From 06ddf8eb08af58e00032a5f8d381d837b82fa644 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Sat, 4 Apr 2009 19:54:06 +0000
Subject: [PATCH] Updates from 1.0.0-stable
---
apps/apps.c | 14 +++++++-------
apps/openssl.cnf | 6 +++---
crypto/bio/b_sock.c | 2 +-
crypto/objects/objects.h | 22 ++++++++++++++++------
crypto/pkcs12/p12_kiss.c | 2 +-
crypto/x509/x509.h | 1 +
crypto/x509v3/v3_alt.c | 1 +
ssl/s2_lib.c | 3 ---
ssl/ssl.h | 2 ++
ssl/ssl_lib.c | 3 +++
util/mk1mf.pl | 4 ++--
util/mkdef.pl | 6 +++++-
12 files changed, 42 insertions(+), 24 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index 957939599..7294c26f3 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -259,13 +259,6 @@ int str2fmt(char *s)
 return(FORMAT_ASN1);
 else if ((*s == 'T') || (*s == 't'))
 return(FORMAT_TEXT);
- else if ((*s == 'P') || (*s == 'p'))
- {
- if (s[1] == 'V' || s[1] == 'v')
- return FORMAT_PVK;
- else
- return(FORMAT_PEM);
- }
 else if ((*s == 'N') || (*s == 'n'))
 return(FORMAT_NETSCAPE);
 else if ((*s == 'S') || (*s == 's'))
@@ -278,6 +271,13 @@ int str2fmt(char *s)
 return(FORMAT_PKCS12);
 else if ((*s == 'E') || (*s == 'e'))
 return(FORMAT_ENGINE);
+ else if ((*s == 'P') || (*s == 'p'))
+ {
+ if (s[1] == 'V' || s[1] == 'v')
+ return FORMAT_PVK;
+ else
+ return(FORMAT_PEM);
+ }
 else
 return(FORMAT_UNDEF);
 }
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 7bcaa53ed..9d2cd5bfa 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -231,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
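Review bot: Dropping `issuer:always` from authorityKeyIdentifier in the `-231` hunk (and the same edit in the `-264` and `-297` hunks of this file) changes the AKI carried by every certificate and CRL produced from this config, yet nothing in the file records why. With `keyid:always` kept, the extension still fails to build when the issuing CA certificate has no subjectKeyIdentifier, so the dependency on `subjectKeyIdentifier=hash` for the CA remains; presumably the issuer-name/serial form was dropped because it binds the chain to one exact issuer certificate (serial included), which breaks after a CA re-issue or rekey. A one-line comment next to the changed settings, e.g. `# keyid only: issuer+serial ties the AKI to a single issuer cert and breaks CA rekey/reissue`, would keep the next editor from putting it back.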
@@ -264,7 +264,7 @@ basicConstraints = CA:true
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
@@ -297,7 +297,7 @@ nsComment = "OpenSSL Generated Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c
index 0eee25a0b..da0f126f1 100644
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -810,7 +810,7 @@ int BIO_accept(int sock, char **addr)
 #ifdef EAI_FAMILY
 # if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_BEOS_BONE) || defined(OPENSSL_SYS_MSDOS)
 # define SOCKLEN_T size_t
-# else
+# elif !defined(SOCKLEN_T)
 # define SOCKLEN_T socklen_t
 #endif
 do {
diff --git a/crypto/objects/objects.h b/crypto/objects/objects.h
index 65b6f0135..bd0ee52fe 100644
--- a/crypto/objects/objects.h
+++ b/crypto/objects/objects.h
@@ -1054,24 +1054,34 @@ const void * OBJ_bsearch_ex_(const void *key,const void *base,int num,
 * the non-constness means a lot of complication, and in practice
 * comparison routines do always not touch their arguments.
 */
-#define _IMPLEMENT_OBJ_BSEARCH_CMP_FN(scope, type1, type2, nm) \
+
+#define IMPLEMENT_OBJ_BSEARCH_CMP_FN(type1, type2, nm) \
 static int nm##_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_) \
 { \
 type1 const *a = a_; \
 type2 const *b = b_; \
 return nm##_cmp(a,b); \
 } \
- scope type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \
+ static type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \
 { \
 return (type2 *)OBJ_bsearch_(key, base, num, sizeof(type2), \
 nm##_cmp_BSEARCH_CMP_FN); \
 } \
 extern void dummy_prototype(void)
-#define IMPLEMENT_OBJ_BSEARCH_CMP_FN(type1, type2, cmp) \
- _IMPLEMENT_OBJ_BSEARCH_CMP_FN(static, type1, type2, cmp)
-#define IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, cmp) \
- _IMPLEMENT_OBJ_BSEARCH_CMP_FN(, type1, type2, cmp)
+#define IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, nm) \
+ static int nm##_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_) \
+ { \
+ type1 const *a = a_; \
+ type2 const *b = b_; \
+ return nm##_cmp(a,b); \
+ } \
+ type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \
+ { \
+ return (type2 *)OBJ_bsearch_(key, base, num, sizeof(type2), \
+ nm##_cmp_BSEARCH_CMP_FN); \
+ } \
+ extern void dummy_prototype(void)
 #define OBJ_bsearch(type1,key,type2,base,num,cmp) \
 ((type2 *)OBJ_bsearch_(CHECKED_PTR_OF(type1,key),CHECKED_PTR_OF(type2,base), \
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index 10ee5e7b9..292cc3ed4 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -81,7 +81,7 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 STACK_OF(X509) **ca)
 {
 STACK_OF(X509) *ocerts = NULL;
- X509 *x;
+ X509 *x = NULL;
 /* Check for NULL PKCS12 structure */
 if(!p12)
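Review bot: IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN now repeats the twelve-line body of IMPLEMENT_OBJ_BSEARCH_CMP_FN verbatim, the only difference being the missing `static` on `OBJ_bsearch_##nm`, and the header does not say why the shared `_IMPLEMENT_…` helper went away, so a later reader will be tempted to refactor the duplication back. Presumably the helper was dropped because `_IMPLEMENT_OBJ_BSEARCH_CMP_FN(, …)` passes an empty `scope` argument, which pre-C99 preprocessors reject, and because its name sits in the reserved `_[A-Z]` identifier space. A comment above the GLOBAL variant such as `/* Same as IMPLEMENT_OBJ_BSEARCH_CMP_FN except that OBJ_bsearch_##nm has external linkage; written out in full because an empty 'scope' macro argument is not portable. */` would record that and make the intentional duplication obvious.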
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index e779c334e..3beb69965 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -116,6 +116,7 @@ extern "C" {
 /* Under Win32 these are defined in wincrypt.h */
 #undef X509_NAME
 #undef X509_CERT_PAIR
+#undef X509_EXTENSIONS
 #endif
 #define X509_FILETYPE_PEM 1
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 19b3a8b62..b13c5674a 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -605,6 +605,7 @@ static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
 if (!ret)
 X509_NAME_free(nm);
 gen->d.dirn = nm;
+ X509V3_section_free(ctx, sk);
 return ret;
 }
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 907e30525..991460410 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -412,9 +412,6 @@ long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
 return(0);
 }
-IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
- ssl_cipher_id);
-
 /* This function needs to check if the ciphers required are actually
 * available */
 const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 893eb6ece..e8d03bf91 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1595,9 +1595,11 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
+#ifndef OPENSSL_NO_SSL2
 const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+#endif
 const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
 const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 17fc53663..24cd4268e 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
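Review bot: On the failure path of do_dirname, `gen->d.dirn = nm;` still stores `nm` after `X509_NAME_free(nm)` has run, so the GENERAL_NAME leaves the function holding a dangling pointer; whether anything dereferences or frees it again depends on the caller's error handling outside this hunk, but a freed pointer parked in a structure that is handed back is a use-after-free or double-free waiting for the next refactor. Storing the name only when it was built successfully removes that hazard without touching the success path: `gen->d.dirn = ret ? nm : NULL;`. The new `X509V3_section_free(ctx, sk)` call correctly releases the section on both paths and is unaffected. do_dirname's body begins outside the hunk.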
@@ -2986,3 +2986,6 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
 IMPLEMENT_STACK_OF(SSL_CIPHER)
 IMPLEMENT_STACK_OF(SSL_COMP)
+IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
+ ssl_cipher_id);
+
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 0ed7cb4ac..6b052fa31 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -736,8 +736,8 @@ sub var_add
 @a=grep(!/^e_camellia$/,@a) if $no_camellia;
 @a=grep(!/^e_seed$/,@a) if $no_seed;
- @a=grep(!/(^s2_)|(^s23_)/,@a) if $no_ssl2;
- @a=grep(!/(^s3_)|(^s23_)/,@a) if $no_ssl3;
+ #@a=grep(!/(^s2_)|(^s23_)/,@a) if $no_ssl2;
+ #@a=grep(!/(^s3_)|(^s23_)/,@a) if $no_ssl3;
 @a=grep(!/(_sock$)|(_acpt$)|(_conn$)|(^pxy_)/,@a) if $no_sock;
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 96aa51af2..29a5b9657 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -103,6 +103,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 "CMS",
 # CryptoAPI Engine
 "CAPIENG",
+ # SSL v2
+ "SSL2",
 # JPAKE
 "JPAKE",
 # Deprecated functions
@@ -125,7 +127,7 @@ my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5; my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated; my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
-my $no_jpake;
+my $no_jpake; my $no_ssl2;
 my $zlib;
@@ -213,6 +215,7 @@ foreach (@ARGV, split(/ /, $options))
 elsif (/^no-rfc3779$/) { $no_rfc3779=1; }
 elsif (/^no-tlsext$/) { $no_tlsext=1; }
 elsif (/^no-cms$/) { $no_cms=1; }
+ elsif (/^no-ssl2$/) { $no_ssl2=1; }
 elsif (/^no-capieng$/) { $no_capieng=1; }
 elsif (/^no-jpake$/) { $no_jpake=1; }
 }
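Review bot: The two source-filtering lines in var_add are commented out rather than removed, leaving dead `#@a=grep(...)` text with no explanation of why s2_/s3_/s23_ files are no longer dropped for `$no_ssl2`/`$no_ssl3`, so a reader cannot tell whether this is a temporary experiment or a deliberate policy. Since the same patch adds an `SSL2` keyword to mkdef.pl and wraps the SSLv2 prototypes in ssl.h in `#ifndef OPENSSL_NO_SSL2`, the intent appears to be that no-ssl2 is handled inside the sources instead of by omitting files from the build. Either delete the two lines or replace them with a comment that says so, e.g. `# s2_/s3_/s23_ sources are always compiled; no-ssl2 is handled by the OPENSSL_NO_SSL2 guards inside them`. The rest of var_add lies outside the hunk.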
@@ -1145,6 +1148,7 @@ sub is_valid
 if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
 if ($keyword eq "PSK" && $no_psk) { return 0; }
 if ($keyword eq "CMS" && $no_cms) { return 0; }
+ if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
 if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
 if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
 if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }