Merge of main trunk, no conflicts this time

2000-09-09 18:10:35 +00:00 · 2000-09-09 18:10:35 +00:00 · ef413a7ee8
commit ef413a7ee8
parent dcd4d341e1
12 changed files with 118 additions and 31 deletions
--- a/38
+++ b/38
@ -10,6 +10,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the linker complain about undefined symbols?
 * Where can I get a compiled version of OpenSSL?
 * I've compiled a program under Windows and it crashes: why?
+* How do I read or write a DER encoded buffer using the ASN1 functions?
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
 * I've called <some function> and it fails, why?
 * I just get a load of numbers for the error output, what do they mean?
@ -182,6 +183,43 @@ otherwise the conflict will cause a program to crash: typically on the
 first BIO related read or write operation.


+* How do I read or write a DER encoded buffer using the ASN1 functions?
+
+You have two options. You can either use a memory BIO in conjunction
+with the i2d_XXX_bio() or d2i_XXX_bio() functions or you can use the
+i2d_XXX(), d2i_XXX() functions directly. Since these are often the
+cause of grief here are some code fragments using PKCS7 as an example:
+
+unsigned char *buf, *p;
+int len;
+
+len = i2d_PKCS7(p7, NULL);
+buf = OPENSSL_Malloc(len); /* or Malloc, error checking omitted */
+p = buf;
+i2d_PKCS7(p7, &p);
+
+At this point buf contains the len bytes of the DER encoding of
+p7.
+
+The opposite assumes we already have len bytes in buf:
+
+unsigned char *p;
+p = buf;
+p7 = d2i_PKCS7(NULL, &p, len);
+
+At this point p7 contains a valid PKCS7 structure of NULL if an error
+occurred. If an error occurred ERR_print_errors(bio) should give more
+information.
+
+The reason for the temporary variable 'p' is that the ASN1 functions
+increment the passed pointer so it is ready to read or write the next
+structure. This is often a cause of problems: without the temporary
+variable the buffer pointer is changed to point just after the data
+that has been read or written. This may well be uninitialized data
+and attempts to free the buffer will have unpredictable results
+because it no longer points to the same address.
+
+
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?

 This usually happens when you try compiling something using the PKCS#12
--- a/20
+++ b/20
@ -124,9 +124,12 @@
     OpenSSL binary ("openssl"). The libraries will be built in the top-level
     directory, and the binary will be in the "apps" directory.

-     If "make" fails, please report the problem to <openssl-bugs@openssl.org>
-     (note that your message will be forwarded to a public mailing list).
-     Include the output of "make report" in your message.
+     If "make" fails, look at the output.  There may be reasons for
+     the failure that isn't a problem in OpenSSL itself (like missing
+     standard headers).  If it is a problem with OpenSSL itself, please
+     report the problem to <openssl-bugs@openssl.org> (note that your
+     message will be forwarded to a public mailing list).  Include the
+     output of "make report" in your message.

     [If you encounter assembler error messages, try the "no-asm"
     configuration option as an immediate fix.]
@ -138,10 +141,13 @@

       $ make test

-    If a test fails, try removing any compiler optimization flags from
-    the CFLAGS line in Makefile.ssl and run "make clean; make". Please
-    send a bug report to <openssl-bugs@openssl.org>, including the
-    output of "make report".
+     If a test fails, look at the output.  There may be reasons for
+     the failure that isn't a problem in OpenSSL itself (like a missing
+     or malfunctioning bc).  If it is a problem with OpenSSL itself,
+     try removing any compiler optimization flags from the CFLAGS line
+     in Makefile.ssl and run "make clean; make". Please send a bug
+     report to <openssl-bugs@openssl.org>, including the output of
+     "make report".

  4. If everything tests ok, install OpenSSL with

--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@ -56,6 +56,7 @@
 *
 */
 #include "apps.h"
+#include <string.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@ -57,6 +57,7 @@
 */

 #include <stdio.h>
+#include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@ -113,11 +113,9 @@ ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **a, unsigned char **pp, long length)
 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
 	{
 	struct tm *ts;
-#if defined(THREADS) && !defined(WIN32)
+#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
 	struct tm data;
-#endif

-#if defined(THREADS) && !defined(WIN32)
 	gmtime_r(&t,&data);
 	ts=&data; /* should return &data, but doesn't on some systems, so we don't even look at the return value */
 #else
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@ -193,7 +193,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 	{
 	char *p;
 	struct tm *ts;
-#if defined(THREADS) && !defined(WIN32)
+#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
+
 	struct tm data;
 #endif

@ -202,7 +203,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 	if (s == NULL)
 		return(NULL);

-#if defined(THREADS) && !defined(WIN32)
+#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
 	gmtime_r(&t,&data); /* should return &data, but doesn't on some systems, so we don't even look at the return value */
 	ts=&data;
 #else
@ -285,7 +286,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)

 	t -= offset*60; /* FIXME: may overflow in extreme cases */

-#if defined(THREADS) && !defined(WIN32)
+#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
 	{ struct tm data; gmtime_r(&t, &data); tm = &data; }
 #else
 	tm = gmtime(&t);
--- a/crypto/bio/bss_rtcp.c
+++ b/crypto/bio/bss_rtcp.c
@ -88,11 +88,11 @@ struct rpc_ctx {
    struct rpc_msg msg;
 };

-static int rtcp_write(BIO *h,char *buf,int num);
+static int rtcp_write(BIO *h,const char *buf,int num);
 static int rtcp_read(BIO *h,char *buf,int size);
-static int rtcp_puts(BIO *h,char *str);
+static int rtcp_puts(BIO *h,const char *str);
 static int rtcp_gets(BIO *h,char *str,int size);
-static long rtcp_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static long rtcp_ctrl(BIO *h,int cmd,long arg1,void *arg2);
 static int rtcp_new(BIO *h);
 static int rtcp_free(BIO *data);

@ -218,7 +218,7 @@ static int rtcp_read(BIO *b, char *out, int outl)
    return length;
 }

-static int rtcp_write(BIO *b, char *in, int inl)
+static int rtcp_write(BIO *b, const char *in, int inl)
 {
    int status, i, segment, length;
    struct rpc_ctx *ctx;
@ -247,7 +247,7 @@ static int rtcp_write(BIO *b, char *in, int inl)
    return(i);
 }

-static long rtcp_ctrl(BIO *b, int cmd, long num, char *ptr)
+static long rtcp_ctrl(BIO *b, int cmd, long num, void *ptr)
 	{
 	long ret=1;

@ -283,7 +283,7 @@ static int rtcp_gets(BIO *bp, char *buf, int size)
 	return(0);
 	}

-static int rtcp_puts(BIO *bp, char *str)
+static int rtcp_puts(BIO *bp, const char *str)
 {
    int length;
    if (str == NULL) return(0);
--- a/crypto/conf/conf_api.c
+++ b/crypto/conf/conf_api.c
@ -64,6 +64,7 @@
 #endif

 #include <assert.h>
+#include <string.h>
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>

--- a/crypto/crypto-lib.com
+++ b/crypto/crypto-lib.com
@ -215,13 +215,13 @@ $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
 	"b_sock,bss_acpt,bf_nbio,bss_rtcp,bss_bio,bss_log"
 $ LIB_STACK = "stack"
 $ LIB_LHASH = "lhash,lh_stats"
-$ LIB_RAND = "md_rand,randfile,rand_lib,rand_err,rand_egd"
+$ LIB_RAND = "md_rand,randfile,rand_lib,rand_err,rand_egd,rand_win"
 $ LIB_ERR = "err,err_all,err_prn"
 $ LIB_OBJECTS = "o_names,obj_dat,obj_lib,obj_err"
 $ LIB_EVP = "encode,digest,evp_enc,evp_key,"+ -
 	"e_des,e_bf,e_idea,e_des3,"+ -
 	"e_rc4,names,"+ -
-	"e_xcbc_d,e_rc2,e_cast,e_rc5,"
+	"e_xcbc_d,e_rc2,e_cast,e_rc5"
 $ LIB_EVP_2 = "m_null,m_md2,m_md4,m_md5,m_sha,m_sha1," + -
 	"m_dss,m_dss1,m_mdc2,m_ripemd,"+ -
 	"p_open,p_seal,p_sign,p_verify,p_lib,p_enc,p_dec,"+ -
@ -280,10 +280,10 @@ $!
 $   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAREF.C").EQS."")
 $   THEN
 $!
-$!    Tell The User That The File Dosen't Exist.
+$!    Tell The User That The File Doesn't Exist.
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Dosen't Exist."
+$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Doesn't Exist."
 $     WRITE SYS$OUTPUT ""
 $!
 $!    Exit The Build.
@ -315,10 +315,10 @@ $!
 $   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAR_ERR.C").EQS."")
 $   THEN
 $!
-$!    Tell The User That The File Dosen't Exist.
+$!    Tell The User That The File Doesn't Exist.
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Dosen't Exist."
+$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Doesn't Exist."
 $     WRITE SYS$OUTPUT ""
 $!
 $!    Exit The Build.
@ -531,10 +531,10 @@ $!
 $ IF (F$SEARCH(SOURCE_FILE).EQS."")
 $ THEN
 $!
-$!  Tell The User That The File Dosen't Exist.
+$!  Tell The User That The File Doesn't Exist.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
+$   WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Doesn't Exist."
 $   WRITE SYS$OUTPUT ""
 $!
 $!  Exit The Build.
@ -917,7 +917,7 @@ $!
 $       WRITE SYS$OUTPUT ""
 $       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
 $       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
-$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
+$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file doesn't have the"
 $       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
 $       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
 $       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
--- a/crypto/des/read_pwd.c
+++ b/crypto/des/read_pwd.c
@ -161,7 +161,7 @@
 #include <sys/ioctl.h>
 #endif

-#ifdef MSDOS
+#if defined(MSDOS) && !defined(__CYGWIN32__)
 #include <conio.h>
 #define fgets(a,b,c) noecho_fgets(a,b,c)
 #endif
--- a/crypto/symhacks.h
+++ b/crypto/symhacks.h
@ -64,23 +64,29 @@
 #undef ASN1_STRING_set_default_mask_asc
 #define ASN1_STRING_set_default_mask_asc	ASN1_STRING_set_def_mask_asc

+#if 0 /* No longer needed, since safestack macro magic does the job */
 /* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_SIGNER_INFO) */
 #undef i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO
 #define i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO	i2d_ASN1_SET_OF_PKCS7_SIGINF
 #undef d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO
 #define d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO	d2i_ASN1_SET_OF_PKCS7_SIGINF
+#endif

+#if 0 /* No longer needed, since safestack macro magic does the job */
 /* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_RECIP_INFO) */
 #undef i2d_ASN1_SET_OF_PKCS7_RECIP_INFO
-#define i2d_ASN1_SET_OF_PKCS7_RECIP_INFO	i2d_ASN1_SET_OF_PKCS7_RECGINF
+#define i2d_ASN1_SET_OF_PKCS7_RECIP_INFO	i2d_ASN1_SET_OF_PKCS7_RECINF
 #undef d2i_ASN1_SET_OF_PKCS7_RECIP_INFO
-#define d2i_ASN1_SET_OF_PKCS7_RECIP_INFO	d2i_ASN1_SET_OF_PKCS7_RECGINF
+#define d2i_ASN1_SET_OF_PKCS7_RECIP_INFO	d2i_ASN1_SET_OF_PKCS7_RECINF
+#endif

+#if 0 /* No longer needed, since safestack macro magic does the job */
 /* Hack the names created with DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION) */
 #undef i2d_ASN1_SET_OF_ACCESS_DESCRIPTION
 #define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION	i2d_ASN1_SET_OF_ACC_DESC
 #undef d2i_ASN1_SET_OF_ACCESS_DESCRIPTION
 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION	d2i_ASN1_SET_OF_ACC_DESC
+#endif

 /* Hack the names created with DECLARE_PEM_rw(NETSCAPE_CERT_SEQUENCE) */
 #undef PEM_read_NETSCAPE_CERT_SEQUENCE
@ -114,6 +120,23 @@
 #undef X509_REVOKED_get_ext_by_critical
 #define X509_REVOKED_get_ext_by_critical	X509_REVOKED_get_ext_by_critic

+/* Hack some long CRYPTO names */
+#define CRYPTO_set_dynlock_destroy_callback     CRYPTO_set_dynlock_destroy_cb
+#define CRYPTO_set_dynlock_create_callback      CRYPTO_set_dynlock_create_cb
+#define CRYPTO_set_dynlock_lock_callback        CRYPTO_set_dynlock_lock_cb
+#define CRYPTO_get_dynlock_lock_callback        CRYPTO_get_dynlock_lock_cb
+#define CRYPTO_get_dynlock_destroy_callback     CRYPTO_get_dynlock_destroy_cb
+#define CRYPTO_get_dynlock_create_callback      CRYPTO_get_dynlock_create_cb
+
+/* Hack some long SSL names */
+#define SSL_CTX_set_default_verify_paths        SSL_CTX_set_def_verify_paths
+#define SSL_get_ex_data_X509_STORE_CTX_idx      SSL_get_ex_d_X509_STORE_CTX_idx
+#define SSL_add_file_cert_subjects_to_stack     SSL_add_file_cert_subjs_to_stk
+#define SSL_add_dir_cert_subjects_to_stack      SSL_add_dir_cert_subjs_to_stk
+#define SSL_CTX_use_certificate_chain_file      SSL_CTX_use_cert_chain_file
+#define SSL_CTX_set_cert_verify_callback        SSL_CTX_set_cert_verify_cb
+#define SSL_CTX_set_default_passwd_cb_userdata  SSL_CTX_set_def_passwd_cb_ud
+
 #endif /* defined VMS */


--- a/doc/openssl.txt
+++ b/doc/openssl.txt
@ -355,6 +355,24 @@ that would not make sense. It does support an additional issuer:copy option
 that will copy all the subject alternative name values from the issuer 
 certificate (if possible).

+Example:
+
+issuserAltName = issuer:copy
+
+Authority Info Access.
+
+The authority information access extension gives details about how to access
+certain information relating to the CA. Its syntax is accessOID;location
+where 'location' has the same syntax as subject alternative name (except
+that email:copy is not supported). accessOID can be any valid OID but only
+certain values are meaningful for example OCSP and caIssuers. OCSP gives the
+location of an OCSP responder: this is used by Netscape PSM and other software.
+
+Example:
+
+authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
+
 CRL distribution points.

 This is a multi-valued extension that supports all the literal options of