1107. He says:
This is a followup to the NetWare patch that was applied to beta3. It
does the following:
- Fixes a problem in the CLib build with undefined symbols.
- Adds the ability to use BSD sockets as the default for the OpenSSL
socket BIO. NetWare supports 2 flavors of sockets and our Apache
developers need BSD sockets as a configurable option when building
OpenSSL. This adds that for them.
- Updates to the INSTALL.NW file to explain new options.
I have tried very hard to make sure all the changes are in NetWare
specific files or guarded carefully to make sure they only impact
NetWare builds. I have tested the Windows build to make sure it does
not break that since we have made changes to mk1mf.pl.
We are still working the gcc cross compile for NetWare issue and hope
to have a patch for that before beta 6 is released.
compiled into *our* aplpications. That's because mingw is always
consistent with itself. Having library-side code linked into .dll
makes it possible to deploy the .dll with user-code compiled with
another compiler [which is pretty much the whole point behind Applink].
- hide the EC_KEY structure definition in ec_lcl.c + add
some functions to use/access the EC_KEY fields
- change the way how method specific data (ecdsa/ecdh) is
attached to a EC_KEY
- add ECDSA_sign_ex and ECDSA_do_sign_ex functions with
additional parameters for pre-computed values
- rebuild libeay.num from 0.9.7
during "make errors" and thus during "make update".
Fix lots of bugs that util/ck_errf.pl can detect automatically.
Various others of these are still left to fix; that's why
"make update" will complain loudly when run now.
1. "unsigned long long" isn't portable changed: to BN_ULLONG.
2. The LL prefix isn't allowed in VC++ but it isn't needed where it is used.
2. Avoid lots of compiler warnings about signed/unsigned mismatches.
3. Include new library directory pqueue in mk1mf build system.
4. Update symbols.
- possibility of re-creation of the blinding parameters after a
fixed number of uses (suggested by Bodo)
- calculatition of the rsa::e in case it's absent and p and q
are present (see bug report #785)
- improve the performance when if one rsa structure is shared by
more than a thread (see bug report #555)
- fix the problem described in bug report #827
- hide the definition ot the BN_BLINDING structure in bn_blind.c
- Enforce that there should be no policy settings when the language
is one of id-ppl-independent or id-ppl-inheritAll.
- Add functionality to ssltest.c so that it can process proxy rights
and check that they are set correctly. Rights consist of ASCII
letters, and the condition is a boolean expression that includes
letters, parenthesis, &, | and ^.
- Change the proxy certificate configurations so they get proxy
rights that are understood by ssltest.c.
- Add a script that tests proxy certificates with SSL operations.
Other changes:
- Change the copyright end year in mkerr.pl.
- make update.
we need to have them among the symbols that should appear in the
transfer table, at least on VMS (and it wouldn't surprise me if
Windows would whine as well).
PR: 732
Submitted by: Ilya Zakharevich <nospam-abuse@ilyaz.org>
Submitter's comment:
This patch:
a) Introduces a new file os2/backwardify.pl.
b) Introduces a new mk1mf.pl variable $preamble. As you can see, it may
be used also to move some OS-specific code to VC-CE too (the the
first chunk of the patch);
c) The DESCRIPTION specifier of the .def file is made more informative:
now it contains the version number too. On OS/2 it is made conformant
to OS/2 conventions; in particular, when one runs the standard command
BLDLEVEL this.DLL
one can see:
Vendor: www.openssl.org/
Revision: 0.9.7c
Description: OpenSSL: implementation of Secure Socket Layer; DLL for library crypto. Build for EMX -Zmtd
[I did not make Win32 descriptions as informative as this - I'm afraid to
break something. Be welcome to fix this.]
d) On OS/2 the generated DLL was hardly usable (it had a shared initialized
data segment).
e) On OS/2 the generated DLLs had names like ssl.dll. However, DLL names on
OS/2 are "global data". It is hard to have several DLLs with the same
name on the system. Thus this precluded coexistence of OpenSSL with DLLs
for other SLL implementations - or other name clashes. I transparently
changed the names of the DLLs to open_ssl.dll and cryptssl.dll.
f) The file added in (a) is used to create "forwarder" DLLs, so the
applications expecting the "old" DLL names may use the new DLLs
transparently. (A presence of these DLLs on the system nullifies (e),
but makes old applications work. This is a stopgap measure until the
old applications are relinked. Systems with no old applications do not
need these DLLs, so may enjoy all the benefits of (e).)
The new DLLs are placed in os2/ and os2/noname subdirectories.
g) The makefiles created with os2/OS2-EMX.cmd did not work (some mysterious
meaningless failures). The change to util/pl/OS2-EMX.pl uses the
variable introduced in (b) to switch the Makefiles to SHELL=sh syntax.
All these backslashes are removed, and the generated Makefiles started to
work.
h) Running os2/OS2-EMX.cmd now prints out what to do next.
compression identity is already present among the registered
compression methods, and if so, reject the addition request.
Declare SSL_COMP_get_compression_method() so it can be used properly.
Change ssltest.c so it checks what compression methods are available
and enumerates them. As a side-effect, built-in compression methods
will be automagically loaded that way. Additionally, change the
identities for ZLIB and RLE to be conformant to
draft-ietf-tls-compression-05.txt.
Finally, make update.
Next on my list: have the built-in compression methods added
"automatically" instead of requiring that the author call
SSL_COMP_add_compression_method() or
SSL_COMP_get_compression_methods().
behaviour was not quite consistent with the conventions
for d2i and i2d functions as far as handling of the 'out'
or 'in' pointer is concerned.
This patch changes this behaviour, and renames the functions to
o2i_ECPublicKey and i2o_ECPublicKey (not 'd2i' and 'i2d' because the
external encoding is just a raw object string without any DER icing).
Submitted by: Nils Larsch
normal 'structural' case (ENGINE_init() satisfies this in the less normal
'functional' case). This change provides such a function.
- Correct some "read" locks that should actually be "write" locks.
- make update.
engine with something they claim is better. I have nothing to compare to,
and I assume they know what they're talking about. The interesting part with
this one is that it's loaded by default on OpenBSD systems.
This change was originally introduced in OpenBSD's tracking of OpenSSL.
Additional changes:
- use EC_GROUP_get_degree() in apps/req.c
- add ECDSA and ECDH to apps/speed.c
- adds support for EC curves over binary fields to ECDSA
- new function EC_KEY_up_ref() in crypto/ec/ec_key.c
- reorganize crypto/ecdsa/ecdsatest.c
- add engine support for ECDH
- fix a few bugs in ECDSA engine support
Submitted by: Douglas Stebila <douglas.stebila@sun.com>
(the same keys can be used for ECC schemes other than ECDSA)
and add some new options.
Similarly, use string "EC PARAMETERS" instead of "ECDSA PARAMETERS"
in 'PEM' format.
Fix ec_asn1.c (take into account the desired conversion form).
'make update'.
Submitted by: Nils Larsch
crypto/rijndael. Additionally, I applied the AES integration patch
from Stephen Sprunk <stephen@sprunk.org> and fiddled it to work
properly with the normal EVP constructs (and incidently work the same
way as all other symmetric cipher implementations).
This results in an API that looks a lot like the rest of the OpenSSL
cipher suite.
libdes (which is still used out there) or other des implementations,
the OpenSSL DES functions are renamed to begin with DES_ instead of
des_. Compatibility routines are provided and declared by including
openssl/des_old.h. Those declarations are the same as were in des.h
when the OpenSSL project started, which is exactly how libdes looked
at that time, and hopefully still looks today.
The compatibility functions will be removed in some future release, at
the latest in version 1.0.
specifically, a starting './' is removed. makedepend doesn't do this,
resulting in another possible commit war, so let's fix that by doing a
poor mans canonicalisation of file names that gives the same effect as
doing dependencies through gcc.
1. if there are several symbols with the same entry number, sort those
symbols in ASCII order.
2. Do not stop reading the header files when "BEGIN ERROR CODES" is
found, since mkerr.pl will add a function declaration after that
comment. Instead, trigger on "Error codes for the \w+ function",
which is the actual start of the error code macros.
Additionally, a few more debugging printouts that helped.
declaration and implementation had not. So a recent update recreated the
original definition in libeay.num ... this corrects it and changes the "dh"
code to the "up_ref" variant.
See the commit log message for that for more information.
NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented
(initialisation by "memset" won't/can't/doesn't work). This fixes that but
requires that X509_STORE_CTX_init() be able to handle errors - so its
prototype has been changed to return 'int' rather than 'void'. All uses of
that function throughout the source code have been tracked down and
adjusted.
Note that since some private kssl functions were exported, the
simplest way to rebuild the number table was to toss everything that
was new since OpenSSL 0.9.6b. This is safe, since those functions
have not yet been exported in an OpenSSL release. Beware, people who
trust intermediary snapshots!
like des_read_password and friends (backward compatibility functions
using this new API are provided). The purpose is to remove prompting
functions from the DES code section as well as provide for prompting
through dialog boxes in a window system and the like.