Update from stable branch.

ed551cdd · Dr. Stephen Henson · 5aca224e · ed551cdd · ed551cdd · ed551cdd
10 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -725,6 +725,12 @@
     [NTT]

 Changes between 0.9.8i and 0.9.8j  [xx XXX xxxx]
+  
+  *) Update Configure code and WIN32 build scripts to support experimental
+     code. This is surrounded by OPENSSL_EXPERIMENTAL_FOO and not compiled
+     in by default. Using the configuration option "enable-experimental-foo"
+     enables it. Use this option for JPAKE.
+     [Steve Henson]

  *) Add JPAKE support, including demo authentication in s_client and
     s_server.

--- a/Configure
+++ b/Configure
@@ -604,6 +604,7 @@ my $no_threads=0;
 my $threads=0;
 my $no_shared=0; # but "no-shared" is default
 my $zlib=1;      # but "no-zlib" is default
+my $jpake=1;      # but "no-jpake" is default
 my $no_krb5=0;   # but "no-krb5" is implied unless "--with-krb5-..." is used
 my $no_rfc3779=1; # but "no-rfc3779" is default
 my $no_asm=0;
@@ -640,6 +641,7 @@ my $perl;

 my %disabled = ( # "what"         => "comment"
 		 "gmp"		  => "default",
+                 "experimental-jpake"          => "default",
                 "mdc2"           => "default",
                 "rc5"            => "default",
 		 "rfc3779"	  => "default",
@@ -920,6 +922,8 @@ foreach (sort (keys %disabled))
 		{ $no_threads = 1; }
 	elsif (/^shared$/)
 		{ $no_shared = 1; }
+	elsif (/^experimental-jpake$/)
+		{ $jpake = 0; push @skip, "jpake"}
 	elsif (/^zlib$/)
 		{ $zlib = 0; }
 	elsif (/^static-engine$/)
@@ -1161,6 +1165,11 @@ if ($threads)
 	$openssl_thread_defines .= $thread_defines;
 	}

+if ($jpake)
+	{
+	$openssl_other_defines = "#define OPENSSL_EXPERIMENTAL_JPAKE\n";
+	}
+
 if ($zlib)
 	{
 	$cflags = "-DZLIB $cflags";
@@ -1367,7 +1376,8 @@ while (<IN>)
 	if ($sdirs) {
 		my $dir;
 		foreach $dir (@skip) {
-			s/([ 	])$dir /\1/;
+			s/(\s)$dir /$1/;
+			s/\s$dir$//;
 			}
 		}
 	$sdirs = 0 unless /\\$/;

--- a/apps/apps.c
+++ b/apps/apps.c
@@ -137,7 +137,9 @@
 #include <openssl/rsa.h>
 #endif
 #include <openssl/bn.h>
+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 #include <openssl/jpake.h>
+#endif

 #define NON_MAIN
 #include "apps.h"
@@ -2379,6 +2381,8 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx)
 		BIO_free(out);
 	}

+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
+
 static JPAKE_CTX *jpake_init(const char *us, const char *them,
 							 const char *secret)
 	{
@@ -2591,6 +2595,8 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
 	BIO_free(bconn);
 	}

+#endif
+
 /*
 * Platform-specific sections
 */

--- a/apps/apps.h
+++ b/apps/apps.h
@@ -308,8 +308,10 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
 int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
 			const char *algname, ENGINE *e, int do_param);
+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
+#endif

 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1

--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -429,7 +429,9 @@ int MAIN(int argc, char **argv)
 	int peerlen = sizeof(peer);
 	int enable_timeouts = 0 ;
 	long socket_mtu = 0;
+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 	char *jpake_secret = NULL;
+#endif

 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	meth=SSLv23_client_method();
@@ -699,11 +701,13 @@ int MAIN(int argc, char **argv)
 			/* meth=TLSv1_client_method(); */
 			}
 #endif
+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 		else if (strcmp(*argv,"-jpake") == 0)
 			{
 			if (--argc < 1) goto bad;
 			jpake_secret = *++argv;
 			}
+#endif
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -1022,9 +1026,10 @@ SSL_set_tlsext_status_ids(con, ids);
 #endif
 		}
 #endif
-
+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 	if (jpake_secret)
 		jpake_client_auth(bio_c_out, sbio, jpake_secret);
+#endif

 	SSL_set_bio(con,sbio,sbio);
 	SSL_set_connect_state(con);

--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -822,7 +822,9 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));

 int MAIN(int, char **);

+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 static char *jpake_secret = NULL;
+#endif

 int MAIN(int argc, char *argv[])
 	{
@@ -1182,11 +1184,13 @@ int MAIN(int argc, char *argv[])
 			}
 			
 #endif
+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 		else if (strcmp(*argv,"-jpake") == 0)
 			{
 			if (--argc < 1) goto bad;
 			jpake_secret = *(++argv);
 			}
+#endif
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -1814,9 +1818,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 		test=BIO_new(BIO_f_nbio_test());
 		sbio=BIO_push(test,sbio);
 		}
-
+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 	if(jpake_secret)
 		jpake_server_auth(bio_s_out, sbio, jpake_secret);
+#endif

 	SSL_set_bio(con,sbio,sbio);
 	SSL_set_accept_state(con);

--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -99,8 +99,9 @@
 #ifndef OPENSSL_NO_CMS
 #include <openssl/cms.h>
 #endif
-
+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 #include <openssl/jpake.h>
+#endif

 void ERR_load_crypto_strings(void)
 	{
@@ -150,6 +151,8 @@ void ERR_load_crypto_strings(void)
 #ifndef OPENSSL_NO_CMS
 	ERR_load_CMS_strings();
 #endif
+#ifdef OPENSSL_EXPERIMENTAL_JPAKE
 	ERR_load_JPAKE_strings();
+#endif
 #endif
 	}
--- a/crypto/jpake/jpake.h
+++ b/crypto/jpake/jpake.h
@@ -8,6 +8,12 @@
 #ifndef HEADER_JPAKE_H
 #define HEADER_JPAKE_H

+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_EXPERIMENTAL_JPAKE
+#error JPAKE is disabled.
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif

--- a/util/libeay.num
+++ b/util/libeay.num
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -79,7 +79,8 @@ my $OS2=0;
 my $safe_stack_def = 0;

 my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
-			"EXPORT_VAR_AS_FUNCTION", "ZLIB" );
+			"EXPORT_VAR_AS_FUNCTION", "ZLIB",
+			"OPENSSL_EXPERIMENTAL_JPAKE" );
 my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
@@ -151,6 +152,9 @@ foreach (@ARGV, split(/ /, $options))
 		$zlib = 1;
 	}

+	if ($_ eq "enable-experimental-jpake") {
+ 		$jpake = 1;
+	}

 	$do_ssl=1 if $_ eq "ssleay";
 	if ($_ eq "ssl") {
@@ -552,6 +556,10 @@ sub do_defs
 						$tag{$tag[$tag_i]}=2;
 						print STDERR "DEBUG: $file: chaged tag $1 = 2\n" if $debug;
 					}
+					if ($tag[$tag_i] eq "OPENSSL_EXPERIMENTAL_".$1) {
+						$tag{$tag[$tag_i]}=-2;
+						print STDERR "DEBUG: $file: chaged tag $1 = -2\n" if $debug;
+					}
 					$tag_i--;
 				}
 			} elsif (/^\#\s*endif/) {
@@ -561,6 +569,8 @@ sub do_defs
 					print STDERR "DEBUG: \$t=\"$t\"\n" if $debug;
 					if ($tag{$t}==2) {
 						$tag{$t}=-1;
+					} elsif ($tag{$t}==-2) {
+						$tag{$t}=1;
 					} else {
 						$tag{$t}=0;
 					}
@@ -1097,6 +1107,11 @@ sub is_valid
 				return 1;
 			}
 			if ($keyword eq "ZLIB" && $zlib) { return 1; }
+			if ($keyword eq "OPENSSL_EXPERIMENTAL_JPAKE" && $jpake) {
+
+
+				return 1;
+			}
 			return 0;
 		} else {
 			# algorithms