Changes between 0.9.6g and 0.9.6h [xx XXX xxxx]
+ *) Change X509_NAME_cmp() so it applies the special rules on handling
+ DN values that are of type PrintableString, as well as RDNs of type
+ emailAddress where the value has the type ia5String.
+ [stefank@valicert.com via Richard Levitte]
+
*) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
done
DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
- my_ld=`gcc -print-prog-name=ld 2>&1` && \
+ my_ld=`${CC} -print-prog-name=ld 2>&1` && \
[ -n "$$my_ld" ] && \
$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
" -CAkey arg - set the CA key, must be PEM format\n",
" missing, it is assumed to be in the CA file.\n",
" -CAcreateserial - create serial number file if it does not exist\n",
-" -CAserial - serial file\n",
+" -CAserial arg - serial file\n",
" -text - print the certificate in text form\n",
" -C - print out C code forms\n",
" -md2/-md5/-sha1/-mdc2 - digest to use\n",
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configure irix64-mips4-$CC' *manually*."
echo " Type return if you want to continue, Ctrl-C to abort."
- read waste < /dev/tty
+ # Do not stop if /dev/tty is unavailable
+ (read waste < /dev/tty) || true
CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
CPU=${CPU:-0}
if [ $CPU -ge 5000 ]; then
#echo "WARNING! If you wish to build 64-bit library, then you have to"
#echo " invoke './Configure linux64-sparcv9' *manually*."
#echo " Type return if you want to continue, Ctrl-C to abort."
- #read waste < /dev/tty
+ # Do not stop if /dev/tty is unavailable
+ #(read waste < /dev/tty) || true
OUT="linux-sparcv9" ;;
sparc-*-linux2)
KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configure solaris64-sparcv9-cc' *manually*."
echo " Type return if you want to continue, Ctrl-C to abort."
- read waste < /dev/tty
+ # Do not stop if /dev/tty is unavailable
+ (read waste < /dev/tty) || true
fi
OUT="solaris-sparcv9-$CC" ;;
sun4m-*-solaris2) OUT="solaris-sparcv8-$CC" ;;
}
#endif
+
+/* Case insensitive string comparision */
+static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+ int i;
+
+ if (a->length != b->length)
+ return (a->length - b->length);
+
+ for (i=0; i<a->length; i++)
+ {
+ int ca, cb;
+
+ ca = tolower(a->data[i]);
+ cb = tolower(b->data[i]);
+
+ if (ca != cb)
+ return(ca-cb);
+ }
+ return 0;
+}
+
+/* Case insensitive string comparision with space normalization
+ * Space normalization - ignore leading, trailing spaces,
+ * multiple spaces between characters are replaced by single space
+ */
+static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+ unsigned char *pa = NULL, *pb = NULL;
+ int la, lb;
+
+ la = a->length;
+ lb = b->length;
+ pa = a->data;
+ pb = b->data;
+
+ /* skip leading spaces */
+ while (la > 0 && isspace(*pa))
+ {
+ la--;
+ pa++;
+ }
+ while (lb > 0 && isspace(*pb))
+ {
+ lb--;
+ pb++;
+ }
+
+ /* skip trailing spaces */
+ while (la > 0 && isspace(pa[la-1]))
+ la--;
+ while (lb > 0 && isspace(pb[lb-1]))
+ lb--;
+
+ /* compare strings with space normalization */
+ while (la > 0 && lb > 0)
+ {
+ int ca, cb;
+
+ /* compare character */
+ ca = tolower(*pa);
+ cb = tolower(*pb);
+ if (ca != cb)
+ return (ca - cb);
+
+ pa++; pb++;
+ la--; lb--;
+
+ if (la <= 0 || lb <= 0)
+ break;
+
+ /* is white space next character ? */
+ if (isspace(*pa) && isspace(*pb))
+ {
+ /* skip remaining white spaces */
+ while (la > 0 && isspace(*pa))
+ {
+ la--;
+ pa++;
+ }
+ while (lb > 0 && isspace(*pb))
+ {
+ lb--;
+ pb++;
+ }
+ }
+ }
+ if (la > 0 || lb > 0)
+ return la - lb;
+
+ return 0;
+}
+
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
{
int i,j;
{
na=sk_X509_NAME_ENTRY_value(a->entries,i);
nb=sk_X509_NAME_ENTRY_value(b->entries,i);
- j=na->value->length-nb->value->length;
+ j=na->value->type-nb->value->type;
if (j) return(j);
- j=memcmp(na->value->data,nb->value->data,
- na->value->length);
+ if (na->value->type == V_ASN1_PRINTABLESTRING)
+ j=nocase_spacenorm_cmp(na->value, nb->value);
+ else if (na->value->type == V_ASN1_IA5STRING
+ && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
+ j=nocase_cmp(na->value, nb->value);
+ else
+ {
+ j=na->value->length-nb->value->length;
+ if (j) return(j);
+ j=memcmp(na->value->data,nb->value->data,
+ na->value->length);
+ }
if (j) return(j);
j=na->set-nb->set;
if (j) return(j);
The header and footer lines in the B<PEM> format are normally:
- -----BEGIN CERTIFICATE REQUEST----
- -----END CERTIFICATE REQUEST----
+ -----BEGIN CERTIFICATE REQUEST-----
+ -----END CERTIFICATE REQUEST-----
some software (some versions of Netscape certificate server) instead needs:
- -----BEGIN NEW CERTIFICATE REQUEST----
- -----END NEW CERTIFICATE REQUEST----
+ -----BEGIN NEW CERTIFICATE REQUEST-----
+ -----END NEW CERTIFICATE REQUEST-----
which is produced with the B<-newhdr> option but is otherwise compatible.
Either form is accepted transparently on input.
signature by line wrapping the base64 encoded structure and surrounding
it with:
- -----BEGIN PKCS7----
- -----END PKCS7----
+ -----BEGIN PKCS7-----
+ -----END PKCS7-----
and using the command,
".srl" appended. For example if the CA certificate file is called
"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
-=item B<-CAcreateserial filename>
+=item B<-CAcreateserial>
with this option the CA serial number file is created if it does not exist:
it will contain the serial number "02" and the certificate being signed will
The PEM format uses the header and footer lines:
- -----BEGIN CERTIFICATE----
- -----END CERTIFICATE----
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
it will also handle files containing:
- -----BEGIN X509 CERTIFICATE----
- -----END X509 CERTIFICATE----
+ -----BEGIN X509 CERTIFICATE-----
+ -----END X509 CERTIFICATE-----
Trusted certificates have the lines
- -----BEGIN TRUSTED CERTIFICATE----
- -----END TRUSTED CERTIFICATE----
+ -----BEGIN TRUSTED CERTIFICATE-----
+ -----END TRUSTED CERTIFICATE-----
The conversion to UTF8 format used with the name options assumes that
T61Strings use the ISO8859-1 character set. This is wrong but Netscape
# Makefile.hpux-cc
-major=0.9.6e
+major=0.9.6h
slib=libssl
sh_slib=$(slib).sl.$(major)
mkdir /usr/local/ssl
mkdir /usr/local/ssl/lib
chmod 444 lib*_pic.a
-chmod 555 lib*.sl.0.9.6e
-cp -p lib*_pic.a lib*.sl.0.9.6e /usr/local/ssl/lib
-(cd /usr/local/ssl/lib ; ln -sf libcrypto.sl.0.9.6e libcrypto.sl ; ln -sf libssl.sl.0.9.6e libssl.sl)
+chmod 555 lib*.sl.0.9.6h
+cp -p lib*_pic.a lib*.sl.0.9.6h /usr/local/ssl/lib
+(cd /usr/local/ssl/lib ; ln -sf libcrypto.sl.0.9.6h libcrypto.sl ; ln -sf libssl.sl.0.9.6h libssl.sl)
# Reconfigure without pic to compile the executables. Unfortunately, while
# performing this task we have to recompile the library components, even
projects / openssl / commitdiff