Merge from main trunk.
authorRichard Levitte <levitte@openssl.org>
Sun, 24 Sep 2000 09:50:31 +0000 (09:50 +0000)
committerRichard Levitte <levitte@openssl.org>
Sun, 24 Sep 2000 09:50:31 +0000 (09:50 +0000)
CHANGES
Configure
NEWS
STATUS
crypto/asn1/a_type.c
crypto/x509/x509_vfy.c
doc/apps/smime.pod
ssl/s23_srvr.c
ssl/ssl.h
ssl/ssl_err.c
util/mk1mf.pl

diff --git a/CHANGES b/CHANGES
index 7645d6f5f96e7c7ccd80ccdbcf5c371e29dbb2d1..b04121131478d58d99c776014cf0900f1e7ba00e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,24 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) In ssl23_get_client_hello, generate an error message when faced
+     with an initial SSL 3.0/TLS record that is too small to contain the
+     first two bytes of the ClientHello message, i.e. client_version.
+     (Note that this is a pathologic case that probably has never happened
+     in real life.)  The previous approach was to use the version number
+     from the record header as a substitute; but our protocol choice
+     should not depend on that one because it is not authenticated
+     by the Finished messages.
+     [Bodo Moeller]
+
+  *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
+     not set then we don't setup the error code for issuer check errors
+     to avoid possibly overwriting other errors which the callback does
+     handle. If an application does set the flag then we assume it knows
+     what it is doing and can handle the new informational codes
+     appropriately.
+     [Steve Henson]
+
   *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
      a general "ANY" type, as such it should be able to decode anything
      including tagged types. However it didn't check the class so it would
index c9c1f127cb358d76428411d8cd7d674f45fb4c0f..f6aefa204a437ded8ace5008233e0adf82913518 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -274,7 +274,7 @@ my %table=(
 "alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o:::::::::dlfcn:true64-shared",
 "alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared",
 "alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared",
-"FreeBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::",
+"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::",
 
 #### Alpha Linux with GNU C and Compaq C setups
 # Special notes:
diff --git a/NEWS b/NEWS
index 674703e80c77fd2ec1d65a5a77dcf2dee0fc53ec..ce1ba34436e1bda5b28f1988a66388ed46483564 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@
       o MD4 now included.
       o Bugfix for SSL rollback padding check.
       o Support for external crypto device[1].
+      o Enhanced EVP interafce.
 
     [1] The support for external crypto devices is currently a separate
         distribution.  See the file README.ENGINE.
diff --git a/STATUS b/STATUS
index 7495689ddf72def07d08eaf31a7fb3b622a004e6..0dca957fa500527b07a66e8fdd67612940edfd83 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -1,6 +1,6 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2000/09/21 21:00:19 $
+  ______________                           $Date: 2000/09/24 09:50:28 $
 
   DEVELOPMENT STATE
 
                                The USE_TOD fix needed to be applied.
                                There were warnings about -O3 triggering
                                        known optimizer bugs on that
-                                       platform.
+                                       platform. [FIXED]
                        OpenBSD-x86 (2.7, gcc 2.95.2)           - success
                        alpha-cc (OSF1 V4.0)                    - success
                        solaris-x86-gcc (5.8, gcc 2.95.2)       - success
index cf716027d3b0e56278561aa7318e2441368f44a3..e72a6b29e0f0975fda35e1c2da94fb51e705c1e9 100644 (file)
@@ -315,6 +315,8 @@ static void ASN1_TYPE_component_free(ASN1_TYPE *a)
                case V_ASN1_OBJECT:
                        ASN1_OBJECT_free(a->value.object);
                        break;
+               case V_ASN1_NULL:
+                       break;
                case V_ASN1_INTEGER:
                case V_ASN1_NEG_INTEGER:
                case V_ASN1_ENUMERATED:
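Review bot: The new `case V_ASN1_NULL:` in ASN1_TYPE_component_free has no comment saying why it frees nothing, so it reads like a forgotten free. A one-line comment such as `/* NULL type owns no allocated value, nothing to free */` would record the intent. The union definition and the switch's default branch are outside this hunk, so it is worth confirming what the default branch did with `a->value` for this type before the change. That determines whether this is a memory-safety fix or only a tidy-up.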
index db62c9f6a348cead99bae90c22fa592edab3a160..0f4110cc64b23ae888d6cb8f09b2ac8134914633 100644 (file)
@@ -339,16 +339,15 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
        ret = X509_check_issued(issuer, x);
        if (ret == X509_V_OK)
                return 1;
-       else
-               {
-               ctx->error = ret;
-               ctx->current_cert = x;
-               ctx->current_issuer = issuer;
-               if ((ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK) && ctx->verify_cb)
-                       return ctx->verify_cb(0, ctx);
-               else
-                       return 0;
-               }
+       /* If we haven't asked for issuer errors don't set ctx */
+       if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
+               return 0;
+
+       ctx->error = ret;
+       ctx->current_cert = x;
+       ctx->current_issuer = issuer;
+       if (ctx->verify_cb)
+               return ctx->verify_cb(0, ctx);
        return 0;
 }
 
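Review bot: With the flag set, `return ctx->verify_cb(0, ctx);` makes the callback's return value the result of check_issued, so a callback that returns 1 for every error would presumably let a certificate that failed X509_check_issued be treated as the issuer. The comment `/* If we haven't asked for issuer errors don't set ctx */` does not say this; consider adding `/* With the flag set the callback decides: a non-zero return accepts this issuer despite the mismatch */` above the callback call. The CHANGES entry in this commit names the flag X509_V_FLAG_ISSUER_CHECK while the code tests X509_V_FLAG_CB_ISSUER_CHECK, and the two should agree so applications set the right one. The start of check_issued is outside the hunk.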
index 4ab53322c506867d55480969605eae8536327c9e..ce99b5c345a12a93f654987d2602af621d1b0093 100644 (file)
@@ -325,7 +325,7 @@ Send encrypted mail using triple DES:
 Sign and encrypt mail:
 
  openssl smime -sign -in ml.txt -signer my.pem -text \
-       | openssl -encrypt -out mail.msg \
+       | openssl smime -encrypt -out mail.msg \
        -from steve@openssl.org -to someone@somewhere \
        -subject "Signed and Encrypted message" -des3 user.pem
 
index a81544a1b62a99a15f54cfa2960ca97d3bb6580a..050618235f0a6cfa0126581eb7531c0364bce3f7 100644 (file)
@@ -348,16 +348,21 @@ int ssl23_get_client_hello(SSL *s)
                         * SSLv3 or tls1 header
                         */
                        
-                       v[0]=p[1]; /* major version */
+                       v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */
                        /* We must look at client_version inside the Client Hello message
-                        * to get the correct minor version: */
-                       v[1]=p[10];
-                       /* However if we have only a pathologically small fragment of the
-                        * Client Hello message, we simply use the version from the
-                        * record header -- this is incorrect but unlikely to fail in
-                        * practice */
+                        * to get the correct minor version.
+                        * However if we have only a pathologically small fragment of the
+                        * Client Hello message, this would be difficult, we'd have
+                        * to read at least one additional record to find out.
+                        * This doesn't usually happen in real life, so we just complain
+                        * for now.
+                        */
                        if (p[3] == 0 && p[4] < 6)
-                               v[1]=p[2];
+                               {
+                               SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
+                               goto err;
+                               }
+                       v[1]=p[10]; /* minor version according to client_version */
                        if (v[1] >= TLS1_VERSION_MINOR)
                                {
                                if (!(s->options & SSL_OP_NO_TLSv1))
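Review bot: The bound in `if (p[3] == 0 && p[4] < 6)` is a bare 6 with no explanation, although the read `v[1]=p[10]` that follows depends on it. A comment such as `/* need 4-byte handshake header + 2-byte client_version in this record */` would tie the constant to the message layout. The check tests the record's declared length, not the number of bytes actually in the buffer, so confirm outside this hunk that at least 11 bytes have been read before `p[10]` is used. `v[0]` is still taken from the record header byte `p[1]`, which the CHANGES entry describes as unauthenticated. The new comment implies it was already compared with SSL3_VERSION_MAJOR, but that comparison is not visible here.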
index 6ffeca4d31273d77440f702e19a986ded3b58d94..fdbdc70ba72fe50668938575d6c610176fae75f6 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1471,6 +1471,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_R_READ_WRONG_PACKET_TYPE                    212
 #define SSL_R_RECORD_LENGTH_MISMATCH                    213
 #define SSL_R_RECORD_TOO_LARGE                          214
+#define SSL_R_RECORD_TOO_SMALL                          1093
 #define SSL_R_REQUIRED_CIPHER_MISSING                   215
 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                216
 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                  217
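Review bot: `SSL_R_RECORD_TOO_SMALL` is given the value 1093 while its neighbours run from 212 to 217, and nothing on the line explains the jump. If this header reserves codes from 1000 upward for reasons derived from alert numbers (SSL_AD_REASON_OFFSET), 1093 falls in that range. It could then be mistaken for an alert-derived code, or collide with one later, when the error is logged or matched. Confirm the number is intended, or renumber it to the next free value in the ordinary sequence and regenerate the reason table in ssl_err.c.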
index 642c3f93e7bcb9e9f38ff780b428fe95166a5854..17b4caf528a92ab5b802c344965f457ae73d41e3 100644 (file)
@@ -327,6 +327,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_READ_WRONG_PACKET_TYPE            ,"read wrong packet type"},
 {SSL_R_RECORD_LENGTH_MISMATCH            ,"record length mismatch"},
 {SSL_R_RECORD_TOO_LARGE                  ,"record too large"},
+{SSL_R_RECORD_TOO_SMALL                  ,"record too small"},
 {SSL_R_REQUIRED_CIPHER_MISSING           ,"required cipher missing"},
 {SSL_R_REUSE_CERT_LENGTH_NOT_ZERO        ,"reuse cert length not zero"},
 {SSL_R_REUSE_CERT_TYPE_NOT_ZERO          ,"reuse cert type not zero"},
index 72e47af9b4787d30d2f086f8b0a62f46b94ce99a..46755fa28705c6a1cba1939bb302401e9cce4246 100755 (executable)
@@ -366,10 +366,6 @@ all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe
 banner:
 $banner
 
-# Generate perlasm output files
-%.cpp:
-       (cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F))
-
 \$(TMP_D):
        \$(MKDIR) \$(TMP_D)
 # NB: uncomment out these lines if BIN_D, TEST_D and LIB_D are different
@@ -617,6 +613,14 @@ $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPT
 $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
 
 print $defs;
+
+if ($platform eq "linux-elf") {
+    print <<"EOF";
+# Generate perlasm output files
+%.cpp:
+       (cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F))
+EOF
+}
 print "###################################################################\n";
 print $rules;