OCSP requests. It can also query reponders and parse or
print out responses.
Still needs some more work: OCSP response checks and
of course documentation.
but will verify the signatures on a response
and locate the signers certifcate.
Still needs to implement a proper OCSP certificate
verify.
Fix warning in RAND_egd().
allocation callbacks so that it is no longer visible to applications
that these live at a different call level than conventional memory
allocation callbacks.
handling routines that need file name and line number information,
I've added a call level to our memory handling routines to allow that
kind of hooking.
only queried when the /dev/[u]random devices did not return enough
entropy. Only the amount of entropy missing to reach the required minimum
is queried, as EGD may be drained.
Queried locations are: /etc/entropy, /var/run/egd-pool
"doall" functions to using type-safe wrappers. As and where required, this
can be replaced by redeclaring the underlying callbacks to use the
underlying "void"-based prototypes (eg. if performance suffers from an
extra level of function invocation).
them for a short period of time (actually, poll them with select(),
then read() whatever is there), which is about 10ms (hard-coded value)
each.
Separate Windows and Unixly code, and start on a VMS variant that
currently just returns 0.
Remove extensions argument from various functions
because it is not needed with the new extension
code.
New function OCSP_cert_to_id() to convert a pair
of certificates into an OCSP_CERTID.
New simple OCSP HTTP function. This is rather primitive
but just about adequate to send OCSP requests and
parse the response.
Fix typo in CRL distribution points extension.
Fix ASN1 code so it adds a final null to constructed
strings.
horrible macros.
Fix two evil ASN1 bugs. Attempt to use 'ctx' when
NULL if input is indefinite length constructed
in asn1_check_tlen() and invalid pointer to ASN1_TYPE
when reusing existing structure (this took *ages* to
find because the new PKCS#12 code triggered it).
most of the old wrappers. A few of the old versions remain
because they are non standard and the corresponding ASN1
code has not been reimplemented yet.
* detect "unknown" algorithms (any C macro starting with NO_ that is
not explicitely mentioned in mkdef.pl as a known algorithm) and
report.
* add a number of algorithms that can be deselected.
* look in ssl/kssl.h as well.
* accept multiple whitespace (not just one SPC) in preprocessor lines.
currently OpenSSL itself wont compile with this set
because some old style stuff remains.
Change old functions X509_sign(), X509_verify() etc
to use new item based functions.
Replace OCSP function declarations with DECLARE macros.
Don't try to print request certificates if signature is not present.
Remove unnecessary test for certificates being NULL.
Fix typos in printed output.
Tidy up output.
Fix for typo in OCSP_SERVICELOC ASN1 template.
Also give a bit more info in CHANGES about the ASN1 revision.
from the print routines.
Reorganisation of OCSP code: initial print routines in ocsp_prn.c. Doesn't
work fully because OCSP extensions aren't reimplemented yet.
Implement some ASN1 functions needed to compile OCSP code.
authenticated attributes: this is used to retain the
original encoding and not break signatures.
Support for a SET OF which reorders the STACK when
encoding a structure. This will be used with the
PKCS7 code.
for its ASN1 operations as well as the old style function
pointers (i2d, d2i, new, free). Change standard extensions
to support this.
Fix a warning in BN_mul(), bn_mul.c about uninitialised 'j'.
One problem that looked like a problem in bn_recp.c at first turned
out to be a BN_mul bug. An example is given in bn_recp.c; finding
the bug responsible for this is left as an exercise.
This caused a segmentation fault in calls to malloc, so I cleaned up
bn_lib.c a little so that it is easier to see what is going on.
The bug turned out to be an off-by-one error in BN_bin2bn.
BN_mul() correctly constified, avoids two realloc()'s that aren't
really necessary and saves memory to boot. This required a small
change in bn_mul_part_recursive() and the addition of variants of
bn_cmp_words(), bn_add_words() and bn_sub_words() that can take arrays
with differing sizes.
The test results show a performance that very closely matches the
original code from before my constification. This may seem like a
very small win from a performance point of view, but if one remembers
that the variants of bn_cmp_words(), bn_add_words() and bn_sub_words()
are not at all optimized for the moment (and there's no corresponding
assembler code), and that their use may be just as non-optimal, I'm
pretty confident there are possibilities...
This code needs reviewing!
two functions that did expansion on in parameters (BN_mul() and
BN_sqr()). The problem was solved by making bn_dup_expand() which is
a mix of bn_expand2() and BN_dup().
full version number and not just 0. This should mark the shared
libraries as not backward compatible. Of course, this should be
changed again when we can guarantee backward binary compatibility.
load the "external" built-in engines (those that require DSO). This
makes linking with libdl or other dso libraries non-mandatory.
Change 'openssl engine' accordingly.
Change the engine header files so some declarations (that differed at
that!) aren't duplicated, and make sure engine_int.h includes
engine.h. That way, there should be no way of missing the needed
info.
implementation is contained in the application, and the capability
string building part should really be part of the engine library.
This is therefore an experimental hack, and will be changed in the
near future.
