From: Richard Levitte Date: Wed, 8 May 2002 15:54:01 +0000 (+0000) Subject: Apply all the recent changes from 0.9.6-stable. X-Git-Tag: OpenSSL-engine-0_9_6d~3 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=e27fd320fcd59b97416941aba88bdbc68aceb020;p=oweals%2Fopenssl.git Apply all the recent changes from 0.9.6-stable. --- diff --git a/CHANGES b/CHANGES index cf4a885415..5df8e1a667 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 0.9.6c and 0.9.6d [XX xxx XXXX] + *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not + encoded as NULL) with id-dsa-with-sha1. + [Nils Larsch ; problem pointed out by Bodo Moeller] + *) Check various X509_...() return values in apps/req.c. [Nils Larsch ] diff --git a/Configure b/Configure index 09f3afa2c3..d2e9e03d99 100755 --- a/Configure +++ b/Configure @@ -445,7 +445,7 @@ my %table=( "sco5-cc-pentium", "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? "sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... "sco5-cc-shared","cc:-belf:::-lsocket -lresolv -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr3-shared:-Kpic", -"sco5-gcc-shared","gcc:-O3 -DFILIO_H -fomit-frame-pointer:::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC", +"sco5-gcc-shared","gcc:-O3 -DFILIO_H -fomit-frame-pointer:::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-fPIC", # the SCO assembler doesn't seem to like our assembler files ... # Sinix/ReliantUNIX RM400 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g */ diff --git a/Makefile.org b/Makefile.org index 594f9d52f4..fdf95d6d01 100644 --- a/Makefile.org +++ b/Makefile.org @@ -646,7 +646,7 @@ install: all install_docs cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ - fi \ + fi; \ done @if [ -n "$(SHARED_LIBS)" ]; then \ tmp="$(SHARED_LIBS)"; \ @@ -664,7 +664,7 @@ install: all install_docs cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ fi ); \ - fi \ + fi; \ done; \ ( here="`pwd`"; \ cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ diff --git a/NEWS b/NEWS index ca343e652f..908d063cfc 100644 --- a/NEWS +++ b/NEWS @@ -5,12 +5,12 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d: + Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d: o Various SSL/TLS library bugfixes. o Fix DH parameter generation for 'non-standard' generators. - Changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c: + Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c: o Various SSL/TLS library bugfixes. o BIGNUM library fixes. @@ -23,7 +23,7 @@ Broadcom and Cryptographic Appliance's keyserver [in 0.9.6c-engine release]. - Changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: + Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: o Security fix: PRNG improvements. o Security fix: RSA OAEP check. diff --git a/STATUS b/STATUS index 1d5dca99f0..938f058dcf 100644 --- a/STATUS +++ b/STATUS @@ -1,6 +1,6 @@ OpenSSL STATUS Last modified at - ______________ $Date: 2002/04/17 12:52:31 $ + ______________ $Date: 2002/05/08 15:53:53 $ DEVELOPMENT STATE diff --git a/TABLE b/TABLE index d352ff7c53..cce12757cf 100644 --- a/TABLE +++ b/TABLE @@ -1,4 +1,3 @@ -Output of `Configure TABLE': *** BC-16 $cc = bcc @@ -2790,15 +2789,15 @@ $unistd = $thread_cflag = $lflags = -lsocket -lresolv -lnsl $bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT -$bn_obj = asm/bn86-elf.o asm/co86-elf.o -$des_obj = asm/dx86-elf.o asm/yx86-elf.o -$bf_obj = asm/bx86-elf.o -$md5_obj = asm/mx86-elf.o -$sha1_obj = asm/sx86-elf.o -$cast_obj = asm/cx86-elf.o -$rc4_obj = asm/rx86-elf.o -$rmd160_obj = asm/rm86-elf.o -$rc5_obj = asm/r586-elf.o +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = $dso_scheme = dlfcn $shared_target= svr3-shared $shared_cflag = -fPIC diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 4e8dcd3a68..0c2529e285 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -176,7 +176,7 @@ bad: BIO_printf(bio_err," -outform arg output format - DER or PEM\n"); BIO_printf(bio_err," -in arg input file\n"); BIO_printf(bio_err," -out arg output file\n"); - BIO_printf(bio_err," -text print the key in text\n"); + BIO_printf(bio_err," -text print as text\n"); BIO_printf(bio_err," -C Output C code\n"); BIO_printf(bio_err," -noout no output\n"); BIO_printf(bio_err," -rand files to use for random number input\n"); diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 365a8ada93..db34f0ef50 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -772,7 +772,10 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass, print_attribs (out, bag->attrib, "Bag Attributes"); if (!(p8 = M_PKCS12_decrypt_skey (bag, pass, passlen))) return 0; - if (!(pkey = EVP_PKCS82PKEY (p8))) return 0; + if (!(pkey = EVP_PKCS82PKEY (p8))) { + PKCS8_PRIV_KEY_INFO_free(p8); + return 0; + } print_attribs (out, p8->attributes, "Key Attributes"); PKCS8_PRIV_KEY_INFO_free(p8); PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass); diff --git a/apps/smime.c b/apps/smime.c index 61029a475d..1e84253f88 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -441,7 +441,10 @@ int MAIN(int argc, char **argv) p7 = PKCS7_encrypt(encerts, in, cipher, flags); } else if(operation == SMIME_SIGN) { p7 = PKCS7_sign(signer, key, other, in, flags); - BIO_reset(in); + if (BIO_reset(in) != 0 && (flags & PKCS7_DETACHED)) { + BIO_printf(bio_err, "Can't rewind input file\n"); + goto end; + } } else { if(informat == FORMAT_SMIME) p7 = SMIME_read_PKCS7(in, &indata); diff --git a/crypto/Makefile.ssl b/crypto/Makefile.ssl index ac3b27c180..f4fe47e260 100644 --- a/crypto/Makefile.ssl +++ b/crypto/Makefile.ssl @@ -54,7 +54,7 @@ buildinf.h: ../Makefile.ssl echo " /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \ echo " #define CFLAGS \"$(CC) $(CFLAG)\""; \ echo " #define PLATFORM \"$(PLATFORM)\""; \ - echo " #define DATE \"`date`\""; \ + echo " #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \ echo "#endif" ) >buildinf.h testapps: diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c index 4c651706d2..94829d889e 100644 --- a/crypto/asn1/a_sign.c +++ b/crypto/asn1/a_sign.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include @@ -87,7 +140,14 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2, else a=algor2; if (a == NULL) continue; - if ( (a->parameter == NULL) || + if (type->pkey_type == NID_dsaWithSHA1) + { + /* special case: RFC 2459 tells us to omit 'parameters' + * with id-dsa-with-sha1 */ + ASN1_TYPE_free(a->parameter); + a->parameter = NULL; + } + else if ((a->parameter == NULL) || (a->parameter->type != V_ASN1_NULL)) { ASN1_TYPE_free(a->parameter); diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index 4d82378b9d..d802c4d09c 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -437,8 +437,7 @@ int OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *a, int no_name) return(0); } - nid=OBJ_obj2nid(a); - if ((nid == NID_undef) || no_name) { + if (no_name || (nid=OBJ_obj2nid(a)) == NID_undef) { len=a->length; p=a->data; diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index 98a8510e15..ef02599d55 100644 --- a/crypto/pem/pem_info.c +++ b/crypto/pem/pem_info.c @@ -346,7 +346,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, } /* if we have a certificate then write it out now */ - if ((xi->x509 != NULL) || (PEM_write_bio_X509(bp,xi->x509) <= 0)) + if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp,xi->x509) <= 0)) goto err; /* we are ignoring anything else that is loaded into the X509_INFO diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod index 9afe2396e2..483ff62b84 100644 --- a/doc/crypto/EVP_EncryptInit.pod +++ b/doc/crypto/EVP_EncryptInit.pod @@ -192,7 +192,7 @@ EVP_DecryptInit() and EVP_DecryptUpdate() return 1 for success and 0 for failure EVP_DecryptFinal() returns 0 if the decrypt failed or 1 for success. EVP_CipherInit() and EVP_CipherUpdate() return 1 for success and 0 for failure. -EVP_CipherFinal() returns 1 for a decryption failure or 1 for success. +EVP_CipherFinal() returns 0 for a decryption failure or 1 for success. EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure. diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index fb086dcc86..f52303c7c3 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -236,7 +236,8 @@ static int ssl3_get_record(SSL *s) unsigned char md[EVP_MAX_MD_SIZE]; short version; unsigned int mac_size; - int clear=0,extra; + int clear=0; + size_t extra; rr= &(s->s3->rrec); sess=s->session; @@ -245,7 +246,7 @@ static int ssl3_get_record(SSL *s) extra=SSL3_RT_MAX_EXTRA; else extra=0; - if (extra != (s->s3->rbuf_len - SSL3_RT_MAX_PACKET_SIZE)) + if (extra != s->s3->rbuf_len - SSL3_RT_MAX_PACKET_SIZE) { /* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER * set after ssl3_setup_buffers() was done */ @@ -295,8 +296,7 @@ again: goto err; } - if (rr->length > - (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra) + if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra) { al=SSL_AD_RECORD_OVERFLOW; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); @@ -308,7 +308,7 @@ again: /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ - if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH)) + if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH) { /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ i=rr->length; @@ -336,7 +336,7 @@ again: * rr->length bytes of encrypted compressed stuff. */ /* check is not needed I believe */ - if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra) + if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra) { al=SSL_AD_RECORD_OVERFLOW; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); @@ -405,8 +405,7 @@ printf("\n"); /* r->length is now just compressed */ if (s->expand != NULL) { - if (rr->length > - (unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra) + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) { al=SSL_AD_RECORD_OVERFLOW; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); @@ -420,7 +419,7 @@ printf("\n"); } } - if (rr->length > (unsigned int)SSL3_RT_MAX_PLAIN_LENGTH+extra) + if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) { al=SSL_AD_RECORD_OVERFLOW; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); @@ -605,7 +604,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (prefix_len <= 0) goto err; - if (s->s3->wbuf_len < prefix_len + SSL3_RT_MAX_PACKET_SIZE) + if (s->s3->wbuf_len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) { /* insufficient space */ SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_INTERNAL_ERROR); diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index be3acabf3e..bb4cb2fdf0 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -751,6 +751,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, ret = 1; err: + if (d) closedir(d); CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); return ret; } diff --git a/ssl/ssltest.c b/ssl/ssltest.c index ebd3b527df..5f91ed19c7 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -850,7 +850,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, r = BIO_nwrite0(io1, &dataptr); assert(r > 0); - if (r < num) + if (r < (int)num) num = r; r = BIO_read(io2, dataptr, (int)num); if (r != (int)num) /* can't happen */