diff --git a/CHANGES b/CHANGES index 116f278955..208ec0831c 100644 --- a/CHANGES +++ b/CHANGES @@ -4,7 +4,9 @@ Changes between 0.9.6j and 0.9.6k [xx XXX 2003] - *) + *) Change X509_cretificate_type() to mark the key as exported/exportable + when it's 512 *bits* long, not 512 bytes. + [Richard Levitte] Changes between 0.9.6i and 0.9.6j [10 Apr 2003] diff --git a/bugs/SSLv3 b/bugs/SSLv3 index db53e1343a..a75a1652d9 100644 --- a/bugs/SSLv3 +++ b/bugs/SSLv3 @@ -29,7 +29,7 @@ RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when doing a re-connect, always takes the first cipher in the cipher list. If we accept a netscape connection, demand a client cert, have a -non-self-sighed CA which does not have it's CA in netscape, and the +non-self-signed CA which does not have it's CA in netscape, and the browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta Netscape browsers do not really notice the server sending a diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index 9a57eba270..91fcbb4335 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -274,7 +274,7 @@ int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str) * otherwise it is the number of bytes per character */ -const static char tag2nbyte[] = { +const static signed char tag2nbyte[] = { -1, -1, -1, -1, -1, /* 0-4 */ -1, -1, -1, -1, -1, /* 5-9 */ -1, -1, 0, -1, /* 10-13 */ diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 65dc5eda27..c61991a78d 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -123,7 +123,7 @@ extern "C" { #define B_ASN1_NUMERICSTRING 0x0001 #define B_ASN1_PRINTABLESTRING 0x0002 #define B_ASN1_T61STRING 0x0004 -#define B_ASN1_TELETEXSTRING 0x0008 +#define B_ASN1_TELETEXSTRING 0x0004 #define B_ASN1_VIDEOTEXSTRING 0x0008 #define B_ASN1_IA5STRING 0x0010 #define B_ASN1_GRAPHICSTRING 0x0020 diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index fa4e350a7f..b40d494fa9 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -825,5 +825,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) * had the buffer been large enough.) */ return -1; else - return (retlen <= INT_MAX) ? retlen : -1; + return (retlen <= INT_MAX) ? (int)retlen : -1; } diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c index c90238bae1..096b84ca89 100644 --- a/crypto/bio/bf_buff.c +++ b/crypto/bio/bf_buff.c @@ -495,6 +495,7 @@ static int buffer_gets(BIO *b, char *buf, int size) if (i <= 0) { BIO_copy_next_retry(b); + *buf='\0'; if (i < 0) return((num > 0)?num:i); if (i == 0) return(num); } diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c index 90592718d6..f8a5ba7c75 100644 --- a/crypto/bn/bn_mul.c +++ b/crypto/bn/bn_mul.c @@ -224,7 +224,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn, int n, BN_ULONG *t) { int i,j,n2=n*2; - unsigned int c1,c2,neg,zero; + int c1,c2,neg,zero; BN_ULONG ln,lo,*p; # ifdef BN_COUNT diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c index acf09f5a08..1e38e87773 100644 --- a/crypto/dso/dso_dlfcn.c +++ b/crypto/dso/dso_dlfcn.c @@ -123,7 +123,11 @@ DSO_METHOD *DSO_METHOD_dlfcn(void) # endif # endif #else -# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */ +# ifdef OPENSSL_SYS_SUNOS +# define DLOPEN_FLAG 1 +# else +# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */ +# endif #endif /* For this DSO_METHOD, our meth_data STACK will contain; diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 5df32b4fe6..ad6d31f0f2 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -292,7 +292,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) st_idx=0; } } - memset((char *)&m,0,sizeof(m)); + OPENSSL_cleanse((char *)&m,sizeof(m)); if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); /* Don't just copy back local_md into md -- this could mean that @@ -493,7 +493,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) MD_Final(md,&m); CRYPTO_w_unlock(CRYPTO_LOCK_RAND); - memset(&m,0,sizeof(m)); + OPENSSL_cleanse(&m,sizeof(m)); if (ok) return(1); else diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c index ce16936785..62229d97da 100644 --- a/crypto/rand/rand_egd.c +++ b/crypto/rand/rand_egd.c @@ -102,7 +102,7 @@ int RAND_egd(const char *path) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - if (strlen(path) > sizeof(addr.sun_path)) + if (strlen(path) >= sizeof(addr.sun_path)) return (-1); strcpy(addr.sun_path,path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); @@ -134,7 +134,7 @@ int RAND_egd_bytes(const char *path,int bytes) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - if (strlen(path) > sizeof(addr.sun_path)) + if (strlen(path) >= sizeof(addr.sun_path)) return (-1); strcpy(addr.sun_path,path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c index f0271fdfa1..1e718f76eb 100644 --- a/crypto/x509/x509_obj.c +++ b/crypto/x509/x509_obj.c @@ -94,6 +94,7 @@ int i; OPENSSL_free(b); } strncpy(buf,"NO X509_NAME",len); + buf[len-1]='\0'; return buf; } diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index 8e78b34458..f78c2a6b43 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -99,14 +99,15 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) case EVP_PKEY_RSA: ret|=EVP_PKS_RSA; break; - case EVP_PKS_DSA: + case EVP_PKEY_DSA: ret|=EVP_PKS_DSA; break; default: break; } - if (EVP_PKEY_size(pk) <= 512) + if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look + for, not bytes */ ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); return(ret); diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 5c07e53f66..67c9c96305 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -168,7 +168,7 @@ Diffie-Hellman) key exchange should be used instead. =item SSL_OP_NETSCAPE_CA_DN_BUG If we accept a netscape connection, demand a client cert, have a -non-self-sighed CA which does not have it's CA in netscape, and the +non-self-signed CA which does not have it's CA in netscape, and the browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG diff --git a/e_os.h b/e_os.h index a0ea45fbee..b4441bc052 100644 --- a/e_os.h +++ b/e_os.h @@ -303,6 +303,8 @@ extern "C" { # define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP * (unless when compiling with -D_POSIX_SOURCE, * which doesn't work for us) */ +# endif +# if defined(NeXT) || defined(OPENSSL_SYS_NEWS4) || defined(OPENSSL_SYS_SUNOS) # define ssize_t int /* ditto */ # endif # ifdef NEWS4 /* setvbuf is missing on mips-sony-bsd */