Age | Commit message (Collapse) | Author |
|
|
|
|
|
``The probability that a randomly generated key is weak is -1/2^52,
so it is not really worth checking for them.''
This kind of naively optimistic attitude is not compatible with security.
|
|
Jeff Trawick, Jean-Paul Calderone, Michal Bozon, Jeffrey Walton and Rich Salz,
via OpenSSL trunk (with some parts not applying to us, such as SSLv2 support,
at least partially removed).
|
|
|
|
|
|
|
|
Instead, fold their description in the main documentation, and update the
history section to mention them as well.
|
|
When EVP_des_cbc() was suggested, suggest EVP_aes_256_cbc() instead.
Remove mention of EVP_des_ede3_cbc() being the algorithm of choice for S/MIME.
Don't mention US-export limited RC2 algorithms, you'd better not know about
them.
|
|
RAND_event and RAND_screen.
|
|
functions.
|
|
|
|
|
|
|
|
ok jmc@
|
|
fine jmc@
|
|
|
|
pages instead of doing it in the Makefiles and move a libssl page where
it belongs.
ok miod@
|
|
existing RAND interfaces unchanged.
All interfaces allowing external feed or seed of the RNG (either from a file
or a local entropy gathering daemon) are kept for ABI compatibility, but are
no longer do anything.
While the OpenSSL PRNG was required 15+ years ago when many systems lacked
proper entropy collection, things have evolved and one can reasonably assume
it is better to use the kernel (system global) entropy pool rather than trying
to build one's own and having to compensate for thread scheduling...
<RANT>
Whoever thought that RAND_screen(), feeding the PRNG with the contents of the
local workstation's display, under Win32, was a smart idea, ought to be banned
from security programming.
</RANT>
ok beck@ deraadt@ tedu@
|
|
an alternative backend for BIGNUM calculations. It is PoC code that
is not enabled in OpenSSL and probably not used by anymore.
ok deraadt@
|
|
FPGA-based device is long obsolete.
|
|
external libraries that aren't covered by the same license.
|
|
relevant anymore. OpenSSL should have a better way to include 3rd
party engines: either completely and free or external. But including
a wrapper for a non-free wrapper in the code base does not make much
sense and could also be provided by the vendor.
ok deraadt@
|
|
non-free libraries. OpenSSL should have a better way to include 3rd
party engines: either completely free or external. But including a
wrapper for a non-free wrapper in the code base does not make much
sense and could also be provided by the vendor.
ok deraadt@
|
|
hardware.
The vendor_defns/cswift.h does not specify a copyright and
theoretically defaults to the OpenSSL license, but it also mentions
that it includes parts that have been "clipped" from CryptoSwift's
proprietary headers. This file should better include an explicit
copyright statement or mention OpenSSL's library instead of the
ambiguous "Attribution notice".
ok deraadt@
|
|
The vendor_defns/sureware.h file by Baltimore Technologies Ltd. has a
copyright that does not grant rights!
Vendor files should either include a compatible license in the
copyright statement or use OpenSSL's defaults, but adding a copyright
statement without any terms is not acceptable. It should not have
been included in the first place.
ok deraadt@
|
|
The vendor_defns/hw_ubsec.h file has a copyright that does not grant rights!
Vendor files should either include a compatible license in the
copyright statement or use OpenSSL's defaults, but adding a copyright
statement without any terms is not acceptable. It should not have
been included in the first place.
(The ubsec(4) kernel driver is not affected by this change)
ok deraadt@
|
|
old PCI accelerator that was EOL'ed in 2005.
ok deraadt@
|
|
|
|
|
|
Note that I missed two of these in the diff shown initially, thx
to the atrocious Makefile rule...
okay millert@, sthen@, basically
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ok deraadt@
|
|
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@
|
|
|
|
|
|
|
|
|
|
|
|
|