From: Richard Levitte Date: Sun, 24 Sep 2000 09:50:31 +0000 (+0000) Subject: Merge from main trunk. X-Git-Tag: OpenSSL-engine-0_9_6~1 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=34765151958228ce88934adad72f0877b7c4ded8;p=oweals%2Fopenssl.git Merge from main trunk. --- diff --git a/CHANGES b/CHANGES index 7645d6f5f9..b041211314 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,24 @@ Changes between 0.9.5a and 0.9.6 [xx XXX 2000] + *) In ssl23_get_client_hello, generate an error message when faced + with an initial SSL 3.0/TLS record that is too small to contain the + first two bytes of the ClientHello message, i.e. client_version. + (Note that this is a pathologic case that probably has never happened + in real life.) The previous approach was to use the version number + from the record header as a substitute; but our protocol choice + should not depend on that one because it is not authenticated + by the Finished messages. + [Bodo Moeller] + + *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is + not set then we don't setup the error code for issuer check errors + to avoid possibly overwriting other errors which the callback does + handle. If an application does set the flag then we assume it knows + what it is doing and can handle the new informational codes + appropriately. + [Steve Henson] + *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for a general "ANY" type, as such it should be able to decode anything including tagged types. However it didn't check the class so it would diff --git a/Configure b/Configure index c9c1f127cb..f6aefa204a 100755 --- a/Configure +++ b/Configure 
@@ -274,7 +274,7 @@ my %table=( "alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o:::::::::dlfcn:true64-shared", "alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", "alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", -"FreeBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::", +"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::", #### Alpha Linux with GNU C and Compaq C setups # Special notes: diff --git a/NEWS b/NEWS index 674703e80c..ce1ba34436 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,7 @@ o MD4 now included. o Bugfix for SSL rollback padding check. o Support for external crypto device[1]. + o Enhanced EVP interafce. [1] The support for external crypto devices is currently a separate distribution. See the file README.ENGINE. diff --git a/STATUS b/STATUS index 7495689ddf..0dca957fa5 100644 --- a/STATUS +++ b/STATUS @@ -1,6 +1,6 @@ OpenSSL STATUS Last modified at - ______________ $Date: 2000/09/21 21:00:19 $ + ______________ $Date: 2000/09/24 09:50:28 $ DEVELOPMENT STATE @@ -126,7 +126,7 @@ The USE_TOD fix needed to be applied. There were warnings about -O3 triggering known optimizer bugs on that - platform. + platform. [FIXED] OpenBSD-x86 (2.7, gcc 2.95.2) - success alpha-cc (OSF1 V4.0) - success solaris-x86-gcc (5.8, gcc 2.95.2) - success diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c index cf716027d3..e72a6b29e0 100644 --- a/crypto/asn1/a_type.c +++ b/crypto/asn1/a_type.c 
@@ -315,6 +315,8 @@ static void ASN1_TYPE_component_free(ASN1_TYPE *a) case V_ASN1_OBJECT: ASN1_OBJECT_free(a->value.object); break; + case V_ASN1_NULL: + break; case V_ASN1_INTEGER: case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index db62c9f6a3..0f4110cc64 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -339,16 +339,15 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) ret = X509_check_issued(issuer, x); if (ret == X509_V_OK) return 1; - else - { - ctx->error = ret; - ctx->current_cert = x; - ctx->current_issuer = issuer; - if ((ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK) && ctx->verify_cb) - return ctx->verify_cb(0, ctx); - else - return 0; - } + /* If we haven't asked for issuer errors don't set ctx */ + if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK)) + return 0; + + ctx->error = ret; + ctx->current_cert = x; + ctx->current_issuer = issuer; + if (ctx->verify_cb) + return ctx->verify_cb(0, ctx); return 0; } diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 4ab53322c5..ce99b5c345 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -325,7 +325,7 @@ Send encrypted mail using triple DES: Sign and encrypt mail: openssl smime -sign -in ml.txt -signer my.pem -text \ - | openssl -encrypt -out mail.msg \ + | openssl smime -encrypt -out mail.msg \ -from steve@openssl.org -to someone@somewhere \ -subject "Signed and Encrypted message" -des3 user.pem diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index a81544a1b6..050618235f 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c 
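Review bot: The new empty `case V_ASN1_NULL:` in ASN1_TYPE_component_free has no comment saying why a free routine does nothing for this tag. Presumably a NULL type owns no allocated value, so it must not reach whatever the default branch does; that branch is outside the hunk, so confirm before wording it. I would add a comment on the case, for example `/* NULL carries no value, nothing to free */`. The switch begins and ends outside the hunk.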
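Review bot: In check_issued the result of `ctx->verify_cb(0, ctx)` is still returned unchanged, so once the flag is set a callback that returns nonzero makes this function report `issuer` as the issuer of `x` even though X509_check_issued() rejected it. The CHANGES entry calls these codes "informational", so a catch-all handler that returns 1 for codes it does not recognise would silently accept a mismatched issuer. I would state the contract above the call, for example `/* callback result is used as-is: nonzero accepts this issuer despite the mismatch */`. The CHANGES text also names the flag `X509_V_FLAG_ISSUER_CHECK`, while the code tests `X509_V_FLAG_CB_ISSUER_CHECK`; one of the two should be corrected. The function body begins outside the hunk.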
@@ -348,16 +348,21 @@ int ssl23_get_client_hello(SSL *s) * SSLv3 or tls1 header */ - v[0]=p[1]; /* major version */ + v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */ /* We must look at client_version inside the Client Hello message - * to get the correct minor version: */ - v[1]=p[10]; - /* However if we have only a pathologically small fragment of the - * Client Hello message, we simply use the version from the - * record header -- this is incorrect but unlikely to fail in - * practice */ + * to get the correct minor version. + * However if we have only a pathologically small fragment of the + * Client Hello message, this would be difficult, we'd have + * to read at least one additional record to find out. + * This doesn't usually happen in real life, so we just complain + * for now. + */ if (p[3] == 0 && p[4] < 6) - v[1]=p[2]; + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL); + goto err; + } + v[1]=p[10]; /* minor version according to client_version */ if (v[1] >= TLS1_VERSION_MINOR) { if (!(s->options & SSL_OP_NO_TLSv1)) diff --git a/ssl/ssl.h b/ssl/ssl.h index 6ffeca4d31..fdbdc70ba7 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1471,6 +1471,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_R_READ_WRONG_PACKET_TYPE 212 #define SSL_R_RECORD_LENGTH_MISMATCH 213 #define SSL_R_RECORD_TOO_LARGE 214 +#define SSL_R_RECORD_TOO_SMALL 1093 #define SSL_R_REQUIRED_CIPHER_MISSING 215 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 642c3f93e7..17b4caf528 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c 
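Review bot: The guard `if (p[3] == 0 && p[4] < 6)` and the read of `p[10]` rely on bare offsets that the new comment does not explain. A reader has to work out that 6 is the 1-byte handshake type plus the 3-byte length plus the 2-byte client_version, all following the 5-byte record header. I would add this above the test: `/* p[3..4] = record length; need >= 1 (msg type) + 3 (length) + 2 (client_version) so that p[10] lies inside this record */`. Whether the `err` path sends an alert to the peer before closing is not visible here and is worth confirming. ssl23_get_client_hello starts and continues outside the hunk.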
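Review bot: `SSL_R_RECORD_TOO_SMALL` is given the value 1093 while its neighbours in this list are 213, 214 and 215. As far as I know, reason codes from 1000 upward in ssl.h are reserved for errors derived from peer alerts (`SSL_AD_REASON_OFFSET` plus the alert number); please confirm against the full header. If that holds, a locally detected short record could be read by error-handling code or by log triage as an alert received from the peer. I would assign the next unused value below 1000 instead, or add a comment on the define explaining why 1093 is intended.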
@@ -327,6 +327,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_READ_WRONG_PACKET_TYPE ,"read wrong packet type"}, {SSL_R_RECORD_LENGTH_MISMATCH ,"record length mismatch"}, {SSL_R_RECORD_TOO_LARGE ,"record too large"}, +{SSL_R_RECORD_TOO_SMALL ,"record too small"}, {SSL_R_REQUIRED_CIPHER_MISSING ,"required cipher missing"}, {SSL_R_REUSE_CERT_LENGTH_NOT_ZERO ,"reuse cert length not zero"}, {SSL_R_REUSE_CERT_TYPE_NOT_ZERO ,"reuse cert type not zero"}, diff --git a/util/mk1mf.pl b/util/mk1mf.pl index 72e47af9b4..46755fa287 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -366,10 +366,6 @@ all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe banner: $banner -# Generate perlasm output files -%.cpp: - (cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F)) - \$(TMP_D): \$(MKDIR) \$(TMP_D) # NB: uncomment out these lines if BIN_D, TEST_D and LIB_D are different @@ -617,6 +613,14 @@ $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPT $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)"); print $defs; + +if ($platform eq "linux-elf") { + print <<"EOF"; +# Generate perlasm output files +%.cpp: + (cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F)) +EOF +} print "###################################################################\n"; print $rules;