of handshake failure
2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).
3. Changes to EVP
- adding of function EVP_PKEY_CTX_get0_peerkey
- Make function EVP_PKEY_derive_set_peerkey work for context with
ENCRYPT operation, because we use peerkey field in the context to
pass non-ephemeral secret key to GOST encrypt operation.
- added EVP_PKEY_CTRL_SET_IV control command. It is really
GOST-specific, but it is used in SSL code, so it has to go
in some header file, available during libssl compilation
4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data
5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
make debugging output which depends on constants defined there, work
and other KSSL_DEBUG output fixes
6. Declaration of real GOST ciphersuites, two authentication methods
SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST
7. Implementation of these methods.
8. Support for sending unsolicited serverhello extension if GOST
ciphersuite is selected. It is require for interoperability with
CryptoPro CSP 3.0 and 3.6 and controlled by
SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
This constant is added to SSL_OP_ALL, because it does nothing, if
non-GOST ciphersuite is selected, and all implementation of GOST
include compatibility with CryptoPro.
9. Support for CertificateVerify message without length field. It is
another CryptoPro bug, but support is made unconditional, because it
does no harm for draft-conforming implementation.
10. In tls1_mac extra copy of stream mac context is no more done.
When I've written currently commited code I haven't read
EVP_DigestSignFinal manual carefully enough and haven't noticed that
it does an internal digest ctx copying.
This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
CRYPTO_get_idptr_callback(), CRYPTO_thread_idptr() for a 'void *' type
thread ID, since the 'unsigned long' type of the existing thread ID
does not always work well.
Submitted by Tim Rice <tim@multitalents.net>. His comment is:
I noticed "make report" didn't show the cc version on most of
my System V platforms. This patch corrects this.
1107. He says:
This is a followup to the NetWare patch that was applied to beta3. It
does the following:
- Fixes a problem in the CLib build with undefined symbols.
- Adds the ability to use BSD sockets as the default for the OpenSSL
socket BIO. NetWare supports 2 flavors of sockets and our Apache
developers need BSD sockets as a configurable option when building
OpenSSL. This adds that for them.
- Updates to the INSTALL.NW file to explain new options.
I have tried very hard to make sure all the changes are in NetWare
specific files or guarded carefully to make sure they only impact
NetWare builds. I have tested the Windows build to make sure it does
not break that since we have made changes to mk1mf.pl.
We are still working the gcc cross compile for NetWare issue and hope
to have a patch for that before beta 6 is released.
compiled into *our* aplpications. That's because mingw is always
consistent with itself. Having library-side code linked into .dll
makes it possible to deploy the .dll with user-code compiled with
another compiler [which is pretty much the whole point behind Applink].
- hide the EC_KEY structure definition in ec_lcl.c + add
some functions to use/access the EC_KEY fields
- change the way how method specific data (ecdsa/ecdh) is
attached to a EC_KEY
- add ECDSA_sign_ex and ECDSA_do_sign_ex functions with
additional parameters for pre-computed values
- rebuild libeay.num from 0.9.7
during "make errors" and thus during "make update".
Fix lots of bugs that util/ck_errf.pl can detect automatically.
Various others of these are still left to fix; that's why
"make update" will complain loudly when run now.
1. "unsigned long long" isn't portable changed: to BN_ULLONG.
2. The LL prefix isn't allowed in VC++ but it isn't needed where it is used.
2. Avoid lots of compiler warnings about signed/unsigned mismatches.
3. Include new library directory pqueue in mk1mf build system.
4. Update symbols.
- possibility of re-creation of the blinding parameters after a
fixed number of uses (suggested by Bodo)
- calculatition of the rsa::e in case it's absent and p and q
are present (see bug report #785)
- improve the performance when if one rsa structure is shared by
more than a thread (see bug report #555)
- fix the problem described in bug report #827
- hide the definition ot the BN_BLINDING structure in bn_blind.c
- Enforce that there should be no policy settings when the language
is one of id-ppl-independent or id-ppl-inheritAll.
- Add functionality to ssltest.c so that it can process proxy rights
and check that they are set correctly. Rights consist of ASCII
letters, and the condition is a boolean expression that includes
letters, parenthesis, &, | and ^.
- Change the proxy certificate configurations so they get proxy
rights that are understood by ssltest.c.
- Add a script that tests proxy certificates with SSL operations.
Other changes:
- Change the copyright end year in mkerr.pl.
- make update.
we need to have them among the symbols that should appear in the
transfer table, at least on VMS (and it wouldn't surprise me if
Windows would whine as well).
PR: 732
Submitted by: Ilya Zakharevich <nospam-abuse@ilyaz.org>
Submitter's comment:
This patch:
a) Introduces a new file os2/backwardify.pl.
b) Introduces a new mk1mf.pl variable $preamble. As you can see, it may
be used also to move some OS-specific code to VC-CE too (the the
first chunk of the patch);
c) The DESCRIPTION specifier of the .def file is made more informative:
now it contains the version number too. On OS/2 it is made conformant
to OS/2 conventions; in particular, when one runs the standard command
BLDLEVEL this.DLL
one can see:
Vendor: www.openssl.org/
Revision: 0.9.7c
Description: OpenSSL: implementation of Secure Socket Layer; DLL for library crypto. Build for EMX -Zmtd
[I did not make Win32 descriptions as informative as this - I'm afraid to
break something. Be welcome to fix this.]
d) On OS/2 the generated DLL was hardly usable (it had a shared initialized
data segment).
e) On OS/2 the generated DLLs had names like ssl.dll. However, DLL names on
OS/2 are "global data". It is hard to have several DLLs with the same
name on the system. Thus this precluded coexistence of OpenSSL with DLLs
for other SLL implementations - or other name clashes. I transparently
changed the names of the DLLs to open_ssl.dll and cryptssl.dll.
f) The file added in (a) is used to create "forwarder" DLLs, so the
applications expecting the "old" DLL names may use the new DLLs
transparently. (A presence of these DLLs on the system nullifies (e),
but makes old applications work. This is a stopgap measure until the
old applications are relinked. Systems with no old applications do not
need these DLLs, so may enjoy all the benefits of (e).)
The new DLLs are placed in os2/ and os2/noname subdirectories.
g) The makefiles created with os2/OS2-EMX.cmd did not work (some mysterious
meaningless failures). The change to util/pl/OS2-EMX.pl uses the
variable introduced in (b) to switch the Makefiles to SHELL=sh syntax.
All these backslashes are removed, and the generated Makefiles started to
work.
h) Running os2/OS2-EMX.cmd now prints out what to do next.
compression identity is already present among the registered
compression methods, and if so, reject the addition request.
Declare SSL_COMP_get_compression_method() so it can be used properly.
Change ssltest.c so it checks what compression methods are available
and enumerates them. As a side-effect, built-in compression methods
will be automagically loaded that way. Additionally, change the
identities for ZLIB and RLE to be conformant to
draft-ietf-tls-compression-05.txt.
Finally, make update.
Next on my list: have the built-in compression methods added
"automatically" instead of requiring that the author call
SSL_COMP_add_compression_method() or
SSL_COMP_get_compression_methods().