
List:       openssl-cvs
Subject:    [CVS] OpenSSL: OpenSSL_0_9_7-stable: openssl/ CHANGES openssl/crypto/o...
From:       "Dr. Stephen Henson" <steve () openssl ! org>
Date:       2004-02-19 18:17:35
Message-ID: 20040219181735.92949203EBE () master ! openssl ! org

  OpenSSL CVS Repository
  http://cvs.openssl.org/
  ____________________________________________________________________________

  Server: cvs.openssl.org                  Name:   Dr. Stephen Henson
  Root:   /e/openssl/cvs                   Email:  steve@openssl.org
  Module: openssl                          Date:   19-Feb-2004 19:17:35
  Branch: OpenSSL_0_9_7-stable             Handle: 2004021918173302

  Modified files:           (Branch: OpenSSL_0_9_7-stable)
    openssl                 CHANGES
    openssl/crypto/ocsp     ocsp_ext.c

  Log:
    Use an OCTET STRING for the encoding of an OCSP nonce value.
    
    The old raw format can't be handled by some implementations
    and updates to RFC2560 will make the OCTET STRING mandatory.

  Summary:
    Revision    Changes     Path
    1.977.2.125 +7  -0      openssl/CHANGES
    1.11.2.1    +17 -7      openssl/crypto/ocsp/ocsp_ext.c
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openssl/CHANGES
  ============================================================================
  $ cvs diff -u -r1.977.2.124 -r1.977.2.125 CHANGES
  --- openssl/CHANGES	1 Feb 2004 13:37:52 -0000	1.977.2.124
  +++ openssl/CHANGES	19 Feb 2004 18:17:33 -0000	1.977.2.125
  @@ -4,6 +4,13 @@
   
    Changes between 0.9.7c and 0.9.7d  [xx XXX XXXX]
   
  +  *) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
  +     A clarification of RFC2560 will require the use of OCTET STRINGs and 
  +     some implementations cannot handle the current raw format. Since OpenSSL
  +     copies and compares OCSP nonces as opaque blobs without any attempt at
  +     parsing them this should not create any compatibility issues.
  +     [Steve Henson]
  +
     *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
        calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
        this HMAC (and other) operations are several times slower than OpenSSL
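Review bot: the new CHANGES entry carries trailing whitespace at the end of `A clarification of RFC2560 will require the use of OCTET STRINGs and `; trim it before committing. The wording itself is clear, and the compatibility argument (OpenSSL copies and compares nonces as opaque blobs) matches what the ocsp_ext.c change does.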
  @@ .
  patch -p0 <<'@@ .'
  Index: openssl/crypto/ocsp/ocsp_ext.c
  ============================================================================
  $ cvs diff -u -r1.11 -r1.11.2.1 ocsp_ext.c
  --- openssl/crypto/ocsp/ocsp_ext.c	20 Feb 2001 13:06:10 -0000	1.11
  +++ openssl/crypto/ocsp/ocsp_ext.c	19 Feb 2004 18:17:35 -0000	1.11.2.1
  @@ -305,6 +305,8 @@
   
   /* Add a nonce to an extension stack. A nonce can be specificed or if NULL
    * a random nonce will be generated.
  + * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the 
  + * nonce, previous versions used the raw nonce.
    */
   
   static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
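Review bot: since this comment block is being edited anyway, fix the pre-existing typo `specificed` in the context line `/* Add a nonce to an extension stack. A nonce can be specificed or if NULL` and drop the trailing whitespace on `Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the `. It would also help readers to state that the OCTET STRING sits inside the extnValue, as the CHANGES entry does.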
  @@ -313,20 +315,28 @@
   	ASN1_OCTET_STRING os;
   	int ret = 0;
   	if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
  -	if (val) tmpval = val;
  +	/* Create the OCTET STRING manually by writing out the header and
  +	 * appending the content octets. This avoids an extra memory allocation
  +	 * operation in some cases. Applications should *NOT* do this because
  +         * it relies on library internals.
  +	 */
  +	os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
  +	os.data = OPENSSL_malloc(os.length);
  +	if (os.data == NULL)
  +		goto err;
  +	tmpval = os.data;
  +	ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
  +	if (val)
  +		memcpy(tmpval, val, len);
   	else
  -		{
  -		if (!(tmpval = OPENSSL_malloc(len))) goto err;
   		RAND_pseudo_bytes(tmpval, len);
  -		}
  -	os.data = tmpval;
  -	os.length = len;
   	if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
   			&os, 0, X509V3_ADD_REPLACE))
   				goto err;
   	ret = 1;
   	err:
  -	if(!val) OPENSSL_free(tmpval);
  +	if (os.data)
  +		OPENSSL_free(os.data);
   	return ret;
   	}
   
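Review bot: the return value of `RAND_pseudo_bytes(tmpval, len);` is still unchecked. A -1 return means the call failed, and because `os.data` comes from `OPENSSL_malloc(os.length)` without zeroing, the content octets would then be whatever was in the heap and would be sent on the wire as the nonce; `if (RAND_pseudo_bytes(tmpval, len) <= 0) goto err;` closes that. Two smaller points: the cleanup `if (os.data) OPENSSL_free(os.data);` relies on `os.data` having been assigned before any `goto err`, which is true today but fragile, so initialise `os.data = NULL` at the declaration; and the comment line `* it relies on library internals.` is indented with spaces where the surrounding lines use tabs.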
  @@ .
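The encoding change the log message describes, as an added example and not OpenSSL's own code: a plain-Python DER OCTET STRING wrapper for a nonce, a decoder that distinguishes the 0.9.7d wrapped form from the older raw form, and the opaque blob comparison the CHANGES entry says OpenSSL performs. The function names, the 16-byte constructed sample nonce and the length handling are assumptions of this example.

```python
"""Added example (not OpenSSL code): OCSP nonce as raw bytes vs. a DER
OCTET STRING inside extnValue, plus opaque comparison of the two blobs."""

OCTET_STRING_TAG = 0x04


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def wrap_nonce(nonce: bytes) -> bytes:
    """extnValue content in the 0.9.7d+ format: OCTET STRING { nonce }.
    Mirrors ASN1_put_object(tag, len) followed by the content octets."""
    return bytes([OCTET_STRING_TAG]) + der_length(len(nonce)) + nonce


def unwrap_nonce(extn_value: bytes):
    """Return (nonce, wrapped). wrapped is True only when extn_value is
    exactly one DER OCTET STRING; otherwise the whole value is treated as a
    raw pre-0.9.7d nonce. Caveat: a raw nonce that happens to start with
    0x04 and a matching length byte is indistinguishable from the wrapped
    form, which is why comparing the blobs opaquely is the safer check."""
    if len(extn_value) >= 2 and extn_value[0] == OCTET_STRING_TAG:
        first = extn_value[1]
        if first < 0x80:
            hdr, n = 2, first
        elif 1 <= (first & 0x7F) <= 4 and len(extn_value) >= 2 + (first & 0x7F):
            hdr = 2 + (first & 0x7F)
            n = int.from_bytes(extn_value[2:hdr], "big")
        else:
            return extn_value, False
        if hdr + n == len(extn_value):
            return bytes(extn_value[hdr:]), True
    return extn_value, False


def nonces_match(request_value: bytes, response_value: bytes) -> bool:
    """Opaque comparison of request and response extnValue blobs, as the
    CHANGES entry describes; no parsing, so old and new formats both work
    as long as the responder echoes the request value verbatim."""
    return request_value == response_value


# Constructed sample nonce (16 bytes); a real one comes from the CSPRNG.
SAMPLE_NONCE = bytes(range(16))
```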
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
CVS Repository Commit List                     openssl-cvs@openssl.org
Automated List Manager                           majordomo@openssl.org