Dr. Stephen Henson
1708456220
don't add digest alias if signature algorithm is undefined
2010-03-06 20:47:30 +00:00
Dr. Stephen Henson
ff04bbe363
Add PSS algorithm printing. This is an initial step towards full PSS support.
...
Uses ASN1 module in Martin Kaiser's PSS patch.
2010-03-06 19:55:25 +00:00
Dr. Stephen Henson
148924c1f4
fix indent, newline
2010-03-06 18:14:13 +00:00
Dr. Stephen Henson
fa1ba589f3
Add algorithm specific signature printing. An individual ASN1 method can
...
now print out signatures instead of the standard hex dump.
More complex signatures (e.g. PSS) can print out more meaningful information.
Sample DSA version included that prints out the signature parameters r, s.
[Note EVP_PKEY_ASN1_METHOD is an application opaque structure so adding
new fields in the middle has no compatibility issues]
2010-03-06 18:05:05 +00:00
Dr. Stephen Henson
8c4ce7bab2
Fix memory leak: free up ENGINE functional reference if digest is not
...
found in an ENGINE.
2010-03-05 13:33:21 +00:00
Dr. Stephen Henson
bb845ee044
Add -engine_impl option to dgst which will use an implementation of
...
an algorithm from the supplied engine instead of just the default one.
2010-03-05 13:28:21 +00:00
Dr. Stephen Henson
b5cfc2f590
option to replace extensions with new ones: mainly for creating cross-certificates
2010-03-03 20:13:30 +00:00
Dr. Stephen Henson
ebaa2cf5b2
PR: 2183
...
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
2010-03-03 19:56:34 +00:00
Dr. Stephen Henson
cca1cd9a34
Submitted by: Tomas Hoger <thoger@redhat.com>
...
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
2010-03-03 15:41:18 +00:00
Dr. Stephen Henson
2c772c8700
don't mix definitions and code
2010-03-03 15:30:42 +00:00
Andy Polyakov
e7f5b1cd42
Initial version of Galois Counter Mode implementation. Interface is still
...
subject to change...
2010-03-02 16:33:25 +00:00
Andy Polyakov
80dfadfdf3
ppccap.c: portability fix.
2010-03-02 16:28:29 +00:00
Andy Polyakov
d8c7bd6e11
Fix s390x-specific HOST_l2c|c2l.
...
Submitted by: Andreas Krebbel
2010-03-02 16:23:40 +00:00
Dr. Stephen Henson
f84c85b0e3
PR: 2178
...
Submitted by: "Kennedy, Brendan" <brendan.kennedy@intel.com>
Handle error codes correctly: cryptodev returns 0 for success whereas OpenSSL
returns 1.
2010-03-01 23:54:47 +00:00
Dr. Stephen Henson
a05b8d0ede
use supplied ENGINE in genrsa
2010-03-01 14:22:21 +00:00
Dr. Stephen Henson
ff2fdbf2f8
oops, reinstate correct prototype
2010-03-01 03:01:27 +00:00
Dr. Stephen Henson
da3955256d
'typo'
2010-03-01 01:53:34 +00:00
Dr. Stephen Henson
5e28ccb798
make USE_CRYPTODEV_DIGESTS work
2010-03-01 01:19:18 +00:00
Dr. Stephen Henson
a6575572c6
load cryptodev if HAVE_CRYPTODEV is set too
2010-03-01 00:40:10 +00:00
Dr. Stephen Henson
c3951d8973
update cryptodev to match 1.0.0 stable branch version
2010-03-01 00:37:58 +00:00
Ben Laurie
19ec2f4194
Fix warnings (note that gcc 4.2 has a bug that makes one of its
...
warnings hard to fix without major surgery).
2010-02-28 14:22:56 +00:00
Dr. Stephen Henson
2b13f80360
algorithms field has changed in 1.0.0 and later: update
2010-02-28 00:24:04 +00:00
Dr. Stephen Henson
40c5eaeeec
oops, revert verify.c change
2010-02-27 23:03:26 +00:00
Dr. Stephen Henson
c1ca9d3238
Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and
...
1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."
2010-02-27 23:02:41 +00:00
Dr. Stephen Henson
48435b2098
include TVS 1.1 version string
2010-02-26 19:38:33 +00:00
Dr. Stephen Henson
37c541faed
Revert CFB block length change. Despite what SP800-38a says the input to
...
CFB mode does *not* have to be a multiple of the block length and several
other specifications (e.g. PKCS#11) do not require this.
2010-02-26 14:41:58 +00:00
Dr. Stephen Henson
0f776277bc
oops, use correct date
2010-02-26 12:13:36 +00:00
Dr. Stephen Henson
5814d829e6
update NEWS
2010-02-25 18:20:30 +00:00
Dr. Stephen Henson
f6bb465f87
update FAQ
2010-02-25 18:18:46 +00:00
Dr. Stephen Henson
db28aa86e0
add -trusted_first option and verify flag
2010-02-25 12:21:48 +00:00
Dr. Stephen Henson
2da2ff5065
tidy verify code. xn not used any more and check for self signed more efficiently
2010-02-25 11:18:26 +00:00
Dr. Stephen Henson
fbd2164044
Experimental support for partial chain verification: if an intermediate
...
certificate is explicitly trusted (using -addtrust option to x509 utility
for example) the verification is sucessful even if the chain is not complete.
2010-02-25 00:17:22 +00:00
Dr. Stephen Henson
04e4b82726
allow setting of verify names in command line utilities and print out verify names in verify utility
2010-02-25 00:11:32 +00:00
Dr. Stephen Henson
9b3d75706e
verify parameter enumeration functions
2010-02-25 00:08:23 +00:00
Dr. Stephen Henson
b1efb7161f
Include self-signed flag in certificates by checking SKID/AKID as well
...
as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
2010-02-25 00:01:38 +00:00
Dr. Stephen Henson
df4c395c6d
add anyExtendedKeyUsage OID
2010-02-24 15:53:58 +00:00
Dr. Stephen Henson
385a488c43
prevent warning
2010-02-24 15:24:19 +00:00
Andy Polyakov
ea746dad5e
Reserve for option to implement AES counter in assembler.
2010-02-23 16:51:24 +00:00
Andy Polyakov
d976f99294
Add AES counter mode to EVP.
2010-02-23 16:48:41 +00:00
Andy Polyakov
e5a4de9e44
Add assigned OIDs, as well as "anonymous" ones for AES counter mode.
2010-02-23 16:47:17 +00:00
Dr. Stephen Henson
7d3d1788a5
The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and
...
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in
the verify application documentation.
2010-02-23 14:09:09 +00:00
Bodo Möller
2d9dcd4ff0
Always check bn_wexpend() return values for failure (CVE-2009-3245).
...
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)
Submitted by: Neel Mehta
2010-02-23 10:36:35 +00:00
Bodo Möller
a839755329
Fix X509_STORE locking
2010-02-19 18:27:07 +00:00
Dr. Stephen Henson
69582a592e
clarify documentation
2010-02-18 12:41:33 +00:00
Dr. Stephen Henson
7512141162
OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved
2010-02-17 19:43:56 +00:00
Dr. Stephen Henson
c2c49969e2
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
...
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:38:31 +00:00
Dr. Stephen Henson
47e0a1c335
PR: 2100
...
Submitted by: James Baker <jbaker@tableausoftware.com> et al.
Workaround for slow Heap32Next on some versions of Windows.
2010-02-17 14:32:41 +00:00
Dr. Stephen Henson
439aab3afc
Submitted by: Dmitry Ivanov <vonami@gmail.com>
...
Don't leave dangling pointers in GOST engine if calls fail.
2010-02-16 14:30:29 +00:00
Dr. Stephen Henson
8d934c2585
PR: 2171
...
Submitted by: Tomas Mraz <tmraz@redhat.com>
Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.
Also can now use SSL2 compatible client hello because RFC5746 supports it.
2010-02-16 14:21:11 +00:00
Dr. Stephen Henson
1458b931eb
The "block length" for CFB mode was incorrectly coded as 1 all the time. It
...
should be the number of feedback bits expressed in bytes. For CFB1 mode set
this to 1 by rounding up to the nearest multiple of 8.
2010-02-15 19:40:16 +00:00