From 14f4feb05b16b90091d5c0d09cbc2a461b472e99 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sat, 9 Nov 2002 23:32:54 +0000 Subject: [PATCH] Recent changes from 0.9.6-stable. --- CHANGES | 5 ++ Makefile.org | 2 +- apps/x509.c | 2 +- config | 9 ++-- crypto/x509/x509_cmp.c | 109 +++++++++++++++++++++++++++++++++++++-- doc/apps/req.pod | 8 +-- doc/apps/smime.pod | 4 +- doc/apps/x509.pod | 14 ++--- shlib/Makefile.hpux10-cc | 2 +- shlib/hpux10-cc.sh | 6 +-- 10 files changed, 136 insertions(+), 25 deletions(-) diff --git a/CHANGES b/CHANGES index 70e22b7da8..0adfcaa970 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 0.9.6g and 0.9.6h [xx XXX xxxx] + *) Change X509_NAME_cmp() so it applies the special rules on handling + DN values that are of type PrintableString, as well as RDNs of type + emailAddress where the value has the type ia5String. + [stefank@valicert.com via Richard Levitte] + *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be diff --git a/Makefile.org b/Makefile.org index a184f43eda..cd686a04d2 100644 --- a/Makefile.org +++ b/Makefile.org @@ -270,7 +270,7 @@ do_gnu-shared: done DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \ - my_ld=`gcc -print-prog-name=ld 2>&1` && \ + my_ld=`${CC} -print-prog-name=ld 2>&1` && \ [ -n "$$my_ld" ] && \ $$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1 diff --git a/apps/x509.c b/apps/x509.c index 0833b5453e..802e079dc7 100644 --- a/apps/x509.c +++ b/apps/x509.c 
@@ -122,7 +122,7 @@ static char *x509_usage[]={ " -CAkey arg - set the CA key, must be PEM format\n", " missing, it is assumed to be in the CA file.\n", " -CAcreateserial - create serial number file if it does not exist\n", -" -CAserial - serial file\n", +" -CAserial arg - serial file\n", " -text - print the certificate in text form\n", " -C - print out C code forms\n", " -md2/-md5/-sha1/-mdc2 - digest to use\n", diff --git a/config b/config index 09b6be1f02..bff3cc9de7 100755 --- a/config +++ b/config @@ -473,7 +473,8 @@ case "$GUESSOS" in echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure irix64-mips4-$CC' *manually*." echo " Type return if you want to continue, Ctrl-C to abort." - read waste < /dev/tty + # Do not stop if /dev/tty is unavailable + (read waste < /dev/tty) || true CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then @@ -528,7 +529,8 @@ EOF #echo "WARNING! If you wish to build 64-bit library, then you have to" #echo " invoke './Configure linux64-sparcv9' *manually*." #echo " Type return if you want to continue, Ctrl-C to abort." - #read waste < /dev/tty + # Do not stop if /dev/tty is unavailable + #(read waste < /dev/tty) || true OUT="linux-sparcv9" ;; sparc-*-linux2) KARCH=`awk '/^type/{print$3}' /proc/cpuinfo` @@ -569,7 +571,8 @@ EOF echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure solaris64-sparcv9-cc' *manually*." echo " Type return if you want to continue, Ctrl-C to abort." - read waste < /dev/tty + # Do not stop if /dev/tty is unavailable + (read waste < /dev/tty) || true fi OUT="solaris-sparcv9-$CC" ;; sun4m-*-solaris2) OUT="solaris-sparcv8-$CC" ;; diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 3f9f9b3d47..1a7691d2a8 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c 
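Review bot: The new `(read waste < /dev/tty) || true` lines in the irix and solaris hunks of config let the script carry on with a 32-bit build when /dev/tty cannot be opened, but the prompt printed just above still says "Ctrl-C to abort", so an unattended build now proceeds with no trace that the confirmation step was skipped. It would be better to say so on the fallback path, e.g. `(read waste < /dev/tty) || echo "No terminal available, continuing with the 32-bit build."`. The middle config hunk only touches commented-out lines and carries no behaviour. The surrounding `case` arms start and end outside the hunks.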
@@ -157,6 +157,99 @@ int X509_cmp(const X509 *a, const X509 *b) } #endif + +/* Case insensitive string comparision */ +static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b) +{ + int i; + + if (a->length != b->length) + return (a->length - b->length); + + for (i=0; ilength; i++) + { + int ca, cb; + + ca = tolower(a->data[i]); + cb = tolower(b->data[i]); + + if (ca != cb) + return(ca-cb); + } + return 0; +} + +/* Case insensitive string comparision with space normalization + * Space normalization - ignore leading, trailing spaces, + * multiple spaces between characters are replaced by single space + */ +static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b) +{ + unsigned char *pa = NULL, *pb = NULL; + int la, lb; + + la = a->length; + lb = b->length; + pa = a->data; + pb = b->data; + + /* skip leading spaces */ + while (la > 0 && isspace(*pa)) + { + la--; + pa++; + } + while (lb > 0 && isspace(*pb)) + { + lb--; + pb++; + } + + /* skip trailing spaces */ + while (la > 0 && isspace(pa[la-1])) + la--; + while (lb > 0 && isspace(pb[lb-1])) + lb--; + + /* compare strings with space normalization */ + while (la > 0 && lb > 0) + { + int ca, cb; + + /* compare character */ + ca = tolower(*pa); + cb = tolower(*pb); + if (ca != cb) + return (ca - cb); + + pa++; pb++; + la--; lb--; + + if (la <= 0 || lb <= 0) + break; + + /* is white space next character ? */ + if (isspace(*pa) && isspace(*pb)) + { + /* skip remaining white spaces */ + while (la > 0 && isspace(*pa)) + { + la--; + pa++; + } + while (lb > 0 && isspace(*pb)) + { + lb--; + pb++; + } + } + } + if (la > 0 || lb > 0) + return la - lb; + + return 0; +} + int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { int i,j; 
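Review bot: Both new helpers, nocase_cmp() and nocase_spacenorm_cmp(), feed bytes taken straight from the certificate into tolower() and isspace(), whose results depend on the process locale; nothing here checks that a value tagged PrintableString actually contains only the printable ASCII subset, so bytes at or above 0x80 reach those functions as well. Under a non-"C" locale two processes (or the same process before and after a setlocale() call) can then order, and even equate, the same pair of names differently, which matters because X509_NAME_cmp() is used for sorted lookups. I would compare with ASCII-only helpers so the result is a pure function of the input, as sketched below, and replace the four tolower()/isspace() call sites in the two helpers with them. The hunk also opens `int X509_NAME_cmp(...)`, whose body continues outside the hunk.

```c
/* ASCII-only classification: the bytes come from the certificate, the
 * string tag is not validated here, and the process locale must not
 * influence the ordering X509_NAME_cmp() produces. */
static int ascii_isspace(int c)
	{
	return (c == ' ' || c == '\t' || c == '\n' || c == '\r'
		|| c == '\v' || c == '\f');
	}

static int ascii_tolower(int c)
	{
	return ((c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c);
	}

/* … unchanged: nocase_cmp and nocase_spacenorm_cmp, with tolower()/isspace()
 * replaced by ascii_tolower()/ascii_isspace() … */
```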
@@ -170,10 +263,20 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { na=sk_X509_NAME_ENTRY_value(a->entries,i); nb=sk_X509_NAME_ENTRY_value(b->entries,i); - j=na->value->length-nb->value->length; + j=na->value->type-nb->value->type; if (j) return(j); - j=memcmp(na->value->data,nb->value->data, - na->value->length); + if (na->value->type == V_ASN1_PRINTABLESTRING) + j=nocase_spacenorm_cmp(na->value, nb->value); + else if (na->value->type == V_ASN1_IA5STRING + && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress) + j=nocase_cmp(na->value, nb->value); + else + { + j=na->value->length-nb->value->length; + if (j) return(j); + j=memcmp(na->value->data,nb->value->data, + na->value->length); + } if (j) return(j); j=na->set-nb->set; if (j) return(j); diff --git a/doc/apps/req.pod b/doc/apps/req.pod index a3f54f45a3..ed5c7effb8 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -457,13 +457,13 @@ Sample configuration containing all field values: The header and footer lines in the B format are normally: - -----BEGIN CERTIFICATE REQUEST---- - -----END CERTIFICATE REQUEST---- + -----BEGIN CERTIFICATE REQUEST----- + -----END CERTIFICATE REQUEST----- some software (some versions of Netscape certificate server) instead needs: - -----BEGIN NEW CERTIFICATE REQUEST---- - -----END NEW CERTIFICATE REQUEST---- + -----BEGIN NEW CERTIFICATE REQUEST----- + -----END NEW CERTIFICATE REQUEST----- which is produced with the B<-newhdr> option but is otherwise compatible. Either form is accepted transparently on input. diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index fa5d23e8dc..2453dd2738 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -340,8 +340,8 @@ detached signature format. You can use this program to verify the signature by line wrapping the base64 encoded structure and surrounding it with: - -----BEGIN PKCS7---- - -----END PKCS7---- + -----BEGIN PKCS7----- + -----END PKCS7----- and using the command, 
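Review bot: The per-entry comparison in X509_NAME_cmp() now has three different rules but the new branch carries no comment explaining them, and the function's callers cannot tell from its declaration that a return of 0 no longer means the two names have identical encodings. I would put a short comment above the `if (na->value->type == V_ASN1_PRINTABLESTRING)` line: `/* PrintableString: case-insensitive with spaces collapsed; emailAddress IA5String: case-insensitive; any other type: exact byte comparison */`. As far as I can tell, lookups that pair this function with a hash of the DER encoding (X509_NAME_hash-based directory lookups) will still miss names that differ only in case or spacing, so that limitation is worth stating in the same comment. The loop and the function begin before the hunk and the function ends after it.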
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index 84f76cb421..3a05fdc828 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -321,7 +321,7 @@ The default filename consists of the CA certificate file base name with ".srl" appended. For example if the CA certificate file is called "mycacert.pem" it expects to find a serial number file called "mycacert.srl". -=item B<-CAcreateserial filename> +=item B<-CAcreateserial> with this option the CA serial number file is created if it does not exist: it will contain the serial number "02" and the certificate being signed will @@ -539,18 +539,18 @@ Set a certificate to be trusted for SSL client use and change set its alias to The PEM format uses the header and footer lines: - -----BEGIN CERTIFICATE---- - -----END CERTIFICATE---- + -----BEGIN CERTIFICATE----- + -----END CERTIFICATE----- it will also handle files containing: - -----BEGIN X509 CERTIFICATE---- - -----END X509 CERTIFICATE---- + -----BEGIN X509 CERTIFICATE----- + -----END X509 CERTIFICATE----- Trusted certificates have the lines - -----BEGIN TRUSTED CERTIFICATE---- - -----END TRUSTED CERTIFICATE---- + -----BEGIN TRUSTED CERTIFICATE----- + -----END TRUSTED CERTIFICATE----- The conversion to UTF8 format used with the name options assumes that T61Strings use the ISO8859-1 character set. This is wrong but Netscape diff --git a/shlib/Makefile.hpux10-cc b/shlib/Makefile.hpux10-cc index 3b8a70259c..c6cb33c783 100644 --- a/shlib/Makefile.hpux10-cc +++ b/shlib/Makefile.hpux10-cc @@ -1,6 +1,6 @@ # Makefile.hpux-cc -major=0.9.6e +major=0.9.6h slib=libssl sh_slib=$(slib).sl.$(major) diff --git a/shlib/hpux10-cc.sh b/shlib/hpux10-cc.sh index a5b850fb21..42bbe03257 100644 --- a/shlib/hpux10-cc.sh +++ b/shlib/hpux10-cc.sh 
@@ -60,9 +60,9 @@ mkdir /usr/local mkdir /usr/local/ssl mkdir /usr/local/ssl/lib chmod 444 lib*_pic.a -chmod 555 lib*.sl.0.9.6e -cp -p lib*_pic.a lib*.sl.0.9.6e /usr/local/ssl/lib -(cd /usr/local/ssl/lib ; ln -sf libcrypto.sl.0.9.6e libcrypto.sl ; ln -sf libssl.sl.0.9.6e libssl.sl) +chmod 555 lib*.sl.0.9.6h +cp -p lib*_pic.a lib*.sl.0.9.6h /usr/local/ssl/lib +(cd /usr/local/ssl/lib ; ln -sf libcrypto.sl.0.9.6h libcrypto.sl ; ln -sf libssl.sl.0.9.6h libssl.sl) # Reconfigure without pic to compile the executables. Unfortunately, while # performing this task we have to recompile the library components, even -- 2.25.1