diff options
| author | marha <marha@users.sourceforge.net> | 2011-09-30 08:40:25 +0200 | 
|---|---|---|
| committer | marha <marha@users.sourceforge.net> | 2011-09-30 08:40:25 +0200 | 
| commit | 60adbfdea1ee754341d64454274e7aa83bae8971 (patch) | |
| tree | 1b56329c88f1a881b0e7297bb4283cfbb7e39c97 /openssl/ssl | |
| parent | af72dcd109d7610b96863035541250997c7a172e (diff) | |
| download | vcxsrv-60adbfdea1ee754341d64454274e7aa83bae8971.tar.gz vcxsrv-60adbfdea1ee754341d64454274e7aa83bae8971.tar.bz2 vcxsrv-60adbfdea1ee754341d64454274e7aa83bae8971.zip | |
Upgraded to openssl-1.0.0e
Diffstat (limited to 'openssl/ssl')
| -rw-r--r-- | openssl/ssl/bio_ssl.c | 4 | ||||
| -rw-r--r-- | openssl/ssl/d1_both.c | 28 | ||||
| -rw-r--r-- | openssl/ssl/d1_clnt.c | 6 | ||||
| -rw-r--r-- | openssl/ssl/d1_lib.c | 65 | ||||
| -rw-r--r-- | openssl/ssl/d1_pkt.c | 20 | ||||
| -rw-r--r-- | openssl/ssl/d1_srvr.c | 26 | ||||
| -rw-r--r-- | openssl/ssl/install-ssl.com | 136 | ||||
| -rw-r--r-- | openssl/ssl/install.com | 90 | ||||
| -rw-r--r-- | openssl/ssl/s3_clnt.c | 2 | ||||
| -rw-r--r-- | openssl/ssl/s3_lib.c | 6 | ||||
| -rw-r--r-- | openssl/ssl/s3_pkt.c | 6 | ||||
| -rw-r--r-- | openssl/ssl/s3_srvr.c | 23 | ||||
| -rw-r--r-- | openssl/ssl/ssl-lib.com | 306 | ||||
| -rw-r--r-- | openssl/ssl/ssl_lib.c | 32 | 
14 files changed, 484 insertions, 266 deletions
| diff --git a/openssl/ssl/bio_ssl.c b/openssl/ssl/bio_ssl.c index af319af30..eedac8a3f 100644 --- a/openssl/ssl/bio_ssl.c +++ b/openssl/ssl/bio_ssl.c @@ -348,7 +348,11 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)  		break;  	case BIO_C_SET_SSL:  		if (ssl != NULL) +			{  			ssl_free(b); +			if (!ssl_new(b)) +				return 0; +			}  		b->shutdown=(int)num;  		ssl=(SSL *)ptr;  		((BIO_SSL *)b->ptr)->ssl=ssl; diff --git a/openssl/ssl/d1_both.c b/openssl/ssl/d1_both.c index 4ce4064cc..2180c6d4d 100644 --- a/openssl/ssl/d1_both.c +++ b/openssl/ssl/d1_both.c @@ -153,7 +153,7 @@  #endif  static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80}; -static unsigned char bitmask_end_values[]   = {0x00, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f}; +static unsigned char bitmask_end_values[]   = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};  /* XDTLS:  figure out the right values */  static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; @@ -464,20 +464,9 @@ again:  	memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); -	s->d1->handshake_read_seq++; -	/* we just read a handshake message from the other side: -	 * this means that we don't need to retransmit of the -	 * buffered messages.   -	 * XDTLS: may be able clear out this -	 * buffer a little sooner (i.e if an out-of-order -	 * handshake message/record is received at the record -	 * layer.   -	 * XDTLS: exception is that the server needs to -	 * know that change cipher spec and finished messages -	 * have been received by the client before clearing this -	 * buffer.  this can simply be done by waiting for the -	 * first data  segment, but is there a better way?  */ -	dtls1_clear_record_buffer(s); +	/* Don't change sequence numbers while listening */ +	if (!s->d1->listen) +		s->d1->handshake_read_seq++;  	s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;  	return s->init_num; @@ -813,9 +802,11 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)  	/*   	 * if this is a future (or stale) message it gets buffered -	 * (or dropped)--no further processing at this time  +	 * (or dropped)--no further processing at this time +	 * While listening, we accept seq 1 (ClientHello with cookie) +	 * although we're still expecting seq 0 (ClientHello)  	 */ -	if ( msg_hdr.seq != s->d1->handshake_read_seq) +	if (msg_hdr.seq != s->d1->handshake_read_seq && !(s->d1->listen && msg_hdr.seq == 1))  		return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);  	len = msg_hdr.msg_len; @@ -1322,7 +1313,8 @@ unsigned char *  dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt,  			unsigned long len, unsigned long frag_off, unsigned long frag_len)  	{ -	if ( frag_off == 0) +	/* Don't change sequence numbers while listening */ +	if (frag_off == 0 && !s->d1->listen)  		{  		s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;  		s->d1->next_handshake_write_seq++; diff --git a/openssl/ssl/d1_clnt.c b/openssl/ssl/d1_clnt.c index 5bc9eb660..089fa4c7f 100644 --- a/openssl/ssl/d1_clnt.c +++ b/openssl/ssl/d1_clnt.c @@ -407,7 +407,8 @@ int dtls1_connect(SSL *s)  		case SSL3_ST_CW_CHANGE_A:  		case SSL3_ST_CW_CHANGE_B: -			dtls1_start_timer(s); +			if (!s->hit) +				dtls1_start_timer(s);  			ret=dtls1_send_change_cipher_spec(s,  				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);  			if (ret <= 0) goto end; @@ -442,7 +443,8 @@ int dtls1_connect(SSL *s)  		case SSL3_ST_CW_FINISHED_A:  		case SSL3_ST_CW_FINISHED_B: -			dtls1_start_timer(s); +			if (!s->hit) +				dtls1_start_timer(s);  			ret=dtls1_send_finished(s,  				SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,  				s->method->ssl3_enc->client_finished_label, diff --git a/openssl/ssl/d1_lib.c b/openssl/ssl/d1_lib.c index 96b220e87..48e8b6ffb 100644 --- a/openssl/ssl/d1_lib.c +++ b/openssl/ssl/d1_lib.c @@ -129,26 +129,33 @@ int dtls1_new(SSL *s)  	return(1);  	} -void dtls1_free(SSL *s) +static void dtls1_clear_queues(SSL *s)  	{      pitem *item = NULL;      hm_fragment *frag = NULL; - -	ssl3_free(s); +	DTLS1_RECORD_DATA *rdata;      while( (item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL)          { +		rdata = (DTLS1_RECORD_DATA *) item->data; +		if (rdata->rbuf.buf) +			{ +			OPENSSL_free(rdata->rbuf.buf); +			}          OPENSSL_free(item->data);          pitem_free(item);          } -    pqueue_free(s->d1->unprocessed_rcds.q);      while( (item = pqueue_pop(s->d1->processed_rcds.q)) != NULL)          { +		rdata = (DTLS1_RECORD_DATA *) item->data; +		if (rdata->rbuf.buf) +			{ +			OPENSSL_free(rdata->rbuf.buf); +			}          OPENSSL_free(item->data);          pitem_free(item);          } -    pqueue_free(s->d1->processed_rcds.q);      while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)          { @@ -157,7 +164,6 @@ void dtls1_free(SSL *s)          OPENSSL_free(frag);          pitem_free(item);          } -    pqueue_free(s->d1->buffered_messages);      while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)          { @@ -166,7 +172,6 @@ void dtls1_free(SSL *s)          OPENSSL_free(frag);          pitem_free(item);          } -	pqueue_free(s->d1->sent_messages);  	while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)  		{ @@ -175,6 +180,18 @@ void dtls1_free(SSL *s)  		OPENSSL_free(frag);  		pitem_free(item);  		} +	} + +void dtls1_free(SSL *s) +	{ +	ssl3_free(s); + +	dtls1_clear_queues(s); + +    pqueue_free(s->d1->unprocessed_rcds.q); +    pqueue_free(s->d1->processed_rcds.q); +    pqueue_free(s->d1->buffered_messages); +	pqueue_free(s->d1->sent_messages);  	pqueue_free(s->d1->buffered_app_data.q);  	OPENSSL_free(s->d1); @@ -182,6 +199,36 @@ void dtls1_free(SSL *s)  void dtls1_clear(SSL *s)  	{ +    pqueue unprocessed_rcds; +    pqueue processed_rcds; +    pqueue buffered_messages; +	pqueue sent_messages; +	pqueue buffered_app_data; +	 +	if (s->d1) +		{ +		unprocessed_rcds = s->d1->unprocessed_rcds.q; +		processed_rcds = s->d1->processed_rcds.q; +		buffered_messages = s->d1->buffered_messages; +		sent_messages = s->d1->sent_messages; +		buffered_app_data = s->d1->buffered_app_data.q; + +		dtls1_clear_queues(s); + +		memset(s->d1, 0, sizeof(*(s->d1))); + +		if (s->server) +			{ +			s->d1->cookie_len = sizeof(s->d1->cookie); +			} + +		s->d1->unprocessed_rcds.q = unprocessed_rcds; +		s->d1->processed_rcds.q = processed_rcds; +		s->d1->buffered_messages = buffered_messages; +		s->d1->sent_messages = sent_messages; +		s->d1->buffered_app_data.q = buffered_app_data; +		} +  	ssl3_clear(s);  	if (s->options & SSL_OP_CISCO_ANYCONNECT)  		s->version=DTLS1_BAD_VER; @@ -330,6 +377,8 @@ void dtls1_stop_timer(SSL *s)  	memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));  	s->d1->timeout_duration = 1;  	BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout)); +	/* Clear retransmission buffer */ +	dtls1_clear_record_buffer(s);  	}  int dtls1_handle_timeout(SSL *s) @@ -349,7 +398,7 @@ int dtls1_handle_timeout(SSL *s)  		{  		/* fail the connection, enough alerts have been sent */  		SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED); -		return 0; +		return -1;  		}  	state->timeout.read_timeouts++; diff --git a/openssl/ssl/d1_pkt.c b/openssl/ssl/d1_pkt.c index c10514222..39aac73e1 100644 --- a/openssl/ssl/d1_pkt.c +++ b/openssl/ssl/d1_pkt.c @@ -409,13 +409,13 @@ dtls1_process_record(SSL *s)  	enc_err = s->method->ssl3_enc->enc(s,0);  	if (enc_err <= 0)  		{ -		if (enc_err == 0) -			/* SSLerr() and ssl3_send_alert() have been called */ -			goto err; - -		/* otherwise enc_err == -1 */ -		al=SSL_AD_BAD_RECORD_MAC; -		goto f_err; +		/* decryption failed, silently discard message */ +		if (enc_err < 0) +			{ +			rr->length = 0; +			s->packet_length = 0; +			} +		goto err;  		}  #ifdef TLS_DEBUG @@ -658,10 +658,12 @@ again:  	/* If this record is from the next epoch (either HM or ALERT),  	 * and a handshake is currently in progress, buffer it since it -	 * cannot be processed at this time. */ +	 * cannot be processed at this time. However, do not buffer +	 * anything while listening. +	 */  	if (is_next_epoch)  		{ -		if (SSL_in_init(s) || s->in_handshake) +		if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)  			{  			dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);  			} diff --git a/openssl/ssl/d1_srvr.c b/openssl/ssl/d1_srvr.c index 301ceda7a..a6a4c87ea 100644 --- a/openssl/ssl/d1_srvr.c +++ b/openssl/ssl/d1_srvr.c @@ -150,6 +150,7 @@ int dtls1_accept(SSL *s)  	unsigned long alg_k;  	int ret= -1;  	int new_state,state,skip=0; +	int listen;  	RAND_add(&Time,sizeof(Time),0);  	ERR_clear_error(); @@ -159,11 +160,15 @@ int dtls1_accept(SSL *s)  		cb=s->info_callback;  	else if (s->ctx->info_callback != NULL)  		cb=s->ctx->info_callback; +	 +	listen = s->d1->listen;  	/* init things to blank */  	s->in_handshake++;  	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); +	s->d1->listen = listen; +  	if (s->cert == NULL)  		{  		SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET); @@ -273,11 +278,23 @@ int dtls1_accept(SSL *s)  			s->init_num=0; +			/* Reflect ClientHello sequence to remain stateless while listening */ +			if (listen) +				{ +				memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence)); +				} +  			/* If we're just listening, stop here */ -			if (s->d1->listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) +			if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)  				{  				ret = 2;  				s->d1->listen = 0; +				/* Set expected sequence numbers +				 * to continue the handshake. +				 */ +				s->d1->handshake_read_seq = 2; +				s->d1->handshake_write_seq = 1; +				s->d1->next_handshake_write_seq = 1;  				goto end;  				} @@ -286,7 +303,6 @@ int dtls1_accept(SSL *s)  		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:  		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: -			dtls1_start_timer(s);  			ret = dtls1_send_hello_verify_request(s);  			if ( ret <= 0) goto end;  			s->state=SSL3_ST_SW_FLUSH; @@ -736,9 +752,6 @@ int dtls1_send_hello_verify_request(SSL *s)  		/* number of bytes to write */  		s->init_num=p-buf;  		s->init_off=0; - -		/* buffer the message to handle re-xmits */ -		dtls1_buffer_message(s, 0);  		}  	/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ @@ -1017,12 +1030,11 @@ int dtls1_send_server_key_exchange(SSL *s)  				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);  				goto err;  				} -			if (!EC_KEY_up_ref(ecdhp)) +			if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)  				{  				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);  				goto err;  				} -			ecdh = ecdhp;  			s->s3->tmp.ecdh=ecdh;  			if ((EC_KEY_get0_public_key(ecdh) == NULL) || diff --git a/openssl/ssl/install-ssl.com b/openssl/ssl/install-ssl.com new file mode 100644 index 000000000..1bd6ccaa7 --- /dev/null +++ b/openssl/ssl/install-ssl.com @@ -0,0 +1,136 @@ +$! INSTALL-SSL.COM -- Installs the files in a given directory tree +$! +$! Author: Richard Levitte <richard@levitte.org> +$! Time of creation: 22-MAY-1998 10:13 +$! +$! P1  root of the directory tree +$! P2  "64" for 64-bit pointers. +$! +$! +$! Announce/identify. +$! +$ proc = f$environment( "procedure") +$ write sys$output "@@@ "+ - +   f$parse( proc, , , "name")+ f$parse( proc, , , "type") +$! +$ on error then goto tidy +$ on control_c then goto tidy +$! +$ if p1 .eqs. "" +$ then +$   write sys$output "First argument missing." +$   write sys$output - +     "It should be the directory where you want things installed." +$   exit +$ endif +$! +$ if (f$getsyi( "cpu") .lt. 128) +$ then +$     arch = "VAX" +$ else +$     arch = f$edit( f$getsyi( "arch_name"), "upcase") +$     if (arch .eqs. "") then arch = "UNK" +$ endif +$! +$ archd = arch +$ lib32 = "32" +$ shr = "_SHR32" +$! +$ if (p2 .nes. "") +$ then +$   if (p2 .eqs. "64") +$   then +$     archd = arch+ "_64" +$     lib32 = "" +$     shr = "_SHR" +$   else +$     if (p2 .nes. "32") +$     then +$       write sys$output "Second argument invalid." +$       write sys$output "It should be "32", "64", or nothing." +$       exit +$     endif +$   endif +$ endif +$! +$ root = f$parse( p1, "[]A.;0", , , "syntax_only, no_conceal") - "A.;0" +$ root_dev = f$parse(root,,,"device","syntax_only") +$ root_dir = f$parse(root,,,"directory","syntax_only") - - +   "[000000." - "][" - "[" - "]" +$ root = root_dev + "[" + root_dir +$! +$ define /nolog wrk_sslroot 'root'.] /trans=conc +$ define /nolog wrk_sslinclude wrk_sslroot:[include] +$ define /nolog wrk_sslxexe wrk_sslroot:['archd'_exe] +$ define /nolog wrk_sslxlib wrk_sslroot:['arch'_lib] +$! +$ if f$parse("wrk_sslroot:[000000]") .eqs. "" then - +   create /directory /log wrk_sslroot:[000000] +$ if f$parse("wrk_sslinclude:") .eqs. "" then - +   create /directory /log wrk_sslinclude: +$ if f$parse("wrk_sslxexe:") .eqs. "" then - +   create /directory /log wrk_sslxexe: +$ if f$parse("wrk_sslxlib:") .eqs. "" then - +   create /directory /log wrk_sslxlib: +$! +$ exheader := ssl.h, ssl2.h, ssl3.h, ssl23.h, tls1.h, dtls1.h, kssl.h +$ e_exe := ssl_task +$ libs := ssl_libssl +$! +$ xexe_dir := [-.'archd'.exe.ssl] +$! +$ copy /protection = w:re 'exheader' wrk_sslinclude: /log +$! +$ i = 0 +$ loop_exe: +$   e = f$edit( f$element( i, ",", e_exe), "trim") +$   i = i + 1 +$   if e .eqs. "," then goto loop_exe_end +$   set noon +$   file = xexe_dir+ e+ ".exe" +$   if f$search( file) .nes. "" +$   then +$     copy /protection = w:re 'file' wrk_sslxexe: /log +$   endif +$   set on +$ goto loop_exe +$ loop_exe_end: +$! +$ i = 0 +$ loop_lib:  +$   e = f$edit(f$element(i, ",", libs),"trim") +$   i = i + 1 +$   if e .eqs. "," then goto loop_lib_end +$   set noon +$! Object library. +$   file = xexe_dir+ e+ lib32+ ".olb" +$   if f$search( file) .nes. "" +$   then +$     copy /protection = w:re 'file' wrk_sslxlib: /log +$   endif +$! Shareable image. +$   file = xexe_dir+ e+ shr+ ".exe" +$   if f$search( file) .nes. "" +$   then +$     copy /protection = w:re 'file' wrk_sslxlib: /log +$   endif +$   set on +$ goto loop_lib +$ loop_lib_end: +$! +$ tidy: +$! +$ call deass wrk_sslroot +$ call deass wrk_sslinclude +$ call deass wrk_sslxexe +$ call deass wrk_sslxlib +$! +$ exit +$! +$ deass: subroutine +$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "") +$ then +$   deassign /process 'p1' +$ endif +$ endsubroutine +$! diff --git a/openssl/ssl/install.com b/openssl/ssl/install.com deleted file mode 100644 index fe1d7268e..000000000 --- a/openssl/ssl/install.com +++ /dev/null @@ -1,90 +0,0 @@ -$! INSTALL.COM -- Installs the files in a given directory tree -$! -$! Author: Richard Levitte <richard@levitte.org> -$! Time of creation: 22-MAY-1998 10:13 -$! -$! P1	root of the directory tree -$! -$	IF P1 .EQS. "" -$	THEN -$	    WRITE SYS$OUTPUT "First argument missing." -$	    WRITE SYS$OUTPUT - -		  "It should be the directory where you want things installed." -$	    EXIT -$	ENDIF -$ -$	IF (F$GETSYI("CPU").LT.128) -$	THEN -$	    ARCH := VAX -$	ELSE -$	    ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE") -$	    IF (ARCH .EQS. "") THEN ARCH = "UNK" -$	ENDIF -$ -$	ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0" -$	ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY") -$	ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") - -		   - "[000000." - "][" - "[" - "]" -$	ROOT = ROOT_DEV + "[" + ROOT_DIR -$ -$	DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC -$	DEFINE/NOLOG WRK_SSLXLIB WRK_SSLROOT:['ARCH'_LIB] -$	DEFINE/NOLOG WRK_SSLINCLUDE WRK_SSLROOT:[INCLUDE] -$	DEFINE/NOLOG WRK_SSLXEXE WRK_SSLROOT:['ARCH'_EXE] -$ -$	IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN - -	   CREATE/DIR/LOG WRK_SSLROOT:[000000] -$	IF F$PARSE("WRK_SSLXLIB:") .EQS. "" THEN - -	   CREATE/DIR/LOG WRK_SSLXLIB: -$	IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN - -	   CREATE/DIR/LOG WRK_SSLINCLUDE: -$	IF F$PARSE("WRK_SSLXEXE:") .EQS. "" THEN - -	   CREATE/DIR/LOG WRK_SSLXEXE: -$ -$	EXHEADER := ssl.h,ssl2.h,ssl3.h,ssl23.h,tls1.h,dtls1.h,kssl.h -$	E_EXE := ssl_task -$	LIBS := LIBSSL,LIBSSL32 -$ -$	XEXE_DIR := [-.'ARCH'.EXE.SSL] -$ -$	COPY 'EXHEADER' WRK_SSLINCLUDE:/LOG -$	SET FILE/PROT=WORLD:RE WRK_SSLINCLUDE:'EXHEADER' -$ -$	I = 0 -$ LOOP_EXE:  -$	E = F$EDIT(F$ELEMENT(I, ",", E_EXE),"TRIM") -$	I = I + 1 -$	IF E .EQS. "," THEN GOTO LOOP_EXE_END -$	SET NOON -$	IF F$SEARCH(XEXE_DIR+E+".EXE") .NES. "" -$	THEN -$	  COPY 'XEXE_DIR''E'.EXE WRK_SSLXEXE:'E'.EXE/log -$	  SET FILE/PROT=W:RE WRK_SSLXEXE:'E'.EXE -$	ENDIF -$	SET ON -$	GOTO LOOP_EXE -$ LOOP_EXE_END: -$ -$	I = 0 -$ LOOP_LIB:  -$	E = F$EDIT(F$ELEMENT(I, ",", LIBS),"TRIM") -$	I = I + 1 -$	IF E .EQS. "," THEN GOTO LOOP_LIB_END -$	SET NOON -$! Object library. -$	IF F$SEARCH(XEXE_DIR+E+".OLB") .NES. "" -$	THEN -$	  COPY 'XEXE_DIR''E'.OLB WRK_SSLXLIB:'E'.OLB/log -$	  SET FILE/PROT=W:RE WRK_SSLXLIB:'E'.OLB -$	ENDIF -$! Shareable image. -$	IF F$SEARCH(XEXE_DIR+E+".EXE") .NES. "" -$	THEN -$	  COPY 'XEXE_DIR''E'.EXE WRK_SSLXLIB:'E'.EXE/log -$	  SET FILE/PROT=W:RE WRK_SSLXLIB:'E'.EXE -$	ENDIF -$	SET ON -$	GOTO LOOP_LIB -$ LOOP_LIB_END: -$ -$	EXIT diff --git a/openssl/ssl/s3_clnt.c b/openssl/ssl/s3_clnt.c index c22837d05..50bd415b5 100644 --- a/openssl/ssl/s3_clnt.c +++ b/openssl/ssl/s3_clnt.c @@ -2243,6 +2243,7 @@ int ssl3_send_client_key_exchange(SSL *s)  			if (!DH_generate_key(dh_clnt))  				{  				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); +				DH_free(dh_clnt);  				goto err;  				} @@ -2254,6 +2255,7 @@ int ssl3_send_client_key_exchange(SSL *s)  			if (n <= 0)  				{  				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); +				DH_free(dh_clnt);  				goto err;  				} diff --git a/openssl/ssl/s3_lib.c b/openssl/ssl/s3_lib.c index d6b047c99..62c791cb7 100644 --- a/openssl/ssl/s3_lib.c +++ b/openssl/ssl/s3_lib.c @@ -2198,11 +2198,17 @@ void ssl3_clear(SSL *s)  		}  #ifndef OPENSSL_NO_DH  	if (s->s3->tmp.dh != NULL) +		{  		DH_free(s->s3->tmp.dh); +		s->s3->tmp.dh = NULL; +		}  #endif  #ifndef OPENSSL_NO_ECDH  	if (s->s3->tmp.ecdh != NULL) +		{  		EC_KEY_free(s->s3->tmp.ecdh); +		s->s3->tmp.ecdh = NULL; +		}  #endif  	rp = s->s3->rbuf.buf; diff --git a/openssl/ssl/s3_pkt.c b/openssl/ssl/s3_pkt.c index e3f6050a2..f9b3629cf 100644 --- a/openssl/ssl/s3_pkt.c +++ b/openssl/ssl/s3_pkt.c @@ -246,7 +246,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)  		if (i <= 0)  			{  			rb->left = left; -			if (s->mode & SSL_MODE_RELEASE_BUFFERS) +			if (s->mode & SSL_MODE_RELEASE_BUFFERS && +			    SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)  				if (len+left == 0)  					ssl3_release_read_buffer(s);  			return(i); @@ -846,7 +847,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,  			{  			wb->left=0;  			wb->offset+=i; -			if (s->mode & SSL_MODE_RELEASE_BUFFERS) +			if (s->mode & SSL_MODE_RELEASE_BUFFERS && +			    SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)  				ssl3_release_write_buffer(s);  			s->rwstate=SSL_NOTHING;  			return(s->s3->wpend_ret); diff --git a/openssl/ssl/s3_srvr.c b/openssl/ssl/s3_srvr.c index 514f72c97..c3b5ff33f 100644 --- a/openssl/ssl/s3_srvr.c +++ b/openssl/ssl/s3_srvr.c @@ -768,9 +768,7 @@ int ssl3_check_client_hello(SSL *s)  	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)  		{  		/* Throw away what we have done so far in the current handshake, -		 * which will now be aborted. (A full SSL_clear would be too much.) -		 * I hope that tmp.dh is the only thing that may need to be cleared -		 * when a handshake is not completed ... */ +		 * which will now be aborted. (A full SSL_clear would be too much.) */  #ifndef OPENSSL_NO_DH  		if (s->s3->tmp.dh != NULL)  			{ @@ -778,6 +776,13 @@ int ssl3_check_client_hello(SSL *s)  			s->s3->tmp.dh = NULL;  			}  #endif +#ifndef OPENSSL_NO_ECDH +		if (s->s3->tmp.ecdh != NULL) +			{ +			EC_KEY_free(s->s3->tmp.ecdh); +			s->s3->tmp.ecdh = NULL; +			} +#endif  		return 2;  		}  	return 1; @@ -1491,7 +1496,6 @@ int ssl3_send_server_key_exchange(SSL *s)  			if (s->s3->tmp.dh != NULL)  				{ -				DH_free(dh);  				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);  				goto err;  				} @@ -1552,7 +1556,6 @@ int ssl3_send_server_key_exchange(SSL *s)  			if (s->s3->tmp.ecdh != NULL)  				{ -				EC_KEY_free(s->s3->tmp.ecdh);   				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);  				goto err;  				} @@ -1563,12 +1566,11 @@ int ssl3_send_server_key_exchange(SSL *s)  				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);  				goto err;  				} -			if (!EC_KEY_up_ref(ecdhp)) +			if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)  				{  				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);  				goto err;  				} -			ecdh = ecdhp;  			s->s3->tmp.ecdh=ecdh;  			if ((EC_KEY_get0_public_key(ecdh) == NULL) || @@ -1731,6 +1733,7 @@ int ssl3_send_server_key_exchange(SSL *s)  			    (unsigned char *)encodedPoint,   			    encodedlen);  			OPENSSL_free(encodedPoint); +			encodedPoint = NULL;  			p += encodedlen;  			}  #endif @@ -2440,6 +2443,12 @@ int ssl3_get_client_key_exchange(SSL *s)  			/* Get encoded point length */  			i = *p;   			p += 1; +			if (n != 1 + i) +				{ +				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, +				    ERR_R_EC_LIB); +				goto err; +				}  			if (EC_POINT_oct2point(group,   			    clnt_ecpoint, p, i, bn_ctx) == 0)  				{ diff --git a/openssl/ssl/ssl-lib.com b/openssl/ssl/ssl-lib.com index 35bdd34de..180f3a2d8 100644 --- a/openssl/ssl/ssl-lib.com +++ b/openssl/ssl/ssl-lib.com @@ -42,18 +42,33 @@ $!	SOCKETSHR	for SOCKETSHR+NETLIB  $!  $!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)  $! -$!  For 64 bit architectures (Alpha and IA64), specify the pointer size as P6. -$!  For 32 bit architectures (VAX), P6 is ignored. -$!  Currently supported values are: +$!  P6, if defined, specifies the C pointer size.  Ignored on VAX. +$!      ("64=ARGV" gives more efficient code with HP C V7.3 or newer.) +$!      Supported values are:  $! -$!	32	To ge a library compiled with /POINTER_SIZE=32 -$!	64	To ge a library compiled with /POINTER_SIZE=64 +$!      ""       Compile with default (/NOPOINTER_SIZE) +$!      32       Compile with /POINTER_SIZE=32 (SHORT) +$!      64       Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV]) +$!               (Automatically select ARGV if compiler supports it.) +$!      64=      Compile with /POINTER_SIZE=64 (LONG). +$!      64=ARGV  Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV).  $! +$!  P7, if defined, specifies a directory where ZLIB files (zlib.h, +$!  libz.olb) may be found.  Optionally, a non-default object library +$!  name may be included ("dev:[dir]libz_64.olb", for example). +$! +$! +$! Announce/identify. +$! +$ proc = f$environment( "procedure") +$ write sys$output "@@@ "+ - +   f$parse( proc, , , "name")+ f$parse( proc, , , "type")  $!  $! Define A TCP/IP Library That We Will Need To Link To.  $! (That Is, If We Need To Link To One.)  $!  $ TCPIP_LIB = "" +$ ZLIB_LIB = ""  $!  $! Check What Architecture We Are Using.  $! @@ -77,17 +92,33 @@ $! End The Architecture Check.  $!  $ ENDIF  $! -$! Define The OBJ Directory. +$ ARCHD = ARCH +$ LIB32 = "32" +$ OPT_FILE = "" +$ POINTER_SIZE = "" +$! +$! Check To Make Sure We Have Valid Command Line Parameters.  $! -$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.SSL] +$ GOSUB CHECK_OPTIONS  $! -$! Define The EXE Directory. +$! Define The OBJ and EXE Directories.  $! -$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.SSL] +$ OBJ_DIR := SYS$DISK:[-.'ARCHD'.OBJ.SSL] +$ EXE_DIR := SYS$DISK:[-.'ARCHD'.EXE.SSL]  $! -$! Check To Make Sure We Have Valid Command Line Parameters. +$! Specify the destination directory in any /MAP option.  $! -$ GOSUB CHECK_OPTIONS +$ if (LINKMAP .eqs. "MAP") +$ then +$   LINKMAP = LINKMAP+ "=''EXE_DIR'" +$ endif +$! +$! Add the location prefix to the linker options file name. +$! +$ if (OPT_FILE .nes. "") +$ then +$   OPT_FILE = EXE_DIR+ OPT_FILE +$ endif  $!  $! Initialise logical names and such  $! @@ -95,7 +126,7 @@ $ GOSUB INITIALISE  $!  $! Tell The User What Kind of Machine We Run On.  $! -$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine." +$ WRITE SYS$OUTPUT "Host system architecture: ''ARCHD'"  $!  $! Check To See If The Architecture Specific OBJ Directory Exists.  $! @@ -125,11 +156,15 @@ $ ENDIF  $!  $! Define The Library Name.  $! -$ SSL_LIB := 'EXE_DIR'LIBSSL'LIB32'.OLB +$ SSL_LIB := 'EXE_DIR'SSL_LIBSSL'LIB32'.OLB  $!  $! Define The CRYPTO-LIB We Are To Use.  $! -$ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO'LIB32'.OLB +$ CRYPTO_LIB := SYS$DISK:[-.'ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO'LIB32'.OLB +$! +$! Set up exceptional compilations. +$! +$ CC5_SHOWN = 0  $!  $! Check To See What We Are To Do.  $! @@ -163,7 +198,7 @@ $! Compile The Library.  $!  $ LIBRARY:  $! -$! Check To See If We Already Have A "[.xxx.EXE.SSL]LIBSSL''LIB32'.OLB" Library... +$! Check To See If We Already Have A "[.xxx.EXE.SSL]SSL_LIBSSL''LIB32'.OLB" Library...  $!  $ IF (F$SEARCH(SSL_LIB).EQS."")  $ THEN @@ -189,6 +224,8 @@ $ LIB_SSL = "s2_meth,s2_srvr,s2_clnt,s2_lib,s2_enc,s2_pkt,"+ -  	    "ssl_asn1,ssl_txt,ssl_algs,"+ -  	    "bio_ssl,ssl_err,kssl,t1_reneg"  $! +$ COMPILEWITH_CC5 = "" +$!  $! Tell The User That We Are Compiling The Library.  $!  $ WRITE SYS$OUTPUT "Building The ",SSL_LIB," Library." @@ -302,42 +339,47 @@ $! End The SSL_TASK.C File Check.  $!  $ ENDIF  $! +$ COMPILEWITH_CC5 = "" !!! ",ssl_task," +$! +$! Tell The User We Are Creating The SSL_TASK. +$!  $! Tell The User We Are Creating The SSL_TASK.  $!  $ WRITE SYS$OUTPUT "Creating SSL_TASK OSU HTTP SSL Engine."	  $! +$!  Tell The User What File We Are Compiling. +$! +$ FILE_NAME = "ssl_task" +$ WRITE SYS$OUTPUT "	",FILE_NAME,".c" +$!  $! Compile The File.  $!  $ ON ERROR THEN GOTO SSL_TASK_END -$ CC5/OBJECT='OBJ_DIR'SSL_TASK.OBJ SYS$DISK:[]SSL_TASK.C  $! -$! Link The Program. -$! Check To See If We Are To Link With A Specific TCP/IP Library. -$! -$ IF (TCPIP_LIB.NES."") +$ FILE_NAME0 = ","+ F$ELEMENT(0,".",FILE_NAME)+ "," +$ IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5  $ THEN -$! -$!  Link With TCP/IP Library. -$! -$   LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE - -        'OBJ_DIR'SSL_TASK.OBJ, - -	'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - -        'TCPIP_LIB','OPT_FILE'/OPTION -$! -$! Else... -$! +$   if (.not. CC5_SHOWN) +$   then +$     CC5_SHOWN = 1 +$     write sys$output "        \Using special rule (5)" +$     x = "    "+ CC5 +$     write /symbol sys$output x +$   endif +$   CC5 /OBJECT='OBJ_DIR''FILE_NAME'.OBJ SYS$DISK:[]'FILE_NAME'.C  $ ELSE +$   CC /OBJECT='OBJ_DIR''FILE_NAME'.OBJ SYS$DISK:[]'FILE_NAME'.C +$ ENDIF  $! -$!  Don't Link With TCP/IP Library. -$! -$   LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE - -        'OBJ_DIR'SSL_TASK.OBJ,- -	'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - -        'OPT_FILE'/OPTION +$! Link The Program.  $! -$! End The TCP/IP Library Check. -$! -$ ENDIF +$ LINK /'DEBUGGER' /'LINKMAP' /'TRACEBACK' /EXE='EXE_DIR'SSL_TASK.EXE - +   'OBJ_DIR'SSL_TASK.OBJ, - +   'SSL_LIB'/LIBRARY, - +   'CRYPTO_LIB'/LIBRARY - +   'TCPIP_LIB' - +   'ZLIB_LIB' - +   ,'OPT_FILE' /OPTIONS  $!  $! Time To Return.  $! @@ -363,7 +405,7 @@ $!  $     CREATE 'OPT_FILE'  $DECK  ! -! Default System Options File To Link Agianst  +! Default System Options File To Link Against   ! The Sharable VAX C Runtime Library.  !  SYS$SHARE:VAXCRTL.EXE/SHARE @@ -392,7 +434,7 @@ $!  $     CREATE 'OPT_FILE'  $DECK  ! -! Default System Options File To Link Agianst  +! Default System Options File To Link Against   ! The Sharable C Runtime Library.  !  GNU_CC:[000000]GCCLIB/LIBRARY @@ -427,7 +469,7 @@ $!  $       CREATE 'OPT_FILE'  $DECK  ! -! Default System Options File To Link Agianst  +! Default System Options File To Link Against   ! The Sharable DEC C Runtime Library.  !  SYS$SHARE:DECC$SHR.EXE/SHARE @@ -442,7 +484,7 @@ $!  $       CREATE 'OPT_FILE'  $DECK  ! -! Default System Options File For non-VAX To Link Agianst  +! Default System Options File For non-VAX To Link Against   ! The Sharable C Runtime Library.  !  SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE @@ -555,8 +597,8 @@ $     WRITE SYS$OUTPUT "    SSL_TASK :  To Compile Just The [.xxx.EXE.SSL]SSL_TA  $     WRITE SYS$OUTPUT ""  $     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"  $     WRITE SYS$OUTPUT "" -$     WRITE SYS$OUTPUT "    ALPHA    :  Alpha Architecture." -$     WRITE SYS$OUTPUT "    IA64     :  IA64 Architecture." +$     WRITE SYS$OUTPUT "    ALPHA[64]:  Alpha Architecture." +$     WRITE SYS$OUTPUT "    IA64[64] :  IA64 Architecture."  $     WRITE SYS$OUTPUT "    VAX      :  VAX Architecture."  $     WRITE SYS$OUTPUT ""  $! @@ -577,14 +619,15 @@ $!  $ IF (P2.EQS."NODEBUG")  $ THEN  $! -$!   P2 Is NODEBUG, So Compile Without Debugger Information. +$!  P2 Is NODEBUG, So Compile Without Debugger Information.  $! -$    DEBUGGER  = "NODEBUG" -$    TRACEBACK = "NOTRACEBACK"  -$    GCC_OPTIMIZE = "OPTIMIZE" -$    CC_OPTIMIZE = "OPTIMIZE" -$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile." -$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization." +$   DEBUGGER  = "NODEBUG" +$   LINKMAP = "NOMAP" +$   TRACEBACK = "NOTRACEBACK"  +$   GCC_OPTIMIZE = "OPTIMIZE" +$   CC_OPTIMIZE = "OPTIMIZE" +$   WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile." +$   WRITE SYS$OUTPUT "Compiling With Compiler Optimization."  $!  $! Else...  $! @@ -598,6 +641,7 @@ $!  $!    Compile With Debugger Information.  $!  $     DEBUGGER  = "DEBUG" +$     LINKMAP = "MAP"  $     TRACEBACK = "TRACEBACK"  $     GCC_OPTIMIZE = "NOOPTIMIZE"  $     CC_OPTIMIZE = "NOOPTIMIZE" @@ -605,7 +649,7 @@ $     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."  $     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."  $   ELSE  $! -$!    Tell The User Entered An Invalid Option.. +$!    Tell The User Entered An Invalid Option.  $!  $     WRITE SYS$OUTPUT ""  $     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:" @@ -660,58 +704,59 @@ $! End The P5 Check.  $!  $ ENDIF  $! -$! Check To See If P6 Is Blank. +$! Check P6 (POINTER_SIZE).  $! -$ IF (P6.EQS."") +$ IF (P6 .NES. "") .AND. (ARCH .NES. "VAX")  $ THEN -$   POINTER_SIZE = "" -$ ELSE  $! -$!  Check is P6 Is Valid -$! -$   IF (P6.EQS."32") +$   IF (P6 .EQS. "32")  $   THEN -$     POINTER_SIZE = "/POINTER_SIZE=32" -$     IF ARCH .EQS. "VAX" -$     THEN -$       LIB32 = "" -$     ELSE -$       LIB32 = "32" -$     ENDIF +$     POINTER_SIZE = " /POINTER_SIZE=32"  $   ELSE -$     IF (P6.EQS."64") +$     POINTER_SIZE = F$EDIT( P6, "COLLAPSE, UPCASE") +$     IF ((POINTER_SIZE .EQS. "64") .OR. - +       (POINTER_SIZE .EQS. "64=") .OR. - +       (POINTER_SIZE .EQS. "64=ARGV"))  $     THEN +$       ARCHD = ARCH+ "_64"  $       LIB32 = "" -$       IF ARCH .EQS. "VAX" -$       THEN -$         POINTER_SIZE = "/POINTER_SIZE=32" -$       ELSE -$         POINTER_SIZE = "/POINTER_SIZE=64" -$       ENDIF +$       POINTER_SIZE = " /POINTER_SIZE=64"  $     ELSE  $! -$!      Tell The User Entered An Invalid Option.. +$!      Tell The User Entered An Invalid Option.  $!  $       WRITE SYS$OUTPUT "" -$       WRITE SYS$OUTPUT "The Option ",P6," Is Invalid.  The Valid Options Are:" +$       WRITE SYS$OUTPUT "The Option ", P6, - +         " Is Invalid.  The Valid Options Are:"  $       WRITE SYS$OUTPUT "" -$       WRITE SYS$OUTPUT "    32  :  Compile with 32 bit pointer size" -$       WRITE SYS$OUTPUT "    64  :  Compile with 64 bit pointer size" +$       WRITE SYS$OUTPUT - +         "    """"       :  Compile with default (short) pointers." +$       WRITE SYS$OUTPUT - +         "    32       :  Compile with 32-bit (short) pointers." +$       WRITE SYS$OUTPUT - +         "    64       :  Compile with 64-bit (long) pointers (auto ARGV)." +$       WRITE SYS$OUTPUT - +         "    64=      :  Compile with 64-bit (long) pointers (no ARGV)." +$       WRITE SYS$OUTPUT - +         "    64=ARGV  :  Compile with 64-bit (long) pointers (ARGV)."  $       WRITE SYS$OUTPUT "" -$! +$!   $!      Time To EXIT.  $! -$       GOTO TIDY -$! -$!      End The Valid Arguement Check. +$       EXIT  $!  $     ENDIF +$!  $   ENDIF  $! -$! End The P6 Check. +$! End The P6 (POINTER_SIZE) Check.  $!  $ ENDIF  $! +$! Set basic C compiler /INCLUDE directories. +$! +$ CC_INCLUDES = "SYS$DISK:[-.CRYPTO],SYS$DISK:[-]" +$!  $! Check To See If P3 Is Blank.  $!  $ IF (P3.EQS."") @@ -812,11 +857,64 @@ $ CCDEFS = "TCPIP_TYPE_''P4'"  $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS  $ CCEXTRAFLAGS = ""  $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS -$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR" +$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"  $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -  	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS  $! -$!  Check To See If The User Entered A Valid Paramter. +$! Check To See If We Have A ZLIB Option. +$! +$ ZLIB = P7 +$ IF (ZLIB .NES. "") +$ THEN +$! +$!  Check for expected ZLIB files. +$! +$   err = 0 +$   file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY") +$   if (f$search( file1) .eqs. "") +$   then +$     WRITE SYS$OUTPUT "" +$     WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid." +$     WRITE SYS$OUTPUT "    Can't find header: ''file1'" +$     err = 1 +$   endif +$   file1 = f$parse( "A.;", ZLIB)- "A.;" +$! +$   file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY") +$   if (f$search( file2) .eqs. "") +$   then +$     if (err .eq. 0) +$     then +$       WRITE SYS$OUTPUT "" +$       WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid." +$     endif +$     WRITE SYS$OUTPUT "    Can't find library: ''file2'" +$     WRITE SYS$OUTPUT "" +$     err = err+ 2 +$   endif +$   if (err .eq. 1) +$   then +$     WRITE SYS$OUTPUT "" +$   endif +$! +$   if (err .ne. 0) +$   then +$     EXIT +$   endif +$! +$   CCDEFS = """ZLIB=1"", "+ CCDEFS +$   CC_INCLUDES = CC_INCLUDES+ ", "+ file1 +$   ZLIB_LIB = ", ''file2' /library" +$! +$!  Print info +$! +$   WRITE SYS$OUTPUT "ZLIB library spec: ", file2 +$! +$! End The ZLIB Check. +$! +$ ENDIF +$! +$!  Check To See If The User Entered A Valid Parameter.  $!  $ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")  $ THEN @@ -839,13 +937,13 @@ $!  $     CC = "CC"  $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -  	 THEN CC = "CC/DECC" -$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89''POINTER_SIZE'" + - -           "/NOLIST/PREFIX=ALL" + - -	   "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[-])" + CCEXTRAFLAGS +$     CC = CC + " /''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=RELAXED"+ - +       "''POINTER_SIZE' /NOLIST /PREFIX=ALL" + - +       " /INCLUDE=(''CC_INCLUDES') " + CCEXTRAFLAGS  $!  $!    Define The Linker Options File Name.  $! -$     OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT" +$     OPT_FILE = "VAX_DECC_OPTIONS.OPT"  $!  $!  End DECC Check.  $! @@ -874,7 +972,7 @@ $	EXIT  $     ENDIF  $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"  $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - -	   "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[-])" + CCEXTRAFLAGS +	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS  $     CCDEFS = CCDEFS + ",""VAXC"""  $!  $!    Define <sys> As SYS$COMMON:[SYSLIB] @@ -883,7 +981,7 @@ $     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]  $!  $!    Define The Linker Options File Name.  $! -$     OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT" +$     OPT_FILE = "VAX_VAXC_OPTIONS.OPT"  $!  $!  End VAXC Check  $! @@ -906,11 +1004,11 @@ $!    Use GNU C...  $!  $     IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC  $     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - -	   "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[-])" + CCEXTRAFLAGS +	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS  $!  $!    Define The Linker Options File Name.  $! -$     OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT" +$     OPT_FILE = "VAX_GNUC_OPTIONS.OPT"  $!  $!  End The GNU C Check.  $! @@ -929,16 +1027,16 @@ $     THEN  $       CC4DISABLEWARNINGS = "DOLLARID"  $     ELSE  $       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID" -$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))" +$       CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"  $     ENDIF -$     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))" +$     CC4DISABLEWARNINGS = " /WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"  $   ELSE  $     CCDISABLEWARNINGS = ""  $     CC4DISABLEWARNINGS = ""  $   ENDIF -$   CC2 = CC + "/DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS -$   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS -$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS +$   CC2 = CC + " /DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS +$   CC3 = CC + " /DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS +$   CC = CC + " /DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS  $   IF COMPILER .EQS. "DECC"  $   THEN  $     CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS @@ -984,7 +1082,7 @@ $   THEN  $!  $!    Set the library to use SOCKETSHR  $! -$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT" +$     TCPIP_LIB = ",SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"  $!  $!    Done with SOCKETSHR  $! @@ -1010,13 +1108,13 @@ $   THEN  $!  $!    Set the library to use UCX.  $! -$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT" +$     TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"  $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""  $     THEN -$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT" +$       TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"  $     ELSE  $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN - -	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT" +	  TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"  $     ENDIF  $!  $!    Done with UCX @@ -1030,7 +1128,7 @@ $   THEN  $!  $!    Set the library to use TCPIP (post UCX).  $! -$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT" +$     TCPIP_LIB = ",SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"  $!  $!    Done with TCPIP  $! @@ -1051,7 +1149,7 @@ $   ENDIF  $!  $!  Print info  $! -$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB +$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB- ","  $!  $!  Else The User Entered An Invalid Argument.  $! diff --git a/openssl/ssl/ssl_lib.c b/openssl/ssl/ssl_lib.c index 912592b8b..46732791f 100644 --- a/openssl/ssl/ssl_lib.c +++ b/openssl/ssl/ssl_lib.c @@ -1833,7 +1833,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)  #endif  	X509 *x = NULL;  	EVP_PKEY *ecc_pkey = NULL; -	int signature_nid = 0; +	int signature_nid = 0, pk_nid = 0, md_nid = 0;  	if (c == NULL) return; @@ -1963,18 +1963,15 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)  		    EVP_PKEY_bits(ecc_pkey) : 0;  		EVP_PKEY_free(ecc_pkey);  		if ((x->sig_alg) && (x->sig_alg->algorithm)) +			{  			signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); +			OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); +			}  #ifndef OPENSSL_NO_ECDH  		if (ecdh_ok)  			{ -			const char *sig = OBJ_nid2ln(signature_nid); -			if (sig == NULL) -				{ -				ERR_clear_error(); -				sig = "unknown"; -				} -				 -			if (strstr(sig, "WithRSA")) + +			if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)  				{  				mask_k|=SSL_kECDHr;  				mask_a|=SSL_aECDH; @@ -1985,7 +1982,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)  					}  				} -			if (signature_nid == NID_ecdsa_with_SHA1) +			if (pk_nid == NID_X9_62_id_ecPublicKey)  				{  				mask_k|=SSL_kECDHe;  				mask_a|=SSL_aECDH; @@ -2039,7 +2036,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)  	unsigned long alg_k, alg_a;  	EVP_PKEY *pkey = NULL;  	int keysize = 0; -	int signature_nid = 0; +	int signature_nid = 0, md_nid = 0, pk_nid = 0;  	alg_k = cs->algorithm_mkey;  	alg_a = cs->algorithm_auth; @@ -2057,7 +2054,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)  	/* This call populates the ex_flags field correctly */  	X509_check_purpose(x, -1, 0);  	if ((x->sig_alg) && (x->sig_alg->algorithm)) +		{  		signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); +		OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); +		}  	if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)  		{  		/* key usage, if present, must allow key agreement */ @@ -2069,7 +2069,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)  		if (alg_k & SSL_kECDHe)  			{  			/* signature alg must be ECDSA */ -			if (signature_nid != NID_ecdsa_with_SHA1) +			if (pk_nid != NID_X9_62_id_ecPublicKey)  				{  				SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);  				return 0; @@ -2079,13 +2079,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)  			{  			/* signature alg must be RSA */ -			const char *sig = OBJ_nid2ln(signature_nid); -			if (sig == NULL) -				{ -				ERR_clear_error(); -				sig = "unknown"; -				} -			if (strstr(sig, "WithRSA") == NULL) +			if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)  				{  				SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);  				return 0; | 
