diff -urN globus_2_4_3/gsi/openssl_gpt/CHANGES globus_2_4_3_adv2003/gsi/openssl_gpt/CHANGES --- globus_2_4_3/gsi/openssl_gpt/CHANGES Fri Apr 11 00:04:00 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/CHANGES Fri Dec 12 21:15:36 2003 @@ -2,6 +2,40 @@ OpenSSL CHANGES _______________ + Changes between 0.9.6k and 0.9.6l [04 Nov 2003] + + *) Fix additional bug revealed by the NISCC test suite: + + Stop bug triggering large recursion when presented with + certain ASN.1 tags (CAN-2003-0851) + [Steve Henson] + + Changes between 0.9.6j and 0.9.6k [30 Sep 2003] + + *) Fix various bugs revealed by running the NISCC test suite: + + Stop out of bounds reads in the ASN1 code when presented with + invalid tags (CAN-2003-0543 and CAN-2003-0544). + + If verify callback ignores invalid public key errors don't try to check + certificate signature with the NULL public key. + + [Steve Henson] + + *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate + if the server requested one: as stated in TLS 1.0 and SSL 3.0 + specifications. + [Steve Henson] + + *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional + extra data after the compression methods not only for TLS 1.0 + but also for SSL 3.0 (as required by the specification). + [Bodo Moeller; problem pointed out by Matthias Loepfe] + + *) Change X509_certificate_type() to mark the key as exported/exportable + when it's 512 *bits* long, not 512 bytes. + [Richard Levitte] + Changes between 0.9.6i and 0.9.6j [10 Apr 2003] *) Countermeasure against the Klima-Pokorny-Rosa extension of diff -urN globus_2_4_3/gsi/openssl_gpt/NEWS globus_2_4_3_adv2003/gsi/openssl_gpt/NEWS --- globus_2_4_3/gsi/openssl_gpt/NEWS Fri Apr 11 00:04:00 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/NEWS Fri Dec 12 21:15:38 2003 @@ -5,6 +5,15 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.6k and OpenSSL 0.9.6l: + + o Security: fix ASN1 bug leading to large recursion + + Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k: + + o Security: fix various ASN1 parsing bugs. + o SSL/TLS protocol fix for unrequested client certificates. + Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j: o Security: counter the Klima-Pokorny-Rosa extension of diff -urN globus_2_4_3/gsi/openssl_gpt/README globus_2_4_3_adv2003/gsi/openssl_gpt/README --- globus_2_4_3/gsi/openssl_gpt/README Fri Apr 11 00:04:01 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/README Fri Dec 12 21:15:38 2003 @@ -1,5 +1,5 @@ - OpenSSL 0.9.6j 10 Apr 2003 + OpenSSL 0.9.6l 04 Nov 2003 Copyright (c) 1998-2003 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff -urN globus_2_4_3/gsi/openssl_gpt/apps/CA.pl globus_2_4_3_adv2003/gsi/openssl_gpt/apps/CA.pl --- globus_2_4_3/gsi/openssl_gpt/apps/CA.pl Fri Aug 9 16:00:35 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/apps/CA.pl Wed Dec 17 02:10:22 2003 @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff -urN globus_2_4_3/gsi/openssl_gpt/apps/der_chop globus_2_4_3_adv2003/gsi/openssl_gpt/apps/der_chop --- globus_2_4_3/gsi/openssl_gpt/apps/der_chop Fri Aug 9 16:00:38 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/apps/der_chop Fri Dec 12 21:15:41 2003 @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # # der_chop ... this is one total hack that Eric is really not proud of # so don't look at it and don't ask for support diff -urN globus_2_4_3/gsi/openssl_gpt/apps/pkcs8.c globus_2_4_3_adv2003/gsi/openssl_gpt/apps/pkcs8.c --- globus_2_4_3/gsi/openssl_gpt/apps/pkcs8.c Fri Feb 21 21:45:51 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/apps/pkcs8.c Wed Oct 1 14:48:19 2003 @@ -219,7 +219,7 @@ } BIO_free(in); if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) { - BIO_printf(bio_err, "Error converting key\n", outfile); + BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); return (1); } @@ -243,8 +243,7 @@ if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, p8pass, strlen(p8pass), NULL, 0, iter, p8inf))) { - BIO_printf(bio_err, "Error encrypting key\n", - outfile); + BIO_printf(bio_err, "Error encrypting key\n"); ERR_print_errors(bio_err); return (1); } @@ -287,7 +286,7 @@ } if (!p8) { - BIO_printf (bio_err, "Error reading key\n", outfile); + BIO_printf (bio_err, "Error reading key\n"); ERR_print_errors(bio_err); return (1); } @@ -301,13 +300,13 @@ } if (!p8inf) { - BIO_printf(bio_err, "Error decrypting key\n", outfile); + BIO_printf(bio_err, "Error decrypting key\n"); ERR_print_errors(bio_err); return (1); } if (!(pkey = EVP_PKCS82PKEY(p8inf))) { - BIO_printf(bio_err, "Error converting key\n", outfile); + BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); return (1); } diff -urN globus_2_4_3/gsi/openssl_gpt/apps/x509.c globus_2_4_3_adv2003/gsi/openssl_gpt/apps/x509.c --- globus_2_4_3/gsi/openssl_gpt/apps/x509.c Fri Feb 21 21:46:19 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/apps/x509.c Wed Oct 1 14:48:20 2003 @@ -1063,7 +1063,7 @@ BIO_free(io); io=NULL; - if (!X509_STORE_add_cert(ctx,x)) goto end; + /*if (!X509_STORE_add_cert(ctx,x)) goto end;*/ /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/asn1/a_bytes.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/asn1/a_bytes.c --- globus_2_4_3/gsi/openssl_gpt/crypto/asn1/a_bytes.c Fri Mar 1 16:19:47 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/asn1/a_bytes.c Fri Dec 12 21:15:46 2003 @@ -201,7 +201,10 @@ c.pp=pp; c.p=p; c.inf=inf; - c.slen=len; + if (inf & 1) + c.slen = length - (p - *pp); + else + c.slen=len; c.tag=Ptag; c.xclass=Pclass; c.max=(length == 0)?0:(p+length); @@ -279,8 +282,7 @@ { if (c->inf & 1) { - c->eos=ASN1_check_infinite_end(&c->p, - (long)(c->max-c->p)); + c->eos=ASN1_check_infinite_end(&c->p, c->slen); if (c->eos) break; } else @@ -289,7 +291,7 @@ } c->q=c->p; - if (d2i_ASN1_bytes(&os,&c->p,c->max-c->p,c->tag,c->xclass) + if (d2i_ASN1_bytes(&os,&c->p,c->slen,c->tag,c->xclass) == NULL) { c->error=ERR_R_ASN1_LIB; @@ -302,8 +304,7 @@ goto err; } memcpy(&(b.data[num]),os->data,os->length); - if (!(c->inf & 1)) - c->slen-=(c->p-c->q); + c->slen-=(c->p-c->q); num+=os->length; } diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/asn1/a_strex.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/asn1/a_strex.c --- globus_2_4_3/gsi/openssl_gpt/crypto/asn1/a_strex.c Fri Feb 21 21:46:58 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/asn1/a_strex.c Wed Oct 1 14:48:27 2003 @@ -274,7 +274,7 @@ * otherwise it is the number of bytes per character */ -const static char tag2nbyte[] = { +const static signed char tag2nbyte[] = { -1, -1, -1, -1, -1, /* 0-4 */ -1, -1, -1, -1, -1, /* 5-9 */ -1, -1, 0, -1, /* 10-13 */ diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/asn1/asn1.h globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/asn1/asn1.h --- globus_2_4_3/gsi/openssl_gpt/crypto/asn1/asn1.h Fri Mar 1 16:19:59 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/asn1/asn1.h Wed Oct 1 14:48:28 2003 @@ -123,7 +123,7 @@ #define B_ASN1_NUMERICSTRING 0x0001 #define B_ASN1_PRINTABLESTRING 0x0002 #define B_ASN1_T61STRING 0x0004 -#define B_ASN1_TELETEXSTRING 0x0008 +#define B_ASN1_TELETEXSTRING 0x0004 #define B_ASN1_VIDEOTEXSTRING 0x0008 #define B_ASN1_IA5STRING 0x0010 #define B_ASN1_GRAPHICSTRING 0x0020 diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/asn1/asn1_lib.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/asn1/asn1_lib.c --- globus_2_4_3/gsi/openssl_gpt/crypto/asn1/asn1_lib.c Fri Aug 9 16:02:03 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/asn1/asn1_lib.c Wed Oct 1 14:48:30 2003 @@ -104,10 +104,12 @@ l<<=7L; l|= *(p++)&0x7f; if (--max == 0) goto err; + if (l > (INT_MAX >> 7L)) goto err; } l<<=7L; l|= *(p++)&0x7f; tag=(int)l; + if (--max == 0) goto err; } else { diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/bio/b_print.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/bio/b_print.c --- globus_2_4_3/gsi/openssl_gpt/crypto/bio/b_print.c Fri Aug 9 16:02:56 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/bio/b_print.c Wed Oct 1 14:48:32 2003 @@ -825,5 +825,5 @@ * had the buffer been large enough.) */ return -1; else - return (retlen <= INT_MAX) ? retlen : -1; + return (retlen <= INT_MAX) ? (int)retlen : -1; } diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/bio/bf_buff.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/bio/bf_buff.c --- globus_2_4_3/gsi/openssl_gpt/crypto/bio/bf_buff.c Fri Mar 1 16:20:50 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/bio/bf_buff.c Wed Oct 1 14:48:33 2003 @@ -495,6 +495,7 @@ if (i <= 0) { BIO_copy_next_retry(b); + *buf='\0'; if (i < 0) return((num > 0)?num:i); if (i == 0) return(num); } diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/bio/bss_bio.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/bio/bss_bio.c --- globus_2_4_3/gsi/openssl_gpt/crypto/bio/bss_bio.c Mon Aug 5 18:25:56 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/bio/bss_bio.c Wed Oct 1 14:48:33 2003 @@ -1,4 +1,57 @@ /* crypto/bio/bss_bio.c -*- Mode: C; c-file-style: "eay" -*- */ +/* ==================================================================== + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ /* Special method for a BIO where the other endpoint is also a BIO * of this kind, handled by the same thread (i.e. the "peer" is actually @@ -503,7 +556,7 @@ break; case BIO_C_DESTROY_BIO_PAIR: - /* Effects both BIOs in the pair -- call just once! + /* Affects both BIOs in the pair -- call just once! * Or let BIO_free(bio1); BIO_free(bio2); do the job. */ bio_destroy_pair(bio); ret = 1; diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/bn/bn_mul.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/bn/bn_mul.c --- globus_2_4_3/gsi/openssl_gpt/crypto/bn/bn_mul.c Mon Aug 5 18:26:15 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/bn/bn_mul.c Wed Oct 1 14:48:35 2003 @@ -224,7 +224,7 @@ int n, BN_ULONG *t) { int i,j,n2=n*2; - unsigned int c1,c2,neg,zero; + int c1,c2,neg,zero; BN_ULONG ln,lo,*p; # ifdef BN_COUNT @@ -376,7 +376,7 @@ /* The overflow will stop before we over write * words we should not overwrite */ - if (ln < c1) + if (ln < (BN_ULONG)c1) { do { p++; diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/des/cfb_enc.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/des/cfb_enc.c --- globus_2_4_3/gsi/openssl_gpt/crypto/des/cfb_enc.c Fri Mar 1 16:22:30 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/des/cfb_enc.c Wed Dec 17 01:56:37 2003 @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include "openssl/e_os.h" #include "des_locl.h" /* The input and output are loaded in multiples of 8 bits. diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/dso/dso_dlfcn.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/dso/dso_dlfcn.c --- globus_2_4_3/gsi/openssl_gpt/crypto/dso/dso_dlfcn.c Mon Aug 5 18:28:00 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/dso/dso_dlfcn.c Wed Oct 1 14:48:41 2003 @@ -123,7 +123,11 @@ # endif # endif #else -# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */ +# ifdef OPENSSL_SYS_SUNOS +# define DLOPEN_FLAG 1 +# else +# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */ +# endif #endif /* For this DSO_METHOD, our meth_data STACK will contain; diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/md5/asm/md5-586.pl globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/md5/asm/md5-586.pl --- globus_2_4_3/gsi/openssl_gpt/crypto/md5/asm/md5-586.pl Fri Mar 1 16:23:57 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/md5/asm/md5-586.pl Wed Oct 1 14:48:44 2003 @@ -293,7 +293,7 @@ &mov(&DWP(12,$tmp2,"",0),$D); &cmp($tmp1,$X) unless $normal; # check count - &jge(&label("start")) unless $normal; + &jae(&label("start")) unless $normal; &pop("eax"); # pop the temp variable off the stack &pop("ebx"); diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/opensslconf.h globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/opensslconf.h --- globus_2_4_3/gsi/openssl_gpt/crypto/opensslconf.h Fri Mar 1 16:19:43 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/opensslconf.h Wed Dec 17 02:10:28 2003 @@ -1,167 +1,111 @@ -/* opensslconf.h */ -/* WARNING: Generated automatically from opensslconf.h.in by Configure. */ +/* crypto/opensslconf.h. Generated by configure. */ -/* OpenSSL was configured with the following options: */ -#ifdef OPENSSL_ALGORITHM_DEFINES - /* no ciphers excluded */ +/* use unistd by default, this test should be done by AC_CHECK_HEADERS */ + +#ifndef OPENSSL_UNISTD +# define OPENSSL_UNISTD #endif -#ifdef OPENSSL_THREAD_DEFINES + +#ifdef HEADER_CRYPTLIB_H +# ifndef OPENSSLDIR +# define OPENSSLDIR "/sandbox/globus/globus" +# endif #endif -#ifdef OPENSSL_OTHER_DEFINES + + +#ifdef HEADER_BN_H +# ifndef SIXTY_FOUR_BIT_LONG +/* # undef SIXTY_FOUR_BIT_LONG */ +# endif +# ifndef SIXTY_FOUR_BIT +/* # undef SIXTY_FOUR_BIT */ +# endif +# ifndef THIRTY_TWO_BIT +# define THIRTY_TWO_BIT 1 +# endif +# ifndef BN_LLONG +# define BN_LLONG 1 +# endif +# ifndef BN_DIV2W +/* # undef BN_DIV2W */ +# endif +# ifndef BN_DIV3W +/* # undef BN_DIV3W */ +# endif +#endif + +#ifdef HEADER_DES_LOCL_H +# ifndef DES_PTR +# define DES_PTR 1 +# endif +# ifndef DES_RISC1 +# define DES_RISC1 1 +# endif +# ifndef DES_RISC2 +/* # undef DES_RISC2 */ +# endif +# ifndef DES_UNROLL +# define DES_UNROLL 1 +# endif +#endif + +#ifdef HEADER_DES_H +# ifndef DES_LONG +# define DES_LONG unsigned long +# endif +#endif + +#ifdef HEADER_BF_LOCL_H +# ifndef BF_PTR +/* # undef BF_PTR */ +# endif +#endif + +#ifdef HEADER_RC4_H +# ifndef RC4_CHUNK +/* # undef RC4_CHUNK */ +# endif +# ifndef RC4_INT +# define RC4_INT unsigned int +# endif +#endif + +#ifdef HEADER_RC4_LOCL_H +# ifndef RC4_INDEX +# define RC4_INDEX 1 +# endif +#endif + +#ifdef HEADER_RC2_H +# ifndef RC2_INT +# define RC2_INT unsigned int +# endif +#endif + +#ifdef HEADER_MD2_H +# ifndef MD2_INT +# define MD2_INT unsigned int +# endif #endif -/* crypto/opensslconf.h.in */ -/* Generate 80386 code? */ -#undef I386_ONLY +#ifdef HEADER_IDEA_H +# ifndef IDEA_INT +# define IDEA_INT unsigned int +# endif +#endif -#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */ -#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) -#define OPENSSLDIR "/usr/local/ssl" -#endif -#endif - -#define OPENSSL_UNISTD - -#if defined(HEADER_IDEA_H) && !defined(IDEA_INT) -#define IDEA_INT unsigned int -#endif - -#if defined(HEADER_MD2_H) && !defined(MD2_INT) -#define MD2_INT unsigned int -#endif - -#if defined(HEADER_RC2_H) && !defined(RC2_INT) -/* I need to put in a mod for the alpha - eay */ -#define RC2_INT unsigned int -#endif - -#if defined(HEADER_RC4_H) -#if !defined(RC4_INT) -/* using int types make the structure larger but make the code faster - * on most boxes I have tested - up to %20 faster. */ -/* - * I don't know what does "most" mean, but declaring "int" is a must on: - * - Intel P6 because partial register stalls are very expensive; - * - elder Alpha because it lacks byte load/store instructions; - */ -#define RC4_INT unsigned int -#endif -#if !defined(RC4_CHUNK) -/* - * This enables code handling data aligned at natural CPU word - * boundary. See crypto/rc4/rc4_enc.c for further details. - */ -#undef RC4_CHUNK -#endif -#endif - -#if defined(HEADER_DES_H) && !defined(DES_LONG) -/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a - * %20 speed up (longs are 8 bytes, int's are 4). */ -#ifndef DES_LONG -#define DES_LONG unsigned long -#endif -#endif - -#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) -#define CONFIG_HEADER_BN_H -#undef BN_LLONG - -/* Should we define BN_DIV2W here? */ - -/* Only one for the following should be defined */ -/* The prime number generation stuff may not work when - * EIGHT_BIT but I don't care since I've only used this mode - * for debuging the bignum libraries */ -#undef SIXTY_FOUR_BIT_LONG -#undef SIXTY_FOUR_BIT -#define THIRTY_TWO_BIT -#undef SIXTEEN_BIT -#undef EIGHT_BIT -#endif - -#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) -#define CONFIG_HEADER_RC4_LOCL_H -/* if this is defined data[i] is used instead of *data, this is a %20 - * speedup on x86 */ -#undef RC4_INDEX -#endif - -#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) -#define CONFIG_HEADER_BF_LOCL_H -#undef BF_PTR -#endif /* HEADER_BF_LOCL_H */ - -#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) -#define CONFIG_HEADER_DES_LOCL_H -#ifndef DES_DEFAULT_OPTIONS -/* the following is tweaked from a config script, that is why it is a - * protected undef/define */ -#ifndef DES_PTR -#undef DES_PTR -#endif - -/* This helps C compiler generate the correct code for multiple functional - * units. It reduces register dependancies at the expense of 2 more - * registers */ -#ifndef DES_RISC1 -#undef DES_RISC1 -#endif - -#ifndef DES_RISC2 -#undef DES_RISC2 -#endif - -#if defined(DES_RISC1) && defined(DES_RISC2) -YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! -#endif - -/* Unroll the inner loop, this sometimes helps, sometimes hinders. - * Very mucy CPU dependant */ -#ifndef DES_UNROLL -#undef DES_UNROLL -#endif - -/* These default values were supplied by - * Peter Gutman - * They are only used if nothing else has been defined */ -#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) -/* Special defines which change the way the code is built depending on the - CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find - even newer MIPS CPU's, but at the moment one size fits all for - optimization options. Older Sparc's work better with only UNROLL, but - there's no way to tell at compile time what it is you're running on */ - -#if defined( sun ) /* Newer Sparc's */ -# define DES_PTR -# define DES_RISC1 -# define DES_UNROLL -#elif defined( __ultrix ) /* Older MIPS */ -# define DES_PTR -# define DES_RISC2 -# define DES_UNROLL -#elif defined( __osf1__ ) /* Alpha */ -# define DES_PTR -# define DES_RISC2 -#elif defined ( _AIX ) /* RS6000 */ - /* Unknown */ -#elif defined( __hpux ) /* HP-PA */ - /* Unknown */ -#elif defined( __aux ) /* 68K */ - /* Unknown */ -#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ -# define DES_UNROLL -#elif defined( __sgi ) /* Newer MIPS */ -# define DES_PTR -# define DES_RISC2 -# define DES_UNROLL -#elif defined( i386 ) /* x86 boxes, should be gcc */ -# define DES_PTR -# define DES_RISC1 -# define DES_UNROLL -#endif /* Systems-specific speed defines */ +#ifdef OPENSSL_THREAD_DEFINES +# ifndef THREADS +/* # undef THREADS */ +# endif #endif -#endif /* DES_DEFAULT_OPTIONS */ -#endif /* HEADER_DES_LOCL_H */ +#ifdef OPENSSL_OTHER_DEFINES +# ifndef DSO_DLFCN +# define DSO_DLFCN 1 +# endif +# ifndef HAVE_DLFCN_H +# define HAVE_DLFCN_H 1 +# endif +#endif diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/opensslv.h globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/opensslv.h --- globus_2_4_3/gsi/openssl_gpt/crypto/opensslv.h Fri Apr 11 00:04:03 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/opensslv.h Fri Dec 12 21:15:44 2003 @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x009060afL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6j 10 Apr 2003" +#define OPENSSL_VERSION_NUMBER 0x009060cfL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6l 04 Nov 2003" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/perlasm/x86ms.pl globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/perlasm/x86ms.pl --- globus_2_4_3/gsi/openssl_gpt/crypto/perlasm/x86ms.pl Fri Mar 1 16:24:30 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/perlasm/x86ms.pl Wed Oct 1 14:48:47 2003 @@ -141,7 +141,10 @@ sub main'jz { &out1("jz",@_); } sub main'jge { &out1("jge",@_); } sub main'jl { &out1("jl",@_); } +sub main'ja { &out1("ja",@_); } +sub main'jae { &out1("jae",@_); } sub main'jb { &out1("jb",@_); } +sub main'jbe { &out1("jbe",@_); } sub main'jc { &out1("jc",@_); } sub main'jnc { &out1("jnc",@_); } sub main'jnz { &out1("jnz",@_); } diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/perlasm/x86nasm.pl globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/perlasm/x86nasm.pl --- globus_2_4_3/gsi/openssl_gpt/crypto/perlasm/x86nasm.pl Mon Aug 5 18:29:22 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/perlasm/x86nasm.pl Wed Oct 1 14:48:47 2003 @@ -149,7 +149,10 @@ sub main'jz { &out1("jz NEAR",@_); } sub main'jge { &out1("jge NEAR",@_); } sub main'jl { &out1("jl NEAR",@_); } +sub main'ja { &out1("ja NEAR",@_); } +sub main'jae { &out1("jae NEAR",@_); } sub main'jb { &out1("jb NEAR",@_); } +sub main'jbe { &out1("jbe NEAR",@_); } sub main'jc { &out1("jc NEAR",@_); } sub main'jnc { &out1("jnc NEAR",@_); } sub main'jnz { &out1("jnz NEAR",@_); } diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/perlasm/x86unix.pl globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/perlasm/x86unix.pl --- globus_2_4_3/gsi/openssl_gpt/crypto/perlasm/x86unix.pl Fri Mar 1 16:24:31 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/perlasm/x86unix.pl Wed Oct 1 14:48:47 2003 @@ -154,7 +154,10 @@ sub main'jz { &out1("jz",@_); } sub main'jge { &out1("jge",@_); } sub main'jl { &out1("jl",@_); } +sub main'ja { &out1("ja",@_); } +sub main'jae { &out1("jae",@_); } sub main'jb { &out1("jb",@_); } +sub main'jbe { &out1("jbe",@_); } sub main'jc { &out1("jc",@_); } sub main'jnc { &out1("jnc",@_); } sub main'jno { &out1("jno",@_); } diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/rand/md_rand.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rand/md_rand.c --- globus_2_4_3/gsi/openssl_gpt/crypto/rand/md_rand.c Fri Feb 21 21:51:52 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rand/md_rand.c Wed Oct 1 14:48:49 2003 @@ -292,7 +292,7 @@ st_idx=0; } } - memset((char *)&m,0,sizeof(m)); + OPENSSL_cleanse((char *)&m,sizeof(m)); if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); /* Don't just copy back local_md into md -- this could mean that @@ -493,7 +493,7 @@ MD_Final(md,&m); CRYPTO_w_unlock(CRYPTO_LOCK_RAND); - memset(&m,0,sizeof(m)); + OPENSSL_cleanse(&m,sizeof(m)); if (ok) return(1); else diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/rand/rand_egd.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rand/rand_egd.c --- globus_2_4_3/gsi/openssl_gpt/crypto/rand/rand_egd.c Fri Feb 21 21:51:52 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rand/rand_egd.c Wed Oct 1 14:48:49 2003 @@ -102,7 +102,7 @@ memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - if (strlen(path) > sizeof(addr.sun_path)) + if (strlen(path) >= sizeof(addr.sun_path)) return (-1); strcpy(addr.sun_path,path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); @@ -134,7 +134,7 @@ memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - if (strlen(path) > sizeof(addr.sun_path)) + if (strlen(path) >= sizeof(addr.sun_path)) return (-1); strcpy(addr.sun_path,path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/rand/rand_win.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rand/rand_win.c --- globus_2_4_3/gsi/openssl_gpt/crypto/rand/rand_win.c Fri Feb 21 21:51:56 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rand/rand_win.c Wed Oct 1 14:48:49 2003 @@ -162,6 +162,7 @@ typedef DWORD (WINAPI *GETQUEUESTATUS)(UINT); typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD); +typedef BOOL (WINAPI *CLOSETOOLHELP32SNAPSHOT)(HANDLE); typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, DWORD); typedef BOOL (WINAPI *HEAP32NEXT)(LPHEAPENTRY32); typedef BOOL (WINAPI *HEAP32LIST)(HANDLE, LPHEAPLIST32); @@ -414,7 +415,7 @@ * This seeding method was proposed in Peter Gutmann, Software * Generation of Practically Strong Random Numbers, * http://www.usenix.org/publications/library/proceedings/sec98/gutmann.html - * revised version at http://www.cryptoengines.com/~peter/06_random.pdf + * revised version at http://www.cryptoengines.com/~peter/06_random.pdf * (The assignment of entropy estimates below is arbitrary, but based * on Peter's analysis the full poll appears to be safe. Additional * interactive seeding is encouraged.) @@ -423,6 +424,7 @@ if (kernel) { CREATETOOLHELP32SNAPSHOT snap; + CLOSETOOLHELP32SNAPSHOT close_snap; HANDLE handle; HEAP32FIRST heap_first; @@ -440,6 +442,8 @@ snap = (CREATETOOLHELP32SNAPSHOT) GetProcAddress(kernel, "CreateToolhelp32Snapshot"); + close_snap = (CLOSETOOLHELP32SNAPSHOT) + GetProcAddress(kernel, "CloseToolhelp32Snapshot"); heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First"); heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next"); heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst"); @@ -455,7 +459,7 @@ heaplist_next && process_first && process_next && thread_first && thread_next && module_first && module_next && (handle = snap(TH32CS_SNAPALL,0)) - != NULL) + != INVALID_HANDLE_VALUE) { /* heap list and heap walking */ /* HEAPLIST32 contains 3 fields that will change with @@ -517,8 +521,10 @@ do RAND_add(&m, m.dwSize, 9); while (module_next(handle, &m)); - - CloseHandle(handle); + if (close_snap) + close_snap(handle); + else + CloseHandle(handle); } FreeLibrary(kernel); diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/rsa/rsa.h globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rsa/rsa.h --- globus_2_4_3/gsi/openssl_gpt/crypto/rsa/rsa.h Fri Apr 11 00:04:14 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rsa/rsa.h Wed Oct 1 14:48:51 2003 @@ -152,11 +152,6 @@ #define RSA_FLAG_CACHE_PUBLIC 0x02 #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 -#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in - * RSA implementation now uses blinding by - * default (ignoring RSA_FLAG_BLINDING), - * but other engines might not need it - */ #define RSA_FLAG_THREAD_SAFE 0x10 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: @@ -169,7 +164,11 @@ */ #define RSA_FLAG_SIGN_VER 0x40 -#define RSA_FLAG_NO_BLINDING 0x80 +#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in + * RSA implementation now uses blinding by + * default (ignoring RSA_FLAG_BLINDING), + * but other engines might not need it + */ #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/rsa/rsa_eay.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rsa/rsa_eay.c --- globus_2_4_3/gsi/openssl_gpt/crypto/rsa/rsa_eay.c Fri Apr 11 00:04:14 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rsa/rsa_eay.c Wed Oct 1 14:48:52 2003 @@ -482,6 +482,8 @@ if (ctx != NULL) BN_CTX_free(ctx); BN_clear_free(&f); BN_clear_free(&ret); + if (local_blinding) + BN_BLINDING_free(blinding); if (buf != NULL) { OPENSSL_cleanse(buf,num); diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/rsa/rsa_lib.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rsa/rsa_lib.c --- globus_2_4_3/gsi/openssl_gpt/crypto/rsa/rsa_lib.c Fri Apr 11 00:04:14 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/rsa/rsa_lib.c Wed Oct 1 14:48:52 2003 @@ -260,7 +260,7 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) { - BIGNUM *A,*Ai; + BIGNUM *A,*Ai = NULL; BN_CTX *ctx; int ret=0; @@ -271,8 +271,12 @@ else ctx=p_ctx; + /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */ if (rsa->blinding != NULL) + { BN_BLINDING_free(rsa->blinding); + rsa->blinding = NULL; + } /* NB: similar code appears in setup_blinding (rsa_eay.c); * this should be placed in a new function of its own, but for reasons @@ -300,9 +304,9 @@ rsa->blinding->thread_id = CRYPTO_thread_id(); rsa->flags |= RSA_FLAG_BLINDING; rsa->flags &= ~RSA_FLAG_NO_BLINDING; - BN_free(Ai); ret=1; err: + if (Ai != NULL) BN_free(Ai); BN_CTX_end(ctx); if (ctx != p_ctx) BN_CTX_free(ctx); return(ret); diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/x509/by_file.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/x509/by_file.c --- globus_2_4_3/gsi/openssl_gpt/crypto/x509/by_file.c Sat Feb 22 17:10:33 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/x509/by_file.c Wed Oct 1 14:48:54 2003 @@ -164,18 +164,7 @@ } } i=X509_STORE_add_cert(ctx->store_ctx,x); - if (!i) - { - if ((ERR_GET_REASON(ERR_peek_error()) == - X509_R_CERT_ALREADY_IN_HASH_TABLE)) - { - ERR_clear_error(); - } - else - { - goto err; - } - } + if (!i) goto err; count++; X509_free(x); x=NULL; @@ -191,19 +180,8 @@ goto err; } i=X509_STORE_add_cert(ctx->store_ctx,x); - if (!i) - { - if ((ERR_GET_REASON(ERR_peek_error()) == - X509_R_CERT_ALREADY_IN_HASH_TABLE)) - { - ERR_clear_error(); - } - else - { - goto err; - } - } - ret=1; + if (!i) goto err; + ret=i; } else { diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/x509/x509_obj.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/x509/x509_obj.c --- globus_2_4_3/gsi/openssl_gpt/crypto/x509/x509_obj.c Fri Mar 1 16:26:01 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/x509/x509_obj.c Wed Oct 1 14:48:54 2003 @@ -94,6 +94,7 @@ OPENSSL_free(b); } strncpy(buf,"NO X509_NAME",len); + buf[len-1]='\0'; return buf; } diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/x509/x509_vfy.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/x509/x509_vfy.c --- globus_2_4_3/gsi/openssl_gpt/crypto/x509/x509_vfy.c Fri Feb 21 21:52:59 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/x509/x509_vfy.c Wed Oct 1 14:48:54 2003 @@ -490,7 +490,7 @@ ok=(*cb)(0,ctx); if (!ok) goto end; } - if (X509_verify(xs,pkey) <= 0) + else if (X509_verify(xs,pkey) <= 0) { ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->current_cert=xs; diff -urN globus_2_4_3/gsi/openssl_gpt/crypto/x509/x509type.c globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/x509/x509type.c --- globus_2_4_3/gsi/openssl_gpt/crypto/x509/x509type.c Fri Mar 1 16:26:04 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/crypto/x509/x509type.c Wed Oct 1 14:48:55 2003 @@ -99,14 +99,15 @@ case EVP_PKEY_RSA: ret|=EVP_PKS_RSA; break; - case EVP_PKS_DSA: + case EVP_PKEY_DSA: ret|=EVP_PKS_DSA; break; default: break; } - if (EVP_PKEY_size(pk) <= 512) + if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look + for, not bytes */ ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); return(ret); diff -urN globus_2_4_3/gsi/openssl_gpt/dirt.sh globus_2_4_3_adv2003/gsi/openssl_gpt/dirt.sh --- globus_2_4_3/gsi/openssl_gpt/dirt.sh Fri May 23 22:47:26 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/dirt.sh Wed Dec 17 01:56:37 2003 @@ -1,2 +1,2 @@ -DIRT_TIMESTAMP=1053722846 +DIRT_TIMESTAMP=1071622597 DIRT_BRANCH_ID=42 diff -urN globus_2_4_3/gsi/openssl_gpt/e_os.h globus_2_4_3_adv2003/gsi/openssl_gpt/e_os.h --- globus_2_4_3/gsi/openssl_gpt/e_os.h Fri Feb 21 21:45:04 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/e_os.h Wed Oct 1 14:48:16 2003 @@ -301,6 +301,8 @@ # define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP * (unless when compiling with -D_POSIX_SOURCE, * which doesn't work for us) */ +# endif +# if defined(NeXT) || defined(OPENSSL_SYS_NEWS4) || defined(OPENSSL_SYS_SUNOS) # define ssize_t int /* ditto */ # endif # ifdef NEWS4 /* setvbuf is missing on mips-sony-bsd */ diff -urN globus_2_4_3/gsi/openssl_gpt/pkgdata/pkg_data_src.gpt.in globus_2_4_3_adv2003/gsi/openssl_gpt/pkgdata/pkg_data_src.gpt.in --- globus_2_4_3/gsi/openssl_gpt/pkgdata/pkg_data_src.gpt.in Fri May 23 22:47:26 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/pkgdata/pkg_data_src.gpt.in Fri Dec 12 21:15:50 2003 @@ -3,13 +3,15 @@ - + Openssl Library Openssl + 0.9.6l + diff -urN globus_2_4_3/gsi/openssl_gpt/ssl/s3_clnt.c globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/s3_clnt.c --- globus_2_4_3/gsi/openssl_gpt/ssl/s3_clnt.c Fri Feb 21 21:55:54 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/s3_clnt.c Wed Oct 1 14:49:03 2003 @@ -1608,6 +1608,7 @@ *(d++)=SSL3_MT_CERTIFICATE_VERIFY; l2n3(n,d); + s->state=SSL3_ST_CW_CERT_VRFY_B; s->init_num=(int)n+4; s->init_off=0; } diff -urN globus_2_4_3/gsi/openssl_gpt/ssl/s3_srvr.c globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/s3_srvr.c --- globus_2_4_3/gsi/openssl_gpt/ssl/s3_srvr.c Fri Apr 11 00:04:21 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/s3_srvr.c Wed Oct 1 14:49:04 2003 @@ -420,10 +420,11 @@ if (ret == 2) s->state = SSL3_ST_SR_CLNT_HELLO_C; else { - /* could be sent for a DH cert, even if we - * have not asked for it :-) */ - ret=ssl3_get_client_certificate(s); - if (ret <= 0) goto end; + if (s->s3->tmp.cert_request) + { + ret=ssl3_get_client_certificate(s); + if (ret <= 0) goto end; + } s->init_num=0; s->state=SSL3_ST_SR_KEY_EXCH_A; } @@ -828,6 +829,9 @@ } /* TLS does not mind if there is extra stuff */ +#if 0 /* SSL 3.0 does not mind either, so we should disable this test + * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, + * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ if (s->version == SSL3_VERSION) { if (p < (d+n)) @@ -839,6 +843,7 @@ goto f_err; } } +#endif /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must * pick a cipher */ @@ -1333,6 +1338,7 @@ s->init_num += 4; #endif + s->state = SSL3_ST_SW_CERT_REQ_B; } /* SSL3_ST_SW_CERT_REQ_B */ diff -urN globus_2_4_3/gsi/openssl_gpt/ssl/ssl_ciph.c globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/ssl_ciph.c --- globus_2_4_3/gsi/openssl_gpt/ssl/ssl_ciph.c Fri Mar 1 16:29:21 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/ssl_ciph.c Fri Dec 12 21:15:53 2003 @@ -1063,9 +1063,9 @@ if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp)) { SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); - return(0); + return(1); } else - return(1); + return(0); } diff -urN globus_2_4_3/gsi/openssl_gpt/ssl/ssl_rsa.c globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/ssl_rsa.c --- globus_2_4_3/gsi/openssl_gpt/ssl/ssl_rsa.c Fri Mar 1 16:29:37 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/ssl_rsa.c Wed Oct 1 14:49:04 2003 @@ -207,7 +207,7 @@ ok=1; else #endif - if (!X509_check_private_key(c->pkeys[i].x509,pkey)) + if (!X509_check_private_key(c->pkeys[i].x509,pkey)) { if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) { @@ -241,6 +241,8 @@ return(0); } + ERR_clear_error(); /* make sure no error from X509_check_private_key() + * is left if we have chosen to ignore it */ if (c->pkeys[i].privatekey != NULL) EVP_PKEY_free(c->pkeys[i].privatekey); CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); diff -urN globus_2_4_3/gsi/openssl_gpt/ssl/ssl_sess.c globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/ssl_sess.c --- globus_2_4_3/gsi/openssl_gpt/ssl/ssl_sess.c Fri Feb 21 21:56:28 2003 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/ssl/ssl_sess.c Wed Oct 1 14:49:05 2003 @@ -81,11 +81,11 @@ /* Need to lock this all up rather than just use CRYPTO_add so that * somebody doesn't free ssl->session between when we check it's * non-null and when we up the reference count. */ - CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION); + CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION); sess = ssl->session; if(sess) sess->references++; - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION); + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION); return(sess); } diff -urN globus_2_4_3/gsi/openssl_gpt/test/testenc globus_2_4_3_adv2003/gsi/openssl_gpt/test/testenc --- globus_2_4_3/gsi/openssl_gpt/test/testenc Thu Mar 7 23:13:53 2002 +++ globus_2_4_3_adv2003/gsi/openssl_gpt/test/testenc Wed Oct 1 14:49:07 2003 @@ -1,6 +1,6 @@ #!/bin/sh -testsrc=Makefile +testsrc=Makefile.ssl test=./p cmd=../apps/openssl