From 58c08aa241f168c84ce7cc3052454ea59a44eada Mon Sep 17 00:00:00 2001 From: markus <> Date: Wed, 7 Apr 2004 20:42:07 +0000 Subject: import openssl-0.9.7d --- src/lib/libcrypto/aes/aes_cbc.c | 2 +- src/lib/libcrypto/asn1/a_mbstr.c | 4 +- src/lib/libcrypto/asn1/a_strex.c | 2 +- src/lib/libcrypto/asn1/a_time.c | 9 +- src/lib/libcrypto/asn1/asn1_lib.c | 4 +- src/lib/libcrypto/asn1/asn1_par.c | 6 +- src/lib/libcrypto/asn1/asn_moid.c | 9 +- src/lib/libcrypto/asn1/t_pkey.c | 4 +- src/lib/libcrypto/asn1/x_long.c | 10 +- src/lib/libcrypto/bio/b_dump.c | 32 ++- src/lib/libcrypto/bio/b_print.c | 12 +- src/lib/libcrypto/bio/b_sock.c | 12 +- src/lib/libcrypto/bio/bio_cb.c | 36 +-- src/lib/libcrypto/bio/bss_conn.c | 6 +- src/lib/libcrypto/bio/bss_file.c | 10 +- src/lib/libcrypto/bn/asm/bn-586.pl | 2 +- src/lib/libcrypto/bn/asm/x86_64-gcc.c | 2 +- src/lib/libcrypto/bn/bn_lcl.h | 17 +- src/lib/libcrypto/bn/bn_lib.c | 8 +- src/lib/libcrypto/bn/bn_print.c | 5 +- src/lib/libcrypto/conf/conf_def.c | 6 +- src/lib/libcrypto/conf/conf_mod.c | 12 +- src/lib/libcrypto/cversion.c | 8 +- src/lib/libcrypto/des/cfb_enc.c | 21 +- src/lib/libcrypto/des/ecb_enc.c | 4 +- src/lib/libcrypto/doc/EVP_BytesToKey.pod | 2 +- src/lib/libcrypto/doc/EVP_DigestInit.pod | 2 +- src/lib/libcrypto/doc/OPENSSL_config.pod | 82 ++++++ .../libcrypto/doc/OPENSSL_load_builtin_modules.pod | 51 ++++ .../libcrypto/doc/OpenSSL_add_all_algorithms.pod | 2 +- src/lib/libcrypto/doc/RSA_print.pod | 2 +- src/lib/libcrypto/doc/d2i_DSAPublicKey.pod | 5 +- src/lib/libcrypto/doc/d2i_RSAPublicKey.pod | 5 +- src/lib/libcrypto/dso/dso_lib.c | 4 +- src/lib/libcrypto/ec/ecp_smpl.c | 2 +- src/lib/libcrypto/engine/eng_ctrl.c | 10 +- src/lib/libcrypto/engine/eng_fat.c | 6 +- src/lib/libcrypto/engine/engine.h | 27 +- src/lib/libcrypto/err/err.c | 2 +- src/lib/libcrypto/evp/digest.c | 15 +- src/lib/libcrypto/evp/evp.h | 2 + src/lib/libcrypto/evp/evp_enc.c | 14 +- src/lib/libcrypto/evp/evp_pbe.c | 2 +- src/lib/libcrypto/evp/evp_pkey.c | 2 +- src/lib/libcrypto/mem_dbg.c | 17 +- src/lib/libcrypto/objects/obj_dat.c | 4 +- src/lib/libcrypto/objects/obj_dat.pl | 4 + src/lib/libcrypto/ocsp/ocsp_ext.c | 24 +- src/lib/libcrypto/ocsp/ocsp_lib.c | 1 + src/lib/libcrypto/ocsp/ocsp_vfy.c | 6 +- src/lib/libcrypto/opensslv.h | 4 +- src/lib/libcrypto/pem/pem_lib.c | 21 +- src/lib/libcrypto/pem/pem_pkey.c | 4 + src/lib/libcrypto/pkcs7/pk7_doit.c | 58 ++-- src/lib/libcrypto/rand/randfile.c | 71 ++++- src/lib/libcrypto/sha/asm/sha1-586.pl | 291 +++++++-------------- src/lib/libcrypto/ui/ui_lib.c | 13 +- src/lib/libcrypto/x509/by_dir.c | 34 ++- src/lib/libcrypto/x509/x509.h | 4 - src/lib/libcrypto/x509/x509_txt.c | 8 +- src/lib/libcrypto/x509/x509_vfy.c | 55 +++- src/lib/libcrypto/x509/x509_vfy.h | 19 +- src/lib/libcrypto/x509/x509type.c | 2 +- src/lib/libcrypto/x509v3/v3_alt.c | 3 +- src/lib/libcrypto/x509v3/v3_crld.c | 2 +- src/lib/libcrypto/x509v3/v3_info.c | 11 +- src/lib/libcrypto/x509v3/v3_purp.c | 5 +- src/lib/libssl/LICENSE | 2 +- src/lib/libssl/doc/openssl.cnf | 5 + src/lib/libssl/s3_clnt.c | 5 +- src/lib/libssl/s3_lib.c | 2 + src/lib/libssl/s3_pkt.c | 8 + src/lib/libssl/s3_srvr.c | 19 +- src/lib/libssl/ssl.h | 4 +- src/lib/libssl/ssl_asn1.c | 1 - src/lib/libssl/ssl_cert.c | 12 +- src/lib/libssl/ssl_ciph.c | 85 +++--- src/lib/libssl/ssl_lib.c | 1 - src/lib/libssl/ssl_sess.c | 1 - 79 files changed, 777 insertions(+), 509 deletions(-) create mode 100644 src/lib/libcrypto/doc/OPENSSL_config.pod create mode 100644 src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c index 86b27b10d6..1222a21002 100644 --- a/src/lib/libcrypto/aes/aes_cbc.c +++ b/src/lib/libcrypto/aes/aes_cbc.c @@ -104,7 +104,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, memcpy(tmp, in, AES_BLOCK_SIZE); AES_decrypt(tmp, tmp, key); for(n=0; n < len; ++n) - out[n] ^= ivec[n]; + out[n] = tmp[n] ^ ivec[n]; memcpy(ivec, tmp, AES_BLOCK_SIZE); } } diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c index e8a26af521..208b3ec395 100644 --- a/src/lib/libcrypto/asn1/a_mbstr.c +++ b/src/lib/libcrypto/asn1/a_mbstr.c @@ -145,14 +145,14 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, if((minsize > 0) && (nchar < minsize)) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT); - sprintf(strbuf, "%ld", minsize); + BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize); ERR_add_error_data(2, "minsize=", strbuf); return -1; } if((maxsize > 0) && (nchar > maxsize)) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG); - sprintf(strbuf, "%ld", maxsize); + BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize); ERR_add_error_data(2, "maxsize=", strbuf); return -1; } diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c index 8abfdfe598..bde666a6ff 100644 --- a/src/lib/libcrypto/asn1/a_strex.c +++ b/src/lib/libcrypto/asn1/a_strex.c @@ -285,7 +285,7 @@ const static signed char tag2nbyte[] = { -1, -1, 0, -1, /* 10-13 */ -1, -1, -1, -1, /* 15-17 */ -1, 1, 1, /* 18-20 */ - -1, 1, -1,-1, /* 21-24 */ + -1, 1, 1, 1, /* 21-24 */ -1, 1, -1, /* 25-27 */ 4, -1, 2 /* 28-30 */ }; diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c index 7348da9457..159681fbcb 100644 --- a/src/lib/libcrypto/asn1/a_time.c +++ b/src/lib/libcrypto/asn1/a_time.c @@ -128,6 +128,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE { ASN1_GENERALIZEDTIME *ret; char *str; + int newlen; if (!ASN1_TIME_check(t)) return NULL; @@ -150,12 +151,14 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE /* grow the string */ if (!ASN1_STRING_set(ret, NULL, t->length + 2)) return NULL; + /* ASN1_STRING_set() allocated 'len + 1' bytes. */ + newlen = t->length + 2 + 1; str = (char *)ret->data; /* Work out the century and prepend */ - if (t->data[0] >= '5') strcpy(str, "19"); - else strcpy(str, "20"); + if (t->data[0] >= '5') BUF_strlcpy(str, "19", newlen); + else BUF_strlcpy(str, "20", newlen); - BUF_strlcat(str, (char *)t->data, t->length+3); /* Include space for a '\0' */ + BUF_strlcat(str, (char *)t->data, newlen); return ret; } diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c index e30d5dd303..a74f1368d3 100644 --- a/src/lib/libcrypto/asn1/asn1_lib.c +++ b/src/lib/libcrypto/asn1/asn1_lib.c @@ -414,8 +414,8 @@ void asn1_add_error(unsigned char *address, int offset) { char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1]; - sprintf(buf1,"%lu",(unsigned long)address); - sprintf(buf2,"%d",offset); + BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address); + BIO_snprintf(buf2,sizeof buf2,"%d",offset); ERR_add_error_data(4,"address=",buf1," offset=",buf2); } diff --git a/src/lib/libcrypto/asn1/asn1_par.c b/src/lib/libcrypto/asn1/asn1_par.c index e48532a24d..676d434f03 100644 --- a/src/lib/libcrypto/asn1/asn1_par.c +++ b/src/lib/libcrypto/asn1/asn1_par.c @@ -83,11 +83,11 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed, p=str; if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE) - sprintf(str,"priv [ %d ] ",tag); + BIO_snprintf(str,sizeof str,"priv [ %d ] ",tag); else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC) - sprintf(str,"cont [ %d ]",tag); + BIO_snprintf(str,sizeof str,"cont [ %d ]",tag); else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION) - sprintf(str,"appl [ %d ]",tag); + BIO_snprintf(str,sizeof str,"appl [ %d ]",tag); else p = ASN1_tag2str(tag); if (p2 != NULL) diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c index be20db4bad..edb44c988f 100644 --- a/src/lib/libcrypto/asn1/asn_moid.c +++ b/src/lib/libcrypto/asn1/asn_moid.c @@ -87,9 +87,14 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf) } } return 1; -} + } + +static void oid_module_finish(CONF_IMODULE *md) + { + OBJ_cleanup(); + } void ASN1_add_oid_module(void) { - CONF_module_add("oid_section", oid_module_init, 0); + CONF_module_add("oid_section", oid_module_init, oid_module_finish); } diff --git a/src/lib/libcrypto/asn1/t_pkey.c b/src/lib/libcrypto/asn1/t_pkey.c index 4e09c9e44e..d15006e654 100644 --- a/src/lib/libcrypto/asn1/t_pkey.c +++ b/src/lib/libcrypto/asn1/t_pkey.c @@ -139,9 +139,9 @@ int RSA_print(BIO *bp, const RSA *x, int off) } if (x->d == NULL) - sprintf(str,"Modulus (%d bit):",BN_num_bits(x->n)); + BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n)); else - strcpy(str,"modulus:"); + BUF_strlcpy(str,"modulus:",sizeof str); if (!print(bp,str,x->n,m,off)) goto err; s=(x->d == NULL)?"Exponent:":"publicExponent:"; if (!print(bp,s,x->e,m,off)) goto err; diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c index c04b192794..c5f25956cb 100644 --- a/src/lib/libcrypto/asn1/x_long.c +++ b/src/lib/libcrypto/asn1/x_long.c @@ -104,7 +104,12 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const A long ltmp; unsigned long utmp; int clen, pad, i; - ltmp = *(long *)pval; + /* this exists to bypass broken gcc optimization */ + char *cp = (char *)pval; + + /* use memcpy, because we may not be long aligned */ + memcpy(<mp, cp, sizeof(long)); + if(ltmp == it->size) return -1; /* Convert the long to positive: we subtract one if negative so * we can cleanly handle the padding if only the MSB of the leading @@ -136,6 +141,7 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, int neg, i; long ltmp; unsigned long utmp = 0; + char *cp = (char *)pval; if(len > sizeof(long)) { ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); return 0; @@ -158,6 +164,6 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); return 0; } - *(long *)pval = ltmp; + memcpy(cp, <mp, sizeof(long)); return 1; } diff --git a/src/lib/libcrypto/bio/b_dump.c b/src/lib/libcrypto/bio/b_dump.c index 8397cfab6a..f671e722fa 100644 --- a/src/lib/libcrypto/bio/b_dump.c +++ b/src/lib/libcrypto/bio/b_dump.c @@ -104,38 +104,41 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent) for(i=0;i=len) { - strcat(buf," "); + BUF_strlcat(buf," ",sizeof buf); } else { ch=((unsigned char)*(s+i*dump_width+j)) & 0xff; - sprintf(tmp,"%02x%c",ch,j==7?'-':' '); - strcat(buf,tmp); + BIO_snprintf(tmp,sizeof tmp,"%02x%c",ch, + j==7?'-':' '); + BUF_strlcat(buf,tmp,sizeof buf); } } - strcat(buf," "); + BUF_strlcat(buf," ",sizeof buf); for(j=0;j=len) break; ch=((unsigned char)*(s+i*dump_width+j)) & 0xff; #ifndef CHARSET_EBCDIC - sprintf(tmp,"%c",((ch>=' ')&&(ch<='~'))?ch:'.'); + BIO_snprintf(tmp,sizeof tmp,"%c", + ((ch>=' ')&&(ch<='~'))?ch:'.'); #else - sprintf(tmp,"%c",((ch>=os_toascii[' '])&&(ch<=os_toascii['~'])) - ? os_toebcdic[ch] - : '.'); + BIO_snprintf(tmp,sizeof tmp,"%c", + ((ch>=os_toascii[' '])&&(ch<=os_toascii['~'])) + ? os_toebcdic[ch] + : '.'); #endif - strcat(buf,tmp); + BUF_strlcat(buf,tmp,sizeof buf); } - strcat(buf,"\n"); + BUF_strlcat(buf,"\n",sizeof buf); /* if this is the last call then update the ddt_dump thing so that * we will move the selection point in the debug window */ @@ -144,7 +147,8 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent) #ifdef TRUNCATE if (trunc > 0) { - sprintf(buf,"%s%04x - \n",str,len+trunc); + BIO_snprintf(buf,sizeof buf,"%s%04x - \n",str, + len+trunc); ret+=BIO_write(bio,(char *)buf,strlen(buf)); } #endif diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c index 2cfc689dd6..fbff331796 100644 --- a/src/lib/libcrypto/bio/b_print.c +++ b/src/lib/libcrypto/bio/b_print.c @@ -576,12 +576,12 @@ abs_val(LDOUBLE value) } static LDOUBLE -pow10(int exp) +pow10(int in_exp) { LDOUBLE result = 1; - while (exp) { + while (in_exp) { result *= 10; - exp--; + in_exp--; } return result; } @@ -652,8 +652,8 @@ fmtfp( (caps ? "0123456789ABCDEF" : "0123456789abcdef")[intpart % 10]; intpart = (intpart / 10); - } while (intpart && (iplace < sizeof iplace)); - if (iplace == sizeof iplace) + } while (intpart && (iplace < sizeof iconvert)); + if (iplace == sizeof iconvert) iplace--; iconvert[iplace] = 0; @@ -664,7 +664,7 @@ fmtfp( : "0123456789abcdef")[fracpart % 10]; fracpart = (fracpart / 10); } while (fplace < max); - if (fplace == sizeof fplace) + if (fplace == sizeof fconvert) fplace--; fconvert[fplace] = 0; diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c index 601a14f37c..c851298d1e 100644 --- a/src/lib/libcrypto/bio/b_sock.c +++ b/src/lib/libcrypto/bio/b_sock.c @@ -709,12 +709,12 @@ int BIO_accept(int sock, char **addr) } *addr=p; } - sprintf(*addr,"%d.%d.%d.%d:%d", - (unsigned char)(l>>24L)&0xff, - (unsigned char)(l>>16L)&0xff, - (unsigned char)(l>> 8L)&0xff, - (unsigned char)(l )&0xff, - port); + BIO_snprintf(*addr,24,"%d.%d.%d.%d:%d", + (unsigned char)(l>>24L)&0xff, + (unsigned char)(l>>16L)&0xff, + (unsigned char)(l>> 8L)&0xff, + (unsigned char)(l )&0xff, + port); end: return(ret); } diff --git a/src/lib/libcrypto/bio/bio_cb.c b/src/lib/libcrypto/bio/bio_cb.c index 0ffa4d2136..6f4254a114 100644 --- a/src/lib/libcrypto/bio/bio_cb.c +++ b/src/lib/libcrypto/bio/bio_cb.c @@ -70,55 +70,61 @@ long MS_CALLBACK BIO_debug_callback(BIO *bio, int cmd, const char *argp, MS_STATIC char buf[256]; char *p; long r=1; + size_t p_maxlen; if (BIO_CB_RETURN & cmd) r=ret; - sprintf(buf,"BIO[%08lX]:",(unsigned long)bio); + BIO_snprintf(buf,sizeof buf,"BIO[%08lX]:",(unsigned long)bio); p= &(buf[14]); + p_maxlen = sizeof buf - 14; switch (cmd) { case BIO_CB_FREE: - sprintf(p,"Free - %s\n",bio->method->name); + BIO_snprintf(p,p_maxlen,"Free - %s\n",bio->method->name); break; case BIO_CB_READ: if (bio->method->type & BIO_TYPE_DESCRIPTOR) - sprintf(p,"read(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num); + BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s fd=%d\n", + bio->num,argi,bio->method->name,bio->num); else - sprintf(p,"read(%d,%d) - %s\n",bio->num,argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s\n", + bio->num,argi,bio->method->name); break; case BIO_CB_WRITE: if (bio->method->type & BIO_TYPE_DESCRIPTOR) - sprintf(p,"write(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num); + BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s fd=%d\n", + bio->num,argi,bio->method->name,bio->num); else - sprintf(p,"write(%d,%d) - %s\n",bio->num,argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s\n", + bio->num,argi,bio->method->name); break; case BIO_CB_PUTS: - sprintf(p,"puts() - %s\n",bio->method->name); + BIO_snprintf(p,p_maxlen,"puts() - %s\n",bio->method->name); break; case BIO_CB_GETS: - sprintf(p,"gets(%d) - %s\n",argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"gets(%d) - %s\n",argi,bio->method->name); break; case BIO_CB_CTRL: - sprintf(p,"ctrl(%d) - %s\n",argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"ctrl(%d) - %s\n",argi,bio->method->name); break; case BIO_CB_RETURN|BIO_CB_READ: - sprintf(p,"read return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"read return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_WRITE: - sprintf(p,"write return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"write return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_GETS: - sprintf(p,"gets return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"gets return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_PUTS: - sprintf(p,"puts return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"puts return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_CTRL: - sprintf(p,"ctrl return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"ctrl return %ld\n",ret); break; default: - sprintf(p,"bio callback - unknown type (%d)\n",cmd); + BIO_snprintf(p,p_maxlen,"bio callback - unknown type (%d)\n",cmd); break; } diff --git a/src/lib/libcrypto/bio/bss_conn.c b/src/lib/libcrypto/bio/bss_conn.c index 743db6ff94..f5d0e759e2 100644 --- a/src/lib/libcrypto/bio/bss_conn.c +++ b/src/lib/libcrypto/bio/bss_conn.c @@ -521,8 +521,8 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) char buf[16]; unsigned char *p = ptr; - sprintf(buf,"%d.%d.%d.%d", - p[0],p[1],p[2],p[3]); + BIO_snprintf(buf,sizeof buf,"%d.%d.%d.%d", + p[0],p[1],p[2],p[3]); if (data->param_hostname != NULL) OPENSSL_free(data->param_hostname); data->param_hostname=BUF_strdup(buf); @@ -532,7 +532,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) { char buf[DECIMAL_SIZE(int)+1]; - sprintf(buf,"%d",*(int *)ptr); + BIO_snprintf(buf,sizeof buf,"%d",*(int *)ptr); if (data->param_port != NULL) OPENSSL_free(data->param_port); data->param_port=BUF_strdup(buf); diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c index 6904b5c081..9cdf159f82 100644 --- a/src/lib/libcrypto/bio/bss_file.c +++ b/src/lib/libcrypto/bio/bss_file.c @@ -249,15 +249,15 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) if (num & BIO_FP_APPEND) { if (num & BIO_FP_READ) - strcpy(p,"a+"); - else strcpy(p,"a"); + BUF_strlcpy(p,"a+",sizeof p); + else BUF_strlcpy(p,"a",sizeof p); } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE)) - strcpy(p,"r+"); + BUF_strlcpy(p,"r+",sizeof p); else if (num & BIO_FP_WRITE) - strcpy(p,"w"); + BUF_strlcpy(p,"w",sizeof p); else if (num & BIO_FP_READ) - strcpy(p,"r"); + BUF_strlcpy(p,"r",sizeof p); else { BIOerr(BIO_F_FILE_CTRL,BIO_R_BAD_FOPEN_MODE); diff --git a/src/lib/libcrypto/bn/asm/bn-586.pl b/src/lib/libcrypto/bn/asm/bn-586.pl index 33f6125920..c4de4a2bee 100644 --- a/src/lib/libcrypto/bn/asm/bn-586.pl +++ b/src/lib/libcrypto/bn/asm/bn-586.pl @@ -11,7 +11,7 @@ require "x86asm.pl"; &bn_div_words("bn_div_words"); &bn_add_words("bn_add_words"); &bn_sub_words("bn_sub_words"); -&bn_sub_part_words("bn_sub_part_words"); +#&bn_sub_part_words("bn_sub_part_words"); &asm_finish(); diff --git a/src/lib/libcrypto/bn/asm/x86_64-gcc.c b/src/lib/libcrypto/bn/asm/x86_64-gcc.c index b97b394661..450e8e4322 100644 --- a/src/lib/libcrypto/bn/asm/x86_64-gcc.c +++ b/src/lib/libcrypto/bn/asm/x86_64-gcc.c @@ -142,7 +142,7 @@ void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n) BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) { BN_ULONG ret,waste; - asm ("divq %3" + asm ("divq %4" : "=a"(ret),"=d"(waste) : "a"(l),"d"(h),"g"(d) : "cc"); diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h index 5614bc6164..253e195e23 100644 --- a/src/lib/libcrypto/bn/bn_lcl.h +++ b/src/lib/libcrypto/bn/bn_lcl.h @@ -433,19 +433,18 @@ void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a); int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n); int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl); -#if 0 -/* bn_mul.c rollback */ -void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2, - int dna,int dnb,BN_ULONG *t); -void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, - int n,int tna,int tnb,BN_ULONG *t); -#endif -void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t); -void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n); +#ifdef BN_RECURSION +void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, + BN_ULONG *t); +void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn, + int n, BN_ULONG *t); void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2, BN_ULONG *t); void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2, BN_ULONG *t); +void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t); +#endif +void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n); #ifdef __cplusplus } diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c index fa0ff485ad..e1660450bc 100644 --- a/src/lib/libcrypto/bn/bn_lib.c +++ b/src/lib/libcrypto/bn/bn_lib.c @@ -145,11 +145,11 @@ char *BN_options(void) { init++; #ifdef BN_LLONG - sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULLONG)*8, - (int)sizeof(BN_ULONG)*8); + BIO_snprintf(data,sizeof data,"bn(%d,%d)", + (int)sizeof(BN_ULLONG)*8,(int)sizeof(BN_ULONG)*8); #else - sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULONG)*8, - (int)sizeof(BN_ULONG)*8); + BIO_snprintf(data,sizeof data,"bn(%d,%d)", + (int)sizeof(BN_ULONG)*8,(int)sizeof(BN_ULONG)*8); #endif } return(data); diff --git a/src/lib/libcrypto/bn/bn_print.c b/src/lib/libcrypto/bn/bn_print.c index 5f46b1826c..0d942603b1 100644 --- a/src/lib/libcrypto/bn/bn_print.c +++ b/src/lib/libcrypto/bn/bn_print.c @@ -119,6 +119,7 @@ char *BN_bn2dec(const BIGNUM *a) } if ((t=BN_dup(a)) == NULL) goto err; +#define BUF_REMAIN (num+3 - (size_t)(p - buf)) p=buf; lp=bn_data; if (t->neg) *(p++)='-'; @@ -139,12 +140,12 @@ char *BN_bn2dec(const BIGNUM *a) /* We now have a series of blocks, BN_DEC_NUM chars * in length, where the last one needs truncation. * The blocks need to be reversed in order. */ - sprintf(p,BN_DEC_FMT1,*lp); + BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT1,*lp); while (*p) p++; while (lp != bn_data) { lp--; - sprintf(p,BN_DEC_FMT2,*lp); + BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT2,*lp); while (*p) p++; } } diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c index 57d2739ae0..2e9f52f1fd 100644 --- a/src/lib/libcrypto/conf/conf_def.c +++ b/src/lib/libcrypto/conf/conf_def.c @@ -235,7 +235,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE); goto err; } - strcpy(section,"default"); + BUF_strlcpy(section,"default",10); if (_CONF_new_data(conf) == 0) { @@ -392,7 +392,7 @@ again: ERR_R_MALLOC_FAILURE); goto err; } - strcpy(v->name,pname); + BUF_strlcpy(v->name,pname,strlen(pname)+1); if (!str_copy(conf,psection,&(v->value),start)) goto err; if (strcmp(psection,section) != 0) @@ -447,7 +447,7 @@ err: if (buff != NULL) BUF_MEM_free(buff); if (section != NULL) OPENSSL_free(section); if (line != NULL) *line=eline; - sprintf(btmp,"%ld",eline); + BIO_snprintf(btmp,sizeof btmp,"%ld",eline); ERR_add_error_data(2,"line ",btmp); if ((h != conf->data) && (conf->data != NULL)) { diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c index edcc08921c..d45adea851 100644 --- a/src/lib/libcrypto/conf/conf_mod.c +++ b/src/lib/libcrypto/conf/conf_mod.c @@ -232,7 +232,7 @@ static int module_run(const CONF *cnf, char *name, char *value, { char rcode[DECIMAL_SIZE(ret)+1]; CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR); - sprintf(rcode, "%-8d", ret); + BIO_snprintf(rcode, sizeof rcode, "%-8d", ret); ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode); } } @@ -561,11 +561,11 @@ char *CONF_get1_default_config_file(void) if (!file) return NULL; - strcpy(file,X509_get_default_cert_area()); + BUF_strlcpy(file,X509_get_default_cert_area(),len + 1); #ifndef OPENSSL_SYS_VMS - strcat(file,"/"); + BUF_strlcat(file,"/",len + 1); #endif - strcat(file,OPENSSL_CONF); + BUF_strlcat(file,OPENSSL_CONF,len + 1); return file; } @@ -576,12 +576,12 @@ char *CONF_get1_default_config_file(void) * be used to parse comma separated lists for example. */ -int CONF_parse_list(const char *list, int sep, int nospc, +int CONF_parse_list(const char *list_, int sep, int nospc, int (*list_cb)(const char *elem, int len, void *usr), void *arg) { int ret; const char *lstart, *tmpend, *p; - lstart = list; + lstart = list_; for(;;) { diff --git a/src/lib/libcrypto/cversion.c b/src/lib/libcrypto/cversion.c index 8ecfba7b16..beeeb14013 100644 --- a/src/lib/libcrypto/cversion.c +++ b/src/lib/libcrypto/cversion.c @@ -61,7 +61,9 @@ #include "cryptlib.h" #include +#ifndef NO_WINDOWS_BRAINDEATH #include "buildinf.h" +#endif const char *SSLeay_version(int t) { @@ -72,7 +74,7 @@ const char *SSLeay_version(int t) #ifdef DATE static char buf[sizeof(DATE)+11]; - sprintf(buf,"built on: %s",DATE); + BIO_snprintf(buf,sizeof buf,"built on: %s",DATE); return(buf); #else return("built on: date not available"); @@ -83,7 +85,7 @@ const char *SSLeay_version(int t) #ifdef CFLAGS static char buf[sizeof(CFLAGS)+11]; - sprintf(buf,"compiler: %s",CFLAGS); + BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS); return(buf); #else return("compiler: information not available"); @@ -94,7 +96,7 @@ const char *SSLeay_version(int t) #ifdef PLATFORM static char buf[sizeof(PLATFORM)+11]; - sprintf(buf,"platform: %s", PLATFORM); + BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM); return(buf); #else return("platform: information not available"); diff --git a/src/lib/libcrypto/des/cfb_enc.c b/src/lib/libcrypto/des/cfb_enc.c index 2600bdfc93..03cabb223c 100644 --- a/src/lib/libcrypto/des/cfb_enc.c +++ b/src/lib/libcrypto/des/cfb_enc.c @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include "e_os.h" #include "des_locl.h" /* The input and output are loaded in multiples of 8 bits. @@ -64,17 +65,15 @@ * the second. The second 12 bits will come from the 3rd and half the 4th * byte. */ -/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of - * length */ /* Until Aug 1 2003 this function did not correctly implement CFB-r, so it * will not be compatible with any encryption prior to that date. Ben. */ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc) { - register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8; - register unsigned long l=length; - register int num=numbits; + register DES_LONG d0,d1,v0,v1; + register unsigned long l=length,n=(numbits+7)/8; + register int num=numbits,i; DES_LONG ti[2]; unsigned char *iv; unsigned char ovec[16]; @@ -114,10 +113,10 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); /* now the remaining bits */ if(num%8 != 0) - for(n=0 ; n < 8 ; ++n) + for(i=0 ; i < 8 ; ++i) { - ovec[n]<<=num%8; - ovec[n]|=ovec[n+1]>>(8-num%8); + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); } iv=&ovec[0]; c2l(iv,v0); @@ -152,10 +151,10 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); /* now the remaining bits */ if(num%8 != 0) - for(n=0 ; n < 8 ; ++n) + for(i=0 ; i < 8 ; ++i) { - ovec[n]<<=num%8; - ovec[n]|=ovec[n+1]>>(8-num%8); + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); } iv=&ovec[0]; c2l(iv,v0); diff --git a/src/lib/libcrypto/des/ecb_enc.c b/src/lib/libcrypto/des/ecb_enc.c index 1b70f68806..784aa5ba23 100644 --- a/src/lib/libcrypto/des/ecb_enc.c +++ b/src/lib/libcrypto/des/ecb_enc.c @@ -60,6 +60,7 @@ #include "des_ver.h" #include "spr.h" #include +#include OPENSSL_GLOBAL const char *libdes_version="libdes" OPENSSL_VERSION_PTEXT; OPENSSL_GLOBAL const char *DES_version="DES" OPENSSL_VERSION_PTEXT; @@ -97,7 +98,8 @@ const char *DES_options(void) size="int"; else size="long"; - sprintf(buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,size); + BIO_snprintf(buf,sizeof buf,"des(%s,%s,%s,%s)",ptr,risc,unroll, + size); init=0; } return(buf); diff --git a/src/lib/libcrypto/doc/EVP_BytesToKey.pod b/src/lib/libcrypto/doc/EVP_BytesToKey.pod index 5ce4add082..016381f3e9 100644 --- a/src/lib/libcrypto/doc/EVP_BytesToKey.pod +++ b/src/lib/libcrypto/doc/EVP_BytesToKey.pod @@ -2,7 +2,7 @@ =head1 NAME - EVP_BytesToKey - password based encryption routine +EVP_BytesToKey - password based encryption routine =head1 SYNOPSIS diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod index 5901c39526..1cb315e739 100644 --- a/src/lib/libcrypto/doc/EVP_DigestInit.pod +++ b/src/lib/libcrypto/doc/EVP_DigestInit.pod @@ -4,7 +4,7 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, -EVP_MD_CTX_copy_ex EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, +EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2, EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - diff --git a/src/lib/libcrypto/doc/OPENSSL_config.pod b/src/lib/libcrypto/doc/OPENSSL_config.pod new file mode 100644 index 0000000000..16600620cc --- /dev/null +++ b/src/lib/libcrypto/doc/OPENSSL_config.pod @@ -0,0 +1,82 @@ +=pod + +=head1 NAME + +OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions + +=head1 SYNOPSIS + + #include + + void OPENSSL_config(const char *config_name); + void OPENSSL_no_config(void); + +=head1 DESCRIPTION + +OPENSSL_config() configures OpenSSL using the standard B +configuration file name using B. If B is NULL then +the default name B will be used. Any errors are ignored. Further +calls to OPENSSL_config() will have no effect. The configuration file format +is documented in the L manual page. + +OPENSSL_no_config() disables configuration. If called before OPENSSL_config() +no configuration takes place. + +=head1 NOTES + +It is B recommended that B new applications call OPENSSL_config() +or the more sophisticated functions such as CONF_modules_load() during +initialization (that is before starting any threads). By doing this +an application does not need to keep track of all configuration options +and some new functionality can be supported automatically. + +It is also possible to automatically call OPENSSL_config() when an application +calls OPENSSL_add_all_algorithms() by compiling an application with the +preprocessor symbol B #define'd. In this way configuration +can be added without source changes. + +The environment variable B can be set to specify the location +of the configuration file. + +Currently ASN1 OBJECTs and ENGINE configuration can be performed future +versions of OpenSSL will add new configuration options. + +There are several reasons why calling the OpenSSL configuration routines is +advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7. +In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be +used (among other things) to load dynamic ENGINEs from shared libraries (DSOs). +However very few applications currently support the control interface and so +very few can load and use dynamic ENGINEs. Equally in future more sophisticated +ENGINEs will require certain control operations to customize them. If an +application calls OPENSSL_config() it doesn't need to know or care about +ENGINE control operations because they can be performed by editing a +configuration file. + +Applications should free up configuration at application closedown by calling +CONF_modules_free(). + +=head1 RESTRICTIONS + +The OPENSSL_config() function is designed to be a very simple "call it and +forget it" function. As a result its behaviour is somewhat limited. It ignores +all errors silently and it can only load from the standard configuration file +location for example. + +It is however B better than nothing. Applications which need finer +control over their configuration functionality should use the configuration +functions such as CONF_load_modules() directly. + +=head1 RETURN VALUES + +Neither OPENSSL_config() nor OPENSSL_no_config() return a value. + +=head1 SEE ALSO + +L, L, +L + +=head1 HISTORY + +OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7 + +=cut diff --git a/src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod b/src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod new file mode 100644 index 0000000000..f14dfaf005 --- /dev/null +++ b/src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod @@ -0,0 +1,51 @@ +=pod + +=head1 NAME + +OPENSSL_load_builtin_modules - add standard configuration modules + +=head1 SYNOPSIS + + #include + + void OPENSSL_load_builtin_modules(void); + void ASN1_add_oid_module(void); + ENGINE_add_conf_module(); + +=head1 DESCRIPTION + +The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL +configuration modules to the internal list. They can then be used by the +OpenSSL configuration code. + +ASN1_add_oid_module() adds just the ASN1 OBJECT module. + +ENGINE_add_conf_module() adds just the ENGINE configuration module. + +=head1 NOTES + +If the simple configuration function OPENSSL_config() is called then +OPENSSL_load_builtin_modules() is called automatically. + +Applications which use the configuration functions directly will need to +call OPENSSL_load_builtin_modules() themselves I any other +configuration code. + +Applications should call OPENSSL_load_builtin_modules() to load all +configuration modules instead of adding modules selectively: otherwise +functionality may be missing from the application if an when new +modules are added. + +=head1 RETURN VALUE + +None of the functions return a value. + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +These functions first appeared in OpenSSL 0.9.7. + +=cut diff --git a/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod b/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod index 486c903430..e63411b5bb 100644 --- a/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod +++ b/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod @@ -36,7 +36,7 @@ None of the functions return a value. =head1 NOTES -A typical application will will call OpenSSL_add_all_algorithms() initially and +A typical application will call OpenSSL_add_all_algorithms() initially and EVP_cleanup() before exiting. An application does not need to add algorithms to use them explicitly, for example diff --git a/src/lib/libcrypto/doc/RSA_print.pod b/src/lib/libcrypto/doc/RSA_print.pod index e28d107d1c..c971e91f4d 100644 --- a/src/lib/libcrypto/doc/RSA_print.pod +++ b/src/lib/libcrypto/doc/RSA_print.pod @@ -44,6 +44,6 @@ L, L, L, L RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(), DH_print_fp() are available in all versions of SSLeay and OpenSSL. -DSAparams_print() and DSAparams_print_pf() were added in SSLeay 0.8. +DSAparams_print() and DSAparams_print_fp() were added in SSLeay 0.8. =cut diff --git a/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod b/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod index 6ebd30427b..22c1b50f22 100644 --- a/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod +++ b/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod @@ -9,6 +9,7 @@ and parsing functions. =head1 SYNOPSIS #include + #include DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length); @@ -35,8 +36,8 @@ and parsing functions. d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key components structure. -d2i_DSA_PUKEY() and i2d_DSA_PUKEY() decode and encode an DSA public key using a -SubjectPublicKeyInfo (certificate public key) structure. +d2i_DSA_PUBKEY() and i2d_DSA_PUBKEY() decode and encode an DSA public key using +a SubjectPublicKeyInfo (certificate public key) structure. d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key components. diff --git a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod index 7c71bcbf3d..279b29c873 100644 --- a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod +++ b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod @@ -9,6 +9,7 @@ d2i_Netscape_RSA - RSA public and private key encoding functions. =head1 SYNOPSIS #include + #include RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length); @@ -31,8 +32,8 @@ d2i_Netscape_RSA - RSA public and private key encoding functions. d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey structure. -d2i_RSA_PUKEY() and i2d_RSA_PUKEY() decode and encode an RSA public key using a -SubjectPublicKeyInfo (certificate public key) structure. +d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY() decode and encode an RSA public key using +a SubjectPublicKeyInfo (certificate public key) structure. d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey structure. diff --git a/src/lib/libcrypto/dso/dso_lib.c b/src/lib/libcrypto/dso/dso_lib.c index 556069b9b8..48d9fdb25e 100644 --- a/src/lib/libcrypto/dso/dso_lib.c +++ b/src/lib/libcrypto/dso/dso_lib.c @@ -383,7 +383,7 @@ int DSO_set_filename(DSO *dso, const char *filename) DSOerr(DSO_F_DSO_SET_FILENAME,ERR_R_MALLOC_FAILURE); return(0); } - strcpy(copied, filename); + BUF_strlcpy(copied, filename, strlen(filename) + 1); if(dso->filename) OPENSSL_free(dso->filename); dso->filename = copied; @@ -422,7 +422,7 @@ char *DSO_convert_filename(DSO *dso, const char *filename) ERR_R_MALLOC_FAILURE); return(NULL); } - strcpy(result, filename); + BUF_strlcpy(result, filename, strlen(filename) + 1); } return(result); } diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c index 4666a052bf..e9a51fb87a 100644 --- a/src/lib/libcrypto/ec/ecp_smpl.c +++ b/src/lib/libcrypto/ec/ecp_smpl.c @@ -896,7 +896,7 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } form = buf[0]; y_bit = form & 1; - form = form & ~1; + form = form & ~1U; if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) && (form != POINT_CONVERSION_UNCOMPRESSED) && (form != POINT_CONVERSION_HYBRID)) diff --git a/src/lib/libcrypto/engine/eng_ctrl.c b/src/lib/libcrypto/engine/eng_ctrl.c index ad3858395b..412c73fb0f 100644 --- a/src/lib/libcrypto/engine/eng_ctrl.c +++ b/src/lib/libcrypto/engine/eng_ctrl.c @@ -160,15 +160,19 @@ static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)()) case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD: return strlen(e->cmd_defns[idx].cmd_name); case ENGINE_CTRL_GET_NAME_FROM_CMD: - return sprintf(s, "%s", e->cmd_defns[idx].cmd_name); + return BIO_snprintf(s,strlen(e->cmd_defns[idx].cmd_name) + 1, + "%s", e->cmd_defns[idx].cmd_name); case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD: if(e->cmd_defns[idx].cmd_desc) return strlen(e->cmd_defns[idx].cmd_desc); return strlen(int_no_description); case ENGINE_CTRL_GET_DESC_FROM_CMD: if(e->cmd_defns[idx].cmd_desc) - return sprintf(s, "%s", e->cmd_defns[idx].cmd_desc); - return sprintf(s, "%s", int_no_description); + return BIO_snprintf(s, + strlen(e->cmd_defns[idx].cmd_desc) + 1, + "%s", e->cmd_defns[idx].cmd_desc); + return BIO_snprintf(s, strlen(int_no_description) + 1,"%s", + int_no_description); case ENGINE_CTRL_GET_CMD_FLAGS: return e->cmd_defns[idx].cmd_flags; } diff --git a/src/lib/libcrypto/engine/eng_fat.c b/src/lib/libcrypto/engine/eng_fat.c index 0d7dae00b2..7ccf7022ee 100644 --- a/src/lib/libcrypto/engine/eng_fat.c +++ b/src/lib/libcrypto/engine/eng_fat.c @@ -107,14 +107,14 @@ static int int_def_cb(const char *alg, int len, void *arg) } -int ENGINE_set_default_string(ENGINE *e, const char *list) +int ENGINE_set_default_string(ENGINE *e, const char *def_list) { unsigned int flags = 0; - if (!CONF_parse_list(list, ',', 1, int_def_cb, &flags)) + if (!CONF_parse_list(def_list, ',', 1, int_def_cb, &flags)) { ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_STRING, ENGINE_R_INVALID_STRING); - ERR_add_error_data(2, "str=",list); + ERR_add_error_data(2, "str=",def_list); return 0; } return ENGINE_set_default(e, flags); diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h index 9c3ab182d3..900f75ce8d 100644 --- a/src/lib/libcrypto/engine/engine.h +++ b/src/lib/libcrypto/engine/engine.h @@ -513,7 +513,7 @@ ENGINE *ENGINE_get_digest_engine(int nid); * structure will have had its reference count up'd so the caller * should still free their own reference 'e'. */ int ENGINE_set_default_RSA(ENGINE *e); -int ENGINE_set_default_string(ENGINE *e, const char *list); +int ENGINE_set_default_string(ENGINE *e, const char *def_list); /* Same for the other "methods" */ int ENGINE_set_default_DSA(ENGINE *e); int ENGINE_set_default_DH(ENGINE *e); @@ -616,17 +616,20 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, const dynamic_fns *fns); #define IMPLEMENT_DYNAMIC_BIND_FN(fn) \ int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \ - if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \ - fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \ - return 0; \ - CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \ - CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \ - CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \ - CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \ - CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \ - if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \ - return 0; \ - if(!ERR_set_implementation(fns->err_fns)) return 0; \ + if (ERR_get_implementation() != fns->err_fns) \ + { \ + if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \ + fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \ + return 0; \ + CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \ + CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \ + CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \ + CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \ + CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \ + if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \ + return 0; \ + if(!ERR_set_implementation(fns->err_fns)) return 0; \ + } \ if(!fn(e,id)) return 0; \ return 1; } diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c index 633a1addfe..792f329600 100644 --- a/src/lib/libcrypto/err/err.c +++ b/src/lib/libcrypto/err/err.c @@ -1065,7 +1065,7 @@ void ERR_add_error_data(int num, ...) else str=p; } - strcat(str,a); + BUF_strlcat(str,a,s+1); } } ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING); diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c index b22eed4421..0623ddf1f0 100644 --- a/src/lib/libcrypto/evp/digest.c +++ b/src/lib/libcrypto/evp/digest.c @@ -248,6 +248,7 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { + unsigned char *tmp_buf; if ((in == NULL) || (in->digest == NULL)) { EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED); @@ -262,15 +263,22 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) } #endif + if (out->digest == in->digest) + { + tmp_buf = out->md_data; + EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE); + } + else tmp_buf = NULL; EVP_MD_CTX_cleanup(out); memcpy(out,in,sizeof *out); if (out->digest->ctx_size) { - out->md_data=OPENSSL_malloc(out->digest->ctx_size); + if (tmp_buf) out->md_data = tmp_buf; + else out->md_data=OPENSSL_malloc(out->digest->ctx_size); memcpy(out->md_data,in->md_data,out->digest->ctx_size); } - + if (out->digest->copy) return out->digest->copy(out,in); @@ -308,7 +316,8 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) if (ctx->digest && ctx->digest->cleanup && !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED)) ctx->digest->cleanup(ctx); - if (ctx->digest && ctx->digest->ctx_size && ctx->md_data) + if (ctx->digest && ctx->digest->ctx_size && ctx->md_data + && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) { OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h index 45a25f968d..4801d8eaa3 100644 --- a/src/lib/libcrypto/evp/evp.h +++ b/src/lib/libcrypto/evp/evp.h @@ -329,6 +329,8 @@ struct env_md_ctx_st * once only */ #define EVP_MD_CTX_FLAG_CLEANED 0x0002 /* context has already been * cleaned */ +#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data + * in EVP_MD_CTX_cleanup */ struct evp_cipher_st { diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c index be0758a879..8ea5aa935d 100644 --- a/src/lib/libcrypto/evp/evp_enc.c +++ b/src/lib/libcrypto/evp/evp_enc.c @@ -148,7 +148,19 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp #endif ctx->cipher=cipher; - ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size); + if (ctx->cipher->ctx_size) + { + ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size); + if (!ctx->cipher_data) + { + EVPerr(EVP_F_EVP_CIPHERINIT, ERR_R_MALLOC_FAILURE); + return 0; + } + } + else + { + ctx->cipher_data = NULL; + } ctx->key_len = cipher->key_len; ctx->flags = 0; if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT) diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c index 0da88fdcff..91e545a141 100644 --- a/src/lib/libcrypto/evp/evp_pbe.c +++ b/src/lib/libcrypto/evp/evp_pbe.c @@ -87,7 +87,7 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen, if (i == -1) { char obj_tmp[80]; EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM); - if (!pbe_obj) strcpy (obj_tmp, "NULL"); + if (!pbe_obj) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp); else i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, pbe_obj); ERR_add_error_data(2, "TYPE=", obj_tmp); return 0; diff --git a/src/lib/libcrypto/evp/evp_pkey.c b/src/lib/libcrypto/evp/evp_pkey.c index 34b5b1d21c..eb481ec661 100644 --- a/src/lib/libcrypto/evp/evp_pkey.c +++ b/src/lib/libcrypto/evp/evp_pkey.c @@ -210,7 +210,7 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8) #endif default: EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM); - if (!a->algorithm) strcpy (obj_tmp, "NULL"); + if (!a->algorithm) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp); else i2t_ASN1_OBJECT(obj_tmp, 80, a->algorithm); ERR_add_error_data(2, "TYPE=", obj_tmp); EVP_PKEY_free (pkey); diff --git a/src/lib/libcrypto/mem_dbg.c b/src/lib/libcrypto/mem_dbg.c index 57bd08f65d..e212de27e4 100644 --- a/src/lib/libcrypto/mem_dbg.c +++ b/src/lib/libcrypto/mem_dbg.c @@ -597,6 +597,8 @@ static void print_leak(const MEM *m, MEM_LEAK *l) struct tm *lcl = NULL; unsigned long ti; +#define BUF_REMAIN (sizeof buf - (size_t)(bufp - buf)) + if(m->addr == (char *)l->bio) return; @@ -604,22 +606,22 @@ static void print_leak(const MEM *m, MEM_LEAK *l) { lcl = localtime(&m->time); - sprintf(bufp, "[%02d:%02d:%02d] ", + BIO_snprintf(bufp, BUF_REMAIN, "[%02d:%02d:%02d] ", lcl->tm_hour,lcl->tm_min,lcl->tm_sec); bufp += strlen(bufp); } - sprintf(bufp, "%5lu file=%s, line=%d, ", + BIO_snprintf(bufp, BUF_REMAIN, "%5lu file=%s, line=%d, ", m->order,m->file,m->line); bufp += strlen(bufp); if (options & V_CRYPTO_MDEBUG_THREAD) { - sprintf(bufp, "thread=%lu, ", m->thread); + BIO_snprintf(bufp, BUF_REMAIN, "thread=%lu, ", m->thread); bufp += strlen(bufp); } - sprintf(bufp, "number=%d, address=%08lX\n", + BIO_snprintf(bufp, BUF_REMAIN, "number=%d, address=%08lX\n", m->num,(unsigned long)m->addr); bufp += strlen(bufp); @@ -641,7 +643,7 @@ static void print_leak(const MEM *m, MEM_LEAK *l) ami_cnt++; memset(buf,'>',ami_cnt); - sprintf(buf + ami_cnt, + BIO_snprintf(buf + ami_cnt, sizeof buf - ami_cnt, " thread=%lu, file=%s, line=%d, info=\"", amip->thread, amip->file, amip->line); buf_len=strlen(buf); @@ -653,10 +655,11 @@ static void print_leak(const MEM *m, MEM_LEAK *l) } else { - strcpy(buf + buf_len, amip->info); + BUF_strlcpy(buf + buf_len, amip->info, + sizeof buf - buf_len); buf_len = strlen(buf); } - sprintf(buf + buf_len, "\"\n"); + BIO_snprintf(buf + buf_len, sizeof buf - buf_len, "\"\n"); BIO_puts(l->bio,buf); diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c index 5d983e3ed4..4534dc0985 100644 --- a/src/lib/libcrypto/objects/obj_dat.c +++ b/src/lib/libcrypto/objects/obj_dat.c @@ -462,7 +462,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) if (i > 2) i=2; l-=(long)(i*40); - sprintf(tbuf,"%d.%lu",i,l); + BIO_snprintf(tbuf,sizeof tbuf,"%d.%lu",i,l); i=strlen(tbuf); BUF_strlcpy(buf,tbuf,buf_len); buf_len-=i; @@ -473,7 +473,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) for (; idx 0) BUF_strlcpy(buf,tbuf,buf_len); diff --git a/src/lib/libcrypto/objects/obj_dat.pl b/src/lib/libcrypto/objects/obj_dat.pl index 5dfb84ea00..d0371661f9 100644 --- a/src/lib/libcrypto/objects/obj_dat.pl +++ b/src/lib/libcrypto/objects/obj_dat.pl @@ -1,5 +1,9 @@ #!/usr/local/bin/perl +# fixes bug in floating point emulation on sparc64 when +# this script produces off-by-one output on sparc64 +use integer; + sub obj_cmp { local(@a,@b,$_,$r); diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c index d6c8899f58..57399433fc 100644 --- a/src/lib/libcrypto/ocsp/ocsp_ext.c +++ b/src/lib/libcrypto/ocsp/ocsp_ext.c @@ -305,6 +305,8 @@ err: /* Add a nonce to an extension stack. A nonce can be specificed or if NULL * a random nonce will be generated. + * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the + * nonce, previous versions used the raw nonce. */ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len) @@ -313,20 +315,28 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, ASN1_OCTET_STRING os; int ret = 0; if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH; - if (val) tmpval = val; + /* Create the OCTET STRING manually by writing out the header and + * appending the content octets. This avoids an extra memory allocation + * operation in some cases. Applications should *NOT* do this because + * it relies on library internals. + */ + os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING); + os.data = OPENSSL_malloc(os.length); + if (os.data == NULL) + goto err; + tmpval = os.data; + ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); + if (val) + memcpy(tmpval, val, len); else - { - if (!(tmpval = OPENSSL_malloc(len))) goto err; RAND_pseudo_bytes(tmpval, len); - } - os.data = tmpval; - os.length = len; if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE)) goto err; ret = 1; err: - if(!val) OPENSSL_free(tmpval); + if (os.data) + OPENSSL_free(os.data); return ret; } diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c index 3875af165c..9e87fc7895 100644 --- a/src/lib/libcrypto/ocsp/ocsp_lib.c +++ b/src/lib/libcrypto/ocsp/ocsp_lib.c @@ -253,6 +253,7 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss err: + if (buf) OPENSSL_free(buf); if (*ppath) OPENSSL_free(*ppath); if (*pport) OPENSSL_free(*pport); if (*phost) OPENSSL_free(*phost); diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c index 1f5fda7ca3..3d58dfb06c 100644 --- a/src/lib/libcrypto/ocsp/ocsp_vfy.c +++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c @@ -3,7 +3,7 @@ * project 2000. */ /* ==================================================================== - * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -272,7 +272,7 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) for (i = 1; i < idcount; i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; + tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; /* Check to see if IDs match */ if (OCSP_id_issuer_cmp(cid, tmpid)) { @@ -330,7 +330,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, OCSP_CERTID *tmpid; for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; + tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; ret = ocsp_match_issuerid(cert, tmpid, NULL); if (ret <= 0) return ret; } diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h index e226d9de79..02f1710fb3 100644 --- a/src/lib/libcrypto/opensslv.h +++ b/src/lib/libcrypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090703fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7c 30 Sep 2003" +#define OPENSSL_VERSION_NUMBER 0x0090704fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c index 70b5446797..7785039b99 100644 --- a/src/lib/libcrypto/pem/pem_lib.c +++ b/src/lib/libcrypto/pem/pem_lib.c @@ -131,9 +131,9 @@ void PEM_proc_type(char *buf, int type) else str="BAD-TYPE"; - strcat(buf,"Proc-Type: 4,"); - strcat(buf,str); - strcat(buf,"\n"); + BUF_strlcat(buf,"Proc-Type: 4,",PEM_BUFSIZE); + BUF_strlcat(buf,str,PEM_BUFSIZE); + BUF_strlcat(buf,"\n",PEM_BUFSIZE); } void PEM_dek_info(char *buf, const char *type, int len, char *str) @@ -142,10 +142,12 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str) long i; int j; - strcat(buf,"DEK-Info: "); - strcat(buf,type); - strcat(buf,","); + BUF_strlcat(buf,"DEK-Info: ",PEM_BUFSIZE); + BUF_strlcat(buf,type,PEM_BUFSIZE); + BUF_strlcat(buf,",",PEM_BUFSIZE); j=strlen(buf); + if (j + (len * 2) + 1 > PEM_BUFSIZE) + return; for (i=0; i>4)&0x0f]; @@ -533,7 +535,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, long len) { int nlen,n,i,j,outl; - unsigned char *buf; + unsigned char *buf = NULL; EVP_ENCODE_CTX ctx; int reason=ERR_R_BUF_LIB; @@ -553,7 +555,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, goto err; } - buf=(unsigned char *)OPENSSL_malloc(PEM_BUFSIZE*8); + buf = OPENSSL_malloc(PEM_BUFSIZE*8); if (buf == NULL) { reason=ERR_R_MALLOC_FAILURE; @@ -574,12 +576,15 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, EVP_EncodeFinal(&ctx,buf,&outl); if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err; OPENSSL_free(buf); + buf = NULL; if ( (BIO_write(bp,"-----END ",9) != 9) || (BIO_write(bp,name,nlen) != nlen) || (BIO_write(bp,"-----\n",6) != 6)) goto err; return(i+outl); err: + if (buf) + OPENSSL_free(buf); PEMerr(PEM_F_PEM_WRITE_BIO,reason); return(0); } diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c index d96ecf6940..f77c949e87 100644 --- a/src/lib/libcrypto/pem/pem_pkey.c +++ b/src/lib/libcrypto/pem/pem_pkey.c @@ -87,6 +87,10 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len); if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); + if(x) { + if(*x) EVP_PKEY_free((EVP_PKEY *)*x); + *x = ret; + } PKCS8_PRIV_KEY_INFO_free(p8inf); } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) { PKCS8_PRIV_KEY_INFO *p8inf; diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c index 190ca0e9bf..35c7dcd0b3 100644 --- a/src/lib/libcrypto/pkcs7/pk7_doit.c +++ b/src/lib/libcrypto/pkcs7/pk7_doit.c @@ -91,17 +91,19 @@ static int PKCS7_type_is_other(PKCS7* p7) } -static int PKCS7_type_is_octet_string(PKCS7* p7) +static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7) { - if ( 0==PKCS7_type_is_other(p7) ) - return 0; - - return (V_ASN1_OCTET_STRING==p7->d.other->type) ? 1 : 0; + if ( PKCS7_type_is_data(p7)) + return p7->d.data; + if ( PKCS7_type_is_other(p7) && p7->d.other + && (p7->d.other->type == V_ASN1_OCTET_STRING)) + return p7->d.other->value.octet_string; + return NULL; } BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) { - int i,j; + int i; BIO *out=NULL,*btmp=NULL; X509_ALGOR *xa; const EVP_MD *evp_md; @@ -159,8 +161,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) goto err; } - j=OBJ_obj2nid(xa->algorithm); - evp_md=EVP_get_digestbyname(OBJ_nid2sn(j)); + evp_md=EVP_get_digestbyobj(xa->algorithm); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNKNOWN_DIGEST_TYPE); @@ -250,29 +251,22 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) btmp=NULL; } - if (bio == NULL) { + if (bio == NULL) + { if (PKCS7_is_detached(p7)) bio=BIO_new(BIO_s_null()); - else { - if (PKCS7_type_is_signed(p7) ) { - if ( PKCS7_type_is_data(p7->d.sign->contents)) { - ASN1_OCTET_STRING *os; - os=p7->d.sign->contents->d.data; - if (os->length > 0) - bio = BIO_new_mem_buf(os->data, os->length); - } - else if ( PKCS7_type_is_octet_string(p7->d.sign->contents) ) { - ASN1_OCTET_STRING *os; - os=p7->d.sign->contents->d.other->value.octet_string; - if (os->length > 0) - bio = BIO_new_mem_buf(os->data, os->length); - } - } - if(bio == NULL) { + else + { + ASN1_OCTET_STRING *os; + os = PKCS7_get_octet_string(p7->d.sign->contents); + if (os && os->length > 0) + bio = BIO_new_mem_buf(os->data, os->length); + if(bio == NULL) + { bio=BIO_new(BIO_s_mem()); BIO_set_mem_eof_return(bio,0); + } } - } } BIO_push(out,bio); bio=NULL; @@ -311,7 +305,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) switch (i) { case NID_pkcs7_signed: - data_body=p7->d.sign->contents->d.data; + data_body=PKCS7_get_octet_string(p7->d.sign->contents); md_sk=p7->d.sign->md_algs; break; case NID_pkcs7_signedAndEnveloped: @@ -319,7 +313,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) md_sk=p7->d.signed_and_enveloped->md_algs; data_body=p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; - evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm))); + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); @@ -331,7 +325,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) rsk=p7->d.enveloped->recipientinfo; enc_alg=p7->d.enveloped->enc_data->algorithm; data_body=p7->d.enveloped->enc_data->enc_data; - evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm))); + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); @@ -357,7 +351,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) } j=OBJ_obj2nid(xa->algorithm); - evp_md=EVP_get_digestbyname(OBJ_nid2sn(j)); + evp_md=EVP_get_digestbynid(j); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNKNOWN_DIGEST_TYPE); @@ -531,9 +525,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) break; case NID_pkcs7_signed: si_sk=p7->d.sign->signer_info; - os=p7->d.sign->contents->d.data; + os=PKCS7_get_octet_string(p7->d.sign->contents); /* If detached data then the content is excluded */ - if(p7->detached) { + if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { M_ASN1_OCTET_STRING_free(os); p7->d.sign->contents->d.data = NULL; } diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c index 41574768ab..f5d0843d13 100644 --- a/src/lib/libcrypto/rand/randfile.c +++ b/src/lib/libcrypto/rand/randfile.c @@ -56,6 +56,9 @@ * [including the GNU Public Licence.] */ +/* We need to define this to get macros like S_IFBLK and S_IFCHR */ +#define _XOPEN_SOURCE 1 + #include #include #include @@ -64,6 +67,7 @@ #include "e_os.h" #include #include +#include #ifdef OPENSSL_SYS_VMS #include @@ -106,6 +110,16 @@ int RAND_load_file(const char *file, long bytes) in=fopen(file,"rb"); if (in == NULL) goto err; +#if defined(S_IFBLK) && defined(S_IFCHR) + if (sb.st_mode & (S_IFBLK | S_IFCHR)) { + /* this file is a device. we don't want read an infinite number + * of bytes from a random device, nor do we want to use buffered + * I/O because we will waste system entropy. + */ + bytes = (bytes == -1) ? 2048 : bytes; /* ok, is 2048 enough? */ + setvbuf(in, NULL, _IONBF, 0); /* don't do buffered reads */ + } +#endif for (;;) { if (bytes > 0) @@ -135,7 +149,22 @@ int RAND_write_file(const char *file) int i,ret=0,rand_err=0; FILE *out = NULL; int n; + struct stat sb; + i=stat(file,&sb); + if (i != -1) { +#if defined(S_IFBLK) && defined(S_IFCHR) + if (sb.st_mode & (S_IFBLK | S_IFCHR)) { + /* this file is a device. we don't write back to it. + * we "succeed" on the assumption this is some sort + * of random device. Otherwise attempting to write to + * and chmod the device causes problems. + */ + return(1); + } +#endif + } + #if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32) /* For some reason Win32 can't write to files created this way */ @@ -197,16 +226,17 @@ err: const char *RAND_file_name(char *buf, size_t size) { char *s=NULL; - char *ret=NULL; + int ok = 0; +#ifdef __OpenBSD__ + struct stat sb; +#endif if (OPENSSL_issetugid() == 0) s=getenv("RANDFILE"); - if (s != NULL) + if (s != NULL && *s && strlen(s) + 1 < size) { - if(strlen(s) >= size) + if (BUF_strlcpy(buf,s,size) >= size) return NULL; - strcpy(buf,s); - ret=buf; } else { @@ -218,17 +248,36 @@ const char *RAND_file_name(char *buf, size_t size) s = DEFAULT_HOME; } #endif - if (s != NULL && (strlen(s)+strlen(RFILE)+2 < size)) + if (s && *s && strlen(s)+strlen(RFILE)+2 < size) { - strcpy(buf,s); + BUF_strlcpy(buf,s,size); #ifndef OPENSSL_SYS_VMS - strcat(buf,"/"); + BUF_strlcat(buf,"/",size); #endif - strcat(buf,RFILE); - ret=buf; + BUF_strlcat(buf,RFILE,size); + ok = 1; } else buf[0] = '\0'; /* no file name */ } - return(ret); + +#ifdef __OpenBSD__ + /* given that all random loads just fail if the file can't be + * seen on a stat, we stat the file we're returning, if it + * fails, use /dev/arandom instead. this allows the user to + * use their own source for good random data, but defaults + * to something hopefully decent if that isn't available. + */ + + if (!ok) + if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) { + return(NULL); + } + if (stat(buf,&sb) == -1) + if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) { + return(NULL); + } + +#endif + return(buf); } diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl index fe51fd0794..e00f709553 100644 --- a/src/lib/libcrypto/sha/asm/sha1-586.pl +++ b/src/lib/libcrypto/sha/asm/sha1-586.pl @@ -1,5 +1,30 @@ #!/usr/local/bin/perl +# It was noted that Intel IA-32 C compiler generates code which +# performs ~30% *faster* on P4 CPU than original *hand-coded* +# SHA1 assembler implementation. To address this problem (and +# prove that humans are still better than machines:-), the +# original code was overhauled, which resulted in following +# performance changes: +# +# compared with original compared with Intel cc +# assembler impl. generated code +# Pentium -25% +37% +# PIII/AMD +8% +16% +# P4 +85%(!) +45% +# +# As you can see Pentium came out as looser:-( Yet I reckoned that +# improvement on P4 outweights the loss and incorporate this +# re-tuned code to 0.9.7 and later. +# ---------------------------------------------------------------- +# Those who for any particular reason absolutely must score on +# Pentium can replace this module with one from 0.9.6 distribution. +# This "offer" shall be revoked the moment programming interface to +# this module is changed, in which case this paragraph should be +# removed. +# ---------------------------------------------------------------- +# + $normal=0; push(@INC,"perlasm","../../perlasm"); @@ -77,54 +102,21 @@ sub BODY_00_15 { local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; -return if $n & 1; &comment("00_15 $n"); - &mov($f,$c); - - &mov($tmp1,$a); - &xor($f,$d); # F2 - - &rotl($tmp1,5); # A2 - - &and($f,$b); # F3 - &add($tmp1,$e); - - &rotr($b,1); # B1 <- F - &mov($e,&swtmp($n)); # G1 - - &rotr($b,1); # B1 <- F - &xor($f,$d); # F4 - - &lea($tmp1,&DWP($K,$tmp1,$e,1)); - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - &mov($f,$c); - - &add($a,$tmp1); # MOVED DOWN - &xor($f,$d); # F2 - &mov($tmp1,$a); - &and($f,$b); # F3 - - &rotl($tmp1,5); # A2 - - &add($tmp1,$e); - &mov($e,&swtmp($n)); # G1 - - &rotr($b,1); # B1 <- F - &xor($f,$d); # F4 - - &rotr($b,1); # B1 <- F - &lea($tmp1,&DWP($K,$tmp1,$e,1)); - - &add($f,$tmp1); + &mov($f,$c); # f to hold F_00_19(b,c,d) + &rotl($tmp1,5); # tmp1=ROTATE(a,5) + &xor($f,$d); + &and($f,$b); + &rotr($b,2); # b=ROTATE(b,30) + &add($tmp1,$e); # tmp1+=e; + &mov($e,&swtmp($n)); # e becomes volatile and + # is loaded with xi + &xor($f,$d); # f holds F_00_19(b,c,d) + &lea($tmp1,&DWP($K,$tmp1,$e,1));# tmp1+=K_00_19+xi + + &add($f,$tmp1); # f+=tmp1 } sub BODY_16_19 @@ -132,66 +124,24 @@ sub BODY_16_19 local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; local($n0,$n1,$n2,$n3,$np)=&Na($n); -return if $n & 1; &comment("16_19 $n"); - &nop() if ($pos < 0); -&mov($tmp1,&swtmp($n0)); # X1 - &mov($f,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$c); # F1 -&rotl($f,1); # X8 - slot - &xor($tmp1,$d); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &and($tmp1,$b); # F3 -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &xor($tmp1,$d); # F4 -&mov($e,$a); # A1 - &add($f,$tmp1); # tot+=F(); - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($f,$e); # tot+=a - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&rotr($c,1); #&rotr($b,1); # B1 <- F # MOVED DOWN - &xor($f,$tmp1); # X7 - slot -&rotl($f,1); # X8 - slot - &mov($tmp1,$c); # F1 -&xor($tmp1,$d); # F2 - &mov(&swtmp($n0),$f); # X9 - anytime -&and($tmp1,$b); # F3 - &lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - -&xor($tmp1,$d); # F4 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($f,$e); # tot+=a - -&rotr($b,1); # B1 <- F - &add($f,$tmp1); # tot+=F(); - + &mov($f,&swtmp($n1)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$c); # tmp1 to hold F_00_19(b,c,d) + &xor($f,&swtmp($n0)); + &xor($tmp1,$d); + &xor($f,&swtmp($n2)); + &and($tmp1,$b); # tmp1 holds F_00_19(b,c,d) + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &rotr($b,2); # b=ROTATE(b,30) + &xor($tmp1,$d); # tmp1=F_00_19(b,c,d) + &rotl($f,1); # f=ROATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_00_19+e + &mov($e,$a); # e becomes volatile + &add($f,$tmp1); # f+=F_00_19(b,c,d) + &rotl($e,5); # e=ROTATE(a,5) + &add($f,$e); # f+=ROTATE(a,5) } sub BODY_20_39 @@ -201,42 +151,21 @@ sub BODY_20_39 &comment("20_39 $n"); local($n0,$n1,$n2,$n3,$np)=&Na($n); -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$b); # F1 -&rotl($f,1); # X8 - slot - &xor($tmp1,$c); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &xor($tmp1,$d); # F3 - -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -if ($n != 79) # last loop - { - &rotr($b,1); # B1 <- F - &add($e,$tmp1); # tmp1=F()+a - - &rotr($b,1); # B2 <- F - &add($f,$e); # tot+=tmp1; - } -else - { - &add($e,$tmp1); # tmp1=F()+a - &mov($tmp1,&wparam(0)); - - &rotr($b,1); # B1 <- F - &add($f,$e); # tot+=tmp1; - - &rotr($b,1); # B2 <- F - } + &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$b); # tmp1 to hold F_20_39(b,c,d) + &xor($f,&swtmp($n1)); + &rotr($b,2); # b=ROTATE(b,30) + &xor($f,&swtmp($n2)); + &xor($tmp1,$c); + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d) + &rotl($f,1); # f=ROTATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_20_39+e + &mov($e,$a); # e becomes volatile + &rotl($e,5); # e=ROTATE(a,5) + &add($f,$tmp1); # f+=F_20_39(b,c,d) + &add($f,$e); # f+=ROTATE(a,5) } sub BODY_40_59 @@ -244,70 +173,27 @@ sub BODY_40_59 local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; &comment("40_59 $n"); - return if $n & 1; local($n0,$n1,$n2,$n3,$np)=&Na($n); -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$b); # F1 -&rotl($f,1); # X8 - slot - &or($tmp1,$c); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &and($tmp1,$d); # F3 - -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$b); # F4 - -&rotr($b,1); # B1 <- F - &and($e,$c); # F5 - -&or($tmp1,$e); # F6 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&add($tmp1,$e); # tmp1=F()+a - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - &mov($f,&swtmp($n0)); # X1 -&add($a,$tmp1); # tot+=tmp1; # moved was add f,tmp1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&rotr($c,1); # B2 <- F # moved was rotr b,1 - &xor($f,$tmp1); # X7 - slot -&rotl($f,1); # X8 - slot - &mov($tmp1,$b); # F1 -&mov(&swtmp($n0),$f); # X9 - anytime - &or($tmp1,$c); # F2 -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$b); # F4 -&and($tmp1,$d); # F3 - &and($e,$c); # F5 - -&or($tmp1,$e); # F6 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($tmp1,$e); # tmp1=F()+a - -&rotr($b,1); # B2 <- F - &add($f,$tmp1); # tot+=tmp1; + &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$b); # tmp1 to hold F_40_59(b,c,d) + &xor($f,&swtmp($n1)); + &or($tmp1,$c); + &xor($f,&swtmp($n2)); + &and($tmp1,$d); + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &rotl($f,1); # f=ROTATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_40_59+e + &mov($e,$b); # e becomes volatile and is used + # to calculate F_40_59(b,c,d) + &rotr($b,2); # b=ROTATE(b,30) + &and($e,$c); + &or($tmp1,$e); # tmp1 holds F_40_59(b,c,d) + &mov($e,$a); + &rotl($e,5); # e=ROTATE(a,5) + &add($tmp1,$e); # tmp1+=ROTATE(a,5) + &add($f,$tmp1); # f+=tmp1; } sub BODY_60_79 @@ -495,8 +381,7 @@ sub sha1_block_data # C -> E # D -> T - # The last 2 have been moved into the last loop - # &mov($tmp1,&wparam(0)); + &mov($tmp1,&wparam(0)); &mov($D, &DWP(12,$tmp1,"",0)); &add($D,$B); diff --git a/src/lib/libcrypto/ui/ui_lib.c b/src/lib/libcrypto/ui/ui_lib.c index 13e5f20dcb..dbc9711a2d 100644 --- a/src/lib/libcrypto/ui/ui_lib.c +++ b/src/lib/libcrypto/ui/ui_lib.c @@ -430,14 +430,14 @@ char *UI_construct_prompt(UI *ui, const char *object_desc, len += sizeof(prompt3) - 1; prompt = (char *)OPENSSL_malloc(len + 1); - strcpy(prompt, prompt1); - strcat(prompt, object_desc); + BUF_strlcpy(prompt, prompt1, len + 1); + BUF_strlcat(prompt, object_desc, len + 1); if (object_name) { - strcat(prompt, prompt2); - strcat(prompt, object_name); + BUF_strlcat(prompt, prompt2, len + 1); + BUF_strlcat(prompt, object_name, len + 1); } - strcat(prompt, prompt3); + BUF_strlcat(prompt, prompt3, len + 1); } return prompt; } @@ -865,7 +865,8 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result) return -1; } - strcpy(uis->result_buf, result); + BUF_strlcpy(uis->result_buf, result, + uis->_.string_data.result_maxsize + 1); break; case UIT_BOOLEAN: { diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c index 448bd7e69c..6207340472 100644 --- a/src/lib/libcrypto/x509/by_dir.c +++ b/src/lib/libcrypto/x509/by_dir.c @@ -302,8 +302,38 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, k=0; for (;;) { - sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h, - postfix,k); + char c = '/'; +#ifdef OPENSSL_SYS_VMS + c = ctx->dirs[i][strlen(ctx->dirs[i])-1]; + if (c != ':' && c != '>' && c != ']') + { + /* If no separator is present, we assume the + directory specifier is a logical name, and + add a colon. We really should use better + VMS routines for merging things like this, + but this will do for now... + -- Richard Levitte */ + c = ':'; + } + else + { + c = '\0'; + } +#endif + if (c == '\0') + { + /* This is special. When c == '\0', no + directory separator should be added. */ + BIO_snprintf(b->data,b->max, + "%s%08lx.%s%d",ctx->dirs[i],h, + postfix,k); + } + else + { + BIO_snprintf(b->data,b->max, + "%s%c%08lx.%s%d",ctx->dirs[i],c,h, + postfix,k); + } k++; if (stat(b->data,&st) < 0) break; diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h index eaad5685a8..8d0c7e2e17 100644 --- a/src/lib/libcrypto/x509/x509.h +++ b/src/lib/libcrypto/x509/x509.h @@ -810,10 +810,6 @@ X509_REQ *X509_REQ_dup(X509_REQ *req); X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); X509_NAME *X509_NAME_dup(X509_NAME *xn); X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); -#ifndef OPENSSL_NO_RSA -RSA *RSAPublicKey_dup(RSA *rsa); -RSA *RSAPrivateKey_dup(RSA *rsa); -#endif #endif /* !SSLEAY_MACROS */ diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c index 4f83db8ba2..e31ebc6741 100644 --- a/src/lib/libcrypto/x509/x509_txt.c +++ b/src/lib/libcrypto/x509/x509_txt.c @@ -147,8 +147,14 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); + case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: + return("key usage does not include CRL signing"); + + case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: + return("unhandled critical CRL extension"); + default: - sprintf(buf,"error number %ld",n); + BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); } } diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 2bb21b443e..2e4d0b823a 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c @@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) /* Check all untrusted certificates */ for (i = 0; i < ctx->last_untrusted; i++) { + int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) @@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - if (!X509_check_purpose(x, ctx->purpose, i)) + ret = X509_check_purpose(x, ctx->purpose, i); + if ((ret == 0) + || ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) { if (i) ctx->error = X509_V_ERR_INVALID_CA; @@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) if(issuer) { + /* Check for cRLSign bit if keyUsage present */ + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & KU_CRL_SIGN)) + { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + ok = ctx->verify_cb(0, ctx); + if(!ok) goto err; + } /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); @@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { int idx, ok; X509_REVOKED rtmp; + STACK_OF(X509_EXTENSION) *exts; + X509_EXTENSION *ext; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); - /* Not found: OK */ - if(idx == -1) return 1; - /* Otherwise revoked: want something cleverer than + /* If found assume revoked: want something cleverer than * this to handle entry extensions in V2 CRLs. */ - ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - return ok; + if(idx >= 0) + { + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + if (!ok) return 0; + } + + if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) + return 1; + + /* See if we have any critical CRL extensions: since we + * currently don't handle any CRL extensions the CRL must be + * rejected. + * This code accesses the X509_CRL structure directly: applications + * shouldn't do this. + */ + + exts = crl->crl->extensions; + + for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) + { + ext = sk_X509_EXTENSION_value(exts, idx); + if (ext->critical > 0) + { + ctx->error = + X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if(!ok) return 0; + break; + } + } + return 1; } static int internal_verify(X509_STORE_CTX *ctx) diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h index f0be21f452..198495884c 100644 --- a/src/lib/libcrypto/x509/x509_vfy.h +++ b/src/lib/libcrypto/x509/x509_vfy.h @@ -304,17 +304,26 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 +#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 +#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 /* Certificate verify flags */ -#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 /* Send issuer+subject checks to verify_cb */ -#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */ -#define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */ -#define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */ -#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */ +/* Send issuer+subject checks to verify_cb */ +#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 +/* Use check time instead of current time */ +#define X509_V_FLAG_USE_CHECK_TIME 0x2 +/* Lookup CRLs */ +#define X509_V_FLAG_CRL_CHECK 0x4 +/* Lookup CRLs for whole chain */ +#define X509_V_FLAG_CRL_CHECK_ALL 0x8 +/* Ignore unhandled critical extensions */ +#define X509_V_FLAG_IGNORE_CRITICAL 0x10 +/* Disable workarounds for broken certificates */ +#define X509_V_FLAG_X509_STRICT 0x20 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c index f78c2a6b43..c25959a742 100644 --- a/src/lib/libcrypto/x509/x509type.c +++ b/src/lib/libcrypto/x509/x509type.c @@ -106,7 +106,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; } - if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look + if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look for, not bytes */ ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c index 0e9e7dcb4f..58b935a3b6 100644 --- a/src/lib/libcrypto/x509v3/v3_alt.c +++ b/src/lib/libcrypto/x509v3/v3_alt.c @@ -137,7 +137,8 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_add_value("IP Address","", &ret); break; } - sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); + BIO_snprintf(oline, sizeof oline, + "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); X509V3_add_value("IP Address",oline, &ret); break; diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c index 894a8b94d8..f90829c574 100644 --- a/src/lib/libcrypto/x509v3/v3_crld.c +++ b/src/lib/libcrypto/x509v3/v3_crld.c @@ -156,7 +156,7 @@ ASN1_SEQUENCE(DIST_POINT) = { IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT) ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, DIST_POINT, DIST_POINT) + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT) ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS) IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS) diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c index e269df1373..53e3f48859 100644 --- a/src/lib/libcrypto/x509v3/v3_info.c +++ b/src/lib/libcrypto/x509v3/v3_info.c @@ -105,7 +105,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method STACK_OF(CONF_VALUE) *ret) { ACCESS_DESCRIPTION *desc; - int i; + int i,nlen; char objtmp[80], *ntmp; CONF_VALUE *vtmp; for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) { @@ -114,15 +114,16 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method if(!ret) break; vtmp = sk_CONF_VALUE_value(ret, i); i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method); - ntmp = OPENSSL_malloc(strlen(objtmp) + strlen(vtmp->name) + 5); + nlen = strlen(objtmp) + strlen(vtmp->name) + 5; + ntmp = OPENSSL_malloc(nlen); if(!ntmp) { X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS, ERR_R_MALLOC_FAILURE); return NULL; } - strcpy(ntmp, objtmp); - strcat(ntmp, " - "); - strcat(ntmp, vtmp->name); + BUF_strlcpy(ntmp, objtmp, nlen); + BUF_strlcat(ntmp, " - ", nlen); + BUF_strlcat(ntmp, vtmp->name, nlen); OPENSSL_free(vtmp->name); vtmp->name = ntmp; diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c index 4d145f71fd..b3d1ae5d1c 100644 --- a/src/lib/libcrypto/x509v3/v3_purp.c +++ b/src/lib/libcrypto/x509v3/v3_purp.c @@ -3,7 +3,7 @@ * project 2001. */ /* ==================================================================== - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -415,6 +415,7 @@ static void x509v3_cache_extensions(X509 *x) * 1 is a CA * 2 basicConstraints absent so "maybe" a CA * 3 basicConstraints absent but self signed V1. + * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) @@ -436,7 +437,7 @@ static int ca_check(const X509 *x) } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; /* If key usage present it must have certSign so tolerate it */ - else if (x->ex_flags & EXFLAG_KUSAGE) return 3; + else if (x->ex_flags & EXFLAG_KUSAGE) return 4; else return 2; } } diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE index dddb07842b..40277883a5 100644 --- a/src/lib/libssl/LICENSE +++ b/src/lib/libssl/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf index eca51c3322..854d1f164e 100644 --- a/src/lib/libssl/doc/openssl.cnf +++ b/src/lib/libssl/doc/openssl.cnf @@ -38,10 +38,14 @@ dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number +#crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file @@ -58,6 +62,7 @@ cert_opt = ca_default # Certificate field options # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index eb7daebfdf..26ce0cb963 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -117,7 +117,6 @@ #include #include #include -#include "cryptlib.h" static SSL_METHOD *ssl3_get_client_method(int ver); static int ssl3_client_hello(SSL *s); @@ -1947,7 +1946,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) if (algs & SSL_kRSA) { if (rsa == NULL - || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) + || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); goto f_err; @@ -1959,7 +1958,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { if (dh == NULL - || DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) + || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); goto f_err; diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 896b12fc4f..d04096016c 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -271,6 +271,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, /* Cipher 07 */ +#ifndef OPENSSL_NO_IDEA { 1, SSL3_TXT_RSA_IDEA_128_SHA, @@ -283,6 +284,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +#endif /* Cipher 08 */ { 1, diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 3f88429e79..9f3e5139ad 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c @@ -1085,6 +1085,14 @@ start: goto err; } + /* Check we have a cipher to change to */ + if (s->s3->tmp.new_cipher == NULL) + { + i=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); + goto err; + } + rr->length=0; if (s->msg_callback) diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 881f68b998..deb3cffabe 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -121,9 +121,10 @@ #include #include #include +#ifndef OPENSSL_NO_KRB5 #include +#endif #include -#include "cryptlib.h" static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); @@ -1587,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s) n2s(p,i); enc_ticket.length = i; + + if (n < enc_ticket.length + 6) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + enc_ticket.data = (char *)p; p+=enc_ticket.length; n2s(p,i); authenticator.length = i; + + if (n < enc_ticket.length + authenticator.length + 6) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + authenticator.data = (char *)p; p+=authenticator.length; diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 4ae8458259..913bd40eea 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -1357,8 +1357,8 @@ const char *SSL_alert_type_string(int value); const char *SSL_alert_desc_string_long(int value); const char *SSL_alert_desc_string(int value); -void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); -void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); +void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list); +void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list); STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s); int SSL_add_client_CA(SSL *ssl,X509 *x); diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c index 16bc11b559..d8ff8fc4a3 100644 --- a/src/lib/libssl/ssl_asn1.c +++ b/src/lib/libssl/ssl_asn1.c @@ -62,7 +62,6 @@ #include #include #include -#include "cryptlib.h" typedef struct ssl_session_asn1_st { diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index da90078a37..2cfb615878 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c @@ -505,12 +505,12 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) return(i); } -static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *list) +static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list) { if (*ca_list != NULL) sk_X509_NAME_pop_free(*ca_list,X509_NAME_free); - *ca_list=list; + *ca_list=name_list; } STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) @@ -532,14 +532,14 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) return(ret); } -void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *list) +void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(s->client_CA),list); + set_client_CA_list(&(s->client_CA),name_list); } -void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *list) +void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(ctx->client_CA),list); + set_client_CA_list(&(ctx->client_CA),name_list); } STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx) diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 888b667fa1..44c503eb04 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c @@ -125,7 +125,9 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0}, +#ifndef OPENSSL_NO_IDEA {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, +#endif {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0}, @@ -166,8 +168,12 @@ static void load_ciphers(void) EVP_get_cipherbyname(SN_rc4); ssl_cipher_methods[SSL_ENC_RC2_IDX]= EVP_get_cipherbyname(SN_rc2_cbc); +#ifndef OPENSSL_NO_IDEA ssl_cipher_methods[SSL_ENC_IDEA_IDX]= EVP_get_cipherbyname(SN_idea_cbc); +#else + ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL; +#endif ssl_cipher_methods[SSL_ENC_AES128_IDX]= EVP_get_cipherbyname(SN_aes_128_cbc); ssl_cipher_methods[SSL_ENC_AES256_IDX]= @@ -334,10 +340,10 @@ static unsigned long ssl_cipher_get_disabled(void) } static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, - int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list, + int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { - int i, list_num; + int i, co_list_num; SSL_CIPHER *c; /* @@ -348,18 +354,18 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, */ /* Get the initial list of ciphers */ - list_num = 0; /* actual count of ciphers */ + co_list_num = 0; /* actual count of ciphers */ for (i = 0; i < num_of_ciphers; i++) { c = ssl_method->get_cipher(i); /* drop those that use any of that is not available */ if ((c != NULL) && c->valid && !(c->algorithms & mask)) { - list[list_num].cipher = c; - list[list_num].next = NULL; - list[list_num].prev = NULL; - list[list_num].active = 0; - list_num++; + co_list[co_list_num].cipher = c; + co_list[co_list_num].next = NULL; + co_list[co_list_num].prev = NULL; + co_list[co_list_num].active = 0; + co_list_num++; #ifdef KSSL_DEBUG printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms); #endif /* KSSL_DEBUG */ @@ -372,18 +378,18 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, /* * Prepare linked list from list entries */ - for (i = 1; i < list_num - 1; i++) + for (i = 1; i < co_list_num - 1; i++) { - list[i].prev = &(list[i-1]); - list[i].next = &(list[i+1]); + co_list[i].prev = &(co_list[i-1]); + co_list[i].next = &(co_list[i+1]); } - if (list_num > 0) + if (co_list_num > 0) { - (*head_p) = &(list[0]); + (*head_p) = &(co_list[0]); (*head_p)->prev = NULL; - (*head_p)->next = &(list[1]); - (*tail_p) = &(list[list_num - 1]); - (*tail_p)->prev = &(list[list_num - 2]); + (*head_p)->next = &(co_list[1]); + (*tail_p) = &(co_list[co_list_num - 1]); + (*tail_p)->prev = &(co_list[co_list_num - 2]); (*tail_p)->next = NULL; } } @@ -429,7 +435,7 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, unsigned long algo_strength, unsigned long mask_strength, - int rule, int strength_bits, CIPHER_ORDER *list, + int rule, int strength_bits, CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2; @@ -524,8 +530,9 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, *tail_p = tail; } -static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p, - CIPHER_ORDER **tail_p) +static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list, + CIPHER_ORDER **head_p, + CIPHER_ORDER **tail_p) { int max_strength_bits, i, *number_uses; CIPHER_ORDER *curr; @@ -570,14 +577,14 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p, for (i = max_strength_bits; i >= 0; i--) if (number_uses[i] > 0) ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i, - list, head_p, tail_p); + co_list, head_p, tail_p); OPENSSL_free(number_uses); return(1); } static int ssl_cipher_process_rulestr(const char *rule_str, - CIPHER_ORDER *list, CIPHER_ORDER **head_p, + CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list) { unsigned long algorithms, mask, algo_strength, mask_strength; @@ -702,7 +709,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, ok = 0; if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8)) - ok = ssl_cipher_strength_sort(list, + ok = ssl_cipher_strength_sort(co_list, head_p, tail_p); else SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, @@ -722,7 +729,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, { ssl_cipher_apply_rule(algorithms, mask, algo_strength, mask_strength, rule, -1, - list, head_p, tail_p); + co_list, head_p, tail_p); } else { @@ -744,7 +751,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, unsigned long disabled_mask; STACK_OF(SSL_CIPHER) *cipherstack; const char *rule_p; - CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr; + CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; SSL_CIPHER **ca_list = NULL; /* @@ -774,15 +781,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, #ifdef KSSL_DEBUG printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); #endif /* KSSL_DEBUG */ - list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); - if (list == NULL) + co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); + if (co_list == NULL) { SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, - list, &head, &tail); + co_list, &head, &tail); /* * We also need cipher aliases for selecting based on the rule_str. @@ -798,7 +805,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); if (ca_list == NULL) { - OPENSSL_free(list); + OPENSSL_free(co_list); SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } @@ -814,21 +821,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, if (strncmp(rule_str,"DEFAULT",7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, - list, &head, &tail, ca_list); + co_list, &head, &tail, ca_list); rule_p += 7; if (*rule_p == ':') rule_p++; } if (ok && (strlen(rule_p) > 0)) - ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail, + ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail, ca_list); OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ - OPENSSL_free(list); + OPENSSL_free(co_list); return(NULL); } /* @@ -837,7 +844,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { - OPENSSL_free(list); + OPENSSL_free(co_list); return(NULL); } @@ -855,7 +862,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, #endif } } - OPENSSL_free(list); /* Not needed any longer */ + OPENSSL_free(co_list); /* Not needed any longer */ /* * The following passage is a little bit odd. If pointer variables @@ -905,7 +912,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) { int is_export,pkl,kl; - char *ver,*exp; + char *ver,*exp_str; char *kx,*au,*enc,*mac; unsigned long alg,alg2,alg_s; #ifdef KSSL_DEBUG @@ -921,7 +928,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) is_export=SSL_C_IS_EXPORT(cipher); pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); kl=SSL_C_EXPORT_KEYLENGTH(cipher); - exp=is_export?" export":""; + exp_str=is_export?" export":""; if (alg & SSL_SSLV2) ver="SSLv2"; @@ -1040,9 +1047,9 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) return("Buffer too small"); #ifdef KSSL_DEBUG - BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp,alg); + BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg); #else - BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp); + BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str); #endif /* KSSL_DEBUG */ return(buf); } @@ -1129,11 +1136,11 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { MemCheck_on(); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); - return(0); + return(1); } else { MemCheck_on(); - return(1); + return(0); } } diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 6d69890688..ee9a82d586 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -121,7 +121,6 @@ #include #include #include -#include "cryptlib.h" const char *SSL_version_str=OPENSSL_VERSION_TEXT; diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index fabcdefa6e..7016c87d3b 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -60,7 +60,6 @@ #include #include #include "ssl_locl.h" -#include "cryptlib.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); -- cgit v1.2.3-55-g6feb