Ben Laurie
801fea5f11
Constification.
2005-03-23 08:21:30 +00:00
Dr. Stephen Henson
d0edffc7da
FIPS algorithm blocking.
...
Non FIPS algorithms are not normally allowed in FIPS mode.
Any attempt to use them via high level functions will return an error.
The low level non-FIPS algorithm functions cannot return errors so they
produce assertion failures. HMAC also has to give an assertion error because
it (erroneously) can't return an error either.
There are exceptions (such as MD5 in TLS and non cryptographic use of
algorithms) and applications can override the blocking and use non FIPS
algorithms anyway.
For low level functions the override is perfomed by prefixing the algorithm
initalization function with "private_" for example private_MD5_Init().
For high level functions an override is performed by setting a flag in
the context.
2005-01-26 20:00:40 +00:00
Dr. Stephen Henson
a4c9668f3c
Automatically mark the CRL cached encoding as invalid when some operations
...
are performed.
2004-12-09 13:34:41 +00:00
Dr. Stephen Henson
da8534693c
Add lots of checks for memory allocation failure, error codes to indicate
...
failure and freeing up memory if a failure occurs.
PR:620
2004-12-05 01:04:44 +00:00
Dr. Stephen Henson
c98175bf88
In by_file.c check last error for no start line, not first error.
2004-12-04 21:26:11 +00:00
Dr. Stephen Henson
41191d14ce
Perform partial comparison of different character types in X509_NAME_cmp().
2004-12-01 01:45:57 +00:00
Richard Levitte
cd52956357
Make an explicit check during certificate validation to see that the
...
CA setting in each certificate on the chain is correct. As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
given)
2004-11-29 11:18:00 +00:00
Richard Levitte
a2617f727d
Don't use $(EXHEADER) directly in for loops, as most shells will break
...
if $(EXHEADER) is empty.
Notified by many, solution suggested by Carson Gaspar <carson@taltos.org>
2004-11-02 23:53:31 +00:00
Dr. Stephen Henson
8de8bcbe2c
Fix race condition when CRL checking is enabled.
2004-10-04 16:27:36 +00:00
Dr. Stephen Henson
ffa8e7b74c
Oops, forgot to reorder extension request nids.
2004-09-13 22:39:49 +00:00
Dr. Stephen Henson
8f349c58f7
Stop warning.
2004-09-10 20:27:45 +00:00
Dr. Stephen Henson
cfafb6a73d
When looking for request extensions in a certificate look first
...
for the PKCS#9 OID then the non standard MS OID.
2004-09-10 20:26:30 +00:00
Ben Laurie
3642f632d3
Pull FIPS back into stable.
2004-05-11 12:46:24 +00:00
Dr. Stephen Henson
01fc051e8a
Various X509 fixes. Disable broken certificate workarounds
...
when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.
2004-03-05 17:16:06 +00:00
Richard Levitte
a1d37a96df
Typo...
2004-01-22 22:36:48 +00:00
Richard Levitte
8ba5c63de9
Adding a slash between the directoryt and the file is a problem with
...
VMS. The C RTL can handle it well if the "directory" is a logical
name with no colon, therefore ending being 'logname/file'. However,
if the given logical names actually has a colon, or if you use a full
VMS-syntax directory, you end up with 'logname:/file' or
'dev:[dir1.dir2]/file', and that isn't handled in any good way.
So, on VMS, we need to check if the directory string ends with a
separator (one of ':', ']' or '>' (< and > can be used instead [ and
])), and handle that by not inserting anything between the directory
spec and the file name. In all other cases, it's assumed the
directory spec is a logical name, so we need to place a colon between
it and the file.
Notified by Kevin Greaney <kevin.greaney@hp.com>.
2004-01-10 18:04:36 +00:00
Richard Levitte
cc056d6395
Use sh explicitely to run point.sh
...
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 15:00:24 +00:00
Richard Levitte
394178c94c
Use BUF_strlcpy() instead of strcpy().
...
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:40:57 +00:00
Richard Levitte
753cbc2857
1024 is the export key bits limit according to current regulations, not 512.
...
PR: 771
Submitted by: c zhang <czhang2005@hotmail.com>
2003-11-28 22:39:23 +00:00
Geoff Thorpe
77cc150b61
Remove duplicate prototypes have already been (correctly) added to rsa.h,
...
as this is already included by x509.h anyway.
2003-11-19 05:18:54 +00:00
Dr. Stephen Henson
662ede2370
Fix for ASN1 parsing bugs.
2003-09-30 12:05:44 +00:00
Richard Levitte
4aae637f6c
We set the export flag for 512 *bit* keys, not 512 *byte* ones.
...
PR: 587
2003-06-19 18:55:56 +00:00
Richard Levitte
6e260c4093
Add an entry for X509_TRUST_OBJECT_SIGN in trstandard[].
...
PR: 617
2003-06-11 21:22:34 +00:00
Dr. Stephen Henson
476f09712c
Really get X509_CRL_CHECK_ALL right this time...
2003-06-04 00:40:47 +00:00
Bodo Möller
ce8a202831
fix typo
...
Submitted by: Nils Larsch
2003-04-22 12:44:58 +00:00
Dr. Stephen Henson
1e2b14e9ca
Get X509_V_FLAG_CRL_CHECK_ALL logic the right way round.
...
PR:544
2003-03-24 16:58:01 +00:00
Dr. Stephen Henson
4fe70c7812
Get X509_V_FLAG_CRL_CHECK_ALL logic the right way round.
...
PR:544
2003-03-24 16:57:08 +00:00
Dr. Stephen Henson
5250725ba5
Fix Certificate and CRL adding in X509_load_cert_crl_file:
...
an X509_INFO structure can contain more than one object,
for example a certififcate and a CRL.
2003-03-19 13:56:32 +00:00
Richard Levitte
2581aacd52
A memset() too many got converted into a OPENSSL_cleanse().
...
PR: 393
2002-12-10 08:26:10 +00:00
Richard Levitte
b3dd9f3bb5
SSL_CERT_FILE should be used in place of the system default file, not as
...
a first alternative to try
2002-12-05 21:07:35 +00:00
Richard Levitte
2589b74fd8
Make sure using SSL_CERT_FILE actually works, and has priority over system defaults.
...
PR: 376
2002-12-05 01:20:59 +00:00
Dr. Stephen Henson
e758ce69a3
Typo in X509v3_get_ext_by_critical
2002-12-04 00:14:00 +00:00
Richard Levitte
75e3026a14
Cleanse memory using the new OPENSSL_cleanse() function.
...
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:09:03 +00:00
Richard Levitte
c83d8e2ba6
A variable of type time_t is supposed to be a time measurement starting at
...
Epoch. offset isn't such a measurement, so let's stop pretend it is.
2002-11-18 13:04:29 +00:00
Ben Laurie
9831d941ca
Many security improvements (CHATS) and a warning fix.
2002-11-12 13:23:40 +00:00
Richard Levitte
8bcc049399
X509_NAME_cmp() now compares PrintableString and emailAddress with a value of type
...
ia5String correctly.
PR: 244
2002-11-09 21:55:12 +00:00
Richard Levitte
f6733ae577
makedepend complains when a header file is included more than once in
...
the same source file.
2002-10-14 09:53:46 +00:00
Richard Levitte
ff90d659e6
Use double dashes so makedepend doesn't misunderstand the flags we
...
give it.
For 0.9.7 and up, that means util/domd needs to remove those double
dashes from the argument list when gcc is used to find the
dependencies.
2002-10-09 13:21:33 +00:00
Dr. Stephen Henson
a98beb3a2d
Apply -nameopt patches to 0.9.7
2002-08-30 18:26:26 +00:00
Lutz Jänicke
3720ea24f0
"make update"
...
Submitted by:
Reviewed by:
PR:
2002-07-30 07:18:03 +00:00
Richard Levitte
ca55c617e5
Pass CFLAG to dependency makers, so non-standard system include paths are
...
handled properly.
Part of PR 75
2002-06-27 16:44:52 +00:00
Richard Levitte
421d474332
Increase internal security when using strncpy, by making sure the resulting string is NUL-terminated
2002-02-28 12:44:05 +00:00
Dr. Stephen Henson
14e14ea68c
Allow a NULL store parameter to X509_STORE_CTX_init().
2002-02-15 00:58:14 +00:00
Bodo Möller
4d7072f4b5
remove redundant ERR_load_... declarations
2001-12-17 19:22:23 +00:00
Dr. Stephen Henson
f1558bb424
Reject certificates with unhandled critical extensions.
2001-10-21 02:09:15 +00:00
Dr. Stephen Henson
98e6654938
Typo.
2001-10-20 16:22:28 +00:00
Dr. Stephen Henson
20d2186c87
Retain compatibility of EVP_DigestInit() and EVP_DigestFinal()
...
with existing code.
Modify library to use digest *_ex() functions.
2001-10-16 01:24:29 +00:00
Lutz Jänicke
e1c279b63d
Small documentation fixes (Howard Lum <howard@pumpkin.canada.sun.com>)
2001-10-08 08:37:24 +00:00
Richard Levitte
f8000b9345
'make update'
2001-10-04 07:49:09 +00:00
Richard Levitte
2aa9043ad3
Because there's chances we clash with the system's types.h, rename our
...
types.h to ossl_typ.h.
2001-10-04 07:32:46 +00:00