Dr. Stephen Henson [Mon, 31 Jan 2005 01:28:17 +0000 (01:28 +0000)]
Update year.
Dr. Stephen Henson [Fri, 28 Jan 2005 14:03:54 +0000 (14:03 +0000)]
Further FIPS algorithm blocking.
Fixes to cipher blocking and enabling code.
Add option -non-fips-allow to 'enc' and update testenc.
Richard Levitte [Thu, 27 Jan 2005 11:42:25 +0000 (11:42 +0000)]
The first argument to load_iv should really be a char ** instead of an
unsigned char **, since it points at text.
Thanks to Nils Larsch <nils.larsch@cybertrust.com> for pointing out
the inelegance of our code :-)
Dr. Stephen Henson [Thu, 27 Jan 2005 01:49:42 +0000 (01:49 +0000)]
More FIPS algorithm blocking.
Catch attempted use of non FIPS algorithms with HMAC.
Give an assertion error for applications that ignore FIPS digest errors.
Make -non-fips-allow work with dgst and HMAC.
Richard Levitte [Thu, 27 Jan 2005 01:49:23 +0000 (01:49 +0000)]
Check for errors from EVP_VerifyInit_ex(), or EVP_VerifyUpdate might
cause a segfault... This was uncovered because EVP_VerifyInit() may fail
in FIPS mode if the wrong algorithm is chosen...
Richard Levitte [Thu, 27 Jan 2005 01:47:27 +0000 (01:47 +0000)]
Get rid if the annoying warning
Dr. Stephen Henson [Wed, 26 Jan 2005 20:05:46 +0000 (20:05 +0000)]
make update
Dr. Stephen Henson [Wed, 26 Jan 2005 20:00:40 +0000 (20:00 +0000)]
FIPS algorithm blocking.
Non FIPS algorithms are not normally allowed in FIPS mode.
Any attempt to use them via high level functions will return an error.
The low level non-FIPS algorithm functions cannot return errors so they
produce assertion failures. HMAC also has to give an assertion error because
it (erroneously) can't return an error either.
There are exceptions (such as MD5 in TLS and non cryptographic use of
algorithms) and applications can override the blocking and use non FIPS
algorithms anyway.
For low level functions the override is perfomed by prefixing the algorithm
initalization function with "private_" for example private_MD5_Init().
For high level functions an override is performed by setting a flag in
the context.
Andy Polyakov [Wed, 26 Jan 2005 19:58:02 +0000 (19:58 +0000)]
Respect the fact that most interactive shells don't restore stty settings
and make it work in non-interactive mode...
Andy Polyakov [Tue, 18 Jan 2005 00:24:55 +0000 (00:24 +0000)]
Don't zap AES CBC IV, when decrypting truncated content in place.
Dr. Stephen Henson [Fri, 14 Jan 2005 17:53:16 +0000 (17:53 +0000)]
PKCS7_verify() performance optimization. When the content is large and a
memory BIO (for example from SMIME_read_PKCS7 and detached data) avoid lots
of slow memory copies from the memory BIO by saving the content in a
temporary read only memory BIO.
Andy Polyakov [Fri, 14 Jan 2005 16:24:45 +0000 (16:24 +0000)]
INSTALL.DJGPP update.
PR: 989
Andy Polyakov [Fri, 14 Jan 2005 16:22:02 +0000 (16:22 +0000)]
Rely on e_os.h to appropriately define str[n]casecmp in non-POSIX
environments.
Andy Polyakov [Fri, 14 Jan 2005 16:19:47 +0000 (16:19 +0000)]
O_NOFOLLOW is not appropriate when opening /dev/* entries on Solaris.
PR: 998
Richard Levitte [Fri, 14 Jan 2005 00:16:31 +0000 (00:16 +0000)]
make update
Richard Levitte [Wed, 12 Jan 2005 09:51:31 +0000 (09:51 +0000)]
Correct a faulty address assignment, and add a length check (not
really needed now, but may be needed in the future, who knows?).
Richard Levitte [Tue, 11 Jan 2005 18:25:28 +0000 (18:25 +0000)]
Use EXIT() instead of exit().
Richard Levitte [Tue, 11 Jan 2005 16:54:35 +0000 (16:54 +0000)]
Clear signed vs. unsigned conflicts.
Change the fingerprint accordingly.
Richard Levitte [Tue, 11 Jan 2005 06:53:30 +0000 (06:53 +0000)]
Remove VMS_strcasecmp() from apps.c, it's not used any more. And
besides, the implementation is bogus.
Andy Polyakov [Sun, 9 Jan 2005 20:43:49 +0000 (20:43 +0000)]
FAQ update to mention no-sha0 as possible workaround for Tru64 compiler bug.
Andy Polyakov [Sun, 9 Jan 2005 20:13:11 +0000 (20:13 +0000)]
DJGPP documentation note update.
Andy Polyakov [Sun, 9 Jan 2005 17:58:18 +0000 (17:58 +0000)]
Allow for ./config no-sha0.
PR: 993
Andy Polyakov [Tue, 4 Jan 2005 10:21:55 +0000 (10:21 +0000)]
DJGPP update.
PR: 989
Submitted by: Doug Kaufman
Dr. Stephen Henson [Mon, 3 Jan 2005 17:46:45 +0000 (17:46 +0000)]
RSA KAT.
Andy Polyakov [Fri, 31 Dec 2004 00:01:23 +0000 (00:01 +0000)]
Borrow #include <string[s].h> from e_os.h.
Andy Polyakov [Thu, 30 Dec 2004 23:39:06 +0000 (23:39 +0000)]
Make whiny compilers stop complaining about missing prototype.
Andy Polyakov [Thu, 30 Dec 2004 22:57:19 +0000 (22:57 +0000)]
AES CBC and CFB performance tune-up from HEAD.
Andy Polyakov [Thu, 30 Dec 2004 22:53:57 +0000 (22:53 +0000)]
Fix Win32 test-suit.
Andy Polyakov [Thu, 30 Dec 2004 11:08:27 +0000 (11:08 +0000)]
Remove naming conflict between variable and label.
Dr. Stephen Henson [Wed, 29 Dec 2004 01:05:35 +0000 (01:05 +0000)]
Prompt for passphrases with PKCS12 input format.
Andy Polyakov [Mon, 27 Dec 2004 23:48:33 +0000 (23:48 +0000)]
Cosmetic mingw update.
PR: 924
Andy Polyakov [Mon, 27 Dec 2004 21:26:10 +0000 (21:26 +0000)]
Minor cygwin update.
PR: 949
Andy Polyakov [Mon, 27 Dec 2004 14:55:19 +0000 (14:55 +0000)]
Remove CPU detect for IRIX targets. Performance gain is less than 1%, it
doesn't pay off...
Andy Polyakov [Mon, 27 Dec 2004 14:51:20 +0000 (14:51 +0000)]
As new major IRIX release is highly unlikely to appear [and break following],
I change from -notall to -none synonym in do_irix-shared to improve backward
compatibility with IRIX 5.x.
PR: 987
Andy Polyakov [Mon, 20 Dec 2004 13:21:25 +0000 (13:21 +0000)]
Summarize recent backports in CHANGES.
Andy Polyakov [Mon, 20 Dec 2004 13:20:22 +0000 (13:20 +0000)]
Improved PowerPC platform support.
Andy Polyakov [Mon, 20 Dec 2004 13:18:56 +0000 (13:18 +0000)]
When re-linking files, really relink them. In other words, emulate ln -f.
Andy Polyakov [Mon, 20 Dec 2004 13:15:51 +0000 (13:15 +0000)]
Backport of PPC BN module from HEAD.
Andy Polyakov [Mon, 20 Dec 2004 13:13:14 +0000 (13:13 +0000)]
Backport of cvs.openssl.org/chngview?cn=12323, as well as eliminate
message size limitations on 64-bit platforms.
Andy Polyakov [Mon, 20 Dec 2004 13:10:27 +0000 (13:10 +0000)]
Backport of cvs.openssl.org/chngview?cn=12449, essentially
a bug-fix for Win64/ia64.
Richard Levitte [Mon, 13 Dec 2004 22:48:01 +0000 (22:48 +0000)]
make update
Dr. Stephen Henson [Sun, 12 Dec 2004 13:18:23 +0000 (13:18 +0000)]
Remove duplicate lines.
Andy Polyakov [Fri, 10 Dec 2004 16:30:34 +0000 (16:30 +0000)]
Adapt FIPS sub-tree for mingw.
Andy Polyakov [Fri, 10 Dec 2004 13:15:55 +0000 (13:15 +0000)]
Solaris x86 assembler update.
Andy Polyakov [Fri, 10 Dec 2004 11:37:25 +0000 (11:37 +0000)]
Respect no-asm with fips option and disable FIPS DES assembler in
shared context [because it's not PIC].
Andy Polyakov [Fri, 10 Dec 2004 11:27:09 +0000 (11:27 +0000)]
olaris x86 perlasm update [from HEAD].
Andy Polyakov [Thu, 9 Dec 2004 22:43:29 +0000 (22:43 +0000)]
Eliminate false dependency on 386 config option is FIPS context.
At the same time limit assembler support to ELF platforms [that's
what is there, ELF modules].
Andy Polyakov [Thu, 9 Dec 2004 21:05:14 +0000 (21:05 +0000)]
Engage SHA1 IA64 assembler on IA64 platforms [from HEAD].
Andy Polyakov [Thu, 9 Dec 2004 20:55:52 +0000 (20:55 +0000)]
SHA1 assember for IA64 [from HEAD].
Andy Polyakov [Thu, 9 Dec 2004 18:13:46 +0000 (18:13 +0000)]
Cygwin specific FIPS fix-ups.
Andy Polyakov [Thu, 9 Dec 2004 18:03:23 +0000 (18:03 +0000)]
Postpone linking of shared libcrypto in FIPS build.
Andy Polyakov [Thu, 9 Dec 2004 18:00:26 +0000 (18:00 +0000)]
Eliminate dependency on UNICODE macro.
Dr. Stephen Henson [Thu, 9 Dec 2004 13:34:41 +0000 (13:34 +0000)]
Automatically mark the CRL cached encoding as invalid when some operations
are performed.
cvs2svn [Thu, 9 Dec 2004 11:57:39 +0000 (11:57 +0000)]
This commit was manufactured by cvs2svn to create branch
'OpenSSL_0_9_7-stable'.
Andy Polyakov [Thu, 9 Dec 2004 11:57:38 +0000 (11:57 +0000)]
SHA1 assembler for IA-64.
Andy Polyakov [Tue, 7 Dec 2004 11:55:56 +0000 (11:55 +0000)]
Extend RC4 test.
Dr. Stephen Henson [Sun, 5 Dec 2004 19:53:40 +0000 (19:53 +0000)]
More CA updates.
Dr. Stephen Henson [Sun, 5 Dec 2004 19:51:56 +0000 (19:51 +0000)]
Update 'certs' directory. Move expired certificates to expired directory
and zero assurance demontrations CAs to 'demo'.
cvs2svn [Sun, 5 Dec 2004 19:48:03 +0000 (19:48 +0000)]
This commit was manufactured by cvs2svn to create branch
'OpenSSL_0_9_7-stable'.
Dr. Stephen Henson [Sun, 5 Dec 2004 19:48:02 +0000 (19:48 +0000)]
Update 'certs' directory. Move expired certificates to expired directory
and zero assurance demontrations CAs to 'demo'.
Dr. Stephen Henson [Sun, 5 Dec 2004 18:26:48 +0000 (18:26 +0000)]
Use X509_cmp_time() in -checkend option, to support GeneralizedTime.
Dr. Stephen Henson [Sun, 5 Dec 2004 18:26:19 +0000 (18:26 +0000)]
Use X509_cmp_time() in -checkend option, to support GeneralizedTime.
Dr. Stephen Henson [Sun, 5 Dec 2004 01:50:56 +0000 (01:50 +0000)]
Remaing bits of PR:620 relevant to 0.9.8.
Dr. Stephen Henson [Sun, 5 Dec 2004 01:46:03 +0000 (01:46 +0000)]
Remaining parts of PR:620
Dr. Stephen Henson [Sun, 5 Dec 2004 01:04:44 +0000 (01:04 +0000)]
Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.
PR:620
Dr. Stephen Henson [Sun, 5 Dec 2004 01:03:15 +0000 (01:03 +0000)]
Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.
PR:620
Dr. Stephen Henson [Sun, 5 Dec 2004 00:52:18 +0000 (00:52 +0000)]
Update year.
Dr. Stephen Henson [Sun, 5 Dec 2004 00:51:41 +0000 (00:51 +0000)]
Update year.
Dr. Stephen Henson [Sat, 4 Dec 2004 21:26:11 +0000 (21:26 +0000)]
In by_file.c check last error for no start line, not first error.
Dr. Stephen Henson [Sat, 4 Dec 2004 21:25:51 +0000 (21:25 +0000)]
In by_file.c check last error for no start line, not first error.
Dr. Stephen Henson [Fri, 3 Dec 2004 12:29:17 +0000 (12:29 +0000)]
Add -passin argument to dgst command.
Dr. Stephen Henson [Fri, 3 Dec 2004 12:26:56 +0000 (12:26 +0000)]
Add -passin argument to dgst command.
Dr. Stephen Henson [Fri, 3 Dec 2004 00:10:59 +0000 (00:10 +0000)]
V1 certificates that aren't self signed can't be accepted as CAs.
Dr. Stephen Henson [Fri, 3 Dec 2004 00:10:34 +0000 (00:10 +0000)]
V1 certificates that aren't self signed can't be accepted as CAs.
Andy Polyakov [Thu, 2 Dec 2004 17:05:38 +0000 (17:05 +0000)]
sha1_block_asm_data_order can't hash if message crosses 2GB boundary.
[back-port from HEAD branch]
Andy Polyakov [Thu, 2 Dec 2004 10:54:36 +0000 (10:54 +0000)]
Back-port of RC4 assembler support for IA-64 from HEAD branch.
Andy Polyakov [Thu, 2 Dec 2004 10:09:50 +0000 (10:09 +0000)]
Downstream update from HEAD
Andy Polyakov [Thu, 2 Dec 2004 10:07:55 +0000 (10:07 +0000)]
Fix rc4-ia64.S to pass more exhaustive regression tests.
Dr. Stephen Henson [Wed, 1 Dec 2004 18:09:53 +0000 (18:09 +0000)]
Add couple of OIDs. Resync NIDs for consistency with 0.9.7.
Dr. Stephen Henson [Wed, 1 Dec 2004 17:55:07 +0000 (17:55 +0000)]
Add two OIDs, make update
Andy Polyakov [Wed, 1 Dec 2004 15:45:34 +0000 (15:45 +0000)]
Complete backport of i386 RC4 assembler module from HEAD.
Andy Polyakov [Wed, 1 Dec 2004 15:30:50 +0000 (15:30 +0000)]
Downstream update from HEAD.
Andy Polyakov [Wed, 1 Dec 2004 15:28:18 +0000 (15:28 +0000)]
I've introduced a bug to i386 RC4 assembler, which would emerge with
certain mix of calls to RC4 routine not covered by rc4test.c.
It's fixed now. In addition this patch inadvertently fixes minor
performance problem: in 0.9.7 context P4 was performing 12% slower
than the original implementation...
Dr. Stephen Henson [Wed, 1 Dec 2004 01:45:57 +0000 (01:45 +0000)]
Perform partial comparison of different character types in X509_NAME_cmp().
Dr. Stephen Henson [Wed, 1 Dec 2004 01:45:30 +0000 (01:45 +0000)]
Perform partial comparison of different character types in X509_NAME_cmp().
Andy Polyakov [Tue, 30 Nov 2004 18:00:33 +0000 (18:00 +0000)]
Back-port of RC4 assembler support for AMD64 from HEAD branch.
Andy Polyakov [Tue, 30 Nov 2004 17:53:44 +0000 (17:53 +0000)]
Downsync new and updated RC4 assembler modules from HEAD.
cvs2svn [Tue, 30 Nov 2004 15:46:47 +0000 (15:46 +0000)]
This commit was manufactured by cvs2svn to create branch
'OpenSSL_0_9_7-stable'.
Andy Polyakov [Tue, 30 Nov 2004 15:46:46 +0000 (15:46 +0000)]
Add 0.9.7 specific comments to RC4 assembler modules.
Mark J. Cox [Tue, 30 Nov 2004 14:34:16 +0000 (14:34 +0000)]
Mention that the keys likely to have signed the distribution are now
listed on the web site for easy finding and downloading
Richard Levitte [Tue, 30 Nov 2004 12:18:55 +0000 (12:18 +0000)]
Split X509_check_ca() into a small self and an internal function
check_ca(), to resolve constness issue. check_ca() is called from the
purpose checkers instead of X509_check_ca(), since the stuff done by
the latter (except for calling check_ca()) is also done by
X509_check_purpose().
Richard Levitte [Tue, 30 Nov 2004 12:18:53 +0000 (12:18 +0000)]
Split X509_check_ca() into a small self and an internal function
check_ca(), to resolve constness issue. check_ca() is called from the
purpose checkers instead of X509_check_ca(), since the stuff done by
the latter (except for calling check_ca()) is also done by
X509_check_purpose().
Andy Polyakov [Mon, 29 Nov 2004 21:19:56 +0000 (21:19 +0000)]
sha1_block_asm_data_order can't hash if message crosses 2GB boundary.
Andy Polyakov [Mon, 29 Nov 2004 21:12:58 +0000 (21:12 +0000)]
Final touches to rc4/asm/rc4-596.pl, +52% better performance on AMD core.
Richard Levitte [Mon, 29 Nov 2004 11:57:00 +0000 (11:57 +0000)]
Document the change.
Richard Levitte [Mon, 29 Nov 2004 11:56:57 +0000 (11:56 +0000)]
Document the change.
Richard Levitte [Mon, 29 Nov 2004 11:28:08 +0000 (11:28 +0000)]
Make an explicit check during certificate validation to see that the
CA setting in each certificate on the chain is correct. As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
given)
Richard Levitte [Mon, 29 Nov 2004 11:18:00 +0000 (11:18 +0000)]
Make an explicit check during certificate validation to see that the
CA setting in each certificate on the chain is correct. As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
given)
Andy Polyakov [Sat, 27 Nov 2004 15:14:58 +0000 (15:14 +0000)]
perlasm/x86[ms|nasm] update to accomodate updated RC4 assembler module.
Dr. Stephen Henson [Sat, 27 Nov 2004 13:02:34 +0000 (13:02 +0000)]
Remove unnecessary check and call BIO_free_all() on bio_out to avoid a
leak on VMS.