Merge from main trunk.
This commit is contained in:
Richard Levitte
parent
e1db7a5e30
commit
3476515195
11 changed files with 57 additions and 26 deletions
18
CHANGES
18
CHANGES
|
|
@ -4,6 +4,24 @@
|
|||
|
||||
Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
|
||||
|
||||
*) In ssl23_get_client_hello, generate an error message when faced
|
||||
with an initial SSL 3.0/TLS record that is too small to contain the
|
||||
first two bytes of the ClientHello message, i.e. client_version.
|
||||
(Note that this is a pathologic case that probably has never happened
|
||||
in real life.) The previous approach was to use the version number
|
||||
from the record header as a substitute; but our protocol choice
|
||||
should not depend on that one because it is not authenticated
|
||||
by the Finished messages.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
|
||||
not set then we don't setup the error code for issuer check errors
|
||||
to avoid possibly overwriting other errors which the callback does
|
||||
handle. If an application does set the flag then we assume it knows
|
||||
what it is doing and can handle the new informational codes
|
||||
appropriately.
|
||||
[Steve Henson]
|
||||
|
||||
*) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
|
||||
a general "ANY" type, as such it should be able to decode anything
|
||||
including tagged types. However it didn't check the class so it would
|
||||
|
|
|
|||
|
|
@ -274,7 +274,7 @@ my %table=(
|
|||
"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o:::::::::dlfcn:true64-shared",
|
||||
"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared",
|
||||
"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared",
|
||||
"FreeBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::",
|
||||
"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::",
|
||||
|
||||
#### Alpha Linux with GNU C and Compaq C setups
|
||||
# Special notes:
|
||||
|
|
|
|||
1
NEWS
1
NEWS
|
|
@ -15,6 +15,7 @@
|
|||
o MD4 now included.
|
||||
o Bugfix for SSL rollback padding check.
|
||||
o Support for external crypto device[1].
|
||||
o Enhanced EVP interafce.
|
||||
|
||||
[1] The support for external crypto devices is currently a separate
|
||||
distribution. See the file README.ENGINE.
|
||||
|
|
|
|||
4
STATUS
4
STATUS
|
|
@ -1,6 +1,6 @@
|
|||
|
||||
OpenSSL STATUS Last modified at
|
||||
______________ $Date: 2000/09/21 21:00:19 $
|
||||
______________ $Date: 2000/09/24 09:50:28 $
|
||||
|
||||
DEVELOPMENT STATE
|
||||
|
||||
|
|
@ -126,7 +126,7 @@
|
|||
The USE_TOD fix needed to be applied.
|
||||
There were warnings about -O3 triggering
|
||||
known optimizer bugs on that
|
||||
platform.
|
||||
platform. [FIXED]
|
||||
OpenBSD-x86 (2.7, gcc 2.95.2) - success
|
||||
alpha-cc (OSF1 V4.0) - success
|
||||
solaris-x86-gcc (5.8, gcc 2.95.2) - success
|
||||
|
|
|
|||
|
|
@ -315,6 +315,8 @@ static void ASN1_TYPE_component_free(ASN1_TYPE *a)
|
|||
case V_ASN1_OBJECT:
|
||||
ASN1_OBJECT_free(a->value.object);
|
||||
break;
|
||||
case V_ASN1_NULL:
|
||||
break;
|
||||
case V_ASN1_INTEGER:
|
||||
case V_ASN1_NEG_INTEGER:
|
||||
case V_ASN1_ENUMERATED:
|
||||
|
|
|
|||
|
|
@ -339,16 +339,15 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
|
|||
ret = X509_check_issued(issuer, x);
|
||||
if (ret == X509_V_OK)
|
||||
return 1;
|
||||
else
|
||||
{
|
||||
ctx->error = ret;
|
||||
ctx->current_cert = x;
|
||||
ctx->current_issuer = issuer;
|
||||
if ((ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK) && ctx->verify_cb)
|
||||
return ctx->verify_cb(0, ctx);
|
||||
else
|
||||
return 0;
|
||||
}
|
||||
/* If we haven't asked for issuer errors don't set ctx */
|
||||
if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
|
||||
return 0;
|
||||
|
||||
ctx->error = ret;
|
||||
ctx->current_cert = x;
|
||||
ctx->current_issuer = issuer;
|
||||
if (ctx->verify_cb)
|
||||
return ctx->verify_cb(0, ctx);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -325,7 +325,7 @@ Send encrypted mail using triple DES:
|
|||
Sign and encrypt mail:
|
||||
|
||||
openssl smime -sign -in ml.txt -signer my.pem -text \
|
||||
| openssl -encrypt -out mail.msg \
|
||||
| openssl smime -encrypt -out mail.msg \
|
||||
-from steve@openssl.org -to someone@somewhere \
|
||||
-subject "Signed and Encrypted message" -des3 user.pem
|
||||
|
||||
|
|
|
|||
|
|
@ -348,16 +348,21 @@ int ssl23_get_client_hello(SSL *s)
|
|||
* SSLv3 or tls1 header
|
||||
*/
|
||||
|
||||
v[0]=p[1]; /* major version */
|
||||
v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */
|
||||
/* We must look at client_version inside the Client Hello message
|
||||
* to get the correct minor version: */
|
||||
v[1]=p[10];
|
||||
/* However if we have only a pathologically small fragment of the
|
||||
* Client Hello message, we simply use the version from the
|
||||
* record header -- this is incorrect but unlikely to fail in
|
||||
* practice */
|
||||
* to get the correct minor version.
|
||||
* However if we have only a pathologically small fragment of the
|
||||
* Client Hello message, this would be difficult, we'd have
|
||||
* to read at least one additional record to find out.
|
||||
* This doesn't usually happen in real life, so we just complain
|
||||
* for now.
|
||||
*/
|
||||
if (p[3] == 0 && p[4] < 6)
|
||||
v[1]=p[2];
|
||||
{
|
||||
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
|
||||
goto err;
|
||||
}
|
||||
v[1]=p[10]; /* minor version according to client_version */
|
||||
if (v[1] >= TLS1_VERSION_MINOR)
|
||||
{
|
||||
if (!(s->options & SSL_OP_NO_TLSv1))
|
||||
|
|
|
|||
|
|
@ -1471,6 +1471,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
|
|||
#define SSL_R_READ_WRONG_PACKET_TYPE 212
|
||||
#define SSL_R_RECORD_LENGTH_MISMATCH 213
|
||||
#define SSL_R_RECORD_TOO_LARGE 214
|
||||
#define SSL_R_RECORD_TOO_SMALL 1093
|
||||
#define SSL_R_REQUIRED_CIPHER_MISSING 215
|
||||
#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
|
||||
#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
|
||||
|
|
|
|||
|
|
@ -327,6 +327,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
|
|||
{SSL_R_READ_WRONG_PACKET_TYPE ,"read wrong packet type"},
|
||||
{SSL_R_RECORD_LENGTH_MISMATCH ,"record length mismatch"},
|
||||
{SSL_R_RECORD_TOO_LARGE ,"record too large"},
|
||||
{SSL_R_RECORD_TOO_SMALL ,"record too small"},
|
||||
{SSL_R_REQUIRED_CIPHER_MISSING ,"required cipher missing"},
|
||||
{SSL_R_REUSE_CERT_LENGTH_NOT_ZERO ,"reuse cert length not zero"},
|
||||
{SSL_R_REUSE_CERT_TYPE_NOT_ZERO ,"reuse cert type not zero"},
|
||||
|
|
|
|||
|
|
@ -366,10 +366,6 @@ all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe
|
|||
banner:
|
||||
$banner
|
||||
|
||||
# Generate perlasm output files
|
||||
%.cpp:
|
||||
(cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F))
|
||||
|
||||
\$(TMP_D):
|
||||
\$(MKDIR) \$(TMP_D)
|
||||
# NB: uncomment out these lines if BIN_D, TEST_D and LIB_D are different
|
||||
|
|
@ -617,6 +613,14 @@ $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPT
|
|||
$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
|
||||
|
||||
print $defs;
|
||||
|
||||
if ($platform eq "linux-elf") {
|
||||
print <<"EOF";
|
||||
# Generate perlasm output files
|
||||
%.cpp:
|
||||
(cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F))
|
||||
EOF
|
||||
}
|
||||
print "###################################################################\n";
|
||||
print $rules;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue