Commit graph

9604 commits

Author SHA1 Message Date
Dr. Stephen Henson
bb845ee044 Add -engine_impl option to dgst which will use an implementation of
an algorithm from the supplied engine instead of just the default one.
2010-03-05 13:28:21 +00:00
Dr. Stephen Henson
b5cfc2f590 option to replace extensions with new ones: mainly for creating cross-certificates 2010-03-03 20:13:30 +00:00
Dr. Stephen Henson
ebaa2cf5b2 PR: 2183
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
2010-03-03 19:56:34 +00:00
Dr. Stephen Henson
cca1cd9a34 Submitted by: Tomas Hoger <thoger@redhat.com>
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
2010-03-03 15:41:18 +00:00
Dr. Stephen Henson
2c772c8700 don't mix definitions and code 2010-03-03 15:30:42 +00:00
Andy Polyakov
e7f5b1cd42 Initial version of Galois Counter Mode implementation. Interface is still
subject to change...
2010-03-02 16:33:25 +00:00
Andy Polyakov
80dfadfdf3 ppccap.c: portability fix. 2010-03-02 16:28:29 +00:00
Andy Polyakov
d8c7bd6e11 Fix s390x-specific HOST_l2c|c2l.
Submitted by: Andreas Krebbel
2010-03-02 16:23:40 +00:00
Dr. Stephen Henson
f84c85b0e3 PR: 2178
Submitted by: "Kennedy, Brendan" <brendan.kennedy@intel.com>

Handle error codes correctly: cryptodev returns 0 for success whereas OpenSSL
returns 1.
2010-03-01 23:54:47 +00:00
Dr. Stephen Henson
a05b8d0ede use supplied ENGINE in genrsa 2010-03-01 14:22:21 +00:00
Dr. Stephen Henson
ff2fdbf2f8 oops, reinstate correct prototype 2010-03-01 03:01:27 +00:00
Dr. Stephen Henson
da3955256d 'typo' 2010-03-01 01:53:34 +00:00
Dr. Stephen Henson
5e28ccb798 make USE_CRYPTODEV_DIGESTS work 2010-03-01 01:19:18 +00:00
Dr. Stephen Henson
a6575572c6 load cryptodev if HAVE_CRYPTODEV is set too 2010-03-01 00:40:10 +00:00
Dr. Stephen Henson
c3951d8973 update cryptodev to match 1.0.0 stable branch version 2010-03-01 00:37:58 +00:00
Ben Laurie
19ec2f4194 Fix warnings (note that gcc 4.2 has a bug that makes one of its
warnings hard to fix without major surgery).
2010-02-28 14:22:56 +00:00
Dr. Stephen Henson
2b13f80360 algorithms field has changed in 1.0.0 and later: update 2010-02-28 00:24:04 +00:00
Dr. Stephen Henson
40c5eaeeec oops, revert verify.c change 2010-02-27 23:03:26 +00:00
Dr. Stephen Henson
c1ca9d3238 Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and
1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."
2010-02-27 23:02:41 +00:00
Dr. Stephen Henson
48435b2098 include TVS 1.1 version string 2010-02-26 19:38:33 +00:00
Dr. Stephen Henson
37c541faed Revert CFB block length change. Despite what SP800-38a says the input to
CFB mode does *not* have to be a multiple of the block length and several
other specifications (e.g. PKCS#11) do not require this.
2010-02-26 14:41:58 +00:00
Dr. Stephen Henson
0f776277bc oops, use correct date 2010-02-26 12:13:36 +00:00
Dr. Stephen Henson
5814d829e6 update NEWS 2010-02-25 18:20:30 +00:00
Dr. Stephen Henson
f6bb465f87 update FAQ 2010-02-25 18:18:46 +00:00
Dr. Stephen Henson
db28aa86e0 add -trusted_first option and verify flag 2010-02-25 12:21:48 +00:00
Dr. Stephen Henson
2da2ff5065 tidy verify code. xn not used any more and check for self signed more efficiently 2010-02-25 11:18:26 +00:00
Dr. Stephen Henson
fbd2164044 Experimental support for partial chain verification: if an intermediate
certificate is explicitly trusted (using -addtrust option to x509 utility
for example) the verification is sucessful even if the chain is not complete.
2010-02-25 00:17:22 +00:00
Dr. Stephen Henson
04e4b82726 allow setting of verify names in command line utilities and print out verify names in verify utility 2010-02-25 00:11:32 +00:00
Dr. Stephen Henson
9b3d75706e verify parameter enumeration functions 2010-02-25 00:08:23 +00:00
Dr. Stephen Henson
b1efb7161f Include self-signed flag in certificates by checking SKID/AKID as well
as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
2010-02-25 00:01:38 +00:00
Dr. Stephen Henson
df4c395c6d add anyExtendedKeyUsage OID 2010-02-24 15:53:58 +00:00
Dr. Stephen Henson
385a488c43 prevent warning 2010-02-24 15:24:19 +00:00
Andy Polyakov
ea746dad5e Reserve for option to implement AES counter in assembler. 2010-02-23 16:51:24 +00:00
Andy Polyakov
d976f99294 Add AES counter mode to EVP. 2010-02-23 16:48:41 +00:00
Andy Polyakov
e5a4de9e44 Add assigned OIDs, as well as "anonymous" ones for AES counter mode. 2010-02-23 16:47:17 +00:00
Dr. Stephen Henson
7d3d1788a5 The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in
the verify application documentation.
2010-02-23 14:09:09 +00:00
Bodo Möller
2d9dcd4ff0 Always check bn_wexpend() return values for failure (CVE-2009-3245).
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)

Submitted by: Neel Mehta
2010-02-23 10:36:35 +00:00
Bodo Möller
a839755329 Fix X509_STORE locking 2010-02-19 18:27:07 +00:00
Dr. Stephen Henson
69582a592e clarify documentation 2010-02-18 12:41:33 +00:00
Dr. Stephen Henson
7512141162 OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved 2010-02-17 19:43:56 +00:00
Dr. Stephen Henson
c2c49969e2 Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:38:31 +00:00
Dr. Stephen Henson
47e0a1c335 PR: 2100
Submitted by: James Baker <jbaker@tableausoftware.com> et al.

Workaround for slow Heap32Next on some versions of Windows.
2010-02-17 14:32:41 +00:00
Dr. Stephen Henson
439aab3afc Submitted by: Dmitry Ivanov <vonami@gmail.com>
Don't leave dangling pointers in GOST engine if calls fail.
2010-02-16 14:30:29 +00:00
Dr. Stephen Henson
8d934c2585 PR: 2171
Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.

Also can now use SSL2 compatible client hello because RFC5746 supports it.
2010-02-16 14:21:11 +00:00
Dr. Stephen Henson
1458b931eb The "block length" for CFB mode was incorrectly coded as 1 all the time. It
should be the number of feedback bits expressed in bytes. For CFB1 mode set
this to 1 by rounding up to the nearest multiple of 8.
2010-02-15 19:40:16 +00:00
Dr. Stephen Henson
20eb7238cb Correct ECB mode EVP_CIPHER definition: IV length is 0 2010-02-15 19:26:02 +00:00
Dr. Stephen Henson
79cfc3ac54 add EVP_CIPH_FLAG_LENGTH_BITS from 0.9.8-stable 2010-02-15 19:20:13 +00:00
Dr. Stephen Henson
918a5d04e4 PR: 2164
Submitted by: "Noszticzius, Istvan" <inoszticzius@rightnow.com>

Don't clear the output buffer: ciphers should correctly the same input
and output buffers.
2010-02-15 19:00:12 +00:00
Dr. Stephen Henson
f959598866 update references to new RI RFC 2010-02-12 21:59:31 +00:00
Dr. Stephen Henson
5a9e3f05ff PR: 2170
Submitted by: Magnus Lilja <lilja.magnus@gmail.com>

Make -c option in dgst work again.
2010-02-12 17:07:16 +00:00