Commit graph

654 commits

Author SHA1 Message Date
Dr. Stephen Henson
30e5e39a3d PR: 1778
Increase default verify depth to 100.
2009-02-16 23:23:21 +00:00
Dr. Stephen Henson
b5d5c0a21f PR: 1843
Use correct array size for SHA1 hash.
2009-02-16 21:42:48 +00:00
Dr. Stephen Henson
c2c99e2860 Update certificate hash line format to handle canonical format
and avoid MD5 dependency.
2009-01-15 13:22:39 +00:00
Andy Polyakov
e527201f6b This _WIN32-specific patch makes it possible to "wrap" OpenSSL in another
.DLL, in particular static build. The issue has been discussed in RT#1230
and later on openssl-dev, and mutually exclusive approaches were suggested.
This completes compromise solution suggested in RT#1230.
PR: 1230
2008-12-22 13:54:12 +00:00
Geoff Thorpe
6343829a39 Revert the size_t modifications from HEAD that had led to more
knock-on work than expected - they've been extracted into a patch
series that can be completed elsewhere, or in a different branch,
before merging back to HEAD.
2008-11-12 03:58:08 +00:00
Dr. Stephen Henson
2e5975285e Update obsolete email address... 2008-11-05 18:39:08 +00:00
Ben Laurie
5e4430e70d More size_tification. 2008-11-01 16:40:37 +00:00
Dr. Stephen Henson
e19106f5fb Create function of the form OBJ_bsearch_xxx() in bsearch typesafe macros
with the appropriate parameters which calls OBJ_bsearch(). A compiler will
typically inline this.

This avoids the need for cmp_xxx variables and fixes unchecked const issues
with CHECKED_PTR_OF()
2008-10-22 15:43:01 +00:00
Dr. Stephen Henson
606f6c477a Fix a shed load or warnings:
Duplicate const.
Use of ; outside function.
2008-10-20 15:12:00 +00:00
Ben Laurie
babb379849 Type-checked (and modern C compliant) OBJ_bsearch. 2008-10-12 14:32:47 +00:00
Dr. Stephen Henson
87d3a0cd90 Experimental new date handling routines. These fix issues with X509_time_adj()
and should avoid any OS date limitations such as the year 2038 bug.
2008-10-07 22:55:27 +00:00
Geoff Thorpe
fa0f834c20 Fix build warnings. 2008-09-15 04:02:37 +00:00
Ben Laurie
43048d13c8 Fix warning. 2008-09-07 13:22:34 +00:00
Dr. Stephen Henson
d43c4497ce Initial support for delta CRLs. If "use deltas" flag is set attempt to find
a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.
2008-09-01 15:15:16 +00:00
Dr. Stephen Henson
4b96839f06 Add support for CRLs partitioned by reason code.
Tidy CRL scoring system.

Add new CRL path validation error.
2008-08-29 11:37:21 +00:00
Dr. Stephen Henson
d0fff69dc9 Initial indirect CRL support. 2008-08-20 16:42:19 +00:00
Dr. Stephen Henson
9d84d4ed5e Initial support for CRL path validation. This supports distinct certificate
and CRL signing keys.
2008-08-13 16:00:11 +00:00
Dr. Stephen Henson
2e0c7db950 Initial code to support distinct certificate and CRL signing keys where the
CRL issuer is not part of the main path.

Not complete yet and not compiled in because the CRL issuer certificate is
not validated.
2008-08-12 16:07:52 +00:00
Dr. Stephen Henson
002e66c0e8 Support for policy mappings extension.
Delete X509_POLICY_REF code.

Fix handling of invalid policy extensions to return the correct error.

Add command line option to inhibit policy mappings.
2008-08-12 10:32:56 +00:00
Dr. Stephen Henson
e9746e03ee Initial support for name constraints certificate extension.
TODO: robustness checking on name forms.
2008-08-08 15:35:29 +00:00
Dr. Stephen Henson
3e727a3b37 Add support for nameRelativeToCRLIssuer field in distribution point name
fields.
2008-08-04 15:34:27 +00:00
Dr. Stephen Henson
5cbd203302 Initial support for alternative CRL issuing certificates.
Allow inibit any policy flag to be set in apps.
2008-07-30 15:49:12 +00:00
Dr. Stephen Henson
db50661fce X509 verification fixes.
Ignore self issued certificates when checking path length constraints.

Duplicate OIDs in policy tree in case they are allocated.

Use anyPolicy from certificate cache and not current tree level.
2008-07-13 14:25:36 +00:00
Dr. Stephen Henson
8528128b2a Update from stable branch. 2008-06-26 23:27:31 +00:00
Dr. Stephen Henson
83574cf808 Fix from stable branch. 2008-05-30 10:57:49 +00:00
Lutz Jänicke
4c1a6e004a Apply mingw patches as supplied by Roumen Petrov an Alon Bar-Lev
PR: 1552
Submitted by: Roumen Petrov <openssl@roumenpetrov.info>, "Alon Bar-Lev" <alon.barlev@gmail.com>
2008-04-17 10:19:16 +00:00
Dr. Stephen Henson
8931b30d84 And so it begins...
Initial support for CMS.

Add zlib compression BIO.

Add AES key wrap implementation.

Generalize S/MIME MIME code to support CMS and/or PKCS7.
2008-03-12 21:14:28 +00:00
Dr. Stephen Henson
56c7754cab Avoid warnings. 2008-02-28 14:05:01 +00:00
Dr. Stephen Henson
a70a49a018 Fix typo and avoid warning. 2008-02-28 13:18:26 +00:00
Dr. Stephen Henson
9536b85c07 Typo. 2008-02-12 01:24:50 +00:00
Dr. Stephen Henson
4d318c79b2 Utility attribute function to retrieve attribute data from an expected
type. Useful for many attributes which are single valued and can only
have one type.
2008-02-11 17:52:38 +00:00
Dr. Stephen Henson
1ad90a916b Extend attribute setting routines to support non-string types. 2008-02-11 13:59:33 +00:00
Dr. Stephen Henson
0e1dba934f 1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure

2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).

3. Changes to EVP
	- adding of function EVP_PKEY_CTX_get0_peerkey
	- Make function EVP_PKEY_derive_set_peerkey work for context with
	  ENCRYPT operation, because we use peerkey field in the context to
	  pass non-ephemeral secret key to GOST encrypt operation.
	- added EVP_PKEY_CTRL_SET_IV control command. It is really
	  GOST-specific, but it is used in SSL code, so it has to go
	  in some header file, available during libssl compilation

4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data

5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
  make debugging output which depends on constants defined there, work
  and other KSSL_DEBUG output fixes

6. Declaration of real GOST ciphersuites, two authentication methods
   SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST

7. Implementation  of these methods.

8. Support for sending unsolicited serverhello extension if GOST
  ciphersuite is selected. It is require for interoperability with
  CryptoPro CSP 3.0 and 3.6 and controlled by
  SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
  This constant is added to SSL_OP_ALL, because it does nothing, if
  non-GOST ciphersuite is selected, and all implementation of GOST
  include compatibility with CryptoPro.

9. Support for CertificateVerify message without length field. It is
   another CryptoPro bug, but support is made unconditional, because it
   does no harm for draft-conforming implementation.

10. In tls1_mac extra copy of stream mac context is no more done.
  When I've written currently commited code I haven't read
  EVP_DigestSignFinal manual carefully enough and haven't noticed that
  it does an internal digest ctx copying.

This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
Andy Polyakov
ebc06fba67 Bunch of constifications. 2007-10-13 15:51:32 +00:00
Dr. Stephen Henson
67c8e7f414 Support for certificate status TLS extension. 2007-09-26 21:56:59 +00:00
Ben Laurie
9311c4421a Fix dependencies. Make depend. 2007-09-19 14:53:18 +00:00
Dr. Stephen Henson
a6fbcb4220 Change safestack reimplementation to match 0.9.8.
Fix additional gcc 4.2 value not used warnings.
2007-09-07 13:25:15 +00:00
Dr. Stephen Henson
3c07d3a3d3 Finish gcc 4.2 changes. 2007-06-07 13:14:42 +00:00
Andy Polyakov
3005764c18 Typo in x509_txt.c.
Submitted by: Martin.Kraemer@Fujitsu-Siemens.com
2007-05-19 18:03:21 +00:00
Dr. Stephen Henson
5d5ca32fa1 Updates from 0.9.8-stable branch. 2007-02-18 18:21:57 +00:00
Richard Levitte
82bf227e91 After objects have been freed, NULLify the pointers so there will be no double
free of those objects
2007-02-07 01:42:46 +00:00
Dr. Stephen Henson
560b79cbff Constify version strings and some structures. 2007-01-21 13:07:17 +00:00
Nils Larsch
91b73acb19 use const ASN1_TIME * 2006-12-11 22:35:51 +00:00
Dr. Stephen Henson
10ca15f3fa Fix change to OPENSSL_NO_RFC3779 2006-12-06 13:36:48 +00:00
Nils Larsch
fa9ac569b8 avoid duplicate entries in add_cert_dir()
PR: 1407
Submitted by: Tomas Mraz <tmraz@redhat.com>
2006-12-05 21:21:37 +00:00
Nils Larsch
0f997d0dc3 allocate a new attributes entry in X509_REQ_add_extensions()
if it's NULL (in case of a malformed pkcs10 request)

PR: 1347
Submitted by: Remo Inverardi <invi@your.toilet.ch>
2006-12-04 19:11:57 +00:00
Ben Laurie
96ea4ae91c Add RFC 3779 support. 2006-11-27 14:18:05 +00:00
Dr. Stephen Henson
47a9d527ab Update from 0.9.8 stable. Eliminate duplicate error codes. 2006-11-21 21:29:44 +00:00
Dr. Stephen Henson
14975faa60 Remove illegal IMPLEMENT macros from header file. 2006-11-16 00:55:33 +00:00
Nils Larsch
1611b9ed80 remove SSLEAY_MACROS code 2006-11-06 19:53:39 +00:00
Dr. Stephen Henson
f4c630abb3 Place standard CRL behaviour in default X509_CRL_METHOD new functions to
create, free and set default CRL method.
2006-10-03 02:47:59 +00:00
Dr. Stephen Henson
019bfef899 Initialize new callbacks and make sure hent is always initialized. 2006-09-26 13:25:19 +00:00
Richard Levitte
0709249f4c Complete the change for VMS. 2006-09-25 08:35:35 +00:00
Dr. Stephen Henson
010fa0b331 Tidy up CRL handling by checking for critical extensions when it is
loaded. Add new function X509_CRL_get0_by_serial() to lookup a revoked
entry to avoid the need to access the structure directly.

Add new X509_CRL_METHOD to allow common CRL operations (verify, lookup) to be
redirected.
2006-09-21 12:42:15 +00:00
Dr. Stephen Henson
5d20c4fb35 Overhaul of by_dir code to handle dynamic loading of CRLs. 2006-09-17 17:16:28 +00:00
Dr. Stephen Henson
bc7535bc7f Support for AKID in CRLs and partial support for IDP. Overhaul of CRL
handling to support this.
2006-09-14 17:25:02 +00:00
Dr. Stephen Henson
016bc5ceb3 Fixes for new CRL/cert callbacks. Update CRL processing code to use new
callbacks.
2006-09-11 13:00:52 +00:00
Dr. Stephen Henson
4d50a2b4d6 Add verify callback functions to lookup a STACK of matching certs or CRLs
based on subject name.

New thread safe functions to retrieve matching STACK from X509_STORE.

Cache some IDP components.
2006-09-10 12:38:37 +00:00
Dr. Stephen Henson
f6e7d01450 Support for multiple CRLs with same issuer name in X509_STORE. Modify
verify logic to try to use an unexpired CRL if possible.
2006-07-25 17:39:38 +00:00
Dr. Stephen Henson
edc540211c Cache some CRL related extensions. 2006-07-24 12:39:22 +00:00
Dr. Stephen Henson
786aa98da1 Use correct pointer types for various functions. 2006-07-20 16:56:47 +00:00
Dr. Stephen Henson
450ea83495 Store canonical encodings of Name structures. Update X509_NAME_cmp() to use
them.
2006-07-18 12:36:19 +00:00
Dr. Stephen Henson
ae519a247f Extended PBES2 function supporting application supplied IV and PRF NID. 2006-05-17 12:47:17 +00:00
Dr. Stephen Henson
e881f6175a Update from stable branch. 2006-05-03 13:19:06 +00:00
Dr. Stephen Henson
b46343583c Update EVP_PKEY_cmp() and X509_check_private() to return sensible values and
handle unsupported key types.
2006-04-28 12:27:37 +00:00
Dr. Stephen Henson
448be74335 Initial support for pluggable public key ASN1 support. Process most public
key ASN1 handling through a single EVP_PKEY_ASN1_METHOD structure and move
the spaghetti algorithm specific code to a single ASN1 module for each
algorithm.
2006-03-20 12:22:24 +00:00
Nils Larsch
036bbcc53f no need to cast away the const 2006-03-04 13:55:55 +00:00
Ulf Möller
c7235be6e3 RFC 3161 compliant time stamp request creation, response generation
and response verification.

Submitted by: Zoltan Glozik <zglozik@opentsa.org>
Reviewed by: Ulf Moeller
2006-02-12 23:11:56 +00:00
Dr. Stephen Henson
15ac971681 Update filenames in makefiles. 2006-02-04 01:45:59 +00:00
Nils Larsch
8c5a2bd6bb add additional checks + cleanup
Submitted by: David Hartman <david_hartman@symantec.com>
2006-01-29 23:12:22 +00:00
Andy Polyakov
be7b4458f2 Keep disclaiming 16-bit platform support. For now remove WIN16 references
from .h files...
2005-12-18 19:11:37 +00:00
Andy Polyakov
49e3c9d8e6 Mask libcrypto references to stat with OPENSSL_NO_POSIX_IO. 2005-11-03 16:22:40 +00:00
Dr. Stephen Henson
f022c177db Two new verify flags functions. 2005-09-02 22:49:54 +00:00
Nils Larsch
c755c5fd8b improved error checking and some fixes
PR: 1170
Submitted by: Yair Elharrar
Reviewed and edited by: Nils Larsch
2005-07-26 21:10:34 +00:00
Nils Larsch
3eeaab4bed make
./configure no-deprecated [no-dsa] [no-dh] [no-ec] [no-rsa]
    	make depend all test
work again

PR: 1159
2005-07-16 12:37:36 +00:00
Andy Polyakov
109080ae48 Fix bugs in bug-fix to x509/by_dir.c.
PR: 1131
2005-07-03 13:10:45 +00:00
Richard Levitte
816f74d1c7 Initialise dir to avoid a compiler warning. 2005-06-23 21:49:21 +00:00
Richard Levitte
0e441bc2be Change dir_ctrl to check for the environment variable before using the default
directory instead of the other way around.

PR: 1131
2005-06-23 21:14:15 +00:00
Richard Levitte
0b0a60d861 Old typo...
PR: 1097
2005-06-05 21:54:48 +00:00
Dr. Stephen Henson
3f791ca818 Assing check_{cert,crl}_time to 'ok' variable so it returns errors on
expiry.
2005-05-27 13:19:25 +00:00
Andy Polyakov
ce92b6eb9c Further BUILDENV refinement, further fool-proofing of Makefiles and
[most importantly] put back dependencies accidentaly eliminated in
check-in #13342.
2005-05-16 16:55:47 +00:00
Andy Polyakov
81a86fcf17 Fool-proofing Makefiles 2005-05-15 22:23:26 +00:00
Dr. Stephen Henson
b6995add5c Make -CSP option work again in pkcs12 utility by checking for
attribute in EVP_PKEY structure.
2005-05-15 00:54:45 +00:00
Bodo Möller
8afca8d9c6 Fix more error codes.
(Also improve util/ck_errf.pl script, and occasionally
fix source code formatting.)
2005-05-11 03:45:39 +00:00
Dr. Stephen Henson
2c45bf2bc9 Rename typed version of M_ASN1_get M_ASN1_get_x to avoid conflicts.
Remove more bogus shadow warnings.
2005-04-20 21:48:06 +00:00
Dr. Stephen Henson
f68854b4c3 Various Win32 and other fixes for warnings and compilation errors.
Fix Win32 build system to use 'Makefile' instead of 'Makefile.ssl'.
2005-04-19 00:12:36 +00:00
Dr. Stephen Henson
29dc350813 Rebuild error codes. 2005-04-12 16:15:22 +00:00
Richard Levitte
4bb61becbb Add emacs cache files to .cvsignore. 2005-04-11 14:17:07 +00:00
Dr. Stephen Henson
b392e52050 Move allow_proxy_certs declaration to start of function. 2005-04-10 23:41:09 +00:00
Richard Levitte
d9bfe4f97c Added restrictions on the use of proxy certificates, as they may pose
a security threat on unexpecting applications.  Document and test.
2005-04-09 16:07:12 +00:00
Ben Laurie
8bb826ee53 Consistency. 2005-03-31 13:57:54 +00:00
Ben Laurie
41a15c4f0f Give everything prototypes (well, everything that's actually used). 2005-03-31 09:26:39 +00:00
Ben Laurie
42ba5d2329 Blow away Makefile.ssl. 2005-03-30 13:05:57 +00:00
Ben Laurie
0821bcd4de Constification. 2005-03-30 10:26:02 +00:00
Richard Levitte
a7201e9a1b Changes concering RFC 3820 (proxy certificates) integration:
- Enforce that there should be no policy settings when the language
   is one of id-ppl-independent or id-ppl-inheritAll.
 - Add functionality to ssltest.c so that it can process proxy rights
   and check that they are set correctly.  Rights consist of ASCII
   letters, and the condition is a boolean expression that includes
   letters, parenthesis, &, | and ^.
 - Change the proxy certificate configurations so they get proxy
   rights that are understood by ssltest.c.
 - Add a script that tests proxy certificates with SSL operations.

Other changes:

 - Change the copyright end year in mkerr.pl.
 - make update.
2005-01-17 17:06:58 +00:00
Richard Levitte
6951c23afd Add functionality needed to process proxy certificates. 2004-12-28 00:21:35 +00:00
Dr. Stephen Henson
c162b132eb Automatically mark the CRL cached encoding as invalid when some operations
are performed.
2004-12-09 13:35:06 +00:00
Dr. Stephen Henson
a0e7c8eede Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.

PR:620
2004-12-05 01:03:15 +00:00
Dr. Stephen Henson
3e66ee9f01 In by_file.c check last error for no start line, not first error. 2004-12-04 21:25:51 +00:00
Dr. Stephen Henson
1862dae862 Perform partial comparison of different character types in X509_NAME_cmp(). 2004-12-01 01:45:30 +00:00
Richard Levitte
30b415b076 Make an explicit check during certificate validation to see that the
CA setting in each certificate on the chain is correct.  As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
  chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
  given)
2004-11-29 11:28:08 +00:00
Richard Levitte
a2ac429da2 Don't use $(EXHEADER) directly in for loops, as most shells will break
if $(EXHEADER) is empty.

Notified by many, solution suggested by Carson Gaspar <carson@taltos.org>
2004-11-02 23:55:01 +00:00
Dr. Stephen Henson
2f605e8d24 Fix race condition when CRL checking is enabled. 2004-10-04 16:30:12 +00:00
Dr. Stephen Henson
175ac6811a Don't use C++ reserved work "explicit". 2004-10-01 11:21:53 +00:00
Geoff Thorpe
6ef2ff62fc Make -Werror happy again. 2004-09-18 01:32:32 +00:00
Dr. Stephen Henson
58606421ae When looking for request extensions in a certificate look first
for the PKCS#9 OID then the non standard MS OID.
2004-09-10 20:20:54 +00:00
Richard Levitte
d813ff2ac1 make update 2004-09-10 10:30:33 +00:00
Dr. Stephen Henson
5d7c222db8 New X509_VERIFY_PARAM structure and associated functionality.
This tidies up verify parameters and adds support for integrated policy
checking.

Add support for policy related command line options. Currently only in smime
application.

WARNING: experimental code subject to change.
2004-09-06 18:43:01 +00:00
Dr. Stephen Henson
eda52e175a Delete obsolete and unimplemented function. 2004-05-19 17:05:02 +00:00
Richard Levitte
c4fc8b5bf4 X509_policy_lib_init is declared but not defined, so it raises havoc
when trying to build a shared library on VMS or Windows...
2004-05-19 14:19:51 +00:00
Geoff Thorpe
9c52d2cc75 After the latest round of header-hacking, regenerate the dependencies in
the Makefiles. NB: this commit is probably going to generate a huge posting
and it is highly uninteresting to read.
2004-05-17 19:26:06 +00:00
Geoff Thorpe
c57bc2dc51 make update 2004-04-19 18:33:41 +00:00
Geoff Thorpe
60a938c6bc (oops) Apologies all, that last header-cleanup commit was from the wrong
tree. This further reduces header interdependencies, and makes some
associated cleanups.
2004-04-19 18:09:28 +00:00
Dr. Stephen Henson
b6a5fdb8a7 Don't use C++ reserved word. 2004-04-01 22:23:46 +00:00
Dr. Stephen Henson
e1a27eb34a Allow CRLs to be passed into X509_STORE_CTX. This is useful when the
verified structure can contain its own CRLs (such as PKCS#7 signedData).

Tidy up some of the verify code.
2004-03-27 22:49:28 +00:00
Dr. Stephen Henson
b79c82eaab Fix loads of warnings in policy code.
I'll remember to try to compile this with warnings enabled next time :-)
2004-03-25 13:45:58 +00:00
Dr. Stephen Henson
4acc3e907d Initial support for certificate policy checking and evaluation.
This is currently *very* experimental and needs to be more fully integrated
with the main verification code.
2004-03-23 14:14:35 +00:00
Richard Levitte
875a644a90 Constify d2i, s2i, c2i and r2i functions and other associated
functions and macros.

This change has associated tags: LEVITTE_before_const and
LEVITTE_after_const.  Those will be removed when this change has been
properly reviewed.
2004-03-15 23:15:26 +00:00
Dr. Stephen Henson
bc50157010 Various X509 fixes. Disable broken certificate workarounds
when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.
2004-03-05 17:16:35 +00:00
Richard Levitte
9d5c3c1939 Typo... 2004-01-22 22:36:46 +00:00
Richard Levitte
af6dab9b00 Adding a slash between the directoryt and the file is a problem with
VMS.  The C RTL can handle it well if the "directory" is a logical
name with no colon, therefore ending being 'logname/file'.  However,
if the given logical names actually has a colon, or if you use a full
VMS-syntax directory, you end up with 'logname:/file' or
'dev:[dir1.dir2]/file', and that isn't handled in any good way.

So, on VMS, we need to check if the directory string ends with a
separator (one of ':', ']' or '>' (< and > can be used instead [ and
])), and handle that by not inserting anything between the directory
spec and the file name.  In all other cases, it's assumed the
directory spec is a logical name, so we need to place a colon between
it and the file.

Notified by Kevin Greaney <kevin.greaney@hp.com>.
2004-01-10 18:04:38 +00:00
Richard Levitte
79b42e7654 Use sh explicitely to run point.sh
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:59:07 +00:00
Richard Levitte
d420ac2c7d Use BUF_strlcpy() instead of strcpy().
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:40:17 +00:00
Richard Levitte
b727907ae8 1024 is the export key bits limit according to current regulations, not 512.
PR: 771
Submitted by: c zhang <czhang2005@hotmail.com>
2003-11-28 22:39:19 +00:00
Geoff Thorpe
2754597013 A general spring-cleaning (in autumn) to fix up signed/unsigned warnings.
I have tried to convert 'len' type variable declarations to unsigned as a
means to address these warnings when appropriate, but when in doubt I have
used casts in the comparisons instead. The better solution (that would get
us all lynched by API users) would be to go through and convert all the
function prototypes and structure definitions to use unsigned variables
except when signed is necessary. The proliferation of (signed) "int" for
strictly non-negative uses is unfortunate.
2003-10-29 20:24:15 +00:00
Geoff Thorpe
8ad7e3ad2a Remove duplicate prototypes have already been (correctly) added to rsa.h,
as this is already included by x509.h anyway.
2003-10-24 16:17:11 +00:00
Dr. Stephen Henson
2990244980 ASN1 parse fix and release file changes. 2003-09-30 16:47:33 +00:00
Dr. Stephen Henson
f96d1af449 Avoid clashes with Win32 names in WinCrypt.h 2003-07-23 00:10:43 +00:00
Richard Levitte
f6b9cd7f82 We set the export flag for 512 *bit* keys, not 512 *byte* ones.
PR: 587
2003-06-19 18:55:50 +00:00
Richard Levitte
33862b90bb Add an entry for X509_TRUST_OBJECT_SIGN in trstandard[].
PR: 617
2003-06-11 21:22:30 +00:00
Dr. Stephen Henson
50078051bd Really get X509_CRL_CHECK_ALL right this time... 2003-06-04 00:40:05 +00:00
Bodo Möller
eec7968f18 fix typo
Submitted by: Nils Larsch
2003-04-22 08:29:21 +00:00
Richard Levitte
e6526fbf4d Add functionality to help making self-signed certificate. 2003-04-03 22:27:24 +00:00
Richard Levitte
d5ef144222 Make sure we get the definition of a number of OPENSSL_NO_* macros. 2003-03-20 23:27:17 +00:00
Dr. Stephen Henson
9ed1fa4813 Fix Certificate and CRL adding in X509_load_cert_crl_file:
an X509_INFO structure can contain more than one object,
for example a certififcate and a CRL.
2003-03-19 13:55:48 +00:00
Richard Levitte
5e42f9ab46 make update 2002-12-29 01:38:15 +00:00
Richard Levitte
c17810b087 A memset() too many got converted into a OPENSSL_cleanse().
PR: 393
2002-12-10 08:26:05 +00:00
Richard Levitte
4ba8cabf62 SSL_CERT_FILE should be used in place of the system default file, not as
a first alternative to try
2002-12-05 21:07:26 +00:00
Richard Levitte
4387f47832 Make sure using SSL_CERT_FILE actually works, and has priority over system defaults.
PR: 376
2002-12-05 01:20:47 +00:00
Dr. Stephen Henson
e7b6228fd3 Typo in X509v3_get_ext_by_critical 2002-12-04 00:16:00 +00:00
Richard Levitte
4579924b7e Cleanse memory using the new OPENSSL_cleanse() function.
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:04:36 +00:00
Richard Levitte
711f1a3c26 Add the ASN.1 structures and functions for CertificatePair, which is
defined as follows (according to X.509_4thEditionDraftV6.pdf):

CertificatePair ::= SEQUENCE {
	forward		[0]	Certificate OPTIONAL,
	reverse		[1]	Certificate OPTIONAL,
	-- at least one of the pair shall be present -- }

The only thing I'm not sure about is if it's implicit or explicit tags
that I should count on.  For now, I'm thinking explicit, but will
gladly stand corrected.

Also implement the PEM functions to read and write certificate pairs,
and defined the PEM tag as "CERTIFICATE PAIR".

This needed to be defined, mostly for the sake of the LDAP attribute
crossCertificatePair, but may prove useful elsewhere as well.
2002-11-18 23:54:27 +00:00
Richard Levitte
527497a722 A variable of type time_t is supposed to be a time measurement starting at
Epoch.  offset isn't such a measurement, so let's stop pretend it is.
2002-11-18 13:04:08 +00:00
Ben Laurie
54a656ef08 Security fixes brought forward from 0.9.7. 2002-11-13 15:43:43 +00:00
Dr. Stephen Henson
c99935e32c Add header ctype.h 2002-11-13 00:42:11 +00:00
Richard Levitte
c81a15099a X509_NAME_cmp() now compares PrintableString and emailAddress with a value of type
ia5String correctly.
PR: 244
2002-11-09 21:52:20 +00:00
Richard Levitte
677532629d makedepend complains when a header file is included more than once in
the same source file.
2002-10-14 10:02:36 +00:00
Richard Levitte
001ab3abad Use double dashes so makedepend doesn't misunderstand the flags we
give it.
For 0.9.7 and up, that means util/domd needs to remove those double
dashes from the argument list when gcc is used to find the
dependencies.
2002-10-09 13:25:12 +00:00
Dr. Stephen Henson
9a48b07ee4 Various enhancements to PKCS#12 code, new
medium level API, improved PKCS12_create
and additional functionality in pkcs12
utility.
2002-10-03 23:53:52 +00:00
Dr. Stephen Henson
fc85ac20c7 Make -nameopt work in req and add support for -reqopt 2002-08-22 23:43:48 +00:00
Bodo Möller
5488bb6197 get rid of EVP_PKEY_ECDSA (now we have EVP_PKEY_EC instead)
Submitted by: Nils Larsch
2002-08-12 08:47:41 +00:00
Bodo Möller
74cc4903ef make update 2002-08-09 12:16:15 +00:00
Bodo Möller
e172d60ddb Add ECDH support.
Additional changes:
 - use EC_GROUP_get_degree() in apps/req.c
 - add ECDSA and ECDH to apps/speed.c
 - adds support for EC curves over binary fields to ECDSA
 - new function EC_KEY_up_ref() in crypto/ec/ec_key.c
 - reorganize crypto/ecdsa/ecdsatest.c
 - add engine support for ECDH
 - fix a few bugs in ECDSA engine support

Submitted by: Douglas Stebila <douglas.stebila@sun.com>
2002-08-09 08:43:04 +00:00
Bodo Möller
14a7cfb32a use a generic EC_KEY structure (EC keys are not ECDSA specific)
Submitted by: Nils Larsch
2002-08-07 10:49:54 +00:00
Lutz Jänicke
3aecef7697 "make update" 2002-07-30 12:44:33 +00:00
Bodo Möller
5dbd3efce7 Replace 'ecdsaparam' commandline utility by 'ecparam'
(the same keys can be used for ECC schemes other than ECDSA)
and add some new options.

Similarly, use string "EC PARAMETERS" instead of "ECDSA PARAMETERS"
in 'PEM' format.

Fix ec_asn1.c (take into account the desired conversion form).

'make update'.

Submitted by: Nils Larsch
2002-07-14 16:54:31 +00:00
Richard Levitte
17085b022c Pass CFLAG to dependency makers, so non-standard system include paths are
handled properly.
Part of PR 75
2002-06-27 16:39:25 +00:00
Richard Levitte
26414ee013 Increase internal security when using strncpy, by making sure the resulting string is NUL-terminated 2002-02-28 12:42:19 +00:00
Dr. Stephen Henson
a3829cb720 Updates from stable branch. 2002-02-23 13:50:29 +00:00
Bodo Möller
4d94ae00d5 ECDSA support
Submitted by: Nils Larsch <nla@trustcenter.de>
2002-02-13 18:21:51 +00:00
Bodo Möller
4d7072f4b5 remove redundant ERR_load_... declarations 2001-12-17 19:22:23 +00:00
Dr. Stephen Henson
f1558bb424 Reject certificates with unhandled critical extensions. 2001-10-21 02:09:15 +00:00
Dr. Stephen Henson
98e6654938 Typo. 2001-10-20 16:22:28 +00:00
Dr. Stephen Henson
20d2186c87 Retain compatibility of EVP_DigestInit() and EVP_DigestFinal()
with existing code.

Modify library to use digest *_ex() functions.
2001-10-16 01:24:29 +00:00
Lutz Jänicke
e1c279b63d Small documentation fixes (Howard Lum <howard@pumpkin.canada.sun.com>) 2001-10-08 08:37:24 +00:00
Richard Levitte
f8000b9345 'make update' 2001-10-04 07:49:09 +00:00
Richard Levitte
2aa9043ad3 Because there's chances we clash with the system's types.h, rename our
types.h to ossl_typ.h.
2001-10-04 07:32:46 +00:00
Geoff Thorpe
79aa04ef27 Make the necessary changes to work with the recent "ex_data" overhaul.
See the commit log message for that for more information.

NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented
(initialisation by "memset" won't/can't/doesn't work). This fixes that but
requires that X509_STORE_CTX_init() be able to handle errors - so its
prototype has been changed to return 'int' rather than 'void'. All uses of
that function throughout the source code have been tracked down and
adjusted.
2001-09-01 20:02:13 +00:00
Ben Laurie
354c3ace73 Add first cut symmetric crypto support. 2001-08-18 10:22:54 +00:00
Dr. Stephen Henson
35bf35411c Add CRL utility functions to allow CRLs to be
built up without accessing structures directly.

Update ca.c to use new functions.

Fix ca.c so it now build CRLs correctly again.
2001-08-17 00:33:43 +00:00
Geoff Thorpe
b7727ee616 The indexes returned by ***_get_ex_new_index() functions are used when
setting stack (actually, array) values in ex_data. So only increment the
global counters if the underlying CRYPTO_get_ex_new_index() call succeeds.
This change doesn't make "ex_data" right (see the comment at the head of
ex_data.c to know why), but at least makes the source code marginally less
frustrating.
2001-08-12 16:52:00 +00:00
Bodo Möller
e51d1321fc More typedef'd struct names as search targets 2001-08-06 11:57:08 +00:00
Bodo Möller
b9fdb3eb99 Reinsert typedef'ed names for structs to help those trying to read the
sourcecode (including fgrep)
2001-08-06 11:49:31 +00:00
Ben Laurie
d66ace9da5 Start to reduce some of the header bloat. 2001-08-05 18:02:16 +00:00
Richard Levitte
710e5d5639 make update 2001-07-31 17:07:24 +00:00
Ben Laurie
dbad169019 Really add the EVP and all of the DES changes. 2001-07-30 23:57:25 +00:00
Lutz Jänicke
db089ad60d Don't miss files... 2001-07-30 11:50:37 +00:00
Lutz Jänicke
1f0c9ad7e1 Fix inconsistent behaviour with respect to verify_callback handling. 2001-07-30 11:45:34 +00:00
Dr. Stephen Henson
1241126adf More linker bloat reorganisation:
Split private key PEM and normal PEM handling. Private key
handling needs to link in stuff like PKCS#8.

Relocate the ASN1 *_dup() functions, to the relevant ASN1
modules using new macro IMPLEMENT_ASN1_DUP_FUNCTION. Previously
these were all in crypto/x509/x_all.c along with every ASN1
BIO/fp function which linked in *every* ASN1 function if
a single dup was used.

Move the authority key id ASN1 structure to a separate file.
This is used in the X509 routines and its previous location
linked in all the v3 extension code.

Also move ASN1_tag2bit to avoid linking in a_bytes.c which
is now largely obsolete.

So far under Linux stripped binary with single PEM_read_X509
is now 238K compared to 380K before these changes.
2001-07-27 02:22:42 +00:00
Dr. Stephen Henson
1e325f6149 Handle empty X509_NAME in printing routines. 2001-06-26 12:04:35 +00:00
Dr. Stephen Henson
323f289c48 Change all calls to low level digest routines in the library and
applications to use EVP. Add missing calls to HMAC_cleanup() and
don't assume HMAC_CTX can be copied using memcpy().

Note: this is almost identical to the patch submitted to openssl-dev
by Verdon Walker <VWalker@novell.com> except some redundant
EVP_add_digest_()/EVP_cleanup() calls were removed and some changes
made to avoid compiler warnings.
2001-06-19 22:30:40 +00:00
Dr. Stephen Henson
f2a253e0dd Add support for MS CSP Name PKCS#12 attribute. 2001-06-11 00:43:20 +00:00
Dr. Stephen Henson
76c919c1a3 Add missing variable length cipher flag for Blowfish.
Only use trust settings if either trust or reject settings
are present, otherwise use compatibility mode. This stops
root CAs being rejected if they have alias of keyid set.
2001-05-24 22:58:35 +00:00
Dr. Stephen Henson
4831e626aa Change Win32 to use EXPORT_VAR_AS_FN.
Fix OPENSSL_IMPLEMENT_GLOBAL.

Allow Win32 to use EXPORT_VAR_AS_FN in mkdef.pl

make update.
2001-05-12 23:57:41 +00:00
Dr. Stephen Henson
926a56bfe3 Purpose and trust setting functions for X509_STORE.
Tidy existing code.
2001-05-10 00:13:59 +00:00
Dr. Stephen Henson
bdee69f718 Allow various X509_STORE_CTX properties to be
inherited from X509_STORE.

Add CRL checking options to other applications.
2001-05-09 00:30:39 +00:00
Dr. Stephen Henson
b545dc6775 Initial CRL based revocation checking. 2001-05-07 22:52:50 +00:00
Dr. Stephen Henson
535d79da63 Overhaul the display of certificate details in
the 'ca' utility. This can now be extensively
customised in the configuration file and handles
multibyte strings and extensions properly.

This is required when extensions copying from
certificate requests is supported: the user
must be able to view the extensions before
allowing a certificate to be issued.
2001-03-15 19:13:40 +00:00
Bodo Möller
4e20b1a656 Instead of telling both 'make' and the user that ranlib
errors can be tolerated, hide the error from 'make'.
This gives shorter output both if ranlib fails and if
it works.
2001-03-09 14:01:42 +00:00
Dr. Stephen Henson
fafc7f9875 Enhance OCSP_request_verify() so it finds the signers certificate
properly and supports several flags.
2001-02-26 14:17:58 +00:00
Richard Levitte
d88a26c489 make update
Note that all *_it variables are suddenly non-existant according to
libeay.num.  This is a bug that will be corrected.  Please be patient.
2001-02-26 10:54:08 +00:00
Dr. Stephen Henson
bb5ea36b96 Initial support for ASN1_ITEM_FUNCTION option to
change the way ASN1 modules are exported.

Still needs a bit of work for example the hack which a
dummy function prototype to avoid compilers warning about
multiple ;s.
2001-02-23 03:16:09 +00:00
Richard Levitte
41d2a336ee e_os.h does not belong with the exported headers. Do not put it there
and make all files the depend on it include it without prefixing it
with openssl/.

This means that all Makefiles will have $(TOP) as one of the include
directories.
2001-02-22 14:45:02 +00:00
Richard Levitte
cf1b7d9664 Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
2001-02-19 16:06:34 +00:00
Dr. Stephen Henson
94fcd01349 Work around for libsafe "error". 2001-02-12 03:22:49 +00:00
Ben Laurie
4978361212 Make depend. 2001-02-04 21:06:55 +00:00
Dr. Stephen Henson
88ce56f8c1 Various function for commmon operations. 2001-02-02 00:45:54 +00:00
Bodo Möller
78f3a2aad7 Comment and indentation 2001-01-28 14:38:11 +00:00
Dr. Stephen Henson
ba8e28248f Fix to stop X509_time_adj() using GeneralizedTime. 2001-01-20 13:38:45 +00:00
Dr. Stephen Henson
81f169e95c Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".
2001-01-17 01:31:34 +00:00
Dr. Stephen Henson
4e1209ebf8 ASN1_ITEM versions of ASN1_d2i_{fp, bio} and replacement of
most of the old wrappers. A few of the old versions remain
because they are non standard and the corresponding ASN1
code has not been reimplemented yet.
2000-12-30 02:40:26 +00:00
Dr. Stephen Henson
78d3b819f0 Replace the old ASN1_dup() with ASN1_item_dup() and
zap some evil function pointers casts along the way...
2000-12-29 18:23:55 +00:00
Dr. Stephen Henson
73e92de577 Add NO_ASN1_OLD to remove some old style functions:
currently OpenSSL itself wont compile with this set
because some old style stuff remains.

Change old functions X509_sign(), X509_verify() etc
to use new item based functions.

Replace OCSP function declarations with DECLARE macros.
2000-12-28 22:24:50 +00:00
Dr. Stephen Henson
09ab755c55 ASN1_ITEM versions of sign, verify, pack and unpack.
The old function pointer versions will eventually go
away.
2000-12-28 19:18:48 +00:00
Dr. Stephen Henson
28ddfc61dc X509V3_add_i2d() needs to be able to allocate a
STACK_OF(X509_EXTENSION) so it should be passed
STACK_OF(X509_EXTENSION) ** in the first argument.

Modify wrappers appropriately.
2000-12-27 13:42:43 +00:00
Dr. Stephen Henson
57d2f21782 New function X509V3_add_i2d() this is used for
encoding, replacing and deleting extensions.

Fix X509V3_get_d2i() so it uses takes note of
new critical behaviour.
2000-12-24 18:02:33 +00:00
Bodo Möller
3ac82faae5 Locking issues. 2000-12-15 16:40:35 +00:00
Dr. Stephen Henson
de487514ae New function X509_signature_print() to remove some duplicate
code from certificate, CRL and request printing routines.
2000-12-14 00:53:10 +00:00
Dr. Stephen Henson
9d6b1ce644 Merge from the ASN1 branch of new ASN1 code
to main trunk.

Lets see if the makes it to openssl-cvs :-)
2000-12-08 19:09:35 +00:00
Ulf Möller
6a8ba34f9d in some new file names the first 8 characters were not unique 2000-11-12 22:32:18 +00:00
Richard Levitte
eb64730b9c The majority of the OCSP code from CertCo. 2000-10-27 11:05:35 +00:00
Dr. Stephen Henson
71d525c9f6 Fix for typo in certificate directory lookup code. 2000-10-14 23:51:52 +00:00
Richard Levitte
3ab5651112 The experimental Rijndael code moved to the main trunk.
make update done.
2000-10-14 20:09:54 +00:00
Dr. Stephen Henson
d0c9858914 Global DirectoryString mask fix.
Add support for X509_NAME_print_ex() in req.

Initial code for cutomizable X509 print routines.
2000-10-04 01:16:32 +00:00
Richard Levitte
4e20a4e688 'ranlib' doesn't always run on some systems. That's actually
acceptable, since all that happens if it fails is a library with
an index, which makes linking slower, but still working correctly.
2000-09-25 08:53:15 +00:00
Dr. Stephen Henson
dbba890cf1 Only use the new informational verify codes if we
specifically ask for them.

Fix typo in docs.
2000-09-22 21:32:08 +00:00
Dr. Stephen Henson
84b65340e1 Two new PKCS#12 demo programs.
Update PKCS12_parse().

Make the keyid in certificate aux info more usable.
2000-09-07 23:14:26 +00:00
Richard Levitte
62ab514e98 'make update' 2000-09-07 08:46:51 +00:00
Richard Levitte
9fc2570677 It's not just VMS that needs some symbols to be hacked. Let's
centralise those hacks in crypto/symhacks.h and use it everywhere it's
needed.
2000-09-07 08:18:05 +00:00
Bodo Möller
15387be289 Another superfluous pair of parentheses. 2000-09-06 14:34:32 +00:00
Bodo Möller
f684090cbe Another round of indentation changes: Position braces consistently,
add some whitespace for 'if ()', 'for ()', 'while ()' to distinguish
keywords from function names, and finally remove parens around return
values (why be stingy with whitespace but fill the source code
with an abundance of parentheses that are not needed to structure
expressions for readability?).
2000-09-06 14:14:20 +00:00
Bodo Möller
b7c190d97b More indentation consistency: for (), while (), if (), return ()
usually get a space between keyword and opening paranthesis
so that they don't look like function calls, where no space is
used.
2000-09-06 13:31:44 +00:00
Bodo Möller
82aec1cc35 Fix X509_STORE_CTX_init. Make indentation more consistent. Dump core less often. 2000-09-06 13:24:10 +00:00
Dr. Stephen Henson
bbb720034a Fix typo in rsautl.
Add support for settable verify time in X509_verify_cert().

Document rsautl utility.
2000-09-05 22:30:38 +00:00
Dr. Stephen Henson
2f043896d1 *BIG* verify code reorganisation.
The old code was painfully primitive and couldn't handle
distinct certificates using the same subject name.

The new code performs several tests on a candidate issuer
certificate based on certificate extensions.

It also adds several callbacks to X509_VERIFY_CTX so its
behaviour can be customised.

Unfortunately some hackery was needed to persuade X509_STORE
to tolerate this. This should go away when X509_STORE is
replaced, sometime...

This must have broken something though :-(
2000-09-05 17:53:58 +00:00
Dr. Stephen Henson
34216c0422 Keep a not of original encoding in certificate requests.
Add new option to PKCS7_sign to exclude S/MIME capabilities.
2000-09-05 13:27:57 +00:00
Bodo Möller
bbb8de0966 Avoid abort() throughout the library, except when preprocessor
symbols for debugging are defined.
2000-09-04 15:34:43 +00:00
Dr. Stephen Henson
bd08a2bd0c Add 'rsautl' low level RSA utility.
Add DER public key routines.

Add -passin argument to 'ca' utility.

Document sign and verify options to dgst.
2000-09-03 23:13:48 +00:00
Dr. Stephen Henson
eaa2818189 Various fixes...
initialize ex_pathlen to -1 so it isn't checked if pathlen
is not present.

set ucert to NULL in apps/pkcs12.c otherwise it gets freed
twice.

remove extraneous '\r' in MIME encoder.

Allow a NULL to be passed to X509_gmtime_adj()


Make PKCS#7 code use definite length encoding rather then
the indefinite stuff it used previously.
2000-08-21 22:02:23 +00:00
Richard Levitte
3009458e2f MD4 implemented. Assar Westerlund provided the digest code itself and the test utility, I added the bits to get a EVP interface, the command line utility and the speed test 2000-08-14 14:05:53 +00:00
Dr. Stephen Henson
bd4e152791 Document the new DN printing options.
Change a few names to be more meaningful.

Fix typos in CA.pl docs.
2000-07-30 01:27:59 +00:00
Dr. Stephen Henson
a657546f9c New ASN1_STRING_print_ex() and X509_NAME_print_ex()
functions. These are intended to be replacements
for the ancient ASN1_STRING_print() and X509_NAME_print()
functions.

The new functions support RFC2253 and various pretty
printing options. It is also possible to display
international characters if the terminal properly handles
UTF8 encoding (Linux seems to tolerate this if the
"unicode_start" script is run).

Still needs to be documented, integrated into other
utilities and extensively tested.
2000-07-28 01:58:15 +00:00
Dr. Stephen Henson
284ef5f357 Make NEG_PUBKEY_BUG on by default.
ASN1_TIME fixes.

New function c2i_ASN1_OBJECT().
2000-07-26 01:18:37 +00:00
Richard Levitte
c2bbf9cf6c I got sick and tired of having to keep track of NIDs when such a thing
could be done automagically, much like the numbering in libeay.num and
ssleay.num.  The solution works as follows:

  - New object identifiers are inserted in objects.txt, following the
    syntax given in objects.README.
  - objects.pl is used to process obj_mac.num and create a new
    obj_mac.h.
  - obj_dat.pl is used to create a new obj_dat.h, using the data in
    obj_mac.h.

This is currently kind of a hack, and the perl code in objects.pl
isn't very elegant, but it works as I intended.  The simplest way to
check that it worked correctly is to look in obj_dat.h and check the
array nid_objs and make sure the objects haven't moved around (this is
important!).  Additions are OK, as well as consistent name changes.
2000-07-05 02:45:36 +00:00
Dr. Stephen Henson
7ef8206859 Handle ASN1_SET_OF and PKCS12_STACK_OF using function
casts in the same way as STACK_OF.
2000-06-20 18:45:28 +00:00
Dr. Stephen Henson
3aceb94b9e Safe stack reorganisation in terms of function casts.
After some messing around this seems to work but needs
a few more tests. Working out the syntax for sk_set_cmp_func()
(cast it to a function that itself returns a function pointer)
was painful :-(

Needs some testing to see what other compilers think of this
syntax.

Also needs similar stuff for ASN1_SET_OF etc etc.
2000-06-16 23:29:26 +00:00
Geoff Thorpe
1c4f90a05d Enable DSO support on alpha (OSF1), cc and gcc.
Also, "make update" has added some missing functions to libeay.num,
updated the TABLE for the alpha changes, and updated thousands of
dependancies that have changed from recent commits.
2000-06-13 12:59:38 +00:00
Richard Levitte
ef33b97050 Using checks of the existence of HEADER_{foo}_H in other header files
was a really bad idea.  For example, the following:

	#include <x509.h>
	#include <bio.h>
	#include <asn1.h>

would make sure that things like ASN1_UTCTIME_print() wasn't defined
unless you moved the inclusion of bio.h to above the inclusion of
x509.h.  The reason is that x509.h includes asn1.h, and the
declaration of ASN1_UTCTIME_print() depended on the definition of
HEADER_BIO_H.  That's what I call an obscure bug.

Instead, this change makes sure that whatever header files are needed
for the correct process of one header file are included automagically,
and that the definitions of, for example, BIO-related things are
dependent on the absence of the NO_{foo} macros.  This is also
consistent with the way parts of OpenSSL can be excluded at will.
2000-06-09 10:41:35 +00:00
Richard Levitte
26a3a48d65 There have been a number of complaints from a number of sources that names
like Malloc, Realloc and especially Free conflict with already existing names
on some operating systems or other packages.  That is reason enough to change
the names of the OpenSSL memory allocation macros to something that has a
better chance of being unique, like prepending them with OPENSSL_.

This change includes all the name changes needed throughout all C files.
2000-06-01 22:19:21 +00:00
Geoff Thorpe
7edd20916a "make update" + stripping the type-specific stack functions out of
libeay.num and ssleay.num.
2000-06-01 06:07:19 +00:00
Geoff Thorpe
ccd86b68ef The previous commit to crypto/stack/*.[ch] pulled the type-safety strings
yet tighter, and also put some heat on the rest of the library by
insisting (correctly) that compare callbacks used in stacks are prototyped
with "const" parameters. This has led to a depth-first explosion of
compiler warnings in the code where 1 constification has led to 3 or 4
more. Fortunately these have all been resolved to completion and the code
seems cleaner as a result - in particular many of the _cmp() functions
should have been prototyped with "const"s, and now are. There was one
little problem however;

X509_cmp() should by rights compare "const X509 *" pointers, and it is now
declared as such. However, it's internal workings can involve
recalculating hash values and extensions if they have not already been
setup. Someone with a more intricate understanding of the flow control of
X509 might be able to tighten this up, but for now - this seemed the
obvious place to stop the "depth-first" constification of the code by
using an evil cast (they have migrated all the way here from safestack.h).

Fortunately, this is the only place in the code where this was required
to complete these type-safety changes, and it's reasonably clear and
commented, and seemed the least unacceptable of the options. Trying to
take the constification further ends up exploding out considerably, and
indeed leads directly into generalised ASN functions which are not likely
to cooperate well with this.
2000-06-01 02:36:58 +00:00
Dr. Stephen Henson
439df5087f Fix c_rehash script, add -fingerprint option to crl. 2000-05-18 00:33:00 +00:00
Ben Laurie
5de603abc8 Typesafety Thought Police part 3. 2000-05-16 21:22:45 +00:00
Richard Levitte
82271cee5b In Message-ID: <003201bfb332$14a07520$0801a8c0@janm.transactionsite.com>,
"Jan Mikkelsen" <janm@transactionsite.com> correctly states that the
OpenSSL header files have #include's and extern "C"'s in an incorrect
order.  Thusly fixed.
2000-05-02 12:16:01 +00:00
Richard Levitte
7a807ad8a7 "make update" 2000-04-09 12:52:40 +00:00
Dr. Stephen Henson
80870566cf Make V_ASN1_APP_CHOOSE work again. 2000-03-14 03:29:57 +00:00
Dr. Stephen Henson
068fdce877 New compatability trust and purpose settings. 2000-03-07 14:04:29 +00:00
Bodo Möller
59fc2b0fc2 Preserve reason strings in automatically build tables. 2000-03-05 00:19:36 +00:00
Dr. Stephen Henson
582e592924 Fix bug which would free up a public key
twice if the verify callback tried to
continue after a signature failure.
2000-03-02 00:37:53 +00:00
Bodo Möller
6d0d5431d4 More get0 et al. changes. Also provide fgrep targets in CHANGES
where the new functions are mentioned.
2000-02-26 08:36:46 +00:00
Dr. Stephen Henson
c7cb16a8ff Rename functions for new convention. 2000-02-26 01:55:33 +00:00
Dr. Stephen Henson
d754b3850f Change the 'other' structure in certificate aux info. 2000-02-20 18:27:23 +00:00
Bodo Möller
5c2ec54f12 Make sure the return value of by_file_ctrl(..., X509_L_FILE_LOAD, ...)
aka X509_LOOKUP_load_file(...) is always 0 or 1, not the counter
returned from the recently introduced function X509_load_cert_crl_file.
X509_STORE_load_locations expects X509_LOOKUP_load_file to return 1 on
success, and possibly there's other software that relies on this too.
2000-02-17 21:04:40 +00:00
Bodo Möller
cbcc5c01f9 Update. 2000-02-11 16:31:04 +00:00
Ben Laurie
b1f8affbd5 Correct time in seconds instead of minutes. 2000-02-11 16:08:40 +00:00
Dr. Stephen Henson
ff8a4c47ce Rename the X509V3_*_d2i functions to X509_get_ext_d2i() etc.
This better reflects their behaviour.
2000-02-07 01:17:22 +00:00
Dr. Stephen Henson
66430207a4 Add support for some broken PKCS#8 formats. 2000-02-05 21:07:56 +00:00
Ulf Möller
657e60fa00 ispell (and minor modifications) 2000-02-03 23:23:24 +00:00
Ulf Möller
51ca375e7e Seek out and destroy another evil cast. 2000-01-30 23:33:40 +00:00
Ulf Möller
9d1a01be8f Source code cleanups: Use void * rather than char * in lhash,
eliminate some of the -Wcast-qual warnings (debug-ben-strict target)
2000-01-30 22:20:28 +00:00
Dr. Stephen Henson
dd9d233e2a Tidy up CRYPTO_EX_DATA structures. 2000-01-23 23:41:49 +00:00
Ulf Möller
731d9c5fb5 Some more ifdefs for no-xxx options. 2000-01-21 00:03:51 +00:00
Dr. Stephen Henson
281959aa61 Oops... undo change to wrong prototype. 2000-01-20 02:27:36 +00:00
Dr. Stephen Henson
6e6bc352b1 Finish off the X509_ATTRIBUTE string stuff. 2000-01-20 01:37:17 +00:00
Dr. Stephen Henson
77b47b9036 Rename X509_att*() stuff to X509at_*(), add X509_REQ wrappers. 2000-01-19 01:02:13 +00:00
Bodo Möller
a8eeb155b5 Avoid some warnings, and run "make update". 2000-01-14 17:28:48 +00:00
Ulf Möller
eb952088f0 Precautions against using the PRNG uninitialized: RAND_bytes() now
returns int (1 = ok, 0 = not seeded). New function RAND_add() is the
same as RAND_seed() but takes an estimate of the entropy as an additional
argument.
2000-01-13 20:59:17 +00:00
Dr. Stephen Henson
25f923ddd1 New function X509_CTX_rget_chain(), make SSL_SESSION_print() display return code.
Remove references to 'TXT' in -inform and -outform switches.
2000-01-09 14:21:40 +00:00
Dr. Stephen Henson
35f4850ae0 More X509_ATTRIBUTE changes. 2000-01-07 00:55:54 +00:00
Dr. Stephen Henson
b38f9f66c3 Initial automation changes to 'req' and X509_ATTRIBUTE functions. 2000-01-06 01:26:48 +00:00
Dr. Stephen Henson
20432eae41 Fix some of the command line password stuff. New function
that can automatically determine the type of a DER encoded
"traditional" format private key and change some of the
d2i functions to use it instead of requiring the application
to work out the key type.
2000-01-01 16:42:49 +00:00
Dr. Stephen Henson
6447cce372 Simplify the trust structure: basically zap the bit strings and
represent everything by OIDs.
1999-12-29 00:40:28 +00:00
Dr. Stephen Henson
e6f3c5850e New {i2d,d2i}_PrivateKey_{bio, fp} functions. 1999-12-26 19:20:03 +00:00
Dr. Stephen Henson
36217a9424 Allow passwords to be included on command line for a few
more utilities.
1999-12-24 23:53:57 +00:00
Dr. Stephen Henson
12aefe78f0 Fixes so NO_RSA works again. 1999-12-24 17:26:33 +00:00
Dr. Stephen Henson
dd4134101f Change the trust and purpose code so it doesn't need init
either and has a static and dynamic mix.
1999-12-02 02:33:56 +00:00
Dr. Stephen Henson
bb7cd4e3eb Remainder of SSL purpose and trust code: trust and purpose setting in
SSL_CTX and SSL, functions to set them and defaults if no values set.
1999-11-29 22:35:00 +00:00
Dr. Stephen Henson
13938aceca Add part of chain verify SSL support code: not complete or doing anything
yet.

Add a function X509_STORE_CTX_purpose_inherit() which implements the logic
of "inheriting" purpose and trust from a parent structure and using a default:
this will be used in the SSL code and possibly future S/MIME.

Partial documentation of the 'verify' utility. Still need to document how all
the extension checking works and the various error messages.
1999-11-29 01:09:25 +00:00
Dr. Stephen Henson
51630a3706 Add trust setting support to the verify code. It now checks the
trust settings of the root CA.

After a few fixes it seems to work OK.

Still need to add support to SSL and S/MIME code though.
1999-11-27 19:43:10 +00:00
Dr. Stephen Henson
21f775522b Oops! Commit died on me :-( 1999-11-27 01:18:39 +00:00
Dr. Stephen Henson
9868232ae1 Initial trust code: allow setting of trust checking functions
in a table. Doesn't do too much yet.

Make the -<digestname> options in 'x509' affect all relevant
options.

Change the name of the 'notrust' options to 'reject' as this
causes less confusion and is a better description of the
effect.

A few constification changes.
1999-11-27 01:14:04 +00:00
Dr. Stephen Henson
d4cec6a13d New options to the -verify program which can be used for chain verification.
Extend the X509_PURPOSE structure to include shortnames for purposed and default
trust ids.

Still need some extendable trust checking code and integration with the SSL and
S/MIME code.
1999-11-26 00:27:07 +00:00
Dr. Stephen Henson
1126239111 Initial chain verify code: not tested probably not working
at present. However nothing enables it yet so this doesn't
matter :-)
1999-11-24 01:31:49 +00:00
Dr. Stephen Henson
52664f5081 Transparent support for PKCS#8 private keys in RSA/DSA.
New universal public key format.

Fix CRL+cert load problem in by_file.c

Make verify report errors when loading files or dirs
1999-11-21 22:28:31 +00:00
Ben Laurie
44eca70641 Update dependencies. 1999-11-18 14:32:54 +00:00
Dr. Stephen Henson
f76d8c4747 Modify verify code to handle self signed certificates. 1999-11-17 01:20:29 +00:00
Bodo Möller
b1fe6ca175 Store verify_result with sessions to avoid potential security hole. 1999-11-16 23:15:41 +00:00
Dr. Stephen Henson
e947f39689 New function X509_cmp(). 1999-11-16 00:56:03 +00:00
Dr. Stephen Henson
06556a1744 'req' fixes. Reinstate length check one request fields.
Fix to stop null being added to attributes.
Modify X509_LOOKUP, X509_INFO to handle auxiliary info.
1999-11-14 23:10:50 +00:00
Dr. Stephen Henson
a0ad17bb6c Fix to the -revoke option in ca. It was leaking memory, crashing and just
plain not working :-(

Also fix some memory leaks in the new X509_NAME code.

Fix so new app_rand code doesn't crash 'x509' and move #include so it compiles
under Win32.
1999-11-08 13:58:08 +00:00
Dr. Stephen Henson
ce1b4fe146 Allow additional information to be attached to a
certificate: currently this includes trust settings
and a "friendly name".
1999-11-04 00:45:35 +00:00
Dr. Stephen Henson
74400f7348 Continued multibyte character support.
Add a bunch of functions to simplify the creation of X509_NAME structures.

Change the X509_NAME_entry_add stuff in req/ca so it no longer uses
X509_NAME_entry_count(): passing -1 has the same effect.
1999-10-27 00:15:11 +00:00
Bodo Möller
38899535f8 Report an error from X509_STORE_load_locations
when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.
1999-10-26 01:52:16 +00:00
Dr. Stephen Henson
f769ce3ea4 More multibyte character support.
Functions to get keys from EVP_PKEY structures.
1999-10-25 02:00:09 +00:00
Dr. Stephen Henson
08e9c1af6c Replace the macros in asn1.h with function equivalents. Also make UTF8Strings
tolerated in certificates.
1999-10-20 01:50:23 +00:00
Dr. Stephen Henson
673b102c5b Initial support for certificate purpose checking: this will
ultimately lead to certificate chain verification. It is
VERY EXPERIMENTAL at present though.
1999-10-13 01:11:56 +00:00
Dr. Stephen Henson
56a3fec1b1 Add EX_DATA support to X509.
Fix a bug in the X509_get_d2i() functions which didn't check if crit was NULL.
1999-10-11 01:30:04 +00:00
Dr. Stephen Henson
3ea23631d4 Add support for public key input and output in rsa and dsa utilities with some
new DSA public key functions that were missing.

Also beginning of a cache for X509_EXTENSION structures: this will allow them
to be accessed more quickly for things like certificate chain verification...
1999-10-04 21:17:47 +00:00
Dr. Stephen Henson
393f2c651d Fix for d2i_ASN1_bytes and stop PKCS#7 routines crashing is signed message
contains no certificates.

Also fix typo in RANLIB changes.
1999-10-04 12:08:59 +00:00
Andy Polyakov
17f389bbbf Initial support for MacOS.
This will soon be complemented with MacOS specific source code files and
INSTALL.MacOS.

I (Andy) have decided to get rid of a number of #include <sys/types.h>.
I've verified it's ok (both by examining /usr/include/*.h and compiling)
on a number of Unix platforms. Unfortunately I don't have Windows box
to verify this on. I really appreciate if somebody could try to compile
it and contact me a.s.a.p. in case a problem occurs.

Submitted by: Roy Wood <roy@centricsystems.ca>
Reviewed by: Andy Polyakov <appro@fy.chalmers.se>
1999-09-11 17:54:18 +00:00