提交 14023fe3 编写于 作者: D Dr. Stephen Henson

Merge from 1.0.0-stable branch.

上级 b6b0b0d7
......@@ -4,6 +4,13 @@
Changes between 0.9.8k and 1.0 [xx XXX xxxx]
*) Alter match criteria in PKCS12_parse(). It used to try to use local
key ids to find matching certificates and keys but some PKCS#12 files
don't follow the (somewhat unwritten) rules and this strategy fails.
Now just gather all certificates together and the first private key
then look for the first certificate that matches the key.
[Steve Henson]
*) Support use of registered digest and cipher names for dgst and cipher
commands instead of having to add each one as a special case. So now
you can do:
......
......@@ -27,6 +27,7 @@
o ecdsa-with-SHA224/256/384/512 signature types.
o dsa-with-SHA224 and dsa-with-SHA256 signature types.
o Opaque PRF Input TLS extension support.
o Updated time routines to avoid OS limitations.
Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
......
OpenSSL STATUS Last modified at
______________ $Date: 2009/03/30 11:33:03 $
______________ $Date: 2009/04/03 11:45:14 $
DEVELOPMENT STATE
o OpenSSL 1.0: Under development...
o OpenSSL 1.0.0-beta1: Released on April 1st, 2009
o OpenSSL 0.9.8h: Released on May 28th, 2008
o OpenSSL 0.9.8g: Released on October 19th, 2007
o OpenSSL 0.9.8f: Released on October 11th, 2007
......
......@@ -1366,7 +1366,7 @@ $multilib =
*** debug-ben-debug
$cc = gcc
$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe
$cflags = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -DBN_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe
$unistd =
$thread_cflag = (unknown)
$sys_id =
......
......@@ -62,6 +62,8 @@
on OpenVMS */
#endif
#define USE_SOCKETS
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
......
......@@ -1278,7 +1278,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_BAD_OBJECT_HEADER 102
#define ASN1_R_BAD_PASSWORD_READ 103
#define ASN1_R_BAD_TAG 104
#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210
#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214
#define ASN1_R_BN_LIB 105
#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
#define ASN1_R_BUFFER_TOO_SMALL 107
......@@ -1370,7 +1370,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
#define ASN1_R_UNEXPECTED_EOC 159
#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211
#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 215
#define ASN1_R_UNKNOWN_FORMAT 160
#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161
#define ASN1_R_UNKNOWN_OBJECT_TYPE 162
......
/* crypto/asn1/asn1_err.c */
/* ====================================================================
* Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -176,7 +176,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
{ERR_FUNC(ASN1_F_PKCS5_PBE2_SET_IV), "PKCS5_pbe2_set_iv"},
{ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_pbe_set"},
{ERR_FUNC(ASN1_F_PKCS5_PBE_SET0_ALGOR), "PKCS5_pbe_set0_algor"},
{ERR_FUNC(ASN1_F_SMIME_READ_ASN1), "SMIME_read_asn1"},
{ERR_FUNC(ASN1_F_SMIME_READ_ASN1), "SMIME_read_ASN1"},
{ERR_FUNC(ASN1_F_SMIME_TEXT), "SMIME_text"},
{ERR_FUNC(ASN1_F_X509_CINF_NEW), "X509_CINF_NEW"},
{ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED), "X509_CRL_add0_revoked"},
......
......@@ -150,7 +150,7 @@ int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
/* first - get the length */
while (net_num < HDRSIZE)
{
#ifndef _WIN32
#ifndef OPENSSL_SYS_WIN32
i=read(fd,(void *)&(net[net_num]),HDRSIZE-net_num);
#else
i=_read(fd,(void *)&(net[net_num]),HDRSIZE-net_num);
......
/* AUTOGENERATED BY objxref.pl, DO NOT EDIT */
/* AUTOGENERATED BY crypto/objects/objxref.pl, DO NOT EDIT */
typedef struct
{
......
......@@ -63,16 +63,13 @@
/* Simplified PKCS#12 routines */
static int parse_pk12( PKCS12 *p12, const char *pass, int passlen,
EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);
EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
static int parse_bags( STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
int passlen, EVP_PKEY **pkey, X509 **cert,
STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
char *keymatch);
int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
ASN1_OCTET_STRING **keyid, char *keymatch);
EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
/* Parse and decrypt a PKCS#12 structure returning user key, user cert
* and other (CA) certs. Note either ca should be NULL, *ca should be NULL,
......@@ -83,24 +80,20 @@ static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
STACK_OF(X509) **ca)
{
STACK_OF(X509) *ocerts = NULL;
X509 *x;
/* Check for NULL PKCS12 structure */
if(!p12) {
if(!p12)
{
PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
return 0;
}
/* Allocate stack for ca certificates if needed */
if ((ca != NULL) && (*ca == NULL)) {
if (!(*ca = sk_X509_new_null())) {
PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
return 0;
}
}
if(pkey) *pkey = NULL;
if(cert) *cert = NULL;
if(pkey)
*pkey = NULL;
if(cert)
*cert = NULL;
/* Check the mac */
......@@ -122,19 +115,61 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
goto err;
}
if (!parse_pk12 (p12, pass, -1, pkey, cert, ca))
/* Allocate stack for other certificates */
ocerts = sk_X509_new_null();
if (!ocerts)
{
PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
return 0;
}
if (!parse_pk12 (p12, pass, -1, pkey, ocerts))
{
PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);
goto err;
}
while ((x = sk_X509_pop(ocerts)))
{
if (pkey && *pkey && cert && !*cert)
{
if (X509_check_private_key(x, *pkey))
{
*cert = x;
x = NULL;
}
}
if (ca && x)
{
if (!*ca)
*ca = sk_X509_new_null();
if (!*ca)
goto err;
if (!sk_X509_push(*ca, x))
goto err;
x = NULL;
}
if (x)
X509_free(x);
}
if (ocerts)
sk_X509_pop_free(ocerts, X509_free);
return 1;
err:
if (pkey && *pkey) EVP_PKEY_free(*pkey);
if (cert && *cert) X509_free(*cert);
if (ca) sk_X509_pop_free(*ca, X509_free);
if (pkey && *pkey)
EVP_PKEY_free(*pkey);
if (cert && *cert)
X509_free(*cert);
if (x)
X509_free(*cert);
if (ocerts)
sk_X509_pop_free(ocerts, X509_free);
return 0;
}
......@@ -142,15 +177,13 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
/* Parse the outer PKCS#12 structure */
static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
{
STACK_OF(PKCS7) *asafes;
STACK_OF(PKCS12_SAFEBAG) *bags;
int i, bagnid;
PKCS7 *p7;
ASN1_OCTET_STRING *keyid = NULL;
char keymatch = 0;
if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0;
for (i = 0; i < sk_PKCS7_num (asafes); i++) {
p7 = sk_PKCS7_value (asafes, i);
......@@ -164,8 +197,7 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
sk_PKCS7_pop_free(asafes, PKCS7_free);
return 0;
}
if (!parse_bags(bags, pass, passlen, pkey, cert, ca,
&keyid, &keymatch)) {
if (!parse_bags(bags, pass, passlen, pkey, ocerts)) {
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
sk_PKCS7_pop_free(asafes, PKCS7_free);
return 0;
......@@ -173,89 +205,65 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
}
sk_PKCS7_pop_free(asafes, PKCS7_free);
if (keyid) M_ASN1_OCTET_STRING_free(keyid);
return 1;
}
static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
int passlen, EVP_PKEY **pkey, X509 **cert,
STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
char *keymatch)
int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
{
int i;
for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
if (!parse_bag(sk_PKCS12_SAFEBAG_value (bags, i),
pass, passlen, pkey, cert, ca, keyid,
keymatch)) return 0;
pass, passlen, pkey, ocerts))
return 0;
}
return 1;
}
#define MATCH_KEY 0x1
#define MATCH_CERT 0x2
#define MATCH_ALL 0x3
static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
ASN1_OCTET_STRING **keyid,
char *keymatch)
EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
{
PKCS8_PRIV_KEY_INFO *p8;
X509 *x509;
ASN1_OCTET_STRING *lkey = NULL, *ckid = NULL;
ASN1_TYPE *attrib;
ASN1_BMPSTRING *fname = NULL;
ASN1_OCTET_STRING *lkid = NULL;
if ((attrib = PKCS12_get_attr (bag, NID_friendlyName)))
fname = attrib->value.bmpstring;
if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) {
lkey = attrib->value.octet_string;
ckid = lkey;
}
if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
lkid = attrib->value.octet_string;
/* Check for any local key id matching (if needed) */
if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
if (*keyid) {
if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey = NULL;
} else {
if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
PKCS12err(PKCS12_F_PARSE_BAG,ERR_R_MALLOC_FAILURE);
return 0;
}
}
}
switch (M_PKCS12_bag_type(bag))
{
case NID_keyBag:
if (!lkey || !pkey) return 1;
if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag))) return 0;
*keymatch |= MATCH_KEY;
if (!pkey || *pkey)
return 1;
if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag)))
return 0;
break;
case NID_pkcs8ShroudedKeyBag:
if (!lkey || !pkey) return 1;
if (!pkey || *pkey)
return 1;
if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
return 0;
*pkey = EVP_PKCS82PKEY(p8);
PKCS8_PRIV_KEY_INFO_free(p8);
if (!(*pkey)) return 0;
*keymatch |= MATCH_KEY;
break;
case NID_certBag:
if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
return 1;
if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
if(ckid)
return 1;
if (!(x509 = PKCS12_certbag2x509(bag)))
return 0;
if(lkid && !X509_keyid_set1(x509, lkid->data, lkid->length))
{
if (!X509_keyid_set1(x509, ckid->data, ckid->length))
{
X509_free(x509);
return 0;
}
X509_free(x509);
return 0;
}
if(fname) {
int len, r;
......@@ -272,20 +280,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
}
}
if(!sk_X509_push(ocerts, x509))
{
X509_free(x509);
return 0;
}
if (lkey) {
*keymatch |= MATCH_CERT;
if (cert) *cert = x509;
else X509_free(x509);
} else {
if(ca) sk_X509_push (*ca, x509);
else X509_free(x509);
}
break;
case NID_safeContentsBag:
return parse_bags(bag->value.safes, pass, passlen,
pkey, cert, ca, keyid, keymatch);
pkey, ocerts);
break;
default:
......
......@@ -1967,29 +1967,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
#define sk_X509_POLICY_NODE_sort(st) SKM_sk_sort(X509_POLICY_NODE, (st))
#define sk_X509_POLICY_NODE_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_NODE, (st))
#define sk_X509_POLICY_REF_new(cmp) SKM_sk_new(X509_POLICY_REF, (cmp))
#define sk_X509_POLICY_REF_new_null() SKM_sk_new_null(X509_POLICY_REF)
#define sk_X509_POLICY_REF_free(st) SKM_sk_free(X509_POLICY_REF, (st))
#define sk_X509_POLICY_REF_num(st) SKM_sk_num(X509_POLICY_REF, (st))
#define sk_X509_POLICY_REF_value(st, i) SKM_sk_value(X509_POLICY_REF, (st), (i))
#define sk_X509_POLICY_REF_set(st, i, val) SKM_sk_set(X509_POLICY_REF, (st), (i), (val))
#define sk_X509_POLICY_REF_zero(st) SKM_sk_zero(X509_POLICY_REF, (st))
#define sk_X509_POLICY_REF_push(st, val) SKM_sk_push(X509_POLICY_REF, (st), (val))
#define sk_X509_POLICY_REF_unshift(st, val) SKM_sk_unshift(X509_POLICY_REF, (st), (val))
#define sk_X509_POLICY_REF_find(st, val) SKM_sk_find(X509_POLICY_REF, (st), (val))
#define sk_X509_POLICY_REF_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_REF, (st), (val))
#define sk_X509_POLICY_REF_delete(st, i) SKM_sk_delete(X509_POLICY_REF, (st), (i))
#define sk_X509_POLICY_REF_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_REF, (st), (ptr))
#define sk_X509_POLICY_REF_insert(st, val, i) SKM_sk_insert(X509_POLICY_REF, (st), (val), (i))
#define sk_X509_POLICY_REF_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_REF, (st), (cmp))
#define sk_X509_POLICY_REF_dup(st) SKM_sk_dup(X509_POLICY_REF, st)
#define sk_X509_POLICY_REF_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_REF, (st), (free_func))
#define sk_X509_POLICY_REF_free(st) SKM_sk_free(X509_POLICY_REF, (st))
#define sk_X509_POLICY_REF_shift(st) SKM_sk_shift(X509_POLICY_REF, (st))
#define sk_X509_POLICY_REF_pop(st) SKM_sk_pop(X509_POLICY_REF, (st))
#define sk_X509_POLICY_REF_sort(st) SKM_sk_sort(X509_POLICY_REF, (st))
#define sk_X509_POLICY_REF_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_REF, (st))
#define sk_X509_PURPOSE_new(cmp) SKM_sk_new(X509_PURPOSE, (cmp))
#define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE)
#define sk_X509_PURPOSE_free(st) SKM_sk_free(X509_PURPOSE, (st))
......
......@@ -231,7 +231,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
tree->auth_policies = NULL;
tree->user_policies = NULL;
if (!tree)
if (!tree->levels)
{
OPENSSL_free(tree);
return 0;
......
......@@ -51,7 +51,7 @@ int main(int argc, char **argv)
fprintf(fp, "***User Certificate***\n");
PEM_write_X509_AUX(fp, cert);
}
if (ca && sk_num(ca)) {
if (ca && sk_X509_num(ca)) {
fprintf(fp, "***Other Certificates***\n");
for (i = 0; i < sk_X509_num(ca); i++)
PEM_write_X509_AUX(fp, sk_X509_value(ca, i));
......
......@@ -23,6 +23,7 @@ B<openssl> B<x509>
[B<-issuer>]
[B<-nameopt option>]
[B<-email>]
[B<-ocsp_uri>]
[B<-startdate>]
[B<-enddate>]
[B<-purpose>]
......@@ -176,6 +177,10 @@ set multiple options. See the B<NAME OPTIONS> section for more information.
outputs the email address(es) if any.
=item B<-ocsp_uri>
outputs the OCSP responder address(es) if any.
=item B<-startdate>
prints out the start date of the certificate, that is the notBefore date.
......
......@@ -55,7 +55,7 @@ install:
esac; \
cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$${pfx}$(LIBNAME)$$sfx.new; \
else \
sfx="so"; \
sfx=".so"; \
cp cyg$(LIBNAME).dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$${pfx}$(LIBNAME)$$sfx.new; \
fi; \
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$${pfx}$(LIBNAME)$$sfx.new; \
......
......@@ -425,8 +425,6 @@ int dtls1_connect(SSL *s)
s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
}
s->init_num=0;
/* mark client_random uninitialized */
memset (s->s3->client_random,0,sizeof(s->s3->client_random));
break;
case SSL3_ST_CR_FINISHED_A:
......
......@@ -573,7 +573,11 @@ ideatest.o: ../include/openssl/opensslconf.h ideatest.c
igetest.o: ../include/openssl/aes.h ../include/openssl/e_os2.h
igetest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h
igetest.o: ../include/openssl/rand.h igetest.c
jpaketest.o: ../include/openssl/opensslconf.h jpaketest.c
jpaketest.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
jpaketest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
jpaketest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
jpaketest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
jpaketest.o: ../include/openssl/symhacks.h jpaketest.c
md2test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
md2test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
md2test.o: ../include/openssl/evp.h ../include/openssl/md2.h
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册