Can we imply from this commit that the 1.0.2 release is imminent? If
not, can anyone provide a rough estimate on when 1.0.2 will be released
(1 month, 3 months, 6 months from now)?
On 06/10/2014 10:17 AM, Dr. Stephen Henson wrote:
> This is an automated email from the git hooks/post-receive script. It was
> generated because a ref change was pushed to the repository containing
> the project "OpenSSL source code".
>
> The branch, OpenSSL_1_0_2-stable has been updated
> via e3beef1e1bdd70031d009dc61ab88b74a4c884c8 (commit)
> via cea5a1d5f255a6a186cd7944c4a312612da965f3 (commit)
> from f472ada00681d0de7c68d13ecbd404d822afa8b1 (commit)
>
> Those revisions listed above that are new to this repository have
> not appeared on any other notification email; so we list those
> revisions in full, below.
>
> - Log -----------------------------------------------------------------
> commit e3beef1e1bdd70031d009dc61ab88b74a4c884c8
> Author: Dr. Stephen Henson <st...@openssl.org>
> Date: Fri Jun 6 18:56:24 2014 +0100
>
> Remove experimental DANE code.
>
> Remove experimental DANE/dnssec code: not ready for use in an
> official release yet.
>
> commit cea5a1d5f255a6a186cd7944c4a312612da965f3
> Author: Dr. Stephen Henson <st...@openssl.org>
> Date: Tue Jun 10 14:47:29 2014 +0100
>
> Fix null pointer errors.
>
> PR#3394
> (cherry picked from commit 7a9d59c148b773f59a41f8697eeecf369a0974c2)
>
> -----------------------------------------------------------------------
>
> Summary of changes:
> Configure | 3 +-
> crypto/ocsp/ocsp_ht.c | 3 +
> ssl/Makefile | 23 +----
> ssl/d1_both.c | 2 +
> ssl/dnssec.c | 182 ----------------------------------
> ssl/ssl_cert.c | 264
> -------------------------------------------------
> ssl/ssl_lib.c | 38 -------
> ssl/ssl_locl.h | 11 ---
> util/mk1mf.pl | 1 -
> 9 files changed, 8 insertions(+), 519 deletions(-)
> delete mode 100644 ssl/dnssec.c
>
> diff --git a/Configure b/Configure
> index ca45eb2..885e341 100755
> --- a/Configure
> +++ b/Configure
> @@ -724,7 +724,6 @@ if (exists $ENV{FIPSDIR})
> # All of the following is disabled by default (RC5 was enabled before 0.9.8):
>
> my %disabled = ( # "what" => "comment" [or special keyword
> "experimental"]
> - "dane" => "experimental",
> "ec_nistp_64_gcc_128" => "default",
> "gmp" => "default",
> "jpake" => "experimental",
> @@ -744,7 +743,7 @@ my @experimental = ();
>
> # This is what $depflags will look like with the above defaults
> # (we need this to see if we should advise the user to run "make depend"):
> -my $default_depflags = " -DOPENSSL_NO_DANE -DOPENSSL_NO_EC_NISTP_64_GCC_128
> -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2
> -DOPENSSL_NO_MULTIBLOCK -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
> -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE";
> +my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP
> -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2
> -DOPENSSL_NO_MULTIBLOCK -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
> -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE";
>
> # Explicit "no-..." options will be collected in %disabled along with the
> defaults.
> # To remove something from %disabled, use "enable-foo" (unless it's
> experimental).
> diff --git a/crypto/ocsp/ocsp_ht.c b/crypto/ocsp/ocsp_ht.c
> index a053047..bac35f8 100644
> --- a/crypto/ocsp/ocsp_ht.c
> +++ b/crypto/ocsp/ocsp_ht.c
> @@ -571,6 +571,9 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path,
> OCSP_REQUEST *req)
>
> ctx = OCSP_sendreq_new(b, path, req, -1);
>
> + if (!ctx)
> + return NULL;
> +
> do
> {
> rv = OCSP_sendreq_nbio(&resp, ctx);
> diff --git a/ssl/Makefile b/ssl/Makefile
> index b1d20b0..be14603 100644
> --- a/ssl/Makefile
> +++ b/ssl/Makefile
> @@ -30,7 +30,7 @@ LIBSRC= \
> ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
> ssl_ciph.c ssl_stat.c ssl_rsa.c \
> ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
> - bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c dnssec.c
> + bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c
> LIBOBJ= \
> s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
> s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o
> s3_cbc.o \
> @@ -41,7 +41,7 @@ LIBOBJ= \
> ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
> ssl_ciph.o ssl_stat.o ssl_rsa.o \
> ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \
> - bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o dnssec.o
> + bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o
>
> SRC= $(LIBSRC)
>
> @@ -288,25 +288,6 @@ d1_srvr.o: ../include/openssl/ssl3.h
> ../include/openssl/stack.h
> d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
> d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c
> d1_srvr.o: ssl_locl.h
> -dnssec.o: ../include/openssl/asn1.h ../include/openssl/bio.h
> -dnssec.o: ../include/openssl/buffer.h ../include/openssl/comp.h
> -dnssec.o: ../include/openssl/crypto.h ../include/openssl/dso.h
> -dnssec.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
> -dnssec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
> -dnssec.o: ../include/openssl/ecdsa.h ../include/openssl/evp.h
> -dnssec.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
> -dnssec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
> -dnssec.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
> -dnssec.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
> -dnssec.o: ../include/openssl/pem.h ../include/openssl/pem2.h
> -dnssec.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
> -dnssec.o: ../include/openssl/safestack.h ../include/openssl/sha.h
> -dnssec.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
> -dnssec.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
> -dnssec.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
> -dnssec.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
> -dnssec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h dnssec.c
> -dnssec.o: ssl.h
> kssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
> kssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
> kssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
> diff --git a/ssl/d1_both.c b/ssl/d1_both.c
> index 228af21..51d484d 100644
> --- a/ssl/d1_both.c
> +++ b/ssl/d1_both.c
> @@ -1051,6 +1051,8 @@ dtls1_buffer_message(SSL *s, int is_ccs)
> OPENSSL_assert(s->init_off == 0);
>
> frag = dtls1_hm_fragment_new(s->init_num, 0);
> + if (!frag)
> + return 0;
>
> memcpy(frag->fragment, s->init_buf->data, s->init_num);
>
> diff --git a/ssl/dnssec.c b/ssl/dnssec.c
> deleted file mode 100644
> index 62b04b4..0000000
> --- a/ssl/dnssec.c
> +++ /dev/null
> @@ -1,182 +0,0 @@
> -#include <openssl/opensslconf.h>
> -
> -#include <string.h>
> -#include <openssl/bio.h>
> -#include <openssl/dso.h>
> -
> -#include "ssl.h"
> -
> -#ifndef OPENSSL_SYS_WIN32
> -#include <netdb.h>
> -#include <sys/socket.h>
> -#endif
> -
> -#ifndef OPENSSL_NO_LIBUNBOUND
> -#include <unbound.h>
> -
> -static struct ub_ctx *ctx = NULL;
> -static DSO *unbound_dso = NULL;
> -
> -static union {
> - void *p; struct ub_ctx *(*f)(); }
> - p_ub_ctx_create = {NULL};
> -
> -static union {
> - void *p; int (*f)(struct ub_ctx *,const char *); }
> - p_ub_ctx_resolvconf = {NULL};
> -
> -static union {
> - void *p; int (*f)(struct ub_ctx *,const char *); }
> - p_ub_ctx_add_ta_file = {NULL};
> -
> -static union {
> - void *p; void (*f)(struct ub_ctx *); }
> - p_ub_ctx_delete = {NULL};
> -
> -static union {
> - void *p; int (*f)(struct ub_ctx *,const char *,int,int,struct
> ub_result**); }
> - p_ub_resolve = {NULL};
> -
> -static union {
> - void *p; void (*f)(struct ub_result*); }
> - p_ub_resolve_free = {NULL};
> -
> -#if defined(__GNUC__) && __GNUC__>=2
> - static void unbound_init(void) __attribute__((constructor));
> - static void unbound_fini(void) __attribute__((destructor));
> -#endif
> -
> -static void unbound_init(void)
> -{
> - DSO *dso;
> -
> - if ((dso = DSO_load(NULL, "unbound", NULL, 0)) == NULL) return;
> -
> - if ((p_ub_ctx_create.p = DSO_bind_func(dso,"ub_ctx_create")) == NULL ||
> - (p_ub_ctx_resolvconf.p = DSO_bind_func(dso,"ub_ctx_resolvconf")) ==
> NULL ||
> - (p_ub_ctx_add_ta_file.p = DSO_bind_func(dso,"ub_ctx_add_ta_file"))
> == NULL ||
> - (p_ub_ctx_delete.p = DSO_bind_func(dso,"ub_ctx_delete")) == NULL ||
> - (p_ub_resolve.p = DSO_bind_func(dso,"ub_resolve")) == NULL ||
> - (p_ub_resolve_free.p = DSO_bind_func(dso,"ub_resolve_free")) ==
> NULL ||
> - (ctx = p_ub_ctx_create.f()) == NULL) {
> - DSO_free(dso);
> - return;
> - }
> -
> - unbound_dso = dso;
> -
> - /* FIXME: parameterize these through CONF */
> - p_ub_ctx_resolvconf.f(ctx,"/etc/resolv.conf");
> - p_ub_ctx_add_ta_file.f(ctx,"/var/lib/unbound/root.key");
> -}
> -
> -static void unbound_fini(void)
> -{
> - if (ctx != NULL) p_ub_ctx_delete.f(ctx);
> - if (unbound_dso != NULL) DSO_free(unbound_dso);
> -}
> -#endif
> -
> -/*
> - * Output is array packed as [len][data][len][data][0]
> - */
> -unsigned char *SSL_get_tlsa_record_byname (const char *name,int port,int
> type)
> -{
> - unsigned char *ret=NULL;
> - char *query=NULL;
> - size_t qlen;
> -
> -#ifndef OPENSSL_NO_LIBUNBOUND
> - if (ctx == NULL) return NULL;
> -#elif defined(RRSET_VALIDATED)
> - static union {
> - void *p; int (*f)(const char*,unsigned int,unsigned
> int,unsigned int,struct rrsetinfo **); }
> - p_getrrsetbyname = {NULL};
> - static union {
> - void *p; void (*f)(struct rrsetinfo *); }
> - p_freerrset = {NULL};
> -
> - if (p_getrrsetbyname.p==NULL) {
> - if ((p_getrrsetbyname.p = DSO_global_lookup("getrrsetbyname"))
> == NULL ||
> - (p_freerrset.p = DSO_global_lookup("freerrset")) == NULL)
> - p_getrrsetbyname.p = (void*)-1;
> - }
> -
> - if (p_getrrsetbyname.p == (void *)-1) return NULL;
> -#endif
> -
> - qlen = 7+5+strlen(name)+1;
> - if ((query = OPENSSL_malloc(qlen)) == NULL)
> - return NULL;
> -
> -
> BIO_snprintf(query,qlen,"_%u._%s.%s",port&0xffff,type==SOCK_STREAM?"tcp":"udp",name);
> -
> -#ifndef OPENSSL_NO_LIBUNBOUND
> - {
> - struct ub_result *tlsa=NULL;
> -
> - if (p_ub_resolve.f(ctx,query,52,1,&tlsa)==0 &&
> - tlsa->havedata && tlsa->data[0]!=NULL) {
> - ret=(void*)-1; /* -1 means insecure */
> - if (tlsa->secure) do {
> - unsigned char *data;
> - unsigned int dlen, i;
> -
> - for (dlen=0, i=0; tlsa->data[i]; i++)
> - dlen += sizeof(int)+(unsigned int)tlsa->len[i];
> - dlen +=sizeof(int);
> -
> - if ((ret = OPENSSL_malloc(dlen)) == NULL) break;
> -
> - for (data=ret, i=0; tlsa->data[i]; i++) {
> - dlen = (unsigned int)tlsa->len[i];
> - memcpy(data,&dlen,sizeof(dlen));
> - data += sizeof(dlen);
> - memcpy(data,tlsa->data[i],dlen);
> - data += dlen;
> - }
> - dlen = 0;
> - memcpy(data,&dlen,sizeof(dlen)); /* trailing zero */
> - } while (0);
> - p_ub_resolve_free.f(tlsa);
> - }
> - }
> -#elif defined(RRSET_VALIDATED)
> - {
> - struct rrsetinfo *rrset=NULL;
> -
> - if (p_getrrsetbyname.f(query,1,52,RRSET_VALIDATED,&rrset) == 0 &&
> rrset->rri_nrdatas) {
> - ret=(void*)-1; /* -1 means insecure */
> - if ((rrset->rri_flags&RRSET_VALIDATED)) do {
> - unsigned char *data;
> - unsigned int dlen, i;
> -
> - for (dlen=0, i=0; i<rrset->rri_nrdatas; i++)
> - dlen +=
> sizeof(int)+rrset->rri_rdatas[i].rdi_length;
> - dlen +=sizeof(int);
> -
> - if ((ret = OPENSSL_malloc(sizeof(int)+dlen)) == NULL)
> break;
> -
> - for (data=ret, i=0; i<rrset->rri_rdatas[i].rdi_length;
> i++) {
> - *(unsigned int *)data = dlen =
> rrset->rri_rdatas[i].rdi_length;
> - data += sizeof(unsigned int);
> - memcpy(data,rrset->rri_rdatas[i].rdi_data,dlen);
> - data += dlen;
> - }
> - *(unsigned int *)data = 0; /* trailing zero */
> - } while (0);
> - p_freerrset.f(rrset);
> - }
> - }
> -#elif defined(_WIN32_NOT_YET)
> - {
> - PDNS_RECORD rrset;
> -
> - DnsQuery_A(query,52,DNS_QUERY_STANDARD,NULL,&rrset,NULL);
> - DnsRecordListFree(rrset,DnsFreeRecordList);
> - }
> -#endif
> - CRYPTO_free(query);
> -
> - return ret;
> -}
> diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
> index dcfdcde..fc63bdb 100644
> --- a/ssl/ssl_cert.c
> +++ b/ssl/ssl_cert.c
> @@ -756,238 +756,12 @@ int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
> return(1);
> }
>
> -#ifndef OPENSSL_NO_DANE
> -static void tlsa_free(void *parent,void *ptr,CRYPTO_EX_DATA *ad,int idx,long
> argl,void *argp)
> - {
> - TLSA_EX_DATA *ex = ptr;
> -
> - if (ex!=NULL)
> - {
> - if (ex->tlsa_record!=NULL && ex->tlsa_record!=(void *)-1)
> - OPENSSL_free(ex->tlsa_record);
> -
> - OPENSSL_free(ex);
> - }
> - }
> -
> -int SSL_get_TLSA_ex_data_idx(void)
> - {
> - static volatile int ssl_tlsa_idx= -1;
> - int got_write_lock = 0;
> -
> - if (((size_t)&ssl_tlsa_idx&(sizeof(ssl_tlsa_idx)-1))
> - ==0) /* check alignment, practically always true */
> - {
> - int ret;
> -
> - if ((ret=ssl_tlsa_idx) < 0)
> - {
> - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
> - if ((ret=ssl_tlsa_idx) < 0)
> - {
> - ret=ssl_tlsa_idx=SSL_get_ex_new_index(
> - 0,"per-SSL TLSA",NULL,NULL,tlsa_free);
> - }
> - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
> - }
> -
> - return ret;
> - }
> - else /* commonly eliminated */
> - {
> - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
> -
> - if (ssl_tlsa_idx < 0)
> - {
> - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
> - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
> - got_write_lock = 1;
> -
> - if (ssl_tlsa_idx < 0)
> - {
> - ssl_tlsa_idx=SSL_get_ex_new_index(
> - 0,"pre-SSL TLSA",NULL,NULL,tlsa_free);
> - }
> - }
> -
> - if (got_write_lock)
> - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
> - else
> - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
> -
> - return ssl_tlsa_idx;
> - }
> - }
> -
> -TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *ssl)
> - {
> - int idx = SSL_get_TLSA_ex_data_idx();
> - TLSA_EX_DATA *ex;
> -
> - if ((ex=SSL_get_ex_data(ssl,idx)) == NULL)
> - {
> - ex = OPENSSL_malloc(sizeof(TLSA_EX_DATA));
> - ex->tlsa_record = NULL;
> - ex->tlsa_witness = -1;
> - SSL_set_ex_data(ssl,idx,ex);
> - }
> -
> - return ex;
> - }
> -
> -/*
> - * return value:
> - * -1: format or digest error
> - * 0: match
> - * 1: no match
> - */
> -static int tlsa_cmp(const X509 *cert, const unsigned char *tlsa_record,
> - int reclen)
> - {
> - const EVP_MD *md;
> - unsigned char digest[EVP_MAX_MD_SIZE];
> - unsigned int len, selector, matching_type;
> - int ret;
> -
> - if (reclen<3 || tlsa_record[0]>3) return -1;
> -
> - selector = tlsa_record[1];
> - matching_type = tlsa_record[2];
> - tlsa_record += 3;
> - reclen -= 3;
> -
> - switch (matching_type) {
> - case 0: /* exact match */
> - if (selector==0) { /* full certificate */
> - ret =
> EVP_Digest(tlsa_record,reclen,digest,&len,EVP_sha1(),NULL);
> - return ret ? memcmp(cert->sha1_hash,digest,len)!=0 : -1;
> - }
> - else if (selector==1) { /* SubjectPublicKeyInfo */
> - ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert);
> -
> - if (key == NULL) return -1;
> - if (key->length != reclen) return 1;
> -
> - return memcmp(key->data,tlsa_record,reclen)!=0;
> - }
> - return -1;
> -
> - case 1: /* SHA256 */
> - case 2: /* SHA512 */
> - md = matching_type==1 ? EVP_sha256() : EVP_sha512();
> -
> - if (reclen!=EVP_MD_size(md)) return -1;
> -
> - if (selector==0) { /* full certificate */
> - ret = X509_digest(cert,md,digest,&len);
> - }
> - else if (selector==1) { /* SubjectPublicKeyInfo */
> - ret = X509_pubkey_digest(cert,md,digest,&len);
> - }
> - else
> - return -1;
> -
> - return ret ? memcmp(tlsa_record,digest,len)!=0 : -1;
> - default:
> - return -1;
> - }
> - }
> -
> -static int dane_verify_callback(int ok, X509_STORE_CTX *ctx)
> - {
> - SSL *s =
> X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx());
> - int depth=X509_STORE_CTX_get_error_depth(ctx);
> - X509 *cert = sk_X509_value(ctx->chain,depth);
> - TLSA_EX_DATA *ex;
> - const unsigned char *tlsa_record;
> - int tlsa_ret=-1, mask=1;
> -
> -
> - if ((ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx())) == NULL ||
> - (tlsa_record=ex->tlsa_record) == NULL ||
> - (tlsa_record==(void *)-1 &&
> (ok=0,ctx->error=X509_V_ERR_INVALID_CA)) || /* temporary code? */
> - /*
> - * X509_verify_cert initially starts throwing ok=0 upon
> - * failure to build certificate chain. As all certificate
> - * usages except for 3 require verifiable chain, ok=0 at
> - * non-zero depth is fatal. More specifically ok=0 at zero
> - * depth is allowed only for usage 3. Special note about
> - * usage 2. The chain is supposed to be filled by
> - * dane_get_issuer, or once again we should tolerate ok=0
> - * only in usage 3 case.
> - */
> - (!ok && depth!=0)) {
> - if (s->verify_callback) return s->verify_callback(ok,ctx);
> - else return ok;
> - }
> -
> - while (1) {
> - unsigned int reclen, certificate_usage;
> -
> - memcpy(&reclen,tlsa_record,sizeof(reclen));
> -
> - if (reclen==0) break;
> -
> - tlsa_record += sizeof(reclen);
> -
> - if (!(ex->tlsa_mask&mask)) { /* not matched yet */
> - /*
> - * tlsa_record[0] Certificate Usage field
> - * tlsa_record[1] Selector field
> - * tlsa_record[2] Matching Type Field
> - * tlsa_record+3 Certificate Association data
> - */
> - certificate_usage = tlsa_record[0];
> -
> - if (depth==0 || certificate_usage==0 || certificate_usage==2) {
> - tlsa_ret = tlsa_cmp(cert,tlsa_record,reclen);
> - if (tlsa_ret==0) {
> - ex->tlsa_witness = depth<<8|certificate_usage;
> - ex->tlsa_mask |= mask;
> - break;
> - }
> - else if (tlsa_ret==-1) {
> - ex->tlsa_witness = -1; /* something phishy? */
> - ex->tlsa_mask |= mask;
> - }
> - }
> -
> - }
> - tlsa_record += reclen;
> - mask <<= 1;
> - }
> -
> - if (depth==0) {
> - if (ex->tlsa_witness==-1) /* no match */
> - ctx->error = X509_V_ERR_CERT_UNTRUSTED, ok=0;
> - else
> - ctx->error = X509_V_OK, ok=1;
> - }
> -
> - if (s->verify_callback) return s->verify_callback(ok,ctx);
> - else return ok;
> - }
> -
> -static int dane_get_issuer(X509 **issuer,X509_STORE_CTX *ctx,X509 *x)
> - {
> - SSL *s =
> X509_STORE_CTX_get_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx());
> - TLSA_EX_DATA *ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx());
> -
> - /* XXX TODO */
> -
> - return ex->get_issuer(issuer,ctx,x);
> - }
> -#endif
> -
> int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
> {
> X509 *x;
> int i;
> X509_STORE *verify_store;
> X509_STORE_CTX ctx;
> -#ifndef OPENSSL_NO_DANE
> - TLSA_EX_DATA *ex;
> -#endif
>
> if (s->cert->verify_store)
> verify_store = s->cert->verify_store;
> @@ -1023,44 +797,6 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
> */
> X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
>
> -#ifndef OPENSSL_NO_DANE
> - if (!s->server &&
> - (ex=SSL_get_ex_data(s, SSL_get_TLSA_ex_data_idx()))!=NULL)
> - {
> - const unsigned char *tlsa_record = ex->tlsa_record;
> -
> - /*
> - * See if there are usable certificates we can add
> - * to chain.
> - */
> - while (tlsa_record!=(void *)-1)
> - {
> - unsigned int reclen;
> -
> - memcpy (&reclen,tlsa_record,sizeof(reclen));
> -
> - if (reclen==0) break;
> -
> - tlsa_record += sizeof(reclen);
> -
> - if (tlsa_record[0]==2 &&
> - tlsa_record[1]==0 && /* full certificate */
> - tlsa_record[2]==0) /* itself */
> - {
> - ex->get_issuer = ctx.get_issuer;
> - ctx.get_issuer = dane_get_issuer;
> -
> - break;
> - }
> - tlsa_record += reclen;
> - }
> -
> - ex->tlsa_mask = 0;
> - ex->tlsa_witness = -1;
> - X509_STORE_CTX_set_verify_cb(&ctx, dane_verify_callback);
> - }
> - else
> -#endif
> if (s->verify_callback)
> X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
>
> diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
> index 00b26ba..3c2c471 100644
> --- a/ssl/ssl_lib.c
> +++ b/ssl/ssl_lib.c
> @@ -1100,9 +1100,6 @@ int SSL_renegotiate_pending(SSL *s)
> long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
> {
> long l;
> -#ifndef OPENSSL_NO_DANE
> - const char *hostname = NULL;
> -#endif
>
> switch (cmd)
> {
> @@ -1167,41 +1164,6 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
> }
> else
> return ssl_put_cipher_by_char(s,NULL,NULL);
> -#ifndef OPENSSL_NO_DANE
> - case SSL_CTRL_PULL_TLSA_RECORD:
> - hostname = parg;
> - parg = SSL_get_tlsa_record_byname
> (parg,larg,s->version<0xF000?1:0);
> - /* yes, fall through */
> - case SSL_CTRL_SET_TLSA_RECORD:
> - if (parg!=NULL)
> - {
> - TLSA_EX_DATA *ex = SSL_get_TLSA_ex_data(s);
> - unsigned char *tlsa_rec = parg;
> - int tlsa_len = 0;
> -
> - if (hostname==NULL)
> - {
> - while (1)
> - {
> - int dlen;
> -
> - memcpy(&dlen,tlsa_rec,sizeof(dlen));
> - tlsa_rec += sizeof(dlen)+dlen;
> -
> - if (dlen==0) break;
> - }
> - if ((tlsa_rec = OPENSSL_malloc(tlsa_len)))
> - memcpy(tlsa_rec,parg,tlsa_len);
> - else
> - {
> -
> SSLerr(SSL_F_SSL_CTRL,SSL_R_UNINITIALIZED);
> - return 0;
> - }
> - }
> - ex->tlsa_record = tlsa_rec;
> - }
> - return 1;
> -#endif
> default:
> return(s->method->ssl_ctrl(s,cmd,larg,parg));
> }
> diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
> index 1d90ddd..adb1f32 100644
> --- a/ssl/ssl_locl.h
> +++ b/ssl/ssl_locl.h
> @@ -1357,15 +1357,4 @@ void tls_fips_digest_extra(
> const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
> const unsigned char *data, size_t data_len, size_t orig_len);
>
> -#ifndef OPENSSL_NO_DANE
> -
> -typedef struct {
> - unsigned char *tlsa_record;
> - int tlsa_witness, tlsa_mask;
> - int (*get_issuer)(X509 **issuer,X509_STORE_CTX *ctx,X509 *x);
> - } TLSA_EX_DATA;
> -
> -TLSA_EX_DATA *SSL_get_TLSA_ex_data(SSL *);
> -int SSL_get_TLSA_ex_data_idx(void);
> -#endif
> #endif
> diff --git a/util/mk1mf.pl b/util/mk1mf.pl
> index 324871f..af1904b 100755
> --- a/util/mk1mf.pl
> +++ b/util/mk1mf.pl
> @@ -1231,7 +1231,6 @@ sub read_options
> "no-zlib" => 0,
> "no-zlib-dynamic" => 0,
> "no-ssl-trace" => 0,
> - "no-dane" => 0,
> "no-libunbound" => 0,
> "no-multiblock" => 0,
> "fips" => \$fips
>
>
> hooks/post-receive
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
