OpenSSL CHANGES
_______________
+ Changes between 0.9.6a and 0.9.6b [XX xxx XXXX]
+
+ *) Move 'if (!initialized) RAND_poll()' into regions protected by
+ CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
+ having multiple threads call RAND_poll() concurrently.
+ [Bodo Moeller]
+
+ *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
+ combination of a flag and a thread ID variable.
+ Otherwise while one thread is in ssleay_rand_bytes (which sets the
+ flag), *other* threads can enter ssleay_add_bytes without obeying
+ the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock
+ that they do not hold after the first thread unsets add_do_not_lock).
+ [Bodo Moeller]
+
+ *) Change bctest again: '-x' expressions are not available in all
+ versions of 'test'.
+ [Bodo Moeller]
+
Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
*) Fix a couple of memory leaks in PKCS7_dataDecode()
* Why do I get errors about unknown algorithms?
* Why can't the OpenSSH configure script detect OpenSSL?
* Can I use OpenSSL's SSL library with non-blocking I/O?
+* Why doesn't my server application receive a client certificate?
===============================================================================
SSL_write() will try to continue any pending handshake.
+* Why doesn't my server application receive a client certificate?
+
+Due to the TLS protocol definition, a client will only send a certificate,
+if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the
+SSL_CTX_set_verify() function to enable the use of client certificates.
+
+
===============================================================================
$(INSTALL_PREFIX)$(MANDIR)/man3 \
$(INSTALL_PREFIX)$(MANDIR)/man5 \
$(INSTALL_PREFIX)$(MANDIR)/man7
- @echo installing man 1 and man 5
@for i in doc/apps/*.pod; do \
fn=`basename $$i .pod`; \
- sec=`[ "$$fn" = "config" ] && echo 5 || echo 1`; \
+ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
+ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
(cd `dirname $$i`; \
$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`) \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
done
- @echo installing man 3 and man 7
@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
fn=`basename $$i .pod`; \
- sec=`[ "$$fn" = "des_modes" ] && echo 7 || echo 3`; \
+ if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
+ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
(cd `dirname $$i`; \
$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`) \
- OpenSSL 0.9.6a [engine] 5 Apr 2001
+ OpenSSL 0.9.6b-dev [engine] XX xxx XXXX
Copyright (c) 1998-2000 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
#undef PROG
#define PROG dgst_main
-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout,
+void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen);
int MAIN(int, char **);
int debug=0;
const char *outfile = NULL, *keyfile = NULL;
const char *sigfile = NULL, *randfile = NULL;
- char out_bin = -1, want_pub = 0, do_verify = 0;
+ int out_bin = -1, want_pub = 0, do_verify = 0;
EVP_PKEY *sigkey = NULL;
unsigned char *sigbuf = NULL;
int siglen = 0;
EXIT(err);
}
-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout,
+void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen)
{
int len;
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n");
+ BIO_printf (bio_err, "-passin arg input file pass phrase source\n");
BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
BIO_printf(bio_err, " the random number generator\n");
#include <openssl/err.h>
#include <openssl/engine.h>
-#if defined(__FreeBSD__)
+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
# define USE_TOD
#elif !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
# define TIMES
#endif
-#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE)
+#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE) && !defined(__NetBSD__)
# define TIMEB
#endif
#endif
#if HAVE_LONG_LONG
-#define LLONG long long
+# if defined(WIN32) && !defined(__GNUC__)
+# define LLONG _int64
+# else
+# define LLONG long long
+# endif
#else
#define LLONG long
#endif
/* some handy macros */
#define char_to_int(p) (p - '0')
-#define MAX(p,q) ((p >= q) ? p : q)
+#define OSSL_MAX(p,q) ((p >= q) ? p : q)
static void
_dopr(
convert[place] = 0;
zpadlen = max - place;
- spadlen = min - MAX(max, place) - (signvalue ? 1 : 0);
+ spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0);
if (zpadlen < 0)
zpadlen = 0;
if (spadlen < 0)
spadlen = 0;
if (flags & DP_F_ZERO) {
- zpadlen = MAX(zpadlen, spadlen);
+ zpadlen = OSSL_MAX(zpadlen, spadlen);
spadlen = 0;
}
if (flags & DP_F_MINUS)
(caps ? "0123456789ABCDEF"
: "0123456789abcdef")[fracpart % 10];
fracpart = (fracpart / 10);
- } while (fracpart && (fplace < 20));
+ } while (fplace < max);
if (fplace == 20)
fplace--;
fconvert[fplace] = 0;
void EVP_set_pw_prompt(char *prompt);
char * EVP_get_pw_prompt(void);
-int EVP_BytesToKey(const EVP_CIPHER *type,EVP_MD *md,unsigned char *salt,
- unsigned char *data, int datal, int count,
- unsigned char *key,unsigned char *iv);
+int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md,
+ const unsigned char *salt, const unsigned char *data, int datal,
+ int count, unsigned char *key, unsigned char *iv);
int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
unsigned char *key, unsigned char *iv);
#endif
}
-int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, unsigned char *salt,
- unsigned char *data, int datal, int count, unsigned char *key,
- unsigned char *iv)
+int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md,
+ const unsigned char *salt, const unsigned char *data, int datal,
+ int count, unsigned char *key, unsigned char *iv)
{
EVP_MD_CTX c;
unsigned char md_buf[EVP_MAX_MD_SIZE];
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x0090601fL
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a [engine] 5 Apr 2001"
+#define OPENSSL_VERSION_NUMBER 0x00906020L
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6b-dev [engine] XX xxx XXXX"
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
static double entropy=0;
static int initialized=0;
-/* This should be set to 1 only when ssleay_rand_add() is called inside
- an already locked state, so it doesn't try to lock and thereby cause
- a hang. And it should always be reset back to 0 before unlocking. */
-static int add_do_not_lock=0;
+static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
+ * holds CRYPTO_LOCK_RAND
+ * (to prevent double locking) */
+static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */
+
#ifdef PREDICT
int rand_predictable=0;
long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH];
MD_CTX m;
+ int do_not_lock;
/*
* (Based on the rand(3) manpage)
* hash function.
*/
- if (!add_do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ /* check if we already have the lock */
+ do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
+
+ if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
st_idx=state_index;
/* use our own copies of the counters so that even
md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
- if (!add_do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
for (i=0; i<num; i+=MD_DIGEST_LENGTH)
{
}
memset((char *)&m,0,sizeof(m));
- if (!add_do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
/* Don't just copy back local_md into md -- this could mean that
* other thread's seeding remains without effect (except for
* the incremented counter). By XORing it we keep at least as
}
if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
entropy += add;
- if (!add_do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
#if !defined(THREADS) && !defined(WIN32)
assert(md_c[1] == md_count[1]);
* global 'md'.
*/
- if (!initialized)
- RAND_poll();
-
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- add_do_not_lock = 1; /* Since we call ssleay_rand_add while in
- this locked state. */
- initialized = 1;
+ /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
+ crypto_lock_rand = 1;
+ locking_thread = CRYPTO_thread_id();
+
+ if (!initialized)
+ {
+ RAND_poll();
+ initialized = 1;
+ }
+
if (!stirred_pool)
do_stir_pool = 1;
md_count[0] += 1;
- add_do_not_lock = 0; /* If this would ever be forgotten, we can
- expect any evil god to eat our souls. */
+ /* before unlocking, we must clear 'crypto_lock_rand' */
+ crypto_lock_rand = 0;
+ locking_thread = 0;
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
while (num > 0)
static int ssleay_rand_status(void)
{
int ret;
+ int do_not_lock;
+ /* check if we already have the lock
+ * (could happen if a RAND_poll() implementation calls RAND_status()) */
+ do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
+
+ if (!do_not_lock)
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+ /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
+ crypto_lock_rand = 1;
+ locking_thread = CRYPTO_thread_id();
+ }
+
if (!initialized)
+ {
RAND_poll();
+ initialized = 1;
+ }
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- initialized = 1;
ret = entropy >= ENTROPY_NEEDED;
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (!do_not_lock)
+ {
+ /* before unlocking, we must clear 'crypto_lock_rand' */
+ crypto_lock_rand = 0;
+ locking_thread = 0;
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ }
+
return ret;
}
Recover the signed data
- openssl rsautl -sign -in sig -inkey key.pem
+ openssl rsautl -verify -in sig -inkey key.pem
Examine the raw signed data:
- openssl rsautl -sign -in file -inkey key.pem -raw -hexdump
+ openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
=head1 SYNOPSIS
-B<openssl> B<s_client>
+B<openssl> B<s_server>
[B<-accept port>]
[B<-context id>]
[B<-verify depth>]
=head1 SEE ALSO
L<BIO_ctrl(3)|BIO_ctrl(3)>,
-L<BIO_f_base64(3)|BIO_f_base64(3)>,
+L<BIO_f_base64(3)|BIO_f_base64(3)>, L<BIO_f_buffer(3)|BIO_f_buffer(3)>,
L<BIO_f_cipher(3)|BIO_f_cipher(3)>, L<BIO_f_md(3)|BIO_f_md(3)>,
L<BIO_f_null(3)|BIO_f_null(3)>, L<BIO_f_ssl(3)|BIO_f_ssl(3)>,
L<BIO_find_type(3)|BIO_find_type(3)>, L<BIO_new(3)|BIO_new(3)>,
The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations()
function.
-If on an TLS/SSL server no special setting is performed using *client_CA_list()
-functions, the certificates contained in B<CAfile> are listed to the client
-as available CAs during the TLS/SSL handshake.
-
If B<CApath> is not NULL, it points to a directory containing CA certificates
in PEM format. The files each contain one CA certificate. The files are
looked up by the CA subject name hash value, which must hence be available.
building the certificate chain or when actually performing the verification
of a peer certificate.
-On a server, the certificates in B<CApath> are not listed as available
-CA certificates to a client during a TLS/SSL handshake.
-
When looking up CA certificates, the OpenSSL library will first search the
certificates in B<CAfile>, then those in B<CApath>. Certificate matching
is done based on the subject name, the key identifier (if present), and the
no other certificates for the same parameters will be searched in case of
failure.
+In server mode, when requesting a client certificate, the server must send
+the list of CAs of which it will accept client certificates. This list
+is not influenced by the contents of B<CAfile> or B<CApath> and must
+explicitely be set using the
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
+family of functions.
+
When building its own certificate chain, an OpenSSL client/server will
try to fill in missing certificates from B<CAfile>/B<CApath>, if the
certificate chain was not explicitly specified (see
When a TLS/SSL server requests a client certificate (see
B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which
-it will accept certificates, to the client. If no special list is provided,
-the CAs available using the B<CAfile> option in
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
-are sent.
+it will accept certificates, to the client.
-This list can be explicitly set using the SSL_CTX_set_client_CA_list() for
+This list must explicitly be set using SSL_CTX_set_client_CA_list() for
B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
specified overrides the previous setting. The CAs listed do not become
trusted (B<list> only contains the names, not the complete certificates); use
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
to additionally load them for verification.
+If the list of acceptable CAs is compiled in a file, the
+L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>
+function can be used to help importing the necessary data.
+
SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional
items the list of client CAs. If no list was specified before using
SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client
-CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly
-specified using
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
-are no longer used automatically.
+CA list for B<ctx> or B<ssl> (as appropriate) is opened.
These functions are only useful for TLS/SSL servers.
=back
+=head1 EXAMPLES
+
+Scan all certificates in B<CAfile> and list them as acceptable CAs:
+
+ SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
+
=head1 SEE ALSO
L<ssl(3)|ssl(3)>,
L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
-L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>
+L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
=cut
=head1 NOTES
+Due to the protocol definition, a TLS/SSL server will always send a
+certificate, if present. A client will only send a certificate when
+explicitely requested to do so by the server (see
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>). If an anonymous cipher
+is used, no certificates are sent.
+
That a certificate is returned does not indicate information about the
verification state, use L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>
to check the verification state.
=head1 SEE ALSO
-L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>
+L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
=cut
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
L<SSL_accept(3)|SSL_accept(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
-L<SSL_clear(3)|SSL_clear(3), L<SSL_free(3)|SSL_free(3)>,
+L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>,
L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
=cut
@./$(BNTEST) >tmp.bntest
@echo quit >>tmp.bntest
@echo "running bc"
- @<tmp.bntest sh -c "`sh ./bctest || true`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
+ @<tmp.bntest sh -c "`sh ./bctest; true`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
@echo 'test a^b%c implementations'
./$(EXPTEST)
IFS=:
-for dir in $PATH; do
- bc="$dir/bc"
+try_without_dir=true
+# First we try "bc", then "$dir/bc" for each item in $PATH.
+for dir in dummy:$PATH; do
+ if [ "$try_without_dir" = true ]; then
+ # first iteration
+ bc=bc
+ try_without_dir=false
+ else
+ # second and later iterations
+ bc="$dir/bc"
+ if [ ! -f "$bc" ]; then # '-x' is not available on Ultrix
+ bc=''
+ fi
+ fi
- if [ -x "$bc" -a ! -d "$bc" ]; then
+ if [ ! "$bc" = '' ]; then
failure=none
projects / oweals / openssl.git / commitdiff