Bring 0.9.6 [engine] up to date with 0.9.6.

14 files changed, 38 insertions, 20 deletions

diff --git a/CHANGES b/CHANGES
index 116f27895..208ec0831 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,9 @@
 
  Changes between 0.9.6j and 0.9.6k  [xx XXX 2003]
 
-  *) 
+  *) Change X509_cretificate_type() to mark the key as exported/exportable
+     when it's 512 *bits* long, not 512 bytes.
+     [Richard Levitte]
 
  Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
 
diff --git a/bugs/SSLv3 b/bugs/SSLv3
index 2e22a65cd..a75a1652d 100644
--- a/bugs/SSLv3
+++ b/bugs/SSLv3
@@ -29,7 +29,7 @@ RC4-MD5, but a re-connect tries to use DES-CBC-SHA.  So netscape, when
 doing a re-connect, always takes the first cipher in the cipher list.
 
 If we accept a netscape connection, demand a client cert, have a
-non-self-sighed CA which does not have it's CA in netscape, and the
+non-self-signed CA which does not have it's CA in netscape, and the
 browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta
 
 Netscape browsers do not really notice the server sending a
@@ -39,3 +39,11 @@ SSL_shutdown() and still sharing the socket with its parent).
 
 Netscape, when using export ciphers, will accept a 1024 bit temporary
 RSA key.  It is supposed to only accept 512.
+
+If Netscape connects to a server which requests a client certificate
+it will frequently hang after the user has selected one and never
+complete the connection. Hitting "Stop" and reload fixes this and
+all subsequent connections work fine. This appears to be because 
+Netscape wont read any new records in when it is awaiting a server
+done message at this point. The fix is to send the certificate request
+and server done messages in one record.
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
index 9a57eba27..91fcbb433 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -274,7 +274,7 @@ int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
  * otherwise it is the number of bytes per character
  */
 
-const static char tag2nbyte[] = {
+const static signed char tag2nbyte[] = {
 	-1, -1, -1, -1, -1,	/* 0-4 */
 	-1, -1, -1, -1, -1,	/* 5-9 */
 	-1, -1, 0, -1,		/* 10-13 */
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 65dc5eda2..c61991a78 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -123,7 +123,7 @@ extern "C" {
 #define B_ASN1_NUMERICSTRING	0x0001
 #define B_ASN1_PRINTABLESTRING	0x0002
 #define B_ASN1_T61STRING	0x0004
-#define B_ASN1_TELETEXSTRING	0x0008
+#define B_ASN1_TELETEXSTRING	0x0004
 #define B_ASN1_VIDEOTEXSTRING	0x0008
 #define B_ASN1_IA5STRING	0x0010
 #define B_ASN1_GRAPHICSTRING	0x0020
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index fa4e350a7..b40d494fa 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -825,5 +825,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
 		 * had the buffer been large enough.) */
 		return -1;
 	else
-		return (retlen <= INT_MAX) ? retlen : -1;
+		return (retlen <= INT_MAX) ? (int)retlen : -1;
 	}
diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c
index c90238bae..096b84ca8 100644
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@@ -495,6 +495,7 @@ static int buffer_gets(BIO *b, char *buf, int size)
 			if (i <= 0)
 				{
 				BIO_copy_next_retry(b);
+				*buf='\0';
 				if (i < 0) return((num > 0)?num:i);
 				if (i == 0) return(num);
 				}
diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c
index 90592718d..f8a5ba7c7 100644
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -224,7 +224,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
 	     int n, BN_ULONG *t)
 	{
 	int i,j,n2=n*2;
-	unsigned int c1,c2,neg,zero;
+	int c1,c2,neg,zero;
 	BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
index acf09f5a0..1e38e8777 100644
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -123,7 +123,11 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
 #		endif
 #	endif
 #else
-#	define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#	ifdef OPENSSL_SYS_SUNOS
+#		define DLOPEN_FLAG 1
+#	else
+#		define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#	endif
 #endif
 
 /* For this DSO_METHOD, our meth_data STACK will contain;
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 5df32b4fe..ad6d31f0f 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -292,7 +292,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 				st_idx=0;
 			}
 		}
-	memset((char *)&m,0,sizeof(m));
+	OPENSSL_cleanse((char *)&m,sizeof(m));
 
 	if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	/* Don't just copy back local_md into md -- this could mean that
@@ -493,7 +493,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 	MD_Final(md,&m);
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
-	memset(&m,0,sizeof(m));
+	OPENSSL_cleanse(&m,sizeof(m));
 	if (ok)
 		return(1);
 	else
diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c
index ce1693678..62229d97d 100644
--- a/crypto/rand/rand_egd.c
+++ b/crypto/rand/rand_egd.c
@@ -102,7 +102,7 @@ int RAND_egd(const char *path)
 
 	memset(&addr, 0, sizeof(addr));
 	addr.sun_family = AF_UNIX;
-	if (strlen(path) > sizeof(addr.sun_path))
+	if (strlen(path) >= sizeof(addr.sun_path))
 		return (-1);
 	strcpy(addr.sun_path,path);
 	len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
@@ -134,7 +134,7 @@ int RAND_egd_bytes(const char *path,int bytes)
 
 	memset(&addr, 0, sizeof(addr));
 	addr.sun_family = AF_UNIX;
-	if (strlen(path) > sizeof(addr.sun_path))
+	if (strlen(path) >= sizeof(addr.sun_path))
 		return (-1);
 	strcpy(addr.sun_path,path);
 	len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index f0271fdfa..1e718f76e 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -94,6 +94,7 @@ int i;
 		OPENSSL_free(b);
 		}
 	    strncpy(buf,"NO X509_NAME",len);
+	    buf[len-1]='\0';
 	    return buf;
 	    }
 
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 42c23bcfc..f78c2a6b4 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -58,13 +58,11 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include "evp.h"
-#include "objects.h"
-#include "x509.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
 
-int X509_certificate_type(x,pkey)
-X509 *x;
-EVP_PKEY *pkey;
+int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
 	{
 	EVP_PKEY *pk;
 	int ret=0,i;
@@ -101,15 +99,17 @@ EVP_PKEY *pkey;
 	case EVP_PKEY_RSA:
 		ret|=EVP_PKS_RSA;
 		break;
-	case EVP_PKS_DSA:
+	case EVP_PKEY_DSA:
 		ret|=EVP_PKS_DSA;
 		break;
 	default:
 		break;
 		}
 
-	if (EVP_PKEY_size(pkey) <= 512)
+	if (EVP_PKEY_size(pk) <= 512/8)	/* /8 because it's 512 bits we look
+					   for, not bytes */
 		ret|=EVP_PKT_EXP;
+	if(pkey==NULL) EVP_PKEY_free(pk);
 	return(ret);
 	}
 
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 5c07e53f6..67c9c9630 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -168,7 +168,7 @@ Diffie-Hellman) key exchange should be used instead.
 =item SSL_OP_NETSCAPE_CA_DN_BUG
 
 If we accept a netscape connection, demand a client cert, have a
-non-self-sighed CA which does not have it's CA in netscape, and the
+non-self-signed CA which does not have it's CA in netscape, and the
 browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta 
 
 =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
diff --git a/e_os.h b/e_os.h
index a0ea45fbe..b4441bc05 100644
--- a/e_os.h
+++ b/e_os.h
@@ -303,6 +303,8 @@ extern "C" {
 #      define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP
                          * (unless when compiling with -D_POSIX_SOURCE,
                          * which doesn't work for us) */
+#    endif
+#    if defined(NeXT) || defined(OPENSSL_SYS_NEWS4) || defined(OPENSSL_SYS_SUNOS)
 #      define ssize_t int /* ditto */
 #    endif
 #    ifdef NEWS4 /* setvbuf is missing on mips-sony-bsd */