From 5d1f64994b96668ba794f5211364ed54dd7ee08d Mon Sep 17 00:00:00 2001 From: djm <> Date: Mon, 6 Apr 2009 06:30:08 +0000 Subject: import of OpenSSL 0.9.8k --- src/lib/libcrypto/bn/bntest.c | 4 +- src/lib/libcrypto/crypto-lib.com | 8 +- src/lib/libcrypto/des/times/usparc.cc | 2 +- src/lib/libcrypto/evp/enc_min.c | 2 +- src/lib/libcrypto/evp/evp_test.c | 10 +- src/lib/libcrypto/rand/rand_unix.c | 2 +- src/lib/libcrypto/rsa/rsa_x931g.c | 4 +- src/lib/libcrypto/symhacks.h | 4 + src/lib/libcrypto/util/domd | 2 +- src/lib/libcrypto/util/libeay.num | 3 +- src/lib/libcrypto/util/pl/VC-32.pl | 6 +- src/lib/libssl/src/CHANGES | 48 ++++++- src/lib/libssl/src/Configure | 20 ++- src/lib/libssl/src/FAQ | 2 +- .../src/MacOS/GetHTTPS.src/ErrorHandling.hpp | 2 +- src/lib/libssl/src/Makefile | 7 +- src/lib/libssl/src/Makefile.org | 3 + src/lib/libssl/src/NEWS | 5 + src/lib/libssl/src/README | 2 +- src/lib/libssl/src/apps/apps.c | 2 +- src/lib/libssl/src/apps/ca.c | 2 +- src/lib/libssl/src/apps/enc.c | 3 +- src/lib/libssl/src/apps/engine.c | 4 +- src/lib/libssl/src/apps/rand.c | 27 +++- src/lib/libssl/src/apps/x509.c | 2 +- src/lib/libssl/src/config | 18 ++- src/lib/libssl/src/crypto/asn1/a_bytes.c | 2 +- src/lib/libssl/src/crypto/asn1/asn1.h | 3 + src/lib/libssl/src/crypto/asn1/asn1_err.c | 2 + src/lib/libssl/src/crypto/asn1/asn1_par.c | 2 + src/lib/libssl/src/crypto/asn1/t_x509.c | 2 +- src/lib/libssl/src/crypto/asn1/tasn_dec.c | 44 +++++-- src/lib/libssl/src/crypto/bio/bss_mem.c | 22 ++-- src/lib/libssl/src/crypto/bio/bss_sock.c | 5 + src/lib/libssl/src/crypto/bn/bntest.c | 4 +- src/lib/libssl/src/crypto/crypto-lib.com | 8 +- src/lib/libssl/src/crypto/des/times/usparc.cc | 2 +- src/lib/libssl/src/crypto/evp/enc_min.c | 2 +- src/lib/libssl/src/crypto/evp/evp_test.c | 10 +- src/lib/libssl/src/crypto/opensslv.h | 6 +- src/lib/libssl/src/crypto/pem/pem.h | 4 + src/lib/libssl/src/crypto/pkcs12/p12_crt.c | 3 + src/lib/libssl/src/crypto/pkcs7/pk7_smime.c | 3 +- src/lib/libssl/src/crypto/rand/rand_unix.c | 2 +- src/lib/libssl/src/crypto/ripemd/README | 2 +- src/lib/libssl/src/crypto/rsa/rsa_x931g.c | 4 +- src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl | 1 + src/lib/libssl/src/crypto/symhacks.h | 4 + src/lib/libssl/src/crypto/ui/ui_lib.c | 1 + src/lib/libssl/src/crypto/x509/x509_cmp.c | 3 +- src/lib/libssl/src/crypto/x509v3/v3_cpols.c | 7 +- src/lib/libssl/src/crypto/x509v3/v3_utl.c | 2 +- src/lib/libssl/src/doc/apps/rand.pod | 5 + src/lib/libssl/src/doc/apps/x509.pod | 2 +- src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod | 2 +- src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod | 2 +- src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod | 2 +- src/lib/libssl/src/doc/ssl/SSL_free.pod | 2 +- src/lib/libssl/src/doc/ssleay.txt | 4 +- src/lib/libssl/src/engines/makeengines.com | 3 +- src/lib/libssl/src/fips/Makefile | 13 +- src/lib/libssl/src/fips/aes/Makefile | 2 - src/lib/libssl/src/fips/sha/fips_standalone_sha1.c | 4 +- src/lib/libssl/src/ms/do_masm.bat | 138 ++++++++++----------- src/lib/libssl/src/openssl.spec | 2 +- src/lib/libssl/src/ssl/kssl.c | 2 +- src/lib/libssl/src/ssl/s3_clnt.c | 2 +- src/lib/libssl/src/ssl/ssl_ciph.c | 2 +- src/lib/libssl/src/ssl/ssl_lib.c | 2 + src/lib/libssl/src/test/Makefile | 2 + src/lib/libssl/src/test/times | 2 +- src/lib/libssl/src/util/domd | 2 +- src/lib/libssl/src/util/libeay.num | 3 +- src/lib/libssl/src/util/pl/VC-32.pl | 6 +- src/lib/libssl/test/Makefile | 2 + 75 files changed, 356 insertions(+), 194 deletions(-) diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c index 310763eca0..cf190380f5 100644 --- a/src/lib/libcrypto/bn/bntest.c +++ b/src/lib/libcrypto/bn/bntest.c @@ -926,7 +926,7 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx) BN_bntest_rand(b,2+i,0,0); /**/ if (!BN_mod_exp(d,a,b,c,ctx)) - return(00); + return(0); if (bp != NULL) { @@ -1028,7 +1028,7 @@ int test_exp(BIO *bp, BN_CTX *ctx) BN_bntest_rand(b,2+i,0,0); /**/ if (!BN_exp(d,a,b,ctx)) - return(00); + return(0); if (bp != NULL) { diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com index db9c882fb0..e72af90822 100644 --- a/src/lib/libcrypto/crypto-lib.com +++ b/src/lib/libcrypto/crypto-lib.com @@ -169,7 +169,7 @@ $ LIB_SHA = "sha_dgst,sha1dgst,sha_one,sha1_one,sha256,sha512" $ LIB_MDC2 = "mdc2dgst,mdc2_one" $ LIB_HMAC = "hmac" $ LIB_RIPEMD = "rmd_dgst,rmd_one" -$ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ - +$ LIB_DES = "des_lib,set_key,ecb_enc,cbc_enc,"+ - "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ - "enc_read,enc_writ,ofb64enc,"+ - "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ - @@ -191,7 +191,7 @@ $ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ - "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ - "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ - "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_gf2m,bn_nist,"+ - - "bn_depr,bn_const" + "bn_depr,bn_x931p,bn_const,bn_opt" $ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ - "ec_err,ec_curve,ec_check,ec_print,ec_asn1,ec_key,"+ - "ec2_smpl,ec2_mult" @@ -211,7 +211,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ - "tb_cipher,tb_digest,"+ - "eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,eng_padlock" $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,"+ - - "aes_ctr,aes_ige" + "aes_ctr,aes_ige,aes_wrap" $ LIB_BUFFER = "buffer,buf_str,buf_err" $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ - "bss_mem,bss_null,bss_fd,"+ - @@ -246,7 +246,7 @@ $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ - $ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ - "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ - "f_int,f_string,n_pkey,"+ - - "f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ - + "f_enum,a_hdr,x_pkey,a_bool,x_exten,asn_mime,"+ - "asn1_gen,asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ - "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid" $ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ - diff --git a/src/lib/libcrypto/des/times/usparc.cc b/src/lib/libcrypto/des/times/usparc.cc index f6ec8e8831..0864285ef6 100644 --- a/src/lib/libcrypto/des/times/usparc.cc +++ b/src/lib/libcrypto/des/times/usparc.cc @@ -2,7 +2,7 @@ solaris 2.5.1 usparc 167mhz?? - SC4.0 cc -fast -Xa -xO5 For the ultra sparc, SunC 4.0 cc -fast -Xa -xO5, running 'des_opts' gives a speed of 475,000 des/s while 'speed' gives 417,000 des/s. -I belive the difference is tied up in optimisation that the compiler +I believe the difference is tied up in optimisation that the compiler is able to perform when the code is 'inlined'. For 'speed', the DES routines are being linked from a library. I'll record the higher speed since if performance is everything, you can always inline diff --git a/src/lib/libcrypto/evp/enc_min.c b/src/lib/libcrypto/evp/enc_min.c index 3cb4626bef..7fba38ee24 100644 --- a/src/lib/libcrypto/evp/enc_min.c +++ b/src/lib/libcrypto/evp/enc_min.c @@ -199,7 +199,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp enc = 1; ctx->encrypt = enc; } -#ifdef OPENSSL_NO_FIPS +#ifdef OPENSSL_FIPS if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); diff --git a/src/lib/libcrypto/evp/evp_test.c b/src/lib/libcrypto/evp/evp_test.c index bb6f02c2e9..436be20bf1 100644 --- a/src/lib/libcrypto/evp/evp_test.c +++ b/src/lib/libcrypto/evp/evp_test.c @@ -220,18 +220,18 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, test1_exit(7); } - if(outl+outl2 != cn) + if(outl+outl2 != pn) { fprintf(stderr,"Plaintext length mismatch got %d expected %d\n", - outl+outl2,cn); + outl+outl2,pn); test1_exit(8); } - if(memcmp(out,plaintext,cn)) + if(memcmp(out,plaintext,pn)) { fprintf(stderr,"Plaintext mismatch\n"); - hexdump(stderr,"Got",out,cn); - hexdump(stderr,"Expected",plaintext,cn); + hexdump(stderr,"Got",out,pn); + hexdump(stderr,"Expected",plaintext,pn); test1_exit(9); } } diff --git a/src/lib/libcrypto/rand/rand_unix.c b/src/lib/libcrypto/rand/rand_unix.c index 6c2be5cb96..71b98ec212 100644 --- a/src/lib/libcrypto/rand/rand_unix.c +++ b/src/lib/libcrypto/rand/rand_unix.c @@ -232,7 +232,7 @@ int RAND_poll(void) t.tv_sec = 0; t.tv_usec = usec; - if (FD_SETSIZE > 0 && fd >= FD_SETSIZE) + if (FD_SETSIZE > 0 && (unsigned)fd >= FD_SETSIZE) { /* can't use select, so just try to read once anyway */ try_read = 1; diff --git a/src/lib/libcrypto/rsa/rsa_x931g.c b/src/lib/libcrypto/rsa/rsa_x931g.c index c640cc2ec9..bf94f8be7a 100644 --- a/src/lib/libcrypto/rsa/rsa_x931g.c +++ b/src/lib/libcrypto/rsa/rsa_x931g.c @@ -79,9 +79,9 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, goto err; ctx = BN_CTX_new(); - BN_CTX_start(ctx); if (!ctx) goto err; + BN_CTX_start(ctx); r0 = BN_CTX_get(ctx); r1 = BN_CTX_get(ctx); @@ -190,7 +190,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, if (ctx2) BN_CTX_free(ctx2); /* If this is set all calls successful */ - if (rsa->iqmp != NULL) + if (rsa && rsa->iqmp != NULL) return 1; return 0; diff --git a/src/lib/libcrypto/symhacks.h b/src/lib/libcrypto/symhacks.h index 6cfb5fe479..8728e6124d 100644 --- a/src/lib/libcrypto/symhacks.h +++ b/src/lib/libcrypto/symhacks.h @@ -62,6 +62,10 @@ VAX. */ #ifdef OPENSSL_SYS_VMS +/* Hack a long name in crypto/cryptlib.c */ +#undef int_CRYPTO_set_do_dynlock_callback +#define int_CRYPTO_set_do_dynlock_callback int_CRYPTO_set_do_dynlock_cb + /* Hack a long name in crypto/ex_data.c */ #undef CRYPTO_get_ex_data_implementation #define CRYPTO_get_ex_data_implementation CRYPTO_get_ex_data_impl diff --git a/src/lib/libcrypto/util/domd b/src/lib/libcrypto/util/domd index 691be7a440..560ebeaf82 100644 --- a/src/lib/libcrypto/util/domd +++ b/src/lib/libcrypto/util/domd @@ -22,7 +22,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then done sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp - gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp + ${CC:-gcc} -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new rm -f Makefile.tmp else diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num index 0eb54ddc89..74eb337227 100644 --- a/src/lib/libcrypto/util/libeay.num +++ b/src/lib/libcrypto/util/libeay.num @@ -3667,7 +3667,8 @@ CRYPTO_set_mem_info_functions 4053 EXIST::FUNCTION: RSA_X931_generate_key_ex 4054 EXIST::FUNCTION:RSA int_ERR_set_state_func 4055 EXIST:OPENSSL_FIPS:FUNCTION: int_EVP_MD_set_engine_callbacks 4056 EXIST:OPENSSL_FIPS:FUNCTION:ENGINE -int_CRYPTO_set_do_dynlock_callback 4057 EXIST::FUNCTION: +int_CRYPTO_set_do_dynlock_callback 4057 EXIST:!VMS:FUNCTION: +int_CRYPTO_set_do_dynlock_cb 4057 EXIST:VMS:FUNCTION: FIPS_rng_stick 4058 EXIST:OPENSSL_FIPS:FUNCTION: EVP_CIPHER_CTX_set_flags 4059 EXIST::FUNCTION: BN_X931_generate_prime_ex 4060 EXIST::FUNCTION: diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl index 730c2083bd..85121c8ed1 100644 --- a/src/lib/libcrypto/util/pl/VC-32.pl +++ b/src/lib/libcrypto/util/pl/VC-32.pl @@ -164,7 +164,7 @@ if ($FLAVOR =~ /NT/) $ex_libs="unicows.lib $ex_libs"; } # static library stuff -$mklib='lib'; +$mklib='lib /nologo'; $ranlib=''; $plib=""; $libp=".lib"; @@ -184,7 +184,7 @@ if ($nasm) { $asm.=' /Zi' if $debug; $afile='/Fo'; } else { - $asm='ml /Cp /coff /c /Cx'; + $asm='ml /nologo /Cp /coff /c /Cx'; $asm.=" /Zi" if $debug; $afile='/Fo'; } @@ -405,7 +405,7 @@ sub do_link_rule if ($standalone == 1) { $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t"; - $ret.= "$mwex advapi32.lib " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild); + $ret.= "\$(EX_LIBS) " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild); $ret.="$files $libs\n<<\n"; } elsif ($standalone == 2) diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES index c888c56c26..04d332e338 100644 --- a/src/lib/libssl/src/CHANGES +++ b/src/lib/libssl/src/CHANGES @@ -2,11 +2,51 @@ OpenSSL CHANGES _______________ - Changes between 0.9.8i and 0.9.8j [07 Jan 2009] + Changes between 0.9.8j and 0.9.8k [25 Mar 2009] - *) Properly check EVP_VerifyFinal() and similar return values - (CVE-2008-5077). - [Ben Laurie, Bodo Moeller, Google Security Team] + *) Don't set val to NULL when freeing up structures, it is freed up by + underlying code. If sizeof(void *) > sizeof(long) this can result in + zeroing past the valid field. (CVE-2009-0789) + [Paolo Ganci ] + + *) Fix bug where return value of CMS_SignerInfo_verify_content() was not + checked correctly. This would allow some invalid signed attributes to + appear to verify correctly. (CVE-2009-0591) + [Ivan Nestlerode ] + + *) Reject UniversalString and BMPString types with invalid lengths. This + prevents a crash in ASN1_STRING_print_ex() which assumes the strings have + a legal length. (CVE-2009-0590) + [Steve Henson] + + *) Set S/MIME signing as the default purpose rather than setting it + unconditionally. This allows applications to override it at the store + level. + [Steve Henson] + + *) Permit restricted recursion of ASN1 strings. This is needed in practice + to handle some structures. + [Steve Henson] + + *) Improve efficiency of mem_gets: don't search whole buffer each time + for a '\n' + [Jeremy Shapiro ] + + *) New -hex option for openssl rand. + [Matthieu Herrb] + + *) Print out UTF8String and NumericString when parsing ASN1. + [Steve Henson] + + *) Support NumericString type for name components. + [Steve Henson] + + *) Allow CC in the environment to override the automatically chosen + compiler. Note that nothing is done to ensure flags work with the + chosen compiler. + [Ben Laurie] + + Changes between 0.9.8i and 0.9.8j [07 Jan 2009] *) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure index 09b58f2113..c6dbfae482 100644 --- a/src/lib/libssl/src/Configure +++ b/src/lib/libssl/src/Configure @@ -101,6 +101,11 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [experimenta # SHA512_ASM sha512_block is implemented in assembler # AES_ASM ASE_[en|de]crypt is implemented in assembler +# Minimum warning options... any contributions to OpenSSL should at least get +# past these. + +my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED"; + my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; # MD2_CHAR slags pentium pros @@ -154,15 +159,15 @@ my %table=( "debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::bn86-elf.o co86-elf.o", "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", -"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::", +"debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::", "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll", -"debug-steve64", "gcc:-m64 -DL_ENDIAN -DTERMIO -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DOPENSSL_NO_DEPRECATED -g -pedantic -Wall -Werror -Wno-long-long -Wsign-compare -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-steve32", "gcc:-m32 -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DOPENSSL_NO_DEPRECATED -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", -"debug-steve-opt", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -O3 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared", "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -948,6 +953,10 @@ print "Configuring for $target\n"; my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); my $cc = $fields[$idx_cc]; +# Allow environment CC to override compiler... +if($ENV{CC}) { + $cc = $ENV{CC}; +} my $cflags = $fields[$idx_cflags]; my $unistd = $fields[$idx_unistd]; my $thread_cflag = $fields[$idx_thread_cflag]; @@ -1048,7 +1057,6 @@ foreach (sort (keys %disabled)) print "\n"; } - my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds; $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys()); @@ -1443,6 +1451,8 @@ while () } } $sdirs = 0 unless /\\$/; + s/fips // if (/^DIRS=/ && !$fips); + s/engines // if (/^DIRS=/ && $disabled{"engine"}); s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; s/^MINOR=.*/MINOR=$minor/; diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ index ce71246fb8..942a671f2c 100644 --- a/src/lib/libssl/src/FAQ +++ b/src/lib/libssl/src/FAQ @@ -78,7 +78,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.8j was released on Jan 7th, 2009. +OpenSSL 0.9.8k was released on Mar 25th, 2009. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at = 0); + assert(l > 0); assert(buf[l-1] == '\n'); buf[l-1] = '\0'; BN_hex2bn(bn, buf); diff --git a/src/lib/libssl/src/apps/ca.c b/src/lib/libssl/src/apps/ca.c index 87f0405f5d..68516ee9bd 100644 --- a/src/lib/libssl/src/apps/ca.c +++ b/src/lib/libssl/src/apps/ca.c @@ -83,7 +83,7 @@ # else # include # endif -# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) +# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM) # include # endif #endif diff --git a/src/lib/libssl/src/apps/enc.c b/src/lib/libssl/src/apps/enc.c index 47c6eb604d..f4f9a4c4a4 100644 --- a/src/lib/libssl/src/apps/enc.c +++ b/src/lib/libssl/src/apps/enc.c @@ -533,7 +533,8 @@ bad: BIO_printf(bio_err,"invalid hex iv value\n"); goto end; } - if ((hiv == NULL) && (str == NULL)) + if ((hiv == NULL) && (str == NULL) + && EVP_CIPHER_iv_length(cipher) != 0) { /* No IV was explicitly set and no IV was generated * during EVP_BytesToKey. Hence the IV is undefined, diff --git a/src/lib/libssl/src/apps/engine.c b/src/lib/libssl/src/apps/engine.c index 1d0dd9bfbc..17bd81fb79 100644 --- a/src/lib/libssl/src/apps/engine.c +++ b/src/lib/libssl/src/apps/engine.c @@ -252,7 +252,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent /* Now decide on the output */ if(xpos == 0) /* Do an indent */ - xpos = BIO_printf(bio_out, indent); + xpos = BIO_puts(bio_out, indent); else /* Otherwise prepend a ", " */ xpos += BIO_printf(bio_out, ", "); @@ -263,7 +263,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent (xpos + (int)strlen(name) > line_wrap)) { BIO_printf(bio_out, "\n"); - xpos = BIO_printf(bio_out, indent); + xpos = BIO_puts(bio_out, indent); } xpos += BIO_printf(bio_out, "%s", name); } diff --git a/src/lib/libssl/src/apps/rand.c b/src/lib/libssl/src/apps/rand.c index c3b26c466d..44a1d46a03 100644 --- a/src/lib/libssl/src/apps/rand.c +++ b/src/lib/libssl/src/apps/rand.c @@ -68,7 +68,8 @@ /* -out file - write to file * -rand file:file - PRNG seed files - * -base64 - encode output + * -base64 - base64 encode output + * -hex - hex encode output * num - write 'num' bytes */ @@ -84,6 +85,7 @@ int MAIN(int argc, char **argv) char *outfile = NULL; char *inrand = NULL; int base64 = 0; + int hex = 0; BIO *out = NULL; int num = -1; #ifndef OPENSSL_NO_ENGINE @@ -133,6 +135,13 @@ int MAIN(int argc, char **argv) else badopt = 1; } + else if (strcmp(argv[i], "-hex") == 0) + { + if (!hex) + hex = 1; + else + badopt = 1; + } else if (isdigit((unsigned char)argv[i][0])) { if (num < 0) @@ -148,6 +157,9 @@ int MAIN(int argc, char **argv) badopt = 1; } + if (hex && base64) + badopt = 1; + if (num < 0) badopt = 1; @@ -160,7 +172,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-engine e - use engine e, possibly a hardware device.\n"); #endif BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, "-base64 - encode output\n"); + BIO_printf(bio_err, "-base64 - base64 encode output\n"); + BIO_printf(bio_err, "-hex - hex encode output\n"); goto err; } @@ -210,9 +223,17 @@ int MAIN(int argc, char **argv) r = RAND_bytes(buf, chunk); if (r <= 0) goto err; - BIO_write(out, buf, chunk); + if (!hex) + BIO_write(out, buf, chunk); + else + { + for (i = 0; i < chunk; i++) + BIO_printf(out, "%02x", buf[i]); + } num -= chunk; } + if (hex) + BIO_puts(out, "\n"); (void)BIO_flush(out); app_RAND_write_file(NULL, bio_err); diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c index d904d34021..6debce4419 100644 --- a/src/lib/libssl/src/apps/x509.c +++ b/src/lib/libssl/src/apps/x509.c @@ -114,7 +114,7 @@ static const char *x509_usage[]={ " -alias - output certificate alias\n", " -noout - no certificate output\n", " -ocspid - print OCSP hash values for the subject name and public key\n", -" -ocspurl - print OCSP Responder URL(s)\n", +" -ocsp_uri - print OCSP Responder URL(s)\n", " -trustout - output a \"trusted\" certificate\n", " -clrtrust - clear all trusted purposes\n", " -clrreject - clear all rejected purposes\n", diff --git a/src/lib/libssl/src/config b/src/lib/libssl/src/config index dde9275b76..68e7ea1737 100644 --- a/src/lib/libssl/src/config +++ b/src/lib/libssl/src/config @@ -29,7 +29,7 @@ EXE="" for i do case "$i" in --d*) PREFIX="debug-";; +-d) PREFIX="debug-";; -t*) TEST="true";; -h*) TEST="true"; cat </dev/null` if [ "$GCCVER" != "" ]; then - CC=gcc # then strip off whatever prefix egcs prepends the number with... # Hopefully, this will work for any future prefixes as well. GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'` @@ -412,8 +409,17 @@ if [ "$GCCVER" != "" ]; then # major and minor version numbers. # peak single digit before and after first dot, e.g. 2.95.1 gives 29 GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'` -else - CC=cc +fi + +# Only set CC if not supplied already +if [ -z "$CC" ]; then +# figure out if gcc is available and if so we use it otherwise +# we fallback to whatever cc does on the system + if [ "$GCCVER" != "" ]; then + CC=gcc + else + CC=cc + fi fi GCCVER=${GCCVER:-0} if [ "$SYSTEM" = "HP-UX" ];then diff --git a/src/lib/libssl/src/crypto/asn1/a_bytes.c b/src/lib/libssl/src/crypto/asn1/a_bytes.c index 8d13f9c931..92d630cdba 100644 --- a/src/lib/libssl/src/crypto/asn1/a_bytes.c +++ b/src/lib/libssl/src/crypto/asn1/a_bytes.c @@ -79,7 +79,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp, if (tag >= 32) { - i=ASN1_R_TAG_VALUE_TOO_HIGH;; + i=ASN1_R_TAG_VALUE_TOO_HIGH; goto err; } if (!(ASN1_tag2bit(tag) & type)) diff --git a/src/lib/libssl/src/crypto/asn1/asn1.h b/src/lib/libssl/src/crypto/asn1/asn1.h index 424cd348bb..e3385226d4 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1.h +++ b/src/lib/libssl/src/crypto/asn1/asn1.h @@ -612,6 +612,7 @@ typedef struct BIT_STRING_BITNAME_st { B_ASN1_GENERALIZEDTIME #define B_ASN1_PRINTABLE \ + B_ASN1_NUMERICSTRING| \ B_ASN1_PRINTABLESTRING| \ B_ASN1_T61STRING| \ B_ASN1_IA5STRING| \ @@ -1217,6 +1218,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1306,6 +1308,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 diff --git a/src/lib/libssl/src/crypto/asn1/asn1_err.c b/src/lib/libssl/src/crypto/asn1/asn1_err.c index f8a3e2e6cd..5f5de98eed 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1_err.c +++ b/src/lib/libssl/src/crypto/asn1/asn1_err.c @@ -195,6 +195,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, +{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, @@ -284,6 +285,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, +{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, diff --git a/src/lib/libssl/src/crypto/asn1/asn1_par.c b/src/lib/libssl/src/crypto/asn1/asn1_par.c index 501b62a4b1..8657f73d66 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1_par.c +++ b/src/lib/libssl/src/crypto/asn1/asn1_par.c @@ -213,6 +213,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse (tag == V_ASN1_T61STRING) || (tag == V_ASN1_IA5STRING) || (tag == V_ASN1_VISIBLESTRING) || + (tag == V_ASN1_NUMERICSTRING) || + (tag == V_ASN1_UTF8STRING) || (tag == V_ASN1_UTCTIME) || (tag == V_ASN1_GENERALIZEDTIME)) { diff --git a/src/lib/libssl/src/crypto/asn1/t_x509.c b/src/lib/libssl/src/crypto/asn1/t_x509.c index 8b09e5890f..8f746f9c05 100644 --- a/src/lib/libssl/src/crypto/asn1/t_x509.c +++ b/src/lib/libssl/src/crypto/asn1/t_x509.c @@ -332,7 +332,7 @@ int X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig) int ASN1_STRING_print(BIO *bp, ASN1_STRING *v) { int i,n; - char buf[80],*p;; + char buf[80],*p; if (v == NULL) return(0); n=0; diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c index ced641698e..48bc1c0d4d 100644 --- a/src/lib/libssl/src/crypto/asn1/tasn_dec.c +++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c @@ -69,7 +69,7 @@ static int asn1_check_eoc(const unsigned char **in, long len); static int asn1_find_end(const unsigned char **in, long len, char inf); static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, - char inf, int tag, int aclass); + char inf, int tag, int aclass, int depth); static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); @@ -611,7 +611,6 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, err: ASN1_template_free(val, tt); - *val = NULL; return 0; } @@ -758,7 +757,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, err: ASN1_template_free(val, tt); - *val = NULL; return 0; } @@ -878,7 +876,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, * internally irrespective of the type. So instead just check * for UNIVERSAL class and ignore the tag. */ - if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) + if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) { free_cont = 1; goto err; @@ -1012,6 +1010,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if (!*pval) { @@ -1128,8 +1138,18 @@ static int asn1_find_end(const unsigned char **in, long len, char inf) * if it is indefinite length. */ +#ifndef ASN1_MAX_STRING_NEST +/* This determines how many levels of recursion are permitted in ASN1 + * string types. If it is not limited stack overflows can occur. If set + * to zero no recursion is allowed at all. Although zero should be adequate + * examples exist that require a value of 1. So 5 should be more than enough. + */ +#define ASN1_MAX_STRING_NEST 5 +#endif + + static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, - char inf, int tag, int aclass) + char inf, int tag, int aclass, int depth) { const unsigned char *p, *q; long plen; @@ -1171,13 +1191,15 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, /* If indefinite length constructed update max length */ if (cst) { -#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS - if (!asn1_collect(buf, &p, plen, ininf, tag, aclass)) + if (depth >= ASN1_MAX_STRING_NEST) + { + ASN1err(ASN1_F_ASN1_COLLECT, + ASN1_R_NESTED_ASN1_STRING); + return 0; + } + if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, + depth + 1)) return 0; -#else - ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING); - return 0; -#endif } else if (plen && !collect_data(buf, &p, plen)) return 0; diff --git a/src/lib/libssl/src/crypto/bio/bss_mem.c b/src/lib/libssl/src/crypto/bio/bss_mem.c index a4edb711ae..e7ab9cb3a3 100644 --- a/src/lib/libssl/src/crypto/bio/bss_mem.c +++ b/src/lib/libssl/src/crypto/bio/bss_mem.c @@ -284,6 +284,7 @@ static int mem_gets(BIO *bp, char *buf, int size) BIO_clear_retry_flags(bp); j=bm->length; + if ((size-1) < j) j=size-1; if (j <= 0) { *buf='\0'; @@ -292,17 +293,18 @@ static int mem_gets(BIO *bp, char *buf, int size) p=bm->data; for (i=0; i 0) buf[i]='\0'; ret=i; diff --git a/src/lib/libssl/src/crypto/bio/bss_sock.c b/src/lib/libssl/src/crypto/bio/bss_sock.c index 472dd75821..30c3ceab46 100644 --- a/src/lib/libssl/src/crypto/bio/bss_sock.c +++ b/src/lib/libssl/src/crypto/bio/bss_sock.c @@ -60,6 +60,9 @@ #include #define USE_SOCKETS #include "cryptlib.h" + +#ifndef OPENSSL_NO_SOCK + #include #ifdef WATT32 @@ -300,3 +303,5 @@ int BIO_sock_non_fatal_error(int err) } return(0); } + +#endif /* #ifndef OPENSSL_NO_SOCK */ diff --git a/src/lib/libssl/src/crypto/bn/bntest.c b/src/lib/libssl/src/crypto/bn/bntest.c index 310763eca0..cf190380f5 100644 --- a/src/lib/libssl/src/crypto/bn/bntest.c +++ b/src/lib/libssl/src/crypto/bn/bntest.c @@ -926,7 +926,7 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx) BN_bntest_rand(b,2+i,0,0); /**/ if (!BN_mod_exp(d,a,b,c,ctx)) - return(00); + return(0); if (bp != NULL) { @@ -1028,7 +1028,7 @@ int test_exp(BIO *bp, BN_CTX *ctx) BN_bntest_rand(b,2+i,0,0); /**/ if (!BN_exp(d,a,b,ctx)) - return(00); + return(0); if (bp != NULL) { diff --git a/src/lib/libssl/src/crypto/crypto-lib.com b/src/lib/libssl/src/crypto/crypto-lib.com index db9c882fb0..e72af90822 100644 --- a/src/lib/libssl/src/crypto/crypto-lib.com +++ b/src/lib/libssl/src/crypto/crypto-lib.com @@ -169,7 +169,7 @@ $ LIB_SHA = "sha_dgst,sha1dgst,sha_one,sha1_one,sha256,sha512" $ LIB_MDC2 = "mdc2dgst,mdc2_one" $ LIB_HMAC = "hmac" $ LIB_RIPEMD = "rmd_dgst,rmd_one" -$ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ - +$ LIB_DES = "des_lib,set_key,ecb_enc,cbc_enc,"+ - "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ - "enc_read,enc_writ,ofb64enc,"+ - "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ - @@ -191,7 +191,7 @@ $ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ - "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ - "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ - "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_gf2m,bn_nist,"+ - - "bn_depr,bn_const" + "bn_depr,bn_x931p,bn_const,bn_opt" $ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ - "ec_err,ec_curve,ec_check,ec_print,ec_asn1,ec_key,"+ - "ec2_smpl,ec2_mult" @@ -211,7 +211,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ - "tb_cipher,tb_digest,"+ - "eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,eng_padlock" $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,"+ - - "aes_ctr,aes_ige" + "aes_ctr,aes_ige,aes_wrap" $ LIB_BUFFER = "buffer,buf_str,buf_err" $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ - "bss_mem,bss_null,bss_fd,"+ - @@ -246,7 +246,7 @@ $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ - $ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ - "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ - "f_int,f_string,n_pkey,"+ - - "f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ - + "f_enum,a_hdr,x_pkey,a_bool,x_exten,asn_mime,"+ - "asn1_gen,asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ - "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid" $ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ - diff --git a/src/lib/libssl/src/crypto/des/times/usparc.cc b/src/lib/libssl/src/crypto/des/times/usparc.cc index f6ec8e8831..0864285ef6 100644 --- a/src/lib/libssl/src/crypto/des/times/usparc.cc +++ b/src/lib/libssl/src/crypto/des/times/usparc.cc @@ -2,7 +2,7 @@ solaris 2.5.1 usparc 167mhz?? - SC4.0 cc -fast -Xa -xO5 For the ultra sparc, SunC 4.0 cc -fast -Xa -xO5, running 'des_opts' gives a speed of 475,000 des/s while 'speed' gives 417,000 des/s. -I belive the difference is tied up in optimisation that the compiler +I believe the difference is tied up in optimisation that the compiler is able to perform when the code is 'inlined'. For 'speed', the DES routines are being linked from a library. I'll record the higher speed since if performance is everything, you can always inline diff --git a/src/lib/libssl/src/crypto/evp/enc_min.c b/src/lib/libssl/src/crypto/evp/enc_min.c index 3cb4626bef..7fba38ee24 100644 --- a/src/lib/libssl/src/crypto/evp/enc_min.c +++ b/src/lib/libssl/src/crypto/evp/enc_min.c @@ -199,7 +199,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp enc = 1; ctx->encrypt = enc; } -#ifdef OPENSSL_NO_FIPS +#ifdef OPENSSL_FIPS if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); diff --git a/src/lib/libssl/src/crypto/evp/evp_test.c b/src/lib/libssl/src/crypto/evp/evp_test.c index bb6f02c2e9..436be20bf1 100644 --- a/src/lib/libssl/src/crypto/evp/evp_test.c +++ b/src/lib/libssl/src/crypto/evp/evp_test.c @@ -220,18 +220,18 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, test1_exit(7); } - if(outl+outl2 != cn) + if(outl+outl2 != pn) { fprintf(stderr,"Plaintext length mismatch got %d expected %d\n", - outl+outl2,cn); + outl+outl2,pn); test1_exit(8); } - if(memcmp(out,plaintext,cn)) + if(memcmp(out,plaintext,pn)) { fprintf(stderr,"Plaintext mismatch\n"); - hexdump(stderr,"Got",out,cn); - hexdump(stderr,"Expected",plaintext,cn); + hexdump(stderr,"Got",out,pn); + hexdump(stderr,"Expected",plaintext,pn); test1_exit(9); } } diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h index 09687b5136..c6207f76b2 100644 --- a/src/lib/libssl/src/crypto/opensslv.h +++ b/src/lib/libssl/src/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x009080afL +#define OPENSSL_VERSION_NUMBER 0x009080bfL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8j-fips 07 Jan 2009" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k-fips 25 Mar 2009" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8j 07 Jan 2009" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k 25 Mar 2009" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/src/lib/libssl/src/crypto/pem/pem.h b/src/lib/libssl/src/crypto/pem/pem.h index 6f8e01544b..6c193f1cbf 100644 --- a/src/lib/libssl/src/crypto/pem/pem.h +++ b/src/lib/libssl/src/crypto/pem/pem.h @@ -215,7 +215,9 @@ typedef struct pem_ctx_st #define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/ #define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/ +#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) /**/ #define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) /**/ +#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) /**/ #else @@ -355,6 +357,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \ #define DECLARE_PEM_read_fp(name, type) /**/ #define DECLARE_PEM_write_fp(name, type) /**/ +#define DECLARE_PEM_write_fp_const(name, type) /**/ #define DECLARE_PEM_write_cb_fp(name, type) /**/ #else @@ -392,6 +395,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \ #define DECLARE_PEM_read_bio(name, type) /**/ #define DECLARE_PEM_write_bio(name, type) /**/ +#define DECLARE_PEM_write_bio_const(name, type) /**/ #define DECLARE_PEM_write_cb_bio(name, type) /**/ #endif diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c index e863de52ce..9522342fa5 100644 --- a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c +++ b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c @@ -170,6 +170,9 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, p12 = PKCS12_add_safes(safes, 0); + if (!p12) + goto err; + sk_PKCS7_pop_free(safes, PKCS7_free); safes = NULL; diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c index c34db1d6fe..fd18ec3d95 100644 --- a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c +++ b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c @@ -229,8 +229,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, sk_X509_free(signers); return 0; } - X509_STORE_CTX_set_purpose(&cert_ctx, - X509_PURPOSE_SMIME_SIGN); + X509_STORE_CTX_set_default(&cert_ctx, "smime_sign"); } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) { PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB); sk_X509_free(signers); diff --git a/src/lib/libssl/src/crypto/rand/rand_unix.c b/src/lib/libssl/src/crypto/rand/rand_unix.c index 6c2be5cb96..71b98ec212 100644 --- a/src/lib/libssl/src/crypto/rand/rand_unix.c +++ b/src/lib/libssl/src/crypto/rand/rand_unix.c @@ -232,7 +232,7 @@ int RAND_poll(void) t.tv_sec = 0; t.tv_usec = usec; - if (FD_SETSIZE > 0 && fd >= FD_SETSIZE) + if (FD_SETSIZE > 0 && (unsigned)fd >= FD_SETSIZE) { /* can't use select, so just try to read once anyway */ try_read = 1; diff --git a/src/lib/libssl/src/crypto/ripemd/README b/src/lib/libssl/src/crypto/ripemd/README index 7097707264..f1ffc8b134 100644 --- a/src/lib/libssl/src/crypto/ripemd/README +++ b/src/lib/libssl/src/crypto/ripemd/README @@ -4,7 +4,7 @@ http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html This is my implementation of RIPEMD-160. The pentium assember is a little off the pace since I only get 1050 cycles, while the best is 1013. I have a few ideas for how to get another 20 or so cycles, but at -this point I will not bother right now. I belive the trick will be +this point I will not bother right now. I believe the trick will be to remove my 'copy X array onto stack' until inside the RIP1() finctions the first time round. To do this I need another register and will only have one temporary one. A bit tricky.... I can also cleanup the saving of the 5 words diff --git a/src/lib/libssl/src/crypto/rsa/rsa_x931g.c b/src/lib/libssl/src/crypto/rsa/rsa_x931g.c index c640cc2ec9..bf94f8be7a 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa_x931g.c +++ b/src/lib/libssl/src/crypto/rsa/rsa_x931g.c @@ -79,9 +79,9 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, goto err; ctx = BN_CTX_new(); - BN_CTX_start(ctx); if (!ctx) goto err; + BN_CTX_start(ctx); r0 = BN_CTX_get(ctx); r1 = BN_CTX_get(ctx); @@ -190,7 +190,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, if (ctx2) BN_CTX_free(ctx2); /* If this is set all calls successful */ - if (rsa->iqmp != NULL) + if (rsa && rsa->iqmp != NULL) return 1; return 0; diff --git a/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl b/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl index aa18c1089b..51c4f47ecb 100644 --- a/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl +++ b/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl @@ -302,4 +302,5 @@ $code.=<<___; stringz "SHA1 block transform for IA64, CRYPTOGAMS by " ___ +$output=shift and open STDOUT,">$output"; print $code; diff --git a/src/lib/libssl/src/crypto/symhacks.h b/src/lib/libssl/src/crypto/symhacks.h index 6cfb5fe479..8728e6124d 100644 --- a/src/lib/libssl/src/crypto/symhacks.h +++ b/src/lib/libssl/src/crypto/symhacks.h @@ -62,6 +62,10 @@ VAX. */ #ifdef OPENSSL_SYS_VMS +/* Hack a long name in crypto/cryptlib.c */ +#undef int_CRYPTO_set_do_dynlock_callback +#define int_CRYPTO_set_do_dynlock_callback int_CRYPTO_set_do_dynlock_cb + /* Hack a long name in crypto/ex_data.c */ #undef CRYPTO_get_ex_data_implementation #define CRYPTO_get_ex_data_implementation CRYPTO_get_ex_data_impl diff --git a/src/lib/libssl/src/crypto/ui/ui_lib.c b/src/lib/libssl/src/crypto/ui/ui_lib.c index 7ab249c3be..ac0100808f 100644 --- a/src/lib/libssl/src/crypto/ui/ui_lib.c +++ b/src/lib/libssl/src/crypto/ui/ui_lib.c @@ -90,6 +90,7 @@ UI *UI_new_method(const UI_METHOD *method) ret->strings=NULL; ret->user_data=NULL; + ret->flags=0; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data); return ret; } diff --git a/src/lib/libssl/src/crypto/x509/x509_cmp.c b/src/lib/libssl/src/crypto/x509/x509_cmp.c index e4c682fc44..2faf92514a 100644 --- a/src/lib/libssl/src/crypto/x509/x509_cmp.c +++ b/src/lib/libssl/src/crypto/x509/x509_cmp.c @@ -288,7 +288,8 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) if (!(nabit & STR_TYPE_CMP) || !(nbbit & STR_TYPE_CMP)) return j; - j = asn1_string_memcmp(na->value, nb->value); + if (!asn1_string_memcmp(na->value, nb->value)) + j = 0; } else if (na->value->type == V_ASN1_PRINTABLESTRING) j=nocase_spacenorm_cmp(na->value, nb->value); diff --git a/src/lib/libssl/src/crypto/x509v3/v3_cpols.c b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c index 95596055ab..ad0506d75c 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_cpols.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c @@ -181,7 +181,11 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, pol = POLICYINFO_new(); pol->policyid = pobj; } - sk_POLICYINFO_push(pols, pol); + if (!sk_POLICYINFO_push(pols, pol)){ + POLICYINFO_free(pol); + X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE); + goto err; + } } sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); return pols; @@ -447,3 +451,4 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); } +IMPLEMENT_STACK_OF(X509_POLICY_NODE) diff --git a/src/lib/libssl/src/crypto/x509v3/v3_utl.c b/src/lib/libssl/src/crypto/x509v3/v3_utl.c index a4236bbb6d..7a45216c00 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_utl.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_utl.c @@ -84,7 +84,7 @@ int X509V3_add_value(const char *name, const char *value, CONF_VALUE *vtmp = NULL; char *tname = NULL, *tvalue = NULL; if(name && !(tname = BUF_strdup(name))) goto err; - if(value && !(tvalue = BUF_strdup(value))) goto err;; + if(value && !(tvalue = BUF_strdup(value))) goto err; if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err; if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err; vtmp->section = NULL; diff --git a/src/lib/libssl/src/doc/apps/rand.pod b/src/lib/libssl/src/doc/apps/rand.pod index 75745ca002..d1d213ef43 100644 --- a/src/lib/libssl/src/doc/apps/rand.pod +++ b/src/lib/libssl/src/doc/apps/rand.pod @@ -10,6 +10,7 @@ B [B<-out> I] [B<-rand> I] [B<-base64>] +[B<-hex>] I =head1 DESCRIPTION @@ -41,6 +42,10 @@ all others. Perform base64 encoding on the output. +=item B<-hex> + +Show the output as a hex string. + =back =head1 SEE ALSO diff --git a/src/lib/libssl/src/doc/apps/x509.pod b/src/lib/libssl/src/doc/apps/x509.pod index a925da41f1..f43c175235 100644 --- a/src/lib/libssl/src/doc/apps/x509.pod +++ b/src/lib/libssl/src/doc/apps/x509.pod @@ -155,7 +155,7 @@ outputs the "hash" of the certificate issuer name. =item B<-hash> -synonym for "-hash" for backward compatibility reasons. +synonym for "-subject_hash" for backward compatibility reasons. =item B<-subject> diff --git a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod index f81f692df5..f62a869a9b 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod @@ -28,7 +28,7 @@ SSL_CIPHER_get_version() returns the protocol version for B, currently SSL_CIPHER_description() returns a textual description of the cipher used into the buffer B of length B provided. B must be at least -128 bytes, otherwise a pointer to the the string "Buffer too small" is +128 bytes, otherwise a pointer to the string "Buffer too small" is returned. If B is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the allocation fails, a pointer to the string "OPENSSL_malloc Error" is returned. diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod index ca8d81b82c..81566839d3 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod @@ -28,7 +28,7 @@ specifies the B function to be used. If no callback function shall be specified, the NULL pointer can be used for B. In this case last B set specifically for this B remains. If no special B was set before, the default callback for the underlying -B is used, that was valid at the the time B was created with +B is used, that was valid at the time B was created with L. SSL_CTX_set_verify_depth() sets the maximum B for the certificate chain diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod index 558de01df9..110ec73ab6 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod @@ -14,7 +14,7 @@ SSL_SESSION_free - free an allocated SSL_SESSION structure SSL_SESSION_free() decrements the reference count of B and removes the B structure pointed to by B and frees up the allocated -memory, if the the reference count has reached 0. +memory, if the reference count has reached 0. =head1 NOTES diff --git a/src/lib/libssl/src/doc/ssl/SSL_free.pod b/src/lib/libssl/src/doc/ssl/SSL_free.pod index 2d4f8b6168..13c1abd9ec 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_free.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_free.pod @@ -14,7 +14,7 @@ SSL_free - free an allocated SSL structure SSL_free() decrements the reference count of B, and removes the SSL structure pointed to by B and frees up the allocated memory if the -the reference count has reached 0. +reference count has reached 0. =head1 NOTES diff --git a/src/lib/libssl/src/doc/ssleay.txt b/src/lib/libssl/src/doc/ssleay.txt index c75312911f..a8b04d7059 100644 --- a/src/lib/libssl/src/doc/ssleay.txt +++ b/src/lib/libssl/src/doc/ssleay.txt @@ -3800,9 +3800,9 @@ made public on sci.crypt in Sep 1994 (RC4) and Feb 1996 (RC2). I have copies of the origional postings if people are interested. RSA I believe claim that they were 'trade-secrets' and that some-one broke an NDA in revealing them. Other claim they reverse engineered the algorithms from -compiled binaries. If the algorithms were reverse engineered, I belive +compiled binaries. If the algorithms were reverse engineered, I believe RSA had no legal leg to stand on. If an NDA was broken, I don't know. -Regardless, RSA, I belive, is willing to go to court over the issue so +Regardless, RSA, I believe, is willing to go to court over the issue so licencing is probably the best idea, or at least talk to them. If there are people who actually know more about this, pease let me know, I don't want to vilify or spread miss-information if I can help it. diff --git a/src/lib/libssl/src/engines/makeengines.com b/src/lib/libssl/src/engines/makeengines.com index 4a7474e010..840864f7cf 100644 --- a/src/lib/libssl/src/engines/makeengines.com +++ b/src/lib/libssl/src/engines/makeengines.com @@ -34,7 +34,7 @@ $! Set the names of the engines we want to build $! $ ENGINES = "," + P6 $ IF ENGINES .EQS. "," THEN - - ENGINES = ",4758cca,aep,atalla,cswift,chil,nuron,sureware,ubsec" + ENGINES = ",4758cca,aep,atalla,cswift,chil,nuron,sureware,ubsec,capi" $! $! Set the default TCP/IP library to link against if needed $! @@ -87,6 +87,7 @@ $ ENGINE_chil = "e_chil" $ ENGINE_nuron = "e_nuron" $ ENGINE_sureware = "e_sureware" $ ENGINE_ubsec = "e_ubsec" +$ ENGINE_capi = "e_capi" $! $! Define which programs need to be linked with a TCP/IP library $! diff --git a/src/lib/libssl/src/fips/Makefile b/src/lib/libssl/src/fips/Makefile index d6dcb79a28..e038be8f13 100644 --- a/src/lib/libssl/src/fips/Makefile +++ b/src/lib/libssl/src/fips/Makefile @@ -123,7 +123,7 @@ fips_premain_dso$(EXE_EXT): fips_premain.c $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS) # this is executed only when linking with external fipscanister.o fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c - $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o + $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS) subdirs: @target=all; $(RECURSIVE_MAKE) @@ -179,8 +179,15 @@ install: chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; @target=install; $(RECURSIVE_MAKE) - @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \ - fips_premain.c.sha1 \ + for i in $(EXE) ; \ + do \ + echo "installing $$i"; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \ + done + cp -p -f $(FIPSLIBDIR)fipscanister.o $(FIPSLIBDIR)fipscanister.o.sha1 \ + $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fips_premain.c.sha1 \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* diff --git a/src/lib/libssl/src/fips/aes/Makefile b/src/lib/libssl/src/fips/aes/Makefile index 403525d4c0..7b8b3a26de 100644 --- a/src/lib/libssl/src/fips/aes/Makefile +++ b/src/lib/libssl/src/fips/aes/Makefile @@ -22,7 +22,6 @@ CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=fips_aesavs.c -TESTDATA=fips_aes_data APPS= LIB=$(TOP)/libcrypto.a @@ -50,7 +49,6 @@ files: links: @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TESTDATA) @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) install: diff --git a/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c b/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c index 058b71a20f..eec65dc39e 100644 --- a/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c +++ b/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c @@ -65,7 +65,7 @@ void OPENSSL_cleanse(void *p,size_t len) {} static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, const char *key) { - int len=strlen(key); + size_t len=strlen(key); int i; unsigned char keymd[HMAC_MAX_MD_CBLOCK]; unsigned char pad[HMAC_MAX_MD_CBLOCK]; @@ -139,7 +139,7 @@ int main(int argc,char **argv) for( ; ; ) { char buf[1024]; - int l=fread(buf,1,sizeof buf,f); + size_t l=fread(buf,1,sizeof buf,f); if(l == 0) { diff --git a/src/lib/libssl/src/ms/do_masm.bat b/src/lib/libssl/src/ms/do_masm.bat index 8c22256b32..a8575321f9 100644 --- a/src/lib/libssl/src/ms/do_masm.bat +++ b/src/lib/libssl/src/ms/do_masm.bat @@ -1,74 +1,70 @@ -@echo off - -SET ASMOPTS=-DOPENSSL_IA32_SSE2 -echo Generating x86 for MASM assember - -echo Bignum -cd crypto\bn\asm -perl bn-586.pl win32 %ASMOPTS% > bn_win32.asm -perl co-586.pl win32 %ASMOPTS% > co_win32.asm -perl mo-586.pl win32 %ASMOPTS% > mt_win32.asm -cd ..\..\.. - -echo AES -cd crypto\aes\asm -perl aes-586.pl win32 %ASMOPTS% > a_win32.asm -cd ..\..\.. - -echo DES -cd crypto\des\asm -perl des-586.pl win32 %ASMOPTS% > d_win32.asm -cd ..\..\.. - -echo "crypt(3)" - -cd crypto\des\asm -perl crypt586.pl win32 %ASMOPTS% > y_win32.asm -cd ..\..\.. - -echo Blowfish - -cd crypto\bf\asm -perl bf-586.pl win32 %ASMOPTS% > b_win32.asm -cd ..\..\.. - -echo CAST5 -cd crypto\cast\asm -perl cast-586.pl win32 %ASMOPTS% > c_win32.asm -cd ..\..\.. - -echo RC4 -cd crypto\rc4\asm -perl rc4-586.pl win32 %ASMOPTS% > r4_win32.asm -cd ..\..\.. - -echo MD5 -cd crypto\md5\asm -perl md5-586.pl win32 %ASMOPTS% > m5_win32.asm -cd ..\..\.. - -echo SHA1 -cd crypto\sha\asm -perl sha1-586.pl win32 %ASMOPTS% > s1_win32.asm -perl sha512-sse2.pl win32 %ASMOPTS% > sha512-sse2.asm -cd ..\..\.. - -echo RIPEMD160 -cd crypto\ripemd\asm -perl rmd-586.pl win32 %ASMOPTS% > rm_win32.asm -cd ..\..\.. - -echo RC5\32 -cd crypto\rc5\asm -perl rc5-586.pl win32 %ASMOPTS% > r5_win32.asm -cd ..\..\.. - -echo CPU-ID -cd crypto -perl x86cpuid.pl win32 %ASMOPTS% > cpu_win32.asm -cd .. - -echo on +@SET ASMOPTS=-DOPENSSL_IA32_SSE2 +@echo Generating x86 for MASM assember + +@echo Bignum +@cd crypto\bn\asm +@perl bn-586.pl win32 %ASMOPTS% > bn_win32.asm +@perl co-586.pl win32 %ASMOPTS% > co_win32.asm +@perl mo-586.pl win32 %ASMOPTS% > mt_win32.asm +@cd ..\..\.. + +@echo AES +@cd crypto\aes\asm +@perl aes-586.pl win32 %ASMOPTS% > a_win32.asm +@cd ..\..\.. + +@echo DES +@cd crypto\des\asm +@perl des-586.pl win32 %ASMOPTS% > d_win32.asm +@cd ..\..\.. + +@echo "crypt(3)" + +@cd crypto\des\asm +@perl crypt586.pl win32 %ASMOPTS% > y_win32.asm +@cd ..\..\.. + +@echo Blowfish + +@cd crypto\bf\asm +@perl bf-586.pl win32 %ASMOPTS% > b_win32.asm +@cd ..\..\.. + +@echo CAST5 +@cd crypto\cast\asm +@perl cast-586.pl win32 %ASMOPTS% > c_win32.asm +@cd ..\..\.. + +@echo RC4 +@cd crypto\rc4\asm +@perl rc4-586.pl win32 %ASMOPTS% > r4_win32.asm +@cd ..\..\.. + +@echo MD5 +@cd crypto\md5\asm +@perl md5-586.pl win32 %ASMOPTS% > m5_win32.asm +@cd ..\..\.. + +@echo SHA1 +@cd crypto\sha\asm +@perl sha1-586.pl win32 %ASMOPTS% > s1_win32.asm +@perl sha512-sse2.pl win32 %ASMOPTS% > sha512-sse2.asm +@cd ..\..\.. + +@echo RIPEMD160 +@cd crypto\ripemd\asm +@perl rmd-586.pl win32 %ASMOPTS% > rm_win32.asm +@cd ..\..\.. + +@echo RC5\32 +@cd crypto\rc5\asm +@perl rc5-586.pl win32 %ASMOPTS% > r5_win32.asm +@cd ..\..\.. + +@echo CPU-ID +@cd crypto +@perl x86cpuid.pl win32 %ASMOPTS% > cpu_win32.asm +@cd .. perl util\mkfiles.pl >MINFO perl util\mk1mf.pl VC-WIN32 >ms\nt.mak diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec index 6008c3c9c8..329e3925b7 100644 --- a/src/lib/libssl/src/openssl.spec +++ b/src/lib/libssl/src/openssl.spec @@ -1,7 +1,7 @@ %define libmaj 0 %define libmin 9 %define librel 8 -%define librev j +%define librev k Release: 1 %define openssldir /var/ssl diff --git a/src/lib/libssl/src/ssl/kssl.c b/src/lib/libssl/src/ssl/kssl.c index 6da75e6416..019030ae3c 100644 --- a/src/lib/libssl/src/ssl/kssl.c +++ b/src/lib/libssl/src/ssl/kssl.c @@ -946,7 +946,7 @@ kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) if (kssl_err == NULL) return; kssl_err->reason = reason; - BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, text); + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text); return; } diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 5fd3520caf..50308487aa 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c @@ -173,7 +173,7 @@ int ssl3_connect(SSL *s) long num1; void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; - int new_state,state,skip=0;; + int new_state,state,skip=0; RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c index 0c2aa249b4..52f91cfe60 100644 --- a/src/lib/libssl/src/ssl/ssl_ciph.c +++ b/src/lib/libssl/src/ssl/ssl_ciph.c @@ -1355,7 +1355,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) comp->method=cm; load_builtin_compressions(); if (ssl_comp_methods - && !sk_SSL_COMP_find(ssl_comp_methods,comp)) + && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0) { OPENSSL_free(comp); MemCheck_on(); diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 68eee77e6f..893abff1f4 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c @@ -510,6 +510,8 @@ void SSL_free(SSL *s) if (s->ctx) SSL_CTX_free(s->ctx); #ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_hostname) + OPENSSL_free(s->tlsext_hostname); if (s->initial_ctx) SSL_CTX_free(s->initial_ctx); if (s->tlsext_ocsp_exts) sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, diff --git a/src/lib/libssl/src/test/Makefile b/src/lib/libssl/src/test/Makefile index 73d64440b1..228ee368cd 100644 --- a/src/lib/libssl/src/test/Makefile +++ b/src/lib/libssl/src/test/Makefile @@ -404,6 +404,8 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ elif [ -n "$(FIPSCANLIB)" ]; then \ FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ + else \ + LIBRARIES="$(LIBCRYPTO)"; \ fi; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ diff --git a/src/lib/libssl/src/test/times b/src/lib/libssl/src/test/times index 49aeebf216..738d569b8f 100644 --- a/src/lib/libssl/src/test/times +++ b/src/lib/libssl/src/test/times @@ -68,7 +68,7 @@ eric (adding numbers to speculation) --- Appendix --- - The time measured is user time but these number a very rough. - Remember this is the cost of both client and server sides of the protocol. -- The TCP/kernal overhead of connection establishment is normally the +- The TCP/kernel overhead of connection establishment is normally the killer in SSL. Often delays in the TCP protocol will make session-id reuse look slower that new sessions, but this would not be the case on a loaded server. diff --git a/src/lib/libssl/src/util/domd b/src/lib/libssl/src/util/domd index 691be7a440..560ebeaf82 100644 --- a/src/lib/libssl/src/util/domd +++ b/src/lib/libssl/src/util/domd @@ -22,7 +22,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then done sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp - gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp + ${CC:-gcc} -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new rm -f Makefile.tmp else diff --git a/src/lib/libssl/src/util/libeay.num b/src/lib/libssl/src/util/libeay.num index 0eb54ddc89..74eb337227 100644 --- a/src/lib/libssl/src/util/libeay.num +++ b/src/lib/libssl/src/util/libeay.num @@ -3667,7 +3667,8 @@ CRYPTO_set_mem_info_functions 4053 EXIST::FUNCTION: RSA_X931_generate_key_ex 4054 EXIST::FUNCTION:RSA int_ERR_set_state_func 4055 EXIST:OPENSSL_FIPS:FUNCTION: int_EVP_MD_set_engine_callbacks 4056 EXIST:OPENSSL_FIPS:FUNCTION:ENGINE -int_CRYPTO_set_do_dynlock_callback 4057 EXIST::FUNCTION: +int_CRYPTO_set_do_dynlock_callback 4057 EXIST:!VMS:FUNCTION: +int_CRYPTO_set_do_dynlock_cb 4057 EXIST:VMS:FUNCTION: FIPS_rng_stick 4058 EXIST:OPENSSL_FIPS:FUNCTION: EVP_CIPHER_CTX_set_flags 4059 EXIST::FUNCTION: BN_X931_generate_prime_ex 4060 EXIST::FUNCTION: diff --git a/src/lib/libssl/src/util/pl/VC-32.pl b/src/lib/libssl/src/util/pl/VC-32.pl index 730c2083bd..85121c8ed1 100644 --- a/src/lib/libssl/src/util/pl/VC-32.pl +++ b/src/lib/libssl/src/util/pl/VC-32.pl @@ -164,7 +164,7 @@ if ($FLAVOR =~ /NT/) $ex_libs="unicows.lib $ex_libs"; } # static library stuff -$mklib='lib'; +$mklib='lib /nologo'; $ranlib=''; $plib=""; $libp=".lib"; @@ -184,7 +184,7 @@ if ($nasm) { $asm.=' /Zi' if $debug; $afile='/Fo'; } else { - $asm='ml /Cp /coff /c /Cx'; + $asm='ml /nologo /Cp /coff /c /Cx'; $asm.=" /Zi" if $debug; $afile='/Fo'; } @@ -405,7 +405,7 @@ sub do_link_rule if ($standalone == 1) { $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t"; - $ret.= "$mwex advapi32.lib " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild); + $ret.= "\$(EX_LIBS) " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild); $ret.="$files $libs\n<<\n"; } elsif ($standalone == 2) diff --git a/src/lib/libssl/test/Makefile b/src/lib/libssl/test/Makefile index 73d64440b1..228ee368cd 100644 --- a/src/lib/libssl/test/Makefile +++ b/src/lib/libssl/test/Makefile @@ -404,6 +404,8 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ elif [ -n "$(FIPSCANLIB)" ]; then \ FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ + else \ + LIBRARIES="$(LIBCRYPTO)"; \ fi; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ -- cgit v1.2.3-55-g6feb