summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libcrypto/bn/bntest.c4
-rw-r--r--src/lib/libcrypto/crypto-lib.com8
-rw-r--r--src/lib/libcrypto/des/times/usparc.cc2
-rw-r--r--src/lib/libcrypto/evp/enc_min.c2
-rw-r--r--src/lib/libcrypto/evp/evp_test.c10
-rw-r--r--src/lib/libcrypto/rand/rand_unix.c2
-rw-r--r--src/lib/libcrypto/rsa/rsa_x931g.c4
-rw-r--r--src/lib/libcrypto/symhacks.h4
-rw-r--r--src/lib/libcrypto/util/domd2
-rw-r--r--src/lib/libcrypto/util/libeay.num3
-rw-r--r--src/lib/libcrypto/util/pl/VC-32.pl6
-rw-r--r--src/lib/libssl/src/CHANGES48
-rw-r--r--src/lib/libssl/src/Configure20
-rw-r--r--src/lib/libssl/src/FAQ2
-rw-r--r--src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp2
-rw-r--r--src/lib/libssl/src/Makefile7
-rw-r--r--src/lib/libssl/src/Makefile.org3
-rw-r--r--src/lib/libssl/src/NEWS5
-rw-r--r--src/lib/libssl/src/README2
-rw-r--r--src/lib/libssl/src/apps/apps.c2
-rw-r--r--src/lib/libssl/src/apps/ca.c2
-rw-r--r--src/lib/libssl/src/apps/enc.c3
-rw-r--r--src/lib/libssl/src/apps/engine.c4
-rw-r--r--src/lib/libssl/src/apps/rand.c27
-rw-r--r--src/lib/libssl/src/apps/x509.c2
-rw-r--r--src/lib/libssl/src/config18
-rw-r--r--src/lib/libssl/src/crypto/asn1/a_bytes.c2
-rw-r--r--src/lib/libssl/src/crypto/asn1/asn1.h3
-rw-r--r--src/lib/libssl/src/crypto/asn1/asn1_err.c2
-rw-r--r--src/lib/libssl/src/crypto/asn1/asn1_par.c2
-rw-r--r--src/lib/libssl/src/crypto/asn1/t_x509.c2
-rw-r--r--src/lib/libssl/src/crypto/asn1/tasn_dec.c44
-rw-r--r--src/lib/libssl/src/crypto/bio/bss_mem.c22
-rw-r--r--src/lib/libssl/src/crypto/bio/bss_sock.c5
-rw-r--r--src/lib/libssl/src/crypto/bn/bntest.c4
-rw-r--r--src/lib/libssl/src/crypto/crypto-lib.com8
-rw-r--r--src/lib/libssl/src/crypto/des/times/usparc.cc2
-rw-r--r--src/lib/libssl/src/crypto/evp/enc_min.c2
-rw-r--r--src/lib/libssl/src/crypto/evp/evp_test.c10
-rw-r--r--src/lib/libssl/src/crypto/opensslv.h6
-rw-r--r--src/lib/libssl/src/crypto/pem/pem.h4
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_crt.c3
-rw-r--r--src/lib/libssl/src/crypto/pkcs7/pk7_smime.c3
-rw-r--r--src/lib/libssl/src/crypto/rand/rand_unix.c2
-rw-r--r--src/lib/libssl/src/crypto/ripemd/README2
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_x931g.c4
-rw-r--r--src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl1
-rw-r--r--src/lib/libssl/src/crypto/symhacks.h4
-rw-r--r--src/lib/libssl/src/crypto/ui/ui_lib.c1
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_cmp.c3
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_cpols.c7
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_utl.c2
-rw-r--r--src/lib/libssl/src/doc/apps/rand.pod5
-rw-r--r--src/lib/libssl/src/doc/apps/x509.pod2
-rw-r--r--src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod2
-rw-r--r--src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod2
-rw-r--r--src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod2
-rw-r--r--src/lib/libssl/src/doc/ssl/SSL_free.pod2
-rw-r--r--src/lib/libssl/src/doc/ssleay.txt4
-rw-r--r--src/lib/libssl/src/engines/makeengines.com3
-rw-r--r--src/lib/libssl/src/fips/Makefile13
-rw-r--r--src/lib/libssl/src/fips/aes/Makefile2
-rw-r--r--src/lib/libssl/src/fips/sha/fips_standalone_sha1.c4
-rw-r--r--src/lib/libssl/src/ms/do_masm.bat138
-rw-r--r--src/lib/libssl/src/openssl.spec2
-rw-r--r--src/lib/libssl/src/ssl/kssl.c2
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c2
-rw-r--r--src/lib/libssl/src/ssl/ssl_ciph.c2
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c2
-rw-r--r--src/lib/libssl/src/test/Makefile2
-rw-r--r--src/lib/libssl/src/test/times2
-rw-r--r--src/lib/libssl/src/util/domd2
-rw-r--r--src/lib/libssl/src/util/libeay.num3
-rw-r--r--src/lib/libssl/src/util/pl/VC-32.pl6
-rw-r--r--src/lib/libssl/test/Makefile2
75 files changed, 356 insertions, 194 deletions
diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c
index 310763eca0..cf190380f5 100644
--- a/src/lib/libcrypto/bn/bntest.c
+++ b/src/lib/libcrypto/bn/bntest.c
@@ -926,7 +926,7 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
926 BN_bntest_rand(b,2+i,0,0); /**/ 926 BN_bntest_rand(b,2+i,0,0); /**/
927 927
928 if (!BN_mod_exp(d,a,b,c,ctx)) 928 if (!BN_mod_exp(d,a,b,c,ctx))
929 return(00); 929 return(0);
930 930
931 if (bp != NULL) 931 if (bp != NULL)
932 { 932 {
@@ -1028,7 +1028,7 @@ int test_exp(BIO *bp, BN_CTX *ctx)
1028 BN_bntest_rand(b,2+i,0,0); /**/ 1028 BN_bntest_rand(b,2+i,0,0); /**/
1029 1029
1030 if (!BN_exp(d,a,b,ctx)) 1030 if (!BN_exp(d,a,b,ctx))
1031 return(00); 1031 return(0);
1032 1032
1033 if (bp != NULL) 1033 if (bp != NULL)
1034 { 1034 {
diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com
index db9c882fb0..e72af90822 100644
--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -169,7 +169,7 @@ $ LIB_SHA = "sha_dgst,sha1dgst,sha_one,sha1_one,sha256,sha512"
169$ LIB_MDC2 = "mdc2dgst,mdc2_one" 169$ LIB_MDC2 = "mdc2dgst,mdc2_one"
170$ LIB_HMAC = "hmac" 170$ LIB_HMAC = "hmac"
171$ LIB_RIPEMD = "rmd_dgst,rmd_one" 171$ LIB_RIPEMD = "rmd_dgst,rmd_one"
172$ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ - 172$ LIB_DES = "des_lib,set_key,ecb_enc,cbc_enc,"+ -
173 "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ - 173 "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ -
174 "enc_read,enc_writ,ofb64enc,"+ - 174 "enc_read,enc_writ,ofb64enc,"+ -
175 "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ - 175 "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ -
@@ -191,7 +191,7 @@ $ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ -
191 "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ - 191 "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ -
192 "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ - 192 "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ -
193 "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_gf2m,bn_nist,"+ - 193 "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_gf2m,bn_nist,"+ -
194 "bn_depr,bn_const" 194 "bn_depr,bn_x931p,bn_const,bn_opt"
195$ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ - 195$ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ -
196 "ec_err,ec_curve,ec_check,ec_print,ec_asn1,ec_key,"+ - 196 "ec_err,ec_curve,ec_check,ec_print,ec_asn1,ec_key,"+ -
197 "ec2_smpl,ec2_mult" 197 "ec2_smpl,ec2_mult"
@@ -211,7 +211,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
211 "tb_cipher,tb_digest,"+ - 211 "tb_cipher,tb_digest,"+ -
212 "eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,eng_padlock" 212 "eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,eng_padlock"
213$ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,"+ - 213$ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,"+ -
214 "aes_ctr,aes_ige" 214 "aes_ctr,aes_ige,aes_wrap"
215$ LIB_BUFFER = "buffer,buf_str,buf_err" 215$ LIB_BUFFER = "buffer,buf_str,buf_err"
216$ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ - 216$ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
217 "bss_mem,bss_null,bss_fd,"+ - 217 "bss_mem,bss_null,bss_fd,"+ -
@@ -246,7 +246,7 @@ $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
246$ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ - 246$ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ -
247 "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ - 247 "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ -
248 "f_int,f_string,n_pkey,"+ - 248 "f_int,f_string,n_pkey,"+ -
249 "f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ - 249 "f_enum,a_hdr,x_pkey,a_bool,x_exten,asn_mime,"+ -
250 "asn1_gen,asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ - 250 "asn1_gen,asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ -
251 "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid" 251 "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid"
252$ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ - 252$ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ -
diff --git a/src/lib/libcrypto/des/times/usparc.cc b/src/lib/libcrypto/des/times/usparc.cc
index f6ec8e8831..0864285ef6 100644
--- a/src/lib/libcrypto/des/times/usparc.cc
+++ b/src/lib/libcrypto/des/times/usparc.cc
@@ -2,7 +2,7 @@ solaris 2.5.1 usparc 167mhz?? - SC4.0 cc -fast -Xa -xO5
2 2
3For the ultra sparc, SunC 4.0 cc -fast -Xa -xO5, running 'des_opts' 3For the ultra sparc, SunC 4.0 cc -fast -Xa -xO5, running 'des_opts'
4gives a speed of 475,000 des/s while 'speed' gives 417,000 des/s. 4gives a speed of 475,000 des/s while 'speed' gives 417,000 des/s.
5I belive the difference is tied up in optimisation that the compiler 5I believe the difference is tied up in optimisation that the compiler
6is able to perform when the code is 'inlined'. For 'speed', the DES 6is able to perform when the code is 'inlined'. For 'speed', the DES
7routines are being linked from a library. I'll record the higher 7routines are being linked from a library. I'll record the higher
8speed since if performance is everything, you can always inline 8speed since if performance is everything, you can always inline
diff --git a/src/lib/libcrypto/evp/enc_min.c b/src/lib/libcrypto/evp/enc_min.c
index 3cb4626bef..7fba38ee24 100644
--- a/src/lib/libcrypto/evp/enc_min.c
+++ b/src/lib/libcrypto/evp/enc_min.c
@@ -199,7 +199,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
199 enc = 1; 199 enc = 1;
200 ctx->encrypt = enc; 200 ctx->encrypt = enc;
201 } 201 }
202#ifdef OPENSSL_NO_FIPS 202#ifdef OPENSSL_FIPS
203 if(FIPS_selftest_failed()) 203 if(FIPS_selftest_failed())
204 { 204 {
205 FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); 205 FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
diff --git a/src/lib/libcrypto/evp/evp_test.c b/src/lib/libcrypto/evp/evp_test.c
index bb6f02c2e9..436be20bf1 100644
--- a/src/lib/libcrypto/evp/evp_test.c
+++ b/src/lib/libcrypto/evp/evp_test.c
@@ -220,18 +220,18 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
220 test1_exit(7); 220 test1_exit(7);
221 } 221 }
222 222
223 if(outl+outl2 != cn) 223 if(outl+outl2 != pn)
224 { 224 {
225 fprintf(stderr,"Plaintext length mismatch got %d expected %d\n", 225 fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
226 outl+outl2,cn); 226 outl+outl2,pn);
227 test1_exit(8); 227 test1_exit(8);
228 } 228 }
229 229
230 if(memcmp(out,plaintext,cn)) 230 if(memcmp(out,plaintext,pn))
231 { 231 {
232 fprintf(stderr,"Plaintext mismatch\n"); 232 fprintf(stderr,"Plaintext mismatch\n");
233 hexdump(stderr,"Got",out,cn); 233 hexdump(stderr,"Got",out,pn);
234 hexdump(stderr,"Expected",plaintext,cn); 234 hexdump(stderr,"Expected",plaintext,pn);
235 test1_exit(9); 235 test1_exit(9);
236 } 236 }
237 } 237 }
diff --git a/src/lib/libcrypto/rand/rand_unix.c b/src/lib/libcrypto/rand/rand_unix.c
index 6c2be5cb96..71b98ec212 100644
--- a/src/lib/libcrypto/rand/rand_unix.c
+++ b/src/lib/libcrypto/rand/rand_unix.c
@@ -232,7 +232,7 @@ int RAND_poll(void)
232 t.tv_sec = 0; 232 t.tv_sec = 0;
233 t.tv_usec = usec; 233 t.tv_usec = usec;
234 234
235 if (FD_SETSIZE > 0 && fd >= FD_SETSIZE) 235 if (FD_SETSIZE > 0 && (unsigned)fd >= FD_SETSIZE)
236 { 236 {
237 /* can't use select, so just try to read once anyway */ 237 /* can't use select, so just try to read once anyway */
238 try_read = 1; 238 try_read = 1;
diff --git a/src/lib/libcrypto/rsa/rsa_x931g.c b/src/lib/libcrypto/rsa/rsa_x931g.c
index c640cc2ec9..bf94f8be7a 100644
--- a/src/lib/libcrypto/rsa/rsa_x931g.c
+++ b/src/lib/libcrypto/rsa/rsa_x931g.c
@@ -79,9 +79,9 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
79 goto err; 79 goto err;
80 80
81 ctx = BN_CTX_new(); 81 ctx = BN_CTX_new();
82 BN_CTX_start(ctx);
83 if (!ctx) 82 if (!ctx)
84 goto err; 83 goto err;
84 BN_CTX_start(ctx);
85 85
86 r0 = BN_CTX_get(ctx); 86 r0 = BN_CTX_get(ctx);
87 r1 = BN_CTX_get(ctx); 87 r1 = BN_CTX_get(ctx);
@@ -190,7 +190,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
190 if (ctx2) 190 if (ctx2)
191 BN_CTX_free(ctx2); 191 BN_CTX_free(ctx2);
192 /* If this is set all calls successful */ 192 /* If this is set all calls successful */
193 if (rsa->iqmp != NULL) 193 if (rsa && rsa->iqmp != NULL)
194 return 1; 194 return 1;
195 195
196 return 0; 196 return 0;
diff --git a/src/lib/libcrypto/symhacks.h b/src/lib/libcrypto/symhacks.h
index 6cfb5fe479..8728e6124d 100644
--- a/src/lib/libcrypto/symhacks.h
+++ b/src/lib/libcrypto/symhacks.h
@@ -62,6 +62,10 @@
62 VAX. */ 62 VAX. */
63#ifdef OPENSSL_SYS_VMS 63#ifdef OPENSSL_SYS_VMS
64 64
65/* Hack a long name in crypto/cryptlib.c */
66#undef int_CRYPTO_set_do_dynlock_callback
67#define int_CRYPTO_set_do_dynlock_callback int_CRYPTO_set_do_dynlock_cb
68
65/* Hack a long name in crypto/ex_data.c */ 69/* Hack a long name in crypto/ex_data.c */
66#undef CRYPTO_get_ex_data_implementation 70#undef CRYPTO_get_ex_data_implementation
67#define CRYPTO_get_ex_data_implementation CRYPTO_get_ex_data_impl 71#define CRYPTO_get_ex_data_implementation CRYPTO_get_ex_data_impl
diff --git a/src/lib/libcrypto/util/domd b/src/lib/libcrypto/util/domd
index 691be7a440..560ebeaf82 100644
--- a/src/lib/libcrypto/util/domd
+++ b/src/lib/libcrypto/util/domd
@@ -22,7 +22,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
22 done 22 done
23 sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp 23 sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp
24 echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp 24 echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
25 gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp 25 ${CC:-gcc} -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
26 ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new 26 ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
27 rm -f Makefile.tmp 27 rm -f Makefile.tmp
28else 28else
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 0eb54ddc89..74eb337227 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -3667,7 +3667,8 @@ CRYPTO_set_mem_info_functions 4053 EXIST::FUNCTION:
3667RSA_X931_generate_key_ex 4054 EXIST::FUNCTION:RSA 3667RSA_X931_generate_key_ex 4054 EXIST::FUNCTION:RSA
3668int_ERR_set_state_func 4055 EXIST:OPENSSL_FIPS:FUNCTION: 3668int_ERR_set_state_func 4055 EXIST:OPENSSL_FIPS:FUNCTION:
3669int_EVP_MD_set_engine_callbacks 4056 EXIST:OPENSSL_FIPS:FUNCTION:ENGINE 3669int_EVP_MD_set_engine_callbacks 4056 EXIST:OPENSSL_FIPS:FUNCTION:ENGINE
3670int_CRYPTO_set_do_dynlock_callback 4057 EXIST::FUNCTION: 3670int_CRYPTO_set_do_dynlock_callback 4057 EXIST:!VMS:FUNCTION:
3671int_CRYPTO_set_do_dynlock_cb 4057 EXIST:VMS:FUNCTION:
3671FIPS_rng_stick 4058 EXIST:OPENSSL_FIPS:FUNCTION: 3672FIPS_rng_stick 4058 EXIST:OPENSSL_FIPS:FUNCTION:
3672EVP_CIPHER_CTX_set_flags 4059 EXIST::FUNCTION: 3673EVP_CIPHER_CTX_set_flags 4059 EXIST::FUNCTION:
3673BN_X931_generate_prime_ex 4060 EXIST::FUNCTION: 3674BN_X931_generate_prime_ex 4060 EXIST::FUNCTION:
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index 730c2083bd..85121c8ed1 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -164,7 +164,7 @@ if ($FLAVOR =~ /NT/)
164 $ex_libs="unicows.lib $ex_libs"; 164 $ex_libs="unicows.lib $ex_libs";
165 } 165 }
166# static library stuff 166# static library stuff
167$mklib='lib'; 167$mklib='lib /nologo';
168$ranlib=''; 168$ranlib='';
169$plib=""; 169$plib="";
170$libp=".lib"; 170$libp=".lib";
@@ -184,7 +184,7 @@ if ($nasm) {
184 $asm.=' /Zi' if $debug; 184 $asm.=' /Zi' if $debug;
185 $afile='/Fo'; 185 $afile='/Fo';
186} else { 186} else {
187 $asm='ml /Cp /coff /c /Cx'; 187 $asm='ml /nologo /Cp /coff /c /Cx';
188 $asm.=" /Zi" if $debug; 188 $asm.=" /Zi" if $debug;
189 $afile='/Fo'; 189 $afile='/Fo';
190} 190}
@@ -405,7 +405,7 @@ sub do_link_rule
405 if ($standalone == 1) 405 if ($standalone == 1)
406 { 406 {
407 $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t"; 407 $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t";
408 $ret.= "$mwex advapi32.lib " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild); 408 $ret.= "\$(EX_LIBS) " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild);
409 $ret.="$files $libs\n<<\n"; 409 $ret.="$files $libs\n<<\n";
410 } 410 }
411 elsif ($standalone == 2) 411 elsif ($standalone == 2)
diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
index c888c56c26..04d332e338 100644
--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,11 +2,51 @@
2 OpenSSL CHANGES 2 OpenSSL CHANGES
3 _______________ 3 _______________
4 4
5 Changes between 0.9.8i and 0.9.8j [07 Jan 2009] 5 Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
6 6
7 *) Properly check EVP_VerifyFinal() and similar return values 7 *) Don't set val to NULL when freeing up structures, it is freed up by
8 (CVE-2008-5077). 8 underlying code. If sizeof(void *) > sizeof(long) this can result in
9 [Ben Laurie, Bodo Moeller, Google Security Team] 9 zeroing past the valid field. (CVE-2009-0789)
10 [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
11
12 *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
13 checked correctly. This would allow some invalid signed attributes to
14 appear to verify correctly. (CVE-2009-0591)
15 [Ivan Nestlerode <inestlerode@us.ibm.com>]
16
17 *) Reject UniversalString and BMPString types with invalid lengths. This
18 prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
19 a legal length. (CVE-2009-0590)
20 [Steve Henson]
21
22 *) Set S/MIME signing as the default purpose rather than setting it
23 unconditionally. This allows applications to override it at the store
24 level.
25 [Steve Henson]
26
27 *) Permit restricted recursion of ASN1 strings. This is needed in practice
28 to handle some structures.
29 [Steve Henson]
30
31 *) Improve efficiency of mem_gets: don't search whole buffer each time
32 for a '\n'
33 [Jeremy Shapiro <jnshapir@us.ibm.com>]
34
35 *) New -hex option for openssl rand.
36 [Matthieu Herrb]
37
38 *) Print out UTF8String and NumericString when parsing ASN1.
39 [Steve Henson]
40
41 *) Support NumericString type for name components.
42 [Steve Henson]
43
44 *) Allow CC in the environment to override the automatically chosen
45 compiler. Note that nothing is done to ensure flags work with the
46 chosen compiler.
47 [Ben Laurie]
48
49 Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
10 50
11 *) Properly check EVP_VerifyFinal() and similar return values 51 *) Properly check EVP_VerifyFinal() and similar return values
12 (CVE-2008-5077). 52 (CVE-2008-5077).
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index 09b58f2113..c6dbfae482 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -101,6 +101,11 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
101# SHA512_ASM sha512_block is implemented in assembler 101# SHA512_ASM sha512_block is implemented in assembler
102# AES_ASM ASE_[en|de]crypt is implemented in assembler 102# AES_ASM ASE_[en|de]crypt is implemented in assembler
103 103
104# Minimum warning options... any contributions to OpenSSL should at least get
105# past these.
106
107my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
108
104my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; 109my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
105 110
106# MD2_CHAR slags pentium pros 111# MD2_CHAR slags pentium pros
@@ -154,15 +159,15 @@ my %table=(
154"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::bn86-elf.o co86-elf.o", 159"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::bn86-elf.o co86-elf.o",
155"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", 160"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
156"debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", 161"debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
157"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::", 162"debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
158"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", 163"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
159"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", 164"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
160"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", 165"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
161"debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll", 166"debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
162"debug-steve64", "gcc:-m64 -DL_ENDIAN -DTERMIO -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DOPENSSL_NO_DEPRECATED -g -pedantic -Wall -Werror -Wno-long-long -Wsign-compare -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 167"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
163"debug-steve32", "gcc:-m32 -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DOPENSSL_NO_DEPRECATED -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 168"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
169"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
164"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", 170"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared",
165"debug-steve-opt", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -O3 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared",
166"debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared", 171"debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared",
167"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 172"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
168"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 173"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -948,6 +953,10 @@ print "Configuring for $target\n";
948 953
949my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); 954my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
950my $cc = $fields[$idx_cc]; 955my $cc = $fields[$idx_cc];
956# Allow environment CC to override compiler...
957if($ENV{CC}) {
958 $cc = $ENV{CC};
959}
951my $cflags = $fields[$idx_cflags]; 960my $cflags = $fields[$idx_cflags];
952my $unistd = $fields[$idx_unistd]; 961my $unistd = $fields[$idx_unistd];
953my $thread_cflag = $fields[$idx_thread_cflag]; 962my $thread_cflag = $fields[$idx_thread_cflag];
@@ -1048,7 +1057,6 @@ foreach (sort (keys %disabled))
1048 print "\n"; 1057 print "\n";
1049 } 1058 }
1050 1059
1051
1052my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds; 1060my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
1053 1061
1054$IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys()); 1062$IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
@@ -1443,6 +1451,8 @@ while (<IN>)
1443 } 1451 }
1444 } 1452 }
1445 $sdirs = 0 unless /\\$/; 1453 $sdirs = 0 unless /\\$/;
1454 s/fips // if (/^DIRS=/ && !$fips);
1455 s/engines // if (/^DIRS=/ && $disabled{"engine"});
1446 s/^VERSION=.*/VERSION=$version/; 1456 s/^VERSION=.*/VERSION=$version/;
1447 s/^MAJOR=.*/MAJOR=$major/; 1457 s/^MAJOR=.*/MAJOR=$major/;
1448 s/^MINOR=.*/MINOR=$minor/; 1458 s/^MINOR=.*/MINOR=$minor/;
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
index ce71246fb8..942a671f2c 100644
--- a/src/lib/libssl/src/FAQ
+++ b/src/lib/libssl/src/FAQ
@@ -78,7 +78,7 @@ OpenSSL - Frequently Asked Questions
78* Which is the current version of OpenSSL? 78* Which is the current version of OpenSSL?
79 79
80The current version is available from <URL: http://www.openssl.org>. 80The current version is available from <URL: http://www.openssl.org>.
81OpenSSL 0.9.8j was released on Jan 7th, 2009. 81OpenSSL 0.9.8k was released on Mar 25th, 2009.
82 82
83In addition to the current stable release, you can also access daily 83In addition to the current stable release, you can also access daily
84snapshots of the OpenSSL development version at <URL: 84snapshots of the OpenSSL development version at <URL:
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp
index 3036df7ee0..fbfbe786b7 100644
--- a/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp
@@ -29,7 +29,7 @@ OSErr AppendErrorMessageToHandle(Handle inoutHandle);
29 29
30 30
31 31
32// A bunch of evil macros that would be uneccessary if I were always using C++ ! 32// A bunch of evil macros that would be unnecessary if I were always using C++ !
33 33
34#define SetErrorMessageAndBailIfNil(theArg,theMessage) \ 34#define SetErrorMessageAndBailIfNil(theArg,theMessage) \
35{ \ 35{ \
diff --git a/src/lib/libssl/src/Makefile b/src/lib/libssl/src/Makefile
index fe0fe16843..57d742e4d4 100644
--- a/src/lib/libssl/src/Makefile
+++ b/src/lib/libssl/src/Makefile
@@ -4,7 +4,7 @@
4## Makefile for OpenSSL 4## Makefile for OpenSSL
5## 5##
6 6
7VERSION=0.9.8j 7VERSION=0.9.8k
8MAJOR=0 8MAJOR=0
9MINOR=9.8 9MINOR=9.8
10SHLIB_VERSION_NUMBER=0.9.8 10SHLIB_VERSION_NUMBER=0.9.8
@@ -133,7 +133,7 @@ FIPSCANLIB=
133 133
134BASEADDR=0xFB00000 134BASEADDR=0xFB00000
135 135
136DIRS= crypto fips ssl engines apps test tools 136DIRS= crypto ssl engines apps test tools
137SHLIBDIRS= crypto ssl 137SHLIBDIRS= crypto ssl
138 138
139# dirs in crypto to build 139# dirs in crypto to build
@@ -506,6 +506,9 @@ links:
506 @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl 506 @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
507 @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) 507 @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
508 @set -e; target=links; $(RECURSIVE_BUILD_CMD) 508 @set -e; target=links; $(RECURSIVE_BUILD_CMD)
509 @if [ -z "$(FIPSCANLIB)" ]; then \
510 set -e; target=links; dir=fips ; $(BUILD_CMD) ; \
511 fi
509 512
510gentests: 513gentests:
511 @(cd test && echo "generating dummy tests (if needed)..." && \ 514 @(cd test && echo "generating dummy tests (if needed)..." && \
diff --git a/src/lib/libssl/src/Makefile.org b/src/lib/libssl/src/Makefile.org
index 4be7dad7d6..d1b56b2f58 100644
--- a/src/lib/libssl/src/Makefile.org
+++ b/src/lib/libssl/src/Makefile.org
@@ -504,6 +504,9 @@ links:
504 @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl 504 @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
505 @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) 505 @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
506 @set -e; target=links; $(RECURSIVE_BUILD_CMD) 506 @set -e; target=links; $(RECURSIVE_BUILD_CMD)
507 @if [ -z "$(FIPSCANLIB)" ]; then \
508 set -e; target=links; dir=fips ; $(BUILD_CMD) ; \
509 fi
507 510
508gentests: 511gentests:
509 @(cd test && echo "generating dummy tests (if needed)..." && \ 512 @(cd test && echo "generating dummy tests (if needed)..." && \
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
index 322c3848f2..37156fc593 100644
--- a/src/lib/libssl/src/NEWS
+++ b/src/lib/libssl/src/NEWS
@@ -5,6 +5,11 @@
5 This file gives a brief overview of the major changes between each OpenSSL 5 This file gives a brief overview of the major changes between each OpenSSL
6 release. For more details please read the CHANGES file. 6 release. For more details please read the CHANGES file.
7 7
8 Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
9
10 o Fix various build issues.
11 o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
12
8 Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j: 13 Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
9 14
10 o Fix security issue (CVE-2008-5077) 15 o Fix security issue (CVE-2008-5077)
diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README
index b3baac4a36..99a6a7b4bf 100644
--- a/src/lib/libssl/src/README
+++ b/src/lib/libssl/src/README
@@ -1,5 +1,5 @@
1 1
2 OpenSSL 0.9.8j 2 OpenSSL 0.9.8k
3 3
4 Copyright (c) 1998-2008 The OpenSSL Project 4 Copyright (c) 1998-2008 The OpenSSL Project
5 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson 5 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/src/lib/libssl/src/apps/apps.c b/src/lib/libssl/src/apps/apps.c
index 367eb177e1..498722a5a2 100644
--- a/src/lib/libssl/src/apps/apps.c
+++ b/src/lib/libssl/src/apps/apps.c
@@ -2428,7 +2428,7 @@ static void readbn(BIGNUM **bn, BIO *bconn)
2428 int l; 2428 int l;
2429 2429
2430 l = BIO_gets(bconn, buf, sizeof buf); 2430 l = BIO_gets(bconn, buf, sizeof buf);
2431 assert(l >= 0); 2431 assert(l > 0);
2432 assert(buf[l-1] == '\n'); 2432 assert(buf[l-1] == '\n');
2433 buf[l-1] = '\0'; 2433 buf[l-1] = '\0';
2434 BN_hex2bn(bn, buf); 2434 BN_hex2bn(bn, buf);
diff --git a/src/lib/libssl/src/apps/ca.c b/src/lib/libssl/src/apps/ca.c
index 87f0405f5d..68516ee9bd 100644
--- a/src/lib/libssl/src/apps/ca.c
+++ b/src/lib/libssl/src/apps/ca.c
@@ -83,7 +83,7 @@
83# else 83# else
84# include <unixlib.h> 84# include <unixlib.h>
85# endif 85# endif
86# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) 86# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM)
87# include <sys/file.h> 87# include <sys/file.h>
88# endif 88# endif
89#endif 89#endif
diff --git a/src/lib/libssl/src/apps/enc.c b/src/lib/libssl/src/apps/enc.c
index 47c6eb604d..f4f9a4c4a4 100644
--- a/src/lib/libssl/src/apps/enc.c
+++ b/src/lib/libssl/src/apps/enc.c
@@ -533,7 +533,8 @@ bad:
533 BIO_printf(bio_err,"invalid hex iv value\n"); 533 BIO_printf(bio_err,"invalid hex iv value\n");
534 goto end; 534 goto end;
535 } 535 }
536 if ((hiv == NULL) && (str == NULL)) 536 if ((hiv == NULL) && (str == NULL)
537 && EVP_CIPHER_iv_length(cipher) != 0)
537 { 538 {
538 /* No IV was explicitly set and no IV was generated 539 /* No IV was explicitly set and no IV was generated
539 * during EVP_BytesToKey. Hence the IV is undefined, 540 * during EVP_BytesToKey. Hence the IV is undefined,
diff --git a/src/lib/libssl/src/apps/engine.c b/src/lib/libssl/src/apps/engine.c
index 1d0dd9bfbc..17bd81fb79 100644
--- a/src/lib/libssl/src/apps/engine.c
+++ b/src/lib/libssl/src/apps/engine.c
@@ -252,7 +252,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent
252 /* Now decide on the output */ 252 /* Now decide on the output */
253 if(xpos == 0) 253 if(xpos == 0)
254 /* Do an indent */ 254 /* Do an indent */
255 xpos = BIO_printf(bio_out, indent); 255 xpos = BIO_puts(bio_out, indent);
256 else 256 else
257 /* Otherwise prepend a ", " */ 257 /* Otherwise prepend a ", " */
258 xpos += BIO_printf(bio_out, ", "); 258 xpos += BIO_printf(bio_out, ", ");
@@ -263,7 +263,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent
263 (xpos + (int)strlen(name) > line_wrap)) 263 (xpos + (int)strlen(name) > line_wrap))
264 { 264 {
265 BIO_printf(bio_out, "\n"); 265 BIO_printf(bio_out, "\n");
266 xpos = BIO_printf(bio_out, indent); 266 xpos = BIO_puts(bio_out, indent);
267 } 267 }
268 xpos += BIO_printf(bio_out, "%s", name); 268 xpos += BIO_printf(bio_out, "%s", name);
269 } 269 }
diff --git a/src/lib/libssl/src/apps/rand.c b/src/lib/libssl/src/apps/rand.c
index c3b26c466d..44a1d46a03 100644
--- a/src/lib/libssl/src/apps/rand.c
+++ b/src/lib/libssl/src/apps/rand.c
@@ -68,7 +68,8 @@
68 68
69/* -out file - write to file 69/* -out file - write to file
70 * -rand file:file - PRNG seed files 70 * -rand file:file - PRNG seed files
71 * -base64 - encode output 71 * -base64 - base64 encode output
72 * -hex - hex encode output
72 * num - write 'num' bytes 73 * num - write 'num' bytes
73 */ 74 */
74 75
@@ -84,6 +85,7 @@ int MAIN(int argc, char **argv)
84 char *outfile = NULL; 85 char *outfile = NULL;
85 char *inrand = NULL; 86 char *inrand = NULL;
86 int base64 = 0; 87 int base64 = 0;
88 int hex = 0;
87 BIO *out = NULL; 89 BIO *out = NULL;
88 int num = -1; 90 int num = -1;
89#ifndef OPENSSL_NO_ENGINE 91#ifndef OPENSSL_NO_ENGINE
@@ -133,6 +135,13 @@ int MAIN(int argc, char **argv)
133 else 135 else
134 badopt = 1; 136 badopt = 1;
135 } 137 }
138 else if (strcmp(argv[i], "-hex") == 0)
139 {
140 if (!hex)
141 hex = 1;
142 else
143 badopt = 1;
144 }
136 else if (isdigit((unsigned char)argv[i][0])) 145 else if (isdigit((unsigned char)argv[i][0]))
137 { 146 {
138 if (num < 0) 147 if (num < 0)
@@ -148,6 +157,9 @@ int MAIN(int argc, char **argv)
148 badopt = 1; 157 badopt = 1;
149 } 158 }
150 159
160 if (hex && base64)
161 badopt = 1;
162
151 if (num < 0) 163 if (num < 0)
152 badopt = 1; 164 badopt = 1;
153 165
@@ -160,7 +172,8 @@ int MAIN(int argc, char **argv)
160 BIO_printf(bio_err, "-engine e - use engine e, possibly a hardware device.\n"); 172 BIO_printf(bio_err, "-engine e - use engine e, possibly a hardware device.\n");
161#endif 173#endif
162 BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); 174 BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
163 BIO_printf(bio_err, "-base64 - encode output\n"); 175 BIO_printf(bio_err, "-base64 - base64 encode output\n");
176 BIO_printf(bio_err, "-hex - hex encode output\n");
164 goto err; 177 goto err;
165 } 178 }
166 179
@@ -210,9 +223,17 @@ int MAIN(int argc, char **argv)
210 r = RAND_bytes(buf, chunk); 223 r = RAND_bytes(buf, chunk);
211 if (r <= 0) 224 if (r <= 0)
212 goto err; 225 goto err;
213 BIO_write(out, buf, chunk); 226 if (!hex)
227 BIO_write(out, buf, chunk);
228 else
229 {
230 for (i = 0; i < chunk; i++)
231 BIO_printf(out, "%02x", buf[i]);
232 }
214 num -= chunk; 233 num -= chunk;
215 } 234 }
235 if (hex)
236 BIO_puts(out, "\n");
216 (void)BIO_flush(out); 237 (void)BIO_flush(out);
217 238
218 app_RAND_write_file(NULL, bio_err); 239 app_RAND_write_file(NULL, bio_err);
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
index d904d34021..6debce4419 100644
--- a/src/lib/libssl/src/apps/x509.c
+++ b/src/lib/libssl/src/apps/x509.c
@@ -114,7 +114,7 @@ static const char *x509_usage[]={
114" -alias - output certificate alias\n", 114" -alias - output certificate alias\n",
115" -noout - no certificate output\n", 115" -noout - no certificate output\n",
116" -ocspid - print OCSP hash values for the subject name and public key\n", 116" -ocspid - print OCSP hash values for the subject name and public key\n",
117" -ocspurl - print OCSP Responder URL(s)\n", 117" -ocsp_uri - print OCSP Responder URL(s)\n",
118" -trustout - output a \"trusted\" certificate\n", 118" -trustout - output a \"trusted\" certificate\n",
119" -clrtrust - clear all trusted purposes\n", 119" -clrtrust - clear all trusted purposes\n",
120" -clrreject - clear all rejected purposes\n", 120" -clrreject - clear all rejected purposes\n",
diff --git a/src/lib/libssl/src/config b/src/lib/libssl/src/config
index dde9275b76..68e7ea1737 100644
--- a/src/lib/libssl/src/config
+++ b/src/lib/libssl/src/config
@@ -29,7 +29,7 @@ EXE=""
29for i 29for i
30do 30do
31case "$i" in 31case "$i" in
32-d*) PREFIX="debug-";; 32-d) PREFIX="debug-";;
33-t*) TEST="true";; 33-t*) TEST="true";;
34-h*) TEST="true"; cat <<EOF 34-h*) TEST="true"; cat <<EOF
35Usage: config [options] 35Usage: config [options]
@@ -399,11 +399,8 @@ exit 0
399# this is where the translation occurs into SSLeay terms 399# this is where the translation occurs into SSLeay terms
400# --------------------------------------------------------------------------- 400# ---------------------------------------------------------------------------
401 401
402# figure out if gcc is available and if so we use it otherwise
403# we fallback to whatever cc does on the system
404GCCVER=`(gcc -dumpversion) 2>/dev/null` 402GCCVER=`(gcc -dumpversion) 2>/dev/null`
405if [ "$GCCVER" != "" ]; then 403if [ "$GCCVER" != "" ]; then
406 CC=gcc
407 # then strip off whatever prefix egcs prepends the number with... 404 # then strip off whatever prefix egcs prepends the number with...
408 # Hopefully, this will work for any future prefixes as well. 405 # Hopefully, this will work for any future prefixes as well.
409 GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'` 406 GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
@@ -412,8 +409,17 @@ if [ "$GCCVER" != "" ]; then
412 # major and minor version numbers. 409 # major and minor version numbers.
413 # peak single digit before and after first dot, e.g. 2.95.1 gives 29 410 # peak single digit before and after first dot, e.g. 2.95.1 gives 29
414 GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'` 411 GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
415else 412fi
416 CC=cc 413
414# Only set CC if not supplied already
415if [ -z "$CC" ]; then
416# figure out if gcc is available and if so we use it otherwise
417# we fallback to whatever cc does on the system
418 if [ "$GCCVER" != "" ]; then
419 CC=gcc
420 else
421 CC=cc
422 fi
417fi 423fi
418GCCVER=${GCCVER:-0} 424GCCVER=${GCCVER:-0}
419if [ "$SYSTEM" = "HP-UX" ];then 425if [ "$SYSTEM" = "HP-UX" ];then
diff --git a/src/lib/libssl/src/crypto/asn1/a_bytes.c b/src/lib/libssl/src/crypto/asn1/a_bytes.c
index 8d13f9c931..92d630cdba 100644
--- a/src/lib/libssl/src/crypto/asn1/a_bytes.c
+++ b/src/lib/libssl/src/crypto/asn1/a_bytes.c
@@ -79,7 +79,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp,
79 79
80 if (tag >= 32) 80 if (tag >= 32)
81 { 81 {
82 i=ASN1_R_TAG_VALUE_TOO_HIGH;; 82 i=ASN1_R_TAG_VALUE_TOO_HIGH;
83 goto err; 83 goto err;
84 } 84 }
85 if (!(ASN1_tag2bit(tag) & type)) 85 if (!(ASN1_tag2bit(tag) & type))
diff --git a/src/lib/libssl/src/crypto/asn1/asn1.h b/src/lib/libssl/src/crypto/asn1/asn1.h
index 424cd348bb..e3385226d4 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1.h
+++ b/src/lib/libssl/src/crypto/asn1/asn1.h
@@ -612,6 +612,7 @@ typedef struct BIT_STRING_BITNAME_st {
612 B_ASN1_GENERALIZEDTIME 612 B_ASN1_GENERALIZEDTIME
613 613
614#define B_ASN1_PRINTABLE \ 614#define B_ASN1_PRINTABLE \
615 B_ASN1_NUMERICSTRING| \
615 B_ASN1_PRINTABLESTRING| \ 616 B_ASN1_PRINTABLESTRING| \
616 B_ASN1_T61STRING| \ 617 B_ASN1_T61STRING| \
617 B_ASN1_IA5STRING| \ 618 B_ASN1_IA5STRING| \
@@ -1217,6 +1218,7 @@ void ERR_load_ASN1_strings(void);
1217#define ASN1_R_BAD_OBJECT_HEADER 102 1218#define ASN1_R_BAD_OBJECT_HEADER 102
1218#define ASN1_R_BAD_PASSWORD_READ 103 1219#define ASN1_R_BAD_PASSWORD_READ 103
1219#define ASN1_R_BAD_TAG 104 1220#define ASN1_R_BAD_TAG 104
1221#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210
1220#define ASN1_R_BN_LIB 105 1222#define ASN1_R_BN_LIB 105
1221#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 1223#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
1222#define ASN1_R_BUFFER_TOO_SMALL 107 1224#define ASN1_R_BUFFER_TOO_SMALL 107
@@ -1306,6 +1308,7 @@ void ERR_load_ASN1_strings(void);
1306#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 1308#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
1307#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 1309#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
1308#define ASN1_R_UNEXPECTED_EOC 159 1310#define ASN1_R_UNEXPECTED_EOC 159
1311#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211
1309#define ASN1_R_UNKNOWN_FORMAT 160 1312#define ASN1_R_UNKNOWN_FORMAT 160
1310#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 1313#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161
1311#define ASN1_R_UNKNOWN_OBJECT_TYPE 162 1314#define ASN1_R_UNKNOWN_OBJECT_TYPE 162
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_err.c b/src/lib/libssl/src/crypto/asn1/asn1_err.c
index f8a3e2e6cd..5f5de98eed 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1_err.c
+++ b/src/lib/libssl/src/crypto/asn1/asn1_err.c
@@ -195,6 +195,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
195{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, 195{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"},
196{ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, 196{ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"},
197{ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, 197{ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"},
198{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
198{ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, 199{ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"},
199{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, 200{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
200{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, 201{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"},
@@ -284,6 +285,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
284{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, 285{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
285{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, 286{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
286{ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, 287{ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"},
288{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"},
287{ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, 289{ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"},
288{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, 290{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
289{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, 291{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"},
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_par.c b/src/lib/libssl/src/crypto/asn1/asn1_par.c
index 501b62a4b1..8657f73d66 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1_par.c
+++ b/src/lib/libssl/src/crypto/asn1/asn1_par.c
@@ -213,6 +213,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
213 (tag == V_ASN1_T61STRING) || 213 (tag == V_ASN1_T61STRING) ||
214 (tag == V_ASN1_IA5STRING) || 214 (tag == V_ASN1_IA5STRING) ||
215 (tag == V_ASN1_VISIBLESTRING) || 215 (tag == V_ASN1_VISIBLESTRING) ||
216 (tag == V_ASN1_NUMERICSTRING) ||
217 (tag == V_ASN1_UTF8STRING) ||
216 (tag == V_ASN1_UTCTIME) || 218 (tag == V_ASN1_UTCTIME) ||
217 (tag == V_ASN1_GENERALIZEDTIME)) 219 (tag == V_ASN1_GENERALIZEDTIME))
218 { 220 {
diff --git a/src/lib/libssl/src/crypto/asn1/t_x509.c b/src/lib/libssl/src/crypto/asn1/t_x509.c
index 8b09e5890f..8f746f9c05 100644
--- a/src/lib/libssl/src/crypto/asn1/t_x509.c
+++ b/src/lib/libssl/src/crypto/asn1/t_x509.c
@@ -332,7 +332,7 @@ int X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig)
332int ASN1_STRING_print(BIO *bp, ASN1_STRING *v) 332int ASN1_STRING_print(BIO *bp, ASN1_STRING *v)
333 { 333 {
334 int i,n; 334 int i,n;
335 char buf[80],*p;; 335 char buf[80],*p;
336 336
337 if (v == NULL) return(0); 337 if (v == NULL) return(0);
338 n=0; 338 n=0;
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
index ced641698e..48bc1c0d4d 100644
--- a/src/lib/libssl/src/crypto/asn1/tasn_dec.c
+++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
@@ -69,7 +69,7 @@ static int asn1_check_eoc(const unsigned char **in, long len);
69static int asn1_find_end(const unsigned char **in, long len, char inf); 69static int asn1_find_end(const unsigned char **in, long len, char inf);
70 70
71static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 71static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
72 char inf, int tag, int aclass); 72 char inf, int tag, int aclass, int depth);
73 73
74static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); 74static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen);
75 75
@@ -611,7 +611,6 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
611 611
612 err: 612 err:
613 ASN1_template_free(val, tt); 613 ASN1_template_free(val, tt);
614 *val = NULL;
615 return 0; 614 return 0;
616 } 615 }
617 616
@@ -758,7 +757,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
758 757
759 err: 758 err:
760 ASN1_template_free(val, tt); 759 ASN1_template_free(val, tt);
761 *val = NULL;
762 return 0; 760 return 0;
763 } 761 }
764 762
@@ -878,7 +876,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
878 * internally irrespective of the type. So instead just check 876 * internally irrespective of the type. So instead just check
879 * for UNIVERSAL class and ignore the tag. 877 * for UNIVERSAL class and ignore the tag.
880 */ 878 */
881 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) 879 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0))
882 { 880 {
883 free_cont = 1; 881 free_cont = 1;
884 goto err; 882 goto err;
@@ -1012,6 +1010,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
1012 case V_ASN1_SET: 1010 case V_ASN1_SET:
1013 case V_ASN1_SEQUENCE: 1011 case V_ASN1_SEQUENCE:
1014 default: 1012 default:
1013 if (utype == V_ASN1_BMPSTRING && (len & 1))
1014 {
1015 ASN1err(ASN1_F_ASN1_EX_C2I,
1016 ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
1017 goto err;
1018 }
1019 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
1020 {
1021 ASN1err(ASN1_F_ASN1_EX_C2I,
1022 ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
1023 goto err;
1024 }
1015 /* All based on ASN1_STRING and handled the same */ 1025 /* All based on ASN1_STRING and handled the same */
1016 if (!*pval) 1026 if (!*pval)
1017 { 1027 {
@@ -1128,8 +1138,18 @@ static int asn1_find_end(const unsigned char **in, long len, char inf)
1128 * if it is indefinite length. 1138 * if it is indefinite length.
1129 */ 1139 */
1130 1140
1141#ifndef ASN1_MAX_STRING_NEST
1142/* This determines how many levels of recursion are permitted in ASN1
1143 * string types. If it is not limited stack overflows can occur. If set
1144 * to zero no recursion is allowed at all. Although zero should be adequate
1145 * examples exist that require a value of 1. So 5 should be more than enough.
1146 */
1147#define ASN1_MAX_STRING_NEST 5
1148#endif
1149
1150
1131static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 1151static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
1132 char inf, int tag, int aclass) 1152 char inf, int tag, int aclass, int depth)
1133 { 1153 {
1134 const unsigned char *p, *q; 1154 const unsigned char *p, *q;
1135 long plen; 1155 long plen;
@@ -1171,13 +1191,15 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
1171 /* If indefinite length constructed update max length */ 1191 /* If indefinite length constructed update max length */
1172 if (cst) 1192 if (cst)
1173 { 1193 {
1174#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS 1194 if (depth >= ASN1_MAX_STRING_NEST)
1175 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass)) 1195 {
1196 ASN1err(ASN1_F_ASN1_COLLECT,
1197 ASN1_R_NESTED_ASN1_STRING);
1198 return 0;
1199 }
1200 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass,
1201 depth + 1))
1176 return 0; 1202 return 0;
1177#else
1178 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING);
1179 return 0;
1180#endif
1181 } 1203 }
1182 else if (plen && !collect_data(buf, &p, plen)) 1204 else if (plen && !collect_data(buf, &p, plen))
1183 return 0; 1205 return 0;
diff --git a/src/lib/libssl/src/crypto/bio/bss_mem.c b/src/lib/libssl/src/crypto/bio/bss_mem.c
index a4edb711ae..e7ab9cb3a3 100644
--- a/src/lib/libssl/src/crypto/bio/bss_mem.c
+++ b/src/lib/libssl/src/crypto/bio/bss_mem.c
@@ -284,6 +284,7 @@ static int mem_gets(BIO *bp, char *buf, int size)
284 284
285 BIO_clear_retry_flags(bp); 285 BIO_clear_retry_flags(bp);
286 j=bm->length; 286 j=bm->length;
287 if ((size-1) < j) j=size-1;
287 if (j <= 0) 288 if (j <= 0)
288 { 289 {
289 *buf='\0'; 290 *buf='\0';
@@ -292,17 +293,18 @@ static int mem_gets(BIO *bp, char *buf, int size)
292 p=bm->data; 293 p=bm->data;
293 for (i=0; i<j; i++) 294 for (i=0; i<j; i++)
294 { 295 {
295 if (p[i] == '\n') break; 296 if (p[i] == '\n')
296 } 297 {
297 if (i == j) 298 i++;
298 { 299 break;
299 BIO_set_retry_read(bp); 300 }
300 /* return(-1); change the semantics 0.6.6a */
301 } 301 }
302 else 302
303 i++; 303 /*
304 /* i is the max to copy */ 304 * i is now the max num of bytes to copy, either j or up to
305 if ((size-1) < i) i=size-1; 305 * and including the first newline
306 */
307
306 i=mem_read(bp,buf,i); 308 i=mem_read(bp,buf,i);
307 if (i > 0) buf[i]='\0'; 309 if (i > 0) buf[i]='\0';
308 ret=i; 310 ret=i;
diff --git a/src/lib/libssl/src/crypto/bio/bss_sock.c b/src/lib/libssl/src/crypto/bio/bss_sock.c
index 472dd75821..30c3ceab46 100644
--- a/src/lib/libssl/src/crypto/bio/bss_sock.c
+++ b/src/lib/libssl/src/crypto/bio/bss_sock.c
@@ -60,6 +60,9 @@
60#include <errno.h> 60#include <errno.h>
61#define USE_SOCKETS 61#define USE_SOCKETS
62#include "cryptlib.h" 62#include "cryptlib.h"
63
64#ifndef OPENSSL_NO_SOCK
65
63#include <openssl/bio.h> 66#include <openssl/bio.h>
64 67
65#ifdef WATT32 68#ifdef WATT32
@@ -300,3 +303,5 @@ int BIO_sock_non_fatal_error(int err)
300 } 303 }
301 return(0); 304 return(0);
302 } 305 }
306
307#endif /* #ifndef OPENSSL_NO_SOCK */
diff --git a/src/lib/libssl/src/crypto/bn/bntest.c b/src/lib/libssl/src/crypto/bn/bntest.c
index 310763eca0..cf190380f5 100644
--- a/src/lib/libssl/src/crypto/bn/bntest.c
+++ b/src/lib/libssl/src/crypto/bn/bntest.c
@@ -926,7 +926,7 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
926 BN_bntest_rand(b,2+i,0,0); /**/ 926 BN_bntest_rand(b,2+i,0,0); /**/
927 927
928 if (!BN_mod_exp(d,a,b,c,ctx)) 928 if (!BN_mod_exp(d,a,b,c,ctx))
929 return(00); 929 return(0);
930 930
931 if (bp != NULL) 931 if (bp != NULL)
932 { 932 {
@@ -1028,7 +1028,7 @@ int test_exp(BIO *bp, BN_CTX *ctx)
1028 BN_bntest_rand(b,2+i,0,0); /**/ 1028 BN_bntest_rand(b,2+i,0,0); /**/
1029 1029
1030 if (!BN_exp(d,a,b,ctx)) 1030 if (!BN_exp(d,a,b,ctx))
1031 return(00); 1031 return(0);
1032 1032
1033 if (bp != NULL) 1033 if (bp != NULL)
1034 { 1034 {
diff --git a/src/lib/libssl/src/crypto/crypto-lib.com b/src/lib/libssl/src/crypto/crypto-lib.com
index db9c882fb0..e72af90822 100644
--- a/src/lib/libssl/src/crypto/crypto-lib.com
+++ b/src/lib/libssl/src/crypto/crypto-lib.com
@@ -169,7 +169,7 @@ $ LIB_SHA = "sha_dgst,sha1dgst,sha_one,sha1_one,sha256,sha512"
169$ LIB_MDC2 = "mdc2dgst,mdc2_one" 169$ LIB_MDC2 = "mdc2dgst,mdc2_one"
170$ LIB_HMAC = "hmac" 170$ LIB_HMAC = "hmac"
171$ LIB_RIPEMD = "rmd_dgst,rmd_one" 171$ LIB_RIPEMD = "rmd_dgst,rmd_one"
172$ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ - 172$ LIB_DES = "des_lib,set_key,ecb_enc,cbc_enc,"+ -
173 "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ - 173 "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ -
174 "enc_read,enc_writ,ofb64enc,"+ - 174 "enc_read,enc_writ,ofb64enc,"+ -
175 "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ - 175 "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ -
@@ -191,7 +191,7 @@ $ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ -
191 "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ - 191 "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ -
192 "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ - 192 "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ -
193 "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_gf2m,bn_nist,"+ - 193 "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_gf2m,bn_nist,"+ -
194 "bn_depr,bn_const" 194 "bn_depr,bn_x931p,bn_const,bn_opt"
195$ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ - 195$ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ -
196 "ec_err,ec_curve,ec_check,ec_print,ec_asn1,ec_key,"+ - 196 "ec_err,ec_curve,ec_check,ec_print,ec_asn1,ec_key,"+ -
197 "ec2_smpl,ec2_mult" 197 "ec2_smpl,ec2_mult"
@@ -211,7 +211,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
211 "tb_cipher,tb_digest,"+ - 211 "tb_cipher,tb_digest,"+ -
212 "eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,eng_padlock" 212 "eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,eng_padlock"
213$ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,"+ - 213$ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,"+ -
214 "aes_ctr,aes_ige" 214 "aes_ctr,aes_ige,aes_wrap"
215$ LIB_BUFFER = "buffer,buf_str,buf_err" 215$ LIB_BUFFER = "buffer,buf_str,buf_err"
216$ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ - 216$ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
217 "bss_mem,bss_null,bss_fd,"+ - 217 "bss_mem,bss_null,bss_fd,"+ -
@@ -246,7 +246,7 @@ $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
246$ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ - 246$ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ -
247 "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ - 247 "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ -
248 "f_int,f_string,n_pkey,"+ - 248 "f_int,f_string,n_pkey,"+ -
249 "f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ - 249 "f_enum,a_hdr,x_pkey,a_bool,x_exten,asn_mime,"+ -
250 "asn1_gen,asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ - 250 "asn1_gen,asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ -
251 "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid" 251 "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid"
252$ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ - 252$ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ -
diff --git a/src/lib/libssl/src/crypto/des/times/usparc.cc b/src/lib/libssl/src/crypto/des/times/usparc.cc
index f6ec8e8831..0864285ef6 100644
--- a/src/lib/libssl/src/crypto/des/times/usparc.cc
+++ b/src/lib/libssl/src/crypto/des/times/usparc.cc
@@ -2,7 +2,7 @@ solaris 2.5.1 usparc 167mhz?? - SC4.0 cc -fast -Xa -xO5
2 2
3For the ultra sparc, SunC 4.0 cc -fast -Xa -xO5, running 'des_opts' 3For the ultra sparc, SunC 4.0 cc -fast -Xa -xO5, running 'des_opts'
4gives a speed of 475,000 des/s while 'speed' gives 417,000 des/s. 4gives a speed of 475,000 des/s while 'speed' gives 417,000 des/s.
5I belive the difference is tied up in optimisation that the compiler 5I believe the difference is tied up in optimisation that the compiler
6is able to perform when the code is 'inlined'. For 'speed', the DES 6is able to perform when the code is 'inlined'. For 'speed', the DES
7routines are being linked from a library. I'll record the higher 7routines are being linked from a library. I'll record the higher
8speed since if performance is everything, you can always inline 8speed since if performance is everything, you can always inline
diff --git a/src/lib/libssl/src/crypto/evp/enc_min.c b/src/lib/libssl/src/crypto/evp/enc_min.c
index 3cb4626bef..7fba38ee24 100644
--- a/src/lib/libssl/src/crypto/evp/enc_min.c
+++ b/src/lib/libssl/src/crypto/evp/enc_min.c
@@ -199,7 +199,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
199 enc = 1; 199 enc = 1;
200 ctx->encrypt = enc; 200 ctx->encrypt = enc;
201 } 201 }
202#ifdef OPENSSL_NO_FIPS 202#ifdef OPENSSL_FIPS
203 if(FIPS_selftest_failed()) 203 if(FIPS_selftest_failed())
204 { 204 {
205 FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); 205 FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
diff --git a/src/lib/libssl/src/crypto/evp/evp_test.c b/src/lib/libssl/src/crypto/evp/evp_test.c
index bb6f02c2e9..436be20bf1 100644
--- a/src/lib/libssl/src/crypto/evp/evp_test.c
+++ b/src/lib/libssl/src/crypto/evp/evp_test.c
@@ -220,18 +220,18 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
220 test1_exit(7); 220 test1_exit(7);
221 } 221 }
222 222
223 if(outl+outl2 != cn) 223 if(outl+outl2 != pn)
224 { 224 {
225 fprintf(stderr,"Plaintext length mismatch got %d expected %d\n", 225 fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
226 outl+outl2,cn); 226 outl+outl2,pn);
227 test1_exit(8); 227 test1_exit(8);
228 } 228 }
229 229
230 if(memcmp(out,plaintext,cn)) 230 if(memcmp(out,plaintext,pn))
231 { 231 {
232 fprintf(stderr,"Plaintext mismatch\n"); 232 fprintf(stderr,"Plaintext mismatch\n");
233 hexdump(stderr,"Got",out,cn); 233 hexdump(stderr,"Got",out,pn);
234 hexdump(stderr,"Expected",plaintext,cn); 234 hexdump(stderr,"Expected",plaintext,pn);
235 test1_exit(9); 235 test1_exit(9);
236 } 236 }
237 } 237 }
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index 09687b5136..c6207f76b2 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -25,11 +25,11 @@
25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for 25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
26 * major minor fix final patch/beta) 26 * major minor fix final patch/beta)
27 */ 27 */
28#define OPENSSL_VERSION_NUMBER 0x009080afL 28#define OPENSSL_VERSION_NUMBER 0x009080bfL
29#ifdef OPENSSL_FIPS 29#ifdef OPENSSL_FIPS
30#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8j-fips 07 Jan 2009" 30#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k-fips 25 Mar 2009"
31#else 31#else
32#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8j 07 Jan 2009" 32#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k 25 Mar 2009"
33#endif 33#endif
34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT 34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
35 35
diff --git a/src/lib/libssl/src/crypto/pem/pem.h b/src/lib/libssl/src/crypto/pem/pem.h
index 6f8e01544b..6c193f1cbf 100644
--- a/src/lib/libssl/src/crypto/pem/pem.h
+++ b/src/lib/libssl/src/crypto/pem/pem.h
@@ -215,7 +215,9 @@ typedef struct pem_ctx_st
215 215
216#define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/ 216#define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/
217#define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/ 217#define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/
218#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) /**/
218#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) /**/ 219#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) /**/
220#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) /**/
219 221
220#else 222#else
221 223
@@ -355,6 +357,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
355 357
356#define DECLARE_PEM_read_fp(name, type) /**/ 358#define DECLARE_PEM_read_fp(name, type) /**/
357#define DECLARE_PEM_write_fp(name, type) /**/ 359#define DECLARE_PEM_write_fp(name, type) /**/
360#define DECLARE_PEM_write_fp_const(name, type) /**/
358#define DECLARE_PEM_write_cb_fp(name, type) /**/ 361#define DECLARE_PEM_write_cb_fp(name, type) /**/
359 362
360#else 363#else
@@ -392,6 +395,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
392 395
393#define DECLARE_PEM_read_bio(name, type) /**/ 396#define DECLARE_PEM_read_bio(name, type) /**/
394#define DECLARE_PEM_write_bio(name, type) /**/ 397#define DECLARE_PEM_write_bio(name, type) /**/
398#define DECLARE_PEM_write_bio_const(name, type) /**/
395#define DECLARE_PEM_write_cb_bio(name, type) /**/ 399#define DECLARE_PEM_write_cb_bio(name, type) /**/
396 400
397#endif 401#endif
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
index e863de52ce..9522342fa5 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
@@ -170,6 +170,9 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
170 170
171 p12 = PKCS12_add_safes(safes, 0); 171 p12 = PKCS12_add_safes(safes, 0);
172 172
173 if (!p12)
174 goto err;
175
173 sk_PKCS7_pop_free(safes, PKCS7_free); 176 sk_PKCS7_pop_free(safes, PKCS7_free);
174 177
175 safes = NULL; 178 safes = NULL;
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
index c34db1d6fe..fd18ec3d95 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
@@ -229,8 +229,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
229 sk_X509_free(signers); 229 sk_X509_free(signers);
230 return 0; 230 return 0;
231 } 231 }
232 X509_STORE_CTX_set_purpose(&cert_ctx, 232 X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
233 X509_PURPOSE_SMIME_SIGN);
234 } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) { 233 } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
235 PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB); 234 PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
236 sk_X509_free(signers); 235 sk_X509_free(signers);
diff --git a/src/lib/libssl/src/crypto/rand/rand_unix.c b/src/lib/libssl/src/crypto/rand/rand_unix.c
index 6c2be5cb96..71b98ec212 100644
--- a/src/lib/libssl/src/crypto/rand/rand_unix.c
+++ b/src/lib/libssl/src/crypto/rand/rand_unix.c
@@ -232,7 +232,7 @@ int RAND_poll(void)
232 t.tv_sec = 0; 232 t.tv_sec = 0;
233 t.tv_usec = usec; 233 t.tv_usec = usec;
234 234
235 if (FD_SETSIZE > 0 && fd >= FD_SETSIZE) 235 if (FD_SETSIZE > 0 && (unsigned)fd >= FD_SETSIZE)
236 { 236 {
237 /* can't use select, so just try to read once anyway */ 237 /* can't use select, so just try to read once anyway */
238 try_read = 1; 238 try_read = 1;
diff --git a/src/lib/libssl/src/crypto/ripemd/README b/src/lib/libssl/src/crypto/ripemd/README
index 7097707264..f1ffc8b134 100644
--- a/src/lib/libssl/src/crypto/ripemd/README
+++ b/src/lib/libssl/src/crypto/ripemd/README
@@ -4,7 +4,7 @@ http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
4This is my implementation of RIPEMD-160. The pentium assember is a little 4This is my implementation of RIPEMD-160. The pentium assember is a little
5off the pace since I only get 1050 cycles, while the best is 1013. 5off the pace since I only get 1050 cycles, while the best is 1013.
6I have a few ideas for how to get another 20 or so cycles, but at 6I have a few ideas for how to get another 20 or so cycles, but at
7this point I will not bother right now. I belive the trick will be 7this point I will not bother right now. I believe the trick will be
8to remove my 'copy X array onto stack' until inside the RIP1() finctions the 8to remove my 'copy X array onto stack' until inside the RIP1() finctions the
9first time round. To do this I need another register and will only have one 9first time round. To do this I need another register and will only have one
10temporary one. A bit tricky.... I can also cleanup the saving of the 5 words 10temporary one. A bit tricky.... I can also cleanup the saving of the 5 words
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_x931g.c b/src/lib/libssl/src/crypto/rsa/rsa_x931g.c
index c640cc2ec9..bf94f8be7a 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_x931g.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_x931g.c
@@ -79,9 +79,9 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
79 goto err; 79 goto err;
80 80
81 ctx = BN_CTX_new(); 81 ctx = BN_CTX_new();
82 BN_CTX_start(ctx);
83 if (!ctx) 82 if (!ctx)
84 goto err; 83 goto err;
84 BN_CTX_start(ctx);
85 85
86 r0 = BN_CTX_get(ctx); 86 r0 = BN_CTX_get(ctx);
87 r1 = BN_CTX_get(ctx); 87 r1 = BN_CTX_get(ctx);
@@ -190,7 +190,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
190 if (ctx2) 190 if (ctx2)
191 BN_CTX_free(ctx2); 191 BN_CTX_free(ctx2);
192 /* If this is set all calls successful */ 192 /* If this is set all calls successful */
193 if (rsa->iqmp != NULL) 193 if (rsa && rsa->iqmp != NULL)
194 return 1; 194 return 1;
195 195
196 return 0; 196 return 0;
diff --git a/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl b/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl
index aa18c1089b..51c4f47ecb 100644
--- a/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl
+++ b/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl
@@ -302,4 +302,5 @@ $code.=<<___;
302stringz "SHA1 block transform for IA64, CRYPTOGAMS by <appro\@openssl.org>" 302stringz "SHA1 block transform for IA64, CRYPTOGAMS by <appro\@openssl.org>"
303___ 303___
304 304
305$output=shift and open STDOUT,">$output";
305print $code; 306print $code;
diff --git a/src/lib/libssl/src/crypto/symhacks.h b/src/lib/libssl/src/crypto/symhacks.h
index 6cfb5fe479..8728e6124d 100644
--- a/src/lib/libssl/src/crypto/symhacks.h
+++ b/src/lib/libssl/src/crypto/symhacks.h
@@ -62,6 +62,10 @@
62 VAX. */ 62 VAX. */
63#ifdef OPENSSL_SYS_VMS 63#ifdef OPENSSL_SYS_VMS
64 64
65/* Hack a long name in crypto/cryptlib.c */
66#undef int_CRYPTO_set_do_dynlock_callback
67#define int_CRYPTO_set_do_dynlock_callback int_CRYPTO_set_do_dynlock_cb
68
65/* Hack a long name in crypto/ex_data.c */ 69/* Hack a long name in crypto/ex_data.c */
66#undef CRYPTO_get_ex_data_implementation 70#undef CRYPTO_get_ex_data_implementation
67#define CRYPTO_get_ex_data_implementation CRYPTO_get_ex_data_impl 71#define CRYPTO_get_ex_data_implementation CRYPTO_get_ex_data_impl
diff --git a/src/lib/libssl/src/crypto/ui/ui_lib.c b/src/lib/libssl/src/crypto/ui/ui_lib.c
index 7ab249c3be..ac0100808f 100644
--- a/src/lib/libssl/src/crypto/ui/ui_lib.c
+++ b/src/lib/libssl/src/crypto/ui/ui_lib.c
@@ -90,6 +90,7 @@ UI *UI_new_method(const UI_METHOD *method)
90 90
91 ret->strings=NULL; 91 ret->strings=NULL;
92 ret->user_data=NULL; 92 ret->user_data=NULL;
93 ret->flags=0;
93 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data); 94 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data);
94 return ret; 95 return ret;
95 } 96 }
diff --git a/src/lib/libssl/src/crypto/x509/x509_cmp.c b/src/lib/libssl/src/crypto/x509/x509_cmp.c
index e4c682fc44..2faf92514a 100644
--- a/src/lib/libssl/src/crypto/x509/x509_cmp.c
+++ b/src/lib/libssl/src/crypto/x509/x509_cmp.c
@@ -288,7 +288,8 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
288 if (!(nabit & STR_TYPE_CMP) || 288 if (!(nabit & STR_TYPE_CMP) ||
289 !(nbbit & STR_TYPE_CMP)) 289 !(nbbit & STR_TYPE_CMP))
290 return j; 290 return j;
291 j = asn1_string_memcmp(na->value, nb->value); 291 if (!asn1_string_memcmp(na->value, nb->value))
292 j = 0;
292 } 293 }
293 else if (na->value->type == V_ASN1_PRINTABLESTRING) 294 else if (na->value->type == V_ASN1_PRINTABLESTRING)
294 j=nocase_spacenorm_cmp(na->value, nb->value); 295 j=nocase_spacenorm_cmp(na->value, nb->value);
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_cpols.c b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
index 95596055ab..ad0506d75c 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
@@ -181,7 +181,11 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
181 pol = POLICYINFO_new(); 181 pol = POLICYINFO_new();
182 pol->policyid = pobj; 182 pol->policyid = pobj;
183 } 183 }
184 sk_POLICYINFO_push(pols, pol); 184 if (!sk_POLICYINFO_push(pols, pol)){
185 POLICYINFO_free(pol);
186 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
187 goto err;
188 }
185 } 189 }
186 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); 190 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
187 return pols; 191 return pols;
@@ -447,3 +451,4 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
447 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); 451 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
448 } 452 }
449 453
454IMPLEMENT_STACK_OF(X509_POLICY_NODE)
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_utl.c b/src/lib/libssl/src/crypto/x509v3/v3_utl.c
index a4236bbb6d..7a45216c00 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_utl.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_utl.c
@@ -84,7 +84,7 @@ int X509V3_add_value(const char *name, const char *value,
84 CONF_VALUE *vtmp = NULL; 84 CONF_VALUE *vtmp = NULL;
85 char *tname = NULL, *tvalue = NULL; 85 char *tname = NULL, *tvalue = NULL;
86 if(name && !(tname = BUF_strdup(name))) goto err; 86 if(name && !(tname = BUF_strdup(name))) goto err;
87 if(value && !(tvalue = BUF_strdup(value))) goto err;; 87 if(value && !(tvalue = BUF_strdup(value))) goto err;
88 if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err; 88 if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err;
89 if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err; 89 if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err;
90 vtmp->section = NULL; 90 vtmp->section = NULL;
diff --git a/src/lib/libssl/src/doc/apps/rand.pod b/src/lib/libssl/src/doc/apps/rand.pod
index 75745ca002..d1d213ef43 100644
--- a/src/lib/libssl/src/doc/apps/rand.pod
+++ b/src/lib/libssl/src/doc/apps/rand.pod
@@ -10,6 +10,7 @@ B<openssl rand>
10[B<-out> I<file>] 10[B<-out> I<file>]
11[B<-rand> I<file(s)>] 11[B<-rand> I<file(s)>]
12[B<-base64>] 12[B<-base64>]
13[B<-hex>]
13I<num> 14I<num>
14 15
15=head1 DESCRIPTION 16=head1 DESCRIPTION
@@ -41,6 +42,10 @@ all others.
41 42
42Perform base64 encoding on the output. 43Perform base64 encoding on the output.
43 44
45=item B<-hex>
46
47Show the output as a hex string.
48
44=back 49=back
45 50
46=head1 SEE ALSO 51=head1 SEE ALSO
diff --git a/src/lib/libssl/src/doc/apps/x509.pod b/src/lib/libssl/src/doc/apps/x509.pod
index a925da41f1..f43c175235 100644
--- a/src/lib/libssl/src/doc/apps/x509.pod
+++ b/src/lib/libssl/src/doc/apps/x509.pod
@@ -155,7 +155,7 @@ outputs the "hash" of the certificate issuer name.
155 155
156=item B<-hash> 156=item B<-hash>
157 157
158synonym for "-hash" for backward compatibility reasons. 158synonym for "-subject_hash" for backward compatibility reasons.
159 159
160=item B<-subject> 160=item B<-subject>
161 161
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
index f81f692df5..f62a869a9b 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
@@ -28,7 +28,7 @@ SSL_CIPHER_get_version() returns the protocol version for B<cipher>, currently
28 28
29SSL_CIPHER_description() returns a textual description of the cipher used 29SSL_CIPHER_description() returns a textual description of the cipher used
30into the buffer B<buf> of length B<len> provided. B<len> must be at least 30into the buffer B<buf> of length B<len> provided. B<len> must be at least
31128 bytes, otherwise a pointer to the the string "Buffer too small" is 31128 bytes, otherwise a pointer to the string "Buffer too small" is
32returned. If B<buf> is NULL, a buffer of 128 bytes is allocated using 32returned. If B<buf> is NULL, a buffer of 128 bytes is allocated using
33OPENSSL_malloc(). If the allocation fails, a pointer to the string 33OPENSSL_malloc(). If the allocation fails, a pointer to the string
34"OPENSSL_malloc Error" is returned. 34"OPENSSL_malloc Error" is returned.
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
index ca8d81b82c..81566839d3 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
@@ -28,7 +28,7 @@ specifies the B<verify_callback> function to be used. If no callback function
28shall be specified, the NULL pointer can be used for B<verify_callback>. In 28shall be specified, the NULL pointer can be used for B<verify_callback>. In
29this case last B<verify_callback> set specifically for this B<ssl> remains. If 29this case last B<verify_callback> set specifically for this B<ssl> remains. If
30no special B<callback> was set before, the default callback for the underlying 30no special B<callback> was set before, the default callback for the underlying
31B<ctx> is used, that was valid at the the time B<ssl> was created with 31B<ctx> is used, that was valid at the time B<ssl> was created with
32L<SSL_new(3)|SSL_new(3)>. 32L<SSL_new(3)|SSL_new(3)>.
33 33
34SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain 34SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain
diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod
index 558de01df9..110ec73ab6 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod
@@ -14,7 +14,7 @@ SSL_SESSION_free - free an allocated SSL_SESSION structure
14 14
15SSL_SESSION_free() decrements the reference count of B<session> and removes 15SSL_SESSION_free() decrements the reference count of B<session> and removes
16the B<SSL_SESSION> structure pointed to by B<session> and frees up the allocated 16the B<SSL_SESSION> structure pointed to by B<session> and frees up the allocated
17memory, if the the reference count has reached 0. 17memory, if the reference count has reached 0.
18 18
19=head1 NOTES 19=head1 NOTES
20 20
diff --git a/src/lib/libssl/src/doc/ssl/SSL_free.pod b/src/lib/libssl/src/doc/ssl/SSL_free.pod
index 2d4f8b6168..13c1abd9ec 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_free.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_free.pod
@@ -14,7 +14,7 @@ SSL_free - free an allocated SSL structure
14 14
15SSL_free() decrements the reference count of B<ssl>, and removes the SSL 15SSL_free() decrements the reference count of B<ssl>, and removes the SSL
16structure pointed to by B<ssl> and frees up the allocated memory if the 16structure pointed to by B<ssl> and frees up the allocated memory if the
17the reference count has reached 0. 17reference count has reached 0.
18 18
19=head1 NOTES 19=head1 NOTES
20 20
diff --git a/src/lib/libssl/src/doc/ssleay.txt b/src/lib/libssl/src/doc/ssleay.txt
index c75312911f..a8b04d7059 100644
--- a/src/lib/libssl/src/doc/ssleay.txt
+++ b/src/lib/libssl/src/doc/ssleay.txt
@@ -3800,9 +3800,9 @@ made public on sci.crypt in Sep 1994 (RC4) and Feb 1996 (RC2). I have
3800copies of the origional postings if people are interested. RSA I believe 3800copies of the origional postings if people are interested. RSA I believe
3801claim that they were 'trade-secrets' and that some-one broke an NDA in 3801claim that they were 'trade-secrets' and that some-one broke an NDA in
3802revealing them. Other claim they reverse engineered the algorithms from 3802revealing them. Other claim they reverse engineered the algorithms from
3803compiled binaries. If the algorithms were reverse engineered, I belive 3803compiled binaries. If the algorithms were reverse engineered, I believe
3804RSA had no legal leg to stand on. If an NDA was broken, I don't know. 3804RSA had no legal leg to stand on. If an NDA was broken, I don't know.
3805Regardless, RSA, I belive, is willing to go to court over the issue so 3805Regardless, RSA, I believe, is willing to go to court over the issue so
3806licencing is probably the best idea, or at least talk to them. 3806licencing is probably the best idea, or at least talk to them.
3807If there are people who actually know more about this, pease let me know, I 3807If there are people who actually know more about this, pease let me know, I
3808don't want to vilify or spread miss-information if I can help it. 3808don't want to vilify or spread miss-information if I can help it.
diff --git a/src/lib/libssl/src/engines/makeengines.com b/src/lib/libssl/src/engines/makeengines.com
index 4a7474e010..840864f7cf 100644
--- a/src/lib/libssl/src/engines/makeengines.com
+++ b/src/lib/libssl/src/engines/makeengines.com
@@ -34,7 +34,7 @@ $! Set the names of the engines we want to build
34$! 34$!
35$ ENGINES = "," + P6 35$ ENGINES = "," + P6
36$ IF ENGINES .EQS. "," THEN - 36$ IF ENGINES .EQS. "," THEN -
37 ENGINES = ",4758cca,aep,atalla,cswift,chil,nuron,sureware,ubsec" 37 ENGINES = ",4758cca,aep,atalla,cswift,chil,nuron,sureware,ubsec,capi"
38$! 38$!
39$! Set the default TCP/IP library to link against if needed 39$! Set the default TCP/IP library to link against if needed
40$! 40$!
@@ -87,6 +87,7 @@ $ ENGINE_chil = "e_chil"
87$ ENGINE_nuron = "e_nuron" 87$ ENGINE_nuron = "e_nuron"
88$ ENGINE_sureware = "e_sureware" 88$ ENGINE_sureware = "e_sureware"
89$ ENGINE_ubsec = "e_ubsec" 89$ ENGINE_ubsec = "e_ubsec"
90$ ENGINE_capi = "e_capi"
90$! 91$!
91$! Define which programs need to be linked with a TCP/IP library 92$! Define which programs need to be linked with a TCP/IP library
92$! 93$!
diff --git a/src/lib/libssl/src/fips/Makefile b/src/lib/libssl/src/fips/Makefile
index d6dcb79a28..e038be8f13 100644
--- a/src/lib/libssl/src/fips/Makefile
+++ b/src/lib/libssl/src/fips/Makefile
@@ -123,7 +123,7 @@ fips_premain_dso$(EXE_EXT): fips_premain.c
123 $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS) 123 $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS)
124# this is executed only when linking with external fipscanister.o 124# this is executed only when linking with external fipscanister.o
125fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c 125fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c
126 $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o 126 $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS)
127 127
128subdirs: 128subdirs:
129 @target=all; $(RECURSIVE_MAKE) 129 @target=all; $(RECURSIVE_MAKE)
@@ -179,8 +179,15 @@ install:
179 chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ 179 chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
180 done; 180 done;
181 @target=install; $(RECURSIVE_MAKE) 181 @target=install; $(RECURSIVE_MAKE)
182 @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \ 182 for i in $(EXE) ; \
183 fips_premain.c.sha1 \ 183 do \
184 echo "installing $$i"; \
185 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
186 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
187 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
188 done
189 cp -p -f $(FIPSLIBDIR)fipscanister.o $(FIPSLIBDIR)fipscanister.o.sha1 \
190 $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fips_premain.c.sha1 \
184 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ 191 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
185 chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* 192 chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
186 193
diff --git a/src/lib/libssl/src/fips/aes/Makefile b/src/lib/libssl/src/fips/aes/Makefile
index 403525d4c0..7b8b3a26de 100644
--- a/src/lib/libssl/src/fips/aes/Makefile
+++ b/src/lib/libssl/src/fips/aes/Makefile
@@ -22,7 +22,6 @@ CFLAGS= $(INCLUDES) $(CFLAG)
22 22
23GENERAL=Makefile 23GENERAL=Makefile
24TEST=fips_aesavs.c 24TEST=fips_aesavs.c
25TESTDATA=fips_aes_data
26APPS= 25APPS=
27 26
28LIB=$(TOP)/libcrypto.a 27LIB=$(TOP)/libcrypto.a
@@ -50,7 +49,6 @@ files:
50links: 49links:
51 @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) 50 @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER)
52 @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) 51 @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST)
53 @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TESTDATA)
54 @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) 52 @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS)
55 53
56install: 54install:
diff --git a/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c b/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c
index 058b71a20f..eec65dc39e 100644
--- a/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c
+++ b/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c
@@ -65,7 +65,7 @@ void OPENSSL_cleanse(void *p,size_t len) {}
65static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, 65static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
66 const char *key) 66 const char *key)
67 { 67 {
68 int len=strlen(key); 68 size_t len=strlen(key);
69 int i; 69 int i;
70 unsigned char keymd[HMAC_MAX_MD_CBLOCK]; 70 unsigned char keymd[HMAC_MAX_MD_CBLOCK];
71 unsigned char pad[HMAC_MAX_MD_CBLOCK]; 71 unsigned char pad[HMAC_MAX_MD_CBLOCK];
@@ -139,7 +139,7 @@ int main(int argc,char **argv)
139 for( ; ; ) 139 for( ; ; )
140 { 140 {
141 char buf[1024]; 141 char buf[1024];
142 int l=fread(buf,1,sizeof buf,f); 142 size_t l=fread(buf,1,sizeof buf,f);
143 143
144 if(l == 0) 144 if(l == 0)
145 { 145 {
diff --git a/src/lib/libssl/src/ms/do_masm.bat b/src/lib/libssl/src/ms/do_masm.bat
index 8c22256b32..a8575321f9 100644
--- a/src/lib/libssl/src/ms/do_masm.bat
+++ b/src/lib/libssl/src/ms/do_masm.bat
@@ -1,74 +1,70 @@
1@echo off 1@SET ASMOPTS=-DOPENSSL_IA32_SSE2
2 2@echo Generating x86 for MASM assember
3SET ASMOPTS=-DOPENSSL_IA32_SSE2 3
4echo Generating x86 for MASM assember 4@echo Bignum
5 5@cd crypto\bn\asm
6echo Bignum 6@perl bn-586.pl win32 %ASMOPTS% > bn_win32.asm
7cd crypto\bn\asm 7@perl co-586.pl win32 %ASMOPTS% > co_win32.asm
8perl bn-586.pl win32 %ASMOPTS% > bn_win32.asm 8@perl mo-586.pl win32 %ASMOPTS% > mt_win32.asm
9perl co-586.pl win32 %ASMOPTS% > co_win32.asm 9@cd ..\..\..
10perl mo-586.pl win32 %ASMOPTS% > mt_win32.asm 10
11cd ..\..\.. 11@echo AES
12 12@cd crypto\aes\asm
13echo AES 13@perl aes-586.pl win32 %ASMOPTS% > a_win32.asm
14cd crypto\aes\asm 14@cd ..\..\..
15perl aes-586.pl win32 %ASMOPTS% > a_win32.asm 15
16cd ..\..\.. 16@echo DES
17 17@cd crypto\des\asm
18echo DES 18@perl des-586.pl win32 %ASMOPTS% > d_win32.asm
19cd crypto\des\asm 19@cd ..\..\..
20perl des-586.pl win32 %ASMOPTS% > d_win32.asm 20
21cd ..\..\.. 21@echo "crypt(3)"
22 22
23echo "crypt(3)" 23@cd crypto\des\asm
24 24@perl crypt586.pl win32 %ASMOPTS% > y_win32.asm
25cd crypto\des\asm 25@cd ..\..\..
26perl crypt586.pl win32 %ASMOPTS% > y_win32.asm 26
27cd ..\..\.. 27@echo Blowfish
28 28
29echo Blowfish 29@cd crypto\bf\asm
30 30@perl bf-586.pl win32 %ASMOPTS% > b_win32.asm
31cd crypto\bf\asm 31@cd ..\..\..
32perl bf-586.pl win32 %ASMOPTS% > b_win32.asm 32
33cd ..\..\.. 33@echo CAST5
34 34@cd crypto\cast\asm
35echo CAST5 35@perl cast-586.pl win32 %ASMOPTS% > c_win32.asm
36cd crypto\cast\asm 36@cd ..\..\..
37perl cast-586.pl win32 %ASMOPTS% > c_win32.asm 37
38cd ..\..\.. 38@echo RC4
39 39@cd crypto\rc4\asm
40echo RC4 40@perl rc4-586.pl win32 %ASMOPTS% > r4_win32.asm
41cd crypto\rc4\asm 41@cd ..\..\..
42perl rc4-586.pl win32 %ASMOPTS% > r4_win32.asm 42
43cd ..\..\.. 43@echo MD5
44 44@cd crypto\md5\asm
45echo MD5 45@perl md5-586.pl win32 %ASMOPTS% > m5_win32.asm
46cd crypto\md5\asm 46@cd ..\..\..
47perl md5-586.pl win32 %ASMOPTS% > m5_win32.asm 47
48cd ..\..\.. 48@echo SHA1
49 49@cd crypto\sha\asm
50echo SHA1 50@perl sha1-586.pl win32 %ASMOPTS% > s1_win32.asm
51cd crypto\sha\asm 51@perl sha512-sse2.pl win32 %ASMOPTS% > sha512-sse2.asm
52perl sha1-586.pl win32 %ASMOPTS% > s1_win32.asm 52@cd ..\..\..
53perl sha512-sse2.pl win32 %ASMOPTS% > sha512-sse2.asm 53
54cd ..\..\.. 54@echo RIPEMD160
55 55@cd crypto\ripemd\asm
56echo RIPEMD160 56@perl rmd-586.pl win32 %ASMOPTS% > rm_win32.asm
57cd crypto\ripemd\asm 57@cd ..\..\..
58perl rmd-586.pl win32 %ASMOPTS% > rm_win32.asm 58
59cd ..\..\.. 59@echo RC5\32
60 60@cd crypto\rc5\asm
61echo RC5\32 61@perl rc5-586.pl win32 %ASMOPTS% > r5_win32.asm
62cd crypto\rc5\asm 62@cd ..\..\..
63perl rc5-586.pl win32 %ASMOPTS% > r5_win32.asm 63
64cd ..\..\.. 64@echo CPU-ID
65 65@cd crypto
66echo CPU-ID 66@perl x86cpuid.pl win32 %ASMOPTS% > cpu_win32.asm
67cd crypto 67@cd ..
68perl x86cpuid.pl win32 %ASMOPTS% > cpu_win32.asm
69cd ..
70
71echo on
72 68
73perl util\mkfiles.pl >MINFO 69perl util\mkfiles.pl >MINFO
74perl util\mk1mf.pl VC-WIN32 >ms\nt.mak 70perl util\mk1mf.pl VC-WIN32 >ms\nt.mak
diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
index 6008c3c9c8..329e3925b7 100644
--- a/src/lib/libssl/src/openssl.spec
+++ b/src/lib/libssl/src/openssl.spec
@@ -1,7 +1,7 @@
1%define libmaj 0 1%define libmaj 0
2%define libmin 9 2%define libmin 9
3%define librel 8 3%define librel 8
4%define librev j 4%define librev k
5Release: 1 5Release: 1
6 6
7%define openssldir /var/ssl 7%define openssldir /var/ssl
diff --git a/src/lib/libssl/src/ssl/kssl.c b/src/lib/libssl/src/ssl/kssl.c
index 6da75e6416..019030ae3c 100644
--- a/src/lib/libssl/src/ssl/kssl.c
+++ b/src/lib/libssl/src/ssl/kssl.c
@@ -946,7 +946,7 @@ kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
946 if (kssl_err == NULL) return; 946 if (kssl_err == NULL) return;
947 947
948 kssl_err->reason = reason; 948 kssl_err->reason = reason;
949 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, text); 949 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text);
950 return; 950 return;
951 } 951 }
952 952
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 5fd3520caf..50308487aa 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -173,7 +173,7 @@ int ssl3_connect(SSL *s)
173 long num1; 173 long num1;
174 void (*cb)(const SSL *ssl,int type,int val)=NULL; 174 void (*cb)(const SSL *ssl,int type,int val)=NULL;
175 int ret= -1; 175 int ret= -1;
176 int new_state,state,skip=0;; 176 int new_state,state,skip=0;
177 177
178 RAND_add(&Time,sizeof(Time),0); 178 RAND_add(&Time,sizeof(Time),0);
179 ERR_clear_error(); 179 ERR_clear_error();
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 0c2aa249b4..52f91cfe60 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -1355,7 +1355,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1355 comp->method=cm; 1355 comp->method=cm;
1356 load_builtin_compressions(); 1356 load_builtin_compressions();
1357 if (ssl_comp_methods 1357 if (ssl_comp_methods
1358 && !sk_SSL_COMP_find(ssl_comp_methods,comp)) 1358 && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0)
1359 { 1359 {
1360 OPENSSL_free(comp); 1360 OPENSSL_free(comp);
1361 MemCheck_on(); 1361 MemCheck_on();
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 68eee77e6f..893abff1f4 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -510,6 +510,8 @@ void SSL_free(SSL *s)
510 510
511 if (s->ctx) SSL_CTX_free(s->ctx); 511 if (s->ctx) SSL_CTX_free(s->ctx);
512#ifndef OPENSSL_NO_TLSEXT 512#ifndef OPENSSL_NO_TLSEXT
513 if (s->tlsext_hostname)
514 OPENSSL_free(s->tlsext_hostname);
513 if (s->initial_ctx) SSL_CTX_free(s->initial_ctx); 515 if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
514 if (s->tlsext_ocsp_exts) 516 if (s->tlsext_ocsp_exts)
515 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 517 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
diff --git a/src/lib/libssl/src/test/Makefile b/src/lib/libssl/src/test/Makefile
index 73d64440b1..228ee368cd 100644
--- a/src/lib/libssl/src/test/Makefile
+++ b/src/lib/libssl/src/test/Makefile
@@ -404,6 +404,8 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
404 elif [ -n "$(FIPSCANLIB)" ]; then \ 404 elif [ -n "$(FIPSCANLIB)" ]; then \
405 FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ 405 FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
406 LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ 406 LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
407 else \
408 LIBRARIES="$(LIBCRYPTO)"; \
407 fi; \ 409 fi; \
408 $(MAKE) -f $(TOP)/Makefile.shared -e \ 410 $(MAKE) -f $(TOP)/Makefile.shared -e \
409 CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ 411 CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
diff --git a/src/lib/libssl/src/test/times b/src/lib/libssl/src/test/times
index 49aeebf216..738d569b8f 100644
--- a/src/lib/libssl/src/test/times
+++ b/src/lib/libssl/src/test/times
@@ -68,7 +68,7 @@ eric (adding numbers to speculation)
68--- Appendix --- 68--- Appendix ---
69- The time measured is user time but these number a very rough. 69- The time measured is user time but these number a very rough.
70- Remember this is the cost of both client and server sides of the protocol. 70- Remember this is the cost of both client and server sides of the protocol.
71- The TCP/kernal overhead of connection establishment is normally the 71- The TCP/kernel overhead of connection establishment is normally the
72 killer in SSL. Often delays in the TCP protocol will make session-id 72 killer in SSL. Often delays in the TCP protocol will make session-id
73 reuse look slower that new sessions, but this would not be the case on 73 reuse look slower that new sessions, but this would not be the case on
74 a loaded server. 74 a loaded server.
diff --git a/src/lib/libssl/src/util/domd b/src/lib/libssl/src/util/domd
index 691be7a440..560ebeaf82 100644
--- a/src/lib/libssl/src/util/domd
+++ b/src/lib/libssl/src/util/domd
@@ -22,7 +22,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
22 done 22 done
23 sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp 23 sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp
24 echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp 24 echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
25 gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp 25 ${CC:-gcc} -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
26 ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new 26 ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
27 rm -f Makefile.tmp 27 rm -f Makefile.tmp
28else 28else
diff --git a/src/lib/libssl/src/util/libeay.num b/src/lib/libssl/src/util/libeay.num
index 0eb54ddc89..74eb337227 100644
--- a/src/lib/libssl/src/util/libeay.num
+++ b/src/lib/libssl/src/util/libeay.num
@@ -3667,7 +3667,8 @@ CRYPTO_set_mem_info_functions 4053 EXIST::FUNCTION:
3667RSA_X931_generate_key_ex 4054 EXIST::FUNCTION:RSA 3667RSA_X931_generate_key_ex 4054 EXIST::FUNCTION:RSA
3668int_ERR_set_state_func 4055 EXIST:OPENSSL_FIPS:FUNCTION: 3668int_ERR_set_state_func 4055 EXIST:OPENSSL_FIPS:FUNCTION:
3669int_EVP_MD_set_engine_callbacks 4056 EXIST:OPENSSL_FIPS:FUNCTION:ENGINE 3669int_EVP_MD_set_engine_callbacks 4056 EXIST:OPENSSL_FIPS:FUNCTION:ENGINE
3670int_CRYPTO_set_do_dynlock_callback 4057 EXIST::FUNCTION: 3670int_CRYPTO_set_do_dynlock_callback 4057 EXIST:!VMS:FUNCTION:
3671int_CRYPTO_set_do_dynlock_cb 4057 EXIST:VMS:FUNCTION:
3671FIPS_rng_stick 4058 EXIST:OPENSSL_FIPS:FUNCTION: 3672FIPS_rng_stick 4058 EXIST:OPENSSL_FIPS:FUNCTION:
3672EVP_CIPHER_CTX_set_flags 4059 EXIST::FUNCTION: 3673EVP_CIPHER_CTX_set_flags 4059 EXIST::FUNCTION:
3673BN_X931_generate_prime_ex 4060 EXIST::FUNCTION: 3674BN_X931_generate_prime_ex 4060 EXIST::FUNCTION:
diff --git a/src/lib/libssl/src/util/pl/VC-32.pl b/src/lib/libssl/src/util/pl/VC-32.pl
index 730c2083bd..85121c8ed1 100644
--- a/src/lib/libssl/src/util/pl/VC-32.pl
+++ b/src/lib/libssl/src/util/pl/VC-32.pl
@@ -164,7 +164,7 @@ if ($FLAVOR =~ /NT/)
164 $ex_libs="unicows.lib $ex_libs"; 164 $ex_libs="unicows.lib $ex_libs";
165 } 165 }
166# static library stuff 166# static library stuff
167$mklib='lib'; 167$mklib='lib /nologo';
168$ranlib=''; 168$ranlib='';
169$plib=""; 169$plib="";
170$libp=".lib"; 170$libp=".lib";
@@ -184,7 +184,7 @@ if ($nasm) {
184 $asm.=' /Zi' if $debug; 184 $asm.=' /Zi' if $debug;
185 $afile='/Fo'; 185 $afile='/Fo';
186} else { 186} else {
187 $asm='ml /Cp /coff /c /Cx'; 187 $asm='ml /nologo /Cp /coff /c /Cx';
188 $asm.=" /Zi" if $debug; 188 $asm.=" /Zi" if $debug;
189 $afile='/Fo'; 189 $afile='/Fo';
190} 190}
@@ -405,7 +405,7 @@ sub do_link_rule
405 if ($standalone == 1) 405 if ($standalone == 1)
406 { 406 {
407 $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t"; 407 $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t";
408 $ret.= "$mwex advapi32.lib " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild); 408 $ret.= "\$(EX_LIBS) " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild);
409 $ret.="$files $libs\n<<\n"; 409 $ret.="$files $libs\n<<\n";
410 } 410 }
411 elsif ($standalone == 2) 411 elsif ($standalone == 2)
diff --git a/src/lib/libssl/test/Makefile b/src/lib/libssl/test/Makefile
index 73d64440b1..228ee368cd 100644
--- a/src/lib/libssl/test/Makefile
+++ b/src/lib/libssl/test/Makefile
@@ -404,6 +404,8 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
404 elif [ -n "$(FIPSCANLIB)" ]; then \ 404 elif [ -n "$(FIPSCANLIB)" ]; then \
405 FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ 405 FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
406 LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ 406 LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
407 else \
408 LIBRARIES="$(LIBCRYPTO)"; \
407 fi; \ 409 fi; \
408 $(MAKE) -f $(TOP)/Makefile.shared -e \ 410 $(MAKE) -f $(TOP)/Makefile.shared -e \
409 CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ 411 CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 22:17:33 +0000