Bodo Möller
0f32c841a6
stricter session ID context matching
2007-03-21 14:33:16 +00:00
Bodo Möller
dd2b6750db
include complete 0.9.7 history
...
include release date of 0.9.8e
2007-02-26 10:49:59 +00:00
Lutz Jänicke
8d72476e2b
Extend SMTP and IMAP protocol handling to perform the required
...
EHLO or CAPABILITY handshake before sending STARTTLS
Submitted by: Goetz Babin-Ebell <goetz@shomitefo.de>
2007-02-21 18:20:41 +00:00
Dr. Stephen Henson
a2e623c011
Update from 0.9.7-stable.
2007-02-21 13:49:35 +00:00
Bodo Möller
fd5bc65cc8
Improve ciphersuite order stability when disabling ciphersuites.
...
Change ssl_create_cipher_list() to prefer ephemeral ECDH over
ephemeral DH.
2007-02-20 16:36:58 +00:00
Bodo Möller
0a05123a6c
Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a
...
ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
Also, change ssl_create_cipher_list() so that it no longer
starts with an arbitrary ciphersuite ordering, but instead
uses the logic that we previously had in SSL_DEFEAULT_CIPHER_LIST.
SSL_DEFAULT_CIPHER_LIST simplifies into just "ALL:!aNULL:!eNULL".
2007-02-19 18:41:41 +00:00
Bodo Möller
52b8dad8ec
Reorganize the data used for SSL ciphersuite pattern matching.
...
This change resolves a number of problems and obviates multiple kludges.
A new feature is that you can now say "AES256" or "AES128" (not just
"AES", which enables both).
In some cases the ciphersuite list generated from a given string is
affected by this change. I hope this is just in those cases where the
previous behaviour did not make sense.
2007-02-17 06:45:38 +00:00
Nils Larsch
357d5de5b9
add support for DSA with SHA2
2007-02-03 14:41:12 +00:00
Dr. Stephen Henson
11d8cdc6ad
Experimental streaming PKCS#7 support.
...
I thought it was about time I dusted this off. This stuff had been sitting on
my hard drive for *ages* (2003 in fact). Hasn't been tested well and may not
work properly.
Nothing uses it at present which is just as well.
Think of this as a traditional Christmas present which looks far more
impressive in the adverts and on the box, some of the bits are missing and
falls to bits if you play with it too much.
2006-12-24 16:22:56 +00:00
Nils Larsch
fec38ca4ed
fix typos
...
PR: 1354, 1355, 1398, 1408
2006-12-21 21:13:27 +00:00
Nils Larsch
06e2dd037e
add support for ecdsa-with-sha256 etc.
2006-12-20 08:58:54 +00:00
Bodo Möller
772e3c07b4
Fix the BIT STRING encoding of EC points or parameter seeds
...
(need to prevent the removal of trailing zero bits).
2006-12-19 15:11:37 +00:00
Bodo Möller
1e24b3a09e
fix support for receiving fragmented handshake messages
2006-11-29 14:45:50 +00:00
Ben Laurie
96ea4ae91c
Add RFC 3779 support.
2006-11-27 14:18:05 +00:00
Dr. Stephen Henson
47a9d527ab
Update from 0.9.8 stable. Eliminate duplicate error codes.
2006-11-21 21:29:44 +00:00
Dr. Stephen Henson
de12116417
Initial, incomplete support for typesafe macros without using function
...
casts.
2006-11-16 00:19:39 +00:00
Andy Polyakov
3189772e07
Switch Win32/64 targets to Winsock2. Updates to ISNTALL.W32 cover even
...
recent mingw modifications.
2006-10-23 07:38:30 +00:00
Bodo Möller
3c5406b35c
All 0.9.8d patches have been applied to HEAD now, so we no longer need
...
the redundant entries under the 0.9.9 heading.
2006-09-28 13:50:41 +00:00
Bodo Möller
61118caa86
include 0.9.8d and 0.9.7l information
2006-09-28 13:35:01 +00:00
Mark J. Cox
348be7ec60
Fix ASN.1 parsing of certain invalid structures that can result
...
in a denial of service. (CVE-2006-2937) [Steve Henson]
2006-09-28 13:20:44 +00:00
Mark J. Cox
3ff55e9680
Fix buffer overflow in SSL_get_shared_ciphers() function.
...
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
Fix SSL client code which could crash if connecting to a
malicious SSLv2 server. (CVE-2006-4343)
[Tavis Ormandy and Will Drewry, Google Security Team]
2006-09-28 13:18:43 +00:00
Dr. Stephen Henson
010fa0b331
Tidy up CRL handling by checking for critical extensions when it is
...
loaded. Add new function X509_CRL_get0_by_serial() to lookup a revoked
entry to avoid the need to access the structure directly.
Add new X509_CRL_METHOD to allow common CRL operations (verify, lookup) to be
redirected.
2006-09-21 12:42:15 +00:00
Dr. Stephen Henson
5d20c4fb35
Overhaul of by_dir code to handle dynamic loading of CRLs.
2006-09-17 17:16:28 +00:00
Dr. Stephen Henson
bc7535bc7f
Support for AKID in CRLs and partial support for IDP. Overhaul of CRL
...
handling to support this.
2006-09-14 17:25:02 +00:00
Bodo Möller
b6699c3f07
Update
2006-09-12 14:42:19 +00:00
Bodo Möller
ed65f7dc34
ensure that ciphersuite strings such as "RC4-MD5" match the SSL 2.0
...
ciphersuite as well
2006-09-11 09:49:03 +00:00
Bodo Möller
6a2c471077
Every change so far that is in the 0.9.8 branch is (or should be) in HEAD
2006-09-06 06:34:52 +00:00
Mark J. Cox
b79aa05e3b
Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
...
(CVE-2006-4339)
Submitted by: Ben Laurie, Google Security Team
Reviewed by: bmoeller, mjc, shenson
2006-09-05 08:58:03 +00:00
Ben Laurie
aa6d1a0c19
Forward port of IGE mode.
2006-08-31 14:04:04 +00:00
Dr. Stephen Henson
f6e7d01450
Support for multiple CRLs with same issuer name in X509_STORE. Modify
...
verify logic to try to use an unexpired CRL if possible.
2006-07-25 17:39:38 +00:00
Dr. Stephen Henson
edc540211c
Cache some CRL related extensions.
2006-07-24 12:39:22 +00:00
Dr. Stephen Henson
450ea83495
Store canonical encodings of Name structures. Update X509_NAME_cmp() to use
...
them.
2006-07-18 12:36:19 +00:00
Dr. Stephen Henson
454dbbc593
Add -timeout option to ocsp utility.
2006-07-17 13:26:54 +00:00
Dr. Stephen Henson
c1c6c0bf45
New non-blocking OCSP functionality.
2006-07-17 12:18:28 +00:00
Dr. Stephen Henson
b7683e3a5d
Allow digests to supply S/MIME micalg values from a ctrl.
...
Send ctrls to EVP_PKEY_METHOD during signing of PKCS7 structure so
customisation is possible.
2006-07-10 18:36:55 +00:00
Dr. Stephen Henson
0ee2166cc5
New functions to add and free up application defined signature OIDs.
2006-07-09 16:05:43 +00:00
Dr. Stephen Henson
5ba4bf35c5
New functions to enumerate digests and ciphers.
2006-07-09 00:53:45 +00:00
Bodo Möller
e34aa5a3b3
always read in RAND_poll() if we can't use select because of a too
...
large FD: it's non-blocking mode anyway
2006-06-28 14:50:12 +00:00
Richard Levitte
27a3d9f9aa
Use poll() when possible to gather Unix randomness entropy
2006-06-27 06:31:34 +00:00
Bodo Möller
48fc582f66
New functions CRYPTO_set_idptr_callback(),
...
CRYPTO_get_idptr_callback(), CRYPTO_thread_idptr() for a 'void *' type
thread ID, since the 'unsigned long' type of the existing thread ID
does not always work well.
2006-06-23 15:21:36 +00:00
Bodo Möller
81de1028bc
Change in 0.9.8 branch:
...
Put ECCdraft ciphersuites back into default build (but disabled
unless specifically requested)
2006-06-22 12:37:28 +00:00
Bodo Möller
850815cb6e
Remove ECC ciphersuites from 0.9.8 branch (should use 0.9.9 branch)
2006-06-20 08:50:42 +00:00
Bodo Möller
c4e7870ac1
Change array representation of binary polynomials to make GF2m part of
...
the BN library more generally useful.
Submitted by: Douglas Stebila
2006-06-18 22:00:57 +00:00
Bodo Möller
5b57fe0a1e
Disable invalid ciphersuites
2006-06-14 17:51:46 +00:00
Bodo Möller
89bbe14c50
Ciphersuite string bugfixes, and ECC-related (re-)definitions.
2006-06-14 17:40:31 +00:00
Bodo Möller
675f605d44
Thread-safety fixes
2006-06-14 08:55:23 +00:00
Bodo Möller
f3dea9a595
Camellia cipher, contributed by NTT
...
Submitted by: Masashi Fujita
Reviewed by: Bodo Moeller
2006-06-09 15:44:59 +00:00
Dr. Stephen Henson
fb7b393278
Output MIME parameter micalg according to RFC3851 and RFC4490 instead of hard
...
coding it to "sha1".
2006-06-06 13:27:36 +00:00
Dr. Stephen Henson
01b8b3c7d2
Complete EVP_PKEY_ASN1_METHOD ENGINE support.
2006-06-05 11:52:46 +00:00
Dr. Stephen Henson
de9fcfe348
Initial public key ASN1 method engine support. Not integrated yet.
2006-06-02 17:52:27 +00:00