Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src sync w/ openssl 0.9.7c. shlib minor bump for libcrypto.
details: https://anonhg.NetBSD.org/src/rev/bd9b77aa2078
branches: trunk
changeset: 554933:bd9b77aa2078
user: itojun <itojun%NetBSD.org@localhost>
date: Tue Nov 04 23:54:26 2003 +0000
description:
sync w/ openssl 0.9.7c. shlib minor bump for libcrypto.
(ERR_release_err_state_table() added)
diffstat:
crypto/dist/openssl/CHANGES | 105 ++++
crypto/dist/openssl/FAQ | 2 +-
crypto/dist/openssl/apps/progs.h | 10 -
crypto/dist/openssl/apps/s_apps.h | 6 -
crypto/dist/openssl/apps/smime.c | 4 +
crypto/dist/openssl/crypto/aes/aes.h | 2 +-
crypto/dist/openssl/crypto/asn1/a_mbstr.c | 2 +-
crypto/dist/openssl/crypto/asn1/a_strnid.c | 5 +-
crypto/dist/openssl/crypto/bio/bss_bio.c | 55 ++-
crypto/dist/openssl/crypto/bio/bss_file.c | 21 +-
crypto/dist/openssl/crypto/des/des_locl.h | 3 -
crypto/dist/openssl/crypto/des/destest.c | 2 +-
crypto/dist/openssl/crypto/dso/dso_dlfcn.c | 6 +-
crypto/dist/openssl/crypto/engine/engine.h | 8 +-
crypto/dist/openssl/crypto/engine/vendor_defns/cswift.h | 26 -
crypto/dist/openssl/crypto/engine/vendor_defns/hw_4758_cca.h | 15 -
crypto/dist/openssl/crypto/engine/vendor_defns/sureware.h | 4 -
crypto/dist/openssl/crypto/err/err.c | 42 +-
crypto/dist/openssl/crypto/err/err.h | 1 +
crypto/dist/openssl/crypto/md2/md2test.c | 2 +-
crypto/dist/openssl/crypto/pkcs7/pk7_mime.c | 105 ++-
crypto/dist/openssl/crypto/pkcs7/pk7_smime.c | 2 +-
crypto/dist/openssl/crypto/pkcs7/pkcs7.h | 2 +
crypto/dist/openssl/crypto/rand/rand_lcl.h | 10 -
crypto/dist/openssl/crypto/rsa/rsa.h | 11 +-
crypto/dist/openssl/crypto/rsa/rsa_eay.c | 2 +
crypto/dist/openssl/crypto/rsa/rsa_lib.c | 8 +-
crypto/dist/openssl/crypto/x509/x509_trs.c | 1 +
crypto/dist/openssl/crypto/x509/x509_vfy.c | 4 +-
crypto/dist/openssl/demos/engines/ibmca/ica_openssl_api.h | 18 -
crypto/dist/openssl/demos/engines/zencod/hw_zencod.h | 2 +-
crypto/dist/openssl/doc/apps/ca.pod | 8 +-
crypto/dist/openssl/doc/apps/s_client.pod | 2 +-
crypto/dist/openssl/e_os.h | 263 +----------
crypto/dist/openssl/ssl/s3_srvr.c | 10 +-
crypto/dist/openssl/ssl/ssl_sess.c | 4 +-
distrib/sets/lists/base/shl.mi | 6 +-
distrib/sets/lists/comp/obsolete.mi | 4 +-
lib/libcrypto/shlib_version | 4 +-
39 files changed, 350 insertions(+), 437 deletions(-)
diffs (truncated from 1587 to 300 lines):
diff -r 6379d5beed56 -r bd9b77aa2078 crypto/dist/openssl/CHANGES
--- a/crypto/dist/openssl/CHANGES Tue Nov 04 23:45:56 2003 +0000
+++ b/crypto/dist/openssl/CHANGES Tue Nov 04 23:54:26 2003 +0000
@@ -2,6 +2,57 @@
OpenSSL CHANGES
_______________
+ Changes between 0.9.7b and 0.9.7c [30 Sep 2003]
+
+ *) Fix various bugs revealed by running the NISCC test suite:
+
+ Stop out of bounds reads in the ASN1 code when presented with
+ invalid tags (CAN-2003-0543 and CAN-2003-0544).
+
+ Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+
+ If verify callback ignores invalid public key errors don't try to check
+ certificate signature with the NULL public key.
+
+ [Steve Henson]
+
+ *) New -ignore_err option in ocsp application to stop the server
+ exiting on the first error in a request.
+ [Steve Henson]
+
+ *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+ if the server requested one: as stated in TLS 1.0 and SSL 3.0
+ specifications.
+ [Steve Henson]
+
+ *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+ extra data after the compression methods not only for TLS 1.0
+ but also for SSL 3.0 (as required by the specification).
+ [Bodo Moeller; problem pointed out by Matthias Loepfe]
+
+ *) Change X509_certificate_type() to mark the key as exported/exportable
+ when it's 512 *bits* long, not 512 bytes.
+ [Richard Levitte]
+
+ *) Change AES_cbc_encrypt() so it outputs exact multiple of
+ blocks during encryption.
+ [Richard Levitte]
+
+ *) Various fixes to base64 BIO and non blocking I/O. On write
+ flushes were not handled properly if the BIO retried. On read
+ data was not being buffered properly and had various logic bugs.
+ This also affects blocking I/O when the data being decoded is a
+ certain size.
+ [Steve Henson]
+
+ *) Various S/MIME bugfixes and compatibility changes:
+ output correct application/pkcs7 MIME type if
+ PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
+ Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
+ of files as .eml work). Correctly handle very long lines in MIME
+ parser.
+ [Steve Henson]
+
Changes between 0.9.7a and 0.9.7b [10 Apr 2003]
*) Countermeasure against the Klima-Pokorny-Rosa extension of
@@ -120,6 +171,9 @@
Changes between 0.9.6h and 0.9.7 [31 Dec 2002]
+ [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
+ OpenSSL 0.9.7.]
+
*) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
code (06) was taken as the first octet of the session ID and the last
octet was ignored consequently. As a result SSLv2 client side session
@@ -1938,6 +1992,57 @@
*) Clean old EAY MD5 hack from e_os.h.
[Richard Levitte]
+ Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
+
+ *) Fix various bugs revealed by running the NISCC test suite:
+
+ Stop out of bounds reads in the ASN1 code when presented with
+ invalid tags (CAN-2003-0543 and CAN-2003-0544).
+
+ If verify callback ignores invalid public key errors don't try to check
+ certificate signature with the NULL public key.
+
+ [Steve Henson]
+
+ *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+ if the server requested one: as stated in TLS 1.0 and SSL 3.0
+ specifications.
+ [Steve Henson]
+
+ *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+ extra data after the compression methods not only for TLS 1.0
+ but also for SSL 3.0 (as required by the specification).
+ [Bodo Moeller; problem pointed out by Matthias Loepfe]
+
+ *) Change X509_certificate_type() to mark the key as exported/exportable
+ when it's 512 *bits* long, not 512 bytes.
+ [Richard Levitte]
+
+ Changes between 0.9.6i and 0.9.6j [10 Apr 2003]
+
+ *) Countermeasure against the Klima-Pokorny-Rosa extension of
+ Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+ a protocol version number mismatch like a decryption error
+ in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
+ [Bodo Moeller]
+
+ *) Turn on RSA blinding by default in the default implementation
+ to avoid a timing attack. Applications that don't want it can call
+ RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+ They would be ill-advised to do so in most cases.
+ [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
+
+ *) Change RSA blinding code so that it works when the PRNG is not
+ seeded (in this case, the secret RSA exponent is abused as
+ an unpredictable seed -- if it is not unpredictable, there
+ is no point in blinding anyway). Make RSA blinding thread-safe
+ by remembering the creator's thread ID in rsa->blinding and
+ having all other threads use local one-time blinding factors
+ (this requires more computation than sharing rsa->blinding, but
+ avoids excessive locking; and if an RSA object is not shared
+ between threads, blinding will still be very fast).
+ [Bodo Moeller]
+
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
diff -r 6379d5beed56 -r bd9b77aa2078 crypto/dist/openssl/FAQ
--- a/crypto/dist/openssl/FAQ Tue Nov 04 23:45:56 2003 +0000
+++ b/crypto/dist/openssl/FAQ Tue Nov 04 23:54:26 2003 +0000
@@ -68,7 +68,7 @@
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7b was released on April 10, 2003.
+OpenSSL 0.9.7c was released on September 30, 2003.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
diff -r 6379d5beed56 -r bd9b77aa2078 crypto/dist/openssl/apps/progs.h
--- a/crypto/dist/openssl/apps/progs.h Tue Nov 04 23:45:56 2003 +0000
+++ b/crypto/dist/openssl/apps/progs.h Tue Nov 04 23:54:26 2003 +0000
@@ -90,9 +90,7 @@
{FUNC_TYPE_MD,"md5",dgst_main},
{FUNC_TYPE_MD,"sha",dgst_main},
{FUNC_TYPE_MD,"sha1",dgst_main},
-#ifndef OPENSSL_NO_MDC2
{FUNC_TYPE_MD,"mdc2",dgst_main},
-#endif
{FUNC_TYPE_MD,"rmd160",dgst_main},
{FUNC_TYPE_CIPHER,"aes-128-cbc",enc_main},
{FUNC_TYPE_CIPHER,"aes-128-ecb",enc_main},
@@ -104,17 +102,13 @@
{FUNC_TYPE_CIPHER,"des",enc_main},
{FUNC_TYPE_CIPHER,"des3",enc_main},
{FUNC_TYPE_CIPHER,"desx",enc_main},
-#ifndef OPENSSL_NO_IDEA
{FUNC_TYPE_CIPHER,"idea",enc_main},
-#endif
{FUNC_TYPE_CIPHER,"rc4",enc_main},
{FUNC_TYPE_CIPHER,"rc4-40",enc_main},
{FUNC_TYPE_CIPHER,"rc2",enc_main},
{FUNC_TYPE_CIPHER,"bf",enc_main},
{FUNC_TYPE_CIPHER,"cast",enc_main},
-#ifndef OPENSSL_NO_RC5
{FUNC_TYPE_CIPHER,"rc5",enc_main},
-#endif
{FUNC_TYPE_CIPHER,"des-ecb",enc_main},
{FUNC_TYPE_CIPHER,"des-ede",enc_main},
{FUNC_TYPE_CIPHER,"des-ede3",enc_main},
@@ -127,12 +121,10 @@
{FUNC_TYPE_CIPHER,"des-ofb",enc_main},
{FUNC_TYPE_CIPHER,"des-ede-ofb",enc_main},
{FUNC_TYPE_CIPHER,"des-ede3-ofb",enc_main},
-#ifndef OPENSSL_NO_IDEA
{FUNC_TYPE_CIPHER,"idea-cbc",enc_main},
{FUNC_TYPE_CIPHER,"idea-ecb",enc_main},
{FUNC_TYPE_CIPHER,"idea-cfb",enc_main},
{FUNC_TYPE_CIPHER,"idea-ofb",enc_main},
-#endif
{FUNC_TYPE_CIPHER,"rc2-cbc",enc_main},
{FUNC_TYPE_CIPHER,"rc2-ecb",enc_main},
{FUNC_TYPE_CIPHER,"rc2-cfb",enc_main},
@@ -148,11 +140,9 @@
{FUNC_TYPE_CIPHER,"cast5-cfb",enc_main},
{FUNC_TYPE_CIPHER,"cast5-ofb",enc_main},
{FUNC_TYPE_CIPHER,"cast-cbc",enc_main},
-#ifndef OPENSSL_NO_RC5
{FUNC_TYPE_CIPHER,"rc5-cbc",enc_main},
{FUNC_TYPE_CIPHER,"rc5-ecb",enc_main},
{FUNC_TYPE_CIPHER,"rc5-cfb",enc_main},
{FUNC_TYPE_CIPHER,"rc5-ofb",enc_main},
-#endif
{0,NULL,NULL}
};
diff -r 6379d5beed56 -r bd9b77aa2078 crypto/dist/openssl/apps/s_apps.h
--- a/crypto/dist/openssl/apps/s_apps.h Tue Nov 04 23:45:56 2003 +0000
+++ b/crypto/dist/openssl/apps/s_apps.h Tue Nov 04 23:54:26 2003 +0000
@@ -112,13 +112,7 @@
#include <sys/types.h>
#include <openssl/opensslconf.h>
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
-#include <conio.h>
-#endif
-#ifdef OPENSSL_SYS_MSDOS
-#define _kbhit kbhit
-#endif
#if defined(OPENSSL_SYS_VMS) && !defined(FD_SET)
/* VAX C does not defined fd_set and friends, but it's actually quite simple */
diff -r 6379d5beed56 -r bd9b77aa2078 crypto/dist/openssl/apps/smime.c
--- a/crypto/dist/openssl/apps/smime.c Tue Nov 04 23:45:56 2003 +0000
+++ b/crypto/dist/openssl/apps/smime.c Tue Nov 04 23:54:26 2003 +0000
@@ -168,6 +168,10 @@
flags |= PKCS7_BINARY;
else if (!strcmp (*args, "-nosigs"))
flags |= PKCS7_NOSIGS;
+ else if (!strcmp (*args, "-nooldmime"))
+ flags |= PKCS7_NOOLDMIMETYPE;
+ else if (!strcmp (*args, "-crlfeol"))
+ flags |= PKCS7_CRLFEOL;
else if (!strcmp (*args, "-crl_check"))
store_flags |= X509_V_FLAG_CRL_CHECK;
else if (!strcmp (*args, "-crl_check_all"))
diff -r 6379d5beed56 -r bd9b77aa2078 crypto/dist/openssl/crypto/aes/aes.h
--- a/crypto/dist/openssl/crypto/aes/aes.h Tue Nov 04 23:45:56 2003 +0000
+++ b/crypto/dist/openssl/crypto/aes/aes.h Tue Nov 04 23:54:26 2003 +0000
@@ -98,7 +98,7 @@
unsigned char *ivec, int *num);
void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
const unsigned long length, const AES_KEY *key,
- unsigned char counter[AES_BLOCK_SIZE],
+ unsigned char ivec[AES_BLOCK_SIZE],
unsigned char ecount_buf[AES_BLOCK_SIZE],
unsigned int *num);
diff -r 6379d5beed56 -r bd9b77aa2078 crypto/dist/openssl/crypto/asn1/a_mbstr.c
--- a/crypto/dist/openssl/crypto/asn1/a_mbstr.c Tue Nov 04 23:45:56 2003 +0000
+++ b/crypto/dist/openssl/crypto/asn1/a_mbstr.c Tue Nov 04 23:54:26 2003 +0000
@@ -296,7 +296,7 @@
static int out_utf8(unsigned long value, void *arg)
{
- long *outlen;
+ int *outlen;
outlen = arg;
*outlen += UTF8_putc(NULL, -1, value);
return 1;
diff -r 6379d5beed56 -r bd9b77aa2078 crypto/dist/openssl/crypto/asn1/a_strnid.c
--- a/crypto/dist/openssl/crypto/asn1/a_strnid.c Tue Nov 04 23:45:56 2003 +0000
+++ b/crypto/dist/openssl/crypto/asn1/a_strnid.c Tue Nov 04 23:54:26 2003 +0000
@@ -143,7 +143,7 @@
/* Now the tables and helper functions for the string table:
*/
-/* size limits: this stuff is taken straight from RFC2459 */
+/* size limits: this stuff is taken straight from RFC3280 */
#define ub_name 32768
#define ub_common_name 64
@@ -153,6 +153,8 @@
#define ub_organization_unit_name 64
#define ub_title 64
#define ub_email_address 128
+#define ub_serial_number 64
+
/* This table must be kept in NID order */
@@ -170,6 +172,7 @@
{NID_givenName, 1, ub_name, DIRSTRING_TYPE, 0},
{NID_surname, 1, ub_name, DIRSTRING_TYPE, 0},
{NID_initials, 1, ub_name, DIRSTRING_TYPE, 0},
+{NID_serialNumber, 1, ub_serial_number, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
{NID_friendlyName, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
{NID_name, 1, ub_name, DIRSTRING_TYPE, 0},
{NID_dnQualifier, -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
diff -r 6379d5beed56 -r bd9b77aa2078 crypto/dist/openssl/crypto/bio/bss_bio.c
--- a/crypto/dist/openssl/crypto/bio/bss_bio.c Tue Nov 04 23:45:56 2003 +0000
+++ b/crypto/dist/openssl/crypto/bio/bss_bio.c Tue Nov 04 23:54:26 2003 +0000
@@ -1,4 +1,57 @@
/* crypto/bio/bss_bio.c -*- Mode: C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
Home |
Main Index |
Thread Index |
Old Index