little more often.
Changes between 0.9.6c and 0.9.6d [XX xxx XXXX]
+ *) Fix DH_generate_parameters() so that it works for 'non-standard'
+ generators, i.e. generators other than 2 and 5. (Previously, the
+ code did not properly initialise the 'add' and 'rem' values to
+ BN_generate_prime().)
+
+ In the new general case, we do not insist that 'generator' is
+ actually a primitive root: This requirement is rather pointless;
+ a generator of the order-q subgroup is just as good, if not
+ better.
+ [Bodo Moeller]
+
+ *) Map new X509 verification errors to alerts. Discovered and submitted by
+ Tom Wu <tom@arcot.com>.
+ [Lutz Jaenicke]
+
+ *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
+ returning non-zero before the data has been completely received
+ when using non-blocking I/O.
+ [Bodo Moeller; problem pointed out by John Hughes]
+
+ *) Some of the ciphers missed the strength entry (SSL_LOW etc).
+ [Ben Laurie, Lutz Jaenicke]
+
*) Fix bug in SSL_clear(): bad sessions were not removed (found by
Yoram Zahavi <YoramZ@gilian.com>).
[Lutz Jaenicke]
"aix43-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
#
-# Cray T90 (SDSC)
+# Cray T90 and similar (SDSC)
# It's Big-endian, but the algorithms work properly when B_ENDIAN is NOT
# defined. The T90 ints and longs are 8 bytes long, and apparently the
# B_ENDIAN code assumes 4 byte ints. Fortunately, the non-B_ENDIAN and
#'Taking the address of a bit field is not allowed. '
#'An expression with bit field exists as the operand of "sizeof" '
# (written by Wayne Schroeder <schroede@SDSC.EDU>)
-"cray-t90-cc", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT:::",
+#
+# j90 is considered the base machine type for unicos machines,
+# so this configuration is now called "cray-j90" ...
+"cray-j90", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT:::",
#
# Cray T3E (Research Center Juelich, beckman@acl.lanl.gov)
Note on shared libraries
------------------------
+ Shared library is currently an experimental feature. The only reason to
+ have them would be to conserve memory on systems where several program
+ are using OpenSSL. Binary backward compatibility can't be guaranteed
+ before OpenSSL version 1.0.
+
For some systems, the OpenSSL Configure script knows what is needed to
build shared libraries for libcrypto and libssl. On these systems,
the shared libraries are currently not created by default, but giving
There are various changes you can make to the Win32 compile environment. By
default the library is not compiled with debugging symbols. If you add 'debug'
- to the mk1mk.pl lines in the do_* batch file then debugging symbols will be
+ to the mk1mf.pl lines in the do_* batch file then debugging symbols will be
compiled in.
The default Win32 environment is to leave out any Windows NT specific
---------------
/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
$shared_extension =
$ranlib =
-*** cray-t3e
+*** cray-j90
$cc = cc
$cflags = -DBIT_FIELD_LIMITS -DTERMIOS
$unistd =
$thread_cflag = (unknown)
$lflags =
-$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT
+$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT
$bn_obj =
$des_obj =
$bf_obj =
$shared_extension =
$ranlib =
-*** cray-t90-cc
+*** cray-t3e
$cc = cc
$cflags = -DBIT_FIELD_LIMITS -DTERMIOS
$unistd =
$thread_cflag = (unknown)
$lflags =
-$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT
$bn_obj =
$des_obj =
$bf_obj =
exit 0
;;
+ *"CRAY T3E")
+ echo "t3e-cray-unicosmk"; exit 0;
+ ;;
+
+ *CRAY*)
+ echo "j90-cray-unicos"; exit 0;
+ ;;
esac
#
mips-sony-newsos4) OUT="newsos4-gcc" ;;
*-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;
*-*-cygwin) OUT="Cygwin" ;;
+ t3e-cray-unicosmk) OUT="cray-t3e" ;;
+ j90-cray-unicos) OUT="cray-j90" ;;
*) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
esac
TOP= ..
CC= cc
INCLUDE= -I. -I../include
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I../.. -I../../include
CFLAG= -g
INSTALL_PREFIX=
OPENSSLDIR= /usr/local/ssl
#endif
#ifdef SO_MAXCONN
-#define MAX_LISTEN SOMAXCONN
-#elif defined(SO_MAXCONN)
#define MAX_LISTEN SO_MAXCONN
+#elif defined(SOMAXCONN)
+#define MAX_LISTEN SOMAXCONN
#else
#define MAX_LISTEN 32
#endif
DIR= conf
TOP= ../..
CC= cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I../.. -I../../include
CFLAG=-g
INSTALL_PREFIX=
OPENSSLDIR= /usr/local/ssl
#include <string.h>
#include <openssl/conf.h>
#include <openssl/conf_api.h>
+#include "e_os.h"
static void value_free_hash(CONF_VALUE *a, LHASH *conf);
static void value_free_stack(CONF_VALUE *a,LHASH *conf);
#define DH_F_DH_NEW 105
/* Reason codes. */
+#define DH_R_BAD_GENERATOR 101
#define DH_R_NO_PRIVATE_VALUE 100
#ifdef __cplusplus
/* crypto/dh/dh_err.c */
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
static ERR_STRING_DATA DH_str_reasons[]=
{
+{DH_R_BAD_GENERATOR ,"bad generator"},
{DH_R_NO_PRIVATE_VALUE ,"no private value"},
{0,NULL}
};
* Since DH should be using a safe prime (both p and q are prime),
* this generator function can take a very very long time to run.
*/
-
+/* Actually there is no reason to insist that 'generator' be a generator.
+ * It's just as OK (and in some sense better) to use a generator of the
+ * order-q subgroup.
+ */
DH *DH_generate_parameters(int prime_len, int generator,
void (*callback)(int,int,void *), void *cb_arg)
{
t2 = BN_CTX_get(ctx);
if (t1 == NULL || t2 == NULL) goto err;
+ if (generator <= 1)
+ {
+ DHerr(DH_F_DH_GENERATE_PARAMETERS, DH_R_BAD_GENERATOR);
+ goto err;
+ }
if (generator == DH_GENERATOR_2)
{
- BN_set_word(t1,24);
- BN_set_word(t2,11);
+ if (!BN_set_word(t1,24)) goto err;
+ if (!BN_set_word(t2,11)) goto err;
g=2;
}
-#ifdef undef /* does not work for safe primes */
+#if 0 /* does not work for safe primes */
else if (generator == DH_GENERATOR_3)
{
- BN_set_word(t1,12);
- BN_set_word(t2,5);
+ if (!BN_set_word(t1,12)) goto err;
+ if (!BN_set_word(t2,5)) goto err;
g=3;
}
#endif
else if (generator == DH_GENERATOR_5)
{
- BN_set_word(t1,10);
- BN_set_word(t2,3);
+ if (!BN_set_word(t1,10)) goto err;
+ if (!BN_set_word(t2,3)) goto err;
/* BN_set_word(t3,7); just have to miss
* out on these ones :-( */
g=5;
}
else
+ {
+ /* in the general case, don't worry if 'generator' is a
+ * generator or not: since we are using safe primes,
+ * it will generate either an order-q or an order-2q group,
+ * which both is OK */
+ if (!BN_set_word(t1,2)) goto err;
+ if (!BN_set_word(t2,1)) goto err;
g=generator;
+ }
p=BN_generate_prime(NULL,prime_len,1,t1,t2,callback,cb_arg);
if (p == NULL) goto err;
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/rand.h>
+#include <openssl/err.h>
#ifdef NO_DH
int main(int argc, char *argv[])
a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
if (a == NULL) goto err;
+ if (!DH_check(a, &i)) goto err;
+ if (i & DH_CHECK_P_NOT_PRIME)
+ BIO_puts(out, "p value is not prime\n");
+ if (i & DH_CHECK_P_NOT_SAFE_PRIME)
+ BIO_puts(out, "p value is not a safe prime\n");
+ if (i & DH_UNABLE_TO_CHECK_GENERATOR)
+ BIO_puts(out, "unable to check the generator value\n");
+ if (i & DH_NOT_SUITABLE_GENERATOR)
+ BIO_puts(out, "the g value is not a generator\n");
+
BIO_puts(out,"\np =");
BN_print(out,a->p);
BIO_puts(out,"\ng =");
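Review bot: The four flag tests after `if (!DH_check(a, &i)) goto err;` only print a message, so a run whose parameters come back flagged `DH_CHECK_P_NOT_PRIME` or `DH_NOT_SUITABLE_GENERATOR` still continues into the key exchange. For a regression test of the generator fix it would be stronger to fail on any flag, for example `if (i != 0) goto err;` after the messages. That assumes `ret` still holds its failure value at this point; its initialisation is outside the hunk, as are the start and end of `main`.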
else
ret=0;
err:
+ ERR_print_errors_fp(stderr);
+
if (abuf != NULL) OPENSSL_free(abuf);
if (bbuf != NULL) OPENSSL_free(bbuf);
if(b != NULL) DH_free(b);
buf[0]='\0';
fgets(buf,256,stdin);
if (buf[0] == '\0') break;
- buf[256]='\0';
i=strlen(buf);
p=OPENSSL_malloc(i+1);
memcpy(p,buf,i+1);
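Review bot: `p=OPENSSL_malloc(i+1);` is passed straight to `memcpy` with no NULL check, so an allocation failure becomes a write through a null pointer; `if (p == NULL) break;` (or whatever error path the enclosing loop uses) would close that. The `fgets` return value is also ignored, and after a read error the buffer contents are indeterminate, so the `buf[0] == '\0'` test is only reliable for end-of-file; `if (fgets(buf,256,stdin) == NULL) break;` covers both cases. The declaration of `buf` and the surrounding loop are outside the hunk, so the size 256 could not be checked against the array here.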
pubKey[0] = ReadPublicKey(PUBFILE);
- if(!pubKey)
+ if(!pubKey[0])
{
fprintf(stderr,"Error: can't load public key");
exit(1);
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CRL_NOT_YET_VALID:
+ case X509_V_ERR_CERT_UNTRUSTED:
+ case X509_V_ERR_CERT_REJECTED:
al=SSL_AD_BAD_CERTIFICATE;
break;
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ case X509_V_ERR_INVALID_CA:
al=SSL_AD_UNKNOWN_CA;
break;
case X509_V_ERR_APPLICATION_VERIFICATION:
al=SSL_AD_HANDSHAKE_FAILURE;
break;
+ case X509_V_ERR_INVALID_PURPOSE:
+ al=SSL_AD_UNSUPPORTED_CERTIFICATE;
+ break;
default:
al=SSL_AD_CERTIFICATE_UNKNOWN;
break;
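Review bot: The `default:` arm still turns every unlisted `X509_V_ERR_*` code into `SSL_AD_CERTIFICATE_UNKNOWN`, which is presumably how the codes added in this hunk went unmapped until now. A comment there would help whoever adds the next verification error, for example `/* new X509_V_ERR_* codes land here until mapped explicitly; keep in sync with the X509 verify error list */` above `default:`. The switch statement opens outside the hunk, so other codes may already be handled above.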
* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
SSL3_TXT_ADH_RC4_128_MD5,
SSL3_CK_ADH_RC4_128_MD5,
SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
- SSL_NOT_EXP,
+ SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
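Review bot: The strength bit added to these entries describes only the symmetric cipher, yet three of them are anonymous-DH suites (`SSL_kEDH |SSL_aNULL`), which give no peer authentication. With `SSL_NOT_EXP|SSL_MEDIUM` on `SSL3_TXT_ADH_RC4_128_MD5` here and `SSL_NOT_EXP|SSL_HIGH` on `SSL3_TXT_ADH_DES_192_CBC_SHA` two hunks further down, a cipher list that selects by strength alone would presumably start matching them. A comment on the ADH entries such as `/* strength reflects key length only; aNULL suites are unauthenticated and must be excluded explicitly */` would make that visible. The same applies to the `SSL3_TXT_ADH_DES_64_CBC_SHA` hunk (`SSL_LOW`); the array definition itself is outside these hunks.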
SSL3_TXT_ADH_DES_64_CBC_SHA,
SSL3_CK_ADH_DES_64_CBC_SHA,
SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP,
+ SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL3_TXT_ADH_DES_192_CBC_SHA,
SSL3_CK_ADH_DES_192_CBC_SHA,
SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP,
+ SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL3_TXT_FZA_DMS_RC4_SHA,
SSL3_CK_FZA_DMS_RC4_SHA,
SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP,
+ SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP,
+ SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
int ssl3_pending(SSL *s)
{
+ if (s->rstate == SSL_ST_READ_BODY)
+ return 0;
+
return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
}
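Review bot: The new early return has no comment saying why `SSL_ST_READ_BODY` means nothing is pending, and the reason is not obvious from the function alone. Going by the CHANGES entry in this commit, `rrec.type` and `rrec.length` can already be set while the record body is still being received with non-blocking I/O. A comment above the `if` would record that, for example `/* record header parsed but body not fully received yet: rrec.length is not readable data */`.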
if (num > 1)
--num; /* test restartability even more thoroughly */
- r = BIO_nwrite(io1, &dataptr, (int)num);
+ r = BIO_nwrite0(io1, &dataptr);
assert(r > 0);
- assert(r <= (int)num);
- num = r;
+ if (r < num)
+ num = r;
r = BIO_read(io2, dataptr, (int)num);
if (r != (int)num) /* can't happen */
{
goto err;
}
progress = 1;
+ r = BIO_nwrite(io1, &dataptr, (int)num);
+ if (r != (int)num) /* can't happen */
+ {
+ fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
+ "BIO_nwrite0() bytes");
+ goto err;
+ }
if (debug)
printf((io2 == client_io) ?