diff options
author | levitte <levitte> | 2003-06-19 23:25:55 +0000 |
---|---|---|
committer | levitte <levitte> | 2003-06-19 23:25:55 +0000 |
commit | c4bb3e1e168638117159d6049ae2927f37cd90cb (patch) | |
tree | d04911f77eea9e37fe33522d17f0f424143c875a | |
parent | 877299d27eb0842ca25dfb09b5ff786c0695d833 (diff) | |
download | openssl-c4bb3e1e168638117159d6049ae2927f37cd90cb.tar.gz |
Bring 0.9.6 [engine] up to date with 0.9.6.
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | bugs/SSLv3 | 10 | ||||
-rw-r--r-- | crypto/asn1/a_strex.c | 2 | ||||
-rw-r--r-- | crypto/asn1/asn1.h | 2 | ||||
-rw-r--r-- | crypto/bio/b_print.c | 2 | ||||
-rw-r--r-- | crypto/bio/bf_buff.c | 1 | ||||
-rw-r--r-- | crypto/bn/bn_mul.c | 2 | ||||
-rw-r--r-- | crypto/dso/dso_dlfcn.c | 6 | ||||
-rw-r--r-- | crypto/rand/md_rand.c | 4 | ||||
-rw-r--r-- | crypto/rand/rand_egd.c | 4 | ||||
-rw-r--r-- | crypto/x509/x509_obj.c | 1 | ||||
-rw-r--r-- | crypto/x509/x509type.c | 16 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 2 | ||||
-rw-r--r-- | e_os.h | 2 |
14 files changed, 38 insertions, 20 deletions
@@ -4,7 +4,9 @@ Changes between 0.9.6j and 0.9.6k [xx XXX 2003] - *) + *) Change X509_cretificate_type() to mark the key as exported/exportable + when it's 512 *bits* long, not 512 bytes. + [Richard Levitte] Changes between 0.9.6i and 0.9.6j [10 Apr 2003] diff --git a/bugs/SSLv3 b/bugs/SSLv3 index 2e22a65cd..a75a1652d 100644 --- a/bugs/SSLv3 +++ b/bugs/SSLv3 @@ -29,7 +29,7 @@ RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when doing a re-connect, always takes the first cipher in the cipher list. If we accept a netscape connection, demand a client cert, have a -non-self-sighed CA which does not have it's CA in netscape, and the +non-self-signed CA which does not have it's CA in netscape, and the browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta Netscape browsers do not really notice the server sending a @@ -39,3 +39,11 @@ SSL_shutdown() and still sharing the socket with its parent). Netscape, when using export ciphers, will accept a 1024 bit temporary RSA key. It is supposed to only accept 512. + +If Netscape connects to a server which requests a client certificate +it will frequently hang after the user has selected one and never +complete the connection. Hitting "Stop" and reload fixes this and +all subsequent connections work fine. This appears to be because +Netscape wont read any new records in when it is awaiting a server +done message at this point. The fix is to send the certificate request +and server done messages in one record. diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index 9a57eba27..91fcbb433 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -274,7 +274,7 @@ int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str) * otherwise it is the number of bytes per character */ -const static char tag2nbyte[] = { +const static signed char tag2nbyte[] = { -1, -1, -1, -1, -1, /* 0-4 */ -1, -1, -1, -1, -1, /* 5-9 */ -1, -1, 0, -1, /* 10-13 */ diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 65dc5eda2..c61991a78 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -123,7 +123,7 @@ extern "C" { #define B_ASN1_NUMERICSTRING 0x0001 #define B_ASN1_PRINTABLESTRING 0x0002 #define B_ASN1_T61STRING 0x0004 -#define B_ASN1_TELETEXSTRING 0x0008 +#define B_ASN1_TELETEXSTRING 0x0004 #define B_ASN1_VIDEOTEXSTRING 0x0008 #define B_ASN1_IA5STRING 0x0010 #define B_ASN1_GRAPHICSTRING 0x0020 diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index fa4e350a7..b40d494fa 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -825,5 +825,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) * had the buffer been large enough.) */ return -1; else - return (retlen <= INT_MAX) ? retlen : -1; + return (retlen <= INT_MAX) ? (int)retlen : -1; } diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c index c90238bae..096b84ca8 100644 --- a/crypto/bio/bf_buff.c +++ b/crypto/bio/bf_buff.c @@ -495,6 +495,7 @@ static int buffer_gets(BIO *b, char *buf, int size) if (i <= 0) { BIO_copy_next_retry(b); + *buf='\0'; if (i < 0) return((num > 0)?num:i); if (i == 0) return(num); } diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c index 90592718d..f8a5ba7c7 100644 --- a/crypto/bn/bn_mul.c +++ b/crypto/bn/bn_mul.c @@ -224,7 +224,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn, int n, BN_ULONG *t) { int i,j,n2=n*2; - unsigned int c1,c2,neg,zero; + int c1,c2,neg,zero; BN_ULONG ln,lo,*p; # ifdef BN_COUNT diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c index acf09f5a0..1e38e8777 100644 --- a/crypto/dso/dso_dlfcn.c +++ b/crypto/dso/dso_dlfcn.c @@ -123,7 +123,11 @@ DSO_METHOD *DSO_METHOD_dlfcn(void) # endif # endif #else -# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */ +# ifdef OPENSSL_SYS_SUNOS +# define DLOPEN_FLAG 1 +# else +# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */ +# endif #endif /* For this DSO_METHOD, our meth_data STACK will contain; diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 5df32b4fe..ad6d31f0f 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -292,7 +292,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) st_idx=0; } } - memset((char *)&m,0,sizeof(m)); + OPENSSL_cleanse((char *)&m,sizeof(m)); if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); /* Don't just copy back local_md into md -- this could mean that @@ -493,7 +493,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) MD_Final(md,&m); CRYPTO_w_unlock(CRYPTO_LOCK_RAND); - memset(&m,0,sizeof(m)); + OPENSSL_cleanse(&m,sizeof(m)); if (ok) return(1); else diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c index ce1693678..62229d97d 100644 --- a/crypto/rand/rand_egd.c +++ b/crypto/rand/rand_egd.c @@ -102,7 +102,7 @@ int RAND_egd(const char *path) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - if (strlen(path) > sizeof(addr.sun_path)) + if (strlen(path) >= sizeof(addr.sun_path)) return (-1); strcpy(addr.sun_path,path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); @@ -134,7 +134,7 @@ int RAND_egd_bytes(const char *path,int bytes) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - if (strlen(path) > sizeof(addr.sun_path)) + if (strlen(path) >= sizeof(addr.sun_path)) return (-1); strcpy(addr.sun_path,path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c index f0271fdfa..1e718f76e 100644 --- a/crypto/x509/x509_obj.c +++ b/crypto/x509/x509_obj.c @@ -94,6 +94,7 @@ int i; OPENSSL_free(b); } strncpy(buf,"NO X509_NAME",len); + buf[len-1]='\0'; return buf; } diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index 42c23bcfc..f78c2a6b4 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -58,13 +58,11 @@ #include <stdio.h> #include "cryptlib.h" -#include "evp.h" -#include "objects.h" -#include "x509.h" +#include <openssl/evp.h> +#include <openssl/objects.h> +#include <openssl/x509.h> -int X509_certificate_type(x,pkey) -X509 *x; -EVP_PKEY *pkey; +int X509_certificate_type(X509 *x, EVP_PKEY *pkey) { EVP_PKEY *pk; int ret=0,i; @@ -101,15 +99,17 @@ EVP_PKEY *pkey; case EVP_PKEY_RSA: ret|=EVP_PKS_RSA; break; - case EVP_PKS_DSA: + case EVP_PKEY_DSA: ret|=EVP_PKS_DSA; break; default: break; } - if (EVP_PKEY_size(pkey) <= 512) + if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look + for, not bytes */ ret|=EVP_PKT_EXP; + if(pkey==NULL) EVP_PKEY_free(pk); return(ret); } diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 5c07e53f6..67c9c9630 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -168,7 +168,7 @@ Diffie-Hellman) key exchange should be used instead. =item SSL_OP_NETSCAPE_CA_DN_BUG If we accept a netscape connection, demand a client cert, have a -non-self-sighed CA which does not have it's CA in netscape, and the +non-self-signed CA which does not have it's CA in netscape, and the browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG @@ -303,6 +303,8 @@ extern "C" { # define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP * (unless when compiling with -D_POSIX_SOURCE, * which doesn't work for us) */ +# endif +# if defined(NeXT) || defined(OPENSSL_SYS_NEWS4) || defined(OPENSSL_SYS_SUNOS) # define ssize_t int /* ditto */ # endif # ifdef NEWS4 /* setvbuf is missing on mips-sony-bsd */ |