update to openssl-0.9.8i; tested by several, especially krw@

author: djm <> 2009-01-05 21:36:39 +0000
committer: djm <> 2009-01-05 21:36:39 +0000
commit: 3be551b5922b665fd4e18cd65b857b9f92a0b6c8 (patch)
tree: e0d2d687fbd4e4e9eb6bc4b178ea069817f0aba4 /src/lib/libssl/ssl_lib.c
parent: 822633f8798a6b4646a8b092e7c67f511cdbdba2 (diff)
download: openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.tar.gz
openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.tar.bz2
openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.zip
1 files changed, 36 insertions, 0 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 31f6318357..1ac7d6f951 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -130,6 +130,9 @@
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
@@ -1390,6 +1393,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
                return(NULL);
                }
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+                {
+                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                return NULL;
+                }
+#endif
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1510,6 +1521,27 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 #endif
+#ifndef OPENSSL_NO_ENGINE
+        ret->client_cert_engine = NULL;
+#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
+#define eng_strx(x)     #x
+#define eng_str(x)      eng_strx(x)
+        /* Use specific client engine automatically... ignore errors */
+        {
+        ENGINE *eng;
+        eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
+        if (!eng)
+                {
+                ERR_clear_error();
+                ENGINE_load_builtin_engines();
+                eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
+                }
+        if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
+                ERR_clear_error();
+        }
+#endif
+#endif
        return(ret);
 err:
        SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
@@ -1580,6 +1612,10 @@ void SSL_CTX_free(SSL_CTX *a)
 #else
        a->comp_methods = NULL;
 #endif
+#ifndef OPENSSL_NO_ENGINE
+        if (a->client_cert_engine)
+                ENGINE_finish(a->client_cert_engine);
+#endif
        OPENSSL_free(a);
        }
author	djm <>	2009-01-05 21:36:39 +0000
committer	djm <>	2009-01-05 21:36:39 +0000
commit	3be551b5922b665fd4e18cd65b857b9f92a0b6c8 (patch)
tree	e0d2d687fbd4e4e9eb6bc4b178ea069817f0aba4 /src/lib/libssl/ssl_lib.c
parent	822633f8798a6b4646a8b092e7c67f511cdbdba2 (diff)
download	openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.tar.gz openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.tar.bz2 openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.zip

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 31f6318357..1ac7d6f951 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -130,6 +130,9 @@
130	#ifndef OPENSSL_NO_DH	130	#ifndef OPENSSL_NO_DH
131	#include <openssl/dh.h>	131	#include <openssl/dh.h>
132	#endif	132	#endif
		133	#ifndef OPENSSL_NO_ENGINE
		134	#include <openssl/engine.h>
		135	#endif
133		136
134	const char *SSL_version_str=OPENSSL_VERSION_TEXT;	137	const char *SSL_version_str=OPENSSL_VERSION_TEXT;
135		138
@@ -1390,6 +1393,14 @@ SSL_CTX SSL_CTX_new(SSL_METHOD meth)
1390	return(NULL);	1393	return(NULL);
1391	}	1394	}
1392		1395
		1396	#ifdef OPENSSL_FIPS
		1397	if (FIPS_mode() && (meth->version < TLS1_VERSION))
		1398	{
		1399	SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		1400	return NULL;
		1401	}
		1402	#endif
		1403
1393	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)	1404	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1394	{	1405	{
1395	SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);	1406	SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1510,6 +1521,27 @@ SSL_CTX SSL_CTX_new(SSL_METHOD meth)
1510		1521
1511	#endif	1522	#endif
1512		1523
		1524	#ifndef OPENSSL_NO_ENGINE
		1525	ret->client_cert_engine = NULL;
		1526	#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
		1527	#define eng_strx(x) #x
		1528	#define eng_str(x) eng_strx(x)
		1529	/* Use specific client engine automatically... ignore errors */
		1530	{
		1531	ENGINE *eng;
		1532	eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
		1533	if (!eng)
		1534	{
		1535	ERR_clear_error();
		1536	ENGINE_load_builtin_engines();
		1537	eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
		1538	}
		1539	if (!eng \|\| !SSL_CTX_set_client_cert_engine(ret, eng))
		1540	ERR_clear_error();
		1541	}
		1542	#endif
		1543	#endif
		1544
1513	return(ret);	1545	return(ret);
1514	err:	1546	err:
1515	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);	1547	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
@@ -1580,6 +1612,10 @@ void SSL_CTX_free(SSL_CTX *a)
1580	#else	1612	#else
1581	a->comp_methods = NULL;	1613	a->comp_methods = NULL;
1582	#endif	1614	#endif
		1615	#ifndef OPENSSL_NO_ENGINE
		1616	if (a->client_cert_engine)
		1617	ENGINE_finish(a->client_cert_engine);
		1618	#endif
1583	OPENSSL_free(a);	1619	OPENSSL_free(a);
1584	}	1620	}
1585		1621