Dr. Stephen Henson [Sun, 30 Dec 2012 16:04:51 +0000 (16:04 +0000)]
make no-comp compile
Dr. Stephen Henson [Sat, 29 Dec 2012 23:38:20 +0000 (23:38 +0000)]
make JPAKE work again, fix memory leaks
Dr. Stephen Henson [Sat, 29 Dec 2012 23:37:56 +0000 (23:37 +0000)]
stop warning when compiling with no-comp
Dr. Stephen Henson [Wed, 26 Dec 2012 23:51:56 +0000 (23:51 +0000)]
Portability fix: use BIO_snprintf and pick up strcasecmp alternative
definitions from e_os.h
Dr. Stephen Henson [Wed, 26 Dec 2012 19:12:57 +0000 (19:12 +0000)]
missing tab
Dr. Stephen Henson [Wed, 26 Dec 2012 15:23:42 +0000 (15:23 +0000)]
typo
Dr. Stephen Henson [Fri, 21 Dec 2012 18:32:33 +0000 (18:32 +0000)]
Fix tocsp: we don't need -trust_other any more.
Fix typo.
Dr. Stephen Henson [Fri, 21 Dec 2012 18:31:32 +0000 (18:31 +0000)]
Make partial chain checking work if we only have the EE certificate in
the trust store.
Dr. Stephen Henson [Fri, 21 Dec 2012 16:24:48 +0000 (16:24 +0000)]
add missing newline
Dr. Stephen Henson [Thu, 20 Dec 2012 18:51:00 +0000 (18:51 +0000)]
revert OCSP_basic_verify changes: they aren't needed now we support partial chain verification and can pass verify options to ocsp utility
Dr. Stephen Henson [Thu, 20 Dec 2012 18:48:11 +0000 (18:48 +0000)]
Update test OCSP script "tocsp" to use shell functions and to use
December 17th as check date to avoid certificate expiry errors.
Andy Polyakov [Wed, 19 Dec 2012 17:24:46 +0000 (17:24 +0000)]
gost_crypt.c: more intuitive ceiling.
Dr. Stephen Henson [Wed, 19 Dec 2012 14:34:39 +0000 (14:34 +0000)]
correct CHANGES
Andy Polyakov [Wed, 19 Dec 2012 11:06:00 +0000 (11:06 +0000)]
engines/cchost/gost_crypt.c: fix typo.
Andy Polyakov [Wed, 19 Dec 2012 10:54:47 +0000 (10:54 +0000)]
engines/e_capi.c: fix typo.
Submitted by: Pierre Delaage
Andy Polyakov [Wed, 19 Dec 2012 10:45:13 +0000 (10:45 +0000)]
engine/cchost: fix bugs.
PR: 2821
Submitted by: Dmitry Belyavsky, Serguei Leontiev
Andy Polyakov [Tue, 18 Dec 2012 18:19:54 +0000 (18:19 +0000)]
dso/dso_win32.c: fix compiler warning.
Andy Polyakov [Tue, 18 Dec 2012 18:07:20 +0000 (18:07 +0000)]
util/pl/VC-32.pl fix typo.
Dr. Stephen Henson [Tue, 18 Dec 2012 13:25:47 +0000 (13:25 +0000)]
Use client version when deciding which cipher suites to disable.
Andy Polyakov [Tue, 18 Dec 2012 09:42:31 +0000 (09:42 +0000)]
util/pl/VC-32.pl: refresh, switch to ws2, add crypt32, fix typo (based on
suggestions from Pierre Delaage).
Andy Polyakov [Sun, 16 Dec 2012 19:39:24 +0000 (19:39 +0000)]
VC-32.pl: fix typo.
Submitted by: Pierre Delaage
Andy Polyakov [Sun, 16 Dec 2012 19:02:59 +0000 (19:02 +0000)]
d1_lib.c,bss_dgram.c: eliminate dependency on _ftime.
Dr. Stephen Henson [Sun, 16 Dec 2012 00:10:03 +0000 (00:10 +0000)]
add -rmd option to set OCSP response signing digest
Dr. Stephen Henson [Sat, 15 Dec 2012 02:58:00 +0000 (02:58 +0000)]
Check chain is not NULL before assuming we have a validated chain.
The modification to the OCSP helper purpose breaks normal OCSP verification.
It is no longer needed now we can trust partial chains.
Dr. Stephen Henson [Sat, 15 Dec 2012 02:56:02 +0000 (02:56 +0000)]
Return success when the responder is active.
Don't verify our own responses.
Dr. Stephen Henson [Sat, 15 Dec 2012 00:29:12 +0000 (00:29 +0000)]
typo
Dr. Stephen Henson [Fri, 14 Dec 2012 23:30:56 +0000 (23:30 +0000)]
Add support for '-' as input and output filenames in ocsp utility.
Recognise verification arguments.
Dr. Stephen Henson [Fri, 14 Dec 2012 23:29:58 +0000 (23:29 +0000)]
oops, revert, committed in error
Dr. Stephen Henson [Fri, 14 Dec 2012 23:28:19 +0000 (23:28 +0000)]
apps/ocsp.c
Ben Laurie [Fri, 14 Dec 2012 13:28:49 +0000 (13:28 +0000)]
Documentation improvements by Chris Palmer (Google).
Andy Polyakov [Thu, 13 Dec 2012 22:51:01 +0000 (22:51 +0000)]
fips/fipsld: improve cross-compile support.
Dr. Stephen Henson [Thu, 13 Dec 2012 18:20:47 +0000 (18:20 +0000)]
Use new partial chain flag instead of modifying input parameters.
Dr. Stephen Henson [Thu, 13 Dec 2012 18:14:46 +0000 (18:14 +0000)]
New verify flag to return success if we have any certificate in the
trusted store instead of the default which is to return an error if
we can't build the complete chain.
Ben Laurie [Thu, 13 Dec 2012 16:17:55 +0000 (16:17 +0000)]
Document -pubkey.
Ben Laurie [Wed, 12 Dec 2012 14:14:43 +0000 (14:14 +0000)]
Improve my 64-bit debug target.
Dr. Stephen Henson [Wed, 12 Dec 2012 03:35:31 +0000 (03:35 +0000)]
add -crl_download option to s_server
Dr. Stephen Henson [Wed, 12 Dec 2012 00:50:26 +0000 (00:50 +0000)]
add -cert_chain option to s_client
Ben Laurie [Tue, 11 Dec 2012 16:05:14 +0000 (16:05 +0000)]
Make openssl verify return errors.
Ben Laurie [Tue, 11 Dec 2012 15:52:10 +0000 (15:52 +0000)]
Update ignores.
Ben Laurie [Mon, 10 Dec 2012 16:52:17 +0000 (16:52 +0000)]
Tabification. Remove accidental duplication.
Dr. Stephen Henson [Mon, 10 Dec 2012 02:02:16 +0000 (02:02 +0000)]
revert SUITEB128ONLY patch, anything wanting to use P-384 can use SUITEB128 instead
Dr. Stephen Henson [Sun, 9 Dec 2012 16:21:46 +0000 (16:21 +0000)]
add -badsig option to ocsp utility too.
Dr. Stephen Henson [Sun, 9 Dec 2012 16:03:34 +0000 (16:03 +0000)]
allow ECDSA+SHA384 signature algorithm in SUITEB128ONLY mode
Dr. Stephen Henson [Fri, 7 Dec 2012 23:42:33 +0000 (23:42 +0000)]
send out the raw SSL/TLS headers to the msg_callback and display them in SSL_trace
Ben Laurie [Fri, 7 Dec 2012 18:47:47 +0000 (18:47 +0000)]
Fix OCSP checking.
Dr. Stephen Henson [Fri, 7 Dec 2012 13:23:49 +0000 (13:23 +0000)]
typo
Dr. Stephen Henson [Fri, 7 Dec 2012 12:41:13 +0000 (12:41 +0000)]
really fix automatic ;-)
Dr. Stephen Henson [Thu, 6 Dec 2012 23:26:11 +0000 (23:26 +0000)]
documentation fixes
Dr. Stephen Henson [Thu, 6 Dec 2012 21:53:05 +0000 (21:53 +0000)]
fix handling of "automatic" in file mode
Dr. Stephen Henson [Thu, 6 Dec 2012 18:43:40 +0000 (18:43 +0000)]
Add code to download CRLs based on CRLDP extension.
Just a sample, real world applications would have to be cleverer.
Dr. Stephen Henson [Thu, 6 Dec 2012 18:36:51 +0000 (18:36 +0000)]
remove print_ssl_cert_checks() from openssl application: it is no longer used
Dr. Stephen Henson [Thu, 6 Dec 2012 18:24:28 +0000 (18:24 +0000)]
Fix two bugs which affect delta CRL handling:
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
Dr. Stephen Henson [Wed, 5 Dec 2012 18:35:20 +0000 (18:35 +0000)]
Integrate host, email and IP address checks into X509_verify.
Add new verify options to set checks.
Remove previous -check* commands from s_client and s_server.
Andy Polyakov [Wed, 5 Dec 2012 17:44:45 +0000 (17:44 +0000)]
aes-s390x.pl: fix XTS bugs in z196-specific code path.
Dr. Stephen Henson [Tue, 4 Dec 2012 23:18:44 +0000 (23:18 +0000)]
don't print verbose policy check messages when -quiet is selected even on error
Andy Polyakov [Tue, 4 Dec 2012 20:21:24 +0000 (20:21 +0000)]
ghash-sparcv9.pl: shave off one more xmulx, improve T3 performance by 7%.
Dr. Stephen Henson [Tue, 4 Dec 2012 18:35:36 +0000 (18:35 +0000)]
initial support for delta CRL generations by diffing two full CRLs
Dr. Stephen Henson [Tue, 4 Dec 2012 18:35:04 +0000 (18:35 +0000)]
make -subj always override config file
Dr. Stephen Henson [Tue, 4 Dec 2012 17:25:34 +0000 (17:25 +0000)]
check mval for NULL too
Dr. Stephen Henson [Mon, 3 Dec 2012 16:32:52 +0000 (16:32 +0000)]
fix leak
Dr. Stephen Henson [Mon, 3 Dec 2012 03:40:57 +0000 (03:40 +0000)]
oops, really check brief mode only ;-)
Dr. Stephen Henson [Mon, 3 Dec 2012 03:39:23 +0000 (03:39 +0000)]
don't check errno is zero, just print out message
Dr. Stephen Henson [Mon, 3 Dec 2012 03:33:44 +0000 (03:33 +0000)]
if no error code and -brief selected print out connection closed instead of read error
Dr. Stephen Henson [Sun, 2 Dec 2012 16:48:25 +0000 (16:48 +0000)]
add -badsig option to corrupt CRL signatures for testing too
Dr. Stephen Henson [Sun, 2 Dec 2012 16:16:28 +0000 (16:16 +0000)]
New option to add CRLs for s_client and s_server.
Dr. Stephen Henson [Sun, 2 Dec 2012 14:00:22 +0000 (14:00 +0000)]
add option to get a certificate or CRL from a URL
Dr. Stephen Henson [Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)]
return error if Suite B mode is selected and TLS 1.2 can't be used. Correct error coded
Andy Polyakov [Sat, 1 Dec 2012 18:24:20 +0000 (18:24 +0000)]
cryptlib.c: fix logical error.
Andy Polyakov [Sat, 1 Dec 2012 18:20:39 +0000 (18:20 +0000)]
aesni-x86_64.pl: CTR face lift, +25% on Bulldozer.
Andy Polyakov [Sat, 1 Dec 2012 11:06:19 +0000 (11:06 +0000)]
aes-s390x.pl: harmonize software-only code path [and minor optimization].
Dr. Stephen Henson [Fri, 30 Nov 2012 19:24:13 +0000 (19:24 +0000)]
Add new test option set the version in generated certificates: this
is needed to test some profiles/protocols which reject certificates
with unsupported versions.
Dr. Stephen Henson [Thu, 29 Nov 2012 19:15:14 +0000 (19:15 +0000)]
PR: 2803
Submitted by: jean-etienne.schwartz@bull.net
In OCSP_basic_varify return an error if X509_STORE_CTX_init fails.
Dr. Stephen Henson [Thu, 29 Nov 2012 01:15:09 +0000 (01:15 +0000)]
add wrapper function for certificate download
Dr. Stephen Henson [Thu, 29 Nov 2012 01:13:38 +0000 (01:13 +0000)]
constify
Dr. Stephen Henson [Wed, 28 Nov 2012 16:22:53 +0000 (16:22 +0000)]
Generalise OCSP I/O functions to support dowloading of other ASN1
structures using HTTP. Add wrapper function to handle CRL download.
Andy Polyakov [Wed, 28 Nov 2012 13:19:10 +0000 (13:19 +0000)]
C64x+ assembly pack: improve EABI support.
Andy Polyakov [Wed, 28 Nov 2012 13:05:13 +0000 (13:05 +0000)]
Update support for Intel compiler: add linux-x86_64-icc and fix problems.
Dr. Stephen Henson [Tue, 27 Nov 2012 23:47:48 +0000 (23:47 +0000)]
New functions to set lookup_crls callback and to retrieve internal X509_STORE
from X509_STORE_CTX.
Dr. Stephen Henson [Mon, 26 Nov 2012 18:39:38 +0000 (18:39 +0000)]
Print out point format list for clients too.
Dr. Stephen Henson [Mon, 26 Nov 2012 18:38:10 +0000 (18:38 +0000)]
Use default point formats extension for server side as well as client
side, if possible.
Don't advertise compressed char2 for SuiteB as it is not supported.
Dr. Stephen Henson [Mon, 26 Nov 2012 15:47:32 +0000 (15:47 +0000)]
change inaccurate error message
Dr. Stephen Henson [Mon, 26 Nov 2012 15:10:50 +0000 (15:10 +0000)]
set auto ecdh parameter selction for Suite B
Dr. Stephen Henson [Mon, 26 Nov 2012 12:51:12 +0000 (12:51 +0000)]
set cmdline flag in s_server
Dr. Stephen Henson [Sun, 25 Nov 2012 22:29:52 +0000 (22:29 +0000)]
option to output corrupted signature in certificates for testing purposes
Andy Polyakov [Sat, 24 Nov 2012 21:55:23 +0000 (21:55 +0000)]
AES for SPARC T4: add XTS, reorder subroutines to improve TLB locality.
Dr. Stephen Henson [Sat, 24 Nov 2012 00:59:51 +0000 (00:59 +0000)]
add Suite B 128 bit mode offering only combination 2
Dr. Stephen Henson [Fri, 23 Nov 2012 18:56:25 +0000 (18:56 +0000)]
Don't display messages about verify depth in s_server if -quiet it set.
Add support for separate verify and chain stores in s_client.
Dr. Stephen Henson [Thu, 22 Nov 2012 15:20:53 +0000 (15:20 +0000)]
Add support for printing out and retrieving EC point formats extension.
Dr. Stephen Henson [Thu, 22 Nov 2012 14:15:44 +0000 (14:15 +0000)]
reject zero length point format list or supported curves extensions
Dr. Stephen Henson [Wed, 21 Nov 2012 17:11:42 +0000 (17:11 +0000)]
support -quiet with -msg or -trace
Dr. Stephen Henson [Wed, 21 Nov 2012 17:01:46 +0000 (17:01 +0000)]
curves can be set in both client and server
Dr. Stephen Henson [Wed, 21 Nov 2012 16:59:33 +0000 (16:59 +0000)]
use correct return values when callin cmd
Dr. Stephen Henson [Wed, 21 Nov 2012 16:47:25 +0000 (16:47 +0000)]
only use a default curve if not already set
Dr. Stephen Henson [Wed, 21 Nov 2012 14:13:20 +0000 (14:13 +0000)]
Reorganise parameters for OPENSSL_gmtime_diff.
Make ASN1_UTCTIME_cmp_time_t more robust by using the new time functions.
Dr. Stephen Henson [Wed, 21 Nov 2012 14:10:48 +0000 (14:10 +0000)]
Submitted by: Florian Weimer <fweimer@redhat.com>
PR: 2909
Update test cases to cover internal error return values.
Remove IDNA wildcard filter.
Dr. Stephen Henson [Wed, 21 Nov 2012 14:02:40 +0000 (14:02 +0000)]
PR: 2908
Submitted by: Dmitry Belyavsky <beldmit@gmail.com>
Fix DH double free if parameter generation fails.
Dr. Stephen Henson [Tue, 20 Nov 2012 15:22:15 +0000 (15:22 +0000)]
fix printout of expiry days if -enddate is used in ca
Dr. Stephen Henson [Tue, 20 Nov 2012 15:20:40 +0000 (15:20 +0000)]
don't use psec or pdays if NULL
Dr. Stephen Henson [Tue, 20 Nov 2012 15:19:53 +0000 (15:19 +0000)]
first parameter is difference in days, not years
Dr. Stephen Henson [Tue, 20 Nov 2012 01:01:33 +0000 (01:01 +0000)]
reorganise SSL_CONF_cmd manual page and update some links