From: Richard Levitte Date: Sat, 9 Sep 2000 18:10:35 +0000 (+0000) Subject: Merge of main trunk, no conflicts this time X-Git-Tag: OpenSSL-engine-0_9_6-beta1~4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ef413a7ee83122dc6600b054d09fb6909f51707f;p=openssl Merge of main trunk, no conflicts this time --- diff --git a/FAQ b/FAQ index 4497b1c7f4..a381d1d862 100644 --- a/FAQ +++ b/FAQ @@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions * Why does the linker complain about undefined symbols? * Where can I get a compiled version of OpenSSL? * I've compiled a program under Windows and it crashes: why? +* How do I read or write a DER encoded buffer using the ASN1 functions? * I've tried using and I get errors why? * I've called and it fails, why? * I just get a load of numbers for the error output, what do they mean? @@ -182,6 +183,43 @@ otherwise the conflict will cause a program to crash: typically on the first BIO related read or write operation. +* How do I read or write a DER encoded buffer using the ASN1 functions? + +You have two options. You can either use a memory BIO in conjunction +with the i2d_XXX_bio() or d2i_XXX_bio() functions or you can use the +i2d_XXX(), d2i_XXX() functions directly. Since these are often the +cause of grief here are some code fragments using PKCS7 as an example: + +unsigned char *buf, *p; +int len; + +len = i2d_PKCS7(p7, NULL); +buf = OPENSSL_Malloc(len); /* or Malloc, error checking omitted */ +p = buf; +i2d_PKCS7(p7, &p); + +At this point buf contains the len bytes of the DER encoding of +p7. + +The opposite assumes we already have len bytes in buf: + +unsigned char *p; +p = buf; +p7 = d2i_PKCS7(NULL, &p, len); + +At this point p7 contains a valid PKCS7 structure of NULL if an error +occurred. If an error occurred ERR_print_errors(bio) should give more +information. + +The reason for the temporary variable 'p' is that the ASN1 functions +increment the passed pointer so it is ready to read or write the next +structure. This is often a cause of problems: without the temporary +variable the buffer pointer is changed to point just after the data +that has been read or written. This may well be uninitialized data +and attempts to free the buffer will have unpredictable results +because it no longer points to the same address. + + * I've tried using and I get errors why? This usually happens when you try compiling something using the PKCS#12 diff --git a/INSTALL b/INSTALL index 3fcddbbf03..ea9b8a3844 100644 --- a/INSTALL +++ b/INSTALL @@ -124,9 +124,12 @@ OpenSSL binary ("openssl"). The libraries will be built in the top-level directory, and the binary will be in the "apps" directory. - If "make" fails, please report the problem to - (note that your message will be forwarded to a public mailing list). - Include the output of "make report" in your message. + If "make" fails, look at the output. There may be reasons for + the failure that isn't a problem in OpenSSL itself (like missing + standard headers). If it is a problem with OpenSSL itself, please + report the problem to (note that your + message will be forwarded to a public mailing list). Include the + output of "make report" in your message. [If you encounter assembler error messages, try the "no-asm" configuration option as an immediate fix.] @@ -138,10 +141,13 @@ $ make test - If a test fails, try removing any compiler optimization flags from - the CFLAGS line in Makefile.ssl and run "make clean; make". Please - send a bug report to , including the - output of "make report". + If a test fails, look at the output. There may be reasons for + the failure that isn't a problem in OpenSSL itself (like a missing + or malfunctioning bc). If it is a problem with OpenSSL itself, + try removing any compiler optimization flags from the CFLAGS line + in Makefile.ssl and run "make clean; make". Please send a bug + report to , including the output of + "make report". 4. If everything tests ok, install OpenSSL with diff --git a/apps/rsautl.c b/apps/rsautl.c index ebb3cc1cf1..3d87423da3 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -56,6 +56,7 @@ * */ #include "apps.h" +#include #include #include #include diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index af77b09194..569b811998 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -57,6 +57,7 @@ */ #include +#include #include #include #include diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c index b193f1c71f..8c0ddee4ac 100644 --- a/crypto/asn1/a_time.c +++ b/crypto/asn1/a_time.c @@ -113,11 +113,9 @@ ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **a, unsigned char **pp, long length) ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t) { struct tm *ts; -#if defined(THREADS) && !defined(WIN32) +#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__) struct tm data; -#endif -#if defined(THREADS) && !defined(WIN32) gmtime_r(&t,&data); ts=&data; /* should return &data, but doesn't on some systems, so we don't even look at the return value */ #else diff --git a/crypto/asn1/a_utctm.c b/crypto/asn1/a_utctm.c index b9b4d9a005..d381c9e0d1 100644 --- a/crypto/asn1/a_utctm.c +++ b/crypto/asn1/a_utctm.c @@ -193,7 +193,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) { char *p; struct tm *ts; -#if defined(THREADS) && !defined(WIN32) +#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__) + struct tm data; #endif @@ -202,7 +203,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) if (s == NULL) return(NULL); -#if defined(THREADS) && !defined(WIN32) +#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__) gmtime_r(&t,&data); /* should return &data, but doesn't on some systems, so we don't even look at the return value */ ts=&data; #else @@ -285,7 +286,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t) t -= offset*60; /* FIXME: may overflow in extreme cases */ -#if defined(THREADS) && !defined(WIN32) +#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__) { struct tm data; gmtime_r(&t, &data); tm = &data; } #else tm = gmtime(&t); diff --git a/crypto/bio/bss_rtcp.c b/crypto/bio/bss_rtcp.c index 1a0078ad6e..7dae485564 100644 --- a/crypto/bio/bss_rtcp.c +++ b/crypto/bio/bss_rtcp.c @@ -88,11 +88,11 @@ struct rpc_ctx { struct rpc_msg msg; }; -static int rtcp_write(BIO *h,char *buf,int num); +static int rtcp_write(BIO *h,const char *buf,int num); static int rtcp_read(BIO *h,char *buf,int size); -static int rtcp_puts(BIO *h,char *str); +static int rtcp_puts(BIO *h,const char *str); static int rtcp_gets(BIO *h,char *str,int size); -static long rtcp_ctrl(BIO *h,int cmd,long arg1,char *arg2); +static long rtcp_ctrl(BIO *h,int cmd,long arg1,void *arg2); static int rtcp_new(BIO *h); static int rtcp_free(BIO *data); @@ -218,7 +218,7 @@ static int rtcp_read(BIO *b, char *out, int outl) return length; } -static int rtcp_write(BIO *b, char *in, int inl) +static int rtcp_write(BIO *b, const char *in, int inl) { int status, i, segment, length; struct rpc_ctx *ctx; @@ -247,7 +247,7 @@ static int rtcp_write(BIO *b, char *in, int inl) return(i); } -static long rtcp_ctrl(BIO *b, int cmd, long num, char *ptr) +static long rtcp_ctrl(BIO *b, int cmd, long num, void *ptr) { long ret=1; @@ -283,7 +283,7 @@ static int rtcp_gets(BIO *bp, char *buf, int size) return(0); } -static int rtcp_puts(BIO *bp, char *str) +static int rtcp_puts(BIO *bp, const char *str) { int length; if (str == NULL) return(0); diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c index 919aebe313..d05a778ff6 100644 --- a/crypto/conf/conf_api.c +++ b/crypto/conf/conf_api.c @@ -64,6 +64,7 @@ #endif #include +#include #include #include diff --git a/crypto/crypto-lib.com b/crypto/crypto-lib.com index 79a50f96b8..9286cda3aa 100644 --- a/crypto/crypto-lib.com +++ b/crypto/crypto-lib.com @@ -215,13 +215,13 @@ $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ - "b_sock,bss_acpt,bf_nbio,bss_rtcp,bss_bio,bss_log" $ LIB_STACK = "stack" $ LIB_LHASH = "lhash,lh_stats" -$ LIB_RAND = "md_rand,randfile,rand_lib,rand_err,rand_egd" +$ LIB_RAND = "md_rand,randfile,rand_lib,rand_err,rand_egd,rand_win" $ LIB_ERR = "err,err_all,err_prn" $ LIB_OBJECTS = "o_names,obj_dat,obj_lib,obj_err" $ LIB_EVP = "encode,digest,evp_enc,evp_key,"+ - "e_des,e_bf,e_idea,e_des3,"+ - "e_rc4,names,"+ - - "e_xcbc_d,e_rc2,e_cast,e_rc5," + "e_xcbc_d,e_rc2,e_cast,e_rc5" $ LIB_EVP_2 = "m_null,m_md2,m_md4,m_md5,m_sha,m_sha1," + - "m_dss,m_dss1,m_mdc2,m_ripemd,"+ - "p_open,p_seal,p_sign,p_verify,p_lib,p_enc,p_dec,"+ - @@ -280,10 +280,10 @@ $! $ IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAREF.C").EQS."") $ THEN $! -$! Tell The User That The File Dosen't Exist. +$! Tell The User That The File Doesn't Exist. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Dosen't Exist." +$ WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Doesn't Exist." $ WRITE SYS$OUTPUT "" $! $! Exit The Build. @@ -315,10 +315,10 @@ $! $ IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAR_ERR.C").EQS."") $ THEN $! -$! Tell The User That The File Dosen't Exist. +$! Tell The User That The File Doesn't Exist. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Dosen't Exist." +$ WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Doesn't Exist." $ WRITE SYS$OUTPUT "" $! $! Exit The Build. @@ -531,10 +531,10 @@ $! $ IF (F$SEARCH(SOURCE_FILE).EQS."") $ THEN $! -$! Tell The User That The File Dosen't Exist. +$! Tell The User That The File Doesn't Exist. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist." +$ WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Doesn't Exist." $ WRITE SYS$OUTPUT "" $! $! Exit The Build. @@ -917,7 +917,7 @@ $! $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code." $ WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'. You have to" -$ WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the" +$ WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file doesn't have the" $ WRITE SYS$OUTPUT "directory structure stored. You have to extract the file" $ WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory" $ WRITE SYS$OUTPUT "as that is where the scripts will look for the files." diff --git a/crypto/des/read_pwd.c b/crypto/des/read_pwd.c index 789493f0c9..9555abe3a5 100644 --- a/crypto/des/read_pwd.c +++ b/crypto/des/read_pwd.c @@ -161,7 +161,7 @@ #include #endif -#ifdef MSDOS +#if defined(MSDOS) && !defined(__CYGWIN32__) #include #define fgets(a,b,c) noecho_fgets(a,b,c) #endif diff --git a/crypto/symhacks.h b/crypto/symhacks.h index aeedf8f6fb..5b66d0f1ba 100644 --- a/crypto/symhacks.h +++ b/crypto/symhacks.h @@ -64,23 +64,29 @@ #undef ASN1_STRING_set_default_mask_asc #define ASN1_STRING_set_default_mask_asc ASN1_STRING_set_def_mask_asc +#if 0 /* No longer needed, since safestack macro magic does the job */ /* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_SIGNER_INFO) */ #undef i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO #define i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO i2d_ASN1_SET_OF_PKCS7_SIGINF #undef d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO #define d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO d2i_ASN1_SET_OF_PKCS7_SIGINF +#endif +#if 0 /* No longer needed, since safestack macro magic does the job */ /* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_RECIP_INFO) */ #undef i2d_ASN1_SET_OF_PKCS7_RECIP_INFO -#define i2d_ASN1_SET_OF_PKCS7_RECIP_INFO i2d_ASN1_SET_OF_PKCS7_RECGINF +#define i2d_ASN1_SET_OF_PKCS7_RECIP_INFO i2d_ASN1_SET_OF_PKCS7_RECINF #undef d2i_ASN1_SET_OF_PKCS7_RECIP_INFO -#define d2i_ASN1_SET_OF_PKCS7_RECIP_INFO d2i_ASN1_SET_OF_PKCS7_RECGINF +#define d2i_ASN1_SET_OF_PKCS7_RECIP_INFO d2i_ASN1_SET_OF_PKCS7_RECINF +#endif +#if 0 /* No longer needed, since safestack macro magic does the job */ /* Hack the names created with DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION) */ #undef i2d_ASN1_SET_OF_ACCESS_DESCRIPTION #define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION i2d_ASN1_SET_OF_ACC_DESC #undef d2i_ASN1_SET_OF_ACCESS_DESCRIPTION #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION d2i_ASN1_SET_OF_ACC_DESC +#endif /* Hack the names created with DECLARE_PEM_rw(NETSCAPE_CERT_SEQUENCE) */ #undef PEM_read_NETSCAPE_CERT_SEQUENCE @@ -114,6 +120,23 @@ #undef X509_REVOKED_get_ext_by_critical #define X509_REVOKED_get_ext_by_critical X509_REVOKED_get_ext_by_critic +/* Hack some long CRYPTO names */ +#define CRYPTO_set_dynlock_destroy_callback CRYPTO_set_dynlock_destroy_cb +#define CRYPTO_set_dynlock_create_callback CRYPTO_set_dynlock_create_cb +#define CRYPTO_set_dynlock_lock_callback CRYPTO_set_dynlock_lock_cb +#define CRYPTO_get_dynlock_lock_callback CRYPTO_get_dynlock_lock_cb +#define CRYPTO_get_dynlock_destroy_callback CRYPTO_get_dynlock_destroy_cb +#define CRYPTO_get_dynlock_create_callback CRYPTO_get_dynlock_create_cb + +/* Hack some long SSL names */ +#define SSL_CTX_set_default_verify_paths SSL_CTX_set_def_verify_paths +#define SSL_get_ex_data_X509_STORE_CTX_idx SSL_get_ex_d_X509_STORE_CTX_idx +#define SSL_add_file_cert_subjects_to_stack SSL_add_file_cert_subjs_to_stk +#define SSL_add_dir_cert_subjects_to_stack SSL_add_dir_cert_subjs_to_stk +#define SSL_CTX_use_certificate_chain_file SSL_CTX_use_cert_chain_file +#define SSL_CTX_set_cert_verify_callback SSL_CTX_set_cert_verify_cb +#define SSL_CTX_set_default_passwd_cb_userdata SSL_CTX_set_def_passwd_cb_ud + #endif /* defined VMS */ diff --git a/doc/openssl.txt b/doc/openssl.txt index 880eace4da..e8c0cd7ea6 100644 --- a/doc/openssl.txt +++ b/doc/openssl.txt @@ -355,6 +355,24 @@ that would not make sense. It does support an additional issuer:copy option that will copy all the subject alternative name values from the issuer certificate (if possible). +Example: + +issuserAltName = issuer:copy + +Authority Info Access. + +The authority information access extension gives details about how to access +certain information relating to the CA. Its syntax is accessOID;location +where 'location' has the same syntax as subject alternative name (except +that email:copy is not supported). accessOID can be any valid OID but only +certain values are meaningful for example OCSP and caIssuers. OCSP gives the +location of an OCSP responder: this is used by Netscape PSM and other software. + +Example: + +authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ +authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html + CRL distribution points. This is a multi-valued extension that supports all the literal options of