summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordjm <>2005-04-29 05:37:34 +0000
committerdjm <>2005-04-29 05:37:34 +0000
commita95585a25ab25668b931a78b7543f707a3354db8 (patch)
treef9e9febf7ac0c8f5d6df761fe70fd613aac06203
parent58c08aa241f168c84ce7cc3052454ea59a44eada (diff)
downloadopenbsd-a95585a25ab25668b931a78b7543f707a3354db8.tar.gz
openbsd-a95585a25ab25668b931a78b7543f707a3354db8.tar.bz2
openbsd-a95585a25ab25668b931a78b7543f707a3354db8.zip
import of openssl-0.9.7g; tested on platforms from alpha to zaurus, ok deraadt@
Diffstat
-rw-r--r--src/lib/libcrypto/aes/aes.h15
-rw-r--r--src/lib/libcrypto/aes/aes_cbc.c44
-rw-r--r--src/lib/libcrypto/aes/aes_cfb.c68
-rw-r--r--src/lib/libcrypto/aes/aes_core.c4
-rw-r--r--src/lib/libcrypto/aes/aes_ctr.c35
-rw-r--r--src/lib/libcrypto/aes/aes_locl.h2
-rw-r--r--src/lib/libcrypto/asn1/a_bitstr.c8
-rw-r--r--src/lib/libcrypto/asn1/a_digest.c7
-rw-r--r--src/lib/libcrypto/asn1/a_enum.c2
-rw-r--r--src/lib/libcrypto/asn1/a_int.c21
-rw-r--r--src/lib/libcrypto/asn1/a_print.c2
-rw-r--r--src/lib/libcrypto/asn1/a_set.c23
-rw-r--r--src/lib/libcrypto/asn1/a_strex.c9
-rw-r--r--src/lib/libcrypto/asn1/a_type.c5
-rw-r--r--src/lib/libcrypto/asn1/a_verify.c8
-rw-r--r--src/lib/libcrypto/asn1/asn1.h8
-rw-r--r--src/lib/libcrypto/asn1/asn1_err.c8
-rw-r--r--src/lib/libcrypto/asn1/asn1_lib.c1
-rw-r--r--src/lib/libcrypto/asn1/evp_asn1.c6
-rw-r--r--src/lib/libcrypto/asn1/p5_pbe.c26
-rw-r--r--src/lib/libcrypto/asn1/p5_pbev2.c6
-rw-r--r--src/lib/libcrypto/asn1/t_bitst.c5
-rw-r--r--src/lib/libcrypto/asn1/x_crl.c40
-rw-r--r--src/lib/libcrypto/asn1/x_name.c19
-rw-r--r--src/lib/libcrypto/asn1/x_pubkey.c50
-rw-r--r--src/lib/libcrypto/bf/bf_skey.c3
-rw-r--r--src/lib/libcrypto/bf/blowfish.h5
-rw-r--r--src/lib/libcrypto/bio/b_print.c2
-rw-r--r--src/lib/libcrypto/bio/bio.h1
-rw-r--r--src/lib/libcrypto/bio/bss_file.c16
-rw-r--r--src/lib/libcrypto/bn/asm/ia64.S217
-rw-r--r--src/lib/libcrypto/bn/asm/ppc.pl2081
-rw-r--r--src/lib/libcrypto/bn/asm/x86_64-gcc.c54
-rw-r--r--src/lib/libcrypto/bn/bn_mont.c2
-rw-r--r--src/lib/libcrypto/cast/c_skey.c4
-rw-r--r--src/lib/libcrypto/cast/cast.h5
-rw-r--r--src/lib/libcrypto/comp/c_zlib.c13
-rw-r--r--src/lib/libcrypto/conf/conf_def.c5
-rw-r--r--src/lib/libcrypto/cryptlib.c130
-rw-r--r--src/lib/libcrypto/crypto.h61
-rw-r--r--src/lib/libcrypto/des/cfb64ede.c112
-rw-r--r--src/lib/libcrypto/des/des.h6
-rw-r--r--src/lib/libcrypto/des/des_enc.c8
-rw-r--r--src/lib/libcrypto/des/ecb3_enc.c4
-rw-r--r--src/lib/libcrypto/des/set_key.c4
-rw-r--r--src/lib/libcrypto/dh/dh_check.c4
-rw-r--r--src/lib/libcrypto/dh/dh_err.c2
-rw-r--r--src/lib/libcrypto/dh/dh_gen.c6
-rw-r--r--src/lib/libcrypto/dh/dh_key.c4
-rw-r--r--src/lib/libcrypto/doc/ERR_error_string.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_EncryptInit.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_SealInit.pod5
-rw-r--r--src/lib/libcrypto/doc/EVP_SignInit.pod9
-rw-r--r--src/lib/libcrypto/doc/RSA_public_encrypt.pod7
-rw-r--r--src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod6
-rw-r--r--src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod6
-rw-r--r--src/lib/libcrypto/doc/X509_NAME_print_ex.pod4
-rw-r--r--src/lib/libcrypto/dsa/dsa.h4
-rw-r--r--src/lib/libcrypto/dsa/dsa_gen.c45
-rw-r--r--src/lib/libcrypto/dsa/dsa_key.c2
-rw-r--r--src/lib/libcrypto/dsa/dsa_ossl.c2
-rw-r--r--src/lib/libcrypto/dsa/dsa_sign.c12
-rw-r--r--src/lib/libcrypto/dsa/dsa_vrf.c8
-rw-r--r--src/lib/libcrypto/err/err.c2
-rw-r--r--src/lib/libcrypto/err/err.h3
-rw-r--r--src/lib/libcrypto/err/err_all.c4
-rw-r--r--src/lib/libcrypto/err/openssl.ec1
-rw-r--r--src/lib/libcrypto/evp/bio_md.c19
-rw-r--r--src/lib/libcrypto/evp/digest.c45
-rw-r--r--src/lib/libcrypto/evp/e_aes.c32
-rw-r--r--src/lib/libcrypto/evp/e_des.c43
-rw-r--r--src/lib/libcrypto/evp/e_des3.c51
-rw-r--r--src/lib/libcrypto/evp/e_null.c2
-rw-r--r--src/lib/libcrypto/evp/e_old.c108
-rw-r--r--src/lib/libcrypto/evp/e_rc4.c1
-rw-r--r--src/lib/libcrypto/evp/evp.h70
-rw-r--r--src/lib/libcrypto/evp/evp_enc.c61
-rw-r--r--src/lib/libcrypto/evp/evp_err.c9
-rw-r--r--src/lib/libcrypto/evp/evp_lib.c28
-rw-r--r--src/lib/libcrypto/evp/evp_locl.h29
-rw-r--r--src/lib/libcrypto/evp/evp_pkey.c124
-rw-r--r--src/lib/libcrypto/evp/m_dss.c2
-rw-r--r--src/lib/libcrypto/evp/m_md4.c1
-rw-r--r--src/lib/libcrypto/evp/m_md5.c1
-rw-r--r--src/lib/libcrypto/evp/m_sha1.c2
-rw-r--r--src/lib/libcrypto/evp/names.c3
-rw-r--r--src/lib/libcrypto/hmac/hmac.c16
-rw-r--r--src/lib/libcrypto/hmac/hmac.h1
-rw-r--r--src/lib/libcrypto/idea/idea.h4
-rw-r--r--src/lib/libcrypto/md32_common.h14
-rw-r--r--src/lib/libcrypto/md4/md4.h3
-rw-r--r--src/lib/libcrypto/md4/md4_dgst.c2
-rw-r--r--src/lib/libcrypto/md5/md5.h3
-rw-r--r--src/lib/libcrypto/md5/md5_dgst.c2
-rw-r--r--src/lib/libcrypto/o_str.c96
-rw-r--r--src/lib/libcrypto/o_time.c21
-rw-r--r--src/lib/libcrypto/objects/o_names.c7
-rw-r--r--src/lib/libcrypto/objects/obj_dat.c12
-rw-r--r--src/lib/libcrypto/objects/obj_err.c4
-rw-r--r--src/lib/libcrypto/objects/obj_mac.num18
-rw-r--r--src/lib/libcrypto/objects/objects.h2
-rw-r--r--src/lib/libcrypto/objects/objects.txt22
-rw-r--r--src/lib/libcrypto/opensslv.h8
-rw-r--r--src/lib/libcrypto/pem/pem_all.c119
-rw-r--r--src/lib/libcrypto/pem/pem_lib.c15
-rw-r--r--src/lib/libcrypto/pem/pem_pkey.c1
-rw-r--r--src/lib/libcrypto/perlasm/x86asm.pl2
-rw-r--r--src/lib/libcrypto/pkcs12/p12_crpt.c6
-rw-r--r--src/lib/libcrypto/pkcs12/p12_init.c12
-rw-r--r--src/lib/libcrypto/pkcs12/p12_kiss.c18
-rw-r--r--src/lib/libcrypto/pkcs12/p12_mutl.c5
-rw-r--r--src/lib/libcrypto/pkcs7/pk7_attr.c9
-rw-r--r--src/lib/libcrypto/pkcs7/pk7_doit.c55
-rw-r--r--src/lib/libcrypto/pkcs7/pk7_lib.c44
-rw-r--r--src/lib/libcrypto/pkcs7/pk7_smime.c46
-rw-r--r--src/lib/libcrypto/rand/rand.h10
-rw-r--r--src/lib/libcrypto/rand/rand_err.c8
-rw-r--r--src/lib/libcrypto/rand/rand_lib.c12
-rw-r--r--src/lib/libcrypto/rand/randfile.c2
-rw-r--r--src/lib/libcrypto/rc2/rc2.h5
-rw-r--r--src/lib/libcrypto/rc2/rc2_skey.c13
-rw-r--r--src/lib/libcrypto/rc4/asm/rc4-586.pl114
-rw-r--r--src/lib/libcrypto/rc4/rc4.h7
-rw-r--r--src/lib/libcrypto/rc4/rc4_enc.c4
-rw-r--r--src/lib/libcrypto/rc4/rc4_locl.h1
-rw-r--r--src/lib/libcrypto/rc4/rc4_skey.c8
-rw-r--r--src/lib/libcrypto/ripemd/ripemd.h3
-rw-r--r--src/lib/libcrypto/ripemd/rmd_dgst.c3
-rw-r--r--src/lib/libcrypto/rsa/rsa.h4
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c2
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c3
-rw-r--r--src/lib/libcrypto/rsa/rsa_saos.c7
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c9
-rw-r--r--src/lib/libcrypto/sha/asm/sha1-586.pl2
-rw-r--r--src/lib/libcrypto/sha/asm/sha1-ia64.pl549
-rw-r--r--src/lib/libcrypto/sha/sha.h7
-rw-r--r--src/lib/libcrypto/sha/sha1dgst.c8
-rw-r--r--src/lib/libcrypto/sha/sha_locl.h9
-rw-r--r--src/lib/libcrypto/stack/safestack.h59
-rw-r--r--src/lib/libcrypto/stack/stack.c14
-rw-r--r--src/lib/libcrypto/stack/stack.h1
-rw-r--r--src/lib/libcrypto/util/mkerr.pl7
-rw-r--r--src/lib/libcrypto/util/mkstack.pl1
-rw-r--r--src/lib/libcrypto/x509/by_file.c4
-rw-r--r--src/lib/libcrypto/x509/x509.h11
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c48
-rw-r--r--src/lib/libcrypto/x509/x509_r2x.c6
-rw-r--r--src/lib/libcrypto/x509/x509_req.c35
-rw-r--r--src/lib/libcrypto/x509/x509_txt.c13
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c131
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h8
-rw-r--r--src/lib/libcrypto/x509/x509cset.c1
-rw-r--r--src/lib/libcrypto/x509/x509name.c10
-rw-r--r--src/lib/libcrypto/x509/x_all.c1
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h11
-rw-r--r--src/lib/libcrypto/x509v3/v3_bitst.c7
-rw-r--r--src/lib/libcrypto/x509v3/v3_ia5.c5
-rw-r--r--src/lib/libcrypto/x509v3/v3_int.c19
-rw-r--r--src/lib/libcrypto/x509v3/v3_pci.c313
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcia.c55
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c75
-rw-r--r--src/lib/libcrypto/x509v3/v3err.c14
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h31
-rw-r--r--src/lib/libssl/doc/openssl.cnf57
-rw-r--r--src/lib/libssl/doc/standards.txt4
-rw-r--r--src/lib/libssl/s23_clnt.c23
-rw-r--r--src/lib/libssl/s23_lib.c2
-rw-r--r--src/lib/libssl/s23_srvr.c9
-rw-r--r--src/lib/libssl/s3_clnt.c7
-rw-r--r--src/lib/libssl/s3_lib.c74
-rw-r--r--src/lib/libssl/s3_pkt.c12
-rw-r--r--src/lib/libssl/s3_srvr.c17
-rw-r--r--src/lib/libssl/ssl.h118
-rw-r--r--src/lib/libssl/ssl_asn1.c8
-rw-r--r--src/lib/libssl/ssl_cert.c104
-rw-r--r--src/lib/libssl/ssl_ciph.c21
-rw-r--r--src/lib/libssl/ssl_err.c4
-rw-r--r--src/lib/libssl/ssl_lib.c103
-rw-r--r--src/lib/libssl/ssl_locl.h12
-rw-r--r--src/lib/libssl/ssl_rsa.c2
-rw-r--r--src/lib/libssl/ssl_sess.c13
-rw-r--r--src/lib/libssl/ssl_txt.c4
-rw-r--r--src/lib/libssl/t1_enc.c4
-rw-r--r--src/lib/libssl/test/CAss.cnf8
-rw-r--r--src/lib/libssl/test/P1ss.cnf37
-rw-r--r--src/lib/libssl/test/P2ss.cnf45
-rw-r--r--src/lib/libssl/test/Uss.cnf8
-rw-r--r--src/lib/libssl/test/bctest2
-rw-r--r--src/lib/libssl/test/tcrl2
-rw-r--r--src/lib/libssl/test/testca3
-rw-r--r--src/lib/libssl/test/testenc20
-rw-r--r--src/lib/libssl/test/testgen6
-rw-r--r--src/lib/libssl/test/testss86
-rw-r--r--src/lib/libssl/test/testssl14
-rw-r--r--src/lib/libssl/test/testsslproxy10
-rw-r--r--src/lib/libssl/test/tpkcs72
-rw-r--r--src/lib/libssl/test/tpkcs7d2
-rw-r--r--src/lib/libssl/test/treq2
-rw-r--r--src/lib/libssl/test/trsa4
-rw-r--r--src/lib/libssl/test/tsid2
-rw-r--r--src/lib/libssl/test/tx5092
201 files changed, 6124 insertions, 892 deletions
diff --git a/src/lib/libcrypto/aes/aes.h b/src/lib/libcrypto/aes/aes.h
index da067f4a8f..8a3ea0b883 100644
--- a/src/lib/libcrypto/aes/aes.h
+++ b/src/lib/libcrypto/aes/aes.h
@@ -52,6 +52,8 @@
52#ifndef HEADER_AES_H 52#ifndef HEADER_AES_H
53#define HEADER_AES_H 53#define HEADER_AES_H
54 54
55#include <openssl/e_os2.h>
56
55#ifdef OPENSSL_NO_AES 57#ifdef OPENSSL_NO_AES
56#error AES is disabled. 58#error AES is disabled.
57#endif 59#endif
@@ -64,6 +66,10 @@
64#define AES_MAXNR 14 66#define AES_MAXNR 14
65#define AES_BLOCK_SIZE 16 67#define AES_BLOCK_SIZE 16
66 68
69#if defined(OPENSSL_FIPS)
70#define FIPS_AES_SIZE_T int
71#endif
72
67#ifdef __cplusplus 73#ifdef __cplusplus
68extern "C" { 74extern "C" {
69#endif 75#endif
@@ -95,6 +101,15 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
95void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, 101void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
96 const unsigned long length, const AES_KEY *key, 102 const unsigned long length, const AES_KEY *key,
97 unsigned char *ivec, int *num, const int enc); 103 unsigned char *ivec, int *num, const int enc);
104void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
105 const unsigned long length, const AES_KEY *key,
106 unsigned char *ivec, int *num, const int enc);
107void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
108 const unsigned long length, const AES_KEY *key,
109 unsigned char *ivec, int *num, const int enc);
110void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
111 const int nbits,const AES_KEY *key,
112 unsigned char *ivec,const int enc);
98void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, 113void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
99 const unsigned long length, const AES_KEY *key, 114 const unsigned long length, const AES_KEY *key,
100 unsigned char *ivec, int *num); 115 unsigned char *ivec, int *num);
diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c
index 1222a21002..d2ba6bcdb4 100644
--- a/src/lib/libcrypto/aes/aes_cbc.c
+++ b/src/lib/libcrypto/aes/aes_cbc.c
@@ -66,6 +66,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
66 unsigned long n; 66 unsigned long n;
67 unsigned long len = length; 67 unsigned long len = length;
68 unsigned char tmp[AES_BLOCK_SIZE]; 68 unsigned char tmp[AES_BLOCK_SIZE];
69 const unsigned char *iv = ivec;
69 70
70 assert(in && out && key && ivec); 71 assert(in && out && key && ivec);
71 assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc)); 72 assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
@@ -73,22 +74,39 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
73 if (AES_ENCRYPT == enc) { 74 if (AES_ENCRYPT == enc) {
74 while (len >= AES_BLOCK_SIZE) { 75 while (len >= AES_BLOCK_SIZE) {
75 for(n=0; n < AES_BLOCK_SIZE; ++n) 76 for(n=0; n < AES_BLOCK_SIZE; ++n)
76 tmp[n] = in[n] ^ ivec[n]; 77 out[n] = in[n] ^ iv[n];
77 AES_encrypt(tmp, out, key); 78 AES_encrypt(out, out, key);
78 memcpy(ivec, out, AES_BLOCK_SIZE); 79 iv = out;
79 len -= AES_BLOCK_SIZE; 80 len -= AES_BLOCK_SIZE;
80 in += AES_BLOCK_SIZE; 81 in += AES_BLOCK_SIZE;
81 out += AES_BLOCK_SIZE; 82 out += AES_BLOCK_SIZE;
82 } 83 }
83 if (len) { 84 if (len) {
84 for(n=0; n < len; ++n) 85 for(n=0; n < len; ++n)
85 tmp[n] = in[n] ^ ivec[n]; 86 out[n] = in[n] ^ iv[n];
86 for(n=len; n < AES_BLOCK_SIZE; ++n) 87 for(n=len; n < AES_BLOCK_SIZE; ++n)
87 tmp[n] = ivec[n]; 88 out[n] = iv[n];
88 AES_encrypt(tmp, tmp, key); 89 AES_encrypt(out, out, key);
89 memcpy(out, tmp, AES_BLOCK_SIZE); 90 iv = out;
90 memcpy(ivec, tmp, AES_BLOCK_SIZE); 91 }
91 } 92 memcpy(ivec,iv,AES_BLOCK_SIZE);
93 } else if (in != out) {
94 while (len >= AES_BLOCK_SIZE) {
95 AES_decrypt(in, out, key);
96 for(n=0; n < AES_BLOCK_SIZE; ++n)
97 out[n] ^= iv[n];
98 iv = in;
99 len -= AES_BLOCK_SIZE;
100 in += AES_BLOCK_SIZE;
101 out += AES_BLOCK_SIZE;
102 }
103 if (len) {
104 AES_decrypt(in,tmp,key);
105 for(n=0; n < len; ++n)
106 out[n] = tmp[n] ^ iv[n];
107 iv = in;
108 }
109 memcpy(ivec,iv,AES_BLOCK_SIZE);
92 } else { 110 } else {
93 while (len >= AES_BLOCK_SIZE) { 111 while (len >= AES_BLOCK_SIZE) {
94 memcpy(tmp, in, AES_BLOCK_SIZE); 112 memcpy(tmp, in, AES_BLOCK_SIZE);
@@ -102,10 +120,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
102 } 120 }
103 if (len) { 121 if (len) {
104 memcpy(tmp, in, AES_BLOCK_SIZE); 122 memcpy(tmp, in, AES_BLOCK_SIZE);
105 AES_decrypt(tmp, tmp, key); 123 AES_decrypt(tmp, out, key);
106 for(n=0; n < len; ++n) 124 for(n=0; n < len; ++n)
107 out[n] = tmp[n] ^ ivec[n]; 125 out[n] ^= ivec[n];
126 for(n=len; n < AES_BLOCK_SIZE; ++n)
127 out[n] = tmp[n];
108 memcpy(ivec, tmp, AES_BLOCK_SIZE); 128 memcpy(ivec, tmp, AES_BLOCK_SIZE);
109 } 129 }
110 } 130 }
111} 131}
diff --git a/src/lib/libcrypto/aes/aes_cfb.c b/src/lib/libcrypto/aes/aes_cfb.c
index 9b569dda90..49f0411010 100644
--- a/src/lib/libcrypto/aes/aes_cfb.c
+++ b/src/lib/libcrypto/aes/aes_cfb.c
@@ -114,6 +114,7 @@
114 114
115#include <openssl/aes.h> 115#include <openssl/aes.h>
116#include "aes_locl.h" 116#include "aes_locl.h"
117#include "e_os.h"
117 118
118/* The input and output encrypted as though 128bit cfb mode is being 119/* The input and output encrypted as though 128bit cfb mode is being
119 * used. The extra state information to record how much of the 120 * used. The extra state information to record how much of the
@@ -155,3 +156,70 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
155 *num=n; 156 *num=n;
156} 157}
157 158
159/* This expects a single block of size nbits for both in and out. Note that
160 it corrupts any extra bits in the last byte of out */
161void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
162 const int nbits,const AES_KEY *key,
163 unsigned char *ivec,const int enc)
164 {
165 int n,rem,num;
166 unsigned char ovec[AES_BLOCK_SIZE*2];
167
168 if (nbits<=0 || nbits>128) return;
169
170 /* fill in the first half of the new IV with the current IV */
171 memcpy(ovec,ivec,AES_BLOCK_SIZE);
172 /* construct the new IV */
173 AES_encrypt(ivec,ivec,key);
174 num = (nbits+7)/8;
175 if (enc) /* encrypt the input */
176 for(n=0 ; n < num ; ++n)
177 out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n] ^ ivec[n]);
178 else /* decrypt the input */
179 for(n=0 ; n < num ; ++n)
180 out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n]) ^ ivec[n];
181 /* shift ovec left... */
182 rem = nbits%8;
183 num = nbits/8;
184 if(rem==0)
185 memcpy(ivec,ovec+num,AES_BLOCK_SIZE);
186 else
187 for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
188 ivec[n] = ovec[n+num]<<rem | ovec[n+num+1]>>(8-rem);
189
190 /* it is not necessary to cleanse ovec, since the IV is not secret */
191 }
192
193/* N.B. This expects the input to be packed, MS bit first */
194void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
195 const unsigned long length, const AES_KEY *key,
196 unsigned char *ivec, int *num, const int enc)
197 {
198 unsigned int n;
199 unsigned char c[1],d[1];
200
201 assert(in && out && key && ivec && num);
202 assert(*num == 0);
203
204 memset(out,0,(length+7)/8);
205 for(n=0 ; n < length ; ++n)
206 {
207 c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
208 AES_cfbr_encrypt_block(c,d,1,key,ivec,enc);
209 out[n/8]=(out[n/8]&~(1 << (7-n%8)))|((d[0]&0x80) >> (n%8));
210 }
211 }
212
213void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
214 const unsigned long length, const AES_KEY *key,
215 unsigned char *ivec, int *num, const int enc)
216 {
217 unsigned int n;
218
219 assert(in && out && key && ivec && num);
220 assert(*num == 0);
221
222 for(n=0 ; n < length ; ++n)
223 AES_cfbr_encrypt_block(&in[n],&out[n],8,key,ivec,enc);
224 }
225
diff --git a/src/lib/libcrypto/aes/aes_core.c b/src/lib/libcrypto/aes/aes_core.c
index 2f41a825f8..ed566a8123 100644
--- a/src/lib/libcrypto/aes/aes_core.c
+++ b/src/lib/libcrypto/aes/aes_core.c
@@ -37,8 +37,11 @@
37 37
38#include <stdlib.h> 38#include <stdlib.h>
39#include <openssl/aes.h> 39#include <openssl/aes.h>
40#include <openssl/fips.h>
40#include "aes_locl.h" 41#include "aes_locl.h"
41 42
43#ifndef OPENSSL_FIPS
44
42/* 45/*
43Te0[x] = S [x].[02, 01, 01, 03]; 46Te0[x] = S [x].[02, 01, 01, 03];
44Te1[x] = S [x].[03, 02, 01, 01]; 47Te1[x] = S [x].[03, 02, 01, 01];
@@ -1255,3 +1258,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
1255 PUTU32(out + 12, s3); 1258 PUTU32(out + 12, s3);
1256} 1259}
1257 1260
1261#endif /* ndef OPENSSL_FIPS */
diff --git a/src/lib/libcrypto/aes/aes_ctr.c b/src/lib/libcrypto/aes/aes_ctr.c
index 79e1c18f19..f36982be1e 100644
--- a/src/lib/libcrypto/aes/aes_ctr.c
+++ b/src/lib/libcrypto/aes/aes_ctr.c
@@ -59,7 +59,7 @@
59#include <openssl/aes.h> 59#include <openssl/aes.h>
60#include "aes_locl.h" 60#include "aes_locl.h"
61 61
62/* NOTE: CTR mode is big-endian. The rest of the AES code 62/* NOTE: the IV/counter CTR mode is big-endian. The rest of the AES code
63 * is endian-neutral. */ 63 * is endian-neutral. */
64 64
65/* increment counter (128-bit int) by 1 */ 65/* increment counter (128-bit int) by 1 */
@@ -67,61 +67,36 @@ static void AES_ctr128_inc(unsigned char *counter) {
67 unsigned long c; 67 unsigned long c;
68 68
69 /* Grab bottom dword of counter and increment */ 69 /* Grab bottom dword of counter and increment */
70#ifdef L_ENDIAN
71 c = GETU32(counter + 0);
72 c++;
73 PUTU32(counter + 0, c);
74#else
75 c = GETU32(counter + 12); 70 c = GETU32(counter + 12);
76 c++; 71 c++; c &= 0xFFFFFFFF;
77 PUTU32(counter + 12, c); 72 PUTU32(counter + 12, c);
78#endif
79 73
80 /* if no overflow, we're done */ 74 /* if no overflow, we're done */
81 if (c) 75 if (c)
82 return; 76 return;
83 77
84 /* Grab 1st dword of counter and increment */ 78 /* Grab 1st dword of counter and increment */
85#ifdef L_ENDIAN
86 c = GETU32(counter + 4);
87 c++;
88 PUTU32(counter + 4, c);
89#else
90 c = GETU32(counter + 8); 79 c = GETU32(counter + 8);
91 c++; 80 c++; c &= 0xFFFFFFFF;
92 PUTU32(counter + 8, c); 81 PUTU32(counter + 8, c);
93#endif
94 82
95 /* if no overflow, we're done */ 83 /* if no overflow, we're done */
96 if (c) 84 if (c)
97 return; 85 return;
98 86
99 /* Grab 2nd dword of counter and increment */ 87 /* Grab 2nd dword of counter and increment */
100#ifdef L_ENDIAN
101 c = GETU32(counter + 8);
102 c++;
103 PUTU32(counter + 8, c);
104#else
105 c = GETU32(counter + 4); 88 c = GETU32(counter + 4);
106 c++; 89 c++; c &= 0xFFFFFFFF;
107 PUTU32(counter + 4, c); 90 PUTU32(counter + 4, c);
108#endif
109 91
110 /* if no overflow, we're done */ 92 /* if no overflow, we're done */
111 if (c) 93 if (c)
112 return; 94 return;
113 95
114 /* Grab top dword of counter and increment */ 96 /* Grab top dword of counter and increment */
115#ifdef L_ENDIAN
116 c = GETU32(counter + 12);
117 c++;
118 PUTU32(counter + 12, c);
119#else
120 c = GETU32(counter + 0); 97 c = GETU32(counter + 0);
121 c++; 98 c++; c &= 0xFFFFFFFF;
122 PUTU32(counter + 0, c); 99 PUTU32(counter + 0, c);
123#endif
124
125} 100}
126 101
127/* The input encrypted as though 128bit counter mode is being 102/* The input encrypted as though 128bit counter mode is being
diff --git a/src/lib/libcrypto/aes/aes_locl.h b/src/lib/libcrypto/aes/aes_locl.h
index f290946058..4184729e34 100644
--- a/src/lib/libcrypto/aes/aes_locl.h
+++ b/src/lib/libcrypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
62#include <stdlib.h> 62#include <stdlib.h>
63#include <string.h> 63#include <string.h>
64 64
65#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE) 65#if defined(_MSC_VER) && !defined(_M_IA64) && !defined(OPENSSL_SYS_WINCE)
66# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00) 66# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
67# define GETU32(p) SWAP(*((u32 *)(p))) 67# define GETU32(p) SWAP(*((u32 *)(p)))
68# define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); } 68# define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index f4ea96cd54..b81bf4fc81 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -194,8 +194,12 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
194 c=(unsigned char *)OPENSSL_realloc_clean(a->data, 194 c=(unsigned char *)OPENSSL_realloc_clean(a->data,
195 a->length, 195 a->length,
196 w+1); 196 w+1);
197 if (c == NULL) return(0); 197 if (c == NULL)
198 if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length); 198 {
199 ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT,ERR_R_MALLOC_FAILURE);
200 return 0;
201 }
202 if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
199 a->data=c; 203 a->data=c;
200 a->length=w+1; 204 a->length=w+1;
201 } 205 }
diff --git a/src/lib/libcrypto/asn1/a_digest.c b/src/lib/libcrypto/asn1/a_digest.c
index 4931e222a0..7182e9fa5d 100644
--- a/src/lib/libcrypto/asn1/a_digest.c
+++ b/src/lib/libcrypto/asn1/a_digest.c
@@ -65,6 +65,7 @@
65# include <sys/types.h> 65# include <sys/types.h>
66#endif 66#endif
67 67
68#include <openssl/err.h>
68#include <openssl/evp.h> 69#include <openssl/evp.h>
69#include <openssl/buffer.h> 70#include <openssl/buffer.h>
70#include <openssl/x509.h> 71#include <openssl/x509.h>
@@ -78,7 +79,11 @@ int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
78 unsigned char *str,*p; 79 unsigned char *str,*p;
79 80
80 i=i2d(data,NULL); 81 i=i2d(data,NULL);
81 if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) return(0); 82 if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL)
83 {
84 ASN1err(ASN1_F_ASN1_DIGEST,ERR_R_MALLOC_FAILURE);
85 return(0);
86 }
82 p=str; 87 p=str;
83 i2d(data,&p); 88 i2d(data,&p);
84 89
diff --git a/src/lib/libcrypto/asn1/a_enum.c b/src/lib/libcrypto/asn1/a_enum.c
index ad8f0ffd1a..03ede68d1c 100644
--- a/src/lib/libcrypto/asn1/a_enum.c
+++ b/src/lib/libcrypto/asn1/a_enum.c
@@ -156,7 +156,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
156 unsigned char *new_data=OPENSSL_realloc(ret->data, len+4); 156 unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
157 if (!new_data) 157 if (!new_data)
158 { 158 {
159 ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE); 159 ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
160 goto err; 160 goto err;
161 } 161 }
162 ret->data=new_data; 162 ret->data=new_data;
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index edb243c021..21cc64bb23 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -64,7 +64,26 @@ ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
64{ return M_ASN1_INTEGER_dup(x);} 64{ return M_ASN1_INTEGER_dup(x);}
65 65
66int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y) 66int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
67{ return M_ASN1_INTEGER_cmp(x,y);} 67 {
68 int neg, ret;
69 /* Compare signs */
70 neg = x->type & V_ASN1_NEG;
71 if (neg != (y->type & V_ASN1_NEG))
72 {
73 if (neg)
74 return -1;
75 else
76 return 1;
77 }
78
79 ret = ASN1_STRING_cmp(x, y);
80
81 if (neg)
82 return -ret;
83 else
84 return ret;
85 }
86
68 87
69/* 88/*
70 * This converts an ASN1 INTEGER into its content encoding. 89 * This converts an ASN1 INTEGER into its content encoding.
diff --git a/src/lib/libcrypto/asn1/a_print.c b/src/lib/libcrypto/asn1/a_print.c
index 8035513f04..d18e772320 100644
--- a/src/lib/libcrypto/asn1/a_print.c
+++ b/src/lib/libcrypto/asn1/a_print.c
@@ -60,7 +60,7 @@
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/asn1.h> 61#include <openssl/asn1.h>
62 62
63int ASN1_PRINTABLE_type(unsigned char *s, int len) 63int ASN1_PRINTABLE_type(const unsigned char *s, int len)
64 { 64 {
65 int c; 65 int c;
66 int ia5=0; 66 int ia5=0;
diff --git a/src/lib/libcrypto/asn1/a_set.c b/src/lib/libcrypto/asn1/a_set.c
index 0f839822ff..e24061c545 100644
--- a/src/lib/libcrypto/asn1/a_set.c
+++ b/src/lib/libcrypto/asn1/a_set.c
@@ -118,8 +118,13 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
118 } 118 }
119 119
120 pStart = p; /* Catch the beg of Setblobs*/ 120 pStart = p; /* Catch the beg of Setblobs*/
121 if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array 121 /* In this array we will store the SET blobs */
122we will store the SET blobs */ 122 rgSetBlob = (MYBLOB *)OPENSSL_malloc(sk_num(a) * sizeof(MYBLOB));
123 if (rgSetBlob == NULL)
124 {
125 ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
126 return(0);
127 }
123 128
124 for (i=0; i<sk_num(a); i++) 129 for (i=0; i<sk_num(a); i++)
125 { 130 {
@@ -135,7 +140,11 @@ SetBlob
135 /* Now we have to sort the blobs. I am using a simple algo. 140 /* Now we have to sort the blobs. I am using a simple algo.
136 *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/ 141 *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
137 qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp); 142 qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
138 if (!(pTempMem = OPENSSL_malloc(totSize))) return 0; 143 if (!(pTempMem = OPENSSL_malloc(totSize)))
144 {
145 ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
146 return(0);
147 }
139 148
140/* Copy to temp mem */ 149/* Copy to temp mem */
141 p = pTempMem; 150 p = pTempMem;
@@ -160,7 +169,13 @@ STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
160 STACK *ret=NULL; 169 STACK *ret=NULL;
161 170
162 if ((a == NULL) || ((*a) == NULL)) 171 if ((a == NULL) || ((*a) == NULL))
163 { if ((ret=sk_new_null()) == NULL) goto err; } 172 {
173 if ((ret=sk_new_null()) == NULL)
174 {
175 ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
176 goto err;
177 }
178 }
164 else 179 else
165 ret=(*a); 180 ret=(*a);
166 181
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index bde666a6ff..a07122ba47 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -3,7 +3,7 @@
3 * project 2000. 3 * project 2000.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -553,7 +553,12 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
553 if((type < 0) || (type > 30)) return -1; 553 if((type < 0) || (type > 30)) return -1;
554 mbflag = tag2nbyte[type]; 554 mbflag = tag2nbyte[type];
555 if(mbflag == -1) return -1; 555 if(mbflag == -1) return -1;
556 mbflag |= MBSTRING_FLAG; 556 if (mbflag == 0)
557 mbflag = MBSTRING_UTF8;
558 else if (mbflag == 4)
559 mbflag = MBSTRING_UNIV;
560 else
561 mbflag |= MBSTRING_FLAG;
557 stmp.data = NULL; 562 stmp.data = NULL;
558 ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); 563 ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
559 if(ret < 0) return ret; 564 if(ret < 0) return ret;
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c
index fe3fcd40b0..2292d49b93 100644
--- a/src/lib/libcrypto/asn1/a_type.c
+++ b/src/lib/libcrypto/asn1/a_type.c
@@ -71,7 +71,10 @@ int ASN1_TYPE_get(ASN1_TYPE *a)
71void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value) 71void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
72 { 72 {
73 if (a->value.ptr != NULL) 73 if (a->value.ptr != NULL)
74 ASN1_primitive_free((ASN1_VALUE **)&a, NULL); 74 {
75 ASN1_TYPE **tmp_a = &a;
76 ASN1_primitive_free((ASN1_VALUE **)tmp_a, NULL);
77 }
75 a->type=type; 78 a->type=type;
76 a->value.ptr=value; 79 a->value.ptr=value;
77 } 80 }
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index da2a0a6d69..18ef0acf00 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -142,6 +142,13 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
142 goto err; 142 goto err;
143 } 143 }
144 144
145 if (!EVP_VerifyInit_ex(&ctx,type, NULL))
146 {
147 ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
148 ret=0;
149 goto err;
150 }
151
145 inl = ASN1_item_i2d(asn, &buf_in, it); 152 inl = ASN1_item_i2d(asn, &buf_in, it);
146 153
147 if (buf_in == NULL) 154 if (buf_in == NULL)
@@ -150,7 +157,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
150 goto err; 157 goto err;
151 } 158 }
152 159
153 EVP_VerifyInit_ex(&ctx,type, NULL);
154 EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl); 160 EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
155 161
156 OPENSSL_cleanse(buf_in,(unsigned int)inl); 162 OPENSSL_cleanse(buf_in,(unsigned int)inl);
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index 3414509f1b..ceaeb4cbe3 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -829,7 +829,7 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn);
829 829
830/* General */ 830/* General */
831/* given a string, return the correct type, max is the maximum length */ 831/* given a string, return the correct type, max is the maximum length */
832int ASN1_PRINTABLE_type(unsigned char *s, int max); 832int ASN1_PRINTABLE_type(const unsigned char *s, int max);
833 833
834int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass); 834int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass);
835ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, 835ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp,
@@ -950,16 +950,19 @@ void ERR_load_ASN1_strings(void);
950#define ASN1_F_A2I_ASN1_ENUMERATED 101 950#define ASN1_F_A2I_ASN1_ENUMERATED 101
951#define ASN1_F_A2I_ASN1_INTEGER 102 951#define ASN1_F_A2I_ASN1_INTEGER 102
952#define ASN1_F_A2I_ASN1_STRING 103 952#define ASN1_F_A2I_ASN1_STRING 103
953#define ASN1_F_ASN1_BIT_STRING_SET_BIT 176
953#define ASN1_F_ASN1_CHECK_TLEN 104 954#define ASN1_F_ASN1_CHECK_TLEN 104
954#define ASN1_F_ASN1_COLLATE_PRIMITIVE 105 955#define ASN1_F_ASN1_COLLATE_PRIMITIVE 105
955#define ASN1_F_ASN1_COLLECT 106 956#define ASN1_F_ASN1_COLLECT 106
956#define ASN1_F_ASN1_D2I_BIO 107 957#define ASN1_F_ASN1_D2I_BIO 107
957#define ASN1_F_ASN1_D2I_EX_PRIMITIVE 108 958#define ASN1_F_ASN1_D2I_EX_PRIMITIVE 108
958#define ASN1_F_ASN1_D2I_FP 109 959#define ASN1_F_ASN1_D2I_FP 109
960#define ASN1_F_ASN1_DIGEST 177
959#define ASN1_F_ASN1_DO_ADB 110 961#define ASN1_F_ASN1_DO_ADB 110
960#define ASN1_F_ASN1_DUP 111 962#define ASN1_F_ASN1_DUP 111
961#define ASN1_F_ASN1_ENUMERATED_SET 112 963#define ASN1_F_ASN1_ENUMERATED_SET 112
962#define ASN1_F_ASN1_ENUMERATED_TO_BN 113 964#define ASN1_F_ASN1_ENUMERATED_TO_BN 113
965#define ASN1_F_ASN1_GENERALIZEDTIME_SET 178
963#define ASN1_F_ASN1_GET_OBJECT 114 966#define ASN1_F_ASN1_GET_OBJECT 114
964#define ASN1_F_ASN1_HEADER_NEW 115 967#define ASN1_F_ASN1_HEADER_NEW 115
965#define ASN1_F_ASN1_I2D_BIO 116 968#define ASN1_F_ASN1_I2D_BIO 116
@@ -975,6 +978,7 @@ void ERR_load_ASN1_strings(void);
975#define ASN1_F_ASN1_SEQ_PACK 126 978#define ASN1_F_ASN1_SEQ_PACK 126
976#define ASN1_F_ASN1_SEQ_UNPACK 127 979#define ASN1_F_ASN1_SEQ_UNPACK 127
977#define ASN1_F_ASN1_SIGN 128 980#define ASN1_F_ASN1_SIGN 128
981#define ASN1_F_ASN1_STRING_SET 179
978#define ASN1_F_ASN1_STRING_TABLE_ADD 129 982#define ASN1_F_ASN1_STRING_TABLE_ADD 129
979#define ASN1_F_ASN1_STRING_TYPE_NEW 130 983#define ASN1_F_ASN1_STRING_TYPE_NEW 130
980#define ASN1_F_ASN1_TEMPLATE_D2I 131 984#define ASN1_F_ASN1_TEMPLATE_D2I 131
@@ -984,6 +988,7 @@ void ERR_load_ASN1_strings(void);
984#define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING 134 988#define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING 134
985#define ASN1_F_ASN1_TYPE_GET_OCTETSTRING 135 989#define ASN1_F_ASN1_TYPE_GET_OCTETSTRING 135
986#define ASN1_F_ASN1_UNPACK_STRING 136 990#define ASN1_F_ASN1_UNPACK_STRING 136
991#define ASN1_F_ASN1_UTCTIME_SET 180
987#define ASN1_F_ASN1_VERIFY 137 992#define ASN1_F_ASN1_VERIFY 137
988#define ASN1_F_BN_TO_ASN1_ENUMERATED 138 993#define ASN1_F_BN_TO_ASN1_ENUMERATED 138
989#define ASN1_F_BN_TO_ASN1_INTEGER 139 994#define ASN1_F_BN_TO_ASN1_INTEGER 139
@@ -1007,6 +1012,7 @@ void ERR_load_ASN1_strings(void);
1007#define ASN1_F_D2I_X509_CINF 157 1012#define ASN1_F_D2I_X509_CINF 157
1008#define ASN1_F_D2I_X509_NAME 158 1013#define ASN1_F_D2I_X509_NAME 158
1009#define ASN1_F_D2I_X509_PKEY 159 1014#define ASN1_F_D2I_X509_PKEY 159
1015#define ASN1_F_I2D_ASN1_SET 181
1010#define ASN1_F_I2D_ASN1_TIME 160 1016#define ASN1_F_I2D_ASN1_TIME 160
1011#define ASN1_F_I2D_DSA_PUBKEY 161 1017#define ASN1_F_I2D_DSA_PUBKEY 161
1012#define ASN1_F_I2D_NETSCAPE_RSA 162 1018#define ASN1_F_I2D_NETSCAPE_RSA 162
diff --git a/src/lib/libcrypto/asn1/asn1_err.c b/src/lib/libcrypto/asn1/asn1_err.c
index 094ec06fda..3b57c8fbae 100644
--- a/src/lib/libcrypto/asn1/asn1_err.c
+++ b/src/lib/libcrypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
1/* crypto/asn1/asn1_err.c */ 1/* crypto/asn1/asn1_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -70,16 +70,19 @@ static ERR_STRING_DATA ASN1_str_functs[]=
70{ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0), "a2i_ASN1_ENUMERATED"}, 70{ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0), "a2i_ASN1_ENUMERATED"},
71{ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0), "a2i_ASN1_INTEGER"}, 71{ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0), "a2i_ASN1_INTEGER"},
72{ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0), "a2i_ASN1_STRING"}, 72{ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0), "a2i_ASN1_STRING"},
73{ERR_PACK(0,ASN1_F_ASN1_BIT_STRING_SET_BIT,0), "ASN1_BIT_STRING_set_bit"},
73{ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0), "ASN1_CHECK_TLEN"}, 74{ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0), "ASN1_CHECK_TLEN"},
74{ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0), "ASN1_COLLATE_PRIMITIVE"}, 75{ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0), "ASN1_COLLATE_PRIMITIVE"},
75{ERR_PACK(0,ASN1_F_ASN1_COLLECT,0), "ASN1_COLLECT"}, 76{ERR_PACK(0,ASN1_F_ASN1_COLLECT,0), "ASN1_COLLECT"},
76{ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0), "ASN1_d2i_bio"}, 77{ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0), "ASN1_d2i_bio"},
77{ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0), "ASN1_D2I_EX_PRIMITIVE"}, 78{ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0), "ASN1_D2I_EX_PRIMITIVE"},
78{ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0), "ASN1_d2i_fp"}, 79{ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0), "ASN1_d2i_fp"},
80{ERR_PACK(0,ASN1_F_ASN1_DIGEST,0), "ASN1_digest"},
79{ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0), "ASN1_DO_ADB"}, 81{ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0), "ASN1_DO_ADB"},
80{ERR_PACK(0,ASN1_F_ASN1_DUP,0), "ASN1_dup"}, 82{ERR_PACK(0,ASN1_F_ASN1_DUP,0), "ASN1_dup"},
81{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0), "ASN1_ENUMERATED_set"}, 83{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0), "ASN1_ENUMERATED_set"},
82{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0), "ASN1_ENUMERATED_to_BN"}, 84{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0), "ASN1_ENUMERATED_to_BN"},
85{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_SET,0), "ASN1_GENERALIZEDTIME_set"},
83{ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0), "ASN1_get_object"}, 86{ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0), "ASN1_get_object"},
84{ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0), "ASN1_HEADER_new"}, 87{ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0), "ASN1_HEADER_new"},
85{ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0), "ASN1_i2d_bio"}, 88{ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0), "ASN1_i2d_bio"},
@@ -95,6 +98,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
95{ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0), "ASN1_seq_pack"}, 98{ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0), "ASN1_seq_pack"},
96{ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0), "ASN1_seq_unpack"}, 99{ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0), "ASN1_seq_unpack"},
97{ERR_PACK(0,ASN1_F_ASN1_SIGN,0), "ASN1_sign"}, 100{ERR_PACK(0,ASN1_F_ASN1_SIGN,0), "ASN1_sign"},
101{ERR_PACK(0,ASN1_F_ASN1_STRING_SET,0), "ASN1_STRING_set"},
98{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0), "ASN1_STRING_TABLE_add"}, 102{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0), "ASN1_STRING_TABLE_add"},
99{ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0), "ASN1_STRING_type_new"}, 103{ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0), "ASN1_STRING_type_new"},
100{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0), "ASN1_TEMPLATE_D2I"}, 104{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0), "ASN1_TEMPLATE_D2I"},
@@ -104,6 +108,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
104{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0), "ASN1_TYPE_get_int_octetstring"}, 108{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0), "ASN1_TYPE_get_int_octetstring"},
105{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0), "ASN1_TYPE_get_octetstring"}, 109{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0), "ASN1_TYPE_get_octetstring"},
106{ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0), "ASN1_unpack_string"}, 110{ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0), "ASN1_unpack_string"},
111{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_SET,0), "ASN1_UTCTIME_set"},
107{ERR_PACK(0,ASN1_F_ASN1_VERIFY,0), "ASN1_verify"}, 112{ERR_PACK(0,ASN1_F_ASN1_VERIFY,0), "ASN1_verify"},
108{ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0), "BN_to_ASN1_ENUMERATED"}, 113{ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0), "BN_to_ASN1_ENUMERATED"},
109{ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0), "BN_to_ASN1_INTEGER"}, 114{ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0), "BN_to_ASN1_INTEGER"},
@@ -127,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
127{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0), "D2I_X509_CINF"}, 132{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0), "D2I_X509_CINF"},
128{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0), "D2I_X509_NAME"}, 133{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0), "D2I_X509_NAME"},
129{ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0), "d2i_X509_PKEY"}, 134{ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0), "d2i_X509_PKEY"},
135{ERR_PACK(0,ASN1_F_I2D_ASN1_SET,0), "i2d_ASN1_SET"},
130{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0), "I2D_ASN1_TIME"}, 136{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0), "I2D_ASN1_TIME"},
131{ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0), "i2d_DSA_PUBKEY"}, 137{ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0), "i2d_DSA_PUBKEY"},
132{ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"}, 138{ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"},
diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c
index a74f1368d3..97b9b35f4b 100644
--- a/src/lib/libcrypto/asn1/asn1_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_lib.c
@@ -349,6 +349,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
349 349
350 if (str->data == NULL) 350 if (str->data == NULL)
351 { 351 {
352 ASN1err(ASN1_F_ASN1_STRING_SET,ERR_R_MALLOC_FAILURE);
352 str->data=c; 353 str->data=c;
353 return(0); 354 return(0);
354 } 355 }
diff --git a/src/lib/libcrypto/asn1/evp_asn1.c b/src/lib/libcrypto/asn1/evp_asn1.c
index 3506005a71..f92ce6cb5d 100644
--- a/src/lib/libcrypto/asn1/evp_asn1.c
+++ b/src/lib/libcrypto/asn1/evp_asn1.c
@@ -115,7 +115,11 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
115 115
116 if ((osp=ASN1_STRING_new()) == NULL) return(0); 116 if ((osp=ASN1_STRING_new()) == NULL) return(0);
117 /* Grow the 'string' */ 117 /* Grow the 'string' */
118 ASN1_STRING_set(osp,NULL,size); 118 if (!ASN1_STRING_set(osp,NULL,size))
119 {
120 ASN1_STRING_free(osp);
121 return(0);
122 }
119 123
120 M_ASN1_STRING_length_set(osp, size); 124 M_ASN1_STRING_length_set(osp, size);
121 p=M_ASN1_STRING_data(osp); 125 p=M_ASN1_STRING_data(osp);
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index 891150638e..ec788267e0 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -76,47 +76,55 @@ IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM)
76X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt, 76X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
77 int saltlen) 77 int saltlen)
78{ 78{
79 PBEPARAM *pbe; 79 PBEPARAM *pbe=NULL;
80 ASN1_OBJECT *al; 80 ASN1_OBJECT *al;
81 X509_ALGOR *algor; 81 X509_ALGOR *algor;
82 ASN1_TYPE *astype; 82 ASN1_TYPE *astype=NULL;
83 83
84 if (!(pbe = PBEPARAM_new ())) { 84 if (!(pbe = PBEPARAM_new ())) {
85 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); 85 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
86 return NULL; 86 goto err;
87 } 87 }
88 if(iter <= 0) iter = PKCS5_DEFAULT_ITER; 88 if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
89 ASN1_INTEGER_set (pbe->iter, iter); 89 if (!ASN1_INTEGER_set(pbe->iter, iter)) {
90 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
91 goto err;
92 }
90 if (!saltlen) saltlen = PKCS5_SALT_LEN; 93 if (!saltlen) saltlen = PKCS5_SALT_LEN;
91 if (!(pbe->salt->data = OPENSSL_malloc (saltlen))) { 94 if (!(pbe->salt->data = OPENSSL_malloc (saltlen))) {
92 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); 95 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
93 return NULL; 96 goto err;
94 } 97 }
95 pbe->salt->length = saltlen; 98 pbe->salt->length = saltlen;
96 if (salt) memcpy (pbe->salt->data, salt, saltlen); 99 if (salt) memcpy (pbe->salt->data, salt, saltlen);
97 else if (RAND_pseudo_bytes (pbe->salt->data, saltlen) < 0) 100 else if (RAND_pseudo_bytes (pbe->salt->data, saltlen) < 0)
98 return NULL; 101 goto err;
99 102
100 if (!(astype = ASN1_TYPE_new())) { 103 if (!(astype = ASN1_TYPE_new())) {
101 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); 104 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
102 return NULL; 105 goto err;
103 } 106 }
104 107
105 astype->type = V_ASN1_SEQUENCE; 108 astype->type = V_ASN1_SEQUENCE;
106 if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) { 109 if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) {
107 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); 110 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
108 return NULL; 111 goto err;
109 } 112 }
110 PBEPARAM_free (pbe); 113 PBEPARAM_free (pbe);
114 pbe = NULL;
111 115
112 al = OBJ_nid2obj(alg); /* never need to free al */ 116 al = OBJ_nid2obj(alg); /* never need to free al */
113 if (!(algor = X509_ALGOR_new())) { 117 if (!(algor = X509_ALGOR_new())) {
114 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); 118 ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
115 return NULL; 119 goto err;
116 } 120 }
117 ASN1_OBJECT_free(algor->algorithm); 121 ASN1_OBJECT_free(algor->algorithm);
118 algor->algorithm = al; 122 algor->algorithm = al;
119 algor->parameter = astype; 123 algor->parameter = astype;
120 124
121 return (algor); 125 return (algor);
126err:
127 if (pbe != NULL) PBEPARAM_free(pbe);
128 if (astype != NULL) ASN1_TYPE_free(astype);
129 return NULL;
122} 130}
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index 91e1c8987d..e0dc0ec4ee 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -1,6 +1,6 @@
1/* p5_pbev2.c */ 1/* p5_pbev2.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL 2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 1999. 3 * project 1999-2004.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
@@ -113,7 +113,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
113 if(!(scheme->parameter = ASN1_TYPE_new())) goto merr; 113 if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
114 114
115 /* Create random IV */ 115 /* Create random IV */
116 if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) 116 if (EVP_CIPHER_iv_length(cipher) &&
117 RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
117 goto err; 118 goto err;
118 119
119 EVP_CIPHER_CTX_init(&ctx); 120 EVP_CIPHER_CTX_init(&ctx);
@@ -123,6 +124,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
123 if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) { 124 if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
124 ASN1err(ASN1_F_PKCS5_PBE2_SET, 125 ASN1err(ASN1_F_PKCS5_PBE2_SET,
125 ASN1_R_ERROR_SETTING_CIPHER_PARAMS); 126 ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
127 EVP_CIPHER_CTX_cleanup(&ctx);
126 goto err; 128 goto err;
127 } 129 }
128 EVP_CIPHER_CTX_cleanup(&ctx); 130 EVP_CIPHER_CTX_cleanup(&ctx);
diff --git a/src/lib/libcrypto/asn1/t_bitst.c b/src/lib/libcrypto/asn1/t_bitst.c
index 8ee789f082..397332d9b8 100644
--- a/src/lib/libcrypto/asn1/t_bitst.c
+++ b/src/lib/libcrypto/asn1/t_bitst.c
@@ -84,7 +84,10 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
84 int bitnum; 84 int bitnum;
85 bitnum = ASN1_BIT_STRING_num_asc(name, tbl); 85 bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
86 if(bitnum < 0) return 0; 86 if(bitnum < 0) return 0;
87 if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value); 87 if(bs) {
88 if(!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
89 return 0;
90 }
88 return 1; 91 return 1;
89} 92}
90 93
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index 11fce96825..b99f8fc522 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -63,8 +63,6 @@
63 63
64static int X509_REVOKED_cmp(const X509_REVOKED * const *a, 64static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
65 const X509_REVOKED * const *b); 65 const X509_REVOKED * const *b);
66static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
67 const X509_REVOKED * const *b);
68 66
69ASN1_SEQUENCE(X509_REVOKED) = { 67ASN1_SEQUENCE(X509_REVOKED) = {
70 ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER), 68 ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
@@ -72,43 +70,28 @@ ASN1_SEQUENCE(X509_REVOKED) = {
72 ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION) 70 ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
73} ASN1_SEQUENCE_END(X509_REVOKED) 71} ASN1_SEQUENCE_END(X509_REVOKED)
74 72
75/* The X509_CRL_INFO structure needs a bit of customisation. This is actually 73/* The X509_CRL_INFO structure needs a bit of customisation.
76 * mirroring the old behaviour: its purpose is to allow the use of 74 * Since we cache the original encoding the signature wont be affected by
77 * sk_X509_REVOKED_find to lookup revoked certificates. Unfortunately 75 * reordering of the revoked field.
78 * this will zap the original order and the signature so we keep a copy
79 * of the original positions and reorder appropriately before encoding.
80 *
81 * Might want to see if there's a better way of doing this later...
82 */ 76 */
83static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) 77static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
84{ 78{
85 X509_CRL_INFO *a = (X509_CRL_INFO *)*pval; 79 X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;
86 int i;
87 int (*old_cmp)(const X509_REVOKED * const *,
88 const X509_REVOKED * const *);
89 80
90 if(!a || !a->revoked) return 1; 81 if(!a || !a->revoked) return 1;
91 switch(operation) { 82 switch(operation) {
92 83 /* Just set cmp function here. We don't sort because that
93 /* Save original order */ 84 * would affect the output of X509_CRL_print().
85 */
94 case ASN1_OP_D2I_POST: 86 case ASN1_OP_D2I_POST:
95 for (i=0; i<sk_X509_REVOKED_num(a->revoked); i++)
96 sk_X509_REVOKED_value(a->revoked,i)->sequence=i;
97 sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp); 87 sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp);
98 break; 88 break;
99
100 /* Restore original order */
101 case ASN1_OP_I2D_PRE:
102 old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp);
103 sk_X509_REVOKED_sort(a->revoked);
104 sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp);
105 break;
106 } 89 }
107 return 1; 90 return 1;
108} 91}
109 92
110 93
111ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = { 94ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
112 ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER), 95 ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
113 ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR), 96 ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
114 ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME), 97 ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
@@ -116,7 +99,7 @@ ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
116 ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME), 99 ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
117 ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED), 100 ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),
118 ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) 101 ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
119} ASN1_SEQUENCE_END_cb(X509_CRL_INFO, X509_CRL_INFO) 102} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)
120 103
121ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = { 104ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = {
122 ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), 105 ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
@@ -137,12 +120,6 @@ static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
137 (ASN1_STRING *)(*b)->serialNumber)); 120 (ASN1_STRING *)(*b)->serialNumber));
138 } 121 }
139 122
140static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
141 const X509_REVOKED * const *b)
142 {
143 return((*a)->sequence-(*b)->sequence);
144 }
145
146int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) 123int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
147{ 124{
148 X509_CRL_INFO *inf; 125 X509_CRL_INFO *inf;
@@ -153,6 +130,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
153 ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE); 130 ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
154 return 0; 131 return 0;
155 } 132 }
133 inf->enc.modified = 1;
156 return 1; 134 return 1;
157} 135}
158 136
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index caece0f158..31f3377b64 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -160,21 +160,22 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, cons
160 int tag, int aclass, char opt, ASN1_TLC *ctx) 160 int tag, int aclass, char opt, ASN1_TLC *ctx)
161{ 161{
162 unsigned char *p = *in, *q; 162 unsigned char *p = *in, *q;
163 STACK *intname = NULL; 163 STACK *intname = NULL, **intname_pp = &intname;
164 int i, j, ret; 164 int i, j, ret;
165 X509_NAME *nm = NULL; 165 X509_NAME *nm = NULL, **nm_pp = &nm;
166 STACK_OF(X509_NAME_ENTRY) *entries; 166 STACK_OF(X509_NAME_ENTRY) *entries;
167 X509_NAME_ENTRY *entry; 167 X509_NAME_ENTRY *entry;
168 q = p; 168 q = p;
169 169
170 /* Get internal representation of Name */ 170 /* Get internal representation of Name */
171 ret = ASN1_item_ex_d2i((ASN1_VALUE **)&intname, &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL), 171 ret = ASN1_item_ex_d2i((ASN1_VALUE **)intname_pp,
172 tag, aclass, opt, ctx); 172 &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
173 tag, aclass, opt, ctx);
173 174
174 if(ret <= 0) return ret; 175 if(ret <= 0) return ret;
175 176
176 if(*val) x509_name_ex_free(val, NULL); 177 if(*val) x509_name_ex_free(val, NULL);
177 if(!x509_name_ex_new((ASN1_VALUE **)&nm, NULL)) goto err; 178 if(!x509_name_ex_new((ASN1_VALUE **)nm_pp, NULL)) goto err;
178 /* We've decoded it: now cache encoding */ 179 /* We've decoded it: now cache encoding */
179 if(!BUF_MEM_grow(nm->bytes, p - q)) goto err; 180 if(!BUF_MEM_grow(nm->bytes, p - q)) goto err;
180 memcpy(nm->bytes->data, q, p - q); 181 memcpy(nm->bytes->data, q, p - q);
@@ -218,7 +219,7 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_IT
218 219
219static int x509_name_encode(X509_NAME *a) 220static int x509_name_encode(X509_NAME *a)
220{ 221{
221 STACK *intname = NULL; 222 STACK *intname = NULL, **intname_pp = &intname;
222 int len; 223 int len;
223 unsigned char *p; 224 unsigned char *p;
224 STACK_OF(X509_NAME_ENTRY) *entries = NULL; 225 STACK_OF(X509_NAME_ENTRY) *entries = NULL;
@@ -236,10 +237,12 @@ static int x509_name_encode(X509_NAME *a)
236 } 237 }
237 if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr; 238 if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr;
238 } 239 }
239 len = ASN1_item_ex_i2d((ASN1_VALUE **)&intname, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); 240 len = ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, NULL,
241 ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
240 if (!BUF_MEM_grow(a->bytes,len)) goto memerr; 242 if (!BUF_MEM_grow(a->bytes,len)) goto memerr;
241 p=(unsigned char *)a->bytes->data; 243 p=(unsigned char *)a->bytes->data;
242 ASN1_item_ex_i2d((ASN1_VALUE **)&intname, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); 244 ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp,
245 &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
243 sk_pop_free(intname, sk_internal_free); 246 sk_pop_free(intname, sk_internal_free);
244 a->modified = 0; 247 a->modified = 0;
245 return len; 248 return len;
diff --git a/src/lib/libcrypto/asn1/x_pubkey.c b/src/lib/libcrypto/asn1/x_pubkey.c
index d958540120..7d6d71af88 100644
--- a/src/lib/libcrypto/asn1/x_pubkey.c
+++ b/src/lib/libcrypto/asn1/x_pubkey.c
@@ -80,8 +80,7 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY)
80 80
81int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) 81int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
82 { 82 {
83 int ok=0; 83 X509_PUBKEY *pk=NULL;
84 X509_PUBKEY *pk;
85 X509_ALGOR *a; 84 X509_ALGOR *a;
86 ASN1_OBJECT *o; 85 ASN1_OBJECT *o;
87 unsigned char *s,*p = NULL; 86 unsigned char *s,*p = NULL;
@@ -104,7 +103,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
104 (a->parameter->type != V_ASN1_NULL)) 103 (a->parameter->type != V_ASN1_NULL))
105 { 104 {
106 ASN1_TYPE_free(a->parameter); 105 ASN1_TYPE_free(a->parameter);
107 a->parameter=ASN1_TYPE_new(); 106 if (!(a->parameter=ASN1_TYPE_new()))
107 {
108 X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
109 goto err;
110 }
108 a->parameter->type=V_ASN1_NULL; 111 a->parameter->type=V_ASN1_NULL;
109 } 112 }
110 } 113 }
@@ -118,14 +121,34 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
118 dsa=pkey->pkey.dsa; 121 dsa=pkey->pkey.dsa;
119 dsa->write_params=0; 122 dsa->write_params=0;
120 ASN1_TYPE_free(a->parameter); 123 ASN1_TYPE_free(a->parameter);
121 i=i2d_DSAparams(dsa,NULL); 124 if ((i=i2d_DSAparams(dsa,NULL)) <= 0)
122 if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err; 125 goto err;
126 if (!(p=(unsigned char *)OPENSSL_malloc(i)))
127 {
128 X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
129 goto err;
130 }
123 pp=p; 131 pp=p;
124 i2d_DSAparams(dsa,&pp); 132 i2d_DSAparams(dsa,&pp);
125 a->parameter=ASN1_TYPE_new(); 133 if (!(a->parameter=ASN1_TYPE_new()))
134 {
135 OPENSSL_free(p);
136 X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
137 goto err;
138 }
126 a->parameter->type=V_ASN1_SEQUENCE; 139 a->parameter->type=V_ASN1_SEQUENCE;
127 a->parameter->value.sequence=ASN1_STRING_new(); 140 if (!(a->parameter->value.sequence=ASN1_STRING_new()))
128 ASN1_STRING_set(a->parameter->value.sequence,p,i); 141 {
142 OPENSSL_free(p);
143 X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
144 goto err;
145 }
146 if (!ASN1_STRING_set(a->parameter->value.sequence,p,i))
147 {
148 OPENSSL_free(p);
149 X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
150 goto err;
151 }
129 OPENSSL_free(p); 152 OPENSSL_free(p);
130 } 153 }
131 else 154 else
@@ -143,7 +166,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
143 } 166 }
144 p=s; 167 p=s;
145 i2d_PublicKey(pkey,&p); 168 i2d_PublicKey(pkey,&p);
146 if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err; 169 if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i))
170 {
171 X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
172 goto err;
173 }
147 /* Set number of unused bits to zero */ 174 /* Set number of unused bits to zero */
148 pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); 175 pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
149 pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT; 176 pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT;
@@ -159,12 +186,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
159 X509_PUBKEY_free(*x); 186 X509_PUBKEY_free(*x);
160 187
161 *x=pk; 188 *x=pk;
162 pk=NULL;
163 189
164 ok=1; 190 return 1;
165err: 191err:
166 if (pk != NULL) X509_PUBKEY_free(pk); 192 if (pk != NULL) X509_PUBKEY_free(pk);
167 return(ok); 193 return 0;
168 } 194 }
169 195
170EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) 196EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
diff --git a/src/lib/libcrypto/bf/bf_skey.c b/src/lib/libcrypto/bf/bf_skey.c
index 3673cdee6e..fc5bebefce 100644
--- a/src/lib/libcrypto/bf/bf_skey.c
+++ b/src/lib/libcrypto/bf/bf_skey.c
@@ -58,11 +58,12 @@
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include <string.h> 60#include <string.h>
61#include <openssl/crypto.h>
61#include <openssl/blowfish.h> 62#include <openssl/blowfish.h>
62#include "bf_locl.h" 63#include "bf_locl.h"
63#include "bf_pi.h" 64#include "bf_pi.h"
64 65
65void BF_set_key(BF_KEY *key, int len, const unsigned char *data) 66FIPS_NON_FIPS_VCIPHER_Init(BF)
66 { 67 {
67 int i; 68 int i;
68 BF_LONG *p,ri,in[2]; 69 BF_LONG *p,ri,in[2];
diff --git a/src/lib/libcrypto/bf/blowfish.h b/src/lib/libcrypto/bf/blowfish.h
index cd49e85ab2..b4d8774961 100644
--- a/src/lib/libcrypto/bf/blowfish.h
+++ b/src/lib/libcrypto/bf/blowfish.h
@@ -104,7 +104,10 @@ typedef struct bf_key_st
104 BF_LONG S[4*256]; 104 BF_LONG S[4*256];
105 } BF_KEY; 105 } BF_KEY;
106 106
107 107
108#ifdef OPENSSL_FIPS
109void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
110#endif
108void BF_set_key(BF_KEY *key, int len, const unsigned char *data); 111void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
109 112
110void BF_encrypt(BF_LONG *data,const BF_KEY *key); 113void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c
index fbff331796..c2bb357b4c 100644
--- a/src/lib/libcrypto/bio/b_print.c
+++ b/src/lib/libcrypto/bio/b_print.c
@@ -641,7 +641,7 @@ fmtfp(
641 multiplying by a factor of 10 */ 641 multiplying by a factor of 10 */
642 fracpart = roundv((pow10(max)) * (ufvalue - intpart)); 642 fracpart = roundv((pow10(max)) * (ufvalue - intpart));
643 643
644 if (fracpart >= pow10(max)) { 644 if (fracpart >= (long)pow10(max)) {
645 intpart++; 645 intpart++;
646 fracpart -= (long)pow10(max); 646 fracpart -= (long)pow10(max);
647 } 647 }
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index fbbc16d00c..2eb703830f 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -347,6 +347,7 @@ typedef struct bio_f_buffer_ctx_struct
347#define BIO_C_NWRITE0 145 347#define BIO_C_NWRITE0 145
348#define BIO_C_NWRITE 146 348#define BIO_C_NWRITE 146
349#define BIO_C_RESET_READ_REQUEST 147 349#define BIO_C_RESET_READ_REQUEST 147
350#define BIO_C_SET_MD_CTX 148
350 351
351 352
352#define BIO_set_app_data(s,arg) BIO_set_ex_data(s,0,arg) 353#define BIO_set_app_data(s,arg) BIO_set_ex_data(s,0,arg)
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 9cdf159f82..8034ac93f9 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -213,13 +213,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
213 b->shutdown=(int)num&BIO_CLOSE; 213 b->shutdown=(int)num&BIO_CLOSE;
214 b->ptr=(char *)ptr; 214 b->ptr=(char *)ptr;
215 b->init=1; 215 b->init=1;
216 {
216#if defined(OPENSSL_SYS_WINDOWS) 217#if defined(OPENSSL_SYS_WINDOWS)
218 int fd = fileno((FILE*)ptr);
217 if (num & BIO_FP_TEXT) 219 if (num & BIO_FP_TEXT)
218 _setmode(fileno((FILE *)ptr),_O_TEXT); 220 _setmode(fd,_O_TEXT);
219 else 221 else
220 _setmode(fileno((FILE *)ptr),_O_BINARY); 222 _setmode(fd,_O_BINARY);
221#elif defined(OPENSSL_SYS_MSDOS) 223#elif defined(OPENSSL_SYS_MSDOS)
222 {
223 int fd = fileno((FILE*)ptr); 224 int fd = fileno((FILE*)ptr);
224 /* Set correct text/binary mode */ 225 /* Set correct text/binary mode */
225 if (num & BIO_FP_TEXT) 226 if (num & BIO_FP_TEXT)
@@ -235,13 +236,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
235 else 236 else
236 _setmode(fd,_O_BINARY); 237 _setmode(fd,_O_BINARY);
237 } 238 }
238 }
239#elif defined(OPENSSL_SYS_OS2) 239#elif defined(OPENSSL_SYS_OS2)
240 int fd = fileno((FILE*)ptr);
240 if (num & BIO_FP_TEXT) 241 if (num & BIO_FP_TEXT)
241 setmode(fileno((FILE *)ptr), O_TEXT); 242 setmode(fd, O_TEXT);
242 else 243 else
243 setmode(fileno((FILE *)ptr), O_BINARY); 244 setmode(fd, O_BINARY);
244#endif 245#endif
246 }
245 break; 247 break;
246 case BIO_C_SET_FILENAME: 248 case BIO_C_SET_FILENAME:
247 file_free(b); 249 file_free(b);
@@ -264,7 +266,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
264 ret=0; 266 ret=0;
265 break; 267 break;
266 } 268 }
267#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) 269#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
268 if (!(num & BIO_FP_TEXT)) 270 if (!(num & BIO_FP_TEXT))
269 strcat(p,"b"); 271 strcat(p,"b");
270 else 272 else
diff --git a/src/lib/libcrypto/bn/asm/ia64.S b/src/lib/libcrypto/bn/asm/ia64.S
index 7dfda85566..7b82b820e6 100644
--- a/src/lib/libcrypto/bn/asm/ia64.S
+++ b/src/lib/libcrypto/bn/asm/ia64.S
@@ -1,6 +1,6 @@
1.explicit 1.explicit
2.text 2.text
3.ident "ia64.S, Version 2.0" 3.ident "ia64.S, Version 2.1"
4.ident "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>" 4.ident "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
5 5
6// 6//
@@ -35,7 +35,7 @@
35// What does it mean? You might ratiocinate that the original code 35// What does it mean? You might ratiocinate that the original code
36// should run just faster... Because sum of latencies is smaller... 36// should run just faster... Because sum of latencies is smaller...
37// Wrong! Note that getf latency increased. This means that if a loop is 37// Wrong! Note that getf latency increased. This means that if a loop is
38// scheduled for lower latency (and they are), then it will suffer from 38// scheduled for lower latency (as they were), then it will suffer from
39// stall condition and the code will therefore turn anti-scalable, e.g. 39// stall condition and the code will therefore turn anti-scalable, e.g.
40// original bn_mul_words spun at 5*n or 2.5 times slower than expected 40// original bn_mul_words spun at 5*n or 2.5 times slower than expected
41// on Itanium2! What to do? Reschedule loops for Itanium2? But then 41// on Itanium2! What to do? Reschedule loops for Itanium2? But then
@@ -145,6 +145,12 @@
145// -Drum=nop.m in command line. 145// -Drum=nop.m in command line.
146// 146//
147 147
148#if defined(_HPUX_SOURCE) && !defined(_LP64)
149#define ADDP addp4
150#else
151#define ADDP add
152#endif
153
148#if 1 154#if 1
149// 155//
150// bn_[add|sub]_words routines. 156// bn_[add|sub]_words routines.
@@ -178,27 +184,12 @@ bn_add_words:
178 brp.loop.imp .L_bn_add_words_ctop,.L_bn_add_words_cend-16 184 brp.loop.imp .L_bn_add_words_ctop,.L_bn_add_words_cend-16
179 } 185 }
180 .body 186 .body
181{ .mib; 187{ .mib; ADDP r14=0,r32 // rp
182#if defined(_HPUX_SOURCE) && defined(_ILP32)
183 addp4 r14=0,r32 // rp
184#else
185 mov r14=r32 // rp
186#endif
187 mov r9=pr };; 188 mov r9=pr };;
188{ .mii; 189{ .mii; ADDP r15=0,r33 // ap
189#if defined(_HPUX_SOURCE) && defined(_ILP32)
190 addp4 r15=0,r33 // ap
191#else
192 mov r15=r33 // ap
193#endif
194 mov ar.lc=r10 190 mov ar.lc=r10
195 mov ar.ec=6 } 191 mov ar.ec=6 }
196{ .mib; 192{ .mib; ADDP r16=0,r34 // bp
197#if defined(_HPUX_SOURCE) && defined(_ILP32)
198 addp4 r16=0,r34 // bp
199#else
200 mov r16=r34 // bp
201#endif
202 mov pr.rot=1<<16 };; 193 mov pr.rot=1<<16 };;
203 194
204.L_bn_add_words_ctop: 195.L_bn_add_words_ctop:
@@ -246,27 +237,12 @@ bn_sub_words:
246 brp.loop.imp .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16 237 brp.loop.imp .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
247 } 238 }
248 .body 239 .body
249{ .mib; 240{ .mib; ADDP r14=0,r32 // rp
250#if defined(_HPUX_SOURCE) && defined(_ILP32)
251 addp4 r14=0,r32 // rp
252#else
253 mov r14=r32 // rp
254#endif
255 mov r9=pr };; 241 mov r9=pr };;
256{ .mii; 242{ .mii; ADDP r15=0,r33 // ap
257#if defined(_HPUX_SOURCE) && defined(_ILP32)
258 addp4 r15=0,r33 // ap
259#else
260 mov r15=r33 // ap
261#endif
262 mov ar.lc=r10 243 mov ar.lc=r10
263 mov ar.ec=6 } 244 mov ar.ec=6 }
264{ .mib; 245{ .mib; ADDP r16=0,r34 // bp
265#if defined(_HPUX_SOURCE) && defined(_ILP32)
266 addp4 r16=0,r34 // bp
267#else
268 mov r16=r34 // bp
269#endif
270 mov pr.rot=1<<16 };; 246 mov pr.rot=1<<16 };;
271 247
272.L_bn_sub_words_ctop: 248.L_bn_sub_words_ctop:
@@ -332,16 +308,10 @@ bn_mul_words:
332 308
333#ifndef XMA_TEMPTATION 309#ifndef XMA_TEMPTATION
334 310
335{ .mii; 311{ .mmi; ADDP r14=0,r32 // rp
336#if defined(_HPUX_SOURCE) && defined(_ILP32) 312 ADDP r15=0,r33 // ap
337 addp4 r14=0,r32 // rp
338 addp4 r15=0,r33 // ap
339#else
340 mov r14=r32 // rp
341 mov r15=r33 // ap
342#endif
343 mov ar.lc=r10 } 313 mov ar.lc=r10 }
344{ .mii; mov r40=0 // serves as r35 at first (p27) 314{ .mmi; mov r40=0 // serves as r35 at first (p27)
345 mov ar.ec=13 };; 315 mov ar.ec=13 };;
346 316
347// This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium 317// This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium
@@ -424,89 +394,64 @@ bn_mul_words:
424.global bn_mul_add_words# 394.global bn_mul_add_words#
425.proc bn_mul_add_words# 395.proc bn_mul_add_words#
426.align 64 396.align 64
427//.skip 0 // makes the loop split at 64-byte boundary 397.skip 48 // makes the loop body aligned at 64-byte boundary
428bn_mul_add_words: 398bn_mul_add_words:
429 .prologue 399 .prologue
430 .fframe 0 400 .fframe 0
431 .save ar.pfs,r2 401 .save ar.pfs,r2
432{ .mii; alloc r2=ar.pfs,4,12,0,16
433 cmp4.le p6,p0=r34,r0 };;
434{ .mfb; mov r8=r0 // return value
435(p6) br.ret.spnt.many b0 };;
436
437 .save ar.lc,r3 402 .save ar.lc,r3
438{ .mii; sub r10=r34,r0,1 403 .save pr,r9
439 mov r3=ar.lc 404{ .mmi; alloc r2=ar.pfs,4,4,0,8
440 mov r9=pr };; 405 cmp4.le p6,p0=r34,r0
406 mov r3=ar.lc };;
407{ .mib; mov r8=r0 // return value
408 sub r10=r34,r0,1
409(p6) br.ret.spnt.many b0 };;
441 410
442 .body 411 .body
443{ .mib; setf.sig f8=r35 // w 412{ .mib; setf.sig f8=r35 // w
444 mov pr.rot=0x800001<<16 413 mov r9=pr
445 // ------^----- serves as (p50) at first (p27)
446 brp.loop.imp .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16 414 brp.loop.imp .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
447 } 415 }
448{ .mii; 416{ .mmi; ADDP r14=0,r32 // rp
449#if defined(_HPUX_SOURCE) && defined(_ILP32) 417 ADDP r15=0,r33 // ap
450 addp4 r14=0,r32 // rp
451 addp4 r15=0,r33 // ap
452#else
453 mov r14=r32 // rp
454 mov r15=r33 // ap
455#endif
456 mov ar.lc=r10 } 418 mov ar.lc=r10 }
457{ .mii; mov r40=0 // serves as r35 at first (p27) 419{ .mii; ADDP r16=0,r32 // rp copy
458#if defined(_HPUX_SOURCE) && defined(_ILP32) 420 mov pr.rot=0x2001<<16
459 addp4 r18=0,r32 // rp copy 421 // ------^----- serves as (p40) at first (p27)
460#else 422 mov ar.ec=11 };;
461 mov r18=r32 // rp copy 423
462#endif 424// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
463 mov ar.ec=15 };; 425// Itanium 2. Yes, unlike previous versions it scales:-) Previous
464 426// version was peforming *all* additions in IALU and was starving
465// This loop spins in 3*(n+14) ticks on Itanium and should spin in 427// for those even on Itanium 2. In this version one addition is
466// 2*(n+14) on "wider" IA-64 implementations (to be verified with new 428// moved to FPU and is folded with multiplication. This is at cost
467// µ-architecture manuals as they become available). As usual it's 429// of propogating the result from previous call to this subroutine
468// possible to compress the epilogue, down to 10 in this case, at the 430// to L2 cache... In other words negligible even for shorter keys.
469// cost of scalability. Compressed (and therefore non-scalable) loop 431// *Overall* performance improvement [over previous version] varies
470// running at 3*(n+11) would buy you ~10% on Itanium but take ~35% 432// from 11 to 22 percent depending on key length.
471// from "wider" IA-64 so let it be scalable! Special attention was
472// paid for having the loop body split at 64-byte boundary. ld8 is
473// scheduled for L1 cache as the data is more than likely there.
474// Indeed, bn_mul_words has put it there a moment ago:-)
475.L_bn_mul_add_words_ctop: 433.L_bn_mul_add_words_ctop:
476{ .mfi; (p25) getf.sig r36=f52 // low 434.pred.rel "mutex",p40,p42
477 (p21) xmpy.lu f48=f37,f8 435{ .mfi; (p23) getf.sig r36=f45 // low
478 (p28) cmp.ltu p54,p50=r41,r39 } 436 (p20) xma.lu f42=f36,f8,f50 // low
479{ .mfi; (p16) ldf8 f32=[r15],8 437 (p40) add r39=r39,r35 } // (p27)
480 (p21) xmpy.hu f40=f37,f8 438{ .mfi; (p16) ldf8 f32=[r15],8 // *(ap++)
481 (p28) add r45=r45,r41 };; 439 (p20) xma.hu f36=f36,f8,f50 // high
482{ .mii; (p25) getf.sig r32=f44 // high 440 (p42) add r39=r39,r35,1 };; // (p27)
483 .pred.rel "mutex",p50,p54 441{ .mmi; (p24) getf.sig r32=f40 // high
484 (p50) add r40=r38,r35 // (p27) 442 (p16) ldf8 f46=[r16],8 // *(rp1++)
485 (p54) add r40=r38,r35,1 } // (p27) 443 (p40) cmp.ltu p41,p39=r39,r35 } // (p27)
486{ .mfb; (p28) cmp.ltu.unc p60,p0=r45,r41 444{ .mib; (p26) st8 [r14]=r39,8 // *(rp2++)
487 (p0) nop.f 0x0 445 (p42) cmp.leu p41,p39=r39,r35 // (p27)
488 (p0) nop.b 0x0 }
489{ .mii; (p27) ld8 r44=[r18],8
490 (p62) cmp.eq.or p61,p0=-1,r46
491 (p62) add r46=1,r46 }
492{ .mfb; (p30) st8 [r14]=r47,8
493 (p0) nop.f 0x0
494 br.ctop.sptk .L_bn_mul_add_words_ctop};; 446 br.ctop.sptk .L_bn_mul_add_words_ctop};;
495.L_bn_mul_add_words_cend: 447.L_bn_mul_add_words_cend:
496 448
497{ .mii; nop.m 0x0 449{ .mmi; .pred.rel "mutex",p40,p42
498.pred.rel "mutex",p53,p57 450(p40) add r8=r35,r0
499(p53) add r8=r38,r0 451(p42) add r8=r35,r0,1
500(p57) add r8=r38,r0,1 } 452 mov pr=r9,0x1ffff }
501{ .mfb; nop.m 0x0 453{ .mib; rum 1<<5 // clear um.mfh
502 nop.f 0x0 454 mov ar.lc=r3
503 nop.b 0x0 };;
504{ .mii;
505(p63) add r8=1,r8
506 mov pr=r9,0x1ffff
507 mov ar.lc=r3 }
508{ .mfb; rum 1<<5 // clear um.mfh
509 nop.f 0x0
510 br.ret.sptk.many b0 };; 455 br.ret.sptk.many b0 };;
511.endp bn_mul_add_words# 456.endp bn_mul_add_words#
512#endif 457#endif
@@ -527,7 +472,8 @@ bn_sqr_words:
527 sxt4 r34=r34 };; 472 sxt4 r34=r34 };;
528{ .mii; cmp.le p6,p0=r34,r0 473{ .mii; cmp.le p6,p0=r34,r0
529 mov r8=r0 } // return value 474 mov r8=r0 } // return value
530{ .mfb; nop.f 0x0 475{ .mfb; ADDP r32=0,r32
476 nop.f 0x0
531(p6) br.ret.spnt.many b0 };; 477(p6) br.ret.spnt.many b0 };;
532 478
533 .save ar.lc,r3 479 .save ar.lc,r3
@@ -536,11 +482,7 @@ bn_sqr_words:
536 mov r9=pr };; 482 mov r9=pr };;
537 483
538 .body 484 .body
539#if defined(_HPUX_SOURCE) && defined(_ILP32) 485{ .mib; ADDP r33=0,r33
540{ .mii; addp4 r32=0,r32
541 addp4 r33=0,r33 };;
542#endif
543{ .mib;
544 mov pr.rot=1<<16 486 mov pr.rot=1<<16
545 brp.loop.imp .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16 487 brp.loop.imp .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
546 } 488 }
@@ -605,7 +547,7 @@ bn_sqr_comba8:
605 .prologue 547 .prologue
606 .fframe 0 548 .fframe 0
607 .save ar.pfs,r2 549 .save ar.pfs,r2
608#if defined(_HPUX_SOURCE) && defined(_ILP32) 550#if defined(_HPUX_SOURCE) && !defined(_LP64)
609{ .mii; alloc r2=ar.pfs,2,1,0,0 551{ .mii; alloc r2=ar.pfs,2,1,0,0
610 addp4 r33=0,r33 552 addp4 r33=0,r33
611 addp4 r32=0,r32 };; 553 addp4 r32=0,r32 };;
@@ -631,6 +573,10 @@ bn_sqr_comba8:
631// clause in Itanium µ-architecture manual? Comments are welcomed and 573// clause in Itanium µ-architecture manual? Comments are welcomed and
632// highly appreciated. 574// highly appreciated.
633// 575//
576// On Itanium 2 it takes ~190 ticks. This is because of stalls on
577// result from getf.sig. I do nothing about it at this point for
578// reasons depicted below.
579//
634// However! It should be noted that even 160 ticks is darn good result 580// However! It should be noted that even 160 ticks is darn good result
635// as it's over 10 (yes, ten, spelled as t-e-n) times faster than the 581// as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
636// C version (compiled with gcc with inline assembler). I really 582// C version (compiled with gcc with inline assembler). I really
@@ -673,7 +619,7 @@ bn_mul_comba8:
673 .prologue 619 .prologue
674 .fframe 0 620 .fframe 0
675 .save ar.pfs,r2 621 .save ar.pfs,r2
676#if defined(_HPUX_SOURCE) && defined(_ILP32) 622#if defined(_HPUX_SOURCE) && !defined(_LP64)
677{ .mii; alloc r2=ar.pfs,3,0,0,0 623{ .mii; alloc r2=ar.pfs,3,0,0,0
678 addp4 r33=0,r33 624 addp4 r33=0,r33
679 addp4 r34=0,r34 };; 625 addp4 r34=0,r34 };;
@@ -1231,7 +1177,7 @@ bn_sqr_comba4:
1231 .prologue 1177 .prologue
1232 .fframe 0 1178 .fframe 0
1233 .save ar.pfs,r2 1179 .save ar.pfs,r2
1234#if defined(_HPUX_SOURCE) && defined(_ILP32) 1180#if defined(_HPUX_SOURCE) && !defined(_LP64)
1235{ .mii; alloc r2=ar.pfs,2,1,0,0 1181{ .mii; alloc r2=ar.pfs,2,1,0,0
1236 addp4 r32=0,r32 1182 addp4 r32=0,r32
1237 addp4 r33=0,r33 };; 1183 addp4 r33=0,r33 };;
@@ -1264,7 +1210,7 @@ bn_mul_comba4:
1264 .prologue 1210 .prologue
1265 .fframe 0 1211 .fframe 0
1266 .save ar.pfs,r2 1212 .save ar.pfs,r2
1267#if defined(_HPUX_SOURCE) && defined(_ILP32) 1213#if defined(_HPUX_SOURCE) && !defined(_LP64)
1268{ .mii; alloc r2=ar.pfs,3,0,0,0 1214{ .mii; alloc r2=ar.pfs,3,0,0,0
1269 addp4 r33=0,r33 1215 addp4 r33=0,r33
1270 addp4 r34=0,r34 };; 1216 addp4 r34=0,r34 };;
@@ -1448,8 +1394,8 @@ bn_mul_comba4:
1448#define I r21 1394#define I r21
1449 1395
1450#if 0 1396#if 0
1451// Some preprocessors (most notably HP-UX) apper to be allergic to 1397// Some preprocessors (most notably HP-UX) appear to be allergic to
1452// macros enclosed to parenthesis as these three will be. 1398// macros enclosed to parenthesis [as these three were].
1453#define cont p16 1399#define cont p16
1454#define break p0 // p20 1400#define break p0 // p20
1455#define equ p24 1401#define equ p24
@@ -1581,9 +1527,18 @@ bn_div_words:
1581// output: f8 = (int)(a/b) 1527// output: f8 = (int)(a/b)
1582// clobbered: f8,f9,f10,f11,pred 1528// clobbered: f8,f9,f10,f11,pred
1583pred=p15 1529pred=p15
1584// This procedure is essentially Intel code and therefore is 1530// One can argue that this snippet is copyrighted to Intel
1585// copyrighted to Intel Corporation (I suppose...). It's sligtly 1531// Corporation, as it's essentially identical to one of those
1586// modified for specific needs. 1532// found in "Divide, Square Root and Remainder" section at
1533// http://www.intel.com/software/products/opensource/libraries/num.htm.
1534// Yes, I admit that the referred code was used as template,
1535// but after I realized that there hardly is any other instruction
1536// sequence which would perform this operation. I mean I figure that
1537// any independent attempt to implement high-performance division
1538// will result in code virtually identical to the Intel code. It
1539// should be noted though that below division kernel is 1 cycle
1540// faster than Intel one (note commented splits:-), not to mention
1541// original prologue (rather lack of one) and epilogue.
1587.align 32 1542.align 32
1588.skip 16 1543.skip 16
1589.L_udiv64_32_b6: 1544.L_udiv64_32_b6:
diff --git a/src/lib/libcrypto/bn/asm/ppc.pl b/src/lib/libcrypto/bn/asm/ppc.pl
new file mode 100644
index 0000000000..307c7ccb35
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/ppc.pl
@@ -0,0 +1,2081 @@
1#!/usr/bin/env perl
2#
3# Implemented as a Perl wrapper as we want to support several different
4# architectures with single file. We pick up the target based on the
5# file name we are asked to generate.
6#
7# It should be noted though that this perl code is nothing like
8# <openssl>/crypto/perlasm/x86*. In this case perl is used pretty much
9# as pre-processor to cover for platform differences in name decoration,
10# linker tables, 32-/64-bit instruction sets...
11#
12# As you might know there're several PowerPC ABI in use. Most notably
13# Linux and AIX use different 32-bit ABIs. Good news are that these ABIs
14# are similar enough to implement leaf(!) functions, which would be ABI
15# neutral. And that's what you find here: ABI neutral leaf functions.
16# In case you wonder what that is...
17#
18# AIX performance
19#
20# MEASUREMENTS WITH cc ON a 200 MhZ PowerPC 604e.
21#
22# The following is the performance of 32-bit compiler
23# generated code:
24#
25# OpenSSL 0.9.6c 21 dec 2001
26# built on: Tue Jun 11 11:06:51 EDT 2002
27# options:bn(64,32) ...
28#compiler: cc -DTHREADS -DAIX -DB_ENDIAN -DBN_LLONG -O3
29# sign verify sign/s verify/s
30#rsa 512 bits 0.0098s 0.0009s 102.0 1170.6
31#rsa 1024 bits 0.0507s 0.0026s 19.7 387.5
32#rsa 2048 bits 0.3036s 0.0085s 3.3 117.1
33#rsa 4096 bits 2.0040s 0.0299s 0.5 33.4
34#dsa 512 bits 0.0087s 0.0106s 114.3 94.5
35#dsa 1024 bits 0.0256s 0.0313s 39.0 32.0
36#
37# Same bechmark with this assembler code:
38#
39#rsa 512 bits 0.0056s 0.0005s 178.6 2049.2
40#rsa 1024 bits 0.0283s 0.0015s 35.3 674.1
41#rsa 2048 bits 0.1744s 0.0050s 5.7 201.2
42#rsa 4096 bits 1.1644s 0.0179s 0.9 55.7
43#dsa 512 bits 0.0052s 0.0062s 191.6 162.0
44#dsa 1024 bits 0.0149s 0.0180s 67.0 55.5
45#
46# Number of operations increases by at almost 75%
47#
48# Here are performance numbers for 64-bit compiler
49# generated code:
50#
51# OpenSSL 0.9.6g [engine] 9 Aug 2002
52# built on: Fri Apr 18 16:59:20 EDT 2003
53# options:bn(64,64) ...
54# compiler: cc -DTHREADS -D_REENTRANT -q64 -DB_ENDIAN -O3
55# sign verify sign/s verify/s
56#rsa 512 bits 0.0028s 0.0003s 357.1 3844.4
57#rsa 1024 bits 0.0148s 0.0008s 67.5 1239.7
58#rsa 2048 bits 0.0963s 0.0028s 10.4 353.0
59#rsa 4096 bits 0.6538s 0.0102s 1.5 98.1
60#dsa 512 bits 0.0026s 0.0032s 382.5 313.7
61#dsa 1024 bits 0.0081s 0.0099s 122.8 100.6
62#
63# Same benchmark with this assembler code:
64#
65#rsa 512 bits 0.0020s 0.0002s 510.4 6273.7
66#rsa 1024 bits 0.0088s 0.0005s 114.1 2128.3
67#rsa 2048 bits 0.0540s 0.0016s 18.5 622.5
68#rsa 4096 bits 0.3700s 0.0058s 2.7 171.0
69#dsa 512 bits 0.0016s 0.0020s 610.7 507.1
70#dsa 1024 bits 0.0047s 0.0058s 212.5 173.2
71#
72# Again, performance increases by at about 75%
73#
74# Mac OS X, Apple G5 1.8GHz (Note this is 32 bit code)
75# OpenSSL 0.9.7c 30 Sep 2003
76#
77# Original code.
78#
79#rsa 512 bits 0.0011s 0.0001s 906.1 11012.5
80#rsa 1024 bits 0.0060s 0.0003s 166.6 3363.1
81#rsa 2048 bits 0.0370s 0.0010s 27.1 982.4
82#rsa 4096 bits 0.2426s 0.0036s 4.1 280.4
83#dsa 512 bits 0.0010s 0.0012s 1038.1 841.5
84#dsa 1024 bits 0.0030s 0.0037s 329.6 269.7
85#dsa 2048 bits 0.0101s 0.0127s 98.9 78.6
86#
87# Same benchmark with this assembler code:
88#
89#rsa 512 bits 0.0007s 0.0001s 1416.2 16645.9
90#rsa 1024 bits 0.0036s 0.0002s 274.4 5380.6
91#rsa 2048 bits 0.0222s 0.0006s 45.1 1589.5
92#rsa 4096 bits 0.1469s 0.0022s 6.8 449.6
93#dsa 512 bits 0.0006s 0.0007s 1664.2 1376.2
94#dsa 1024 bits 0.0018s 0.0023s 545.0 442.2
95#dsa 2048 bits 0.0061s 0.0075s 163.5 132.8
96#
97# Performance increase of ~60%
98#
99# If you have comments or suggestions to improve code send
100# me a note at schari@us.ibm.com
101#
102
103$opf = shift;
104
105if ($opf =~ /32\.s/) {
106 $BITS= 32;
107 $BNSZ= $BITS/8;
108 $ISA= "\"ppc\"";
109
110 $LD= "lwz"; # load
111 $LDU= "lwzu"; # load and update
112 $ST= "stw"; # store
113 $STU= "stwu"; # store and update
114 $UMULL= "mullw"; # unsigned multiply low
115 $UMULH= "mulhwu"; # unsigned multiply high
116 $UDIV= "divwu"; # unsigned divide
117 $UCMPI= "cmplwi"; # unsigned compare with immediate
118 $UCMP= "cmplw"; # unsigned compare
119 $COUNTZ="cntlzw"; # count leading zeros
120 $SHL= "slw"; # shift left
121 $SHR= "srw"; # unsigned shift right
122 $SHRI= "srwi"; # unsigned shift right by immediate
123 $SHLI= "slwi"; # shift left by immediate
124 $CLRU= "clrlwi"; # clear upper bits
125 $INSR= "insrwi"; # insert right
126 $ROTL= "rotlwi"; # rotate left by immediate
127} elsif ($opf =~ /64\.s/) {
128 $BITS= 64;
129 $BNSZ= $BITS/8;
130 $ISA= "\"ppc64\"";
131
132 # same as above, but 64-bit mnemonics...
133 $LD= "ld"; # load
134 $LDU= "ldu"; # load and update
135 $ST= "std"; # store
136 $STU= "stdu"; # store and update
137 $UMULL= "mulld"; # unsigned multiply low
138 $UMULH= "mulhdu"; # unsigned multiply high
139 $UDIV= "divdu"; # unsigned divide
140 $UCMPI= "cmpldi"; # unsigned compare with immediate
141 $UCMP= "cmpld"; # unsigned compare
142 $COUNTZ="cntlzd"; # count leading zeros
143 $SHL= "sld"; # shift left
144 $SHR= "srd"; # unsigned shift right
145 $SHRI= "srdi"; # unsigned shift right by immediate
146 $SHLI= "sldi"; # shift left by immediate
147 $CLRU= "clrldi"; # clear upper bits
148 $INSR= "insrdi"; # insert right
149 $ROTL= "rotldi"; # rotate left by immediate
150} else { die "nonsense $opf"; }
151
152( defined shift || open STDOUT,">$opf" ) || die "can't open $opf: $!";
153
154# function entry points from the AIX code
155#
156# There are other, more elegant, ways to handle this. We (IBM) chose
157# this approach as it plays well with scripts we run to 'namespace'
158# OpenSSL .i.e. we add a prefix to all the public symbols so we can
159# co-exist in the same process with other implementations of OpenSSL.
160# 'cleverer' ways of doing these substitutions tend to hide data we
161# need to be obvious.
162#
163my @items = ("bn_sqr_comba4",
164 "bn_sqr_comba8",
165 "bn_mul_comba4",
166 "bn_mul_comba8",
167 "bn_sub_words",
168 "bn_add_words",
169 "bn_div_words",
170 "bn_sqr_words",
171 "bn_mul_words",
172 "bn_mul_add_words");
173
174if ($opf =~ /linux/) { do_linux(); }
175elsif ($opf =~ /aix/) { do_aix(); }
176elsif ($opf =~ /osx/) { do_osx(); }
177else { do_bsd(); }
178
179sub do_linux {
180 $d=&data();
181
182 if ($BITS==64) {
183 foreach $t (@items) {
184 $d =~ s/\.$t:/\
185\t.section\t".opd","aw"\
186\t.align\t3\
187\t.globl\t$t\
188$t:\
189\t.quad\t.$t,.TOC.\@tocbase,0\
190\t.size\t$t,24\
191\t.previous\n\
192\t.type\t.$t,\@function\
193\t.globl\t.$t\
194.$t:/g;
195 }
196 }
197 else {
198 foreach $t (@items) {
199 $d=~s/\.$t/$t/g;
200 }
201 }
202 # hide internal labels to avoid pollution of name table...
203 $d=~s/Lppcasm_/.Lppcasm_/gm;
204 print $d;
205}
206
207sub do_aix {
208 # AIX assembler is smart enough to please the linker without
209 # making us do something special...
210 print &data();
211}
212
213# MacOSX 32 bit
214sub do_osx {
215 $d=&data();
216 # Change the bn symbol prefix from '.' to '_'
217 foreach $t (@items) {
218 $d=~s/\.$t/_$t/g;
219 }
220 # Change .machine to something OS X asm will accept
221 $d=~s/\.machine.*/.text/g;
222 $d=~s/\#/;/g; # change comment from '#' to ';'
223 print $d;
224}
225
226# BSD (Untested)
227sub do_bsd {
228 $d=&data();
229 foreach $t (@items) {
230 $d=~s/\.$t/_$t/g;
231 }
232 print $d;
233}
234
235sub data {
236 local($data)=<<EOF;
237#--------------------------------------------------------------------
238#
239#
240#
241#
242# File: ppc32.s
243#
244# Created by: Suresh Chari
245# IBM Thomas J. Watson Research Library
246# Hawthorne, NY
247#
248#
249# Description: Optimized assembly routines for OpenSSL crypto
250# on the 32 bitPowerPC platform.
251#
252#
253# Version History
254#
255# 2. Fixed bn_add,bn_sub and bn_div_words, added comments,
256# cleaned up code. Also made a single version which can
257# be used for both the AIX and Linux compilers. See NOTE
258# below.
259# 12/05/03 Suresh Chari
260# (with lots of help from) Andy Polyakov
261##
262# 1. Initial version 10/20/02 Suresh Chari
263#
264#
265# The following file works for the xlc,cc
266# and gcc compilers.
267#
268# NOTE: To get the file to link correctly with the gcc compiler
269# you have to change the names of the routines and remove
270# the first .(dot) character. This should automatically
271# be done in the build process.
272#
273# Hand optimized assembly code for the following routines
274#
275# bn_sqr_comba4
276# bn_sqr_comba8
277# bn_mul_comba4
278# bn_mul_comba8
279# bn_sub_words
280# bn_add_words
281# bn_div_words
282# bn_sqr_words
283# bn_mul_words
284# bn_mul_add_words
285#
286# NOTE: It is possible to optimize this code more for
287# specific PowerPC or Power architectures. On the Northstar
288# architecture the optimizations in this file do
289# NOT provide much improvement.
290#
291# If you have comments or suggestions to improve code send
292# me a note at schari\@us.ibm.com
293#
294#--------------------------------------------------------------------------
295#
296# Defines to be used in the assembly code.
297#
298.set r0,0 # we use it as storage for value of 0
299.set SP,1 # preserved
300.set RTOC,2 # preserved
301.set r3,3 # 1st argument/return value
302.set r4,4 # 2nd argument/volatile register
303.set r5,5 # 3rd argument/volatile register
304.set r6,6 # ...
305.set r7,7
306.set r8,8
307.set r9,9
308.set r10,10
309.set r11,11
310.set r12,12
311.set r13,13 # not used, nor any other "below" it...
312
313.set BO_IF_NOT,4
314.set BO_IF,12
315.set BO_dCTR_NZERO,16
316.set BO_dCTR_ZERO,18
317.set BO_ALWAYS,20
318.set CR0_LT,0;
319.set CR0_GT,1;
320.set CR0_EQ,2
321.set CR1_FX,4;
322.set CR1_FEX,5;
323.set CR1_VX,6
324.set LR,8
325
326# Declare function names to be global
327# NOTE: For gcc these names MUST be changed to remove
328# the first . i.e. for example change ".bn_sqr_comba4"
329# to "bn_sqr_comba4". This should be automatically done
330# in the build.
331
332 .globl .bn_sqr_comba4
333 .globl .bn_sqr_comba8
334 .globl .bn_mul_comba4
335 .globl .bn_mul_comba8
336 .globl .bn_sub_words
337 .globl .bn_add_words
338 .globl .bn_div_words
339 .globl .bn_sqr_words
340 .globl .bn_mul_words
341 .globl .bn_mul_add_words
342
343# .text section
344
345 .machine $ISA
346
347#
348# NOTE: The following label name should be changed to
349# "bn_sqr_comba4" i.e. remove the first dot
350# for the gcc compiler. This should be automatically
351# done in the build
352#
353
354.align 4
355.bn_sqr_comba4:
356#
357# Optimized version of bn_sqr_comba4.
358#
359# void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
360# r3 contains r
361# r4 contains a
362#
363# Freely use registers r5,r6,r7,r8,r9,r10,r11 as follows:
364#
365# r5,r6 are the two BN_ULONGs being multiplied.
366# r7,r8 are the results of the 32x32 giving 64 bit multiply.
367# r9,r10, r11 are the equivalents of c1,c2, c3.
368# Here's the assembly
369#
370#
371 xor r0,r0,r0 # set r0 = 0. Used in the addze
372 # instructions below
373
374 #sqr_add_c(a,0,c1,c2,c3)
375 $LD r5,`0*$BNSZ`(r4)
376 $UMULL r9,r5,r5
377 $UMULH r10,r5,r5 #in first iteration. No need
378 #to add since c1=c2=c3=0.
379 # Note c3(r11) is NOT set to 0
380 # but will be.
381
382 $ST r9,`0*$BNSZ`(r3) # r[0]=c1;
383 # sqr_add_c2(a,1,0,c2,c3,c1);
384 $LD r6,`1*$BNSZ`(r4)
385 $UMULL r7,r5,r6
386 $UMULH r8,r5,r6
387
388 addc r7,r7,r7 # compute (r7,r8)=2*(r7,r8)
389 adde r8,r8,r8
390 addze r9,r0 # catch carry if any.
391 # r9= r0(=0) and carry
392
393 addc r10,r7,r10 # now add to temp result.
394 addze r11,r8 # r8 added to r11 which is 0
395 addze r9,r9
396
397 $ST r10,`1*$BNSZ`(r3) #r[1]=c2;
398 #sqr_add_c(a,1,c3,c1,c2)
399 $UMULL r7,r6,r6
400 $UMULH r8,r6,r6
401 addc r11,r7,r11
402 adde r9,r8,r9
403 addze r10,r0
404 #sqr_add_c2(a,2,0,c3,c1,c2)
405 $LD r6,`2*$BNSZ`(r4)
406 $UMULL r7,r5,r6
407 $UMULH r8,r5,r6
408
409 addc r7,r7,r7
410 adde r8,r8,r8
411 addze r10,r10
412
413 addc r11,r7,r11
414 adde r9,r8,r9
415 addze r10,r10
416 $ST r11,`2*$BNSZ`(r3) #r[2]=c3
417 #sqr_add_c2(a,3,0,c1,c2,c3);
418 $LD r6,`3*$BNSZ`(r4)
419 $UMULL r7,r5,r6
420 $UMULH r8,r5,r6
421 addc r7,r7,r7
422 adde r8,r8,r8
423 addze r11,r0
424
425 addc r9,r7,r9
426 adde r10,r8,r10
427 addze r11,r11
428 #sqr_add_c2(a,2,1,c1,c2,c3);
429 $LD r5,`1*$BNSZ`(r4)
430 $LD r6,`2*$BNSZ`(r4)
431 $UMULL r7,r5,r6
432 $UMULH r8,r5,r6
433
434 addc r7,r7,r7
435 adde r8,r8,r8
436 addze r11,r11
437 addc r9,r7,r9
438 adde r10,r8,r10
439 addze r11,r11
440 $ST r9,`3*$BNSZ`(r3) #r[3]=c1
441 #sqr_add_c(a,2,c2,c3,c1);
442 $UMULL r7,r6,r6
443 $UMULH r8,r6,r6
444 addc r10,r7,r10
445 adde r11,r8,r11
446 addze r9,r0
447 #sqr_add_c2(a,3,1,c2,c3,c1);
448 $LD r6,`3*$BNSZ`(r4)
449 $UMULL r7,r5,r6
450 $UMULH r8,r5,r6
451 addc r7,r7,r7
452 adde r8,r8,r8
453 addze r9,r9
454
455 addc r10,r7,r10
456 adde r11,r8,r11
457 addze r9,r9
458 $ST r10,`4*$BNSZ`(r3) #r[4]=c2
459 #sqr_add_c2(a,3,2,c3,c1,c2);
460 $LD r5,`2*$BNSZ`(r4)
461 $UMULL r7,r5,r6
462 $UMULH r8,r5,r6
463 addc r7,r7,r7
464 adde r8,r8,r8
465 addze r10,r0
466
467 addc r11,r7,r11
468 adde r9,r8,r9
469 addze r10,r10
470 $ST r11,`5*$BNSZ`(r3) #r[5] = c3
471 #sqr_add_c(a,3,c1,c2,c3);
472 $UMULL r7,r6,r6
473 $UMULH r8,r6,r6
474 addc r9,r7,r9
475 adde r10,r8,r10
476
477 $ST r9,`6*$BNSZ`(r3) #r[6]=c1
478 $ST r10,`7*$BNSZ`(r3) #r[7]=c2
479 bclr BO_ALWAYS,CR0_LT
480 .long 0x00000000
481
482#
483# NOTE: The following label name should be changed to
484# "bn_sqr_comba8" i.e. remove the first dot
485# for the gcc compiler. This should be automatically
486# done in the build
487#
488
489.align 4
490.bn_sqr_comba8:
491#
492# This is an optimized version of the bn_sqr_comba8 routine.
493# Tightly uses the adde instruction
494#
495#
496# void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
497# r3 contains r
498# r4 contains a
499#
500# Freely use registers r5,r6,r7,r8,r9,r10,r11 as follows:
501#
502# r5,r6 are the two BN_ULONGs being multiplied.
503# r7,r8 are the results of the 32x32 giving 64 bit multiply.
504# r9,r10, r11 are the equivalents of c1,c2, c3.
505#
506# Possible optimization of loading all 8 longs of a into registers
507# doesnt provide any speedup
508#
509
510 xor r0,r0,r0 #set r0 = 0.Used in addze
511 #instructions below.
512
513 #sqr_add_c(a,0,c1,c2,c3);
514 $LD r5,`0*$BNSZ`(r4)
515 $UMULL r9,r5,r5 #1st iteration: no carries.
516 $UMULH r10,r5,r5
517 $ST r9,`0*$BNSZ`(r3) # r[0]=c1;
518 #sqr_add_c2(a,1,0,c2,c3,c1);
519 $LD r6,`1*$BNSZ`(r4)
520 $UMULL r7,r5,r6
521 $UMULH r8,r5,r6
522
523 addc r10,r7,r10 #add the two register number
524 adde r11,r8,r0 # (r8,r7) to the three register
525 addze r9,r0 # number (r9,r11,r10).NOTE:r0=0
526
527 addc r10,r7,r10 #add the two register number
528 adde r11,r8,r11 # (r8,r7) to the three register
529 addze r9,r9 # number (r9,r11,r10).
530
531 $ST r10,`1*$BNSZ`(r3) # r[1]=c2
532
533 #sqr_add_c(a,1,c3,c1,c2);
534 $UMULL r7,r6,r6
535 $UMULH r8,r6,r6
536 addc r11,r7,r11
537 adde r9,r8,r9
538 addze r10,r0
539 #sqr_add_c2(a,2,0,c3,c1,c2);
540 $LD r6,`2*$BNSZ`(r4)
541 $UMULL r7,r5,r6
542 $UMULH r8,r5,r6
543
544 addc r11,r7,r11
545 adde r9,r8,r9
546 addze r10,r10
547
548 addc r11,r7,r11
549 adde r9,r8,r9
550 addze r10,r10
551
552 $ST r11,`2*$BNSZ`(r3) #r[2]=c3
553 #sqr_add_c2(a,3,0,c1,c2,c3);
554 $LD r6,`3*$BNSZ`(r4) #r6 = a[3]. r5 is already a[0].
555 $UMULL r7,r5,r6
556 $UMULH r8,r5,r6
557
558 addc r9,r7,r9
559 adde r10,r8,r10
560 addze r11,r0
561
562 addc r9,r7,r9
563 adde r10,r8,r10
564 addze r11,r11
565 #sqr_add_c2(a,2,1,c1,c2,c3);
566 $LD r5,`1*$BNSZ`(r4)
567 $LD r6,`2*$BNSZ`(r4)
568 $UMULL r7,r5,r6
569 $UMULH r8,r5,r6
570
571 addc r9,r7,r9
572 adde r10,r8,r10
573 addze r11,r11
574
575 addc r9,r7,r9
576 adde r10,r8,r10
577 addze r11,r11
578
579 $ST r9,`3*$BNSZ`(r3) #r[3]=c1;
580 #sqr_add_c(a,2,c2,c3,c1);
581 $UMULL r7,r6,r6
582 $UMULH r8,r6,r6
583
584 addc r10,r7,r10
585 adde r11,r8,r11
586 addze r9,r0
587 #sqr_add_c2(a,3,1,c2,c3,c1);
588 $LD r6,`3*$BNSZ`(r4)
589 $UMULL r7,r5,r6
590 $UMULH r8,r5,r6
591
592 addc r10,r7,r10
593 adde r11,r8,r11
594 addze r9,r9
595
596 addc r10,r7,r10
597 adde r11,r8,r11
598 addze r9,r9
599 #sqr_add_c2(a,4,0,c2,c3,c1);
600 $LD r5,`0*$BNSZ`(r4)
601 $LD r6,`4*$BNSZ`(r4)
602 $UMULL r7,r5,r6
603 $UMULH r8,r5,r6
604
605 addc r10,r7,r10
606 adde r11,r8,r11
607 addze r9,r9
608
609 addc r10,r7,r10
610 adde r11,r8,r11
611 addze r9,r9
612 $ST r10,`4*$BNSZ`(r3) #r[4]=c2;
613 #sqr_add_c2(a,5,0,c3,c1,c2);
614 $LD r6,`5*$BNSZ`(r4)
615 $UMULL r7,r5,r6
616 $UMULH r8,r5,r6
617
618 addc r11,r7,r11
619 adde r9,r8,r9
620 addze r10,r0
621
622 addc r11,r7,r11
623 adde r9,r8,r9
624 addze r10,r10
625 #sqr_add_c2(a,4,1,c3,c1,c2);
626 $LD r5,`1*$BNSZ`(r4)
627 $LD r6,`4*$BNSZ`(r4)
628 $UMULL r7,r5,r6
629 $UMULH r8,r5,r6
630
631 addc r11,r7,r11
632 adde r9,r8,r9
633 addze r10,r10
634
635 addc r11,r7,r11
636 adde r9,r8,r9
637 addze r10,r10
638 #sqr_add_c2(a,3,2,c3,c1,c2);
639 $LD r5,`2*$BNSZ`(r4)
640 $LD r6,`3*$BNSZ`(r4)
641 $UMULL r7,r5,r6
642 $UMULH r8,r5,r6
643
644 addc r11,r7,r11
645 adde r9,r8,r9
646 addze r10,r10
647
648 addc r11,r7,r11
649 adde r9,r8,r9
650 addze r10,r10
651 $ST r11,`5*$BNSZ`(r3) #r[5]=c3;
652 #sqr_add_c(a,3,c1,c2,c3);
653 $UMULL r7,r6,r6
654 $UMULH r8,r6,r6
655 addc r9,r7,r9
656 adde r10,r8,r10
657 addze r11,r0
658 #sqr_add_c2(a,4,2,c1,c2,c3);
659 $LD r6,`4*$BNSZ`(r4)
660 $UMULL r7,r5,r6
661 $UMULH r8,r5,r6
662
663 addc r9,r7,r9
664 adde r10,r8,r10
665 addze r11,r11
666
667 addc r9,r7,r9
668 adde r10,r8,r10
669 addze r11,r11
670 #sqr_add_c2(a,5,1,c1,c2,c3);
671 $LD r5,`1*$BNSZ`(r4)
672 $LD r6,`5*$BNSZ`(r4)
673 $UMULL r7,r5,r6
674 $UMULH r8,r5,r6
675
676 addc r9,r7,r9
677 adde r10,r8,r10
678 addze r11,r11
679
680 addc r9,r7,r9
681 adde r10,r8,r10
682 addze r11,r11
683 #sqr_add_c2(a,6,0,c1,c2,c3);
684 $LD r5,`0*$BNSZ`(r4)
685 $LD r6,`6*$BNSZ`(r4)
686 $UMULL r7,r5,r6
687 $UMULH r8,r5,r6
688 addc r9,r7,r9
689 adde r10,r8,r10
690 addze r11,r11
691 addc r9,r7,r9
692 adde r10,r8,r10
693 addze r11,r11
694 $ST r9,`6*$BNSZ`(r3) #r[6]=c1;
695 #sqr_add_c2(a,7,0,c2,c3,c1);
696 $LD r6,`7*$BNSZ`(r4)
697 $UMULL r7,r5,r6
698 $UMULH r8,r5,r6
699
700 addc r10,r7,r10
701 adde r11,r8,r11
702 addze r9,r0
703 addc r10,r7,r10
704 adde r11,r8,r11
705 addze r9,r9
706 #sqr_add_c2(a,6,1,c2,c3,c1);
707 $LD r5,`1*$BNSZ`(r4)
708 $LD r6,`6*$BNSZ`(r4)
709 $UMULL r7,r5,r6
710 $UMULH r8,r5,r6
711
712 addc r10,r7,r10
713 adde r11,r8,r11
714 addze r9,r9
715 addc r10,r7,r10
716 adde r11,r8,r11
717 addze r9,r9
718 #sqr_add_c2(a,5,2,c2,c3,c1);
719 $LD r5,`2*$BNSZ`(r4)
720 $LD r6,`5*$BNSZ`(r4)
721 $UMULL r7,r5,r6
722 $UMULH r8,r5,r6
723 addc r10,r7,r10
724 adde r11,r8,r11
725 addze r9,r9
726 addc r10,r7,r10
727 adde r11,r8,r11
728 addze r9,r9
729 #sqr_add_c2(a,4,3,c2,c3,c1);
730 $LD r5,`3*$BNSZ`(r4)
731 $LD r6,`4*$BNSZ`(r4)
732 $UMULL r7,r5,r6
733 $UMULH r8,r5,r6
734
735 addc r10,r7,r10
736 adde r11,r8,r11
737 addze r9,r9
738 addc r10,r7,r10
739 adde r11,r8,r11
740 addze r9,r9
741 $ST r10,`7*$BNSZ`(r3) #r[7]=c2;
742 #sqr_add_c(a,4,c3,c1,c2);
743 $UMULL r7,r6,r6
744 $UMULH r8,r6,r6
745 addc r11,r7,r11
746 adde r9,r8,r9
747 addze r10,r0
748 #sqr_add_c2(a,5,3,c3,c1,c2);
749 $LD r6,`5*$BNSZ`(r4)
750 $UMULL r7,r5,r6
751 $UMULH r8,r5,r6
752 addc r11,r7,r11
753 adde r9,r8,r9
754 addze r10,r10
755 addc r11,r7,r11
756 adde r9,r8,r9
757 addze r10,r10
758 #sqr_add_c2(a,6,2,c3,c1,c2);
759 $LD r5,`2*$BNSZ`(r4)
760 $LD r6,`6*$BNSZ`(r4)
761 $UMULL r7,r5,r6
762 $UMULH r8,r5,r6
763 addc r11,r7,r11
764 adde r9,r8,r9
765 addze r10,r10
766
767 addc r11,r7,r11
768 adde r9,r8,r9
769 addze r10,r10
770 #sqr_add_c2(a,7,1,c3,c1,c2);
771 $LD r5,`1*$BNSZ`(r4)
772 $LD r6,`7*$BNSZ`(r4)
773 $UMULL r7,r5,r6
774 $UMULH r8,r5,r6
775 addc r11,r7,r11
776 adde r9,r8,r9
777 addze r10,r10
778 addc r11,r7,r11
779 adde r9,r8,r9
780 addze r10,r10
781 $ST r11,`8*$BNSZ`(r3) #r[8]=c3;
782 #sqr_add_c2(a,7,2,c1,c2,c3);
783 $LD r5,`2*$BNSZ`(r4)
784 $UMULL r7,r5,r6
785 $UMULH r8,r5,r6
786
787 addc r9,r7,r9
788 adde r10,r8,r10
789 addze r11,r0
790 addc r9,r7,r9
791 adde r10,r8,r10
792 addze r11,r11
793 #sqr_add_c2(a,6,3,c1,c2,c3);
794 $LD r5,`3*$BNSZ`(r4)
795 $LD r6,`6*$BNSZ`(r4)
796 $UMULL r7,r5,r6
797 $UMULH r8,r5,r6
798 addc r9,r7,r9
799 adde r10,r8,r10
800 addze r11,r11
801 addc r9,r7,r9
802 adde r10,r8,r10
803 addze r11,r11
804 #sqr_add_c2(a,5,4,c1,c2,c3);
805 $LD r5,`4*$BNSZ`(r4)
806 $LD r6,`5*$BNSZ`(r4)
807 $UMULL r7,r5,r6
808 $UMULH r8,r5,r6
809 addc r9,r7,r9
810 adde r10,r8,r10
811 addze r11,r11
812 addc r9,r7,r9
813 adde r10,r8,r10
814 addze r11,r11
815 $ST r9,`9*$BNSZ`(r3) #r[9]=c1;
816 #sqr_add_c(a,5,c2,c3,c1);
817 $UMULL r7,r6,r6
818 $UMULH r8,r6,r6
819 addc r10,r7,r10
820 adde r11,r8,r11
821 addze r9,r0
822 #sqr_add_c2(a,6,4,c2,c3,c1);
823 $LD r6,`6*$BNSZ`(r4)
824 $UMULL r7,r5,r6
825 $UMULH r8,r5,r6
826 addc r10,r7,r10
827 adde r11,r8,r11
828 addze r9,r9
829 addc r10,r7,r10
830 adde r11,r8,r11
831 addze r9,r9
832 #sqr_add_c2(a,7,3,c2,c3,c1);
833 $LD r5,`3*$BNSZ`(r4)
834 $LD r6,`7*$BNSZ`(r4)
835 $UMULL r7,r5,r6
836 $UMULH r8,r5,r6
837 addc r10,r7,r10
838 adde r11,r8,r11
839 addze r9,r9
840 addc r10,r7,r10
841 adde r11,r8,r11
842 addze r9,r9
843 $ST r10,`10*$BNSZ`(r3) #r[10]=c2;
844 #sqr_add_c2(a,7,4,c3,c1,c2);
845 $LD r5,`4*$BNSZ`(r4)
846 $UMULL r7,r5,r6
847 $UMULH r8,r5,r6
848 addc r11,r7,r11
849 adde r9,r8,r9
850 addze r10,r0
851 addc r11,r7,r11
852 adde r9,r8,r9
853 addze r10,r10
854 #sqr_add_c2(a,6,5,c3,c1,c2);
855 $LD r5,`5*$BNSZ`(r4)
856 $LD r6,`6*$BNSZ`(r4)
857 $UMULL r7,r5,r6
858 $UMULH r8,r5,r6
859 addc r11,r7,r11
860 adde r9,r8,r9
861 addze r10,r10
862 addc r11,r7,r11
863 adde r9,r8,r9
864 addze r10,r10
865 $ST r11,`11*$BNSZ`(r3) #r[11]=c3;
866 #sqr_add_c(a,6,c1,c2,c3);
867 $UMULL r7,r6,r6
868 $UMULH r8,r6,r6
869 addc r9,r7,r9
870 adde r10,r8,r10
871 addze r11,r0
872 #sqr_add_c2(a,7,5,c1,c2,c3)
873 $LD r6,`7*$BNSZ`(r4)
874 $UMULL r7,r5,r6
875 $UMULH r8,r5,r6
876 addc r9,r7,r9
877 adde r10,r8,r10
878 addze r11,r11
879 addc r9,r7,r9
880 adde r10,r8,r10
881 addze r11,r11
882 $ST r9,`12*$BNSZ`(r3) #r[12]=c1;
883
884 #sqr_add_c2(a,7,6,c2,c3,c1)
885 $LD r5,`6*$BNSZ`(r4)
886 $UMULL r7,r5,r6
887 $UMULH r8,r5,r6
888 addc r10,r7,r10
889 adde r11,r8,r11
890 addze r9,r0
891 addc r10,r7,r10
892 adde r11,r8,r11
893 addze r9,r9
894 $ST r10,`13*$BNSZ`(r3) #r[13]=c2;
895 #sqr_add_c(a,7,c3,c1,c2);
896 $UMULL r7,r6,r6
897 $UMULH r8,r6,r6
898 addc r11,r7,r11
899 adde r9,r8,r9
900 $ST r11,`14*$BNSZ`(r3) #r[14]=c3;
901 $ST r9, `15*$BNSZ`(r3) #r[15]=c1;
902
903
904 bclr BO_ALWAYS,CR0_LT
905
906 .long 0x00000000
907
908#
909# NOTE: The following label name should be changed to
910# "bn_mul_comba4" i.e. remove the first dot
911# for the gcc compiler. This should be automatically
912# done in the build
913#
914
915.align 4
916.bn_mul_comba4:
917#
918# This is an optimized version of the bn_mul_comba4 routine.
919#
920# void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
921# r3 contains r
922# r4 contains a
923# r5 contains b
924# r6, r7 are the 2 BN_ULONGs being multiplied.
925# r8, r9 are the results of the 32x32 giving 64 multiply.
926# r10, r11, r12 are the equivalents of c1, c2, and c3.
927#
928 xor r0,r0,r0 #r0=0. Used in addze below.
929 #mul_add_c(a[0],b[0],c1,c2,c3);
930 $LD r6,`0*$BNSZ`(r4)
931 $LD r7,`0*$BNSZ`(r5)
932 $UMULL r10,r6,r7
933 $UMULH r11,r6,r7
934 $ST r10,`0*$BNSZ`(r3) #r[0]=c1
935 #mul_add_c(a[0],b[1],c2,c3,c1);
936 $LD r7,`1*$BNSZ`(r5)
937 $UMULL r8,r6,r7
938 $UMULH r9,r6,r7
939 addc r11,r8,r11
940 adde r12,r9,r0
941 addze r10,r0
942 #mul_add_c(a[1],b[0],c2,c3,c1);
943 $LD r6, `1*$BNSZ`(r4)
944 $LD r7, `0*$BNSZ`(r5)
945 $UMULL r8,r6,r7
946 $UMULH r9,r6,r7
947 addc r11,r8,r11
948 adde r12,r9,r12
949 addze r10,r10
950 $ST r11,`1*$BNSZ`(r3) #r[1]=c2
951 #mul_add_c(a[2],b[0],c3,c1,c2);
952 $LD r6,`2*$BNSZ`(r4)
953 $UMULL r8,r6,r7
954 $UMULH r9,r6,r7
955 addc r12,r8,r12
956 adde r10,r9,r10
957 addze r11,r0
958 #mul_add_c(a[1],b[1],c3,c1,c2);
959 $LD r6,`1*$BNSZ`(r4)
960 $LD r7,`1*$BNSZ`(r5)
961 $UMULL r8,r6,r7
962 $UMULH r9,r6,r7
963 addc r12,r8,r12
964 adde r10,r9,r10
965 addze r11,r11
966 #mul_add_c(a[0],b[2],c3,c1,c2);
967 $LD r6,`0*$BNSZ`(r4)
968 $LD r7,`2*$BNSZ`(r5)
969 $UMULL r8,r6,r7
970 $UMULH r9,r6,r7
971 addc r12,r8,r12
972 adde r10,r9,r10
973 addze r11,r11
974 $ST r12,`2*$BNSZ`(r3) #r[2]=c3
975 #mul_add_c(a[0],b[3],c1,c2,c3);
976 $LD r7,`3*$BNSZ`(r5)
977 $UMULL r8,r6,r7
978 $UMULH r9,r6,r7
979 addc r10,r8,r10
980 adde r11,r9,r11
981 addze r12,r0
982 #mul_add_c(a[1],b[2],c1,c2,c3);
983 $LD r6,`1*$BNSZ`(r4)
984 $LD r7,`2*$BNSZ`(r5)
985 $UMULL r8,r6,r7
986 $UMULH r9,r6,r7
987 addc r10,r8,r10
988 adde r11,r9,r11
989 addze r12,r12
990 #mul_add_c(a[2],b[1],c1,c2,c3);
991 $LD r6,`2*$BNSZ`(r4)
992 $LD r7,`1*$BNSZ`(r5)
993 $UMULL r8,r6,r7
994 $UMULH r9,r6,r7
995 addc r10,r8,r10
996 adde r11,r9,r11
997 addze r12,r12
998 #mul_add_c(a[3],b[0],c1,c2,c3);
999 $LD r6,`3*$BNSZ`(r4)
1000 $LD r7,`0*$BNSZ`(r5)
1001 $UMULL r8,r6,r7
1002 $UMULH r9,r6,r7
1003 addc r10,r8,r10
1004 adde r11,r9,r11
1005 addze r12,r12
1006 $ST r10,`3*$BNSZ`(r3) #r[3]=c1
1007 #mul_add_c(a[3],b[1],c2,c3,c1);
1008 $LD r7,`1*$BNSZ`(r5)
1009 $UMULL r8,r6,r7
1010 $UMULH r9,r6,r7
1011 addc r11,r8,r11
1012 adde r12,r9,r12
1013 addze r10,r0
1014 #mul_add_c(a[2],b[2],c2,c3,c1);
1015 $LD r6,`2*$BNSZ`(r4)
1016 $LD r7,`2*$BNSZ`(r5)
1017 $UMULL r8,r6,r7
1018 $UMULH r9,r6,r7
1019 addc r11,r8,r11
1020 adde r12,r9,r12
1021 addze r10,r10
1022 #mul_add_c(a[1],b[3],c2,c3,c1);
1023 $LD r6,`1*$BNSZ`(r4)
1024 $LD r7,`3*$BNSZ`(r5)
1025 $UMULL r8,r6,r7
1026 $UMULH r9,r6,r7
1027 addc r11,r8,r11
1028 adde r12,r9,r12
1029 addze r10,r10
1030 $ST r11,`4*$BNSZ`(r3) #r[4]=c2
1031 #mul_add_c(a[2],b[3],c3,c1,c2);
1032 $LD r6,`2*$BNSZ`(r4)
1033 $UMULL r8,r6,r7
1034 $UMULH r9,r6,r7
1035 addc r12,r8,r12
1036 adde r10,r9,r10
1037 addze r11,r0
1038 #mul_add_c(a[3],b[2],c3,c1,c2);
1039 $LD r6,`3*$BNSZ`(r4)
1040 $LD r7,`2*$BNSZ`(r4)
1041 $UMULL r8,r6,r7
1042 $UMULH r9,r6,r7
1043 addc r12,r8,r12
1044 adde r10,r9,r10
1045 addze r11,r11
1046 $ST r12,`5*$BNSZ`(r3) #r[5]=c3
1047 #mul_add_c(a[3],b[3],c1,c2,c3);
1048 $LD r7,`3*$BNSZ`(r5)
1049 $UMULL r8,r6,r7
1050 $UMULH r9,r6,r7
1051 addc r10,r8,r10
1052 adde r11,r9,r11
1053
1054 $ST r10,`6*$BNSZ`(r3) #r[6]=c1
1055 $ST r11,`7*$BNSZ`(r3) #r[7]=c2
1056 bclr BO_ALWAYS,CR0_LT
1057 .long 0x00000000
1058
1059#
1060# NOTE: The following label name should be changed to
1061# "bn_mul_comba8" i.e. remove the first dot
1062# for the gcc compiler. This should be automatically
1063# done in the build
1064#
1065
1066.align 4
1067.bn_mul_comba8:
1068#
1069# Optimized version of the bn_mul_comba8 routine.
1070#
1071# void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
1072# r3 contains r
1073# r4 contains a
1074# r5 contains b
1075# r6, r7 are the 2 BN_ULONGs being multiplied.
1076# r8, r9 are the results of the 32x32 giving 64 multiply.
1077# r10, r11, r12 are the equivalents of c1, c2, and c3.
1078#
1079 xor r0,r0,r0 #r0=0. Used in addze below.
1080
1081 #mul_add_c(a[0],b[0],c1,c2,c3);
1082 $LD r6,`0*$BNSZ`(r4) #a[0]
1083 $LD r7,`0*$BNSZ`(r5) #b[0]
1084 $UMULL r10,r6,r7
1085 $UMULH r11,r6,r7
1086 $ST r10,`0*$BNSZ`(r3) #r[0]=c1;
1087 #mul_add_c(a[0],b[1],c2,c3,c1);
1088 $LD r7,`1*$BNSZ`(r5)
1089 $UMULL r8,r6,r7
1090 $UMULH r9,r6,r7
1091 addc r11,r11,r8
1092 addze r12,r9 # since we didnt set r12 to zero before.
1093 addze r10,r0
1094 #mul_add_c(a[1],b[0],c2,c3,c1);
1095 $LD r6,`1*$BNSZ`(r4)
1096 $LD r7,`0*$BNSZ`(r5)
1097 $UMULL r8,r6,r7
1098 $UMULH r9,r6,r7
1099 addc r11,r11,r8
1100 adde r12,r12,r9
1101 addze r10,r10
1102 $ST r11,`1*$BNSZ`(r3) #r[1]=c2;
1103 #mul_add_c(a[2],b[0],c3,c1,c2);
1104 $LD r6,`2*$BNSZ`(r4)
1105 $UMULL r8,r6,r7
1106 $UMULH r9,r6,r7
1107 addc r12,r12,r8
1108 adde r10,r10,r9
1109 addze r11,r0
1110 #mul_add_c(a[1],b[1],c3,c1,c2);
1111 $LD r6,`1*$BNSZ`(r4)
1112 $LD r7,`1*$BNSZ`(r5)
1113 $UMULL r8,r6,r7
1114 $UMULH r9,r6,r7
1115 addc r12,r12,r8
1116 adde r10,r10,r9
1117 addze r11,r11
1118 #mul_add_c(a[0],b[2],c3,c1,c2);
1119 $LD r6,`0*$BNSZ`(r4)
1120 $LD r7,`2*$BNSZ`(r5)
1121 $UMULL r8,r6,r7
1122 $UMULH r9,r6,r7
1123 addc r12,r12,r8
1124 adde r10,r10,r9
1125 addze r11,r11
1126 $ST r12,`2*$BNSZ`(r3) #r[2]=c3;
1127 #mul_add_c(a[0],b[3],c1,c2,c3);
1128 $LD r7,`3*$BNSZ`(r5)
1129 $UMULL r8,r6,r7
1130 $UMULH r9,r6,r7
1131 addc r10,r10,r8
1132 adde r11,r11,r9
1133 addze r12,r0
1134 #mul_add_c(a[1],b[2],c1,c2,c3);
1135 $LD r6,`1*$BNSZ`(r4)
1136 $LD r7,`2*$BNSZ`(r5)
1137 $UMULL r8,r6,r7
1138 $UMULH r9,r6,r7
1139 addc r10,r10,r8
1140 adde r11,r11,r9
1141 addze r12,r12
1142
1143 #mul_add_c(a[2],b[1],c1,c2,c3);
1144 $LD r6,`2*$BNSZ`(r4)
1145 $LD r7,`1*$BNSZ`(r5)
1146 $UMULL r8,r6,r7
1147 $UMULH r9,r6,r7
1148 addc r10,r10,r8
1149 adde r11,r11,r9
1150 addze r12,r12
1151 #mul_add_c(a[3],b[0],c1,c2,c3);
1152 $LD r6,`3*$BNSZ`(r4)
1153 $LD r7,`0*$BNSZ`(r5)
1154 $UMULL r8,r6,r7
1155 $UMULH r9,r6,r7
1156 addc r10,r10,r8
1157 adde r11,r11,r9
1158 addze r12,r12
1159 $ST r10,`3*$BNSZ`(r3) #r[3]=c1;
1160 #mul_add_c(a[4],b[0],c2,c3,c1);
1161 $LD r6,`4*$BNSZ`(r4)
1162 $UMULL r8,r6,r7
1163 $UMULH r9,r6,r7
1164 addc r11,r11,r8
1165 adde r12,r12,r9
1166 addze r10,r0
1167 #mul_add_c(a[3],b[1],c2,c3,c1);
1168 $LD r6,`3*$BNSZ`(r4)
1169 $LD r7,`1*$BNSZ`(r5)
1170 $UMULL r8,r6,r7
1171 $UMULH r9,r6,r7
1172 addc r11,r11,r8
1173 adde r12,r12,r9
1174 addze r10,r10
1175 #mul_add_c(a[2],b[2],c2,c3,c1);
1176 $LD r6,`2*$BNSZ`(r4)
1177 $LD r7,`2*$BNSZ`(r5)
1178 $UMULL r8,r6,r7
1179 $UMULH r9,r6,r7
1180 addc r11,r11,r8
1181 adde r12,r12,r9
1182 addze r10,r10
1183 #mul_add_c(a[1],b[3],c2,c3,c1);
1184 $LD r6,`1*$BNSZ`(r4)
1185 $LD r7,`3*$BNSZ`(r5)
1186 $UMULL r8,r6,r7
1187 $UMULH r9,r6,r7
1188 addc r11,r11,r8
1189 adde r12,r12,r9
1190 addze r10,r10
1191 #mul_add_c(a[0],b[4],c2,c3,c1);
1192 $LD r6,`0*$BNSZ`(r4)
1193 $LD r7,`4*$BNSZ`(r5)
1194 $UMULL r8,r6,r7
1195 $UMULH r9,r6,r7
1196 addc r11,r11,r8
1197 adde r12,r12,r9
1198 addze r10,r10
1199 $ST r11,`4*$BNSZ`(r3) #r[4]=c2;
1200 #mul_add_c(a[0],b[5],c3,c1,c2);
1201 $LD r7,`5*$BNSZ`(r5)
1202 $UMULL r8,r6,r7
1203 $UMULH r9,r6,r7
1204 addc r12,r12,r8
1205 adde r10,r10,r9
1206 addze r11,r0
1207 #mul_add_c(a[1],b[4],c3,c1,c2);
1208 $LD r6,`1*$BNSZ`(r4)
1209 $LD r7,`4*$BNSZ`(r5)
1210 $UMULL r8,r6,r7
1211 $UMULH r9,r6,r7
1212 addc r12,r12,r8
1213 adde r10,r10,r9
1214 addze r11,r11
1215 #mul_add_c(a[2],b[3],c3,c1,c2);
1216 $LD r6,`2*$BNSZ`(r4)
1217 $LD r7,`3*$BNSZ`(r5)
1218 $UMULL r8,r6,r7
1219 $UMULH r9,r6,r7
1220 addc r12,r12,r8
1221 adde r10,r10,r9
1222 addze r11,r11
1223 #mul_add_c(a[3],b[2],c3,c1,c2);
1224 $LD r6,`3*$BNSZ`(r4)
1225 $LD r7,`2*$BNSZ`(r5)
1226 $UMULL r8,r6,r7
1227 $UMULH r9,r6,r7
1228 addc r12,r12,r8
1229 adde r10,r10,r9
1230 addze r11,r11
1231 #mul_add_c(a[4],b[1],c3,c1,c2);
1232 $LD r6,`4*$BNSZ`(r4)
1233 $LD r7,`1*$BNSZ`(r5)
1234 $UMULL r8,r6,r7
1235 $UMULH r9,r6,r7
1236 addc r12,r12,r8
1237 adde r10,r10,r9
1238 addze r11,r11
1239 #mul_add_c(a[5],b[0],c3,c1,c2);
1240 $LD r6,`5*$BNSZ`(r4)
1241 $LD r7,`0*$BNSZ`(r5)
1242 $UMULL r8,r6,r7
1243 $UMULH r9,r6,r7
1244 addc r12,r12,r8
1245 adde r10,r10,r9
1246 addze r11,r11
1247 $ST r12,`5*$BNSZ`(r3) #r[5]=c3;
1248 #mul_add_c(a[6],b[0],c1,c2,c3);
1249 $LD r6,`6*$BNSZ`(r4)
1250 $UMULL r8,r6,r7
1251 $UMULH r9,r6,r7
1252 addc r10,r10,r8
1253 adde r11,r11,r9
1254 addze r12,r0
1255 #mul_add_c(a[5],b[1],c1,c2,c3);
1256 $LD r6,`5*$BNSZ`(r4)
1257 $LD r7,`1*$BNSZ`(r5)
1258 $UMULL r8,r6,r7
1259 $UMULH r9,r6,r7
1260 addc r10,r10,r8
1261 adde r11,r11,r9
1262 addze r12,r12
1263 #mul_add_c(a[4],b[2],c1,c2,c3);
1264 $LD r6,`4*$BNSZ`(r4)
1265 $LD r7,`2*$BNSZ`(r5)
1266 $UMULL r8,r6,r7
1267 $UMULH r9,r6,r7
1268 addc r10,r10,r8
1269 adde r11,r11,r9
1270 addze r12,r12
1271 #mul_add_c(a[3],b[3],c1,c2,c3);
1272 $LD r6,`3*$BNSZ`(r4)
1273 $LD r7,`3*$BNSZ`(r5)
1274 $UMULL r8,r6,r7
1275 $UMULH r9,r6,r7
1276 addc r10,r10,r8
1277 adde r11,r11,r9
1278 addze r12,r12
1279 #mul_add_c(a[2],b[4],c1,c2,c3);
1280 $LD r6,`2*$BNSZ`(r4)
1281 $LD r7,`4*$BNSZ`(r5)
1282 $UMULL r8,r6,r7
1283 $UMULH r9,r6,r7
1284 addc r10,r10,r8
1285 adde r11,r11,r9
1286 addze r12,r12
1287 #mul_add_c(a[1],b[5],c1,c2,c3);
1288 $LD r6,`1*$BNSZ`(r4)
1289 $LD r7,`5*$BNSZ`(r5)
1290 $UMULL r8,r6,r7
1291 $UMULH r9,r6,r7
1292 addc r10,r10,r8
1293 adde r11,r11,r9
1294 addze r12,r12
1295 #mul_add_c(a[0],b[6],c1,c2,c3);
1296 $LD r6,`0*$BNSZ`(r4)
1297 $LD r7,`6*$BNSZ`(r5)
1298 $UMULL r8,r6,r7
1299 $UMULH r9,r6,r7
1300 addc r10,r10,r8
1301 adde r11,r11,r9
1302 addze r12,r12
1303 $ST r10,`6*$BNSZ`(r3) #r[6]=c1;
1304 #mul_add_c(a[0],b[7],c2,c3,c1);
1305 $LD r7,`7*$BNSZ`(r5)
1306 $UMULL r8,r6,r7
1307 $UMULH r9,r6,r7
1308 addc r11,r11,r8
1309 adde r12,r12,r9
1310 addze r10,r0
1311 #mul_add_c(a[1],b[6],c2,c3,c1);
1312 $LD r6,`1*$BNSZ`(r4)
1313 $LD r7,`6*$BNSZ`(r5)
1314 $UMULL r8,r6,r7
1315 $UMULH r9,r6,r7
1316 addc r11,r11,r8
1317 adde r12,r12,r9
1318 addze r10,r10
1319 #mul_add_c(a[2],b[5],c2,c3,c1);
1320 $LD r6,`2*$BNSZ`(r4)
1321 $LD r7,`5*$BNSZ`(r5)
1322 $UMULL r8,r6,r7
1323 $UMULH r9,r6,r7
1324 addc r11,r11,r8
1325 adde r12,r12,r9
1326 addze r10,r10
1327 #mul_add_c(a[3],b[4],c2,c3,c1);
1328 $LD r6,`3*$BNSZ`(r4)
1329 $LD r7,`4*$BNSZ`(r5)
1330 $UMULL r8,r6,r7
1331 $UMULH r9,r6,r7
1332 addc r11,r11,r8
1333 adde r12,r12,r9
1334 addze r10,r10
1335 #mul_add_c(a[4],b[3],c2,c3,c1);
1336 $LD r6,`4*$BNSZ`(r4)
1337 $LD r7,`3*$BNSZ`(r5)
1338 $UMULL r8,r6,r7
1339 $UMULH r9,r6,r7
1340 addc r11,r11,r8
1341 adde r12,r12,r9
1342 addze r10,r10
1343 #mul_add_c(a[5],b[2],c2,c3,c1);
1344 $LD r6,`5*$BNSZ`(r4)
1345 $LD r7,`2*$BNSZ`(r5)
1346 $UMULL r8,r6,r7
1347 $UMULH r9,r6,r7
1348 addc r11,r11,r8
1349 adde r12,r12,r9
1350 addze r10,r10
1351 #mul_add_c(a[6],b[1],c2,c3,c1);
1352 $LD r6,`6*$BNSZ`(r4)
1353 $LD r7,`1*$BNSZ`(r5)
1354 $UMULL r8,r6,r7
1355 $UMULH r9,r6,r7
1356 addc r11,r11,r8
1357 adde r12,r12,r9
1358 addze r10,r10
1359 #mul_add_c(a[7],b[0],c2,c3,c1);
1360 $LD r6,`7*$BNSZ`(r4)
1361 $LD r7,`0*$BNSZ`(r5)
1362 $UMULL r8,r6,r7
1363 $UMULH r9,r6,r7
1364 addc r11,r11,r8
1365 adde r12,r12,r9
1366 addze r10,r10
1367 $ST r11,`7*$BNSZ`(r3) #r[7]=c2;
1368 #mul_add_c(a[7],b[1],c3,c1,c2);
1369 $LD r7,`1*$BNSZ`(r5)
1370 $UMULL r8,r6,r7
1371 $UMULH r9,r6,r7
1372 addc r12,r12,r8
1373 adde r10,r10,r9
1374 addze r11,r0
1375 #mul_add_c(a[6],b[2],c3,c1,c2);
1376 $LD r6,`6*$BNSZ`(r4)
1377 $LD r7,`2*$BNSZ`(r5)
1378 $UMULL r8,r6,r7
1379 $UMULH r9,r6,r7
1380 addc r12,r12,r8
1381 adde r10,r10,r9
1382 addze r11,r11
1383 #mul_add_c(a[5],b[3],c3,c1,c2);
1384 $LD r6,`5*$BNSZ`(r4)
1385 $LD r7,`3*$BNSZ`(r5)
1386 $UMULL r8,r6,r7
1387 $UMULH r9,r6,r7
1388 addc r12,r12,r8
1389 adde r10,r10,r9
1390 addze r11,r11
1391 #mul_add_c(a[4],b[4],c3,c1,c2);
1392 $LD r6,`4*$BNSZ`(r4)
1393 $LD r7,`4*$BNSZ`(r5)
1394 $UMULL r8,r6,r7
1395 $UMULH r9,r6,r7
1396 addc r12,r12,r8
1397 adde r10,r10,r9
1398 addze r11,r11
1399 #mul_add_c(a[3],b[5],c3,c1,c2);
1400 $LD r6,`3*$BNSZ`(r4)
1401 $LD r7,`5*$BNSZ`(r5)
1402 $UMULL r8,r6,r7
1403 $UMULH r9,r6,r7
1404 addc r12,r12,r8
1405 adde r10,r10,r9
1406 addze r11,r11
1407 #mul_add_c(a[2],b[6],c3,c1,c2);
1408 $LD r6,`2*$BNSZ`(r4)
1409 $LD r7,`6*$BNSZ`(r5)
1410 $UMULL r8,r6,r7
1411 $UMULH r9,r6,r7
1412 addc r12,r12,r8
1413 adde r10,r10,r9
1414 addze r11,r11
1415 #mul_add_c(a[1],b[7],c3,c1,c2);
1416 $LD r6,`1*$BNSZ`(r4)
1417 $LD r7,`7*$BNSZ`(r5)
1418 $UMULL r8,r6,r7
1419 $UMULH r9,r6,r7
1420 addc r12,r12,r8
1421 adde r10,r10,r9
1422 addze r11,r11
1423 $ST r12,`8*$BNSZ`(r3) #r[8]=c3;
1424 #mul_add_c(a[2],b[7],c1,c2,c3);
1425 $LD r6,`2*$BNSZ`(r4)
1426 $UMULL r8,r6,r7
1427 $UMULH r9,r6,r7
1428 addc r10,r10,r8
1429 adde r11,r11,r9
1430 addze r12,r0
1431 #mul_add_c(a[3],b[6],c1,c2,c3);
1432 $LD r6,`3*$BNSZ`(r4)
1433 $LD r7,`6*$BNSZ`(r5)
1434 $UMULL r8,r6,r7
1435 $UMULH r9,r6,r7
1436 addc r10,r10,r8
1437 adde r11,r11,r9
1438 addze r12,r12
1439 #mul_add_c(a[4],b[5],c1,c2,c3);
1440 $LD r6,`4*$BNSZ`(r4)
1441 $LD r7,`5*$BNSZ`(r5)
1442 $UMULL r8,r6,r7
1443 $UMULH r9,r6,r7
1444 addc r10,r10,r8
1445 adde r11,r11,r9
1446 addze r12,r12
1447 #mul_add_c(a[5],b[4],c1,c2,c3);
1448 $LD r6,`5*$BNSZ`(r4)
1449 $LD r7,`4*$BNSZ`(r5)
1450 $UMULL r8,r6,r7
1451 $UMULH r9,r6,r7
1452 addc r10,r10,r8
1453 adde r11,r11,r9
1454 addze r12,r12
1455 #mul_add_c(a[6],b[3],c1,c2,c3);
1456 $LD r6,`6*$BNSZ`(r4)
1457 $LD r7,`3*$BNSZ`(r5)
1458 $UMULL r8,r6,r7
1459 $UMULH r9,r6,r7
1460 addc r10,r10,r8
1461 adde r11,r11,r9
1462 addze r12,r12
1463 #mul_add_c(a[7],b[2],c1,c2,c3);
1464 $LD r6,`7*$BNSZ`(r4)
1465 $LD r7,`2*$BNSZ`(r5)
1466 $UMULL r8,r6,r7
1467 $UMULH r9,r6,r7
1468 addc r10,r10,r8
1469 adde r11,r11,r9
1470 addze r12,r12
1471 $ST r10,`9*$BNSZ`(r3) #r[9]=c1;
1472 #mul_add_c(a[7],b[3],c2,c3,c1);
1473 $LD r7,`3*$BNSZ`(r5)
1474 $UMULL r8,r6,r7
1475 $UMULH r9,r6,r7
1476 addc r11,r11,r8
1477 adde r12,r12,r9
1478 addze r10,r0
1479 #mul_add_c(a[6],b[4],c2,c3,c1);
1480 $LD r6,`6*$BNSZ`(r4)
1481 $LD r7,`4*$BNSZ`(r5)
1482 $UMULL r8,r6,r7
1483 $UMULH r9,r6,r7
1484 addc r11,r11,r8
1485 adde r12,r12,r9
1486 addze r10,r10
1487 #mul_add_c(a[5],b[5],c2,c3,c1);
1488 $LD r6,`5*$BNSZ`(r4)
1489 $LD r7,`5*$BNSZ`(r5)
1490 $UMULL r8,r6,r7
1491 $UMULH r9,r6,r7
1492 addc r11,r11,r8
1493 adde r12,r12,r9
1494 addze r10,r10
1495 #mul_add_c(a[4],b[6],c2,c3,c1);
1496 $LD r6,`4*$BNSZ`(r4)
1497 $LD r7,`6*$BNSZ`(r5)
1498 $UMULL r8,r6,r7
1499 $UMULH r9,r6,r7
1500 addc r11,r11,r8
1501 adde r12,r12,r9
1502 addze r10,r10
1503 #mul_add_c(a[3],b[7],c2,c3,c1);
1504 $LD r6,`3*$BNSZ`(r4)
1505 $LD r7,`7*$BNSZ`(r5)
1506 $UMULL r8,r6,r7
1507 $UMULH r9,r6,r7
1508 addc r11,r11,r8
1509 adde r12,r12,r9
1510 addze r10,r10
1511 $ST r11,`10*$BNSZ`(r3) #r[10]=c2;
1512 #mul_add_c(a[4],b[7],c3,c1,c2);
1513 $LD r6,`4*$BNSZ`(r4)
1514 $UMULL r8,r6,r7
1515 $UMULH r9,r6,r7
1516 addc r12,r12,r8
1517 adde r10,r10,r9
1518 addze r11,r0
1519 #mul_add_c(a[5],b[6],c3,c1,c2);
1520 $LD r6,`5*$BNSZ`(r4)
1521 $LD r7,`6*$BNSZ`(r5)
1522 $UMULL r8,r6,r7
1523 $UMULH r9,r6,r7
1524 addc r12,r12,r8
1525 adde r10,r10,r9
1526 addze r11,r11
1527 #mul_add_c(a[6],b[5],c3,c1,c2);
1528 $LD r6,`6*$BNSZ`(r4)
1529 $LD r7,`5*$BNSZ`(r5)
1530 $UMULL r8,r6,r7
1531 $UMULH r9,r6,r7
1532 addc r12,r12,r8
1533 adde r10,r10,r9
1534 addze r11,r11
1535 #mul_add_c(a[7],b[4],c3,c1,c2);
1536 $LD r6,`7*$BNSZ`(r4)
1537 $LD r7,`4*$BNSZ`(r5)
1538 $UMULL r8,r6,r7
1539 $UMULH r9,r6,r7
1540 addc r12,r12,r8
1541 adde r10,r10,r9
1542 addze r11,r11
1543 $ST r12,`11*$BNSZ`(r3) #r[11]=c3;
1544 #mul_add_c(a[7],b[5],c1,c2,c3);
1545 $LD r7,`5*$BNSZ`(r5)
1546 $UMULL r8,r6,r7
1547 $UMULH r9,r6,r7
1548 addc r10,r10,r8
1549 adde r11,r11,r9
1550 addze r12,r0
1551 #mul_add_c(a[6],b[6],c1,c2,c3);
1552 $LD r6,`6*$BNSZ`(r4)
1553 $LD r7,`6*$BNSZ`(r5)
1554 $UMULL r8,r6,r7
1555 $UMULH r9,r6,r7
1556 addc r10,r10,r8
1557 adde r11,r11,r9
1558 addze r12,r12
1559 #mul_add_c(a[5],b[7],c1,c2,c3);
1560 $LD r6,`5*$BNSZ`(r4)
1561 $LD r7,`7*$BNSZ`(r5)
1562 $UMULL r8,r6,r7
1563 $UMULH r9,r6,r7
1564 addc r10,r10,r8
1565 adde r11,r11,r9
1566 addze r12,r12
1567 $ST r10,`12*$BNSZ`(r3) #r[12]=c1;
1568 #mul_add_c(a[6],b[7],c2,c3,c1);
1569 $LD r6,`6*$BNSZ`(r4)
1570 $UMULL r8,r6,r7
1571 $UMULH r9,r6,r7
1572 addc r11,r11,r8
1573 adde r12,r12,r9
1574 addze r10,r0
1575 #mul_add_c(a[7],b[6],c2,c3,c1);
1576 $LD r6,`7*$BNSZ`(r4)
1577 $LD r7,`6*$BNSZ`(r5)
1578 $UMULL r8,r6,r7
1579 $UMULH r9,r6,r7
1580 addc r11,r11,r8
1581 adde r12,r12,r9
1582 addze r10,r10
1583 $ST r11,`13*$BNSZ`(r3) #r[13]=c2;
1584 #mul_add_c(a[7],b[7],c3,c1,c2);
1585 $LD r7,`7*$BNSZ`(r5)
1586 $UMULL r8,r6,r7
1587 $UMULH r9,r6,r7
1588 addc r12,r12,r8
1589 adde r10,r10,r9
1590 $ST r12,`14*$BNSZ`(r3) #r[14]=c3;
1591 $ST r10,`15*$BNSZ`(r3) #r[15]=c1;
1592 bclr BO_ALWAYS,CR0_LT
1593 .long 0x00000000
1594
1595#
1596# NOTE: The following label name should be changed to
1597# "bn_sub_words" i.e. remove the first dot
1598# for the gcc compiler. This should be automatically
1599# done in the build
1600#
1601#
1602.align 4
1603.bn_sub_words:
1604#
1605# Handcoded version of bn_sub_words
1606#
1607#BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
1608#
1609# r3 = r
1610# r4 = a
1611# r5 = b
1612# r6 = n
1613#
1614# Note: No loop unrolling done since this is not a performance
1615# critical loop.
1616
1617 xor r0,r0,r0 #set r0 = 0
1618#
1619# check for r6 = 0 AND set carry bit.
1620#
1621 subfc. r7,r0,r6 # If r6 is 0 then result is 0.
1622 # if r6 > 0 then result !=0
1623 # In either case carry bit is set.
1624 bc BO_IF,CR0_EQ,Lppcasm_sub_adios
1625 addi r4,r4,-$BNSZ
1626 addi r3,r3,-$BNSZ
1627 addi r5,r5,-$BNSZ
1628 mtctr r6
1629Lppcasm_sub_mainloop:
1630 $LDU r7,$BNSZ(r4)
1631 $LDU r8,$BNSZ(r5)
1632 subfe r6,r8,r7 # r6 = r7+carry bit + onescomplement(r8)
1633 # if carry = 1 this is r7-r8. Else it
1634 # is r7-r8 -1 as we need.
1635 $STU r6,$BNSZ(r3)
1636 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_sub_mainloop
1637Lppcasm_sub_adios:
1638 subfze r3,r0 # if carry bit is set then r3 = 0 else -1
1639 andi. r3,r3,1 # keep only last bit.
1640 bclr BO_ALWAYS,CR0_LT
1641 .long 0x00000000
1642
1643
1644#
1645# NOTE: The following label name should be changed to
1646# "bn_add_words" i.e. remove the first dot
1647# for the gcc compiler. This should be automatically
1648# done in the build
1649#
1650
1651.align 4
1652.bn_add_words:
1653#
1654# Handcoded version of bn_add_words
1655#
1656#BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
1657#
1658# r3 = r
1659# r4 = a
1660# r5 = b
1661# r6 = n
1662#
1663# Note: No loop unrolling done since this is not a performance
1664# critical loop.
1665
1666 xor r0,r0,r0
1667#
1668# check for r6 = 0. Is this needed?
1669#
1670 addic. r6,r6,0 #test r6 and clear carry bit.
1671 bc BO_IF,CR0_EQ,Lppcasm_add_adios
1672 addi r4,r4,-$BNSZ
1673 addi r3,r3,-$BNSZ
1674 addi r5,r5,-$BNSZ
1675 mtctr r6
1676Lppcasm_add_mainloop:
1677 $LDU r7,$BNSZ(r4)
1678 $LDU r8,$BNSZ(r5)
1679 adde r8,r7,r8
1680 $STU r8,$BNSZ(r3)
1681 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_add_mainloop
1682Lppcasm_add_adios:
1683 addze r3,r0 #return carry bit.
1684 bclr BO_ALWAYS,CR0_LT
1685 .long 0x00000000
1686
1687#
1688# NOTE: The following label name should be changed to
1689# "bn_div_words" i.e. remove the first dot
1690# for the gcc compiler. This should be automatically
1691# done in the build
1692#
1693
1694.align 4
1695.bn_div_words:
1696#
1697# This is a cleaned up version of code generated by
1698# the AIX compiler. The only optimization is to use
1699# the PPC instruction to count leading zeros instead
1700# of call to num_bits_word. Since this was compiled
1701# only at level -O2 we can possibly squeeze it more?
1702#
1703# r3 = h
1704# r4 = l
1705# r5 = d
1706
1707 $UCMPI 0,r5,0 # compare r5 and 0
1708 bc BO_IF_NOT,CR0_EQ,Lppcasm_div1 # proceed if d!=0
1709 li r3,-1 # d=0 return -1
1710 bclr BO_ALWAYS,CR0_LT
1711Lppcasm_div1:
1712 xor r0,r0,r0 #r0=0
1713 $COUNTZ r7,r5 #r7 = num leading 0s in d.
1714 subfic r8,r7,$BITS #r8 = BN_num_bits_word(d)
1715 cmpi 0,0,r8,$BITS #
1716 bc BO_IF,CR0_EQ,Lppcasm_div2 #proceed if (r8==$BITS)
1717 li r9,1 # r9=1
1718 $SHL r10,r9,r8 # r9<<=r8
1719 $UCMP 0,r3,r10 #
1720 bc BO_IF,CR0_GT,Lppcasm_div2 #or if (h > (1<<r8))
1721 $UDIV r3,r3,r0 #if not assert(0) divide by 0!
1722 #that's how we signal overflow
1723 bclr BO_ALWAYS,CR0_LT #return. NEVER REACHED.
1724Lppcasm_div2:
1725 $UCMP 0,r3,r5 #h>=d?
1726 bc BO_IF,CR0_LT,Lppcasm_div3 #goto Lppcasm_div3 if not
1727 subf r3,r5,r3 #h-=d ;
1728Lppcasm_div3: #r7 = BN_BITS2-i. so r7=i
1729 cmpi 0,0,r7,0 # is (i == 0)?
1730 bc BO_IF,CR0_EQ,Lppcasm_div4
1731 $SHL r3,r3,r7 # h = (h<< i)
1732 $SHR r8,r4,r8 # r8 = (l >> BN_BITS2 -i)
1733 $SHL r5,r5,r7 # d<<=i
1734 or r3,r3,r8 # h = (h<<i)|(l>>(BN_BITS2-i))
1735 $SHL r4,r4,r7 # l <<=i
1736Lppcasm_div4:
1737 $SHRI r9,r5,`$BITS/2` # r9 = dh
1738 # dl will be computed when needed
1739 # as it saves registers.
1740 li r6,2 #r6=2
1741 mtctr r6 #counter will be in count.
1742Lppcasm_divouterloop:
1743 $SHRI r8,r3,`$BITS/2` #r8 = (h>>BN_BITS4)
1744 $SHRI r11,r4,`$BITS/2` #r11= (l&BN_MASK2h)>>BN_BITS4
1745 # compute here for innerloop.
1746 $UCMP 0,r8,r9 # is (h>>BN_BITS4)==dh
1747 bc BO_IF_NOT,CR0_EQ,Lppcasm_div5 # goto Lppcasm_div5 if not
1748
1749 li r8,-1
1750 $CLRU r8,r8,`$BITS/2` #q = BN_MASK2l
1751 b Lppcasm_div6
1752Lppcasm_div5:
1753 $UDIV r8,r3,r9 #q = h/dh
1754Lppcasm_div6:
1755 $UMULL r12,r9,r8 #th = q*dh
1756 $CLRU r10,r5,`$BITS/2` #r10=dl
1757 $UMULL r6,r8,r10 #tl = q*dl
1758
1759Lppcasm_divinnerloop:
1760 subf r10,r12,r3 #t = h -th
1761 $SHRI r7,r10,`$BITS/2` #r7= (t &BN_MASK2H), sort of...
1762 addic. r7,r7,0 #test if r7 == 0. used below.
1763 # now want to compute
1764 # r7 = (t<<BN_BITS4)|((l&BN_MASK2h)>>BN_BITS4)
1765 # the following 2 instructions do that
1766 $SHLI r7,r10,`$BITS/2` # r7 = (t<<BN_BITS4)
1767 or r7,r7,r11 # r7|=((l&BN_MASK2h)>>BN_BITS4)
1768 $UCMP 1,r6,r7 # compare (tl <= r7)
1769 bc BO_IF_NOT,CR0_EQ,Lppcasm_divinnerexit
1770 bc BO_IF_NOT,CR1_FEX,Lppcasm_divinnerexit
1771 addi r8,r8,-1 #q--
1772 subf r12,r9,r12 #th -=dh
1773 $CLRU r10,r5,`$BITS/2` #r10=dl. t is no longer needed in loop.
1774 subf r6,r10,r6 #tl -=dl
1775 b Lppcasm_divinnerloop
1776Lppcasm_divinnerexit:
1777 $SHRI r10,r6,`$BITS/2` #t=(tl>>BN_BITS4)
1778 $SHLI r11,r6,`$BITS/2` #tl=(tl<<BN_BITS4)&BN_MASK2h;
1779 $UCMP 1,r4,r11 # compare l and tl
1780 add r12,r12,r10 # th+=t
1781 bc BO_IF_NOT,CR1_FX,Lppcasm_div7 # if (l>=tl) goto Lppcasm_div7
1782 addi r12,r12,1 # th++
1783Lppcasm_div7:
1784 subf r11,r11,r4 #r11=l-tl
1785 $UCMP 1,r3,r12 #compare h and th
1786 bc BO_IF_NOT,CR1_FX,Lppcasm_div8 #if (h>=th) goto Lppcasm_div8
1787 addi r8,r8,-1 # q--
1788 add r3,r5,r3 # h+=d
1789Lppcasm_div8:
1790 subf r12,r12,r3 #r12 = h-th
1791 $SHLI r4,r11,`$BITS/2` #l=(l&BN_MASK2l)<<BN_BITS4
1792 # want to compute
1793 # h = ((h<<BN_BITS4)|(l>>BN_BITS4))&BN_MASK2
1794 # the following 2 instructions will do this.
1795 $INSR r11,r12,`$BITS/2`,`$BITS/2` # r11 is the value we want rotated $BITS/2.
1796 $ROTL r3,r11,`$BITS/2` # rotate by $BITS/2 and store in r3
1797 bc BO_dCTR_ZERO,CR0_EQ,Lppcasm_div9#if (count==0) break ;
1798 $SHLI r0,r8,`$BITS/2` #ret =q<<BN_BITS4
1799 b Lppcasm_divouterloop
1800Lppcasm_div9:
1801 or r3,r8,r0
1802 bclr BO_ALWAYS,CR0_LT
1803 .long 0x00000000
1804
1805#
1806# NOTE: The following label name should be changed to
1807# "bn_sqr_words" i.e. remove the first dot
1808# for the gcc compiler. This should be automatically
1809# done in the build
1810#
1811.align 4
1812.bn_sqr_words:
1813#
1814# Optimized version of bn_sqr_words
1815#
1816# void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
1817#
1818# r3 = r
1819# r4 = a
1820# r5 = n
1821#
1822# r6 = a[i].
1823# r7,r8 = product.
1824#
1825# No unrolling done here. Not performance critical.
1826
1827 addic. r5,r5,0 #test r5.
1828 bc BO_IF,CR0_EQ,Lppcasm_sqr_adios
1829 addi r4,r4,-$BNSZ
1830 addi r3,r3,-$BNSZ
1831 mtctr r5
1832Lppcasm_sqr_mainloop:
1833 #sqr(r[0],r[1],a[0]);
1834 $LDU r6,$BNSZ(r4)
1835 $UMULL r7,r6,r6
1836 $UMULH r8,r6,r6
1837 $STU r7,$BNSZ(r3)
1838 $STU r8,$BNSZ(r3)
1839 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_sqr_mainloop
1840Lppcasm_sqr_adios:
1841 bclr BO_ALWAYS,CR0_LT
1842 .long 0x00000000
1843
1844
1845#
1846# NOTE: The following label name should be changed to
1847# "bn_mul_words" i.e. remove the first dot
1848# for the gcc compiler. This should be automatically
1849# done in the build
1850#
1851
1852.align 4
1853.bn_mul_words:
1854#
1855# BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
1856#
1857# r3 = rp
1858# r4 = ap
1859# r5 = num
1860# r6 = w
1861 xor r0,r0,r0
1862 xor r12,r12,r12 # used for carry
1863 rlwinm. r7,r5,30,2,31 # num >> 2
1864 bc BO_IF,CR0_EQ,Lppcasm_mw_REM
1865 mtctr r7
1866Lppcasm_mw_LOOP:
1867 #mul(rp[0],ap[0],w,c1);
1868 $LD r8,`0*$BNSZ`(r4)
1869 $UMULL r9,r6,r8
1870 $UMULH r10,r6,r8
1871 addc r9,r9,r12
1872 #addze r10,r10 #carry is NOT ignored.
1873 #will be taken care of
1874 #in second spin below
1875 #using adde.
1876 $ST r9,`0*$BNSZ`(r3)
1877 #mul(rp[1],ap[1],w,c1);
1878 $LD r8,`1*$BNSZ`(r4)
1879 $UMULL r11,r6,r8
1880 $UMULH r12,r6,r8
1881 adde r11,r11,r10
1882 #addze r12,r12
1883 $ST r11,`1*$BNSZ`(r3)
1884 #mul(rp[2],ap[2],w,c1);
1885 $LD r8,`2*$BNSZ`(r4)
1886 $UMULL r9,r6,r8
1887 $UMULH r10,r6,r8
1888 adde r9,r9,r12
1889 #addze r10,r10
1890 $ST r9,`2*$BNSZ`(r3)
1891 #mul_add(rp[3],ap[3],w,c1);
1892 $LD r8,`3*$BNSZ`(r4)
1893 $UMULL r11,r6,r8
1894 $UMULH r12,r6,r8
1895 adde r11,r11,r10
1896 addze r12,r12 #this spin we collect carry into
1897 #r12
1898 $ST r11,`3*$BNSZ`(r3)
1899
1900 addi r3,r3,`4*$BNSZ`
1901 addi r4,r4,`4*$BNSZ`
1902 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_mw_LOOP
1903
1904Lppcasm_mw_REM:
1905 andi. r5,r5,0x3
1906 bc BO_IF,CR0_EQ,Lppcasm_mw_OVER
1907 #mul(rp[0],ap[0],w,c1);
1908 $LD r8,`0*$BNSZ`(r4)
1909 $UMULL r9,r6,r8
1910 $UMULH r10,r6,r8
1911 addc r9,r9,r12
1912 addze r10,r10
1913 $ST r9,`0*$BNSZ`(r3)
1914 addi r12,r10,0
1915
1916 addi r5,r5,-1
1917 cmpli 0,0,r5,0
1918 bc BO_IF,CR0_EQ,Lppcasm_mw_OVER
1919
1920
1921 #mul(rp[1],ap[1],w,c1);
1922 $LD r8,`1*$BNSZ`(r4)
1923 $UMULL r9,r6,r8
1924 $UMULH r10,r6,r8
1925 addc r9,r9,r12
1926 addze r10,r10
1927 $ST r9,`1*$BNSZ`(r3)
1928 addi r12,r10,0
1929
1930 addi r5,r5,-1
1931 cmpli 0,0,r5,0
1932 bc BO_IF,CR0_EQ,Lppcasm_mw_OVER
1933
1934 #mul_add(rp[2],ap[2],w,c1);
1935 $LD r8,`2*$BNSZ`(r4)
1936 $UMULL r9,r6,r8
1937 $UMULH r10,r6,r8
1938 addc r9,r9,r12
1939 addze r10,r10
1940 $ST r9,`2*$BNSZ`(r3)
1941 addi r12,r10,0
1942
1943Lppcasm_mw_OVER:
1944 addi r3,r12,0
1945 bclr BO_ALWAYS,CR0_LT
1946 .long 0x00000000
1947
1948#
1949# NOTE: The following label name should be changed to
1950# "bn_mul_add_words" i.e. remove the first dot
1951# for the gcc compiler. This should be automatically
1952# done in the build
1953#
1954
1955.align 4
1956.bn_mul_add_words:
1957#
1958# BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
1959#
1960# r3 = rp
1961# r4 = ap
1962# r5 = num
1963# r6 = w
1964#
1965# empirical evidence suggests that unrolled version performs best!!
1966#
1967 xor r0,r0,r0 #r0 = 0
1968 xor r12,r12,r12 #r12 = 0 . used for carry
1969 rlwinm. r7,r5,30,2,31 # num >> 2
1970 bc BO_IF,CR0_EQ,Lppcasm_maw_leftover # if (num < 4) go LPPCASM_maw_leftover
1971 mtctr r7
1972Lppcasm_maw_mainloop:
1973 #mul_add(rp[0],ap[0],w,c1);
1974 $LD r8,`0*$BNSZ`(r4)
1975 $LD r11,`0*$BNSZ`(r3)
1976 $UMULL r9,r6,r8
1977 $UMULH r10,r6,r8
1978 addc r9,r9,r12 #r12 is carry.
1979 addze r10,r10
1980 addc r9,r9,r11
1981 #addze r10,r10
1982 #the above instruction addze
1983 #is NOT needed. Carry will NOT
1984 #be ignored. It's not affected
1985 #by multiply and will be collected
1986 #in the next spin
1987 $ST r9,`0*$BNSZ`(r3)
1988
1989 #mul_add(rp[1],ap[1],w,c1);
1990 $LD r8,`1*$BNSZ`(r4)
1991 $LD r9,`1*$BNSZ`(r3)
1992 $UMULL r11,r6,r8
1993 $UMULH r12,r6,r8
1994 adde r11,r11,r10 #r10 is carry.
1995 addze r12,r12
1996 addc r11,r11,r9
1997 #addze r12,r12
1998 $ST r11,`1*$BNSZ`(r3)
1999
2000 #mul_add(rp[2],ap[2],w,c1);
2001 $LD r8,`2*$BNSZ`(r4)
2002 $UMULL r9,r6,r8
2003 $LD r11,`2*$BNSZ`(r3)
2004 $UMULH r10,r6,r8
2005 adde r9,r9,r12
2006 addze r10,r10
2007 addc r9,r9,r11
2008 #addze r10,r10
2009 $ST r9,`2*$BNSZ`(r3)
2010
2011 #mul_add(rp[3],ap[3],w,c1);
2012 $LD r8,`3*$BNSZ`(r4)
2013 $UMULL r11,r6,r8
2014 $LD r9,`3*$BNSZ`(r3)
2015 $UMULH r12,r6,r8
2016 adde r11,r11,r10
2017 addze r12,r12
2018 addc r11,r11,r9
2019 addze r12,r12
2020 $ST r11,`3*$BNSZ`(r3)
2021 addi r3,r3,`4*$BNSZ`
2022 addi r4,r4,`4*$BNSZ`
2023 bc BO_dCTR_NZERO,CR0_EQ,Lppcasm_maw_mainloop
2024
2025Lppcasm_maw_leftover:
2026 andi. r5,r5,0x3
2027 bc BO_IF,CR0_EQ,Lppcasm_maw_adios
2028 addi r3,r3,-$BNSZ
2029 addi r4,r4,-$BNSZ
2030 #mul_add(rp[0],ap[0],w,c1);
2031 mtctr r5
2032 $LDU r8,$BNSZ(r4)
2033 $UMULL r9,r6,r8
2034 $UMULH r10,r6,r8
2035 $LDU r11,$BNSZ(r3)
2036 addc r9,r9,r11
2037 addze r10,r10
2038 addc r9,r9,r12
2039 addze r12,r10
2040 $ST r9,0(r3)
2041
2042 bc BO_dCTR_ZERO,CR0_EQ,Lppcasm_maw_adios
2043 #mul_add(rp[1],ap[1],w,c1);
2044 $LDU r8,$BNSZ(r4)
2045 $UMULL r9,r6,r8
2046 $UMULH r10,r6,r8
2047 $LDU r11,$BNSZ(r3)
2048 addc r9,r9,r11
2049 addze r10,r10
2050 addc r9,r9,r12
2051 addze r12,r10
2052 $ST r9,0(r3)
2053
2054 bc BO_dCTR_ZERO,CR0_EQ,Lppcasm_maw_adios
2055 #mul_add(rp[2],ap[2],w,c1);
2056 $LDU r8,$BNSZ(r4)
2057 $UMULL r9,r6,r8
2058 $UMULH r10,r6,r8
2059 $LDU r11,$BNSZ(r3)
2060 addc r9,r9,r11
2061 addze r10,r10
2062 addc r9,r9,r12
2063 addze r12,r10
2064 $ST r9,0(r3)
2065
2066Lppcasm_maw_adios:
2067 addi r3,r12,0
2068 bclr BO_ALWAYS,CR0_LT
2069 .long 0x00000000
2070 .align 4
2071EOF
2072 $data =~ s/\`([^\`]*)\`/eval $1/gem;
2073
2074 # if some assembler chokes on some simplified mnemonic,
2075 # this is the spot to fix it up, e.g.:
2076 # GNU as doesn't seem to accept cmplw, 32-bit unsigned compare
2077 $data =~ s/^(\s*)cmplw(\s+)([^,]+),(.*)/$1cmpl$2$3,0,$4/gm;
2078 # assembler X doesn't accept li, load immediate value
2079 #$data =~ s/^(\s*)li(\s+)([^,]+),(.*)/$1addi$2$3,0,$4/gm;
2080 return($data);
2081}
diff --git a/src/lib/libcrypto/bn/asm/x86_64-gcc.c b/src/lib/libcrypto/bn/asm/x86_64-gcc.c
index 450e8e4322..7378344251 100644
--- a/src/lib/libcrypto/bn/asm/x86_64-gcc.c
+++ b/src/lib/libcrypto/bn/asm/x86_64-gcc.c
@@ -13,20 +13,42 @@
13 * A. Well, that's because this code is basically a quick-n-dirty 13 * A. Well, that's because this code is basically a quick-n-dirty
14 * proof-of-concept hack. As you can see it's implemented with 14 * proof-of-concept hack. As you can see it's implemented with
15 * inline assembler, which means that you're bound to GCC and that 15 * inline assembler, which means that you're bound to GCC and that
16 * there must be a room for fine-tuning. 16 * there might be enough room for further improvement.
17 * 17 *
18 * Q. Why inline assembler? 18 * Q. Why inline assembler?
19 * A. x86_64 features own ABI I'm not familiar with. Which is why 19 * A. x86_64 features own ABI which I'm not familiar with. This is
20 * I decided to let the compiler take care of subroutine 20 * why I decided to let the compiler take care of subroutine
21 * prologue/epilogue as well as register allocation. 21 * prologue/epilogue as well as register allocation. For reference.
22 * Win64 implements different ABI for AMD64, different from Linux.
22 * 23 *
23 * Q. How much faster does it get? 24 * Q. How much faster does it get?
24 * A. Unfortunately people sitting on x86_64 hardware are prohibited 25 * A. 'apps/openssl speed rsa dsa' output with no-asm:
25 * to disclose the performance numbers, so they (SuSE labs to be 26 *
26 * specific) wouldn't tell me. However! Very similar coding technique 27 * sign verify sign/s verify/s
27 * (reaching out for 128-bit result from 64x64-bit multiplication) 28 * rsa 512 bits 0.0006s 0.0001s 1683.8 18456.2
28 * results in >3 times performance improvement on MIPS and I see no 29 * rsa 1024 bits 0.0028s 0.0002s 356.0 6407.0
29 * reason why gain on x86_64 would be so much different:-) 30 * rsa 2048 bits 0.0172s 0.0005s 58.0 1957.8
31 * rsa 4096 bits 0.1155s 0.0018s 8.7 555.6
32 * sign verify sign/s verify/s
33 * dsa 512 bits 0.0005s 0.0006s 2100.8 1768.3
34 * dsa 1024 bits 0.0014s 0.0018s 692.3 559.2
35 * dsa 2048 bits 0.0049s 0.0061s 204.7 165.0
36 *
37 * 'apps/openssl speed rsa dsa' output with this module:
38 *
39 * sign verify sign/s verify/s
40 * rsa 512 bits 0.0004s 0.0000s 2767.1 33297.9
41 * rsa 1024 bits 0.0012s 0.0001s 867.4 14674.7
42 * rsa 2048 bits 0.0061s 0.0002s 164.0 5270.0
43 * rsa 4096 bits 0.0384s 0.0006s 26.1 1650.8
44 * sign verify sign/s verify/s
45 * dsa 512 bits 0.0002s 0.0003s 4442.2 3786.3
46 * dsa 1024 bits 0.0005s 0.0007s 1835.1 1497.4
47 * dsa 2048 bits 0.0016s 0.0020s 620.4 504.6
48 *
49 * For the reference. IA-32 assembler implementation performs
50 * very much like 64-bit code compiled with no-asm on the same
51 * machine.
30 */ 52 */
31 53
32#define BN_ULONG unsigned long 54#define BN_ULONG unsigned long
@@ -151,7 +173,7 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
151} 173}
152 174
153BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n) 175BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
154{ BN_ULONG ret,i; 176{ BN_ULONG ret=0,i=0;
155 177
156 if (n <= 0) return 0; 178 if (n <= 0) return 0;
157 179
@@ -164,7 +186,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
164 " leaq 1(%2),%2 \n" 186 " leaq 1(%2),%2 \n"
165 " loop 1b \n" 187 " loop 1b \n"
166 " sbbq %0,%0 \n" 188 " sbbq %0,%0 \n"
167 : "+a"(ret),"+c"(n),"+r"(i) 189 : "=&a"(ret),"+c"(n),"=&r"(i)
168 : "r"(rp),"r"(ap),"r"(bp) 190 : "r"(rp),"r"(ap),"r"(bp)
169 : "cc" 191 : "cc"
170 ); 192 );
@@ -174,7 +196,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
174 196
175#ifndef SIMICS 197#ifndef SIMICS
176BN_ULONG bn_sub_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n) 198BN_ULONG bn_sub_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
177{ BN_ULONG ret,i; 199{ BN_ULONG ret=0,i=0;
178 200
179 if (n <= 0) return 0; 201 if (n <= 0) return 0;
180 202
@@ -187,7 +209,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
187 " leaq 1(%2),%2 \n" 209 " leaq 1(%2),%2 \n"
188 " loop 1b \n" 210 " loop 1b \n"
189 " sbbq %0,%0 \n" 211 " sbbq %0,%0 \n"
190 : "+a"(ret),"+c"(n),"+r"(i) 212 : "=&a"(ret),"+c"(n),"=&r"(i)
191 : "r"(rp),"r"(ap),"r"(bp) 213 : "r"(rp),"r"(ap),"r"(bp)
192 : "cc" 214 : "cc"
193 ); 215 );
@@ -318,7 +340,6 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
318 340
319void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) 341void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
320 { 342 {
321 BN_ULONG bl,bh;
322 BN_ULONG t1,t2; 343 BN_ULONG t1,t2;
323 BN_ULONG c1,c2,c3; 344 BN_ULONG c1,c2,c3;
324 345
@@ -423,7 +444,6 @@ void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
423 444
424void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) 445void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
425 { 446 {
426 BN_ULONG bl,bh;
427 BN_ULONG t1,t2; 447 BN_ULONG t1,t2;
428 BN_ULONG c1,c2,c3; 448 BN_ULONG c1,c2,c3;
429 449
@@ -464,7 +484,6 @@ void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
464 484
465void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a) 485void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
466 { 486 {
467 BN_ULONG bl,bh;
468 BN_ULONG t1,t2; 487 BN_ULONG t1,t2;
469 BN_ULONG c1,c2,c3; 488 BN_ULONG c1,c2,c3;
470 489
@@ -541,7 +560,6 @@ void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
541 560
542void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a) 561void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
543 { 562 {
544 BN_ULONG bl,bh;
545 BN_ULONG t1,t2; 563 BN_ULONG t1,t2;
546 BN_ULONG c1,c2,c3; 564 BN_ULONG c1,c2,c3;
547 565
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index c9ebdbaabe..b79b1b60da 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -273,7 +273,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
273 273
274 BN_init(&Ri); 274 BN_init(&Ri);
275 R= &(mont->RR); /* grab RR as a temp */ 275 R= &(mont->RR); /* grab RR as a temp */
276 BN_copy(&(mont->N),mod); /* Set N */ 276 if (!BN_copy(&(mont->N),mod)) goto err; /* Set N */
277 mont->N.neg = 0; 277 mont->N.neg = 0;
278 278
279#ifdef MONT_WORD 279#ifdef MONT_WORD
diff --git a/src/lib/libcrypto/cast/c_skey.c b/src/lib/libcrypto/cast/c_skey.c
index 76e40005c9..dc4791a8cf 100644
--- a/src/lib/libcrypto/cast/c_skey.c
+++ b/src/lib/libcrypto/cast/c_skey.c
@@ -56,7 +56,9 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 58
59#include <openssl/crypto.h>
59#include <openssl/cast.h> 60#include <openssl/cast.h>
61
60#include "cast_lcl.h" 62#include "cast_lcl.h"
61#include "cast_s.h" 63#include "cast_s.h"
62 64
@@ -72,7 +74,7 @@
72#define S6 CAST_S_table6 74#define S6 CAST_S_table6
73#define S7 CAST_S_table7 75#define S7 CAST_S_table7
74 76
75void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) 77FIPS_NON_FIPS_VCIPHER_Init(CAST)
76 { 78 {
77 CAST_LONG x[16]; 79 CAST_LONG x[16];
78 CAST_LONG z[16]; 80 CAST_LONG z[16];
diff --git a/src/lib/libcrypto/cast/cast.h b/src/lib/libcrypto/cast/cast.h
index b28e4e4f3b..9e300178d9 100644
--- a/src/lib/libcrypto/cast/cast.h
+++ b/src/lib/libcrypto/cast/cast.h
@@ -81,7 +81,10 @@ typedef struct cast_key_st
81 int short_key; /* Use reduced rounds for short key */ 81 int short_key; /* Use reduced rounds for short key */
82 } CAST_KEY; 82 } CAST_KEY;
83 83
84 84
85#ifdef OPENSSL_FIPS
86void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
87#endif
85void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); 88void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
86void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key, 89void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
87 int enc); 90 int enc);
diff --git a/src/lib/libcrypto/comp/c_zlib.c b/src/lib/libcrypto/comp/c_zlib.c
index 8c0876151a..1bd2850d15 100644
--- a/src/lib/libcrypto/comp/c_zlib.c
+++ b/src/lib/libcrypto/comp/c_zlib.c
@@ -3,6 +3,7 @@
3#include <string.h> 3#include <string.h>
4#include <openssl/objects.h> 4#include <openssl/objects.h>
5#include <openssl/comp.h> 5#include <openssl/comp.h>
6#include <openssl/err.h>
6 7
7COMP_METHOD *COMP_zlib(void ); 8COMP_METHOD *COMP_zlib(void );
8 9
@@ -189,7 +190,17 @@ COMP_METHOD *COMP_zlib(void)
189 if (!zlib_loaded) 190 if (!zlib_loaded)
190 { 191 {
191#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) 192#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
192 zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0); 193 zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
194 if (!zlib_dso)
195 {
196 zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
197 if (zlib_dso)
198 {
199 /* Clear the errors from the first failed
200 DSO_load() */
201 ERR_clear_error();
202 }
203 }
193#else 204#else
194 zlib_dso = DSO_load(NULL, "z", NULL, 0); 205 zlib_dso = DSO_load(NULL, "z", NULL, 0);
195#endif 206#endif
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 2e9f52f1fd..b5a876ae68 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -632,6 +632,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
632 BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from))); 632 BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)));
633 while (*p) 633 while (*p)
634 buf->data[to++]= *(p++); 634 buf->data[to++]= *(p++);
635
636 /* Since we change the pointer 'from', we also have
637 to change the perceived length of the string it
638 points at. /RL */
639 len -= e-from;
635 from=e; 640 from=e;
636 } 641 }
637 else 642 else
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index 2924def2bb..fef0afb29f 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -105,7 +105,9 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
105 "engine", 105 "engine",
106 "ui", 106 "ui",
107 "hwcrhk", /* This is a HACK which will disappear in 0.9.8 */ 107 "hwcrhk", /* This is a HACK which will disappear in 0.9.8 */
108#if CRYPTO_NUM_LOCKS != 33 108 "fips",
109 "fips2",
110#if CRYPTO_NUM_LOCKS != 35
109# error "Inconsistency between crypto.h and cryptlib.c" 111# error "Inconsistency between crypto.h and cryptlib.c"
110#endif 112#endif
111 }; 113 };
@@ -478,13 +480,12 @@ const char *CRYPTO_get_lock_name(int type)
478 return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS)); 480 return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
479 } 481 }
480 482
481#ifdef _DLL 483#if defined(_WIN32) && defined(_WINDLL)
482#ifdef OPENSSL_SYS_WIN32
483 484
484/* All we really need to do is remove the 'error' state when a thread 485/* All we really need to do is remove the 'error' state when a thread
485 * detaches */ 486 * detaches */
486 487
487BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, 488BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
488 LPVOID lpvReserved) 489 LPVOID lpvReserved)
489 { 490 {
490 switch(fdwReason) 491 switch(fdwReason)
@@ -503,8 +504,6 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
503 } 504 }
504#endif 505#endif
505 506
506#endif
507
508void OpenSSLDie(const char *file,int line,const char *assertion) 507void OpenSSLDie(const char *file,int line,const char *assertion)
509 { 508 {
510 fprintf(stderr, 509 fprintf(stderr,
@@ -512,3 +511,122 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
512 file,line,assertion); 511 file,line,assertion);
513 abort(); 512 abort();
514 } 513 }
514
515#ifdef OPENSSL_FIPS
516static int fips_started = 0;
517static int fips_mode = 0;
518static void *fips_rand_check = 0;
519static unsigned long fips_thread = 0;
520
521void fips_set_started(void)
522 {
523 fips_started = 1;
524 }
525
526int fips_is_started(void)
527 {
528 return fips_started;
529 }
530
531int fips_is_owning_thread(void)
532 {
533 int ret = 0;
534
535 if (fips_is_started())
536 {
537 CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
538 if (fips_thread != 0 && fips_thread == CRYPTO_thread_id())
539 ret = 1;
540 CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
541 }
542 return ret;
543 }
544
545int fips_set_owning_thread(void)
546 {
547 int ret = 0;
548
549 if (fips_is_started())
550 {
551 CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
552 if (fips_thread == 0)
553 {
554 fips_thread = CRYPTO_thread_id();
555 ret = 1;
556 }
557 CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
558 }
559 return ret;
560 }
561
562int fips_clear_owning_thread(void)
563 {
564 int ret = 0;
565
566 if (fips_is_started())
567 {
568 CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
569 if (fips_thread == CRYPTO_thread_id())
570 {
571 fips_thread = 0;
572 ret = 1;
573 }
574 CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
575 }
576 return ret;
577 }
578
579void fips_set_mode(int onoff)
580 {
581 int owning_thread = fips_is_owning_thread();
582
583 if (fips_is_started())
584 {
585 if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
586 fips_mode = onoff;
587 if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
588 }
589 }
590
591void fips_set_rand_check(void *rand_check)
592 {
593 int owning_thread = fips_is_owning_thread();
594
595 if (fips_is_started())
596 {
597 if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
598 fips_rand_check = rand_check;
599 if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
600 }
601 }
602
603int FIPS_mode(void)
604 {
605 int ret = 0;
606 int owning_thread = fips_is_owning_thread();
607
608 if (fips_is_started())
609 {
610 if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
611 ret = fips_mode;
612 if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
613 }
614 return ret;
615 }
616
617void *FIPS_rand_check(void)
618 {
619 void *ret = 0;
620 int owning_thread = fips_is_owning_thread();
621
622 if (fips_is_started())
623 {
624 if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
625 ret = fips_rand_check;
626 if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
627 }
628 return ret;
629 }
630
631#endif /* OPENSSL_FIPS */
632
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index 273bc5e3f8..4d1dfac7f1 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -128,7 +128,9 @@ extern "C" {
128#define CRYPTO_LOCK_ENGINE 30 128#define CRYPTO_LOCK_ENGINE 30
129#define CRYPTO_LOCK_UI 31 129#define CRYPTO_LOCK_UI 31
130#define CRYPTO_LOCK_HWCRHK 32 /* This is a HACK which will disappear in 0.9.8 */ 130#define CRYPTO_LOCK_HWCRHK 32 /* This is a HACK which will disappear in 0.9.8 */
131#define CRYPTO_NUM_LOCKS 33 131#define CRYPTO_LOCK_FIPS 33
132#define CRYPTO_LOCK_FIPS2 34
133#define CRYPTO_NUM_LOCKS 35
132 134
133#define CRYPTO_LOCK 1 135#define CRYPTO_LOCK 1
134#define CRYPTO_UNLOCK 2 136#define CRYPTO_UNLOCK 2
@@ -434,6 +436,63 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
434void OpenSSLDie(const char *file,int line,const char *assertion); 436void OpenSSLDie(const char *file,int line,const char *assertion);
435#define OPENSSL_assert(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e)) 437#define OPENSSL_assert(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
436 438
439#ifdef OPENSSL_FIPS
440int FIPS_mode(void);
441void *FIPS_rand_check(void);
442
443#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
444 alg " previous FIPS forbidden algorithm error ignored");
445
446#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
447 #alg " Algorithm forbidden in FIPS mode");
448
449#ifdef OPENSSL_FIPS_STRICT
450#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg)
451#else
452#define FIPS_BAD_ALGORITHM(alg) \
453 { \
454 FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \
455 ERR_add_error_data(2, "Algorithm=", #alg); \
456 return 0; \
457 }
458#endif
459
460/* Low level digest API blocking macro */
461
462#define FIPS_NON_FIPS_MD_Init(alg) \
463 int alg##_Init(alg##_CTX *c) \
464 { \
465 if (FIPS_mode()) \
466 FIPS_BAD_ALGORITHM(alg) \
467 return private_##alg##_Init(c); \
468 } \
469 int private_##alg##_Init(alg##_CTX *c)
470
471/* For ciphers the API often varies from cipher to cipher and each needs to
472 * be treated as a special case. Variable key length ciphers (Blowfish, RC4,
473 * CAST) however are very similar and can use a blocking macro.
474 */
475
476#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
477 void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \
478 { \
479 if (FIPS_mode()) \
480 FIPS_BAD_ABORT(alg) \
481 private_##alg##_set_key(key, len, data); \
482 } \
483 void private_##alg##_set_key(alg##_KEY *key, int len, \
484 const unsigned char *data)
485
486#else
487
488#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
489 void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data)
490
491#define FIPS_NON_FIPS_MD_Init(alg) \
492 int alg##_Init(alg##_CTX *c)
493
494#endif /* def OPENSSL_FIPS */
495
437/* BEGIN ERROR CODES */ 496/* BEGIN ERROR CODES */
438/* The following lines are auto generated by the script mkerr.pl. Any changes 497/* The following lines are auto generated by the script mkerr.pl. Any changes
439 * made after this point may be overwritten when the script is next run. 498 * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libcrypto/des/cfb64ede.c b/src/lib/libcrypto/des/cfb64ede.c
index 60c1aa08db..f3c6018528 100644
--- a/src/lib/libcrypto/des/cfb64ede.c
+++ b/src/lib/libcrypto/des/cfb64ede.c
@@ -57,6 +57,7 @@
57 */ 57 */
58 58
59#include "des_locl.h" 59#include "des_locl.h"
60#include "e_os.h"
60 61
61/* The input and output encrypted as though 64bit cfb mode is being 62/* The input and output encrypted as though 64bit cfb mode is being
62 * used. The extra state information to record how much of the 63 * used. The extra state information to record how much of the
@@ -140,3 +141,114 @@ void DES_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
140 DES_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc); 141 DES_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc);
141 } 142 }
142#endif 143#endif
144
145/* This is compatible with the single key CFB-r for DES, even thought that's
146 * not what EVP needs.
147 */
148
149void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
150 int numbits,long length,DES_key_schedule *ks1,
151 DES_key_schedule *ks2,DES_key_schedule *ks3,
152 DES_cblock *ivec,int enc)
153 {
154 register DES_LONG d0,d1,v0,v1;
155 register long l=length;
156 register int num=numbits,n=(numbits+7)/8,i;
157 DES_LONG ti[2];
158 unsigned char *iv;
159 unsigned char ovec[16];
160
161 if (num > 64) return;
162 iv = &(*ivec)[0];
163 c2l(iv,v0);
164 c2l(iv,v1);
165 if (enc)
166 {
167 while (l >= n)
168 {
169 l-=n;
170 ti[0]=v0;
171 ti[1]=v1;
172 DES_encrypt3(ti,ks1,ks2,ks3);
173 c2ln(in,d0,d1,n);
174 in+=n;
175 d0^=ti[0];
176 d1^=ti[1];
177 l2cn(d0,d1,out,n);
178 out+=n;
179 /* 30-08-94 - eay - changed because l>>32 and
180 * l<<32 are bad under gcc :-( */
181 if (num == 32)
182 { v0=v1; v1=d0; }
183 else if (num == 64)
184 { v0=d0; v1=d1; }
185 else
186 {
187 iv=&ovec[0];
188 l2c(v0,iv);
189 l2c(v1,iv);
190 l2c(d0,iv);
191 l2c(d1,iv);
192 /* shift ovec left most of the bits... */
193 memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
194 /* now the remaining bits */
195 if(num%8 != 0)
196 for(i=0 ; i < 8 ; ++i)
197 {
198 ovec[i]<<=num%8;
199 ovec[i]|=ovec[i+1]>>(8-num%8);
200 }
201 iv=&ovec[0];
202 c2l(iv,v0);
203 c2l(iv,v1);
204 }
205 }
206 }
207 else
208 {
209 while (l >= n)
210 {
211 l-=n;
212 ti[0]=v0;
213 ti[1]=v1;
214 DES_encrypt3(ti,ks1,ks2,ks3);
215 c2ln(in,d0,d1,n);
216 in+=n;
217 /* 30-08-94 - eay - changed because l>>32 and
218 * l<<32 are bad under gcc :-( */
219 if (num == 32)
220 { v0=v1; v1=d0; }
221 else if (num == 64)
222 { v0=d0; v1=d1; }
223 else
224 {
225 iv=&ovec[0];
226 l2c(v0,iv);
227 l2c(v1,iv);
228 l2c(d0,iv);
229 l2c(d1,iv);
230 /* shift ovec left most of the bits... */
231 memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
232 /* now the remaining bits */
233 if(num%8 != 0)
234 for(i=0 ; i < 8 ; ++i)
235 {
236 ovec[i]<<=num%8;
237 ovec[i]|=ovec[i+1]>>(8-num%8);
238 }
239 iv=&ovec[0];
240 c2l(iv,v0);
241 c2l(iv,v1);
242 }
243 d0^=ti[0];
244 d1^=ti[1];
245 l2cn(d0,d1,out,n);
246 out+=n;
247 }
248 }
249 iv = &(*ivec)[0];
250 l2c(v0,iv);
251 l2c(v1,iv);
252 v0=v1=d0=d1=ti[0]=ti[1]=0;
253 }
254
diff --git a/src/lib/libcrypto/des/des.h b/src/lib/libcrypto/des/des.h
index daaf239dbe..c5df1c9c7b 100644
--- a/src/lib/libcrypto/des/des.h
+++ b/src/lib/libcrypto/des/des.h
@@ -128,7 +128,7 @@ OPENSSL_DECLARE_GLOBAL(int,DES_rw_mode); /* defaults to DES_PCBC_MODE */
128#define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode) 128#define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode)
129 129
130const char *DES_options(void); 130const char *DES_options(void);
131void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, 131void DES_ecb3_encrypt(const unsigned char *input, unsigned char *output,
132 DES_key_schedule *ks1,DES_key_schedule *ks2, 132 DES_key_schedule *ks1,DES_key_schedule *ks2,
133 DES_key_schedule *ks3, int enc); 133 DES_key_schedule *ks3, int enc);
134DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output, 134DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output,
@@ -187,6 +187,10 @@ void DES_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
187 long length,DES_key_schedule *ks1, 187 long length,DES_key_schedule *ks1,
188 DES_key_schedule *ks2,DES_key_schedule *ks3, 188 DES_key_schedule *ks2,DES_key_schedule *ks3,
189 DES_cblock *ivec,int *num,int enc); 189 DES_cblock *ivec,int *num,int enc);
190void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
191 int numbits,long length,DES_key_schedule *ks1,
192 DES_key_schedule *ks2,DES_key_schedule *ks3,
193 DES_cblock *ivec,int enc);
190void DES_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out, 194void DES_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
191 long length,DES_key_schedule *ks1, 195 long length,DES_key_schedule *ks1,
192 DES_key_schedule *ks2,DES_key_schedule *ks3, 196 DES_key_schedule *ks2,DES_key_schedule *ks3,
diff --git a/src/lib/libcrypto/des/des_enc.c b/src/lib/libcrypto/des/des_enc.c
index 1c37ab96d3..72be2d98d7 100644
--- a/src/lib/libcrypto/des/des_enc.c
+++ b/src/lib/libcrypto/des/des_enc.c
@@ -58,6 +58,8 @@
58 58
59#include "des_locl.h" 59#include "des_locl.h"
60 60
61#ifndef OPENSSL_FIPS
62
61void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc) 63void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
62 { 64 {
63 register DES_LONG l,r,t,u; 65 register DES_LONG l,r,t,u;
@@ -287,8 +289,12 @@ void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
287 data[1]=r; 289 data[1]=r;
288 } 290 }
289 291
292#endif /* ndef OPENSSL_FIPS */
293
290#ifndef DES_DEFAULT_OPTIONS 294#ifndef DES_DEFAULT_OPTIONS
291 295
296#if !defined(OPENSSL_FIPS_DES_ASM)
297
292#undef CBC_ENC_C__DONT_UPDATE_IV 298#undef CBC_ENC_C__DONT_UPDATE_IV
293#include "ncbc_enc.c" /* DES_ncbc_encrypt */ 299#include "ncbc_enc.c" /* DES_ncbc_encrypt */
294 300
@@ -404,4 +410,6 @@ void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
404 tin[0]=tin[1]=0; 410 tin[0]=tin[1]=0;
405 } 411 }
406 412
413#endif /* !defined(OPENSSL_FIPS_DES_ASM) */
414
407#endif /* DES_DEFAULT_OPTIONS */ 415#endif /* DES_DEFAULT_OPTIONS */
diff --git a/src/lib/libcrypto/des/ecb3_enc.c b/src/lib/libcrypto/des/ecb3_enc.c
index c3437bc606..fa0c9c4d4f 100644
--- a/src/lib/libcrypto/des/ecb3_enc.c
+++ b/src/lib/libcrypto/des/ecb3_enc.c
@@ -58,15 +58,13 @@
58 58
59#include "des_locl.h" 59#include "des_locl.h"
60 60
61void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, 61void DES_ecb3_encrypt(const unsigned char *in, unsigned char *out,
62 DES_key_schedule *ks1, DES_key_schedule *ks2, 62 DES_key_schedule *ks1, DES_key_schedule *ks2,
63 DES_key_schedule *ks3, 63 DES_key_schedule *ks3,
64 int enc) 64 int enc)
65 { 65 {
66 register DES_LONG l0,l1; 66 register DES_LONG l0,l1;
67 DES_LONG ll[2]; 67 DES_LONG ll[2];
68 const unsigned char *in = &(*input)[0];
69 unsigned char *out = &(*output)[0];
70 68
71 c2l(in,l0); 69 c2l(in,l0);
72 c2l(in,l1); 70 c2l(in,l1);
diff --git a/src/lib/libcrypto/des/set_key.c b/src/lib/libcrypto/des/set_key.c
index 143008ed9c..8881d46a7a 100644
--- a/src/lib/libcrypto/des/set_key.c
+++ b/src/lib/libcrypto/des/set_key.c
@@ -65,6 +65,8 @@
65 */ 65 */
66#include "des_locl.h" 66#include "des_locl.h"
67 67
68#ifndef OPENSSL_FIPS
69
68OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key); /* defaults to false */ 70OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key); /* defaults to false */
69 71
70static const unsigned char odd_parity[256]={ 72static const unsigned char odd_parity[256]={
@@ -405,3 +407,5 @@ void des_fixup_key_parity(des_cblock *key)
405 des_set_odd_parity(key); 407 des_set_odd_parity(key);
406 } 408 }
407*/ 409*/
410
411#endif /* ndef OPENSSL_FIPS */
diff --git a/src/lib/libcrypto/dh/dh_check.c b/src/lib/libcrypto/dh/dh_check.c
index f0373f7d68..a7e9920efb 100644
--- a/src/lib/libcrypto/dh/dh_check.c
+++ b/src/lib/libcrypto/dh/dh_check.c
@@ -70,6 +70,8 @@
70 * should hold. 70 * should hold.
71 */ 71 */
72 72
73#ifndef OPENSSL_FIPS
74
73int DH_check(const DH *dh, int *ret) 75int DH_check(const DH *dh, int *ret)
74 { 76 {
75 int ok=0; 77 int ok=0;
@@ -118,3 +120,5 @@ err:
118 if (q != NULL) BN_free(q); 120 if (q != NULL) BN_free(q);
119 return(ok); 121 return(ok);
120 } 122 }
123
124#endif
diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c
index d837950aec..c2715044c9 100644
--- a/src/lib/libcrypto/dh/dh_err.c
+++ b/src/lib/libcrypto/dh/dh_err.c
@@ -1,6 +1,6 @@
1/* crypto/dh/dh_err.c */ 1/* crypto/dh/dh_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
diff --git a/src/lib/libcrypto/dh/dh_gen.c b/src/lib/libcrypto/dh/dh_gen.c
index 06f78b35ab..23777f5a16 100644
--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -86,6 +86,9 @@
86 * It's just as OK (and in some sense better) to use a generator of the 86 * It's just as OK (and in some sense better) to use a generator of the
87 * order-q subgroup. 87 * order-q subgroup.
88 */ 88 */
89
90#ifndef OPENSSL_FIPS
91
89DH *DH_generate_parameters(int prime_len, int generator, 92DH *DH_generate_parameters(int prime_len, int generator,
90 void (*callback)(int,int,void *), void *cb_arg) 93 void (*callback)(int,int,void *), void *cb_arg)
91 { 94 {
@@ -146,6 +149,7 @@ DH *DH_generate_parameters(int prime_len, int generator,
146 if (callback != NULL) callback(3,0,cb_arg); 149 if (callback != NULL) callback(3,0,cb_arg);
147 ret->p=p; 150 ret->p=p;
148 ret->g=BN_new(); 151 ret->g=BN_new();
152 if (ret->g == NULL) goto err;
149 if (!BN_set_word(ret->g,g)) goto err; 153 if (!BN_set_word(ret->g,g)) goto err;
150 ok=1; 154 ok=1;
151err: 155err:
@@ -167,3 +171,5 @@ err:
167 } 171 }
168 return(ret); 172 return(ret);
169 } 173 }
174
175#endif
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 77f2f50b51..ff125c2296 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -62,6 +62,8 @@
62#include <openssl/rand.h> 62#include <openssl/rand.h>
63#include <openssl/dh.h> 63#include <openssl/dh.h>
64 64
65#ifndef OPENSSL_FIPS
66
65static int generate_key(DH *dh); 67static int generate_key(DH *dh);
66static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); 68static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
67static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, 69static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -220,3 +222,5 @@ static int dh_finish(DH *dh)
220 BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p); 222 BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
221 return(1); 223 return(1);
222 } 224 }
225
226#endif
diff --git a/src/lib/libcrypto/doc/ERR_error_string.pod b/src/lib/libcrypto/doc/ERR_error_string.pod
index e01beb817a..cdfa7fe1fe 100644
--- a/src/lib/libcrypto/doc/ERR_error_string.pod
+++ b/src/lib/libcrypto/doc/ERR_error_string.pod
@@ -11,7 +11,7 @@ error message
11 #include <openssl/err.h> 11 #include <openssl/err.h>
12 12
13 char *ERR_error_string(unsigned long e, char *buf); 13 char *ERR_error_string(unsigned long e, char *buf);
14 char *ERR_error_string_n(unsigned long e, char *buf, size_t len); 14 void ERR_error_string_n(unsigned long e, char *buf, size_t len);
15 15
16 const char *ERR_lib_error_string(unsigned long e); 16 const char *ERR_lib_error_string(unsigned long e);
17 const char *ERR_func_error_string(unsigned long e); 17 const char *ERR_func_error_string(unsigned long e);
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
index daf57e5895..40e525dd56 100644
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -479,6 +479,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
479 if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen)) 479 if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
480 { 480 {
481 /* Error */ 481 /* Error */
482 EVP_CIPHER_CTX_cleanup(&ctx);
482 return 0; 483 return 0;
483 } 484 }
484 fwrite(outbuf, 1, outlen, out); 485 fwrite(outbuf, 1, outlen, out);
@@ -486,6 +487,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
486 if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen)) 487 if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
487 { 488 {
488 /* Error */ 489 /* Error */
490 EVP_CIPHER_CTX_cleanup(&ctx);
489 return 0; 491 return 0;
490 } 492 }
491 fwrite(outbuf, 1, outlen, out); 493 fwrite(outbuf, 1, outlen, out);
diff --git a/src/lib/libcrypto/doc/EVP_SealInit.pod b/src/lib/libcrypto/doc/EVP_SealInit.pod
index b5e477e294..48a0e29954 100644
--- a/src/lib/libcrypto/doc/EVP_SealInit.pod
+++ b/src/lib/libcrypto/doc/EVP_SealInit.pod
@@ -8,8 +8,9 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
8 8
9 #include <openssl/evp.h> 9 #include <openssl/evp.h>
10 10
11 int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek, 11 int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
12 int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk); 12 unsigned char **ek, int *ekl, unsigned char *iv,
13 EVP_PKEY **pubk, int npubk);
13 int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, 14 int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
14 int *outl, unsigned char *in, int inl); 15 int *outl, unsigned char *in, int inl);
15 int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, 16 int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/src/lib/libcrypto/doc/EVP_SignInit.pod b/src/lib/libcrypto/doc/EVP_SignInit.pod
index b203c3a1c5..b6e62ce7f6 100644
--- a/src/lib/libcrypto/doc/EVP_SignInit.pod
+++ b/src/lib/libcrypto/doc/EVP_SignInit.pod
@@ -29,11 +29,10 @@ EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
29signature context B<ctx>. This function can be called several times on the 29signature context B<ctx>. This function can be called several times on the
30same B<ctx> to include additional data. 30same B<ctx> to include additional data.
31 31
32EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> 32EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
33and places the signature in B<sig>. If the B<s> parameter is not NULL 33places the signature in B<sig>. The number of bytes of data written (i.e. the
34then the number of bytes of data written (i.e. the length of the signature) 34length of the signature) will be written to the integer at B<s>, at most
35will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes 35EVP_PKEY_size(pkey) bytes will be written.
36will be written.
37 36
38EVP_SignInit() initializes a signing context B<ctx> to use the default 37EVP_SignInit() initializes a signing context B<ctx> to use the default
39implementation of digest B<type>. 38implementation of digest B<type>.
diff --git a/src/lib/libcrypto/doc/RSA_public_encrypt.pod b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
index d53e19d2b7..ab0fe3b2cd 100644
--- a/src/lib/libcrypto/doc/RSA_public_encrypt.pod
+++ b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
@@ -47,9 +47,10 @@ Encrypting user data directly with RSA is insecure.
47=back 47=back
48 48
49B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5 49B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
50based padding modes, and less than RSA_size(B<rsa>) - 41 for 50based padding modes, less than RSA_size(B<rsa>) - 41 for
51RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded 51RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
52prior to calling RSA_public_encrypt(). 52The random number generator must be seeded prior to calling
53RSA_public_encrypt().
53 54
54RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the 55RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
55private key B<rsa> and stores the plaintext in B<to>. B<to> must point 56private key B<rsa> and stores the plaintext in B<to>. B<to> must point
diff --git a/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod b/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod
index d287c18564..11b35f6fd3 100644
--- a/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod
+++ b/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod
@@ -13,11 +13,11 @@ ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
13ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); 13ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
14 14
15int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj); 15int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj);
16int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, unsigned char *bytes, int len); 16int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len);
17 17
18X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, char *field, int type, unsigned char *bytes, int len); 18X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len);
19X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len); 19X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len);
20X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type,unsigned char *bytes, int len); 20X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len);
21 21
22=head1 DESCRIPTION 22=head1 DESCRIPTION
23 23
diff --git a/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod b/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod
index 4472a1c5cf..e2ab4b0d2b 100644
--- a/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod
+++ b/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod
@@ -7,10 +7,14 @@ X509_NAME_add_entry, X509_NAME_delete_entry - X509_NAME modification functions
7 7
8=head1 SYNOPSIS 8=head1 SYNOPSIS
9 9
10int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, unsigned char *bytes, int len, int loc, int set); 10int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const unsigned char *bytes, int len, int loc, int set);
11
11int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set); 12int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set);
13
12int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set); 14int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set);
15
13int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set); 16int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set);
17
14X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc); 18X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
15 19
16=head1 DESCRIPTION 20=head1 DESCRIPTION
diff --git a/src/lib/libcrypto/doc/X509_NAME_print_ex.pod b/src/lib/libcrypto/doc/X509_NAME_print_ex.pod
index 907c04f684..919b908919 100644
--- a/src/lib/libcrypto/doc/X509_NAME_print_ex.pod
+++ b/src/lib/libcrypto/doc/X509_NAME_print_ex.pod
@@ -41,8 +41,8 @@ applications.
41Although there are a large number of possible flags for most purposes 41Although there are a large number of possible flags for most purposes
42B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice. 42B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice.
43As noted on the L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)> manual page 43As noted on the L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)> manual page
44for UTF8 terminals the B<ASN1_STRFLAGS_ESC_MSB> should be unset: so for example 44for UTF8 terminals the B<ASN1_STRFLGS_ESC_MSB> should be unset: so for example
45B<XN_FLAG_ONELINE & ~ASN1_STRFLAGS_ESC_MSB> would be used. 45B<XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB> would be used.
46 46
47The complete set of the flags supported by X509_NAME_print_ex() is listed below. 47The complete set of the flags supported by X509_NAME_print_ex() is listed below.
48 48
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index 9b3baadf2c..225ff391f9 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -81,6 +81,10 @@
81 81
82#define DSA_FLAG_CACHE_MONT_P 0x01 82#define DSA_FLAG_CACHE_MONT_P 0x01
83 83
84#if defined(OPENSSL_FIPS)
85#define FIPS_DSA_SIZE_T int
86#endif
87
84#ifdef __cplusplus 88#ifdef __cplusplus
85extern "C" { 89extern "C" {
86#endif 90#endif
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index dc9c249310..e40afeea51 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -80,6 +80,7 @@
80#include <openssl/rand.h> 80#include <openssl/rand.h>
81#include <openssl/sha.h> 81#include <openssl/sha.h>
82 82
83#ifndef OPENSSL_FIPS
83DSA *DSA_generate_parameters(int bits, 84DSA *DSA_generate_parameters(int bits,
84 unsigned char *seed_in, int seed_len, 85 unsigned char *seed_in, int seed_len,
85 int *counter_ret, unsigned long *h_ret, 86 int *counter_ret, unsigned long *h_ret,
@@ -127,8 +128,9 @@ DSA *DSA_generate_parameters(int bits,
127 c = BN_CTX_get(ctx2); 128 c = BN_CTX_get(ctx2);
128 p = BN_CTX_get(ctx2); 129 p = BN_CTX_get(ctx2);
129 test = BN_CTX_get(ctx2); 130 test = BN_CTX_get(ctx2);
131 if (test == NULL) goto err;
130 132
131 BN_lshift(test,BN_value_one(),bits-1); 133 if (!BN_lshift(test,BN_value_one(),bits-1)) goto err;
132 134
133 for (;;) 135 for (;;)
134 { 136 {
@@ -196,7 +198,7 @@ DSA *DSA_generate_parameters(int bits,
196 callback(0,counter,cb_arg); 198 callback(0,counter,cb_arg);
197 199
198 /* step 7 */ 200 /* step 7 */
199 BN_zero(W); 201 if (!BN_zero(W)) goto err;
200 /* now 'buf' contains "SEED + offset - 1" */ 202 /* now 'buf' contains "SEED + offset - 1" */
201 for (k=0; k<=n; k++) 203 for (k=0; k<=n; k++)
202 { 204 {
@@ -212,20 +214,20 @@ DSA *DSA_generate_parameters(int bits,
212 /* step 8 */ 214 /* step 8 */
213 if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) 215 if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
214 goto err; 216 goto err;
215 BN_lshift(r0,r0,160*k); 217 if (!BN_lshift(r0,r0,160*k)) goto err;
216 BN_add(W,W,r0); 218 if (!BN_add(W,W,r0)) goto err;
217 } 219 }
218 220
219 /* more of step 8 */ 221 /* more of step 8 */
220 BN_mask_bits(W,bits-1); 222 if (!BN_mask_bits(W,bits-1)) goto err;
221 BN_copy(X,W); /* this should be ok */ 223 if (!BN_copy(X,W)) goto err;
222 BN_add(X,X,test); /* this should be ok */ 224 if (!BN_add(X,X,test)) goto err;
223 225
224 /* step 9 */ 226 /* step 9 */
225 BN_lshift1(r0,q); 227 if (!BN_lshift1(r0,q)) goto err;
226 BN_mod(c,X,r0,ctx); 228 if (!BN_mod(c,X,r0,ctx)) goto err;
227 BN_sub(r0,c,BN_value_one()); 229 if (!BN_sub(r0,c,BN_value_one())) goto err;
228 BN_sub(p,X,r0); 230 if (!BN_sub(p,X,r0)) goto err;
229 231
230 /* step 10 */ 232 /* step 10 */
231 if (BN_cmp(p,test) >= 0) 233 if (BN_cmp(p,test) >= 0)
@@ -251,18 +253,18 @@ end:
251 253
252 /* We now need to generate g */ 254 /* We now need to generate g */
253 /* Set r0=(p-1)/q */ 255 /* Set r0=(p-1)/q */
254 BN_sub(test,p,BN_value_one()); 256 if (!BN_sub(test,p,BN_value_one())) goto err;
255 BN_div(r0,NULL,test,q,ctx); 257 if (!BN_div(r0,NULL,test,q,ctx)) goto err;
256 258
257 BN_set_word(test,h); 259 if (!BN_set_word(test,h)) goto err;
258 BN_MONT_CTX_set(mont,p,ctx); 260 if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
259 261
260 for (;;) 262 for (;;)
261 { 263 {
262 /* g=test^r0%p */ 264 /* g=test^r0%p */
263 BN_mod_exp_mont(g,test,r0,p,ctx,mont); 265 if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
264 if (!BN_is_one(g)) break; 266 if (!BN_is_one(g)) break;
265 BN_add(test,test,BN_value_one()); 267 if (!BN_add(test,test,BN_value_one())) goto err;
266 h++; 268 h++;
267 } 269 }
268 270
@@ -279,6 +281,11 @@ err:
279 ret->p=BN_dup(p); 281 ret->p=BN_dup(p);
280 ret->q=BN_dup(q); 282 ret->q=BN_dup(q);
281 ret->g=BN_dup(g); 283 ret->g=BN_dup(g);
284 if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
285 {
286 ok=0;
287 goto err;
288 }
282 if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20); 289 if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
283 if (counter_ret != NULL) *counter_ret=counter; 290 if (counter_ret != NULL) *counter_ret=counter;
284 if (h_ret != NULL) *h_ret=h; 291 if (h_ret != NULL) *h_ret=h;
@@ -293,4 +300,6 @@ err:
293 if (mont != NULL) BN_MONT_CTX_free(mont); 300 if (mont != NULL) BN_MONT_CTX_free(mont);
294 return(ok?ret:NULL); 301 return(ok?ret:NULL);
295 } 302 }
296#endif 303#endif /* ndef OPENSSL_FIPS */
304#endif /* ndef OPENSSL_NO_SHA */
305
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index ef87c3e637..30607ca579 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,6 +64,7 @@
64#include <openssl/dsa.h> 64#include <openssl/dsa.h>
65#include <openssl/rand.h> 65#include <openssl/rand.h>
66 66
67#ifndef OPENSSL_FIPS
67int DSA_generate_key(DSA *dsa) 68int DSA_generate_key(DSA *dsa)
68 { 69 {
69 int ok=0; 70 int ok=0;
@@ -103,3 +104,4 @@ err:
103 return(ok); 104 return(ok);
104 } 105 }
105#endif 106#endif
107#endif
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index b9e7f3ea5c..f1a85afcde 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -65,6 +65,7 @@
65#include <openssl/rand.h> 65#include <openssl/rand.h>
66#include <openssl/asn1.h> 66#include <openssl/asn1.h>
67 67
68#ifndef OPENSSL_FIPS
68static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); 69static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
69static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); 70static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
70static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, 71static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -346,3 +347,4 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
346{ 347{
347 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); 348 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
348} 349}
350#endif
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index 89205026f0..3c9753bac3 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -64,9 +64,17 @@
64#include <openssl/dsa.h> 64#include <openssl/dsa.h>
65#include <openssl/rand.h> 65#include <openssl/rand.h>
66#include <openssl/asn1.h> 66#include <openssl/asn1.h>
67#ifndef OPENSSL_NO_ENGINE
68#include <openssl/engine.h>
69#endif
70#include <openssl/fips.h>
67 71
68DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) 72DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
69 { 73 {
74#ifdef OPENSSL_FIPS
75 if(FIPS_mode() && !FIPS_dsa_check(dsa))
76 return NULL;
77#endif
70 return dsa->meth->dsa_do_sign(dgst, dlen, dsa); 78 return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
71 } 79 }
72 80
@@ -87,6 +95,10 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
87 95
88int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 96int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
89 { 97 {
98#ifdef OPENSSL_FIPS
99 if(FIPS_mode() && !FIPS_dsa_check(dsa))
100 return 0;
101#endif
90 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); 102 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
91 } 103 }
92 104
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index c4aeddd056..8ef0c45025 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -65,10 +65,18 @@
65#include <openssl/rand.h> 65#include <openssl/rand.h>
66#include <openssl/asn1.h> 66#include <openssl/asn1.h>
67#include <openssl/asn1_mac.h> 67#include <openssl/asn1_mac.h>
68#ifndef OPENSSL_NO_ENGINE
69#include <openssl/engine.h>
70#endif
71#include <openssl/fips.h>
68 72
69int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, 73int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
70 DSA *dsa) 74 DSA *dsa)
71 { 75 {
76#ifdef OPENSSL_FIPS
77 if(FIPS_mode() && !FIPS_dsa_check(dsa))
78 return -1;
79#endif
72 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); 80 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
73 } 81 }
74 82
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 792f329600..c78790a54c 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
149{ERR_PACK(ERR_LIB_DSO,0,0) ,"DSO support routines"}, 149{ERR_PACK(ERR_LIB_DSO,0,0) ,"DSO support routines"},
150{ERR_PACK(ERR_LIB_ENGINE,0,0) ,"engine routines"}, 150{ERR_PACK(ERR_LIB_ENGINE,0,0) ,"engine routines"},
151{ERR_PACK(ERR_LIB_OCSP,0,0) ,"OCSP routines"}, 151{ERR_PACK(ERR_LIB_OCSP,0,0) ,"OCSP routines"},
152{ERR_PACK(ERR_LIB_FIPS,0,0) ,"FIPS routines"},
152{0,NULL}, 153{0,NULL},
153 }; 154 };
154 155
@@ -167,6 +168,7 @@ static ERR_STRING_DATA ERR_str_functs[]=
167#endif 168#endif
168 {ERR_PACK(0,SYS_F_OPENDIR,0), "opendir"}, 169 {ERR_PACK(0,SYS_F_OPENDIR,0), "opendir"},
169 {ERR_PACK(0,SYS_F_FREAD,0), "fread"}, 170 {ERR_PACK(0,SYS_F_FREAD,0), "fread"},
171 {ERR_PACK(0,SYS_F_GETADDRINFO,0), "getaddrinfo"},
170 {0,NULL}, 172 {0,NULL},
171 }; 173 };
172 174
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index 8faa3a7b4f..2efa18866a 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -131,6 +131,7 @@ typedef struct err_state_st
131#define ERR_LIB_OCSP 39 131#define ERR_LIB_OCSP 39
132#define ERR_LIB_UI 40 132#define ERR_LIB_UI 40
133#define ERR_LIB_COMP 41 133#define ERR_LIB_COMP 41
134#define ERR_LIB_FIPS 42
134 135
135#define ERR_LIB_USER 128 136#define ERR_LIB_USER 128
136 137
@@ -159,6 +160,7 @@ typedef struct err_state_st
159#define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__) 160#define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__)
160#define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__) 161#define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__)
161#define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__) 162#define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__)
163#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
162 164
163/* Borland C seems too stupid to be able to shift and do longs in 165/* Borland C seems too stupid to be able to shift and do longs in
164 * the pre-processor :-( */ 166 * the pre-processor :-( */
@@ -183,6 +185,7 @@ typedef struct err_state_st
183#define SYS_F_WSASTARTUP 9 /* Winsock stuff */ 185#define SYS_F_WSASTARTUP 9 /* Winsock stuff */
184#define SYS_F_OPENDIR 10 186#define SYS_F_OPENDIR 10
185#define SYS_F_FREAD 11 187#define SYS_F_FREAD 11
188#define SYS_F_GETADDRINFO 12
186 189
187 190
188/* reasons */ 191/* reasons */
diff --git a/src/lib/libcrypto/err/err_all.c b/src/lib/libcrypto/err/err_all.c
index dc505d9d9d..4dc9300892 100644
--- a/src/lib/libcrypto/err/err_all.c
+++ b/src/lib/libcrypto/err/err_all.c
@@ -87,6 +87,7 @@
87#endif 87#endif
88#include <openssl/ocsp.h> 88#include <openssl/ocsp.h>
89#include <openssl/err.h> 89#include <openssl/err.h>
90#include <openssl/fips.h>
90 91
91void ERR_load_crypto_strings(void) 92void ERR_load_crypto_strings(void)
92 { 93 {
@@ -130,4 +131,7 @@ void ERR_load_crypto_strings(void)
130 ERR_load_OCSP_strings(); 131 ERR_load_OCSP_strings();
131 ERR_load_UI_strings(); 132 ERR_load_UI_strings();
132#endif 133#endif
134#ifdef OPENSSL_FIPS
135 ERR_load_FIPS_strings();
136#endif
133 } 137 }
diff --git a/src/lib/libcrypto/err/openssl.ec b/src/lib/libcrypto/err/openssl.ec
index 29a69dfdd4..447a7f87ed 100644
--- a/src/lib/libcrypto/err/openssl.ec
+++ b/src/lib/libcrypto/err/openssl.ec
@@ -27,6 +27,7 @@ L DSO crypto/dso/dso.h crypto/dso/dso_err.c
27L ENGINE crypto/engine/engine.h crypto/engine/eng_err.c 27L ENGINE crypto/engine/engine.h crypto/engine/eng_err.c
28L OCSP crypto/ocsp/ocsp.h crypto/ocsp/ocsp_err.c 28L OCSP crypto/ocsp/ocsp.h crypto/ocsp/ocsp_err.c
29L UI crypto/ui/ui.h crypto/ui/ui_err.c 29L UI crypto/ui/ui.h crypto/ui/ui_err.c
30L FIPS fips/fips.h fips/fips_err.h
30 31
31# additional header files to be scanned for function names 32# additional header files to be scanned for function names
32L NONE crypto/x509/x509_vfy.h NONE 33L NONE crypto/x509/x509_vfy.h NONE
diff --git a/src/lib/libcrypto/evp/bio_md.c b/src/lib/libcrypto/evp/bio_md.c
index c632dfb202..f4aa41ac4b 100644
--- a/src/lib/libcrypto/evp/bio_md.c
+++ b/src/lib/libcrypto/evp/bio_md.c
@@ -176,10 +176,11 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
176 { 176 {
177 case BIO_CTRL_RESET: 177 case BIO_CTRL_RESET:
178 if (b->init) 178 if (b->init)
179 EVP_DigestInit_ex(ctx,ctx->digest, NULL); 179 ret = EVP_DigestInit_ex(ctx,ctx->digest, NULL);
180 else 180 else
181 ret=0; 181 ret=0;
182 ret=BIO_ctrl(b->next_bio,cmd,num,ptr); 182 if (ret > 0)
183 ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
183 break; 184 break;
184 case BIO_C_GET_MD: 185 case BIO_C_GET_MD:
185 if (b->init) 186 if (b->init)
@@ -191,11 +192,12 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
191 ret=0; 192 ret=0;
192 break; 193 break;
193 case BIO_C_GET_MD_CTX: 194 case BIO_C_GET_MD_CTX:
195 pctx=ptr;
196 *pctx=ctx;
197 break;
198 case BIO_C_SET_MD_CTX:
194 if (b->init) 199 if (b->init)
195 { 200 b->ptr=ptr;
196 pctx=ptr;
197 *pctx=ctx;
198 }
199 else 201 else
200 ret=0; 202 ret=0;
201 break; 203 break;
@@ -207,8 +209,9 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
207 209
208 case BIO_C_SET_MD: 210 case BIO_C_SET_MD:
209 md=ptr; 211 md=ptr;
210 EVP_DigestInit_ex(ctx,md, NULL); 212 ret = EVP_DigestInit_ex(ctx,md, NULL);
211 b->init=1; 213 if (ret > 0)
214 b->init=1;
212 break; 215 break;
213 case BIO_CTRL_DUP: 216 case BIO_CTRL_DUP:
214 dbio=ptr; 217 dbio=ptr;
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index 0623ddf1f0..f21c63842c 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -137,6 +137,39 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
137 return EVP_DigestInit_ex(ctx, type, NULL); 137 return EVP_DigestInit_ex(ctx, type, NULL);
138 } 138 }
139 139
140#ifdef OPENSSL_FIPS
141
142/* The purpose of these is to trap programs that attempt to use non FIPS
143 * algorithms in FIPS mode and ignore the errors.
144 */
145
146static int bad_init(EVP_MD_CTX *ctx)
147 { FIPS_ERROR_IGNORED("Digest init"); return 0;}
148
149static int bad_update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
150 { FIPS_ERROR_IGNORED("Digest update"); return 0;}
151
152static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
153 { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
154
155static const EVP_MD bad_md =
156 {
157 0,
158 0,
159 0,
160 0,
161 bad_init,
162 bad_update,
163 bad_final,
164 NULL,
165 NULL,
166 NULL,
167 0,
168 {0,0,0,0},
169 };
170
171#endif
172
140int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) 173int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
141 { 174 {
142 EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); 175 EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
@@ -195,6 +228,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
195#endif 228#endif
196 if (ctx->digest != type) 229 if (ctx->digest != type)
197 { 230 {
231#ifdef OPENSSL_FIPS
232 if (FIPS_mode())
233 {
234 if (!(type->flags & EVP_MD_FLAG_FIPS)
235 && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
236 {
237 EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
238 ctx->digest = &bad_md;
239 return 0;
240 }
241 }
242#endif
198 if (ctx->digest && ctx->digest->ctx_size) 243 if (ctx->digest && ctx->digest->ctx_size)
199 OPENSSL_free(ctx->md_data); 244 OPENSSL_free(ctx->md_data);
200 ctx->digest=type; 245 ctx->digest=type;
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index fe8bcda631..f35036c9d7 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -67,34 +67,52 @@ typedef struct
67 67
68IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY, 68IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
69 NID_aes_128, 16, 16, 16, 128, 69 NID_aes_128, 16, 16, 16, 128,
70 0, aes_init_key, NULL, 70 EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
71 EVP_CIPHER_set_asn1_iv, 71 EVP_CIPHER_set_asn1_iv,
72 EVP_CIPHER_get_asn1_iv, 72 EVP_CIPHER_get_asn1_iv,
73 NULL) 73 NULL)
74IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY, 74IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
75 NID_aes_192, 16, 24, 16, 128, 75 NID_aes_192, 16, 24, 16, 128,
76 0, aes_init_key, NULL, 76 EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
77 EVP_CIPHER_set_asn1_iv, 77 EVP_CIPHER_set_asn1_iv,
78 EVP_CIPHER_get_asn1_iv, 78 EVP_CIPHER_get_asn1_iv,
79 NULL) 79 NULL)
80IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY, 80IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
81 NID_aes_256, 16, 32, 16, 128, 81 NID_aes_256, 16, 32, 16, 128,
82 0, aes_init_key, NULL, 82 EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
83 EVP_CIPHER_set_asn1_iv, 83 EVP_CIPHER_set_asn1_iv,
84 EVP_CIPHER_get_asn1_iv, 84 EVP_CIPHER_get_asn1_iv,
85 NULL) 85 NULL)
86 86
87#define IMPLEMENT_AES_CFBR(ksize,cbits,flags) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
88
89IMPLEMENT_AES_CFBR(128,1,0)
90IMPLEMENT_AES_CFBR(192,1,0)
91IMPLEMENT_AES_CFBR(256,1,0)
92
93IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
94IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
95IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
96
87static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 97static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
88 const unsigned char *iv, int enc) { 98 const unsigned char *iv, int enc)
99 {
100 int ret;
89 101
90 if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE 102 if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE
91 || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE 103 || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE
92 || enc) 104 || enc)
93 AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); 105 ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
94 else 106 else
95 AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); 107 ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
108
109 if(ret < 0)
110 {
111 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
112 return 0;
113 }
96 114
97 return 1; 115 return 1;
98} 116 }
99 117
100#endif 118#endif
diff --git a/src/lib/libcrypto/evp/e_des.c b/src/lib/libcrypto/evp/e_des.c
index 105266a4b3..46e2899825 100644
--- a/src/lib/libcrypto/evp/e_des.c
+++ b/src/lib/libcrypto/evp/e_des.c
@@ -56,9 +56,9 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 58
59#ifndef OPENSSL_NO_DES
60#include <stdio.h> 59#include <stdio.h>
61#include "cryptlib.h" 60#include "cryptlib.h"
61#ifndef OPENSSL_NO_DES
62#include <openssl/evp.h> 62#include <openssl/evp.h>
63#include <openssl/objects.h> 63#include <openssl/objects.h>
64#include "evp_locl.h" 64#include "evp_locl.h"
@@ -92,20 +92,55 @@ static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
92 return 1; 92 return 1;
93} 93}
94 94
95static int des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 95static int des_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
96 const unsigned char *in, unsigned int inl) 96 const unsigned char *in, unsigned int inl)
97{ 97{
98 DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data, 98 DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data,
99 (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt); 99 (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
100 return 1; 100 return 1;
101} 101}
102 102
103/* Although we have a CFB-r implementation for DES, it doesn't pack the right
104 way, so wrap it here */
105static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
106 const unsigned char *in, unsigned int inl)
107 {
108 unsigned int n;
109 unsigned char c[1],d[1];
110
111 for(n=0 ; n < inl ; ++n)
112 {
113 c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
114 DES_cfb_encrypt(c,d,1,1,ctx->cipher_data,(DES_cblock *)ctx->iv,
115 ctx->encrypt);
116 out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
117 }
118 return 1;
119 }
120
121static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
122 const unsigned char *in, unsigned int inl)
123 {
124 DES_cfb_encrypt(in,out,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv,
125 ctx->encrypt);
126 return 1;
127 }
128
103BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64, 129BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
104 0, des_init_key, NULL, 130 EVP_CIPH_FLAG_FIPS, des_init_key, NULL,
105 EVP_CIPHER_set_asn1_iv, 131 EVP_CIPHER_set_asn1_iv,
106 EVP_CIPHER_get_asn1_iv, 132 EVP_CIPHER_get_asn1_iv,
107 NULL) 133 NULL)
108 134
135BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,
136 EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
137 EVP_CIPHER_set_asn1_iv,
138 EVP_CIPHER_get_asn1_iv,NULL)
139
140BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,
141 EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
142 EVP_CIPHER_set_asn1_iv,
143 EVP_CIPHER_get_asn1_iv,NULL)
109 144
110static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 145static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
111 const unsigned char *iv, int enc) 146 const unsigned char *iv, int enc)
diff --git a/src/lib/libcrypto/evp/e_des3.c b/src/lib/libcrypto/evp/e_des3.c
index 077860e7b6..677322bf02 100644
--- a/src/lib/libcrypto/evp/e_des3.c
+++ b/src/lib/libcrypto/evp/e_des3.c
@@ -56,9 +56,9 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 58
59#ifndef OPENSSL_NO_DES
60#include <stdio.h> 59#include <stdio.h>
61#include "cryptlib.h" 60#include "cryptlib.h"
61#ifndef OPENSSL_NO_DES
62#include <openssl/evp.h> 62#include <openssl/evp.h>
63#include <openssl/objects.h> 63#include <openssl/objects.h>
64#include "evp_locl.h" 64#include "evp_locl.h"
@@ -85,7 +85,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
85 const unsigned char *in, unsigned int inl) 85 const unsigned char *in, unsigned int inl)
86{ 86{
87 BLOCK_CIPHER_ecb_loop() 87 BLOCK_CIPHER_ecb_loop()
88 DES_ecb3_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), 88 DES_ecb3_encrypt(in + i,out + i,
89 &data(ctx)->ks1, &data(ctx)->ks2, 89 &data(ctx)->ks1, &data(ctx)->ks2,
90 &data(ctx)->ks3, 90 &data(ctx)->ks3,
91 ctx->encrypt); 91 ctx->encrypt);
@@ -121,7 +121,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
121 return 1; 121 return 1;
122} 122}
123 123
124static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 124static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
125 const unsigned char *in, unsigned int inl) 125 const unsigned char *in, unsigned int inl)
126{ 126{
127 DES_ede3_cfb64_encrypt(in, out, (long)inl, 127 DES_ede3_cfb64_encrypt(in, out, (long)inl,
@@ -130,23 +130,62 @@ static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
130 return 1; 130 return 1;
131} 131}
132 132
133/* Although we have a CFB-r implementation for 3-DES, it doesn't pack the right
134 way, so wrap it here */
135static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
136 const unsigned char *in, unsigned int inl)
137 {
138 unsigned int n;
139 unsigned char c[1],d[1];
140
141 for(n=0 ; n < inl ; ++n)
142 {
143 c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
144 DES_ede3_cfb_encrypt(c,d,1,1,
145 &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
146 (DES_cblock *)ctx->iv,ctx->encrypt);
147 out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
148 }
149
150 return 1;
151 }
152
153static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
154 const unsigned char *in, unsigned int inl)
155 {
156 DES_ede3_cfb_encrypt(in,out,8,inl,
157 &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
158 (DES_cblock *)ctx->iv,ctx->encrypt);
159 return 1;
160 }
161
133BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, 162BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
134 0, des_ede_init_key, NULL, 163 EVP_CIPH_FLAG_FIPS, des_ede_init_key, NULL,
135 EVP_CIPHER_set_asn1_iv, 164 EVP_CIPHER_set_asn1_iv,
136 EVP_CIPHER_get_asn1_iv, 165 EVP_CIPHER_get_asn1_iv,
137 NULL) 166 NULL)
138 167
139#define des_ede3_cfb_cipher des_ede_cfb_cipher 168#define des_ede3_cfb64_cipher des_ede_cfb64_cipher
140#define des_ede3_ofb_cipher des_ede_ofb_cipher 169#define des_ede3_ofb_cipher des_ede_ofb_cipher
141#define des_ede3_cbc_cipher des_ede_cbc_cipher 170#define des_ede3_cbc_cipher des_ede_cbc_cipher
142#define des_ede3_ecb_cipher des_ede_ecb_cipher 171#define des_ede3_ecb_cipher des_ede_ecb_cipher
143 172
144BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, 173BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
145 0, des_ede3_init_key, NULL, 174 EVP_CIPH_FLAG_FIPS, des_ede3_init_key, NULL,
146 EVP_CIPHER_set_asn1_iv, 175 EVP_CIPHER_set_asn1_iv,
147 EVP_CIPHER_get_asn1_iv, 176 EVP_CIPHER_get_asn1_iv,
148 NULL) 177 NULL)
149 178
179BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
180 EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
181 EVP_CIPHER_set_asn1_iv,
182 EVP_CIPHER_get_asn1_iv,NULL)
183
184BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
185 EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
186 EVP_CIPHER_set_asn1_iv,
187 EVP_CIPHER_get_asn1_iv,NULL)
188
150static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 189static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
151 const unsigned char *iv, int enc) 190 const unsigned char *iv, int enc)
152 { 191 {
diff --git a/src/lib/libcrypto/evp/e_null.c b/src/lib/libcrypto/evp/e_null.c
index 2420d7e5af..a84b0f14b1 100644
--- a/src/lib/libcrypto/evp/e_null.c
+++ b/src/lib/libcrypto/evp/e_null.c
@@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher=
69 { 69 {
70 NID_undef, 70 NID_undef,
71 1,0,0, 71 1,0,0,
72 0, 72 EVP_CIPH_FLAG_FIPS,
73 null_init_key, 73 null_init_key,
74 null_cipher, 74 null_cipher,
75 NULL, 75 NULL,
diff --git a/src/lib/libcrypto/evp/e_old.c b/src/lib/libcrypto/evp/e_old.c
new file mode 100644
index 0000000000..92dc498945
--- /dev/null
+++ b/src/lib/libcrypto/evp/e_old.c
@@ -0,0 +1,108 @@
1/* crypto/evp/e_old.c -*- mode:C; c-file-style: "eay" -*- */
2/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/evp.h>
60
61/* Define some deprecated functions, so older programs
62 don't crash and burn too quickly. On Windows and VMS,
63 these will never be used, since functions and variables
64 in shared libraries are selected by entry point location,
65 not by name. */
66
67#ifndef OPENSSL_NO_BF
68#undef EVP_bf_cfb
69const EVP_CIPHER *EVP_bf_cfb(void) { return EVP_bf_cfb64(); }
70#endif
71
72#ifndef OPENSSL_NO_DES
73#undef EVP_des_cfb
74const EVP_CIPHER *EVP_des_cfb(void) { return EVP_des_cfb64(); }
75#undef EVP_des_ede3_cfb
76const EVP_CIPHER *EVP_des_ede3_cfb(void) { return EVP_des_ede3_cfb64(); }
77#undef EVP_des_ede_cfb
78const EVP_CIPHER *EVP_des_ede_cfb(void) { return EVP_des_ede_cfb64(); }
79#endif
80
81#ifndef OPENSSL_NO_IDEA
82#undef EVP_idea_cfb
83const EVP_CIPHER *EVP_idea_cfb(void) { return EVP_idea_cfb64(); }
84#endif
85
86#ifndef OPENSSL_NO_RC2
87#undef EVP_rc2_cfb
88const EVP_CIPHER *EVP_rc2_cfb(void) { return EVP_rc2_cfb64(); }
89#endif
90
91#ifndef OPENSSL_NO_CAST
92#undef EVP_cast5_cfb
93const EVP_CIPHER *EVP_cast5_cfb(void) { return EVP_cast5_cfb64(); }
94#endif
95
96#ifndef OPENSSL_NO_RC5
97#undef EVP_rc5_32_12_16_cfb
98const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void) { return EVP_rc5_32_12_16_cfb64(); }
99#endif
100
101#ifndef OPENSSL_NO_AES
102#undef EVP_aes_128_cfb
103const EVP_CIPHER *EVP_aes_128_cfb(void) { return EVP_aes_128_cfb128(); }
104#undef EVP_aes_192_cfb
105const EVP_CIPHER *EVP_aes_192_cfb(void) { return EVP_aes_192_cfb128(); }
106#undef EVP_aes_256_cfb
107const EVP_CIPHER *EVP_aes_256_cfb(void) { return EVP_aes_256_cfb128(); }
108#endif
diff --git a/src/lib/libcrypto/evp/e_rc4.c b/src/lib/libcrypto/evp/e_rc4.c
index d58f507837..8aa70585b9 100644
--- a/src/lib/libcrypto/evp/e_rc4.c
+++ b/src/lib/libcrypto/evp/e_rc4.c
@@ -62,6 +62,7 @@
62#include "cryptlib.h" 62#include "cryptlib.h"
63#include <openssl/evp.h> 63#include <openssl/evp.h>
64#include <openssl/objects.h> 64#include <openssl/objects.h>
65#include "evp_locl.h"
65#include <openssl/rc4.h> 66#include <openssl/rc4.h>
66 67
67/* FIXME: surely this is available elsewhere? */ 68/* FIXME: surely this is available elsewhere? */
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index 4801d8eaa3..5cde88ae76 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -117,6 +117,10 @@
117#include <openssl/aes.h> 117#include <openssl/aes.h>
118#endif 118#endif
119 119
120#ifdef OPENSSL_FIPS
121#include <openssl/fips.h>
122#endif
123
120/* 124/*
121#define EVP_RC2_KEY_SIZE 16 125#define EVP_RC2_KEY_SIZE 16
122#define EVP_RC4_KEY_SIZE 16 126#define EVP_RC4_KEY_SIZE 16
@@ -290,6 +294,7 @@ struct env_md_st
290 294
291#define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single 295#define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single
292 * block */ 296 * block */
297#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */
293 298
294#define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0} 299#define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0}
295 300
@@ -332,6 +337,9 @@ struct env_md_ctx_st
332#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data 337#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
333 * in EVP_MD_CTX_cleanup */ 338 * in EVP_MD_CTX_cleanup */
334 339
340#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
341 * in FIPS mode */
342
335struct evp_cipher_st 343struct evp_cipher_st
336 { 344 {
337 int nid; 345 int nid;
@@ -373,6 +381,10 @@ struct evp_cipher_st
373#define EVP_CIPH_CUSTOM_KEY_LENGTH 0x80 381#define EVP_CIPH_CUSTOM_KEY_LENGTH 0x80
374/* Don't use standard block padding */ 382/* Don't use standard block padding */
375#define EVP_CIPH_NO_PADDING 0x100 383#define EVP_CIPH_NO_PADDING 0x100
384/* Note if suitable for use in FIPS mode */
385#define EVP_CIPH_FLAG_FIPS 0x400
386/* Allow non FIPS cipher in FIPS mode */
387#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
376 388
377/* ctrl() values */ 389/* ctrl() values */
378 390
@@ -478,6 +490,9 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
478#define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d)) 490#define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
479#define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) 491#define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
480#define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags) 492#define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags)
493#define EVP_CIPHER_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs))
494#define EVP_CIPHER_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs))
495#define EVP_CIPHER_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs))
481#define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE) 496#define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE)
482 497
483#define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80) 498#define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80)
@@ -499,6 +514,7 @@ void BIO_set_md(BIO *,const EVP_MD *md);
499#endif 514#endif
500#define BIO_get_md(b,mdp) BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp) 515#define BIO_get_md(b,mdp) BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp)
501#define BIO_get_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp) 516#define BIO_get_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp)
517#define BIO_set_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_SET_MD_CTX,0,(char *)mdcp)
502#define BIO_get_cipher_status(b) BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL) 518#define BIO_get_cipher_status(b) BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL)
503#define BIO_get_cipher_ctx(b,c_pp) BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp) 519#define BIO_get_cipher_ctx(b,c_pp) BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp)
504 520
@@ -640,9 +656,20 @@ const EVP_CIPHER *EVP_des_ede(void);
640const EVP_CIPHER *EVP_des_ede3(void); 656const EVP_CIPHER *EVP_des_ede3(void);
641const EVP_CIPHER *EVP_des_ede_ecb(void); 657const EVP_CIPHER *EVP_des_ede_ecb(void);
642const EVP_CIPHER *EVP_des_ede3_ecb(void); 658const EVP_CIPHER *EVP_des_ede3_ecb(void);
643const EVP_CIPHER *EVP_des_cfb(void); 659const EVP_CIPHER *EVP_des_cfb64(void);
644const EVP_CIPHER *EVP_des_ede_cfb(void); 660# define EVP_des_cfb EVP_des_cfb64
645const EVP_CIPHER *EVP_des_ede3_cfb(void); 661const EVP_CIPHER *EVP_des_cfb1(void);
662const EVP_CIPHER *EVP_des_cfb8(void);
663const EVP_CIPHER *EVP_des_ede_cfb64(void);
664# define EVP_des_ede_cfb EVP_des_ede_cfb64
665#if 0
666const EVP_CIPHER *EVP_des_ede_cfb1(void);
667const EVP_CIPHER *EVP_des_ede_cfb8(void);
668#endif
669const EVP_CIPHER *EVP_des_ede3_cfb64(void);
670# define EVP_des_ede3_cfb EVP_des_ede3_cfb64
671const EVP_CIPHER *EVP_des_ede3_cfb1(void);
672const EVP_CIPHER *EVP_des_ede3_cfb8(void);
646const EVP_CIPHER *EVP_des_ofb(void); 673const EVP_CIPHER *EVP_des_ofb(void);
647const EVP_CIPHER *EVP_des_ede_ofb(void); 674const EVP_CIPHER *EVP_des_ede_ofb(void);
648const EVP_CIPHER *EVP_des_ede3_ofb(void); 675const EVP_CIPHER *EVP_des_ede3_ofb(void);
@@ -666,7 +693,8 @@ const EVP_CIPHER *EVP_rc4_40(void);
666#endif 693#endif
667#ifndef OPENSSL_NO_IDEA 694#ifndef OPENSSL_NO_IDEA
668const EVP_CIPHER *EVP_idea_ecb(void); 695const EVP_CIPHER *EVP_idea_ecb(void);
669const EVP_CIPHER *EVP_idea_cfb(void); 696const EVP_CIPHER *EVP_idea_cfb64(void);
697# define EVP_idea_cfb EVP_idea_cfb64
670const EVP_CIPHER *EVP_idea_ofb(void); 698const EVP_CIPHER *EVP_idea_ofb(void);
671const EVP_CIPHER *EVP_idea_cbc(void); 699const EVP_CIPHER *EVP_idea_cbc(void);
672#endif 700#endif
@@ -675,45 +703,58 @@ const EVP_CIPHER *EVP_rc2_ecb(void);
675const EVP_CIPHER *EVP_rc2_cbc(void); 703const EVP_CIPHER *EVP_rc2_cbc(void);
676const EVP_CIPHER *EVP_rc2_40_cbc(void); 704const EVP_CIPHER *EVP_rc2_40_cbc(void);
677const EVP_CIPHER *EVP_rc2_64_cbc(void); 705const EVP_CIPHER *EVP_rc2_64_cbc(void);
678const EVP_CIPHER *EVP_rc2_cfb(void); 706const EVP_CIPHER *EVP_rc2_cfb64(void);
707# define EVP_rc2_cfb EVP_rc2_cfb64
679const EVP_CIPHER *EVP_rc2_ofb(void); 708const EVP_CIPHER *EVP_rc2_ofb(void);
680#endif 709#endif
681#ifndef OPENSSL_NO_BF 710#ifndef OPENSSL_NO_BF
682const EVP_CIPHER *EVP_bf_ecb(void); 711const EVP_CIPHER *EVP_bf_ecb(void);
683const EVP_CIPHER *EVP_bf_cbc(void); 712const EVP_CIPHER *EVP_bf_cbc(void);
684const EVP_CIPHER *EVP_bf_cfb(void); 713const EVP_CIPHER *EVP_bf_cfb64(void);
714# define EVP_bf_cfb EVP_bf_cfb64
685const EVP_CIPHER *EVP_bf_ofb(void); 715const EVP_CIPHER *EVP_bf_ofb(void);
686#endif 716#endif
687#ifndef OPENSSL_NO_CAST 717#ifndef OPENSSL_NO_CAST
688const EVP_CIPHER *EVP_cast5_ecb(void); 718const EVP_CIPHER *EVP_cast5_ecb(void);
689const EVP_CIPHER *EVP_cast5_cbc(void); 719const EVP_CIPHER *EVP_cast5_cbc(void);
690const EVP_CIPHER *EVP_cast5_cfb(void); 720const EVP_CIPHER *EVP_cast5_cfb64(void);
721# define EVP_cast5_cfb EVP_cast5_cfb64
691const EVP_CIPHER *EVP_cast5_ofb(void); 722const EVP_CIPHER *EVP_cast5_ofb(void);
692#endif 723#endif
693#ifndef OPENSSL_NO_RC5 724#ifndef OPENSSL_NO_RC5
694const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void); 725const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
695const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void); 726const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
696const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void); 727const EVP_CIPHER *EVP_rc5_32_12_16_cfb64(void);
728# define EVP_rc5_32_12_16_cfb EVP_rc5_32_12_16_cfb64
697const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void); 729const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
698#endif 730#endif
699#ifndef OPENSSL_NO_AES 731#ifndef OPENSSL_NO_AES
700const EVP_CIPHER *EVP_aes_128_ecb(void); 732const EVP_CIPHER *EVP_aes_128_ecb(void);
701const EVP_CIPHER *EVP_aes_128_cbc(void); 733const EVP_CIPHER *EVP_aes_128_cbc(void);
702const EVP_CIPHER *EVP_aes_128_cfb(void); 734const EVP_CIPHER *EVP_aes_128_cfb1(void);
735const EVP_CIPHER *EVP_aes_128_cfb8(void);
736const EVP_CIPHER *EVP_aes_128_cfb128(void);
737# define EVP_aes_128_cfb EVP_aes_128_cfb128
703const EVP_CIPHER *EVP_aes_128_ofb(void); 738const EVP_CIPHER *EVP_aes_128_ofb(void);
704#if 0 739#if 0
705const EVP_CIPHER *EVP_aes_128_ctr(void); 740const EVP_CIPHER *EVP_aes_128_ctr(void);
706#endif 741#endif
707const EVP_CIPHER *EVP_aes_192_ecb(void); 742const EVP_CIPHER *EVP_aes_192_ecb(void);
708const EVP_CIPHER *EVP_aes_192_cbc(void); 743const EVP_CIPHER *EVP_aes_192_cbc(void);
709const EVP_CIPHER *EVP_aes_192_cfb(void); 744const EVP_CIPHER *EVP_aes_192_cfb1(void);
745const EVP_CIPHER *EVP_aes_192_cfb8(void);
746const EVP_CIPHER *EVP_aes_192_cfb128(void);
747# define EVP_aes_192_cfb EVP_aes_192_cfb128
710const EVP_CIPHER *EVP_aes_192_ofb(void); 748const EVP_CIPHER *EVP_aes_192_ofb(void);
711#if 0 749#if 0
712const EVP_CIPHER *EVP_aes_192_ctr(void); 750const EVP_CIPHER *EVP_aes_192_ctr(void);
713#endif 751#endif
714const EVP_CIPHER *EVP_aes_256_ecb(void); 752const EVP_CIPHER *EVP_aes_256_ecb(void);
715const EVP_CIPHER *EVP_aes_256_cbc(void); 753const EVP_CIPHER *EVP_aes_256_cbc(void);
716const EVP_CIPHER *EVP_aes_256_cfb(void); 754const EVP_CIPHER *EVP_aes_256_cfb1(void);
755const EVP_CIPHER *EVP_aes_256_cfb8(void);
756const EVP_CIPHER *EVP_aes_256_cfb128(void);
757# define EVP_aes_256_cfb EVP_aes_256_cfb128
717const EVP_CIPHER *EVP_aes_256_ofb(void); 758const EVP_CIPHER *EVP_aes_256_ofb(void);
718#if 0 759#if 0
719const EVP_CIPHER *EVP_aes_256_ctr(void); 760const EVP_CIPHER *EVP_aes_256_ctr(void);
@@ -825,13 +866,18 @@ void ERR_load_EVP_strings(void);
825/* Error codes for the EVP functions. */ 866/* Error codes for the EVP functions. */
826 867
827/* Function codes. */ 868/* Function codes. */
869#define EVP_F_AES_INIT_KEY 129
828#define EVP_F_D2I_PKEY 100 870#define EVP_F_D2I_PKEY 100
871#define EVP_F_EVP_ADD_CIPHER 130
872#define EVP_F_EVP_ADD_DIGEST 131
829#define EVP_F_EVP_CIPHERINIT 123 873#define EVP_F_EVP_CIPHERINIT 123
830#define EVP_F_EVP_CIPHER_CTX_CTRL 124 874#define EVP_F_EVP_CIPHER_CTX_CTRL 124
831#define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 875#define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122
832#define EVP_F_EVP_DECRYPTFINAL 101 876#define EVP_F_EVP_DECRYPTFINAL 101
833#define EVP_F_EVP_DIGESTINIT 128 877#define EVP_F_EVP_DIGESTINIT 128
834#define EVP_F_EVP_ENCRYPTFINAL 127 878#define EVP_F_EVP_ENCRYPTFINAL 127
879#define EVP_F_EVP_GET_CIPHERBYNAME 132
880#define EVP_F_EVP_GET_DIGESTBYNAME 133
835#define EVP_F_EVP_MD_CTX_COPY 110 881#define EVP_F_EVP_MD_CTX_COPY 110
836#define EVP_F_EVP_OPENINIT 102 882#define EVP_F_EVP_OPENINIT 102
837#define EVP_F_EVP_PBE_ALG_ADD 115 883#define EVP_F_EVP_PBE_ALG_ADD 115
@@ -855,6 +901,7 @@ void ERR_load_EVP_strings(void);
855#define EVP_F_RC5_CTRL 125 901#define EVP_F_RC5_CTRL 125
856 902
857/* Reason codes. */ 903/* Reason codes. */
904#define EVP_R_AES_KEY_SETUP_FAILED 140
858#define EVP_R_BAD_BLOCK_LENGTH 136 905#define EVP_R_BAD_BLOCK_LENGTH 136
859#define EVP_R_BAD_DECRYPT 100 906#define EVP_R_BAD_DECRYPT 100
860#define EVP_R_BAD_KEY_LENGTH 137 907#define EVP_R_BAD_KEY_LENGTH 137
@@ -866,6 +913,7 @@ void ERR_load_EVP_strings(void);
866#define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 913#define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
867#define EVP_R_DECODE_ERROR 114 914#define EVP_R_DECODE_ERROR 114
868#define EVP_R_DIFFERENT_KEY_TYPES 101 915#define EVP_R_DIFFERENT_KEY_TYPES 101
916#define EVP_R_DISABLED_FOR_FIPS 141
869#define EVP_R_ENCODE_ERROR 115 917#define EVP_R_ENCODE_ERROR 115
870#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 918#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
871#define EVP_R_EXPECTING_AN_RSA_KEY 127 919#define EVP_R_EXPECTING_AN_RSA_KEY 127
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index 8ea5aa935d..f549eeb437 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -82,6 +82,48 @@ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
82 return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc); 82 return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
83 } 83 }
84 84
85#ifdef OPENSSL_FIPS
86
87/* The purpose of these is to trap programs that attempt to use non FIPS
88 * algorithms in FIPS mode and ignore the errors.
89 */
90
91int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
92 const unsigned char *iv, int enc)
93 { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
94
95int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
96 const unsigned char *in, unsigned int inl)
97 { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
98
99/* NB: no cleanup because it is allowed after failed init */
100
101int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
102 { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
103int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
104 { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
105int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
106 { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
107
108static const EVP_CIPHER bad_cipher =
109 {
110 0,
111 0,
112 0,
113 0,
114 0,
115 bad_init,
116 bad_do_cipher,
117 NULL,
118 0,
119 bad_set_asn1,
120 bad_get_asn1,
121 bad_ctrl,
122 NULL
123 };
124
125#endif
126
85int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, 127int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
86 const unsigned char *key, const unsigned char *iv, int enc) 128 const unsigned char *key, const unsigned char *iv, int enc)
87 { 129 {
@@ -146,7 +188,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
146 else 188 else
147 ctx->engine = NULL; 189 ctx->engine = NULL;
148#endif 190#endif
149
150 ctx->cipher=cipher; 191 ctx->cipher=cipher;
151 if (ctx->cipher->ctx_size) 192 if (ctx->cipher->ctx_size)
152 { 193 {
@@ -210,6 +251,24 @@ skip_to_init:
210 } 251 }
211 } 252 }
212 253
254#ifdef OPENSSL_FIPS
255 /* After 'key' is set no further parameters changes are permissible.
256 * So only check for non FIPS enabling at this point.
257 */
258 if (key && FIPS_mode())
259 {
260 if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
261 & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
262 {
263 EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
264 ERR_add_error_data(2, "cipher=",
265 EVP_CIPHER_name(ctx->cipher));
266 ctx->cipher = &bad_cipher;
267 return 0;
268 }
269 }
270#endif
271
213 if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { 272 if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
214 if(!ctx->cipher->init(ctx,key,iv,enc)) return 0; 273 if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
215 } 274 }
diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c
index 3a23d21c21..40135d0729 100644
--- a/src/lib/libcrypto/evp/evp_err.c
+++ b/src/lib/libcrypto/evp/evp_err.c
@@ -1,6 +1,6 @@
1/* crypto/evp/evp_err.c */ 1/* crypto/evp/evp_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -66,13 +66,18 @@
66#ifndef OPENSSL_NO_ERR 66#ifndef OPENSSL_NO_ERR
67static ERR_STRING_DATA EVP_str_functs[]= 67static ERR_STRING_DATA EVP_str_functs[]=
68 { 68 {
69{ERR_PACK(0,EVP_F_AES_INIT_KEY,0), "AES_INIT_KEY"},
69{ERR_PACK(0,EVP_F_D2I_PKEY,0), "D2I_PKEY"}, 70{ERR_PACK(0,EVP_F_D2I_PKEY,0), "D2I_PKEY"},
71{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0), "EVP_add_cipher"},
72{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0), "EVP_add_digest"},
70{ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0), "EVP_CipherInit"}, 73{ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0), "EVP_CipherInit"},
71{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0), "EVP_CIPHER_CTX_ctrl"}, 74{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0), "EVP_CIPHER_CTX_ctrl"},
72{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0), "EVP_CIPHER_CTX_set_key_length"}, 75{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0), "EVP_CIPHER_CTX_set_key_length"},
73{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0), "EVP_DecryptFinal"}, 76{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0), "EVP_DecryptFinal"},
74{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0), "EVP_DigestInit"}, 77{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0), "EVP_DigestInit"},
75{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0), "EVP_EncryptFinal"}, 78{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0), "EVP_EncryptFinal"},
79{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0), "EVP_get_cipherbyname"},
80{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0), "EVP_get_digestbyname"},
76{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0), "EVP_MD_CTX_copy"}, 81{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0), "EVP_MD_CTX_copy"},
77{ERR_PACK(0,EVP_F_EVP_OPENINIT,0), "EVP_OpenInit"}, 82{ERR_PACK(0,EVP_F_EVP_OPENINIT,0), "EVP_OpenInit"},
78{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0), "EVP_PBE_alg_add"}, 83{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0), "EVP_PBE_alg_add"},
@@ -99,6 +104,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
99 104
100static ERR_STRING_DATA EVP_str_reasons[]= 105static ERR_STRING_DATA EVP_str_reasons[]=
101 { 106 {
107{EVP_R_AES_KEY_SETUP_FAILED ,"aes key setup failed"},
102{EVP_R_BAD_BLOCK_LENGTH ,"bad block length"}, 108{EVP_R_BAD_BLOCK_LENGTH ,"bad block length"},
103{EVP_R_BAD_DECRYPT ,"bad decrypt"}, 109{EVP_R_BAD_DECRYPT ,"bad decrypt"},
104{EVP_R_BAD_KEY_LENGTH ,"bad key length"}, 110{EVP_R_BAD_KEY_LENGTH ,"bad key length"},
@@ -110,6 +116,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
110{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"}, 116{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
111{EVP_R_DECODE_ERROR ,"decode error"}, 117{EVP_R_DECODE_ERROR ,"decode error"},
112{EVP_R_DIFFERENT_KEY_TYPES ,"different key types"}, 118{EVP_R_DIFFERENT_KEY_TYPES ,"different key types"},
119{EVP_R_DISABLED_FOR_FIPS ,"disabled for fips"},
113{EVP_R_ENCODE_ERROR ,"encode error"}, 120{EVP_R_ENCODE_ERROR ,"encode error"},
114{EVP_R_EVP_PBE_CIPHERINIT_ERROR ,"evp pbe cipherinit error"}, 121{EVP_R_EVP_PBE_CIPHERINIT_ERROR ,"evp pbe cipherinit error"},
115{EVP_R_EXPECTING_AN_RSA_KEY ,"expecting an rsa key"}, 122{EVP_R_EXPECTING_AN_RSA_KEY ,"expecting an rsa key"},
diff --git a/src/lib/libcrypto/evp/evp_lib.c b/src/lib/libcrypto/evp/evp_lib.c
index 52a3b287be..a63ba19317 100644
--- a/src/lib/libcrypto/evp/evp_lib.c
+++ b/src/lib/libcrypto/evp/evp_lib.c
@@ -68,7 +68,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
68 if (c->cipher->set_asn1_parameters != NULL) 68 if (c->cipher->set_asn1_parameters != NULL)
69 ret=c->cipher->set_asn1_parameters(c,type); 69 ret=c->cipher->set_asn1_parameters(c,type);
70 else 70 else
71 ret=1; 71 return -1;
72 return(ret); 72 return(ret);
73 } 73 }
74 74
@@ -79,7 +79,7 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
79 if (c->cipher->get_asn1_parameters != NULL) 79 if (c->cipher->get_asn1_parameters != NULL)
80 ret=c->cipher->get_asn1_parameters(c,type); 80 ret=c->cipher->get_asn1_parameters(c,type);
81 else 81 else
82 ret=1; 82 return -1;
83 return(ret); 83 return(ret);
84 } 84 }
85 85
@@ -133,6 +133,30 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx)
133 133
134 return NID_rc4; 134 return NID_rc4;
135 135
136 case NID_aes_128_cfb128:
137 case NID_aes_128_cfb8:
138 case NID_aes_128_cfb1:
139
140 return NID_aes_128_cfb128;
141
142 case NID_aes_192_cfb128:
143 case NID_aes_192_cfb8:
144 case NID_aes_192_cfb1:
145
146 return NID_aes_192_cfb128;
147
148 case NID_aes_256_cfb128:
149 case NID_aes_256_cfb8:
150 case NID_aes_256_cfb1:
151
152 return NID_aes_256_cfb128;
153
154 case NID_des_cfb64:
155 case NID_des_cfb8:
156 case NID_des_cfb1:
157
158 return NID_des_cfb64;
159
136 default: 160 default:
137 /* Check it has an OID and it is valid */ 161 /* Check it has an OID and it is valid */
138 otmp = OBJ_nid2obj(nid); 162 otmp = OBJ_nid2obj(nid);
diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h
index 4d81a3bf4c..f8c5343620 100644
--- a/src/lib/libcrypto/evp/evp_locl.h
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -90,7 +90,7 @@ static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const uns
90} 90}
91 91
92#define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \ 92#define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
93static int cname##_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \ 93static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
94{\ 94{\
95 cprefix##_cfb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\ 95 cprefix##_cfb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\
96 return 1;\ 96 return 1;\
@@ -127,7 +127,7 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
127#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \ 127#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
128 iv_len, cbits, flags, init_key, cleanup, \ 128 iv_len, cbits, flags, init_key, cleanup, \
129 set_asn1, get_asn1, ctrl) \ 129 set_asn1, get_asn1, ctrl) \
130BLOCK_CIPHER_def1(cname, cfb##cbits, cfb, CFB, kstruct, nid, 1, \ 130BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
131 key_len, iv_len, flags, init_key, cleanup, set_asn1, \ 131 key_len, iv_len, flags, init_key, cleanup, set_asn1, \
132 get_asn1, ctrl) 132 get_asn1, ctrl)
133 133
@@ -225,3 +225,28 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
225 get_asn1, ctrl) 225 get_asn1, ctrl)
226 226
227#define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data) 227#define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data)
228
229#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,flags) \
230 BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
231 BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
232 NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
233 flags, cipher##_init_key, NULL, \
234 EVP_CIPHER_set_asn1_iv, \
235 EVP_CIPHER_get_asn1_iv, \
236 NULL)
237
238#ifdef OPENSSL_FIPS
239#define RC2_set_key private_RC2_set_key
240#define RC4_set_key private_RC4_set_key
241#define CAST_set_key private_CAST_set_key
242#define RC5_32_set_key private_RC5_32_set_key
243#define BF_set_key private_BF_set_key
244#define idea_set_encrypt_key private_idea_set_encrypt_key
245
246#define MD5_Init private_MD5_Init
247#define MD4_Init private_MD4_Init
248#define MD2_Init private_MD2_Init
249#define MDC2_Init private_MDC2_Init
250#define SHA_Init private_SHA_Init
251
252#endif
diff --git a/src/lib/libcrypto/evp/evp_pkey.c b/src/lib/libcrypto/evp/evp_pkey.c
index eb481ec661..47a69932a5 100644
--- a/src/lib/libcrypto/evp/evp_pkey.c
+++ b/src/lib/libcrypto/evp/evp_pkey.c
@@ -235,7 +235,11 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
235 return NULL; 235 return NULL;
236 } 236 }
237 p8->broken = broken; 237 p8->broken = broken;
238 ASN1_INTEGER_set (p8->version, 0); 238 if (!ASN1_INTEGER_set(p8->version, 0)) {
239 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
240 PKCS8_PRIV_KEY_INFO_free (p8);
241 return NULL;
242 }
239 if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) { 243 if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) {
240 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); 244 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
241 PKCS8_PRIV_KEY_INFO_free (p8); 245 PKCS8_PRIV_KEY_INFO_free (p8);
@@ -303,29 +307,35 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
303#ifndef OPENSSL_NO_DSA 307#ifndef OPENSSL_NO_DSA
304static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey) 308static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
305{ 309{
306 ASN1_STRING *params; 310 ASN1_STRING *params = NULL;
307 ASN1_INTEGER *prkey; 311 ASN1_INTEGER *prkey = NULL;
308 ASN1_TYPE *ttmp; 312 ASN1_TYPE *ttmp = NULL;
309 STACK_OF(ASN1_TYPE) *ndsa; 313 STACK_OF(ASN1_TYPE) *ndsa = NULL;
310 unsigned char *p, *q; 314 unsigned char *p = NULL, *q;
311 int len; 315 int len;
312 316
313 p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa); 317 p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
314 len = i2d_DSAparams (pkey->pkey.dsa, NULL); 318 len = i2d_DSAparams (pkey->pkey.dsa, NULL);
315 if (!(p = OPENSSL_malloc(len))) { 319 if (!(p = OPENSSL_malloc(len))) {
316 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); 320 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
317 PKCS8_PRIV_KEY_INFO_free (p8); 321 goto err;
318 return 0;
319 } 322 }
320 q = p; 323 q = p;
321 i2d_DSAparams (pkey->pkey.dsa, &q); 324 i2d_DSAparams (pkey->pkey.dsa, &q);
322 params = ASN1_STRING_new(); 325 if (!(params = ASN1_STRING_new())) {
323 ASN1_STRING_set(params, p, len); 326 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
327 goto err;
328 }
329 if (!ASN1_STRING_set(params, p, len)) {
330 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
331 goto err;
332 }
324 OPENSSL_free(p); 333 OPENSSL_free(p);
334 p = NULL;
325 /* Get private key into integer */ 335 /* Get private key into integer */
326 if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) { 336 if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
327 EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR); 337 EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
328 return 0; 338 goto err;
329 } 339 }
330 340
331 switch(p8->broken) { 341 switch(p8->broken) {
@@ -336,12 +346,13 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
336 if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER, 346 if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER,
337 &p8->pkey->value.octet_string)) { 347 &p8->pkey->value.octet_string)) {
338 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); 348 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
339 M_ASN1_INTEGER_free (prkey); 349 goto err;
340 return 0;
341 } 350 }
342 351
343 M_ASN1_INTEGER_free (prkey); 352 M_ASN1_INTEGER_free (prkey);
353 prkey = NULL;
344 p8->pkeyalg->parameter->value.sequence = params; 354 p8->pkeyalg->parameter->value.sequence = params;
355 params = NULL;
345 p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE; 356 p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
346 357
347 break; 358 break;
@@ -349,32 +360,51 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
349 case PKCS8_NS_DB: 360 case PKCS8_NS_DB:
350 361
351 p8->pkeyalg->parameter->value.sequence = params; 362 p8->pkeyalg->parameter->value.sequence = params;
363 params = NULL;
352 p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE; 364 p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
353 ndsa = sk_ASN1_TYPE_new_null(); 365 if (!(ndsa = sk_ASN1_TYPE_new_null())) {
354 ttmp = ASN1_TYPE_new(); 366 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
355 if (!(ttmp->value.integer = BN_to_ASN1_INTEGER (pkey->pkey.dsa->pub_key, NULL))) { 367 goto err;
368 }
369 if (!(ttmp = ASN1_TYPE_new())) {
370 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
371 goto err;
372 }
373 if (!(ttmp->value.integer =
374 BN_to_ASN1_INTEGER(pkey->pkey.dsa->pub_key, NULL))) {
356 EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR); 375 EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
357 PKCS8_PRIV_KEY_INFO_free(p8); 376 goto err;
358 return 0;
359 } 377 }
360 ttmp->type = V_ASN1_INTEGER; 378 ttmp->type = V_ASN1_INTEGER;
361 sk_ASN1_TYPE_push(ndsa, ttmp); 379 if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
380 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
381 goto err;
382 }
362 383
363 ttmp = ASN1_TYPE_new(); 384 if (!(ttmp = ASN1_TYPE_new())) {
385 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
386 goto err;
387 }
364 ttmp->value.integer = prkey; 388 ttmp->value.integer = prkey;
389 prkey = NULL;
365 ttmp->type = V_ASN1_INTEGER; 390 ttmp->type = V_ASN1_INTEGER;
366 sk_ASN1_TYPE_push(ndsa, ttmp); 391 if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
392 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
393 goto err;
394 }
395 ttmp = NULL;
367 396
368 p8->pkey->value.octet_string = ASN1_OCTET_STRING_new(); 397 if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
398 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
399 goto err;
400 }
369 401
370 if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE, 402 if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
371 &p8->pkey->value.octet_string->data, 403 &p8->pkey->value.octet_string->data,
372 &p8->pkey->value.octet_string->length)) { 404 &p8->pkey->value.octet_string->length)) {
373 405
374 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); 406 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
375 sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); 407 goto err;
376 M_ASN1_INTEGER_free(prkey);
377 return 0;
378 } 408 }
379 sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); 409 sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
380 break; 410 break;
@@ -382,31 +412,57 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
382 case PKCS8_EMBEDDED_PARAM: 412 case PKCS8_EMBEDDED_PARAM:
383 413
384 p8->pkeyalg->parameter->type = V_ASN1_NULL; 414 p8->pkeyalg->parameter->type = V_ASN1_NULL;
385 ndsa = sk_ASN1_TYPE_new_null(); 415 if (!(ndsa = sk_ASN1_TYPE_new_null())) {
386 ttmp = ASN1_TYPE_new(); 416 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
417 goto err;
418 }
419 if (!(ttmp = ASN1_TYPE_new())) {
420 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
421 goto err;
422 }
387 ttmp->value.sequence = params; 423 ttmp->value.sequence = params;
424 params = NULL;
388 ttmp->type = V_ASN1_SEQUENCE; 425 ttmp->type = V_ASN1_SEQUENCE;
389 sk_ASN1_TYPE_push(ndsa, ttmp); 426 if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
427 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
428 goto err;
429 }
390 430
391 ttmp = ASN1_TYPE_new(); 431 if (!(ttmp = ASN1_TYPE_new())) {
432 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
433 goto err;
434 }
392 ttmp->value.integer = prkey; 435 ttmp->value.integer = prkey;
436 prkey = NULL;
393 ttmp->type = V_ASN1_INTEGER; 437 ttmp->type = V_ASN1_INTEGER;
394 sk_ASN1_TYPE_push(ndsa, ttmp); 438 if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
439 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
440 goto err;
441 }
442 ttmp = NULL;
395 443
396 p8->pkey->value.octet_string = ASN1_OCTET_STRING_new(); 444 if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
445 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
446 goto err;
447 }
397 448
398 if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE, 449 if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
399 &p8->pkey->value.octet_string->data, 450 &p8->pkey->value.octet_string->data,
400 &p8->pkey->value.octet_string->length)) { 451 &p8->pkey->value.octet_string->length)) {
401 452
402 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); 453 EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
403 sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); 454 goto err;
404 M_ASN1_INTEGER_free (prkey);
405 return 0;
406 } 455 }
407 sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); 456 sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
408 break; 457 break;
409 } 458 }
410 return 1; 459 return 1;
460err:
461 if (p != NULL) OPENSSL_free(p);
462 if (params != NULL) ASN1_STRING_free(params);
463 if (prkey != NULL) M_ASN1_INTEGER_free(prkey);
464 if (ttmp != NULL) ASN1_TYPE_free(ttmp);
465 if (ndsa != NULL) sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
466 return 0;
411} 467}
412#endif 468#endif
diff --git a/src/lib/libcrypto/evp/m_dss.c b/src/lib/libcrypto/evp/m_dss.c
index beb8d7fc5c..d393eb3400 100644
--- a/src/lib/libcrypto/evp/m_dss.c
+++ b/src/lib/libcrypto/evp/m_dss.c
@@ -77,7 +77,7 @@ static const EVP_MD dsa_md=
77 NID_dsaWithSHA, 77 NID_dsaWithSHA,
78 NID_dsaWithSHA, 78 NID_dsaWithSHA,
79 SHA_DIGEST_LENGTH, 79 SHA_DIGEST_LENGTH,
80 0, 80 EVP_MD_FLAG_FIPS,
81 init, 81 init,
82 update, 82 update,
83 final, 83 final,
diff --git a/src/lib/libcrypto/evp/m_md4.c b/src/lib/libcrypto/evp/m_md4.c
index e19b663754..0605e4b707 100644
--- a/src/lib/libcrypto/evp/m_md4.c
+++ b/src/lib/libcrypto/evp/m_md4.c
@@ -60,6 +60,7 @@
60#include <stdio.h> 60#include <stdio.h>
61#include "cryptlib.h" 61#include "cryptlib.h"
62#include <openssl/evp.h> 62#include <openssl/evp.h>
63#include "evp_locl.h"
63#include <openssl/objects.h> 64#include <openssl/objects.h>
64#include <openssl/x509.h> 65#include <openssl/x509.h>
65#include <openssl/md4.h> 66#include <openssl/md4.h>
diff --git a/src/lib/libcrypto/evp/m_md5.c b/src/lib/libcrypto/evp/m_md5.c
index b00a03e048..752615d473 100644
--- a/src/lib/libcrypto/evp/m_md5.c
+++ b/src/lib/libcrypto/evp/m_md5.c
@@ -60,6 +60,7 @@
60#include <stdio.h> 60#include <stdio.h>
61#include "cryptlib.h" 61#include "cryptlib.h"
62#include <openssl/evp.h> 62#include <openssl/evp.h>
63#include "evp_locl.h"
63#include <openssl/objects.h> 64#include <openssl/objects.h>
64#include <openssl/x509.h> 65#include <openssl/x509.h>
65#include <openssl/md5.h> 66#include <openssl/md5.h>
diff --git a/src/lib/libcrypto/evp/m_sha1.c b/src/lib/libcrypto/evp/m_sha1.c
index d6be3502f0..fe4402389a 100644
--- a/src/lib/libcrypto/evp/m_sha1.c
+++ b/src/lib/libcrypto/evp/m_sha1.c
@@ -77,7 +77,7 @@ static const EVP_MD sha1_md=
77 NID_sha1, 77 NID_sha1,
78 NID_sha1WithRSAEncryption, 78 NID_sha1WithRSAEncryption,
79 SHA_DIGEST_LENGTH, 79 SHA_DIGEST_LENGTH,
80 0, 80 EVP_MD_FLAG_FIPS,
81 init, 81 init,
82 update, 82 update,
83 final, 83 final,
diff --git a/src/lib/libcrypto/evp/names.c b/src/lib/libcrypto/evp/names.c
index eb9f4329cd..7712453046 100644
--- a/src/lib/libcrypto/evp/names.c
+++ b/src/lib/libcrypto/evp/names.c
@@ -61,6 +61,9 @@
61#include <openssl/evp.h> 61#include <openssl/evp.h>
62#include <openssl/objects.h> 62#include <openssl/objects.h>
63#include <openssl/x509.h> 63#include <openssl/x509.h>
64#ifdef OPENSSL_FIPS
65#include <openssl/fips.h>
66#endif
64 67
65int EVP_add_cipher(const EVP_CIPHER *c) 68int EVP_add_cipher(const EVP_CIPHER *c)
66 { 69 {
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index 4c91f919d5..06ee80761f 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -77,6 +77,15 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
77 77
78 if (key != NULL) 78 if (key != NULL)
79 { 79 {
80#ifdef OPENSSL_FIPS
81 if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
82 && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
83 || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
84 || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
85 OpenSSLDie(__FILE__,__LINE__,
86 "HMAC: digest not allowed in FIPS mode");
87#endif
88
80 reset=1; 89 reset=1;
81 j=EVP_MD_block_size(md); 90 j=EVP_MD_block_size(md);
82 OPENSSL_assert(j <= sizeof ctx->key); 91 OPENSSL_assert(j <= sizeof ctx->key);
@@ -171,3 +180,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
171 return(md); 180 return(md);
172 } 181 }
173 182
183void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
184 {
185 EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
186 EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
187 EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
188 }
189
diff --git a/src/lib/libcrypto/hmac/hmac.h b/src/lib/libcrypto/hmac/hmac.h
index 0364a1fcbd..294ab3b36a 100644
--- a/src/lib/libcrypto/hmac/hmac.h
+++ b/src/lib/libcrypto/hmac/hmac.h
@@ -98,6 +98,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
98 const unsigned char *d, int n, unsigned char *md, 98 const unsigned char *d, int n, unsigned char *md,
99 unsigned int *md_len); 99 unsigned int *md_len);
100 100
101void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
101 102
102#ifdef __cplusplus 103#ifdef __cplusplus
103} 104}
diff --git a/src/lib/libcrypto/idea/idea.h b/src/lib/libcrypto/idea/idea.h
index 67132414ee..bf41844fd7 100644
--- a/src/lib/libcrypto/idea/idea.h
+++ b/src/lib/libcrypto/idea/idea.h
@@ -82,6 +82,10 @@ typedef struct idea_key_st
82const char *idea_options(void); 82const char *idea_options(void);
83void idea_ecb_encrypt(const unsigned char *in, unsigned char *out, 83void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
84 IDEA_KEY_SCHEDULE *ks); 84 IDEA_KEY_SCHEDULE *ks);
85#ifdef OPENSSL_FIPS
86void private_idea_set_encrypt_key(const unsigned char *key,
87 IDEA_KEY_SCHEDULE *ks);
88#endif
85void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); 89void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
86void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk); 90void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
87void idea_cbc_encrypt(const unsigned char *in, unsigned char *out, 91void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/src/lib/libcrypto/md32_common.h b/src/lib/libcrypto/md32_common.h
index 573850b122..733da6acaf 100644
--- a/src/lib/libcrypto/md32_common.h
+++ b/src/lib/libcrypto/md32_common.h
@@ -128,6 +128,10 @@
128 * <appro@fy.chalmers.se> 128 * <appro@fy.chalmers.se>
129 */ 129 */
130 130
131#include <openssl/crypto.h>
132#include <openssl/fips.h>
133#include <openssl/err.h>
134
131#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN) 135#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
132#error "DATA_ORDER must be defined!" 136#error "DATA_ORDER must be defined!"
133#endif 137#endif
@@ -207,7 +211,7 @@
207 : "cc"); \ 211 : "cc"); \
208 ret; \ 212 ret; \
209 }) 213 })
210# elif defined(__powerpc) || defined(__ppc) 214# elif defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
211# define ROTATE(a,n) ({ register unsigned int ret; \ 215# define ROTATE(a,n) ({ register unsigned int ret; \
212 asm ( \ 216 asm ( \
213 "rlwinm %0,%1,%2,0,31" \ 217 "rlwinm %0,%1,%2,0,31" \
@@ -555,6 +559,14 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
555 static const unsigned char end[4]={0x80,0x00,0x00,0x00}; 559 static const unsigned char end[4]={0x80,0x00,0x00,0x00};
556 const unsigned char *cp=end; 560 const unsigned char *cp=end;
557 561
562#if 0
563 if(FIPS_mode() && !FIPS_md5_allowed())
564 {
565 FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
566 return 0;
567 }
568#endif
569
558 /* c->num should definitly have room for at least one more byte. */ 570 /* c->num should definitly have room for at least one more byte. */
559 p=c->data; 571 p=c->data;
560 i=c->num>>2; 572 i=c->num>>2;
diff --git a/src/lib/libcrypto/md4/md4.h b/src/lib/libcrypto/md4/md4.h
index 7a7b23682f..7e761efb62 100644
--- a/src/lib/libcrypto/md4/md4.h
+++ b/src/lib/libcrypto/md4/md4.h
@@ -104,6 +104,9 @@ typedef struct MD4state_st
104 int num; 104 int num;
105 } MD4_CTX; 105 } MD4_CTX;
106 106
107#ifdef OPENSSL_FIPS
108int private_MD4_Init(MD4_CTX *c);
109#endif
107int MD4_Init(MD4_CTX *c); 110int MD4_Init(MD4_CTX *c);
108int MD4_Update(MD4_CTX *c, const void *data, unsigned long len); 111int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
109int MD4_Final(unsigned char *md, MD4_CTX *c); 112int MD4_Final(unsigned char *md, MD4_CTX *c);
diff --git a/src/lib/libcrypto/md4/md4_dgst.c b/src/lib/libcrypto/md4/md4_dgst.c
index 7afb7185b6..ee7cc72262 100644
--- a/src/lib/libcrypto/md4/md4_dgst.c
+++ b/src/lib/libcrypto/md4/md4_dgst.c
@@ -70,7 +70,7 @@ const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT;
70#define INIT_DATA_C (unsigned long)0x98badcfeL 70#define INIT_DATA_C (unsigned long)0x98badcfeL
71#define INIT_DATA_D (unsigned long)0x10325476L 71#define INIT_DATA_D (unsigned long)0x10325476L
72 72
73int MD4_Init(MD4_CTX *c) 73FIPS_NON_FIPS_MD_Init(MD4)
74 { 74 {
75 c->A=INIT_DATA_A; 75 c->A=INIT_DATA_A;
76 c->B=INIT_DATA_B; 76 c->B=INIT_DATA_B;
diff --git a/src/lib/libcrypto/md5/md5.h b/src/lib/libcrypto/md5/md5.h
index a252e02115..c663dd1816 100644
--- a/src/lib/libcrypto/md5/md5.h
+++ b/src/lib/libcrypto/md5/md5.h
@@ -104,6 +104,9 @@ typedef struct MD5state_st
104 int num; 104 int num;
105 } MD5_CTX; 105 } MD5_CTX;
106 106
107#ifdef OPENSSL_FIPS
108int private_MD5_Init(MD5_CTX *c);
109#endif
107int MD5_Init(MD5_CTX *c); 110int MD5_Init(MD5_CTX *c);
108int MD5_Update(MD5_CTX *c, const void *data, unsigned long len); 111int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
109int MD5_Final(unsigned char *md, MD5_CTX *c); 112int MD5_Final(unsigned char *md, MD5_CTX *c);
diff --git a/src/lib/libcrypto/md5/md5_dgst.c b/src/lib/libcrypto/md5/md5_dgst.c
index 9c7abc3697..54b33c6509 100644
--- a/src/lib/libcrypto/md5/md5_dgst.c
+++ b/src/lib/libcrypto/md5/md5_dgst.c
@@ -70,7 +70,7 @@ const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
70#define INIT_DATA_C (unsigned long)0x98badcfeL 70#define INIT_DATA_C (unsigned long)0x98badcfeL
71#define INIT_DATA_D (unsigned long)0x10325476L 71#define INIT_DATA_D (unsigned long)0x10325476L
72 72
73int MD5_Init(MD5_CTX *c) 73FIPS_NON_FIPS_MD_Init(MD5)
74 { 74 {
75 c->A=INIT_DATA_A; 75 c->A=INIT_DATA_A;
76 c->B=INIT_DATA_B; 76 c->B=INIT_DATA_B;
diff --git a/src/lib/libcrypto/o_str.c b/src/lib/libcrypto/o_str.c
new file mode 100644
index 0000000000..da8860491d
--- /dev/null
+++ b/src/lib/libcrypto/o_str.c
@@ -0,0 +1,96 @@
1/* crypto/o_str.c -*- mode:C; c-file-style: "eay" -*- */
2/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
3 * project 2003.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <ctype.h>
60#include <e_os.h>
61#include "o_str.h"
62
63int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n)
64 {
65#if defined(OPENSSL_IMPLEMENTS_strncasecmp)
66 while (*str1 && *str2 && n)
67 {
68 int res = toupper(*str1) - toupper(*str2);
69 if (res) return res < 0 ? -1 : 1;
70 str1++;
71 str2++;
72 n--;
73 }
74 if (n == 0)
75 return 0;
76 if (*str1)
77 return 1;
78 if (*str2)
79 return -1;
80 return 0;
81#else
82 /* Recursion hazard warning! Whenever strncasecmp is #defined as
83 * OPENSSL_strncasecmp, OPENSSL_IMPLEMENTS_strncasecmp must be
84 * defined as well. */
85 return strncasecmp(str1, str2, n);
86#endif
87 }
88int OPENSSL_strcasecmp(const char *str1, const char *str2)
89 {
90#if defined(OPENSSL_IMPLEMENTS_strncasecmp)
91 return OPENSSL_strncasecmp(str1, str2, (size_t)-1);
92#else
93 return strcasecmp(str1, str2);
94#endif
95 }
96
diff --git a/src/lib/libcrypto/o_time.c b/src/lib/libcrypto/o_time.c
index 785468131e..e29091d650 100644
--- a/src/lib/libcrypto/o_time.c
+++ b/src/lib/libcrypto/o_time.c
@@ -114,16 +114,28 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
114 return NULL; 114 return NULL;
115 logvalue[reslen] = '\0'; 115 logvalue[reslen] = '\0';
116 116
117 t = *timer;
118
119/* The following is extracted from the DEC C header time.h */
120/*
121** Beginning in OpenVMS Version 7.0 mktime, time, ctime, strftime
122** have two implementations. One implementation is provided
123** for compatibility and deals with time in terms of local time,
124** the other __utc_* deals with time in terms of UTC.
125*/
126/* We use the same conditions as in said time.h to check if we should
127 assume that t contains local time (and should therefore be adjusted)
128 or UTC (and should therefore be left untouched). */
129#if __CRTL_VER < 70000000 || defined _VMS_V6_SOURCE
117 /* Get the numerical value of the equivalence string */ 130 /* Get the numerical value of the equivalence string */
118 status = atoi(logvalue); 131 status = atoi(logvalue);
119 132
120 /* and use it to move time to GMT */ 133 /* and use it to move time to GMT */
121 t = *timer - status; 134 t -= status;
135#endif
122 136
123 /* then convert the result to the time structure */ 137 /* then convert the result to the time structure */
124#ifndef OPENSSL_THREADS 138
125 ts=(struct tm *)localtime(&t);
126#else
127 /* Since there was no gmtime_r() to do this stuff for us, 139 /* Since there was no gmtime_r() to do this stuff for us,
128 we have to do it the hard way. */ 140 we have to do it the hard way. */
129 { 141 {
@@ -198,7 +210,6 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
198 result->tm_isdst = 0; /* There's no way to know... */ 210 result->tm_isdst = 0; /* There's no way to know... */
199 211
200 ts = result; 212 ts = result;
201#endif
202 } 213 }
203 } 214 }
204#endif 215#endif
diff --git a/src/lib/libcrypto/objects/o_names.c b/src/lib/libcrypto/objects/o_names.c
index b4453b4a98..28c9370ca3 100644
--- a/src/lib/libcrypto/objects/o_names.c
+++ b/src/lib/libcrypto/objects/o_names.c
@@ -2,6 +2,7 @@
2#include <stdlib.h> 2#include <stdlib.h>
3#include <string.h> 3#include <string.h>
4 4
5#include <openssl/err.h>
5#include <openssl/lhash.h> 6#include <openssl/lhash.h>
6#include <openssl/objects.h> 7#include <openssl/objects.h>
7#include <openssl/safestack.h> 8#include <openssl/safestack.h>
@@ -80,7 +81,11 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
80 MemCheck_off(); 81 MemCheck_off();
81 name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS)); 82 name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS));
82 MemCheck_on(); 83 MemCheck_on();
83 if (!name_funcs) return(0); 84 if (!name_funcs)
85 {
86 OBJerr(OBJ_F_OBJ_NAME_NEW_INDEX,ERR_R_MALLOC_FAILURE);
87 return(0);
88 }
84 name_funcs->hash_func = lh_strhash; 89 name_funcs->hash_func = lh_strhash;
85 name_funcs->cmp_func = OPENSSL_strcmp; 90 name_funcs->cmp_func = OPENSSL_strcmp;
86 name_funcs->free_func = 0; /* NULL is often declared to 91 name_funcs->free_func = 0; /* NULL is often declared to
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 4534dc0985..f549d078ef 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -236,13 +236,13 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
236 if (added == NULL) 236 if (added == NULL)
237 if (!init_added()) return(0); 237 if (!init_added()) return(0);
238 if ((o=OBJ_dup(obj)) == NULL) goto err; 238 if ((o=OBJ_dup(obj)) == NULL) goto err;
239 if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err; 239 if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
240 if ((o->length != 0) && (obj->data != NULL)) 240 if ((o->length != 0) && (obj->data != NULL))
241 ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); 241 if (!(ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
242 if (o->sn != NULL) 242 if (o->sn != NULL)
243 ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); 243 if (!(ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
244 if (o->ln != NULL) 244 if (o->ln != NULL)
245 ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); 245 if (!(ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
246 246
247 for (i=ADDED_DATA; i<=ADDED_NID; i++) 247 for (i=ADDED_DATA; i<=ADDED_NID; i++)
248 { 248 {
@@ -260,6 +260,8 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
260 ASN1_OBJECT_FLAG_DYNAMIC_DATA); 260 ASN1_OBJECT_FLAG_DYNAMIC_DATA);
261 261
262 return(o->nid); 262 return(o->nid);
263err2:
264 OBJerr(OBJ_F_OBJ_ADD_OBJECT,ERR_R_MALLOC_FAILURE);
263err: 265err:
264 for (i=ADDED_DATA; i<=ADDED_NID; i++) 266 for (i=ADDED_DATA; i<=ADDED_NID; i++)
265 if (ao[i] != NULL) OPENSSL_free(ao[i]); 267 if (ao[i] != NULL) OPENSSL_free(ao[i]);
@@ -648,7 +650,7 @@ int OBJ_create(const char *oid, const char *sn, const char *ln)
648 650
649 if ((buf=(unsigned char *)OPENSSL_malloc(i)) == NULL) 651 if ((buf=(unsigned char *)OPENSSL_malloc(i)) == NULL)
650 { 652 {
651 OBJerr(OBJ_F_OBJ_CREATE,OBJ_R_MALLOC_FAILURE); 653 OBJerr(OBJ_F_OBJ_CREATE,ERR_R_MALLOC_FAILURE);
652 return(0); 654 return(0);
653 } 655 }
654 i=a2d_ASN1_OBJECT(buf,i,oid,-1); 656 i=a2d_ASN1_OBJECT(buf,i,oid,-1);
diff --git a/src/lib/libcrypto/objects/obj_err.c b/src/lib/libcrypto/objects/obj_err.c
index 80ab6855af..2b5f43e3cc 100644
--- a/src/lib/libcrypto/objects/obj_err.c
+++ b/src/lib/libcrypto/objects/obj_err.c
@@ -1,6 +1,6 @@
1/* crypto/objects/obj_err.c */ 1/* crypto/objects/obj_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -66,8 +66,10 @@
66#ifndef OPENSSL_NO_ERR 66#ifndef OPENSSL_NO_ERR
67static ERR_STRING_DATA OBJ_str_functs[]= 67static ERR_STRING_DATA OBJ_str_functs[]=
68 { 68 {
69{ERR_PACK(0,OBJ_F_OBJ_ADD_OBJECT,0), "OBJ_add_object"},
69{ERR_PACK(0,OBJ_F_OBJ_CREATE,0), "OBJ_create"}, 70{ERR_PACK(0,OBJ_F_OBJ_CREATE,0), "OBJ_create"},
70{ERR_PACK(0,OBJ_F_OBJ_DUP,0), "OBJ_dup"}, 71{ERR_PACK(0,OBJ_F_OBJ_DUP,0), "OBJ_dup"},
72{ERR_PACK(0,OBJ_F_OBJ_NAME_NEW_INDEX,0), "OBJ_NAME_new_index"},
71{ERR_PACK(0,OBJ_F_OBJ_NID2LN,0), "OBJ_nid2ln"}, 73{ERR_PACK(0,OBJ_F_OBJ_NID2LN,0), "OBJ_nid2ln"},
72{ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0), "OBJ_nid2obj"}, 74{ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0), "OBJ_nid2obj"},
73{ERR_PACK(0,OBJ_F_OBJ_NID2SN,0), "OBJ_nid2sn"}, 75{ERR_PACK(0,OBJ_F_OBJ_NID2SN,0), "OBJ_nid2sn"},
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 9838072b65..0e64a929ba 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -647,3 +647,21 @@ joint_iso_itu_t 646
647international_organizations 647 647international_organizations 647
648ms_smartcard_login 648 648ms_smartcard_login 648
649ms_upn 649 649ms_upn 649
650aes_128_cfb1 650
651aes_192_cfb1 651
652aes_256_cfb1 652
653aes_128_cfb8 653
654aes_192_cfb8 654
655aes_256_cfb8 655
656des_cfb1 656
657des_cfb8 657
658des_ede3_cfb1 658
659des_ede3_cfb8 659
660streetAddress 660
661postalCode 661
662id_ppl 662
663proxyCertInfo 663
664id_ppl_anyLanguage 664
665id_ppl_inheritAll 665
666id_ppl_independent 666
667Independent 667
diff --git a/src/lib/libcrypto/objects/objects.h b/src/lib/libcrypto/objects/objects.h
index de10532813..f859d859b8 100644
--- a/src/lib/libcrypto/objects/objects.h
+++ b/src/lib/libcrypto/objects/objects.h
@@ -1026,8 +1026,10 @@ void ERR_load_OBJ_strings(void);
1026/* Error codes for the OBJ functions. */ 1026/* Error codes for the OBJ functions. */
1027 1027
1028/* Function codes. */ 1028/* Function codes. */
1029#define OBJ_F_OBJ_ADD_OBJECT 105
1029#define OBJ_F_OBJ_CREATE 100 1030#define OBJ_F_OBJ_CREATE 100
1030#define OBJ_F_OBJ_DUP 101 1031#define OBJ_F_OBJ_DUP 101
1032#define OBJ_F_OBJ_NAME_NEW_INDEX 106
1031#define OBJ_F_OBJ_NID2LN 102 1033#define OBJ_F_OBJ_NID2LN 102
1032#define OBJ_F_OBJ_NID2OBJ 103 1034#define OBJ_F_OBJ_NID2OBJ 103
1033#define OBJ_F_OBJ_NID2SN 104 1035#define OBJ_F_OBJ_NID2SN 104
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 3ba11f65cc..50e9031e61 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -312,6 +312,7 @@ id-pkix 9 : id-pda
312id-pkix 10 : id-aca 312id-pkix 10 : id-aca
313id-pkix 11 : id-qcs 313id-pkix 11 : id-qcs
314id-pkix 12 : id-cct 314id-pkix 12 : id-cct
315id-pkix 21 : id-ppl
315id-pkix 48 : id-ad 316id-pkix 48 : id-ad
316 317
317# PKIX Modules 318# PKIX Modules
@@ -346,6 +347,7 @@ id-pe 9 : sbqp-routerIdentifier
346id-pe 10 : ac-proxying 347id-pe 10 : ac-proxying
347!Cname sinfo-access 348!Cname sinfo-access
348id-pe 11 : subjectInfoAccess : Subject Information Access 349id-pe 11 : subjectInfoAccess : Subject Information Access
350id-pe 14 : proxyCertInfo : Proxy Certificate Information
349 351
350# PKIX policyQualifiers for Internet policy qualifiers 352# PKIX policyQualifiers for Internet policy qualifiers
351id-qt 1 : id-qt-cps : Policy Qualifier CPS 353id-qt 1 : id-qt-cps : Policy Qualifier CPS
@@ -461,6 +463,11 @@ id-cct 1 : id-cct-crs
461id-cct 2 : id-cct-PKIData 463id-cct 2 : id-cct-PKIData
462id-cct 3 : id-cct-PKIResponse 464id-cct 3 : id-cct-PKIResponse
463 465
466# Predefined Proxy Certificate policy languages
467id-ppl 0 : id-ppl-anyLanguage : Any language
468id-ppl 1 : id-ppl-inheritAll : Inherit all
469id-ppl 2 : id-ppl-independent : Independent
470
464# access descriptors for authority info access extension 471# access descriptors for authority info access extension
465!Cname ad-OCSP 472!Cname ad-OCSP
466id-ad 1 : OCSP : OCSP 473id-ad 1 : OCSP : OCSP
@@ -536,10 +543,12 @@ X509 5 : : serialNumber
536X509 6 : C : countryName 543X509 6 : C : countryName
537X509 7 : L : localityName 544X509 7 : L : localityName
538X509 8 : ST : stateOrProvinceName 545X509 8 : ST : stateOrProvinceName
546X509 9 : : streetAddress
539X509 10 : O : organizationName 547X509 10 : O : organizationName
540X509 11 : OU : organizationalUnitName 548X509 11 : OU : organizationalUnitName
541X509 12 : : title 549X509 12 : : title
542X509 13 : : description 550X509 13 : : description
551X509 17 : : postalCode
543X509 41 : name : name 552X509 41 : name : name
544X509 42 : GN : givenName 553X509 42 : GN : givenName
545X509 43 : : initials 554X509 43 : : initials
@@ -681,6 +690,19 @@ aes 43 : AES-256-OFB : aes-256-ofb
681!Cname aes-256-cfb128 690!Cname aes-256-cfb128
682aes 44 : AES-256-CFB : aes-256-cfb 691aes 44 : AES-256-CFB : aes-256-cfb
683 692
693# There are no OIDs for these modes...
694
695 : AES-128-CFB1 : aes-128-cfb1
696 : AES-192-CFB1 : aes-192-cfb1
697 : AES-256-CFB1 : aes-256-cfb1
698 : AES-128-CFB8 : aes-128-cfb8
699 : AES-192-CFB8 : aes-192-cfb8
700 : AES-256-CFB8 : aes-256-cfb8
701 : DES-CFB1 : des-cfb1
702 : DES-CFB8 : des-cfb8
703 : DES-EDE3-CFB1 : des-ede3-cfb1
704 : DES-EDE3-CFB8 : des-ede3-cfb8
705
684# Hold instruction CRL entry extension 706# Hold instruction CRL entry extension
685!Cname hold-instruction-code 707!Cname hold-instruction-code
686id-ce 23 : holdInstructionCode : Hold Instruction Code 708id-ce 23 : holdInstructionCode : Hold Instruction Code
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 02f1710fb3..5d5f688edd 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,8 +25,12 @@
25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for 25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
26 * major minor fix final patch/beta) 26 * major minor fix final patch/beta)
27 */ 27 */
28#define OPENSSL_VERSION_NUMBER 0x0090704fL 28#define OPENSSL_VERSION_NUMBER 0x0090707fL
29#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004" 29#ifdef OPENSSL_FIPS
30#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g-fips 11 Apr 2005"
31#else
32#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g 11 Apr 2005"
33#endif
30#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT 34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
31 35
32 36
diff --git a/src/lib/libcrypto/pem/pem_all.c b/src/lib/libcrypto/pem/pem_all.c
index e72b7134ce..07963314c9 100644
--- a/src/lib/libcrypto/pem/pem_all.c
+++ b/src/lib/libcrypto/pem/pem_all.c
@@ -64,6 +64,7 @@
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65#include <openssl/pkcs7.h> 65#include <openssl/pkcs7.h>
66#include <openssl/pem.h> 66#include <openssl/pem.h>
67#include <openssl/fips.h>
67 68
68#ifndef OPENSSL_NO_RSA 69#ifndef OPENSSL_NO_RSA
69static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa); 70static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
@@ -128,7 +129,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
128 129
129#endif 130#endif
130 131
132#ifdef OPENSSL_FIPS
133
134int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
135 unsigned char *kstr, int klen,
136 pem_password_cb *cb, void *u)
137{
138 EVP_PKEY *k;
139 int ret;
140 k = EVP_PKEY_new();
141 if (!k)
142 return 0;
143 EVP_PKEY_set1_RSA(k, x);
144
145 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
146 EVP_PKEY_free(k);
147 return ret;
148}
149
150#ifndef OPENSSL_NO_FP_API
151int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
152 unsigned char *kstr, int klen,
153 pem_password_cb *cb, void *u)
154{
155 EVP_PKEY *k;
156 int ret;
157 k = EVP_PKEY_new();
158 if (!k)
159 return 0;
160
161 EVP_PKEY_set1_RSA(k, x);
162
163 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
164 EVP_PKEY_free(k);
165 return ret;
166}
167#endif
168
169#else
170
131IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) 171IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
172
173#endif
174
132IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) 175IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
133IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) 176IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
134 177
@@ -158,7 +201,48 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
158 return pkey_get_dsa(pktmp, dsa); 201 return pkey_get_dsa(pktmp, dsa);
159} 202}
160 203
204
205#ifdef OPENSSL_FIPS
206
207int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
208 unsigned char *kstr, int klen,
209 pem_password_cb *cb, void *u)
210{
211 EVP_PKEY *k;
212 int ret;
213 k = EVP_PKEY_new();
214 if (!k)
215 return 0;
216 EVP_PKEY_set1_DSA(k, x);
217
218 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
219 EVP_PKEY_free(k);
220 return ret;
221}
222
223#ifndef OPENSSL_NO_FP_API
224int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
225 unsigned char *kstr, int klen,
226 pem_password_cb *cb, void *u)
227{
228 EVP_PKEY *k;
229 int ret;
230 k = EVP_PKEY_new();
231 if (!k)
232 return 0;
233 EVP_PKEY_set1_DSA(k, x);
234 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
235 EVP_PKEY_free(k);
236 return ret;
237}
238#endif
239
240#else
241
161IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) 242IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
243
244#endif
245
162IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) 246IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
163 247
164#ifndef OPENSSL_NO_FP_API 248#ifndef OPENSSL_NO_FP_API
@@ -190,7 +274,42 @@ IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
190 * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything 274 * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything
191 * appropriate.) 275 * appropriate.)
192 */ 276 */
277
278#ifdef OPENSSL_FIPS
279
280int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
281 unsigned char *kstr, int klen,
282 pem_password_cb *cb, void *u)
283 {
284 if (FIPS_mode())
285 return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
286 (char *)kstr, klen, cb, u);
287 else
288 return PEM_ASN1_write_bio((int (*)())i2d_PrivateKey,
289 (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
290 bp,(char *)x,enc,kstr,klen,cb,u);
291 }
292
293#ifndef OPENSSL_NO_FP_API
294int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
295 unsigned char *kstr, int klen,
296 pem_password_cb *cb, void *u)
297 {
298 if (FIPS_mode())
299 return PEM_write_PKCS8PrivateKey(fp, x, enc,
300 (char *)kstr, klen, cb, u);
301 else
302 return PEM_ASN1_write((int (*)())i2d_PrivateKey,
303 (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
304 fp,(char *)x,enc,kstr,klen,cb,u);
305 }
306#endif
307
308#else
309
193IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey) 310IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey)
194 311
312#endif
313
195IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY) 314IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)
196 315
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 7785039b99..82815067b3 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -73,7 +73,7 @@ const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT;
73 73
74#define MIN_LENGTH 4 74#define MIN_LENGTH 4
75 75
76static int load_iv(unsigned char **fromp,unsigned char *to, int num); 76static int load_iv(char **fromp,unsigned char *to, int num);
77static int check_pem(const char *nm, const char *name); 77static int check_pem(const char *nm, const char *name);
78 78
79int PEM_def_callback(char *buf, int num, int w, void *key) 79int PEM_def_callback(char *buf, int num, int w, void *key)
@@ -301,7 +301,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
301 301
302 if ((dsize=i2d(x,NULL)) < 0) 302 if ((dsize=i2d(x,NULL)) < 0)
303 { 303 {
304 PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE); 304 PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_ASN1_LIB);
305 dsize=0; 305 dsize=0;
306 goto err; 306 goto err;
307 } 307 }
@@ -432,6 +432,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
432 int o; 432 int o;
433 const EVP_CIPHER *enc=NULL; 433 const EVP_CIPHER *enc=NULL;
434 char *p,c; 434 char *p,c;
435 char **header_pp = &header;
435 436
436 cipher->cipher=NULL; 437 cipher->cipher=NULL;
437 if ((header == NULL) || (*header == '\0') || (*header == '\n')) 438 if ((header == NULL) || (*header == '\0') || (*header == '\n'))
@@ -478,15 +479,16 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
478 PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION); 479 PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION);
479 return(0); 480 return(0);
480 } 481 }
481 if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),enc->iv_len)) return(0); 482 if (!load_iv(header_pp,&(cipher->iv[0]),enc->iv_len))
483 return(0);
482 484
483 return(1); 485 return(1);
484 } 486 }
485 487
486static int load_iv(unsigned char **fromp, unsigned char *to, int num) 488static int load_iv(char **fromp, unsigned char *to, int num)
487 { 489 {
488 int v,i; 490 int v,i;
489 unsigned char *from; 491 char *from;
490 492
491 from= *fromp; 493 from= *fromp;
492 for (i=0; i<num; i++) to[i]=0; 494 for (i=0; i<num; i++) to[i]=0;
@@ -623,6 +625,9 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
623 dataB=BUF_MEM_new(); 625 dataB=BUF_MEM_new();
624 if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL)) 626 if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL))
625 { 627 {
628 BUF_MEM_free(nameB);
629 BUF_MEM_free(headerB);
630 BUF_MEM_free(dataB);
626 PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); 631 PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
627 return(0); 632 return(0);
628 } 633 }
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index f77c949e87..9ecdbd5419 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -104,6 +104,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
104 if (klen <= 0) { 104 if (klen <= 0) {
105 PEMerr(PEM_F_PEM_ASN1_READ_BIO, 105 PEMerr(PEM_F_PEM_ASN1_READ_BIO,
106 PEM_R_BAD_PASSWORD_READ); 106 PEM_R_BAD_PASSWORD_READ);
107 X509_SIG_free(p8);
107 goto err; 108 goto err;
108 } 109 }
109 p8inf = PKCS8_decrypt(p8, psbuf, klen); 110 p8inf = PKCS8_decrypt(p8, psbuf, klen);
diff --git a/src/lib/libcrypto/perlasm/x86asm.pl b/src/lib/libcrypto/perlasm/x86asm.pl
index 1cb96e914a..bef2667079 100644
--- a/src/lib/libcrypto/perlasm/x86asm.pl
+++ b/src/lib/libcrypto/perlasm/x86asm.pl
@@ -124,4 +124,6 @@ BSDI - a.out with a very primative version of as.
124EOF 124EOF
125 } 125 }
126 126
127sub main'align() {} # swallow align statements in 0.9.7 context
128
1271; 1291;
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
index 5e8958612b..003ec7a33e 100644
--- a/src/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -88,7 +88,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
88 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de) 88 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
89{ 89{
90 PBEPARAM *pbe; 90 PBEPARAM *pbe;
91 int saltlen, iter; 91 int saltlen, iter, ret;
92 unsigned char *salt, *pbuf; 92 unsigned char *salt, *pbuf;
93 unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; 93 unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
94 94
@@ -117,8 +117,8 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
117 return 0; 117 return 0;
118 } 118 }
119 PBEPARAM_free(pbe); 119 PBEPARAM_free(pbe);
120 EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de); 120 ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
121 OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); 121 OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
122 OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); 122 OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
123 return 1; 123 return ret;
124} 124}
diff --git a/src/lib/libcrypto/pkcs12/p12_init.c b/src/lib/libcrypto/pkcs12/p12_init.c
index eb837a78cf..5276b12669 100644
--- a/src/lib/libcrypto/pkcs12/p12_init.c
+++ b/src/lib/libcrypto/pkcs12/p12_init.c
@@ -76,15 +76,17 @@ PKCS12 *PKCS12_init (int mode)
76 if (!(pkcs12->authsafes->d.data = 76 if (!(pkcs12->authsafes->d.data =
77 M_ASN1_OCTET_STRING_new())) { 77 M_ASN1_OCTET_STRING_new())) {
78 PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE); 78 PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
79 return NULL; 79 goto err;
80 } 80 }
81 break; 81 break;
82 default: 82 default:
83 PKCS12err(PKCS12_F_PKCS12_INIT,PKCS12_R_UNSUPPORTED_PKCS12_MODE); 83 PKCS12err(PKCS12_F_PKCS12_INIT,
84 PKCS12_free(pkcs12); 84 PKCS12_R_UNSUPPORTED_PKCS12_MODE);
85 return NULL; 85 goto err;
86 break;
87 } 86 }
88 87
89 return pkcs12; 88 return pkcs12;
89err:
90 if (pkcs12 != NULL) PKCS12_free(pkcs12);
91 return NULL;
90} 92}
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index 885087ad00..2b31999e11 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -249,14 +249,26 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
249 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate ) 249 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
250 return 1; 250 return 1;
251 if (!(x509 = PKCS12_certbag2x509(bag))) return 0; 251 if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
252 if(ckid) X509_keyid_set1(x509, ckid->data, ckid->length); 252 if(ckid)
253 {
254 if (!X509_keyid_set1(x509, ckid->data, ckid->length))
255 {
256 X509_free(x509);
257 return 0;
258 }
259 }
253 if(fname) { 260 if(fname) {
254 int len; 261 int len, r;
255 unsigned char *data; 262 unsigned char *data;
256 len = ASN1_STRING_to_UTF8(&data, fname); 263 len = ASN1_STRING_to_UTF8(&data, fname);
257 if(len > 0) { 264 if(len > 0) {
258 X509_alias_set1(x509, data, len); 265 r = X509_alias_set1(x509, data, len);
259 OPENSSL_free(data); 266 OPENSSL_free(data);
267 if (!r)
268 {
269 X509_free(x509);
270 return 0;
271 }
260 } 272 }
261 } 273 }
262 274
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 0fb67f74b8..4886b9b289 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -148,7 +148,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
148 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); 148 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
149 return 0; 149 return 0;
150 } 150 }
151 ASN1_INTEGER_set(p12->mac->iter, iter); 151 if (!ASN1_INTEGER_set(p12->mac->iter, iter)) {
152 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
153 return 0;
154 }
152 } 155 }
153 if (!saltlen) saltlen = PKCS12_SALT_LEN; 156 if (!saltlen) saltlen = PKCS12_SALT_LEN;
154 p12->mac->salt->length = saltlen; 157 p12->mac->salt->length = saltlen;
diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c
index 5ff5a88b5c..039141027a 100644
--- a/src/lib/libcrypto/pkcs7/pk7_attr.c
+++ b/src/lib/libcrypto/pkcs7/pk7_attr.c
@@ -3,7 +3,7 @@
3 * project 2001. 3 * project 2001.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 2001 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 2001-2004 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -94,17 +94,18 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
94} 94}
95 95
96STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si) 96STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
97{ 97 {
98 ASN1_TYPE *cap; 98 ASN1_TYPE *cap;
99 unsigned char *p; 99 unsigned char *p;
100 cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities); 100 cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
101 if (!cap) return NULL; 101 if (!cap || (cap->type != V_ASN1_SEQUENCE))
102 return NULL;
102 p = cap->value.sequence->data; 103 p = cap->value.sequence->data;
103 return d2i_ASN1_SET_OF_X509_ALGOR(NULL, &p, 104 return d2i_ASN1_SET_OF_X509_ALGOR(NULL, &p,
104 cap->value.sequence->length, 105 cap->value.sequence->length,
105 d2i_X509_ALGOR, X509_ALGOR_free, 106 d2i_X509_ALGOR, X509_ALGOR_free,
106 V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); 107 V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
107} 108 }
108 109
109/* Basic smime-capabilities OID and optional integer arg */ 110/* Basic smime-capabilities OID and optional integer arg */
110int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg) 111int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 35c7dcd0b3..4ac29ae14d 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -239,7 +239,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
239 OPENSSL_free(tmp); 239 OPENSSL_free(tmp);
240 goto err; 240 goto err;
241 } 241 }
242 M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj); 242 if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj))
243 {
244 PKCS7err(PKCS7_F_PKCS7_DATAINIT,
245 ERR_R_MALLOC_FAILURE);
246 OPENSSL_free(tmp);
247 goto err;
248 }
243 } 249 }
244 OPENSSL_free(tmp); 250 OPENSSL_free(tmp);
245 OPENSSL_cleanse(key, keylen); 251 OPENSSL_cleanse(key, keylen);
@@ -257,10 +263,15 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
257 bio=BIO_new(BIO_s_null()); 263 bio=BIO_new(BIO_s_null());
258 else 264 else
259 { 265 {
260 ASN1_OCTET_STRING *os; 266 if (PKCS7_type_is_signed(p7))
261 os = PKCS7_get_octet_string(p7->d.sign->contents); 267 {
262 if (os && os->length > 0) 268 ASN1_OCTET_STRING *os;
263 bio = BIO_new_mem_buf(os->data, os->length); 269 os = PKCS7_get_octet_string(
270 p7->d.sign->contents);
271 if (os && os->length > 0)
272 bio = BIO_new_mem_buf(os->data,
273 os->length);
274 }
264 if(bio == NULL) 275 if(bio == NULL)
265 { 276 {
266 bio=BIO_new(BIO_s_mem()); 277 bio=BIO_new(BIO_s_mem());
@@ -515,12 +526,20 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
515 case NID_pkcs7_signedAndEnveloped: 526 case NID_pkcs7_signedAndEnveloped:
516 /* XXXXXXXXXXXXXXXX */ 527 /* XXXXXXXXXXXXXXXX */
517 si_sk=p7->d.signed_and_enveloped->signer_info; 528 si_sk=p7->d.signed_and_enveloped->signer_info;
518 os=M_ASN1_OCTET_STRING_new(); 529 if (!(os=M_ASN1_OCTET_STRING_new()))
530 {
531 PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
532 goto err;
533 }
519 p7->d.signed_and_enveloped->enc_data->enc_data=os; 534 p7->d.signed_and_enveloped->enc_data->enc_data=os;
520 break; 535 break;
521 case NID_pkcs7_enveloped: 536 case NID_pkcs7_enveloped:
522 /* XXXXXXXXXXXXXXXX */ 537 /* XXXXXXXXXXXXXXXX */
523 os=M_ASN1_OCTET_STRING_new(); 538 if (!(os=M_ASN1_OCTET_STRING_new()))
539 {
540 PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
541 goto err;
542 }
524 p7->d.enveloped->enc_data->enc_data=os; 543 p7->d.enveloped->enc_data->enc_data=os;
525 break; 544 break;
526 case NID_pkcs7_signed: 545 case NID_pkcs7_signed:
@@ -594,7 +613,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
594 if (!PKCS7_get_signed_attribute(si, 613 if (!PKCS7_get_signed_attribute(si,
595 NID_pkcs9_signingTime)) 614 NID_pkcs9_signingTime))
596 { 615 {
597 sign_time=X509_gmtime_adj(NULL,0); 616 if (!(sign_time=X509_gmtime_adj(NULL,0)))
617 {
618 PKCS7err(PKCS7_F_PKCS7_DATASIGN,
619 ERR_R_MALLOC_FAILURE);
620 goto err;
621 }
598 PKCS7_add_signed_attribute(si, 622 PKCS7_add_signed_attribute(si,
599 NID_pkcs9_signingTime, 623 NID_pkcs9_signingTime,
600 V_ASN1_UTCTIME,sign_time); 624 V_ASN1_UTCTIME,sign_time);
@@ -603,8 +627,19 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
603 /* Add digest */ 627 /* Add digest */
604 md_tmp=EVP_MD_CTX_md(&ctx_tmp); 628 md_tmp=EVP_MD_CTX_md(&ctx_tmp);
605 EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len); 629 EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
606 digest=M_ASN1_OCTET_STRING_new(); 630 if (!(digest=M_ASN1_OCTET_STRING_new()))
607 M_ASN1_OCTET_STRING_set(digest,md_data,md_len); 631 {
632 PKCS7err(PKCS7_F_PKCS7_DATASIGN,
633 ERR_R_MALLOC_FAILURE);
634 goto err;
635 }
636 if (!M_ASN1_OCTET_STRING_set(digest,md_data,
637 md_len))
638 {
639 PKCS7err(PKCS7_F_PKCS7_DATASIGN,
640 ERR_R_MALLOC_FAILURE);
641 goto err;
642 }
608 PKCS7_add_signed_attribute(si, 643 PKCS7_add_signed_attribute(si,
609 NID_pkcs9_messageDigest, 644 NID_pkcs9_messageDigest,
610 V_ASN1_OCTET_STRING,digest); 645 V_ASN1_OCTET_STRING,digest);
diff --git a/src/lib/libcrypto/pkcs7/pk7_lib.c b/src/lib/libcrypto/pkcs7/pk7_lib.c
index 985b07245c..ee1817c7af 100644
--- a/src/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/src/lib/libcrypto/pkcs7/pk7_lib.c
@@ -164,7 +164,12 @@ int PKCS7_set_type(PKCS7 *p7, int type)
164 p7->type=obj; 164 p7->type=obj;
165 if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL) 165 if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL)
166 goto err; 166 goto err;
167 ASN1_INTEGER_set(p7->d.sign->version,1); 167 if (!ASN1_INTEGER_set(p7->d.sign->version,1))
168 {
169 PKCS7_SIGNED_free(p7->d.sign);
170 p7->d.sign=NULL;
171 goto err;
172 }
168 break; 173 break;
169 case NID_pkcs7_data: 174 case NID_pkcs7_data:
170 p7->type=obj; 175 p7->type=obj;
@@ -176,6 +181,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
176 if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new()) 181 if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
177 == NULL) goto err; 182 == NULL) goto err;
178 ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1); 183 ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
184 if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1))
185 goto err;
179 p7->d.signed_and_enveloped->enc_data->content_type 186 p7->d.signed_and_enveloped->enc_data->content_type
180 = OBJ_nid2obj(NID_pkcs7_data); 187 = OBJ_nid2obj(NID_pkcs7_data);
181 break; 188 break;
@@ -183,7 +190,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
183 p7->type=obj; 190 p7->type=obj;
184 if ((p7->d.enveloped=PKCS7_ENVELOPE_new()) 191 if ((p7->d.enveloped=PKCS7_ENVELOPE_new())
185 == NULL) goto err; 192 == NULL) goto err;
186 ASN1_INTEGER_set(p7->d.enveloped->version,0); 193 if (!ASN1_INTEGER_set(p7->d.enveloped->version,0))
194 goto err;
187 p7->d.enveloped->enc_data->content_type 195 p7->d.enveloped->enc_data->content_type
188 = OBJ_nid2obj(NID_pkcs7_data); 196 = OBJ_nid2obj(NID_pkcs7_data);
189 break; 197 break;
@@ -191,7 +199,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
191 p7->type=obj; 199 p7->type=obj;
192 if ((p7->d.encrypted=PKCS7_ENCRYPT_new()) 200 if ((p7->d.encrypted=PKCS7_ENCRYPT_new())
193 == NULL) goto err; 201 == NULL) goto err;
194 ASN1_INTEGER_set(p7->d.encrypted->version,0); 202 if (!ASN1_INTEGER_set(p7->d.encrypted->version,0))
203 goto err;
195 p7->d.encrypted->enc_data->content_type 204 p7->d.encrypted->enc_data->content_type
196 = OBJ_nid2obj(NID_pkcs7_data); 205 = OBJ_nid2obj(NID_pkcs7_data);
197 break; 206 break;
@@ -318,15 +327,18 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
318 if (pkey->type == EVP_PKEY_DSA) is_dsa = 1; 327 if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
319 else is_dsa = 0; 328 else is_dsa = 0;
320 /* We now need to add another PKCS7_SIGNER_INFO entry */ 329 /* We now need to add another PKCS7_SIGNER_INFO entry */
321 ASN1_INTEGER_set(p7i->version,1); 330 if (!ASN1_INTEGER_set(p7i->version,1))
322 X509_NAME_set(&p7i->issuer_and_serial->issuer, 331 goto err;
323 X509_get_issuer_name(x509)); 332 if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
333 X509_get_issuer_name(x509)))
334 goto err;
324 335
325 /* because ASN1_INTEGER_set is used to set a 'long' we will do 336 /* because ASN1_INTEGER_set is used to set a 'long' we will do
326 * things the ugly way. */ 337 * things the ugly way. */
327 M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial); 338 M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
328 p7i->issuer_and_serial->serial= 339 if (!(p7i->issuer_and_serial->serial=
329 M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)); 340 M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
341 goto err;
330 342
331 /* lets keep the pkey around for a while */ 343 /* lets keep the pkey around for a while */
332 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); 344 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -423,16 +435,20 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
423 435
424int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) 436int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
425 { 437 {
426 ASN1_INTEGER_set(p7i->version,0); 438 if (!ASN1_INTEGER_set(p7i->version,0))
427 X509_NAME_set(&p7i->issuer_and_serial->issuer, 439 return 0;
428 X509_get_issuer_name(x509)); 440 if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
441 X509_get_issuer_name(x509)))
442 return 0;
429 443
430 M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial); 444 M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
431 p7i->issuer_and_serial->serial= 445 if (!(p7i->issuer_and_serial->serial=
432 M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)); 446 M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
447 return 0;
433 448
434 X509_ALGOR_free(p7i->key_enc_algor); 449 X509_ALGOR_free(p7i->key_enc_algor);
435 p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor); 450 if (!(p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor)))
451 return 0;
436 452
437 CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); 453 CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
438 p7i->cert=x509; 454 p7i->cert=x509;
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index 6e5735de11..a852b49235 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -155,7 +155,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
155 char buf[4096]; 155 char buf[4096];
156 int i, j=0, k, ret = 0; 156 int i, j=0, k, ret = 0;
157 BIO *p7bio; 157 BIO *p7bio;
158 BIO *tmpout; 158 BIO *tmpin, *tmpout;
159 159
160 if(!p7) { 160 if(!p7) {
161 PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER); 161 PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER);
@@ -228,7 +228,30 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
228 /* Check for revocation status here */ 228 /* Check for revocation status here */
229 } 229 }
230 230
231 p7bio=PKCS7_dataInit(p7,indata); 231 /* Performance optimization: if the content is a memory BIO then
232 * store its contents in a temporary read only memory BIO. This
233 * avoids potentially large numbers of slow copies of data which will
234 * occur when reading from a read write memory BIO when signatures
235 * are calculated.
236 */
237
238 if (indata && (BIO_method_type(indata) == BIO_TYPE_MEM))
239 {
240 char *ptr;
241 long len;
242 len = BIO_get_mem_data(indata, &ptr);
243 tmpin = BIO_new_mem_buf(ptr, len);
244 if (tmpin == NULL)
245 {
246 PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
247 return 0;
248 }
249 }
250 else
251 tmpin = indata;
252
253
254 p7bio=PKCS7_dataInit(p7,tmpin);
232 255
233 if(flags & PKCS7_TEXT) { 256 if(flags & PKCS7_TEXT) {
234 if(!(tmpout = BIO_new(BIO_s_mem()))) { 257 if(!(tmpout = BIO_new(BIO_s_mem()))) {
@@ -270,9 +293,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
270 ret = 1; 293 ret = 1;
271 294
272 err: 295 err:
296
297 if (tmpin == indata)
298 {
299 if(indata) BIO_pop(p7bio);
300 BIO_free_all(p7bio);
301 }
302 else
303 BIO_free_all(tmpin);
273 304
274 if(indata) BIO_pop(p7bio);
275 BIO_free_all(p7bio);
276 sk_X509_free(signers); 305 sk_X509_free(signers);
277 306
278 return ret; 307 return ret;
@@ -296,10 +325,6 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
296 PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE); 325 PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE);
297 return NULL; 326 return NULL;
298 } 327 }
299 if(!(signers = sk_X509_new_null())) {
300 PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
301 return NULL;
302 }
303 328
304 /* Collect all the signers together */ 329 /* Collect all the signers together */
305 330
@@ -310,6 +335,11 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
310 return 0; 335 return 0;
311 } 336 }
312 337
338 if(!(signers = sk_X509_new_null())) {
339 PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
340 return NULL;
341 }
342
313 for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) 343 for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
314 { 344 {
315 si = sk_PKCS7_SIGNER_INFO_value(sinfos, i); 345 si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index 606382dd21..604df9be6c 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -71,6 +71,10 @@
71extern "C" { 71extern "C" {
72#endif 72#endif
73 73
74#if defined(OPENSSL_FIPS)
75#define FIPS_RAND_SIZE_T int
76#endif
77
74typedef struct rand_meth_st 78typedef struct rand_meth_st
75 { 79 {
76 void (*seed)(const void *buf, int num); 80 void (*seed)(const void *buf, int num);
@@ -121,11 +125,17 @@ void ERR_load_RAND_strings(void);
121/* Error codes for the RAND functions. */ 125/* Error codes for the RAND functions. */
122 126
123/* Function codes. */ 127/* Function codes. */
128#define RAND_F_FIPS_RAND_BYTES 102
124#define RAND_F_RAND_GET_RAND_METHOD 101 129#define RAND_F_RAND_GET_RAND_METHOD 101
125#define RAND_F_SSLEAY_RAND_BYTES 100 130#define RAND_F_SSLEAY_RAND_BYTES 100
126 131
127/* Reason codes. */ 132/* Reason codes. */
133#define RAND_R_NON_FIPS_METHOD 101
134#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 105
135#define RAND_R_PRNG_NOT_REKEYED 103
136#define RAND_R_PRNG_NOT_RESEEDED 104
128#define RAND_R_PRNG_NOT_SEEDED 100 137#define RAND_R_PRNG_NOT_SEEDED 100
138#define RAND_R_PRNG_STUCK 102
129 139
130#ifdef __cplusplus 140#ifdef __cplusplus
131} 141}
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
index b77267e213..95574659ac 100644
--- a/src/lib/libcrypto/rand/rand_err.c
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -1,6 +1,6 @@
1/* crypto/rand/rand_err.c */ 1/* crypto/rand/rand_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -66,6 +66,7 @@
66#ifndef OPENSSL_NO_ERR 66#ifndef OPENSSL_NO_ERR
67static ERR_STRING_DATA RAND_str_functs[]= 67static ERR_STRING_DATA RAND_str_functs[]=
68 { 68 {
69{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0), "FIPS_RAND_BYTES"},
69{ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0), "RAND_get_rand_method"}, 70{ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0), "RAND_get_rand_method"},
70{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0), "SSLEAY_RAND_BYTES"}, 71{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0), "SSLEAY_RAND_BYTES"},
71{0,NULL} 72{0,NULL}
@@ -73,7 +74,12 @@ static ERR_STRING_DATA RAND_str_functs[]=
73 74
74static ERR_STRING_DATA RAND_str_reasons[]= 75static ERR_STRING_DATA RAND_str_reasons[]=
75 { 76 {
77{RAND_R_NON_FIPS_METHOD ,"non fips method"},
78{RAND_R_PRNG_ASKING_FOR_TOO_MUCH ,"prng asking for too much"},
79{RAND_R_PRNG_NOT_REKEYED ,"prng not rekeyed"},
80{RAND_R_PRNG_NOT_RESEEDED ,"prng not reseeded"},
76{RAND_R_PRNG_NOT_SEEDED ,"PRNG not seeded"}, 81{RAND_R_PRNG_NOT_SEEDED ,"PRNG not seeded"},
82{RAND_R_PRNG_STUCK ,"prng stuck"},
77{0,NULL} 83{0,NULL}
78 }; 84 };
79 85
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index 513e338985..88f1b56d91 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -63,6 +63,8 @@
63#ifndef OPENSSL_NO_ENGINE 63#ifndef OPENSSL_NO_ENGINE
64#include <openssl/engine.h> 64#include <openssl/engine.h>
65#endif 65#endif
66#include <openssl/fips.h>
67#include <openssl/fips_rand.h>
66 68
67#ifndef OPENSSL_NO_ENGINE 69#ifndef OPENSSL_NO_ENGINE
68/* non-NULL if default_RAND_meth is ENGINE-provided */ 70/* non-NULL if default_RAND_meth is ENGINE-provided */
@@ -85,6 +87,16 @@ int RAND_set_rand_method(const RAND_METHOD *meth)
85 87
86const RAND_METHOD *RAND_get_rand_method(void) 88const RAND_METHOD *RAND_get_rand_method(void)
87 { 89 {
90#ifdef OPENSSL_FIPS
91 if(FIPS_mode()
92 && default_RAND_meth != FIPS_rand_check())
93 {
94 RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
95 return 0;
96 }
97#endif
98
99
88 if (!default_RAND_meth) 100 if (!default_RAND_meth)
89 { 101 {
90#ifndef OPENSSL_NO_ENGINE 102#ifndef OPENSSL_NO_ENGINE
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index f5d0843d13..c7fba496a8 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -166,6 +166,7 @@ int RAND_write_file(const char *file)
166 } 166 }
167 167
168#if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32) 168#if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32)
169 {
169 /* For some reason Win32 can't write to files created this way */ 170 /* For some reason Win32 can't write to files created this way */
170 171
171 /* chmod(..., 0600) is too late to protect the file, 172 /* chmod(..., 0600) is too late to protect the file,
@@ -173,6 +174,7 @@ int RAND_write_file(const char *file)
173 int fd = open(file, O_CREAT, 0600); 174 int fd = open(file, O_CREAT, 0600);
174 if (fd != -1) 175 if (fd != -1)
175 out = fdopen(fd, "wb"); 176 out = fdopen(fd, "wb");
177 }
176#endif 178#endif
177 if (out == NULL) 179 if (out == NULL)
178 out = fopen(file,"wb"); 180 out = fopen(file,"wb");
diff --git a/src/lib/libcrypto/rc2/rc2.h b/src/lib/libcrypto/rc2/rc2.h
index 7816b454dc..71788158d8 100644
--- a/src/lib/libcrypto/rc2/rc2.h
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -79,7 +79,10 @@ typedef struct rc2_key_st
79 RC2_INT data[64]; 79 RC2_INT data[64];
80 } RC2_KEY; 80 } RC2_KEY;
81 81
82 82#ifdef OPENSSL_FIPS
83void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
84 int bits);
85#endif
83void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); 86void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
84void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, 87void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
85 int enc); 88 int enc);
diff --git a/src/lib/libcrypto/rc2/rc2_skey.c b/src/lib/libcrypto/rc2/rc2_skey.c
index cab3080c73..22f372f85c 100644
--- a/src/lib/libcrypto/rc2/rc2_skey.c
+++ b/src/lib/libcrypto/rc2/rc2_skey.c
@@ -57,6 +57,7 @@
57 */ 57 */
58 58
59#include <openssl/rc2.h> 59#include <openssl/rc2.h>
60#include <openssl/crypto.h>
60#include "rc2_locl.h" 61#include "rc2_locl.h"
61 62
62static unsigned char key_table[256]={ 63static unsigned char key_table[256]={
@@ -90,7 +91,19 @@ static unsigned char key_table[256]={
90 * BSAFE uses the 'retarded' version. What I previously shipped is 91 * BSAFE uses the 'retarded' version. What I previously shipped is
91 * the same as specifying 1024 for the 'bits' parameter. Bsafe uses 92 * the same as specifying 1024 for the 'bits' parameter. Bsafe uses
92 * a version where the bits parameter is the same as len*8 */ 93 * a version where the bits parameter is the same as len*8 */
94
95#ifdef OPENSSL_FIPS
96void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
97 {
98 if (FIPS_mode())
99 FIPS_BAD_ABORT(RC2)
100 private_RC2_set_key(key, len, data, bits);
101 }
102void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
103 int bits)
104#else
93void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) 105void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
106#endif
94 { 107 {
95 int i,j; 108 int i,j;
96 unsigned char *k; 109 unsigned char *k;
diff --git a/src/lib/libcrypto/rc4/asm/rc4-586.pl b/src/lib/libcrypto/rc4/asm/rc4-586.pl
index 7ef889e5a1..d6e98f0811 100644
--- a/src/lib/libcrypto/rc4/asm/rc4-586.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-586.pl
@@ -1,16 +1,37 @@
1#!/usr/local/bin/perl 1#!/usr/local/bin/perl
2 2
3# define for pentium pro friendly version 3# At some point it became apparent that the original SSLeay RC4
4# assembler implementation performs suboptimaly on latest IA-32
5# microarchitectures. After re-tuning performance has changed as
6# following:
7#
8# Pentium +0%
9# Pentium III +17%
10# AMD +52%(*)
11# P4 +180%(**)
12#
13# (*) This number is actually a trade-off:-) It's possible to
14# achieve +72%, but at the cost of -48% off PIII performance.
15# In other words code performing further 13% faster on AMD
16# would perform almost 2 times slower on Intel PIII...
17# For reference! This code delivers ~80% of rc4-amd64.pl
18# performance on the same Opteron machine.
19# (**) This number requires compressed key schedule set up by
20# RC4_set_key and therefore doesn't apply to 0.9.7 [option for
21# compressed key schedule is implemented in 0.9.8 and later,
22# see commentary section in rc4_skey.c for further details].
23#
24# <appro@fy.chalmers.se>
4 25
5push(@INC,"perlasm","../../perlasm"); 26push(@INC,"perlasm","../../perlasm");
6require "x86asm.pl"; 27require "x86asm.pl";
7 28
8&asm_init($ARGV[0],"rc4-586.pl"); 29&asm_init($ARGV[0],"rc4-586.pl");
9 30
10$tx="eax"; 31$x="eax";
11$ty="ebx"; 32$y="ebx";
12$x="ecx"; 33$tx="ecx";
13$y="edx"; 34$ty="edx";
14$in="esi"; 35$in="esi";
15$out="edi"; 36$out="edi";
16$d="ebp"; 37$d="ebp";
@@ -31,7 +52,7 @@ sub RC4_loop
31 { 52 {
32 &mov($ty, &swtmp(2)); 53 &mov($ty, &swtmp(2));
33 &cmp($ty, $in); 54 &cmp($ty, $in);
34 &jle(&label("finished")); 55 &jbe(&label("finished"));
35 &inc($in); 56 &inc($in);
36 } 57 }
37 else 58 else
@@ -39,27 +60,23 @@ sub RC4_loop
39 &add($ty, 8); 60 &add($ty, 8);
40 &inc($in); 61 &inc($in);
41 &cmp($ty, $in); 62 &cmp($ty, $in);
42 &jl(&label("finished")); 63 &jb(&label("finished"));
43 &mov(&swtmp(2), $ty); 64 &mov(&swtmp(2), $ty);
44 } 65 }
45 } 66 }
46 # Moved out 67 # Moved out
47 # &mov( $tx, &DWP(0,$d,$x,4)) if $p < 0; 68 # &mov( $tx, &DWP(0,$d,$x,4)) if $p < 0;
48 69
49 &add( $y, $tx); 70 &add( &LB($y), &LB($tx));
50 &and( $y, 0xff);
51 &inc( $x); # NEXT ROUND
52 &mov( $ty, &DWP(0,$d,$y,4)); 71 &mov( $ty, &DWP(0,$d,$y,4));
53 # XXX 72 # XXX
54 &mov( &DWP(-4,$d,$x,4),$ty); # AGI 73 &mov( &DWP(0,$d,$x,4),$ty);
55 &add( $ty, $tx); 74 &add( $ty, $tx);
56 &and( $x, 0xff); # NEXT ROUND
57 &and( $ty, 0xff);
58 &mov( &DWP(0,$d,$y,4),$tx); 75 &mov( &DWP(0,$d,$y,4),$tx);
59 &nop(); 76 &and( $ty, 0xff);
60 &mov( $ty, &DWP(0,$d,$ty,4)); 77 &inc( &LB($x)); # NEXT ROUND
61 &mov( $tx, &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND 78 &mov( $tx, &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
62 # XXX 79 &mov( $ty, &DWP(0,$d,$ty,4));
63 80
64 if (!$char) 81 if (!$char)
65 { 82 {
@@ -88,35 +105,47 @@ sub RC4
88 105
89 &function_begin_B($name,""); 106 &function_begin_B($name,"");
90 107
108 &mov($ty,&wparam(1)); # len
109 &cmp($ty,0);
110 &jne(&label("proceed"));
111 &ret();
112 &set_label("proceed");
113
91 &comment(""); 114 &comment("");
92 115
93 &push("ebp"); 116 &push("ebp");
94 &push("ebx"); 117 &push("ebx");
95 &mov( $d, &wparam(0)); # key
96 &mov( $ty, &wparam(1)); # num
97 &push("esi"); 118 &push("esi");
98 &push("edi"); 119 &xor( $x, $x); # avoid partial register stalls
120 &push("edi");
121 &xor( $y, $y); # avoid partial register stalls
122 &mov( $d, &wparam(0)); # key
123 &mov( $in, &wparam(2));
99 124
100 &mov( $x, &DWP(0,$d,"",1)); 125 &movb( &LB($x), &BP(0,$d,"",1));
101 &mov( $y, &DWP(4,$d,"",1)); 126 &movb( &LB($y), &BP(4,$d,"",1));
102 127
103 &mov( $in, &wparam(2)); 128 &mov( $out, &wparam(3));
104 &inc( $x); 129 &inc( &LB($x));
105 130
106 &stack_push(3); # 3 temp variables 131 &stack_push(3); # 3 temp variables
107 &add( $d, 8); 132 &add( $d, 8);
108 &and( $x, 0xff); 133
134 # detect compressed schedule, see commentary section in rc4_skey.c...
135 # in 0.9.7 context ~50 bytes below RC4_CHAR label remain redundant,
136 # as compressed key schedule is set up in 0.9.8 and later.
137 &cmp(&DWP(256,$d),-1);
138 &je(&label("RC4_CHAR"));
109 139
110 &lea( $ty, &DWP(-8,$ty,$in)); 140 &lea( $ty, &DWP(-8,$ty,$in));
111 141
112 # check for 0 length input 142 # check for 0 length input
113 143
114 &mov( $out, &wparam(3));
115 &mov( &swtmp(2), $ty); # this is now address to exit at 144 &mov( &swtmp(2), $ty); # this is now address to exit at
116 &mov( $tx, &DWP(0,$d,$x,4)); 145 &mov( $tx, &DWP(0,$d,$x,4));
117 146
118 &cmp( $ty, $in); 147 &cmp( $ty, $in);
119 &jl( &label("end")); # less than 8 bytes 148 &jb( &label("end")); # less than 8 bytes
120 149
121 &set_label("start"); 150 &set_label("start");
122 151
@@ -148,7 +177,7 @@ sub RC4
148 &mov( &DWP(-4,$out,"",0), $tx); 177 &mov( &DWP(-4,$out,"",0), $tx);
149 &mov( $tx, &DWP(0,$d,$x,4)); 178 &mov( $tx, &DWP(0,$d,$x,4));
150 &cmp($in, $ty); 179 &cmp($in, $ty);
151 &jle(&label("start")); 180 &jbe(&label("start"));
152 181
153 &set_label("end"); 182 &set_label("end");
154 183
@@ -162,10 +191,37 @@ sub RC4
162 &RC4_loop(5,0,1); 191 &RC4_loop(5,0,1);
163 &RC4_loop(6,1,1); 192 &RC4_loop(6,1,1);
164 193
194 &jmp(&label("finished"));
195
196 &align(16);
197 # this is essentially Intel P4 specific codepath, see rc4_skey.c,
198 # and is engaged in 0.9.8 and later context...
199 &set_label("RC4_CHAR");
200
201 &lea ($ty,&DWP(0,$in,$ty));
202 &mov (&swtmp(2),$ty);
203
204 # strangely enough unrolled loop performs over 20% slower...
205 &set_label("RC4_CHAR_loop");
206 &movz ($tx,&BP(0,$d,$x));
207 &add (&LB($y),&LB($tx));
208 &movz ($ty,&BP(0,$d,$y));
209 &movb (&BP(0,$d,$y),&LB($tx));
210 &movb (&BP(0,$d,$x),&LB($ty));
211 &add (&LB($ty),&LB($tx));
212 &movz ($ty,&BP(0,$d,$ty));
213 &xorb (&LB($ty),&BP(0,$in));
214 &movb (&BP(0,$out),&LB($ty));
215 &inc (&LB($x));
216 &inc ($in);
217 &inc ($out);
218 &cmp ($in,&swtmp(2));
219 &jb (&label("RC4_CHAR_loop"));
220
165 &set_label("finished"); 221 &set_label("finished");
166 &dec( $x); 222 &dec( $x);
167 &stack_pop(3); 223 &stack_pop(3);
168 &mov( &DWP(-4,$d,"",0),$y); 224 &movb( &BP(-4,$d,"",0),&LB($y));
169 &movb( &BP(-8,$d,"",0),&LB($x)); 225 &movb( &BP(-8,$d,"",0),&LB($x));
170 226
171 &function_end($name); 227 &function_end($name);
diff --git a/src/lib/libcrypto/rc4/rc4.h b/src/lib/libcrypto/rc4/rc4.h
index 8722091f2e..dd90d9fde0 100644
--- a/src/lib/libcrypto/rc4/rc4.h
+++ b/src/lib/libcrypto/rc4/rc4.h
@@ -73,10 +73,17 @@ typedef struct rc4_key_st
73 { 73 {
74 RC4_INT x,y; 74 RC4_INT x,y;
75 RC4_INT data[256]; 75 RC4_INT data[256];
76#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
77 /* see crypto/rc4/asm/rc4-ia64.S for further details... */
78 RC4_INT pad[512-256-2];
79#endif
76 } RC4_KEY; 80 } RC4_KEY;
77 81
78 82
79const char *RC4_options(void); 83const char *RC4_options(void);
84#ifdef OPENSSL_FIPS
85void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
86#endif
80void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); 87void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
81void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata, 88void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
82 unsigned char *outdata); 89 unsigned char *outdata);
diff --git a/src/lib/libcrypto/rc4/rc4_enc.c b/src/lib/libcrypto/rc4/rc4_enc.c
index d5f18a3a70..81a97ea3b7 100644
--- a/src/lib/libcrypto/rc4/rc4_enc.c
+++ b/src/lib/libcrypto/rc4/rc4_enc.c
@@ -77,6 +77,10 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
77 x=key->x; 77 x=key->x;
78 y=key->y; 78 y=key->y;
79 d=key->data; 79 d=key->data;
80#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
81 /* see crypto/rc4/asm/rc4-ia64.S for further details... */
82 d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
83#endif
80 84
81#if defined(RC4_CHUNK) 85#if defined(RC4_CHUNK)
82 /* 86 /*
diff --git a/src/lib/libcrypto/rc4/rc4_locl.h b/src/lib/libcrypto/rc4/rc4_locl.h
index 3bb80b6ce9..c712e1632e 100644
--- a/src/lib/libcrypto/rc4/rc4_locl.h
+++ b/src/lib/libcrypto/rc4/rc4_locl.h
@@ -1,4 +1,5 @@
1#ifndef HEADER_RC4_LOCL_H 1#ifndef HEADER_RC4_LOCL_H
2#define HEADER_RC4_LOCL_H 2#define HEADER_RC4_LOCL_H
3#include <openssl/opensslconf.h> 3#include <openssl/opensslconf.h>
4#include <cryptlib.h>
4#endif 5#endif
diff --git a/src/lib/libcrypto/rc4/rc4_skey.c b/src/lib/libcrypto/rc4/rc4_skey.c
index bb10c1ebe2..07234f061a 100644
--- a/src/lib/libcrypto/rc4/rc4_skey.c
+++ b/src/lib/libcrypto/rc4/rc4_skey.c
@@ -57,6 +57,7 @@
57 */ 57 */
58 58
59#include <openssl/rc4.h> 59#include <openssl/rc4.h>
60#include <openssl/crypto.h>
60#include "rc4_locl.h" 61#include "rc4_locl.h"
61#include <openssl/opensslv.h> 62#include <openssl/opensslv.h>
62 63
@@ -85,7 +86,7 @@ const char *RC4_options(void)
85 * Date: Wed, 14 Sep 1994 06:35:31 GMT 86 * Date: Wed, 14 Sep 1994 06:35:31 GMT
86 */ 87 */
87 88
88void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) 89FIPS_NON_FIPS_VCIPHER_Init(RC4)
89 { 90 {
90 register RC4_INT tmp; 91 register RC4_INT tmp;
91 register int id1,id2; 92 register int id1,id2;
@@ -93,6 +94,11 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
93 unsigned int i; 94 unsigned int i;
94 95
95 d= &(key->data[0]); 96 d= &(key->data[0]);
97#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
98 /* see crypto/rc4/asm/rc4-ia64.S for further details... */
99 d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
100#endif
101
96 for (i=0; i<256; i++) 102 for (i=0; i<256; i++)
97 d[i]=i; 103 d[i]=i;
98 key->x = 0; 104 key->x = 0;
diff --git a/src/lib/libcrypto/ripemd/ripemd.h b/src/lib/libcrypto/ripemd/ripemd.h
index 78d5f36560..7d0d998189 100644
--- a/src/lib/libcrypto/ripemd/ripemd.h
+++ b/src/lib/libcrypto/ripemd/ripemd.h
@@ -90,6 +90,9 @@ typedef struct RIPEMD160state_st
90 int num; 90 int num;
91 } RIPEMD160_CTX; 91 } RIPEMD160_CTX;
92 92
93#ifdef OPENSSL_FIPS
94int private_RIPEMD160_Init(RIPEMD160_CTX *c);
95#endif
93int RIPEMD160_Init(RIPEMD160_CTX *c); 96int RIPEMD160_Init(RIPEMD160_CTX *c);
94int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len); 97int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
95int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); 98int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
diff --git a/src/lib/libcrypto/ripemd/rmd_dgst.c b/src/lib/libcrypto/ripemd/rmd_dgst.c
index f351f00eea..5dff6bafa1 100644
--- a/src/lib/libcrypto/ripemd/rmd_dgst.c
+++ b/src/lib/libcrypto/ripemd/rmd_dgst.c
@@ -58,6 +58,7 @@
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include "rmd_locl.h" 60#include "rmd_locl.h"
61#include <openssl/fips.h>
61#include <openssl/opensslv.h> 62#include <openssl/opensslv.h>
62 63
63const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT; 64const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
@@ -69,7 +70,7 @@ const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
69 void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num); 70 void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
70# endif 71# endif
71 72
72int RIPEMD160_Init(RIPEMD160_CTX *c) 73FIPS_NON_FIPS_MD_Init(RIPEMD160)
73 { 74 {
74 c->A=RIPEMD160_A; 75 c->A=RIPEMD160_A;
75 c->B=RIPEMD160_B; 76 c->B=RIPEMD160_B;
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 62fa745f79..fc3bb5f86d 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -72,6 +72,10 @@
72#error RSA is disabled. 72#error RSA is disabled.
73#endif 73#endif
74 74
75#if defined(OPENSSL_FIPS)
76#define FIPS_RSA_SIZE_T int
77#endif
78
75#ifdef __cplusplus 79#ifdef __cplusplus
76extern "C" { 80extern "C" {
77#endif 81#endif
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index e0d286266e..d4caab3f95 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -62,7 +62,7 @@
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64 64
65#ifndef RSA_NULL 65#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
66 66
67static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 67static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
68 unsigned char *to, RSA *rsa,int padding); 68 unsigned char *to, RSA *rsa,int padding);
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 00c25adbc5..adb5e34da5 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -62,6 +62,8 @@
62#include <openssl/bn.h> 62#include <openssl/bn.h>
63#include <openssl/rsa.h> 63#include <openssl/rsa.h>
64 64
65#ifndef OPENSSL_FIPS
66
65RSA *RSA_generate_key(int bits, unsigned long e_value, 67RSA *RSA_generate_key(int bits, unsigned long e_value,
66 void (*callback)(int,int,void *), void *cb_arg) 68 void (*callback)(int,int,void *), void *cb_arg)
67 { 69 {
@@ -195,3 +197,4 @@ err:
195 return(rsa); 197 return(rsa);
196 } 198 }
197 199
200#endif
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index f462716a57..24fc94835e 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -139,8 +139,11 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
139 ret=1; 139 ret=1;
140err: 140err:
141 if (sig != NULL) M_ASN1_OCTET_STRING_free(sig); 141 if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
142 OPENSSL_cleanse(s,(unsigned int)siglen); 142 if (s != NULL)
143 OPENSSL_free(s); 143 {
144 OPENSSL_cleanse(s,(unsigned int)siglen);
145 OPENSSL_free(s);
146 }
144 return(ret); 147 return(ret);
145 } 148 }
146 149
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 8a1e642183..cee09eccb1 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -169,7 +169,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
169 } 169 }
170 if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) { 170 if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
171 RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH); 171 RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
172 return(0); 172 goto err;
173 } 173 }
174 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); 174 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
175 175
@@ -222,8 +222,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
222 } 222 }
223err: 223err:
224 if (sig != NULL) X509_SIG_free(sig); 224 if (sig != NULL) X509_SIG_free(sig);
225 OPENSSL_cleanse(s,(unsigned int)siglen); 225 if (s != NULL)
226 OPENSSL_free(s); 226 {
227 OPENSSL_cleanse(s,(unsigned int)siglen);
228 OPENSSL_free(s);
229 }
227 return(ret); 230 return(ret);
228 } 231 }
229 232
diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl
index e00f709553..041acc0348 100644
--- a/src/lib/libcrypto/sha/asm/sha1-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-586.pl
@@ -405,7 +405,7 @@ sub sha1_block_data
405 &mov(&DWP(16,$tmp1,"",0),$E); 405 &mov(&DWP(16,$tmp1,"",0),$E);
406 &cmp("esi","eax"); 406 &cmp("esi","eax");
407 &mov(&DWP( 4,$tmp1,"",0),$B); 407 &mov(&DWP( 4,$tmp1,"",0),$B);
408 &jl(&label("start")); 408 &jb(&label("start"));
409 409
410 &stack_pop(18+9); 410 &stack_pop(18+9);
411 &pop("edi"); 411 &pop("edi");
diff --git a/src/lib/libcrypto/sha/asm/sha1-ia64.pl b/src/lib/libcrypto/sha/asm/sha1-ia64.pl
new file mode 100644
index 0000000000..cb9dfad124
--- /dev/null
+++ b/src/lib/libcrypto/sha/asm/sha1-ia64.pl
@@ -0,0 +1,549 @@
1#!/usr/bin/env perl
2#
3# ====================================================================
4# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
5# project. Rights for redistribution and usage in source and binary
6# forms are granted according to the OpenSSL license.
7# ====================================================================
8#
9# Eternal question is what's wrong with compiler generated code? The
10# trick is that it's possible to reduce the number of shifts required
11# to perform rotations by maintaining copy of 32-bit value in upper
12# bits of 64-bit register. Just follow mux2 and shrp instructions...
13# Performance under big-endian OS such as HP-UX is 179MBps*1GHz, which
14# is >50% better than HP C and >2x better than gcc. As of this moment
15# performance under little-endian OS such as Linux and Windows will be
16# a bit lower, because data has to be picked in reverse byte-order.
17# It's possible to resolve this issue by implementing third function,
18# sha1_block_asm_data_order_aligned, which would temporarily flip
19# BE field in User Mask register...
20
21$code=<<___;
22.ident \"sha1-ia64.s, version 1.0\"
23.ident \"IA-64 ISA artwork by Andy Polyakov <appro\@fy.chalmers.se>\"
24.explicit
25
26___
27
28
29if ($^O eq "hpux") {
30 $ADDP="addp4";
31 for (@ARGV) { $ADDP="add" if (/[\+DD|\-mlp]64/); }
32} else { $ADDP="add"; }
33for (@ARGV) { $big_endian=1 if (/\-DB_ENDIAN/);
34 $big_endian=0 if (/\-DL_ENDIAN/); }
35if (!defined($big_endian))
36 { $big_endian=(unpack('L',pack('N',1))==1); }
37
38#$human=1;
39if ($human) { # useful for visual code auditing...
40 ($A,$B,$C,$D,$E,$T) = ("A","B","C","D","E","T");
41 ($h0,$h1,$h2,$h3,$h4) = ("h0","h1","h2","h3","h4");
42 ($K_00_19, $K_20_39, $K_40_59, $K_60_79) =
43 ( "K_00_19","K_20_39","K_40_59","K_60_79" );
44 @X= ( "X0", "X1", "X2", "X3", "X4", "X5", "X6", "X7",
45 "X8", "X9","X10","X11","X12","X13","X14","X15" );
46}
47else {
48 ($A,$B,$C,$D,$E,$T) = ("loc0","loc1","loc2","loc3","loc4","loc5");
49 ($h0,$h1,$h2,$h3,$h4) = ("loc6","loc7","loc8","loc9","loc10");
50 ($K_00_19, $K_20_39, $K_40_59, $K_60_79) =
51 ( "r14", "r15", "loc11", "loc12" );
52 @X= ( "r16", "r17", "r18", "r19", "r20", "r21", "r22", "r23",
53 "r24", "r25", "r26", "r27", "r28", "r29", "r30", "r31" );
54}
55
56sub BODY_00_15 {
57local *code=shift;
58local ($i,$a,$b,$c,$d,$e,$f,$unaligned)=@_;
59
60if ($unaligned) {
61 $code.=<<___;
62{ .mmi; ld1 tmp0=[inp],2 // MSB
63 ld1 tmp1=[tmp3],2 };;
64{ .mmi; ld1 tmp2=[inp],2
65 ld1 $X[$i&0xf]=[tmp3],2 // LSB
66 dep tmp1=tmp0,tmp1,8,8 };;
67{ .mii; cmp.ne p16,p0=r0,r0 // no misaligned prefetch
68 dep $X[$i&0xf]=tmp2,$X[$i&0xf],8,8;;
69 dep $X[$i&0xf]=tmp1,$X[$i&0xf],16,16 };;
70{ .mmi; nop.m 0
71___
72 }
73elsif ($i<15) {
74 $code.=<<___;
75{ .mmi; ld4 $X[($i+1)&0xf]=[inp],4 // prefetch
76___
77 }
78else {
79 $code.=<<___;
80{ .mmi; nop.m 0
81___
82 }
83if ($i<15) {
84 $code.=<<___;
85 and tmp0=$c,$b
86 dep.z tmp5=$a,5,27 } // a<<5
87{ .mmi; andcm tmp1=$d,$b
88 add tmp4=$e,$K_00_19 };;
89{ .mmi; or tmp0=tmp0,tmp1 // F_00_19(b,c,d)=(b&c)|(~b&d)
90 add $f=tmp4,$X[$i&0xf] // f=xi+e+K_00_19
91 extr.u tmp1=$a,27,5 };; // a>>27
92{ .mib; add $f=$f,tmp0 // f+=F_00_19(b,c,d)
93 shrp $b=tmp6,tmp6,2 } // b=ROTATE(b,30)
94{ .mib; or tmp1=tmp1,tmp5 // ROTATE(a,5)
95 mux2 tmp6=$a,0x44 };; // see b in next iteration
96{ .mii; add $f=$f,tmp1 // f+=ROTATE(a,5)
97 mux2 $X[$i&0xf]=$X[$i&0xf],0x44
98 nop.i 0 };;
99
100___
101 }
102else {
103 $code.=<<___;
104 and tmp0=$c,$b
105 dep.z tmp5=$a,5,27 } // a<<5 ;;?
106{ .mmi; andcm tmp1=$d,$b
107 add tmp4=$e,$K_00_19 };;
108{ .mmi; or tmp0=tmp0,tmp1 // F_00_19(b,c,d)=(b&c)|(~b&d)
109 add $f=tmp4,$X[$i&0xf] // f=xi+e+K_00_19
110 extr.u tmp1=$a,27,5 } // a>>27
111{ .mmi; xor tmp2=$X[($i+0+1)&0xf],$X[($i+2+1)&0xf] // +1
112 xor tmp3=$X[($i+8+1)&0xf],$X[($i+13+1)&0xf] // +1
113 nop.i 0 };;
114{ .mmi; add $f=$f,tmp0 // f+=F_00_19(b,c,d)
115 xor tmp2=tmp2,tmp3 // +1
116 shrp $b=tmp6,tmp6,2 } // b=ROTATE(b,30)
117{ .mmi; or tmp1=tmp1,tmp5 // ROTATE(a,5)
118 mux2 tmp6=$a,0x44 };; // see b in next iteration
119{ .mii; add $f=$f,tmp1 // f+=ROTATE(a,5)
120 shrp $e=tmp2,tmp2,31 // f+1=ROTATE(x[0]^x[2]^x[8]^x[13],1)
121 mux2 $X[$i&0xf]=$X[$i&0xf],0x44 };;
122
123___
124 }
125}
126
127sub BODY_16_19 {
128local *code=shift;
129local ($i,$a,$b,$c,$d,$e,$f)=@_;
130
131$code.=<<___;
132{ .mmi; mov $X[$i&0xf]=$f // Xupdate
133 and tmp0=$c,$b
134 dep.z tmp5=$a,5,27 } // a<<5
135{ .mmi; andcm tmp1=$d,$b
136 add tmp4=$e,$K_00_19 };;
137{ .mmi; or tmp0=tmp0,tmp1 // F_00_19(b,c,d)=(b&c)|(~b&d)
138 add $f=$f,tmp4 // f+=e+K_00_19
139 extr.u tmp1=$a,27,5 } // a>>27
140{ .mmi; xor tmp2=$X[($i+0+1)&0xf],$X[($i+2+1)&0xf] // +1
141 xor tmp3=$X[($i+8+1)&0xf],$X[($i+13+1)&0xf] // +1
142 nop.i 0 };;
143{ .mmi; add $f=$f,tmp0 // f+=F_00_19(b,c,d)
144 xor tmp2=tmp2,tmp3 // +1
145 shrp $b=tmp6,tmp6,2 } // b=ROTATE(b,30)
146{ .mmi; or tmp1=tmp1,tmp5 // ROTATE(a,5)
147 mux2 tmp6=$a,0x44 };; // see b in next iteration
148{ .mii; add $f=$f,tmp1 // f+=ROTATE(a,5)
149 shrp $e=tmp2,tmp2,31 // f+1=ROTATE(x[0]^x[2]^x[8]^x[13],1)
150 nop.i 0 };;
151
152___
153}
154
155sub BODY_20_39 {
156local *code=shift;
157local ($i,$a,$b,$c,$d,$e,$f,$Konst)=@_;
158 $Konst = $K_20_39 if (!defined($Konst));
159
160if ($i<79) {
161$code.=<<___;
162{ .mib; mov $X[$i&0xf]=$f // Xupdate
163 dep.z tmp5=$a,5,27 } // a<<5
164{ .mib; xor tmp0=$c,$b
165 add tmp4=$e,$Konst };;
166{ .mmi; xor tmp0=tmp0,$d // F_20_39(b,c,d)=b^c^d
167 add $f=$f,tmp4 // f+=e+K_20_39
168 extr.u tmp1=$a,27,5 } // a>>27
169{ .mmi; xor tmp2=$X[($i+0+1)&0xf],$X[($i+2+1)&0xf] // +1
170 xor tmp3=$X[($i+8+1)&0xf],$X[($i+13+1)&0xf] // +1
171 nop.i 0 };;
172{ .mmi; add $f=$f,tmp0 // f+=F_20_39(b,c,d)
173 xor tmp2=tmp2,tmp3 // +1
174 shrp $b=tmp6,tmp6,2 } // b=ROTATE(b,30)
175{ .mmi; or tmp1=tmp1,tmp5 // ROTATE(a,5)
176 mux2 tmp6=$a,0x44 };; // see b in next iteration
177{ .mii; add $f=$f,tmp1 // f+=ROTATE(a,5)
178 shrp $e=tmp2,tmp2,31 // f+1=ROTATE(x[0]^x[2]^x[8]^x[13],1)
179 nop.i 0 };;
180
181___
182}
183else {
184$code.=<<___;
185{ .mib; mov $X[$i&0xf]=$f // Xupdate
186 dep.z tmp5=$a,5,27 } // a<<5
187{ .mib; xor tmp0=$c,$b
188 add tmp4=$e,$Konst };;
189{ .mib; xor tmp0=tmp0,$d // F_20_39(b,c,d)=b^c^d
190 extr.u tmp1=$a,27,5 } // a>>27
191{ .mib; add $f=$f,tmp4 // f+=e+K_20_39
192 add $h1=$h1,$a };; // wrap up
193{ .mmi;
194(p16) ld4.s $X[0]=[inp],4 // non-faulting prefetch
195 add $f=$f,tmp0 // f+=F_20_39(b,c,d)
196 shrp $b=tmp6,tmp6,2 } // b=ROTATE(b,30) ;;?
197{ .mmi; or tmp1=tmp1,tmp5 // ROTATE(a,5)
198 add $h3=$h3,$c };; // wrap up
199{ .mib; add tmp3=1,inp // used in unaligned codepath
200 add $f=$f,tmp1 } // f+=ROTATE(a,5)
201{ .mib; add $h2=$h2,$b // wrap up
202 add $h4=$h4,$d };; // wrap up
203
204___
205}
206}
207
208sub BODY_40_59 {
209local *code=shift;
210local ($i,$a,$b,$c,$d,$e,$f)=@_;
211
212$code.=<<___;
213{ .mmi; mov $X[$i&0xf]=$f // Xupdate
214 and tmp0=$c,$b
215 dep.z tmp5=$a,5,27 } // a<<5
216{ .mmi; and tmp1=$d,$b
217 add tmp4=$e,$K_40_59 };;
218{ .mmi; or tmp0=tmp0,tmp1 // (b&c)|(b&d)
219 add $f=$f,tmp4 // f+=e+K_40_59
220 extr.u tmp1=$a,27,5 } // a>>27
221{ .mmi; and tmp4=$c,$d
222 xor tmp2=$X[($i+0+1)&0xf],$X[($i+2+1)&0xf] // +1
223 xor tmp3=$X[($i+8+1)&0xf],$X[($i+13+1)&0xf] // +1
224 };;
225{ .mmi; or tmp1=tmp1,tmp5 // ROTATE(a,5)
226 xor tmp2=tmp2,tmp3 // +1
227 shrp $b=tmp6,tmp6,2 } // b=ROTATE(b,30)
228{ .mmi; or tmp0=tmp0,tmp4 // F_40_59(b,c,d)=(b&c)|(b&d)|(c&d)
229 mux2 tmp6=$a,0x44 };; // see b in next iteration
230{ .mii; add $f=$f,tmp0 // f+=F_40_59(b,c,d)
231 shrp $e=tmp2,tmp2,31;; // f+1=ROTATE(x[0]^x[2]^x[8]^x[13],1)
232 add $f=$f,tmp1 };; // f+=ROTATE(a,5)
233
234___
235}
236sub BODY_60_79 { &BODY_20_39(@_,$K_60_79); }
237
238$code.=<<___;
239.text
240
241tmp0=r8;
242tmp1=r9;
243tmp2=r10;
244tmp3=r11;
245ctx=r32; // in0
246inp=r33; // in1
247
248// void sha1_block_asm_host_order(SHA_CTX *c,const void *p,size_t num);
249.global sha1_block_asm_host_order#
250.proc sha1_block_asm_host_order#
251.align 32
252sha1_block_asm_host_order:
253 .prologue
254 .fframe 0
255 .save ar.pfs,r0
256 .save ar.lc,r3
257{ .mmi; alloc tmp1=ar.pfs,3,15,0,0
258 $ADDP tmp0=4,ctx
259 mov r3=ar.lc }
260{ .mmi; $ADDP ctx=0,ctx
261 $ADDP inp=0,inp
262 mov r2=pr };;
263tmp4=in2;
264tmp5=loc13;
265tmp6=loc14;
266 .body
267{ .mlx; ld4 $h0=[ctx],8
268 movl $K_00_19=0x5a827999 }
269{ .mlx; ld4 $h1=[tmp0],8
270 movl $K_20_39=0x6ed9eba1 };;
271{ .mlx; ld4 $h2=[ctx],8
272 movl $K_40_59=0x8f1bbcdc }
273{ .mlx; ld4 $h3=[tmp0]
274 movl $K_60_79=0xca62c1d6 };;
275{ .mmi; ld4 $h4=[ctx],-16
276 add in2=-1,in2 // adjust num for ar.lc
277 mov ar.ec=1 };;
278{ .mmi; ld4 $X[0]=[inp],4 // prefetch
279 cmp.ne p16,p0=r0,in2 // prefecth at loop end
280 mov ar.lc=in2 };; // brp.loop.imp: too far
281
282.Lhtop:
283{ .mmi; mov $A=$h0
284 mov $B=$h1
285 mux2 tmp6=$h1,0x44 }
286{ .mmi; mov $C=$h2
287 mov $D=$h3
288 mov $E=$h4 };;
289
290___
291
292 &BODY_00_15(\$code, 0,$A,$B,$C,$D,$E,$T);
293 &BODY_00_15(\$code, 1,$T,$A,$B,$C,$D,$E);
294 &BODY_00_15(\$code, 2,$E,$T,$A,$B,$C,$D);
295 &BODY_00_15(\$code, 3,$D,$E,$T,$A,$B,$C);
296 &BODY_00_15(\$code, 4,$C,$D,$E,$T,$A,$B);
297 &BODY_00_15(\$code, 5,$B,$C,$D,$E,$T,$A);
298 &BODY_00_15(\$code, 6,$A,$B,$C,$D,$E,$T);
299 &BODY_00_15(\$code, 7,$T,$A,$B,$C,$D,$E);
300 &BODY_00_15(\$code, 8,$E,$T,$A,$B,$C,$D);
301 &BODY_00_15(\$code, 9,$D,$E,$T,$A,$B,$C);
302 &BODY_00_15(\$code,10,$C,$D,$E,$T,$A,$B);
303 &BODY_00_15(\$code,11,$B,$C,$D,$E,$T,$A);
304 &BODY_00_15(\$code,12,$A,$B,$C,$D,$E,$T);
305 &BODY_00_15(\$code,13,$T,$A,$B,$C,$D,$E);
306 &BODY_00_15(\$code,14,$E,$T,$A,$B,$C,$D);
307 &BODY_00_15(\$code,15,$D,$E,$T,$A,$B,$C);
308
309 &BODY_16_19(\$code,16,$C,$D,$E,$T,$A,$B);
310 &BODY_16_19(\$code,17,$B,$C,$D,$E,$T,$A);
311 &BODY_16_19(\$code,18,$A,$B,$C,$D,$E,$T);
312 &BODY_16_19(\$code,19,$T,$A,$B,$C,$D,$E);
313
314 &BODY_20_39(\$code,20,$E,$T,$A,$B,$C,$D);
315 &BODY_20_39(\$code,21,$D,$E,$T,$A,$B,$C);
316 &BODY_20_39(\$code,22,$C,$D,$E,$T,$A,$B);
317 &BODY_20_39(\$code,23,$B,$C,$D,$E,$T,$A);
318 &BODY_20_39(\$code,24,$A,$B,$C,$D,$E,$T);
319 &BODY_20_39(\$code,25,$T,$A,$B,$C,$D,$E);
320 &BODY_20_39(\$code,26,$E,$T,$A,$B,$C,$D);
321 &BODY_20_39(\$code,27,$D,$E,$T,$A,$B,$C);
322 &BODY_20_39(\$code,28,$C,$D,$E,$T,$A,$B);
323 &BODY_20_39(\$code,29,$B,$C,$D,$E,$T,$A);
324 &BODY_20_39(\$code,30,$A,$B,$C,$D,$E,$T);
325 &BODY_20_39(\$code,31,$T,$A,$B,$C,$D,$E);
326 &BODY_20_39(\$code,32,$E,$T,$A,$B,$C,$D);
327 &BODY_20_39(\$code,33,$D,$E,$T,$A,$B,$C);
328 &BODY_20_39(\$code,34,$C,$D,$E,$T,$A,$B);
329 &BODY_20_39(\$code,35,$B,$C,$D,$E,$T,$A);
330 &BODY_20_39(\$code,36,$A,$B,$C,$D,$E,$T);
331 &BODY_20_39(\$code,37,$T,$A,$B,$C,$D,$E);
332 &BODY_20_39(\$code,38,$E,$T,$A,$B,$C,$D);
333 &BODY_20_39(\$code,39,$D,$E,$T,$A,$B,$C);
334
335 &BODY_40_59(\$code,40,$C,$D,$E,$T,$A,$B);
336 &BODY_40_59(\$code,41,$B,$C,$D,$E,$T,$A);
337 &BODY_40_59(\$code,42,$A,$B,$C,$D,$E,$T);
338 &BODY_40_59(\$code,43,$T,$A,$B,$C,$D,$E);
339 &BODY_40_59(\$code,44,$E,$T,$A,$B,$C,$D);
340 &BODY_40_59(\$code,45,$D,$E,$T,$A,$B,$C);
341 &BODY_40_59(\$code,46,$C,$D,$E,$T,$A,$B);
342 &BODY_40_59(\$code,47,$B,$C,$D,$E,$T,$A);
343 &BODY_40_59(\$code,48,$A,$B,$C,$D,$E,$T);
344 &BODY_40_59(\$code,49,$T,$A,$B,$C,$D,$E);
345 &BODY_40_59(\$code,50,$E,$T,$A,$B,$C,$D);
346 &BODY_40_59(\$code,51,$D,$E,$T,$A,$B,$C);
347 &BODY_40_59(\$code,52,$C,$D,$E,$T,$A,$B);
348 &BODY_40_59(\$code,53,$B,$C,$D,$E,$T,$A);
349 &BODY_40_59(\$code,54,$A,$B,$C,$D,$E,$T);
350 &BODY_40_59(\$code,55,$T,$A,$B,$C,$D,$E);
351 &BODY_40_59(\$code,56,$E,$T,$A,$B,$C,$D);
352 &BODY_40_59(\$code,57,$D,$E,$T,$A,$B,$C);
353 &BODY_40_59(\$code,58,$C,$D,$E,$T,$A,$B);
354 &BODY_40_59(\$code,59,$B,$C,$D,$E,$T,$A);
355
356 &BODY_60_79(\$code,60,$A,$B,$C,$D,$E,$T);
357 &BODY_60_79(\$code,61,$T,$A,$B,$C,$D,$E);
358 &BODY_60_79(\$code,62,$E,$T,$A,$B,$C,$D);
359 &BODY_60_79(\$code,63,$D,$E,$T,$A,$B,$C);
360 &BODY_60_79(\$code,64,$C,$D,$E,$T,$A,$B);
361 &BODY_60_79(\$code,65,$B,$C,$D,$E,$T,$A);
362 &BODY_60_79(\$code,66,$A,$B,$C,$D,$E,$T);
363 &BODY_60_79(\$code,67,$T,$A,$B,$C,$D,$E);
364 &BODY_60_79(\$code,68,$E,$T,$A,$B,$C,$D);
365 &BODY_60_79(\$code,69,$D,$E,$T,$A,$B,$C);
366 &BODY_60_79(\$code,70,$C,$D,$E,$T,$A,$B);
367 &BODY_60_79(\$code,71,$B,$C,$D,$E,$T,$A);
368 &BODY_60_79(\$code,72,$A,$B,$C,$D,$E,$T);
369 &BODY_60_79(\$code,73,$T,$A,$B,$C,$D,$E);
370 &BODY_60_79(\$code,74,$E,$T,$A,$B,$C,$D);
371 &BODY_60_79(\$code,75,$D,$E,$T,$A,$B,$C);
372 &BODY_60_79(\$code,76,$C,$D,$E,$T,$A,$B);
373 &BODY_60_79(\$code,77,$B,$C,$D,$E,$T,$A);
374 &BODY_60_79(\$code,78,$A,$B,$C,$D,$E,$T);
375 &BODY_60_79(\$code,79,$T,$A,$B,$C,$D,$E);
376
377$code.=<<___;
378{ .mmb; add $h0=$h0,$E
379 nop.m 0
380 br.ctop.dptk.many .Lhtop };;
381.Lhend:
382{ .mmi; add tmp0=4,ctx
383 mov ar.lc=r3 };;
384{ .mmi; st4 [ctx]=$h0,8
385 st4 [tmp0]=$h1,8 };;
386{ .mmi; st4 [ctx]=$h2,8
387 st4 [tmp0]=$h3 };;
388{ .mib; st4 [ctx]=$h4,-16
389 mov pr=r2,0x1ffff
390 br.ret.sptk.many b0 };;
391.endp sha1_block_asm_host_order#
392___
393
394
395$code.=<<___;
396// void sha1_block_asm_data_order(SHA_CTX *c,const void *p,size_t num);
397.global sha1_block_asm_data_order#
398.proc sha1_block_asm_data_order#
399.align 32
400sha1_block_asm_data_order:
401___
402$code.=<<___ if ($big_endian);
403{ .mmi; and r2=3,inp };;
404{ .mib; cmp.eq p6,p0=r0,r2
405(p6) br.dptk.many sha1_block_asm_host_order };;
406___
407$code.=<<___;
408 .prologue
409 .fframe 0
410 .save ar.pfs,r0
411 .save ar.lc,r3
412{ .mmi; alloc tmp1=ar.pfs,3,15,0,0
413 $ADDP tmp0=4,ctx
414 mov r3=ar.lc }
415{ .mmi; $ADDP ctx=0,ctx
416 $ADDP inp=0,inp
417 mov r2=pr };;
418tmp4=in2;
419tmp5=loc13;
420tmp6=loc14;
421 .body
422{ .mlx; ld4 $h0=[ctx],8
423 movl $K_00_19=0x5a827999 }
424{ .mlx; ld4 $h1=[tmp0],8
425 movl $K_20_39=0x6ed9eba1 };;
426{ .mlx; ld4 $h2=[ctx],8
427 movl $K_40_59=0x8f1bbcdc }
428{ .mlx; ld4 $h3=[tmp0]
429 movl $K_60_79=0xca62c1d6 };;
430{ .mmi; ld4 $h4=[ctx],-16
431 add in2=-1,in2 // adjust num for ar.lc
432 mov ar.ec=1 };;
433{ .mmi; nop.m 0
434 add tmp3=1,inp
435 mov ar.lc=in2 };; // brp.loop.imp: too far
436
437.Ldtop:
438{ .mmi; mov $A=$h0
439 mov $B=$h1
440 mux2 tmp6=$h1,0x44 }
441{ .mmi; mov $C=$h2
442 mov $D=$h3
443 mov $E=$h4 };;
444
445___
446
447 &BODY_00_15(\$code, 0,$A,$B,$C,$D,$E,$T,1);
448 &BODY_00_15(\$code, 1,$T,$A,$B,$C,$D,$E,1);
449 &BODY_00_15(\$code, 2,$E,$T,$A,$B,$C,$D,1);
450 &BODY_00_15(\$code, 3,$D,$E,$T,$A,$B,$C,1);
451 &BODY_00_15(\$code, 4,$C,$D,$E,$T,$A,$B,1);
452 &BODY_00_15(\$code, 5,$B,$C,$D,$E,$T,$A,1);
453 &BODY_00_15(\$code, 6,$A,$B,$C,$D,$E,$T,1);
454 &BODY_00_15(\$code, 7,$T,$A,$B,$C,$D,$E,1);
455 &BODY_00_15(\$code, 8,$E,$T,$A,$B,$C,$D,1);
456 &BODY_00_15(\$code, 9,$D,$E,$T,$A,$B,$C,1);
457 &BODY_00_15(\$code,10,$C,$D,$E,$T,$A,$B,1);
458 &BODY_00_15(\$code,11,$B,$C,$D,$E,$T,$A,1);
459 &BODY_00_15(\$code,12,$A,$B,$C,$D,$E,$T,1);
460 &BODY_00_15(\$code,13,$T,$A,$B,$C,$D,$E,1);
461 &BODY_00_15(\$code,14,$E,$T,$A,$B,$C,$D,1);
462 &BODY_00_15(\$code,15,$D,$E,$T,$A,$B,$C,1);
463
464 &BODY_16_19(\$code,16,$C,$D,$E,$T,$A,$B);
465 &BODY_16_19(\$code,17,$B,$C,$D,$E,$T,$A);
466 &BODY_16_19(\$code,18,$A,$B,$C,$D,$E,$T);
467 &BODY_16_19(\$code,19,$T,$A,$B,$C,$D,$E);
468
469 &BODY_20_39(\$code,20,$E,$T,$A,$B,$C,$D);
470 &BODY_20_39(\$code,21,$D,$E,$T,$A,$B,$C);
471 &BODY_20_39(\$code,22,$C,$D,$E,$T,$A,$B);
472 &BODY_20_39(\$code,23,$B,$C,$D,$E,$T,$A);
473 &BODY_20_39(\$code,24,$A,$B,$C,$D,$E,$T);
474 &BODY_20_39(\$code,25,$T,$A,$B,$C,$D,$E);
475 &BODY_20_39(\$code,26,$E,$T,$A,$B,$C,$D);
476 &BODY_20_39(\$code,27,$D,$E,$T,$A,$B,$C);
477 &BODY_20_39(\$code,28,$C,$D,$E,$T,$A,$B);
478 &BODY_20_39(\$code,29,$B,$C,$D,$E,$T,$A);
479 &BODY_20_39(\$code,30,$A,$B,$C,$D,$E,$T);
480 &BODY_20_39(\$code,31,$T,$A,$B,$C,$D,$E);
481 &BODY_20_39(\$code,32,$E,$T,$A,$B,$C,$D);
482 &BODY_20_39(\$code,33,$D,$E,$T,$A,$B,$C);
483 &BODY_20_39(\$code,34,$C,$D,$E,$T,$A,$B);
484 &BODY_20_39(\$code,35,$B,$C,$D,$E,$T,$A);
485 &BODY_20_39(\$code,36,$A,$B,$C,$D,$E,$T);
486 &BODY_20_39(\$code,37,$T,$A,$B,$C,$D,$E);
487 &BODY_20_39(\$code,38,$E,$T,$A,$B,$C,$D);
488 &BODY_20_39(\$code,39,$D,$E,$T,$A,$B,$C);
489
490 &BODY_40_59(\$code,40,$C,$D,$E,$T,$A,$B);
491 &BODY_40_59(\$code,41,$B,$C,$D,$E,$T,$A);
492 &BODY_40_59(\$code,42,$A,$B,$C,$D,$E,$T);
493 &BODY_40_59(\$code,43,$T,$A,$B,$C,$D,$E);
494 &BODY_40_59(\$code,44,$E,$T,$A,$B,$C,$D);
495 &BODY_40_59(\$code,45,$D,$E,$T,$A,$B,$C);
496 &BODY_40_59(\$code,46,$C,$D,$E,$T,$A,$B);
497 &BODY_40_59(\$code,47,$B,$C,$D,$E,$T,$A);
498 &BODY_40_59(\$code,48,$A,$B,$C,$D,$E,$T);
499 &BODY_40_59(\$code,49,$T,$A,$B,$C,$D,$E);
500 &BODY_40_59(\$code,50,$E,$T,$A,$B,$C,$D);
501 &BODY_40_59(\$code,51,$D,$E,$T,$A,$B,$C);
502 &BODY_40_59(\$code,52,$C,$D,$E,$T,$A,$B);
503 &BODY_40_59(\$code,53,$B,$C,$D,$E,$T,$A);
504 &BODY_40_59(\$code,54,$A,$B,$C,$D,$E,$T);
505 &BODY_40_59(\$code,55,$T,$A,$B,$C,$D,$E);
506 &BODY_40_59(\$code,56,$E,$T,$A,$B,$C,$D);
507 &BODY_40_59(\$code,57,$D,$E,$T,$A,$B,$C);
508 &BODY_40_59(\$code,58,$C,$D,$E,$T,$A,$B);
509 &BODY_40_59(\$code,59,$B,$C,$D,$E,$T,$A);
510
511 &BODY_60_79(\$code,60,$A,$B,$C,$D,$E,$T);
512 &BODY_60_79(\$code,61,$T,$A,$B,$C,$D,$E);
513 &BODY_60_79(\$code,62,$E,$T,$A,$B,$C,$D);
514 &BODY_60_79(\$code,63,$D,$E,$T,$A,$B,$C);
515 &BODY_60_79(\$code,64,$C,$D,$E,$T,$A,$B);
516 &BODY_60_79(\$code,65,$B,$C,$D,$E,$T,$A);
517 &BODY_60_79(\$code,66,$A,$B,$C,$D,$E,$T);
518 &BODY_60_79(\$code,67,$T,$A,$B,$C,$D,$E);
519 &BODY_60_79(\$code,68,$E,$T,$A,$B,$C,$D);
520 &BODY_60_79(\$code,69,$D,$E,$T,$A,$B,$C);
521 &BODY_60_79(\$code,70,$C,$D,$E,$T,$A,$B);
522 &BODY_60_79(\$code,71,$B,$C,$D,$E,$T,$A);
523 &BODY_60_79(\$code,72,$A,$B,$C,$D,$E,$T);
524 &BODY_60_79(\$code,73,$T,$A,$B,$C,$D,$E);
525 &BODY_60_79(\$code,74,$E,$T,$A,$B,$C,$D);
526 &BODY_60_79(\$code,75,$D,$E,$T,$A,$B,$C);
527 &BODY_60_79(\$code,76,$C,$D,$E,$T,$A,$B);
528 &BODY_60_79(\$code,77,$B,$C,$D,$E,$T,$A);
529 &BODY_60_79(\$code,78,$A,$B,$C,$D,$E,$T);
530 &BODY_60_79(\$code,79,$T,$A,$B,$C,$D,$E);
531
532$code.=<<___;
533{ .mmb; add $h0=$h0,$E
534 nop.m 0
535 br.ctop.dptk.many .Ldtop };;
536.Ldend:
537{ .mmi; add tmp0=4,ctx
538 mov ar.lc=r3 };;
539{ .mmi; st4 [ctx]=$h0,8
540 st4 [tmp0]=$h1,8 };;
541{ .mmi; st4 [ctx]=$h2,8
542 st4 [tmp0]=$h3 };;
543{ .mib; st4 [ctx]=$h4,-16
544 mov pr=r2,0x1ffff
545 br.ret.sptk.many b0 };;
546.endp sha1_block_asm_data_order#
547___
548
549print $code;
diff --git a/src/lib/libcrypto/sha/sha.h b/src/lib/libcrypto/sha/sha.h
index 3fd54a10cc..79c07b0fd1 100644
--- a/src/lib/libcrypto/sha/sha.h
+++ b/src/lib/libcrypto/sha/sha.h
@@ -69,6 +69,10 @@ extern "C" {
69#error SHA is disabled. 69#error SHA is disabled.
70#endif 70#endif
71 71
72#if defined(OPENSSL_FIPS)
73#define FIPS_SHA_SIZE_T unsigned long
74#endif
75
72/* 76/*
73 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 77 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
74 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then ! 78 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
@@ -101,6 +105,9 @@ typedef struct SHAstate_st
101 } SHA_CTX; 105 } SHA_CTX;
102 106
103#ifndef OPENSSL_NO_SHA0 107#ifndef OPENSSL_NO_SHA0
108#ifdef OPENSSL_FIPS
109int private_SHA_Init(SHA_CTX *c);
110#endif
104int SHA_Init(SHA_CTX *c); 111int SHA_Init(SHA_CTX *c);
105int SHA_Update(SHA_CTX *c, const void *data, unsigned long len); 112int SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
106int SHA_Final(unsigned char *md, SHA_CTX *c); 113int SHA_Final(unsigned char *md, SHA_CTX *c);
diff --git a/src/lib/libcrypto/sha/sha1dgst.c b/src/lib/libcrypto/sha/sha1dgst.c
index 182f65982a..1e2009b760 100644
--- a/src/lib/libcrypto/sha/sha1dgst.c
+++ b/src/lib/libcrypto/sha/sha1dgst.c
@@ -62,12 +62,20 @@
62#define SHA_1 62#define SHA_1
63 63
64#include <openssl/opensslv.h> 64#include <openssl/opensslv.h>
65#include <openssl/opensslconf.h>
65 66
67#ifndef OPENSSL_FIPS
66const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT; 68const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
67 69
68/* The implementation is in ../md32_common.h */ 70/* The implementation is in ../md32_common.h */
69 71
70#include "sha_locl.h" 72#include "sha_locl.h"
71 73
74#else /* ndef OPENSSL_FIPS */
75
76static void *dummy=&dummy;
77
78#endif /* ndef OPENSSL_FIPS */
79
72#endif 80#endif
73 81
diff --git a/src/lib/libcrypto/sha/sha_locl.h b/src/lib/libcrypto/sha/sha_locl.h
index 2dd63a62a6..a3623f72da 100644
--- a/src/lib/libcrypto/sha/sha_locl.h
+++ b/src/lib/libcrypto/sha/sha_locl.h
@@ -121,6 +121,11 @@
121# define sha1_block_data_order sha1_block_asm_data_order 121# define sha1_block_data_order sha1_block_asm_data_order
122# define DONT_IMPLEMENT_BLOCK_DATA_ORDER 122# define DONT_IMPLEMENT_BLOCK_DATA_ORDER
123# define HASH_BLOCK_DATA_ORDER_ALIGNED sha1_block_asm_data_order 123# define HASH_BLOCK_DATA_ORDER_ALIGNED sha1_block_asm_data_order
124# elif defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
125# define sha1_block_host_order sha1_block_asm_host_order
126# define DONT_IMPLEMENT_BLOCK_HOST_ORDER
127# define sha1_block_data_order sha1_block_asm_data_order
128# define DONT_IMPLEMENT_BLOCK_DATA_ORDER
124# endif 129# endif
125# endif 130# endif
126 void sha1_block_host_order (SHA_CTX *c, const void *p,int num); 131 void sha1_block_host_order (SHA_CTX *c, const void *p,int num);
@@ -138,7 +143,11 @@
138#define INIT_DATA_h3 0x10325476UL 143#define INIT_DATA_h3 0x10325476UL
139#define INIT_DATA_h4 0xc3d2e1f0UL 144#define INIT_DATA_h4 0xc3d2e1f0UL
140 145
146#if defined(SHA_0) && defined(OPENSSL_FIPS)
147FIPS_NON_FIPS_MD_Init(SHA)
148#else
141int HASH_INIT (SHA_CTX *c) 149int HASH_INIT (SHA_CTX *c)
150#endif
142 { 151 {
143 c->h0=INIT_DATA_h0; 152 c->h0=INIT_DATA_h0;
144 c->h1=INIT_DATA_h1; 153 c->h1=INIT_DATA_h1;
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index ed9ed2c23a..bd1121c279 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -113,6 +113,8 @@ STACK_OF(type) \
113 ((type * (*)(STACK_OF(type) *))sk_pop)(st) 113 ((type * (*)(STACK_OF(type) *))sk_pop)(st)
114#define SKM_sk_sort(type, st) \ 114#define SKM_sk_sort(type, st) \
115 ((void (*)(STACK_OF(type) *))sk_sort)(st) 115 ((void (*)(STACK_OF(type) *))sk_sort)(st)
116#define SKM_sk_is_sorted(type, st) \
117 ((int (*)(const STACK_OF(type) *))sk_is_sorted)(st)
116 118
117#define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ 119#define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
118 ((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \ 120 ((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \
@@ -187,6 +189,8 @@ STACK_OF(type) \
187 ((type *)sk_pop(st)) 189 ((type *)sk_pop(st))
188#define SKM_sk_sort(type, st) \ 190#define SKM_sk_sort(type, st) \
189 sk_sort(st) 191 sk_sort(st)
192#define SKM_sk_is_sorted(type, st) \
193 sk_is_sorted(st)
190 194
191#define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ 195#define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
192 d2i_ASN1_SET(st,pp,length, (char *(*)())d2i_func, (void (*)(void *))free_func, ex_tag,ex_class) 196 d2i_ASN1_SET(st,pp,length, (char *(*)())d2i_func, (void (*)(void *))free_func, ex_tag,ex_class)
@@ -223,6 +227,7 @@ STACK_OF(type) \
223#define sk_ACCESS_DESCRIPTION_shift(st) SKM_sk_shift(ACCESS_DESCRIPTION, (st)) 227#define sk_ACCESS_DESCRIPTION_shift(st) SKM_sk_shift(ACCESS_DESCRIPTION, (st))
224#define sk_ACCESS_DESCRIPTION_pop(st) SKM_sk_pop(ACCESS_DESCRIPTION, (st)) 228#define sk_ACCESS_DESCRIPTION_pop(st) SKM_sk_pop(ACCESS_DESCRIPTION, (st))
225#define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st)) 229#define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st))
230#define sk_ACCESS_DESCRIPTION_is_sorted(st) SKM_sk_is_sorted(ACCESS_DESCRIPTION, (st))
226 231
227#define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st)) 232#define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st))
228#define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING) 233#define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING)
@@ -243,6 +248,7 @@ STACK_OF(type) \
243#define sk_ASN1_GENERALSTRING_shift(st) SKM_sk_shift(ASN1_GENERALSTRING, (st)) 248#define sk_ASN1_GENERALSTRING_shift(st) SKM_sk_shift(ASN1_GENERALSTRING, (st))
244#define sk_ASN1_GENERALSTRING_pop(st) SKM_sk_pop(ASN1_GENERALSTRING, (st)) 249#define sk_ASN1_GENERALSTRING_pop(st) SKM_sk_pop(ASN1_GENERALSTRING, (st))
245#define sk_ASN1_GENERALSTRING_sort(st) SKM_sk_sort(ASN1_GENERALSTRING, (st)) 250#define sk_ASN1_GENERALSTRING_sort(st) SKM_sk_sort(ASN1_GENERALSTRING, (st))
251#define sk_ASN1_GENERALSTRING_is_sorted(st) SKM_sk_is_sorted(ASN1_GENERALSTRING, (st))
246 252
247#define sk_ASN1_INTEGER_new(st) SKM_sk_new(ASN1_INTEGER, (st)) 253#define sk_ASN1_INTEGER_new(st) SKM_sk_new(ASN1_INTEGER, (st))
248#define sk_ASN1_INTEGER_new_null() SKM_sk_new_null(ASN1_INTEGER) 254#define sk_ASN1_INTEGER_new_null() SKM_sk_new_null(ASN1_INTEGER)
@@ -263,6 +269,7 @@ STACK_OF(type) \
263#define sk_ASN1_INTEGER_shift(st) SKM_sk_shift(ASN1_INTEGER, (st)) 269#define sk_ASN1_INTEGER_shift(st) SKM_sk_shift(ASN1_INTEGER, (st))
264#define sk_ASN1_INTEGER_pop(st) SKM_sk_pop(ASN1_INTEGER, (st)) 270#define sk_ASN1_INTEGER_pop(st) SKM_sk_pop(ASN1_INTEGER, (st))
265#define sk_ASN1_INTEGER_sort(st) SKM_sk_sort(ASN1_INTEGER, (st)) 271#define sk_ASN1_INTEGER_sort(st) SKM_sk_sort(ASN1_INTEGER, (st))
272#define sk_ASN1_INTEGER_is_sorted(st) SKM_sk_is_sorted(ASN1_INTEGER, (st))
266 273
267#define sk_ASN1_OBJECT_new(st) SKM_sk_new(ASN1_OBJECT, (st)) 274#define sk_ASN1_OBJECT_new(st) SKM_sk_new(ASN1_OBJECT, (st))
268#define sk_ASN1_OBJECT_new_null() SKM_sk_new_null(ASN1_OBJECT) 275#define sk_ASN1_OBJECT_new_null() SKM_sk_new_null(ASN1_OBJECT)
@@ -283,6 +290,7 @@ STACK_OF(type) \
283#define sk_ASN1_OBJECT_shift(st) SKM_sk_shift(ASN1_OBJECT, (st)) 290#define sk_ASN1_OBJECT_shift(st) SKM_sk_shift(ASN1_OBJECT, (st))
284#define sk_ASN1_OBJECT_pop(st) SKM_sk_pop(ASN1_OBJECT, (st)) 291#define sk_ASN1_OBJECT_pop(st) SKM_sk_pop(ASN1_OBJECT, (st))
285#define sk_ASN1_OBJECT_sort(st) SKM_sk_sort(ASN1_OBJECT, (st)) 292#define sk_ASN1_OBJECT_sort(st) SKM_sk_sort(ASN1_OBJECT, (st))
293#define sk_ASN1_OBJECT_is_sorted(st) SKM_sk_is_sorted(ASN1_OBJECT, (st))
286 294
287#define sk_ASN1_STRING_TABLE_new(st) SKM_sk_new(ASN1_STRING_TABLE, (st)) 295#define sk_ASN1_STRING_TABLE_new(st) SKM_sk_new(ASN1_STRING_TABLE, (st))
288#define sk_ASN1_STRING_TABLE_new_null() SKM_sk_new_null(ASN1_STRING_TABLE) 296#define sk_ASN1_STRING_TABLE_new_null() SKM_sk_new_null(ASN1_STRING_TABLE)
@@ -303,6 +311,7 @@ STACK_OF(type) \
303#define sk_ASN1_STRING_TABLE_shift(st) SKM_sk_shift(ASN1_STRING_TABLE, (st)) 311#define sk_ASN1_STRING_TABLE_shift(st) SKM_sk_shift(ASN1_STRING_TABLE, (st))
304#define sk_ASN1_STRING_TABLE_pop(st) SKM_sk_pop(ASN1_STRING_TABLE, (st)) 312#define sk_ASN1_STRING_TABLE_pop(st) SKM_sk_pop(ASN1_STRING_TABLE, (st))
305#define sk_ASN1_STRING_TABLE_sort(st) SKM_sk_sort(ASN1_STRING_TABLE, (st)) 313#define sk_ASN1_STRING_TABLE_sort(st) SKM_sk_sort(ASN1_STRING_TABLE, (st))
314#define sk_ASN1_STRING_TABLE_is_sorted(st) SKM_sk_is_sorted(ASN1_STRING_TABLE, (st))
306 315
307#define sk_ASN1_TYPE_new(st) SKM_sk_new(ASN1_TYPE, (st)) 316#define sk_ASN1_TYPE_new(st) SKM_sk_new(ASN1_TYPE, (st))
308#define sk_ASN1_TYPE_new_null() SKM_sk_new_null(ASN1_TYPE) 317#define sk_ASN1_TYPE_new_null() SKM_sk_new_null(ASN1_TYPE)
@@ -323,6 +332,7 @@ STACK_OF(type) \
323#define sk_ASN1_TYPE_shift(st) SKM_sk_shift(ASN1_TYPE, (st)) 332#define sk_ASN1_TYPE_shift(st) SKM_sk_shift(ASN1_TYPE, (st))
324#define sk_ASN1_TYPE_pop(st) SKM_sk_pop(ASN1_TYPE, (st)) 333#define sk_ASN1_TYPE_pop(st) SKM_sk_pop(ASN1_TYPE, (st))
325#define sk_ASN1_TYPE_sort(st) SKM_sk_sort(ASN1_TYPE, (st)) 334#define sk_ASN1_TYPE_sort(st) SKM_sk_sort(ASN1_TYPE, (st))
335#define sk_ASN1_TYPE_is_sorted(st) SKM_sk_is_sorted(ASN1_TYPE, (st))
326 336
327#define sk_ASN1_VALUE_new(st) SKM_sk_new(ASN1_VALUE, (st)) 337#define sk_ASN1_VALUE_new(st) SKM_sk_new(ASN1_VALUE, (st))
328#define sk_ASN1_VALUE_new_null() SKM_sk_new_null(ASN1_VALUE) 338#define sk_ASN1_VALUE_new_null() SKM_sk_new_null(ASN1_VALUE)
@@ -343,6 +353,7 @@ STACK_OF(type) \
343#define sk_ASN1_VALUE_shift(st) SKM_sk_shift(ASN1_VALUE, (st)) 353#define sk_ASN1_VALUE_shift(st) SKM_sk_shift(ASN1_VALUE, (st))
344#define sk_ASN1_VALUE_pop(st) SKM_sk_pop(ASN1_VALUE, (st)) 354#define sk_ASN1_VALUE_pop(st) SKM_sk_pop(ASN1_VALUE, (st))
345#define sk_ASN1_VALUE_sort(st) SKM_sk_sort(ASN1_VALUE, (st)) 355#define sk_ASN1_VALUE_sort(st) SKM_sk_sort(ASN1_VALUE, (st))
356#define sk_ASN1_VALUE_is_sorted(st) SKM_sk_is_sorted(ASN1_VALUE, (st))
346 357
347#define sk_BIO_new(st) SKM_sk_new(BIO, (st)) 358#define sk_BIO_new(st) SKM_sk_new(BIO, (st))
348#define sk_BIO_new_null() SKM_sk_new_null(BIO) 359#define sk_BIO_new_null() SKM_sk_new_null(BIO)
@@ -363,6 +374,7 @@ STACK_OF(type) \
363#define sk_BIO_shift(st) SKM_sk_shift(BIO, (st)) 374#define sk_BIO_shift(st) SKM_sk_shift(BIO, (st))
364#define sk_BIO_pop(st) SKM_sk_pop(BIO, (st)) 375#define sk_BIO_pop(st) SKM_sk_pop(BIO, (st))
365#define sk_BIO_sort(st) SKM_sk_sort(BIO, (st)) 376#define sk_BIO_sort(st) SKM_sk_sort(BIO, (st))
377#define sk_BIO_is_sorted(st) SKM_sk_is_sorted(BIO, (st))
366 378
367#define sk_CONF_IMODULE_new(st) SKM_sk_new(CONF_IMODULE, (st)) 379#define sk_CONF_IMODULE_new(st) SKM_sk_new(CONF_IMODULE, (st))
368#define sk_CONF_IMODULE_new_null() SKM_sk_new_null(CONF_IMODULE) 380#define sk_CONF_IMODULE_new_null() SKM_sk_new_null(CONF_IMODULE)
@@ -383,6 +395,7 @@ STACK_OF(type) \
383#define sk_CONF_IMODULE_shift(st) SKM_sk_shift(CONF_IMODULE, (st)) 395#define sk_CONF_IMODULE_shift(st) SKM_sk_shift(CONF_IMODULE, (st))
384#define sk_CONF_IMODULE_pop(st) SKM_sk_pop(CONF_IMODULE, (st)) 396#define sk_CONF_IMODULE_pop(st) SKM_sk_pop(CONF_IMODULE, (st))
385#define sk_CONF_IMODULE_sort(st) SKM_sk_sort(CONF_IMODULE, (st)) 397#define sk_CONF_IMODULE_sort(st) SKM_sk_sort(CONF_IMODULE, (st))
398#define sk_CONF_IMODULE_is_sorted(st) SKM_sk_is_sorted(CONF_IMODULE, (st))
386 399
387#define sk_CONF_MODULE_new(st) SKM_sk_new(CONF_MODULE, (st)) 400#define sk_CONF_MODULE_new(st) SKM_sk_new(CONF_MODULE, (st))
388#define sk_CONF_MODULE_new_null() SKM_sk_new_null(CONF_MODULE) 401#define sk_CONF_MODULE_new_null() SKM_sk_new_null(CONF_MODULE)
@@ -403,6 +416,7 @@ STACK_OF(type) \
403#define sk_CONF_MODULE_shift(st) SKM_sk_shift(CONF_MODULE, (st)) 416#define sk_CONF_MODULE_shift(st) SKM_sk_shift(CONF_MODULE, (st))
404#define sk_CONF_MODULE_pop(st) SKM_sk_pop(CONF_MODULE, (st)) 417#define sk_CONF_MODULE_pop(st) SKM_sk_pop(CONF_MODULE, (st))
405#define sk_CONF_MODULE_sort(st) SKM_sk_sort(CONF_MODULE, (st)) 418#define sk_CONF_MODULE_sort(st) SKM_sk_sort(CONF_MODULE, (st))
419#define sk_CONF_MODULE_is_sorted(st) SKM_sk_is_sorted(CONF_MODULE, (st))
406 420
407#define sk_CONF_VALUE_new(st) SKM_sk_new(CONF_VALUE, (st)) 421#define sk_CONF_VALUE_new(st) SKM_sk_new(CONF_VALUE, (st))
408#define sk_CONF_VALUE_new_null() SKM_sk_new_null(CONF_VALUE) 422#define sk_CONF_VALUE_new_null() SKM_sk_new_null(CONF_VALUE)
@@ -423,6 +437,7 @@ STACK_OF(type) \
423#define sk_CONF_VALUE_shift(st) SKM_sk_shift(CONF_VALUE, (st)) 437#define sk_CONF_VALUE_shift(st) SKM_sk_shift(CONF_VALUE, (st))
424#define sk_CONF_VALUE_pop(st) SKM_sk_pop(CONF_VALUE, (st)) 438#define sk_CONF_VALUE_pop(st) SKM_sk_pop(CONF_VALUE, (st))
425#define sk_CONF_VALUE_sort(st) SKM_sk_sort(CONF_VALUE, (st)) 439#define sk_CONF_VALUE_sort(st) SKM_sk_sort(CONF_VALUE, (st))
440#define sk_CONF_VALUE_is_sorted(st) SKM_sk_is_sorted(CONF_VALUE, (st))
426 441
427#define sk_CRYPTO_EX_DATA_FUNCS_new(st) SKM_sk_new(CRYPTO_EX_DATA_FUNCS, (st)) 442#define sk_CRYPTO_EX_DATA_FUNCS_new(st) SKM_sk_new(CRYPTO_EX_DATA_FUNCS, (st))
428#define sk_CRYPTO_EX_DATA_FUNCS_new_null() SKM_sk_new_null(CRYPTO_EX_DATA_FUNCS) 443#define sk_CRYPTO_EX_DATA_FUNCS_new_null() SKM_sk_new_null(CRYPTO_EX_DATA_FUNCS)
@@ -443,6 +458,7 @@ STACK_OF(type) \
443#define sk_CRYPTO_EX_DATA_FUNCS_shift(st) SKM_sk_shift(CRYPTO_EX_DATA_FUNCS, (st)) 458#define sk_CRYPTO_EX_DATA_FUNCS_shift(st) SKM_sk_shift(CRYPTO_EX_DATA_FUNCS, (st))
444#define sk_CRYPTO_EX_DATA_FUNCS_pop(st) SKM_sk_pop(CRYPTO_EX_DATA_FUNCS, (st)) 459#define sk_CRYPTO_EX_DATA_FUNCS_pop(st) SKM_sk_pop(CRYPTO_EX_DATA_FUNCS, (st))
445#define sk_CRYPTO_EX_DATA_FUNCS_sort(st) SKM_sk_sort(CRYPTO_EX_DATA_FUNCS, (st)) 460#define sk_CRYPTO_EX_DATA_FUNCS_sort(st) SKM_sk_sort(CRYPTO_EX_DATA_FUNCS, (st))
461#define sk_CRYPTO_EX_DATA_FUNCS_is_sorted(st) SKM_sk_is_sorted(CRYPTO_EX_DATA_FUNCS, (st))
446 462
447#define sk_CRYPTO_dynlock_new(st) SKM_sk_new(CRYPTO_dynlock, (st)) 463#define sk_CRYPTO_dynlock_new(st) SKM_sk_new(CRYPTO_dynlock, (st))
448#define sk_CRYPTO_dynlock_new_null() SKM_sk_new_null(CRYPTO_dynlock) 464#define sk_CRYPTO_dynlock_new_null() SKM_sk_new_null(CRYPTO_dynlock)
@@ -463,6 +479,7 @@ STACK_OF(type) \
463#define sk_CRYPTO_dynlock_shift(st) SKM_sk_shift(CRYPTO_dynlock, (st)) 479#define sk_CRYPTO_dynlock_shift(st) SKM_sk_shift(CRYPTO_dynlock, (st))
464#define sk_CRYPTO_dynlock_pop(st) SKM_sk_pop(CRYPTO_dynlock, (st)) 480#define sk_CRYPTO_dynlock_pop(st) SKM_sk_pop(CRYPTO_dynlock, (st))
465#define sk_CRYPTO_dynlock_sort(st) SKM_sk_sort(CRYPTO_dynlock, (st)) 481#define sk_CRYPTO_dynlock_sort(st) SKM_sk_sort(CRYPTO_dynlock, (st))
482#define sk_CRYPTO_dynlock_is_sorted(st) SKM_sk_is_sorted(CRYPTO_dynlock, (st))
466 483
467#define sk_DIST_POINT_new(st) SKM_sk_new(DIST_POINT, (st)) 484#define sk_DIST_POINT_new(st) SKM_sk_new(DIST_POINT, (st))
468#define sk_DIST_POINT_new_null() SKM_sk_new_null(DIST_POINT) 485#define sk_DIST_POINT_new_null() SKM_sk_new_null(DIST_POINT)
@@ -483,6 +500,7 @@ STACK_OF(type) \
483#define sk_DIST_POINT_shift(st) SKM_sk_shift(DIST_POINT, (st)) 500#define sk_DIST_POINT_shift(st) SKM_sk_shift(DIST_POINT, (st))
484#define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st)) 501#define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st))
485#define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st)) 502#define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st))
503#define sk_DIST_POINT_is_sorted(st) SKM_sk_is_sorted(DIST_POINT, (st))
486 504
487#define sk_ENGINE_new(st) SKM_sk_new(ENGINE, (st)) 505#define sk_ENGINE_new(st) SKM_sk_new(ENGINE, (st))
488#define sk_ENGINE_new_null() SKM_sk_new_null(ENGINE) 506#define sk_ENGINE_new_null() SKM_sk_new_null(ENGINE)
@@ -503,6 +521,7 @@ STACK_OF(type) \
503#define sk_ENGINE_shift(st) SKM_sk_shift(ENGINE, (st)) 521#define sk_ENGINE_shift(st) SKM_sk_shift(ENGINE, (st))
504#define sk_ENGINE_pop(st) SKM_sk_pop(ENGINE, (st)) 522#define sk_ENGINE_pop(st) SKM_sk_pop(ENGINE, (st))
505#define sk_ENGINE_sort(st) SKM_sk_sort(ENGINE, (st)) 523#define sk_ENGINE_sort(st) SKM_sk_sort(ENGINE, (st))
524#define sk_ENGINE_is_sorted(st) SKM_sk_is_sorted(ENGINE, (st))
506 525
507#define sk_ENGINE_CLEANUP_ITEM_new(st) SKM_sk_new(ENGINE_CLEANUP_ITEM, (st)) 526#define sk_ENGINE_CLEANUP_ITEM_new(st) SKM_sk_new(ENGINE_CLEANUP_ITEM, (st))
508#define sk_ENGINE_CLEANUP_ITEM_new_null() SKM_sk_new_null(ENGINE_CLEANUP_ITEM) 527#define sk_ENGINE_CLEANUP_ITEM_new_null() SKM_sk_new_null(ENGINE_CLEANUP_ITEM)
@@ -523,6 +542,7 @@ STACK_OF(type) \
523#define sk_ENGINE_CLEANUP_ITEM_shift(st) SKM_sk_shift(ENGINE_CLEANUP_ITEM, (st)) 542#define sk_ENGINE_CLEANUP_ITEM_shift(st) SKM_sk_shift(ENGINE_CLEANUP_ITEM, (st))
524#define sk_ENGINE_CLEANUP_ITEM_pop(st) SKM_sk_pop(ENGINE_CLEANUP_ITEM, (st)) 543#define sk_ENGINE_CLEANUP_ITEM_pop(st) SKM_sk_pop(ENGINE_CLEANUP_ITEM, (st))
525#define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st)) 544#define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st))
545#define sk_ENGINE_CLEANUP_ITEM_is_sorted(st) SKM_sk_is_sorted(ENGINE_CLEANUP_ITEM, (st))
526 546
527#define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st)) 547#define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st))
528#define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME) 548#define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME)
@@ -543,6 +563,7 @@ STACK_OF(type) \
543#define sk_GENERAL_NAME_shift(st) SKM_sk_shift(GENERAL_NAME, (st)) 563#define sk_GENERAL_NAME_shift(st) SKM_sk_shift(GENERAL_NAME, (st))
544#define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st)) 564#define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st))
545#define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st)) 565#define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st))
566#define sk_GENERAL_NAME_is_sorted(st) SKM_sk_is_sorted(GENERAL_NAME, (st))
546 567
547#define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st)) 568#define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st))
548#define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY) 569#define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY)
@@ -563,6 +584,7 @@ STACK_OF(type) \
563#define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st)) 584#define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st))
564#define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st)) 585#define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st))
565#define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st)) 586#define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st))
587#define sk_KRB5_APREQBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_APREQBODY, (st))
566 588
567#define sk_KRB5_AUTHDATA_new(st) SKM_sk_new(KRB5_AUTHDATA, (st)) 589#define sk_KRB5_AUTHDATA_new(st) SKM_sk_new(KRB5_AUTHDATA, (st))
568#define sk_KRB5_AUTHDATA_new_null() SKM_sk_new_null(KRB5_AUTHDATA) 590#define sk_KRB5_AUTHDATA_new_null() SKM_sk_new_null(KRB5_AUTHDATA)
@@ -583,6 +605,7 @@ STACK_OF(type) \
583#define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st)) 605#define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st))
584#define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st)) 606#define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st))
585#define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st)) 607#define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st))
608#define sk_KRB5_AUTHDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHDATA, (st))
586 609
587#define sk_KRB5_AUTHENTBODY_new(st) SKM_sk_new(KRB5_AUTHENTBODY, (st)) 610#define sk_KRB5_AUTHENTBODY_new(st) SKM_sk_new(KRB5_AUTHENTBODY, (st))
588#define sk_KRB5_AUTHENTBODY_new_null() SKM_sk_new_null(KRB5_AUTHENTBODY) 611#define sk_KRB5_AUTHENTBODY_new_null() SKM_sk_new_null(KRB5_AUTHENTBODY)
@@ -603,6 +626,7 @@ STACK_OF(type) \
603#define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st)) 626#define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st))
604#define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st)) 627#define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st))
605#define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st)) 628#define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st))
629#define sk_KRB5_AUTHENTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHENTBODY, (st))
606 630
607#define sk_KRB5_CHECKSUM_new(st) SKM_sk_new(KRB5_CHECKSUM, (st)) 631#define sk_KRB5_CHECKSUM_new(st) SKM_sk_new(KRB5_CHECKSUM, (st))
608#define sk_KRB5_CHECKSUM_new_null() SKM_sk_new_null(KRB5_CHECKSUM) 632#define sk_KRB5_CHECKSUM_new_null() SKM_sk_new_null(KRB5_CHECKSUM)
@@ -623,6 +647,7 @@ STACK_OF(type) \
623#define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st)) 647#define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st))
624#define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st)) 648#define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st))
625#define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st)) 649#define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st))
650#define sk_KRB5_CHECKSUM_is_sorted(st) SKM_sk_is_sorted(KRB5_CHECKSUM, (st))
626 651
627#define sk_KRB5_ENCDATA_new(st) SKM_sk_new(KRB5_ENCDATA, (st)) 652#define sk_KRB5_ENCDATA_new(st) SKM_sk_new(KRB5_ENCDATA, (st))
628#define sk_KRB5_ENCDATA_new_null() SKM_sk_new_null(KRB5_ENCDATA) 653#define sk_KRB5_ENCDATA_new_null() SKM_sk_new_null(KRB5_ENCDATA)
@@ -643,6 +668,7 @@ STACK_OF(type) \
643#define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st)) 668#define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st))
644#define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st)) 669#define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st))
645#define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st)) 670#define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st))
671#define sk_KRB5_ENCDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCDATA, (st))
646 672
647#define sk_KRB5_ENCKEY_new(st) SKM_sk_new(KRB5_ENCKEY, (st)) 673#define sk_KRB5_ENCKEY_new(st) SKM_sk_new(KRB5_ENCKEY, (st))
648#define sk_KRB5_ENCKEY_new_null() SKM_sk_new_null(KRB5_ENCKEY) 674#define sk_KRB5_ENCKEY_new_null() SKM_sk_new_null(KRB5_ENCKEY)
@@ -663,6 +689,7 @@ STACK_OF(type) \
663#define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st)) 689#define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st))
664#define sk_KRB5_ENCKEY_pop(st) SKM_sk_pop(KRB5_ENCKEY, (st)) 690#define sk_KRB5_ENCKEY_pop(st) SKM_sk_pop(KRB5_ENCKEY, (st))
665#define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st)) 691#define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st))
692#define sk_KRB5_ENCKEY_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCKEY, (st))
666 693
667#define sk_KRB5_PRINCNAME_new(st) SKM_sk_new(KRB5_PRINCNAME, (st)) 694#define sk_KRB5_PRINCNAME_new(st) SKM_sk_new(KRB5_PRINCNAME, (st))
668#define sk_KRB5_PRINCNAME_new_null() SKM_sk_new_null(KRB5_PRINCNAME) 695#define sk_KRB5_PRINCNAME_new_null() SKM_sk_new_null(KRB5_PRINCNAME)
@@ -683,6 +710,7 @@ STACK_OF(type) \
683#define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st)) 710#define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st))
684#define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st)) 711#define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st))
685#define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st)) 712#define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st))
713#define sk_KRB5_PRINCNAME_is_sorted(st) SKM_sk_is_sorted(KRB5_PRINCNAME, (st))
686 714
687#define sk_KRB5_TKTBODY_new(st) SKM_sk_new(KRB5_TKTBODY, (st)) 715#define sk_KRB5_TKTBODY_new(st) SKM_sk_new(KRB5_TKTBODY, (st))
688#define sk_KRB5_TKTBODY_new_null() SKM_sk_new_null(KRB5_TKTBODY) 716#define sk_KRB5_TKTBODY_new_null() SKM_sk_new_null(KRB5_TKTBODY)
@@ -703,6 +731,7 @@ STACK_OF(type) \
703#define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st)) 731#define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st))
704#define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st)) 732#define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st))
705#define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st)) 733#define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st))
734#define sk_KRB5_TKTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_TKTBODY, (st))
706 735
707#define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st)) 736#define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
708#define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER) 737#define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
@@ -723,6 +752,7 @@ STACK_OF(type) \
723#define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st)) 752#define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
724#define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st)) 753#define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
725#define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st)) 754#define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
755#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
726 756
727#define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st)) 757#define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
728#define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM) 758#define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
@@ -743,6 +773,7 @@ STACK_OF(type) \
743#define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st)) 773#define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
744#define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st)) 774#define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
745#define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st)) 775#define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
776#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))
746 777
747#define sk_NAME_FUNCS_new(st) SKM_sk_new(NAME_FUNCS, (st)) 778#define sk_NAME_FUNCS_new(st) SKM_sk_new(NAME_FUNCS, (st))
748#define sk_NAME_FUNCS_new_null() SKM_sk_new_null(NAME_FUNCS) 779#define sk_NAME_FUNCS_new_null() SKM_sk_new_null(NAME_FUNCS)
@@ -763,6 +794,7 @@ STACK_OF(type) \
763#define sk_NAME_FUNCS_shift(st) SKM_sk_shift(NAME_FUNCS, (st)) 794#define sk_NAME_FUNCS_shift(st) SKM_sk_shift(NAME_FUNCS, (st))
764#define sk_NAME_FUNCS_pop(st) SKM_sk_pop(NAME_FUNCS, (st)) 795#define sk_NAME_FUNCS_pop(st) SKM_sk_pop(NAME_FUNCS, (st))
765#define sk_NAME_FUNCS_sort(st) SKM_sk_sort(NAME_FUNCS, (st)) 796#define sk_NAME_FUNCS_sort(st) SKM_sk_sort(NAME_FUNCS, (st))
797#define sk_NAME_FUNCS_is_sorted(st) SKM_sk_is_sorted(NAME_FUNCS, (st))
766 798
767#define sk_OCSP_CERTID_new(st) SKM_sk_new(OCSP_CERTID, (st)) 799#define sk_OCSP_CERTID_new(st) SKM_sk_new(OCSP_CERTID, (st))
768#define sk_OCSP_CERTID_new_null() SKM_sk_new_null(OCSP_CERTID) 800#define sk_OCSP_CERTID_new_null() SKM_sk_new_null(OCSP_CERTID)
@@ -783,6 +815,7 @@ STACK_OF(type) \
783#define sk_OCSP_CERTID_shift(st) SKM_sk_shift(OCSP_CERTID, (st)) 815#define sk_OCSP_CERTID_shift(st) SKM_sk_shift(OCSP_CERTID, (st))
784#define sk_OCSP_CERTID_pop(st) SKM_sk_pop(OCSP_CERTID, (st)) 816#define sk_OCSP_CERTID_pop(st) SKM_sk_pop(OCSP_CERTID, (st))
785#define sk_OCSP_CERTID_sort(st) SKM_sk_sort(OCSP_CERTID, (st)) 817#define sk_OCSP_CERTID_sort(st) SKM_sk_sort(OCSP_CERTID, (st))
818#define sk_OCSP_CERTID_is_sorted(st) SKM_sk_is_sorted(OCSP_CERTID, (st))
786 819
787#define sk_OCSP_ONEREQ_new(st) SKM_sk_new(OCSP_ONEREQ, (st)) 820#define sk_OCSP_ONEREQ_new(st) SKM_sk_new(OCSP_ONEREQ, (st))
788#define sk_OCSP_ONEREQ_new_null() SKM_sk_new_null(OCSP_ONEREQ) 821#define sk_OCSP_ONEREQ_new_null() SKM_sk_new_null(OCSP_ONEREQ)
@@ -803,6 +836,7 @@ STACK_OF(type) \
803#define sk_OCSP_ONEREQ_shift(st) SKM_sk_shift(OCSP_ONEREQ, (st)) 836#define sk_OCSP_ONEREQ_shift(st) SKM_sk_shift(OCSP_ONEREQ, (st))
804#define sk_OCSP_ONEREQ_pop(st) SKM_sk_pop(OCSP_ONEREQ, (st)) 837#define sk_OCSP_ONEREQ_pop(st) SKM_sk_pop(OCSP_ONEREQ, (st))
805#define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ, (st)) 838#define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ, (st))
839#define sk_OCSP_ONEREQ_is_sorted(st) SKM_sk_is_sorted(OCSP_ONEREQ, (st))
806 840
807#define sk_OCSP_SINGLERESP_new(st) SKM_sk_new(OCSP_SINGLERESP, (st)) 841#define sk_OCSP_SINGLERESP_new(st) SKM_sk_new(OCSP_SINGLERESP, (st))
808#define sk_OCSP_SINGLERESP_new_null() SKM_sk_new_null(OCSP_SINGLERESP) 842#define sk_OCSP_SINGLERESP_new_null() SKM_sk_new_null(OCSP_SINGLERESP)
@@ -823,6 +857,7 @@ STACK_OF(type) \
823#define sk_OCSP_SINGLERESP_shift(st) SKM_sk_shift(OCSP_SINGLERESP, (st)) 857#define sk_OCSP_SINGLERESP_shift(st) SKM_sk_shift(OCSP_SINGLERESP, (st))
824#define sk_OCSP_SINGLERESP_pop(st) SKM_sk_pop(OCSP_SINGLERESP, (st)) 858#define sk_OCSP_SINGLERESP_pop(st) SKM_sk_pop(OCSP_SINGLERESP, (st))
825#define sk_OCSP_SINGLERESP_sort(st) SKM_sk_sort(OCSP_SINGLERESP, (st)) 859#define sk_OCSP_SINGLERESP_sort(st) SKM_sk_sort(OCSP_SINGLERESP, (st))
860#define sk_OCSP_SINGLERESP_is_sorted(st) SKM_sk_is_sorted(OCSP_SINGLERESP, (st))
826 861
827#define sk_PKCS12_SAFEBAG_new(st) SKM_sk_new(PKCS12_SAFEBAG, (st)) 862#define sk_PKCS12_SAFEBAG_new(st) SKM_sk_new(PKCS12_SAFEBAG, (st))
828#define sk_PKCS12_SAFEBAG_new_null() SKM_sk_new_null(PKCS12_SAFEBAG) 863#define sk_PKCS12_SAFEBAG_new_null() SKM_sk_new_null(PKCS12_SAFEBAG)
@@ -843,6 +878,7 @@ STACK_OF(type) \
843#define sk_PKCS12_SAFEBAG_shift(st) SKM_sk_shift(PKCS12_SAFEBAG, (st)) 878#define sk_PKCS12_SAFEBAG_shift(st) SKM_sk_shift(PKCS12_SAFEBAG, (st))
844#define sk_PKCS12_SAFEBAG_pop(st) SKM_sk_pop(PKCS12_SAFEBAG, (st)) 879#define sk_PKCS12_SAFEBAG_pop(st) SKM_sk_pop(PKCS12_SAFEBAG, (st))
845#define sk_PKCS12_SAFEBAG_sort(st) SKM_sk_sort(PKCS12_SAFEBAG, (st)) 880#define sk_PKCS12_SAFEBAG_sort(st) SKM_sk_sort(PKCS12_SAFEBAG, (st))
881#define sk_PKCS12_SAFEBAG_is_sorted(st) SKM_sk_is_sorted(PKCS12_SAFEBAG, (st))
846 882
847#define sk_PKCS7_new(st) SKM_sk_new(PKCS7, (st)) 883#define sk_PKCS7_new(st) SKM_sk_new(PKCS7, (st))
848#define sk_PKCS7_new_null() SKM_sk_new_null(PKCS7) 884#define sk_PKCS7_new_null() SKM_sk_new_null(PKCS7)
@@ -863,6 +899,7 @@ STACK_OF(type) \
863#define sk_PKCS7_shift(st) SKM_sk_shift(PKCS7, (st)) 899#define sk_PKCS7_shift(st) SKM_sk_shift(PKCS7, (st))
864#define sk_PKCS7_pop(st) SKM_sk_pop(PKCS7, (st)) 900#define sk_PKCS7_pop(st) SKM_sk_pop(PKCS7, (st))
865#define sk_PKCS7_sort(st) SKM_sk_sort(PKCS7, (st)) 901#define sk_PKCS7_sort(st) SKM_sk_sort(PKCS7, (st))
902#define sk_PKCS7_is_sorted(st) SKM_sk_is_sorted(PKCS7, (st))
866 903
867#define sk_PKCS7_RECIP_INFO_new(st) SKM_sk_new(PKCS7_RECIP_INFO, (st)) 904#define sk_PKCS7_RECIP_INFO_new(st) SKM_sk_new(PKCS7_RECIP_INFO, (st))
868#define sk_PKCS7_RECIP_INFO_new_null() SKM_sk_new_null(PKCS7_RECIP_INFO) 905#define sk_PKCS7_RECIP_INFO_new_null() SKM_sk_new_null(PKCS7_RECIP_INFO)
@@ -883,6 +920,7 @@ STACK_OF(type) \
883#define sk_PKCS7_RECIP_INFO_shift(st) SKM_sk_shift(PKCS7_RECIP_INFO, (st)) 920#define sk_PKCS7_RECIP_INFO_shift(st) SKM_sk_shift(PKCS7_RECIP_INFO, (st))
884#define sk_PKCS7_RECIP_INFO_pop(st) SKM_sk_pop(PKCS7_RECIP_INFO, (st)) 921#define sk_PKCS7_RECIP_INFO_pop(st) SKM_sk_pop(PKCS7_RECIP_INFO, (st))
885#define sk_PKCS7_RECIP_INFO_sort(st) SKM_sk_sort(PKCS7_RECIP_INFO, (st)) 922#define sk_PKCS7_RECIP_INFO_sort(st) SKM_sk_sort(PKCS7_RECIP_INFO, (st))
923#define sk_PKCS7_RECIP_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_RECIP_INFO, (st))
886 924
887#define sk_PKCS7_SIGNER_INFO_new(st) SKM_sk_new(PKCS7_SIGNER_INFO, (st)) 925#define sk_PKCS7_SIGNER_INFO_new(st) SKM_sk_new(PKCS7_SIGNER_INFO, (st))
888#define sk_PKCS7_SIGNER_INFO_new_null() SKM_sk_new_null(PKCS7_SIGNER_INFO) 926#define sk_PKCS7_SIGNER_INFO_new_null() SKM_sk_new_null(PKCS7_SIGNER_INFO)
@@ -903,6 +941,7 @@ STACK_OF(type) \
903#define sk_PKCS7_SIGNER_INFO_shift(st) SKM_sk_shift(PKCS7_SIGNER_INFO, (st)) 941#define sk_PKCS7_SIGNER_INFO_shift(st) SKM_sk_shift(PKCS7_SIGNER_INFO, (st))
904#define sk_PKCS7_SIGNER_INFO_pop(st) SKM_sk_pop(PKCS7_SIGNER_INFO, (st)) 942#define sk_PKCS7_SIGNER_INFO_pop(st) SKM_sk_pop(PKCS7_SIGNER_INFO, (st))
905#define sk_PKCS7_SIGNER_INFO_sort(st) SKM_sk_sort(PKCS7_SIGNER_INFO, (st)) 943#define sk_PKCS7_SIGNER_INFO_sort(st) SKM_sk_sort(PKCS7_SIGNER_INFO, (st))
944#define sk_PKCS7_SIGNER_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_SIGNER_INFO, (st))
906 945
907#define sk_POLICYINFO_new(st) SKM_sk_new(POLICYINFO, (st)) 946#define sk_POLICYINFO_new(st) SKM_sk_new(POLICYINFO, (st))
908#define sk_POLICYINFO_new_null() SKM_sk_new_null(POLICYINFO) 947#define sk_POLICYINFO_new_null() SKM_sk_new_null(POLICYINFO)
@@ -923,6 +962,7 @@ STACK_OF(type) \
923#define sk_POLICYINFO_shift(st) SKM_sk_shift(POLICYINFO, (st)) 962#define sk_POLICYINFO_shift(st) SKM_sk_shift(POLICYINFO, (st))
924#define sk_POLICYINFO_pop(st) SKM_sk_pop(POLICYINFO, (st)) 963#define sk_POLICYINFO_pop(st) SKM_sk_pop(POLICYINFO, (st))
925#define sk_POLICYINFO_sort(st) SKM_sk_sort(POLICYINFO, (st)) 964#define sk_POLICYINFO_sort(st) SKM_sk_sort(POLICYINFO, (st))
965#define sk_POLICYINFO_is_sorted(st) SKM_sk_is_sorted(POLICYINFO, (st))
926 966
927#define sk_POLICYQUALINFO_new(st) SKM_sk_new(POLICYQUALINFO, (st)) 967#define sk_POLICYQUALINFO_new(st) SKM_sk_new(POLICYQUALINFO, (st))
928#define sk_POLICYQUALINFO_new_null() SKM_sk_new_null(POLICYQUALINFO) 968#define sk_POLICYQUALINFO_new_null() SKM_sk_new_null(POLICYQUALINFO)
@@ -943,6 +983,7 @@ STACK_OF(type) \
943#define sk_POLICYQUALINFO_shift(st) SKM_sk_shift(POLICYQUALINFO, (st)) 983#define sk_POLICYQUALINFO_shift(st) SKM_sk_shift(POLICYQUALINFO, (st))
944#define sk_POLICYQUALINFO_pop(st) SKM_sk_pop(POLICYQUALINFO, (st)) 984#define sk_POLICYQUALINFO_pop(st) SKM_sk_pop(POLICYQUALINFO, (st))
945#define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st)) 985#define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st))
986#define sk_POLICYQUALINFO_is_sorted(st) SKM_sk_is_sorted(POLICYQUALINFO, (st))
946 987
947#define sk_SSL_CIPHER_new(st) SKM_sk_new(SSL_CIPHER, (st)) 988#define sk_SSL_CIPHER_new(st) SKM_sk_new(SSL_CIPHER, (st))
948#define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER) 989#define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER)
@@ -963,6 +1004,7 @@ STACK_OF(type) \
963#define sk_SSL_CIPHER_shift(st) SKM_sk_shift(SSL_CIPHER, (st)) 1004#define sk_SSL_CIPHER_shift(st) SKM_sk_shift(SSL_CIPHER, (st))
964#define sk_SSL_CIPHER_pop(st) SKM_sk_pop(SSL_CIPHER, (st)) 1005#define sk_SSL_CIPHER_pop(st) SKM_sk_pop(SSL_CIPHER, (st))
965#define sk_SSL_CIPHER_sort(st) SKM_sk_sort(SSL_CIPHER, (st)) 1006#define sk_SSL_CIPHER_sort(st) SKM_sk_sort(SSL_CIPHER, (st))
1007#define sk_SSL_CIPHER_is_sorted(st) SKM_sk_is_sorted(SSL_CIPHER, (st))
966 1008
967#define sk_SSL_COMP_new(st) SKM_sk_new(SSL_COMP, (st)) 1009#define sk_SSL_COMP_new(st) SKM_sk_new(SSL_COMP, (st))
968#define sk_SSL_COMP_new_null() SKM_sk_new_null(SSL_COMP) 1010#define sk_SSL_COMP_new_null() SKM_sk_new_null(SSL_COMP)
@@ -983,6 +1025,7 @@ STACK_OF(type) \
983#define sk_SSL_COMP_shift(st) SKM_sk_shift(SSL_COMP, (st)) 1025#define sk_SSL_COMP_shift(st) SKM_sk_shift(SSL_COMP, (st))
984#define sk_SSL_COMP_pop(st) SKM_sk_pop(SSL_COMP, (st)) 1026#define sk_SSL_COMP_pop(st) SKM_sk_pop(SSL_COMP, (st))
985#define sk_SSL_COMP_sort(st) SKM_sk_sort(SSL_COMP, (st)) 1027#define sk_SSL_COMP_sort(st) SKM_sk_sort(SSL_COMP, (st))
1028#define sk_SSL_COMP_is_sorted(st) SKM_sk_is_sorted(SSL_COMP, (st))
986 1029
987#define sk_SXNETID_new(st) SKM_sk_new(SXNETID, (st)) 1030#define sk_SXNETID_new(st) SKM_sk_new(SXNETID, (st))
988#define sk_SXNETID_new_null() SKM_sk_new_null(SXNETID) 1031#define sk_SXNETID_new_null() SKM_sk_new_null(SXNETID)
@@ -1003,6 +1046,7 @@ STACK_OF(type) \
1003#define sk_SXNETID_shift(st) SKM_sk_shift(SXNETID, (st)) 1046#define sk_SXNETID_shift(st) SKM_sk_shift(SXNETID, (st))
1004#define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st)) 1047#define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st))
1005#define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st)) 1048#define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st))
1049#define sk_SXNETID_is_sorted(st) SKM_sk_is_sorted(SXNETID, (st))
1006 1050
1007#define sk_UI_STRING_new(st) SKM_sk_new(UI_STRING, (st)) 1051#define sk_UI_STRING_new(st) SKM_sk_new(UI_STRING, (st))
1008#define sk_UI_STRING_new_null() SKM_sk_new_null(UI_STRING) 1052#define sk_UI_STRING_new_null() SKM_sk_new_null(UI_STRING)
@@ -1023,6 +1067,7 @@ STACK_OF(type) \
1023#define sk_UI_STRING_shift(st) SKM_sk_shift(UI_STRING, (st)) 1067#define sk_UI_STRING_shift(st) SKM_sk_shift(UI_STRING, (st))
1024#define sk_UI_STRING_pop(st) SKM_sk_pop(UI_STRING, (st)) 1068#define sk_UI_STRING_pop(st) SKM_sk_pop(UI_STRING, (st))
1025#define sk_UI_STRING_sort(st) SKM_sk_sort(UI_STRING, (st)) 1069#define sk_UI_STRING_sort(st) SKM_sk_sort(UI_STRING, (st))
1070#define sk_UI_STRING_is_sorted(st) SKM_sk_is_sorted(UI_STRING, (st))
1026 1071
1027#define sk_X509_new(st) SKM_sk_new(X509, (st)) 1072#define sk_X509_new(st) SKM_sk_new(X509, (st))
1028#define sk_X509_new_null() SKM_sk_new_null(X509) 1073#define sk_X509_new_null() SKM_sk_new_null(X509)
@@ -1043,6 +1088,7 @@ STACK_OF(type) \
1043#define sk_X509_shift(st) SKM_sk_shift(X509, (st)) 1088#define sk_X509_shift(st) SKM_sk_shift(X509, (st))
1044#define sk_X509_pop(st) SKM_sk_pop(X509, (st)) 1089#define sk_X509_pop(st) SKM_sk_pop(X509, (st))
1045#define sk_X509_sort(st) SKM_sk_sort(X509, (st)) 1090#define sk_X509_sort(st) SKM_sk_sort(X509, (st))
1091#define sk_X509_is_sorted(st) SKM_sk_is_sorted(X509, (st))
1046 1092
1047#define sk_X509V3_EXT_METHOD_new(st) SKM_sk_new(X509V3_EXT_METHOD, (st)) 1093#define sk_X509V3_EXT_METHOD_new(st) SKM_sk_new(X509V3_EXT_METHOD, (st))
1048#define sk_X509V3_EXT_METHOD_new_null() SKM_sk_new_null(X509V3_EXT_METHOD) 1094#define sk_X509V3_EXT_METHOD_new_null() SKM_sk_new_null(X509V3_EXT_METHOD)
@@ -1063,6 +1109,7 @@ STACK_OF(type) \
1063#define sk_X509V3_EXT_METHOD_shift(st) SKM_sk_shift(X509V3_EXT_METHOD, (st)) 1109#define sk_X509V3_EXT_METHOD_shift(st) SKM_sk_shift(X509V3_EXT_METHOD, (st))
1064#define sk_X509V3_EXT_METHOD_pop(st) SKM_sk_pop(X509V3_EXT_METHOD, (st)) 1110#define sk_X509V3_EXT_METHOD_pop(st) SKM_sk_pop(X509V3_EXT_METHOD, (st))
1065#define sk_X509V3_EXT_METHOD_sort(st) SKM_sk_sort(X509V3_EXT_METHOD, (st)) 1111#define sk_X509V3_EXT_METHOD_sort(st) SKM_sk_sort(X509V3_EXT_METHOD, (st))
1112#define sk_X509V3_EXT_METHOD_is_sorted(st) SKM_sk_is_sorted(X509V3_EXT_METHOD, (st))
1066 1113
1067#define sk_X509_ALGOR_new(st) SKM_sk_new(X509_ALGOR, (st)) 1114#define sk_X509_ALGOR_new(st) SKM_sk_new(X509_ALGOR, (st))
1068#define sk_X509_ALGOR_new_null() SKM_sk_new_null(X509_ALGOR) 1115#define sk_X509_ALGOR_new_null() SKM_sk_new_null(X509_ALGOR)
@@ -1083,6 +1130,7 @@ STACK_OF(type) \
1083#define sk_X509_ALGOR_shift(st) SKM_sk_shift(X509_ALGOR, (st)) 1130#define sk_X509_ALGOR_shift(st) SKM_sk_shift(X509_ALGOR, (st))
1084#define sk_X509_ALGOR_pop(st) SKM_sk_pop(X509_ALGOR, (st)) 1131#define sk_X509_ALGOR_pop(st) SKM_sk_pop(X509_ALGOR, (st))
1085#define sk_X509_ALGOR_sort(st) SKM_sk_sort(X509_ALGOR, (st)) 1132#define sk_X509_ALGOR_sort(st) SKM_sk_sort(X509_ALGOR, (st))
1133#define sk_X509_ALGOR_is_sorted(st) SKM_sk_is_sorted(X509_ALGOR, (st))
1086 1134
1087#define sk_X509_ATTRIBUTE_new(st) SKM_sk_new(X509_ATTRIBUTE, (st)) 1135#define sk_X509_ATTRIBUTE_new(st) SKM_sk_new(X509_ATTRIBUTE, (st))
1088#define sk_X509_ATTRIBUTE_new_null() SKM_sk_new_null(X509_ATTRIBUTE) 1136#define sk_X509_ATTRIBUTE_new_null() SKM_sk_new_null(X509_ATTRIBUTE)
@@ -1103,6 +1151,7 @@ STACK_OF(type) \
1103#define sk_X509_ATTRIBUTE_shift(st) SKM_sk_shift(X509_ATTRIBUTE, (st)) 1151#define sk_X509_ATTRIBUTE_shift(st) SKM_sk_shift(X509_ATTRIBUTE, (st))
1104#define sk_X509_ATTRIBUTE_pop(st) SKM_sk_pop(X509_ATTRIBUTE, (st)) 1152#define sk_X509_ATTRIBUTE_pop(st) SKM_sk_pop(X509_ATTRIBUTE, (st))
1105#define sk_X509_ATTRIBUTE_sort(st) SKM_sk_sort(X509_ATTRIBUTE, (st)) 1153#define sk_X509_ATTRIBUTE_sort(st) SKM_sk_sort(X509_ATTRIBUTE, (st))
1154#define sk_X509_ATTRIBUTE_is_sorted(st) SKM_sk_is_sorted(X509_ATTRIBUTE, (st))
1106 1155
1107#define sk_X509_CRL_new(st) SKM_sk_new(X509_CRL, (st)) 1156#define sk_X509_CRL_new(st) SKM_sk_new(X509_CRL, (st))
1108#define sk_X509_CRL_new_null() SKM_sk_new_null(X509_CRL) 1157#define sk_X509_CRL_new_null() SKM_sk_new_null(X509_CRL)
@@ -1123,6 +1172,7 @@ STACK_OF(type) \
1123#define sk_X509_CRL_shift(st) SKM_sk_shift(X509_CRL, (st)) 1172#define sk_X509_CRL_shift(st) SKM_sk_shift(X509_CRL, (st))
1124#define sk_X509_CRL_pop(st) SKM_sk_pop(X509_CRL, (st)) 1173#define sk_X509_CRL_pop(st) SKM_sk_pop(X509_CRL, (st))
1125#define sk_X509_CRL_sort(st) SKM_sk_sort(X509_CRL, (st)) 1174#define sk_X509_CRL_sort(st) SKM_sk_sort(X509_CRL, (st))
1175#define sk_X509_CRL_is_sorted(st) SKM_sk_is_sorted(X509_CRL, (st))
1126 1176
1127#define sk_X509_EXTENSION_new(st) SKM_sk_new(X509_EXTENSION, (st)) 1177#define sk_X509_EXTENSION_new(st) SKM_sk_new(X509_EXTENSION, (st))
1128#define sk_X509_EXTENSION_new_null() SKM_sk_new_null(X509_EXTENSION) 1178#define sk_X509_EXTENSION_new_null() SKM_sk_new_null(X509_EXTENSION)
@@ -1143,6 +1193,7 @@ STACK_OF(type) \
1143#define sk_X509_EXTENSION_shift(st) SKM_sk_shift(X509_EXTENSION, (st)) 1193#define sk_X509_EXTENSION_shift(st) SKM_sk_shift(X509_EXTENSION, (st))
1144#define sk_X509_EXTENSION_pop(st) SKM_sk_pop(X509_EXTENSION, (st)) 1194#define sk_X509_EXTENSION_pop(st) SKM_sk_pop(X509_EXTENSION, (st))
1145#define sk_X509_EXTENSION_sort(st) SKM_sk_sort(X509_EXTENSION, (st)) 1195#define sk_X509_EXTENSION_sort(st) SKM_sk_sort(X509_EXTENSION, (st))
1196#define sk_X509_EXTENSION_is_sorted(st) SKM_sk_is_sorted(X509_EXTENSION, (st))
1146 1197
1147#define sk_X509_INFO_new(st) SKM_sk_new(X509_INFO, (st)) 1198#define sk_X509_INFO_new(st) SKM_sk_new(X509_INFO, (st))
1148#define sk_X509_INFO_new_null() SKM_sk_new_null(X509_INFO) 1199#define sk_X509_INFO_new_null() SKM_sk_new_null(X509_INFO)
@@ -1163,6 +1214,7 @@ STACK_OF(type) \
1163#define sk_X509_INFO_shift(st) SKM_sk_shift(X509_INFO, (st)) 1214#define sk_X509_INFO_shift(st) SKM_sk_shift(X509_INFO, (st))
1164#define sk_X509_INFO_pop(st) SKM_sk_pop(X509_INFO, (st)) 1215#define sk_X509_INFO_pop(st) SKM_sk_pop(X509_INFO, (st))
1165#define sk_X509_INFO_sort(st) SKM_sk_sort(X509_INFO, (st)) 1216#define sk_X509_INFO_sort(st) SKM_sk_sort(X509_INFO, (st))
1217#define sk_X509_INFO_is_sorted(st) SKM_sk_is_sorted(X509_INFO, (st))
1166 1218
1167#define sk_X509_LOOKUP_new(st) SKM_sk_new(X509_LOOKUP, (st)) 1219#define sk_X509_LOOKUP_new(st) SKM_sk_new(X509_LOOKUP, (st))
1168#define sk_X509_LOOKUP_new_null() SKM_sk_new_null(X509_LOOKUP) 1220#define sk_X509_LOOKUP_new_null() SKM_sk_new_null(X509_LOOKUP)
@@ -1183,6 +1235,7 @@ STACK_OF(type) \
1183#define sk_X509_LOOKUP_shift(st) SKM_sk_shift(X509_LOOKUP, (st)) 1235#define sk_X509_LOOKUP_shift(st) SKM_sk_shift(X509_LOOKUP, (st))
1184#define sk_X509_LOOKUP_pop(st) SKM_sk_pop(X509_LOOKUP, (st)) 1236#define sk_X509_LOOKUP_pop(st) SKM_sk_pop(X509_LOOKUP, (st))
1185#define sk_X509_LOOKUP_sort(st) SKM_sk_sort(X509_LOOKUP, (st)) 1237#define sk_X509_LOOKUP_sort(st) SKM_sk_sort(X509_LOOKUP, (st))
1238#define sk_X509_LOOKUP_is_sorted(st) SKM_sk_is_sorted(X509_LOOKUP, (st))
1186 1239
1187#define sk_X509_NAME_new(st) SKM_sk_new(X509_NAME, (st)) 1240#define sk_X509_NAME_new(st) SKM_sk_new(X509_NAME, (st))
1188#define sk_X509_NAME_new_null() SKM_sk_new_null(X509_NAME) 1241#define sk_X509_NAME_new_null() SKM_sk_new_null(X509_NAME)
@@ -1203,6 +1256,7 @@ STACK_OF(type) \
1203#define sk_X509_NAME_shift(st) SKM_sk_shift(X509_NAME, (st)) 1256#define sk_X509_NAME_shift(st) SKM_sk_shift(X509_NAME, (st))
1204#define sk_X509_NAME_pop(st) SKM_sk_pop(X509_NAME, (st)) 1257#define sk_X509_NAME_pop(st) SKM_sk_pop(X509_NAME, (st))
1205#define sk_X509_NAME_sort(st) SKM_sk_sort(X509_NAME, (st)) 1258#define sk_X509_NAME_sort(st) SKM_sk_sort(X509_NAME, (st))
1259#define sk_X509_NAME_is_sorted(st) SKM_sk_is_sorted(X509_NAME, (st))
1206 1260
1207#define sk_X509_NAME_ENTRY_new(st) SKM_sk_new(X509_NAME_ENTRY, (st)) 1261#define sk_X509_NAME_ENTRY_new(st) SKM_sk_new(X509_NAME_ENTRY, (st))
1208#define sk_X509_NAME_ENTRY_new_null() SKM_sk_new_null(X509_NAME_ENTRY) 1262#define sk_X509_NAME_ENTRY_new_null() SKM_sk_new_null(X509_NAME_ENTRY)
@@ -1223,6 +1277,7 @@ STACK_OF(type) \
1223#define sk_X509_NAME_ENTRY_shift(st) SKM_sk_shift(X509_NAME_ENTRY, (st)) 1277#define sk_X509_NAME_ENTRY_shift(st) SKM_sk_shift(X509_NAME_ENTRY, (st))
1224#define sk_X509_NAME_ENTRY_pop(st) SKM_sk_pop(X509_NAME_ENTRY, (st)) 1278#define sk_X509_NAME_ENTRY_pop(st) SKM_sk_pop(X509_NAME_ENTRY, (st))
1225#define sk_X509_NAME_ENTRY_sort(st) SKM_sk_sort(X509_NAME_ENTRY, (st)) 1279#define sk_X509_NAME_ENTRY_sort(st) SKM_sk_sort(X509_NAME_ENTRY, (st))
1280#define sk_X509_NAME_ENTRY_is_sorted(st) SKM_sk_is_sorted(X509_NAME_ENTRY, (st))
1226 1281
1227#define sk_X509_OBJECT_new(st) SKM_sk_new(X509_OBJECT, (st)) 1282#define sk_X509_OBJECT_new(st) SKM_sk_new(X509_OBJECT, (st))
1228#define sk_X509_OBJECT_new_null() SKM_sk_new_null(X509_OBJECT) 1283#define sk_X509_OBJECT_new_null() SKM_sk_new_null(X509_OBJECT)
@@ -1243,6 +1298,7 @@ STACK_OF(type) \
1243#define sk_X509_OBJECT_shift(st) SKM_sk_shift(X509_OBJECT, (st)) 1298#define sk_X509_OBJECT_shift(st) SKM_sk_shift(X509_OBJECT, (st))
1244#define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st)) 1299#define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st))
1245#define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st)) 1300#define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st))
1301#define sk_X509_OBJECT_is_sorted(st) SKM_sk_is_sorted(X509_OBJECT, (st))
1246 1302
1247#define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st)) 1303#define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st))
1248#define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE) 1304#define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE)
@@ -1263,6 +1319,7 @@ STACK_OF(type) \
1263#define sk_X509_PURPOSE_shift(st) SKM_sk_shift(X509_PURPOSE, (st)) 1319#define sk_X509_PURPOSE_shift(st) SKM_sk_shift(X509_PURPOSE, (st))
1264#define sk_X509_PURPOSE_pop(st) SKM_sk_pop(X509_PURPOSE, (st)) 1320#define sk_X509_PURPOSE_pop(st) SKM_sk_pop(X509_PURPOSE, (st))
1265#define sk_X509_PURPOSE_sort(st) SKM_sk_sort(X509_PURPOSE, (st)) 1321#define sk_X509_PURPOSE_sort(st) SKM_sk_sort(X509_PURPOSE, (st))
1322#define sk_X509_PURPOSE_is_sorted(st) SKM_sk_is_sorted(X509_PURPOSE, (st))
1266 1323
1267#define sk_X509_REVOKED_new(st) SKM_sk_new(X509_REVOKED, (st)) 1324#define sk_X509_REVOKED_new(st) SKM_sk_new(X509_REVOKED, (st))
1268#define sk_X509_REVOKED_new_null() SKM_sk_new_null(X509_REVOKED) 1325#define sk_X509_REVOKED_new_null() SKM_sk_new_null(X509_REVOKED)
@@ -1283,6 +1340,7 @@ STACK_OF(type) \
1283#define sk_X509_REVOKED_shift(st) SKM_sk_shift(X509_REVOKED, (st)) 1340#define sk_X509_REVOKED_shift(st) SKM_sk_shift(X509_REVOKED, (st))
1284#define sk_X509_REVOKED_pop(st) SKM_sk_pop(X509_REVOKED, (st)) 1341#define sk_X509_REVOKED_pop(st) SKM_sk_pop(X509_REVOKED, (st))
1285#define sk_X509_REVOKED_sort(st) SKM_sk_sort(X509_REVOKED, (st)) 1342#define sk_X509_REVOKED_sort(st) SKM_sk_sort(X509_REVOKED, (st))
1343#define sk_X509_REVOKED_is_sorted(st) SKM_sk_is_sorted(X509_REVOKED, (st))
1286 1344
1287#define sk_X509_TRUST_new(st) SKM_sk_new(X509_TRUST, (st)) 1345#define sk_X509_TRUST_new(st) SKM_sk_new(X509_TRUST, (st))
1288#define sk_X509_TRUST_new_null() SKM_sk_new_null(X509_TRUST) 1346#define sk_X509_TRUST_new_null() SKM_sk_new_null(X509_TRUST)
@@ -1303,6 +1361,7 @@ STACK_OF(type) \
1303#define sk_X509_TRUST_shift(st) SKM_sk_shift(X509_TRUST, (st)) 1361#define sk_X509_TRUST_shift(st) SKM_sk_shift(X509_TRUST, (st))
1304#define sk_X509_TRUST_pop(st) SKM_sk_pop(X509_TRUST, (st)) 1362#define sk_X509_TRUST_pop(st) SKM_sk_pop(X509_TRUST, (st))
1305#define sk_X509_TRUST_sort(st) SKM_sk_sort(X509_TRUST, (st)) 1363#define sk_X509_TRUST_sort(st) SKM_sk_sort(X509_TRUST, (st))
1364#define sk_X509_TRUST_is_sorted(st) SKM_sk_is_sorted(X509_TRUST, (st))
1306 1365
1307#define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ 1366#define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
1308 SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 1367 SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class))
diff --git a/src/lib/libcrypto/stack/stack.c b/src/lib/libcrypto/stack/stack.c
index 2496f28a8c..c7173eb6ab 100644
--- a/src/lib/libcrypto/stack/stack.c
+++ b/src/lib/libcrypto/stack/stack.c
@@ -191,8 +191,7 @@ char *sk_delete(STACK *st, int loc)
191 char *ret; 191 char *ret;
192 int i,j; 192 int i,j;
193 193
194 if ((st == NULL) || (st->num == 0) || (loc < 0) 194 if(!st || (loc < 0) || (loc >= st->num)) return NULL;
195 || (loc >= st->num)) return(NULL);
196 195
197 ret=st->data[loc]; 196 ret=st->data[loc];
198 if (loc != st->num-1) 197 if (loc != st->num-1)
@@ -306,13 +305,13 @@ int sk_num(const STACK *st)
306 305
307char *sk_value(const STACK *st, int i) 306char *sk_value(const STACK *st, int i)
308{ 307{
309 if(st == NULL) return NULL; 308 if(!st || (i < 0) || (i >= st->num)) return NULL;
310 return st->data[i]; 309 return st->data[i];
311} 310}
312 311
313char *sk_set(STACK *st, int i, char *value) 312char *sk_set(STACK *st, int i, char *value)
314{ 313{
315 if(st == NULL) return NULL; 314 if(!st || (i < 0) || (i >= st->num)) return NULL;
316 return (st->data[i] = value); 315 return (st->data[i] = value);
317} 316}
318 317
@@ -332,3 +331,10 @@ void sk_sort(STACK *st)
332 st->sorted=1; 331 st->sorted=1;
333 } 332 }
334 } 333 }
334
335int sk_is_sorted(const STACK *st)
336 {
337 if (!st)
338 return 1;
339 return st->sorted;
340 }
diff --git a/src/lib/libcrypto/stack/stack.h b/src/lib/libcrypto/stack/stack.h
index 8b436ca4b9..7570b85fe8 100644
--- a/src/lib/libcrypto/stack/stack.h
+++ b/src/lib/libcrypto/stack/stack.h
@@ -99,6 +99,7 @@ int (*sk_set_cmp_func(STACK *sk, int (*c)(const char * const *,
99 (const char * const *, const char * const *); 99 (const char * const *, const char * const *);
100STACK *sk_dup(STACK *st); 100STACK *sk_dup(STACK *st);
101void sk_sort(STACK *st); 101void sk_sort(STACK *st);
102int sk_is_sorted(const STACK *st);
102 103
103#ifdef __cplusplus 104#ifdef __cplusplus
104} 105}
diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl
index 1b2915c767..60e534807e 100644
--- a/src/lib/libcrypto/util/mkerr.pl
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -41,7 +41,8 @@ while (@ARGV) {
41} 41}
42 42
43if($recurse) { 43if($recurse) {
44 @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>); 44 @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>, <fips/*.c>,
45 <fips/*/*.c>);
45} else { 46} else {
46 @source = @ARGV; 47 @source = @ARGV;
47} 48}
@@ -262,7 +263,7 @@ foreach $lib (keys %csrc)
262 } else { 263 } else {
263 push @out, 264 push @out,
264"/* ====================================================================\n", 265"/* ====================================================================\n",
265" * Copyright (c) 2001-2003 The OpenSSL Project. All rights reserved.\n", 266" * Copyright (c) 2001-2005 The OpenSSL Project. All rights reserved.\n",
266" *\n", 267" *\n",
267" * Redistribution and use in source and binary forms, with or without\n", 268" * Redistribution and use in source and binary forms, with or without\n",
268" * modification, are permitted provided that the following conditions\n", 269" * modification, are permitted provided that the following conditions\n",
@@ -404,7 +405,7 @@ EOF
404 print OUT <<"EOF"; 405 print OUT <<"EOF";
405/* $cfile */ 406/* $cfile */
406/* ==================================================================== 407/* ====================================================================
407 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. 408 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
408 * 409 *
409 * Redistribution and use in source and binary forms, with or without 410 * Redistribution and use in source and binary forms, with or without
410 * modification, are permitted provided that the following conditions 411 * modification, are permitted provided that the following conditions
diff --git a/src/lib/libcrypto/util/mkstack.pl b/src/lib/libcrypto/util/mkstack.pl
index 085c50f790..0ca9eb6a76 100644
--- a/src/lib/libcrypto/util/mkstack.pl
+++ b/src/lib/libcrypto/util/mkstack.pl
@@ -84,6 +84,7 @@ while(<IN>) {
84#define sk_${type_thing}_shift(st) SKM_sk_shift($type_thing, (st)) 84#define sk_${type_thing}_shift(st) SKM_sk_shift($type_thing, (st))
85#define sk_${type_thing}_pop(st) SKM_sk_pop($type_thing, (st)) 85#define sk_${type_thing}_pop(st) SKM_sk_pop($type_thing, (st))
86#define sk_${type_thing}_sort(st) SKM_sk_sort($type_thing, (st)) 86#define sk_${type_thing}_sort(st) SKM_sk_sort($type_thing, (st))
87#define sk_${type_thing}_is_sorted(st) SKM_sk_is_sorted($type_thing, (st))
87EOF 88EOF
88 } 89 }
89 foreach $type_thing (sort @asn1setlst) { 90 foreach $type_thing (sort @asn1setlst) {
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index b4b04183d0..a5e0d4aefa 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -150,7 +150,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
150 x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL); 150 x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
151 if (x == NULL) 151 if (x == NULL)
152 { 152 {
153 if ((ERR_GET_REASON(ERR_peek_error()) == 153 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
154 PEM_R_NO_START_LINE) && (count > 0)) 154 PEM_R_NO_START_LINE) && (count > 0))
155 { 155 {
156 ERR_clear_error(); 156 ERR_clear_error();
@@ -217,7 +217,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
217 x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); 217 x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
218 if (x == NULL) 218 if (x == NULL)
219 { 219 {
220 if ((ERR_GET_REASON(ERR_peek_error()) == 220 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
221 PEM_R_NO_START_LINE) && (count > 0)) 221 PEM_R_NO_START_LINE) && (count > 0))
222 { 222 {
223 ERR_clear_error(); 223 ERR_clear_error();
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 8d0c7e2e17..e8c1a59cf2 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -410,6 +410,7 @@ typedef struct X509_crl_info_st
410 ASN1_TIME *nextUpdate; 410 ASN1_TIME *nextUpdate;
411 STACK_OF(X509_REVOKED) *revoked; 411 STACK_OF(X509_REVOKED) *revoked;
412 STACK_OF(X509_EXTENSION) /* [0] */ *extensions; 412 STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
413 ASN1_ENCODING enc;
413 } X509_CRL_INFO; 414 } X509_CRL_INFO;
414 415
415struct X509_crl_st 416struct X509_crl_st
@@ -1037,18 +1038,18 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
1037int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, 1038int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
1038 unsigned char *bytes, int len, int loc, int set); 1039 unsigned char *bytes, int len, int loc, int set);
1039X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, 1040X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
1040 char *field, int type, unsigned char *bytes, int len); 1041 const char *field, int type, const unsigned char *bytes, int len);
1041X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, 1042X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
1042 int type,unsigned char *bytes, int len); 1043 int type,unsigned char *bytes, int len);
1043int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, 1044int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
1044 unsigned char *bytes, int len, int loc, int set); 1045 const unsigned char *bytes, int len, int loc, int set);
1045X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, 1046X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
1046 ASN1_OBJECT *obj, int type,unsigned char *bytes, 1047 ASN1_OBJECT *obj, int type,const unsigned char *bytes,
1047 int len); 1048 int len);
1048int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, 1049int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
1049 ASN1_OBJECT *obj); 1050 ASN1_OBJECT *obj);
1050int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, 1051int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
1051 unsigned char *bytes, int len); 1052 const unsigned char *bytes, int len);
1052ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); 1053ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
1053ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); 1054ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
1054 1055
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index f460102f49..030d0966fc 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -254,33 +254,49 @@ static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
254 return 0; 254 return 0;
255} 255}
256 256
257static int asn1_string_memcmp(ASN1_STRING *a, ASN1_STRING *b)
258 {
259 int j;
260 j = a->length - b->length;
261 if (j)
262 return j;
263 return memcmp(a->data, b->data, a->length);
264 }
265
266#define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING)
267
257int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) 268int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
258 { 269 {
259 int i,j; 270 int i,j;
260 X509_NAME_ENTRY *na,*nb; 271 X509_NAME_ENTRY *na,*nb;
261 272
262 if (sk_X509_NAME_ENTRY_num(a->entries) 273 unsigned long nabit, nbbit;
263 != sk_X509_NAME_ENTRY_num(b->entries)) 274
264 return sk_X509_NAME_ENTRY_num(a->entries) 275 j = sk_X509_NAME_ENTRY_num(a->entries)
265 -sk_X509_NAME_ENTRY_num(b->entries); 276 - sk_X509_NAME_ENTRY_num(b->entries);
277 if (j)
278 return j;
266 for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) 279 for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
267 { 280 {
268 na=sk_X509_NAME_ENTRY_value(a->entries,i); 281 na=sk_X509_NAME_ENTRY_value(a->entries,i);
269 nb=sk_X509_NAME_ENTRY_value(b->entries,i); 282 nb=sk_X509_NAME_ENTRY_value(b->entries,i);
270 j=na->value->type-nb->value->type; 283 j=na->value->type-nb->value->type;
271 if (j) return(j); 284 if (j)
272 if (na->value->type == V_ASN1_PRINTABLESTRING) 285 {
286 nabit = ASN1_tag2bit(na->value->type);
287 nbbit = ASN1_tag2bit(nb->value->type);
288 if (!(nabit & STR_TYPE_CMP) ||
289 !(nbbit & STR_TYPE_CMP))
290 return j;
291 j = asn1_string_memcmp(na->value, nb->value);
292 }
293 else if (na->value->type == V_ASN1_PRINTABLESTRING)
273 j=nocase_spacenorm_cmp(na->value, nb->value); 294 j=nocase_spacenorm_cmp(na->value, nb->value);
274 else if (na->value->type == V_ASN1_IA5STRING 295 else if (na->value->type == V_ASN1_IA5STRING
275 && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress) 296 && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
276 j=nocase_cmp(na->value, nb->value); 297 j=nocase_cmp(na->value, nb->value);
277 else 298 else
278 { 299 j = asn1_string_memcmp(na->value, nb->value);
279 j=na->value->length-nb->value->length;
280 if (j) return(j);
281 j=memcmp(na->value->data,nb->value->data,
282 na->value->length);
283 }
284 if (j) return(j); 300 if (j) return(j);
285 j=na->set-nb->set; 301 j=na->set-nb->set;
286 if (j) return(j); 302 if (j) return(j);
@@ -306,10 +322,16 @@ unsigned long X509_NAME_hash(X509_NAME *x)
306 { 322 {
307 unsigned long ret=0; 323 unsigned long ret=0;
308 unsigned char md[16]; 324 unsigned char md[16];
325 EVP_MD_CTX md_ctx;
309 326
310 /* Make sure X509_NAME structure contains valid cached encoding */ 327 /* Make sure X509_NAME structure contains valid cached encoding */
311 i2d_X509_NAME(x,NULL); 328 i2d_X509_NAME(x,NULL);
312 EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL); 329 EVP_MD_CTX_init(&md_ctx);
330 EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
331 EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
332 EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
333 EVP_DigestFinal_ex(&md_ctx,md,NULL);
334 EVP_MD_CTX_cleanup(&md_ctx);
313 335
314 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| 336 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
315 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) 337 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index db051033d9..fb8a78dabe 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -92,8 +92,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
92 X509_set_subject_name(ret,X509_NAME_dup(xn)); 92 X509_set_subject_name(ret,X509_NAME_dup(xn));
93 X509_set_issuer_name(ret,X509_NAME_dup(xn)); 93 X509_set_issuer_name(ret,X509_NAME_dup(xn));
94 94
95 X509_gmtime_adj(xi->validity->notBefore,0); 95 if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
96 X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days); 96 goto err;
97 if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
98 goto err;
97 99
98 X509_set_pubkey(ret,X509_REQ_get_pubkey(r)); 100 X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
99 101
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 0affa3bf30..59fc6ca548 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -118,7 +118,7 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
118 * used and there may be more: so the list is configurable. 118 * used and there may be more: so the list is configurable.
119 */ 119 */
120 120
121static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef}; 121static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
122 122
123static int *ext_nids = ext_nid_list; 123static int *ext_nids = ext_nid_list;
124 124
@@ -143,32 +143,33 @@ void X509_REQ_set_extension_nids(int *nids)
143} 143}
144 144
145STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) 145STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
146{ 146 {
147 X509_ATTRIBUTE *attr; 147 X509_ATTRIBUTE *attr;
148 STACK_OF(X509_ATTRIBUTE) *sk;
149 ASN1_TYPE *ext = NULL; 148 ASN1_TYPE *ext = NULL;
150 int i; 149 int idx, *pnid;
151 unsigned char *p; 150 unsigned char *p;
152 if ((req == NULL) || (req->req_info == NULL)) 151
152 if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
153 return(NULL); 153 return(NULL);
154 sk=req->req_info->attributes; 154 for (pnid = ext_nids; *pnid != NID_undef; pnid++)
155 if (!sk) return NULL; 155 {
156 for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 156 idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
157 attr = sk_X509_ATTRIBUTE_value(sk, i); 157 if (idx == -1)
158 if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) { 158 continue;
159 if(attr->single) ext = attr->value.single; 159 attr = X509_REQ_get_attr(req, idx);
160 else if(sk_ASN1_TYPE_num(attr->value.set)) 160 if(attr->single) ext = attr->value.single;
161 ext = sk_ASN1_TYPE_value(attr->value.set, 0); 161 else if(sk_ASN1_TYPE_num(attr->value.set))
162 break; 162 ext = sk_ASN1_TYPE_value(attr->value.set, 0);
163 break;
163 } 164 }
164 } 165 if(!ext || (ext->type != V_ASN1_SEQUENCE))
165 if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL; 166 return NULL;
166 p = ext->value.sequence->data; 167 p = ext->value.sequence->data;
167 return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p, 168 return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
168 ext->value.sequence->length, 169 ext->value.sequence->length,
169 d2i_X509_EXTENSION, X509_EXTENSION_free, 170 d2i_X509_EXTENSION, X509_EXTENSION_free,
170 V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); 171 V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
171} 172 }
172 173
173/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs 174/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
174 * in case we want to create a non standard one. 175 * in case we want to create a non standard one.
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index e31ebc6741..f19e66a238 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -122,8 +122,14 @@ const char *X509_verify_cert_error_string(long n)
122 return("certificate revoked"); 122 return("certificate revoked");
123 case X509_V_ERR_INVALID_CA: 123 case X509_V_ERR_INVALID_CA:
124 return ("invalid CA certificate"); 124 return ("invalid CA certificate");
125 case X509_V_ERR_INVALID_NON_CA:
126 return ("invalid non-CA certificate (has CA markings)");
125 case X509_V_ERR_PATH_LENGTH_EXCEEDED: 127 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
126 return ("path length constraint exceeded"); 128 return ("path length constraint exceeded");
129 case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
130 return("proxy path length constraint exceeded");
131 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
132 return("proxy cerificates not allowed, please set the appropriate flag");
127 case X509_V_ERR_INVALID_PURPOSE: 133 case X509_V_ERR_INVALID_PURPOSE:
128 return ("unsupported certificate purpose"); 134 return ("unsupported certificate purpose");
129 case X509_V_ERR_CERT_UNTRUSTED: 135 case X509_V_ERR_CERT_UNTRUSTED:
@@ -140,19 +146,16 @@ const char *X509_verify_cert_error_string(long n)
140 return("authority and issuer serial number mismatch"); 146 return("authority and issuer serial number mismatch");
141 case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: 147 case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
142 return("key usage does not include certificate signing"); 148 return("key usage does not include certificate signing");
143
144 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: 149 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
145 return("unable to get CRL issuer certificate"); 150 return("unable to get CRL issuer certificate");
146
147 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: 151 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
148 return("unhandled critical extension"); 152 return("unhandled critical extension");
149
150 case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: 153 case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
151 return("key usage does not include CRL signing"); 154 return("key usage does not include CRL signing");
152 155 case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
156 return("key usage does not include digital signature");
153 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: 157 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
154 return("unhandled critical CRL extension"); 158 return("unhandled critical CRL extension");
155
156 default: 159 default:
157 BIO_snprintf(buf,sizeof buf,"error number %ld",n); 160 BIO_snprintf(buf,sizeof buf,"error number %ld",n);
158 return(buf); 161 return(buf);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 2e4d0b823a..e43c861ee7 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -73,7 +73,7 @@
73static int null_callback(int ok,X509_STORE_CTX *e); 73static int null_callback(int ok,X509_STORE_CTX *e);
74static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 74static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
75static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); 75static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
76static int check_chain_purpose(X509_STORE_CTX *ctx); 76static int check_chain_extensions(X509_STORE_CTX *ctx);
77static int check_trust(X509_STORE_CTX *ctx); 77static int check_trust(X509_STORE_CTX *ctx);
78static int check_revocation(X509_STORE_CTX *ctx); 78static int check_revocation(X509_STORE_CTX *ctx);
79static int check_cert(X509_STORE_CTX *ctx); 79static int check_cert(X509_STORE_CTX *ctx);
@@ -281,7 +281,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
281 } 281 }
282 282
283 /* We have the chain complete: now we need to check its purpose */ 283 /* We have the chain complete: now we need to check its purpose */
284 if (ctx->purpose > 0) ok = check_chain_purpose(ctx); 284 ok = check_chain_extensions(ctx);
285 285
286 if (!ok) goto end; 286 if (!ok) goto end;
287 287
@@ -365,21 +365,39 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
365 else 365 else
366 return 0; 366 return 0;
367} 367}
368 368
369 369
370/* Check a certificate chains extensions for consistency 370/* Check a certificate chains extensions for consistency
371 * with the supplied purpose 371 * with the supplied purpose
372 */ 372 */
373 373
374static int check_chain_purpose(X509_STORE_CTX *ctx) 374static int check_chain_extensions(X509_STORE_CTX *ctx)
375{ 375{
376#ifdef OPENSSL_NO_CHAIN_VERIFY 376#ifdef OPENSSL_NO_CHAIN_VERIFY
377 return 1; 377 return 1;
378#else 378#else
379 int i, ok=0; 379 int i, ok=0, must_be_ca;
380 X509 *x; 380 X509 *x;
381 int (*cb)(); 381 int (*cb)();
382 int proxy_path_length = 0;
383 int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
382 cb=ctx->verify_cb; 384 cb=ctx->verify_cb;
385
386 /* must_be_ca can have 1 of 3 values:
387 -1: we accept both CA and non-CA certificates, to allow direct
388 use of self-signed certificates (which are marked as CA).
389 0: we only accept non-CA certificates. This is currently not
390 used, but the possibility is present for future extensions.
391 1: we only accept CA certificates. This is currently used for
392 all certificates in the chain except the leaf certificate.
393 */
394 must_be_ca = -1;
395
396 /* A hack to keep people who don't want to modify their software
397 happy */
398 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
399 allow_proxy_certs = 1;
400
383 /* Check all untrusted certificates */ 401 /* Check all untrusted certificates */
384 for (i = 0; i < ctx->last_untrusted; i++) 402 for (i = 0; i < ctx->last_untrusted; i++)
385 { 403 {
@@ -394,23 +412,73 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
394 ok=cb(0,ctx); 412 ok=cb(0,ctx);
395 if (!ok) goto end; 413 if (!ok) goto end;
396 } 414 }
397 ret = X509_check_purpose(x, ctx->purpose, i); 415 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
398 if ((ret == 0)
399 || ((ctx->flags & X509_V_FLAG_X509_STRICT)
400 && (ret != 1)))
401 { 416 {
402 if (i) 417 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
418 ctx->error_depth = i;
419 ctx->current_cert = x;
420 ok=cb(0,ctx);
421 if (!ok) goto end;
422 }
423 ret = X509_check_ca(x);
424 switch(must_be_ca)
425 {
426 case -1:
427 if ((ctx->flags & X509_V_FLAG_X509_STRICT)
428 && (ret != 1) && (ret != 0))
429 {
430 ret = 0;
403 ctx->error = X509_V_ERR_INVALID_CA; 431 ctx->error = X509_V_ERR_INVALID_CA;
432 }
404 else 433 else
405 ctx->error = X509_V_ERR_INVALID_PURPOSE; 434 ret = 1;
435 break;
436 case 0:
437 if (ret != 0)
438 {
439 ret = 0;
440 ctx->error = X509_V_ERR_INVALID_NON_CA;
441 }
442 else
443 ret = 1;
444 break;
445 default:
446 if ((ret == 0)
447 || ((ctx->flags & X509_V_FLAG_X509_STRICT)
448 && (ret != 1)))
449 {
450 ret = 0;
451 ctx->error = X509_V_ERR_INVALID_CA;
452 }
453 else
454 ret = 1;
455 break;
456 }
457 if (ret == 0)
458 {
406 ctx->error_depth = i; 459 ctx->error_depth = i;
407 ctx->current_cert = x; 460 ctx->current_cert = x;
408 ok=cb(0,ctx); 461 ok=cb(0,ctx);
409 if (!ok) goto end; 462 if (!ok) goto end;
410 } 463 }
464 if (ctx->purpose > 0)
465 {
466 ret = X509_check_purpose(x, ctx->purpose,
467 must_be_ca > 0);
468 if ((ret == 0)
469 || ((ctx->flags & X509_V_FLAG_X509_STRICT)
470 && (ret != 1)))
471 {
472 ctx->error = X509_V_ERR_INVALID_PURPOSE;
473 ctx->error_depth = i;
474 ctx->current_cert = x;
475 ok=cb(0,ctx);
476 if (!ok) goto end;
477 }
478 }
411 /* Check pathlen */ 479 /* Check pathlen */
412 if ((i > 1) && (x->ex_pathlen != -1) 480 if ((i > 1) && (x->ex_pathlen != -1)
413 && (i > (x->ex_pathlen + 1))) 481 && (i > (x->ex_pathlen + proxy_path_length + 1)))
414 { 482 {
415 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 483 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
416 ctx->error_depth = i; 484 ctx->error_depth = i;
@@ -418,6 +486,32 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
418 ok=cb(0,ctx); 486 ok=cb(0,ctx);
419 if (!ok) goto end; 487 if (!ok) goto end;
420 } 488 }
489 /* If this certificate is a proxy certificate, the next
490 certificate must be another proxy certificate or a EE
491 certificate. If not, the next certificate must be a
492 CA certificate. */
493 if (x->ex_flags & EXFLAG_PROXY)
494 {
495 PROXY_CERT_INFO_EXTENSION *pci =
496 X509_get_ext_d2i(x, NID_proxyCertInfo,
497 NULL, NULL);
498 if (pci->pcPathLengthConstraint &&
499 ASN1_INTEGER_get(pci->pcPathLengthConstraint)
500 < i)
501 {
502 PROXY_CERT_INFO_EXTENSION_free(pci);
503 ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
504 ctx->error_depth = i;
505 ctx->current_cert = x;
506 ok=cb(0,ctx);
507 if (!ok) goto end;
508 }
509 PROXY_CERT_INFO_EXTENSION_free(pci);
510 proxy_path_length++;
511 must_be_ca = 0;
512 }
513 else
514 must_be_ca = 1;
421 } 515 }
422 ok = 1; 516 ok = 1;
423 end: 517 end:
@@ -627,6 +721,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
627 X509_EXTENSION *ext; 721 X509_EXTENSION *ext;
628 /* Look for serial number of certificate in CRL */ 722 /* Look for serial number of certificate in CRL */
629 rtmp.serialNumber = X509_get_serialNumber(x); 723 rtmp.serialNumber = X509_get_serialNumber(x);
724 /* Sort revoked into serial number order if not already sorted.
725 * Do this under a lock to avoid race condition.
726 */
727 if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
728 {
729 CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
730 sk_X509_REVOKED_sort(crl->crl->revoked);
731 CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
732 }
630 idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); 733 idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
631 /* If found assume revoked: want something cleverer than 734 /* If found assume revoked: want something cleverer than
632 * this to handle entry extensions in V2 CRLs. 735 * this to handle entry extensions in V2 CRLs.
@@ -772,6 +875,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
772 } 875 }
773 876
774 /* The last error (if any) is still in the error value */ 877 /* The last error (if any) is still in the error value */
878 ctx->current_issuer=xi;
775 ctx->current_cert=xs; 879 ctx->current_cert=xs;
776 ok=(*cb)(1,ctx); 880 ok=(*cb)(1,ctx);
777 if (!ok) goto end; 881 if (!ok) goto end;
@@ -851,7 +955,8 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
851 atm.length=sizeof(buff2); 955 atm.length=sizeof(buff2);
852 atm.data=(unsigned char *)buff2; 956 atm.data=(unsigned char *)buff2;
853 957
854 X509_time_adj(&atm,-offset*60, cmp_time); 958 if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
959 return 0;
855 960
856 if (ctm->type == V_ASN1_UTCTIME) 961 if (ctm->type == V_ASN1_UTCTIME)
857 { 962 {
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 198495884c..7fd1f0bc4d 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -276,7 +276,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
276#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 276#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
277#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 277#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
278#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 278#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
279#define X509_V_ERR_CERT_NOT_YET_VALID 9 279#define X509_V_ERR_CERT_NOT_YET_VALID 9
280#define X509_V_ERR_CERT_HAS_EXPIRED 10 280#define X509_V_ERR_CERT_HAS_EXPIRED 10
281#define X509_V_ERR_CRL_NOT_YET_VALID 11 281#define X509_V_ERR_CRL_NOT_YET_VALID 11
282#define X509_V_ERR_CRL_HAS_EXPIRED 12 282#define X509_V_ERR_CRL_HAS_EXPIRED 12
@@ -306,6 +306,10 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
306#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 306#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
307#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 307#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
308#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 308#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
309#define X509_V_ERR_INVALID_NON_CA 37
310#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
311#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
312#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
309 313
310/* The application is not happy */ 314/* The application is not happy */
311#define X509_V_ERR_APPLICATION_VERIFICATION 50 315#define X509_V_ERR_APPLICATION_VERIFICATION 50
@@ -324,6 +328,8 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
324#define X509_V_FLAG_IGNORE_CRITICAL 0x10 328#define X509_V_FLAG_IGNORE_CRITICAL 0x10
325/* Disable workarounds for broken certificates */ 329/* Disable workarounds for broken certificates */
326#define X509_V_FLAG_X509_STRICT 0x20 330#define X509_V_FLAG_X509_STRICT 0x20
331/* Enable proxy certificate validation */
332#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
327 333
328int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, 334int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
329 X509_NAME *name); 335 X509_NAME *name);
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
index 6cac440ea9..9d1646d5c8 100644
--- a/src/lib/libcrypto/x509/x509cset.c
+++ b/src/lib/libcrypto/x509/x509cset.c
@@ -129,6 +129,7 @@ int X509_CRL_sort(X509_CRL *c)
129 r=sk_X509_REVOKED_value(c->crl->revoked,i); 129 r=sk_X509_REVOKED_value(c->crl->revoked,i);
130 r->sequence=i; 130 r->sequence=i;
131 } 131 }
132 c->crl->enc.modified = 1;
132 return 1; 133 return 1;
133 } 134 }
134 135
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
index 4c20e03ece..068abfe5f0 100644
--- a/src/lib/libcrypto/x509/x509name.c
+++ b/src/lib/libcrypto/x509/x509name.c
@@ -195,8 +195,8 @@ int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
195 return ret; 195 return ret;
196} 196}
197 197
198int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, 198int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
199 unsigned char *bytes, int len, int loc, int set) 199 const unsigned char *bytes, int len, int loc, int set)
200{ 200{
201 X509_NAME_ENTRY *ne; 201 X509_NAME_ENTRY *ne;
202 int ret; 202 int ret;
@@ -273,7 +273,7 @@ err:
273 } 273 }
274 274
275X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, 275X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
276 char *field, int type, unsigned char *bytes, int len) 276 const char *field, int type, const unsigned char *bytes, int len)
277 { 277 {
278 ASN1_OBJECT *obj; 278 ASN1_OBJECT *obj;
279 X509_NAME_ENTRY *nentry; 279 X509_NAME_ENTRY *nentry;
@@ -309,7 +309,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
309 } 309 }
310 310
311X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, 311X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
312 ASN1_OBJECT *obj, int type, unsigned char *bytes, int len) 312 ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
313 { 313 {
314 X509_NAME_ENTRY *ret; 314 X509_NAME_ENTRY *ret;
315 315
@@ -347,7 +347,7 @@ int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
347 } 347 }
348 348
349int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, 349int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
350 unsigned char *bytes, int len) 350 const unsigned char *bytes, int len)
351 { 351 {
352 int i; 352 int i;
353 353
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index fb5015cd4d..ac6dea493a 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -103,6 +103,7 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
103 103
104int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) 104int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
105 { 105 {
106 x->crl->enc.modified = 1;
106 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg, 107 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
107 x->sig_alg, x->signature, x->crl,pkey,md)); 108 x->sig_alg, x->signature, x->crl,pkey,md));
108 } 109 }
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 5442480595..d8328ac468 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -3,7 +3,7 @@
3 * project 1999. 3 * project 1999.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -60,10 +60,11 @@
60extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; 60extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
61extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; 61extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
62extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; 62extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
63extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld; 63extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
64extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
64extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; 65extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
65extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; 66extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
66extern X509V3_EXT_METHOD v3_crl_hold; 67extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
67 68
68/* This table will be searched using OBJ_bsearch so it *must* kept in 69/* This table will be searched using OBJ_bsearch so it *must* kept in
69 * order of the ext_nid values. 70 * order of the ext_nid values.
@@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
89&v3_akey_id, 90&v3_akey_id,
90&v3_crld, 91&v3_crld,
91&v3_ext_ku, 92&v3_ext_ku,
93&v3_delta_crl,
92&v3_crl_reason, 94&v3_crl_reason,
93#ifndef OPENSSL_NO_OCSP 95#ifndef OPENSSL_NO_OCSP
94&v3_crl_invdate, 96&v3_crl_invdate,
@@ -105,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = {
105#endif 107#endif
106&v3_sinfo, 108&v3_sinfo,
107#ifndef OPENSSL_NO_OCSP 109#ifndef OPENSSL_NO_OCSP
108&v3_crl_hold 110&v3_crl_hold,
109#endif 111#endif
112&v3_pci,
110}; 113};
111 114
112/* Number of standard extensions */ 115/* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
index 16cf125562..274965306d 100644
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ b/src/lib/libcrypto/x509v3/v3_bitst.c
@@ -124,7 +124,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
124 for(bnam = method->usr_data; bnam->lname; bnam++) { 124 for(bnam = method->usr_data; bnam->lname; bnam++) {
125 if(!strcmp(bnam->sname, val->name) || 125 if(!strcmp(bnam->sname, val->name) ||
126 !strcmp(bnam->lname, val->name) ) { 126 !strcmp(bnam->lname, val->name) ) {
127 ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1); 127 if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
128 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
129 ERR_R_MALLOC_FAILURE);
130 M_ASN1_BIT_STRING_free(bs);
131 return NULL;
132 }
128 break; 133 break;
129 } 134 }
130 } 135 }
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
index f9414456de..9683afa47c 100644
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ b/src/lib/libcrypto/x509v3/v3_ia5.c
@@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
82{ 82{
83 char *tmp; 83 char *tmp;
84 if(!ia5 || !ia5->length) return NULL; 84 if(!ia5 || !ia5->length) return NULL;
85 if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL; 85 if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
86 X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
86 memcpy(tmp, ia5->data, ia5->length); 89 memcpy(tmp, ia5->data, ia5->length);
87 tmp[ia5->length] = 0; 90 tmp[ia5->length] = 0;
88 return tmp; 91 return tmp;
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
index f34cbfb731..7a43b4717b 100644
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ b/src/lib/libcrypto/x509v3/v3_int.c
@@ -3,7 +3,7 @@
3 * project 1999. 3 * project 1999.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -61,9 +61,16 @@
61#include <openssl/x509v3.h> 61#include <openssl/x509v3.h>
62 62
63X509V3_EXT_METHOD v3_crl_num = { 63X509V3_EXT_METHOD v3_crl_num = {
64NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), 64 NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
650,0,0,0, 65 0,0,0,0,
66(X509V3_EXT_I2S)i2s_ASN1_INTEGER, 66 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
670, 67 0,
680,0,0,0, NULL}; 68 0,0,0,0, NULL};
69
70X509V3_EXT_METHOD v3_delta_crl = {
71 NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
72 0,0,0,0,
73 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
74 0,
75 0,0,0,0, NULL};
69 76
diff --git a/src/lib/libcrypto/x509v3/v3_pci.c b/src/lib/libcrypto/x509v3/v3_pci.c
new file mode 100644
index 0000000000..b32d968619
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pci.c
@@ -0,0 +1,313 @@
1/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <stdio.h>
38#include "cryptlib.h"
39#include <openssl/conf.h>
40#include <openssl/x509v3.h>
41
42static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
43 BIO *out, int indent);
44static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
45 X509V3_CTX *ctx, char *str);
46
47X509V3_EXT_METHOD v3_pci =
48 { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
49 0,0,0,0,
50 0,0,
51 NULL, NULL,
52 (X509V3_EXT_I2R)i2r_pci,
53 (X509V3_EXT_R2I)r2i_pci,
54 NULL,
55 };
56
57static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
58 BIO *out, int indent)
59 {
60 BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
61 if (pci->pcPathLengthConstraint)
62 i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
63 else
64 BIO_printf(out, "infinite");
65 BIO_puts(out, "\n");
66 BIO_printf(out, "%*sPolicy Language: ", indent, "");
67 i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
68 BIO_puts(out, "\n");
69 if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
70 BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
71 pci->proxyPolicy->policy->data);
72 return 1;
73 }
74
75static int process_pci_value(CONF_VALUE *val,
76 ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
77 ASN1_OCTET_STRING **policy)
78 {
79 int free_policy = 0;
80
81 if (strcmp(val->name, "language") == 0)
82 {
83 if (*language)
84 {
85 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
86 X509V3_conf_err(val);
87 return 0;
88 }
89 if (!(*language = OBJ_txt2obj(val->value, 0)))
90 {
91 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_OBJECT_IDENTIFIER);
92 X509V3_conf_err(val);
93 return 0;
94 }
95 }
96 else if (strcmp(val->name, "pathlen") == 0)
97 {
98 if (*pathlen)
99 {
100 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
101 X509V3_conf_err(val);
102 return 0;
103 }
104 if (!X509V3_get_value_int(val, pathlen))
105 {
106 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH);
107 X509V3_conf_err(val);
108 return 0;
109 }
110 }
111 else if (strcmp(val->name, "policy") == 0)
112 {
113 unsigned char *tmp_data = NULL;
114 long val_len;
115 if (!*policy)
116 {
117 *policy = ASN1_OCTET_STRING_new();
118 if (!*policy)
119 {
120 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
121 X509V3_conf_err(val);
122 return 0;
123 }
124 free_policy = 1;
125 }
126 if (strncmp(val->value, "hex:", 4) == 0)
127 {
128 unsigned char *tmp_data2 =
129 string_to_hex(val->value + 4, &val_len);
130
131 if (!tmp_data2) goto err;
132
133 tmp_data = OPENSSL_realloc((*policy)->data,
134 (*policy)->length + val_len + 1);
135 if (tmp_data)
136 {
137 (*policy)->data = tmp_data;
138 memcpy(&(*policy)->data[(*policy)->length],
139 tmp_data2, val_len);
140 (*policy)->length += val_len;
141 (*policy)->data[(*policy)->length] = '\0';
142 }
143 }
144 else if (strncmp(val->value, "file:", 5) == 0)
145 {
146 unsigned char buf[2048];
147 int n;
148 BIO *b = BIO_new_file(val->value + 5, "r");
149 if (!b)
150 {
151 X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB);
152 X509V3_conf_err(val);
153 goto err;
154 }
155 while((n = BIO_read(b, buf, sizeof(buf))) > 0
156 || (n == 0 && BIO_should_retry(b)))
157 {
158 if (!n) continue;
159
160 tmp_data = OPENSSL_realloc((*policy)->data,
161 (*policy)->length + n + 1);
162
163 if (!tmp_data)
164 break;
165
166 (*policy)->data = tmp_data;
167 memcpy(&(*policy)->data[(*policy)->length],
168 buf, n);
169 (*policy)->length += n;
170 (*policy)->data[(*policy)->length] = '\0';
171 }
172
173 if (n < 0)
174 {
175 X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB);
176 X509V3_conf_err(val);
177 goto err;
178 }
179 }
180 else if (strncmp(val->value, "text:", 5) == 0)
181 {
182 val_len = strlen(val->value + 5);
183 tmp_data = OPENSSL_realloc((*policy)->data,
184 (*policy)->length + val_len + 1);
185 if (tmp_data)
186 {
187 (*policy)->data = tmp_data;
188 memcpy(&(*policy)->data[(*policy)->length],
189 val->value + 5, val_len);
190 (*policy)->length += val_len;
191 (*policy)->data[(*policy)->length] = '\0';
192 }
193 }
194 else
195 {
196 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
197 X509V3_conf_err(val);
198 goto err;
199 }
200 if (!tmp_data)
201 {
202 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
203 X509V3_conf_err(val);
204 goto err;
205 }
206 }
207 return 1;
208err:
209 if (free_policy)
210 {
211 ASN1_OCTET_STRING_free(*policy);
212 *policy = NULL;
213 }
214 return 0;
215 }
216
217static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
218 X509V3_CTX *ctx, char *value)
219 {
220 PROXY_CERT_INFO_EXTENSION *pci = NULL;
221 STACK_OF(CONF_VALUE) *vals;
222 ASN1_OBJECT *language = NULL;
223 ASN1_INTEGER *pathlen = NULL;
224 ASN1_OCTET_STRING *policy = NULL;
225 int i, j;
226
227 vals = X509V3_parse_list(value);
228 for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
229 {
230 CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
231 if (!cnf->name || (*cnf->name != '@' && !cnf->value))
232 {
233 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
234 X509V3_conf_err(cnf);
235 goto err;
236 }
237 if (*cnf->name == '@')
238 {
239 STACK_OF(CONF_VALUE) *sect;
240 int success_p = 1;
241
242 sect = X509V3_get_section(ctx, cnf->name + 1);
243 if (!sect)
244 {
245 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
246 X509V3_conf_err(cnf);
247 goto err;
248 }
249 for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
250 {
251 success_p =
252 process_pci_value(sk_CONF_VALUE_value(sect, j),
253 &language, &pathlen, &policy);
254 }
255 X509V3_section_free(ctx, sect);
256 if (!success_p)
257 goto err;
258 }
259 else
260 {
261 if (!process_pci_value(cnf,
262 &language, &pathlen, &policy))
263 {
264 X509V3_conf_err(cnf);
265 goto err;
266 }
267 }
268 }
269
270 /* Language is mandatory */
271 if (!language)
272 {
273 X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
274 goto err;
275 }
276 i = OBJ_obj2nid(language);
277 if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
278 {
279 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
280 goto err;
281 }
282
283 pci = PROXY_CERT_INFO_EXTENSION_new();
284 if (!pci)
285 {
286 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
287 goto err;
288 }
289 pci->proxyPolicy = PROXY_POLICY_new();
290 if (!pci->proxyPolicy)
291 {
292 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
293 goto err;
294 }
295
296 pci->proxyPolicy->policyLanguage = language; language = NULL;
297 pci->proxyPolicy->policy = policy; policy = NULL;
298 pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
299 goto end;
300err:
301 if (language) { ASN1_OBJECT_free(language); language = NULL; }
302 if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
303 if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
304 if (pci && pci->proxyPolicy)
305 {
306 PROXY_POLICY_free(pci->proxyPolicy);
307 pci->proxyPolicy = NULL;
308 }
309 if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
310end:
311 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
312 return pci;
313 }
diff --git a/src/lib/libcrypto/x509v3/v3_pcia.c b/src/lib/libcrypto/x509v3/v3_pcia.c
new file mode 100644
index 0000000000..bb362e0e5a
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pcia.c
@@ -0,0 +1,55 @@
1/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <openssl/asn1.h>
38#include <openssl/asn1t.h>
39#include <openssl/x509v3.h>
40
41ASN1_SEQUENCE(PROXY_POLICY) =
42 {
43 ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT),
44 ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING)
45} ASN1_SEQUENCE_END(PROXY_POLICY)
46
47IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY)
48
49ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) =
50 {
51 ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER),
52 ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY)
53} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)
54
55IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index b3d1ae5d1c..bbdf6da493 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -63,7 +63,6 @@
63 63
64static void x509v3_cache_extensions(X509 *x); 64static void x509v3_cache_extensions(X509 *x);
65 65
66static int ca_check(const X509 *x);
67static int check_ssl_ca(const X509 *x); 66static int check_ssl_ca(const X509 *x);
68static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); 67static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
69static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); 68static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
@@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
286 NID_key_usage, /* 83 */ 285 NID_key_usage, /* 83 */
287 NID_subject_alt_name, /* 85 */ 286 NID_subject_alt_name, /* 85 */
288 NID_basic_constraints, /* 87 */ 287 NID_basic_constraints, /* 87 */
289 NID_ext_key_usage /* 126 */ 288 NID_ext_key_usage, /* 126 */
289 NID_proxyCertInfo /* 661 */
290 }; 290 };
291 291
292 int ex_nid; 292 int ex_nid;
@@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
307static void x509v3_cache_extensions(X509 *x) 307static void x509v3_cache_extensions(X509 *x)
308{ 308{
309 BASIC_CONSTRAINTS *bs; 309 BASIC_CONSTRAINTS *bs;
310 PROXY_CERT_INFO_EXTENSION *pci;
310 ASN1_BIT_STRING *usage; 311 ASN1_BIT_STRING *usage;
311 ASN1_BIT_STRING *ns; 312 ASN1_BIT_STRING *ns;
312 EXTENDED_KEY_USAGE *extusage; 313 EXTENDED_KEY_USAGE *extusage;
@@ -335,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x)
335 BASIC_CONSTRAINTS_free(bs); 336 BASIC_CONSTRAINTS_free(bs);
336 x->ex_flags |= EXFLAG_BCONS; 337 x->ex_flags |= EXFLAG_BCONS;
337 } 338 }
339 /* Handle proxy certificates */
340 if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
341 if (x->ex_flags & EXFLAG_CA
342 || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
343 || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
344 x->ex_flags |= EXFLAG_INVALID;
345 }
346 PROXY_CERT_INFO_EXTENSION_free(pci);
347 x->ex_flags |= EXFLAG_PROXY;
348 }
338 /* Handle key usage */ 349 /* Handle key usage */
339 if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { 350 if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
340 if(usage->length > 0) { 351 if(usage->length > 0) {
@@ -426,7 +437,7 @@ static void x509v3_cache_extensions(X509 *x)
426#define ns_reject(x, usage) \ 437#define ns_reject(x, usage) \
427 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) 438 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
428 439
429static int ca_check(const X509 *x) 440static int check_ca(const X509 *x)
430{ 441{
431 /* keyUsage if present should allow cert signing */ 442 /* keyUsage if present should allow cert signing */
432 if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; 443 if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
@@ -435,25 +446,37 @@ static int ca_check(const X509 *x)
435 /* If basicConstraints says not a CA then say so */ 446 /* If basicConstraints says not a CA then say so */
436 else return 0; 447 else return 0;
437 } else { 448 } else {
449 /* we support V1 roots for... uh, I don't really know why. */
438 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; 450 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
439 /* If key usage present it must have certSign so tolerate it */ 451 /* If key usage present it must have certSign so tolerate it */
440 else if (x->ex_flags & EXFLAG_KUSAGE) return 4; 452 else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
441 else return 2; 453 /* Older certificates could have Netscape-specific CA types */
454 else if (x->ex_flags & EXFLAG_NSCERT
455 && x->ex_nscert & NS_ANY_CA) return 5;
456 /* can this still be regarded a CA certificate? I doubt it */
457 return 0;
442 } 458 }
443} 459}
444 460
461int X509_check_ca(X509 *x)
462{
463 if(!(x->ex_flags & EXFLAG_SET)) {
464 CRYPTO_w_lock(CRYPTO_LOCK_X509);
465 x509v3_cache_extensions(x);
466 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
467 }
468
469 return check_ca(x);
470}
471
445/* Check SSL CA: common checks for SSL client and server */ 472/* Check SSL CA: common checks for SSL client and server */
446static int check_ssl_ca(const X509 *x) 473static int check_ssl_ca(const X509 *x)
447{ 474{
448 int ca_ret; 475 int ca_ret;
449 ca_ret = ca_check(x); 476 ca_ret = check_ca(x);
450 if(!ca_ret) return 0; 477 if(!ca_ret) return 0;
451 /* check nsCertType if present */ 478 /* check nsCertType if present */
452 if(x->ex_flags & EXFLAG_NSCERT) { 479 if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
453 if(x->ex_nscert & NS_SSL_CA) return ca_ret;
454 return 0;
455 }
456 if(ca_ret != 2) return ca_ret;
457 else return 0; 480 else return 0;
458} 481}
459 482
@@ -498,14 +521,10 @@ static int purpose_smime(const X509 *x, int ca)
498 if(xku_reject(x,XKU_SMIME)) return 0; 521 if(xku_reject(x,XKU_SMIME)) return 0;
499 if(ca) { 522 if(ca) {
500 int ca_ret; 523 int ca_ret;
501 ca_ret = ca_check(x); 524 ca_ret = check_ca(x);
502 if(!ca_ret) return 0; 525 if(!ca_ret) return 0;
503 /* check nsCertType if present */ 526 /* check nsCertType if present */
504 if(x->ex_flags & EXFLAG_NSCERT) { 527 if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
505 if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
506 return 0;
507 }
508 if(ca_ret != 2) return ca_ret;
509 else return 0; 528 else return 0;
510 } 529 }
511 if(x->ex_flags & EXFLAG_NSCERT) { 530 if(x->ex_flags & EXFLAG_NSCERT) {
@@ -539,7 +558,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
539{ 558{
540 if(ca) { 559 if(ca) {
541 int ca_ret; 560 int ca_ret;
542 if((ca_ret = ca_check(x)) != 2) return ca_ret; 561 if((ca_ret = check_ca(x)) != 2) return ca_ret;
543 else return 0; 562 else return 0;
544 } 563 }
545 if(ku_reject(x, KU_CRL_SIGN)) return 0; 564 if(ku_reject(x, KU_CRL_SIGN)) return 0;
@@ -552,17 +571,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
552 571
553static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) 572static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
554{ 573{
555 /* Must be a valid CA */ 574 /* Must be a valid CA. Should we really support the "I don't know"
556 if(ca) { 575 value (2)? */
557 int ca_ret; 576 if(ca) return check_ca(x);
558 ca_ret = ca_check(x);
559 if(ca_ret != 2) return ca_ret;
560 if(x->ex_flags & EXFLAG_NSCERT) {
561 if(x->ex_nscert & NS_ANY_CA) return ca_ret;
562 return 0;
563 }
564 return 0;
565 }
566 /* leaf certificate is checked in OCSP_verify() */ 577 /* leaf certificate is checked in OCSP_verify() */
567 return 1; 578 return 1;
568} 579}
@@ -624,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject)
624 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; 635 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
625 } 636 }
626 } 637 }
627 if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; 638 if(subject->ex_flags & EXFLAG_PROXY)
639 {
640 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
641 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
642 }
643 else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
644 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
628 return X509_V_OK; 645 return X509_V_OK;
629} 646}
630 647
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
index 6458e95bb9..2df0c3ef01 100644
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
1/* crypto/x509v3/v3err.c */ 1/* crypto/x509v3/v3err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -72,12 +72,14 @@ static ERR_STRING_DATA X509V3_str_functs[]=
72{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"}, 72{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"},
73{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"}, 73{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"},
74{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"}, 74{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"},
75{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0), "I2S_ASN1_IA5STRING"},
75{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"}, 76{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"},
76{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"}, 77{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"},
77{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"}, 78{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"},
78{ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"}, 79{ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"},
79{ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"}, 80{ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"},
80{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"}, 81{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"},
82{ERR_PACK(0,X509V3_F_R2I_PCI,0), "R2I_PCI"},
81{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"}, 83{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"},
82{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"}, 84{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"},
83{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"}, 85{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"},
@@ -128,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
128{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, 130{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
129{X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, 131{X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"},
130{X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, 132{X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"},
133{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG ,"incorrect policy syntax tag"},
131{X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, 134{X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"},
132{X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, 135{X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"},
133{X509V3_R_INVALID_NAME ,"invalid name"}, 136{X509V3_R_INVALID_NAME ,"invalid name"},
@@ -139,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
139{X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, 142{X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"},
140{X509V3_R_INVALID_OPTION ,"invalid option"}, 143{X509V3_R_INVALID_OPTION ,"invalid option"},
141{X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, 144{X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"},
145{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"},
146{X509V3_R_INVALID_PROXY_POLICY_SETTING ,"invalid proxy policy setting"},
142{X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, 147{X509V3_R_INVALID_PURPOSE ,"invalid purpose"},
143{X509V3_R_INVALID_SECTION ,"invalid section"}, 148{X509V3_R_INVALID_SECTION ,"invalid section"},
144{X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, 149{X509V3_R_INVALID_SYNTAX ,"invalid syntax"},
@@ -149,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
149{X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, 154{X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"},
150{X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"}, 155{X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"},
151{X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"}, 156{X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"},
157{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"},
152{X509V3_R_NO_PUBLIC_KEY ,"no public key"}, 158{X509V3_R_NO_PUBLIC_KEY ,"no public key"},
153{X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, 159{X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"},
154{X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, 160{X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"},
161{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"},
162{X509V3_R_POLICY_PATH_LENGTH ,"policy path length"},
163{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"},
164{X509V3_R_POLICY_SYNTAX_NOT ,"policy syntax not"},
165{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"},
166{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"},
155{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, 167{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"},
156{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, 168{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"},
157{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, 169{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"},
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index fb07a19016..e6d91251c2 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
287DECLARE_STACK_OF(POLICYINFO) 287DECLARE_STACK_OF(POLICYINFO)
288DECLARE_ASN1_SET_OF(POLICYINFO) 288DECLARE_ASN1_SET_OF(POLICYINFO)
289 289
290/* Proxy certificate structures, see RFC 3820 */
291typedef struct PROXY_POLICY_st
292 {
293 ASN1_OBJECT *policyLanguage;
294 ASN1_OCTET_STRING *policy;
295 } PROXY_POLICY;
296
297typedef struct PROXY_CERT_INFO_EXTENSION_st
298 {
299 ASN1_INTEGER *pcPathLengthConstraint;
300 PROXY_POLICY *proxyPolicy;
301 } PROXY_CERT_INFO_EXTENSION;
302
303DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
304DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
305
306
290#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ 307#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
291",name:", val->name, ",value:", val->value); 308",name:", val->name, ",value:", val->value);
292 309
@@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
325#define EXFLAG_INVALID 0x80 342#define EXFLAG_INVALID 0x80
326#define EXFLAG_SET 0x100 343#define EXFLAG_SET 0x100
327#define EXFLAG_CRITICAL 0x200 344#define EXFLAG_CRITICAL 0x200
345#define EXFLAG_PROXY 0x400
328 346
329#define KU_DIGITAL_SIGNATURE 0x0080 347#define KU_DIGITAL_SIGNATURE 0x0080
330#define KU_NON_REPUDIATION 0x0040 348#define KU_NON_REPUDIATION 0x0040
@@ -527,6 +545,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
527 545
528int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); 546int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
529 547
548int X509_check_ca(X509 *x);
530int X509_check_purpose(X509 *x, int id, int ca); 549int X509_check_purpose(X509 *x, int id, int ca);
531int X509_supported_extension(X509_EXTENSION *ex); 550int X509_supported_extension(X509_EXTENSION *ex);
532int X509_PURPOSE_set(int *p, int purpose); 551int X509_PURPOSE_set(int *p, int purpose);
@@ -564,12 +583,14 @@ void ERR_load_X509V3_strings(void);
564#define X509V3_F_DO_EXT_I2D 135 583#define X509V3_F_DO_EXT_I2D 135
565#define X509V3_F_HEX_TO_STRING 111 584#define X509V3_F_HEX_TO_STRING 111
566#define X509V3_F_I2S_ASN1_ENUMERATED 121 585#define X509V3_F_I2S_ASN1_ENUMERATED 121
586#define X509V3_F_I2S_ASN1_IA5STRING 142
567#define X509V3_F_I2S_ASN1_INTEGER 120 587#define X509V3_F_I2S_ASN1_INTEGER 120
568#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 588#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
569#define X509V3_F_NOTICE_SECTION 132 589#define X509V3_F_NOTICE_SECTION 132
570#define X509V3_F_NREF_NOS 133 590#define X509V3_F_NREF_NOS 133
571#define X509V3_F_POLICY_SECTION 131 591#define X509V3_F_POLICY_SECTION 131
572#define X509V3_F_R2I_CERTPOL 130 592#define X509V3_F_R2I_CERTPOL 130
593#define X509V3_F_R2I_PCI 142
573#define X509V3_F_S2I_ASN1_IA5STRING 100 594#define X509V3_F_S2I_ASN1_IA5STRING 100
574#define X509V3_F_S2I_ASN1_INTEGER 108 595#define X509V3_F_S2I_ASN1_INTEGER 108
575#define X509V3_F_S2I_ASN1_OCTET_STRING 112 596#define X509V3_F_S2I_ASN1_OCTET_STRING 112
@@ -617,6 +638,7 @@ void ERR_load_X509V3_strings(void);
617#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 638#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
618#define X509V3_R_EXTENSION_VALUE_ERROR 116 639#define X509V3_R_EXTENSION_VALUE_ERROR 116
619#define X509V3_R_ILLEGAL_HEX_DIGIT 113 640#define X509V3_R_ILLEGAL_HEX_DIGIT 113
641#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 153
620#define X509V3_R_INVALID_BOOLEAN_STRING 104 642#define X509V3_R_INVALID_BOOLEAN_STRING 104
621#define X509V3_R_INVALID_EXTENSION_STRING 105 643#define X509V3_R_INVALID_EXTENSION_STRING 105
622#define X509V3_R_INVALID_NAME 106 644#define X509V3_R_INVALID_NAME 106
@@ -628,6 +650,8 @@ void ERR_load_X509V3_strings(void);
628#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 650#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
629#define X509V3_R_INVALID_OPTION 138 651#define X509V3_R_INVALID_OPTION 138
630#define X509V3_R_INVALID_POLICY_IDENTIFIER 134 652#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
653#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER 147
654#define X509V3_R_INVALID_PROXY_POLICY_SETTING 151
631#define X509V3_R_INVALID_PURPOSE 146 655#define X509V3_R_INVALID_PURPOSE 146
632#define X509V3_R_INVALID_SECTION 135 656#define X509V3_R_INVALID_SECTION 135
633#define X509V3_R_INVALID_SYNTAX 143 657#define X509V3_R_INVALID_SYNTAX 143
@@ -638,9 +662,16 @@ void ERR_load_X509V3_strings(void);
638#define X509V3_R_NO_ISSUER_CERTIFICATE 121 662#define X509V3_R_NO_ISSUER_CERTIFICATE 121
639#define X509V3_R_NO_ISSUER_DETAILS 127 663#define X509V3_R_NO_ISSUER_DETAILS 127
640#define X509V3_R_NO_POLICY_IDENTIFIER 139 664#define X509V3_R_NO_POLICY_IDENTIFIER 139
665#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 148
641#define X509V3_R_NO_PUBLIC_KEY 114 666#define X509V3_R_NO_PUBLIC_KEY 114
642#define X509V3_R_NO_SUBJECT_DETAILS 125 667#define X509V3_R_NO_SUBJECT_DETAILS 125
643#define X509V3_R_ODD_NUMBER_OF_DIGITS 112 668#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
669#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 149
670#define X509V3_R_POLICY_PATH_LENGTH 152
671#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 150
672#define X509V3_R_POLICY_SYNTAX_NOT 154
673#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 155
674#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156
644#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 675#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
645#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 676#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
646#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 677#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
index 854d1f164e..4c1d595b0a 100644
--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir = $dir/newcerts # default place for new certs.
44 44
45certificate = $dir/cacert.pem # The CA certificate 45certificate = $dir/cacert.pem # The CA certificate
46serial = $dir/serial # The current serial number 46serial = $dir/serial # The current serial number
47#crlnumber = $dir/crlnumber # the current crl number 47#crlnumber = $dir/crlnumber # the current crl number must be
48 # must be commented out to leave a V1 CRL 48 # commented out to leave a V1 CRL
49crl = $dir/crl.pem # The current CRL 49crl = $dir/crl.pem # The current CRL
50private_key = $dir/private/cakey.pem# The private key 50private_key = $dir/private/cakey.pem# The private key
51RANDFILE = $dir/private/.rand # private random number file 51RANDFILE = $dir/private/.rand # private random number file
@@ -258,3 +258,56 @@ basicConstraints = CA:true
258 258
259# issuerAltName=issuer:copy 259# issuerAltName=issuer:copy
260authorityKeyIdentifier=keyid:always,issuer:always 260authorityKeyIdentifier=keyid:always,issuer:always
261
262[ proxy_cert_ext ]
263# These extensions should be added when creating a proxy certificate
264
265# This goes against PKIX guidelines but some CAs do it and some software
266# requires this to avoid interpreting an end user certificate as a CA.
267
268basicConstraints=CA:FALSE
269
270# Here are some examples of the usage of nsCertType. If it is omitted
271# the certificate can be used for anything *except* object signing.
272
273# This is OK for an SSL server.
274# nsCertType = server
275
276# For an object signing certificate this would be used.
277# nsCertType = objsign
278
279# For normal client use this is typical
280# nsCertType = client, email
281
282# and for everything including object signing:
283# nsCertType = client, email, objsign
284
285# This is typical in keyUsage for a client certificate.
286# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
287
288# This will be displayed in Netscape's comment listbox.
289nsComment = "OpenSSL Generated Certificate"
290
291# PKIX recommendations harmless if included in all certificates.
292subjectKeyIdentifier=hash
293authorityKeyIdentifier=keyid,issuer:always
294
295# This stuff is for subjectAltName and issuerAltname.
296# Import the email address.
297# subjectAltName=email:copy
298# An alternative to produce certificates that aren't
299# deprecated according to PKIX.
300# subjectAltName=email:move
301
302# Copy subject details
303# issuerAltName=issuer:copy
304
305#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
306#nsBaseUrl
307#nsRevocationUrl
308#nsRenewalUrl
309#nsCaPolicyUrl
310#nsSslServerName
311
312# This really needs to be in place for it to be a proxy certificate.
313proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/src/lib/libssl/doc/standards.txt b/src/lib/libssl/doc/standards.txt
index edbe2f3a57..f6675b574b 100644
--- a/src/lib/libssl/doc/standards.txt
+++ b/src/lib/libssl/doc/standards.txt
@@ -88,6 +88,10 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
88 (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status: 88 (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:
89 INFORMATIONAL) 89 INFORMATIONAL)
90 90
913820 Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate
92 Profile. S. Tuecke, V. Welch, D. Engert, L. Pearlman, M. Thompson.
93 June 2004. (Format: TXT=86374 bytes) (Status: PROPOSED STANDARD)
94
91 95
92Related: 96Related:
93-------- 97--------
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 64ee4269ec..779e94a35c 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -235,7 +235,8 @@ static int ssl23_client_hello(SSL *s)
235#endif 235#endif
236 236
237 p=s->s3->client_random; 237 p=s->s3->client_random;
238 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE); 238 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
239 return -1;
239 240
240 /* Do the message type and length last */ 241 /* Do the message type and length last */
241 d= &(buf[2]); 242 d= &(buf[2]);
@@ -248,6 +249,14 @@ static int ssl23_client_hello(SSL *s)
248 *(d++)=TLS1_VERSION_MINOR; 249 *(d++)=TLS1_VERSION_MINOR;
249 s->client_version=TLS1_VERSION; 250 s->client_version=TLS1_VERSION;
250 } 251 }
252#ifdef OPENSSL_FIPS
253 else if(FIPS_mode())
254 {
255 SSLerr(SSL_F_SSL23_CLIENT_HELLO,
256 SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
257 return -1;
258 }
259#endif
251 else if (!(s->options & SSL_OP_NO_SSLv3)) 260 else if (!(s->options & SSL_OP_NO_SSLv3))
252 { 261 {
253 *(d++)=SSL3_VERSION_MAJOR; 262 *(d++)=SSL3_VERSION_MAJOR;
@@ -296,7 +305,9 @@ static int ssl23_client_hello(SSL *s)
296 i=ch_len; 305 i=ch_len;
297 s2n(i,d); 306 s2n(i,d);
298 memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE); 307 memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
299 RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); 308 if(RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
309 return -1;
310
300 memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); 311 memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
301 p+=i; 312 p+=i;
302 313
@@ -426,6 +437,14 @@ static int ssl23_get_server_hello(SSL *s)
426 if ((p[2] == SSL3_VERSION_MINOR) && 437 if ((p[2] == SSL3_VERSION_MINOR) &&
427 !(s->options & SSL_OP_NO_SSLv3)) 438 !(s->options & SSL_OP_NO_SSLv3))
428 { 439 {
440#ifdef OPENSSL_FIPS
441 if(FIPS_mode())
442 {
443 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
444 SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
445 goto err;
446 }
447#endif
429 s->version=SSL3_VERSION; 448 s->version=SSL3_VERSION;
430 s->method=SSLv3_client_method(); 449 s->method=SSLv3_client_method();
431 } 450 }
diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c
index b70002a647..8d7dbcf569 100644
--- a/src/lib/libssl/s23_lib.c
+++ b/src/lib/libssl/s23_lib.c
@@ -87,7 +87,7 @@ static SSL_METHOD SSLv23_data= {
87 ssl3_ctx_ctrl, 87 ssl3_ctx_ctrl,
88 ssl23_get_cipher_by_char, 88 ssl23_get_cipher_by_char,
89 ssl23_put_cipher_by_char, 89 ssl23_put_cipher_by_char,
90 ssl_undefined_function, 90 ssl_undefined_const_function,
91 ssl23_num_ciphers, 91 ssl23_num_ciphers,
92 ssl23_get_cipher, 92 ssl23_get_cipher,
93 ssl_bad_method, 93 ssl_bad_method,
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index c5404ca0bc..92f3391f60 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -407,6 +407,15 @@ int ssl23_get_client_hello(SSL *s)
407 } 407 }
408 } 408 }
409 409
410#ifdef OPENSSL_FIPS
411 if (FIPS_mode() && (s->version < TLS1_VERSION))
412 {
413 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
414 SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
415 goto err;
416 }
417#endif
418
410 if (s->state == SSL23_ST_SR_CLNT_HELLO_B) 419 if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
411 { 420 {
412 /* we have SSLv3/TLSv1 in an SSLv2 header 421 /* we have SSLv3/TLSv1 in an SSLv2 header
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 26ce0cb963..0969476b25 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -117,6 +117,7 @@
117#include <openssl/objects.h> 117#include <openssl/objects.h>
118#include <openssl/evp.h> 118#include <openssl/evp.h>
119#include <openssl/md5.h> 119#include <openssl/md5.h>
120#include <openssl/fips.h>
120 121
121static SSL_METHOD *ssl3_get_client_method(int ver); 122static SSL_METHOD *ssl3_get_client_method(int ver);
122static int ssl3_client_hello(SSL *s); 123static int ssl3_client_hello(SSL *s);
@@ -534,7 +535,8 @@ static int ssl3_client_hello(SSL *s)
534 p=s->s3->client_random; 535 p=s->s3->client_random;
535 Time=time(NULL); /* Time */ 536 Time=time(NULL); /* Time */
536 l2n(Time,p); 537 l2n(Time,p);
537 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); 538 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
539 goto err;
538 540
539 /* Do the message type and length last */ 541 /* Do the message type and length last */
540 d=p= &(buf[4]); 542 d=p= &(buf[4]);
@@ -1160,11 +1162,14 @@ static int ssl3_get_key_exchange(SSL *s)
1160 q=md_buf; 1162 q=md_buf;
1161 for (num=2; num > 0; num--) 1163 for (num=2; num > 0; num--)
1162 { 1164 {
1165 EVP_MD_CTX_set_flags(&md_ctx,
1166 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1163 EVP_DigestInit_ex(&md_ctx,(num == 2) 1167 EVP_DigestInit_ex(&md_ctx,(num == 2)
1164 ?s->ctx->md5:s->ctx->sha1, NULL); 1168 ?s->ctx->md5:s->ctx->sha1, NULL);
1165 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1169 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1166 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1170 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1167 EVP_DigestUpdate(&md_ctx,param,param_len); 1171 EVP_DigestUpdate(&md_ctx,param,param_len);
1172
1168 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1173 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1169 q+=i; 1174 q+=i;
1170 j+=i; 1175 j+=i;
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index d04096016c..9bf1dbec06 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
142 SSL3_TXT_RSA_NULL_SHA, 142 SSL3_TXT_RSA_NULL_SHA,
143 SSL3_CK_RSA_NULL_SHA, 143 SSL3_CK_RSA_NULL_SHA,
144 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, 144 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
145 SSL_NOT_EXP|SSL_STRONG_NONE, 145 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
146 0, 146 0,
147 0, 147 0,
148 0, 148 0,
@@ -183,7 +183,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
183 SSL3_TXT_ADH_DES_40_CBC_SHA, 183 SSL3_TXT_ADH_DES_40_CBC_SHA,
184 SSL3_CK_ADH_DES_40_CBC_SHA, 184 SSL3_CK_ADH_DES_40_CBC_SHA,
185 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, 185 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
186 SSL_EXPORT|SSL_EXP40, 186 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
187 0, 187 0,
188 40, 188 40,
189 128, 189 128,
@@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
196 SSL3_TXT_ADH_DES_64_CBC_SHA, 196 SSL3_TXT_ADH_DES_64_CBC_SHA,
197 SSL3_CK_ADH_DES_64_CBC_SHA, 197 SSL3_CK_ADH_DES_64_CBC_SHA,
198 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, 198 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3,
199 SSL_NOT_EXP|SSL_LOW, 199 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
200 0, 200 0,
201 56, 201 56,
202 56, 202 56,
@@ -209,7 +209,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
209 SSL3_TXT_ADH_DES_192_CBC_SHA, 209 SSL3_TXT_ADH_DES_192_CBC_SHA,
210 SSL3_CK_ADH_DES_192_CBC_SHA, 210 SSL3_CK_ADH_DES_192_CBC_SHA,
211 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, 211 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
212 SSL_NOT_EXP|SSL_HIGH, 212 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
213 0, 213 0,
214 168, 214 168,
215 168, 215 168,
@@ -291,7 +291,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
291 SSL3_TXT_RSA_DES_40_CBC_SHA, 291 SSL3_TXT_RSA_DES_40_CBC_SHA,
292 SSL3_CK_RSA_DES_40_CBC_SHA, 292 SSL3_CK_RSA_DES_40_CBC_SHA,
293 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 293 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
294 SSL_EXPORT|SSL_EXP40, 294 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
295 0, 295 0,
296 40, 296 40,
297 56, 297 56,
@@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
304 SSL3_TXT_RSA_DES_64_CBC_SHA, 304 SSL3_TXT_RSA_DES_64_CBC_SHA,
305 SSL3_CK_RSA_DES_64_CBC_SHA, 305 SSL3_CK_RSA_DES_64_CBC_SHA,
306 SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 306 SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
307 SSL_NOT_EXP|SSL_LOW, 307 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
308 0, 308 0,
309 56, 309 56,
310 56, 310 56,
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
317 SSL3_TXT_RSA_DES_192_CBC3_SHA, 317 SSL3_TXT_RSA_DES_192_CBC3_SHA,
318 SSL3_CK_RSA_DES_192_CBC3_SHA, 318 SSL3_CK_RSA_DES_192_CBC3_SHA,
319 SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 319 SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
320 SSL_NOT_EXP|SSL_HIGH, 320 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
321 0, 321 0,
322 168, 322 168,
323 168, 323 168,
@@ -332,7 +332,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
332 SSL3_TXT_DH_DSS_DES_40_CBC_SHA, 332 SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
333 SSL3_CK_DH_DSS_DES_40_CBC_SHA, 333 SSL3_CK_DH_DSS_DES_40_CBC_SHA,
334 SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 334 SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
335 SSL_EXPORT|SSL_EXP40, 335 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
336 0, 336 0,
337 40, 337 40,
338 56, 338 56,
@@ -345,7 +345,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
345 SSL3_TXT_DH_DSS_DES_64_CBC_SHA, 345 SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
346 SSL3_CK_DH_DSS_DES_64_CBC_SHA, 346 SSL3_CK_DH_DSS_DES_64_CBC_SHA,
347 SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 347 SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
348 SSL_NOT_EXP|SSL_LOW, 348 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
349 0, 349 0,
350 56, 350 56,
351 56, 351 56,
@@ -358,7 +358,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
358 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, 358 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
359 SSL3_CK_DH_DSS_DES_192_CBC3_SHA, 359 SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
360 SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 360 SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
361 SSL_NOT_EXP|SSL_HIGH, 361 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
362 0, 362 0,
363 168, 363 168,
364 168, 364 168,
@@ -371,7 +371,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
371 SSL3_TXT_DH_RSA_DES_40_CBC_SHA, 371 SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
372 SSL3_CK_DH_RSA_DES_40_CBC_SHA, 372 SSL3_CK_DH_RSA_DES_40_CBC_SHA,
373 SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 373 SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
374 SSL_EXPORT|SSL_EXP40, 374 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
375 0, 375 0,
376 40, 376 40,
377 56, 377 56,
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
384 SSL3_TXT_DH_RSA_DES_64_CBC_SHA, 384 SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
385 SSL3_CK_DH_RSA_DES_64_CBC_SHA, 385 SSL3_CK_DH_RSA_DES_64_CBC_SHA,
386 SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 386 SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
387 SSL_NOT_EXP|SSL_LOW, 387 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
388 0, 388 0,
389 56, 389 56,
390 56, 390 56,
@@ -397,7 +397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
397 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, 397 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
398 SSL3_CK_DH_RSA_DES_192_CBC3_SHA, 398 SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
399 SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 399 SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
400 SSL_NOT_EXP|SSL_HIGH, 400 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
401 0, 401 0,
402 168, 402 168,
403 168, 403 168,
@@ -412,7 +412,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
412 SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, 412 SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
413 SSL3_CK_EDH_DSS_DES_40_CBC_SHA, 413 SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
414 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, 414 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
415 SSL_EXPORT|SSL_EXP40, 415 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
416 0, 416 0,
417 40, 417 40,
418 56, 418 56,
@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
425 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, 425 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
426 SSL3_CK_EDH_DSS_DES_64_CBC_SHA, 426 SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
427 SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, 427 SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3,
428 SSL_NOT_EXP|SSL_LOW, 428 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
429 0, 429 0,
430 56, 430 56,
431 56, 431 56,
@@ -438,7 +438,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
438 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 438 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
439 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, 439 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
440 SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, 440 SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
441 SSL_NOT_EXP|SSL_HIGH, 441 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
442 0, 442 0,
443 168, 443 168,
444 168, 444 168,
@@ -451,7 +451,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
451 SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, 451 SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
452 SSL3_CK_EDH_RSA_DES_40_CBC_SHA, 452 SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
453 SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 453 SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
454 SSL_EXPORT|SSL_EXP40, 454 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
455 0, 455 0,
456 40, 456 40,
457 56, 457 56,
@@ -464,7 +464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
464 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, 464 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
465 SSL3_CK_EDH_RSA_DES_64_CBC_SHA, 465 SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
466 SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 466 SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
467 SSL_NOT_EXP|SSL_LOW, 467 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
468 0, 468 0,
469 56, 469 56,
470 56, 470 56,
@@ -477,7 +477,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
477 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 477 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
478 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 478 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
479 SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 479 SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
480 SSL_NOT_EXP|SSL_HIGH, 480 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
481 0, 481 0,
482 168, 482 168,
483 168, 483 168,
@@ -541,7 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
541 SSL3_TXT_KRB5_DES_64_CBC_SHA, 541 SSL3_TXT_KRB5_DES_64_CBC_SHA,
542 SSL3_CK_KRB5_DES_64_CBC_SHA, 542 SSL3_CK_KRB5_DES_64_CBC_SHA,
543 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 543 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
544 SSL_NOT_EXP|SSL_LOW, 544 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
545 0, 545 0,
546 56, 546 56,
547 56, 547 56,
@@ -555,7 +555,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
555 SSL3_TXT_KRB5_DES_192_CBC3_SHA, 555 SSL3_TXT_KRB5_DES_192_CBC3_SHA,
556 SSL3_CK_KRB5_DES_192_CBC3_SHA, 556 SSL3_CK_KRB5_DES_192_CBC3_SHA,
557 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, 557 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
558 SSL_NOT_EXP|SSL_HIGH, 558 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
559 0, 559 0,
560 112, 560 112,
561 168, 561 168,
@@ -653,7 +653,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
653 SSL3_TXT_KRB5_DES_40_CBC_SHA, 653 SSL3_TXT_KRB5_DES_40_CBC_SHA,
654 SSL3_CK_KRB5_DES_40_CBC_SHA, 654 SSL3_CK_KRB5_DES_40_CBC_SHA,
655 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 655 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
656 SSL_EXPORT|SSL_EXP40, 656 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
657 0, 657 0,
658 40, 658 40,
659 56, 659 56,
@@ -767,7 +767,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
767 TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, 767 TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
768 TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, 768 TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
769 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, 769 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
770 SSL_EXPORT|SSL_EXP56, 770 SSL_EXPORT|SSL_EXP56|SSL_FIPS,
771 0, 771 0,
772 56, 772 56,
773 56, 773 56,
@@ -780,7 +780,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
780 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 780 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
781 TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 781 TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
782 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, 782 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
783 SSL_EXPORT|SSL_EXP56, 783 SSL_EXPORT|SSL_EXP56|SSL_FIPS,
784 0, 784 0,
785 56, 785 56,
786 56, 786 56,
@@ -835,7 +835,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
835 TLS1_TXT_RSA_WITH_AES_128_SHA, 835 TLS1_TXT_RSA_WITH_AES_128_SHA,
836 TLS1_CK_RSA_WITH_AES_128_SHA, 836 TLS1_CK_RSA_WITH_AES_128_SHA,
837 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 837 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
838 SSL_NOT_EXP|SSL_MEDIUM, 838 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
839 0, 839 0,
840 128, 840 128,
841 128, 841 128,
@@ -848,7 +848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
848 TLS1_TXT_DH_DSS_WITH_AES_128_SHA, 848 TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
849 TLS1_CK_DH_DSS_WITH_AES_128_SHA, 849 TLS1_CK_DH_DSS_WITH_AES_128_SHA,
850 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 850 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
851 SSL_NOT_EXP|SSL_MEDIUM, 851 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
852 0, 852 0,
853 128, 853 128,
854 128, 854 128,
@@ -861,7 +861,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
861 TLS1_TXT_DH_RSA_WITH_AES_128_SHA, 861 TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
862 TLS1_CK_DH_RSA_WITH_AES_128_SHA, 862 TLS1_CK_DH_RSA_WITH_AES_128_SHA,
863 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 863 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
864 SSL_NOT_EXP|SSL_MEDIUM, 864 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
865 0, 865 0,
866 128, 866 128,
867 128, 867 128,
@@ -874,7 +874,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
874 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, 874 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
875 TLS1_CK_DHE_DSS_WITH_AES_128_SHA, 875 TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
876 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 876 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
877 SSL_NOT_EXP|SSL_MEDIUM, 877 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
878 0, 878 0,
879 128, 879 128,
880 128, 880 128,
@@ -887,7 +887,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
887 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 887 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
888 TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 888 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
889 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 889 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
890 SSL_NOT_EXP|SSL_MEDIUM, 890 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
891 0, 891 0,
892 128, 892 128,
893 128, 893 128,
@@ -900,7 +900,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
900 TLS1_TXT_ADH_WITH_AES_128_SHA, 900 TLS1_TXT_ADH_WITH_AES_128_SHA,
901 TLS1_CK_ADH_WITH_AES_128_SHA, 901 TLS1_CK_ADH_WITH_AES_128_SHA,
902 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 902 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
903 SSL_NOT_EXP|SSL_MEDIUM, 903 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
904 0, 904 0,
905 128, 905 128,
906 128, 906 128,
@@ -914,7 +914,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
914 TLS1_TXT_RSA_WITH_AES_256_SHA, 914 TLS1_TXT_RSA_WITH_AES_256_SHA,
915 TLS1_CK_RSA_WITH_AES_256_SHA, 915 TLS1_CK_RSA_WITH_AES_256_SHA,
916 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 916 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
917 SSL_NOT_EXP|SSL_HIGH, 917 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
918 0, 918 0,
919 256, 919 256,
920 256, 920 256,
@@ -927,7 +927,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
927 TLS1_TXT_DH_DSS_WITH_AES_256_SHA, 927 TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
928 TLS1_CK_DH_DSS_WITH_AES_256_SHA, 928 TLS1_CK_DH_DSS_WITH_AES_256_SHA,
929 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 929 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
930 SSL_NOT_EXP|SSL_HIGH, 930 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
931 0, 931 0,
932 256, 932 256,
933 256, 933 256,
@@ -940,7 +940,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
940 TLS1_TXT_DH_RSA_WITH_AES_256_SHA, 940 TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
941 TLS1_CK_DH_RSA_WITH_AES_256_SHA, 941 TLS1_CK_DH_RSA_WITH_AES_256_SHA,
942 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 942 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
943 SSL_NOT_EXP|SSL_HIGH, 943 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
944 0, 944 0,
945 256, 945 256,
946 256, 946 256,
@@ -953,7 +953,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
953 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, 953 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
954 TLS1_CK_DHE_DSS_WITH_AES_256_SHA, 954 TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
955 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 955 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
956 SSL_NOT_EXP|SSL_HIGH, 956 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
957 0, 957 0,
958 256, 958 256,
959 256, 959 256,
@@ -966,7 +966,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
966 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 966 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
967 TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 967 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
968 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 968 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
969 SSL_NOT_EXP|SSL_HIGH, 969 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
970 0, 970 0,
971 256, 971 256,
972 256, 972 256,
@@ -979,7 +979,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
979 TLS1_TXT_ADH_WITH_AES_256_SHA, 979 TLS1_TXT_ADH_WITH_AES_256_SHA,
980 TLS1_CK_ADH_WITH_AES_256_SHA, 980 TLS1_CK_ADH_WITH_AES_256_SHA,
981 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 981 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
982 SSL_NOT_EXP|SSL_HIGH, 982 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
983 0, 983 0,
984 256, 984 256,
985 256, 985 256,
@@ -1057,7 +1057,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
1057 return(NULL); 1057 return(NULL);
1058 } 1058 }
1059 1059
1060int ssl3_pending(SSL *s) 1060int ssl3_pending(const SSL *s)
1061 { 1061 {
1062 if (s->rstate == SSL_ST_READ_BODY) 1062 if (s->rstate == SSL_ST_READ_BODY)
1063 return 0; 1063 return 0;
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 9f3e5139ad..cb0b12b400 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -862,7 +862,7 @@ start:
862 { 862 {
863 al=SSL_AD_UNEXPECTED_MESSAGE; 863 al=SSL_AD_UNEXPECTED_MESSAGE;
864 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 864 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
865 goto err; 865 goto f_err;
866 } 866 }
867 867
868 /* If the other end has shut down, throw anything we read away 868 /* If the other end has shut down, throw anything we read away
@@ -969,7 +969,7 @@ start:
969 { 969 {
970 al=SSL_AD_DECODE_ERROR; 970 al=SSL_AD_DECODE_ERROR;
971 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); 971 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
972 goto err; 972 goto f_err;
973 } 973 }
974 974
975 if (s->msg_callback) 975 if (s->msg_callback)
@@ -1080,17 +1080,17 @@ start:
1080 if ( (rr->length != 1) || (rr->off != 0) || 1080 if ( (rr->length != 1) || (rr->off != 0) ||
1081 (rr->data[0] != SSL3_MT_CCS)) 1081 (rr->data[0] != SSL3_MT_CCS))
1082 { 1082 {
1083 i=SSL_AD_ILLEGAL_PARAMETER; 1083 al=SSL_AD_ILLEGAL_PARAMETER;
1084 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); 1084 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
1085 goto err; 1085 goto f_err;
1086 } 1086 }
1087 1087
1088 /* Check we have a cipher to change to */ 1088 /* Check we have a cipher to change to */
1089 if (s->s3->tmp.new_cipher == NULL) 1089 if (s->s3->tmp.new_cipher == NULL)
1090 { 1090 {
1091 i=SSL_AD_UNEXPECTED_MESSAGE; 1091 al=SSL_AD_UNEXPECTED_MESSAGE;
1092 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 1092 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
1093 goto err; 1093 goto f_err;
1094 } 1094 }
1095 1095
1096 rr->length=0; 1096 rr->length=0;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index deb3cffabe..c4a1a71523 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -125,6 +125,7 @@
125#include <openssl/krb5_asn.h> 125#include <openssl/krb5_asn.h>
126#endif 126#endif
127#include <openssl/md5.h> 127#include <openssl/md5.h>
128#include <openssl/fips.h>
128 129
129static SSL_METHOD *ssl3_get_server_method(int ver); 130static SSL_METHOD *ssl3_get_server_method(int ver);
130static int ssl3_get_client_hello(SSL *s); 131static int ssl3_get_client_hello(SSL *s);
@@ -955,7 +956,8 @@ static int ssl3_send_server_hello(SSL *s)
955 p=s->s3->server_random; 956 p=s->s3->server_random;
956 Time=time(NULL); /* Time */ 957 Time=time(NULL); /* Time */
957 l2n(Time,p); 958 l2n(Time,p);
958 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); 959 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
960 return -1;
959 /* Do the message type and length last */ 961 /* Do the message type and length last */
960 d=p= &(buf[4]); 962 d=p= &(buf[4]);
961 963
@@ -1211,6 +1213,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
1211 j=0; 1213 j=0;
1212 for (num=2; num > 0; num--) 1214 for (num=2; num > 0; num--)
1213 { 1215 {
1216 EVP_MD_CTX_set_flags(&md_ctx,
1217 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1214 EVP_DigestInit_ex(&md_ctx,(num == 2) 1218 EVP_DigestInit_ex(&md_ctx,(num == 2)
1215 ?s->ctx->md5:s->ctx->sha1, NULL); 1219 ?s->ctx->md5:s->ctx->sha1, NULL);
1216 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1220 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1491,7 +1495,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
1491 i = SSL_MAX_MASTER_KEY_LENGTH; 1495 i = SSL_MAX_MASTER_KEY_LENGTH;
1492 p[0] = s->client_version >> 8; 1496 p[0] = s->client_version >> 8;
1493 p[1] = s->client_version & 0xff; 1497 p[1] = s->client_version & 0xff;
1494 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ 1498 if(RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
1499 goto err;
1495 } 1500 }
1496 1501
1497 s->session->master_key_length= 1502 s->session->master_key_length=
@@ -1589,7 +1594,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1589 n2s(p,i); 1594 n2s(p,i);
1590 enc_ticket.length = i; 1595 enc_ticket.length = i;
1591 1596
1592 if (n < enc_ticket.length + 6) 1597 if (n < (long)enc_ticket.length + 6)
1593 { 1598 {
1594 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1599 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1595 SSL_R_DATA_LENGTH_TOO_LONG); 1600 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1602,7 +1607,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1602 n2s(p,i); 1607 n2s(p,i);
1603 authenticator.length = i; 1608 authenticator.length = i;
1604 1609
1605 if (n < enc_ticket.length + authenticator.length + 6) 1610 if (n < (long)(enc_ticket.length + authenticator.length + 6))
1606 { 1611 {
1607 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1612 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1608 SSL_R_DATA_LENGTH_TOO_LONG); 1613 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1627,8 +1632,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
1627 goto err; 1632 goto err;
1628 } 1633 }
1629 1634
1630 if (n != enc_ticket.length + authenticator.length + 1635 if (n != (long)(enc_ticket.length + authenticator.length +
1631 enc_pms.length + 6) 1636 enc_pms.length + 6))
1632 { 1637 {
1633 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1638 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1634 SSL_R_DATA_LENGTH_TOO_LONG); 1639 SSL_R_DATA_LENGTH_TOO_LONG);
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 913bd40eea..3161f532cf 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -239,6 +239,7 @@ extern "C" {
239#define SSL_TXT_LOW "LOW" 239#define SSL_TXT_LOW "LOW"
240#define SSL_TXT_MEDIUM "MEDIUM" 240#define SSL_TXT_MEDIUM "MEDIUM"
241#define SSL_TXT_HIGH "HIGH" 241#define SSL_TXT_HIGH "HIGH"
242#define SSL_TXT_FIPS "FIPS"
242#define SSL_TXT_kFZA "kFZA" 243#define SSL_TXT_kFZA "kFZA"
243#define SSL_TXT_aFZA "aFZA" 244#define SSL_TXT_aFZA "aFZA"
244#define SSL_TXT_eFZA "eFZA" 245#define SSL_TXT_eFZA "eFZA"
@@ -372,7 +373,7 @@ typedef struct ssl_method_st
372 long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg); 373 long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
373 SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); 374 SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
374 int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr); 375 int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
375 int (*ssl_pending)(SSL *s); 376 int (*ssl_pending)(const SSL *s);
376 int (*num_ciphers)(void); 377 int (*num_ciphers)(void);
377 SSL_CIPHER *(*get_cipher)(unsigned ncipher); 378 SSL_CIPHER *(*get_cipher)(unsigned ncipher);
378 struct ssl_method_st *(*get_ssl_method)(int version); 379 struct ssl_method_st *(*get_ssl_method)(int version);
@@ -998,8 +999,8 @@ extern "C" {
998 * -- that we sent (SSL_get_finished) 999 * -- that we sent (SSL_get_finished)
999 * -- that we expected from peer (SSL_get_peer_finished). 1000 * -- that we expected from peer (SSL_get_peer_finished).
1000 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */ 1001 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
1001size_t SSL_get_finished(SSL *s, void *buf, size_t count); 1002size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
1002size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count); 1003size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
1003 1004
1004/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options 1005/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
1005 * are 'ored' with SSL_VERIFY_PEER if they are desired */ 1006 * are 'ored' with SSL_VERIFY_PEER if they are desired */
@@ -1171,26 +1172,26 @@ int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
1171SSL_CTX *SSL_CTX_new(SSL_METHOD *meth); 1172SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
1172void SSL_CTX_free(SSL_CTX *); 1173void SSL_CTX_free(SSL_CTX *);
1173long SSL_CTX_set_timeout(SSL_CTX *ctx,long t); 1174long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
1174long SSL_CTX_get_timeout(SSL_CTX *ctx); 1175long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1175X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *); 1176X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1176void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *); 1177void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
1177int SSL_want(SSL *s); 1178int SSL_want(const SSL *s);
1178int SSL_clear(SSL *s); 1179int SSL_clear(SSL *s);
1179 1180
1180void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm); 1181void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
1181 1182
1182SSL_CIPHER *SSL_get_current_cipher(SSL *s); 1183SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1183int SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits); 1184int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
1184char * SSL_CIPHER_get_version(SSL_CIPHER *c); 1185char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
1185const char * SSL_CIPHER_get_name(SSL_CIPHER *c); 1186const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
1186 1187
1187int SSL_get_fd(SSL *s); 1188int SSL_get_fd(const SSL *s);
1188int SSL_get_rfd(SSL *s); 1189int SSL_get_rfd(const SSL *s);
1189int SSL_get_wfd(SSL *s); 1190int SSL_get_wfd(const SSL *s);
1190const char * SSL_get_cipher_list(SSL *s,int n); 1191const char * SSL_get_cipher_list(const SSL *s,int n);
1191char * SSL_get_shared_ciphers(SSL *s, char *buf, int len); 1192char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
1192int SSL_get_read_ahead(SSL * s); 1193int SSL_get_read_ahead(const SSL * s);
1193int SSL_pending(SSL *s); 1194int SSL_pending(const SSL *s);
1194#ifndef OPENSSL_NO_SOCK 1195#ifndef OPENSSL_NO_SOCK
1195int SSL_set_fd(SSL *s, int fd); 1196int SSL_set_fd(SSL *s, int fd);
1196int SSL_set_rfd(SSL *s, int fd); 1197int SSL_set_rfd(SSL *s, int fd);
@@ -1198,14 +1199,14 @@ int SSL_set_wfd(SSL *s, int fd);
1198#endif 1199#endif
1199#ifndef OPENSSL_NO_BIO 1200#ifndef OPENSSL_NO_BIO
1200void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio); 1201void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
1201BIO * SSL_get_rbio(SSL *s); 1202BIO * SSL_get_rbio(const SSL *s);
1202BIO * SSL_get_wbio(SSL *s); 1203BIO * SSL_get_wbio(const SSL *s);
1203#endif 1204#endif
1204int SSL_set_cipher_list(SSL *s, const char *str); 1205int SSL_set_cipher_list(SSL *s, const char *str);
1205void SSL_set_read_ahead(SSL *s, int yes); 1206void SSL_set_read_ahead(SSL *s, int yes);
1206int SSL_get_verify_mode(SSL *s); 1207int SSL_get_verify_mode(const SSL *s);
1207int SSL_get_verify_depth(SSL *s); 1208int SSL_get_verify_depth(const SSL *s);
1208int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *); 1209int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
1209void SSL_set_verify(SSL *s, int mode, 1210void SSL_set_verify(SSL *s, int mode,
1210 int (*callback)(int ok,X509_STORE_CTX *ctx)); 1211 int (*callback)(int ok,X509_STORE_CTX *ctx));
1211void SSL_set_verify_depth(SSL *s, int depth); 1212void SSL_set_verify_depth(SSL *s, int depth);
@@ -1243,20 +1244,20 @@ const char *SSL_state_string(const SSL *s);
1243const char *SSL_rstate_string(const SSL *s); 1244const char *SSL_rstate_string(const SSL *s);
1244const char *SSL_state_string_long(const SSL *s); 1245const char *SSL_state_string_long(const SSL *s);
1245const char *SSL_rstate_string_long(const SSL *s); 1246const char *SSL_rstate_string_long(const SSL *s);
1246long SSL_SESSION_get_time(SSL_SESSION *s); 1247long SSL_SESSION_get_time(const SSL_SESSION *s);
1247long SSL_SESSION_set_time(SSL_SESSION *s, long t); 1248long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1248long SSL_SESSION_get_timeout(SSL_SESSION *s); 1249long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1249long SSL_SESSION_set_timeout(SSL_SESSION *s, long t); 1250long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1250void SSL_copy_session_id(SSL *to,SSL *from); 1251void SSL_copy_session_id(SSL *to,const SSL *from);
1251 1252
1252SSL_SESSION *SSL_SESSION_new(void); 1253SSL_SESSION *SSL_SESSION_new(void);
1253unsigned long SSL_SESSION_hash(SSL_SESSION *a); 1254unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
1254int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b); 1255int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
1255#ifndef OPENSSL_NO_FP_API 1256#ifndef OPENSSL_NO_FP_API
1256int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses); 1257int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
1257#endif 1258#endif
1258#ifndef OPENSSL_NO_BIO 1259#ifndef OPENSSL_NO_BIO
1259int SSL_SESSION_print(BIO *fp,SSL_SESSION *ses); 1260int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
1260#endif 1261#endif
1261void SSL_SESSION_free(SSL_SESSION *ses); 1262void SSL_SESSION_free(SSL_SESSION *ses);
1262int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); 1263int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
@@ -1267,17 +1268,18 @@ int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
1267int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB); 1268int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
1268int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, 1269int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1269 unsigned int id_len); 1270 unsigned int id_len);
1270SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length); 1271SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char * const *pp,
1272 long length);
1271 1273
1272#ifdef HEADER_X509_H 1274#ifdef HEADER_X509_H
1273X509 * SSL_get_peer_certificate(SSL *s); 1275X509 * SSL_get_peer_certificate(const SSL *s);
1274#endif 1276#endif
1275 1277
1276STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s); 1278STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1277 1279
1278int SSL_CTX_get_verify_mode(SSL_CTX *ctx); 1280int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1279int SSL_CTX_get_verify_depth(SSL_CTX *ctx); 1281int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1280int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *); 1282int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
1281void SSL_CTX_set_verify(SSL_CTX *ctx,int mode, 1283void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
1282 int (*callback)(int, X509_STORE_CTX *)); 1284 int (*callback)(int, X509_STORE_CTX *));
1283void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); 1285void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
@@ -1295,8 +1297,8 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
1295void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); 1297void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1296void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); 1298void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1297 1299
1298int SSL_CTX_check_private_key(SSL_CTX *ctx); 1300int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1299int SSL_check_private_key(SSL *ctx); 1301int SSL_check_private_key(const SSL *ctx);
1300 1302
1301int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, 1303int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
1302 unsigned int sid_ctx_len); 1304 unsigned int sid_ctx_len);
@@ -1321,8 +1323,8 @@ long SSL_callback_ctrl(SSL *, int, void (*)());
1321long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg); 1323long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
1322long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)()); 1324long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
1323 1325
1324int SSL_get_error(SSL *s,int ret_code); 1326int SSL_get_error(const SSL *s,int ret_code);
1325const char *SSL_get_version(SSL *s); 1327const char *SSL_get_version(const SSL *s);
1326 1328
1327/* This sets the 'default' SSL version that SSL_new() will create */ 1329/* This sets the 'default' SSL version that SSL_new() will create */
1328int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth); 1330int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
@@ -1343,7 +1345,7 @@ SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
1343SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ 1345SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
1344SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */ 1346SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
1345 1347
1346STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s); 1348STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1347 1349
1348int SSL_do_handshake(SSL *s); 1350int SSL_do_handshake(SSL *s);
1349int SSL_renegotiate(SSL *s); 1351int SSL_renegotiate(SSL *s);
@@ -1359,15 +1361,15 @@ const char *SSL_alert_desc_string(int value);
1359 1361
1360void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list); 1362void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1361void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list); 1363void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1362STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); 1364STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1363STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s); 1365STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1364int SSL_add_client_CA(SSL *ssl,X509 *x); 1366int SSL_add_client_CA(SSL *ssl,X509 *x);
1365int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x); 1367int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
1366 1368
1367void SSL_set_connect_state(SSL *s); 1369void SSL_set_connect_state(SSL *s);
1368void SSL_set_accept_state(SSL *s); 1370void SSL_set_accept_state(SSL *s);
1369 1371
1370long SSL_get_default_timeout(SSL *s); 1372long SSL_get_default_timeout(const SSL *s);
1371 1373
1372int SSL_library_init(void ); 1374int SSL_library_init(void );
1373 1375
@@ -1376,43 +1378,43 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
1376 1378
1377SSL *SSL_dup(SSL *ssl); 1379SSL *SSL_dup(SSL *ssl);
1378 1380
1379X509 *SSL_get_certificate(SSL *ssl); 1381X509 *SSL_get_certificate(const SSL *ssl);
1380/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl); 1382/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
1381 1383
1382void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode); 1384void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
1383int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx); 1385int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
1384void SSL_set_quiet_shutdown(SSL *ssl,int mode); 1386void SSL_set_quiet_shutdown(SSL *ssl,int mode);
1385int SSL_get_quiet_shutdown(SSL *ssl); 1387int SSL_get_quiet_shutdown(const SSL *ssl);
1386void SSL_set_shutdown(SSL *ssl,int mode); 1388void SSL_set_shutdown(SSL *ssl,int mode);
1387int SSL_get_shutdown(SSL *ssl); 1389int SSL_get_shutdown(const SSL *ssl);
1388int SSL_version(SSL *ssl); 1390int SSL_version(const SSL *ssl);
1389int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); 1391int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
1390int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 1392int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1391 const char *CApath); 1393 const char *CApath);
1392#define SSL_get0_session SSL_get_session /* just peek at pointer */ 1394#define SSL_get0_session SSL_get_session /* just peek at pointer */
1393SSL_SESSION *SSL_get_session(SSL *ssl); 1395SSL_SESSION *SSL_get_session(const SSL *ssl);
1394SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */ 1396SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
1395SSL_CTX *SSL_get_SSL_CTX(SSL *ssl); 1397SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
1396void SSL_set_info_callback(SSL *ssl, 1398void SSL_set_info_callback(SSL *ssl,
1397 void (*cb)(const SSL *ssl,int type,int val)); 1399 void (*cb)(const SSL *ssl,int type,int val));
1398void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val); 1400void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
1399int SSL_state(SSL *ssl); 1401int SSL_state(const SSL *ssl);
1400 1402
1401void SSL_set_verify_result(SSL *ssl,long v); 1403void SSL_set_verify_result(SSL *ssl,long v);
1402long SSL_get_verify_result(SSL *ssl); 1404long SSL_get_verify_result(const SSL *ssl);
1403 1405
1404int SSL_set_ex_data(SSL *ssl,int idx,void *data); 1406int SSL_set_ex_data(SSL *ssl,int idx,void *data);
1405void *SSL_get_ex_data(SSL *ssl,int idx); 1407void *SSL_get_ex_data(const SSL *ssl,int idx);
1406int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1408int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1407 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 1409 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1408 1410
1409int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data); 1411int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
1410void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx); 1412void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
1411int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1413int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1412 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 1414 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1413 1415
1414int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data); 1416int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
1415void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx); 1417void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
1416int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1418int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1417 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 1419 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1418 1420
@@ -1603,6 +1605,7 @@ void ERR_load_SSL_strings(void);
1603#define SSL_F_SSL_SET_TRUST 228 1605#define SSL_F_SSL_SET_TRUST 228
1604#define SSL_F_SSL_SET_WFD 196 1606#define SSL_F_SSL_SET_WFD 196
1605#define SSL_F_SSL_SHUTDOWN 224 1607#define SSL_F_SSL_SHUTDOWN 224
1608#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
1606#define SSL_F_SSL_UNDEFINED_FUNCTION 197 1609#define SSL_F_SSL_UNDEFINED_FUNCTION 197
1607#define SSL_F_SSL_USE_CERTIFICATE 198 1610#define SSL_F_SSL_USE_CERTIFICATE 198
1608#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 1611#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
@@ -1741,6 +1744,7 @@ void ERR_load_SSL_strings(void);
1741#define SSL_R_NULL_SSL_CTX 195 1744#define SSL_R_NULL_SSL_CTX 195
1742#define SSL_R_NULL_SSL_METHOD_PASSED 196 1745#define SSL_R_NULL_SSL_METHOD_PASSED 196
1743#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 1746#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
1747#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 1115
1744#define SSL_R_PACKET_LENGTH_TOO_LONG 198 1748#define SSL_R_PACKET_LENGTH_TOO_LONG 198
1745#define SSL_R_PATH_TOO_LONG 270 1749#define SSL_R_PATH_TOO_LONG 270
1746#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 1750#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index d8ff8fc4a3..4d5900ad2f 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -226,7 +226,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
226 M_ASN1_I2D_finish(); 226 M_ASN1_I2D_finish();
227 } 227 }
228 228
229SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, 229SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp,
230 long length) 230 long length)
231 { 231 {
232 int version,ssl_version=0,i; 232 int version,ssl_version=0,i;
@@ -266,7 +266,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
266 ((unsigned long)os.data[1]<< 8L)| 266 ((unsigned long)os.data[1]<< 8L)|
267 (unsigned long)os.data[2]; 267 (unsigned long)os.data[2];
268 } 268 }
269 else if ((ssl_version>>8) == 3) 269 else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
270 { 270 {
271 if (os.length != 2) 271 if (os.length != 2)
272 { 272 {
@@ -287,9 +287,9 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
287 ret->cipher_id=id; 287 ret->cipher_id=id;
288 288
289 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); 289 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
290 if ((ssl_version>>8) == SSL3_VERSION) 290 if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
291 i=SSL3_MAX_SSL_SESSION_ID_LENGTH; 291 i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
292 else /* if (ssl_version == SSL2_VERSION) */ 292 else /* if (ssl_version == SSL2_VERSION_MAJOR) */
293 i=SSL2_MAX_SSL_SESSION_ID_LENGTH; 293 i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
294 294
295 if (os.length > i) 295 if (os.length > i)
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 2cfb615878..b8b9bc2390 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -117,6 +117,7 @@
117 117
118#if defined(WIN32) 118#if defined(WIN32)
119#include <windows.h> 119#include <windows.h>
120#include <tchar.h>
120#endif 121#endif
121 122
122#ifdef NeXT 123#ifdef NeXT
@@ -129,6 +130,7 @@
129#include <openssl/pem.h> 130#include <openssl/pem.h>
130#include <openssl/x509v3.h> 131#include <openssl/x509v3.h>
131#include "ssl_locl.h" 132#include "ssl_locl.h"
133#include <openssl/fips.h>
132 134
133int SSL_get_ex_data_X509_STORE_CTX_idx(void) 135int SSL_get_ex_data_X509_STORE_CTX_idx(void)
134 { 136 {
@@ -542,12 +544,12 @@ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
542 set_client_CA_list(&(ctx->client_CA),name_list); 544 set_client_CA_list(&(ctx->client_CA),name_list);
543 } 545 }
544 546
545STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx) 547STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
546 { 548 {
547 return(ctx->client_CA); 549 return(ctx->client_CA);
548 } 550 }
549 551
550STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s) 552STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
551 { 553 {
552 if (s->type == SSL_ST_CONNECT) 554 if (s->type == SSL_ST_CONNECT)
553 { /* we are in the client */ 555 { /* we are in the client */
@@ -783,36 +785,54 @@ err:
783 785
784#else /* OPENSSL_SYS_WIN32 */ 786#else /* OPENSSL_SYS_WIN32 */
785 787
788#if defined(_WIN32_WCE)
789# ifndef UNICODE
790# error "WinCE comes in UNICODE flavor only..."
791# endif
792# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
793# define OPENSSL_NO_MULTIBYTE
794# endif
795# ifndef FindFirstFile
796# define FindFirstFile FindFirstFileW
797# endif
798# ifndef FindNextFile
799# define FindNextFile FindNextFileW
800# endif
801#endif
802
786int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 803int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
787 const char *dir) 804 const char *dir)
788 { 805 {
789 WIN32_FIND_DATA FindFileData; 806 WIN32_FIND_DATA FindFileData;
790 HANDLE hFind; 807 HANDLE hFind;
791 int ret = 0; 808 int ret = 0;
792#ifdef OPENSSL_SYS_WINCE 809 TCHAR *wdir = NULL;
793 WCHAR* wdir = NULL; 810 size_t i,len_0 = strlen(dir)+1; /* len_0 accounts for trailing 0 */
794#endif 811 char buf[1024],*slash;
812
813 if (len_0 > (sizeof(buf)-14)) /* 14 is just some value... */
814 {
815 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
816 return ret;
817 }
795 818
796 CRYPTO_w_lock(CRYPTO_LOCK_READDIR); 819 CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
797 820
798#ifdef OPENSSL_SYS_WINCE 821 if (sizeof(TCHAR) != sizeof(char))
799 /* convert strings to UNICODE */ 822 {
800 { 823 wdir = (TCHAR *)malloc(len_0*sizeof(TCHAR));
801 BOOL result = FALSE;
802 int i;
803 wdir = malloc((strlen(dir)+1)*2);
804 if (wdir == NULL) 824 if (wdir == NULL)
805 goto err_noclose; 825 goto err_noclose;
806 for (i=0; i<(int)strlen(dir)+1; i++) 826#ifndef OPENSSL_NO_MULTIBYTE
807 wdir[i] = (short)dir[i]; 827 if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
808 } 828 (WCHAR *)wdir,len_0))
809#endif 829#endif
830 for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
831
832 hFind = FindFirstFile(wdir, &FindFileData);
833 }
834 else hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
810 835
811#ifdef OPENSSL_SYS_WINCE
812 hFind = FindFirstFile(wdir, &FindFileData);
813#else
814 hFind = FindFirstFile(dir, &FindFileData);
815#endif
816 /* Note that a side effect is that the CAs will be sorted by name */ 836 /* Note that a side effect is that the CAs will be sorted by name */
817 if(hFind == INVALID_HANDLE_VALUE) 837 if(hFind == INVALID_HANDLE_VALUE)
818 { 838 {
@@ -821,25 +841,34 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
821 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); 841 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
822 goto err_noclose; 842 goto err_noclose;
823 } 843 }
824 844
825 do 845 strncpy(buf,dir,sizeof(buf)); /* strcpy is safe too... */
826 { 846 buf[len_0-1]='/'; /* no trailing zero! */
827 char buf[1024]; 847 slash=buf+len_0;
828 int r; 848
829 849 do {
830#ifdef OPENSSL_SYS_WINCE 850 const TCHAR *fnam=FindFileData.cFileName;
831 if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf) 851 size_t flen_0=_tcslen(fnam)+1;
832#else 852
833 if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf) 853 if (flen_0 > (sizeof(buf)-len_0))
834#endif
835 { 854 {
836 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG); 855 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
837 goto err; 856 goto err;
838 } 857 }
839 858 /* else strcpy would be safe too... */
840 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,FindFileData.cFileName); 859
841 if (r <= 0 || r >= sizeof buf) 860 if (sizeof(TCHAR) != sizeof(char))
842 goto err; 861 {
862#ifndef OPENSSL_NO_MULTIBYTE
863 if (!WideCharToMultiByte(CP_ACP,0,
864 (WCHAR *)fnam,flen_0,
865 slash,sizeof(buf)-len_0,
866 NULL,0))
867#endif
868 for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
869 }
870 else strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
871
843 if(!SSL_add_file_cert_subjects_to_stack(stack,buf)) 872 if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
844 goto err; 873 goto err;
845 } 874 }
@@ -849,10 +878,9 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
849err: 878err:
850 FindClose(hFind); 879 FindClose(hFind);
851err_noclose: 880err_noclose:
852#ifdef OPENSSL_SYS_WINCE
853 if (wdir != NULL) 881 if (wdir != NULL)
854 free(wdir); 882 free(wdir);
855#endif 883
856 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); 884 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
857 return ret; 885 return ret;
858 } 886 }
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 44c503eb04..b68ed81e52 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -59,6 +59,7 @@
59#include <stdio.h> 59#include <stdio.h>
60#include <openssl/objects.h> 60#include <openssl/objects.h>
61#include <openssl/comp.h> 61#include <openssl/comp.h>
62#include <openssl/fips.h>
62#include "ssl_locl.h" 63#include "ssl_locl.h"
63 64
64#define SSL_ENC_DES_IDX 0 65#define SSL_ENC_DES_IDX 0
@@ -153,13 +154,13 @@ static const SSL_CIPHER cipher_aliases[]={
153 {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK}, 154 {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
154 {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK}, 155 {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
155 {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK}, 156 {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
157 {0,SSL_TXT_FIPS, 0, 0, SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
156 }; 158 };
157 159
158static int init_ciphers=1; 160static int init_ciphers=1;
159 161
160static void load_ciphers(void) 162static void load_ciphers(void)
161 { 163 {
162 init_ciphers=0;
163 ssl_cipher_methods[SSL_ENC_DES_IDX]= 164 ssl_cipher_methods[SSL_ENC_DES_IDX]=
164 EVP_get_cipherbyname(SN_des_cbc); 165 EVP_get_cipherbyname(SN_des_cbc);
165 ssl_cipher_methods[SSL_ENC_3DES_IDX]= 166 ssl_cipher_methods[SSL_ENC_3DES_IDX]=
@@ -183,9 +184,10 @@ static void load_ciphers(void)
183 EVP_get_digestbyname(SN_md5); 184 EVP_get_digestbyname(SN_md5);
184 ssl_digest_methods[SSL_MD_SHA1_IDX]= 185 ssl_digest_methods[SSL_MD_SHA1_IDX]=
185 EVP_get_digestbyname(SN_sha1); 186 EVP_get_digestbyname(SN_sha1);
187 init_ciphers=0;
186 } 188 }
187 189
188int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc, 190int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
189 const EVP_MD **md, SSL_COMP **comp) 191 const EVP_MD **md, SSL_COMP **comp)
190 { 192 {
191 int i; 193 int i;
@@ -359,7 +361,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
359 { 361 {
360 c = ssl_method->get_cipher(i); 362 c = ssl_method->get_cipher(i);
361 /* drop those that use any of that is not available */ 363 /* drop those that use any of that is not available */
364#ifdef OPENSSL_FIPS
365 if ((c != NULL) && c->valid && !(c->algorithms & mask)
366 && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
367#else
362 if ((c != NULL) && c->valid && !(c->algorithms & mask)) 368 if ((c != NULL) && c->valid && !(c->algorithms & mask))
369#endif
363 { 370 {
364 co_list[co_list_num].cipher = c; 371 co_list[co_list_num].cipher = c;
365 co_list[co_list_num].next = NULL; 372 co_list[co_list_num].next = NULL;
@@ -854,7 +861,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
854 */ 861 */
855 for (curr = head; curr != NULL; curr = curr->next) 862 for (curr = head; curr != NULL; curr = curr->next)
856 { 863 {
864#ifdef OPENSSL_FIPS
865 if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
866#else
857 if (curr->active) 867 if (curr->active)
868#endif
858 { 869 {
859 sk_SSL_CIPHER_push(cipherstack, curr->cipher); 870 sk_SSL_CIPHER_push(cipherstack, curr->cipher);
860#ifdef CIPHER_DEBUG 871#ifdef CIPHER_DEBUG
@@ -1054,7 +1065,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
1054 return(buf); 1065 return(buf);
1055 } 1066 }
1056 1067
1057char *SSL_CIPHER_get_version(SSL_CIPHER *c) 1068char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
1058 { 1069 {
1059 int i; 1070 int i;
1060 1071
@@ -1069,7 +1080,7 @@ char *SSL_CIPHER_get_version(SSL_CIPHER *c)
1069 } 1080 }
1070 1081
1071/* return the actual cipher being used */ 1082/* return the actual cipher being used */
1072const char *SSL_CIPHER_get_name(SSL_CIPHER *c) 1083const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
1073 { 1084 {
1074 if (c != NULL) 1085 if (c != NULL)
1075 return(c->name); 1086 return(c->name);
@@ -1077,7 +1088,7 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
1077 } 1088 }
1078 1089
1079/* number of bits for symmetric cipher */ 1090/* number of bits for symmetric cipher */
1080int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits) 1091int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1081 { 1092 {
1082 int ret=0; 1093 int ret=0;
1083 1094
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index d2cb181503..29b8ff4788 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,6 +1,6 @@
1/* ssl/ssl_err.c */ 1/* ssl/ssl_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -193,6 +193,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
193{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0), "SSL_set_trust"}, 193{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0), "SSL_set_trust"},
194{ERR_PACK(0,SSL_F_SSL_SET_WFD,0), "SSL_set_wfd"}, 194{ERR_PACK(0,SSL_F_SSL_SET_WFD,0), "SSL_set_wfd"},
195{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0), "SSL_shutdown"}, 195{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0), "SSL_shutdown"},
196{ERR_PACK(0,SSL_F_SSL_UNDEFINED_CONST_FUNCTION,0), "SSL_UNDEFINED_CONST_FUNCTION"},
196{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0), "SSL_UNDEFINED_FUNCTION"}, 197{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0), "SSL_UNDEFINED_FUNCTION"},
197{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0), "SSL_use_certificate"}, 198{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0), "SSL_use_certificate"},
198{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0), "SSL_use_certificate_ASN1"}, 199{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0), "SSL_use_certificate_ASN1"},
@@ -334,6 +335,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
334{SSL_R_NULL_SSL_CTX ,"null ssl ctx"}, 335{SSL_R_NULL_SSL_CTX ,"null ssl ctx"},
335{SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"}, 336{SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"},
336{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"}, 337{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"},
338{SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE ,"only tls allowed in fips mode"},
337{SSL_R_PACKET_LENGTH_TOO_LONG ,"packet length too long"}, 339{SSL_R_PACKET_LENGTH_TOO_LONG ,"packet length too long"},
338{SSL_R_PATH_TOO_LONG ,"path too long"}, 340{SSL_R_PATH_TOO_LONG ,"path too long"},
339{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"}, 341{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index ee9a82d586..631229558f 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -121,6 +121,7 @@
121#include <openssl/objects.h> 121#include <openssl/objects.h>
122#include <openssl/lhash.h> 122#include <openssl/lhash.h>
123#include <openssl/x509v3.h> 123#include <openssl/x509v3.h>
124#include <openssl/fips.h>
124 125
125const char *SSL_version_str=OPENSSL_VERSION_TEXT; 126const char *SSL_version_str=OPENSSL_VERSION_TEXT;
126 127
@@ -500,18 +501,18 @@ void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
500 s->wbio=wbio; 501 s->wbio=wbio;
501 } 502 }
502 503
503BIO *SSL_get_rbio(SSL *s) 504BIO *SSL_get_rbio(const SSL *s)
504 { return(s->rbio); } 505 { return(s->rbio); }
505 506
506BIO *SSL_get_wbio(SSL *s) 507BIO *SSL_get_wbio(const SSL *s)
507 { return(s->wbio); } 508 { return(s->wbio); }
508 509
509int SSL_get_fd(SSL *s) 510int SSL_get_fd(const SSL *s)
510 { 511 {
511 return(SSL_get_rfd(s)); 512 return(SSL_get_rfd(s));
512 } 513 }
513 514
514int SSL_get_rfd(SSL *s) 515int SSL_get_rfd(const SSL *s)
515 { 516 {
516 int ret= -1; 517 int ret= -1;
517 BIO *b,*r; 518 BIO *b,*r;
@@ -523,7 +524,7 @@ int SSL_get_rfd(SSL *s)
523 return(ret); 524 return(ret);
524 } 525 }
525 526
526int SSL_get_wfd(SSL *s) 527int SSL_get_wfd(const SSL *s)
527 { 528 {
528 int ret= -1; 529 int ret= -1;
529 BIO *b,*r; 530 BIO *b,*r;
@@ -605,7 +606,7 @@ err:
605 606
606 607
607/* return length of latest Finished message we sent, copy to 'buf' */ 608/* return length of latest Finished message we sent, copy to 'buf' */
608size_t SSL_get_finished(SSL *s, void *buf, size_t count) 609size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
609 { 610 {
610 size_t ret = 0; 611 size_t ret = 0;
611 612
@@ -620,7 +621,7 @@ size_t SSL_get_finished(SSL *s, void *buf, size_t count)
620 } 621 }
621 622
622/* return length of latest Finished message we expected, copy to 'buf' */ 623/* return length of latest Finished message we expected, copy to 'buf' */
623size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count) 624size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
624 { 625 {
625 size_t ret = 0; 626 size_t ret = 0;
626 627
@@ -635,32 +636,32 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
635 } 636 }
636 637
637 638
638int SSL_get_verify_mode(SSL *s) 639int SSL_get_verify_mode(const SSL *s)
639 { 640 {
640 return(s->verify_mode); 641 return(s->verify_mode);
641 } 642 }
642 643
643int SSL_get_verify_depth(SSL *s) 644int SSL_get_verify_depth(const SSL *s)
644 { 645 {
645 return(s->verify_depth); 646 return(s->verify_depth);
646 } 647 }
647 648
648int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *) 649int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
649 { 650 {
650 return(s->verify_callback); 651 return(s->verify_callback);
651 } 652 }
652 653
653int SSL_CTX_get_verify_mode(SSL_CTX *ctx) 654int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
654 { 655 {
655 return(ctx->verify_mode); 656 return(ctx->verify_mode);
656 } 657 }
657 658
658int SSL_CTX_get_verify_depth(SSL_CTX *ctx) 659int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
659 { 660 {
660 return(ctx->verify_depth); 661 return(ctx->verify_depth);
661 } 662 }
662 663
663int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *) 664int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
664 { 665 {
665 return(ctx->default_verify_callback); 666 return(ctx->default_verify_callback);
666 } 667 }
@@ -683,12 +684,12 @@ void SSL_set_read_ahead(SSL *s,int yes)
683 s->read_ahead=yes; 684 s->read_ahead=yes;
684 } 685 }
685 686
686int SSL_get_read_ahead(SSL *s) 687int SSL_get_read_ahead(const SSL *s)
687 { 688 {
688 return(s->read_ahead); 689 return(s->read_ahead);
689 } 690 }
690 691
691int SSL_pending(SSL *s) 692int SSL_pending(const SSL *s)
692 { 693 {
693 /* SSL_pending cannot work properly if read-ahead is enabled 694 /* SSL_pending cannot work properly if read-ahead is enabled
694 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), 695 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
@@ -700,7 +701,7 @@ int SSL_pending(SSL *s)
700 return(s->method->ssl_pending(s)); 701 return(s->method->ssl_pending(s));
701 } 702 }
702 703
703X509 *SSL_get_peer_certificate(SSL *s) 704X509 *SSL_get_peer_certificate(const SSL *s)
704 { 705 {
705 X509 *r; 706 X509 *r;
706 707
@@ -716,7 +717,7 @@ X509 *SSL_get_peer_certificate(SSL *s)
716 return(r); 717 return(r);
717 } 718 }
718 719
719STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s) 720STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
720 { 721 {
721 STACK_OF(X509) *r; 722 STACK_OF(X509) *r;
722 723
@@ -733,7 +734,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
733 734
734/* Now in theory, since the calling process own 't' it should be safe to 735/* Now in theory, since the calling process own 't' it should be safe to
735 * modify. We need to be able to read f without being hassled */ 736 * modify. We need to be able to read f without being hassled */
736void SSL_copy_session_id(SSL *t,SSL *f) 737void SSL_copy_session_id(SSL *t,const SSL *f)
737 { 738 {
738 CERT *tmp; 739 CERT *tmp;
739 740
@@ -762,7 +763,7 @@ void SSL_copy_session_id(SSL *t,SSL *f)
762 } 763 }
763 764
764/* Fix this so it checks all the valid key/cert options */ 765/* Fix this so it checks all the valid key/cert options */
765int SSL_CTX_check_private_key(SSL_CTX *ctx) 766int SSL_CTX_check_private_key(const SSL_CTX *ctx)
766 { 767 {
767 if ( (ctx == NULL) || 768 if ( (ctx == NULL) ||
768 (ctx->cert == NULL) || 769 (ctx->cert == NULL) ||
@@ -780,7 +781,7 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx)
780 } 781 }
781 782
782/* Fix this function so that it takes an optional type parameter */ 783/* Fix this function so that it takes an optional type parameter */
783int SSL_check_private_key(SSL *ssl) 784int SSL_check_private_key(const SSL *ssl)
784 { 785 {
785 if (ssl == NULL) 786 if (ssl == NULL)
786 { 787 {
@@ -824,7 +825,7 @@ int SSL_connect(SSL *s)
824 return(s->method->ssl_connect(s)); 825 return(s->method->ssl_connect(s));
825 } 826 }
826 827
827long SSL_get_default_timeout(SSL *s) 828long SSL_get_default_timeout(const SSL *s)
828 { 829 {
829 return(s->method->get_timeout()); 830 return(s->method->get_timeout());
830 } 831 }
@@ -1071,7 +1072,7 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1071 1072
1072/** return a STACK of the ciphers available for the SSL and in order of 1073/** return a STACK of the ciphers available for the SSL and in order of
1073 * preference */ 1074 * preference */
1074STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s) 1075STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
1075 { 1076 {
1076 if (s != NULL) 1077 if (s != NULL)
1077 { 1078 {
@@ -1108,7 +1109,7 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
1108 } 1109 }
1109 1110
1110/** The old interface to get the same thing as SSL_get_ciphers() */ 1111/** The old interface to get the same thing as SSL_get_ciphers() */
1111const char *SSL_get_cipher_list(SSL *s,int n) 1112const char *SSL_get_cipher_list(const SSL *s,int n)
1112 { 1113 {
1113 SSL_CIPHER *c; 1114 SSL_CIPHER *c;
1114 STACK_OF(SSL_CIPHER) *sk; 1115 STACK_OF(SSL_CIPHER) *sk;
@@ -1145,7 +1146,7 @@ int SSL_set_cipher_list(SSL *s,const char *str)
1145 } 1146 }
1146 1147
1147/* works well for SSLv2, not so good for SSLv3 */ 1148/* works well for SSLv2, not so good for SSLv3 */
1148char *SSL_get_shared_ciphers(SSL *s,char *buf,int len) 1149char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1149 { 1150 {
1150 char *p; 1151 char *p;
1151 const char *cp; 1152 const char *cp;
@@ -1249,7 +1250,7 @@ err:
1249 return(NULL); 1250 return(NULL);
1250 } 1251 }
1251 1252
1252unsigned long SSL_SESSION_hash(SSL_SESSION *a) 1253unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
1253 { 1254 {
1254 unsigned long l; 1255 unsigned long l;
1255 1256
@@ -1266,7 +1267,7 @@ unsigned long SSL_SESSION_hash(SSL_SESSION *a)
1266 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being 1267 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1267 * able to construct an SSL_SESSION that will collide with any existing session 1268 * able to construct an SSL_SESSION that will collide with any existing session
1268 * with a matching session ID. */ 1269 * with a matching session ID. */
1269int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b) 1270int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
1270 { 1271 {
1271 if (a->ssl_version != b->ssl_version) 1272 if (a->ssl_version != b->ssl_version)
1272 return(1); 1273 return(1);
@@ -1292,6 +1293,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1292 return(NULL); 1293 return(NULL);
1293 } 1294 }
1294 1295
1296#ifdef OPENSSL_FIPS
1297 if (FIPS_mode() && (meth->version < TLS1_VERSION))
1298 {
1299 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
1300 return NULL;
1301 }
1302#endif
1303
1295 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) 1304 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1296 { 1305 {
1297 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 1306 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1722,7 +1731,7 @@ int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
1722 return(ret); 1731 return(ret);
1723 } 1732 }
1724 1733
1725int SSL_get_error(SSL *s,int i) 1734int SSL_get_error(const SSL *s,int i)
1726 { 1735 {
1727 int reason; 1736 int reason;
1728 unsigned long l; 1737 unsigned long l;
@@ -1856,13 +1865,19 @@ int ssl_undefined_function(SSL *s)
1856 return(0); 1865 return(0);
1857 } 1866 }
1858 1867
1868int ssl_undefined_const_function(const SSL *s)
1869 {
1870 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1871 return(0);
1872 }
1873
1859SSL_METHOD *ssl_bad_method(int ver) 1874SSL_METHOD *ssl_bad_method(int ver)
1860 { 1875 {
1861 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1876 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1862 return(NULL); 1877 return(NULL);
1863 } 1878 }
1864 1879
1865const char *SSL_get_version(SSL *s) 1880const char *SSL_get_version(const SSL *s)
1866 { 1881 {
1867 if (s->version == TLS1_VERSION) 1882 if (s->version == TLS1_VERSION)
1868 return("TLSv1"); 1883 return("TLSv1");
@@ -2031,7 +2046,7 @@ void ssl_clear_cipher_ctx(SSL *s)
2031 } 2046 }
2032 2047
2033/* Fix this function so that it takes an optional type parameter */ 2048/* Fix this function so that it takes an optional type parameter */
2034X509 *SSL_get_certificate(SSL *s) 2049X509 *SSL_get_certificate(const SSL *s)
2035 { 2050 {
2036 if (s->cert != NULL) 2051 if (s->cert != NULL)
2037 return(s->cert->key->x509); 2052 return(s->cert->key->x509);
@@ -2048,7 +2063,7 @@ EVP_PKEY *SSL_get_privatekey(SSL *s)
2048 return(NULL); 2063 return(NULL);
2049 } 2064 }
2050 2065
2051SSL_CIPHER *SSL_get_current_cipher(SSL *s) 2066SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
2052 { 2067 {
2053 if ((s->session != NULL) && (s->session->cipher != NULL)) 2068 if ((s->session != NULL) && (s->session->cipher != NULL))
2054 return(s->session->cipher); 2069 return(s->session->cipher);
@@ -2112,7 +2127,7 @@ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
2112 ctx->quiet_shutdown=mode; 2127 ctx->quiet_shutdown=mode;
2113 } 2128 }
2114 2129
2115int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx) 2130int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
2116 { 2131 {
2117 return(ctx->quiet_shutdown); 2132 return(ctx->quiet_shutdown);
2118 } 2133 }
@@ -2122,7 +2137,7 @@ void SSL_set_quiet_shutdown(SSL *s,int mode)
2122 s->quiet_shutdown=mode; 2137 s->quiet_shutdown=mode;
2123 } 2138 }
2124 2139
2125int SSL_get_quiet_shutdown(SSL *s) 2140int SSL_get_quiet_shutdown(const SSL *s)
2126 { 2141 {
2127 return(s->quiet_shutdown); 2142 return(s->quiet_shutdown);
2128 } 2143 }
@@ -2132,17 +2147,17 @@ void SSL_set_shutdown(SSL *s,int mode)
2132 s->shutdown=mode; 2147 s->shutdown=mode;
2133 } 2148 }
2134 2149
2135int SSL_get_shutdown(SSL *s) 2150int SSL_get_shutdown(const SSL *s)
2136 { 2151 {
2137 return(s->shutdown); 2152 return(s->shutdown);
2138 } 2153 }
2139 2154
2140int SSL_version(SSL *s) 2155int SSL_version(const SSL *s)
2141 { 2156 {
2142 return(s->version); 2157 return(s->version);
2143 } 2158 }
2144 2159
2145SSL_CTX *SSL_get_SSL_CTX(SSL *ssl) 2160SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
2146 { 2161 {
2147 return(ssl->ctx); 2162 return(ssl->ctx);
2148 } 2163 }
@@ -2156,7 +2171,9 @@ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
2156int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 2171int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
2157 const char *CApath) 2172 const char *CApath)
2158 { 2173 {
2159 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); 2174 int r;
2175 r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
2176 return r;
2160 } 2177 }
2161#endif 2178#endif
2162 2179
@@ -2166,12 +2183,12 @@ void SSL_set_info_callback(SSL *ssl,
2166 ssl->info_callback=cb; 2183 ssl->info_callback=cb;
2167 } 2184 }
2168 2185
2169void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val) 2186void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val)
2170 { 2187 {
2171 return ssl->info_callback; 2188 return ssl->info_callback;
2172 } 2189 }
2173 2190
2174int SSL_state(SSL *ssl) 2191int SSL_state(const SSL *ssl)
2175 { 2192 {
2176 return(ssl->state); 2193 return(ssl->state);
2177 } 2194 }
@@ -2181,7 +2198,7 @@ void SSL_set_verify_result(SSL *ssl,long arg)
2181 ssl->verify_result=arg; 2198 ssl->verify_result=arg;
2182 } 2199 }
2183 2200
2184long SSL_get_verify_result(SSL *ssl) 2201long SSL_get_verify_result(const SSL *ssl)
2185 { 2202 {
2186 return(ssl->verify_result); 2203 return(ssl->verify_result);
2187 } 2204 }
@@ -2198,7 +2215,7 @@ int SSL_set_ex_data(SSL *s,int idx,void *arg)
2198 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 2215 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2199 } 2216 }
2200 2217
2201void *SSL_get_ex_data(SSL *s,int idx) 2218void *SSL_get_ex_data(const SSL *s,int idx)
2202 { 2219 {
2203 return(CRYPTO_get_ex_data(&s->ex_data,idx)); 2220 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2204 } 2221 }
@@ -2215,7 +2232,7 @@ int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
2215 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 2232 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2216 } 2233 }
2217 2234
2218void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx) 2235void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
2219 { 2236 {
2220 return(CRYPTO_get_ex_data(&s->ex_data,idx)); 2237 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2221 } 2238 }
@@ -2225,7 +2242,7 @@ int ssl_ok(SSL *s)
2225 return(1); 2242 return(1);
2226 } 2243 }
2227 2244
2228X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx) 2245X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
2229 { 2246 {
2230 return(ctx->cert_store); 2247 return(ctx->cert_store);
2231 } 2248 }
@@ -2237,7 +2254,7 @@ void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
2237 ctx->cert_store=store; 2254 ctx->cert_store=store;
2238 } 2255 }
2239 2256
2240int SSL_want(SSL *s) 2257int SSL_want(const SSL *s)
2241 { 2258 {
2242 return(s->rwstate); 2259 return(s->rwstate);
2243 } 2260 }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index dd6c7a7323..25a144a0d0 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -302,8 +302,9 @@
302#define SSL_LOW 0x00000020L 302#define SSL_LOW 0x00000020L
303#define SSL_MEDIUM 0x00000040L 303#define SSL_MEDIUM 0x00000040L
304#define SSL_HIGH 0x00000080L 304#define SSL_HIGH 0x00000080L
305#define SSL_FIPS 0x00000100L
305 306
306/* we have used 000000ff - 24 bits left to go */ 307/* we have used 000001ff - 23 bits left to go */
307 308
308/* 309/*
309 * Macros to check the export status and cipher strength for export ciphers. 310 * Macros to check the export status and cipher strength for export ciphers.
@@ -498,10 +499,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
498 STACK_OF(SSL_CIPHER) **sorted, 499 STACK_OF(SSL_CIPHER) **sorted,
499 const char *rule_str); 500 const char *rule_str);
500void ssl_update_cache(SSL *s, int mode); 501void ssl_update_cache(SSL *s, int mode);
501int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md, 502int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
502 SSL_COMP **comp); 503 const EVP_MD **md,SSL_COMP **comp);
503int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); 504int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
504int ssl_undefined_function(SSL *s); 505int ssl_undefined_function(SSL *s);
506int ssl_undefined_const_function(const SSL *s);
505X509 *ssl_get_server_send_cert(SSL *); 507X509 *ssl_get_server_send_cert(SSL *);
506EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); 508EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
507int ssl_cert_type(X509 *x,EVP_PKEY *pkey); 509int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
@@ -535,7 +537,7 @@ long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
535long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg); 537long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
536long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)()); 538long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
537long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)()); 539long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
538int ssl2_pending(SSL *s); 540int ssl2_pending(const SSL *s);
539 541
540SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); 542SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
541int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p); 543int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
@@ -583,7 +585,7 @@ long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
583long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg); 585long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
584long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)()); 586long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
585long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)()); 587long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
586int ssl3_pending(SSL *s); 588int ssl3_pending(const SSL *s);
587 589
588int ssl23_accept(SSL *s); 590int ssl23_accept(SSL *s);
589int ssl23_connect(SSL *s); 591int ssl23_connect(SSL *s);
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 330390519b..fb0bd4d045 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -804,7 +804,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
804 /* When the while loop ends, it's usually just EOF. */ 804 /* When the while loop ends, it's usually just EOF. */
805 err = ERR_peek_last_error(); 805 err = ERR_peek_last_error();
806 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) 806 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
807 (void)ERR_get_error(); 807 ERR_clear_error();
808 else 808 else
809 ret = 0; /* some real error */ 809 ret = 0; /* some real error */
810 } 810 }
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 7016c87d3b..5f12aa361c 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -65,7 +65,7 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
65static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); 65static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
66static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck); 66static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
67 67
68SSL_SESSION *SSL_get_session(SSL *ssl) 68SSL_SESSION *SSL_get_session(const SSL *ssl)
69/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */ 69/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
70 { 70 {
71 return(ssl->session); 71 return(ssl->session);
@@ -98,7 +98,7 @@ int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
98 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 98 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
99 } 99 }
100 100
101void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx) 101void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
102 { 102 {
103 return(CRYPTO_get_ex_data(&s->ex_data,idx)); 103 return(CRYPTO_get_ex_data(&s->ex_data,idx));
104 } 104 }
@@ -141,7 +141,8 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
141{ 141{
142 unsigned int retry = 0; 142 unsigned int retry = 0;
143 do 143 do
144 RAND_pseudo_bytes(id, *id_len); 144 if(RAND_pseudo_bytes(id, *id_len) <= 0)
145 return 0;
145 while(SSL_has_matching_session_id(ssl, id, *id_len) && 146 while(SSL_has_matching_session_id(ssl, id, *id_len) &&
146 (++retry < MAX_SESS_ID_ATTEMPTS)); 147 (++retry < MAX_SESS_ID_ATTEMPTS));
147 if(retry < MAX_SESS_ID_ATTEMPTS) 148 if(retry < MAX_SESS_ID_ATTEMPTS)
@@ -609,13 +610,13 @@ long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
609 return(1); 610 return(1);
610 } 611 }
611 612
612long SSL_SESSION_get_timeout(SSL_SESSION *s) 613long SSL_SESSION_get_timeout(const SSL_SESSION *s)
613 { 614 {
614 if (s == NULL) return(0); 615 if (s == NULL) return(0);
615 return(s->timeout); 616 return(s->timeout);
616 } 617 }
617 618
618long SSL_SESSION_get_time(SSL_SESSION *s) 619long SSL_SESSION_get_time(const SSL_SESSION *s)
619 { 620 {
620 if (s == NULL) return(0); 621 if (s == NULL) return(0);
621 return(s->time); 622 return(s->time);
@@ -637,7 +638,7 @@ long SSL_CTX_set_timeout(SSL_CTX *s, long t)
637 return(l); 638 return(l);
638 } 639 }
639 640
640long SSL_CTX_get_timeout(SSL_CTX *s) 641long SSL_CTX_get_timeout(const SSL_CTX *s)
641 { 642 {
642 if (s == NULL) return(0); 643 if (s == NULL) return(0);
643 return(s->session_timeout); 644 return(s->session_timeout);
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
index 40b76b1b26..8655a31333 100644
--- a/src/lib/libssl/ssl_txt.c
+++ b/src/lib/libssl/ssl_txt.c
@@ -61,7 +61,7 @@
61#include "ssl_locl.h" 61#include "ssl_locl.h"
62 62
63#ifndef OPENSSL_NO_FP_API 63#ifndef OPENSSL_NO_FP_API
64int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x) 64int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
65 { 65 {
66 BIO *b; 66 BIO *b;
67 int ret; 67 int ret;
@@ -78,7 +78,7 @@ int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
78 } 78 }
79#endif 79#endif
80 80
81int SSL_SESSION_print(BIO *bp, SSL_SESSION *x) 81int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
82 { 82 {
83 unsigned int i; 83 unsigned int i;
84 char *s; 84 char *s;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 271e247eea..2c6246abf5 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -115,6 +115,7 @@
115#include <openssl/evp.h> 115#include <openssl/evp.h>
116#include <openssl/hmac.h> 116#include <openssl/hmac.h>
117#include <openssl/md5.h> 117#include <openssl/md5.h>
118#include <openssl/fips.h>
118 119
119static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, 120static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
120 int sec_len, unsigned char *seed, int seed_len, 121 int sec_len, unsigned char *seed, int seed_len,
@@ -131,6 +132,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
131 132
132 HMAC_CTX_init(&ctx); 133 HMAC_CTX_init(&ctx);
133 HMAC_CTX_init(&ctx_tmp); 134 HMAC_CTX_init(&ctx_tmp);
135 HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
136 HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
134 HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); 137 HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
135 HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); 138 HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
136 HMAC_Update(&ctx,seed,seed_len); 139 HMAC_Update(&ctx,seed,seed_len);
@@ -177,7 +180,6 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
177 S2= &(sec[len]); 180 S2= &(sec[len]);
178 len+=(slen&1); /* add for odd, make longer */ 181 len+=(slen&1); /* add for odd, make longer */
179 182
180
181 tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen); 183 tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
182 tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); 184 tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
183 185
diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf
index b941b7ae15..21da59a73a 100644
--- a/src/lib/libssl/test/CAss.cnf
+++ b/src/lib/libssl/test/CAss.cnf
@@ -23,3 +23,11 @@ organizationName_value = Dodgy Brothers
23 23
24commonName = Common Name (eg, YOUR name) 24commonName = Common Name (eg, YOUR name)
25commonName_value = Dodgy CA 25commonName_value = Dodgy CA
26
27[ v3_ca ]
28subjectKeyIdentifier=hash
29authorityKeyIdentifier=keyid:always,issuer:always
30basicConstraints = CA:true,pathlen:1
31keyUsage = cRLSign, keyCertSign
32issuerAltName=issuer:copy
33
diff --git a/src/lib/libssl/test/P1ss.cnf b/src/lib/libssl/test/P1ss.cnf
new file mode 100644
index 0000000000..876a0d35f8
--- /dev/null
+++ b/src/lib/libssl/test/P1ss.cnf
@@ -0,0 +1,37 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6RANDFILE = ./.rnd
7
8####################################################################
9[ req ]
10default_bits = 512
11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no
14default_md = md2
15
16[ req_distinguished_name ]
17countryName = Country Name (2 letter code)
18countryName_default = AU
19countryName_value = AU
20
21organizationName = Organization Name (eg, company)
22organizationName_value = Dodgy Brothers
23
240.commonName = Common Name (eg, YOUR name)
250.commonName_value = Brother 1
26
271.commonName = Common Name (eg, YOUR name)
281.commonName_value = Brother 2
29
302.commonName = Common Name (eg, YOUR name)
312.commonName_value = Proxy 1
32
33[ v3_proxy ]
34basicConstraints=CA:FALSE
35subjectKeyIdentifier=hash
36authorityKeyIdentifier=keyid,issuer:always
37proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/src/lib/libssl/test/P2ss.cnf b/src/lib/libssl/test/P2ss.cnf
new file mode 100644
index 0000000000..373a87e7c2
--- /dev/null
+++ b/src/lib/libssl/test/P2ss.cnf
@@ -0,0 +1,45 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6RANDFILE = ./.rnd
7
8####################################################################
9[ req ]
10default_bits = 512
11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no
14default_md = md2
15
16[ req_distinguished_name ]
17countryName = Country Name (2 letter code)
18countryName_default = AU
19countryName_value = AU
20
21organizationName = Organization Name (eg, company)
22organizationName_value = Dodgy Brothers
23
240.commonName = Common Name (eg, YOUR name)
250.commonName_value = Brother 1
26
271.commonName = Common Name (eg, YOUR name)
281.commonName_value = Brother 2
29
302.commonName = Common Name (eg, YOUR name)
312.commonName_value = Proxy 1
32
333.commonName = Common Name (eg, YOUR name)
343.commonName_value = Proxy 2
35
36[ v3_proxy ]
37basicConstraints=CA:FALSE
38subjectKeyIdentifier=hash
39authorityKeyIdentifier=keyid,issuer:always
40proxyCertInfo=critical,@proxy_ext
41
42[ proxy_ext ]
43language=id-ppl-anyLanguage
44pathlen=0
45policy=text:BC
diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf
index c89692d519..0c0ebb5f67 100644
--- a/src/lib/libssl/test/Uss.cnf
+++ b/src/lib/libssl/test/Uss.cnf
@@ -26,3 +26,11 @@ organizationName_value = Dodgy Brothers
26 26
271.commonName = Common Name (eg, YOUR name) 271.commonName = Common Name (eg, YOUR name)
281.commonName_value = Brother 2 281.commonName_value = Brother 2
29
30[ v3_ee ]
31subjectKeyIdentifier=hash
32authorityKeyIdentifier=keyid,issuer:always
33basicConstraints = CA:false
34keyUsage = nonRepudiation, digitalSignature, keyEncipherment
35issuerAltName=issuer:copy
36
diff --git a/src/lib/libssl/test/bctest b/src/lib/libssl/test/bctest
index bdb3218f7a..e81fc0733a 100644
--- a/src/lib/libssl/test/bctest
+++ b/src/lib/libssl/test/bctest
@@ -1,6 +1,6 @@
1#!/bin/sh 1#!/bin/sh
2 2
3# This script is used by test/Makefile.ssl to check whether a sane 'bc' 3# This script is used by test/Makefile to check whether a sane 'bc'
4# is installed. 4# is installed.
5# ('make test_bn' should not try to run 'bc' if it does not exist or if 5# ('make test_bn' should not try to run 'bc' if it does not exist or if
6# it is a broken 'bc' version that is known to cause trouble.) 6# it is a broken 'bc' version that is known to cause trouble.)
diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl
index f71ef7a863..3ffed12a03 100644
--- a/src/lib/libssl/test/tcrl
+++ b/src/lib/libssl/test/tcrl
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl crl' 10cmd='../util/shlib_wrap.sh ../apps/openssl crl'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca
index 8215ebb5d1..5b2faa78f1 100644
--- a/src/lib/libssl/test/testca
+++ b/src/lib/libssl/test/testca
@@ -11,6 +11,9 @@ export SH PATH
11SSLEAY_CONFIG="-config CAss.cnf" 11SSLEAY_CONFIG="-config CAss.cnf"
12export SSLEAY_CONFIG 12export SSLEAY_CONFIG
13 13
14OPENSSL="`pwd`/../util/shlib_wrap.sh openssl"
15export OPENSSL
16
14/bin/rm -fr demoCA 17/bin/rm -fr demoCA
15$SH ../apps/CA.sh -newca <<EOF 18$SH ../apps/CA.sh -newca <<EOF
16EOF 19EOF
diff --git a/src/lib/libssl/test/testenc b/src/lib/libssl/test/testenc
index 0656c7f525..4571ea2875 100644
--- a/src/lib/libssl/test/testenc
+++ b/src/lib/libssl/test/testenc
@@ -1,14 +1,14 @@
1#!/bin/sh 1#!/bin/sh
2 2
3testsrc=Makefile.ssl 3testsrc=Makefile
4test=./p 4test=./p
5cmd=../apps/openssl 5cmd="../util/shlib_wrap.sh ../apps/openssl"
6 6
7cat $testsrc >$test; 7cat $testsrc >$test;
8 8
9echo cat 9echo cat
10$cmd enc < $test > $test.cipher 10$cmd enc -non-fips-allow < $test > $test.cipher
11$cmd enc < $test.cipher >$test.clear 11$cmd enc -non-fips-allow < $test.cipher >$test.clear
12cmp $test $test.clear 12cmp $test $test.clear
13if [ $? != 0 ] 13if [ $? != 0 ]
14then 14then
@@ -17,8 +17,8 @@ else
17 /bin/rm $test.cipher $test.clear 17 /bin/rm $test.cipher $test.clear
18fi 18fi
19echo base64 19echo base64
20$cmd enc -a -e < $test > $test.cipher 20$cmd enc -non-fips-allow -a -e < $test > $test.cipher
21$cmd enc -a -d < $test.cipher >$test.clear 21$cmd enc -non-fips-allow -a -d < $test.cipher >$test.clear
22cmp $test $test.clear 22cmp $test $test.clear
23if [ $? != 0 ] 23if [ $? != 0 ]
24then 24then
@@ -30,8 +30,8 @@ fi
30for i in `$cmd list-cipher-commands` 30for i in `$cmd list-cipher-commands`
31do 31do
32 echo $i 32 echo $i
33 $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher 33 $cmd $i -non-fips-allow -bufsize 113 -e -k test < $test > $test.$i.cipher
34 $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear 34 $cmd $i -non-fips-allow -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
35 cmp $test $test.$i.clear 35 cmp $test $test.$i.clear
36 if [ $? != 0 ] 36 if [ $? != 0 ]
37 then 37 then
@@ -41,8 +41,8 @@ do
41 fi 41 fi
42 42
43 echo $i base64 43 echo $i base64
44 $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher 44 $cmd $i -non-fips-allow -bufsize 113 -a -e -k test < $test > $test.$i.cipher
45 $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear 45 $cmd $i -non-fips-allow -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
46 cmp $test $test.$i.clear 46 cmp $test $test.$i.clear
47 if [ $? != 0 ] 47 if [ $? != 0 ]
48 then 48 then
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
index 3798543e04..524c0d134c 100644
--- a/src/lib/libssl/test/testgen
+++ b/src/lib/libssl/test/testgen
@@ -17,7 +17,7 @@ echo "generating certificate request"
17 17
18echo "string to make the random number generator think it has entropy" >> ./.rnd 18echo "string to make the random number generator think it has entropy" >> ./.rnd
19 19
20if ../apps/openssl no-rsa; then 20if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
21 req_new='-newkey dsa:../apps/dsa512.pem' 21 req_new='-newkey dsa:../apps/dsa512.pem'
22else 22else
23 req_new='-new' 23 req_new='-new'
@@ -29,13 +29,13 @@ echo "This could take some time."
29 29
30rm -f testkey.pem testreq.pem 30rm -f testkey.pem testreq.pem
31 31
32../apps/openssl req -config test.cnf $req_new -out testreq.pem 32../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
33if [ $? != 0 ]; then 33if [ $? != 0 ]; then
34echo problems creating request 34echo problems creating request
35exit 1 35exit 1
36fi 36fi
37 37
38../apps/openssl req -config test.cnf -verify -in testreq.pem -noout 38../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
39if [ $? != 0 ]; then 39if [ $? != 0 ]; then
40echo signature on req is wrong 40echo signature on req is wrong
41exit 1 41exit 1
diff --git a/src/lib/libssl/test/testss b/src/lib/libssl/test/testss
index 8d3557f356..1a426857d3 100644
--- a/src/lib/libssl/test/testss
+++ b/src/lib/libssl/test/testss
@@ -1,9 +1,9 @@
1#!/bin/sh 1#!/bin/sh
2 2
3digest='-md5' 3digest='-sha1'
4reqcmd="../apps/openssl req" 4reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
5x509cmd="../apps/openssl x509 $digest" 5x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
6verifycmd="../apps/openssl verify" 6verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
7dummycnf="../apps/openssl.cnf" 7dummycnf="../apps/openssl.cnf"
8 8
9CAkey="keyCA.ss" 9CAkey="keyCA.ss"
@@ -17,12 +17,24 @@ Ukey="keyU.ss"
17Ureq="reqU.ss" 17Ureq="reqU.ss"
18Ucert="certU.ss" 18Ucert="certU.ss"
19 19
20P1conf="P1ss.cnf"
21P1key="keyP1.ss"
22P1req="reqP1.ss"
23P1cert="certP1.ss"
24P1intermediate="tmp_intP1.ss"
25
26P2conf="P2ss.cnf"
27P2key="keyP2.ss"
28P2req="reqP2.ss"
29P2cert="certP2.ss"
30P2intermediate="tmp_intP2.ss"
31
20echo 32echo
21echo "make a certificate request using 'req'" 33echo "make a certificate request using 'req'"
22 34
23echo "string to make the random number generator think it has entropy" >> ./.rnd 35echo "string to make the random number generator think it has entropy" >> ./.rnd
24 36
25if ../apps/openssl no-rsa; then 37if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
26 req_new='-newkey dsa:../apps/dsa512.pem' 38 req_new='-newkey dsa:../apps/dsa512.pem'
27else 39else
28 req_new='-new' 40 req_new='-new'
@@ -35,7 +47,7 @@ if [ $? != 0 ]; then
35fi 47fi
36echo 48echo
37echo "convert the certificate request into a self signed certificate using 'x509'" 49echo "convert the certificate request into a self signed certificate using 'x509'"
38$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss 50$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
39if [ $? != 0 ]; then 51if [ $? != 0 ]; then
40 echo "error using 'x509' to self sign a certificate request" 52 echo "error using 'x509' to self sign a certificate request"
41 exit 1 53 exit 1
@@ -68,18 +80,18 @@ if [ $? != 0 ]; then
68fi 80fi
69 81
70echo 82echo
71echo "make another certificate request using 'req'" 83echo "make a user certificate request using 'req'"
72$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss 84$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
73if [ $? != 0 ]; then 85if [ $? != 0 ]; then
74 echo "error using 'req' to generate a certificate request" 86 echo "error using 'req' to generate a user certificate request"
75 exit 1 87 exit 1
76fi 88fi
77 89
78echo 90echo
79echo "sign certificate request with the just created CA via 'x509'" 91echo "sign user certificate request with the just created CA via 'x509'"
80$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss 92$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
81if [ $? != 0 ]; then 93if [ $? != 0 ]; then
82 echo "error using 'x509' to sign a certificate request" 94 echo "error using 'x509' to sign a user certificate request"
83 exit 1 95 exit 1
84fi 96fi
85 97
@@ -89,11 +101,63 @@ echo "Certificate details"
89$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert 101$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
90 102
91echo 103echo
104echo "make a proxy certificate request using 'req'"
105$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
106if [ $? != 0 ]; then
107 echo "error using 'req' to generate a proxy certificate request"
108 exit 1
109fi
110
111echo
112echo "sign proxy certificate request with the just created user certificate via 'x509'"
113$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
114if [ $? != 0 ]; then
115 echo "error using 'x509' to sign a proxy certificate request"
116 exit 1
117fi
118
119cat $Ucert > $P1intermediate
120$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
121echo
122echo "Certificate details"
123$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
124
125echo
126echo "make another proxy certificate request using 'req'"
127$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
128if [ $? != 0 ]; then
129 echo "error using 'req' to generate another proxy certificate request"
130 exit 1
131fi
132
133echo
134echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
135$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
136if [ $? != 0 ]; then
137 echo "error using 'x509' to sign a second proxy certificate request"
138 exit 1
139fi
140
141cat $Ucert $P1cert > $P2intermediate
142$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
143echo
144echo "Certificate details"
145$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
146
147echo
92echo The generated CA certificate is $CAcert 148echo The generated CA certificate is $CAcert
93echo The generated CA private key is $CAkey 149echo The generated CA private key is $CAkey
94 150
95echo The generated user certificate is $Ucert 151echo The generated user certificate is $Ucert
96echo The generated user private key is $Ukey 152echo The generated user private key is $Ukey
97 153
154echo The first generated proxy certificate is $P1cert
155echo The first generated proxy private key is $P1key
156
157echo The second generated proxy certificate is $P2cert
158echo The second generated proxy private key is $P2key
159
98/bin/rm err.ss 160/bin/rm err.ss
161#/bin/rm $P1intermediate
162#/bin/rm $P2intermediate
99exit 0 163exit 0
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index ca8e718022..8ac90ae5ee 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -10,9 +10,9 @@ if [ "$2" = "" ]; then
10else 10else
11 cert="$2" 11 cert="$2"
12fi 12fi
13ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert" 13ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
14 14
15if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then 15if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
16 dsa_cert=YES 16 dsa_cert=YES
17else 17else
18 dsa_cert=NO 18 dsa_cert=NO
@@ -121,24 +121,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
121 121
122############################################################################# 122#############################################################################
123 123
124if ../apps/openssl no-dh; then 124if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
125 echo skipping anonymous DH tests 125 echo skipping anonymous DH tests
126else 126else
127 echo test tls1 with 1024bit anonymous DH, multiple handshakes 127 echo test tls1 with 1024bit anonymous DH, multiple handshakes
128 $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1 128 $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
129fi 129fi
130 130
131if ../apps/openssl no-rsa; then 131if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
132 echo skipping RSA tests 132 echo skipping RSA tests
133else 133else
134 echo test tls1 with 1024bit RSA, no DHE, multiple handshakes 134 echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
135 ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1 135 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
136 136
137 if ../apps/openssl no-dh; then 137 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
138 echo skipping RSA+DHE tests 138 echo skipping RSA+DHE tests
139 else 139 else
140 echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes 140 echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
141 ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 141 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
142 fi 142 fi
143fi 143fi
144 144
diff --git a/src/lib/libssl/test/testsslproxy b/src/lib/libssl/test/testsslproxy
new file mode 100644
index 0000000000..58bbda8ab7
--- /dev/null
+++ b/src/lib/libssl/test/testsslproxy
@@ -0,0 +1,10 @@
1#! /bin/sh
2
3echo 'Testing a lot of proxy conditions.'
4echo 'Some of them may turn out being invalid, which is fine.'
5for auth in A B C BC; do
6 for cond in A B C 'A|B&!C'; do
7 sh ./testssl $1 $2 $3 "-proxy -proxy_auth $auth -proxy_cond $cond"
8 if [ $? = 3 ]; then exit 1; fi
9 done
10done
diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7
index cf3bd9fadb..79bb6e0edf 100644
--- a/src/lib/libssl/test/tpkcs7
+++ b/src/lib/libssl/test/tpkcs7
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl pkcs7' 10cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d
index 18f9311b06..20394b34c4 100644
--- a/src/lib/libssl/test/tpkcs7d
+++ b/src/lib/libssl/test/tpkcs7d
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl pkcs7' 10cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq
index 47a8273cde..7e020210a5 100644
--- a/src/lib/libssl/test/treq
+++ b/src/lib/libssl/test/treq
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl req -config ../apps/openssl.cnf' 10cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa
index 413e2ec0a0..67b4a98841 100644
--- a/src/lib/libssl/test/trsa
+++ b/src/lib/libssl/test/trsa
@@ -7,12 +7,12 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10if ../apps/openssl no-rsa; then 10if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
11 echo skipping rsa conversion test 11 echo skipping rsa conversion test
12 exit 0 12 exit 0
13fi 13fi
14 14
15cmd='../apps/openssl rsa' 15cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
16 16
17if [ "$1"x != "x" ]; then 17if [ "$1"x != "x" ]; then
18 t=$1 18 t=$1
diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid
index 40a1dfa97c..fb4a7213b9 100644
--- a/src/lib/libssl/test/tsid
+++ b/src/lib/libssl/test/tsid
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl sess_id' 10cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509
index d380963abc..1b9c8661f3 100644
--- a/src/lib/libssl/test/tx509
+++ b/src/lib/libssl/test/tx509
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl x509' 10cmd='../util/shlib_wrap.sh ../apps/openssl x509'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-17 20:54:25 +0000