extensions usingh GeneralName.
2003-02-05 00:34:31 +00:00
Richard Levitte
0b13e9f055
Add the possibility to build without the ENGINE framework.
...
PR: 287
2003-01-30 17:39:26 +00:00
Geoff Thorpe
96f7065f63
Summarise the last couple of commits.
2003-01-30 15:52:40 +00:00
Bodo Möller
c1862f9136
consistency
2003-01-24 22:28:32 +00:00
Dr. Stephen Henson
d3b5cb5343
Check return value of gmtime() and add error codes
...
where it fails in ASN1_TIME_set().
Edit asn1.h so the new error code is the same in 0.9.7
and 0.9.8, rebuild new error codes.
Clear error queue in req.c if *_min or *_max is absent.
2003-01-24 01:12:01 +00:00
Lutz Jänicke
a74333f905
Fix initialization sequence to prevent freeing of unitialized objects.
...
Submitted by: Nils Larsch <nla@trustcenter.de>
PR: 459
2003-01-15 14:54:59 +00:00
Lutz Jänicke
8ec16ce711
Really fix SSLv2 session ID handling
...
PR: 377
2003-01-15 09:51:22 +00:00
Geoff Thorpe
0e4aa0d2d2
As with RSA, which was modified recently, this change makes it possible to
...
override key-generation implementations by placing handlers in the methods
for DSA and DH. Also, parameter generation for DSA and DH is possible by
another new handler for each method.
2003-01-15 02:01:55 +00:00
Richard Levitte
04aff67de4
Merge from 0.9.7-stable.
2003-01-13 17:16:25 +00:00
Bodo Möller
9d5390a049
document BN_GENCB API by adding an example
2003-01-13 13:44:20 +00:00
Richard Levitte
afd41c9fc7
Add better support for FreeBSD on non-x86 machines.
...
Add specific support for FreeBSD on sparc64.
PR: 427
2003-01-12 04:43:44 +00:00
Richard Levitte
4a9476dd8d
When preparing a separate build tree, don't make softlinks to softlinks.
...
Add instructions in INSTALL, for easy access.
PR: 437
2003-01-10 10:56:14 +00:00
Richard Levitte
7a1c6aa2a3
It's rather silly to believe we'd release 0.9.7a in 2002 :-).
...
It's even more silly to pretend we know which year 0.9.8 will be
released.
2002-12-31 01:00:06 +00:00
Richard Levitte
948dcdb81b
Merge in changes from 0.9.7-stable.
2002-12-31 00:02:10 +00:00
Richard Levitte
08101d72ce
Merge in changes from 0.9.7-stable.
2002-12-30 23:56:09 +00:00
Lutz Jänicke
21cde7a41c
Fix wrong handling of session ID in SSLv2 client code.
...
PR: 377
2002-12-29 20:59:35 +00:00
Richard Levitte
9cd16b1dea
We stupidly had a separate LIBKRB5 variable for KRB5 library dependencies,
...
and then didn't support it very well. And that when there already is a
useful variable for exactly this kind of thing; EX_LIBS...
2002-12-19 22:10:12 +00:00
Richard Levitte
a1457874c6
OK, there's at least one application author who has provided dynamic locking
...
callbacks
2002-12-13 07:30:53 +00:00
Richard Levitte
14676ffcd6
Document the modifications in 0.9.7 that will make the hw_ncipher.c
...
engine work properly even in bad situations.
2002-12-12 17:40:15 +00:00
Richard Levitte
fdaea9ed2e
Since it's defined in draft-ietf-tls-compression-04.txt, let's make
...
ZLIB a known compression method, with the identity 1.
2002-12-08 09:31:41 +00:00
Geoff Thorpe
e9224c7177
This is a first-cut at improving the callback mechanisms used in
...
key-generation and prime-checking functions. Rather than explicitly passing
callback functions and caller-defined context data for the callbacks, a new
structure BN_GENCB is defined that encapsulates this; a pointer to the
structure is passed to all such functions instead.
This wrapper structure allows the encapsulation of "old" and "new" style
callbacks - "new" callbacks return a boolean result on the understanding
that returning FALSE should terminate keygen/primality processing. The
BN_GENCB abstraction will allow future callback modifications without
needing to break binary compatibility nor change the API function
prototypes. The new API functions have been given names ending in "_ex" and
the old functions are implemented as wrappers to the new ones. The
OPENSSL_NO_DEPRECATED symbol has been introduced so that, if defined,
declaration of the older functions will be skipped. NB: Some
openssl-internal code will stick with the older callbacks for now, so
appropriate "#undef" logic will be put in place - this is in case the user
is *building* openssl (rather than *including* its headers) with this
symbol defined.
There is another change in the new _ex functions; the key-generation
functions do not return key structures but operate on structures passed by
the caller, the return value is a boolean. This will allow for a smoother
transition to having key-generation as "virtual function" in the various
***_METHOD tables.
2002-12-08 05:24:31 +00:00
Richard Levitte
43ecece595
Merge in relevant changes from the OpenSSL 0.9.6h release.
2002-12-05 21:50:13 +00:00
Dr. Stephen Henson
2053c43de2
In asn1_d2i_read_bio, don't assume BIO_read will
...
return the requested number of bytes when reading
content.
2002-12-03 23:50:59 +00:00
Richard Levitte
df29cc8f77
Add OPENSSL_cleanse() to help cleanse memory and avoid certain compiler
...
and linker optimizations.
PR: 343
2002-11-27 12:24:05 +00:00
Richard Levitte
17582ccf21
Heimdal isn't really supported right now. Say so, and offer a possibility
...
to force the use of Heimdal, and warn if that's used.
PR: 346
2002-11-26 10:11:58 +00:00
Lutz Jänicke
6a8afe2201
Fix bug introduced by the attempt to fix client side external session
...
caching (#288 ): now internal caching failed (#351 ):
Make sure, that cipher_id is set before comparing.
Submitted by:
Reviewed by:
PR: 288 (and 351)
2002-11-20 10:48:58 +00:00
Richard Levitte
20199ca809
Document the addition of certificate pairs.
2002-11-18 23:56:15 +00:00
Richard Levitte
0bf23d9b20
WinCE patches
2002-11-15 22:37:18 +00:00
Richard Levitte
6f17f16fd5
Changes to make shared library building and use work better with Cygwin
2002-11-15 16:48:38 +00:00
Richard Levitte
84034f7aec
Document the change to remove the 'done' flag variable in the
...
OpenSSL_add_all_*() routines
2002-11-15 13:58:11 +00:00
Richard Levitte
0a5942093e
We need to read one more byte of the REQUEST-CERTIFICATE message.
...
PR: 300
2002-11-15 09:15:55 +00:00
Bodo Möller
2b2ab52354
harmonize with 0.9.7 tree
2002-11-14 12:17:47 +00:00
Richard Levitte
83411793b6
Handle last lines that aren't properly terminated.
...
PR: 308
2002-11-14 06:51:18 +00:00
Ben Laurie
54a656ef08
Security fixes brought forward from 0.9.7.
2002-11-13 15:43:43 +00:00
Richard Levitte
c81a15099a
X509_NAME_cmp() now compares PrintableString and emailAddress with a value of type
...
ia5String correctly.
PR: 244
2002-11-09 21:52:20 +00:00
Bodo Möller
b53e44e572
implement and use new macros BN_get_sign(), BN_set_sign()
...
Submitted by: Nils Larsch
2002-11-04 13:17:22 +00:00
Geoff Thorpe
9c3db400dc
The recent CHANGES note between 0.9.6g and 0.9.6h needs copying into the
...
other branches.
2002-10-29 18:01:08 +00:00
Bodo Möller
19b8d06a79
clean up new code for NIST primes
...
create new lock CRYPTO_LOCK_BN to avoid race condition
2002-10-28 14:02:19 +00:00
Bodo Möller
5c6bf03117
fast reduction for NIST curves
...
Submitted by: Nils Larsch
2002-10-28 13:23:24 +00:00
Richard Levitte
874fee478c
Clarify where the engines are by default.
2002-10-12 16:07:31 +00:00
Richard Levitte
6f7c2cb31e
Step 14 of move of engines: Final step, document the change.
2002-10-11 22:06:44 +00:00
Bodo Möller
3e06fb754e
synchronize with 0.9.7-stable version of this file
2002-10-11 17:56:34 +00:00
Richard Levitte
30afcc072a
Move the shared library construction stuff to Makefile.shared, a
...
helper makefile that generalises our way of building shared libraries
and is designed to take care of almost anything (I hope).
2002-10-11 00:37:11 +00:00
Richard Levitte
7ba3a4c3d2
RFC 2712 redefines the codes for use of Kerberos 5 in SSL/TLS.
...
PR: 189
2002-10-10 07:59:03 +00:00
Dr. Stephen Henson
fc6a6a1030
Add version info to Win32 DLLs.
...
We might want to edit the strings a bit...
Maybe add to 0.9.7 too?
2002-10-04 21:22:47 +00:00
Dr. Stephen Henson
9a48b07ee4
Various enhancements to PKCS#12 code, new
...
medium level API, improved PKCS12_create
and additional functionality in pkcs12
utility.
2002-10-03 23:53:52 +00:00
Dr. Stephen Henson
230fd6b7b6
Preliminary streaming ASN1 encode support.
2002-10-03 12:38:52 +00:00
Bodo Möller
929f116733
fix more race conditions
...
Submitted by: "Patrick McCormick" <patrick@tellme.com>
PR: 262
2002-09-26 15:52:34 +00:00
Bodo Möller
b8565a9af9
really fix race conditions
...
Submitted by: "Patrick McCormick" <patrick@tellme.com>
PR: 262
PR: 291
2002-09-25 15:38:57 +00:00
Bodo Möller
e78f137899
really fix race condition
...
PR: 262
2002-09-23 14:25:07 +00:00
Bodo Möller
a4f53a1c73
there is no minimum length for session IDs
...
PR: 274
2002-09-19 11:44:07 +00:00
Bodo Möller
a90ae02454
fix race condition
...
PR: 262
2002-09-19 11:26:45 +00:00
Bodo Möller
9226e2187c
Let 'openssl req' fail if an argument to '-newkey' is not
...
recognized instead of using RSA as a default.
2002-09-10 07:34:45 +00:00
Bodo Möller
ba11121731
-nameopt fix has been moved to 0.9.7
2002-09-02 14:22:51 +00:00
Bodo Möller
ed5e37c309
mention EC_get_builtin_curves()
2002-09-02 07:12:08 +00:00
Dr. Stephen Henson
fc85ac20c7
Make -nameopt work in req and add support for -reqopt
2002-08-22 23:43:48 +00:00
Lutz Jänicke
82a20fb0f0
Reorder cleanup sequence in SSL_CTX_free() to leave ex_data for remove_cb().
...
Submitted by:
Reviewed by:
PR: 212
2002-08-16 17:04:04 +00:00
Dr. Stephen Henson
3f6db7f518
Fix block_size field for CFB and OFB modes: it should be 1.
2002-08-16 01:53:24 +00:00
Bodo Möller
7eb18f1237
Simplify handling of named curves: get rid of EC_GROUP_new_by_name(),
...
EC_GROUP_new_by_nid() should be enough. This avoids a lot of
redundancy.
Submitted by: Nils Larsch
2002-08-15 09:21:31 +00:00
Bodo Möller
749d055eba
move a TODO from CHANGES to STATUS
2002-08-14 11:07:29 +00:00
Bodo Möller
49a0f77867
add 'TODO' items
2002-08-14 10:49:29 +00:00
Dr. Stephen Henson
2af52de7b5
Fix typo in OBJ_txt2obj which incorrectly passed the content
...
length, instead of the encoding length to d2i_ASN1_OBJECT.
This wasn't visible before becuse ASN1_get_object() used
to read past the length of the supplied buffer.
2002-08-14 00:48:02 +00:00
Bodo Möller
8e28c67155
add 0.9.6g information
2002-08-12 08:45:00 +00:00
Bodo Möller
ea26226046
ECC ciphersuite support
...
Submitted by: Douglas Stebila <douglas.stebila@sun.com>
(Authors: Vipul Gupta and Sumit Gupta, Sun Microsystems Laboratories)
2002-08-09 08:56:08 +00:00
Bodo Möller
e172d60ddb
Add ECDH support.
...
Additional changes:
- use EC_GROUP_get_degree() in apps/req.c
- add ECDSA and ECDH to apps/speed.c
- adds support for EC curves over binary fields to ECDSA
- new function EC_KEY_up_ref() in crypto/ec/ec_key.c
- reorganize crypto/ecdsa/ecdsatest.c
- add engine support for ECDH
- fix a few bugs in ECDSA engine support
Submitted by: Douglas Stebila <douglas.stebila@sun.com>
2002-08-09 08:43:04 +00:00
Richard Levitte
fbe792f0ac
0.9.6f is released
2002-08-08 22:55:28 +00:00
Dr. Stephen Henson
f908226898
Fix the ASN1 sanity check: correct header length
...
calculation and check overflow against LONG_MAX.
2002-08-02 18:48:55 +00:00
Bodo Möller
909abce800
disable Sun divison algorithm by default
2002-08-02 18:26:02 +00:00
Bodo Möller
95ecacf8a2
Let BN_rand_range() abort with an error after 100 iterations
...
without success.
2002-08-02 15:02:03 +00:00
Bodo Möller
6fb60a84dd
Change BN_mod_sqrt() so that it verifies that the input value is
...
really the square of the return value.
2002-08-02 14:57:53 +00:00
Bodo Möller
35b73a1f20
Rename implementations of method functions so that they match
...
the new method names where _GF... suffixes have been removed.
Revert changes to ..._{get/set}_Jprojective_coordinates_...:
The current implementation for ECC over binary fields does not use
projective coordinates, and if it did, it would not use Jacobian
projective coordinates; so it's OK to use the ..._GFp prefix for all
this.
Add author attributions to some files so that it doesn't look
as if Sun wrote all of this :-)
2002-08-02 14:28:37 +00:00
Bodo Möller
9e4f9b36fc
typos
2002-08-02 13:52:19 +00:00
Bodo Möller
7793f30e09
add support for elliptic curves over binary fields
...
Submitted by: Duglas Stebila <douglas.stebila@sun.com>,
Sheueling Chang <sheueling.chang@sun.com>
(CHANGES entries by Bodo Moeller)
2002-08-02 13:42:24 +00:00
Bodo Möller
1dc920c8de
Binary field arithmetic contributed by Sun Microsystems.
...
The 'OPENSSL_NO_SUN_DIV' default is still subject to change,
so I didn't bother to finish the CHANGES entry yet.
Submitted by: Douglas Stebila <douglas.stebila@sun.com>, Sheueling Chang <sheueling.chang@sun.com>
(CHANGES entry by Bodo Moeller)
2002-08-02 13:03:55 +00:00
Bodo Möller
16dc1cfb5c
Add more WAP/WTLS elliptic curve OIDs.
...
Submitted by: Douglas Stebila <douglas.stebila@sun.com>
2002-08-02 12:28:34 +00:00
Bodo Möller
5574e0ed41
get rid of OpenSSLDie
2002-08-02 11:48:15 +00:00
Lutz Jänicke
c046fffa16
OpenSSL Security Advisory [30 July 2002]
...
Changes marked "(CHATS)" were sponsored by the Defense Advanced
Research Projects Agency (DARPA) and Air Force Research Laboratory,
Air Force Materiel Command, USAF, under agreement number
F30602-01-2-0537.
2002-07-30 13:04:04 +00:00
Richard Levitte
f013c7f2a6
Document the recent DJGPP-related changes
2002-07-23 13:45:38 +00:00
Bodo Möller
648765ba2f
add an explanation and fix a typo
2002-07-22 08:39:44 +00:00
Lutz Jänicke
c6ccf055ba
New cipher selection options COMPLEMENTOFALL and COMPLEMENTOFDEFAULT.
...
Submitted by:
Reviewed by:
PR: 127
2002-07-19 19:55:34 +00:00
Richard Levitte
041843e47e
For those wanting to build for several platforms with the same source
...
directory, making a separate directory tree with lots of symbolic links
seems to be the solution. Unfortunately, Configure doesn't take appropriate
steps to support this solution (as in removing a file that's going to be
rewritten). This change corrects that situation. Now I just have to
find all other places where there's lack of support for this.
2002-07-16 09:19:37 +00:00
Bodo Möller
5dbd3efce7
Replace 'ecdsaparam' commandline utility by 'ecparam'
...
(the same keys can be used for ECC schemes other than ECDSA)
and add some new options.
Similarly, use string "EC PARAMETERS" instead of "ECDSA PARAMETERS"
in 'PEM' format.
Fix ec_asn1.c (take into account the desired conversion form).
'make update'.
Submitted by: Nils Larsch
2002-07-14 16:54:31 +00:00
Lutz Jänicke
063a8905bf
Ciphers with NULL encryption were not properly handled because they were
...
not covered by the strength bit mask.
Submitted by:
Reviewed by:
PR: 130
2002-07-10 06:41:55 +00:00
Bodo Möller
ea4f109c99
AES cipher suites are now official (RFC3268)
2002-07-04 08:51:09 +00:00
Bodo Möller
76f8a1f51d
update an entry on EVP changes
2002-06-26 14:21:16 +00:00
Geoff Thorpe
a6c6874a1a
Make sure any ENGINE control commands make local copies of string
...
pointers passed to them whenever necessary. Otherwise it is possible the
caller may have overwritten (or deallocated) the original string data
when a later ENGINE operation tries to use the stored values.
Submitted by: Götz Babin-Ebell <babinebell@trustcenter.de>
Reviewed by: Geoff Thorpe
PR: 98
2002-06-21 02:38:08 +00:00
Bodo Möller
5f3d6f70f6
Implement handling of EC parameter seeds (new functions
...
EC_GROUP_set_seed(), EC_GROUP_get0_seed(), EC_GROUP_get_seed_len()).
New functions ECPKParameters_print(), ECPKParameters_print_fp().
Submitted by: Nils Larsch
2002-06-18 08:38:59 +00:00
Bodo Möller
c21506ba02
New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC
...
vulnerability workaround (included in SSL_OP_ALL).
PR: #90
2002-06-14 12:21:11 +00:00
Lutz Jänicke
e1f7ea25d2
Make change uniqueIdentifier -> x500UniqueIdentifier clearly visible.
...
Submitted by:
Reviewed by:
PR: 82
2002-06-12 20:46:38 +00:00
Bodo Möller
b8e0e12399
typo
2002-06-12 14:19:01 +00:00
Bodo Möller
254ef80db1
simplify asn1_flag
...
Submitted by: Nils Larsch
Reviewed by: Bodo Moeller
2002-06-12 14:01:17 +00:00
Ben Laurie
d15711efc6
Handle read errors.
2002-06-11 12:41:37 +00:00
Bodo Möller
458c29175e
move ECC ASN1 that is not specific to ECDSA into crypto/ec/,
...
and make some appropriate changes to the EC library.
Submitted by: Nils Larsch
2002-06-10 12:18:21 +00:00
Richard Levitte
fbb56e5b1d
Document the AES changes.
2002-05-31 13:16:10 +00:00
Bodo Möller
6cbe638294
New functions EC_POINT_point2bn(), EC_POINT_bn2point(), EC_POINT_point2hex(), EC_POINT_hex2point()
...
Submitted by: Nils Larsch
2002-05-30 13:16:03 +00:00
Bodo Möller
46ffee4792
fix EVP_dsa_sha macro
...
Submitted by: Nils Larsch
2002-05-16 12:51:18 +00:00
Dr. Stephen Henson
544a2aea4b
Zero cipher_data in EVP_CIPHER_CTX_cleanup
...
Add cleanup calls to evp_test.c
Allow reuse of cipher contexts by removing
automatic cleanup in EVP_*Final().
2002-05-15 18:49:25 +00:00
Dr. Stephen Henson
dc014d43af
Fallback to normal multiply if n2 == 8 and dna or dnb is not zero
...
in bn_mul_recursive.
This is (hopefully) what was triggering bignum errors on 64 bit
platforms and causing the BN_mod_mul test to fail.
2002-05-10 22:18:13 +00:00
Bodo Möller
b6db386ffd
Change internals of the EC library so that the functions
...
EC_GROUP_{set_generator,get_generator,get_order,get_cofactor} are
implemented directly in crypto/ec/ec_lib.c and not dispatched to
methods.
Also fix EC_GROUP_copy to copy the NID.
2002-05-08 11:54:24 +00:00
Bodo Möller
f257d984b7
refer to latest draft for AES ciphersuites
2002-05-07 07:55:36 +00:00
Bodo Möller
47234cd3d2
update
2002-05-05 23:47:46 +00:00
Lutz Jänicke
c0455cbb18
Fix escaping when using the -subj option of "openssl req", document
...
'hidden' -nameopt support. (Robert Joop <joop@fokus.gmd.de>)
2002-04-30 12:08:18 +00:00
Bodo Möller
8df61b5011
Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
...
encoded as NULL) with id-dsa-with-sha1.
Submitted by: Nils Larsch
2002-04-26 08:28:34 +00:00
Bodo Möller
1064acafc4
check return values
...
Submitted by: Nils Larsch
2002-04-17 09:31:34 +00:00
Lutz Jänicke
e9cbcb1d98
Document OID changes.
2002-04-15 14:18:30 +00:00
Lutz Jänicke
30911232c1
Some more OID enhancements.
2002-04-15 10:41:38 +00:00
Lutz Jänicke
2940a1298e
Fix CRLF problem in BASE64 decode.
2002-04-15 09:55:40 +00:00
Bodo Möller
82b0bf0b87
Implement known-IV countermeasure.
...
Fix length checks in ssl3_get_client_hello().
Use s->s3->in_read_app_data differently to fix ssl3_read_internal().
2002-04-13 22:47:20 +00:00
Bodo Möller
08b977b5a5
looks like a typo
2002-04-12 13:52:40 +00:00
Bodo Möller
85fb12d554
clean up and synchronize with 0.9.6-stable
2002-04-12 13:45:29 +00:00
Lutz Jänicke
381a146dc6
Synchronize with 0.9.7-stable branch
2002-04-10 19:52:40 +00:00
Bodo Möller
4f4b192402
add usage examples
2002-04-09 11:54:24 +00:00
Lutz Jänicke
4825092bbe
Fix buggy object definitions (Svenning Sorensen <sss@sss.dnsalias.net>).
2002-04-04 17:48:37 +00:00
Lutz Jänicke
ffbe98b763
Make short names of objects RFC2256-compliant.
2002-03-26 17:18:48 +00:00
Richard Levitte
0d81c69b8e
Add the possibility to enable olde des support, not just disable it, for future support. Redocument
2002-03-26 14:28:04 +00:00
Bodo Möller
82652aaf17
fix DH_generate_parameters for general 'generator'
2002-03-20 16:04:04 +00:00
Lutz Jänicke
11c26ecf81
Map new X509 verification errors to alert codes (Tom Wu <tom@arcot.com>).
2002-03-19 16:42:09 +00:00
Bodo Möller
af28dd6c75
Fix bugs and typos.
...
Add some WTLS curves.
New function EC_GROUP_check() (this will probably
be implemented differently soon).
Submitted by: Nils Larsch
Reviewed by: Bodo Moeller
2002-03-18 13:10:45 +00:00
Bodo Möller
304d90425f
fix ssl3_pending
2002-03-15 10:52:32 +00:00
Lutz Jänicke
bfaa8a89e1
Add missing strength entries.
2002-03-14 18:53:15 +00:00
Bodo Möller
9bc448546e
Add more curves.
...
Submitted by: Nils Larsch
Remove unnecessary 'const'.
2002-03-07 12:14:03 +00:00
Dr. Stephen Henson
0dc092334b
ENGINE module additions.
...
Add "init" command to control ENGINE
initialization.
Call ENGINE_finish on initialized ENGINEs on exit.
Reorder shutdown in apps.c: modules should be shut
down first.
Add test private key loader to openssl ENGINE: this
just loads a private key in PEM format.
Fix print format for dh length parameter.
2002-03-06 14:15:13 +00:00
Bodo Möller
36c194638e
add SECG OIDs
...
Submitted by: Nils Larsch
2002-03-06 13:47:32 +00:00
Bodo Möller
45fb737950
reference counting for EC_GROUP structures is not needed (at the
...
moment at least), so remove it
2002-03-06 09:46:17 +00:00
Bodo Möller
2d9b1b3ffa
more X9.62 OIDs
...
Submitted by: Nils Larsch <nla@trustcenter.de>
2002-03-05 12:39:19 +00:00
Richard Levitte
0d22b5dace
Document the added modes for AES
2002-02-28 11:29:55 +00:00
Bodo Möller
023ec151df
Add 'void *' argument to app_verify_callback.
...
Submitted by: D. K. Smetters <smetters@parc.xerox.com>
Reviewed by: Bodo Moeller
2002-02-28 10:52:56 +00:00
Geoff Thorpe
92d1bc09cb
This adds a new ENGINE to support IBM 4758 cards, contributed by Maurice
...
Gittens.
2002-02-27 22:55:28 +00:00
Lutz Jänicke
334f1842fc
Make sure to remove bad sessions in SSL_clear() (found by Yoram Zahavi).
2002-02-26 21:40:09 +00:00
Dr. Stephen Henson
e84be9b495
New OPENSSL_LOAD_CONF define to load openssl.cnf
...
when OpenSSL_add_all_algorithms() is called.
2002-02-23 01:00:44 +00:00
Dr. Stephen Henson
3647bee263
Config code updates.
...
CONF_modules_unload() now calls CONF_modules_finish()
automatically.
Default use of section openssl_conf moved to
CONF_modules_load()
Load config file in several openssl utilities.
Most utilities now load modules from the config file,
though in a few (such as version) this isn't done
because it couldn't be used for anything.
In the case of ca and req the config file used is
the same as the utility itself: that is the -config
command line option can be used to specify an
alternative file.
2002-02-22 14:01:21 +00:00
Dr. Stephen Henson
92f91ff48b
Config file updates from stable branch
2002-02-21 00:54:54 +00:00
Bodo Möller
f8e21776f9
typo
2002-02-20 12:38:00 +00:00
Richard Levitte
49e045482a
At Corinna Vinschen's request, change CygWin32 to Cygwin
2002-02-14 12:28:24 +00:00
Bodo Möller
4d94ae00d5
ECDSA support
...
Submitted by: Nils Larsch <nla@trustcenter.de>
2002-02-13 18:21:51 +00:00
Richard Levitte
0caec9e8f8
Modify the main trunk version to 0.9.8-dev.
...
0.9.7 now lives in the branch OpenSSL_0_9_7-stable.
2002-02-13 17:46:38 +00:00
Richard Levitte
1fe198b6f9
Update the configuration of CygWin32 to use the new capabilities of
...
CygWin 1.3.x, which includes thread and shared library support.
Submitted by Corinna Vinschen <vinschen@redhat.com> and modified a
little bit.
2002-02-13 14:44:33 +00:00
Lutz Jänicke
acfe628b6e
Make removal from session cache more robust.
2002-02-10 12:46:41 +00:00
Lutz Jänicke
4de920c91d
Do not store unneeded data.
2002-02-08 15:15:04 +00:00
Richard Levitte
3cd039dd8f
Add notes on the added support for aep and sureware crypto cards in
...
0.9.7.
2002-02-07 22:15:53 +00:00
Richard Levitte
b9a3ef4c6e
ASN1_BIT_STRING_set_bit() didn't clear previously set bits
2002-02-03 21:31:41 +00:00
Richard Levitte
1199e2d8cf
Apply patch from Toomas Kiisk <vix@cyber.ee> and complete it.
2002-01-29 12:36:01 +00:00
Richard Levitte
a3fffd648b
Add old patch from Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> to
...
make it possible to produce shared libraries on ReliantUNIX.
2002-01-26 03:17:27 +00:00
Richard Levitte
2d57b73a50
I got a request to make the "old des" symbols more closely tied to
...
OpenSSL. Adding '_ossl' in the name seems to be a good way to do
this.
2002-01-26 01:14:09 +00:00
Richard Levitte
f14845d999
Apply Neale Ferguson's patch to add a configuration target for linux-s390x
2002-01-25 22:06:59 +00:00
Richard Levitte
80bb905d3d
Apply the following changes by Toomas Kiisk <vix@cyber.ee>:
...
* make openssl rsa work with -engine chil
* misc changes, including debug-linux-ppro Configure target
and FORMAT_NETSCAPE-aware load_{,pub}key()
This completes the application of his changes.
2002-01-25 19:43:52 +00:00
Richard Levitte
8242a6a9fc
Document the change in rsautl.
2002-01-25 17:00:56 +00:00
Bodo Möller
a14e2d9dfe
New functions
...
ERR_peek_last_error
ERR_peek_last_error_line
ERR_peek_last_error_line_data
(supersedes ERR_peek_top_error).
Rename OPENSSL_NO_OLD_DES_SUPPORT into OPENSSL_DISABLE_OLD_DES_SUPPORT
because OPENSSL_NO_... indicates disabled algorithms (according to
mkdef.pl).
2002-01-24 16:16:43 +00:00
Bodo Möller
a8b94d6409
Reword CHANGES entry for _old_des_..., as it was a little complicated
...
syntactically.
2002-01-24 14:05:55 +00:00
Richard Levitte
1285221370
To avoid all kinds of link-level clashes, rename all old des_*
...
functions to _old_des_*.
2002-01-24 12:26:50 +00:00
Lutz Jänicke
9b2f486c9e
Document the current behaviour of the DES interface.
2002-01-23 10:12:45 +00:00
Dr. Stephen Henson
df5eaa8a52
default_algorithms option in ENGINE config.
2002-01-22 01:40:18 +00:00
Dr. Stephen Henson
c9501c223f
Initial ENGINE config module, docs to follow.
...
Fix buffer overrun errors in OPENSSL_conf().
2002-01-21 03:02:36 +00:00
Bodo Möller
8c74b5e56c
Bugfix: In ssl3_accept, don't use a local variable 'got_new_session'
...
to indicate that a real handshake is taking place (the value will be
lost during multiple invocations). Set s->new_session to 2 instead.
2002-01-14 23:40:26 +00:00
Bodo Möller
c59ba5b528
Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c) if
...
the SSL_R_LENGTH_MISMATCH error is detected.
2002-01-14 12:37:59 +00:00
Dr. Stephen Henson
bc37d996fc
Experimental configuration code.
...
Incomplete, largely untested and subject to change/deletion.
2002-01-05 01:37:16 +00:00
Bodo Möller
d59fb0dd2f
Changes that break something should be included in CHANGES
...
to make it easier to fix things.
2002-01-04 13:27:52 +00:00
Bodo Möller
e5d6528a12
fix EVP_CIPHER_mode macro
...
Submitted by: "Dan S. Camper" <dan@bti.net>
2002-01-04 13:04:45 +00:00
Richard Levitte
6f9079fd50
Because Rijndael is more known as AES, use crypto/aes instead of
...
crypto/rijndael. Additionally, I applied the AES integration patch
from Stephen Sprunk <stephen@sprunk.org> and fiddled it to work
properly with the normal EVP constructs (and incidently work the same
way as all other symmetric cipher implementations).
This results in an API that looks a lot like the rest of the OpenSSL
cipher suite.
2002-01-02 16:55:35 +00:00
Ulf Möller
dcbbf83dba
ssl3_read_bytes bug fix
...
Submitted by: D P Chang <dpc@qualys.com>
Reviewed by: Bodo
2001-12-28 17:14:35 +00:00
Bodo Möller
3c89d78dba
update FAQ and CHANGES file (0.9.6c has been released)
2001-12-21 12:29:52 +00:00
Ben Laurie
7c517a04b1
Security fix.
2001-12-20 12:18:08 +00:00
Bodo Möller
b5348a095d
consistency with 0.9.6 stable "CHANGES"
2001-12-17 19:11:03 +00:00
Bodo Möller
66df02fd98
fix BN_rand_range
2001-12-14 10:09:29 +00:00
Dr. Stephen Henson
f3e24baddf
Don't overwrite signing time.
2001-12-07 00:36:32 +00:00
Bodo Möller
35e25255e0
crypto/objects stuff
2001-12-03 14:03:23 +00:00
Dr. Stephen Henson
21a85f1977
Add -pubkey option to req command.
2001-12-01 23:03:30 +00:00
Bodo Möller
898f856c44
info on 0.9.6 engine branch
2001-11-23 21:12:44 +00:00
Bodo Möller
883b0c2274
fix submitted by Andy Schneider <andy.schneider@bjss.co.uk>
...
(in main branch, hn_ncipher.c is already correct)
2001-11-23 20:58:40 +00:00
Bodo Möller
1d4581c2dd
OS/390 support
...
Submitted by: Richard Shapiro <rshapiro@abinitio.com>
2001-11-22 11:09:42 +00:00
Bodo Möller
76c4336c43
wNAFs use does not bring that much performance on Sparcs (where
...
elliptic curves are are relatively faster than on PCs anyway)
2001-11-16 12:02:01 +00:00
Bodo Möller
3ba1f11147
Improve EC efficiency.
2001-11-15 22:32:11 +00:00
Bodo Möller
1b28ed575b
consistency between main branch and stable branch
2001-11-14 21:17:39 +00:00
Bodo Möller
b26ca3408c
synchronise with 0.9.6 stable branch
2001-11-12 23:22:29 +00:00
Bodo Möller
83978bd37a
information on 0.9.6c-engine
2001-11-12 22:10:15 +00:00
Bodo Möller
c5571db0c2
Add unixware-7-gcc as in 0.9.6 branch (except that we need a 'sys_id'
...
field here, which is left empty).
Various configurations are *only* in the 0.9.6 branch at the moment:
OpenUNIX
OpenUNIX-8-gcc-shared
OpenUNIX-8-shared
Either Configure or CHANGES must be changed to rectify the situation.
2001-11-12 15:31:39 +00:00
Bodo Möller
7aa983c6db
Order chronologically: move entry for recent s2_clnt.c/s2_srvr.c fixes
...
(nearly) to the top.
Move msg_callback entry to the top as the implementation for SSL 2.0
is based on the s2_clnt.c/s2_srvr.c changes.
2001-11-10 15:14:00 +00:00
Bodo Möller
2b90b1f344
make code a little more similar to what it looked like before the fixes,
...
call ssl2_part_read again to parse error message
2001-11-10 10:44:15 +00:00
Bodo Möller
cf82191d77
Implement msg_callback for SSL 2.0.
...
Important SSL 2.0 bugfixes (bugs found while implementing msg_callback).
2001-11-10 01:16:28 +00:00
Richard Levitte
a7b42009c4
Change the shared library support so the shared libraries get built
...
sooner and the programs get built against the shared libraries.
This requires a bit more work. Things like -rpath and the possibility
to still link the programs statically should be included. Some
cleanup is also needed. This will be worked on.
2001-10-30 08:00:59 +00:00
Dr. Stephen Henson
7d5b04db4e
Add support for Subject Info Acess extension.
2001-10-27 00:16:53 +00:00
Bodo Möller
48b0cf8b10
Note BUF_MEM_grow() consistency fix.
2001-10-26 14:06:33 +00:00
Bodo Möller
c602e7f4e8
disable caching in BIO_gethostbyname
2001-10-26 13:04:23 +00:00
Dr. Stephen Henson
1fc6d41bf6
New options to allow req to accept UTF8 strings as input.
2001-10-26 12:40:38 +00:00
Ben Laurie
0e21156333
Add paralellism to speed - note that this currently causes a weird memory leak.
2001-10-25 14:27:17 +00:00
Bodo Möller
89da653fa6
Add '-noemailDN' option to 'openssl ca'. This prevents inclusion of
...
the e-mail address in the DN (i.e., it will go into a certificate
extension only). The new configuration file option 'email_in_dn = no'
has the same effect.
Submitted by: Massimiliano Pala madwolf@openca.org
2001-10-25 08:25:19 +00:00
Bodo Möller
ba1c602281
Assume TLS 1.0 when ClientHello fragment is too short.
2001-10-25 06:09:51 +00:00
Richard Levitte
c2e4f17c1a
Due to an increasing number of clashes between modern OpenSSL and
...
libdes (which is still used out there) or other des implementations,
the OpenSSL DES functions are renamed to begin with DES_ instead of
des_. Compatibility routines are provided and declared by including
openssl/des_old.h. Those declarations are the same as were in des.h
when the OpenSSL project started, which is exactly how libdes looked
at that time, and hopefully still looks today.
The compatibility functions will be removed in some future release, at
the latest in version 1.0.
2001-10-24 21:21:12 +00:00
Bodo Möller
979689aa5c
Fix SSL handshake functions and SSL_clear() such that SSL_clear()
...
never resets s->method to s->ctx->method when called from within
one of the SSL handshake functions.
2001-10-24 19:03:22 +00:00
Dr. Stephen Henson
50d194af4d
Sanitize CHANGES entry.
2001-10-23 00:54:58 +00:00
Dr. Stephen Henson
f1558bb424
Reject certificates with unhandled critical extensions.
2001-10-21 02:09:15 +00:00
Bodo Möller
a661b65357
New functions SSL[_CTX]_set_msg_callback().
...
New macros SSL[_CTX]_set_msg_callback_arg().
Message callback imlementation for SSL 3.0/TLS 1.0 (no SSL 2.0 yet).
New '-msg' option for 'openssl s_client' and 'openssl s_server'
that enable a message callback that displays all protocol messages.
In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert if
client_version is smaller than the protocol version in use.
Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0
if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the
client will at least see that alert.
Fix SSL[_CTX]_ctrl prototype (void * instead of char * for generic
pointer).
Add/update some OpenSSL copyright notices.
2001-10-20 17:56:36 +00:00
Dr. Stephen Henson
581f1c8494
Modify EVP cipher behaviour in a similar way
...
to digests to retain compatibility.
2001-10-17 00:37:12 +00:00
Dr. Stephen Henson
20d2186c87
Retain compatibility of EVP_DigestInit() and EVP_DigestFinal()
...
with existing code.
Modify library to use digest *_ex() functions.
2001-10-16 01:24:29 +00:00
Bodo Möller
48948d53b6
Change ssl3_get_message and the functions using it so that complete
...
'Handshake' protocol structures are kept in memory, including
'msg_type' and 'length'.
(This is in preparation of future support for callbacks that get to
peek at handshake messages and the like.)
2001-10-15 19:49:25 +00:00
Richard Levitte
285046ec51
SSL_add_dir_cert_subjects_to_stack for Win32 finally implemented.
...
Submitted by Massimo Santin <msantin@santineassociati.com>.
2001-10-04 12:27:39 +00:00
Geoff Thorpe
07cee70258
Make an (overdue) note about the recent ENGINE restructuring. Apart from
...
a few items however, most of the details are deferred to the
crypto/engine/README file.
2001-10-01 15:56:25 +00:00
Dr. Stephen Henson
d46c1a8126
Support fractional seconds in GeneralizedTime
2001-09-28 00:44:44 +00:00
Richard Levitte
89eeccacde
Two changes:
...
1. if there are several symbols with the same entry number, sort those
symbols in ASCII order.
2. Do not stop reading the header files when "BEGIN ERROR CODES" is
found, since mkerr.pl will add a function declaration after that
comment. Instead, trigger on "Error codes for the \w+ function",
which is the actual start of the error code macros.
Additionally, a few more debugging printouts that helped.
2001-09-26 15:06:45 +00:00
Bodo Möller
3b0b5abae3
bugfix: handle HelloRequest received during handshake correctly
2001-09-21 11:18:40 +00:00
Bodo Möller
b49124f6d9
Disable session related stuff in SSL_ST_OK case of ssl3_accept if we
...
just sent a HelloRequest.
2001-09-21 07:01:25 +00:00
Bodo Möller
2260ad21fb
Bugfix: correct cleanup after sending a HelloRequest
2001-09-21 00:04:15 +00:00
Bodo Möller
6b0e9facf4
New function SSL_renegotiate_pending().
...
New option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
2001-09-20 22:54:09 +00:00
Bodo Möller
8e2f6b79ea
fix ssl3_accept: don't call ssl_init_wbio_buffer() in HelloRequest case
2001-09-20 21:37:13 +00:00
Bodo Möller
ee60d9fb28
Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
...
reveal whether illegal block cipher padding was found or a MAC
verification error occured.
In ssl/s2_pkt.c, verify that the purported number of padding bytes is in
the legal range.
2001-09-20 18:35:52 +00:00
Dr. Stephen Henson
96bd6f730a
Add certificate and request demos.
...
Fix X509V3 macro so they compile.
2001-09-12 00:19:20 +00:00
Lutz Jänicke
c0f5dd070b
Make maximum certifcate chain size accepted from the peer application
...
settable (proposed by "Douglas E. Engert" <deengert@anl.gov>).
2001-09-11 13:08:51 +00:00