openssl

Author	SHA1	Message	Date
Dr. Stephen Henson	28dd49faec	Expand range of ctrls for AES GCM to support retrieval and setting of invocation field. Add complete support for AES GCM ciphersuites including all those in RFC5288 and RFC5289.	2011-08-03 15:37:22 +00:00
Dr. Stephen Henson	fe8aeffa92	Update CHANGES.	2011-07-25 21:43:57 +00:00
Dr. Stephen Henson	01a9a7592e	Add functions to return FIPS module version.	2011-07-04 23:38:16 +00:00
Bodo Möller	e66cb363d6	Fix the version history: changes going into 1.1.0 that are also going into 1.0.1 should not be listed as "changes between 1.0.1 and 1.0.0". This makes the OpenSSL_1_0_1-stable and HEAD versions of this file consistent with each other (the HEAD version has the additional 1.1.0 section, but doesn't otherwise differ).	2011-06-15 14:49:17 +00:00
Dr. Stephen Henson	eda3766b53	Output supported curves in preference order instead of numerically.	2011-05-30 17:58:13 +00:00
Dr. Stephen Henson	992bdde62d	Fix the ECDSA timing attack mentioned in the paper at: http://eprint.iacr.org/2011/232.pdf Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for bringing this to our attention.	2011-05-25 14:41:56 +00:00
Dr. Stephen Henson	f37f20ffd3	PR: 2295 Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com> Reviewed by: steve OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code elimination.	2011-05-20 14:56:29 +00:00
Dr. Stephen Henson	101e6e19f2	Add CHANGES entry: add FIPS support to ssl	2011-05-19 18:10:25 +00:00
Dr. Stephen Henson	086e32a6c7	Implement FIPS_mode and FIPS_mode_set	2011-05-19 18:09:02 +00:00
Dr. Stephen Henson	855a54a9a5	Provisional support for TLS v1.2 client authentication: client side only. Parse certificate request message and set digests appropriately. Generate new TLS v1.2 format certificate verify message. Keep handshake caches around for longer as they are needed for client auth.	2011-05-12 17:35:03 +00:00
Dr. Stephen Henson	c2fd598994	Rename FIPS_mode_set and FIPS_mode. Theses symbols will be defined in the FIPS capable OpenSSL.	2011-05-11 14:43:38 +00:00
Dr. Stephen Henson	a2f9200fba	Initial TLS v1.2 client support. Include a default supported signature algorithms extension (including everything we support). Swicth to new signature format where needed and relax ECC restrictions. Not TLS v1.2 client certifcate support yet but client will handle case where a certificate is requested and we don't have one.	2011-05-09 15:44:01 +00:00
Dr. Stephen Henson	6b7be581e5	Continuing TLS v1.2 support: add support for server parsing of signature algorithms extension and correct signature format for server key exchange. All ciphersuites should now work on the server but no client support and no client certificate support yet.	2011-05-06 13:00:07 +00:00
Dr. Stephen Henson	7409d7ad51	Initial incomplete TLS v1.2 support. New ciphersuites added, new version checking added, SHA256 PRF support added. At present only RSA key exchange ciphersuites work with TLS v1.2 as the new signature format is not yet implemented.	2011-04-29 22:56:51 +00:00
Dr. Stephen Henson	08557cf22c	Initial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERN all ssl related structures are opaque and internals cannot be directly accessed. Many applications will need some modification to support this and most likely some additional functions added to OpenSSL. The advantage of this option is that any application supporting it will still be binary compatible if SSL structures change.	2011-04-29 22:37:12 +00:00
Dr. Stephen Henson	e0d1a2f80a	Always return multiple of block length bytes from default DRBG seed callback. Handle case where no multiple of the block size is in the interval [min_len, max_len].	2011-04-23 20:05:19 +00:00
Dr. Stephen Henson	cac4fb58e0	Add PRNG security strength checking.	2011-04-23 19:55:55 +00:00
Dr. Stephen Henson	b5dd178740	Fix EVP CCM decrypt. Add decrypt support to algorithm test program.	2011-04-18 22:48:40 +00:00
Dr. Stephen Henson	2391681082	Initial untested CCM support via EVP.	2011-04-18 14:25:11 +00:00
Dr. Stephen Henson	06b7e5a0e4	Add algorithm driver for XTS mode. Fix several bugs in EVP XTS implementation.	2011-04-15 02:49:30 +00:00
Dr. Stephen Henson	ac892b7aa6	Initial incomplete POST overhaul: add support for POST callback to allow status of POST to be monitored and/or failures induced.	2011-04-14 11:15:10 +00:00
Dr. Stephen Henson	32a2d8ddfe	Provisional AES XTS support.	2011-04-12 23:21:33 +00:00
Dr. Stephen Henson	d7a3ce989c	Update CHANGES.	2011-04-06 23:41:19 +00:00
Dr. Stephen Henson	05e24c87dd	Extensive reorganisation of PRNG handling in FIPS module: all calls now use an internal RAND_METHOD. All dependencies to OpenSSL standard PRNG are now removed: it is the applications resposibility to setup the FIPS PRNG and initalise it. Initial OpenSSL RAND_init_fips() function that will setup the DRBG for the "FIPS capable OpenSSL".	2011-04-05 15:24:10 +00:00
Dr. Stephen Henson	cab0595c14	Rename deprecated FIPS_rand functions to FIPS_x931. These shouldn't be used by applications directly and the X9.31 PRNG is deprecated by new FIPS140-2 rules anyway.	2011-04-05 12:42:31 +00:00
Dr. Stephen Henson	96ec46f7c0	Implement health checks needed by SP800-90. Fix warnings. Instantiate DRBGs at maximum strength.	2011-03-17 16:55:24 +00:00
Ben Laurie	d4f3dd5fb6	Fix Tom Wu's email.	2011-03-16 11:28:43 +00:00
Ben Laurie	0deea0e03c	Note SRP support.	2011-03-12 17:04:07 +00:00
Dr. Stephen Henson	8857b380e2	Add ECDH to validated module.	2011-03-09 23:44:06 +00:00
Dr. Stephen Henson	11e80de3ee	New initial DH algorithm test driver.	2011-03-08 19:10:17 +00:00
Dr. Stephen Henson	591cbfae3c	Initial, provisional, subject to wholesale change, untested, probably not working, incomplete and unused SP800-90 DRBGs for CTR and Hash modes. Did I say this was untested?	2011-03-04 18:00:21 +00:00
Dr. Stephen Henson	eead69f5ed	Make fipscanisteronly build only required files.	2011-02-21 14:07:15 +00:00
Dr. Stephen Henson	5d439d6955	Make -DOPENSSL_FIPSSYMS work for assembly language builds.	2011-02-17 19:03:52 +00:00
Dr. Stephen Henson	017bc57bf9	Experimental FIPS symbol renaming. Fixups under fips/ to make symbol renaming work.	2011-02-16 14:49:50 +00:00
Dr. Stephen Henson	25c6542944	Add non-FIPS algorithm blocking and selftest checking.	2011-02-15 16:03:47 +00:00
Dr. Stephen Henson	fe26d066ff	Add ECDSA functionality to fips module. Initial very incomplete version of algorithm test program.	2011-02-14 17:14:55 +00:00
Dr. Stephen Henson	b331016124	New option to disable characteristic two fields in EC code.	2011-02-12 17:23:32 +00:00
Dr. Stephen Henson	30b56225cc	New "fispcanisteronly" build option: only build fipscanister.o and associated utilities. This functionality will be used by the validated tarball.	2011-02-11 19:02:34 +00:00
Dr. Stephen Henson	b3d8022edd	Add GCM IV generator. Add some FIPS restrictions to GCM. Update fips_gcmtest.	2011-02-09 16:21:43 +00:00
Bodo Möller	c415adc26f	Sync with 1.0.1 branch. (CVE-2011-0014 OCSP stapling fix has been applied to HEAD as well.)	2011-02-08 19:09:08 +00:00
Dr. Stephen Henson	bdaa54155c	Initial very experimental EVP support for AES-GCM. Note: probably very broken and subject to change.	2011-02-07 18:16:33 +00:00
Dr. Stephen Henson	d45087c672	Use 0 not -1 (since type is size_t) for finalisation argument to do_cipher: the NULL value for the input buffer is sufficient to notice this case.	2011-02-07 18:04:27 +00:00
Dr. Stephen Henson	3da0ca796c	New flags EVP_CIPH_FLAG_CUSTOM_CIPHER in cipher structures if an underlying cipher handles all cipher symantics itself.	2011-02-07 14:36:08 +00:00
Bodo Möller	9bda745876	fix omissions	2011-02-03 11:13:29 +00:00
Bodo Möller	88f2a4cf9c	CVE-2010-4180 fix (from OpenSSL_1_0_0-stable)	2011-02-03 10:43:00 +00:00
Dr. Stephen Henson	968062b7d3	Fix escaping code for string printing. If any escaping is enabled we must escape the escape character itself (backslash).	2011-01-03 01:31:24 +00:00
Dr. Stephen Henson	2b3936e882	avoid verification loops in trusted store when path building	2010-12-25 20:45:59 +00:00
Dr. Stephen Henson	300b1d76fe	apply J-PKAKE fix to HEAD (original by Ben)	2010-11-29 18:32:05 +00:00
Dr. Stephen Henson	f830c68f4d	add "missing" functions to copy EVP_PKEY_METHOD and examine info	2010-11-24 16:08:20 +00:00
Dr. Stephen Henson	732d31beee	bring HEAD up to date, add CVE-2010-3864 fix, update NEWS files	2010-11-16 14:18:51 +00:00
Dr. Stephen Henson	e49af2ac38	move CHANGES entry to correct place	2010-10-10 12:24:13 +00:00
Dr. Stephen Henson	5759425810	PR: 2314 Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net> Reviewed by: steve Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939	2010-10-10 12:15:47 +00:00
Dr. Stephen Henson	39239280f3	Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(), this means that some implementations will be used automatically, e.g. aesni, we do this for cryptodev anyway. Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it.	2010-10-03 18:58:09 +00:00
Bodo Möller	7b3a9b0099	Update version numbers	2010-08-26 18:45:45 +00:00
Bodo Möller	7c2d4fee25	For better forward-security support, add functions SSL_[CTX_]set_not_resumable_session_callback. Submitted by: Emilia Kasper (Google) [A part of this change affecting ssl/s3_lib.c was accidentally commited separately, together with a compilation fix for that file; see s3_lib.c CVS revision 1.133 (http://cvs.openssl.org/chngview?cn=19855).]	2010-08-26 15:15:47 +00:00
Bodo Möller	04daec862c	New 64-bit optimized implementation EC_GFp_nistp224_method(). This will only be compiled in if explicitly requested (#ifdef EC_NISTP224_64_GCC_128). Submitted by: Emilia Kasper (Google)	2010-08-26 14:29:55 +00:00
Dr. Stephen Henson	44959ee456	PR: 1833 Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de> Support for abbreviated handshakes when renegotiating.	2010-08-26 14:23:52 +00:00
Bodo Möller	c94f7f657b	ECC library bugfixes. Submitted by: Emilia Kasper (Google)	2010-08-26 12:11:01 +00:00
Bodo Möller	173350bcca	Harmonize with OpenSSL_1_0_1-stable version of CHANGES.	2010-08-26 11:22:33 +00:00
Ben Laurie	ee2ffc2794	Add Next Protocol Negotiation.	2010-07-28 10:06:55 +00:00
Dr. Stephen Henson	eb1c48be6f	Add new type ossl_ssize_t instead of ssize_t and move definitions to e_os2.h, this should fix WIN32 compilation issues and hopefully avoid conflicts with other headers which may workaround ssize_t in different ways.	2010-07-26 18:15:59 +00:00
Dr. Stephen Henson	223c59eae5	Fix WIN32 build system to correctly link ENGINE DLLs contained in a directory: currently the GOST ENGINE is the only case.	2010-07-24 17:52:43 +00:00
Dr. Stephen Henson	7bbd0de88d	Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(), this means that some implementations will be used automatically, e.g. aesni, we do this for cryptodev anyway. Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it.	2010-07-21 16:14:48 +00:00
Dr. Stephen Henson	f96ccf36ff	PR: 1830 Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson Support for RFC5705 key extractor.	2010-07-18 17:43:18 +00:00
Dr. Stephen Henson	b9e7793dd7	oops, revert wrong patch..	2010-07-18 17:43:01 +00:00
Dr. Stephen Henson	d135da5192	Fix warnings (From HEAD, original patch by Ben).	2010-07-18 16:52:47 +00:00
Dr. Stephen Henson	3cbb15ee81	add CVE-2010-0742 and CVS-2010-1633 fixes	2010-06-01 14:39:01 +00:00
Andy Polyakov	3efe51a407	Revert previous Linux-specific/centric commit#19629. If it really has to be done, it's definitely not the way to do it. So far answer to the question was to ./config -Wa,--noexecstack (adopted by RedHat).	2010-05-05 22:05:39 +00:00
Ben Laurie	0e3ef596e5	Non-executable stack in asm.	2010-05-05 15:50:13 +00:00
Dr. Stephen Henson	1bf508c9cf	new function to diff tm structures	2010-04-15 13:25:26 +00:00
Dr. Stephen Henson	c0b8eb606f	Add SHA2 algorithms to SSL_library_init(). Although these aren't used directly by SSL/TLS SHA2 certificates are becoming more common and applications that only call SSL_library_init() and not OpenSSL_add_all_alrgorithms() will fail when verifying certificates. Update docs.	2010-04-07 13:18:07 +00:00
Bodo Möller	3e8b6485b3	Fix for "Record of death" vulnerability CVE-2010-0740. Also, add missing CHANGES entry for CVE-2009-3245 (code changes submitted to this branch on 23 Feb 2010), and further harmonize this version of CHANGES with the versions in the current branches.	2010-03-25 11:25:30 +00:00
Dr. Stephen Henson	be449448dc	update CHANGES	2010-03-14 12:55:15 +00:00
Dr. Stephen Henson	4c623cddbe	add -sigopt option to ca utility	2010-03-14 12:54:45 +00:00
Mark J. Cox	fb75f349b7	This entry was in 0.9.8m changelog but missing from here, since it's security relevent we'd better list it.	2010-03-12 08:36:44 +00:00
Dr. Stephen Henson	f26cf9957f	typo	2010-03-11 14:19:46 +00:00
Dr. Stephen Henson	17c63d1cca	RSA PSS ASN1 signing method	2010-03-11 14:06:46 +00:00
Dr. Stephen Henson	85522a074c	Algorithm specific ASN1 signing functions.	2010-03-11 13:32:38 +00:00
Dr. Stephen Henson	31904ecdf3	RSA PSS verification support including certificates and certificate requests. Add new ASN1 signature initialisation function to handle this case.	2010-03-08 18:10:35 +00:00
Dr. Stephen Henson	ff04bbe363	Add PSS algorithm printing. This is an initial step towards full PSS support. Uses ASN1 module in Martin Kaiser's PSS patch.	2010-03-06 19:55:25 +00:00
Dr. Stephen Henson	fa1ba589f3	Add algorithm specific signature printing. An individual ASN1 method can now print out signatures instead of the standard hex dump. More complex signatures (e.g. PSS) can print out more meaningful information. Sample DSA version included that prints out the signature parameters r, s. [Note EVP_PKEY_ASN1_METHOD is an application opaque structure so adding new fields in the middle has no compatibility issues]	2010-03-06 18:05:05 +00:00
Dr. Stephen Henson	cca1cd9a34	Submitted by: Tomas Hoger <thoger@redhat.com> Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted).	2010-03-03 15:41:18 +00:00
Dr. Stephen Henson	0f776277bc	oops, use correct date	2010-02-26 12:13:36 +00:00
Dr. Stephen Henson	db28aa86e0	add -trusted_first option and verify flag	2010-02-25 12:21:48 +00:00
Dr. Stephen Henson	fbd2164044	Experimental support for partial chain verification: if an intermediate certificate is explicitly trusted (using -addtrust option to x509 utility for example) the verification is sucessful even if the chain is not complete.	2010-02-25 00:17:22 +00:00
Bodo Möller	a839755329	Fix X509_STORE locking	2010-02-19 18:27:07 +00:00
Dr. Stephen Henson	c2c49969e2	Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as initial connection to unpatched servers. There are no additional security concerns in doing this as clients don't see renegotiation during an attack anyway.	2010-02-17 18:38:31 +00:00
Dr. Stephen Henson	47e0a1c335	PR: 2100 Submitted by: James Baker <jbaker@tableausoftware.com> et al. Workaround for slow Heap32Next on some versions of Windows.	2010-02-17 14:32:41 +00:00
Dr. Stephen Henson	f959598866	update references to new RI RFC	2010-02-12 21:59:31 +00:00
Dr. Stephen Henson	c8ef656df2	Make CMAC API similar to HMAC API. Add methods for CMAC.	2010-02-08 15:31:35 +00:00
Dr. Stephen Henson	8c968e0355	Initial experimental CMAC implementation.	2010-02-07 18:01:07 +00:00
Dr. Stephen Henson	c2bf720842	Add missing function EVP_CIPHER_CTX_copy(). Current code uses memcpy() to copy an EVP_CIPHER_CTX structure which may have problems with external ENGINEs who need to duplicate internal handles etc.	2010-02-07 13:39:39 +00:00
Dr. Stephen Henson	da454e4c67	typo	2010-01-29 00:09:33 +00:00
Dr. Stephen Henson	08c239701b	Experimental renegotiation support in s_server test -www server.	2010-01-28 19:48:36 +00:00
Dr. Stephen Henson	4ba1aa393b	typo	2010-01-27 14:05:39 +00:00
Dr. Stephen Henson	d5e7f2f2c3	PR: 1949 Submitted by: steve@openssl.org More robust fix and workaround for PR#1949. Don't try to work out if there is any write pending data as this can be unreliable: always flush.	2010-01-26 19:47:37 +00:00
Dr. Stephen Henson	58c0da84dd	Typo	2010-01-26 12:30:00 +00:00
Dr. Stephen Henson	ba64ae6cd1	Tolerate PKCS#8 DSA format with negative private key.	2010-01-22 20:17:12 +00:00
Dr. Stephen Henson	bd5f21a4ae	Fix version handling so it can cope with a major version >3. Although it will be many years before TLS v2.0 or later appears old versions of servers have a habit of hanging around for a considerable time so best if we handle this properly now.	2010-01-13 19:08:02 +00:00
Dr. Stephen Henson	1b31b5ad56	Modify compression code so it avoids using ex_data free functions. This stops applications that call CRYPTO_free_all_ex_data() prematurely leaking memory.	2010-01-13 18:57:40 +00:00
Dr. Stephen Henson	0e0c6821fa	PR: 2136 Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at> Add options to output hash using older algorithm compatible with OpenSSL versions before 1.0.0	2010-01-12 17:29:34 +00:00
Dr. Stephen Henson	76998a71bc	Updates to conform with draft-ietf-tls-renegotiation-03.txt: 1. Add provisional SCSV value. 2. Don't send SCSV and RI at same time. 3. Fatal error is SCSV received when renegotiating.	2010-01-06 17:37:09 +00:00
Dr. Stephen Henson	e6f418bcb7	Compression handling on session resume was badly broken: it always used compression algorithms in client hello (a legacy from when the compression algorithm wasn't serialized with SSL_SESSION).	2009-12-31 14:13:30 +00:00
Dr. Stephen Henson	5e63121758	Include CHANGES entry for external cache	2009-12-31 13:58:57 +00:00
Bodo Möller	7427379e9b	Constify crypto/cast.	2009-12-22 10:58:33 +00:00
Dr. Stephen Henson	ef51b4b9b4	New option to enable/disable connection to unpatched servers	2009-12-16 20:25:59 +00:00
Dr. Stephen Henson	7661ccadf0	Add ctrls to clear options and mode. Change RI ctrl so it doesn't clash.	2009-12-09 13:25:16 +00:00
Dr. Stephen Henson	82e610e2cf	Send no_renegotiation alert as required by spec.	2009-12-08 19:06:26 +00:00
Dr. Stephen Henson	5430200b8b	Add ctrl and macro so we can determine if peer support secure renegotiation.	2009-12-08 13:42:08 +00:00
Dr. Stephen Henson	13f6d57b1e	Add support for magic cipher suite value (MCSV). Make secure renegotiation work in SSLv3: initial handshake has no extensions but includes MCSV, if server indicates RI support then renegotiation handshakes include RI. NB: current MCSV value is bogus for testing only, will be updated when we have an official value. Change mismatch alerts to handshake_failure as required by spec. Also have some debugging fprintfs so we can clearly see what is going on if OPENSSL_RI_DEBUG is set.	2009-12-08 13:14:03 +00:00
Dr. Stephen Henson	637f374ad4	Initial experimental TLSv1.1 support	2009-12-07 13:31:02 +00:00
Dr. Stephen Henson	9d9530255b	Update CHANGES.	2009-12-02 15:28:27 +00:00
Dr. Stephen Henson	d2a53c2238	Experimental CMS password based recipient Info support.	2009-11-26 18:57:39 +00:00
Bodo Möller	480af99ef4	Make CHANGES in CVS head consistent with the CHANGES files in the branches. This means that http://www.openssl.org/news/changelog.html will finally describe 0.9.8l.	2009-11-26 18:43:17 +00:00
Dr. Stephen Henson	3d63b3966f	Split PBES2 into cipher and PBKDF2 versions. This tidies the code somewhat and is a pre-requisite to adding password based CMS support.	2009-11-25 22:01:06 +00:00
Dr. Stephen Henson	e0e7997212	First cut of renegotiation extension. (port to HEAD)	2009-11-09 19:03:34 +00:00
Dr. Stephen Henson	befbd0619b	update CHANGES	2009-11-09 17:33:32 +00:00
Dr. Stephen Henson	245d2ee3d0	Add option to allow in-band CRL loading in verify utility. Add function load_crls and tidy up load_certs. Remove useless purpose variable from verify utility: now done with args_verify.	2009-10-31 13:33:57 +00:00
Dr. Stephen Henson	bb4060c5b5	Move CHANGES entry to 0.9.8l section	2009-10-30 13:29:30 +00:00
Dr. Stephen Henson	661dc1431f	Fix statless session resumption so it can coexist with SNI	2009-10-30 13:22:24 +00:00
Dr. Stephen Henson	18e503f30f	PR: 2064, 728 Submitted by: steve@openssl.org Add support for custom headers in OCSP requests.	2009-09-30 21:40:55 +00:00
Dr. Stephen Henson	b6dcdbfc94	Audit libcrypto for unchecked return values: fix all cases enountered	2009-09-23 23:43:49 +00:00
Dr. Stephen Henson	acf20c7dbd	Add attribute to check if return value of certain functions is incorrectly ignored.	2009-09-23 16:27:10 +00:00
Dr. Stephen Henson	a25f33d28a	Submitted by: Julia Lawall <julia@diku.dk> The functions ENGINE_ctrl(), OPENSSL_isservice(), EVP_PKEY_sign(), CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix so the return code is checked correctly.	2009-09-13 11:29:29 +00:00
Dr. Stephen Henson	0c28f277d1	Add new option --strict-warnings to Configure script. This is used to add in devteam warnings into other configurations.	2009-09-09 16:31:32 +00:00
Dr. Stephen Henson	1771668096	Tidy up and fix verify callbacks to avoid structure dereference, use of obsolete functions and enhance to handle new conditions such as policy printing.	2009-09-02 12:47:28 +00:00
Dr. Stephen Henson	6727565a84	PR: 2003 Make it possible to install OpenSSL in directories with name other than "lib" for example "lib64". Based on patch from Jeremy Utley.	2009-08-10 14:48:40 +00:00
Dr. Stephen Henson	d9d0f1b52c	Reject leading 0x80 in OID subidentifiers.	2009-08-06 16:32:54 +00:00
Dr. Stephen Henson	0e4bc56347	Document MD2 deprecation.	2009-07-13 11:58:05 +00:00
Dr. Stephen Henson	9de014a7f8	Update from 0.9.8-stable	2009-06-30 22:27:33 +00:00
Dr. Stephen Henson	d2f6d28298	Update from 0.9.8-stable.	2009-06-28 16:24:37 +00:00
Dr. Stephen Henson	f3be6c7b7d	Update from 1.0.0-stable.	2009-06-26 11:29:26 +00:00
Dr. Stephen Henson	e30dd20c0e	Update from 1.0.0-stable	2009-06-25 11:29:30 +00:00
Dr. Stephen Henson	c05353c50a	Rename asc2uni and uni2asc functions to avoid clashes.	2009-06-17 12:04:56 +00:00
Dr. Stephen Henson	31db43df08	Update from 0.9.8-stable.	2009-06-15 15:01:00 +00:00
Dr. Stephen Henson	d741ccadb5	Oops, update CHANGES entry.	2009-05-31 17:13:55 +00:00
Dr. Stephen Henson	d0b72cf45b	Add CHANGES entries from 0.9.8-stable.	2009-05-18 17:37:33 +00:00
Dr. Stephen Henson	5f8f94a661	Update from 1.0.0-stable.	2009-04-28 22:10:54 +00:00
Dr. Stephen Henson	e5fa864f62	Updates from 1.0.0-stable.	2009-04-15 15:27:03 +00:00
Dr. Stephen Henson	22c98d4aad	Update from 1.0.0-stable	2009-04-08 16:16:35 +00:00
Dr. Stephen Henson	cc7399e79c	Changes from 1.0.0-stable.	2009-04-07 16:33:26 +00:00
Dr. Stephen Henson	14023fe352	Merge from 1.0.0-stable branch.	2009-04-03 11:45:19 +00:00
Dr. Stephen Henson	aaf35f11d7	Allow use of algorithm and cipher names for dgsts and enc utilities instead of having to manually include each one.	2009-03-30 11:31:50 +00:00
Dr. Stephen Henson	77ea8c3002	Fix typo in CHANGES.	2009-03-25 22:21:12 +00:00
Dr. Stephen Henson	ddcfc25a6d	Update from stable branch.	2009-03-25 19:02:22 +00:00
Dr. Stephen Henson	4d7b7c62c3	Update CHANGES.	2009-03-25 12:57:50 +00:00
Dr. Stephen Henson	73ba116e96	Update from stable branch.	2009-03-25 12:54:14 +00:00
Dr. Stephen Henson	80b2ff978d	Update from stable branch.	2009-03-25 12:53:50 +00:00
Dr. Stephen Henson	7ce8c95d58	Update from stable branch.	2009-03-25 12:53:26 +00:00
Dr. Stephen Henson	b6af2c7e3e	Submitted by: "Victor B. Wagner" <vitus@cryptocom.ru> Reviewed by: steve@openssl.org Update ccgost engine to support parameter files.	2009-03-17 15:38:34 +00:00
Dr. Stephen Henson	237d7b6cae	Fix from stable branch.	2009-03-15 13:37:34 +00:00
Dr. Stephen Henson	854a225a27	Update from stable branch.	2009-03-14 18:33:49 +00:00
Dr. Stephen Henson	33ab2e31f3	PR: 1854 Submitted by: Oliver Martin <oliver@volatilevoid.net> Reviewed by: steve@openssl.org Support GeneralizedTime in ca utility.	2009-03-09 13:59:07 +00:00
Dr. Stephen Henson	77202a85a0	Update from stable branch.	2009-03-07 17:00:23 +00:00
Bodo Möller	7ca1cfbac3	-hex option for openssl rand PR: 1831 Submitted by: Damien Miller	2009-02-02 00:01:28 +00:00
Dr. Stephen Henson	57f39cc826	Print out UTF8 and NumericString types in ASN1 parsing utility.	2009-01-28 12:54:52 +00:00
Dr. Stephen Henson	6489573224	Update from stable branch.	2009-01-28 12:36:14 +00:00
Ben Laurie	7f62532030	Allow CC to be overridden.	2009-01-18 12:06:37 +00:00
Dr. Stephen Henson	c2c99e2860	Update certificate hash line format to handle canonical format and avoid MD5 dependency.	2009-01-15 13:22:39 +00:00
Dr. Stephen Henson	8125d9f99c	Make PKCS#8 the standard write format for private keys, replacing the ancient SSLeay format.	2009-01-15 12:52:38 +00:00
Dr. Stephen Henson	363bd0b48e	Add a set of standard gcc warning options which are designed to be the minimum requirement for committed code. Added to debug-steve* config targets for now.	2009-01-11 15:56:32 +00:00
Ben Laurie	60aee6ce15	Add missing entry.	2009-01-09 12:48:02 +00:00
Dr. Stephen Henson	bab534057b	Updatde from stable branch.	2009-01-07 23:44:27 +00:00
Bodo Möller	7a76219774	Implement Configure option pattern "experimental-foo" (specifically, "experimental-jpake").	2008-12-02 01:21:39 +00:00
Dr. Stephen Henson	79bd20fd17	Update from stable-branch.	2008-11-24 17:27:08 +00:00
Geoff Thorpe	31636a3ed1	Allow the CHIL engine to load even if dynamic locks aren't registered. Submitted by: Sander Temme	2008-11-19 14:21:27 +00:00
Dr. Stephen Henson	12bf56c017	PR: 1574 Submitted by: Jouni Malinen <j@w1.fi> Approved by: steve@openssl.org Ticket override support for EAP-FAST.	2008-11-15 17:18:12 +00:00
Dr. Stephen Henson	ed551cddf7	Update from stable branch.	2008-11-12 17:28:18 +00:00
Dr. Stephen Henson	87d52468aa	Update HMAC functions to return an error where relevant.	2008-11-02 16:00:39 +00:00
Ben Laurie	6caa4edd3e	Add JPAKE.	2008-10-26 18:40:52 +00:00
Ben Laurie	28b6d5020e	Set comparison function in v3_add_canonize().	2008-10-14 19:27:07 +00:00
Ben Laurie	d5bbead449	Add XMPP STARTTLS support.	2008-10-14 19:11:26 +00:00
Ben Laurie	1ea6472e60	Type-safe OBJ_bsearch_ex.	2008-10-14 08:10:52 +00:00
Ben Laurie	babb379849	Type-checked (and modern C compliant) OBJ_bsearch.	2008-10-12 14:32:47 +00:00
Dr. Stephen Henson	87d3a0cd90	Experimental new date handling routines. These fix issues with X509_time_adj() and should avoid any OS date limitations such as the year 2038 bug.	2008-10-07 22:55:27 +00:00
Bodo Möller	837f2fc7a4	Make sure that SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG can't enable disabled ciphersuites.	2008-09-22 21:22:47 +00:00
Bodo Möller	1a489c9af1	From branch OpenSSL_0_9_8-stable: Allow soft-loading engines. Also, fix CHANGES (consistency with stable branch).	2008-09-15 20:41:24 +00:00
Dr. Stephen Henson	8c864e5466	Add missing CHANGES entry.	2008-09-15 20:30:58 +00:00
Bodo Möller	e65bcbcef0	Fix SSL state transitions. Submitted by: Nagendra Modadugu	2008-09-14 14:02:07 +00:00
Bodo Möller	e710de12ce	Note about CVS branch inconsistency.	2008-09-14 13:53:18 +00:00
Bodo Möller	db99c52509	Really get rid of unsafe double-checked locking. Also, "CHANGES" clean-ups.	2008-09-14 13:51:44 +00:00
Bodo Möller	f8d6be3f81	Some precautions to avoid potential security-relevant problems.	2008-09-14 13:42:34 +00:00
Dr. Stephen Henson	d43c4497ce	Initial support for delta CRLs. If "use deltas" flag is set attempt to find a delta CRL in addition to a full CRL. Check and search delta in addition to the base.	2008-09-01 15:15:16 +00:00
Dr. Stephen Henson	4b96839f06	Add support for CRLs partitioned by reason code. Tidy CRL scoring system. Add new CRL path validation error.	2008-08-29 11:37:21 +00:00
Dr. Stephen Henson	249a77f5fb	Add support for freshest CRL extension.	2008-08-27 15:52:05 +00:00
Dr. Stephen Henson	d0fff69dc9	Initial indirect CRL support.	2008-08-20 16:42:19 +00:00
Bodo Möller	2ecd2edede	Mention ERR_remove_state() deprecation, and ERR_remove_thread_state(NULL).	2008-08-13 19:30:01 +00:00
Dr. Stephen Henson	9d84d4ed5e	Initial support for CRL path validation. This supports distinct certificate and CRL signing keys.	2008-08-13 16:00:11 +00:00
Dr. Stephen Henson	002e66c0e8	Support for policy mappings extension. Delete X509_POLICY_REF code. Fix handling of invalid policy extensions to return the correct error. Add command line option to inhibit policy mappings.	2008-08-12 10:32:56 +00:00
Dr. Stephen Henson	e9746e03ee	Initial support for name constraints certificate extension. TODO: robustness checking on name forms.	2008-08-08 15:35:29 +00:00
Geoff Thorpe	4c3296960d	Remove the dual-callback scheme for numeric and pointer thread IDs, deprecate the original (numeric-only) scheme, and replace with the CRYPTO_THREADID object. This hides the platform-specifics and should reduce the possibility for programming errors (where failing to explicitly check both thread ID forms could create subtle, platform-specific bugs). Thanks to Bodo, for invaluable review and feedback.	2008-08-06 15:54:15 +00:00
Dr. Stephen Henson	5cbd203302	Initial support for alternative CRL issuing certificates. Allow inibit any policy flag to be set in apps.	2008-07-30 15:49:12 +00:00
Geoff Thorpe	5f834ab123	Revert my earlier CRYPTO_THREADID commit, I will commit a reworked version some time soon.	2008-07-03 19:59:25 +00:00
Dr. Stephen Henson	8528128b2a	Update from stable branch.	2008-06-26 23:27:31 +00:00
Bodo Möller	8228fd89fc	avoid potential infinite loop in final reduction round of BN_GF2m_mod_arr() Submitted by: Huang Ying Reviewed by: Douglas Stebila	2008-06-23 20:46:24 +00:00
Dr. Stephen Henson	adb92d56eb	Add acknowledgement.	2008-06-09 16:48:42 +00:00
Dr. Stephen Henson	6bf79e30ea	Update CHANGES.	2008-06-05 15:34:24 +00:00
Ben Laurie	5ce278a77b	More type-checking.	2008-06-04 11:01:43 +00:00
Ben Laurie	8671b89860	Memory saving patch.	2008-06-03 02:48:34 +00:00
Dr. Stephen Henson	368888bcb6	Add client cert engine to SSL routines.	2008-06-01 22:33:24 +00:00
Bodo Möller	2cd81830ef	sync with 0.9.8 branch	2008-05-28 22:30:28 +00:00
Bodo Möller	e194fe8f47	From HEAD: Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a cilent crash as found using the Codenomicon TLS test suite (CVE-2008-1672) Reviewed by: openssl-security@openssl.org Obtained from: mark@awe.com	2008-05-28 22:17:34 +00:00
Bodo Möller	40a706286f	From HEAD: Fix double-free in TLS server name extensions which could lead to a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) Reviewed by: openssl-security@openssl.org Obtained from: jorton@redhat.com	2008-05-28 22:15:48 +00:00
Ben Laurie	3c1d6bbc92	LHASH revamp. make depend.	2008-05-26 11:24:29 +00:00
Lutz Jänicke	c2c2e7a438	Clear error queue when starting SSL_CTX_use_certificate_chain_file PR: 1417, 1513 Submitted by: Erik de Castro Lopo <mle+openssl@mega-nerd.com>	2008-05-23 10:37:52 +00:00
Lutz Jänicke	d18ef847f4	Remove all root CA files (beyond test CAs including private key) from the OpenSSL distribution.	2008-05-23 08:59:23 +00:00
Dr. Stephen Henson	5c0d90a699	Typo.	2008-05-20 18:49:00 +00:00
Dr. Stephen Henson	f434730524	Typo.	2008-05-20 16:13:57 +00:00
Dr. Stephen Henson	94fd382f8b	Fix two invalid memory reads in RSA OAEP mode. Submitted by: Ivan Nestlerode <inestlerode@us.ibm.com> Reviewed by: steve	2008-05-19 21:33:55 +00:00
Bodo Möller	4bd4afa34e	Change use of CRYPTO_THREADID so that we always use both the ulong and ptr members. (So if the id_callback is bogus, we still have &errno.)	2008-05-19 20:45:25 +00:00
Dr. Stephen Henson	8a2062fefe	Update from stable branch.	2008-04-30 16:14:02 +00:00
Geoff Thorpe	e7b097f558	Fix auto-discovery of ENGINEs. See the CHANGES entry for details (and/or ticket #1668). PR: 1668 Submitted by: Ian Lister Reviewed by: Geoff Thorpe	2008-04-28 21:39:09 +00:00
Geoff Thorpe	5ee6f96cea	Paul Sheer optimised the OpenSSL to/from libGMP conversions for the case where they both use the same limb size. I've tweaked his patch slightly, so blame me if it breaks. Submitted by: Paul Sheer Reviewed by: Geoff Thorpe	2008-04-27 18:41:23 +00:00
Dr. Stephen Henson	3df9357103	Update CHANGES.	2008-04-02 11:44:00 +00:00
Dr. Stephen Henson	992e92a46e	Update CHANGES.	2008-04-02 11:24:22 +00:00
Dr. Stephen Henson	eb9d8d8cd4	Support for verification of signed receipts.	2008-03-28 13:15:39 +00:00
Geoff Thorpe	f7ccba3edf	There was a need to support thread ID types that couldn't be reliably cast to 'unsigned long' (ie. odd platforms/compilers), so a pointer-typed version was added but it required portable code to check both modes to determine equality. This commit maintains the availability of both thread ID types, but deprecates the type-specific accessor APIs that invoke the callbacks - instead a single type-independent API is used. This simplifies software that calls into this interface, and should also make it less error-prone - as forgetting to call and compare both thread ID accessors could have led to hard-to-debug/infrequent bugs (that might only affect certain platforms or thread implementations). As the CHANGES note says, there were corresponding deprecations and replacements in the thread-related functions for BN_BLINDING and ERR too.	2008-03-28 02:49:43 +00:00
Dr. Stephen Henson	fd47c36136	Return error if no cipher set for encrypted data type. Update CHANGES.	2008-03-15 00:02:23 +00:00
Dr. Stephen Henson	8931b30d84	And so it begins... Initial support for CMS. Add zlib compression BIO. Add AES key wrap implementation. Generalize S/MIME MIME code to support CMS and/or PKCS7.	2008-03-12 21:14:28 +00:00
Bodo Möller	7c9882eb24	fix BIGNUM flag handling	2008-02-27 06:01:28 +00:00
Dr. Stephen Henson	7398053149	Experimental support for import of more options from Configure (via top level Makefile) into mk1mf builds. This avoids the need to duplicate the CFLAG handling and can auto build assembly language source files from perl scripts. Extend VC-WIN32 Configure entry to include new options.	2008-01-06 00:36:22 +00:00
Dr. Stephen Henson	76d761ccd3	Move CHANGES entry. Revert include file install line.	2008-01-03 22:57:50 +00:00
Dr. Stephen Henson	eef0c1f34c	Netware support. Submitted by: Guenter Knauf <eflash@gmx.net>	2008-01-03 22:43:04 +00:00
Dr. Stephen Henson	0e1dba934f	1. Changes for s_client.c to make it return non-zero exit code in case of handshake failure 2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to make it recognize GOST certificates as EVP_PKT_SIGN\|EVP_PKT_EXCH (required for s3_srvr to accept GOST client certificates). 3. Changes to EVP - adding of function EVP_PKEY_CTX_get0_peerkey - Make function EVP_PKEY_derive_set_peerkey work for context with ENCRYPT operation, because we use peerkey field in the context to pass non-ephemeral secret key to GOST encrypt operation. - added EVP_PKEY_CTRL_SET_IV control command. It is really GOST-specific, but it is used in SSL code, so it has to go in some header file, available during libssl compilation 4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data 5. Include des.h if KSSL_DEBUG is defined into some libssl files, to make debugging output which depends on constants defined there, work and other KSSL_DEBUG output fixes 6. Declaration of real GOST ciphersuites, two authentication methods SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST 7. Implementation of these methods. 8. Support for sending unsolicited serverhello extension if GOST ciphersuite is selected. It is require for interoperability with CryptoPro CSP 3.0 and 3.6 and controlled by SSL_OP_CRYPTOPRO_TLSEXT_BUG constant. This constant is added to SSL_OP_ALL, because it does nothing, if non-GOST ciphersuite is selected, and all implementation of GOST include compatibility with CryptoPro. 9. Support for CertificateVerify message without length field. It is another CryptoPro bug, but support is made unconditional, because it does no harm for draft-conforming implementation. 10. In tls1_mac extra copy of stream mac context is no more done. When I've written currently commited code I haven't read EVP_DigestSignFinal manual carefully enough and haven't noticed that it does an internal digest ctx copying. This implementation was tested against 1. CryptoPro CSP 3.6 client and server 2. Cryptopro CSP 3.0 server	2007-10-26 12:06:36 +00:00
Lutz Jänicke	11d01d371f	Release OpenSSL 0.9.8g with various fixes to issues introduced with 0.9.8f	2007-10-19 08:26:03 +00:00
Andy Polyakov	0d89e45690	Synchronize CHANGES between 0.9.8 and HEAD.	2007-10-13 10:55:30 +00:00
Dr. Stephen Henson	a6db6a0070	Update CHANGES. Keep ordinals consistent.	2007-10-12 00:15:09 +00:00
Andy Polyakov	0023adb47a	Switch to bn-s390x (it's faster on keys longer than 512 bits) and mention s390x assembler pack in CHANAGES.	2007-10-01 07:38:32 +00:00
Andy Polyakov	4c7c5ff667	ARMv4 assembler pack.	2007-09-27 07:09:46 +00:00
Dr. Stephen Henson	67c8e7f414	Support for certificate status TLS extension.	2007-09-26 21:56:59 +00:00
Bodo Möller	761772d7e1	Implement the Opaque PRF Input TLS extension (draft-rescorla-tls-opaque-prf-input-00.txt), and do some cleanups and bugfixes on the way. In particular, this fixes the buffer bounds checks in ssl_add_clienthello_tlsext() and in ssl_add_serverhello_tlsext(). Note that the opaque PRF Input TLS extension is not compiled by default; see CHANGES.	2007-09-21 06:54:24 +00:00
Dr. Stephen Henson	a6fbcb4220	Change safestack reimplementation to match 0.9.8. Fix additional gcc 4.2 value not used warnings.	2007-09-07 13:25:15 +00:00
Dr. Stephen Henson	81025661a9	Update ssl code to support digests other than MD5+SHA1 in handshake. Submitted by: Victor B. Wagner <vitus@cryptocom.ru>	2007-08-31 12:42:53 +00:00
Dr. Stephen Henson	ec5d747328	Add Google sponsorship note.	2007-08-27 23:41:36 +00:00
Dr. Stephen Henson	ba0e826d83	Update from stable branch.	2007-08-23 22:59:09 +00:00
Dr. Stephen Henson	6434abbfc6	RFC4507 (including RFC4507bis) TLS stateless session resumption support for OpenSSL.	2007-08-11 23:18:29 +00:00
Andy Polyakov	85a5668dba	CHANGES update from 098-stable.	2007-06-20 17:46:43 +00:00
Dr. Stephen Henson	3c07d3a3d3	Finish gcc 4.2 changes.	2007-06-07 13:14:42 +00:00
Dr. Stephen Henson	297e6f1917	Avoid use of function pointer casts in pem library. Modify safestack to always use inline functions.	2007-06-04 17:53:04 +00:00
Dr. Stephen Henson	b948e2c59e	Update ssl library to support EVP_PKEY MAC API. Include generic MAC support.	2007-06-04 17:04:40 +00:00
Bodo Möller	19f6c524bf	Fix crypto/ec/ec_mult.c to work properly with scalars of value 0	2007-05-22 09:47:43 +00:00
Ben Laurie	69ab085290	More IGE speedup.	2007-05-13 15:14:38 +00:00
Ben Laurie	5f09d0ecc2	AES IGE mode speedup.	2007-05-13 12:57:59 +00:00
Bodo Möller	96afc1cfd5	Add SEED encryption algorithm. PR: 1503 Submitted by: KISA Reviewed by: Bodo Moeller	2007-04-23 23:48:59 +00:00
Dr. Stephen Henson	9cfc8a9d5c	Update smime utility to support streaming for -encrypt and -sign -nodetach options. Add new streaming i2d (though strictly speaking it is BER format when streaming) and PEM functions. These all process content on the fly without storing it all in memory.	2007-04-13 01:06:41 +00:00
Dr. Stephen Henson	2022cfe07e	New -mac and -macopt options to dgst utility. Reimplement -hmac option in terms of new API.	2007-04-11 17:20:40 +00:00
Dr. Stephen Henson	47b71e6ee9	Update CHANGES.	2007-04-11 12:33:28 +00:00
Dr. Stephen Henson	d952c79a7b	New -sigopt option for dgst utility.	2007-04-08 12:47:18 +00:00
Bodo Möller	b002265ee3	make BN_FLG_CONSTTIME semantics more fool-proof	2007-03-28 18:41:23 +00:00
Bodo Möller	bd31fb2145	Change to mitigate branch prediction attacks Submitted by: Matthew D Wood Reviewed by: Bodo Moeller	2007-03-28 00:15:28 +00:00
Bodo Möller	0f32c841a6	stricter session ID context matching	2007-03-21 14:33:16 +00:00
Bodo Möller	dd2b6750db	include complete 0.9.7 history include release date of 0.9.8e	2007-02-26 10:49:59 +00:00
Lutz Jänicke	8d72476e2b	Extend SMTP and IMAP protocol handling to perform the required EHLO or CAPABILITY handshake before sending STARTTLS Submitted by: Goetz Babin-Ebell <goetz@shomitefo.de>	2007-02-21 18:20:41 +00:00
Dr. Stephen Henson	a2e623c011	Update from 0.9.7-stable.	2007-02-21 13:49:35 +00:00
Bodo Möller	fd5bc65cc8	Improve ciphersuite order stability when disabling ciphersuites. Change ssl_create_cipher_list() to prefer ephemeral ECDH over ephemeral DH.	2007-02-20 16:36:58 +00:00
Bodo Möller	0a05123a6c	Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites. Also, change ssl_create_cipher_list() so that it no longer starts with an arbitrary ciphersuite ordering, but instead uses the logic that we previously had in SSL_DEFEAULT_CIPHER_LIST. SSL_DEFAULT_CIPHER_LIST simplifies into just "ALL:!aNULL:!eNULL".	2007-02-19 18:41:41 +00:00
Bodo Möller	52b8dad8ec	Reorganize the data used for SSL ciphersuite pattern matching. This change resolves a number of problems and obviates multiple kludges. A new feature is that you can now say "AES256" or "AES128" (not just "AES", which enables both). In some cases the ciphersuite list generated from a given string is affected by this change. I hope this is just in those cases where the previous behaviour did not make sense.	2007-02-17 06:45:38 +00:00
Nils Larsch	357d5de5b9	add support for DSA with SHA2	2007-02-03 14:41:12 +00:00
Dr. Stephen Henson	11d8cdc6ad	Experimental streaming PKCS#7 support. I thought it was about time I dusted this off. This stuff had been sitting on my hard drive for ages (2003 in fact). Hasn't been tested well and may not work properly. Nothing uses it at present which is just as well. Think of this as a traditional Christmas present which looks far more impressive in the adverts and on the box, some of the bits are missing and falls to bits if you play with it too much.	2006-12-24 16:22:56 +00:00
Nils Larsch	fec38ca4ed	fix typos PR: 1354, 1355, 1398, 1408	2006-12-21 21:13:27 +00:00
Nils Larsch	06e2dd037e	add support for ecdsa-with-sha256 etc.	2006-12-20 08:58:54 +00:00
Bodo Möller	772e3c07b4	Fix the BIT STRING encoding of EC points or parameter seeds (need to prevent the removal of trailing zero bits).	2006-12-19 15:11:37 +00:00
Bodo Möller	1e24b3a09e	fix support for receiving fragmented handshake messages	2006-11-29 14:45:50 +00:00
Ben Laurie	96ea4ae91c	Add RFC 3779 support.	2006-11-27 14:18:05 +00:00
Dr. Stephen Henson	47a9d527ab	Update from 0.9.8 stable. Eliminate duplicate error codes.	2006-11-21 21:29:44 +00:00
Dr. Stephen Henson	de12116417	Initial, incomplete support for typesafe macros without using function casts.	2006-11-16 00:19:39 +00:00
Andy Polyakov	3189772e07	Switch Win32/64 targets to Winsock2. Updates to ISNTALL.W32 cover even recent mingw modifications.	2006-10-23 07:38:30 +00:00
Bodo Möller	3c5406b35c	All 0.9.8d patches have been applied to HEAD now, so we no longer need the redundant entries under the 0.9.9 heading.	2006-09-28 13:50:41 +00:00
Bodo Möller	61118caa86	include 0.9.8d and 0.9.7l information	2006-09-28 13:35:01 +00:00
Mark J. Cox	348be7ec60	Fix ASN.1 parsing of certain invalid structures that can result in a denial of service. (CVE-2006-2937) [Steve Henson]	2006-09-28 13:20:44 +00:00
Mark J. Cox	3ff55e9680	Fix buffer overflow in SSL_get_shared_ciphers() function. (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] Fix SSL client code which could crash if connecting to a malicious SSLv2 server. (CVE-2006-4343) [Tavis Ormandy and Will Drewry, Google Security Team]	2006-09-28 13:18:43 +00:00
Dr. Stephen Henson	010fa0b331	Tidy up CRL handling by checking for critical extensions when it is loaded. Add new function X509_CRL_get0_by_serial() to lookup a revoked entry to avoid the need to access the structure directly. Add new X509_CRL_METHOD to allow common CRL operations (verify, lookup) to be redirected.	2006-09-21 12:42:15 +00:00
Dr. Stephen Henson	5d20c4fb35	Overhaul of by_dir code to handle dynamic loading of CRLs.	2006-09-17 17:16:28 +00:00
Dr. Stephen Henson	bc7535bc7f	Support for AKID in CRLs and partial support for IDP. Overhaul of CRL handling to support this.	2006-09-14 17:25:02 +00:00
Bodo Möller	b6699c3f07	Update	2006-09-12 14:42:19 +00:00
Bodo Möller	ed65f7dc34	ensure that ciphersuite strings such as "RC4-MD5" match the SSL 2.0 ciphersuite as well	2006-09-11 09:49:03 +00:00
Bodo Möller	6a2c471077	Every change so far that is in the 0.9.8 branch is (or should be) in HEAD	2006-09-06 06:34:52 +00:00
Mark J. Cox	b79aa05e3b	Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (CVE-2006-4339) Submitted by: Ben Laurie, Google Security Team Reviewed by: bmoeller, mjc, shenson	2006-09-05 08:58:03 +00:00
Ben Laurie	aa6d1a0c19	Forward port of IGE mode.	2006-08-31 14:04:04 +00:00
Dr. Stephen Henson	f6e7d01450	Support for multiple CRLs with same issuer name in X509_STORE. Modify verify logic to try to use an unexpired CRL if possible.	2006-07-25 17:39:38 +00:00
Dr. Stephen Henson	edc540211c	Cache some CRL related extensions.	2006-07-24 12:39:22 +00:00
Dr. Stephen Henson	450ea83495	Store canonical encodings of Name structures. Update X509_NAME_cmp() to use them.	2006-07-18 12:36:19 +00:00
Dr. Stephen Henson	454dbbc593	Add -timeout option to ocsp utility.	2006-07-17 13:26:54 +00:00
Dr. Stephen Henson	c1c6c0bf45	New non-blocking OCSP functionality.	2006-07-17 12:18:28 +00:00
Dr. Stephen Henson	b7683e3a5d	Allow digests to supply S/MIME micalg values from a ctrl. Send ctrls to EVP_PKEY_METHOD during signing of PKCS7 structure so customisation is possible.	2006-07-10 18:36:55 +00:00
Dr. Stephen Henson	0ee2166cc5	New functions to add and free up application defined signature OIDs.	2006-07-09 16:05:43 +00:00
Dr. Stephen Henson	5ba4bf35c5	New functions to enumerate digests and ciphers.	2006-07-09 00:53:45 +00:00
Bodo Möller	e34aa5a3b3	always read in RAND_poll() if we can't use select because of a too large FD: it's non-blocking mode anyway	2006-06-28 14:50:12 +00:00
Richard Levitte	27a3d9f9aa	Use poll() when possible to gather Unix randomness entropy	2006-06-27 06:31:34 +00:00
Bodo Möller	48fc582f66	New functions CRYPTO_set_idptr_callback(), CRYPTO_get_idptr_callback(), CRYPTO_thread_idptr() for a 'void *' type thread ID, since the 'unsigned long' type of the existing thread ID does not always work well.	2006-06-23 15:21:36 +00:00
Bodo Möller	81de1028bc	Change in 0.9.8 branch: Put ECCdraft ciphersuites back into default build (but disabled unless specifically requested)	2006-06-22 12:37:28 +00:00
Bodo Möller	850815cb6e	Remove ECC ciphersuites from 0.9.8 branch (should use 0.9.9 branch)	2006-06-20 08:50:42 +00:00
Bodo Möller	c4e7870ac1	Change array representation of binary polynomials to make GF2m part of the BN library more generally useful. Submitted by: Douglas Stebila	2006-06-18 22:00:57 +00:00
Bodo Möller	5b57fe0a1e	Disable invalid ciphersuites	2006-06-14 17:51:46 +00:00
Bodo Möller	89bbe14c50	Ciphersuite string bugfixes, and ECC-related (re-)definitions.	2006-06-14 17:40:31 +00:00
Bodo Möller	675f605d44	Thread-safety fixes	2006-06-14 08:55:23 +00:00
Bodo Möller	f3dea9a595	Camellia cipher, contributed by NTT Submitted by: Masashi Fujita Reviewed by: Bodo Moeller	2006-06-09 15:44:59 +00:00
Dr. Stephen Henson	fb7b393278	Output MIME parameter micalg according to RFC3851 and RFC4490 instead of hard coding it to "sha1".	2006-06-06 13:27:36 +00:00
Dr. Stephen Henson	01b8b3c7d2	Complete EVP_PKEY_ASN1_METHOD ENGINE support.	2006-06-05 11:52:46 +00:00
Dr. Stephen Henson	de9fcfe348	Initial public key ASN1 method engine support. Not integrated yet.	2006-06-02 17:52:27 +00:00
Dr. Stephen Henson	c9777d2659	Add ENGINE support for EVP_PKEY_METHOD including lookups of ENGINE implementations and functional reference counting when a context is allocated, free or copied.	2006-06-02 12:33:39 +00:00
Dr. Stephen Henson	58aa573ac2	Add engine table for EVP_PKEY_METHOD. Doesn't do much yet.	2006-06-01 11:38:50 +00:00
Dr. Stephen Henson	91c9e62123	New functions for enchanced digest sign/verify.	2006-05-24 17:30:09 +00:00
Dr. Stephen Henson	5531192151	Add -resign and -md options to smime command to support resigning an existing structure and using alternative digest for signing.	2006-05-18 23:44:44 +00:00
Dr. Stephen Henson	a6e7fcd140	Multiple signer support in smime application.	2006-05-18 12:41:28 +00:00
Dr. Stephen Henson	121dd39f9f	New option to pkcs12 utility to set alternative MAC digest algorithm.	2006-05-17 18:46:22 +00:00
Dr. Stephen Henson	6d3a1eac3b	Add PRF preference ctrl to ciphers.	2006-05-15 18:35:13 +00:00
Dr. Stephen Henson	b8f702a0af	Change builting PBE to use static table. Add entries for HMAC and MD5, GOST.	2006-05-15 17:34:36 +00:00
Dr. Stephen Henson	856640b54f	Extend PBE code to support non default PKCS#5 v2.0 PRFs.	2006-05-14 18:40:53 +00:00
Dr. Stephen Henson	34b3c72e4e	Typo.	2006-05-14 16:50:22 +00:00
Dr. Stephen Henson	959e8dfe06	Update 'req' command to use new keygen API.	2006-05-11 21:39:00 +00:00
Dr. Stephen Henson	399a6f0bd1	Update PKCS#7 enveloped data to new API.	2006-05-08 12:44:25 +00:00
Dr. Stephen Henson	03919683f9	Add support for default public key digest type ctrl.	2006-05-07 17:09:39 +00:00
Dr. Stephen Henson	5cda6c4582	Fix from stable branch.	2006-05-07 12:30:37 +00:00
Dr. Stephen Henson	ee1d9ec019	Remove link between digests and signature algorithms. Use cross reference table in ASN1_item_sign(), ASN1_item_verify() to eliminate the need for algorithm specific code.	2006-04-19 17:05:59 +00:00
Dr. Stephen Henson	d202709808	Add OID cross reference table. Fix some typos in GOST OIDs. Update dependencies.	2006-04-18 23:36:07 +00:00
Dr. Stephen Henson	492a9e2415	Allow public key ASN1 methods to set PKCS#7 SignerInfo structures.	2006-04-17 17:12:23 +00:00
Dr. Stephen Henson	9ca7047d71	Provisional support for EC pkey method, supporting ECDH and ECDSA.	2006-04-16 16:15:59 +00:00
Dr. Stephen Henson	ba1ba5f0fb	If cipher list contains a match for an explicit ciphersuite only match that one suite.	2006-04-15 00:22:05 +00:00
Dr. Stephen Henson	ffb1ac674c	Complete key derivation support.	2006-04-13 20:16:56 +00:00
Dr. Stephen Henson	3ba0885a3e	Extend DH ASN1 method, add DH EVP_PKEY_METHOD.	2006-04-12 23:51:24 +00:00
Ulf Möller	4700aea951	Add BeOS support. PR: 1312 Submitted by: Oliver Tappe <zooey@hirschkaefer.de> Reviewed by: Ulf Moeller	2006-04-11 21:34:21 +00:00
Dr. Stephen Henson	f5cda4cbb1	Initial keygen support.	2006-04-11 13:28:52 +00:00
Dr. Stephen Henson	f733a5ef0e	Initial functions for main EVP_PKEY_METHOD operations. No method implementations yet.	2006-04-07 16:42:09 +00:00
Dr. Stephen Henson	0b6f3c66cd	Initial definitions and a few functions for EVP_PKEY_METHOD: an extension of the EVP routines to public key algorithms.	2006-04-06 13:02:06 +00:00
Dr. Stephen Henson	0b33dac310	New function to retrieve ASN1 info on public key algorithms. New command line option to print out info.	2006-04-04 18:16:03 +00:00
Bodo Möller	332737217a	Implement Supported Elliptic Curves Extension. Submitted by: Douglas Stebila	2006-03-30 02:44:56 +00:00
Dr. Stephen Henson	246e09319c	Fix bug where freed OIDs could be accessed in EVP_cleanup() by defering freeing in OBJ_cleanup().	2006-03-28 17:23:48 +00:00
Dr. Stephen Henson	3e4585c8fd	New utility pkeyparam. Enhance and bugfix algorithm specific parameter functions to support it.	2006-03-28 14:35:32 +00:00
Dr. Stephen Henson	3e84b6e15f	New general public key utility 'pkey'.	2006-03-28 12:34:45 +00:00
Dr. Stephen Henson	35208f368c	Gather printing routines into EVP_PKEY_ASN1_METHOD.	2006-03-22 13:09:35 +00:00
Dr. Stephen Henson	448be74335	Initial support for pluggable public key ASN1 support. Process most public key ASN1 handling through a single EVP_PKEY_ASN1_METHOD structure and move the spaghetti algorithm specific code to a single ASN1 module for each algorithm.	2006-03-20 12:22:24 +00:00
Bodo Möller	36ca4ba63d	Implement the Supported Point Formats Extension for ECC ciphersuites Submitted by: Douglas Stebila	2006-03-11 23:46:37 +00:00
Bodo Möller	ed4a1d12b9	clarification	2006-03-11 22:10:34 +00:00
Nils Larsch	ddac197404	add initial support for RFC 4279 PSK SSL ciphersuites PR: 1191 Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation Reviewed by: Nils Larsch	2006-03-10 23:06:27 +00:00
Ulf Möller	c7235be6e3	RFC 3161 compliant time stamp request creation, response generation and response verification. Submitted by: Zoltan Glozik <zglozik@opentsa.org> Reviewed by: Ulf Moeller	2006-02-12 23:11:56 +00:00
Dr. Stephen Henson	31676a3540	Update from stable branch.	2006-01-15 13:50:10 +00:00
Bodo Möller	241520e66d	More TLS extension related changes. Submitted by: Peter Sylvester	2006-01-11 06:10:40 +00:00
Bodo Möller	a13c20f603	Further TLS extension updates Submitted by: Peter Sylvester	2006-01-09 19:49:05 +00:00
Bodo Möller	1aeb3da83f	Fixes for TLS server_name extension Submitted by: Peter Sylvester	2006-01-06 09:08:59 +00:00
Bodo Möller	e8e5b46e2b	Add names for people who provided the TLS extension patch.	2006-01-04 17:35:51 +00:00
Bodo Möller	f1fd4544a3	Various changes in the new TLS extension code, including the following: - fix indentation - rename some functions and macros - fix up confusion between SSL_ERROR_... and SSL_AD_... values	2006-01-03 03:27:19 +00:00
Bodo Möller	b1277b9902	C style fix-up	2006-01-02 23:29:12 +00:00
Andy Polyakov	ed26604a71	Engage Whirlpool assembler and mention Whirlpool in CHANGES.	2005-12-16 12:55:33 +00:00
Andy Polyakov	0cb9d93d0c	Mention bn(64,64) to bn(64,32) switch on 64-bit SPARCv9 targets in CHANGES.	2005-12-16 11:12:42 +00:00
Bodo Möller	d56349a2aa	update TLS-ECC code Submitted by: Douglas Stebila	2005-12-13 07:33:35 +00:00
Dr. Stephen Henson	ad2695b1b7	Update from 0.9.8-stable.	2005-12-05 13:46:46 +00:00
Dr. Stephen Henson	b40228a61d	New functions to support opaque EVP_CIPHER_CTX handling.	2005-12-02 13:46:39 +00:00
Dr. Stephen Henson	452ae49db5	Extensive OID code enhancement and fixes.	2005-11-20 13:07:47 +00:00
Bodo Möller	d804f86b88	disable some invalid ciphersuites	2005-11-15 23:32:11 +00:00
Bodo Möller	8dee9f844f	deFUDify: don't require OPENSSL_EC_BIN_PT_COMP	2005-11-15 21:08:38 +00:00
Dr. Stephen Henson	fbf002bb88	Update from stable branch.	2005-11-06 17:58:26 +00:00
Richard Levitte	998ac55e19	Document it	2005-11-01 07:53:37 +00:00
Bodo Möller	a1006c373d	harmonize with 0.9.7-stable and 0.9.8-stable variants of CHANGES	2005-10-26 19:28:04 +00:00
Andy Polyakov	4d524040bc	Change bn_mul_mont declaration and BN_MONT_CTX. Update CHANGES.	2005-10-22 17:57:18 +00:00
Mark J. Cox	04fac37311	one time CAN->CVE update	2005-10-19 11:00:39 +00:00
Richard Levitte	89ec4332ec	Add in CHANGES for 0.9.7i.	2005-10-15 04:26:57 +00:00
Mark J. Cox	d357be38b9	Make sure head CHANGES is up to date, we refer to this in announce.txt	2005-10-11 11:10:19 +00:00
Dr. Stephen Henson	566dda07ba	New option SSL_OP_NO_COMP to disable compression. New ctrls to set maximum send fragment size. Allocate I/O buffers accordingly.	2005-10-08 00:18:53 +00:00
Bodo Möller	13e4670c29	new option "openssl ciphers -V"	2005-10-01 04:08:48 +00:00
Dr. Stephen Henson	f022c177db	Two new verify flags functions.	2005-09-02 22:49:54 +00:00
Dr. Stephen Henson	1ef7acfe92	Initial support for ASN1 print code. WARNING WARNING WARNING, experimental code, handle with care, use at your own risk, may contain nuts.	2005-09-01 13:59:16 +00:00
Dr. Stephen Henson	a0156a926f	Integrated support for PVK files.	2005-08-31 16:37:54 +00:00
Nils Larsch	6e119bb02e	Keep cipher lists sorted in the source instead of sorting them at runtime, thus removing the need for a lock. Add a test to ssltest to verify that the cipher lists are sorted.	2005-08-25 07:29:54 +00:00
Bodo Möller	770bc596e1	recent DH change does not avoid all possible small-subgroup attacks; let's be clear about that	2005-08-23 06:54:33 +00:00
Ben Laurie	bf3d6c0c9b	Make D-H safer, include well-known primes.	2005-08-21 16:00:17 +00:00
Dr. Stephen Henson	eea374fd19	Command line support for RSAPublicKey format.	2005-08-21 00:18:26 +00:00
Dr. Stephen Henson	45e2738585	Remove ASN1_METHOD code replace with new ASN1 alternative.	2005-08-20 18:12:45 +00:00
Nils Larsch	4ebb342fcd	Let the TLSv1_method() etc. functions return a const SSL_METHOD pointer and make the SSL_METHOD parameter in SSL_CTX_new, SSL_CTX_set_ssl_version and SSL_set_ssl_method const.	2005-08-14 21:48:33 +00:00
Andy Polyakov	0491e05833	Final(?) WinCE update.	2005-08-07 22:21:49 +00:00
Dr. Stephen Henson	f3b656b246	Initialize SSL_METHOD structures at compile time. This removes the need for locking code. The CRYPTO_LOCK_SSL_METHOD lock is now no longer used.	2005-08-05 23:56:11 +00:00
Dr. Stephen Henson	8f2e4fdf86	Allow PKCS7_decrypt() to work if no cert supplied.	2005-08-04 22:15:22 +00:00
Dr. Stephen Henson	0537f9689c	Add support for setting IDP too.	2005-07-25 22:35:36 +00:00
Dr. Stephen Henson	0745d0892d	Allow setting of all fields in CRLDP. Few cosmetic changes to output.	2005-07-25 18:42:29 +00:00
Dr. Stephen Henson	9aa9d70ddb	Print out previously unsupported fields in CRLDP by i2r instead of i2v. Cosmetic changes to IDP printout.	2005-07-24 00:23:57 +00:00
Dr. Stephen Henson	231493c93c	Initial print only support for IDP CRL extension.	2005-07-23 23:33:06 +00:00
Richard Levitte	2bd2cd9b78	Changes from the 0.9.8 branch.	2005-07-05 19:16:24 +00:00
Richard Levitte	c83101248a	Changes from the 0.9.8 branch.	2005-07-05 18:36:42 +00:00
Andy Polyakov	8d3509b937	CHANGES and TABLE sync with 0.9.8.	2005-07-05 11:48:38 +00:00
Dr. Stephen Henson	cbdac46d58	Update from stable branch.	2005-07-04 23:12:04 +00:00
Dr. Stephen Henson	5d6c4985d1	Typo.	2005-06-02 20:29:32 +00:00
Dr. Stephen Henson	b615ad90c8	Update CHANGES.	2005-06-02 20:11:16 +00:00
Geoff Thorpe	a2c32e2d7f	Change the source and output paths for 'chil' and '4758cca' engines so that dynamic loading is consistent with respect to engine ids.	2005-05-29 19:14:21 +00:00
Bodo Möller	0ebfcc8f92	make sure DSA signing exponentiations really are constant-time	2005-05-26 04:40:52 +00:00
Richard Levitte	28e4fe34e4	Version changes where needed.	2005-05-18 04:04:12 +00:00
Bodo Möller	91b17fbad4	Change wording for BN_mod_exp_mont_consttime() entry	2005-05-16 19:14:34 +00:00
Bodo Möller	46a643763d	Implement fixed-window exponentiation to mitigate hyper-threading timing attacks. BN_FLG_EXP_CONSTTIME requests this algorithm, and this done by default for RSA/DSA/DH private key computations unless RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/ DH_FLAG_NO_EXP_CONSTTIME is set. Submitted by: Matthew D Wood Reviewed by: Bodo Moeller	2005-05-16 01:43:31 +00:00
Dr. Stephen Henson	b6995add5c	Make -CSP option work again in pkcs12 utility by checking for attribute in EVP_PKEY structure.	2005-05-15 00:54:45 +00:00
Bodo Möller	c6c2e3135d	Don't use the SSL 2.0 Client Hello format if SSL 2.0 is disabled with the SSL_OP_NO_SSLv2 option.	2005-05-11 18:25:49 +00:00
Nils Larsch	8b15c74018	give EC_GROUP_new_by_nid a more meanigful name: EC_GROUP_new_by_nid -> EC_GROUP_new_by_curve_name	2005-05-10 11:37:47 +00:00
Bodo Möller	0f4499360e	give EC_GROUP_*_nid functions a more meaningful name EC_GROUP_get_nid -> EC_GROUP_get_curve_name EC_GROUP_set_nid -> EC_GROUP_set_curve_name	2005-05-09 00:05:17 +00:00
Dr. Stephen Henson	05338b58ce	Support for smime-type MIME parameter.	2005-05-01 12:46:57 +00:00
Dr. Stephen Henson	6ec8e63af6	Port BN_MONT_CTX_set_locked() from stable branch. The function rsa_eay_mont_helper() has been removed because it is no longer needed after this change.	2005-04-26 23:58:54 +00:00
Nils Larsch	800e400de5	some updates for the blinding code; summary: - possibility of re-creation of the blinding parameters after a fixed number of uses (suggested by Bodo) - calculatition of the rsa::e in case it's absent and p and q are present (see bug report #785) - improve the performance when if one rsa structure is shared by more than a thread (see bug report #555) - fix the problem described in bug report #827 - hide the definition ot the BN_BLINDING structure in bn_blind.c	2005-04-26 22:31:48 +00:00
Ben Laurie	36d16f8ee0	Add DTLS support.	2005-04-26 16:02:40 +00:00
Bodo Möller	aa16a28631	first step to melt down ChangeLog.0_9_7-stable_not-in-head :-)	2005-04-25 21:06:05 +00:00
Nils Larsch	ff22e913a3	- use BN_set_negative and BN_is_negative instead of BN_set_sign and BN_get_sign - implement BN_set_negative as a function - always use "#define BN_is_zero(a) ((a)->top == 0)"	2005-04-22 20:02:44 +00:00
Dr. Stephen Henson	bc3cae7e7d	Include error library value in C error source files instead of fixing up at runtime.	2005-04-12 13:31:14 +00:00
Dr. Stephen Henson	0858b71b41	Make kerberos ciphersuite code work with newer header files	2005-04-09 23:55:55 +00:00
Richard Levitte	d9bfe4f97c	Added restrictions on the use of proxy certificates, as they may pose a security threat on unexpecting applications. Document and test.	2005-04-09 16:07:12 +00:00
Nils Larsch	dc0ed30cfe	add support for DER encoded private keys to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() PR: 1035 Submitted by: Walter Goulet Reviewed by: Nils Larsch	2005-04-08 22:52:42 +00:00
Nils Larsch	6049399baf	get rid of very buggy and very imcomplete DH cert support Reviewed by: Bodo Moeller	2005-04-07 23:19:17 +00:00
Nils Larsch	12bdb64375	use SHA-1 as the default digest for the apps/openssl commands	2005-04-02 09:29:15 +00:00
Ben Laurie	41a15c4f0f	Give everything prototypes (well, everything that's actually used).	2005-03-31 09:26:39 +00:00
Bodo Möller	b0ef321cc8	Harmonize with CHANGES as distributed in OpenSSL 0.9.7f.	2005-03-24 01:37:07 +00:00
Ulf Möller	7a8c728860	undo Cygwin change	2005-03-24 00:14:59 +00:00
Dr. Stephen Henson	59b6836ab2	Ensure (SSL_RANDOM_BYTES - 4) of pseudo random data is used for server and client random values.	2005-03-22 14:11:06 +00:00
Ulf Möller	130db968b8	Use Windows randomness code on Cygwin	2005-03-19 11:39:17 +00:00
Bodo Möller	ecc5ef8793	In addition to RC5, also exclude MDC2 from compilation unless the algorithm is explicitly requested.	2005-03-02 20:11:31 +00:00
Bodo Möller	c9a112f540	Change ./Configure so that certain algorithms can be disabled by default. This is now the case for RC5. As a side effect, the OPTIONS in the Makefile will usually look a little different now, but they are essentially only for information anyway.	2005-02-22 10:29:51 +00:00
Lutz Jänicke	f69a8aebab	Fix hang in EGD/PRNGD query when communication socket is closed prematurely by EGD/PRNGD. PR: 1014 Submitted by: Darren Tucker <dtucker@zip.com.au>	2005-02-19 10:19:07 +00:00
Dr. Stephen Henson	e90faddaf8	Prompt for passphrases for PKCS12 input format	2004-12-29 01:07:14 +00:00
Richard Levitte	6951c23afd	Add functionality needed to process proxy certificates.	2004-12-28 00:21:35 +00:00
Dr. Stephen Henson	a0e7c8eede	Add lots of checks for memory allocation failure, error codes to indicate failure and freeing up memory if a failure occurs. PR:620	2004-12-05 01:03:15 +00:00
Dr. Stephen Henson	5b40d7dd97	Add -passin argument to dgst command.	2004-12-03 12:26:56 +00:00
Dr. Stephen Henson	1862dae862	Perform partial comparison of different character types in X509_NAME_cmp().	2004-12-01 01:45:30 +00:00
Richard Levitte	5022e4ecdf	Document the change.	2004-11-29 11:57:00 +00:00
Andy Polyakov	ea681ba872	Summarize recent RC4 tune-ups.	2004-11-26 15:26:09 +00:00
Dr. Stephen Henson	401ee37a3e	Allow alternative manual sections to be embedded in .pod file comments.	2004-11-25 17:47:31 +00:00
Dr. Stephen Henson	826a42a088	PR: 910 Add command line options -certform, -keyform and -pass to s_client and s_server. This supports the use of alternative passphrase sources, key formats and keys handled by an ENGINE. Update docs.	2004-11-16 17:30:59 +00:00
Dr. Stephen Henson	2f605e8d24	Fix race condition when CRL checking is enabled.	2004-10-04 16:30:12 +00:00
Dr. Stephen Henson	5d7c222db8	New X509_VERIFY_PARAM structure and associated functionality. This tidies up verify parameters and adds support for integrated policy checking. Add support for policy related command line options. Currently only in smime application. WARNING: experimental code subject to change.	2004-09-06 18:43:01 +00:00
Geoff Thorpe	30fe028f07	Make a note of the new engine.	2004-08-04 22:42:29 +00:00
Dr. Stephen Henson	637ff35ef6	Delta CRL support in extension code.	2004-07-06 17:16:40 +00:00
Geoff Thorpe	df11e1e921	Deprecate unused cruft, and "make update".	2004-06-17 23:50:25 +00:00
Andy Polyakov	ad5003409d	Mention new SHA algorithms in CHANGES. This completes the integration.	2004-05-31 14:03:02 +00:00
Dr. Stephen Henson	4843acc868	Fixes so alerts are sent properly in s3_pkt.c PR: 851	2004-05-15 17:55:07 +00:00
Andy Polyakov	e14f4aab0a	CHANGES to mention improved PowerPC platform support.	2004-05-13 13:58:44 +00:00
Bodo Möller	d5f686d808	- update from current 0.9.6-stable CHANGES file - update from current 0.9.7-stable CHANGES file: Now here we have "CHANGES between 0.9.7e and 0.9.8", and I hope that all patches mentioned for 0.9.7d and 0.9.7e actually are in the CVS HEAD, i.e. what is to become 0.9.8. I have rewritten the 'openssl ca -create_serial' entry (0.9.8) so that it explains the earlier change that is now listed (0.9.7e). The ENGINE_set_default typo bug entry has been moved from 0.9.8 to 0.9.7b, which is where it belongs.	2004-05-04 01:15:48 +00:00
Geoff Thorpe	bcfea9fb25	Allow RSA key-generation to specify an arbitrary public exponent. Jelte proposed the change and submitted the patch, I jiggled it slightly and adjusted the other parts of openssl that were affected. PR: 867 Submitted by: Jelte Jansen Reviewed by: Geoff Thorpe	2004-04-26 15:31:35 +00:00
Geoff Thorpe	955d465c2c	As far as I can tell, the bugfix this comment refers to was committed to 0.9.7-stable as well as HEAD (and doesn't apply to the 0.9.6-engine variant).	2004-04-21 15:12:20 +00:00
Dr. Stephen Henson	64674bcc8c	Reduce chances of issuer and serial number duplication by use of random initial serial numbers. PR: 842	2004-04-20 12:05:26 +00:00
Geoff Thorpe	3a87a9b9db	Reduce header interdependencies, initially in engine.h (the rest of the changes are the fallout). As this could break source code that doesn't directly include headers for interfaces it uses, changes to recursive includes are covered by the OPENSSL_NO_DEPRECATED symbol. It's better to define this when building and using openssl, and then adapt code where necessary - this is how to stay current. However the mechanism exists for the lethargic.	2004-04-19 17:46:04 +00:00
Dr. Stephen Henson	bf5773fa2d	Oops forgot CHANGES entry.	2004-03-31 12:55:33 +00:00
Dr. Stephen Henson	216659eb87	Enhance EVP code to generate random symmetric keys of the appropriate form, for example correct DES parity. Update S/MIME code and EVP_SealInit to use new functions. PR: 700	2004-03-28 17:38:00 +00:00
Dr. Stephen Henson	e1a27eb34a	Allow CRLs to be passed into X509_STORE_CTX. This is useful when the verified structure can contain its own CRLs (such as PKCS#7 signedData). Tidy up some of the verify code.	2004-03-27 22:49:28 +00:00
Dr. Stephen Henson	6446e0c3c8	Extend OID config module format.	2004-03-27 13:30:14 +00:00
Geoff Thorpe	5c98b2caf5	Replace the BN_CTX implementation with my current work. I'm leaving the little TODO list in there as well as the debugging code (only enabled if BN_CTX_DEBUG is defined). I'd appreciate as much review and testing as can be spared for this. I'll commit some changes to other parts of the bignum code shortly to make better use of this implementation (no more fixed size limitations). Note also that under identical optimisations, I'm seeing a noticable speed increase over openssl-0.9.7 - so any feedback to confirm/deny this on other systems would also be most welcome.	2004-03-25 04:16:14 +00:00
Geoff Thorpe	46ef873f0b	By adding a BN_CTX parameter to the 'rsa_mod_exp' callback, private key operations no longer require two distinct BN_CTX structures. This may put more "strain" on the current BN_CTX implementation (which has a fixed limit to the number of variables it will hold), but so far this limit is not triggered by any of the tests pass and I will be changing BN_CTX in the near future to avoid this problem anyway. This also changes the default RSA implementation code to use the BN_CTX in favour of initialising some of its variables locally in each function.	2004-03-25 02:52:04 +00:00
Dr. Stephen Henson	4acc3e907d	Initial support for certificate policy checking and evaluation. This is currently very experimental and needs to be more fully integrated with the main verification code.	2004-03-23 14:14:35 +00:00
Geoff Thorpe	7f663ce430	Note my bignum hijinx in case app maintainers are using CHANGES for their porting efforts. Also, add Richard's name to the prior change.	2004-03-17 18:30:47 +00:00
Richard Levitte	875a644a90	Constify d2i, s2i, c2i and r2i functions and other associated functions and macros. This change has associated tags: LEVITTE_before_const and LEVITTE_after_const. Those will be removed when this change has been properly reviewed.	2004-03-15 23:15:26 +00:00
Geoff Thorpe	b6358c89a1	Convert openssl code not to assume the deprecated form of BN_zero(). Remove certain redundant BN_zero() initialisations, because BN_CTX_get(), BN_init(), [etc] already initialise to zero. Correct error checking in bn_sqr.c, and be less wishy-wash about how/why the result's 'top' value is set (note also, 'max' is always > 0 at this point).	2004-03-13 23:57:20 +00:00
Geoff Thorpe	9e051bac13	Document a change I'd already made, and at the same time, correct the change to work properly; BN_zero() should set 'neg' to zero as well as 'top' to match the behaviour of BN_new().	2004-03-13 22:10:15 +00:00
Dr. Stephen Henson	edec614efd	Support for inhibitAnyPolicy extension.	2004-03-08 13:56:31 +00:00
Dr. Stephen Henson	bc50157010	Various X509 fixes. Disable broken certificate workarounds when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in CRL issuer certificates. Reject CRLs with unhandled (any) critical extensions.	2004-03-05 17:16:35 +00:00
Dr. Stephen Henson	dc90f64d56	Use an OCTET STRING for the encoding of an OCSP nonce value. The old raw format can't be handled by some implementations and updates to RFC2560 will make this mandatory.	2004-02-19 18:16:38 +00:00
Dr. Stephen Henson	d4575825f1	Add flag to avoid continuous memory allocate when calling EVP_MD_CTX_copy_ex(). Without this HMAC is several times slower than < 0.9.7.	2004-02-01 13:39:51 +00:00
Dr. Stephen Henson	cd2e8a6f2d	Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().	2003-11-10 01:37:23 +00:00
Geoff Thorpe	d870740cd7	Put the first stage of my bignum debugging adventures into CVS. This code is itself experimental, and in addition may cause execution to break on existing openssl "bugs" that previously were harmless or at least invisible.	2003-11-04 22:54:49 +00:00
Geoff Thorpe	2ce90b9b74	BN_CTX is opaque and the static initialiser BN_CTX_init() is not used except internally to the allocator BN_CTX_new(), as such this deprecates the use of BN_CTX_init() in the API. Moreover, the structure definition of BN_CTX is taken out of bn_lcl.h and moved into bn_ctx.c itself. NDEBUG should probably only be "forced" in the top-level configuration, but until it is I will avoid removing it from bn_ctx.c which might surprise people with massive slow-downs in their keygens. So I've left it in bn_ctx.c but tidied up the preprocessor logic a touch and made it more tolerant of debugging efforts.	2003-10-29 18:04:37 +00:00
Geoff Thorpe	8dc344ccbf	Relax some over-zealous constification that gave some lhash-based code no choice but to have to cast away "const" qualifiers from their prototypes. This does not remove constification restrictions from hash/compare callbacks, but allows destructor commands to be run over a tables' elements without bad casts.	2003-10-29 04:57:05 +00:00
Geoff Thorpe	0991f07034	For whatever reason (compiler or header bugs), at least one commonly-used linux system (namely mine) chokes on our definitions and uses of the "HZ" symbol in crypto/tmdiff.[ch] and apps/speed.c as a "bad function cast" (when in fact there is no function casting involved at all). In both cases, it is easily worked around by not defining a cast into the macro and jiggling the expressions slightly. In addition - this highlights some cruft in openssl that needs sorting out. The tmdiff.h header is exported as part of the openssl API despite the fact that it is ugly as the driven sludge and not used anywhere in the library, applications, or utilities. More weird still, almost identical code exists in apps/speed.c though it looks to be slightly tweaked - so either tmdiff should be updated and used by speed.c, or it should be dumped because it's obviously not useful enough. Rather than removing it for now, I've changed the API for tmdiff to at least make sense. This involves taking the object type (MS_TM) from the implementation and using it in the header rather than using "char " in the API and casting mercilessly in the code (ugh). If someone doesn't like "MS_TM" and the "ms_time_**" naming, by all means change it. This should be a harmless improvement, because the existing API is clearly not very useful (eg. we reimplement it rather than using it in our own utils). However, someone still needs to take a hack at consolidating speed.c and tmdiff.[ch] somehow.	2003-10-29 04:40:13 +00:00
Geoff Thorpe	2aaec9cced	Update any code that was using deprecated functions so that everything builds and links with OPENSSL_NO_DEPRECATED defined.	2003-10-29 04:14:08 +00:00
Geoff Thorpe	9d473aa2e4	When OPENSSL_NO_DEPRECATED is defined, deprecated functions are (or should be) precompiled out in the API headers. This change is to ensure that if it is defined when compiling openssl, the deprecated functions aren't implemented either.	2003-10-29 04:06:50 +00:00
Dr. Stephen Henson	c5a5546389	Add support for digested data PKCS#7 type.	2003-10-11 22:11:45 +00:00
Dr. Stephen Henson	8d9086dfa2	New function to initialize a PKCS7 structure of type other.	2003-10-10 23:40:47 +00:00
Dr. Stephen Henson	caf044cb3e	Retrieve correct content to sign when the type is "other".	2003-10-10 23:25:43 +00:00
Dr. Stephen Henson	2990244980	ASN1 parse fix and release file changes.	2003-09-30 16:47:33 +00:00
Ralf S. Engelschall	6bd27f8644	Fix prime generation loop in crypto/bn/bn_prime.pl by making sure the loop does correctly stop and breaking ("division by zero") modulus operations are not performed. The (pre-generated) prime table crypto/bn/bn_prime.h was already correct, but it could not be re-generated on some platforms because of the "division by zero" situation in the script.	2003-09-25 13:57:58 +00:00
Bodo Möller	a907751350	certain changes have to be listed twice in this file because OpenSSL 0.9.6h forked into 0.9.6i and 0.9.7 ...	2003-09-04 12:52:56 +00:00
Dr. Stephen Henson	560dfd2a02	New -ignore_err option in ocsp application to stop the server exiting on the first error in a request.	2003-09-03 23:56:01 +00:00
Dr. Stephen Henson	14f3d7c5cc	Only accept a client certificate if the server requests one, as required by SSL/TLS specs.	2003-09-03 23:47:34 +00:00
Bodo Möller	968766cad8	updates for draft-ietf-tls-ecc-03.txt Submitted by: Douglas Stebila Reviewed by: Bodo Moeller	2003-07-22 12:34:21 +00:00
Bodo Möller	652ae06bad	add test for secp160r1 add code for kP+lQ timings Submitted by: Douglas Stebila <douglas.stebila@sun.com> Reviewed by: Bodo Moeller	2003-07-22 10:39:10 +00:00
Bodo Möller	ddc38679ce	tolerate extra data at end of client hello for SSL 3.0 PR: 659	2003-07-21 15:17:46 +00:00
Bodo Möller	02e0559477	fix: 0.9.7 is based on 0.9.6h, not on 0.9.6k typo in 0.9.6k section	2003-07-21 15:08:01 +00:00
Richard Levitte	cf9a88cad7	Document the last change. PR: 587	2003-06-19 19:04:13 +00:00
Richard Levitte	4f1cd8324c	Prepare for changes in the 0.9.6 branch	2003-06-19 19:01:05 +00:00
Richard Levitte	ed7f1d0bc6	Prepare for changes in the 0.9.6 branch	2003-06-19 18:59:27 +00:00
Richard Levitte	e666c4599f	Add the possibility to have symbols loaded globally with DSO.	2003-06-11 22:42:28 +00:00
Richard Levitte	54f6451670	Add functionality to set marks on the error stack and to pop all errors to the next mark.	2003-06-11 20:49:58 +00:00
Richard Levitte	a069460015	Document the AES_cbc_encrypt() change	2003-06-10 04:42:38 +00:00
Dr. Stephen Henson	63b815583b	Update CHANGES to reflect base64 fix added to 0.9.7	2003-06-03 00:16:47 +00:00
Dr. Stephen Henson	beab098d53	Various S/MIME bug and compatibility fixes.	2003-06-01 20:51:58 +00:00
Richard Levitte	3bbb0212f3	Add STORE support in ENGINE.	2003-05-01 03:57:46 +00:00
Richard Levitte	a5db6fa576	Define a STORE type. For documentation, read the entry in CHANGES, crypto/store/README, crypto/store/store.h and crypto/store/str_locl.h.	2003-05-01 03:53:12 +00:00
Richard Levitte	535fba4907	Define the OPENSSL_ITEM structure.	2003-05-01 03:45:18 +00:00
Richard Levitte	1ae0a83bdd	Add BUF_strndup() and BUF_memdup(). Not currently used, but I've code that uses them that I'll commit in a few days.	2003-04-29 22:08:57 +00:00
Richard Levitte	9d6c32d6d1	Correct documentation. sk_find_ex() doesn't return a pointer, it returns an index.	2003-04-29 20:31:58 +00:00
Richard Levitte	ea5240a5ed	Add an extended variant of OBJ_bsearch() that can be given a few flags.	2003-04-29 20:25:21 +00:00
Bodo Möller	7a04fdd87f	include 'Changes between 0.9.6i and 0.9.6j'	2003-04-11 15:03:12 +00:00
Richard Levitte	16b1b03543	Implement self-signing in 'openssl ca'. This makes it easier to have the CA certificate part of the CA database, and combined with 'unique_subject=no', it should make operations like CA certificate roll-over easier.	2003-04-03 22:33:59 +00:00
Richard Levitte	e6526fbf4d	Add functionality to help making self-signed certificate.	2003-04-03 22:27:24 +00:00
Richard Levitte	f85b68cd49	Make it possible to have multiple active certificates with the same subject.	2003-04-03 16:33:03 +00:00
Bodo Möller	5679bcce07	make RSA blinding thread-safe	2003-04-02 09:50:22 +00:00
Dr. Stephen Henson	1a15c89988	Multi valued AVA support.	2003-03-30 01:51:16 +00:00
Dr. Stephen Henson	520b76ffd9	Support for name constraints.	2003-03-24 17:04:44 +00:00
Dr. Stephen Henson	f80153e20b	Support for policy constraints.	2003-03-21 16:26:20 +00:00
Bodo Möller	c554155b58	make sure RSA blinding works when the PRNG is not properly seeded; enable it automatically for the built-in engine	2003-03-20 17:31:30 +00:00
Dr. Stephen Henson	a1d12daed2	Support for policyMappings	2003-03-20 17:26:44 +00:00
Bodo Möller	02da5bcd83	countermeasure against new Klima-Pokorny-Rosa atack	2003-03-19 19:19:53 +00:00
Geoff Thorpe	bba2cb3ada	Fix a bone-head bug. This warrants a CHANGES entry because it could affect applications if they were passing a bogus 'flags' parameter yet having things work as they wanted anyway.	2003-03-13 20:28:42 +00:00
Geoff Thorpe	879650b866	The default implementation of DSA_METHOD has an interdependence on the dsa_mod_exp() and bn_mod_exp() handlers from dsa_do_verify() and dsa_sign_setup(). When another DSA_METHOD implementation does not define these lower-level handlers, it becomes impossible to do a fallback to software on errors using a simple DSA_OpenSSL()->fn(key). This change allows the default DSA_METHOD to function in such circumstances by only using dsa_mod_exp() and bn_mod_exp() handlers if they exist, otherwise using BIGNUM implementations directly (which is what those handlers did before this change). There should be no noticable difference for the software case, or indeed any custom case that didn't already segfault, except perhaps that there is now one less level of indirection in all cases. PR: 507	2003-03-11 01:49:21 +00:00
Bodo Möller	176f31ddec	- new ECDH_compute_key interface (KDF is no longer a fixed built-in) - bugfix: in ECDH_compute_key, pad x coordinate with leading zeros if necessary	2003-02-28 15:37:10 +00:00
Dr. Stephen Henson	f0dc08e656	Support for dirName from config files in GeneralName extensions.	2003-02-27 01:54:11 +00:00
Dr. Stephen Henson	e9ec63961b	Fix indefinite length encoding so EOC correctly updates the buffer pointer. Rename PKCS7_PARTSIGN to PKCS7_STREAM. Guess what that's for :-)	2003-02-25 19:03:31 +00:00
Ulf Möller	63ff3e83fc	Add instructions for building the MinGW target in Cygwin, and rearrange some of the other text for better readability.	2003-02-22 23:03:42 +00:00
Richard Levitte	132eaa59da	Allow building applications against static libraries with Makefile.shared.	2003-02-22 14:41:34 +00:00
Dr. Stephen Henson	5562cfaca4	Base64 bio fixes. The base64 bio was seriously broken when reading from a non blocking BIO. It would incorrectly interpret retries as EOF, incorrectly buffer initial data and have no buffering at all after initial data (data would be sent one byte at a time to EVP_DecodeUpdate).	2003-02-22 02:12:52 +00:00
Richard Levitte	5b0b0e98ce	Security fix: Vaudenay timing attack on CBC. An advisory will be posted to the web. Expect a release within the hour.	2003-02-19 12:03:59 +00:00
Richard Levitte	758f942b88	Make the no-err option work properly	2003-02-18 12:14:57 +00:00
Dr. Stephen Henson	27068df7e0	Single pass processing to cleartext S/MIME signing.	2003-02-15 00:50:55 +00:00
Richard Levitte	b7bbac72c4	Add support for IA64. PR: 454	2003-02-14 13:30:35 +00:00
Richard Levitte	2d3de726c5	Add full support for -rpath/-R, both in shared libraries and applications, at least on the platforms where it's known how to do it. Note: this has only been tested on GNU-based platforms (Linux), and needs to be tested on all others. Additionally, it's not yet supported on the following platforms, for lack of information: Darwin (MacOS X) Cygwin OSF1/Alpha SVR3 ReliantUNIX Please help out with testing and the platforms we don't yet know well enough.	2003-02-13 23:52:54 +00:00
Richard Levitte	9ec1d35f29	Adjust DES_cbc_cksum() so the returned value is the same as MIT's mit_des_cbc_cksum(). The difference was first observed, then verified by looking at the MIT source.	2003-02-12 17:20:39 +00:00
Dr. Stephen Henson	cf56663fb7	Option to disable SSL auto chain build	2003-02-12 17:06:02 +00:00
Bodo Möller	8537943e8b	first section is now "Changes between 0.9.7a and 0.9.8", not "... 0.9.7 and 0.9.8"	2003-02-11 16:42:30 +00:00
Bodo Möller	24893ca999	typo	2003-02-06 19:32:06 +00:00
Bodo Möller	37c660ff9b	implement fast point multiplication with precomputation Submitted by: Nils Larsch Reviewed by: Bodo Moeller	2003-02-06 19:25:12 +00:00
Dr. Stephen Henson	4e5d3a7f98	IPv6 display and input support for extensions usingh GeneralName.	2003-02-05 00:34:31 +00:00
Richard Levitte	0b13e9f055	Add the possibility to build without the ENGINE framework. PR: 287	2003-01-30 17:39:26 +00:00
Geoff Thorpe	96f7065f63	Summarise the last couple of commits.	2003-01-30 15:52:40 +00:00
Bodo Möller	c1862f9136	consistency	2003-01-24 22:28:32 +00:00
Dr. Stephen Henson	d3b5cb5343	Check return value of gmtime() and add error codes where it fails in ASN1_TIME_set(). Edit asn1.h so the new error code is the same in 0.9.7 and 0.9.8, rebuild new error codes. Clear error queue in req.c if _min or _max is absent.	2003-01-24 01:12:01 +00:00
Lutz Jänicke	a74333f905	Fix initialization sequence to prevent freeing of unitialized objects. Submitted by: Nils Larsch <nla@trustcenter.de> PR: 459	2003-01-15 14:54:59 +00:00
Lutz Jänicke	8ec16ce711	Really fix SSLv2 session ID handling PR: 377	2003-01-15 09:51:22 +00:00
Geoff Thorpe	0e4aa0d2d2	As with RSA, which was modified recently, this change makes it possible to override key-generation implementations by placing handlers in the methods for DSA and DH. Also, parameter generation for DSA and DH is possible by another new handler for each method.	2003-01-15 02:01:55 +00:00
Richard Levitte	04aff67de4	Merge from 0.9.7-stable.	2003-01-13 17:16:25 +00:00
Bodo Möller	9d5390a049	document BN_GENCB API by adding an example	2003-01-13 13:44:20 +00:00
Richard Levitte	afd41c9fc7	Add better support for FreeBSD on non-x86 machines. Add specific support for FreeBSD on sparc64. PR: 427	2003-01-12 04:43:44 +00:00
Richard Levitte	4a9476dd8d	When preparing a separate build tree, don't make softlinks to softlinks. Add instructions in INSTALL, for easy access. PR: 437	2003-01-10 10:56:14 +00:00
Richard Levitte	7a1c6aa2a3	It's rather silly to believe we'd release 0.9.7a in 2002 :-). It's even more silly to pretend we know which year 0.9.8 will be released.	2002-12-31 01:00:06 +00:00
Richard Levitte	948dcdb81b	Merge in changes from 0.9.7-stable.	2002-12-31 00:02:10 +00:00
Richard Levitte	08101d72ce	Merge in changes from 0.9.7-stable.	2002-12-30 23:56:09 +00:00
Lutz Jänicke	21cde7a41c	Fix wrong handling of session ID in SSLv2 client code. PR: 377	2002-12-29 20:59:35 +00:00
Richard Levitte	9cd16b1dea	We stupidly had a separate LIBKRB5 variable for KRB5 library dependencies, and then didn't support it very well. And that when there already is a useful variable for exactly this kind of thing; EX_LIBS...	2002-12-19 22:10:12 +00:00
Richard Levitte	a1457874c6	OK, there's at least one application author who has provided dynamic locking callbacks	2002-12-13 07:30:53 +00:00
Richard Levitte	14676ffcd6	Document the modifications in 0.9.7 that will make the hw_ncipher.c engine work properly even in bad situations.	2002-12-12 17:40:15 +00:00
Richard Levitte	fdaea9ed2e	Since it's defined in draft-ietf-tls-compression-04.txt, let's make ZLIB a known compression method, with the identity 1.	2002-12-08 09:31:41 +00:00
Geoff Thorpe	e9224c7177	This is a first-cut at improving the callback mechanisms used in key-generation and prime-checking functions. Rather than explicitly passing callback functions and caller-defined context data for the callbacks, a new structure BN_GENCB is defined that encapsulates this; a pointer to the structure is passed to all such functions instead. This wrapper structure allows the encapsulation of "old" and "new" style callbacks - "new" callbacks return a boolean result on the understanding that returning FALSE should terminate keygen/primality processing. The BN_GENCB abstraction will allow future callback modifications without needing to break binary compatibility nor change the API function prototypes. The new API functions have been given names ending in "_ex" and the old functions are implemented as wrappers to the new ones. The OPENSSL_NO_DEPRECATED symbol has been introduced so that, if defined, declaration of the older functions will be skipped. NB: Some openssl-internal code will stick with the older callbacks for now, so appropriate "#undef" logic will be put in place - this is in case the user is building openssl (rather than including its headers) with this symbol defined. There is another change in the new _ex functions; the key-generation functions do not return key structures but operate on structures passed by the caller, the return value is a boolean. This will allow for a smoother transition to having key-generation as "virtual function" in the various ***_METHOD tables.	2002-12-08 05:24:31 +00:00
Richard Levitte	43ecece595	Merge in relevant changes from the OpenSSL 0.9.6h release.	2002-12-05 21:50:13 +00:00
Dr. Stephen Henson	2053c43de2	In asn1_d2i_read_bio, don't assume BIO_read will return the requested number of bytes when reading content.	2002-12-03 23:50:59 +00:00
Richard Levitte	df29cc8f77	Add OPENSSL_cleanse() to help cleanse memory and avoid certain compiler and linker optimizations. PR: 343	2002-11-27 12:24:05 +00:00
Richard Levitte	17582ccf21	Heimdal isn't really supported right now. Say so, and offer a possibility to force the use of Heimdal, and warn if that's used. PR: 346	2002-11-26 10:11:58 +00:00
Lutz Jänicke	6a8afe2201	Fix bug introduced by the attempt to fix client side external session caching (#288): now internal caching failed (#351): Make sure, that cipher_id is set before comparing. Submitted by: Reviewed by: PR: 288 (and 351)	2002-11-20 10:48:58 +00:00
Richard Levitte	20199ca809	Document the addition of certificate pairs.	2002-11-18 23:56:15 +00:00
Richard Levitte	0bf23d9b20	WinCE patches	2002-11-15 22:37:18 +00:00
Richard Levitte	6f17f16fd5	Changes to make shared library building and use work better with Cygwin	2002-11-15 16:48:38 +00:00
Richard Levitte	84034f7aec	Document the change to remove the 'done' flag variable in the OpenSSL_add_all_*() routines	2002-11-15 13:58:11 +00:00
Richard Levitte	0a5942093e	We need to read one more byte of the REQUEST-CERTIFICATE message. PR: 300	2002-11-15 09:15:55 +00:00
Bodo Möller	2b2ab52354	harmonize with 0.9.7 tree	2002-11-14 12:17:47 +00:00
Richard Levitte	83411793b6	Handle last lines that aren't properly terminated. PR: 308	2002-11-14 06:51:18 +00:00
Ben Laurie	54a656ef08	Security fixes brought forward from 0.9.7.	2002-11-13 15:43:43 +00:00
Richard Levitte	c81a15099a	X509_NAME_cmp() now compares PrintableString and emailAddress with a value of type ia5String correctly. PR: 244	2002-11-09 21:52:20 +00:00
Bodo Möller	b53e44e572	implement and use new macros BN_get_sign(), BN_set_sign() Submitted by: Nils Larsch	2002-11-04 13:17:22 +00:00
Geoff Thorpe	9c3db400dc	The recent CHANGES note between 0.9.6g and 0.9.6h needs copying into the other branches.	2002-10-29 18:01:08 +00:00
Bodo Möller	19b8d06a79	clean up new code for NIST primes create new lock CRYPTO_LOCK_BN to avoid race condition	2002-10-28 14:02:19 +00:00
Bodo Möller	5c6bf03117	fast reduction for NIST curves Submitted by: Nils Larsch	2002-10-28 13:23:24 +00:00
Richard Levitte	874fee478c	Clarify where the engines are by default.	2002-10-12 16:07:31 +00:00

... 9 10 11 12 13 ...

2123 commits