diff --git a/crypto/dist/openssl/CHANGES b/crypto/dist/openssl/CHANGES index c6bef3035501..be4d128b834a 100644 --- a/crypto/dist/openssl/CHANGES +++ b/crypto/dist/openssl/CHANGES @@ -2,17 +2,40 @@ OpenSSL CHANGES _______________ - Changes in security patch + Changes between 0.9.6d and 0.9.6e [30 Jul 2002] -Changes marked "(CHATS)" were sponsored by the Defense Advanced -Research Projects Agency (DARPA) and Air Force Research Laboratory, -Air Force Materiel Command, USAF, under agreement number -F30602-01-2-0537. + *) Fix cipher selection routines: ciphers without encryption had no flags + for the cipher strength set and where therefore not handled correctly + by the selection routines (PR #130). + [Lutz Jaenicke] + + *) Fix EVP_dsa_sha macro. + [Nils Larsch] + + *) New option + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure + that was added in OpenSSL 0.9.6d. + + As the countermeasure turned out to be incompatible with some + broken SSL implementations, the new option is part of SSL_OP_ALL. + SSL_OP_ALL is usually employed when compatibility with weird SSL + implementations is desired (e.g. '-bugs' option to 's_client' and + 's_server'), so the new option is automatically set in many + applications. + [Bodo Moeller] + + *) Changes in security patch: + + Changes marked "(CHATS)" were sponsored by the Defense Advanced + Research Projects Agency (DARPA) and Air Force Research Laboratory, + Air Force Materiel Command, USAF, under agreement number + F30602-01-2-0537. *) Add various sanity checks to asn1_get_length() to reject the ASN1 length bytes if they exceed sizeof(long), will appear negative or the content length exceeds the length of the - supplied buffer. (CAN-2002-0659) + supplied buffer. [Steve Henson, Adi Stav , James Yonan ] *) Assertions for various potential buffer overflows, not known to diff --git a/crypto/dist/openssl/FAQ b/crypto/dist/openssl/FAQ index 3b69d8bcc935..ad75299f8820 100644 
--- a/crypto/dist/openssl/FAQ +++ b/crypto/dist/openssl/FAQ @@ -38,6 +38,8 @@ OpenSSL - Frequently Asked Questions * Why does the OpenSSL compilation fail on Alpha Tru64 Unix? * Why does the OpenSSL compilation fail with "ar: command not found"? * Why does the OpenSSL compilation fail on Win32 with VC++? +* What is special about OpenSSL on Redhat? +* Why does the OpenSSL test suite fail on MacOS X? [PROG] Questions about programming with OpenSSL @@ -59,7 +61,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.6d was released on 9 May, 2002. +OpenSSL 0.9.6e was released on 30 May, 2002. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at and others have suggested installing the SUNski package from Sun patch 105710-01 (Sparc) which adds a /dev/random device and make sure it gets used, usually through $RANDFILE. There are probably similar patches for the other Solaris -versions. However, be warned that /dev/random is usually a blocking -device, which may have some effects on OpenSSL. +versions. An official statement from Sun with respect to /dev/random +support can be found at + http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski +However, be warned that /dev/random is usually a blocking device, which +may have some effects on OpenSSL. * Why do I get an "unable to write 'random state'" error message? 
@@ -451,6 +456,52 @@ under 'Program Files'). This needs to be done prior to running NMAKE, and the changes are only valid for the current DOS session. +* What is special about OpenSSL on Redhat? + +Red Hat Linux (release 7.0 and later) include a preinstalled limited +version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2 +is disabled in this version. The same may apply to other Linux distributions. +Users may therefore wish to install more or all of the features left out. + +To do this you MUST ensure that you do not overwrite the openssl that is in +/usr/bin on your Red Hat machine. Several packages depend on this file, +including sendmail and ssh. /usr/local/bin is a good alternative choice. The +libraries that come with Red Hat 7.0 onwards have different names and so are +not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and +/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and +/lib/libcrypto.so.2 respectively). + +Please note that we have been advised by Red Hat attempting to recompile the +openssl rpm with all the cryptography enabled will not work. All other +packages depend on the original Red Hat supplied openssl package. It is also +worth noting that due to the way Red Hat supplies its packages, updates to +openssl on each distribution never change the package version, only the +build number. For example, on Red Hat 7.1, the latest openssl package has +version number 0.9.6 and build number 9 even though it contains all the +relevant updates in packages up to and including 0.9.6b. + +A possible way around this is to persuade Red Hat to produce a non-US +version of Red Hat Linux. + +FYI: Patent numbers and expiry dates of US patents: +MDC-2: 4,908,861 13/03/2007 +IDEA: 5,214,703 25/05/2010 +RC5: 5,724,428 03/03/2015 + + +* Why does the OpenSSL test suite fail on MacOS X? 
+ +If the failure happens when running 'make test' and the RC4 test fails, +it's very probable that you have OpenSSL 0.9.6b delivered with the +operating system (you can find out by running '/usr/bin/openssl version') +and that you were trying to build OpenSSL 0.9.6d. The problem is that +the loader ('ld') in MacOS X has a misfeature that's quite difficult to +go around and has linked the programs "openssl" and the test programs +with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the +libraries you just built. +Look in the file PROBLEMS for a more detailed explanation and for possible +solutions. + [PROG] ======================================================================== * Is OpenSSL thread-safe? diff --git a/crypto/dist/openssl/crypto/des/des.h b/crypto/dist/openssl/crypto/des/des.h index dc7421367511..c77ae7580bc1 100644 --- a/crypto/dist/openssl/crypto/des/des.h +++ b/crypto/dist/openssl/crypto/des/des.h @@ -188,7 +188,7 @@ int des_enc_write(int fd,const void *buf,int len,des_key_schedule sched, des_cblock *iv); char *des_fcrypt(const char *buf,const char *salt, char *ret); char *des_crypt(const char *buf,const char *salt); -#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__NetBSD__) +#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(_UWIN) && !defined(__NetBSD__) char *crypt(const char *buf,const char *salt); #endif void des_ofb_encrypt(const unsigned char *in,unsigned char *out,int numbits, diff --git a/crypto/dist/openssl/crypto/ebcdic.c b/crypto/dist/openssl/crypto/ebcdic.c index 91a7a8bcb430..a83536ba5ead 100644 --- a/crypto/dist/openssl/crypto/ebcdic.c +++ b/crypto/dist/openssl/crypto/ebcdic.c @@ -211,7 +211,7 @@ ascii2ebcdic(void *dest, const void *srce, size_t count) } #else /*CHARSET_EBCDIC*/ -#if defined(PEDANTIC) || defined(VMS) || defined(__VMS) +#if defined(PEDANTIC) || defined(VMS) || defined(__VMS) || defined(_DARWIN) static void *dummy=&dummy; #endif #endif 
diff --git a/crypto/dist/openssl/crypto/evp/c_alld.c b/crypto/dist/openssl/crypto/evp/c_alld.c index bbf059eb85e2..41695df1067b 100644 --- a/crypto/dist/openssl/crypto/evp/c_alld.c +++ b/crypto/dist/openssl/crypto/evp/c_alld.c @@ -64,6 +64,10 @@ void OpenSSL_add_all_digests(void) { + static int done=0; + + if (done) return; + done=1; #ifndef NO_MD2 EVP_add_digest(EVP_md2()); #endif diff --git a/crypto/dist/openssl/crypto/evp/evp.h b/crypto/dist/openssl/crypto/evp/evp.h index 91ab7f7d62ae..918a2f006a84 100644 --- a/crypto/dist/openssl/crypto/evp/evp.h +++ b/crypto/dist/openssl/crypto/evp/evp.h @@ -188,7 +188,7 @@ typedef struct evp_pkey_md_st EVP_rsa_octet_string(),EVP_mdc2()) #define EVP_dsa_sha() \ EVP_PKEY_MD_add(NID_dsaWithSHA,\ - EVP_dsa(),EVP_mdc2()) + EVP_dsa(),EVP_sha()) #define EVP_dsa_sha1() \ EVP_PKEY_MD_add(NID_dsaWithSHA1,\ EVP_dsa(),EVP_sha1()) diff --git a/crypto/dist/openssl/crypto/objects/obj_dat.c b/crypto/dist/openssl/crypto/objects/obj_dat.c index 68f342d451ea..41fdf6e7b2cc 100644 --- a/crypto/dist/openssl/crypto/objects/obj_dat.c +++ b/crypto/dist/openssl/crypto/objects/obj_dat.c @@ -228,7 +228,7 @@ int OBJ_add_object(ASN1_OBJECT *obj) if (added == NULL) if (!init_added()) return(0); if ((o=OBJ_dup(obj)) == NULL) goto err; - ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); + if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err; if ((o->length != 0) && (obj->data != NULL)) ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); if (o->sn != NULL) diff --git a/crypto/dist/openssl/doc/apps/smime.pod b/crypto/dist/openssl/doc/apps/smime.pod index ce99b5c345a1..fa5d23e8dc3b 100644 --- a/crypto/dist/openssl/doc/apps/smime.pod +++ b/crypto/dist/openssl/doc/apps/smime.pod @@ -21,7 +21,6 @@ B B [B<-certfile file>] [B<-signer file>] [B<-recip file>] -[B<-in file>] [B<-inform SMIME|PEM|DER>] [B<-passin arg>] [B<-inkey file>] 
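Review bot: In crypto/evp/c_alld.c, the `done` flag added at the top of OpenSSL_add_all_digests() is a plain `static int` that is tested and set without any lock. Two threads calling the function at the same time can both run the registration, or the second can return while the first is still adding digests and then fail a lookup. The flag is also never reset, so if the digest table is emptied later (EVP_cleanup() presumably does this, but it is outside the hunk), a following call registers nothing. At minimum the limits should be recorded next to the flag, e.g. `/* not thread-safe: call once before starting threads; has no effect again after the table is cleaned up */`. The function body continues past the hunk.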
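Review bot: In crypto/objects/obj_dat.c, the new NULL check covers only `ao[ADDED_NID]`; the `OPENSSL_malloc` result assigned to `ao[ADDED_DATA]` two lines further down in the same hunk is still unchecked. The `o->sn` branch after it probably allocates the same way, but its body is outside the hunk. A failed allocation there leaves a NULL slot that later code must either skip, silently dropping that index entry, or dereference; which of the two happens is not visible here. The same pattern would close the gap: `if (!(ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err;`. OBJ_add_object starts and ends outside the hunk, so whether the `err` path frees the earlier slots needs checking there.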
diff --git a/crypto/dist/openssl/doc/crypto/BN_rand.pod b/crypto/dist/openssl/doc/crypto/BN_rand.pod index ecd410f7f252..9cec238f9e24 100644 --- a/crypto/dist/openssl/doc/crypto/BN_rand.pod +++ b/crypto/dist/openssl/doc/crypto/BN_rand.pod @@ -14,7 +14,7 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_rand_range(BIGNUM *rnd, BIGNUM *range); - int BN_pseudo_rand_range(BIGNUM *rnd, int bits, int top, int bottom); + int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range); =head1 DESCRIPTION diff --git a/crypto/dist/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/dist/openssl/doc/crypto/EVP_DigestInit.pod index b8a231c642d5..b99ecd25d939 100644 --- a/crypto/dist/openssl/doc/crypto/EVP_DigestInit.pod +++ b/crypto/dist/openssl/doc/crypto/EVP_DigestInit.pod @@ -192,7 +192,7 @@ in code that must be recompiled if the size of B increases. L, L, L, L, L, L, -L, L +L, L =head1 HISTORY diff --git a/crypto/dist/openssl/doc/crypto/EVP_SignInit.pod b/crypto/dist/openssl/doc/crypto/EVP_SignInit.pod index 7f9265d0a60d..51d05ffe9da1 100644 --- a/crypto/dist/openssl/doc/crypto/EVP_SignInit.pod +++ b/crypto/dist/openssl/doc/crypto/EVP_SignInit.pod @@ -75,7 +75,7 @@ L, L, L, L, L, L, L, L, L, -L, L +L, L =head1 HISTORY diff --git a/crypto/dist/openssl/doc/crypto/EVP_VerifyInit.pod b/crypto/dist/openssl/doc/crypto/EVP_VerifyInit.pod index 736a0f4a822b..5d0d1fb151d9 100644 --- a/crypto/dist/openssl/doc/crypto/EVP_VerifyInit.pod +++ b/crypto/dist/openssl/doc/crypto/EVP_VerifyInit.pod @@ -62,7 +62,7 @@ L, L, L, L, L, L, L, L, L, -L, L +L, L =head1 HISTORY diff --git a/crypto/dist/openssl/doc/crypto/err.pod b/crypto/dist/openssl/doc/crypto/err.pod index 264e30103d67..6f729554d2a9 100644 --- a/crypto/dist/openssl/doc/crypto/err.pod +++ b/crypto/dist/openssl/doc/crypto/err.pod @@ -172,7 +172,7 @@ ERR_get_string_table(void) respectively. =head1 SEE ALSO L, -L, +L, L, L, L, 
diff --git a/crypto/dist/openssl/doc/crypto/rsa.pod b/crypto/dist/openssl/doc/crypto/rsa.pod index 1633840d4c21..ec7458c40934 100644 --- a/crypto/dist/openssl/doc/crypto/rsa.pod +++ b/crypto/dist/openssl/doc/crypto/rsa.pod @@ -110,7 +110,7 @@ L, L, L, L, L, -L, +L, L =cut diff --git a/crypto/dist/openssl/doc/ssl/SSL_get_error.pod b/crypto/dist/openssl/doc/ssl/SSL_get_error.pod index f700bf0ace55..fe28dd942aee 100644 --- a/crypto/dist/openssl/doc/ssl/SSL_get_error.pod +++ b/crypto/dist/openssl/doc/ssl/SSL_get_error.pod @@ -13,7 +13,7 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation =head1 DESCRIPTION SSL_get_error() returns a result code (suitable for the C "switch" -statement) for a preceding call to SSL_connect(), SSL_accept(), +statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), SSL_read(), SSL_peek(), or SSL_write() on B. The value returned by that TLS/SSL I/O function must be passed to SSL_get_error() in parameter B. diff --git a/crypto/dist/openssl/doc/ssl/ssl.pod b/crypto/dist/openssl/doc/ssl/ssl.pod index 79b19d9eb136..2dcee0385a40 100644 --- a/crypto/dist/openssl/doc/ssl/ssl.pod +++ b/crypto/dist/openssl/doc/ssl/ssl.pod @@ -682,6 +682,7 @@ L, L, L, L, +L, L, L, L, diff --git a/crypto/dist/openssl/e_os.h b/crypto/dist/openssl/e_os.h index b13b65b95e74..ea42d22a0039 100644 --- a/crypto/dist/openssl/e_os.h +++ b/crypto/dist/openssl/e_os.h @@ -114,11 +114,11 @@ extern "C" { # define MS_STATIC #endif -#if defined(_WIN32) && !defined(WIN32) && !defined(__CYGWIN32__) +#if defined(_WIN32) && !defined(WIN32) && !defined(__CYGWIN32__) && !defined(_UWIN) # define WIN32 #endif -#if (defined(WIN32) || defined(WIN16)) && !defined(__CYGWIN32__) +#if (defined(WIN32) || defined(WIN16)) && !defined(__CYGWIN32__) && !defined(_UWIN) # ifndef WINDOWS # define WINDOWS # endif 
@@ -142,7 +142,8 @@ extern "C" { #define clear_sys_error() errno=0 #endif -#if defined(WINDOWS) && !defined(__CYGWIN32__) +#if defined(WINDOWS) && !defined(__CYGWIN32__) && !defined(_UWIN) + #define get_last_socket_error() WSAGetLastError() #define clear_socket_error() WSASetLastError(0) #define readsocket(s,b,n) recv((s),(b),(n),0) @@ -180,7 +181,7 @@ extern "C" { #endif -#if (defined(WINDOWS) || defined(MSDOS)) && !defined(__CYGWIN32__) +#if (defined(WINDOWS) || defined(MSDOS)) && !defined(__CYGWIN32__) && !defined(_UWIN) # ifndef S_IFDIR # define S_IFDIR _S_IFDIR diff --git a/crypto/dist/openssl/shlib/Makefile.hpux10-cc b/crypto/dist/openssl/shlib/Makefile.hpux10-cc index ecc6ad637d8b..3b8a70259c7b 100644 --- a/crypto/dist/openssl/shlib/Makefile.hpux10-cc +++ b/crypto/dist/openssl/shlib/Makefile.hpux10-cc @@ -1,6 +1,6 @@ # Makefile.hpux-cc -major=0.9.6d +major=0.9.6e slib=libssl sh_slib=$(slib).sl.$(major) diff --git a/crypto/dist/openssl/shlib/hpux10-cc.sh b/crypto/dist/openssl/shlib/hpux10-cc.sh index 5a9be6dbffa7..a5b850fb2152 100644 --- a/crypto/dist/openssl/shlib/hpux10-cc.sh +++ b/crypto/dist/openssl/shlib/hpux10-cc.sh @@ -60,9 +60,9 @@ mkdir /usr/local mkdir /usr/local/ssl mkdir /usr/local/ssl/lib chmod 444 lib*_pic.a -chmod 555 lib*.sl.0.9.6d -cp -p lib*_pic.a lib*.sl.0.9.6d /usr/local/ssl/lib -(cd /usr/local/ssl/lib ; ln -sf libcrypto.sl.0.9.6d libcrypto.sl ; ln -sf libssl.sl.0.9.6d libssl.sl) +chmod 555 lib*.sl.0.9.6e +cp -p lib*_pic.a lib*.sl.0.9.6e /usr/local/ssl/lib +(cd /usr/local/ssl/lib ; ln -sf libcrypto.sl.0.9.6e libcrypto.sl ; ln -sf libssl.sl.0.9.6e libssl.sl) # Reconfigure without pic to compile the executables. Unfortunately, while # performing this task we have to recompile the library components, even diff --git a/crypto/dist/openssl/ssl/s2_lib.c b/crypto/dist/openssl/ssl/s2_lib.c index 1ae806c5cb00..25734a05a926 100644 --- a/crypto/dist/openssl/ssl/s2_lib.c +++ b/crypto/dist/openssl/ssl/s2_lib.c 
@@ -77,7 +77,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ SSL2_TXT_NULL_WITH_MD5, SSL2_CK_NULL_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2, - SSL_EXPORT|SSL_EXP40, + SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE, + 0, 0, 0, SSL_ALL_CIPHERS, @@ -199,6 +200,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ SSL2_TXT_NULL, SSL2_CK_NULL, 0, + SSL_STRONG_NONE, 0, 0, 0, diff --git a/crypto/dist/openssl/ssl/s3_lib.c b/crypto/dist/openssl/ssl/s3_lib.c index ac0cf7626822..592c78650786 100644 --- a/crypto/dist/openssl/ssl/s3_lib.c +++ b/crypto/dist/openssl/ssl/s3_lib.c @@ -129,7 +129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -492,7 +492,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_NULL_SHA, SSL3_CK_FZA_DMS_NULL_SHA, SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -506,7 +506,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_FZA_SHA, SSL3_CK_FZA_DMS_FZA_SHA, SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, diff --git a/crypto/dist/openssl/ssl/ssl.h b/crypto/dist/openssl/ssl/ssl.h index 7eac93545147..ac73321ed228 100644 --- a/crypto/dist/openssl/ssl/ssl.h +++ b/crypto/dist/openssl/ssl/ssl.h @@ -340,6 +340,7 @@ typedef struct ssl_session_st struct ssl_session_st *prev,*next; } SSL_SESSION; + #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L 
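Review bot: In ssl/s2_lib.c, the SSL2_CK_NULL_WITH_MD5 entry now carries `SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE`, which is two strength bits at once, since both fall under the new `SSL_STRONG_MASK` of 0x000000fcL. The SSL2_CK_NULL entry in the second hunk and the eNULL entries in s3_lib.c set `SSL_STRONG_NONE` alone. If strength classes are meant to be exclusive, this entry would match an EXP40 selection as well as the no-encryption class. If both bits are deliberate, say so on the entry, e.g. `/* NULL cipher: SSL_EXP40 kept alongside SSL_STRONG_NONE, matches both strength classes */`. The same hunk also inserts a bare `0,` into a positional initializer, and a comment naming the field it fills would make the column alignment checkable.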
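Review bot: In ssl/s3_lib.c, the last hunk (@@ -506,7) tags SSL3_CK_FZA_DMS_FZA_SHA with `SSL_NOT_EXP|SSL_STRONG_NONE` although its algorithm field is `SSL_eFZA`, not `SSL_eNULL` like the other three entries changed in this file. The CHANGES entry describes the new flag as covering ciphers without encryption, so this suite appears to be classified together with the NULL ciphers for strength-based selection. Either give it a real strength class or record why it has none, e.g. `/* Fortezza cipher: no strength class assigned, grouped with SSL_STRONG_NONE */`. The table entries continue outside the hunks.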
@@ -351,11 +352,25 @@ typedef struct ssl_session_st #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L #define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L +/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added + * in OpenSSL 0.9.6d. Usually (depending on the application protocol) + * the workaround is not needed. Unfortunately some broken SSL/TLS + * implementations cannot handle it at all, which is why we include + * it in SSL_OP_ALL. */ +#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */ + +/* SSL_OP_ALL: various bug workarounds that should be rather harmless */ +#define SSL_OP_ALL 0x000FFFFFL + /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L /* Set to also use the tmp_rsa key when doing RSA operations. */ #define SSL_OP_EPHEMERAL_RSA 0x00200000L +#define SSL_OP_NO_SSLv2 0x01000000L +#define SSL_OP_NO_SSLv3 0x02000000L +#define SSL_OP_NO_TLSv1 0x04000000L + /* The next flag deliberately changes the ciphertest, this is a check * for the PKCS#1 attack */ #define SSL_OP_PKCS1_CHECK_1 0x08000000L @@ -364,11 +379,7 @@ typedef struct ssl_session_st /* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */ #define SSL_OP_NON_EXPORT_FIRST 0x40000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L -#define SSL_OP_ALL 0x000FFFFFL -#define SSL_OP_NO_SSLv2 0x01000000L -#define SSL_OP_NO_SSLv3 0x02000000L -#define SSL_OP_NO_TLSv1 0x04000000L /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success * when just a single record has been written): */ @@ -382,6 +393,7 @@ typedef struct ssl_session_st * is blocking: */ #define SSL_MODE_AUTO_RETRY 0x00000004L + /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ diff --git a/crypto/dist/openssl/ssl/ssl_locl.h b/crypto/dist/openssl/ssl/ssl_locl.h index 100fec7dc825..74d9b9afa39a 100644 --- a/crypto/dist/openssl/ssl/ssl_locl.h 
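Review bot: In ssl/ssl.h, `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` (0x00000800L) falls inside the `SSL_OP_ALL` mask (0x000FFFFFL), so every application that already sets SSL_OP_ALL now switches off the CBC countermeasure added in 0.9.6d. The comment placed on SSL_OP_ALL still describes its contents as "rather harmless". The note further down in this file says SSL[_CTX]_set_options cannot clear bits, so a caller that has set SSL_OP_ALL cannot turn the countermeasure back on afterwards. The SSL_OP_ALL comment should state the trade-off and show the opt-out, e.g. `/* SSL_OP_ALL also disables the 0.9.6d CBC countermeasure; pass SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS to keep it */`.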
+++ b/crypto/dist/openssl/ssl/ssl_locl.h @@ -283,16 +283,17 @@ #define SSL_NOT_EXP 0x00000001L #define SSL_EXPORT 0x00000002L -#define SSL_STRONG_MASK 0x0000007cL -#define SSL_EXP40 0x00000004L +#define SSL_STRONG_MASK 0x000000fcL +#define SSL_STRONG_NONE 0x00000004L +#define SSL_EXP40 0x00000008L #define SSL_MICRO (SSL_EXP40) -#define SSL_EXP56 0x00000008L +#define SSL_EXP56 0x00000010L #define SSL_MINI (SSL_EXP56) -#define SSL_LOW 0x00000010L -#define SSL_MEDIUM 0x00000020L -#define SSL_HIGH 0x00000040L +#define SSL_LOW 0x00000020L +#define SSL_MEDIUM 0x00000040L +#define SSL_HIGH 0x00000080L -/* we have used 0000007f - 25 bits left to go */ +/* we have used 000000ff - 24 bits left to go */ /* * Macros to check the export status and cipher strength for export ciphers. diff --git a/crypto/dist/openssl/util/pod2man.pl b/crypto/dist/openssl/util/pod2man.pl index c6b64add602d..657e4e264e07 100755 --- a/crypto/dist/openssl/util/pod2man.pl +++ b/crypto/dist/openssl/util/pod2man.pl @@ -416,8 +416,8 @@ if ($name ne 'something') { warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n" } else { - $n[0] =~ s/\n/ /; - $n[1] =~ s/\n/ /; + $n[0] =~ s/\n/ /g; + $n[1] =~ s/\n/ /g; %namedesc = @n; } }
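Review bot: In ssl/ssl_locl.h, `SSL_STRONG_NONE` is introduced without a comment and takes over the value 0x00000004L, which pushes `SSL_EXP40` through `SSL_HIGH` each one bit up. Every object that uses these constants has to be rebuilt against the new header; that should be safe if the values are only ever referenced by name, which cannot be confirmed from this hunk. A one-line comment would make the meaning explicit for anyone editing the cipher tables: `#define SSL_STRONG_NONE 0x00000004L /* cipher provides no encryption (eNULL) */`.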