summaryrefslogtreecommitdiff
path: root/src/lib/libssl
diff options
context:
space:
mode:
authordjm <>2005-04-29 05:37:34 +0000
committerdjm <>2005-04-29 05:37:34 +0000
commita95585a25ab25668b931a78b7543f707a3354db8 (patch)
treef9e9febf7ac0c8f5d6df761fe70fd613aac06203 /src/lib/libssl
parent58c08aa241f168c84ce7cc3052454ea59a44eada (diff)
downloadopenbsd-a95585a25ab25668b931a78b7543f707a3354db8.tar.gz
openbsd-a95585a25ab25668b931a78b7543f707a3354db8.tar.bz2
openbsd-a95585a25ab25668b931a78b7543f707a3354db8.zip
import of openssl-0.9.7g; tested on platforms from alpha to zaurus, ok deraadt@
Diffstat (limited to 'src/lib/libssl')
-rw-r--r--src/lib/libssl/doc/openssl.cnf57
-rw-r--r--src/lib/libssl/doc/standards.txt4
-rw-r--r--src/lib/libssl/s23_clnt.c23
-rw-r--r--src/lib/libssl/s23_lib.c2
-rw-r--r--src/lib/libssl/s23_srvr.c9
-rw-r--r--src/lib/libssl/s3_clnt.c7
-rw-r--r--src/lib/libssl/s3_lib.c74
-rw-r--r--src/lib/libssl/s3_pkt.c12
-rw-r--r--src/lib/libssl/s3_srvr.c17
-rw-r--r--src/lib/libssl/ssl.h118
-rw-r--r--src/lib/libssl/ssl_asn1.c8
-rw-r--r--src/lib/libssl/ssl_cert.c104
-rw-r--r--src/lib/libssl/ssl_ciph.c21
-rw-r--r--src/lib/libssl/ssl_err.c4
-rw-r--r--src/lib/libssl/ssl_lib.c103
-rw-r--r--src/lib/libssl/ssl_locl.h12
-rw-r--r--src/lib/libssl/ssl_rsa.c2
-rw-r--r--src/lib/libssl/ssl_sess.c13
-rw-r--r--src/lib/libssl/ssl_txt.c4
-rw-r--r--src/lib/libssl/t1_enc.c4
-rw-r--r--src/lib/libssl/test/CAss.cnf8
-rw-r--r--src/lib/libssl/test/P1ss.cnf37
-rw-r--r--src/lib/libssl/test/P2ss.cnf45
-rw-r--r--src/lib/libssl/test/Uss.cnf8
-rw-r--r--src/lib/libssl/test/bctest2
-rw-r--r--src/lib/libssl/test/tcrl2
-rw-r--r--src/lib/libssl/test/testca3
-rw-r--r--src/lib/libssl/test/testenc20
-rw-r--r--src/lib/libssl/test/testgen6
-rw-r--r--src/lib/libssl/test/testss86
-rw-r--r--src/lib/libssl/test/testssl14
-rw-r--r--src/lib/libssl/test/testsslproxy10
-rw-r--r--src/lib/libssl/test/tpkcs72
-rw-r--r--src/lib/libssl/test/tpkcs7d2
-rw-r--r--src/lib/libssl/test/treq2
-rw-r--r--src/lib/libssl/test/trsa4
-rw-r--r--src/lib/libssl/test/tsid2
-rw-r--r--src/lib/libssl/test/tx5092
38 files changed, 595 insertions, 258 deletions
diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
index 854d1f164e..4c1d595b0a 100644
--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir = $dir/newcerts # default place for new certs.
44 44
45certificate = $dir/cacert.pem # The CA certificate 45certificate = $dir/cacert.pem # The CA certificate
46serial = $dir/serial # The current serial number 46serial = $dir/serial # The current serial number
47#crlnumber = $dir/crlnumber # the current crl number 47#crlnumber = $dir/crlnumber # the current crl number must be
48 # must be commented out to leave a V1 CRL 48 # commented out to leave a V1 CRL
49crl = $dir/crl.pem # The current CRL 49crl = $dir/crl.pem # The current CRL
50private_key = $dir/private/cakey.pem# The private key 50private_key = $dir/private/cakey.pem# The private key
51RANDFILE = $dir/private/.rand # private random number file 51RANDFILE = $dir/private/.rand # private random number file
@@ -258,3 +258,56 @@ basicConstraints = CA:true
258 258
259# issuerAltName=issuer:copy 259# issuerAltName=issuer:copy
260authorityKeyIdentifier=keyid:always,issuer:always 260authorityKeyIdentifier=keyid:always,issuer:always
261
262[ proxy_cert_ext ]
263# These extensions should be added when creating a proxy certificate
264
265# This goes against PKIX guidelines but some CAs do it and some software
266# requires this to avoid interpreting an end user certificate as a CA.
267
268basicConstraints=CA:FALSE
269
270# Here are some examples of the usage of nsCertType. If it is omitted
271# the certificate can be used for anything *except* object signing.
272
273# This is OK for an SSL server.
274# nsCertType = server
275
276# For an object signing certificate this would be used.
277# nsCertType = objsign
278
279# For normal client use this is typical
280# nsCertType = client, email
281
282# and for everything including object signing:
283# nsCertType = client, email, objsign
284
285# This is typical in keyUsage for a client certificate.
286# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
287
288# This will be displayed in Netscape's comment listbox.
289nsComment = "OpenSSL Generated Certificate"
290
291# PKIX recommendations harmless if included in all certificates.
292subjectKeyIdentifier=hash
293authorityKeyIdentifier=keyid,issuer:always
294
295# This stuff is for subjectAltName and issuerAltname.
296# Import the email address.
297# subjectAltName=email:copy
298# An alternative to produce certificates that aren't
299# deprecated according to PKIX.
300# subjectAltName=email:move
301
302# Copy subject details
303# issuerAltName=issuer:copy
304
305#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
306#nsBaseUrl
307#nsRevocationUrl
308#nsRenewalUrl
309#nsCaPolicyUrl
310#nsSslServerName
311
312# This really needs to be in place for it to be a proxy certificate.
313proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/src/lib/libssl/doc/standards.txt b/src/lib/libssl/doc/standards.txt
index edbe2f3a57..f6675b574b 100644
--- a/src/lib/libssl/doc/standards.txt
+++ b/src/lib/libssl/doc/standards.txt
@@ -88,6 +88,10 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
88 (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status: 88 (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:
89 INFORMATIONAL) 89 INFORMATIONAL)
90 90
913820 Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate
92 Profile. S. Tuecke, V. Welch, D. Engert, L. Pearlman, M. Thompson.
93 June 2004. (Format: TXT=86374 bytes) (Status: PROPOSED STANDARD)
94
91 95
92Related: 96Related:
93-------- 97--------
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 64ee4269ec..779e94a35c 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -235,7 +235,8 @@ static int ssl23_client_hello(SSL *s)
235#endif 235#endif
236 236
237 p=s->s3->client_random; 237 p=s->s3->client_random;
238 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE); 238 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
239 return -1;
239 240
240 /* Do the message type and length last */ 241 /* Do the message type and length last */
241 d= &(buf[2]); 242 d= &(buf[2]);
@@ -248,6 +249,14 @@ static int ssl23_client_hello(SSL *s)
248 *(d++)=TLS1_VERSION_MINOR; 249 *(d++)=TLS1_VERSION_MINOR;
249 s->client_version=TLS1_VERSION; 250 s->client_version=TLS1_VERSION;
250 } 251 }
252#ifdef OPENSSL_FIPS
253 else if(FIPS_mode())
254 {
255 SSLerr(SSL_F_SSL23_CLIENT_HELLO,
256 SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
257 return -1;
258 }
259#endif
251 else if (!(s->options & SSL_OP_NO_SSLv3)) 260 else if (!(s->options & SSL_OP_NO_SSLv3))
252 { 261 {
253 *(d++)=SSL3_VERSION_MAJOR; 262 *(d++)=SSL3_VERSION_MAJOR;
@@ -296,7 +305,9 @@ static int ssl23_client_hello(SSL *s)
296 i=ch_len; 305 i=ch_len;
297 s2n(i,d); 306 s2n(i,d);
298 memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE); 307 memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
299 RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); 308 if(RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
309 return -1;
310
300 memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); 311 memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
301 p+=i; 312 p+=i;
302 313
@@ -426,6 +437,14 @@ static int ssl23_get_server_hello(SSL *s)
426 if ((p[2] == SSL3_VERSION_MINOR) && 437 if ((p[2] == SSL3_VERSION_MINOR) &&
427 !(s->options & SSL_OP_NO_SSLv3)) 438 !(s->options & SSL_OP_NO_SSLv3))
428 { 439 {
440#ifdef OPENSSL_FIPS
441 if(FIPS_mode())
442 {
443 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
444 SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
445 goto err;
446 }
447#endif
429 s->version=SSL3_VERSION; 448 s->version=SSL3_VERSION;
430 s->method=SSLv3_client_method(); 449 s->method=SSLv3_client_method();
431 } 450 }
diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c
index b70002a647..8d7dbcf569 100644
--- a/src/lib/libssl/s23_lib.c
+++ b/src/lib/libssl/s23_lib.c
@@ -87,7 +87,7 @@ static SSL_METHOD SSLv23_data= {
87 ssl3_ctx_ctrl, 87 ssl3_ctx_ctrl,
88 ssl23_get_cipher_by_char, 88 ssl23_get_cipher_by_char,
89 ssl23_put_cipher_by_char, 89 ssl23_put_cipher_by_char,
90 ssl_undefined_function, 90 ssl_undefined_const_function,
91 ssl23_num_ciphers, 91 ssl23_num_ciphers,
92 ssl23_get_cipher, 92 ssl23_get_cipher,
93 ssl_bad_method, 93 ssl_bad_method,
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index c5404ca0bc..92f3391f60 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -407,6 +407,15 @@ int ssl23_get_client_hello(SSL *s)
407 } 407 }
408 } 408 }
409 409
410#ifdef OPENSSL_FIPS
411 if (FIPS_mode() && (s->version < TLS1_VERSION))
412 {
413 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
414 SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
415 goto err;
416 }
417#endif
418
410 if (s->state == SSL23_ST_SR_CLNT_HELLO_B) 419 if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
411 { 420 {
412 /* we have SSLv3/TLSv1 in an SSLv2 header 421 /* we have SSLv3/TLSv1 in an SSLv2 header
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 26ce0cb963..0969476b25 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -117,6 +117,7 @@
117#include <openssl/objects.h> 117#include <openssl/objects.h>
118#include <openssl/evp.h> 118#include <openssl/evp.h>
119#include <openssl/md5.h> 119#include <openssl/md5.h>
120#include <openssl/fips.h>
120 121
121static SSL_METHOD *ssl3_get_client_method(int ver); 122static SSL_METHOD *ssl3_get_client_method(int ver);
122static int ssl3_client_hello(SSL *s); 123static int ssl3_client_hello(SSL *s);
@@ -534,7 +535,8 @@ static int ssl3_client_hello(SSL *s)
534 p=s->s3->client_random; 535 p=s->s3->client_random;
535 Time=time(NULL); /* Time */ 536 Time=time(NULL); /* Time */
536 l2n(Time,p); 537 l2n(Time,p);
537 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); 538 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
539 goto err;
538 540
539 /* Do the message type and length last */ 541 /* Do the message type and length last */
540 d=p= &(buf[4]); 542 d=p= &(buf[4]);
@@ -1160,11 +1162,14 @@ static int ssl3_get_key_exchange(SSL *s)
1160 q=md_buf; 1162 q=md_buf;
1161 for (num=2; num > 0; num--) 1163 for (num=2; num > 0; num--)
1162 { 1164 {
1165 EVP_MD_CTX_set_flags(&md_ctx,
1166 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1163 EVP_DigestInit_ex(&md_ctx,(num == 2) 1167 EVP_DigestInit_ex(&md_ctx,(num == 2)
1164 ?s->ctx->md5:s->ctx->sha1, NULL); 1168 ?s->ctx->md5:s->ctx->sha1, NULL);
1165 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1169 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1166 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1170 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1167 EVP_DigestUpdate(&md_ctx,param,param_len); 1171 EVP_DigestUpdate(&md_ctx,param,param_len);
1172
1168 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1173 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1169 q+=i; 1174 q+=i;
1170 j+=i; 1175 j+=i;
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index d04096016c..9bf1dbec06 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
142 SSL3_TXT_RSA_NULL_SHA, 142 SSL3_TXT_RSA_NULL_SHA,
143 SSL3_CK_RSA_NULL_SHA, 143 SSL3_CK_RSA_NULL_SHA,
144 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, 144 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
145 SSL_NOT_EXP|SSL_STRONG_NONE, 145 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
146 0, 146 0,
147 0, 147 0,
148 0, 148 0,
@@ -183,7 +183,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
183 SSL3_TXT_ADH_DES_40_CBC_SHA, 183 SSL3_TXT_ADH_DES_40_CBC_SHA,
184 SSL3_CK_ADH_DES_40_CBC_SHA, 184 SSL3_CK_ADH_DES_40_CBC_SHA,
185 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, 185 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
186 SSL_EXPORT|SSL_EXP40, 186 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
187 0, 187 0,
188 40, 188 40,
189 128, 189 128,
@@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
196 SSL3_TXT_ADH_DES_64_CBC_SHA, 196 SSL3_TXT_ADH_DES_64_CBC_SHA,
197 SSL3_CK_ADH_DES_64_CBC_SHA, 197 SSL3_CK_ADH_DES_64_CBC_SHA,
198 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, 198 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3,
199 SSL_NOT_EXP|SSL_LOW, 199 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
200 0, 200 0,
201 56, 201 56,
202 56, 202 56,
@@ -209,7 +209,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
209 SSL3_TXT_ADH_DES_192_CBC_SHA, 209 SSL3_TXT_ADH_DES_192_CBC_SHA,
210 SSL3_CK_ADH_DES_192_CBC_SHA, 210 SSL3_CK_ADH_DES_192_CBC_SHA,
211 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, 211 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
212 SSL_NOT_EXP|SSL_HIGH, 212 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
213 0, 213 0,
214 168, 214 168,
215 168, 215 168,
@@ -291,7 +291,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
291 SSL3_TXT_RSA_DES_40_CBC_SHA, 291 SSL3_TXT_RSA_DES_40_CBC_SHA,
292 SSL3_CK_RSA_DES_40_CBC_SHA, 292 SSL3_CK_RSA_DES_40_CBC_SHA,
293 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 293 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
294 SSL_EXPORT|SSL_EXP40, 294 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
295 0, 295 0,
296 40, 296 40,
297 56, 297 56,
@@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
304 SSL3_TXT_RSA_DES_64_CBC_SHA, 304 SSL3_TXT_RSA_DES_64_CBC_SHA,
305 SSL3_CK_RSA_DES_64_CBC_SHA, 305 SSL3_CK_RSA_DES_64_CBC_SHA,
306 SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 306 SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
307 SSL_NOT_EXP|SSL_LOW, 307 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
308 0, 308 0,
309 56, 309 56,
310 56, 310 56,
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
317 SSL3_TXT_RSA_DES_192_CBC3_SHA, 317 SSL3_TXT_RSA_DES_192_CBC3_SHA,
318 SSL3_CK_RSA_DES_192_CBC3_SHA, 318 SSL3_CK_RSA_DES_192_CBC3_SHA,
319 SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 319 SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
320 SSL_NOT_EXP|SSL_HIGH, 320 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
321 0, 321 0,
322 168, 322 168,
323 168, 323 168,
@@ -332,7 +332,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
332 SSL3_TXT_DH_DSS_DES_40_CBC_SHA, 332 SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
333 SSL3_CK_DH_DSS_DES_40_CBC_SHA, 333 SSL3_CK_DH_DSS_DES_40_CBC_SHA,
334 SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 334 SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
335 SSL_EXPORT|SSL_EXP40, 335 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
336 0, 336 0,
337 40, 337 40,
338 56, 338 56,
@@ -345,7 +345,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
345 SSL3_TXT_DH_DSS_DES_64_CBC_SHA, 345 SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
346 SSL3_CK_DH_DSS_DES_64_CBC_SHA, 346 SSL3_CK_DH_DSS_DES_64_CBC_SHA,
347 SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 347 SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
348 SSL_NOT_EXP|SSL_LOW, 348 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
349 0, 349 0,
350 56, 350 56,
351 56, 351 56,
@@ -358,7 +358,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
358 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, 358 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
359 SSL3_CK_DH_DSS_DES_192_CBC3_SHA, 359 SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
360 SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 360 SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
361 SSL_NOT_EXP|SSL_HIGH, 361 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
362 0, 362 0,
363 168, 363 168,
364 168, 364 168,
@@ -371,7 +371,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
371 SSL3_TXT_DH_RSA_DES_40_CBC_SHA, 371 SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
372 SSL3_CK_DH_RSA_DES_40_CBC_SHA, 372 SSL3_CK_DH_RSA_DES_40_CBC_SHA,
373 SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 373 SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
374 SSL_EXPORT|SSL_EXP40, 374 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
375 0, 375 0,
376 40, 376 40,
377 56, 377 56,
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
384 SSL3_TXT_DH_RSA_DES_64_CBC_SHA, 384 SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
385 SSL3_CK_DH_RSA_DES_64_CBC_SHA, 385 SSL3_CK_DH_RSA_DES_64_CBC_SHA,
386 SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 386 SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
387 SSL_NOT_EXP|SSL_LOW, 387 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
388 0, 388 0,
389 56, 389 56,
390 56, 390 56,
@@ -397,7 +397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
397 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, 397 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
398 SSL3_CK_DH_RSA_DES_192_CBC3_SHA, 398 SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
399 SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 399 SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
400 SSL_NOT_EXP|SSL_HIGH, 400 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
401 0, 401 0,
402 168, 402 168,
403 168, 403 168,
@@ -412,7 +412,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
412 SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, 412 SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
413 SSL3_CK_EDH_DSS_DES_40_CBC_SHA, 413 SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
414 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, 414 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
415 SSL_EXPORT|SSL_EXP40, 415 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
416 0, 416 0,
417 40, 417 40,
418 56, 418 56,
@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
425 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, 425 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
426 SSL3_CK_EDH_DSS_DES_64_CBC_SHA, 426 SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
427 SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, 427 SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3,
428 SSL_NOT_EXP|SSL_LOW, 428 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
429 0, 429 0,
430 56, 430 56,
431 56, 431 56,
@@ -438,7 +438,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
438 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 438 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
439 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, 439 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
440 SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, 440 SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
441 SSL_NOT_EXP|SSL_HIGH, 441 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
442 0, 442 0,
443 168, 443 168,
444 168, 444 168,
@@ -451,7 +451,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
451 SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, 451 SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
452 SSL3_CK_EDH_RSA_DES_40_CBC_SHA, 452 SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
453 SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 453 SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
454 SSL_EXPORT|SSL_EXP40, 454 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
455 0, 455 0,
456 40, 456 40,
457 56, 457 56,
@@ -464,7 +464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
464 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, 464 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
465 SSL3_CK_EDH_RSA_DES_64_CBC_SHA, 465 SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
466 SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 466 SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
467 SSL_NOT_EXP|SSL_LOW, 467 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
468 0, 468 0,
469 56, 469 56,
470 56, 470 56,
@@ -477,7 +477,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
477 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 477 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
478 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 478 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
479 SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 479 SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
480 SSL_NOT_EXP|SSL_HIGH, 480 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
481 0, 481 0,
482 168, 482 168,
483 168, 483 168,
@@ -541,7 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
541 SSL3_TXT_KRB5_DES_64_CBC_SHA, 541 SSL3_TXT_KRB5_DES_64_CBC_SHA,
542 SSL3_CK_KRB5_DES_64_CBC_SHA, 542 SSL3_CK_KRB5_DES_64_CBC_SHA,
543 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 543 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
544 SSL_NOT_EXP|SSL_LOW, 544 SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
545 0, 545 0,
546 56, 546 56,
547 56, 547 56,
@@ -555,7 +555,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
555 SSL3_TXT_KRB5_DES_192_CBC3_SHA, 555 SSL3_TXT_KRB5_DES_192_CBC3_SHA,
556 SSL3_CK_KRB5_DES_192_CBC3_SHA, 556 SSL3_CK_KRB5_DES_192_CBC3_SHA,
557 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, 557 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
558 SSL_NOT_EXP|SSL_HIGH, 558 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
559 0, 559 0,
560 112, 560 112,
561 168, 561 168,
@@ -653,7 +653,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
653 SSL3_TXT_KRB5_DES_40_CBC_SHA, 653 SSL3_TXT_KRB5_DES_40_CBC_SHA,
654 SSL3_CK_KRB5_DES_40_CBC_SHA, 654 SSL3_CK_KRB5_DES_40_CBC_SHA,
655 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 655 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
656 SSL_EXPORT|SSL_EXP40, 656 SSL_EXPORT|SSL_EXP40|SSL_FIPS,
657 0, 657 0,
658 40, 658 40,
659 56, 659 56,
@@ -767,7 +767,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
767 TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, 767 TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
768 TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, 768 TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
769 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, 769 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
770 SSL_EXPORT|SSL_EXP56, 770 SSL_EXPORT|SSL_EXP56|SSL_FIPS,
771 0, 771 0,
772 56, 772 56,
773 56, 773 56,
@@ -780,7 +780,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
780 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 780 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
781 TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 781 TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
782 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, 782 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
783 SSL_EXPORT|SSL_EXP56, 783 SSL_EXPORT|SSL_EXP56|SSL_FIPS,
784 0, 784 0,
785 56, 785 56,
786 56, 786 56,
@@ -835,7 +835,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
835 TLS1_TXT_RSA_WITH_AES_128_SHA, 835 TLS1_TXT_RSA_WITH_AES_128_SHA,
836 TLS1_CK_RSA_WITH_AES_128_SHA, 836 TLS1_CK_RSA_WITH_AES_128_SHA,
837 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 837 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
838 SSL_NOT_EXP|SSL_MEDIUM, 838 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
839 0, 839 0,
840 128, 840 128,
841 128, 841 128,
@@ -848,7 +848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
848 TLS1_TXT_DH_DSS_WITH_AES_128_SHA, 848 TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
849 TLS1_CK_DH_DSS_WITH_AES_128_SHA, 849 TLS1_CK_DH_DSS_WITH_AES_128_SHA,
850 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 850 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
851 SSL_NOT_EXP|SSL_MEDIUM, 851 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
852 0, 852 0,
853 128, 853 128,
854 128, 854 128,
@@ -861,7 +861,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
861 TLS1_TXT_DH_RSA_WITH_AES_128_SHA, 861 TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
862 TLS1_CK_DH_RSA_WITH_AES_128_SHA, 862 TLS1_CK_DH_RSA_WITH_AES_128_SHA,
863 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 863 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
864 SSL_NOT_EXP|SSL_MEDIUM, 864 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
865 0, 865 0,
866 128, 866 128,
867 128, 867 128,
@@ -874,7 +874,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
874 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, 874 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
875 TLS1_CK_DHE_DSS_WITH_AES_128_SHA, 875 TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
876 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 876 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
877 SSL_NOT_EXP|SSL_MEDIUM, 877 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
878 0, 878 0,
879 128, 879 128,
880 128, 880 128,
@@ -887,7 +887,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
887 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 887 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
888 TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 888 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
889 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 889 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
890 SSL_NOT_EXP|SSL_MEDIUM, 890 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
891 0, 891 0,
892 128, 892 128,
893 128, 893 128,
@@ -900,7 +900,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
900 TLS1_TXT_ADH_WITH_AES_128_SHA, 900 TLS1_TXT_ADH_WITH_AES_128_SHA,
901 TLS1_CK_ADH_WITH_AES_128_SHA, 901 TLS1_CK_ADH_WITH_AES_128_SHA,
902 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 902 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
903 SSL_NOT_EXP|SSL_MEDIUM, 903 SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
904 0, 904 0,
905 128, 905 128,
906 128, 906 128,
@@ -914,7 +914,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
914 TLS1_TXT_RSA_WITH_AES_256_SHA, 914 TLS1_TXT_RSA_WITH_AES_256_SHA,
915 TLS1_CK_RSA_WITH_AES_256_SHA, 915 TLS1_CK_RSA_WITH_AES_256_SHA,
916 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 916 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
917 SSL_NOT_EXP|SSL_HIGH, 917 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
918 0, 918 0,
919 256, 919 256,
920 256, 920 256,
@@ -927,7 +927,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
927 TLS1_TXT_DH_DSS_WITH_AES_256_SHA, 927 TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
928 TLS1_CK_DH_DSS_WITH_AES_256_SHA, 928 TLS1_CK_DH_DSS_WITH_AES_256_SHA,
929 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 929 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
930 SSL_NOT_EXP|SSL_HIGH, 930 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
931 0, 931 0,
932 256, 932 256,
933 256, 933 256,
@@ -940,7 +940,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
940 TLS1_TXT_DH_RSA_WITH_AES_256_SHA, 940 TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
941 TLS1_CK_DH_RSA_WITH_AES_256_SHA, 941 TLS1_CK_DH_RSA_WITH_AES_256_SHA,
942 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 942 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
943 SSL_NOT_EXP|SSL_HIGH, 943 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
944 0, 944 0,
945 256, 945 256,
946 256, 946 256,
@@ -953,7 +953,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
953 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, 953 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
954 TLS1_CK_DHE_DSS_WITH_AES_256_SHA, 954 TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
955 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 955 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
956 SSL_NOT_EXP|SSL_HIGH, 956 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
957 0, 957 0,
958 256, 958 256,
959 256, 959 256,
@@ -966,7 +966,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
966 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 966 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
967 TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 967 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
968 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 968 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
969 SSL_NOT_EXP|SSL_HIGH, 969 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
970 0, 970 0,
971 256, 971 256,
972 256, 972 256,
@@ -979,7 +979,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
979 TLS1_TXT_ADH_WITH_AES_256_SHA, 979 TLS1_TXT_ADH_WITH_AES_256_SHA,
980 TLS1_CK_ADH_WITH_AES_256_SHA, 980 TLS1_CK_ADH_WITH_AES_256_SHA,
981 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 981 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
982 SSL_NOT_EXP|SSL_HIGH, 982 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
983 0, 983 0,
984 256, 984 256,
985 256, 985 256,
@@ -1057,7 +1057,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
1057 return(NULL); 1057 return(NULL);
1058 } 1058 }
1059 1059
1060int ssl3_pending(SSL *s) 1060int ssl3_pending(const SSL *s)
1061 { 1061 {
1062 if (s->rstate == SSL_ST_READ_BODY) 1062 if (s->rstate == SSL_ST_READ_BODY)
1063 return 0; 1063 return 0;
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 9f3e5139ad..cb0b12b400 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -862,7 +862,7 @@ start:
862 { 862 {
863 al=SSL_AD_UNEXPECTED_MESSAGE; 863 al=SSL_AD_UNEXPECTED_MESSAGE;
864 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 864 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
865 goto err; 865 goto f_err;
866 } 866 }
867 867
868 /* If the other end has shut down, throw anything we read away 868 /* If the other end has shut down, throw anything we read away
@@ -969,7 +969,7 @@ start:
969 { 969 {
970 al=SSL_AD_DECODE_ERROR; 970 al=SSL_AD_DECODE_ERROR;
971 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); 971 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
972 goto err; 972 goto f_err;
973 } 973 }
974 974
975 if (s->msg_callback) 975 if (s->msg_callback)
@@ -1080,17 +1080,17 @@ start:
1080 if ( (rr->length != 1) || (rr->off != 0) || 1080 if ( (rr->length != 1) || (rr->off != 0) ||
1081 (rr->data[0] != SSL3_MT_CCS)) 1081 (rr->data[0] != SSL3_MT_CCS))
1082 { 1082 {
1083 i=SSL_AD_ILLEGAL_PARAMETER; 1083 al=SSL_AD_ILLEGAL_PARAMETER;
1084 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); 1084 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
1085 goto err; 1085 goto f_err;
1086 } 1086 }
1087 1087
1088 /* Check we have a cipher to change to */ 1088 /* Check we have a cipher to change to */
1089 if (s->s3->tmp.new_cipher == NULL) 1089 if (s->s3->tmp.new_cipher == NULL)
1090 { 1090 {
1091 i=SSL_AD_UNEXPECTED_MESSAGE; 1091 al=SSL_AD_UNEXPECTED_MESSAGE;
1092 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 1092 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
1093 goto err; 1093 goto f_err;
1094 } 1094 }
1095 1095
1096 rr->length=0; 1096 rr->length=0;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index deb3cffabe..c4a1a71523 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -125,6 +125,7 @@
125#include <openssl/krb5_asn.h> 125#include <openssl/krb5_asn.h>
126#endif 126#endif
127#include <openssl/md5.h> 127#include <openssl/md5.h>
128#include <openssl/fips.h>
128 129
129static SSL_METHOD *ssl3_get_server_method(int ver); 130static SSL_METHOD *ssl3_get_server_method(int ver);
130static int ssl3_get_client_hello(SSL *s); 131static int ssl3_get_client_hello(SSL *s);
@@ -955,7 +956,8 @@ static int ssl3_send_server_hello(SSL *s)
955 p=s->s3->server_random; 956 p=s->s3->server_random;
956 Time=time(NULL); /* Time */ 957 Time=time(NULL); /* Time */
957 l2n(Time,p); 958 l2n(Time,p);
958 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); 959 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
960 return -1;
959 /* Do the message type and length last */ 961 /* Do the message type and length last */
960 d=p= &(buf[4]); 962 d=p= &(buf[4]);
961 963
@@ -1211,6 +1213,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
1211 j=0; 1213 j=0;
1212 for (num=2; num > 0; num--) 1214 for (num=2; num > 0; num--)
1213 { 1215 {
1216 EVP_MD_CTX_set_flags(&md_ctx,
1217 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1214 EVP_DigestInit_ex(&md_ctx,(num == 2) 1218 EVP_DigestInit_ex(&md_ctx,(num == 2)
1215 ?s->ctx->md5:s->ctx->sha1, NULL); 1219 ?s->ctx->md5:s->ctx->sha1, NULL);
1216 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1220 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1491,7 +1495,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
1491 i = SSL_MAX_MASTER_KEY_LENGTH; 1495 i = SSL_MAX_MASTER_KEY_LENGTH;
1492 p[0] = s->client_version >> 8; 1496 p[0] = s->client_version >> 8;
1493 p[1] = s->client_version & 0xff; 1497 p[1] = s->client_version & 0xff;
1494 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ 1498 if(RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
1499 goto err;
1495 } 1500 }
1496 1501
1497 s->session->master_key_length= 1502 s->session->master_key_length=
@@ -1589,7 +1594,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1589 n2s(p,i); 1594 n2s(p,i);
1590 enc_ticket.length = i; 1595 enc_ticket.length = i;
1591 1596
1592 if (n < enc_ticket.length + 6) 1597 if (n < (long)enc_ticket.length + 6)
1593 { 1598 {
1594 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1599 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1595 SSL_R_DATA_LENGTH_TOO_LONG); 1600 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1602,7 +1607,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1602 n2s(p,i); 1607 n2s(p,i);
1603 authenticator.length = i; 1608 authenticator.length = i;
1604 1609
1605 if (n < enc_ticket.length + authenticator.length + 6) 1610 if (n < (long)(enc_ticket.length + authenticator.length + 6))
1606 { 1611 {
1607 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1612 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1608 SSL_R_DATA_LENGTH_TOO_LONG); 1613 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1627,8 +1632,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
1627 goto err; 1632 goto err;
1628 } 1633 }
1629 1634
1630 if (n != enc_ticket.length + authenticator.length + 1635 if (n != (long)(enc_ticket.length + authenticator.length +
1631 enc_pms.length + 6) 1636 enc_pms.length + 6))
1632 { 1637 {
1633 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1638 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1634 SSL_R_DATA_LENGTH_TOO_LONG); 1639 SSL_R_DATA_LENGTH_TOO_LONG);
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 913bd40eea..3161f532cf 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -239,6 +239,7 @@ extern "C" {
239#define SSL_TXT_LOW "LOW" 239#define SSL_TXT_LOW "LOW"
240#define SSL_TXT_MEDIUM "MEDIUM" 240#define SSL_TXT_MEDIUM "MEDIUM"
241#define SSL_TXT_HIGH "HIGH" 241#define SSL_TXT_HIGH "HIGH"
242#define SSL_TXT_FIPS "FIPS"
242#define SSL_TXT_kFZA "kFZA" 243#define SSL_TXT_kFZA "kFZA"
243#define SSL_TXT_aFZA "aFZA" 244#define SSL_TXT_aFZA "aFZA"
244#define SSL_TXT_eFZA "eFZA" 245#define SSL_TXT_eFZA "eFZA"
@@ -372,7 +373,7 @@ typedef struct ssl_method_st
372 long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg); 373 long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
373 SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); 374 SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
374 int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr); 375 int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
375 int (*ssl_pending)(SSL *s); 376 int (*ssl_pending)(const SSL *s);
376 int (*num_ciphers)(void); 377 int (*num_ciphers)(void);
377 SSL_CIPHER *(*get_cipher)(unsigned ncipher); 378 SSL_CIPHER *(*get_cipher)(unsigned ncipher);
378 struct ssl_method_st *(*get_ssl_method)(int version); 379 struct ssl_method_st *(*get_ssl_method)(int version);
@@ -998,8 +999,8 @@ extern "C" {
998 * -- that we sent (SSL_get_finished) 999 * -- that we sent (SSL_get_finished)
999 * -- that we expected from peer (SSL_get_peer_finished). 1000 * -- that we expected from peer (SSL_get_peer_finished).
1000 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */ 1001 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
1001size_t SSL_get_finished(SSL *s, void *buf, size_t count); 1002size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
1002size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count); 1003size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
1003 1004
1004/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options 1005/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
1005 * are 'ored' with SSL_VERIFY_PEER if they are desired */ 1006 * are 'ored' with SSL_VERIFY_PEER if they are desired */
@@ -1171,26 +1172,26 @@ int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
1171SSL_CTX *SSL_CTX_new(SSL_METHOD *meth); 1172SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
1172void SSL_CTX_free(SSL_CTX *); 1173void SSL_CTX_free(SSL_CTX *);
1173long SSL_CTX_set_timeout(SSL_CTX *ctx,long t); 1174long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
1174long SSL_CTX_get_timeout(SSL_CTX *ctx); 1175long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1175X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *); 1176X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1176void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *); 1177void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
1177int SSL_want(SSL *s); 1178int SSL_want(const SSL *s);
1178int SSL_clear(SSL *s); 1179int SSL_clear(SSL *s);
1179 1180
1180void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm); 1181void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
1181 1182
1182SSL_CIPHER *SSL_get_current_cipher(SSL *s); 1183SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1183int SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits); 1184int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
1184char * SSL_CIPHER_get_version(SSL_CIPHER *c); 1185char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
1185const char * SSL_CIPHER_get_name(SSL_CIPHER *c); 1186const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
1186 1187
1187int SSL_get_fd(SSL *s); 1188int SSL_get_fd(const SSL *s);
1188int SSL_get_rfd(SSL *s); 1189int SSL_get_rfd(const SSL *s);
1189int SSL_get_wfd(SSL *s); 1190int SSL_get_wfd(const SSL *s);
1190const char * SSL_get_cipher_list(SSL *s,int n); 1191const char * SSL_get_cipher_list(const SSL *s,int n);
1191char * SSL_get_shared_ciphers(SSL *s, char *buf, int len); 1192char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
1192int SSL_get_read_ahead(SSL * s); 1193int SSL_get_read_ahead(const SSL * s);
1193int SSL_pending(SSL *s); 1194int SSL_pending(const SSL *s);
1194#ifndef OPENSSL_NO_SOCK 1195#ifndef OPENSSL_NO_SOCK
1195int SSL_set_fd(SSL *s, int fd); 1196int SSL_set_fd(SSL *s, int fd);
1196int SSL_set_rfd(SSL *s, int fd); 1197int SSL_set_rfd(SSL *s, int fd);
@@ -1198,14 +1199,14 @@ int SSL_set_wfd(SSL *s, int fd);
1198#endif 1199#endif
1199#ifndef OPENSSL_NO_BIO 1200#ifndef OPENSSL_NO_BIO
1200void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio); 1201void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
1201BIO * SSL_get_rbio(SSL *s); 1202BIO * SSL_get_rbio(const SSL *s);
1202BIO * SSL_get_wbio(SSL *s); 1203BIO * SSL_get_wbio(const SSL *s);
1203#endif 1204#endif
1204int SSL_set_cipher_list(SSL *s, const char *str); 1205int SSL_set_cipher_list(SSL *s, const char *str);
1205void SSL_set_read_ahead(SSL *s, int yes); 1206void SSL_set_read_ahead(SSL *s, int yes);
1206int SSL_get_verify_mode(SSL *s); 1207int SSL_get_verify_mode(const SSL *s);
1207int SSL_get_verify_depth(SSL *s); 1208int SSL_get_verify_depth(const SSL *s);
1208int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *); 1209int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
1209void SSL_set_verify(SSL *s, int mode, 1210void SSL_set_verify(SSL *s, int mode,
1210 int (*callback)(int ok,X509_STORE_CTX *ctx)); 1211 int (*callback)(int ok,X509_STORE_CTX *ctx));
1211void SSL_set_verify_depth(SSL *s, int depth); 1212void SSL_set_verify_depth(SSL *s, int depth);
@@ -1243,20 +1244,20 @@ const char *SSL_state_string(const SSL *s);
1243const char *SSL_rstate_string(const SSL *s); 1244const char *SSL_rstate_string(const SSL *s);
1244const char *SSL_state_string_long(const SSL *s); 1245const char *SSL_state_string_long(const SSL *s);
1245const char *SSL_rstate_string_long(const SSL *s); 1246const char *SSL_rstate_string_long(const SSL *s);
1246long SSL_SESSION_get_time(SSL_SESSION *s); 1247long SSL_SESSION_get_time(const SSL_SESSION *s);
1247long SSL_SESSION_set_time(SSL_SESSION *s, long t); 1248long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1248long SSL_SESSION_get_timeout(SSL_SESSION *s); 1249long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1249long SSL_SESSION_set_timeout(SSL_SESSION *s, long t); 1250long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1250void SSL_copy_session_id(SSL *to,SSL *from); 1251void SSL_copy_session_id(SSL *to,const SSL *from);
1251 1252
1252SSL_SESSION *SSL_SESSION_new(void); 1253SSL_SESSION *SSL_SESSION_new(void);
1253unsigned long SSL_SESSION_hash(SSL_SESSION *a); 1254unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
1254int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b); 1255int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
1255#ifndef OPENSSL_NO_FP_API 1256#ifndef OPENSSL_NO_FP_API
1256int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses); 1257int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
1257#endif 1258#endif
1258#ifndef OPENSSL_NO_BIO 1259#ifndef OPENSSL_NO_BIO
1259int SSL_SESSION_print(BIO *fp,SSL_SESSION *ses); 1260int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
1260#endif 1261#endif
1261void SSL_SESSION_free(SSL_SESSION *ses); 1262void SSL_SESSION_free(SSL_SESSION *ses);
1262int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); 1263int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
@@ -1267,17 +1268,18 @@ int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
1267int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB); 1268int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
1268int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, 1269int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1269 unsigned int id_len); 1270 unsigned int id_len);
1270SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length); 1271SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char * const *pp,
1272 long length);
1271 1273
1272#ifdef HEADER_X509_H 1274#ifdef HEADER_X509_H
1273X509 * SSL_get_peer_certificate(SSL *s); 1275X509 * SSL_get_peer_certificate(const SSL *s);
1274#endif 1276#endif
1275 1277
1276STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s); 1278STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1277 1279
1278int SSL_CTX_get_verify_mode(SSL_CTX *ctx); 1280int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1279int SSL_CTX_get_verify_depth(SSL_CTX *ctx); 1281int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1280int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *); 1282int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
1281void SSL_CTX_set_verify(SSL_CTX *ctx,int mode, 1283void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
1282 int (*callback)(int, X509_STORE_CTX *)); 1284 int (*callback)(int, X509_STORE_CTX *));
1283void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); 1285void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
@@ -1295,8 +1297,8 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
1295void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); 1297void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1296void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); 1298void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1297 1299
1298int SSL_CTX_check_private_key(SSL_CTX *ctx); 1300int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1299int SSL_check_private_key(SSL *ctx); 1301int SSL_check_private_key(const SSL *ctx);
1300 1302
1301int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, 1303int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
1302 unsigned int sid_ctx_len); 1304 unsigned int sid_ctx_len);
@@ -1321,8 +1323,8 @@ long SSL_callback_ctrl(SSL *, int, void (*)());
1321long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg); 1323long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
1322long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)()); 1324long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
1323 1325
1324int SSL_get_error(SSL *s,int ret_code); 1326int SSL_get_error(const SSL *s,int ret_code);
1325const char *SSL_get_version(SSL *s); 1327const char *SSL_get_version(const SSL *s);
1326 1328
1327/* This sets the 'default' SSL version that SSL_new() will create */ 1329/* This sets the 'default' SSL version that SSL_new() will create */
1328int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth); 1330int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
@@ -1343,7 +1345,7 @@ SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
1343SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ 1345SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
1344SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */ 1346SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
1345 1347
1346STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s); 1348STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1347 1349
1348int SSL_do_handshake(SSL *s); 1350int SSL_do_handshake(SSL *s);
1349int SSL_renegotiate(SSL *s); 1351int SSL_renegotiate(SSL *s);
@@ -1359,15 +1361,15 @@ const char *SSL_alert_desc_string(int value);
1359 1361
1360void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list); 1362void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1361void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list); 1363void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1362STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); 1364STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1363STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s); 1365STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1364int SSL_add_client_CA(SSL *ssl,X509 *x); 1366int SSL_add_client_CA(SSL *ssl,X509 *x);
1365int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x); 1367int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
1366 1368
1367void SSL_set_connect_state(SSL *s); 1369void SSL_set_connect_state(SSL *s);
1368void SSL_set_accept_state(SSL *s); 1370void SSL_set_accept_state(SSL *s);
1369 1371
1370long SSL_get_default_timeout(SSL *s); 1372long SSL_get_default_timeout(const SSL *s);
1371 1373
1372int SSL_library_init(void ); 1374int SSL_library_init(void );
1373 1375
@@ -1376,43 +1378,43 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
1376 1378
1377SSL *SSL_dup(SSL *ssl); 1379SSL *SSL_dup(SSL *ssl);
1378 1380
1379X509 *SSL_get_certificate(SSL *ssl); 1381X509 *SSL_get_certificate(const SSL *ssl);
1380/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl); 1382/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
1381 1383
1382void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode); 1384void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
1383int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx); 1385int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
1384void SSL_set_quiet_shutdown(SSL *ssl,int mode); 1386void SSL_set_quiet_shutdown(SSL *ssl,int mode);
1385int SSL_get_quiet_shutdown(SSL *ssl); 1387int SSL_get_quiet_shutdown(const SSL *ssl);
1386void SSL_set_shutdown(SSL *ssl,int mode); 1388void SSL_set_shutdown(SSL *ssl,int mode);
1387int SSL_get_shutdown(SSL *ssl); 1389int SSL_get_shutdown(const SSL *ssl);
1388int SSL_version(SSL *ssl); 1390int SSL_version(const SSL *ssl);
1389int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); 1391int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
1390int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 1392int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1391 const char *CApath); 1393 const char *CApath);
1392#define SSL_get0_session SSL_get_session /* just peek at pointer */ 1394#define SSL_get0_session SSL_get_session /* just peek at pointer */
1393SSL_SESSION *SSL_get_session(SSL *ssl); 1395SSL_SESSION *SSL_get_session(const SSL *ssl);
1394SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */ 1396SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
1395SSL_CTX *SSL_get_SSL_CTX(SSL *ssl); 1397SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
1396void SSL_set_info_callback(SSL *ssl, 1398void SSL_set_info_callback(SSL *ssl,
1397 void (*cb)(const SSL *ssl,int type,int val)); 1399 void (*cb)(const SSL *ssl,int type,int val));
1398void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val); 1400void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
1399int SSL_state(SSL *ssl); 1401int SSL_state(const SSL *ssl);
1400 1402
1401void SSL_set_verify_result(SSL *ssl,long v); 1403void SSL_set_verify_result(SSL *ssl,long v);
1402long SSL_get_verify_result(SSL *ssl); 1404long SSL_get_verify_result(const SSL *ssl);
1403 1405
1404int SSL_set_ex_data(SSL *ssl,int idx,void *data); 1406int SSL_set_ex_data(SSL *ssl,int idx,void *data);
1405void *SSL_get_ex_data(SSL *ssl,int idx); 1407void *SSL_get_ex_data(const SSL *ssl,int idx);
1406int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1408int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1407 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 1409 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1408 1410
1409int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data); 1411int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
1410void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx); 1412void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
1411int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1413int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1412 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 1414 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1413 1415
1414int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data); 1416int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
1415void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx); 1417void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
1416int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1418int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1417 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 1419 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1418 1420
@@ -1603,6 +1605,7 @@ void ERR_load_SSL_strings(void);
1603#define SSL_F_SSL_SET_TRUST 228 1605#define SSL_F_SSL_SET_TRUST 228
1604#define SSL_F_SSL_SET_WFD 196 1606#define SSL_F_SSL_SET_WFD 196
1605#define SSL_F_SSL_SHUTDOWN 224 1607#define SSL_F_SSL_SHUTDOWN 224
1608#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
1606#define SSL_F_SSL_UNDEFINED_FUNCTION 197 1609#define SSL_F_SSL_UNDEFINED_FUNCTION 197
1607#define SSL_F_SSL_USE_CERTIFICATE 198 1610#define SSL_F_SSL_USE_CERTIFICATE 198
1608#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 1611#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
@@ -1741,6 +1744,7 @@ void ERR_load_SSL_strings(void);
1741#define SSL_R_NULL_SSL_CTX 195 1744#define SSL_R_NULL_SSL_CTX 195
1742#define SSL_R_NULL_SSL_METHOD_PASSED 196 1745#define SSL_R_NULL_SSL_METHOD_PASSED 196
1743#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 1746#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
1747#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 1115
1744#define SSL_R_PACKET_LENGTH_TOO_LONG 198 1748#define SSL_R_PACKET_LENGTH_TOO_LONG 198
1745#define SSL_R_PATH_TOO_LONG 270 1749#define SSL_R_PATH_TOO_LONG 270
1746#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 1750#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index d8ff8fc4a3..4d5900ad2f 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -226,7 +226,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
226 M_ASN1_I2D_finish(); 226 M_ASN1_I2D_finish();
227 } 227 }
228 228
229SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, 229SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp,
230 long length) 230 long length)
231 { 231 {
232 int version,ssl_version=0,i; 232 int version,ssl_version=0,i;
@@ -266,7 +266,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
266 ((unsigned long)os.data[1]<< 8L)| 266 ((unsigned long)os.data[1]<< 8L)|
267 (unsigned long)os.data[2]; 267 (unsigned long)os.data[2];
268 } 268 }
269 else if ((ssl_version>>8) == 3) 269 else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
270 { 270 {
271 if (os.length != 2) 271 if (os.length != 2)
272 { 272 {
@@ -287,9 +287,9 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
287 ret->cipher_id=id; 287 ret->cipher_id=id;
288 288
289 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); 289 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
290 if ((ssl_version>>8) == SSL3_VERSION) 290 if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
291 i=SSL3_MAX_SSL_SESSION_ID_LENGTH; 291 i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
292 else /* if (ssl_version == SSL2_VERSION) */ 292 else /* if (ssl_version == SSL2_VERSION_MAJOR) */
293 i=SSL2_MAX_SSL_SESSION_ID_LENGTH; 293 i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
294 294
295 if (os.length > i) 295 if (os.length > i)
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 2cfb615878..b8b9bc2390 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -117,6 +117,7 @@
117 117
118#if defined(WIN32) 118#if defined(WIN32)
119#include <windows.h> 119#include <windows.h>
120#include <tchar.h>
120#endif 121#endif
121 122
122#ifdef NeXT 123#ifdef NeXT
@@ -129,6 +130,7 @@
129#include <openssl/pem.h> 130#include <openssl/pem.h>
130#include <openssl/x509v3.h> 131#include <openssl/x509v3.h>
131#include "ssl_locl.h" 132#include "ssl_locl.h"
133#include <openssl/fips.h>
132 134
133int SSL_get_ex_data_X509_STORE_CTX_idx(void) 135int SSL_get_ex_data_X509_STORE_CTX_idx(void)
134 { 136 {
@@ -542,12 +544,12 @@ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
542 set_client_CA_list(&(ctx->client_CA),name_list); 544 set_client_CA_list(&(ctx->client_CA),name_list);
543 } 545 }
544 546
545STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx) 547STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
546 { 548 {
547 return(ctx->client_CA); 549 return(ctx->client_CA);
548 } 550 }
549 551
550STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s) 552STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
551 { 553 {
552 if (s->type == SSL_ST_CONNECT) 554 if (s->type == SSL_ST_CONNECT)
553 { /* we are in the client */ 555 { /* we are in the client */
@@ -783,36 +785,54 @@ err:
783 785
784#else /* OPENSSL_SYS_WIN32 */ 786#else /* OPENSSL_SYS_WIN32 */
785 787
788#if defined(_WIN32_WCE)
789# ifndef UNICODE
790# error "WinCE comes in UNICODE flavor only..."
791# endif
792# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
793# define OPENSSL_NO_MULTIBYTE
794# endif
795# ifndef FindFirstFile
796# define FindFirstFile FindFirstFileW
797# endif
798# ifndef FindNextFile
799# define FindNextFile FindNextFileW
800# endif
801#endif
802
786int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 803int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
787 const char *dir) 804 const char *dir)
788 { 805 {
789 WIN32_FIND_DATA FindFileData; 806 WIN32_FIND_DATA FindFileData;
790 HANDLE hFind; 807 HANDLE hFind;
791 int ret = 0; 808 int ret = 0;
792#ifdef OPENSSL_SYS_WINCE 809 TCHAR *wdir = NULL;
793 WCHAR* wdir = NULL; 810 size_t i,len_0 = strlen(dir)+1; /* len_0 accounts for trailing 0 */
794#endif 811 char buf[1024],*slash;
812
813 if (len_0 > (sizeof(buf)-14)) /* 14 is just some value... */
814 {
815 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
816 return ret;
817 }
795 818
796 CRYPTO_w_lock(CRYPTO_LOCK_READDIR); 819 CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
797 820
798#ifdef OPENSSL_SYS_WINCE 821 if (sizeof(TCHAR) != sizeof(char))
799 /* convert strings to UNICODE */ 822 {
800 { 823 wdir = (TCHAR *)malloc(len_0*sizeof(TCHAR));
801 BOOL result = FALSE;
802 int i;
803 wdir = malloc((strlen(dir)+1)*2);
804 if (wdir == NULL) 824 if (wdir == NULL)
805 goto err_noclose; 825 goto err_noclose;
806 for (i=0; i<(int)strlen(dir)+1; i++) 826#ifndef OPENSSL_NO_MULTIBYTE
807 wdir[i] = (short)dir[i]; 827 if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
808 } 828 (WCHAR *)wdir,len_0))
809#endif 829#endif
830 for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
831
832 hFind = FindFirstFile(wdir, &FindFileData);
833 }
834 else hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
810 835
811#ifdef OPENSSL_SYS_WINCE
812 hFind = FindFirstFile(wdir, &FindFileData);
813#else
814 hFind = FindFirstFile(dir, &FindFileData);
815#endif
816 /* Note that a side effect is that the CAs will be sorted by name */ 836 /* Note that a side effect is that the CAs will be sorted by name */
817 if(hFind == INVALID_HANDLE_VALUE) 837 if(hFind == INVALID_HANDLE_VALUE)
818 { 838 {
@@ -821,25 +841,34 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
821 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); 841 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
822 goto err_noclose; 842 goto err_noclose;
823 } 843 }
824 844
825 do 845 strncpy(buf,dir,sizeof(buf)); /* strcpy is safe too... */
826 { 846 buf[len_0-1]='/'; /* no trailing zero! */
827 char buf[1024]; 847 slash=buf+len_0;
828 int r; 848
829 849 do {
830#ifdef OPENSSL_SYS_WINCE 850 const TCHAR *fnam=FindFileData.cFileName;
831 if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf) 851 size_t flen_0=_tcslen(fnam)+1;
832#else 852
833 if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf) 853 if (flen_0 > (sizeof(buf)-len_0))
834#endif
835 { 854 {
836 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG); 855 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
837 goto err; 856 goto err;
838 } 857 }
839 858 /* else strcpy would be safe too... */
840 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,FindFileData.cFileName); 859
841 if (r <= 0 || r >= sizeof buf) 860 if (sizeof(TCHAR) != sizeof(char))
842 goto err; 861 {
862#ifndef OPENSSL_NO_MULTIBYTE
863 if (!WideCharToMultiByte(CP_ACP,0,
864 (WCHAR *)fnam,flen_0,
865 slash,sizeof(buf)-len_0,
866 NULL,0))
867#endif
868 for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
869 }
870 else strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
871
843 if(!SSL_add_file_cert_subjects_to_stack(stack,buf)) 872 if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
844 goto err; 873 goto err;
845 } 874 }
@@ -849,10 +878,9 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
849err: 878err:
850 FindClose(hFind); 879 FindClose(hFind);
851err_noclose: 880err_noclose:
852#ifdef OPENSSL_SYS_WINCE
853 if (wdir != NULL) 881 if (wdir != NULL)
854 free(wdir); 882 free(wdir);
855#endif 883
856 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); 884 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
857 return ret; 885 return ret;
858 } 886 }
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 44c503eb04..b68ed81e52 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -59,6 +59,7 @@
59#include <stdio.h> 59#include <stdio.h>
60#include <openssl/objects.h> 60#include <openssl/objects.h>
61#include <openssl/comp.h> 61#include <openssl/comp.h>
62#include <openssl/fips.h>
62#include "ssl_locl.h" 63#include "ssl_locl.h"
63 64
64#define SSL_ENC_DES_IDX 0 65#define SSL_ENC_DES_IDX 0
@@ -153,13 +154,13 @@ static const SSL_CIPHER cipher_aliases[]={
153 {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK}, 154 {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
154 {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK}, 155 {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
155 {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK}, 156 {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
157 {0,SSL_TXT_FIPS, 0, 0, SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
156 }; 158 };
157 159
158static int init_ciphers=1; 160static int init_ciphers=1;
159 161
160static void load_ciphers(void) 162static void load_ciphers(void)
161 { 163 {
162 init_ciphers=0;
163 ssl_cipher_methods[SSL_ENC_DES_IDX]= 164 ssl_cipher_methods[SSL_ENC_DES_IDX]=
164 EVP_get_cipherbyname(SN_des_cbc); 165 EVP_get_cipherbyname(SN_des_cbc);
165 ssl_cipher_methods[SSL_ENC_3DES_IDX]= 166 ssl_cipher_methods[SSL_ENC_3DES_IDX]=
@@ -183,9 +184,10 @@ static void load_ciphers(void)
183 EVP_get_digestbyname(SN_md5); 184 EVP_get_digestbyname(SN_md5);
184 ssl_digest_methods[SSL_MD_SHA1_IDX]= 185 ssl_digest_methods[SSL_MD_SHA1_IDX]=
185 EVP_get_digestbyname(SN_sha1); 186 EVP_get_digestbyname(SN_sha1);
187 init_ciphers=0;
186 } 188 }
187 189
188int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc, 190int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
189 const EVP_MD **md, SSL_COMP **comp) 191 const EVP_MD **md, SSL_COMP **comp)
190 { 192 {
191 int i; 193 int i;
@@ -359,7 +361,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
359 { 361 {
360 c = ssl_method->get_cipher(i); 362 c = ssl_method->get_cipher(i);
361 /* drop those that use any of that is not available */ 363 /* drop those that use any of that is not available */
364#ifdef OPENSSL_FIPS
365 if ((c != NULL) && c->valid && !(c->algorithms & mask)
366 && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
367#else
362 if ((c != NULL) && c->valid && !(c->algorithms & mask)) 368 if ((c != NULL) && c->valid && !(c->algorithms & mask))
369#endif
363 { 370 {
364 co_list[co_list_num].cipher = c; 371 co_list[co_list_num].cipher = c;
365 co_list[co_list_num].next = NULL; 372 co_list[co_list_num].next = NULL;
@@ -854,7 +861,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
854 */ 861 */
855 for (curr = head; curr != NULL; curr = curr->next) 862 for (curr = head; curr != NULL; curr = curr->next)
856 { 863 {
864#ifdef OPENSSL_FIPS
865 if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
866#else
857 if (curr->active) 867 if (curr->active)
868#endif
858 { 869 {
859 sk_SSL_CIPHER_push(cipherstack, curr->cipher); 870 sk_SSL_CIPHER_push(cipherstack, curr->cipher);
860#ifdef CIPHER_DEBUG 871#ifdef CIPHER_DEBUG
@@ -1054,7 +1065,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
1054 return(buf); 1065 return(buf);
1055 } 1066 }
1056 1067
1057char *SSL_CIPHER_get_version(SSL_CIPHER *c) 1068char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
1058 { 1069 {
1059 int i; 1070 int i;
1060 1071
@@ -1069,7 +1080,7 @@ char *SSL_CIPHER_get_version(SSL_CIPHER *c)
1069 } 1080 }
1070 1081
1071/* return the actual cipher being used */ 1082/* return the actual cipher being used */
1072const char *SSL_CIPHER_get_name(SSL_CIPHER *c) 1083const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
1073 { 1084 {
1074 if (c != NULL) 1085 if (c != NULL)
1075 return(c->name); 1086 return(c->name);
@@ -1077,7 +1088,7 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
1077 } 1088 }
1078 1089
1079/* number of bits for symmetric cipher */ 1090/* number of bits for symmetric cipher */
1080int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits) 1091int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1081 { 1092 {
1082 int ret=0; 1093 int ret=0;
1083 1094
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index d2cb181503..29b8ff4788 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,6 +1,6 @@
1/* ssl/ssl_err.c */ 1/* ssl/ssl_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -193,6 +193,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
193{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0), "SSL_set_trust"}, 193{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0), "SSL_set_trust"},
194{ERR_PACK(0,SSL_F_SSL_SET_WFD,0), "SSL_set_wfd"}, 194{ERR_PACK(0,SSL_F_SSL_SET_WFD,0), "SSL_set_wfd"},
195{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0), "SSL_shutdown"}, 195{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0), "SSL_shutdown"},
196{ERR_PACK(0,SSL_F_SSL_UNDEFINED_CONST_FUNCTION,0), "SSL_UNDEFINED_CONST_FUNCTION"},
196{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0), "SSL_UNDEFINED_FUNCTION"}, 197{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0), "SSL_UNDEFINED_FUNCTION"},
197{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0), "SSL_use_certificate"}, 198{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0), "SSL_use_certificate"},
198{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0), "SSL_use_certificate_ASN1"}, 199{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0), "SSL_use_certificate_ASN1"},
@@ -334,6 +335,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
334{SSL_R_NULL_SSL_CTX ,"null ssl ctx"}, 335{SSL_R_NULL_SSL_CTX ,"null ssl ctx"},
335{SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"}, 336{SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"},
336{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"}, 337{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"},
338{SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE ,"only tls allowed in fips mode"},
337{SSL_R_PACKET_LENGTH_TOO_LONG ,"packet length too long"}, 339{SSL_R_PACKET_LENGTH_TOO_LONG ,"packet length too long"},
338{SSL_R_PATH_TOO_LONG ,"path too long"}, 340{SSL_R_PATH_TOO_LONG ,"path too long"},
339{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"}, 341{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index ee9a82d586..631229558f 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -121,6 +121,7 @@
121#include <openssl/objects.h> 121#include <openssl/objects.h>
122#include <openssl/lhash.h> 122#include <openssl/lhash.h>
123#include <openssl/x509v3.h> 123#include <openssl/x509v3.h>
124#include <openssl/fips.h>
124 125
125const char *SSL_version_str=OPENSSL_VERSION_TEXT; 126const char *SSL_version_str=OPENSSL_VERSION_TEXT;
126 127
@@ -500,18 +501,18 @@ void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
500 s->wbio=wbio; 501 s->wbio=wbio;
501 } 502 }
502 503
503BIO *SSL_get_rbio(SSL *s) 504BIO *SSL_get_rbio(const SSL *s)
504 { return(s->rbio); } 505 { return(s->rbio); }
505 506
506BIO *SSL_get_wbio(SSL *s) 507BIO *SSL_get_wbio(const SSL *s)
507 { return(s->wbio); } 508 { return(s->wbio); }
508 509
509int SSL_get_fd(SSL *s) 510int SSL_get_fd(const SSL *s)
510 { 511 {
511 return(SSL_get_rfd(s)); 512 return(SSL_get_rfd(s));
512 } 513 }
513 514
514int SSL_get_rfd(SSL *s) 515int SSL_get_rfd(const SSL *s)
515 { 516 {
516 int ret= -1; 517 int ret= -1;
517 BIO *b,*r; 518 BIO *b,*r;
@@ -523,7 +524,7 @@ int SSL_get_rfd(SSL *s)
523 return(ret); 524 return(ret);
524 } 525 }
525 526
526int SSL_get_wfd(SSL *s) 527int SSL_get_wfd(const SSL *s)
527 { 528 {
528 int ret= -1; 529 int ret= -1;
529 BIO *b,*r; 530 BIO *b,*r;
@@ -605,7 +606,7 @@ err:
605 606
606 607
607/* return length of latest Finished message we sent, copy to 'buf' */ 608/* return length of latest Finished message we sent, copy to 'buf' */
608size_t SSL_get_finished(SSL *s, void *buf, size_t count) 609size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
609 { 610 {
610 size_t ret = 0; 611 size_t ret = 0;
611 612
@@ -620,7 +621,7 @@ size_t SSL_get_finished(SSL *s, void *buf, size_t count)
620 } 621 }
621 622
622/* return length of latest Finished message we expected, copy to 'buf' */ 623/* return length of latest Finished message we expected, copy to 'buf' */
623size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count) 624size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
624 { 625 {
625 size_t ret = 0; 626 size_t ret = 0;
626 627
@@ -635,32 +636,32 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
635 } 636 }
636 637
637 638
638int SSL_get_verify_mode(SSL *s) 639int SSL_get_verify_mode(const SSL *s)
639 { 640 {
640 return(s->verify_mode); 641 return(s->verify_mode);
641 } 642 }
642 643
643int SSL_get_verify_depth(SSL *s) 644int SSL_get_verify_depth(const SSL *s)
644 { 645 {
645 return(s->verify_depth); 646 return(s->verify_depth);
646 } 647 }
647 648
648int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *) 649int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
649 { 650 {
650 return(s->verify_callback); 651 return(s->verify_callback);
651 } 652 }
652 653
653int SSL_CTX_get_verify_mode(SSL_CTX *ctx) 654int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
654 { 655 {
655 return(ctx->verify_mode); 656 return(ctx->verify_mode);
656 } 657 }
657 658
658int SSL_CTX_get_verify_depth(SSL_CTX *ctx) 659int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
659 { 660 {
660 return(ctx->verify_depth); 661 return(ctx->verify_depth);
661 } 662 }
662 663
663int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *) 664int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
664 { 665 {
665 return(ctx->default_verify_callback); 666 return(ctx->default_verify_callback);
666 } 667 }
@@ -683,12 +684,12 @@ void SSL_set_read_ahead(SSL *s,int yes)
683 s->read_ahead=yes; 684 s->read_ahead=yes;
684 } 685 }
685 686
686int SSL_get_read_ahead(SSL *s) 687int SSL_get_read_ahead(const SSL *s)
687 { 688 {
688 return(s->read_ahead); 689 return(s->read_ahead);
689 } 690 }
690 691
691int SSL_pending(SSL *s) 692int SSL_pending(const SSL *s)
692 { 693 {
693 /* SSL_pending cannot work properly if read-ahead is enabled 694 /* SSL_pending cannot work properly if read-ahead is enabled
694 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), 695 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
@@ -700,7 +701,7 @@ int SSL_pending(SSL *s)
700 return(s->method->ssl_pending(s)); 701 return(s->method->ssl_pending(s));
701 } 702 }
702 703
703X509 *SSL_get_peer_certificate(SSL *s) 704X509 *SSL_get_peer_certificate(const SSL *s)
704 { 705 {
705 X509 *r; 706 X509 *r;
706 707
@@ -716,7 +717,7 @@ X509 *SSL_get_peer_certificate(SSL *s)
716 return(r); 717 return(r);
717 } 718 }
718 719
719STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s) 720STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
720 { 721 {
721 STACK_OF(X509) *r; 722 STACK_OF(X509) *r;
722 723
@@ -733,7 +734,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
733 734
734/* Now in theory, since the calling process own 't' it should be safe to 735/* Now in theory, since the calling process own 't' it should be safe to
735 * modify. We need to be able to read f without being hassled */ 736 * modify. We need to be able to read f without being hassled */
736void SSL_copy_session_id(SSL *t,SSL *f) 737void SSL_copy_session_id(SSL *t,const SSL *f)
737 { 738 {
738 CERT *tmp; 739 CERT *tmp;
739 740
@@ -762,7 +763,7 @@ void SSL_copy_session_id(SSL *t,SSL *f)
762 } 763 }
763 764
764/* Fix this so it checks all the valid key/cert options */ 765/* Fix this so it checks all the valid key/cert options */
765int SSL_CTX_check_private_key(SSL_CTX *ctx) 766int SSL_CTX_check_private_key(const SSL_CTX *ctx)
766 { 767 {
767 if ( (ctx == NULL) || 768 if ( (ctx == NULL) ||
768 (ctx->cert == NULL) || 769 (ctx->cert == NULL) ||
@@ -780,7 +781,7 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx)
780 } 781 }
781 782
782/* Fix this function so that it takes an optional type parameter */ 783/* Fix this function so that it takes an optional type parameter */
783int SSL_check_private_key(SSL *ssl) 784int SSL_check_private_key(const SSL *ssl)
784 { 785 {
785 if (ssl == NULL) 786 if (ssl == NULL)
786 { 787 {
@@ -824,7 +825,7 @@ int SSL_connect(SSL *s)
824 return(s->method->ssl_connect(s)); 825 return(s->method->ssl_connect(s));
825 } 826 }
826 827
827long SSL_get_default_timeout(SSL *s) 828long SSL_get_default_timeout(const SSL *s)
828 { 829 {
829 return(s->method->get_timeout()); 830 return(s->method->get_timeout());
830 } 831 }
@@ -1071,7 +1072,7 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1071 1072
1072/** return a STACK of the ciphers available for the SSL and in order of 1073/** return a STACK of the ciphers available for the SSL and in order of
1073 * preference */ 1074 * preference */
1074STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s) 1075STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
1075 { 1076 {
1076 if (s != NULL) 1077 if (s != NULL)
1077 { 1078 {
@@ -1108,7 +1109,7 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
1108 } 1109 }
1109 1110
1110/** The old interface to get the same thing as SSL_get_ciphers() */ 1111/** The old interface to get the same thing as SSL_get_ciphers() */
1111const char *SSL_get_cipher_list(SSL *s,int n) 1112const char *SSL_get_cipher_list(const SSL *s,int n)
1112 { 1113 {
1113 SSL_CIPHER *c; 1114 SSL_CIPHER *c;
1114 STACK_OF(SSL_CIPHER) *sk; 1115 STACK_OF(SSL_CIPHER) *sk;
@@ -1145,7 +1146,7 @@ int SSL_set_cipher_list(SSL *s,const char *str)
1145 } 1146 }
1146 1147
1147/* works well for SSLv2, not so good for SSLv3 */ 1148/* works well for SSLv2, not so good for SSLv3 */
1148char *SSL_get_shared_ciphers(SSL *s,char *buf,int len) 1149char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1149 { 1150 {
1150 char *p; 1151 char *p;
1151 const char *cp; 1152 const char *cp;
@@ -1249,7 +1250,7 @@ err:
1249 return(NULL); 1250 return(NULL);
1250 } 1251 }
1251 1252
1252unsigned long SSL_SESSION_hash(SSL_SESSION *a) 1253unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
1253 { 1254 {
1254 unsigned long l; 1255 unsigned long l;
1255 1256
@@ -1266,7 +1267,7 @@ unsigned long SSL_SESSION_hash(SSL_SESSION *a)
1266 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being 1267 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1267 * able to construct an SSL_SESSION that will collide with any existing session 1268 * able to construct an SSL_SESSION that will collide with any existing session
1268 * with a matching session ID. */ 1269 * with a matching session ID. */
1269int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b) 1270int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
1270 { 1271 {
1271 if (a->ssl_version != b->ssl_version) 1272 if (a->ssl_version != b->ssl_version)
1272 return(1); 1273 return(1);
@@ -1292,6 +1293,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1292 return(NULL); 1293 return(NULL);
1293 } 1294 }
1294 1295
1296#ifdef OPENSSL_FIPS
1297 if (FIPS_mode() && (meth->version < TLS1_VERSION))
1298 {
1299 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
1300 return NULL;
1301 }
1302#endif
1303
1295 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) 1304 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1296 { 1305 {
1297 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 1306 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1722,7 +1731,7 @@ int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
1722 return(ret); 1731 return(ret);
1723 } 1732 }
1724 1733
1725int SSL_get_error(SSL *s,int i) 1734int SSL_get_error(const SSL *s,int i)
1726 { 1735 {
1727 int reason; 1736 int reason;
1728 unsigned long l; 1737 unsigned long l;
@@ -1856,13 +1865,19 @@ int ssl_undefined_function(SSL *s)
1856 return(0); 1865 return(0);
1857 } 1866 }
1858 1867
1868int ssl_undefined_const_function(const SSL *s)
1869 {
1870 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1871 return(0);
1872 }
1873
1859SSL_METHOD *ssl_bad_method(int ver) 1874SSL_METHOD *ssl_bad_method(int ver)
1860 { 1875 {
1861 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1876 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1862 return(NULL); 1877 return(NULL);
1863 } 1878 }
1864 1879
1865const char *SSL_get_version(SSL *s) 1880const char *SSL_get_version(const SSL *s)
1866 { 1881 {
1867 if (s->version == TLS1_VERSION) 1882 if (s->version == TLS1_VERSION)
1868 return("TLSv1"); 1883 return("TLSv1");
@@ -2031,7 +2046,7 @@ void ssl_clear_cipher_ctx(SSL *s)
2031 } 2046 }
2032 2047
2033/* Fix this function so that it takes an optional type parameter */ 2048/* Fix this function so that it takes an optional type parameter */
2034X509 *SSL_get_certificate(SSL *s) 2049X509 *SSL_get_certificate(const SSL *s)
2035 { 2050 {
2036 if (s->cert != NULL) 2051 if (s->cert != NULL)
2037 return(s->cert->key->x509); 2052 return(s->cert->key->x509);
@@ -2048,7 +2063,7 @@ EVP_PKEY *SSL_get_privatekey(SSL *s)
2048 return(NULL); 2063 return(NULL);
2049 } 2064 }
2050 2065
2051SSL_CIPHER *SSL_get_current_cipher(SSL *s) 2066SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
2052 { 2067 {
2053 if ((s->session != NULL) && (s->session->cipher != NULL)) 2068 if ((s->session != NULL) && (s->session->cipher != NULL))
2054 return(s->session->cipher); 2069 return(s->session->cipher);
@@ -2112,7 +2127,7 @@ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
2112 ctx->quiet_shutdown=mode; 2127 ctx->quiet_shutdown=mode;
2113 } 2128 }
2114 2129
2115int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx) 2130int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
2116 { 2131 {
2117 return(ctx->quiet_shutdown); 2132 return(ctx->quiet_shutdown);
2118 } 2133 }
@@ -2122,7 +2137,7 @@ void SSL_set_quiet_shutdown(SSL *s,int mode)
2122 s->quiet_shutdown=mode; 2137 s->quiet_shutdown=mode;
2123 } 2138 }
2124 2139
2125int SSL_get_quiet_shutdown(SSL *s) 2140int SSL_get_quiet_shutdown(const SSL *s)
2126 { 2141 {
2127 return(s->quiet_shutdown); 2142 return(s->quiet_shutdown);
2128 } 2143 }
@@ -2132,17 +2147,17 @@ void SSL_set_shutdown(SSL *s,int mode)
2132 s->shutdown=mode; 2147 s->shutdown=mode;
2133 } 2148 }
2134 2149
2135int SSL_get_shutdown(SSL *s) 2150int SSL_get_shutdown(const SSL *s)
2136 { 2151 {
2137 return(s->shutdown); 2152 return(s->shutdown);
2138 } 2153 }
2139 2154
2140int SSL_version(SSL *s) 2155int SSL_version(const SSL *s)
2141 { 2156 {
2142 return(s->version); 2157 return(s->version);
2143 } 2158 }
2144 2159
2145SSL_CTX *SSL_get_SSL_CTX(SSL *ssl) 2160SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
2146 { 2161 {
2147 return(ssl->ctx); 2162 return(ssl->ctx);
2148 } 2163 }
@@ -2156,7 +2171,9 @@ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
2156int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 2171int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
2157 const char *CApath) 2172 const char *CApath)
2158 { 2173 {
2159 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); 2174 int r;
2175 r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
2176 return r;
2160 } 2177 }
2161#endif 2178#endif
2162 2179
@@ -2166,12 +2183,12 @@ void SSL_set_info_callback(SSL *ssl,
2166 ssl->info_callback=cb; 2183 ssl->info_callback=cb;
2167 } 2184 }
2168 2185
2169void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val) 2186void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val)
2170 { 2187 {
2171 return ssl->info_callback; 2188 return ssl->info_callback;
2172 } 2189 }
2173 2190
2174int SSL_state(SSL *ssl) 2191int SSL_state(const SSL *ssl)
2175 { 2192 {
2176 return(ssl->state); 2193 return(ssl->state);
2177 } 2194 }
@@ -2181,7 +2198,7 @@ void SSL_set_verify_result(SSL *ssl,long arg)
2181 ssl->verify_result=arg; 2198 ssl->verify_result=arg;
2182 } 2199 }
2183 2200
2184long SSL_get_verify_result(SSL *ssl) 2201long SSL_get_verify_result(const SSL *ssl)
2185 { 2202 {
2186 return(ssl->verify_result); 2203 return(ssl->verify_result);
2187 } 2204 }
@@ -2198,7 +2215,7 @@ int SSL_set_ex_data(SSL *s,int idx,void *arg)
2198 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 2215 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2199 } 2216 }
2200 2217
2201void *SSL_get_ex_data(SSL *s,int idx) 2218void *SSL_get_ex_data(const SSL *s,int idx)
2202 { 2219 {
2203 return(CRYPTO_get_ex_data(&s->ex_data,idx)); 2220 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2204 } 2221 }
@@ -2215,7 +2232,7 @@ int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
2215 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 2232 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2216 } 2233 }
2217 2234
2218void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx) 2235void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
2219 { 2236 {
2220 return(CRYPTO_get_ex_data(&s->ex_data,idx)); 2237 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2221 } 2238 }
@@ -2225,7 +2242,7 @@ int ssl_ok(SSL *s)
2225 return(1); 2242 return(1);
2226 } 2243 }
2227 2244
2228X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx) 2245X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
2229 { 2246 {
2230 return(ctx->cert_store); 2247 return(ctx->cert_store);
2231 } 2248 }
@@ -2237,7 +2254,7 @@ void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
2237 ctx->cert_store=store; 2254 ctx->cert_store=store;
2238 } 2255 }
2239 2256
2240int SSL_want(SSL *s) 2257int SSL_want(const SSL *s)
2241 { 2258 {
2242 return(s->rwstate); 2259 return(s->rwstate);
2243 } 2260 }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index dd6c7a7323..25a144a0d0 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -302,8 +302,9 @@
302#define SSL_LOW 0x00000020L 302#define SSL_LOW 0x00000020L
303#define SSL_MEDIUM 0x00000040L 303#define SSL_MEDIUM 0x00000040L
304#define SSL_HIGH 0x00000080L 304#define SSL_HIGH 0x00000080L
305#define SSL_FIPS 0x00000100L
305 306
306/* we have used 000000ff - 24 bits left to go */ 307/* we have used 000001ff - 23 bits left to go */
307 308
308/* 309/*
309 * Macros to check the export status and cipher strength for export ciphers. 310 * Macros to check the export status and cipher strength for export ciphers.
@@ -498,10 +499,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
498 STACK_OF(SSL_CIPHER) **sorted, 499 STACK_OF(SSL_CIPHER) **sorted,
499 const char *rule_str); 500 const char *rule_str);
500void ssl_update_cache(SSL *s, int mode); 501void ssl_update_cache(SSL *s, int mode);
501int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md, 502int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
502 SSL_COMP **comp); 503 const EVP_MD **md,SSL_COMP **comp);
503int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); 504int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
504int ssl_undefined_function(SSL *s); 505int ssl_undefined_function(SSL *s);
506int ssl_undefined_const_function(const SSL *s);
505X509 *ssl_get_server_send_cert(SSL *); 507X509 *ssl_get_server_send_cert(SSL *);
506EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); 508EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
507int ssl_cert_type(X509 *x,EVP_PKEY *pkey); 509int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
@@ -535,7 +537,7 @@ long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
535long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg); 537long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
536long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)()); 538long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
537long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)()); 539long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
538int ssl2_pending(SSL *s); 540int ssl2_pending(const SSL *s);
539 541
540SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); 542SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
541int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p); 543int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
@@ -583,7 +585,7 @@ long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
583long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg); 585long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
584long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)()); 586long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
585long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)()); 587long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
586int ssl3_pending(SSL *s); 588int ssl3_pending(const SSL *s);
587 589
588int ssl23_accept(SSL *s); 590int ssl23_accept(SSL *s);
589int ssl23_connect(SSL *s); 591int ssl23_connect(SSL *s);
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 330390519b..fb0bd4d045 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -804,7 +804,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
804 /* When the while loop ends, it's usually just EOF. */ 804 /* When the while loop ends, it's usually just EOF. */
805 err = ERR_peek_last_error(); 805 err = ERR_peek_last_error();
806 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) 806 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
807 (void)ERR_get_error(); 807 ERR_clear_error();
808 else 808 else
809 ret = 0; /* some real error */ 809 ret = 0; /* some real error */
810 } 810 }
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 7016c87d3b..5f12aa361c 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -65,7 +65,7 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
65static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); 65static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
66static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck); 66static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
67 67
68SSL_SESSION *SSL_get_session(SSL *ssl) 68SSL_SESSION *SSL_get_session(const SSL *ssl)
69/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */ 69/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
70 { 70 {
71 return(ssl->session); 71 return(ssl->session);
@@ -98,7 +98,7 @@ int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
98 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 98 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
99 } 99 }
100 100
101void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx) 101void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
102 { 102 {
103 return(CRYPTO_get_ex_data(&s->ex_data,idx)); 103 return(CRYPTO_get_ex_data(&s->ex_data,idx));
104 } 104 }
@@ -141,7 +141,8 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
141{ 141{
142 unsigned int retry = 0; 142 unsigned int retry = 0;
143 do 143 do
144 RAND_pseudo_bytes(id, *id_len); 144 if(RAND_pseudo_bytes(id, *id_len) <= 0)
145 return 0;
145 while(SSL_has_matching_session_id(ssl, id, *id_len) && 146 while(SSL_has_matching_session_id(ssl, id, *id_len) &&
146 (++retry < MAX_SESS_ID_ATTEMPTS)); 147 (++retry < MAX_SESS_ID_ATTEMPTS));
147 if(retry < MAX_SESS_ID_ATTEMPTS) 148 if(retry < MAX_SESS_ID_ATTEMPTS)
@@ -609,13 +610,13 @@ long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
609 return(1); 610 return(1);
610 } 611 }
611 612
612long SSL_SESSION_get_timeout(SSL_SESSION *s) 613long SSL_SESSION_get_timeout(const SSL_SESSION *s)
613 { 614 {
614 if (s == NULL) return(0); 615 if (s == NULL) return(0);
615 return(s->timeout); 616 return(s->timeout);
616 } 617 }
617 618
618long SSL_SESSION_get_time(SSL_SESSION *s) 619long SSL_SESSION_get_time(const SSL_SESSION *s)
619 { 620 {
620 if (s == NULL) return(0); 621 if (s == NULL) return(0);
621 return(s->time); 622 return(s->time);
@@ -637,7 +638,7 @@ long SSL_CTX_set_timeout(SSL_CTX *s, long t)
637 return(l); 638 return(l);
638 } 639 }
639 640
640long SSL_CTX_get_timeout(SSL_CTX *s) 641long SSL_CTX_get_timeout(const SSL_CTX *s)
641 { 642 {
642 if (s == NULL) return(0); 643 if (s == NULL) return(0);
643 return(s->session_timeout); 644 return(s->session_timeout);
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
index 40b76b1b26..8655a31333 100644
--- a/src/lib/libssl/ssl_txt.c
+++ b/src/lib/libssl/ssl_txt.c
@@ -61,7 +61,7 @@
61#include "ssl_locl.h" 61#include "ssl_locl.h"
62 62
63#ifndef OPENSSL_NO_FP_API 63#ifndef OPENSSL_NO_FP_API
64int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x) 64int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
65 { 65 {
66 BIO *b; 66 BIO *b;
67 int ret; 67 int ret;
@@ -78,7 +78,7 @@ int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
78 } 78 }
79#endif 79#endif
80 80
81int SSL_SESSION_print(BIO *bp, SSL_SESSION *x) 81int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
82 { 82 {
83 unsigned int i; 83 unsigned int i;
84 char *s; 84 char *s;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 271e247eea..2c6246abf5 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -115,6 +115,7 @@
115#include <openssl/evp.h> 115#include <openssl/evp.h>
116#include <openssl/hmac.h> 116#include <openssl/hmac.h>
117#include <openssl/md5.h> 117#include <openssl/md5.h>
118#include <openssl/fips.h>
118 119
119static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, 120static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
120 int sec_len, unsigned char *seed, int seed_len, 121 int sec_len, unsigned char *seed, int seed_len,
@@ -131,6 +132,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
131 132
132 HMAC_CTX_init(&ctx); 133 HMAC_CTX_init(&ctx);
133 HMAC_CTX_init(&ctx_tmp); 134 HMAC_CTX_init(&ctx_tmp);
135 HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
136 HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
134 HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); 137 HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
135 HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); 138 HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
136 HMAC_Update(&ctx,seed,seed_len); 139 HMAC_Update(&ctx,seed,seed_len);
@@ -177,7 +180,6 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
177 S2= &(sec[len]); 180 S2= &(sec[len]);
178 len+=(slen&1); /* add for odd, make longer */ 181 len+=(slen&1); /* add for odd, make longer */
179 182
180
181 tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen); 183 tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
182 tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); 184 tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
183 185
diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf
index b941b7ae15..21da59a73a 100644
--- a/src/lib/libssl/test/CAss.cnf
+++ b/src/lib/libssl/test/CAss.cnf
@@ -23,3 +23,11 @@ organizationName_value = Dodgy Brothers
23 23
24commonName = Common Name (eg, YOUR name) 24commonName = Common Name (eg, YOUR name)
25commonName_value = Dodgy CA 25commonName_value = Dodgy CA
26
27[ v3_ca ]
28subjectKeyIdentifier=hash
29authorityKeyIdentifier=keyid:always,issuer:always
30basicConstraints = CA:true,pathlen:1
31keyUsage = cRLSign, keyCertSign
32issuerAltName=issuer:copy
33
diff --git a/src/lib/libssl/test/P1ss.cnf b/src/lib/libssl/test/P1ss.cnf
new file mode 100644
index 0000000000..876a0d35f8
--- /dev/null
+++ b/src/lib/libssl/test/P1ss.cnf
@@ -0,0 +1,37 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6RANDFILE = ./.rnd
7
8####################################################################
9[ req ]
10default_bits = 512
11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no
14default_md = md2
15
16[ req_distinguished_name ]
17countryName = Country Name (2 letter code)
18countryName_default = AU
19countryName_value = AU
20
21organizationName = Organization Name (eg, company)
22organizationName_value = Dodgy Brothers
23
240.commonName = Common Name (eg, YOUR name)
250.commonName_value = Brother 1
26
271.commonName = Common Name (eg, YOUR name)
281.commonName_value = Brother 2
29
302.commonName = Common Name (eg, YOUR name)
312.commonName_value = Proxy 1
32
33[ v3_proxy ]
34basicConstraints=CA:FALSE
35subjectKeyIdentifier=hash
36authorityKeyIdentifier=keyid,issuer:always
37proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/src/lib/libssl/test/P2ss.cnf b/src/lib/libssl/test/P2ss.cnf
new file mode 100644
index 0000000000..373a87e7c2
--- /dev/null
+++ b/src/lib/libssl/test/P2ss.cnf
@@ -0,0 +1,45 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6RANDFILE = ./.rnd
7
8####################################################################
9[ req ]
10default_bits = 512
11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no
14default_md = md2
15
16[ req_distinguished_name ]
17countryName = Country Name (2 letter code)
18countryName_default = AU
19countryName_value = AU
20
21organizationName = Organization Name (eg, company)
22organizationName_value = Dodgy Brothers
23
240.commonName = Common Name (eg, YOUR name)
250.commonName_value = Brother 1
26
271.commonName = Common Name (eg, YOUR name)
281.commonName_value = Brother 2
29
302.commonName = Common Name (eg, YOUR name)
312.commonName_value = Proxy 1
32
333.commonName = Common Name (eg, YOUR name)
343.commonName_value = Proxy 2
35
36[ v3_proxy ]
37basicConstraints=CA:FALSE
38subjectKeyIdentifier=hash
39authorityKeyIdentifier=keyid,issuer:always
40proxyCertInfo=critical,@proxy_ext
41
42[ proxy_ext ]
43language=id-ppl-anyLanguage
44pathlen=0
45policy=text:BC
diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf
index c89692d519..0c0ebb5f67 100644
--- a/src/lib/libssl/test/Uss.cnf
+++ b/src/lib/libssl/test/Uss.cnf
@@ -26,3 +26,11 @@ organizationName_value = Dodgy Brothers
26 26
271.commonName = Common Name (eg, YOUR name) 271.commonName = Common Name (eg, YOUR name)
281.commonName_value = Brother 2 281.commonName_value = Brother 2
29
30[ v3_ee ]
31subjectKeyIdentifier=hash
32authorityKeyIdentifier=keyid,issuer:always
33basicConstraints = CA:false
34keyUsage = nonRepudiation, digitalSignature, keyEncipherment
35issuerAltName=issuer:copy
36
diff --git a/src/lib/libssl/test/bctest b/src/lib/libssl/test/bctest
index bdb3218f7a..e81fc0733a 100644
--- a/src/lib/libssl/test/bctest
+++ b/src/lib/libssl/test/bctest
@@ -1,6 +1,6 @@
1#!/bin/sh 1#!/bin/sh
2 2
3# This script is used by test/Makefile.ssl to check whether a sane 'bc' 3# This script is used by test/Makefile to check whether a sane 'bc'
4# is installed. 4# is installed.
5# ('make test_bn' should not try to run 'bc' if it does not exist or if 5# ('make test_bn' should not try to run 'bc' if it does not exist or if
6# it is a broken 'bc' version that is known to cause trouble.) 6# it is a broken 'bc' version that is known to cause trouble.)
diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl
index f71ef7a863..3ffed12a03 100644
--- a/src/lib/libssl/test/tcrl
+++ b/src/lib/libssl/test/tcrl
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl crl' 10cmd='../util/shlib_wrap.sh ../apps/openssl crl'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca
index 8215ebb5d1..5b2faa78f1 100644
--- a/src/lib/libssl/test/testca
+++ b/src/lib/libssl/test/testca
@@ -11,6 +11,9 @@ export SH PATH
11SSLEAY_CONFIG="-config CAss.cnf" 11SSLEAY_CONFIG="-config CAss.cnf"
12export SSLEAY_CONFIG 12export SSLEAY_CONFIG
13 13
14OPENSSL="`pwd`/../util/shlib_wrap.sh openssl"
15export OPENSSL
16
14/bin/rm -fr demoCA 17/bin/rm -fr demoCA
15$SH ../apps/CA.sh -newca <<EOF 18$SH ../apps/CA.sh -newca <<EOF
16EOF 19EOF
diff --git a/src/lib/libssl/test/testenc b/src/lib/libssl/test/testenc
index 0656c7f525..4571ea2875 100644
--- a/src/lib/libssl/test/testenc
+++ b/src/lib/libssl/test/testenc
@@ -1,14 +1,14 @@
1#!/bin/sh 1#!/bin/sh
2 2
3testsrc=Makefile.ssl 3testsrc=Makefile
4test=./p 4test=./p
5cmd=../apps/openssl 5cmd="../util/shlib_wrap.sh ../apps/openssl"
6 6
7cat $testsrc >$test; 7cat $testsrc >$test;
8 8
9echo cat 9echo cat
10$cmd enc < $test > $test.cipher 10$cmd enc -non-fips-allow < $test > $test.cipher
11$cmd enc < $test.cipher >$test.clear 11$cmd enc -non-fips-allow < $test.cipher >$test.clear
12cmp $test $test.clear 12cmp $test $test.clear
13if [ $? != 0 ] 13if [ $? != 0 ]
14then 14then
@@ -17,8 +17,8 @@ else
17 /bin/rm $test.cipher $test.clear 17 /bin/rm $test.cipher $test.clear
18fi 18fi
19echo base64 19echo base64
20$cmd enc -a -e < $test > $test.cipher 20$cmd enc -non-fips-allow -a -e < $test > $test.cipher
21$cmd enc -a -d < $test.cipher >$test.clear 21$cmd enc -non-fips-allow -a -d < $test.cipher >$test.clear
22cmp $test $test.clear 22cmp $test $test.clear
23if [ $? != 0 ] 23if [ $? != 0 ]
24then 24then
@@ -30,8 +30,8 @@ fi
30for i in `$cmd list-cipher-commands` 30for i in `$cmd list-cipher-commands`
31do 31do
32 echo $i 32 echo $i
33 $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher 33 $cmd $i -non-fips-allow -bufsize 113 -e -k test < $test > $test.$i.cipher
34 $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear 34 $cmd $i -non-fips-allow -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
35 cmp $test $test.$i.clear 35 cmp $test $test.$i.clear
36 if [ $? != 0 ] 36 if [ $? != 0 ]
37 then 37 then
@@ -41,8 +41,8 @@ do
41 fi 41 fi
42 42
43 echo $i base64 43 echo $i base64
44 $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher 44 $cmd $i -non-fips-allow -bufsize 113 -a -e -k test < $test > $test.$i.cipher
45 $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear 45 $cmd $i -non-fips-allow -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
46 cmp $test $test.$i.clear 46 cmp $test $test.$i.clear
47 if [ $? != 0 ] 47 if [ $? != 0 ]
48 then 48 then
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
index 3798543e04..524c0d134c 100644
--- a/src/lib/libssl/test/testgen
+++ b/src/lib/libssl/test/testgen
@@ -17,7 +17,7 @@ echo "generating certificate request"
17 17
18echo "string to make the random number generator think it has entropy" >> ./.rnd 18echo "string to make the random number generator think it has entropy" >> ./.rnd
19 19
20if ../apps/openssl no-rsa; then 20if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
21 req_new='-newkey dsa:../apps/dsa512.pem' 21 req_new='-newkey dsa:../apps/dsa512.pem'
22else 22else
23 req_new='-new' 23 req_new='-new'
@@ -29,13 +29,13 @@ echo "This could take some time."
29 29
30rm -f testkey.pem testreq.pem 30rm -f testkey.pem testreq.pem
31 31
32../apps/openssl req -config test.cnf $req_new -out testreq.pem 32../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
33if [ $? != 0 ]; then 33if [ $? != 0 ]; then
34echo problems creating request 34echo problems creating request
35exit 1 35exit 1
36fi 36fi
37 37
38../apps/openssl req -config test.cnf -verify -in testreq.pem -noout 38../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
39if [ $? != 0 ]; then 39if [ $? != 0 ]; then
40echo signature on req is wrong 40echo signature on req is wrong
41exit 1 41exit 1
diff --git a/src/lib/libssl/test/testss b/src/lib/libssl/test/testss
index 8d3557f356..1a426857d3 100644
--- a/src/lib/libssl/test/testss
+++ b/src/lib/libssl/test/testss
@@ -1,9 +1,9 @@
1#!/bin/sh 1#!/bin/sh
2 2
3digest='-md5' 3digest='-sha1'
4reqcmd="../apps/openssl req" 4reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
5x509cmd="../apps/openssl x509 $digest" 5x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
6verifycmd="../apps/openssl verify" 6verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
7dummycnf="../apps/openssl.cnf" 7dummycnf="../apps/openssl.cnf"
8 8
9CAkey="keyCA.ss" 9CAkey="keyCA.ss"
@@ -17,12 +17,24 @@ Ukey="keyU.ss"
17Ureq="reqU.ss" 17Ureq="reqU.ss"
18Ucert="certU.ss" 18Ucert="certU.ss"
19 19
20P1conf="P1ss.cnf"
21P1key="keyP1.ss"
22P1req="reqP1.ss"
23P1cert="certP1.ss"
24P1intermediate="tmp_intP1.ss"
25
26P2conf="P2ss.cnf"
27P2key="keyP2.ss"
28P2req="reqP2.ss"
29P2cert="certP2.ss"
30P2intermediate="tmp_intP2.ss"
31
20echo 32echo
21echo "make a certificate request using 'req'" 33echo "make a certificate request using 'req'"
22 34
23echo "string to make the random number generator think it has entropy" >> ./.rnd 35echo "string to make the random number generator think it has entropy" >> ./.rnd
24 36
25if ../apps/openssl no-rsa; then 37if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
26 req_new='-newkey dsa:../apps/dsa512.pem' 38 req_new='-newkey dsa:../apps/dsa512.pem'
27else 39else
28 req_new='-new' 40 req_new='-new'
@@ -35,7 +47,7 @@ if [ $? != 0 ]; then
35fi 47fi
36echo 48echo
37echo "convert the certificate request into a self signed certificate using 'x509'" 49echo "convert the certificate request into a self signed certificate using 'x509'"
38$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss 50$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
39if [ $? != 0 ]; then 51if [ $? != 0 ]; then
40 echo "error using 'x509' to self sign a certificate request" 52 echo "error using 'x509' to self sign a certificate request"
41 exit 1 53 exit 1
@@ -68,18 +80,18 @@ if [ $? != 0 ]; then
68fi 80fi
69 81
70echo 82echo
71echo "make another certificate request using 'req'" 83echo "make a user certificate request using 'req'"
72$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss 84$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
73if [ $? != 0 ]; then 85if [ $? != 0 ]; then
74 echo "error using 'req' to generate a certificate request" 86 echo "error using 'req' to generate a user certificate request"
75 exit 1 87 exit 1
76fi 88fi
77 89
78echo 90echo
79echo "sign certificate request with the just created CA via 'x509'" 91echo "sign user certificate request with the just created CA via 'x509'"
80$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss 92$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
81if [ $? != 0 ]; then 93if [ $? != 0 ]; then
82 echo "error using 'x509' to sign a certificate request" 94 echo "error using 'x509' to sign a user certificate request"
83 exit 1 95 exit 1
84fi 96fi
85 97
@@ -89,11 +101,63 @@ echo "Certificate details"
89$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert 101$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
90 102
91echo 103echo
104echo "make a proxy certificate request using 'req'"
105$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
106if [ $? != 0 ]; then
107 echo "error using 'req' to generate a proxy certificate request"
108 exit 1
109fi
110
111echo
112echo "sign proxy certificate request with the just created user certificate via 'x509'"
113$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
114if [ $? != 0 ]; then
115 echo "error using 'x509' to sign a proxy certificate request"
116 exit 1
117fi
118
119cat $Ucert > $P1intermediate
120$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
121echo
122echo "Certificate details"
123$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
124
125echo
126echo "make another proxy certificate request using 'req'"
127$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
128if [ $? != 0 ]; then
129 echo "error using 'req' to generate another proxy certificate request"
130 exit 1
131fi
132
133echo
134echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
135$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
136if [ $? != 0 ]; then
137 echo "error using 'x509' to sign a second proxy certificate request"
138 exit 1
139fi
140
141cat $Ucert $P1cert > $P2intermediate
142$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
143echo
144echo "Certificate details"
145$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
146
147echo
92echo The generated CA certificate is $CAcert 148echo The generated CA certificate is $CAcert
93echo The generated CA private key is $CAkey 149echo The generated CA private key is $CAkey
94 150
95echo The generated user certificate is $Ucert 151echo The generated user certificate is $Ucert
96echo The generated user private key is $Ukey 152echo The generated user private key is $Ukey
97 153
154echo The first generated proxy certificate is $P1cert
155echo The first generated proxy private key is $P1key
156
157echo The second generated proxy certificate is $P2cert
158echo The second generated proxy private key is $P2key
159
98/bin/rm err.ss 160/bin/rm err.ss
161#/bin/rm $P1intermediate
162#/bin/rm $P2intermediate
99exit 0 163exit 0
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index ca8e718022..8ac90ae5ee 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -10,9 +10,9 @@ if [ "$2" = "" ]; then
10else 10else
11 cert="$2" 11 cert="$2"
12fi 12fi
13ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert" 13ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
14 14
15if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then 15if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
16 dsa_cert=YES 16 dsa_cert=YES
17else 17else
18 dsa_cert=NO 18 dsa_cert=NO
@@ -121,24 +121,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
121 121
122############################################################################# 122#############################################################################
123 123
124if ../apps/openssl no-dh; then 124if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
125 echo skipping anonymous DH tests 125 echo skipping anonymous DH tests
126else 126else
127 echo test tls1 with 1024bit anonymous DH, multiple handshakes 127 echo test tls1 with 1024bit anonymous DH, multiple handshakes
128 $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1 128 $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
129fi 129fi
130 130
131if ../apps/openssl no-rsa; then 131if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
132 echo skipping RSA tests 132 echo skipping RSA tests
133else 133else
134 echo test tls1 with 1024bit RSA, no DHE, multiple handshakes 134 echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
135 ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1 135 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
136 136
137 if ../apps/openssl no-dh; then 137 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
138 echo skipping RSA+DHE tests 138 echo skipping RSA+DHE tests
139 else 139 else
140 echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes 140 echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
141 ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 141 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
142 fi 142 fi
143fi 143fi
144 144
diff --git a/src/lib/libssl/test/testsslproxy b/src/lib/libssl/test/testsslproxy
new file mode 100644
index 0000000000..58bbda8ab7
--- /dev/null
+++ b/src/lib/libssl/test/testsslproxy
@@ -0,0 +1,10 @@
1#! /bin/sh
2
3echo 'Testing a lot of proxy conditions.'
4echo 'Some of them may turn out being invalid, which is fine.'
5for auth in A B C BC; do
6 for cond in A B C 'A|B&!C'; do
7 sh ./testssl $1 $2 $3 "-proxy -proxy_auth $auth -proxy_cond $cond"
8 if [ $? = 3 ]; then exit 1; fi
9 done
10done
diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7
index cf3bd9fadb..79bb6e0edf 100644
--- a/src/lib/libssl/test/tpkcs7
+++ b/src/lib/libssl/test/tpkcs7
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl pkcs7' 10cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d
index 18f9311b06..20394b34c4 100644
--- a/src/lib/libssl/test/tpkcs7d
+++ b/src/lib/libssl/test/tpkcs7d
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl pkcs7' 10cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq
index 47a8273cde..7e020210a5 100644
--- a/src/lib/libssl/test/treq
+++ b/src/lib/libssl/test/treq
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl req -config ../apps/openssl.cnf' 10cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa
index 413e2ec0a0..67b4a98841 100644
--- a/src/lib/libssl/test/trsa
+++ b/src/lib/libssl/test/trsa
@@ -7,12 +7,12 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10if ../apps/openssl no-rsa; then 10if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
11 echo skipping rsa conversion test 11 echo skipping rsa conversion test
12 exit 0 12 exit 0
13fi 13fi
14 14
15cmd='../apps/openssl rsa' 15cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
16 16
17if [ "$1"x != "x" ]; then 17if [ "$1"x != "x" ]; then
18 t=$1 18 t=$1
diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid
index 40a1dfa97c..fb4a7213b9 100644
--- a/src/lib/libssl/test/tsid
+++ b/src/lib/libssl/test/tsid
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl sess_id' 10cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509
index d380963abc..1b9c8661f3 100644
--- a/src/lib/libssl/test/tx509
+++ b/src/lib/libssl/test/tx509
@@ -7,7 +7,7 @@ else
7fi 7fi
8export PATH 8export PATH
9 9
10cmd='../apps/openssl x509' 10cmd='../util/shlib_wrap.sh ../apps/openssl x509'
11 11
12if [ "$1"x != "x" ]; then 12if [ "$1"x != "x" ]; then
13 t=$1 13 t=$1
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-16 00:14:09 +0000