Skip to content
  1. Jul 21, 2001
    • Richard Levitte's avatar
      More Kerberos SSL patches from Vern Staats <staatsvr@asc.hpc.mil>. · acdf4afb
      Richard Levitte authored
      His comments are:
      
      This patch fixes the problem of modern Kerberos using "derived keys"
      to encrypt the authenticator by disabling the authenticator check
      for all derived keys enctypes.
      
      I think I've got all the bugfixes that Jeffrey and I discussed rolled
      into this.  There were some problems with Jeffrey's code to convert
      the authenticator's Kerberos timestring into struct tm (e.g. Z, -1900;
      it helps to have an actual decryptable authenticator to play with).
      So I've shamelessly pushed in my code, while stealing some bits from
      Jeffrey.
      acdf4afb
  2. Jul 20, 2001
    • Lutz Jänicke's avatar
      Updated explanation. · 6d3dec92
      Lutz Jänicke authored
      6d3dec92
    • Lutz Jänicke's avatar
      Some more documentation bits. · 2d3b6a5b
      Lutz Jänicke authored
      2d3b6a5b
    • Geoff Thorpe's avatar
      Currently, RSA code, when using no padding scheme, simply checks that input · 81d1998e
      Geoff Thorpe authored
      does not contain more bytes than the RSA modulus 'n' - it does not check
      that the input is strictly *less* than 'n'. Whether this should be the
      case or not is open to debate - however, due to security problems with
      returning miscalculated CRT results, the 'rsa_mod_exp' implementation in
      rsa_eay.c now performs a public-key exponentiation to verify the CRT result
      and in the event of an error will instead recalculate and return a non-CRT
      (more expensive) mod_exp calculation. As the mod_exp of 'I' is equivalent
      to the mod_exp of 'I mod n', and the verify result is automatically between
      0 and n-1 inclusive, the verify only matches the input if 'I' was less than
      'n', otherwise even a correct CRT calculation is only congruent to 'I' (ie.
      they differ by a multiple of 'n'). Rather than rejecting correct
      calculations and doing redundant and slower ones instead, this changes the
      equality check in the verification code to a congruence check.
      81d1998e
  3. Jul 17, 2001
  4. Jul 16, 2001
  5. Jul 15, 2001
  6. Jul 13, 2001
    • Dr. Stephen Henson's avatar
      · 534a1ed0
      Dr. Stephen Henson authored
      Allow OCSP server to handle multiple requests.
      
      Document new OCSP options.
      534a1ed0
  7. Jul 12, 2001
  8. Jul 11, 2001
  9. Jul 10, 2001