Can we infer from this commit that the 1.0.2 release is imminent? If not, can anyone provide a rough estimate of when 1.0.2 will be released (roughly 1, 3 or 6 months from now)?
On 06/10/2014 10:17 AM, Dr. Stephen Henson wrote: > This is an automated email from the git hooks/post-receive script. It was > generated because a ref change was pushed to the repository containing > the project "OpenSSL source code". > > The branch, OpenSSL_1_0_2-stable has been updated > via e3beef1e1bdd70031d009dc61ab88b74a4c884c8 (commit) > via cea5a1d5f255a6a186cd7944c4a312612da965f3 (commit) > from f472ada00681d0de7c68d13ecbd404d822afa8b1 (commit) > > Those revisions listed above that are new to this repository have > not appeared on any other notification email; so we list those > revisions in full, below. > > - Log ----------------------------------------------------------------- > commit e3beef1e1bdd70031d009dc61ab88b74a4c884c8 > Author: Dr. Stephen Henson <st...@openssl.org> > Date: Fri Jun 6 18:56:24 2014 +0100 > > Remove experimental DANE code. > > Remove experimental DANE/dnssec code: not ready for use in an > official release yet. > > commit cea5a1d5f255a6a186cd7944c4a312612da965f3 > Author: Dr. Stephen Henson <st...@openssl.org> > Date: Tue Jun 10 14:47:29 2014 +0100 > > Fix null pointer errors. > > PR#3394 > (cherry picked from commit 7a9d59c148b773f59a41f8697eeecf369a0974c2) > > ----------------------------------------------------------------------- > > Summary of changes: > Configure | 3 +- > crypto/ocsp/ocsp_ht.c | 3 + > ssl/Makefile | 23 +---- > ssl/d1_both.c | 2 + > ssl/dnssec.c | 182 ---------------------------------- > ssl/ssl_cert.c | 264 > ------------------------------------------------- > ssl/ssl_lib.c | 38 ------- > ssl/ssl_locl.h | 11 --- > util/mk1mf.pl | 1 - > 9 files changed, 8 insertions(+), 519 deletions(-) > delete mode 100644 ssl/dnssec.c > > diff --git a/Configure b/Configure > index ca45eb2..885e341 100755 > --- a/Configure > +++ b/Configure 
> @@ -724,7 +724,6 @@ if (exists $ENV{FIPSDIR}) > # All of the following is disabled by default (RC5 was enabled before 0.9.8): > > my %disabled = ( # "what" => "comment" [or special keyword > "experimental"] > - "dane" => "experimental", > "ec_nistp_64_gcc_128" => "default", > "gmp" => "default", > "jpake" => "experimental", > @@ -744,7 +743,7 @@ my @experimental = (); > > # This is what $depflags will look like with the above defaults > # (we need this to see if we should advise the user to run "make depend"): > -my $default_depflags = " -DOPENSSL_NO_DANE -DOPENSSL_NO_EC_NISTP_64_GCC_128 > -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 > -DOPENSSL_NO_MULTIBLOCK -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 > -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE"; > +my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP > -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 > -DOPENSSL_NO_MULTIBLOCK -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 > -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE"; > > # Explicit "no-..." options will be collected in %disabled along with the > defaults. > # To remove something from %disabled, use "enable-foo" (unless it's > experimental). > diff --git a/crypto/ocsp/ocsp_ht.c b/crypto/ocsp/ocsp_ht.c > index a053047..bac35f8 100644 > --- a/crypto/ocsp/ocsp_ht.c > +++ b/crypto/ocsp/ocsp_ht.c > @@ -571,6 +571,9 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, > OCSP_REQUEST *req) > > ctx = OCSP_sendreq_new(b, path, req, -1); > > + if (!ctx) > + return NULL; > + > do > { > rv = OCSP_sendreq_nbio(&resp, ctx); > diff --git a/ssl/Makefile b/ssl/Makefile > index b1d20b0..be14603 100644 > --- a/ssl/Makefile > +++ b/ssl/Makefile 
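Review bot: The bare `return NULL` added after `ctx = OCSP_sendreq_new(b, path, req, -1);` in ocsp_ht.c deserves a one-line comment, because OCSP_sendreq_bio already returns NULL for a different reason further down (the `if (rv)` tail after the retry loop, outside this hunk) and a reader cannot tell the two failure classes apart at the call site. Something like `/* request-context setup failed (allocation/header build); nothing to send */` would do. The check itself is necessary as far as the visible lines show, since `OCSP_sendreq_nbio(&resp, ctx)` in the loop body takes ctx without any guard. Whether the error queue carries a reason on this path depends on which step inside OCSP_sendreq_new failed, so callers should not assume ERR_get_error() is non-zero here; if that is a concern, pushing an explicit ERR_R_MALLOC_FAILURE-style error before returning would make the contract uniform — confirm against OCSP_REQ_CTX_new before adding it.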
> @@ -30,7 +30,7 @@ LIBSRC= \ > ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \ > ssl_ciph.c ssl_stat.c ssl_rsa.c \ > ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \ > - bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c dnssec.c > + bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c > LIBOBJ= \ > s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ > s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o > s3_cbc.o \ > @@ -41,7 +41,7 @@ LIBOBJ= \ > ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \ > ssl_ciph.o ssl_stat.o ssl_rsa.o \ > ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \ > - bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o dnssec.o > + bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o > > SRC= $(LIBSRC) 
> > @@ -288,25 +288,6 @@ d1_srvr.o: ../include/openssl/ssl3.h > ../include/openssl/stack.h > d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h > d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c > d1_srvr.o: ssl_locl.h > -dnssec.o: ../include/openssl/asn1.h ../include/openssl/bio.h > -dnssec.o: ../include/openssl/buffer.h ../include/openssl/comp.h > -dnssec.o: ../include/openssl/crypto.h ../include/openssl/dso.h > -dnssec.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h > -dnssec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h > -dnssec.o: ../include/openssl/ecdsa.h ../include/openssl/evp.h > -dnssec.o: ../include/openssl/hmac.h ../include/openssl/kssl.h > -dnssec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h > -dnssec.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h > -dnssec.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h > -dnssec.o: ../include/openssl/pem.h ../include/openssl/pem2.h > -dnssec.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h > -dnssec.o: ../include/openssl/safestack.h ../include/openssl/sha.h > -dnssec.o: ../include/openssl/srtp.h ../include/openssl/ssl.h > -dnssec.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h > -dnssec.o: ../include/openssl/ssl3.h ../include/openssl/stack.h > -dnssec.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h > -dnssec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h dnssec.c > -dnssec.o: ssl.h > kssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h > kssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h > kssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h > diff --git a/ssl/d1_both.c b/ssl/d1_both.c > index 228af21..51d484d 100644 > --- a/ssl/d1_both.c > +++ b/ssl/d1_both.c 
> @@ -1051,6 +1051,8 @@ dtls1_buffer_message(SSL *s, int is_ccs) > OPENSSL_assert(s->init_off == 0); > > frag = dtls1_hm_fragment_new(s->init_num, 0); > + if (!frag) > + return 0; > > memcpy(frag->fragment, s->init_buf->data, s->init_num); > > diff --git a/ssl/dnssec.c b/ssl/dnssec.c > deleted file mode 100644 > index 62b04b4..0000000 > --- a/ssl/dnssec.c > +++ /dev/null 
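Review bot: With the new `if (!frag) return 0;` in dtls1_buffer_message, the return value becomes the only signal that a handshake message was not queued for retransmission, and none of the callers are in this hunk; in the 1.0.2 tree the send routines in d1_clnt.c/d1_srvr.c appear to invoke `dtls1_buffer_message(s, 0);` as a trailing statement without checking the result, so an allocation failure here would let the flight go out once and then never be retransmitted on timeout — please confirm those call sites and either propagate the failure there or document the best-effort behaviour with a comment such as `/* OOM: message is still sent, but cannot be buffered for retransmit */`. The function continues past the hunk (the pitem_new call and the queue insert); if, as I recall, the pitem_new failure path also returns 0, the new early return is at least consistent with the existing convention. Note also that `OPENSSL_assert(s->init_off == 0)` two lines above aborts the process, so this function already mixes hard and soft failure modes; a short comment stating which conditions are recoverable would help the next reader.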
> @@ -1,182 +0,0 @@ > -#include <openssl/opensslconf.h> > - > -#include <string.h> > -#include <openssl/bio.h> > -#include <openssl/dso.h> > - > -#include "ssl.h" > - > -#ifndef OPENSSL_SYS_WIN32 > -#include <netdb.h> > -#include <sys/socket.h> > -#endif > - > -#ifndef OPENSSL_NO_LIBUNBOUND > -#include <unbound.h> > - > -static struct ub_ctx *ctx = NULL; > -static DSO *unbound_dso = NULL; > - > -static union { > - void *p; struct ub_ctx *(*f)(); } > - p_ub_ctx_create = {NULL}; > - > -static union { > - void *p; int (*f)(struct ub_ctx *,const char *); } > - p_ub_ctx_resolvconf = {NULL}; > - > -static union { > - void *p; int (*f)(struct ub_ctx *,const char *); } > - p_ub_ctx_add_ta_file = {NULL}; > - > -static union { > - void *p; void (*f)(struct ub_ctx *); } > - p_ub_ctx_delete = {NULL}; > - > -static union { > - void *p; int (*f)(struct ub_ctx *,const char *,int,int,struct > ub_result**); } > - p_ub_resolve = {NULL}; > - > -static union { > - void *p; void (*f)(struct ub_result*); } > - p_ub_resolve_free = {NULL}; > - > -#if defined(__GNUC__) && __GNUC__>=2 > - static void unbound_init(void) __attribute__((constructor)); > - static void unbound_fini(void) __attribute__((destructor)); > -#endif > - > -static void unbound_init(void) > -{ > - DSO *dso; > - > - if ((dso = DSO_load(NULL, "unbound", NULL, 0)) == NULL) return; > - > - if ((p_ub_ctx_create.p = DSO_bind_func(dso,"ub_ctx_create")) == NULL || > - (p_ub_ctx_resolvconf.p = DSO_bind_func(dso,"ub_ctx_resolvconf")) == > NULL || > - (p_ub_ctx_add_ta_file.p = DSO_bind_func(dso,"ub_ctx_add_ta_file")) > == NULL || > - (p_ub_ctx_delete.p = DSO_bind_func(dso,"ub_ctx_delete")) == NULL || > - (p_ub_resolve.p = DSO_bind_func(dso,"ub_resolve")) == NULL || > - (p_ub_resolve_free.p = DSO_bind_func(dso,"ub_resolve_free")) == > NULL || > - (ctx = p_ub_ctx_create.f()) == NULL) { > - DSO_free(dso); > - return; > - } > - > - unbound_dso = dso; > - > - /* FIXME: parameterize these through CONF */ > - 
p_ub_ctx_resolvconf.f(ctx,"/etc/resolv.conf"); > - p_ub_ctx_add_ta_file.f(ctx,"/var/lib/unbound/root.key"); > -} > - > -static void unbound_fini(void) > -{ > - if (ctx != NULL) p_ub_ctx_delete.f(ctx); > - if (unbound_dso != NULL) DSO_free(unbound_dso); > -} > -#endif > - > -/* > - * Output is array packed as [len][data][len][data][0] > - */ > -unsigned char *SSL_get_tlsa_record_byname (const char *name,int port,int > type) > -{ > - unsigned char *ret=NULL; > - char *query=NULL; > - size_t qlen; > - > -#ifndef OPENSSL_NO_LIBUNBOUND > - if (ctx == NULL) return NULL; > -#elif defined(RRSET_VALIDATED) > - static union { > - void *p; int (*f)(const char*,unsigned int,unsigned > int,unsigned int,struct rrsetinfo **); } > - p_getrrsetbyname = {NULL}; > - static union { > - void *p; void (*f)(struct rrsetinfo *); } > - p_freerrset = {NULL}; > - > - if (p_getrrsetbyname.p==NULL) { > - if ((p_getrrsetbyname.p = DSO_global_lookup("getrrsetbyname")) > == NULL || > - (p_freerrset.p = DSO_global_lookup("freerrset")) == NULL) > - p_getrrsetbyname.p = (void*)-1; > - } > - > - if (p_getrrsetbyname.p == (void *)-1) return NULL; > -#endif > - > - qlen = 7+5+strlen(name)+1; > - if ((query = OPENSSL_malloc(qlen)) == NULL) > - return NULL; > - > - > BIO_snprintf(query,qlen,"_%u._%s.%s",port&0xffff,type==SOCK_STREAM?"tcp":"udp",name); > - > -#ifndef OPENSSL_NO_LIBUNBOUND > - { > - struct ub_result *tlsa=NULL; > - > - if (p_ub_resolve.f(ctx,query,52,1,&tlsa)==0 && > - tlsa->havedata && tlsa->data[0]!=NULL) { > - ret=(void*)-1; /* -1 means insecure */ > - if (tlsa->secure) do { > - unsigned char *data; > - unsigned int dlen, i; > - > - for (dlen=0, i=0; tlsa->data[i]; i++) > - dlen += sizeof(int)+(unsigned int)tlsa->len[i]; > - dlen +=sizeof(int); > - > - if ((ret = OPENSSL_malloc(dlen)) == NULL) break; > - > - for (data=ret, i=0; tlsa->data[i]; i++) { > - dlen = (unsigned int)tlsa->len[i]; > - memcpy(data,&dlen,sizeof(dlen)); > - data += sizeof(dlen); > - memcpy(data,tlsa->data[i],dlen); 
> - data += dlen; > - } > - dlen = 0; > - memcpy(data,&dlen,sizeof(dlen)); /* trailing zero */ > - } while (0); > - p_ub_resolve_free.f(tlsa); > - } > - } > -#elif defined(RRSET_VALIDATED) > - { > - struct rrsetinfo *rrset=NULL; > - > - if (p_getrrsetbyname.f(query,1,52,RRSET_VALIDATED,&rrset) == 0 && > rrset->rri_nrdatas) { > - ret=(void*)-1; /* -1 means insecure */ > - if ((rrset->rri_flags&RRSET_VALIDATED)) do { > - unsigned char *data; > - unsigned int dlen, i; > - > - for (dlen=0, i=0; i<rrset->rri_nrdatas; i++) > - dlen += > sizeof(int)+rrset->rri_rdatas[i].rdi_length; > - dlen +=sizeof(int); > - > - if ((ret = OPENSSL_malloc(sizeof(int)+dlen)) == NULL) > break; > - > - for (data=ret, i=0; i<rrset->rri_rdatas[i].rdi_length; > i++) { > - *(unsigned int *)data = dlen = > rrset->rri_rdatas[i].rdi_length; > - data += sizeof(unsigned int); > - memcpy(data,rrset->rri_rdatas[i].rdi_data,dlen); > - data += dlen; > - } > - *(unsigned int *)data = 0; /* trailing zero */ > - } while (0); > - p_freerrset.f(rrset); > - } > - } > -#elif defined(_WIN32_NOT_YET) > - { > - PDNS_RECORD rrset; > - > - DnsQuery_A(query,52,DNS_QUERY_STANDARD,NULL,&rrset,NULL); > - DnsRecordListFree(rrset,DnsFreeRecordList); > - } > -#endif > - CRYPTO_free(query); > - > - return ret; > -} > diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c > index dcfdcde..fc63bdb 100644 > --- a/ssl/ssl_cert.c > +++ b/ssl/ssl_cert.c 
> @@ -756,238 +756,12 @@ int ssl_set_peer_cert_type(SESS_CERT *sc,int type) > return(1); > } > > -#ifndef OPENSSL_NO_DANE > -static void tlsa_free(void *parent,void *ptr,CRYPTO_EX_DATA *ad,int idx,long > argl,void *argp) > - { > - TLSA_EX_DATA *ex = ptr; > - > - if (ex!=NULL) > - { > - if (ex->tlsa_record!=NULL && ex->tlsa_record!=(void *)-1) > - OPENSSL_free(ex->tlsa_record); > - > - OPENSSL_free(ex); > - } > - } > - > -int SSL_get_TLSA_ex_data_idx(void) > - { > - static volatile int ssl_tlsa_idx= -1; > - int got_write_lock = 0; > - > - if (((size_t)&ssl_tlsa_idx&(sizeof(ssl_tlsa_idx)-1)) > - ==0) /* check alignment, practically always true */ > - { > - int ret; > - > - if ((ret=ssl_tlsa_idx) < 0) > - { > - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); > - if ((ret=ssl_tlsa_idx) < 0) > - { > - ret=ssl_tlsa_idx=SSL_get_ex_new_index( > - 0,"per-SSL TLSA",NULL,NULL,tlsa_free); > - } > - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); > - } > - > - return ret; > - } > - else /* commonly eliminated */ > - { > - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); > - > - if (ssl_tlsa_idx < 0) > - { > - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); > - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); > - got_write_lock = 1; > - > - if (ssl_tlsa_idx < 0) > - { > - ssl_tlsa_idx=SSL_get_ex_new_index( > - 0,"pre-SSL TLSA",NULL,NULL,tlsa_free); > - } > - } > - > - if (got_write_lock) > - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); > - else > - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); > - > - return ssl_tlsa_idx; > - } > - } > - > -TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *ssl) > - { > - int idx = SSL_get_TLSA_ex_data_idx(); > - TLSA_EX_DATA *ex; > - > - if ((ex=SSL_get_ex_data(ssl,idx)) == NULL) > - { > - ex = OPENSSL_malloc(sizeof(TLSA_EX_DATA)); > - ex->tlsa_record = NULL; > - ex->tlsa_witness = -1; > - SSL_set_ex_data(ssl,idx,ex); > - } > - > - return ex; > - } > - > -/* > - * return value: > - * -1: format or digest error > - * 0: match > - * 1: no match > - */ > -static int tlsa_cmp(const X509 *cert, const unsigned char *tlsa_record, > - 
int reclen) > - { > - const EVP_MD *md; > - unsigned char digest[EVP_MAX_MD_SIZE]; > - unsigned int len, selector, matching_type; > - int ret; > - > - if (reclen<3 || tlsa_record[0]>3) return -1; > - > - selector = tlsa_record[1]; > - matching_type = tlsa_record[2]; > - tlsa_record += 3; > - reclen -= 3; > - > - switch (matching_type) { > - case 0: /* exact match */ > - if (selector==0) { /* full certificate */ > - ret = > EVP_Digest(tlsa_record,reclen,digest,&len,EVP_sha1(),NULL); > - return ret ? memcmp(cert->sha1_hash,digest,len)!=0 : -1; > - } > - else if (selector==1) { /* SubjectPublicKeyInfo */ > - ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert); > - > - if (key == NULL) return -1; > - if (key->length != reclen) return 1; > - > - return memcmp(key->data,tlsa_record,reclen)!=0; > - } > - return -1; > - > - case 1: /* SHA256 */ > - case 2: /* SHA512 */ > - md = matching_type==1 ? EVP_sha256() : EVP_sha512(); > - > - if (reclen!=EVP_MD_size(md)) return -1; > - > - if (selector==0) { /* full certificate */ > - ret = X509_digest(cert,md,digest,&len); > - } > - else if (selector==1) { /* SubjectPublicKeyInfo */ > - ret = X509_pubkey_digest(cert,md,digest,&len); > - } > - else > - return -1; > - > - return ret ? memcmp(tlsa_record,digest,len)!=0 : -1; > - default: > - return -1; > - } > - } > - > -static int dane_verify_callback(int ok, X509_STORE_CTX *ctx) > - { > - SSL *s = > X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx()); > - int depth=X509_STORE_CTX_get_error_depth(ctx); > - X509 *cert = sk_X509_value(ctx->chain,depth); > - TLSA_EX_DATA *ex; > - const unsigned char *tlsa_record; > - int tlsa_ret=-1, mask=1; > - > - > - if ((ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx())) == NULL || > - (tlsa_record=ex->tlsa_record) == NULL || > - (tlsa_record==(void *)-1 && > (ok=0,ctx->error=X509_V_ERR_INVALID_CA)) || /* temporary code? */ > - /* > - * X509_verify_cert initially starts throwing ok=0 upon > - * failure to build certificate chain. 
As all certificate > - * usages except for 3 require verifiable chain, ok=0 at > - * non-zero depth is fatal. More specifically ok=0 at zero > - * depth is allowed only for usage 3. Special note about > - * usage 2. The chain is supposed to be filled by > - * dane_get_issuer, or once again we should tolerate ok=0 > - * only in usage 3 case. > - */ > - (!ok && depth!=0)) { > - if (s->verify_callback) return s->verify_callback(ok,ctx); > - else return ok; > - } > - > - while (1) { > - unsigned int reclen, certificate_usage; > - > - memcpy(&reclen,tlsa_record,sizeof(reclen)); > - > - if (reclen==0) break; > - > - tlsa_record += sizeof(reclen); > - > - if (!(ex->tlsa_mask&mask)) { /* not matched yet */ > - /* > - * tlsa_record[0] Certificate Usage field > - * tlsa_record[1] Selector field > - * tlsa_record[2] Matching Type Field > - * tlsa_record+3 Certificate Association data > - */ > - certificate_usage = tlsa_record[0]; > - > - if (depth==0 || certificate_usage==0 || certificate_usage==2) { > - tlsa_ret = tlsa_cmp(cert,tlsa_record,reclen); > - if (tlsa_ret==0) { > - ex->tlsa_witness = depth<<8|certificate_usage; > - ex->tlsa_mask |= mask; > - break; > - } > - else if (tlsa_ret==-1) { > - ex->tlsa_witness = -1; /* something phishy? 
*/ > - ex->tlsa_mask |= mask; > - } > - } > - > - } > - tlsa_record += reclen; > - mask <<= 1; > - } > - > - if (depth==0) { > - if (ex->tlsa_witness==-1) /* no match */ > - ctx->error = X509_V_ERR_CERT_UNTRUSTED, ok=0; > - else > - ctx->error = X509_V_OK, ok=1; > - } > - > - if (s->verify_callback) return s->verify_callback(ok,ctx); > - else return ok; > - } > - > -static int dane_get_issuer(X509 **issuer,X509_STORE_CTX *ctx,X509 *x) > - { > - SSL *s = > X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx()); > - TLSA_EX_DATA *ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx()); > - > - /* XXX TODO */ > - > - return ex->get_issuer(issuer,ctx,x); > - } > -#endif > - > int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) > { > X509 *x; > int i; > X509_STORE *verify_store; > X509_STORE_CTX ctx; > -#ifndef OPENSSL_NO_DANE > - TLSA_EX_DATA *ex; > -#endif > > if (s->cert->verify_store) > verify_store = s->cert->verify_store; 
> @@ -1023,44 +797,6 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) > */ > X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param); > > -#ifndef OPENSSL_NO_DANE > - if (!s->server && > - (ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx()))!=NULL) > - { > - const unsigned char *tlsa_record = ex->tlsa_record; > - > - /* > - * See if there are usable certificates we can add > - * to chain. > - */ > - while (tlsa_record!=(void *)-1) > - { > - unsigned int reclen; > - > - memcpy (&reclen,tlsa_record,sizeof(reclen)); > - > - if (reclen==0) break; > - > - tlsa_record += sizeof(reclen); > - > - if (tlsa_record[0]==2 && > - tlsa_record[1]==0 && /* full certificate */ > - tlsa_record[2]==0) /* itself */ > - { > - ex->get_issuer = ctx.get_issuer; > - ctx.get_issuer = dane_get_issuer; > - > - break; > - } > - tlsa_record += reclen; > - } > - > - ex->tlsa_mask = 0; > - ex->tlsa_witness = -1; > - X509_STORE_CTX_set_verify_cb(&ctx, dane_verify_callback); > - } > - else > -#endif > if (s->verify_callback) > X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); > > diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c > index 00b26ba..3c2c471 100644 > --- a/ssl/ssl_lib.c > +++ b/ssl/ssl_lib.c > @@ -1100,9 +1100,6 @@ int SSL_renegotiate_pending(SSL *s) > long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) > { > long l; > -#ifndef OPENSSL_NO_DANE > - const char *hostname = NULL; > -#endif > > switch (cmd) > { 
> @@ -1167,41 +1164,6 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) > } > else > return ssl_put_cipher_by_char(s,NULL,NULL); > -#ifndef OPENSSL_NO_DANE > - case SSL_CTRL_PULL_TLSA_RECORD: > - hostname = parg; > - parg = SSL_get_tlsa_record_byname > (parg,larg,s->version<0xF000?1:0); > - /* yes, fall through */ > - case SSL_CTRL_SET_TLSA_RECORD: > - if (parg!=NULL) > - { > - TLSA_EX_DATA *ex = SSL_get_TLSA_ex_data(s); > - unsigned char *tlsa_rec = parg; > - int tlsa_len = 0; > - > - if (hostname==NULL) > - { > - while (1) > - { > - int dlen; > - > - memcpy(&dlen,tlsa_rec,sizeof(dlen)); > - tlsa_rec += sizeof(dlen)+dlen; > - > - if (dlen==0) break; > - } > - if ((tlsa_rec = OPENSSL_malloc(tlsa_len))) > - memcpy(tlsa_rec,parg,tlsa_len); > - else > - { > - > SSLerr(SSL_F_SSL_CTRL,SSL_R_UNINITIALIZED); > - return 0; > - } > - } > - ex->tlsa_record = tlsa_rec; > - } > - return 1; > -#endif > default: > return(s->method->ssl_ctrl(s,cmd,larg,parg)); > } > diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h > index 1d90ddd..adb1f32 100644 > --- a/ssl/ssl_locl.h > +++ b/ssl/ssl_locl.h > @@ -1357,15 +1357,4 @@ void tls_fips_digest_extra( > const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, > const unsigned char *data, size_t data_len, size_t orig_len); > > -#ifndef OPENSSL_NO_DANE > - > -typedef struct { > - unsigned char *tlsa_record; > - int tlsa_witness, tlsa_mask; > - int (*get_issuer)(X509 **issuer,X509_STORE_CTX *ctx,X509 *x); > - } TLSA_EX_DATA; > - > -TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *); > -int SSL_get_TLSA_ex_data_idx(void); > -#endif > #endif > diff --git a/util/mk1mf.pl b/util/mk1mf.pl > index 324871f..af1904b 100755 > --- a/util/mk1mf.pl > +++ b/util/mk1mf.pl 
> @@ -1231,7 +1231,6 @@ sub read_options > "no-zlib" => 0, > "no-zlib-dynamic" => 0, > "no-ssl-trace" => 0, > - "no-dane" => 0, > "no-libunbound" => 0, > "no-multiblock" => 0, > "fips" => \$fips > > > hooks/post-receive ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org