Commit graph

392 commits

Author SHA1 Message Date
Ben Laurie
43048d13c8 Fix warning. 2008-09-07 13:22:34 +00:00
Dr. Stephen Henson
d43c4497ce Initial support for delta CRLs. If "use deltas" flag is set attempt to find
a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.
2008-09-01 15:15:16 +00:00
Dr. Stephen Henson
4b96839f06 Add support for CRLs partitioned by reason code.
Tidy CRL scoring system.

Add new CRL path validation error.
2008-08-29 11:37:21 +00:00
Dr. Stephen Henson
d0fff69dc9 Initial indirect CRL support. 2008-08-20 16:42:19 +00:00
Dr. Stephen Henson
9d84d4ed5e Initial support for CRL path validation. This supports distinct certificate
and CRL signing keys.
2008-08-13 16:00:11 +00:00
Dr. Stephen Henson
2e0c7db950 Initial code to support distinct certificate and CRL signing keys where the
CRL issuer is not part of the main path.

Not complete yet and not compiled in because the CRL issuer certificate is
not validated.
2008-08-12 16:07:52 +00:00
Dr. Stephen Henson
002e66c0e8 Support for policy mappings extension.
Delete X509_POLICY_REF code.

Fix handling of invalid policy extensions to return the correct error.

Add command line option to inhibit policy mappings.
2008-08-12 10:32:56 +00:00
Dr. Stephen Henson
e9746e03ee Initial support for name constraints certificate extension.
TODO: robustness checking on name forms.
2008-08-08 15:35:29 +00:00
Dr. Stephen Henson
3e727a3b37 Add support for nameRelativeToCRLIssuer field in distribution point name
fields.
2008-08-04 15:34:27 +00:00
Dr. Stephen Henson
5cbd203302 Initial support for alternative CRL issuing certificates.
Allow inibit any policy flag to be set in apps.
2008-07-30 15:49:12 +00:00
Dr. Stephen Henson
db50661fce X509 verification fixes.
Ignore self issued certificates when checking path length constraints.

Duplicate OIDs in policy tree in case they are allocated.

Use anyPolicy from certificate cache and not current tree level.
2008-07-13 14:25:36 +00:00
Dr. Stephen Henson
8528128b2a Update from stable branch. 2008-06-26 23:27:31 +00:00
Dr. Stephen Henson
83574cf808 Fix from stable branch. 2008-05-30 10:57:49 +00:00
Lutz Jänicke
4c1a6e004a Apply mingw patches as supplied by Roumen Petrov an Alon Bar-Lev
PR: 1552
Submitted by: Roumen Petrov <openssl@roumenpetrov.info>, "Alon Bar-Lev" <alon.barlev@gmail.com>
2008-04-17 10:19:16 +00:00
Dr. Stephen Henson
8931b30d84 And so it begins...
Initial support for CMS.

Add zlib compression BIO.

Add AES key wrap implementation.

Generalize S/MIME MIME code to support CMS and/or PKCS7.
2008-03-12 21:14:28 +00:00
Dr. Stephen Henson
56c7754cab Avoid warnings. 2008-02-28 14:05:01 +00:00
Dr. Stephen Henson
a70a49a018 Fix typo and avoid warning. 2008-02-28 13:18:26 +00:00
Dr. Stephen Henson
9536b85c07 Typo. 2008-02-12 01:24:50 +00:00
Dr. Stephen Henson
4d318c79b2 Utility attribute function to retrieve attribute data from an expected
type. Useful for many attributes which are single valued and can only
have one type.
2008-02-11 17:52:38 +00:00
Dr. Stephen Henson
1ad90a916b Extend attribute setting routines to support non-string types. 2008-02-11 13:59:33 +00:00
Dr. Stephen Henson
0e1dba934f 1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure

2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).

3. Changes to EVP
	- adding of function EVP_PKEY_CTX_get0_peerkey
	- Make function EVP_PKEY_derive_set_peerkey work for context with
	  ENCRYPT operation, because we use peerkey field in the context to
	  pass non-ephemeral secret key to GOST encrypt operation.
	- added EVP_PKEY_CTRL_SET_IV control command. It is really
	  GOST-specific, but it is used in SSL code, so it has to go
	  in some header file, available during libssl compilation

4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data

5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
  make debugging output which depends on constants defined there, work
  and other KSSL_DEBUG output fixes

6. Declaration of real GOST ciphersuites, two authentication methods
   SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST

7. Implementation  of these methods.

8. Support for sending unsolicited serverhello extension if GOST
  ciphersuite is selected. It is require for interoperability with
  CryptoPro CSP 3.0 and 3.6 and controlled by
  SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
  This constant is added to SSL_OP_ALL, because it does nothing, if
  non-GOST ciphersuite is selected, and all implementation of GOST
  include compatibility with CryptoPro.

9. Support for CertificateVerify message without length field. It is
   another CryptoPro bug, but support is made unconditional, because it
   does no harm for draft-conforming implementation.

10. In tls1_mac extra copy of stream mac context is no more done.
  When I've written currently commited code I haven't read
  EVP_DigestSignFinal manual carefully enough and haven't noticed that
  it does an internal digest ctx copying.

This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
Andy Polyakov
ebc06fba67 Bunch of constifications. 2007-10-13 15:51:32 +00:00
Dr. Stephen Henson
67c8e7f414 Support for certificate status TLS extension. 2007-09-26 21:56:59 +00:00
Ben Laurie
9311c4421a Fix dependencies. Make depend. 2007-09-19 14:53:18 +00:00
Dr. Stephen Henson
a6fbcb4220 Change safestack reimplementation to match 0.9.8.
Fix additional gcc 4.2 value not used warnings.
2007-09-07 13:25:15 +00:00
Dr. Stephen Henson
3c07d3a3d3 Finish gcc 4.2 changes. 2007-06-07 13:14:42 +00:00
Andy Polyakov
3005764c18 Typo in x509_txt.c.
Submitted by: Martin.Kraemer@Fujitsu-Siemens.com
2007-05-19 18:03:21 +00:00
Dr. Stephen Henson
5d5ca32fa1 Updates from 0.9.8-stable branch. 2007-02-18 18:21:57 +00:00
Richard Levitte
82bf227e91 After objects have been freed, NULLify the pointers so there will be no double
free of those objects
2007-02-07 01:42:46 +00:00
Dr. Stephen Henson
560b79cbff Constify version strings and some structures. 2007-01-21 13:07:17 +00:00
Nils Larsch
91b73acb19 use const ASN1_TIME * 2006-12-11 22:35:51 +00:00
Dr. Stephen Henson
10ca15f3fa Fix change to OPENSSL_NO_RFC3779 2006-12-06 13:36:48 +00:00
Nils Larsch
fa9ac569b8 avoid duplicate entries in add_cert_dir()
PR: 1407
Submitted by: Tomas Mraz <tmraz@redhat.com>
2006-12-05 21:21:37 +00:00
Nils Larsch
0f997d0dc3 allocate a new attributes entry in X509_REQ_add_extensions()
if it's NULL (in case of a malformed pkcs10 request)

PR: 1347
Submitted by: Remo Inverardi <invi@your.toilet.ch>
2006-12-04 19:11:57 +00:00
Ben Laurie
96ea4ae91c Add RFC 3779 support. 2006-11-27 14:18:05 +00:00
Dr. Stephen Henson
47a9d527ab Update from 0.9.8 stable. Eliminate duplicate error codes. 2006-11-21 21:29:44 +00:00
Dr. Stephen Henson
14975faa60 Remove illegal IMPLEMENT macros from header file. 2006-11-16 00:55:33 +00:00
Nils Larsch
1611b9ed80 remove SSLEAY_MACROS code 2006-11-06 19:53:39 +00:00
Dr. Stephen Henson
f4c630abb3 Place standard CRL behaviour in default X509_CRL_METHOD new functions to
create, free and set default CRL method.
2006-10-03 02:47:59 +00:00
Dr. Stephen Henson
019bfef899 Initialize new callbacks and make sure hent is always initialized. 2006-09-26 13:25:19 +00:00
Richard Levitte
0709249f4c Complete the change for VMS. 2006-09-25 08:35:35 +00:00
Dr. Stephen Henson
010fa0b331 Tidy up CRL handling by checking for critical extensions when it is
loaded. Add new function X509_CRL_get0_by_serial() to lookup a revoked
entry to avoid the need to access the structure directly.

Add new X509_CRL_METHOD to allow common CRL operations (verify, lookup) to be
redirected.
2006-09-21 12:42:15 +00:00
Dr. Stephen Henson
5d20c4fb35 Overhaul of by_dir code to handle dynamic loading of CRLs. 2006-09-17 17:16:28 +00:00
Dr. Stephen Henson
bc7535bc7f Support for AKID in CRLs and partial support for IDP. Overhaul of CRL
handling to support this.
2006-09-14 17:25:02 +00:00
Dr. Stephen Henson
016bc5ceb3 Fixes for new CRL/cert callbacks. Update CRL processing code to use new
callbacks.
2006-09-11 13:00:52 +00:00
Dr. Stephen Henson
4d50a2b4d6 Add verify callback functions to lookup a STACK of matching certs or CRLs
based on subject name.

New thread safe functions to retrieve matching STACK from X509_STORE.

Cache some IDP components.
2006-09-10 12:38:37 +00:00
Dr. Stephen Henson
f6e7d01450 Support for multiple CRLs with same issuer name in X509_STORE. Modify
verify logic to try to use an unexpired CRL if possible.
2006-07-25 17:39:38 +00:00
Dr. Stephen Henson
edc540211c Cache some CRL related extensions. 2006-07-24 12:39:22 +00:00
Dr. Stephen Henson
786aa98da1 Use correct pointer types for various functions. 2006-07-20 16:56:47 +00:00
Dr. Stephen Henson
450ea83495 Store canonical encodings of Name structures. Update X509_NAME_cmp() to use
them.
2006-07-18 12:36:19 +00:00