Commit Graph

785 Commits

Author SHA1 Message Date
Dr. Stephen Henson
ba8e28248f Fix to stop X509_time_adj() using GeneralizedTime. 2001-01-20 13:38:45 +00:00
Dr. Stephen Henson
8e8972bb68 Fixes to various ASN1_INTEGER routines for negative case.
Enhance s2i_ASN1_INTEGER().
2001-01-19 14:21:48 +00:00
Bodo Möller
57108f0ad5 Fix openssl passwd -1 2001-01-19 07:37:56 +00:00
Dr. Stephen Henson
73758d435b Additional functionality in ocsp utility: print summary
of status info. Check nonce values. Option to disable
verify. Update usage message.

Rename status to string functions and make them global.
2001-01-19 01:32:23 +00:00
Dr. Stephen Henson
e8af92fcb1 Implement remaining OCSP verify checks in
accordance with RFC2560.
2001-01-18 01:35:39 +00:00
Richard Levitte
361ef5f4dc Make the change log on the RAND_poll change a bit more explicit. Suggested by Bodo Moeller. 2001-01-17 13:43:18 +00:00
Dr. Stephen Henson
81f169e95c Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".
2001-01-17 01:31:34 +00:00
Bodo Möller
dfebac32c0 New '-extfile' option for 'openssl ca'.
This allows keeping extensions in a separate configuration file.

Submitted by: Massimiliano Pala <madwolf@comune.modena.it>
2001-01-15 11:35:24 +00:00
Dr. Stephen Henson
6308af199d Change PKCS#12 key derivation routines to cope with
non null terminated passwords.
2001-01-14 14:07:10 +00:00
Dr. Stephen Henson
5782ceb298 New OCSP utility. This can generate, parse and print
OCSP requests. It can also query reponders and parse or
print out responses.

Still needs some more work: OCSP response checks and
of course documentation.
2001-01-13 01:48:38 +00:00
Bodo Möller
c67cdb50d2 New 'openssl ca -status <serial>' and 'openssl ca -updatedb'
commands.

Submitted by: Massimiliano Pala <madwolf@comune.modena.it>
2001-01-12 14:50:44 +00:00
Bodo Möller
d199858e89 New -newreq-nodes option to CA.pl.
Submitted by: Damien Miller <djm@mindrot.org>
2001-01-11 13:23:19 +00:00
Richard Levitte
10a2975a27 Add configuration for GNU Hurd. 2001-01-11 12:58:37 +00:00
Dr. Stephen Henson
9b4dc8308f OCSP basic response verify. Very incomplete
but will verify the signatures on a response
and locate the signers certifcate.

Still needs to implement a proper OCSP certificate
verify.

Fix warning in RAND_egd().
2001-01-11 00:52:50 +00:00
Bodo Möller
a5435e8b29 After discussion with Richard, change the new API for extended memory
allocation callbacks so that it is no longer visible to applications
that these live at a different call level than conventional memory
allocation callbacks.
2001-01-10 18:09:57 +00:00
Bodo Möller
673b3fde82 Add SSLEAY_DIR argument code for SSLeay_version.
Add '-d' option for 'openssl version' (included in '-a').
2001-01-10 15:15:36 +00:00
Bodo Möller
c06648f7f0 Fix C code generate by 'openssl dsaparam -C'. 2001-01-10 14:26:32 +00:00
Richard Levitte
65a22e8e4d As response to a user request to be able to use external memory
handling routines that need file name and line number information,
I've added a call level to our memory handling routines to allow that
kind of hooking.
2001-01-10 13:14:58 +00:00
Dr. Stephen Henson
cbf0f45f90 Fix uni2asc() so it can properly convert zero length
unicode strings. Certain PKCS#12 files contain these
in BMPStrings and it used to crash on them.
2001-01-10 01:06:31 +00:00
Lutz Jänicke
599c03530a Add automatic query of EGD sockets to RAND_poll(). The EGD sockets are
only queried when the /dev/[u]random devices did not return enough
entropy. Only the amount of entropy missing to reach the required minimum
is queried, as EGD may be drained.
Queried locations are: /etc/entropy, /var/run/egd-pool
2001-01-09 16:44:59 +00:00
Geoff Thorpe
56a67adb64 It was correctly pointed out to me that my CHANGES entry was a little thin
on details. :-)
2001-01-09 16:39:04 +00:00
Geoff Thorpe
3c91484052 Move all the existing function pointer casts associated with LHASH's two
"doall" functions to using type-safe wrappers. As and where required, this
can be replaced by redeclaring the underlying callbacks to use the
underlying "void"-based prototypes (eg. if performance suffers from an
extra level of function invocation).
2001-01-09 00:24:38 +00:00
Richard Levitte
0c61e299b3 Change RAND_poll for Unix to try a number of devices and only read
them for a short period of time (actually, poll them with select(),
then read() whatever is there), which is about 10ms (hard-coded value)
each.

Separate Windows and Unixly code, and start on a VMS variant that
currently just returns 0.
2001-01-08 10:59:26 +00:00
Dr. Stephen Henson
0b33bc65cd Add set of OCSP client functions. All experimental
and subject to addition, modifcation or deletion.

Add two OCSP nonce utility functions.

Fix typo in status code name.
2001-01-08 01:21:55 +00:00
Dr. Stephen Henson
8e96183506 Modify OCSP API to more closely reflect
application needs.

Add OCSP library name to error code.
2001-01-05 03:31:51 +00:00
Dr. Stephen Henson
bf0d176e48 Update OCSP API.
Remove extensions argument from various functions
because it is not needed with the new extension
code.

New function OCSP_cert_to_id() to convert a pair
of certificates into an OCSP_CERTID.

New simple OCSP HTTP function. This is rather primitive
but just about adequate to send OCSP requests and
parse the response.

Fix typo in CRL distribution points extension.

Fix ASN1 code so it adds a final null to constructed
strings.
2001-01-04 01:46:36 +00:00
Dr. Stephen Henson
ec5add8784 Fix the S/MIME code so it now works again and
uses the new ASN1 code.
2000-12-31 17:31:57 +00:00
Dr. Stephen Henson
ecbe07817a Rewrite PKCS#12 code and remove some of the old
horrible macros.

Fix two evil ASN1 bugs. Attempt to use 'ctx' when
NULL if input is indefinite length constructed
in asn1_check_tlen() and invalid pointer to ASN1_TYPE
when reusing existing structure (this took *ages* to
find because the new PKCS#12 code triggered it).
2000-12-31 01:13:04 +00:00
Richard Levitte
a6574c21eb Document. 2000-12-31 00:26:18 +00:00
Dr. Stephen Henson
4e1209ebf8 ASN1_ITEM versions of ASN1_d2i_{fp, bio} and replacement of
most of the old wrappers. A few of the old versions remain
because they are non standard and the corresponding ASN1
code has not been reimplemented yet.
2000-12-30 02:40:26 +00:00
Dr. Stephen Henson
78d3b819f0 Replace the old ASN1_dup() with ASN1_item_dup() and
zap some evil function pointers casts along the way...
2000-12-29 18:23:55 +00:00
Richard Levitte
3f07fe09b5 Enhancements to mkdef.pl:
* detect "unknown" algorithms (any C macro starting with NO_ that is
  not explicitely mentioned in mkdef.pl as a known algorithm) and
  report.
* add a number of algorithms that can be deselected.
* look in ssl/kssl.h as well.
* accept multiple whitespace (not just one SPC) in preprocessor lines.
2000-12-29 00:05:14 +00:00
Dr. Stephen Henson
73e92de577 Add NO_ASN1_OLD to remove some old style functions:
currently OpenSSL itself wont compile with this set
because some old style stuff remains.

Change old functions X509_sign(), X509_verify() etc
to use new item based functions.

Replace OCSP function declarations with DECLARE macros.
2000-12-28 22:24:50 +00:00
Dr. Stephen Henson
09ab755c55 ASN1_ITEM versions of sign, verify, pack and unpack.
The old function pointer versions will eventually go
away.
2000-12-28 19:18:48 +00:00
Dr. Stephen Henson
ec558b6548 New OCSP extension functions. 2000-12-28 01:05:05 +00:00
Bodo Möller
725c88879c Finish SSL_peek/SSL_pending fixes. 2000-12-26 12:07:23 +00:00
Bodo Möller
a0aae68cf6 Fix SSL_peek and SSL_pending. 2000-12-25 18:40:46 +00:00
Dr. Stephen Henson
57d2f21782 New function X509V3_add_i2d() this is used for
encoding, replacing and deleting extensions.

Fix X509V3_get_d2i() so it uses takes note of
new critical behaviour.
2000-12-24 18:02:33 +00:00
Bodo Möller
1456d1860e Split a CHANGES entry so that one of the halves matches the
corresponding new entry in the OpenSSL_0_9_6-stable branch.
2000-12-20 10:09:08 +00:00
Dr. Stephen Henson
5755cab49d Fixes to OCSP print code.
Don't try to print request certificates if signature is not present.

Remove unnecessary test for certificates being NULL.

Fix typos in printed output.

Tidy up output.

Fix for typo in OCSP_SERVICELOC ASN1 template.

Also give a bit more info in CHANGES about the ASN1 revision.
2000-12-20 00:46:44 +00:00
Bodo Möller
126fe085db Don't hold CRYPTO_LOCK_RSA during time-consuming operations. 2000-12-19 12:31:41 +00:00
Bodo Möller
3880cd35ad Import s2_pkt.c wbuf fixes from OpenSSL_0_9_6-stable branch. 2000-12-18 11:35:32 +00:00
Bodo Möller
f640ee90c3 Obtain lock CRYPTO_LOCK_RSA before creating BN_MONT_CTX
structures and setting rsa->_method_mod_{n,p,q}.

Submitted by: "Reddie, Steven" <Steven.Reddie@ca.com>
2000-12-18 09:00:48 +00:00
Dr. Stephen Henson
9c67ab2f26 Make mkdef.pl parse some ASN1 IMPLEMENT macros.
Initial support for variables in DEF files.
2000-12-16 01:19:24 +00:00
Bodo Möller
3ac82faae5 Locking issues. 2000-12-15 16:40:35 +00:00
Dr. Stephen Henson
c08523d862 Implement some standard OCSP extensions in the v3 code. These
are all raw print only extensions at present.
2000-12-15 13:42:00 +00:00
Geoff Thorpe
2a86064f95 Make a note of the new engine. 2000-12-14 21:49:48 +00:00
Dr. Stephen Henson
2c15d426b9 New function X509V3_extensions_print() this removes extension duplication
from the print routines.

Reorganisation of OCSP code: initial print routines in ocsp_prn.c. Doesn't
work fully because OCSP extensions aren't reimplemented yet.

Implement some ASN1 functions needed to compile OCSP code.
2000-12-14 18:42:28 +00:00
Bodo Möller
5a4fbc69c3 First step towards SSL_peek fix. 2000-12-14 17:36:59 +00:00
Dr. Stephen Henson
de487514ae New function X509_signature_print() to remove some duplicate
code from certificate, CRL and request printing routines.
2000-12-14 00:53:10 +00:00
Dr. Stephen Henson
06db4253e2 Change the PKCS7 structure to use SEQUENCE OF for the
authenticated attributes: this is used to retain the
original encoding and not break signatures.

Support for a SET OF which reorders the STACK when
encoding a structure. This will be used with the
PKCS7 code.
2000-12-13 23:54:30 +00:00
Dr. Stephen Henson
36f554d43c Replace the old style OCSP ASN1 module. 2000-12-13 18:21:51 +00:00
Dr. Stephen Henson
2aff7727f7 Rewrite the extension code to use an ASN1_ITEM structure
for its ASN1 operations as well as the old style function
pointers (i2d, d2i, new, free). Change standard extensions
to support this.

Fix a warning in BN_mul(), bn_mul.c about uninitialised 'j'.
2000-12-13 13:47:33 +00:00
Dr. Stephen Henson
9d6b1ce644 Merge from the ASN1 branch of new ASN1 code
to main trunk.

Lets see if the makes it to openssl-cvs :-)
2000-12-08 19:09:35 +00:00
Bodo Möller
8dea52fa42 Fix some things that look like bugs.
One problem that looked like a problem in bn_recp.c at first turned
out to be a BN_mul bug.  An example is given in bn_recp.c; finding
the bug responsible for this is left as an exercise.
2000-12-07 22:06:09 +00:00
Bodo Möller
80d89e6a6a Sign-related fixes (and tests).
BN_mod_exp_mont does not work properly yet if modulus m
is negative (we want computations to be carried out
modulo |m|).
2000-12-07 08:48:58 +00:00
Bodo Möller
aa66eba7c8 BN_mod_sqrt documentation/comment 2000-12-06 21:33:58 +00:00
Bodo Möller
bac685417a Faster BN_mod_sqrt algorithm for p == 5 (8). 2000-12-06 12:25:33 +00:00
Bodo Möller
a47b505e37 Improve formatting. 2000-12-04 19:04:55 +00:00
Geoff Thorpe
f1919c3df9 Make a note of the LHASH changes. 2000-12-04 03:35:35 +00:00
Ulf Möller
1946cd8bc2 Note the bntest change.
The *_part_words functions are not static.
2000-12-02 07:50:30 +00:00
Richard Levitte
2efff10cfa Correct a mail address... 2000-12-01 16:49:53 +00:00
Richard Levitte
33479d275a Document the addition of Kerberos stuff. 2000-12-01 14:40:45 +00:00
Ulf Möller
a023052580 Borland C fix. 2000-12-01 01:53:08 +00:00
Ulf Möller
4b757c830d typo 2000-12-01 01:51:04 +00:00
Bodo Möller
fc2e05c2d5 Fix BN_rshift, which caused lots of trouble. 2000-11-30 22:34:57 +00:00
Richard Levitte
0ae485dc07 New format for the FAQ. We now have different sections for different
types of questions.  Hopefully, that'll make them easier to spot, and
specially, easier to refer to.
2000-11-30 13:04:14 +00:00
Richard Levitte
20f88b9bd4 Changes to c_zlib.c to make ZLIB.DLL dynamically loadable under
Windows.  Really, this should probably be done on Unix as well, but
that will be a later story...
2000-11-30 10:25:45 +00:00
Bodo Möller
6b5d39e82d BN_mod_sqrt 2000-11-30 00:20:20 +00:00
Geoff Thorpe
ef8b601789 Amend the original CHANGES log entry. The ex_data handling has been
similarly modified now on DH and DSA.
2000-11-29 20:02:00 +00:00
Lutz Jänicke
c6a926d9e2 Log security relevant change. 2000-11-29 18:06:18 +00:00
Bodo Möller
9161672950 BN_bin2bn did *not* contain an off-by-one error;
I'm still investigating what caused the segementation fault
(maybe "make clean; make" will cure it ...).
But BN_bin2bn should always reset ret->neg.
2000-11-29 12:53:41 +00:00
Bodo Möller
a08bcccc67 Expand expspeed.c to make BN_kronecker timings.
This caused a segmentation fault in calls to malloc, so I cleaned up
bn_lib.c a little so that it is easier to see what is going on.
The bug turned out to be an off-by-one error in BN_bin2bn.
2000-11-29 12:32:10 +00:00
Bodo Möller
bdec3c5323 Implement BN_kronecker test.
Modify "CHANGES" entry for BN_mod_inverse (it's not just avoiding BN_div
that increases performance, avoiding BN_mul also helps)
2000-11-29 11:06:50 +00:00
Bodo Möller
499e167fda Improve BN_mod_inverse performance.
Get the BN_mod_exp_mont bugfix (for handling negative inputs) correct
this time.
2000-11-29 09:41:19 +00:00
Bodo Möller
000e21779c Note that SSL_peek has been disabled. 2000-11-28 11:13:06 +00:00
Bodo Möller
dcbd0d74d5 Fix BN_is_... macros.
Fix BN_gcd.
Analyze BN_mod_inverse.
Add BN_kronecker.
"make update".
2000-11-27 21:17:20 +00:00
Geoff Thorpe
0ac87024e3 It was a small change, but it *could* conceivably affect people - so I'm
making a note in the CHANGES file.
2000-11-26 18:39:27 +00:00
Bodo Möller
5acaa49504 More BN_mod_... functions. 2000-11-26 18:31:32 +00:00
Bodo Möller
78a0c1f18d modular arithmetics
"make update"
2000-11-26 16:42:38 +00:00
Richard Levitte
baa257f1ed Remove two bn_wexpand() from BN_mul(), which is a step toward getting
BN_mul() correctly constified, avoids two realloc()'s that aren't
really necessary and saves memory to boot.  This required a small
change in bn_mul_part_recursive() and the addition of variants of
bn_cmp_words(), bn_add_words() and bn_sub_words() that can take arrays
with differing sizes.

The test results show a performance that very closely matches the
original code from before my constification.  This may seem like a
very small win from a performance point of view, but if one remembers
that the variants of bn_cmp_words(), bn_add_words() and bn_sub_words()
are not at all optimized for the moment (and there's no corresponding
assembler code), and that their use may be just as non-optimal, I'm
pretty confident there are possibilities...

This code needs reviewing!
2000-11-18 22:58:26 +00:00
Bodo Möller
db70a3fd6e Improve usability of 'openssl passwd' by including
password verification where it makes sense.
2000-11-17 09:03:02 +00:00
Richard Levitte
ccb9643f02 Remove references to RSAref. The glue library is but a memory to fade
away now...
2000-11-08 17:51:37 +00:00
Bodo Möller
7f7b8d6871 BN_CTX-related fixes. 2000-11-08 10:05:34 +00:00
Richard Levitte
e06433d9ba shl_load() also needs to load along a path given through an
environment variable, SHLIB_PATH.  This change makes that possible.
2000-11-07 11:25:26 +00:00
Richard Levitte
55b3c877c7 Document recent constifications. 2000-11-06 23:29:52 +00:00
Richard Levitte
10e473e930 As a consequence of the BIGNUM constification, the ENGINE code needs a
few small constifying changes, and why not throw in a couple of extras
while I'm at it?
2000-11-06 22:15:50 +00:00
Richard Levitte
e7ef1a561a Make all engines available in the openssl application. 2000-11-06 22:03:00 +00:00
Richard Levitte
020fc820dc Constify the BIGNUM routines a bit more. The only trouble were the
two functions that did expansion on in parameters (BN_mul() and
BN_sqr()).  The problem was solved by making bn_dup_expand() which is
a mix of bn_expand2() and BN_dup().
2000-11-06 21:15:54 +00:00
Richard Levitte
6b77e6d7f3 Make sure that shared libraries get the internal name engine with the
full version number and not just 0.  This should mark the shared
libraries as not backward compatible.  Of course, this should be
changed again when we can guarantee backward binary compatibility.
2000-11-06 06:52:47 +00:00
Richard Levitte
11c0f1201c Change the engine library so the application writer has to explicitely
load the "external" built-in engines (those that require DSO).  This
makes linking with libdl or other dso libraries non-mandatory.

Change 'openssl engine' accordingly.

Change the engine header files so some declarations (that differed at
that!) aren't duplicated, and make sure engine_int.h includes
engine.h.  That way, there should be no way of missing the needed
info.
2000-11-02 20:33:04 +00:00
Richard Levitte
69e7805f54 'openssl engine' can now list engine capabilities. The current
implementation is contained in the application, and the capability
string building part should really be part of the engine library.
This is therefore an experimental hack, and will be changed in the
near future.
2000-11-02 19:24:48 +00:00
Richard Levitte
e264cfe17a Better error reporting in 'openssl engine' 2000-11-02 18:58:43 +00:00
Bodo Möller
15d52ddb55 Never call load_dh_param(NULL) because this leads to an illegal
fopen(NULL).
2000-11-02 10:35:10 +00:00
Richard Levitte
14c6d27d63 Add application to enumerate, list and test engines with. 2000-11-01 02:57:35 +00:00
Richard Levitte
dcea8e12e2 Add support for shared libraries under Irix.
Submitted by Albert Chin-A-Young <china@thewrittenword.com>
2000-11-01 00:05:04 +00:00
Richard Levitte
501ebf16b6 Improvements to openssl.spec.
Submitted by Damien Miller <djm@mindrot.org>
This change has been CC:ed to crypt@bxa.doc.gov
2000-10-31 23:26:32 +00:00
Richard Levitte
815c83f70a Add configuration option to build on Linux on both big-endian and
little-endian MIPS.
Submitted by Ralf Baechle <ralf@uni-koblenz.de>
2000-10-31 23:14:19 +00:00
Richard Levitte
3aba98e787 Document the change. 2000-10-28 22:44:03 +00:00
Richard Levitte
7c155330de Document the OCSP addition. 2000-10-27 11:22:17 +00:00