After some messing around this seems to work but needs
a few more tests. Working out the syntax for sk_set_cmp_func()
(cast it to a function that itself returns a function pointer)
was painful :-(
Needs some testing to see what other compilers think of this
syntax.
Also needs similar stuff for ASN1_SET_OF etc etc.
was a really bad idea. For example, the following:
#include <x509.h>
#include <bio.h>
#include <asn1.h>
would make sure that things like ASN1_UTCTIME_print() wasn't defined
unless you moved the inclusion of bio.h to above the inclusion of
x509.h. The reason is that x509.h includes asn1.h, and the
declaration of ASN1_UTCTIME_print() depended on the definition of
HEADER_BIO_H. That's what I call an obscure bug.
Instead, this change makes sure that whatever header files are needed
for the correct process of one header file are included automagically,
and that the definitions of, for example, BIO-related things are
dependent on the absence of the NO_{foo} macros. This is also
consistent with the way parts of OpenSSL can be excluded at will.
"Jan Mikkelsen" <janm@transactionsite.com> correctly states that the
OpenSSL header files have #include's and extern "C"'s in an incorrect
order. Thusly fixed.
designed for that. This removes the potential error to mix data and
function pointers.
Please note that I'm a little unsure how incorrect calls to the old
ctrl functions should be handled, in som cases. I currently return 0
and that's it, but it may be more correct to generate a genuine error
in those cases.
as a shared library without RSA. Use #ifndef NO_SSL2 instead of
NO_RSA in ssl/s2*.c.
Submitted by: Kris Kennaway <kris@hub.freebsd.org>
Modified by Ulf Möller
returns int (1 = ok, 0 = not seeded). New function RAND_add() is the
same as RAND_seed() but takes an estimate of the entropy as an additional
argument.
yet.
Add a function X509_STORE_CTX_purpose_inherit() which implements the logic
of "inheriting" purpose and trust from a parent structure and using a default:
this will be used in the SSL code and possibly future S/MIME.
Partial documentation of the 'verify' utility. Still need to document how all
the extension checking works and the various error messages.
In case of a restart, v[0] and v[1] were incorrectly initialised.
This was interpreted by ssl3_get_client_key_exchange as an RSA decryption
failure (don't ask me why) and caused it to create a _random_ master key
instead (even weirder), which obviously led to incorrect input to
ssl3_generate_master_secret and thus caused "block cipher pad is
wrong" error messages from ssl3_enc for the client's Finished message.
Arrgh.
While modifying the sources, I found some inconsistencies on the use of
s->cert vs. s->session->sess_cert; I don't know if those could
really have caused problems, but possibly this is a proper bug-fix
and not just a clean-up.
called sess_cert instead of just cert. This is in preparation of further
changes: Probably often when s->session->sess_cert is used, we should
use s->cert instead; s->session->sess_cert should be a new structure
containing only the stuff that is for just one connection (e.g.
the peer's certificate, which the SSL client implementations currently
store in s->session->[sess_]cert, which is a very confusing thing to do).
Submitted by:
Reviewed by:
PR:
Bodo Möller
Richard Levitte
Dr. Stephen Henson
Geoff Thorpe
Ralf S. Engelschall
Ulf Möller
Ben Laurie