From f6198d4d0ab97685dc56be2d48715ed39fcc74b9 Mon Sep 17 00:00:00 2001 From: djm <> Date: Tue, 27 Jun 2006 05:05:42 +0000 Subject: import of openssl-0.9.7j --- src/lib/libcrypto/aes/aes_cbc.c | 2 + src/lib/libcrypto/asn1/asn1.h | 2 + src/lib/libcrypto/asn1/asn1_err.c | 324 ++++++------- src/lib/libcrypto/asn1/tasn_dec.c | 78 +++- src/lib/libcrypto/asn1/tasn_enc.c | 9 +- src/lib/libcrypto/bf/bf_skey.c | 1 + src/lib/libcrypto/bio/b_print.c | 8 +- src/lib/libcrypto/bio/bio_err.c | 130 +++--- src/lib/libcrypto/bio/bss_conn.c | 2 +- src/lib/libcrypto/bn/asm/ppc.pl | 23 +- src/lib/libcrypto/bn/asm/sparcv8plus.S | 16 +- src/lib/libcrypto/bn/bn.h | 34 ++ src/lib/libcrypto/bn/bn_asm.c | 2 +- src/lib/libcrypto/bn/bn_err.c | 92 ++-- src/lib/libcrypto/bn/bn_exp.c | 244 +++++++++- src/lib/libcrypto/bn/bn_lcl.h | 39 ++ src/lib/libcrypto/bn/bn_mont.c | 20 + src/lib/libcrypto/bn/bn_x931p.c | 282 +++++++++++ src/lib/libcrypto/buffer/buf_err.c | 16 +- src/lib/libcrypto/cast/c_skey.c | 1 + src/lib/libcrypto/cast/cast_lcl.h | 21 +- src/lib/libcrypto/comp/c_zlib.c | 88 +--- src/lib/libcrypto/conf/conf_def.c | 13 +- src/lib/libcrypto/conf/conf_err.c | 78 ++-- src/lib/libcrypto/cpt_err.c | 30 +- src/lib/libcrypto/cryptlib.c | 218 ++++++--- src/lib/libcrypto/cryptlib.h | 4 + src/lib/libcrypto/crypto.h | 5 +- src/lib/libcrypto/des/des_locl.h | 2 +- src/lib/libcrypto/dh/dh.h | 9 +- src/lib/libcrypto/dh/dh_err.c | 26 +- src/lib/libcrypto/dh/dh_key.c | 63 ++- src/lib/libcrypto/doc/EVP_EncryptInit.pod | 6 +- src/lib/libcrypto/doc/OPENSSL_config.pod | 2 +- src/lib/libcrypto/doc/PKCS7_verify.pod | 2 +- src/lib/libcrypto/dsa/dsa.h | 14 + src/lib/libcrypto/dsa/dsa_err.c | 42 +- src/lib/libcrypto/dsa/dsa_key.c | 16 +- src/lib/libcrypto/dsa/dsa_ossl.c | 55 ++- src/lib/libcrypto/dsa/dsa_sign.c | 6 +- src/lib/libcrypto/dsa/dsa_vrf.c | 3 +- src/lib/libcrypto/dso/dso_dlfcn.c | 36 +- src/lib/libcrypto/dso/dso_err.c | 96 ++-- src/lib/libcrypto/ec/ec_err.c | 124 ++--- src/lib/libcrypto/engine/eng_cnf.c | 2 +- src/lib/libcrypto/engine/eng_err.c | 158 ++++--- src/lib/libcrypto/engine/tb_dsa.c | 2 +- src/lib/libcrypto/err/err.c | 6 +- src/lib/libcrypto/err/openssl.ec | 2 +- src/lib/libcrypto/evp/bio_enc.c | 2 +- src/lib/libcrypto/evp/e_aes.c | 6 +- src/lib/libcrypto/evp/encode.c | 2 +- src/lib/libcrypto/evp/evp.h | 20 +- src/lib/libcrypto/evp/evp_err.c | 158 ++++--- src/lib/libcrypto/evp/evp_key.c | 3 +- src/lib/libcrypto/evp/m_dss1.c | 9 +- src/lib/libcrypto/evp/m_sha1.c | 119 +++++ src/lib/libcrypto/evp/p5_crpt2.c | 11 +- src/lib/libcrypto/hmac/hmac.c | 12 +- src/lib/libcrypto/hmac/hmac.h | 4 + src/lib/libcrypto/md4/md4_one.c | 3 +- src/lib/libcrypto/md5/md5_one.c | 3 +- src/lib/libcrypto/objects/obj_err.c | 28 +- src/lib/libcrypto/objects/obj_mac.num | 16 +- src/lib/libcrypto/objects/objects.txt | 20 +- src/lib/libcrypto/ocsp/ocsp_err.c | 104 +++-- src/lib/libcrypto/opensslv.h | 6 +- src/lib/libcrypto/pem/pem_err.c | 88 ++-- src/lib/libcrypto/perlasm/x86asm.pl | 2 +- src/lib/libcrypto/pkcs12/p12_add.c | 11 +- src/lib/libcrypto/pkcs12/p12_crt.c | 10 +- src/lib/libcrypto/pkcs12/p12_mutl.c | 6 + src/lib/libcrypto/pkcs12/pk12err.c | 107 +++-- src/lib/libcrypto/pkcs12/pkcs12.h | 3 + src/lib/libcrypto/pkcs7/pk7_mime.c | 24 +- src/lib/libcrypto/pkcs7/pk7_smime.c | 6 +- src/lib/libcrypto/pkcs7/pkcs7err.c | 146 +++--- src/lib/libcrypto/rand/rand_err.c | 28 +- src/lib/libcrypto/rand/rand_lib.c | 26 +- src/lib/libcrypto/rand/randfile.c | 2 +- src/lib/libcrypto/rc2/rc2_skey.c | 1 + src/lib/libcrypto/rc4/asm/rc4-x86_64.pl | 150 ++++++ src/lib/libcrypto/rc4/rc4.h | 4 - src/lib/libcrypto/rc4/rc4_enc.c | 4 - src/lib/libcrypto/rc4/rc4_skey.c | 5 +- src/lib/libcrypto/ripemd/rmd_one.c | 3 +- src/lib/libcrypto/rsa/rsa.h | 67 ++- src/lib/libcrypto/rsa/rsa_eay.c | 247 ++++++---- src/lib/libcrypto/rsa/rsa_err.c | 135 +++--- src/lib/libcrypto/rsa/rsa_gen.c | 3 +- src/lib/libcrypto/rsa/rsa_oaep.c | 32 +- src/lib/libcrypto/rsa/rsa_pss.c | 261 +++++++++++ src/lib/libcrypto/rsa/rsa_x931.c | 177 +++++++ src/lib/libcrypto/sha/sha1_one.c | 5 +- src/lib/libcrypto/stack/safestack.h | 53 ++- src/lib/libcrypto/ui/ui_err.c | 48 +- src/lib/libcrypto/util/mkerr.pl | 37 +- src/lib/libcrypto/x509/by_dir.c | 15 +- src/lib/libcrypto/x509/x509_err.c | 138 +++--- src/lib/libcrypto/x509/x509_vfy.c | 2 +- src/lib/libcrypto/x509v3/v3_cpols.c | 9 + src/lib/libcrypto/x509v3/v3err.c | 210 ++++----- src/lib/libssl/LICENSE | 2 +- src/lib/libssl/s23_clnt.c | 225 ++++++--- src/lib/libssl/s23_srvr.c | 9 +- src/lib/libssl/s3_clnt.c | 6 +- src/lib/libssl/s3_lib.c | 12 +- src/lib/libssl/s3_srvr.c | 4 +- src/lib/libssl/ssl.h | 57 ++- src/lib/libssl/ssl_asn1.c | 2 +- src/lib/libssl/ssl_cert.c | 16 +- src/lib/libssl/ssl_ciph.c | 64 +-- src/lib/libssl/ssl_err.c | 745 +++++++++++++++--------------- src/lib/libssl/ssl_lib.c | 38 +- src/lib/libssl/ssl_locl.h | 5 +- src/lib/libssl/ssl_sess.c | 4 +- 116 files changed, 4130 insertions(+), 2104 deletions(-) create mode 100644 src/lib/libcrypto/bn/bn_x931p.c create mode 100755 src/lib/libcrypto/rc4/asm/rc4-x86_64.pl create mode 100644 src/lib/libcrypto/rsa/rsa_pss.c create mode 100644 src/lib/libcrypto/rsa/rsa_x931.c diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c index d2ba6bcdb4..373864cd4b 100644 --- a/src/lib/libcrypto/aes/aes_cbc.c +++ b/src/lib/libcrypto/aes/aes_cbc.c @@ -59,6 +59,7 @@ #include #include "aes_locl.h" +#if !defined(OPENSSL_FIPS_AES_ASM) void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, unsigned char *ivec, const int enc) { @@ -129,3 +130,4 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, } } } +#endif diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h index ceaeb4cbe3..0184b475a7 100644 --- a/src/lib/libcrypto/asn1/asn1.h +++ b/src/lib/libcrypto/asn1/asn1.h @@ -962,6 +962,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_ASN1_DUP 111 #define ASN1_F_ASN1_ENUMERATED_SET 112 #define ASN1_F_ASN1_ENUMERATED_TO_BN 113 +#define ASN1_F_ASN1_FIND_END 182 #define ASN1_F_ASN1_GENERALIZEDTIME_SET 178 #define ASN1_F_ASN1_GET_OBJECT 114 #define ASN1_F_ASN1_HEADER_NEW 115 @@ -1075,6 +1076,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_MISSING_SECOND_NUMBER 138 #define ASN1_R_MSTRING_NOT_UNIVERSAL 139 #define ASN1_R_MSTRING_WRONG_TAG 140 +#define ASN1_R_NESTED_ASN1_STRING 174 #define ASN1_R_NON_HEX_CHARACTERS 141 #define ASN1_R_NOT_ENOUGH_DATA 142 #define ASN1_R_NO_MATCHING_CHOICE_TYPE 143 diff --git a/src/lib/libcrypto/asn1/asn1_err.c b/src/lib/libcrypto/asn1/asn1_err.c index 3b57c8fbae..315d0a0807 100644 --- a/src/lib/libcrypto/asn1/asn1_err.c +++ b/src/lib/libcrypto/asn1/asn1_err.c @@ -1,6 +1,6 @@ /* crypto/asn1/asn1_err.c */ /* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,169 +64,175 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ASN1,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ASN1,0,reason) + static ERR_STRING_DATA ASN1_str_functs[]= { -{ERR_PACK(0,ASN1_F_A2D_ASN1_OBJECT,0), "a2d_ASN1_OBJECT"}, -{ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0), "a2i_ASN1_ENUMERATED"}, -{ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0), "a2i_ASN1_INTEGER"}, -{ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0), "a2i_ASN1_STRING"}, -{ERR_PACK(0,ASN1_F_ASN1_BIT_STRING_SET_BIT,0), "ASN1_BIT_STRING_set_bit"}, -{ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0), "ASN1_CHECK_TLEN"}, -{ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0), "ASN1_COLLATE_PRIMITIVE"}, -{ERR_PACK(0,ASN1_F_ASN1_COLLECT,0), "ASN1_COLLECT"}, -{ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0), "ASN1_d2i_bio"}, -{ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0), "ASN1_D2I_EX_PRIMITIVE"}, -{ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0), "ASN1_d2i_fp"}, -{ERR_PACK(0,ASN1_F_ASN1_DIGEST,0), "ASN1_digest"}, -{ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0), "ASN1_DO_ADB"}, -{ERR_PACK(0,ASN1_F_ASN1_DUP,0), "ASN1_dup"}, -{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0), "ASN1_ENUMERATED_set"}, -{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0), "ASN1_ENUMERATED_to_BN"}, -{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_SET,0), "ASN1_GENERALIZEDTIME_set"}, -{ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0), "ASN1_get_object"}, -{ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0), "ASN1_HEADER_new"}, -{ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0), "ASN1_i2d_bio"}, -{ERR_PACK(0,ASN1_F_ASN1_I2D_FP,0), "ASN1_i2d_fp"}, -{ERR_PACK(0,ASN1_F_ASN1_INTEGER_SET,0), "ASN1_INTEGER_set"}, -{ERR_PACK(0,ASN1_F_ASN1_INTEGER_TO_BN,0), "ASN1_INTEGER_to_BN"}, -{ERR_PACK(0,ASN1_F_ASN1_ITEM_EX_D2I,0), "ASN1_ITEM_EX_D2I"}, -{ERR_PACK(0,ASN1_F_ASN1_ITEM_NEW,0), "ASN1_item_new"}, -{ERR_PACK(0,ASN1_F_ASN1_MBSTRING_COPY,0), "ASN1_mbstring_copy"}, -{ERR_PACK(0,ASN1_F_ASN1_OBJECT_NEW,0), "ASN1_OBJECT_new"}, -{ERR_PACK(0,ASN1_F_ASN1_PACK_STRING,0), "ASN1_pack_string"}, -{ERR_PACK(0,ASN1_F_ASN1_PBE_SET,0), "ASN1_PBE_SET"}, -{ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0), "ASN1_seq_pack"}, -{ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0), "ASN1_seq_unpack"}, -{ERR_PACK(0,ASN1_F_ASN1_SIGN,0), "ASN1_sign"}, -{ERR_PACK(0,ASN1_F_ASN1_STRING_SET,0), "ASN1_STRING_set"}, -{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0), "ASN1_STRING_TABLE_add"}, -{ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0), "ASN1_STRING_type_new"}, -{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0), "ASN1_TEMPLATE_D2I"}, -{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0), "ASN1_TEMPLATE_EX_D2I"}, -{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0), "ASN1_TEMPLATE_NEW"}, -{ERR_PACK(0,ASN1_F_ASN1_TIME_SET,0), "ASN1_TIME_set"}, -{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0), "ASN1_TYPE_get_int_octetstring"}, -{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0), "ASN1_TYPE_get_octetstring"}, -{ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0), "ASN1_unpack_string"}, -{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_SET,0), "ASN1_UTCTIME_set"}, -{ERR_PACK(0,ASN1_F_ASN1_VERIFY,0), "ASN1_verify"}, -{ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0), "BN_to_ASN1_ENUMERATED"}, -{ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0), "BN_to_ASN1_INTEGER"}, -{ERR_PACK(0,ASN1_F_COLLECT_DATA,0), "COLLECT_DATA"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_BIT_STRING,0), "D2I_ASN1_BIT_STRING"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_BOOLEAN,0), "d2i_ASN1_BOOLEAN"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_BYTES,0), "d2i_ASN1_bytes"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_GENERALIZEDTIME,0), "D2I_ASN1_GENERALIZEDTIME"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_HEADER,0), "d2i_ASN1_HEADER"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_INTEGER,0), "D2I_ASN1_INTEGER"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_OBJECT,0), "d2i_ASN1_OBJECT"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_SET,0), "d2i_ASN1_SET"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_TYPE_BYTES,0), "d2i_ASN1_type_bytes"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_UINTEGER,0), "d2i_ASN1_UINTEGER"}, -{ERR_PACK(0,ASN1_F_D2I_ASN1_UTCTIME,0), "D2I_ASN1_UTCTIME"}, -{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA,0), "d2i_Netscape_RSA"}, -{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA_2,0), "D2I_NETSCAPE_RSA_2"}, -{ERR_PACK(0,ASN1_F_D2I_PRIVATEKEY,0), "d2i_PrivateKey"}, -{ERR_PACK(0,ASN1_F_D2I_PUBLICKEY,0), "d2i_PublicKey"}, -{ERR_PACK(0,ASN1_F_D2I_X509,0), "D2I_X509"}, -{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0), "D2I_X509_CINF"}, -{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0), "D2I_X509_NAME"}, -{ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0), "d2i_X509_PKEY"}, -{ERR_PACK(0,ASN1_F_I2D_ASN1_SET,0), "i2d_ASN1_SET"}, -{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0), "I2D_ASN1_TIME"}, -{ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0), "i2d_DSA_PUBKEY"}, -{ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"}, -{ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0), "i2d_PrivateKey"}, -{ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0), "i2d_PublicKey"}, -{ERR_PACK(0,ASN1_F_I2D_RSA_PUBKEY,0), "i2d_RSA_PUBKEY"}, -{ERR_PACK(0,ASN1_F_LONG_C2I,0), "LONG_C2I"}, -{ERR_PACK(0,ASN1_F_OID_MODULE_INIT,0), "OID_MODULE_INIT"}, -{ERR_PACK(0,ASN1_F_PKCS5_PBE2_SET,0), "PKCS5_pbe2_set"}, -{ERR_PACK(0,ASN1_F_X509_CINF_NEW,0), "X509_CINF_NEW"}, -{ERR_PACK(0,ASN1_F_X509_CRL_ADD0_REVOKED,0), "X509_CRL_add0_revoked"}, -{ERR_PACK(0,ASN1_F_X509_INFO_NEW,0), "X509_INFO_new"}, -{ERR_PACK(0,ASN1_F_X509_NAME_NEW,0), "X509_NAME_NEW"}, -{ERR_PACK(0,ASN1_F_X509_NEW,0), "X509_NEW"}, -{ERR_PACK(0,ASN1_F_X509_PKEY_NEW,0), "X509_PKEY_new"}, +{ERR_FUNC(ASN1_F_A2D_ASN1_OBJECT), "a2d_ASN1_OBJECT"}, +{ERR_FUNC(ASN1_F_A2I_ASN1_ENUMERATED), "a2i_ASN1_ENUMERATED"}, +{ERR_FUNC(ASN1_F_A2I_ASN1_INTEGER), "a2i_ASN1_INTEGER"}, +{ERR_FUNC(ASN1_F_A2I_ASN1_STRING), "a2i_ASN1_STRING"}, +{ERR_FUNC(ASN1_F_ASN1_BIT_STRING_SET_BIT), "ASN1_BIT_STRING_set_bit"}, +{ERR_FUNC(ASN1_F_ASN1_CHECK_TLEN), "ASN1_CHECK_TLEN"}, +{ERR_FUNC(ASN1_F_ASN1_COLLATE_PRIMITIVE), "ASN1_COLLATE_PRIMITIVE"}, +{ERR_FUNC(ASN1_F_ASN1_COLLECT), "ASN1_COLLECT"}, +{ERR_FUNC(ASN1_F_ASN1_D2I_BIO), "ASN1_d2i_bio"}, +{ERR_FUNC(ASN1_F_ASN1_D2I_EX_PRIMITIVE), "ASN1_D2I_EX_PRIMITIVE"}, +{ERR_FUNC(ASN1_F_ASN1_D2I_FP), "ASN1_d2i_fp"}, +{ERR_FUNC(ASN1_F_ASN1_DIGEST), "ASN1_digest"}, +{ERR_FUNC(ASN1_F_ASN1_DO_ADB), "ASN1_DO_ADB"}, +{ERR_FUNC(ASN1_F_ASN1_DUP), "ASN1_dup"}, +{ERR_FUNC(ASN1_F_ASN1_ENUMERATED_SET), "ASN1_ENUMERATED_set"}, +{ERR_FUNC(ASN1_F_ASN1_ENUMERATED_TO_BN), "ASN1_ENUMERATED_to_BN"}, +{ERR_FUNC(ASN1_F_ASN1_FIND_END), "ASN1_FIND_END"}, +{ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_SET), "ASN1_GENERALIZEDTIME_set"}, +{ERR_FUNC(ASN1_F_ASN1_GET_OBJECT), "ASN1_get_object"}, +{ERR_FUNC(ASN1_F_ASN1_HEADER_NEW), "ASN1_HEADER_new"}, +{ERR_FUNC(ASN1_F_ASN1_I2D_BIO), "ASN1_i2d_bio"}, +{ERR_FUNC(ASN1_F_ASN1_I2D_FP), "ASN1_i2d_fp"}, +{ERR_FUNC(ASN1_F_ASN1_INTEGER_SET), "ASN1_INTEGER_set"}, +{ERR_FUNC(ASN1_F_ASN1_INTEGER_TO_BN), "ASN1_INTEGER_to_BN"}, +{ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"}, +{ERR_FUNC(ASN1_F_ASN1_ITEM_NEW), "ASN1_item_new"}, +{ERR_FUNC(ASN1_F_ASN1_MBSTRING_COPY), "ASN1_mbstring_copy"}, +{ERR_FUNC(ASN1_F_ASN1_OBJECT_NEW), "ASN1_OBJECT_new"}, +{ERR_FUNC(ASN1_F_ASN1_PACK_STRING), "ASN1_pack_string"}, +{ERR_FUNC(ASN1_F_ASN1_PBE_SET), "ASN1_PBE_SET"}, +{ERR_FUNC(ASN1_F_ASN1_SEQ_PACK), "ASN1_seq_pack"}, +{ERR_FUNC(ASN1_F_ASN1_SEQ_UNPACK), "ASN1_seq_unpack"}, +{ERR_FUNC(ASN1_F_ASN1_SIGN), "ASN1_sign"}, +{ERR_FUNC(ASN1_F_ASN1_STRING_SET), "ASN1_STRING_set"}, +{ERR_FUNC(ASN1_F_ASN1_STRING_TABLE_ADD), "ASN1_STRING_TABLE_add"}, +{ERR_FUNC(ASN1_F_ASN1_STRING_TYPE_NEW), "ASN1_STRING_type_new"}, +{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_D2I), "ASN1_TEMPLATE_D2I"}, +{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I), "ASN1_TEMPLATE_EX_D2I"}, +{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW), "ASN1_TEMPLATE_NEW"}, +{ERR_FUNC(ASN1_F_ASN1_TIME_SET), "ASN1_TIME_set"}, +{ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING), "ASN1_TYPE_get_int_octetstring"}, +{ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING), "ASN1_TYPE_get_octetstring"}, +{ERR_FUNC(ASN1_F_ASN1_UNPACK_STRING), "ASN1_unpack_string"}, +{ERR_FUNC(ASN1_F_ASN1_UTCTIME_SET), "ASN1_UTCTIME_set"}, +{ERR_FUNC(ASN1_F_ASN1_VERIFY), "ASN1_verify"}, +{ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED), "BN_to_ASN1_ENUMERATED"}, +{ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER), "BN_to_ASN1_INTEGER"}, +{ERR_FUNC(ASN1_F_COLLECT_DATA), "COLLECT_DATA"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_BIT_STRING), "D2I_ASN1_BIT_STRING"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_BOOLEAN), "d2i_ASN1_BOOLEAN"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_BYTES), "d2i_ASN1_bytes"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_GENERALIZEDTIME), "D2I_ASN1_GENERALIZEDTIME"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_HEADER), "d2i_ASN1_HEADER"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_INTEGER), "D2I_ASN1_INTEGER"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_OBJECT), "d2i_ASN1_OBJECT"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_SET), "d2i_ASN1_SET"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_TYPE_BYTES), "d2i_ASN1_type_bytes"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_UINTEGER), "d2i_ASN1_UINTEGER"}, +{ERR_FUNC(ASN1_F_D2I_ASN1_UTCTIME), "D2I_ASN1_UTCTIME"}, +{ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA), "d2i_Netscape_RSA"}, +{ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA_2), "D2I_NETSCAPE_RSA_2"}, +{ERR_FUNC(ASN1_F_D2I_PRIVATEKEY), "d2i_PrivateKey"}, +{ERR_FUNC(ASN1_F_D2I_PUBLICKEY), "d2i_PublicKey"}, +{ERR_FUNC(ASN1_F_D2I_X509), "D2I_X509"}, +{ERR_FUNC(ASN1_F_D2I_X509_CINF), "D2I_X509_CINF"}, +{ERR_FUNC(ASN1_F_D2I_X509_NAME), "D2I_X509_NAME"}, +{ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"}, +{ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"}, +{ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"}, +{ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"}, +{ERR_FUNC(ASN1_F_I2D_NETSCAPE_RSA), "i2d_Netscape_RSA"}, +{ERR_FUNC(ASN1_F_I2D_PRIVATEKEY), "i2d_PrivateKey"}, +{ERR_FUNC(ASN1_F_I2D_PUBLICKEY), "i2d_PublicKey"}, +{ERR_FUNC(ASN1_F_I2D_RSA_PUBKEY), "i2d_RSA_PUBKEY"}, +{ERR_FUNC(ASN1_F_LONG_C2I), "LONG_C2I"}, +{ERR_FUNC(ASN1_F_OID_MODULE_INIT), "OID_MODULE_INIT"}, +{ERR_FUNC(ASN1_F_PKCS5_PBE2_SET), "PKCS5_pbe2_set"}, +{ERR_FUNC(ASN1_F_X509_CINF_NEW), "X509_CINF_NEW"}, +{ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED), "X509_CRL_add0_revoked"}, +{ERR_FUNC(ASN1_F_X509_INFO_NEW), "X509_INFO_new"}, +{ERR_FUNC(ASN1_F_X509_NAME_NEW), "X509_NAME_NEW"}, +{ERR_FUNC(ASN1_F_X509_NEW), "X509_NEW"}, +{ERR_FUNC(ASN1_F_X509_PKEY_NEW), "X509_PKEY_new"}, {0,NULL} }; static ERR_STRING_DATA ASN1_str_reasons[]= { -{ASN1_R_ADDING_OBJECT ,"adding object"}, -{ASN1_R_AUX_ERROR ,"aux error"}, -{ASN1_R_BAD_CLASS ,"bad class"}, -{ASN1_R_BAD_OBJECT_HEADER ,"bad object header"}, -{ASN1_R_BAD_PASSWORD_READ ,"bad password read"}, -{ASN1_R_BAD_TAG ,"bad tag"}, -{ASN1_R_BN_LIB ,"bn lib"}, -{ASN1_R_BOOLEAN_IS_WRONG_LENGTH ,"boolean is wrong length"}, -{ASN1_R_BUFFER_TOO_SMALL ,"buffer too small"}, -{ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER ,"cipher has no object identifier"}, -{ASN1_R_DATA_IS_WRONG ,"data is wrong"}, -{ASN1_R_DECODE_ERROR ,"decode error"}, -{ASN1_R_DECODING_ERROR ,"decoding error"}, -{ASN1_R_ENCODE_ERROR ,"encode error"}, -{ASN1_R_ERROR_GETTING_TIME ,"error getting time"}, -{ASN1_R_ERROR_LOADING_SECTION ,"error loading section"}, -{ASN1_R_ERROR_PARSING_SET_ELEMENT ,"error parsing set element"}, -{ASN1_R_ERROR_SETTING_CIPHER_PARAMS ,"error setting cipher params"}, -{ASN1_R_EXPECTING_AN_INTEGER ,"expecting an integer"}, -{ASN1_R_EXPECTING_AN_OBJECT ,"expecting an object"}, -{ASN1_R_EXPECTING_A_BOOLEAN ,"expecting a boolean"}, -{ASN1_R_EXPECTING_A_TIME ,"expecting a time"}, -{ASN1_R_EXPLICIT_LENGTH_MISMATCH ,"explicit length mismatch"}, -{ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED ,"explicit tag not constructed"}, -{ASN1_R_FIELD_MISSING ,"field missing"}, -{ASN1_R_FIRST_NUM_TOO_LARGE ,"first num too large"}, -{ASN1_R_HEADER_TOO_LONG ,"header too long"}, -{ASN1_R_ILLEGAL_CHARACTERS ,"illegal characters"}, -{ASN1_R_ILLEGAL_NULL ,"illegal null"}, -{ASN1_R_ILLEGAL_OPTIONAL_ANY ,"illegal optional any"}, -{ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE ,"illegal options on item template"}, -{ASN1_R_ILLEGAL_TAGGED_ANY ,"illegal tagged any"}, -{ASN1_R_INTEGER_TOO_LARGE_FOR_LONG ,"integer too large for long"}, -{ASN1_R_INVALID_BMPSTRING_LENGTH ,"invalid bmpstring length"}, -{ASN1_R_INVALID_DIGIT ,"invalid digit"}, -{ASN1_R_INVALID_SEPARATOR ,"invalid separator"}, -{ASN1_R_INVALID_TIME_FORMAT ,"invalid time format"}, -{ASN1_R_INVALID_UNIVERSALSTRING_LENGTH ,"invalid universalstring length"}, -{ASN1_R_INVALID_UTF8STRING ,"invalid utf8string"}, -{ASN1_R_IV_TOO_LARGE ,"iv too large"}, -{ASN1_R_LENGTH_ERROR ,"length error"}, -{ASN1_R_MISSING_EOC ,"missing eoc"}, -{ASN1_R_MISSING_SECOND_NUMBER ,"missing second number"}, -{ASN1_R_MSTRING_NOT_UNIVERSAL ,"mstring not universal"}, -{ASN1_R_MSTRING_WRONG_TAG ,"mstring wrong tag"}, -{ASN1_R_NON_HEX_CHARACTERS ,"non hex characters"}, -{ASN1_R_NOT_ENOUGH_DATA ,"not enough data"}, -{ASN1_R_NO_MATCHING_CHOICE_TYPE ,"no matching choice type"}, -{ASN1_R_NULL_IS_WRONG_LENGTH ,"null is wrong length"}, -{ASN1_R_ODD_NUMBER_OF_CHARS ,"odd number of chars"}, -{ASN1_R_PRIVATE_KEY_HEADER_MISSING ,"private key header missing"}, -{ASN1_R_SECOND_NUMBER_TOO_LARGE ,"second number too large"}, -{ASN1_R_SEQUENCE_LENGTH_MISMATCH ,"sequence length mismatch"}, -{ASN1_R_SEQUENCE_NOT_CONSTRUCTED ,"sequence not constructed"}, -{ASN1_R_SHORT_LINE ,"short line"}, -{ASN1_R_STRING_TOO_LONG ,"string too long"}, -{ASN1_R_STRING_TOO_SHORT ,"string too short"}, -{ASN1_R_TAG_VALUE_TOO_HIGH ,"tag value too high"}, -{ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"}, -{ASN1_R_TOO_LONG ,"too long"}, -{ASN1_R_TYPE_NOT_CONSTRUCTED ,"type not constructed"}, -{ASN1_R_UNABLE_TO_DECODE_RSA_KEY ,"unable to decode rsa key"}, -{ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"}, -{ASN1_R_UNEXPECTED_EOC ,"unexpected eoc"}, -{ASN1_R_UNKNOWN_FORMAT ,"unknown format"}, -{ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"}, -{ASN1_R_UNKNOWN_OBJECT_TYPE ,"unknown object type"}, -{ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE ,"unknown public key type"}, -{ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE ,"unsupported any defined by type"}, -{ASN1_R_UNSUPPORTED_CIPHER ,"unsupported cipher"}, -{ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM ,"unsupported encryption algorithm"}, -{ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE ,"unsupported public key type"}, -{ASN1_R_WRONG_TAG ,"wrong tag"}, -{ASN1_R_WRONG_TYPE ,"wrong type"}, +{ERR_REASON(ASN1_R_ADDING_OBJECT) ,"adding object"}, +{ERR_REASON(ASN1_R_AUX_ERROR) ,"aux error"}, +{ERR_REASON(ASN1_R_BAD_CLASS) ,"bad class"}, +{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, +{ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, +{ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, +{ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, +{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, +{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, +{ERR_REASON(ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"}, +{ERR_REASON(ASN1_R_DATA_IS_WRONG) ,"data is wrong"}, +{ERR_REASON(ASN1_R_DECODE_ERROR) ,"decode error"}, +{ERR_REASON(ASN1_R_DECODING_ERROR) ,"decoding error"}, +{ERR_REASON(ASN1_R_ENCODE_ERROR) ,"encode error"}, +{ERR_REASON(ASN1_R_ERROR_GETTING_TIME) ,"error getting time"}, +{ERR_REASON(ASN1_R_ERROR_LOADING_SECTION),"error loading section"}, +{ERR_REASON(ASN1_R_ERROR_PARSING_SET_ELEMENT),"error parsing set element"}, +{ERR_REASON(ASN1_R_ERROR_SETTING_CIPHER_PARAMS),"error setting cipher params"}, +{ERR_REASON(ASN1_R_EXPECTING_AN_INTEGER) ,"expecting an integer"}, +{ERR_REASON(ASN1_R_EXPECTING_AN_OBJECT) ,"expecting an object"}, +{ERR_REASON(ASN1_R_EXPECTING_A_BOOLEAN) ,"expecting a boolean"}, +{ERR_REASON(ASN1_R_EXPECTING_A_TIME) ,"expecting a time"}, +{ERR_REASON(ASN1_R_EXPLICIT_LENGTH_MISMATCH),"explicit length mismatch"}, +{ERR_REASON(ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED),"explicit tag not constructed"}, +{ERR_REASON(ASN1_R_FIELD_MISSING) ,"field missing"}, +{ERR_REASON(ASN1_R_FIRST_NUM_TOO_LARGE) ,"first num too large"}, +{ERR_REASON(ASN1_R_HEADER_TOO_LONG) ,"header too long"}, +{ERR_REASON(ASN1_R_ILLEGAL_CHARACTERS) ,"illegal characters"}, +{ERR_REASON(ASN1_R_ILLEGAL_NULL) ,"illegal null"}, +{ERR_REASON(ASN1_R_ILLEGAL_OPTIONAL_ANY) ,"illegal optional any"}, +{ERR_REASON(ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE),"illegal options on item template"}, +{ERR_REASON(ASN1_R_ILLEGAL_TAGGED_ANY) ,"illegal tagged any"}, +{ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"}, +{ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"}, +{ERR_REASON(ASN1_R_INVALID_DIGIT) ,"invalid digit"}, +{ERR_REASON(ASN1_R_INVALID_SEPARATOR) ,"invalid separator"}, +{ERR_REASON(ASN1_R_INVALID_TIME_FORMAT) ,"invalid time format"}, +{ERR_REASON(ASN1_R_INVALID_UNIVERSALSTRING_LENGTH),"invalid universalstring length"}, +{ERR_REASON(ASN1_R_INVALID_UTF8STRING) ,"invalid utf8string"}, +{ERR_REASON(ASN1_R_IV_TOO_LARGE) ,"iv too large"}, +{ERR_REASON(ASN1_R_LENGTH_ERROR) ,"length error"}, +{ERR_REASON(ASN1_R_MISSING_EOC) ,"missing eoc"}, +{ERR_REASON(ASN1_R_MISSING_SECOND_NUMBER),"missing second number"}, +{ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL),"mstring not universal"}, +{ERR_REASON(ASN1_R_MSTRING_WRONG_TAG) ,"mstring wrong tag"}, +{ERR_REASON(ASN1_R_NESTED_ASN1_STRING) ,"nested asn1 string"}, +{ERR_REASON(ASN1_R_NON_HEX_CHARACTERS) ,"non hex characters"}, +{ERR_REASON(ASN1_R_NOT_ENOUGH_DATA) ,"not enough data"}, +{ERR_REASON(ASN1_R_NO_MATCHING_CHOICE_TYPE),"no matching choice type"}, +{ERR_REASON(ASN1_R_NULL_IS_WRONG_LENGTH) ,"null is wrong length"}, +{ERR_REASON(ASN1_R_ODD_NUMBER_OF_CHARS) ,"odd number of chars"}, +{ERR_REASON(ASN1_R_PRIVATE_KEY_HEADER_MISSING),"private key header missing"}, +{ERR_REASON(ASN1_R_SECOND_NUMBER_TOO_LARGE),"second number too large"}, +{ERR_REASON(ASN1_R_SEQUENCE_LENGTH_MISMATCH),"sequence length mismatch"}, +{ERR_REASON(ASN1_R_SEQUENCE_NOT_CONSTRUCTED),"sequence not constructed"}, +{ERR_REASON(ASN1_R_SHORT_LINE) ,"short line"}, +{ERR_REASON(ASN1_R_STRING_TOO_LONG) ,"string too long"}, +{ERR_REASON(ASN1_R_STRING_TOO_SHORT) ,"string too short"}, +{ERR_REASON(ASN1_R_TAG_VALUE_TOO_HIGH) ,"tag value too high"}, +{ERR_REASON(ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"}, +{ERR_REASON(ASN1_R_TOO_LONG) ,"too long"}, +{ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"}, +{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, +{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, +{ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, +{ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, +{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, +{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, +{ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"}, +{ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"}, +{ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, +{ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"}, +{ERR_REASON(ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE),"unsupported public key type"}, +{ERR_REASON(ASN1_R_WRONG_TAG) ,"wrong tag"}, +{ERR_REASON(ASN1_R_WRONG_TYPE) ,"wrong type"}, {0,NULL} }; @@ -240,8 +246,8 @@ void ERR_load_ASN1_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_ASN1,ASN1_str_functs); - ERR_load_strings(ERR_LIB_ASN1,ASN1_str_reasons); + ERR_load_strings(0,ASN1_str_functs); + ERR_load_strings(0,ASN1_str_reasons); #endif } diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c index 2426cb6253..c22501fc63 100644 --- a/src/lib/libcrypto/asn1/tasn_dec.c +++ b/src/lib/libcrypto/asn1/tasn_dec.c @@ -66,6 +66,7 @@ #include static int asn1_check_eoc(unsigned char **in, long len); +static int asn1_find_end(unsigned char **in, long len, char inf); static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass); static int collect_data(BUF_MEM *buf, unsigned char **p, long plen); static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst, @@ -644,7 +645,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl cont = *in; /* If indefinite length constructed find the real end */ if(inf) { - if(!asn1_collect(NULL, &p, plen, inf, -1, -1)) goto err; + if(!asn1_find_end(&p, plen, inf)) goto err; len = p - cont; } else { len = p - cont + plen; @@ -807,12 +808,66 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char return ret; } +/* This function finds the end of an ASN1 structure when passed its maximum + * length, whether it is indefinite length and a pointer to the content. + * This is more efficient than calling asn1_collect because it does not + * recurse on each indefinite length header. + */ + +static int asn1_find_end(unsigned char **in, long len, char inf) + { + int expected_eoc; + long plen; + unsigned char *p = *in, *q; + /* If not indefinite length constructed just add length */ + if (inf == 0) + { + *in += len; + return 1; + } + expected_eoc = 1; + /* Indefinite length constructed form. Find the end when enough EOCs + * are found. If more indefinite length constructed headers + * are encountered increment the expected eoc count otherwise justi + * skip to the end of the data. + */ + while (len > 0) + { + if(asn1_check_eoc(&p, len)) + { + expected_eoc--; + if (expected_eoc == 0) + break; + len -= 2; + continue; + } + q = p; + /* Just read in a header: only care about the length */ + if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, + -1, 0, 0, NULL)) + { + ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR); + return 0; + } + if (inf) + expected_eoc++; + else + p += plen; + len -= p - q; + } + if (expected_eoc) + { + ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC); + return 0; + } + *in = p; + return 1; + } + /* This function collects the asn1 data from a constructred string * type into a buffer. The values of 'in' and 'len' should refer * to the contents of the constructed type and 'inf' should be set - * if it is indefinite length. If 'buf' is NULL then we just want - * to find the end of the current structure: useful for indefinite - * length constructed stuff. + * if it is indefinite length. */ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass) @@ -822,11 +877,6 @@ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, in char cst, ininf; p = *in; inf &= 1; - /* If no buffer and not indefinite length constructed just pass over the encoded data */ - if(!buf && !inf) { - *in += len; - return 1; - } while(len > 0) { q = p; /* Check for EOC */ @@ -845,9 +895,15 @@ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, in } /* If indefinite length constructed update max length */ if(cst) { - if(!asn1_collect(buf, &p, plen, ininf, tag, aclass)) return 0; +#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS + if (!asn1_collect(buf, &p, plen, ininf, tag, aclass)) + return 0; +#else + ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING); + return 0; +#endif } else { - if(!collect_data(buf, &p, plen)) return 0; + if(plen && !collect_data(buf, &p, plen)) return 0; } len -= p - q; } diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c index f6c8ddef0a..c675c3c832 100644 --- a/src/lib/libcrypto/asn1/tasn_enc.c +++ b/src/lib/libcrypto/asn1/tasn_enc.c @@ -445,9 +445,12 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_ case V_ASN1_BOOLEAN: tbool = (ASN1_BOOLEAN *)pval; if(*tbool == -1) return -1; - /* Default handling if value == size field then omit */ - if(*tbool && (it->size > 0)) return -1; - if(!*tbool && !it->size) return -1; + if (it->utype != V_ASN1_ANY) + { + /* Default handling if value == size field then omit */ + if(*tbool && (it->size > 0)) return -1; + if(!*tbool && !it->size) return -1; + } c = (unsigned char)*tbool; cont = &c; len = 1; diff --git a/src/lib/libcrypto/bf/bf_skey.c b/src/lib/libcrypto/bf/bf_skey.c index fc5bebefce..1931aba83f 100644 --- a/src/lib/libcrypto/bf/bf_skey.c +++ b/src/lib/libcrypto/bf/bf_skey.c @@ -60,6 +60,7 @@ #include #include #include +#include #include "bf_locl.h" #include "bf_pi.h" diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c index c2bb357b4c..165f046295 100644 --- a/src/lib/libcrypto/bio/b_print.c +++ b/src/lib/libcrypto/bio/b_print.c @@ -576,7 +576,7 @@ abs_val(LDOUBLE value) } static LDOUBLE -pow10(int in_exp) +pow_10(int in_exp) { LDOUBLE result = 1; while (in_exp) { @@ -639,11 +639,11 @@ fmtfp( /* we "cheat" by converting the fractional part to integer by multiplying by a factor of 10 */ - fracpart = roundv((pow10(max)) * (ufvalue - intpart)); + fracpart = roundv((pow_10(max)) * (ufvalue - intpart)); - if (fracpart >= (long)pow10(max)) { + if (fracpart >= (long)pow_10(max)) { intpart++; - fracpart -= (long)pow10(max); + fracpart -= (long)pow_10(max); } /* convert integer part */ diff --git a/src/lib/libcrypto/bio/bio_err.c b/src/lib/libcrypto/bio/bio_err.c index 68a119d895..8859a58ae4 100644 --- a/src/lib/libcrypto/bio/bio_err.c +++ b/src/lib/libcrypto/bio/bio_err.c @@ -1,6 +1,6 @@ /* crypto/bio/bio_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,73 +64,77 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BIO,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BIO,0,reason) + static ERR_STRING_DATA BIO_str_functs[]= { -{ERR_PACK(0,BIO_F_ACPT_STATE,0), "ACPT_STATE"}, -{ERR_PACK(0,BIO_F_BIO_ACCEPT,0), "BIO_accept"}, -{ERR_PACK(0,BIO_F_BIO_BER_GET_HEADER,0), "BIO_BER_GET_HEADER"}, -{ERR_PACK(0,BIO_F_BIO_CTRL,0), "BIO_ctrl"}, -{ERR_PACK(0,BIO_F_BIO_GETHOSTBYNAME,0), "BIO_gethostbyname"}, -{ERR_PACK(0,BIO_F_BIO_GETS,0), "BIO_gets"}, -{ERR_PACK(0,BIO_F_BIO_GET_ACCEPT_SOCKET,0), "BIO_get_accept_socket"}, -{ERR_PACK(0,BIO_F_BIO_GET_HOST_IP,0), "BIO_get_host_ip"}, -{ERR_PACK(0,BIO_F_BIO_GET_PORT,0), "BIO_get_port"}, -{ERR_PACK(0,BIO_F_BIO_MAKE_PAIR,0), "BIO_MAKE_PAIR"}, -{ERR_PACK(0,BIO_F_BIO_NEW,0), "BIO_new"}, -{ERR_PACK(0,BIO_F_BIO_NEW_FILE,0), "BIO_new_file"}, -{ERR_PACK(0,BIO_F_BIO_NEW_MEM_BUF,0), "BIO_new_mem_buf"}, -{ERR_PACK(0,BIO_F_BIO_NREAD,0), "BIO_nread"}, -{ERR_PACK(0,BIO_F_BIO_NREAD0,0), "BIO_nread0"}, -{ERR_PACK(0,BIO_F_BIO_NWRITE,0), "BIO_nwrite"}, -{ERR_PACK(0,BIO_F_BIO_NWRITE0,0), "BIO_nwrite0"}, -{ERR_PACK(0,BIO_F_BIO_PUTS,0), "BIO_puts"}, -{ERR_PACK(0,BIO_F_BIO_READ,0), "BIO_read"}, -{ERR_PACK(0,BIO_F_BIO_SOCK_INIT,0), "BIO_sock_init"}, -{ERR_PACK(0,BIO_F_BIO_WRITE,0), "BIO_write"}, -{ERR_PACK(0,BIO_F_BUFFER_CTRL,0), "BUFFER_CTRL"}, -{ERR_PACK(0,BIO_F_CONN_CTRL,0), "CONN_CTRL"}, -{ERR_PACK(0,BIO_F_CONN_STATE,0), "CONN_STATE"}, -{ERR_PACK(0,BIO_F_FILE_CTRL,0), "FILE_CTRL"}, -{ERR_PACK(0,BIO_F_FILE_READ,0), "FILE_READ"}, -{ERR_PACK(0,BIO_F_LINEBUFFER_CTRL,0), "LINEBUFFER_CTRL"}, -{ERR_PACK(0,BIO_F_MEM_READ,0), "MEM_READ"}, -{ERR_PACK(0,BIO_F_MEM_WRITE,0), "MEM_WRITE"}, -{ERR_PACK(0,BIO_F_SSL_NEW,0), "SSL_new"}, -{ERR_PACK(0,BIO_F_WSASTARTUP,0), "WSASTARTUP"}, +{ERR_FUNC(BIO_F_ACPT_STATE), "ACPT_STATE"}, +{ERR_FUNC(BIO_F_BIO_ACCEPT), "BIO_accept"}, +{ERR_FUNC(BIO_F_BIO_BER_GET_HEADER), "BIO_BER_GET_HEADER"}, +{ERR_FUNC(BIO_F_BIO_CTRL), "BIO_ctrl"}, +{ERR_FUNC(BIO_F_BIO_GETHOSTBYNAME), "BIO_gethostbyname"}, +{ERR_FUNC(BIO_F_BIO_GETS), "BIO_gets"}, +{ERR_FUNC(BIO_F_BIO_GET_ACCEPT_SOCKET), "BIO_get_accept_socket"}, +{ERR_FUNC(BIO_F_BIO_GET_HOST_IP), "BIO_get_host_ip"}, +{ERR_FUNC(BIO_F_BIO_GET_PORT), "BIO_get_port"}, +{ERR_FUNC(BIO_F_BIO_MAKE_PAIR), "BIO_MAKE_PAIR"}, +{ERR_FUNC(BIO_F_BIO_NEW), "BIO_new"}, +{ERR_FUNC(BIO_F_BIO_NEW_FILE), "BIO_new_file"}, +{ERR_FUNC(BIO_F_BIO_NEW_MEM_BUF), "BIO_new_mem_buf"}, +{ERR_FUNC(BIO_F_BIO_NREAD), "BIO_nread"}, +{ERR_FUNC(BIO_F_BIO_NREAD0), "BIO_nread0"}, +{ERR_FUNC(BIO_F_BIO_NWRITE), "BIO_nwrite"}, +{ERR_FUNC(BIO_F_BIO_NWRITE0), "BIO_nwrite0"}, +{ERR_FUNC(BIO_F_BIO_PUTS), "BIO_puts"}, +{ERR_FUNC(BIO_F_BIO_READ), "BIO_read"}, +{ERR_FUNC(BIO_F_BIO_SOCK_INIT), "BIO_sock_init"}, +{ERR_FUNC(BIO_F_BIO_WRITE), "BIO_write"}, +{ERR_FUNC(BIO_F_BUFFER_CTRL), "BUFFER_CTRL"}, +{ERR_FUNC(BIO_F_CONN_CTRL), "CONN_CTRL"}, +{ERR_FUNC(BIO_F_CONN_STATE), "CONN_STATE"}, +{ERR_FUNC(BIO_F_FILE_CTRL), "FILE_CTRL"}, +{ERR_FUNC(BIO_F_FILE_READ), "FILE_READ"}, +{ERR_FUNC(BIO_F_LINEBUFFER_CTRL), "LINEBUFFER_CTRL"}, +{ERR_FUNC(BIO_F_MEM_READ), "MEM_READ"}, +{ERR_FUNC(BIO_F_MEM_WRITE), "MEM_WRITE"}, +{ERR_FUNC(BIO_F_SSL_NEW), "SSL_new"}, +{ERR_FUNC(BIO_F_WSASTARTUP), "WSASTARTUP"}, {0,NULL} }; static ERR_STRING_DATA BIO_str_reasons[]= { -{BIO_R_ACCEPT_ERROR ,"accept error"}, -{BIO_R_BAD_FOPEN_MODE ,"bad fopen mode"}, -{BIO_R_BAD_HOSTNAME_LOOKUP ,"bad hostname lookup"}, -{BIO_R_BROKEN_PIPE ,"broken pipe"}, -{BIO_R_CONNECT_ERROR ,"connect error"}, -{BIO_R_EOF_ON_MEMORY_BIO ,"EOF on memory BIO"}, -{BIO_R_ERROR_SETTING_NBIO ,"error setting nbio"}, -{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET,"error setting nbio on accepted socket"}, -{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET,"error setting nbio on accept socket"}, -{BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET ,"gethostbyname addr is not af inet"}, -{BIO_R_INVALID_ARGUMENT ,"invalid argument"}, -{BIO_R_INVALID_IP_ADDRESS ,"invalid ip address"}, -{BIO_R_IN_USE ,"in use"}, -{BIO_R_KEEPALIVE ,"keepalive"}, -{BIO_R_NBIO_CONNECT_ERROR ,"nbio connect error"}, -{BIO_R_NO_ACCEPT_PORT_SPECIFIED ,"no accept port specified"}, -{BIO_R_NO_HOSTNAME_SPECIFIED ,"no hostname specified"}, -{BIO_R_NO_PORT_DEFINED ,"no port defined"}, -{BIO_R_NO_PORT_SPECIFIED ,"no port specified"}, -{BIO_R_NO_SUCH_FILE ,"no such file"}, -{BIO_R_NULL_PARAMETER ,"null parameter"}, -{BIO_R_TAG_MISMATCH ,"tag mismatch"}, -{BIO_R_UNABLE_TO_BIND_SOCKET ,"unable to bind socket"}, -{BIO_R_UNABLE_TO_CREATE_SOCKET ,"unable to create socket"}, -{BIO_R_UNABLE_TO_LISTEN_SOCKET ,"unable to listen socket"}, -{BIO_R_UNINITIALIZED ,"uninitialized"}, -{BIO_R_UNSUPPORTED_METHOD ,"unsupported method"}, -{BIO_R_WRITE_TO_READ_ONLY_BIO ,"write to read only BIO"}, -{BIO_R_WSASTARTUP ,"WSAStartup"}, +{ERR_REASON(BIO_R_ACCEPT_ERROR) ,"accept error"}, +{ERR_REASON(BIO_R_BAD_FOPEN_MODE) ,"bad fopen mode"}, +{ERR_REASON(BIO_R_BAD_HOSTNAME_LOOKUP) ,"bad hostname lookup"}, +{ERR_REASON(BIO_R_BROKEN_PIPE) ,"broken pipe"}, +{ERR_REASON(BIO_R_CONNECT_ERROR) ,"connect error"}, +{ERR_REASON(BIO_R_EOF_ON_MEMORY_BIO) ,"EOF on memory BIO"}, +{ERR_REASON(BIO_R_ERROR_SETTING_NBIO) ,"error setting nbio"}, +{ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET),"error setting nbio on accepted socket"}, +{ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET),"error setting nbio on accept socket"}, +{ERR_REASON(BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET),"gethostbyname addr is not af inet"}, +{ERR_REASON(BIO_R_INVALID_ARGUMENT) ,"invalid argument"}, +{ERR_REASON(BIO_R_INVALID_IP_ADDRESS) ,"invalid ip address"}, +{ERR_REASON(BIO_R_IN_USE) ,"in use"}, +{ERR_REASON(BIO_R_KEEPALIVE) ,"keepalive"}, +{ERR_REASON(BIO_R_NBIO_CONNECT_ERROR) ,"nbio connect error"}, +{ERR_REASON(BIO_R_NO_ACCEPT_PORT_SPECIFIED),"no accept port specified"}, +{ERR_REASON(BIO_R_NO_HOSTNAME_SPECIFIED) ,"no hostname specified"}, +{ERR_REASON(BIO_R_NO_PORT_DEFINED) ,"no port defined"}, +{ERR_REASON(BIO_R_NO_PORT_SPECIFIED) ,"no port specified"}, +{ERR_REASON(BIO_R_NO_SUCH_FILE) ,"no such file"}, +{ERR_REASON(BIO_R_NULL_PARAMETER) ,"null parameter"}, +{ERR_REASON(BIO_R_TAG_MISMATCH) ,"tag mismatch"}, +{ERR_REASON(BIO_R_UNABLE_TO_BIND_SOCKET) ,"unable to bind socket"}, +{ERR_REASON(BIO_R_UNABLE_TO_CREATE_SOCKET),"unable to create socket"}, +{ERR_REASON(BIO_R_UNABLE_TO_LISTEN_SOCKET),"unable to listen socket"}, +{ERR_REASON(BIO_R_UNINITIALIZED) ,"uninitialized"}, +{ERR_REASON(BIO_R_UNSUPPORTED_METHOD) ,"unsupported method"}, +{ERR_REASON(BIO_R_WRITE_TO_READ_ONLY_BIO),"write to read only BIO"}, +{ERR_REASON(BIO_R_WSASTARTUP) ,"WSAStartup"}, {0,NULL} }; @@ -144,8 +148,8 @@ void ERR_load_BIO_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_BIO,BIO_str_functs); - ERR_load_strings(ERR_LIB_BIO,BIO_str_reasons); + ERR_load_strings(0,BIO_str_functs); + ERR_load_strings(0,BIO_str_reasons); #endif } diff --git a/src/lib/libcrypto/bio/bss_conn.c b/src/lib/libcrypto/bio/bss_conn.c index f5d0e759e2..216780ed5e 100644 --- a/src/lib/libcrypto/bio/bss_conn.c +++ b/src/lib/libcrypto/bio/bss_conn.c @@ -469,7 +469,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) break; case BIO_C_DO_STATE_MACHINE: /* use this one to start the connection */ - if (!data->state != BIO_CONN_S_OK) + if (data->state != BIO_CONN_S_OK) ret=(long)conn_state(b,data); else ret=1; diff --git a/src/lib/libcrypto/bn/asm/ppc.pl b/src/lib/libcrypto/bn/asm/ppc.pl index 307c7ccb35..08e0053473 100644 --- a/src/lib/libcrypto/bn/asm/ppc.pl +++ b/src/lib/libcrypto/bn/asm/ppc.pl @@ -116,7 +116,7 @@ if ($opf =~ /32\.s/) { $UDIV= "divwu"; # unsigned divide $UCMPI= "cmplwi"; # unsigned compare with immediate $UCMP= "cmplw"; # unsigned compare - $COUNTZ="cntlzw"; # count leading zeros + $CNTLZ= "cntlzw"; # count leading zeros $SHL= "slw"; # shift left $SHR= "srw"; # unsigned shift right $SHRI= "srwi"; # unsigned shift right by immediate @@ -124,6 +124,7 @@ if ($opf =~ /32\.s/) { $CLRU= "clrlwi"; # clear upper bits $INSR= "insrwi"; # insert right $ROTL= "rotlwi"; # rotate left by immediate + $TR= "tw"; # conditional trap } elsif ($opf =~ /64\.s/) { $BITS= 64; $BNSZ= $BITS/8; @@ -139,7 +140,7 @@ if ($opf =~ /32\.s/) { $UDIV= "divdu"; # unsigned divide $UCMPI= "cmpldi"; # unsigned compare with immediate $UCMP= "cmpld"; # unsigned compare - $COUNTZ="cntlzd"; # count leading zeros + $CNTLZ= "cntlzd"; # count leading zeros $SHL= "sld"; # shift left $SHR= "srd"; # unsigned shift right $SHRI= "srdi"; # unsigned shift right by immediate @@ -147,6 +148,7 @@ if ($opf =~ /32\.s/) { $CLRU= "clrldi"; # clear upper bits $INSR= "insrdi"; # insert right $ROTL= "rotldi"; # rotate left by immediate + $TR= "td"; # conditional trap } else { die "nonsense $opf"; } ( defined shift || open STDOUT,">$opf" ) || die "can't open $opf: $!"; @@ -1710,17 +1712,12 @@ Lppcasm_add_adios: bclr BO_ALWAYS,CR0_LT Lppcasm_div1: xor r0,r0,r0 #r0=0 - $COUNTZ r7,r5 #r7 = num leading 0s in d. - subfic r8,r7,$BITS #r8 = BN_num_bits_word(d) - cmpi 0,0,r8,$BITS # - bc BO_IF,CR0_EQ,Lppcasm_div2 #proceed if (r8==$BITS) - li r9,1 # r9=1 - $SHL r10,r9,r8 # r9<<=r8 - $UCMP 0,r3,r10 # - bc BO_IF,CR0_GT,Lppcasm_div2 #or if (h > (1<=d? bc BO_IF,CR0_LT,Lppcasm_div3 #goto Lppcasm_div3 if not diff --git a/src/lib/libcrypto/bn/asm/sparcv8plus.S b/src/lib/libcrypto/bn/asm/sparcv8plus.S index 0074dfdb75..8c56e2e7e7 100644 --- a/src/lib/libcrypto/bn/asm/sparcv8plus.S +++ b/src/lib/libcrypto/bn/asm/sparcv8plus.S @@ -162,10 +162,14 @@ * BN_ULONG w; */ bn_mul_add_words: + sra %o2,%g0,%o2 ! signx %o2 brgz,a %o2,.L_bn_mul_add_words_proceed lduw [%o1],%g2 retl clr %o0 + nop + nop + nop .L_bn_mul_add_words_proceed: srl %o3,%g0,%o3 ! clruw %o3 @@ -260,10 +264,14 @@ bn_mul_add_words: * BN_ULONG w; */ bn_mul_words: + sra %o2,%g0,%o2 ! signx %o2 brgz,a %o2,.L_bn_mul_words_proceeed lduw [%o1],%g2 retl clr %o0 + nop + nop + nop .L_bn_mul_words_proceeed: srl %o3,%g0,%o3 ! clruw %o3 @@ -344,10 +352,14 @@ bn_mul_words: * int n; */ bn_sqr_words: + sra %o2,%g0,%o2 ! signx %o2 brgz,a %o2,.L_bn_sqr_words_proceeed lduw [%o1],%g2 retl clr %o0 + nop + nop + nop .L_bn_sqr_words_proceeed: andcc %o2,-4,%g0 @@ -445,6 +457,7 @@ bn_div_words: * int n; */ bn_add_words: + sra %o3,%g0,%o3 ! signx %o3 brgz,a %o3,.L_bn_add_words_proceed lduw [%o1],%o4 retl @@ -454,7 +467,6 @@ bn_add_words: andcc %o3,-4,%g0 bz,pn %icc,.L_bn_add_words_tail addcc %g0,0,%g0 ! clear carry flag - nop .L_bn_add_words_loop: ! wow! 32 aligned! dec 4,%o3 @@ -523,6 +535,7 @@ bn_add_words: * int n; */ bn_sub_words: + sra %o3,%g0,%o3 ! signx %o3 brgz,a %o3,.L_bn_sub_words_proceed lduw [%o1],%o4 retl @@ -532,7 +545,6 @@ bn_sub_words: andcc %o3,-4,%g0 bz,pn %icc,.L_bn_sub_words_tail addcc %g0,0,%g0 ! clear carry flag - nop .L_bn_sub_words_loop: ! wow! 32 aligned! dec 4,%o3 diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h index 3da6d8ced9..1251521c54 100644 --- a/src/lib/libcrypto/bn/bn.h +++ b/src/lib/libcrypto/bn/bn.h @@ -225,10 +225,23 @@ extern "C" { #define BN_FLG_MALLOCED 0x01 #define BN_FLG_STATIC_DATA 0x02 +#define BN_FLG_EXP_CONSTTIME 0x04 /* avoid leaking exponent information through timings + * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */ #define BN_FLG_FREE 0x8000 /* used for debuging */ #define BN_set_flags(b,n) ((b)->flags|=(n)) #define BN_get_flags(b,n) ((b)->flags&(n)) +/* get a clone of a BIGNUM with changed flags, for *temporary* use only + * (the two BIGNUMs cannot not be used in parallel!) */ +#define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \ + (dest)->top=(b)->top, \ + (dest)->dmax=(b)->dmax, \ + (dest)->neg=(b)->neg, \ + (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \ + | ((b)->flags & ~BN_FLG_MALLOCED) \ + | BN_FLG_STATIC_DATA \ + | (n))) + typedef struct bignum_st { BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks. */ @@ -378,6 +391,8 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,BN_CTX *ctx); int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont); int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1, @@ -423,6 +438,19 @@ int BN_is_prime_fasttest(const BIGNUM *p,int nchecks, void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg, int do_trial_division); +#ifdef OPENSSL_FIPS +int BN_X931_derive_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, + void (*cb)(int, int, void *), void *cb_arg, + const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, + const BIGNUM *e, BN_CTX *ctx); +int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx); +int BN_X931_generate_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, + BIGNUM *Xp1, BIGNUM *Xp2, + const BIGNUM *Xp, + const BIGNUM *e, BN_CTX *ctx, + void (*cb)(int, int, void *), void *cb_arg); +#endif + BN_MONT_CTX *BN_MONT_CTX_new(void ); void BN_MONT_CTX_init(BN_MONT_CTX *ctx); int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b, @@ -434,6 +462,8 @@ int BN_from_montgomery(BIGNUM *r,const BIGNUM *a, void BN_MONT_CTX_free(BN_MONT_CTX *mont); int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx); BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from); +BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, + const BIGNUM *mod, BN_CTX *ctx); BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod); void BN_BLINDING_free(BN_BLINDING *b); @@ -510,11 +540,15 @@ void ERR_load_BN_strings(void); #define BN_F_BN_CTX_GET 116 #define BN_F_BN_CTX_NEW 106 #define BN_F_BN_DIV 107 +#define BN_F_BN_EXP 123 #define BN_F_BN_EXPAND2 108 #define BN_F_BN_EXPAND_INTERNAL 120 #define BN_F_BN_MOD_EXP2_MONT 118 #define BN_F_BN_MOD_EXP_MONT 109 +#define BN_F_BN_MOD_EXP_MONT_CONSTTIME 124 #define BN_F_BN_MOD_EXP_MONT_WORD 117 +#define BN_F_BN_MOD_EXP_RECP 125 +#define BN_F_BN_MOD_EXP_SIMPLE 126 #define BN_F_BN_MOD_INVERSE 110 #define BN_F_BN_MOD_LSHIFT_QUICK 119 #define BN_F_BN_MOD_MUL_RECIPROCAL 111 diff --git a/src/lib/libcrypto/bn/bn_asm.c b/src/lib/libcrypto/bn/bn_asm.c index be8aa3ffc5..19978085b2 100644 --- a/src/lib/libcrypto/bn/bn_asm.c +++ b/src/lib/libcrypto/bn/bn_asm.c @@ -237,7 +237,7 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) if (d == 0) return(BN_MASK2); i=BN_num_bits_word(d); - assert((i == BN_BITS2) || (h > (BN_ULONG)1<= d) h-=d; diff --git a/src/lib/libcrypto/bn/bn_err.c b/src/lib/libcrypto/bn/bn_err.c index fb84ee96d8..5dfac00c88 100644 --- a/src/lib/libcrypto/bn/bn_err.c +++ b/src/lib/libcrypto/bn/bn_err.c @@ -1,6 +1,6 @@ /* crypto/bn/bn_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,52 +64,60 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BN,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BN,0,reason) + static ERR_STRING_DATA BN_str_functs[]= { -{ERR_PACK(0,BN_F_BN_BLINDING_CONVERT,0), "BN_BLINDING_convert"}, -{ERR_PACK(0,BN_F_BN_BLINDING_INVERT,0), "BN_BLINDING_invert"}, -{ERR_PACK(0,BN_F_BN_BLINDING_NEW,0), "BN_BLINDING_new"}, -{ERR_PACK(0,BN_F_BN_BLINDING_UPDATE,0), "BN_BLINDING_update"}, -{ERR_PACK(0,BN_F_BN_BN2DEC,0), "BN_bn2dec"}, -{ERR_PACK(0,BN_F_BN_BN2HEX,0), "BN_bn2hex"}, -{ERR_PACK(0,BN_F_BN_CTX_GET,0), "BN_CTX_get"}, -{ERR_PACK(0,BN_F_BN_CTX_NEW,0), "BN_CTX_new"}, -{ERR_PACK(0,BN_F_BN_DIV,0), "BN_div"}, -{ERR_PACK(0,BN_F_BN_EXPAND2,0), "bn_expand2"}, -{ERR_PACK(0,BN_F_BN_EXPAND_INTERNAL,0), "BN_EXPAND_INTERNAL"}, -{ERR_PACK(0,BN_F_BN_MOD_EXP2_MONT,0), "BN_mod_exp2_mont"}, -{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT,0), "BN_mod_exp_mont"}, -{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT_WORD,0), "BN_mod_exp_mont_word"}, -{ERR_PACK(0,BN_F_BN_MOD_INVERSE,0), "BN_mod_inverse"}, -{ERR_PACK(0,BN_F_BN_MOD_LSHIFT_QUICK,0), "BN_mod_lshift_quick"}, -{ERR_PACK(0,BN_F_BN_MOD_MUL_RECIPROCAL,0), "BN_mod_mul_reciprocal"}, -{ERR_PACK(0,BN_F_BN_MOD_SQRT,0), "BN_mod_sqrt"}, -{ERR_PACK(0,BN_F_BN_MPI2BN,0), "BN_mpi2bn"}, -{ERR_PACK(0,BN_F_BN_NEW,0), "BN_new"}, -{ERR_PACK(0,BN_F_BN_RAND,0), "BN_rand"}, -{ERR_PACK(0,BN_F_BN_RAND_RANGE,0), "BN_rand_range"}, -{ERR_PACK(0,BN_F_BN_USUB,0), "BN_usub"}, +{ERR_FUNC(BN_F_BN_BLINDING_CONVERT), "BN_BLINDING_convert"}, +{ERR_FUNC(BN_F_BN_BLINDING_INVERT), "BN_BLINDING_invert"}, +{ERR_FUNC(BN_F_BN_BLINDING_NEW), "BN_BLINDING_new"}, +{ERR_FUNC(BN_F_BN_BLINDING_UPDATE), "BN_BLINDING_update"}, +{ERR_FUNC(BN_F_BN_BN2DEC), "BN_bn2dec"}, +{ERR_FUNC(BN_F_BN_BN2HEX), "BN_bn2hex"}, +{ERR_FUNC(BN_F_BN_CTX_GET), "BN_CTX_get"}, +{ERR_FUNC(BN_F_BN_CTX_NEW), "BN_CTX_new"}, +{ERR_FUNC(BN_F_BN_DIV), "BN_div"}, +{ERR_FUNC(BN_F_BN_EXP), "BN_exp"}, +{ERR_FUNC(BN_F_BN_EXPAND2), "bn_expand2"}, +{ERR_FUNC(BN_F_BN_EXPAND_INTERNAL), "BN_EXPAND_INTERNAL"}, +{ERR_FUNC(BN_F_BN_MOD_EXP2_MONT), "BN_mod_exp2_mont"}, +{ERR_FUNC(BN_F_BN_MOD_EXP_MONT), "BN_mod_exp_mont"}, +{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_CONSTTIME), "BN_mod_exp_mont_consttime"}, +{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_WORD), "BN_mod_exp_mont_word"}, +{ERR_FUNC(BN_F_BN_MOD_EXP_RECP), "BN_mod_exp_recp"}, +{ERR_FUNC(BN_F_BN_MOD_EXP_SIMPLE), "BN_mod_exp_simple"}, +{ERR_FUNC(BN_F_BN_MOD_INVERSE), "BN_mod_inverse"}, +{ERR_FUNC(BN_F_BN_MOD_LSHIFT_QUICK), "BN_mod_lshift_quick"}, +{ERR_FUNC(BN_F_BN_MOD_MUL_RECIPROCAL), "BN_mod_mul_reciprocal"}, +{ERR_FUNC(BN_F_BN_MOD_SQRT), "BN_mod_sqrt"}, +{ERR_FUNC(BN_F_BN_MPI2BN), "BN_mpi2bn"}, +{ERR_FUNC(BN_F_BN_NEW), "BN_new"}, +{ERR_FUNC(BN_F_BN_RAND), "BN_rand"}, +{ERR_FUNC(BN_F_BN_RAND_RANGE), "BN_rand_range"}, +{ERR_FUNC(BN_F_BN_USUB), "BN_usub"}, {0,NULL} }; static ERR_STRING_DATA BN_str_reasons[]= { -{BN_R_ARG2_LT_ARG3 ,"arg2 lt arg3"}, -{BN_R_BAD_RECIPROCAL ,"bad reciprocal"}, -{BN_R_BIGNUM_TOO_LONG ,"bignum too long"}, -{BN_R_CALLED_WITH_EVEN_MODULUS ,"called with even modulus"}, -{BN_R_DIV_BY_ZERO ,"div by zero"}, -{BN_R_ENCODING_ERROR ,"encoding error"}, -{BN_R_EXPAND_ON_STATIC_BIGNUM_DATA ,"expand on static bignum data"}, -{BN_R_INPUT_NOT_REDUCED ,"input not reduced"}, -{BN_R_INVALID_LENGTH ,"invalid length"}, -{BN_R_INVALID_RANGE ,"invalid range"}, -{BN_R_NOT_A_SQUARE ,"not a square"}, -{BN_R_NOT_INITIALIZED ,"not initialized"}, -{BN_R_NO_INVERSE ,"no inverse"}, -{BN_R_P_IS_NOT_PRIME ,"p is not prime"}, -{BN_R_TOO_MANY_ITERATIONS ,"too many iterations"}, -{BN_R_TOO_MANY_TEMPORARY_VARIABLES ,"too many temporary variables"}, +{ERR_REASON(BN_R_ARG2_LT_ARG3) ,"arg2 lt arg3"}, +{ERR_REASON(BN_R_BAD_RECIPROCAL) ,"bad reciprocal"}, +{ERR_REASON(BN_R_BIGNUM_TOO_LONG) ,"bignum too long"}, +{ERR_REASON(BN_R_CALLED_WITH_EVEN_MODULUS),"called with even modulus"}, +{ERR_REASON(BN_R_DIV_BY_ZERO) ,"div by zero"}, +{ERR_REASON(BN_R_ENCODING_ERROR) ,"encoding error"}, +{ERR_REASON(BN_R_EXPAND_ON_STATIC_BIGNUM_DATA),"expand on static bignum data"}, +{ERR_REASON(BN_R_INPUT_NOT_REDUCED) ,"input not reduced"}, +{ERR_REASON(BN_R_INVALID_LENGTH) ,"invalid length"}, +{ERR_REASON(BN_R_INVALID_RANGE) ,"invalid range"}, +{ERR_REASON(BN_R_NOT_A_SQUARE) ,"not a square"}, +{ERR_REASON(BN_R_NOT_INITIALIZED) ,"not initialized"}, +{ERR_REASON(BN_R_NO_INVERSE) ,"no inverse"}, +{ERR_REASON(BN_R_P_IS_NOT_PRIME) ,"p is not prime"}, +{ERR_REASON(BN_R_TOO_MANY_ITERATIONS) ,"too many iterations"}, +{ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),"too many temporary variables"}, {0,NULL} }; @@ -123,8 +131,8 @@ void ERR_load_BN_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_BN,BN_str_functs); - ERR_load_strings(ERR_LIB_BN,BN_str_reasons); + ERR_load_strings(0,BN_str_functs); + ERR_load_strings(0,BN_str_reasons); #endif } diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c index afdfd580fb..9e1e88abe8 100644 --- a/src/lib/libcrypto/bn/bn_exp.c +++ b/src/lib/libcrypto/bn/bn_exp.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -113,6 +113,7 @@ #include "cryptlib.h" #include "bn_lcl.h" +/* maximum precomputation table size for *variable* sliding windows */ #define TABLE_SIZE 32 /* this one works - simple but works */ @@ -121,6 +122,13 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) int i,bits,ret=0; BIGNUM *v,*rr; + if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0) + { + /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */ + BNerr(BN_F_BN_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return -1; + } + BN_CTX_start(ctx); if ((r == a) || (r == p)) rr = BN_CTX_get(ctx); @@ -204,7 +212,7 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, if (BN_is_odd(m)) { # ifdef MONT_EXP_WORD - if (a->top == 1 && !a->neg) + if (a->top == 1 && !a->neg && (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) == 0)) { BN_ULONG A = a->d[0]; ret=BN_mod_exp_mont_word(r,A,p,m,ctx,NULL); @@ -234,6 +242,13 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BIGNUM val[TABLE_SIZE]; BN_RECP_CTX recp; + if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0) + { + /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */ + BNerr(BN_F_BN_MOD_EXP_RECP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return -1; + } + bits=BN_num_bits(p); if (bits == 0) @@ -361,6 +376,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, BIGNUM val[TABLE_SIZE]; BN_MONT_CTX *mont=NULL; + if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0) + { + return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); + } + bn_check_top(a); bn_check_top(p); bn_check_top(m); @@ -493,6 +513,212 @@ err: return(ret); } + +/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout + * so that accessing any of these table values shows the same access pattern as far + * as cache lines are concerned. The following functions are used to transfer a BIGNUM + * from/to that table. */ + +static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width) + { + size_t i, j; + + if (bn_wexpand(b, top) == NULL) + return 0; + while (b->top < top) + { + b->d[b->top++] = 0; + } + + for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width) + { + buf[j] = ((unsigned char*)b->d)[i]; + } + + bn_fix_top(b); + return 1; + } + +static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width) + { + size_t i, j; + + if (bn_wexpand(b, top) == NULL) + return 0; + + for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width) + { + ((unsigned char*)b->d)[i] = buf[j]; + } + + b->top = top; + bn_fix_top(b); + return 1; + } + +/* Given a pointer value, compute the next address that is a cache line multiple. */ +#define MOD_EXP_CTIME_ALIGN(x_) \ + ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK)))) + +/* This variant of BN_mod_exp_mont() uses fixed windows and the special + * precomputation memory layout to limit data-dependency to a minimum + * to protect secret exponents (cf. the hyper-threading timing attacks + * pointed out by Colin Percival, + * http://www.daemonology.net/hyperthreading-considered-harmful/) + */ +int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) + { + int i,bits,ret=0,idx,window,wvalue; + int top; + BIGNUM *r; + const BIGNUM *aa; + BN_MONT_CTX *mont=NULL; + + int numPowers; + unsigned char *powerbufFree=NULL; + int powerbufLen = 0; + unsigned char *powerbuf=NULL; + BIGNUM *computeTemp=NULL, *am=NULL; + + bn_check_top(a); + bn_check_top(p); + bn_check_top(m); + + top = m->top; + + if (!(m->d[0] & 1)) + { + BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,BN_R_CALLED_WITH_EVEN_MODULUS); + return(0); + } + bits=BN_num_bits(p); + if (bits == 0) + { + ret = BN_one(rr); + return ret; + } + + /* Initialize BIGNUM context and allocate intermediate result */ + BN_CTX_start(ctx); + r = BN_CTX_get(ctx); + if (r == NULL) goto err; + + /* Allocate a montgomery context if it was not supplied by the caller. + * If this is not done, things will break in the montgomery part. + */ + if (in_mont != NULL) + mont=in_mont; + else + { + if ((mont=BN_MONT_CTX_new()) == NULL) goto err; + if (!BN_MONT_CTX_set(mont,m,ctx)) goto err; + } + + /* Get the window size to use with size of p. */ + window = BN_window_bits_for_ctime_exponent_size(bits); + + /* Allocate a buffer large enough to hold all of the pre-computed + * powers of a. + */ + numPowers = 1 << window; + powerbufLen = sizeof(m->d[0])*top*numPowers; + if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL) + goto err; + + powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree); + memset(powerbuf, 0, powerbufLen); + + /* Initialize the intermediate result. Do this early to save double conversion, + * once each for a^0 and intermediate result. + */ + if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) goto err; + + /* Initialize computeTemp as a^1 with montgomery precalcs */ + computeTemp = BN_CTX_get(ctx); + am = BN_CTX_get(ctx); + if (computeTemp==NULL || am==NULL) goto err; + + if (a->neg || BN_ucmp(a,m) >= 0) + { + if (!BN_mod(am,a,m,ctx)) + goto err; + aa= am; + } + else + aa=a; + if (!BN_to_montgomery(am,aa,mont,ctx)) goto err; + if (!BN_copy(computeTemp, am)) goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) goto err; + + /* If the window size is greater than 1, then calculate + * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) + * (even powers could instead be computed as (a^(i/2))^2 + * to use the slight performance advantage of sqr over mul). + */ + if (window > 1) + { + for (i=2; i= 0) + { + wvalue=0; /* The 'value' of the window */ + + /* Scan the window, squaring the result as we go */ + for (i=0; i 937 ? 6 : \ + (b) > 306 ? 5 : \ + (b) > 89 ? 4 : \ + (b) > 22 ? 3 : 1) +# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6) + +#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32 + +# define BN_window_bits_for_ctime_exponent_size(b) \ + ((b) > 306 ? 5 : \ + (b) > 89 ? 4 : \ + (b) > 22 ? 3 : 1) +# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5) + +#endif + + /* Pentium pro 16,16,16,32,64 */ /* Alpha 16,16,16,16.64 */ #define BN_MULL_SIZE_NORMAL (16) /* 32 */ diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c index b79b1b60da..3572e5a690 100644 --- a/src/lib/libcrypto/bn/bn_mont.c +++ b/src/lib/libcrypto/bn/bn_mont.c @@ -347,3 +347,23 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) return(to); } +BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, + const BIGNUM *mod, BN_CTX *ctx) + { + if (*pmont) + return *pmont; + CRYPTO_w_lock(lock); + if (!*pmont) + { + *pmont = BN_MONT_CTX_new(); + if (*pmont && !BN_MONT_CTX_set(*pmont, mod, ctx)) + { + BN_MONT_CTX_free(*pmont); + *pmont = NULL; + } + } + CRYPTO_w_unlock(lock); + return *pmont; + } + + diff --git a/src/lib/libcrypto/bn/bn_x931p.c b/src/lib/libcrypto/bn/bn_x931p.c new file mode 100644 index 0000000000..c64410dd3a --- /dev/null +++ b/src/lib/libcrypto/bn/bn_x931p.c @@ -0,0 +1,282 @@ +/* bn_x931p.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2005. + */ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include + +#ifdef OPENSSL_FIPS + +/* X9.31 routines for prime derivation */ + + +/* X9.31 prime derivation. This is used to generate the primes pi + * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd + * integers. + */ + +static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx, + void (*cb)(int, int, void *), void *cb_arg) + { + int i = 0; + if (!BN_copy(pi, Xpi)) + return 0; + if (!BN_is_odd(pi) && !BN_add_word(pi, 1)) + return 0; + for(;;) + { + i++; + if (cb) + cb(0, i, cb_arg); + /* NB 27 MR is specificed in X9.31 */ + if (BN_is_prime_fasttest(pi, 27, cb, ctx, cb_arg, 1)) + break; + if (!BN_add_word(pi, 2)) + return 0; + } + if (cb) + cb(2, i, cb_arg); + return 1; + } + +/* This is the main X9.31 prime derivation function. From parameters + * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are + * not NULL they will be returned too: this is needed for testing. + */ + +int BN_X931_derive_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, + void (*cb)(int, int, void *), void *cb_arg, + const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, + const BIGNUM *e, BN_CTX *ctx) + { + int ret = 0; + + BIGNUM *t, *p1p2, *pm1; + + /* Only even e supported */ + if (!BN_is_odd(e)) + return 0; + + BN_CTX_start(ctx); + if (!p1) + p1 = BN_CTX_get(ctx); + + if (!p2) + p2 = BN_CTX_get(ctx); + + t = BN_CTX_get(ctx); + + p1p2 = BN_CTX_get(ctx); + + pm1 = BN_CTX_get(ctx); + + if (!bn_x931_derive_pi(p1, Xp1, ctx, cb, cb_arg)) + goto err; + + if (!bn_x931_derive_pi(p2, Xp2, ctx, cb, cb_arg)) + goto err; + + if (!BN_mul(p1p2, p1, p2, ctx)) + goto err; + + /* First set p to value of Rp */ + + if (!BN_mod_inverse(p, p2, p1, ctx)) + goto err; + + if (!BN_mul(p, p, p2, ctx)) + goto err; + + if (!BN_mod_inverse(t, p1, p2, ctx)) + goto err; + + if (!BN_mul(t, t, p1, ctx)) + goto err; + + if (!BN_sub(p, p, t)) + goto err; + + if (p->neg && !BN_add(p, p, p1p2)) + goto err; + + /* p now equals Rp */ + + if (!BN_mod_sub(p, p, Xp, p1p2, ctx)) + goto err; + + if (!BN_add(p, p, Xp)) + goto err; + + /* p now equals Yp0 */ + + for (;;) + { + int i = 1; + if (cb) + cb(0, i++, cb_arg); + if (!BN_copy(pm1, p)) + goto err; + if (!BN_sub_word(pm1, 1)) + goto err; + if (!BN_gcd(t, pm1, e, ctx)) + goto err; + if (BN_is_one(t) + /* X9.31 specifies 8 MR and 1 Lucas test or any prime test + * offering similar or better guarantees 50 MR is considerably + * better. + */ + && BN_is_prime_fasttest(p, 50, cb, ctx, cb_arg, 1)) + break; + if (!BN_add(p, p, p1p2)) + goto err; + } + + if (cb) + cb(3, 0, cb_arg); + + ret = 1; + + err: + + BN_CTX_end(ctx); + + return ret; + } + +/* Generate pair of paramters Xp, Xq for X9.31 prime generation. + * Note: nbits paramter is sum of number of bits in both. + */ + +int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) + { + BIGNUM *t; + int i; + /* Number of bits for each prime is of the form + * 512+128s for s = 0, 1, ... + */ + if ((nbits < 1024) || (nbits & 0xff)) + return 0; + nbits >>= 1; + /* The random value Xp must be between sqrt(2) * 2^(nbits-1) and + * 2^nbits - 1. By setting the top two bits we ensure that the lower + * bound is exceeded. + */ + if (!BN_rand(Xp, nbits, 1, 0)) + return 0; + + BN_CTX_start(ctx); + t = BN_CTX_get(ctx); + + for (i = 0; i < 1000; i++) + { + if (!BN_rand(Xq, nbits, 1, 0)) + return 0; + /* Check that |Xp - Xq| > 2^(nbits - 100) */ + BN_sub(t, Xp, Xq); + if (BN_num_bits(t) > (nbits - 100)) + break; + } + + BN_CTX_end(ctx); + + if (i < 1000) + return 1; + + return 0; + + } + +/* Generate primes using X9.31 algorithm. Of the values p, p1, p2, Xp1 + * and Xp2 only 'p' needs to be non-NULL. If any of the others are not NULL + * the relevant parameter will be stored in it. + * + * Due to the fact that |Xp - Xq| > 2^(nbits - 100) must be satisfied Xp and Xq + * are generated using the previous function and supplied as input. + */ + +int BN_X931_generate_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, + BIGNUM *Xp1, BIGNUM *Xp2, + const BIGNUM *Xp, + const BIGNUM *e, BN_CTX *ctx, + void (*cb)(int, int, void *), void *cb_arg) + { + int ret = 0; + + BN_CTX_start(ctx); + if (!Xp1) + Xp1 = BN_CTX_get(ctx); + if (!Xp2) + Xp2 = BN_CTX_get(ctx); + + if (!BN_rand(Xp1, 101, 0, 0)) + goto error; + if (!BN_rand(Xp2, 101, 0, 0)) + goto error; + if (!BN_X931_derive_prime(p, p1, p2, cb, cb_arg, + Xp, Xp1, Xp2, e, ctx)) + goto error; + + ret = 1; + + error: + BN_CTX_end(ctx); + + return ret; + + } + +#endif diff --git a/src/lib/libcrypto/buffer/buf_err.c b/src/lib/libcrypto/buffer/buf_err.c index 5eee653e14..1fc32a6861 100644 --- a/src/lib/libcrypto/buffer/buf_err.c +++ b/src/lib/libcrypto/buffer/buf_err.c @@ -1,6 +1,6 @@ /* crypto/buffer/buf_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,11 +64,15 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BUF,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BUF,0,reason) + static ERR_STRING_DATA BUF_str_functs[]= { -{ERR_PACK(0,BUF_F_BUF_MEM_GROW,0), "BUF_MEM_grow"}, -{ERR_PACK(0,BUF_F_BUF_MEM_NEW,0), "BUF_MEM_new"}, -{ERR_PACK(0,BUF_F_BUF_STRDUP,0), "BUF_strdup"}, +{ERR_FUNC(BUF_F_BUF_MEM_GROW), "BUF_MEM_grow"}, +{ERR_FUNC(BUF_F_BUF_MEM_NEW), "BUF_MEM_new"}, +{ERR_FUNC(BUF_F_BUF_STRDUP), "BUF_strdup"}, {0,NULL} }; @@ -87,8 +91,8 @@ void ERR_load_BUF_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_BUF,BUF_str_functs); - ERR_load_strings(ERR_LIB_BUF,BUF_str_reasons); + ERR_load_strings(0,BUF_str_functs); + ERR_load_strings(0,BUF_str_reasons); #endif } diff --git a/src/lib/libcrypto/cast/c_skey.c b/src/lib/libcrypto/cast/c_skey.c index dc4791a8cf..db9b7573e0 100644 --- a/src/lib/libcrypto/cast/c_skey.c +++ b/src/lib/libcrypto/cast/c_skey.c @@ -57,6 +57,7 @@ */ #include +#include #include #include "cast_lcl.h" diff --git a/src/lib/libcrypto/cast/cast_lcl.h b/src/lib/libcrypto/cast/cast_lcl.h index 37f41cc6a4..e756021a33 100644 --- a/src/lib/libcrypto/cast/cast_lcl.h +++ b/src/lib/libcrypto/cast/cast_lcl.h @@ -64,11 +64,6 @@ #endif -#ifdef OPENSSL_BUILD_SHLIBCRYPTO -# undef OPENSSL_EXTERN -# define OPENSSL_EXTERN OPENSSL_EXPORT -#endif - #undef c2l #define c2l(c,l) (l =((unsigned long)(*((c)++))) , \ l|=((unsigned long)(*((c)++)))<< 8L, \ @@ -222,11 +217,11 @@ } #endif -OPENSSL_EXTERN const CAST_LONG CAST_S_table0[256]; -OPENSSL_EXTERN const CAST_LONG CAST_S_table1[256]; -OPENSSL_EXTERN const CAST_LONG CAST_S_table2[256]; -OPENSSL_EXTERN const CAST_LONG CAST_S_table3[256]; -OPENSSL_EXTERN const CAST_LONG CAST_S_table4[256]; -OPENSSL_EXTERN const CAST_LONG CAST_S_table5[256]; -OPENSSL_EXTERN const CAST_LONG CAST_S_table6[256]; -OPENSSL_EXTERN const CAST_LONG CAST_S_table7[256]; +extern const CAST_LONG CAST_S_table0[256]; +extern const CAST_LONG CAST_S_table1[256]; +extern const CAST_LONG CAST_S_table2[256]; +extern const CAST_LONG CAST_S_table3[256]; +extern const CAST_LONG CAST_S_table4[256]; +extern const CAST_LONG CAST_S_table5[256]; +extern const CAST_LONG CAST_S_table6[256]; +extern const CAST_LONG CAST_S_table7[256]; diff --git a/src/lib/libcrypto/comp/c_zlib.c b/src/lib/libcrypto/comp/c_zlib.c index 1bd2850d15..5fcb521ffb 100644 --- a/src/lib/libcrypto/comp/c_zlib.c +++ b/src/lib/libcrypto/comp/c_zlib.c @@ -51,30 +51,17 @@ static COMP_METHOD zlib_method={ */ #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) # include - -# define Z_CALLCONV _stdcall -# define ZLIB_SHARED -#else -# define Z_CALLCONV #endif /* !(OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32) */ #ifdef ZLIB_SHARED #include -/* Prototypes for built in stubs */ -static int stub_compress(Bytef *dest,uLongf *destLen, - const Bytef *source, uLong sourceLen); -static int stub_inflateEnd(z_streamp strm); -static int stub_inflate(z_streamp strm, int flush); -static int stub_inflateInit_(z_streamp strm, const char * version, - int stream_size); - /* Function pointers */ -typedef int (Z_CALLCONV *compress_ft)(Bytef *dest,uLongf *destLen, +typedef int (*compress_ft)(Bytef *dest,uLongf *destLen, const Bytef *source, uLong sourceLen); -typedef int (Z_CALLCONV *inflateEnd_ft)(z_streamp strm); -typedef int (Z_CALLCONV *inflate_ft)(z_streamp strm, int flush); -typedef int (Z_CALLCONV *inflateInit__ft)(z_streamp strm, +typedef int (*inflateEnd_ft)(z_streamp strm); +typedef int (*inflate_ft)(z_streamp strm, int flush); +typedef int (*inflateInit__ft)(z_streamp strm, const char * version, int stream_size); static compress_ft p_compress=NULL; static inflateEnd_ft p_inflateEnd=NULL; @@ -84,10 +71,10 @@ static inflateInit__ft p_inflateInit_=NULL; static int zlib_loaded = 0; /* only attempt to init func pts once */ static DSO *zlib_dso = NULL; -#define compress stub_compress -#define inflateEnd stub_inflateEnd -#define inflate stub_inflate -#define inflateInit_ stub_inflateInit_ +#define compress p_compress +#define inflateEnd p_inflateEnd +#define inflate p_inflate +#define inflateInit_ p_inflateInit_ #endif /* ZLIB_SHARED */ static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out, @@ -191,16 +178,6 @@ COMP_METHOD *COMP_zlib(void) { #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0); - if (!zlib_dso) - { - zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0); - if (zlib_dso) - { - /* Clear the errors from the first failed - DSO_load() */ - ERR_clear_error(); - } - } #else zlib_dso = DSO_load(NULL, "z", NULL, 0); #endif @@ -218,54 +195,21 @@ COMP_METHOD *COMP_zlib(void) p_inflateInit_ = (inflateInit__ft) DSO_bind_func(zlib_dso, "inflateInit_"); - zlib_loaded++; + + if (p_compress && p_inflateEnd && p_inflate + && p_inflateInit_) + zlib_loaded++; } } #endif +#ifdef ZLIB_SHARED + if (zlib_loaded) +#endif #if defined(ZLIB) || defined(ZLIB_SHARED) - meth = &zlib_method; + meth = &zlib_method; #endif return(meth); } -#ifdef ZLIB_SHARED -/* Stubs for each function to be dynamicly loaded */ -static int -stub_compress(Bytef *dest,uLongf *destLen,const Bytef *source, uLong sourceLen) - { - if (p_compress) - return(p_compress(dest,destLen,source,sourceLen)); - else - return(Z_MEM_ERROR); - } - -static int -stub_inflateEnd(z_streamp strm) - { - if ( p_inflateEnd ) - return(p_inflateEnd(strm)); - else - return(Z_MEM_ERROR); - } - -static int -stub_inflate(z_streamp strm, int flush) - { - if ( p_inflate ) - return(p_inflate(strm,flush)); - else - return(Z_MEM_ERROR); - } - -static int -stub_inflateInit_(z_streamp strm, const char * version, int stream_size) - { - if ( p_inflateInit_ ) - return(p_inflateInit_(strm,version,stream_size)); - else - return(Z_MEM_ERROR); - } - -#endif /* ZLIB_SHARED */ diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c index b5a876ae68..2464f8ed90 100644 --- a/src/lib/libcrypto/conf/conf_def.c +++ b/src/lib/libcrypto/conf/conf_def.c @@ -613,13 +613,13 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) e++; } /* So at this point we have - * ns which is the start of the name string which is + * np which is the start of the name string which is * '\0' terminated. - * cs which is the start of the section string which is + * cp which is the start of the section string which is * '\0' terminated. * e is the 'next point after'. - * r and s are the chars replaced by the '\0' - * rp and sp is where 'r' and 's' came from. + * r and rr are the chars replaced by the '\0' + * rp and rrp is where 'r' and 'rr' came from. */ p=_CONF_get_string(conf,cp,np); if (rrp != NULL) *rrp=rr; @@ -638,6 +638,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) points at. /RL */ len -= e-from; from=e; + + /* In case there were no braces or parenthesis around + the variable reference, we have to put back the + character that was replaced with a '\0'. /RL */ + *rp = r; } else buf->data[to++]= *(from++); diff --git a/src/lib/libcrypto/conf/conf_err.c b/src/lib/libcrypto/conf/conf_err.c index ee07bfe9d9..f5e2ca4bf0 100644 --- a/src/lib/libcrypto/conf/conf_err.c +++ b/src/lib/libcrypto/conf/conf_err.c @@ -1,6 +1,6 @@ /* crypto/conf/conf_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,47 +64,51 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CONF,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CONF,0,reason) + static ERR_STRING_DATA CONF_str_functs[]= { -{ERR_PACK(0,CONF_F_CONF_DUMP_FP,0), "CONF_dump_fp"}, -{ERR_PACK(0,CONF_F_CONF_LOAD,0), "CONF_load"}, -{ERR_PACK(0,CONF_F_CONF_LOAD_BIO,0), "CONF_load_bio"}, -{ERR_PACK(0,CONF_F_CONF_LOAD_FP,0), "CONF_load_fp"}, -{ERR_PACK(0,CONF_F_CONF_MODULES_LOAD,0), "CONF_modules_load"}, -{ERR_PACK(0,CONF_F_MODULE_INIT,0), "MODULE_INIT"}, -{ERR_PACK(0,CONF_F_MODULE_LOAD_DSO,0), "MODULE_LOAD_DSO"}, -{ERR_PACK(0,CONF_F_MODULE_RUN,0), "MODULE_RUN"}, -{ERR_PACK(0,CONF_F_NCONF_DUMP_BIO,0), "NCONF_dump_bio"}, -{ERR_PACK(0,CONF_F_NCONF_DUMP_FP,0), "NCONF_dump_fp"}, -{ERR_PACK(0,CONF_F_NCONF_GET_NUMBER,0), "NCONF_get_number"}, -{ERR_PACK(0,CONF_F_NCONF_GET_NUMBER_E,0), "NCONF_get_number_e"}, -{ERR_PACK(0,CONF_F_NCONF_GET_SECTION,0), "NCONF_get_section"}, -{ERR_PACK(0,CONF_F_NCONF_GET_STRING,0), "NCONF_get_string"}, -{ERR_PACK(0,CONF_F_NCONF_LOAD,0), "NCONF_load"}, -{ERR_PACK(0,CONF_F_NCONF_LOAD_BIO,0), "NCONF_load_bio"}, -{ERR_PACK(0,CONF_F_NCONF_LOAD_FP,0), "NCONF_load_fp"}, -{ERR_PACK(0,CONF_F_NCONF_NEW,0), "NCONF_new"}, -{ERR_PACK(0,CONF_F_STR_COPY,0), "STR_COPY"}, +{ERR_FUNC(CONF_F_CONF_DUMP_FP), "CONF_dump_fp"}, +{ERR_FUNC(CONF_F_CONF_LOAD), "CONF_load"}, +{ERR_FUNC(CONF_F_CONF_LOAD_BIO), "CONF_load_bio"}, +{ERR_FUNC(CONF_F_CONF_LOAD_FP), "CONF_load_fp"}, +{ERR_FUNC(CONF_F_CONF_MODULES_LOAD), "CONF_modules_load"}, +{ERR_FUNC(CONF_F_MODULE_INIT), "MODULE_INIT"}, +{ERR_FUNC(CONF_F_MODULE_LOAD_DSO), "MODULE_LOAD_DSO"}, +{ERR_FUNC(CONF_F_MODULE_RUN), "MODULE_RUN"}, +{ERR_FUNC(CONF_F_NCONF_DUMP_BIO), "NCONF_dump_bio"}, +{ERR_FUNC(CONF_F_NCONF_DUMP_FP), "NCONF_dump_fp"}, +{ERR_FUNC(CONF_F_NCONF_GET_NUMBER), "NCONF_get_number"}, +{ERR_FUNC(CONF_F_NCONF_GET_NUMBER_E), "NCONF_get_number_e"}, +{ERR_FUNC(CONF_F_NCONF_GET_SECTION), "NCONF_get_section"}, +{ERR_FUNC(CONF_F_NCONF_GET_STRING), "NCONF_get_string"}, +{ERR_FUNC(CONF_F_NCONF_LOAD), "NCONF_load"}, +{ERR_FUNC(CONF_F_NCONF_LOAD_BIO), "NCONF_load_bio"}, +{ERR_FUNC(CONF_F_NCONF_LOAD_FP), "NCONF_load_fp"}, +{ERR_FUNC(CONF_F_NCONF_NEW), "NCONF_new"}, +{ERR_FUNC(CONF_F_STR_COPY), "STR_COPY"}, {0,NULL} }; static ERR_STRING_DATA CONF_str_reasons[]= { -{CONF_R_ERROR_LOADING_DSO ,"error loading dso"}, -{CONF_R_MISSING_CLOSE_SQUARE_BRACKET ,"missing close square bracket"}, -{CONF_R_MISSING_EQUAL_SIGN ,"missing equal sign"}, -{CONF_R_MISSING_FINISH_FUNCTION ,"missing finish function"}, -{CONF_R_MISSING_INIT_FUNCTION ,"missing init function"}, -{CONF_R_MODULE_INITIALIZATION_ERROR ,"module initialization error"}, -{CONF_R_NO_CLOSE_BRACE ,"no close brace"}, -{CONF_R_NO_CONF ,"no conf"}, -{CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE ,"no conf or environment variable"}, -{CONF_R_NO_SECTION ,"no section"}, -{CONF_R_NO_SUCH_FILE ,"no such file"}, -{CONF_R_NO_VALUE ,"no value"}, -{CONF_R_UNABLE_TO_CREATE_NEW_SECTION ,"unable to create new section"}, -{CONF_R_UNKNOWN_MODULE_NAME ,"unknown module name"}, -{CONF_R_VARIABLE_HAS_NO_VALUE ,"variable has no value"}, +{ERR_REASON(CONF_R_ERROR_LOADING_DSO) ,"error loading dso"}, +{ERR_REASON(CONF_R_MISSING_CLOSE_SQUARE_BRACKET),"missing close square bracket"}, +{ERR_REASON(CONF_R_MISSING_EQUAL_SIGN) ,"missing equal sign"}, +{ERR_REASON(CONF_R_MISSING_FINISH_FUNCTION),"missing finish function"}, +{ERR_REASON(CONF_R_MISSING_INIT_FUNCTION),"missing init function"}, +{ERR_REASON(CONF_R_MODULE_INITIALIZATION_ERROR),"module initialization error"}, +{ERR_REASON(CONF_R_NO_CLOSE_BRACE) ,"no close brace"}, +{ERR_REASON(CONF_R_NO_CONF) ,"no conf"}, +{ERR_REASON(CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE),"no conf or environment variable"}, +{ERR_REASON(CONF_R_NO_SECTION) ,"no section"}, +{ERR_REASON(CONF_R_NO_SUCH_FILE) ,"no such file"}, +{ERR_REASON(CONF_R_NO_VALUE) ,"no value"}, +{ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION),"unable to create new section"}, +{ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME) ,"unknown module name"}, +{ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE),"variable has no value"}, {0,NULL} }; @@ -118,8 +122,8 @@ void ERR_load_CONF_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_CONF,CONF_str_functs); - ERR_load_strings(ERR_LIB_CONF,CONF_str_reasons); + ERR_load_strings(0,CONF_str_functs); + ERR_load_strings(0,CONF_str_reasons); #endif } diff --git a/src/lib/libcrypto/cpt_err.c b/src/lib/libcrypto/cpt_err.c index 1b4a1cb4d4..06a6109cce 100644 --- a/src/lib/libcrypto/cpt_err.c +++ b/src/lib/libcrypto/cpt_err.c @@ -1,6 +1,6 @@ /* crypto/cpt_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,23 +64,27 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CRYPTO,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CRYPTO,0,reason) + static ERR_STRING_DATA CRYPTO_str_functs[]= { -{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,0), "CRYPTO_get_ex_new_index"}, -{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,0), "CRYPTO_get_new_dynlockid"}, -{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_LOCKID,0), "CRYPTO_get_new_lockid"}, -{ERR_PACK(0,CRYPTO_F_CRYPTO_SET_EX_DATA,0), "CRYPTO_set_ex_data"}, -{ERR_PACK(0,CRYPTO_F_DEF_ADD_INDEX,0), "DEF_ADD_INDEX"}, -{ERR_PACK(0,CRYPTO_F_DEF_GET_CLASS,0), "DEF_GET_CLASS"}, -{ERR_PACK(0,CRYPTO_F_INT_DUP_EX_DATA,0), "INT_DUP_EX_DATA"}, -{ERR_PACK(0,CRYPTO_F_INT_FREE_EX_DATA,0), "INT_FREE_EX_DATA"}, -{ERR_PACK(0,CRYPTO_F_INT_NEW_EX_DATA,0), "INT_NEW_EX_DATA"}, +{ERR_FUNC(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX), "CRYPTO_get_ex_new_index"}, +{ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID), "CRYPTO_get_new_dynlockid"}, +{ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_LOCKID), "CRYPTO_get_new_lockid"}, +{ERR_FUNC(CRYPTO_F_CRYPTO_SET_EX_DATA), "CRYPTO_set_ex_data"}, +{ERR_FUNC(CRYPTO_F_DEF_ADD_INDEX), "DEF_ADD_INDEX"}, +{ERR_FUNC(CRYPTO_F_DEF_GET_CLASS), "DEF_GET_CLASS"}, +{ERR_FUNC(CRYPTO_F_INT_DUP_EX_DATA), "INT_DUP_EX_DATA"}, +{ERR_FUNC(CRYPTO_F_INT_FREE_EX_DATA), "INT_FREE_EX_DATA"}, +{ERR_FUNC(CRYPTO_F_INT_NEW_EX_DATA), "INT_NEW_EX_DATA"}, {0,NULL} }; static ERR_STRING_DATA CRYPTO_str_reasons[]= { -{CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK ,"no dynlock create callback"}, +{ERR_REASON(CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK),"no dynlock create callback"}, {0,NULL} }; @@ -94,8 +98,8 @@ void ERR_load_CRYPTO_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_functs); - ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_reasons); + ERR_load_strings(0,CRYPTO_str_functs); + ERR_load_strings(0,CRYPTO_str_reasons); #endif } diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c index fef0afb29f..e63bbe8dba 100644 --- a/src/lib/libcrypto/cryptlib.c +++ b/src/lib/libcrypto/cryptlib.c @@ -480,6 +480,8 @@ const char *CRYPTO_get_lock_name(int type) return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS)); } +int OPENSSL_NONPIC_relocated=0; + #if defined(_WIN32) && defined(_WINDLL) /* All we really need to do is remove the 'error' state when a thread @@ -491,6 +493,21 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, switch(fdwReason) { case DLL_PROCESS_ATTACH: +#if defined(_WIN32_WINNT) + { + IMAGE_DOS_HEADER *dos_header = (IMAGE_DOS_HEADER *)hinstDLL; + IMAGE_NT_HEADERS *nt_headers; + + if (dos_header->e_magic==IMAGE_DOS_SIGNATURE) + { + nt_headers = (IMAGE_NT_HEADERS *)((char *)dos_header + + dos_header->e_lfanew); + if (nt_headers->Signature==IMAGE_NT_SIGNATURE && + hinstDLL!=(HINSTANCE)(nt_headers->OptionalHeader.ImageBase)) + OPENSSL_NONPIC_relocated=1; + } + } +#endif break; case DLL_THREAD_ATTACH: break; @@ -504,18 +521,160 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, } #endif +#if defined(_WIN32) +#include + +#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333 +static int IsService(void) +{ HWINSTA h; + DWORD len; + WCHAR *name; + + (void)GetDesktopWindow(); /* return value is ignored */ + + h = GetProcessWindowStation(); + if (h==NULL) return -1; + + if (GetUserObjectInformationW (h,UOI_NAME,NULL,0,&len) || + GetLastError() != ERROR_INSUFFICIENT_BUFFER) + return -1; + + if (len>512) return -1; /* paranoia */ + len++,len&=~1; /* paranoia */ +#ifdef _MSC_VER + name=(WCHAR *)_alloca(len+sizeof(WCHAR)); +#else + name=(WCHAR *)alloca(len+sizeof(WCHAR)); +#endif + if (!GetUserObjectInformationW (h,UOI_NAME,name,len,&len)) + return -1; + + len++,len&=~1; /* paranoia */ + name[len/sizeof(WCHAR)]=L'\0'; /* paranoia */ +#if 1 + /* This doesn't cover "interactive" services [working with real + * WinSta0's] nor programs started non-interactively by Task + * Scheduler [those are working with SAWinSta]. */ + if (wcsstr(name,L"Service-0x")) return 1; +#else + /* This covers all non-interactive programs such as services. */ + if (!wcsstr(name,L"WinSta0")) return 1; +#endif + else return 0; +} +#endif + +void OPENSSL_showfatal (const char *fmta,...) +{ va_list ap; + TCHAR buf[256]; + const TCHAR *fmt; + HANDLE h; + + if ((h=GetStdHandle(STD_ERROR_HANDLE)) != NULL && + GetFileType(h)!=FILE_TYPE_UNKNOWN) + { /* must be console application */ + va_start (ap,fmta); + vfprintf (stderr,fmta,ap); + va_end (ap); + return; + } + + if (sizeof(TCHAR)==sizeof(char)) + fmt=(const TCHAR *)fmta; + else do + { int keepgoing; + size_t len_0=strlen(fmta)+1,i; + WCHAR *fmtw; + +#ifdef _MSC_VER + fmtw = (WCHAR *)_alloca (len_0*sizeof(WCHAR)); +#else + fmtw = (WCHAR *)alloca (len_0*sizeof(WCHAR)); +#endif + if (fmtw == NULL) { fmt=(const TCHAR *)L"no stack?"; break; } + +#ifndef OPENSSL_NO_MULTIBYTE + if (!MultiByteToWideChar(CP_ACP,0,fmta,len_0,fmtw,len_0)) +#endif + for (i=0;i=0x0333 + /* this -------------v--- guards NT-specific calls */ + if (GetVersion() < 0x80000000 && IsService()) + { HANDLE h = RegisterEventSource(0,_T("OPENSSL")); + const TCHAR *pmsg=buf; + ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0); + DeregisterEventSource(h); + } + else +#endif + { MSGBOXPARAMS m; + + m.cbSize = sizeof(m); + m.hwndOwner = NULL; + m.lpszCaption = _T("OpenSSL: FATAL"); + m.dwStyle = MB_OK; + m.hInstance = NULL; + m.lpszIcon = IDI_ERROR; + m.dwContextHelpId = 0; + m.lpfnMsgBoxCallback = NULL; + m.dwLanguageId = MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US); + m.lpszText = buf; + + MessageBoxIndirect (&m); + } +} +#else +void OPENSSL_showfatal (const char *fmta,...) +{ va_list ap; + + va_start (ap,fmta); + vfprintf (stderr,fmta,ap); + va_end (ap); +} +#endif + void OpenSSLDie(const char *file,int line,const char *assertion) { - fprintf(stderr, + OPENSSL_showfatal( "%s(%d): OpenSSL internal error, assertion failed: %s\n", file,line,assertion); abort(); } +void *OPENSSL_stderr(void) { return stderr; } + #ifdef OPENSSL_FIPS + +void fips_w_lock(void) { CRYPTO_w_lock(CRYPTO_LOCK_FIPS); } +void fips_w_unlock(void) { CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); } +void fips_r_lock(void) { CRYPTO_r_lock(CRYPTO_LOCK_FIPS); } +void fips_r_unlock(void) { CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); } + static int fips_started = 0; -static int fips_mode = 0; -static void *fips_rand_check = 0; static unsigned long fips_thread = 0; void fips_set_started(void) @@ -576,57 +735,10 @@ int fips_clear_owning_thread(void) return ret; } -void fips_set_mode(int onoff) - { - int owning_thread = fips_is_owning_thread(); - - if (fips_is_started()) - { - if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS); - fips_mode = onoff; - if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); - } - } - -void fips_set_rand_check(void *rand_check) - { - int owning_thread = fips_is_owning_thread(); - - if (fips_is_started()) - { - if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS); - fips_rand_check = rand_check; - if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); - } - } - -int FIPS_mode(void) - { - int ret = 0; - int owning_thread = fips_is_owning_thread(); - - if (fips_is_started()) - { - if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS); - ret = fips_mode; - if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); - } - return ret; - } - -void *FIPS_rand_check(void) +unsigned char *fips_signature_witness(void) { - void *ret = 0; - int owning_thread = fips_is_owning_thread(); - - if (fips_is_started()) - { - if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS); - ret = fips_rand_check; - if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); - } - return ret; + extern unsigned char FIPS_signature[]; + return FIPS_signature; } - #endif /* OPENSSL_FIPS */ diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h index 0d6b9d59f0..6f59e08ca6 100644 --- a/src/lib/libcrypto/cryptlib.h +++ b/src/lib/libcrypto/cryptlib.h @@ -93,6 +93,10 @@ extern "C" { #define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1) #define HEX_SIZE(type) (sizeof(type)*2) +void OPENSSL_showfatal(const char *,...); +void *OPENSSL_stderr(void); +extern int OPENSSL_NONPIC_relocated; + #ifdef __cplusplus } #endif diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h index 4d1dfac7f1..22fd939e65 100644 --- a/src/lib/libcrypto/crypto.h +++ b/src/lib/libcrypto/crypto.h @@ -434,12 +434,9 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb); /* die if we have to */ void OpenSSLDie(const char *file,int line,const char *assertion); -#define OPENSSL_assert(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e)) +#define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1)) #ifdef OPENSSL_FIPS -int FIPS_mode(void); -void *FIPS_rand_check(void); - #define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ alg " previous FIPS forbidden algorithm error ignored"); diff --git a/src/lib/libcrypto/des/des_locl.h b/src/lib/libcrypto/des/des_locl.h index e44e8e98b2..8f04b18c50 100644 --- a/src/lib/libcrypto/des/des_locl.h +++ b/src/lib/libcrypto/des/des_locl.h @@ -421,7 +421,7 @@ PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \ } -OPENSSL_EXTERN const DES_LONG DES_SPtrans[8][64]; +extern const DES_LONG DES_SPtrans[8][64]; void fcrypt_body(DES_LONG *out,DES_key_schedule *ks, DES_LONG Eswap0, DES_LONG Eswap1); diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h index 05851f8429..92c7481e10 100644 --- a/src/lib/libcrypto/dh/dh.h +++ b/src/lib/libcrypto/dh/dh.h @@ -70,7 +70,14 @@ #include #include -#define DH_FLAG_CACHE_MONT_P 0x01 +#define DH_FLAG_CACHE_MONT_P 0x01 +#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH + * implementation now uses constant time + * modular exponentiation for secret exponents + * by default. This flag causes the + * faster variable sliding window method to + * be used for all exponents. + */ #ifdef __cplusplus extern "C" { diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c index c2715044c9..83ccb41221 100644 --- a/src/lib/libcrypto/dh/dh_err.c +++ b/src/lib/libcrypto/dh/dh_err.c @@ -1,6 +1,6 @@ /* crypto/dh/dh_err.c */ /* ==================================================================== - * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,21 +64,25 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DH,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DH,0,reason) + static ERR_STRING_DATA DH_str_functs[]= { -{ERR_PACK(0,DH_F_DHPARAMS_PRINT,0), "DHparams_print"}, -{ERR_PACK(0,DH_F_DHPARAMS_PRINT_FP,0), "DHparams_print_fp"}, -{ERR_PACK(0,DH_F_DH_COMPUTE_KEY,0), "DH_compute_key"}, -{ERR_PACK(0,DH_F_DH_GENERATE_KEY,0), "DH_generate_key"}, -{ERR_PACK(0,DH_F_DH_GENERATE_PARAMETERS,0), "DH_generate_parameters"}, -{ERR_PACK(0,DH_F_DH_NEW_METHOD,0), "DH_new_method"}, +{ERR_FUNC(DH_F_DHPARAMS_PRINT), "DHparams_print"}, +{ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"}, +{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"}, +{ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"}, +{ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS), "DH_generate_parameters"}, +{ERR_FUNC(DH_F_DH_NEW_METHOD), "DH_new_method"}, {0,NULL} }; static ERR_STRING_DATA DH_str_reasons[]= { -{DH_R_BAD_GENERATOR ,"bad generator"}, -{DH_R_NO_PRIVATE_VALUE ,"no private value"}, +{ERR_REASON(DH_R_BAD_GENERATOR) ,"bad generator"}, +{ERR_REASON(DH_R_NO_PRIVATE_VALUE) ,"no private value"}, {0,NULL} }; @@ -92,8 +96,8 @@ void ERR_load_DH_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_DH,DH_str_functs); - ERR_load_strings(ERR_LIB_DH,DH_str_reasons); + ERR_load_strings(0,DH_str_functs); + ERR_load_strings(0,DH_str_reasons); #endif } diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c index ff125c2296..3a39f7c8ca 100644 --- a/src/lib/libcrypto/dh/dh_key.c +++ b/src/lib/libcrypto/dh/dh_key.c @@ -105,7 +105,7 @@ static int generate_key(DH *dh) int generate_new_key=0; unsigned l; BN_CTX *ctx; - BN_MONT_CTX *mont; + BN_MONT_CTX *mont=NULL; BIGNUM *pub_key=NULL,*priv_key=NULL; ctx = BN_CTX_new(); @@ -128,21 +128,37 @@ static int generate_key(DH *dh) else pub_key=dh->pub_key; - if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P)) + + if (dh->flags & DH_FLAG_CACHE_MONT_P) { - if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p, - dh->p,ctx)) goto err; + mont = BN_MONT_CTX_set_locked( + (BN_MONT_CTX **)&dh->method_mont_p, + CRYPTO_LOCK_DH, dh->p, ctx); + if (!mont) + goto err; } - mont=(BN_MONT_CTX *)dh->method_mont_p; if (generate_new_key) { l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */ if (!BN_rand(priv_key, l, 0, 0)) goto err; } - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont)) - goto err; + + { + BIGNUM local_prk; + BIGNUM *prk; + + if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) + { + BN_init(&local_prk); + prk = &local_prk; + BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME); + } + else + prk = priv_key; + + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err; + } dh->pub_key=pub_key; dh->priv_key=priv_key; @@ -160,7 +176,7 @@ err: static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { BN_CTX *ctx; - BN_MONT_CTX *mont; + BN_MONT_CTX *mont=NULL; BIGNUM *tmp; int ret= -1; @@ -174,14 +190,21 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE); goto err; } - if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P)) + + if (dh->flags & DH_FLAG_CACHE_MONT_P) { - if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p, - dh->p,ctx)) goto err; + mont = BN_MONT_CTX_set_locked( + (BN_MONT_CTX **)&dh->method_mont_p, + CRYPTO_LOCK_DH, dh->p, ctx); + if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) + { + /* XXX */ + BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME); + } + if (!mont) + goto err; } - mont=(BN_MONT_CTX *)dh->method_mont_p; if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont)) { DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB); @@ -190,8 +213,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) ret=BN_bn2bin(tmp,key); err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); + if (ctx != NULL) + { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return(ret); } @@ -200,7 +226,10 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { - if (a->top == 1) + /* If a is only one word long and constant time is false, use the faster + * exponenentiation function. + */ + if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) { BN_ULONG A = a->d[0]; return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx); diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod index 40e525dd56..8271d3dfc4 100644 --- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod +++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod @@ -22,7 +22,7 @@ EVP_CIPHER_CTX_set_padding - EVP cipher routines #include - int EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); + void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, ENGINE *impl, unsigned char *key, unsigned char *iv); @@ -236,8 +236,8 @@ RC5 can be set. =head1 RETURN VALUES -EVP_CIPHER_CTX_init, EVP_EncryptInit_ex(), EVP_EncryptUpdate() and -EVP_EncryptFinal_ex() return 1 for success and 0 for failure. +EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex() +return 1 for success and 0 for failure. EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure. EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success. diff --git a/src/lib/libcrypto/doc/OPENSSL_config.pod b/src/lib/libcrypto/doc/OPENSSL_config.pod index 16600620cc..e7bba2aaca 100644 --- a/src/lib/libcrypto/doc/OPENSSL_config.pod +++ b/src/lib/libcrypto/doc/OPENSSL_config.pod @@ -35,7 +35,7 @@ calls OPENSSL_add_all_algorithms() by compiling an application with the preprocessor symbol B #define'd. In this way configuration can be added without source changes. -The environment variable B can be set to specify the location +The environment variable B can be set to specify the location of the configuration file. Currently ASN1 OBJECTs and ENGINE configuration can be performed future diff --git a/src/lib/libcrypto/doc/PKCS7_verify.pod b/src/lib/libcrypto/doc/PKCS7_verify.pod index 07c9fdad40..3490b5dc82 100644 --- a/src/lib/libcrypto/doc/PKCS7_verify.pod +++ b/src/lib/libcrypto/doc/PKCS7_verify.pod @@ -8,7 +8,7 @@ PKCS7_verify - verify a PKCS#7 signedData structure int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags); -int PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags); +STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags); =head1 DESCRIPTION diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h index 225ff391f9..851e3f0445 100644 --- a/src/lib/libcrypto/dsa/dsa.h +++ b/src/lib/libcrypto/dsa/dsa.h @@ -80,6 +80,20 @@ #endif #define DSA_FLAG_CACHE_MONT_P 0x01 +#define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA + * implementation now uses constant time + * modular exponentiation for secret exponents + * by default. This flag causes the + * faster variable sliding window method to + * be used for all exponents. + */ + +/* If this flag is set external DSA_METHOD callbacks are allowed in FIPS mode + * it is then the applications responsibility to ensure the external method + * is compliant. + */ + +#define DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW 0x04 #if defined(OPENSSL_FIPS) #define FIPS_DSA_SIZE_T int diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c index 79aa4ff526..fd42053572 100644 --- a/src/lib/libcrypto/dsa/dsa_err.c +++ b/src/lib/libcrypto/dsa/dsa_err.c @@ -1,6 +1,6 @@ /* crypto/dsa/dsa_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,29 +64,33 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSA,0,reason) + static ERR_STRING_DATA DSA_str_functs[]= { -{ERR_PACK(0,DSA_F_D2I_DSA_SIG,0), "d2i_DSA_SIG"}, -{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT,0), "DSAparams_print"}, -{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0), "DSAparams_print_fp"}, -{ERR_PACK(0,DSA_F_DSA_DO_SIGN,0), "DSA_do_sign"}, -{ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0), "DSA_do_verify"}, -{ERR_PACK(0,DSA_F_DSA_NEW_METHOD,0), "DSA_new_method"}, -{ERR_PACK(0,DSA_F_DSA_PRINT,0), "DSA_print"}, -{ERR_PACK(0,DSA_F_DSA_PRINT_FP,0), "DSA_print_fp"}, -{ERR_PACK(0,DSA_F_DSA_SIGN,0), "DSA_sign"}, -{ERR_PACK(0,DSA_F_DSA_SIGN_SETUP,0), "DSA_sign_setup"}, -{ERR_PACK(0,DSA_F_DSA_SIG_NEW,0), "DSA_SIG_new"}, -{ERR_PACK(0,DSA_F_DSA_VERIFY,0), "DSA_verify"}, -{ERR_PACK(0,DSA_F_I2D_DSA_SIG,0), "i2d_DSA_SIG"}, -{ERR_PACK(0,DSA_F_SIG_CB,0), "SIG_CB"}, +{ERR_FUNC(DSA_F_D2I_DSA_SIG), "d2i_DSA_SIG"}, +{ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, +{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"}, +{ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"}, +{ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"}, +{ERR_FUNC(DSA_F_DSA_NEW_METHOD), "DSA_new_method"}, +{ERR_FUNC(DSA_F_DSA_PRINT), "DSA_print"}, +{ERR_FUNC(DSA_F_DSA_PRINT_FP), "DSA_print_fp"}, +{ERR_FUNC(DSA_F_DSA_SIGN), "DSA_sign"}, +{ERR_FUNC(DSA_F_DSA_SIGN_SETUP), "DSA_sign_setup"}, +{ERR_FUNC(DSA_F_DSA_SIG_NEW), "DSA_SIG_new"}, +{ERR_FUNC(DSA_F_DSA_VERIFY), "DSA_verify"}, +{ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"}, +{ERR_FUNC(DSA_F_SIG_CB), "SIG_CB"}, {0,NULL} }; static ERR_STRING_DATA DSA_str_reasons[]= { -{DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"}, -{DSA_R_MISSING_PARAMETERS ,"missing parameters"}, +{ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"}, +{ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, {0,NULL} }; @@ -100,8 +104,8 @@ void ERR_load_DSA_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_DSA,DSA_str_functs); - ERR_load_strings(ERR_LIB_DSA,DSA_str_reasons); + ERR_load_strings(0,DSA_str_functs); + ERR_load_strings(0,DSA_str_reasons); #endif } diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c index 30607ca579..980b6dc2d3 100644 --- a/src/lib/libcrypto/dsa/dsa_key.c +++ b/src/lib/libcrypto/dsa/dsa_key.c @@ -90,8 +90,22 @@ int DSA_generate_key(DSA *dsa) } else pub_key=dsa->pub_key; + + { + BIGNUM local_prk; + BIGNUM *prk; + + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) + { + BN_init(&local_prk); + prk = &local_prk; + BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME); + } + else + prk = priv_key; - if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err; + if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err; + } dsa->priv_key=priv_key; dsa->pub_key=pub_key; diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c index f1a85afcde..12509a7083 100644 --- a/src/lib/libcrypto/dsa/dsa_ossl.c +++ b/src/lib/libcrypto/dsa/dsa_ossl.c @@ -172,7 +172,7 @@ err: static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { BN_CTX *ctx; - BIGNUM k,*kinv=NULL,*r=NULL; + BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; int ret=0; if (!dsa->p || !dsa->q || !dsa->g) @@ -182,6 +182,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) } BN_init(&k); + BN_init(&kq); if (ctx_in == NULL) { @@ -191,22 +192,49 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) ctx=ctx_in; if ((r=BN_new()) == NULL) goto err; - kinv=NULL; /* Get random k */ do if (!BN_rand_range(&k, dsa->q)) goto err; while (BN_is_zero(&k)); + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) + { + BN_set_flags(&k, BN_FLG_EXP_CONSTTIME); + } - if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p, - dsa->p,ctx)) goto err; + if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p, + CRYPTO_LOCK_DSA, + dsa->p, ctx)) + goto err; } /* Compute r = (g^k mod p) mod q */ - if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx, + + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) + { + if (!BN_copy(&kq, &k)) goto err; + + /* We do not want timing information to leak the length of k, + * so we compute g^k using an equivalent exponent of fixed length. + * + * (This is a kludge that we need because the BN_mod_exp_mont() + * does not let us specify the desired timing behaviour.) */ + + if (!BN_add(&kq, &kq, dsa->q)) goto err; + if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) + { + if (!BN_add(&kq, &kq, dsa->q)) goto err; + } + + K = &kq; + } + else + { + K = &k; + } + if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx, (BN_MONT_CTX *)dsa->method_mont_p)) goto err; if (!BN_mod(r,r,dsa->q,ctx)) goto err; @@ -229,6 +257,7 @@ err: if (ctx_in == NULL) BN_CTX_free(ctx); if (kinv != NULL) BN_clear_free(kinv); BN_clear_free(&k); + BN_clear_free(&kq); return(ret); } @@ -275,13 +304,15 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, /* u2 = r * w mod q */ if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err; - if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) + + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p, - dsa->p,ctx)) goto err; + mont = BN_MONT_CTX_set_locked( + (BN_MONT_CTX **)&dsa->method_mont_p, + CRYPTO_LOCK_DSA, dsa->p, ctx); + if (!mont) + goto err; } - mont=(BN_MONT_CTX *)dsa->method_mont_p; #if 0 { diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c index 3c9753bac3..37c65efb20 100644 --- a/src/lib/libcrypto/dsa/dsa_sign.c +++ b/src/lib/libcrypto/dsa/dsa_sign.c @@ -72,7 +72,8 @@ DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { #ifdef OPENSSL_FIPS - if(FIPS_mode() && !FIPS_dsa_check(dsa)) + if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW) + && !FIPS_dsa_check(dsa)) return NULL; #endif return dsa->meth->dsa_do_sign(dgst, dlen, dsa); @@ -96,7 +97,8 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { #ifdef OPENSSL_FIPS - if(FIPS_mode() && !FIPS_dsa_check(dsa)) + if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW) + && !FIPS_dsa_check(dsa)) return 0; #endif return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c index 8ef0c45025..c9784bed48 100644 --- a/src/lib/libcrypto/dsa/dsa_vrf.c +++ b/src/lib/libcrypto/dsa/dsa_vrf.c @@ -74,7 +74,8 @@ int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { #ifdef OPENSSL_FIPS - if(FIPS_mode() && !FIPS_dsa_check(dsa)) + if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW) + && !FIPS_dsa_check(dsa)) return -1; #endif return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); diff --git a/src/lib/libcrypto/dso/dso_dlfcn.c b/src/lib/libcrypto/dso/dso_dlfcn.c index 9d49ebc253..0422a4859a 100644 --- a/src/lib/libcrypto/dso/dso_dlfcn.c +++ b/src/lib/libcrypto/dso/dso_dlfcn.c @@ -56,6 +56,10 @@ * */ +#ifdef __linux +#define _GNU_SOURCE +#endif + #include #include "cryptlib.h" #include @@ -228,7 +232,7 @@ static void *dlfcn_bind_var(DSO *dso, const char *symname) static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname) { void *ptr; - DSO_FUNC_TYPE sym; + DSO_FUNC_TYPE sym, *tsym = &sym; if((dso == NULL) || (symname == NULL)) { @@ -246,7 +250,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname) DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE); return(NULL); } - sym = (DSO_FUNC_TYPE)dlsym(ptr, symname); + *(void**)(tsym) = dlsym(ptr, symname); if(sym == NULL) { DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE); @@ -290,4 +294,32 @@ static char *dlfcn_name_converter(DSO *dso, const char *filename) return(translated); } +#ifdef OPENSSL_FIPS +static void dlfcn_ref_point(){} + +int DSO_pathbyaddr(void *addr,char *path,int sz) + { + Dl_info dli; + int len; + + if (addr == NULL) + { + union { void(*f)(void); void *p; } t = { dlfcn_ref_point }; + addr = t.p; + } + + if (dladdr(addr,&dli)) + { + len = (int)strlen(dli.dli_fname); + if (sz <= 0) return len+1; + if (len >= sz) len=sz-1; + memcpy(path,dli.dli_fname,len); + path[len++]=0; + return len; + } + + ERR_add_error_data(4, "dlfcn_pathbyaddr(): ", dlerror()); + return -1; + } +#endif #endif /* DSO_DLFCN */ diff --git a/src/lib/libcrypto/dso/dso_err.c b/src/lib/libcrypto/dso/dso_err.c index cf452de1aa..581677cc36 100644 --- a/src/lib/libcrypto/dso/dso_err.c +++ b/src/lib/libcrypto/dso/dso_err.c @@ -1,6 +1,6 @@ /* crypto/dso/dso_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,56 +64,60 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSO,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSO,0,reason) + static ERR_STRING_DATA DSO_str_functs[]= { -{ERR_PACK(0,DSO_F_DLFCN_BIND_FUNC,0), "DLFCN_BIND_FUNC"}, -{ERR_PACK(0,DSO_F_DLFCN_BIND_VAR,0), "DLFCN_BIND_VAR"}, -{ERR_PACK(0,DSO_F_DLFCN_LOAD,0), "DLFCN_LOAD"}, -{ERR_PACK(0,DSO_F_DLFCN_NAME_CONVERTER,0), "DLFCN_NAME_CONVERTER"}, -{ERR_PACK(0,DSO_F_DLFCN_UNLOAD,0), "DLFCN_UNLOAD"}, -{ERR_PACK(0,DSO_F_DL_BIND_FUNC,0), "DL_BIND_FUNC"}, -{ERR_PACK(0,DSO_F_DL_BIND_VAR,0), "DL_BIND_VAR"}, -{ERR_PACK(0,DSO_F_DL_LOAD,0), "DL_LOAD"}, -{ERR_PACK(0,DSO_F_DL_NAME_CONVERTER,0), "DL_NAME_CONVERTER"}, -{ERR_PACK(0,DSO_F_DL_UNLOAD,0), "DL_UNLOAD"}, -{ERR_PACK(0,DSO_F_DSO_BIND_FUNC,0), "DSO_bind_func"}, -{ERR_PACK(0,DSO_F_DSO_BIND_VAR,0), "DSO_bind_var"}, -{ERR_PACK(0,DSO_F_DSO_CONVERT_FILENAME,0), "DSO_convert_filename"}, -{ERR_PACK(0,DSO_F_DSO_CTRL,0), "DSO_ctrl"}, -{ERR_PACK(0,DSO_F_DSO_FREE,0), "DSO_free"}, -{ERR_PACK(0,DSO_F_DSO_GET_FILENAME,0), "DSO_get_filename"}, -{ERR_PACK(0,DSO_F_DSO_GET_LOADED_FILENAME,0), "DSO_get_loaded_filename"}, -{ERR_PACK(0,DSO_F_DSO_LOAD,0), "DSO_load"}, -{ERR_PACK(0,DSO_F_DSO_NEW_METHOD,0), "DSO_new_method"}, -{ERR_PACK(0,DSO_F_DSO_SET_FILENAME,0), "DSO_set_filename"}, -{ERR_PACK(0,DSO_F_DSO_SET_NAME_CONVERTER,0), "DSO_set_name_converter"}, -{ERR_PACK(0,DSO_F_DSO_UP_REF,0), "DSO_up_ref"}, -{ERR_PACK(0,DSO_F_VMS_BIND_VAR,0), "VMS_BIND_VAR"}, -{ERR_PACK(0,DSO_F_VMS_LOAD,0), "VMS_LOAD"}, -{ERR_PACK(0,DSO_F_VMS_UNLOAD,0), "VMS_UNLOAD"}, -{ERR_PACK(0,DSO_F_WIN32_BIND_FUNC,0), "WIN32_BIND_FUNC"}, -{ERR_PACK(0,DSO_F_WIN32_BIND_VAR,0), "WIN32_BIND_VAR"}, -{ERR_PACK(0,DSO_F_WIN32_LOAD,0), "WIN32_LOAD"}, -{ERR_PACK(0,DSO_F_WIN32_NAME_CONVERTER,0), "WIN32_NAME_CONVERTER"}, -{ERR_PACK(0,DSO_F_WIN32_UNLOAD,0), "WIN32_UNLOAD"}, +{ERR_FUNC(DSO_F_DLFCN_BIND_FUNC), "DLFCN_BIND_FUNC"}, +{ERR_FUNC(DSO_F_DLFCN_BIND_VAR), "DLFCN_BIND_VAR"}, +{ERR_FUNC(DSO_F_DLFCN_LOAD), "DLFCN_LOAD"}, +{ERR_FUNC(DSO_F_DLFCN_NAME_CONVERTER), "DLFCN_NAME_CONVERTER"}, +{ERR_FUNC(DSO_F_DLFCN_UNLOAD), "DLFCN_UNLOAD"}, +{ERR_FUNC(DSO_F_DL_BIND_FUNC), "DL_BIND_FUNC"}, +{ERR_FUNC(DSO_F_DL_BIND_VAR), "DL_BIND_VAR"}, +{ERR_FUNC(DSO_F_DL_LOAD), "DL_LOAD"}, +{ERR_FUNC(DSO_F_DL_NAME_CONVERTER), "DL_NAME_CONVERTER"}, +{ERR_FUNC(DSO_F_DL_UNLOAD), "DL_UNLOAD"}, +{ERR_FUNC(DSO_F_DSO_BIND_FUNC), "DSO_bind_func"}, +{ERR_FUNC(DSO_F_DSO_BIND_VAR), "DSO_bind_var"}, +{ERR_FUNC(DSO_F_DSO_CONVERT_FILENAME), "DSO_convert_filename"}, +{ERR_FUNC(DSO_F_DSO_CTRL), "DSO_ctrl"}, +{ERR_FUNC(DSO_F_DSO_FREE), "DSO_free"}, +{ERR_FUNC(DSO_F_DSO_GET_FILENAME), "DSO_get_filename"}, +{ERR_FUNC(DSO_F_DSO_GET_LOADED_FILENAME), "DSO_get_loaded_filename"}, +{ERR_FUNC(DSO_F_DSO_LOAD), "DSO_load"}, +{ERR_FUNC(DSO_F_DSO_NEW_METHOD), "DSO_new_method"}, +{ERR_FUNC(DSO_F_DSO_SET_FILENAME), "DSO_set_filename"}, +{ERR_FUNC(DSO_F_DSO_SET_NAME_CONVERTER), "DSO_set_name_converter"}, +{ERR_FUNC(DSO_F_DSO_UP_REF), "DSO_up_ref"}, +{ERR_FUNC(DSO_F_VMS_BIND_VAR), "VMS_BIND_VAR"}, +{ERR_FUNC(DSO_F_VMS_LOAD), "VMS_LOAD"}, +{ERR_FUNC(DSO_F_VMS_UNLOAD), "VMS_UNLOAD"}, +{ERR_FUNC(DSO_F_WIN32_BIND_FUNC), "WIN32_BIND_FUNC"}, +{ERR_FUNC(DSO_F_WIN32_BIND_VAR), "WIN32_BIND_VAR"}, +{ERR_FUNC(DSO_F_WIN32_LOAD), "WIN32_LOAD"}, +{ERR_FUNC(DSO_F_WIN32_NAME_CONVERTER), "WIN32_NAME_CONVERTER"}, +{ERR_FUNC(DSO_F_WIN32_UNLOAD), "WIN32_UNLOAD"}, {0,NULL} }; static ERR_STRING_DATA DSO_str_reasons[]= { -{DSO_R_CTRL_FAILED ,"control command failed"}, -{DSO_R_DSO_ALREADY_LOADED ,"dso already loaded"}, -{DSO_R_FILENAME_TOO_BIG ,"filename too big"}, -{DSO_R_FINISH_FAILED ,"cleanup method function failed"}, -{DSO_R_LOAD_FAILED ,"could not load the shared library"}, -{DSO_R_NAME_TRANSLATION_FAILED ,"name translation failed"}, -{DSO_R_NO_FILENAME ,"no filename"}, -{DSO_R_NULL_HANDLE ,"a null shared library handle was used"}, -{DSO_R_SET_FILENAME_FAILED ,"set filename failed"}, -{DSO_R_STACK_ERROR ,"the meth_data stack is corrupt"}, -{DSO_R_SYM_FAILURE ,"could not bind to the requested symbol name"}, -{DSO_R_UNLOAD_FAILED ,"could not unload the shared library"}, -{DSO_R_UNSUPPORTED ,"functionality not supported"}, +{ERR_REASON(DSO_R_CTRL_FAILED) ,"control command failed"}, +{ERR_REASON(DSO_R_DSO_ALREADY_LOADED) ,"dso already loaded"}, +{ERR_REASON(DSO_R_FILENAME_TOO_BIG) ,"filename too big"}, +{ERR_REASON(DSO_R_FINISH_FAILED) ,"cleanup method function failed"}, +{ERR_REASON(DSO_R_LOAD_FAILED) ,"could not load the shared library"}, +{ERR_REASON(DSO_R_NAME_TRANSLATION_FAILED),"name translation failed"}, +{ERR_REASON(DSO_R_NO_FILENAME) ,"no filename"}, +{ERR_REASON(DSO_R_NULL_HANDLE) ,"a null shared library handle was used"}, +{ERR_REASON(DSO_R_SET_FILENAME_FAILED) ,"set filename failed"}, +{ERR_REASON(DSO_R_STACK_ERROR) ,"the meth_data stack is corrupt"}, +{ERR_REASON(DSO_R_SYM_FAILURE) ,"could not bind to the requested symbol name"}, +{ERR_REASON(DSO_R_UNLOAD_FAILED) ,"could not unload the shared library"}, +{ERR_REASON(DSO_R_UNSUPPORTED) ,"functionality not supported"}, {0,NULL} }; @@ -127,8 +131,8 @@ void ERR_load_DSO_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_DSO,DSO_str_functs); - ERR_load_strings(ERR_LIB_DSO,DSO_str_reasons); + ERR_load_strings(0,DSO_str_functs); + ERR_load_strings(0,DSO_str_reasons); #endif } diff --git a/src/lib/libcrypto/ec/ec_err.c b/src/lib/libcrypto/ec/ec_err.c index d37b6aba87..5b70f94382 100644 --- a/src/lib/libcrypto/ec/ec_err.c +++ b/src/lib/libcrypto/ec/ec_err.c @@ -1,6 +1,6 @@ /* crypto/ec/ec_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,70 +64,74 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EC,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EC,0,reason) + static ERR_STRING_DATA EC_str_functs[]= { -{ERR_PACK(0,EC_F_COMPUTE_WNAF,0), "COMPUTE_WNAF"}, -{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_DECODE,0), "ec_GFp_mont_field_decode"}, -{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_ENCODE,0), "ec_GFp_mont_field_encode"}, -{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_MUL,0), "ec_GFp_mont_field_mul"}, -{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_SQR,0), "ec_GFp_mont_field_sqr"}, -{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP,0), "ec_GFp_simple_group_set_curve_GFp"}, -{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR,0), "ec_GFp_simple_group_set_generator"}, -{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_MAKE_AFFINE,0), "ec_GFp_simple_make_affine"}, -{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_OCT2POINT,0), "ec_GFp_simple_oct2point"}, -{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT2OCT,0), "ec_GFp_simple_point2oct"}, -{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE,0), "ec_GFp_simple_points_make_affine"}, -{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP,0), "ec_GFp_simple_point_get_affine_coordinates_GFp"}, -{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP,0), "ec_GFp_simple_point_set_affine_coordinates_GFp"}, -{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP,0), "ec_GFp_simple_set_compressed_coordinates_GFp"}, -{ERR_PACK(0,EC_F_EC_GROUP_COPY,0), "EC_GROUP_copy"}, -{ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0), "EC_GROUP_get0_generator"}, -{ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0), "EC_GROUP_get_cofactor"}, -{ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0), "EC_GROUP_get_curve_GFp"}, -{ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0), "EC_GROUP_get_order"}, -{ERR_PACK(0,EC_F_EC_GROUP_NEW,0), "EC_GROUP_new"}, -{ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0), "EC_GROUP_precompute_mult"}, -{ERR_PACK(0,EC_F_EC_GROUP_SET_CURVE_GFP,0), "EC_GROUP_set_curve_GFp"}, -{ERR_PACK(0,EC_F_EC_GROUP_SET_EXTRA_DATA,0), "EC_GROUP_set_extra_data"}, -{ERR_PACK(0,EC_F_EC_GROUP_SET_GENERATOR,0), "EC_GROUP_set_generator"}, -{ERR_PACK(0,EC_F_EC_POINTS_MAKE_AFFINE,0), "EC_POINTs_make_affine"}, -{ERR_PACK(0,EC_F_EC_POINTS_MUL,0), "EC_POINTs_mul"}, -{ERR_PACK(0,EC_F_EC_POINT_ADD,0), "EC_POINT_add"}, -{ERR_PACK(0,EC_F_EC_POINT_CMP,0), "EC_POINT_cmp"}, -{ERR_PACK(0,EC_F_EC_POINT_COPY,0), "EC_POINT_copy"}, -{ERR_PACK(0,EC_F_EC_POINT_DBL,0), "EC_POINT_dbl"}, -{ERR_PACK(0,EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,0), "EC_POINT_get_affine_coordinates_GFp"}, -{ERR_PACK(0,EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP,0), "EC_POINT_get_Jprojective_coordinates_GFp"}, -{ERR_PACK(0,EC_F_EC_POINT_IS_AT_INFINITY,0), "EC_POINT_is_at_infinity"}, -{ERR_PACK(0,EC_F_EC_POINT_IS_ON_CURVE,0), "EC_POINT_is_on_curve"}, -{ERR_PACK(0,EC_F_EC_POINT_MAKE_AFFINE,0), "EC_POINT_make_affine"}, -{ERR_PACK(0,EC_F_EC_POINT_NEW,0), "EC_POINT_new"}, -{ERR_PACK(0,EC_F_EC_POINT_OCT2POINT,0), "EC_POINT_oct2point"}, -{ERR_PACK(0,EC_F_EC_POINT_POINT2OCT,0), "EC_POINT_point2oct"}, -{ERR_PACK(0,EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,0), "EC_POINT_set_affine_coordinates_GFp"}, -{ERR_PACK(0,EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,0), "EC_POINT_set_compressed_coordinates_GFp"}, -{ERR_PACK(0,EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,0), "EC_POINT_set_Jprojective_coordinates_GFp"}, -{ERR_PACK(0,EC_F_EC_POINT_SET_TO_INFINITY,0), "EC_POINT_set_to_infinity"}, -{ERR_PACK(0,EC_F_GFP_MONT_GROUP_SET_CURVE_GFP,0), "GFP_MONT_GROUP_SET_CURVE_GFP"}, +{ERR_FUNC(EC_F_COMPUTE_WNAF), "COMPUTE_WNAF"}, +{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_DECODE), "ec_GFp_mont_field_decode"}, +{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_ENCODE), "ec_GFp_mont_field_encode"}, +{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_MUL), "ec_GFp_mont_field_mul"}, +{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SQR), "ec_GFp_mont_field_sqr"}, +{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP), "ec_GFp_simple_group_set_curve_GFp"}, +{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR), "ec_GFp_simple_group_set_generator"}, +{ERR_FUNC(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE), "ec_GFp_simple_make_affine"}, +{ERR_FUNC(EC_F_EC_GFP_SIMPLE_OCT2POINT), "ec_GFp_simple_oct2point"}, +{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT2OCT), "ec_GFp_simple_point2oct"}, +{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE), "ec_GFp_simple_points_make_affine"}, +{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP), "ec_GFp_simple_point_get_affine_coordinates_GFp"}, +{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP), "ec_GFp_simple_point_set_affine_coordinates_GFp"}, +{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP), "ec_GFp_simple_set_compressed_coordinates_GFp"}, +{ERR_FUNC(EC_F_EC_GROUP_COPY), "EC_GROUP_copy"}, +{ERR_FUNC(EC_F_EC_GROUP_GET0_GENERATOR), "EC_GROUP_get0_generator"}, +{ERR_FUNC(EC_F_EC_GROUP_GET_COFACTOR), "EC_GROUP_get_cofactor"}, +{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GFP), "EC_GROUP_get_curve_GFp"}, +{ERR_FUNC(EC_F_EC_GROUP_GET_ORDER), "EC_GROUP_get_order"}, +{ERR_FUNC(EC_F_EC_GROUP_NEW), "EC_GROUP_new"}, +{ERR_FUNC(EC_F_EC_GROUP_PRECOMPUTE_MULT), "EC_GROUP_precompute_mult"}, +{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GFP), "EC_GROUP_set_curve_GFp"}, +{ERR_FUNC(EC_F_EC_GROUP_SET_EXTRA_DATA), "EC_GROUP_set_extra_data"}, +{ERR_FUNC(EC_F_EC_GROUP_SET_GENERATOR), "EC_GROUP_set_generator"}, +{ERR_FUNC(EC_F_EC_POINTS_MAKE_AFFINE), "EC_POINTs_make_affine"}, +{ERR_FUNC(EC_F_EC_POINTS_MUL), "EC_POINTs_mul"}, +{ERR_FUNC(EC_F_EC_POINT_ADD), "EC_POINT_add"}, +{ERR_FUNC(EC_F_EC_POINT_CMP), "EC_POINT_cmp"}, +{ERR_FUNC(EC_F_EC_POINT_COPY), "EC_POINT_copy"}, +{ERR_FUNC(EC_F_EC_POINT_DBL), "EC_POINT_dbl"}, +{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP), "EC_POINT_get_affine_coordinates_GFp"}, +{ERR_FUNC(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_get_Jprojective_coordinates_GFp"}, +{ERR_FUNC(EC_F_EC_POINT_IS_AT_INFINITY), "EC_POINT_is_at_infinity"}, +{ERR_FUNC(EC_F_EC_POINT_IS_ON_CURVE), "EC_POINT_is_on_curve"}, +{ERR_FUNC(EC_F_EC_POINT_MAKE_AFFINE), "EC_POINT_make_affine"}, +{ERR_FUNC(EC_F_EC_POINT_NEW), "EC_POINT_new"}, +{ERR_FUNC(EC_F_EC_POINT_OCT2POINT), "EC_POINT_oct2point"}, +{ERR_FUNC(EC_F_EC_POINT_POINT2OCT), "EC_POINT_point2oct"}, +{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP), "EC_POINT_set_affine_coordinates_GFp"}, +{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP), "EC_POINT_set_compressed_coordinates_GFp"}, +{ERR_FUNC(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP), "EC_POINT_set_Jprojective_coordinates_GFp"}, +{ERR_FUNC(EC_F_EC_POINT_SET_TO_INFINITY), "EC_POINT_set_to_infinity"}, +{ERR_FUNC(EC_F_GFP_MONT_GROUP_SET_CURVE_GFP), "GFP_MONT_GROUP_SET_CURVE_GFP"}, {0,NULL} }; static ERR_STRING_DATA EC_str_reasons[]= { -{EC_R_BUFFER_TOO_SMALL ,"buffer too small"}, -{EC_R_INCOMPATIBLE_OBJECTS ,"incompatible objects"}, -{EC_R_INVALID_ARGUMENT ,"invalid argument"}, -{EC_R_INVALID_COMPRESSED_POINT ,"invalid compressed point"}, -{EC_R_INVALID_COMPRESSION_BIT ,"invalid compression bit"}, -{EC_R_INVALID_ENCODING ,"invalid encoding"}, -{EC_R_INVALID_FIELD ,"invalid field"}, -{EC_R_INVALID_FORM ,"invalid form"}, -{EC_R_NOT_INITIALIZED ,"not initialized"}, -{EC_R_POINT_AT_INFINITY ,"point at infinity"}, -{EC_R_POINT_IS_NOT_ON_CURVE ,"point is not on curve"}, -{EC_R_SLOT_FULL ,"slot full"}, -{EC_R_UNDEFINED_GENERATOR ,"undefined generator"}, -{EC_R_UNKNOWN_ORDER ,"unknown order"}, +{ERR_REASON(EC_R_BUFFER_TOO_SMALL) ,"buffer too small"}, +{ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS) ,"incompatible objects"}, +{ERR_REASON(EC_R_INVALID_ARGUMENT) ,"invalid argument"}, +{ERR_REASON(EC_R_INVALID_COMPRESSED_POINT),"invalid compressed point"}, +{ERR_REASON(EC_R_INVALID_COMPRESSION_BIT),"invalid compression bit"}, +{ERR_REASON(EC_R_INVALID_ENCODING) ,"invalid encoding"}, +{ERR_REASON(EC_R_INVALID_FIELD) ,"invalid field"}, +{ERR_REASON(EC_R_INVALID_FORM) ,"invalid form"}, +{ERR_REASON(EC_R_NOT_INITIALIZED) ,"not initialized"}, +{ERR_REASON(EC_R_POINT_AT_INFINITY) ,"point at infinity"}, +{ERR_REASON(EC_R_POINT_IS_NOT_ON_CURVE) ,"point is not on curve"}, +{ERR_REASON(EC_R_SLOT_FULL) ,"slot full"}, +{ERR_REASON(EC_R_UNDEFINED_GENERATOR) ,"undefined generator"}, +{ERR_REASON(EC_R_UNKNOWN_ORDER) ,"unknown order"}, {0,NULL} }; @@ -141,8 +145,8 @@ void ERR_load_EC_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_EC,EC_str_functs); - ERR_load_strings(ERR_LIB_EC,EC_str_reasons); + ERR_load_strings(0,EC_str_functs); + ERR_load_strings(0,EC_str_reasons); #endif } diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c index cdf670901a..4225760af1 100644 --- a/src/lib/libcrypto/engine/eng_cnf.c +++ b/src/lib/libcrypto/engine/eng_cnf.c @@ -158,7 +158,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf) */ if (!strcmp(ctrlvalue, "EMPTY")) ctrlvalue = NULL; - else if (!strcmp(ctrlname, "init")) + if (!strcmp(ctrlname, "init")) { if (!NCONF_get_number_e(cnf, value, "init", &do_init)) goto err; diff --git a/src/lib/libcrypto/engine/eng_err.c b/src/lib/libcrypto/engine/eng_err.c index 814d95ee32..fdc0e7be0f 100644 --- a/src/lib/libcrypto/engine/eng_err.c +++ b/src/lib/libcrypto/engine/eng_err.c @@ -1,6 +1,6 @@ /* crypto/engine/eng_err.c */ /* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,87 +64,91 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ENGINE,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ENGINE,0,reason) + static ERR_STRING_DATA ENGINE_str_functs[]= { -{ERR_PACK(0,ENGINE_F_DYNAMIC_CTRL,0), "DYNAMIC_CTRL"}, -{ERR_PACK(0,ENGINE_F_DYNAMIC_GET_DATA_CTX,0), "DYNAMIC_GET_DATA_CTX"}, -{ERR_PACK(0,ENGINE_F_DYNAMIC_LOAD,0), "DYNAMIC_LOAD"}, -{ERR_PACK(0,ENGINE_F_ENGINE_ADD,0), "ENGINE_add"}, -{ERR_PACK(0,ENGINE_F_ENGINE_BY_ID,0), "ENGINE_by_id"}, -{ERR_PACK(0,ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,0), "ENGINE_cmd_is_executable"}, -{ERR_PACK(0,ENGINE_F_ENGINE_CTRL,0), "ENGINE_ctrl"}, -{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD,0), "ENGINE_ctrl_cmd"}, -{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD_STRING,0), "ENGINE_ctrl_cmd_string"}, -{ERR_PACK(0,ENGINE_F_ENGINE_FINISH,0), "ENGINE_finish"}, -{ERR_PACK(0,ENGINE_F_ENGINE_FREE,0), "ENGINE_free"}, -{ERR_PACK(0,ENGINE_F_ENGINE_GET_CIPHER,0), "ENGINE_get_cipher"}, -{ERR_PACK(0,ENGINE_F_ENGINE_GET_DEFAULT_TYPE,0), "ENGINE_GET_DEFAULT_TYPE"}, -{ERR_PACK(0,ENGINE_F_ENGINE_GET_DIGEST,0), "ENGINE_get_digest"}, -{ERR_PACK(0,ENGINE_F_ENGINE_GET_NEXT,0), "ENGINE_get_next"}, -{ERR_PACK(0,ENGINE_F_ENGINE_GET_PREV,0), "ENGINE_get_prev"}, -{ERR_PACK(0,ENGINE_F_ENGINE_INIT,0), "ENGINE_init"}, -{ERR_PACK(0,ENGINE_F_ENGINE_LIST_ADD,0), "ENGINE_LIST_ADD"}, -{ERR_PACK(0,ENGINE_F_ENGINE_LIST_REMOVE,0), "ENGINE_LIST_REMOVE"}, -{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,0), "ENGINE_load_private_key"}, -{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,0), "ENGINE_load_public_key"}, -{ERR_PACK(0,ENGINE_F_ENGINE_MODULE_INIT,0), "ENGINE_MODULE_INIT"}, -{ERR_PACK(0,ENGINE_F_ENGINE_NEW,0), "ENGINE_new"}, -{ERR_PACK(0,ENGINE_F_ENGINE_REMOVE,0), "ENGINE_remove"}, -{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_STRING,0), "ENGINE_set_default_string"}, -{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_TYPE,0), "ENGINE_SET_DEFAULT_TYPE"}, -{ERR_PACK(0,ENGINE_F_ENGINE_SET_ID,0), "ENGINE_set_id"}, -{ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0), "ENGINE_set_name"}, -{ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0), "ENGINE_TABLE_REGISTER"}, -{ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0), "ENGINE_UNLOAD_KEY"}, -{ERR_PACK(0,ENGINE_F_ENGINE_UP_REF,0), "ENGINE_up_ref"}, -{ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0), "INT_CTRL_HELPER"}, -{ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0), "INT_ENGINE_CONFIGURE"}, -{ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0), "LOG_MESSAGE"}, -{ERR_PACK(0,ENGINE_F_SET_DATA_CTX,0), "SET_DATA_CTX"}, +{ERR_FUNC(ENGINE_F_DYNAMIC_CTRL), "DYNAMIC_CTRL"}, +{ERR_FUNC(ENGINE_F_DYNAMIC_GET_DATA_CTX), "DYNAMIC_GET_DATA_CTX"}, +{ERR_FUNC(ENGINE_F_DYNAMIC_LOAD), "DYNAMIC_LOAD"}, +{ERR_FUNC(ENGINE_F_ENGINE_ADD), "ENGINE_add"}, +{ERR_FUNC(ENGINE_F_ENGINE_BY_ID), "ENGINE_by_id"}, +{ERR_FUNC(ENGINE_F_ENGINE_CMD_IS_EXECUTABLE), "ENGINE_cmd_is_executable"}, +{ERR_FUNC(ENGINE_F_ENGINE_CTRL), "ENGINE_ctrl"}, +{ERR_FUNC(ENGINE_F_ENGINE_CTRL_CMD), "ENGINE_ctrl_cmd"}, +{ERR_FUNC(ENGINE_F_ENGINE_CTRL_CMD_STRING), "ENGINE_ctrl_cmd_string"}, +{ERR_FUNC(ENGINE_F_ENGINE_FINISH), "ENGINE_finish"}, +{ERR_FUNC(ENGINE_F_ENGINE_FREE), "ENGINE_free"}, +{ERR_FUNC(ENGINE_F_ENGINE_GET_CIPHER), "ENGINE_get_cipher"}, +{ERR_FUNC(ENGINE_F_ENGINE_GET_DEFAULT_TYPE), "ENGINE_GET_DEFAULT_TYPE"}, +{ERR_FUNC(ENGINE_F_ENGINE_GET_DIGEST), "ENGINE_get_digest"}, +{ERR_FUNC(ENGINE_F_ENGINE_GET_NEXT), "ENGINE_get_next"}, +{ERR_FUNC(ENGINE_F_ENGINE_GET_PREV), "ENGINE_get_prev"}, +{ERR_FUNC(ENGINE_F_ENGINE_INIT), "ENGINE_init"}, +{ERR_FUNC(ENGINE_F_ENGINE_LIST_ADD), "ENGINE_LIST_ADD"}, +{ERR_FUNC(ENGINE_F_ENGINE_LIST_REMOVE), "ENGINE_LIST_REMOVE"}, +{ERR_FUNC(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY), "ENGINE_load_private_key"}, +{ERR_FUNC(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY), "ENGINE_load_public_key"}, +{ERR_FUNC(ENGINE_F_ENGINE_MODULE_INIT), "ENGINE_MODULE_INIT"}, +{ERR_FUNC(ENGINE_F_ENGINE_NEW), "ENGINE_new"}, +{ERR_FUNC(ENGINE_F_ENGINE_REMOVE), "ENGINE_remove"}, +{ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_STRING), "ENGINE_set_default_string"}, +{ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_TYPE), "ENGINE_SET_DEFAULT_TYPE"}, +{ERR_FUNC(ENGINE_F_ENGINE_SET_ID), "ENGINE_set_id"}, +{ERR_FUNC(ENGINE_F_ENGINE_SET_NAME), "ENGINE_set_name"}, +{ERR_FUNC(ENGINE_F_ENGINE_TABLE_REGISTER), "ENGINE_TABLE_REGISTER"}, +{ERR_FUNC(ENGINE_F_ENGINE_UNLOAD_KEY), "ENGINE_UNLOAD_KEY"}, +{ERR_FUNC(ENGINE_F_ENGINE_UP_REF), "ENGINE_up_ref"}, +{ERR_FUNC(ENGINE_F_INT_CTRL_HELPER), "INT_CTRL_HELPER"}, +{ERR_FUNC(ENGINE_F_INT_ENGINE_CONFIGURE), "INT_ENGINE_CONFIGURE"}, +{ERR_FUNC(ENGINE_F_LOG_MESSAGE), "LOG_MESSAGE"}, +{ERR_FUNC(ENGINE_F_SET_DATA_CTX), "SET_DATA_CTX"}, {0,NULL} }; static ERR_STRING_DATA ENGINE_str_reasons[]= { -{ENGINE_R_ALREADY_LOADED ,"already loaded"}, -{ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER ,"argument is not a number"}, -{ENGINE_R_CMD_NOT_EXECUTABLE ,"cmd not executable"}, -{ENGINE_R_COMMAND_TAKES_INPUT ,"command takes input"}, -{ENGINE_R_COMMAND_TAKES_NO_INPUT ,"command takes no input"}, -{ENGINE_R_CONFLICTING_ENGINE_ID ,"conflicting engine id"}, -{ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED ,"ctrl command not implemented"}, -{ENGINE_R_DH_NOT_IMPLEMENTED ,"dh not implemented"}, -{ENGINE_R_DSA_NOT_IMPLEMENTED ,"dsa not implemented"}, -{ENGINE_R_DSO_FAILURE ,"DSO failure"}, -{ENGINE_R_DSO_NOT_FOUND ,"dso not found"}, -{ENGINE_R_ENGINES_SECTION_ERROR ,"engines section error"}, -{ENGINE_R_ENGINE_IS_NOT_IN_LIST ,"engine is not in the list"}, -{ENGINE_R_ENGINE_SECTION_ERROR ,"engine section error"}, -{ENGINE_R_FAILED_LOADING_PRIVATE_KEY ,"failed loading private key"}, -{ENGINE_R_FAILED_LOADING_PUBLIC_KEY ,"failed loading public key"}, -{ENGINE_R_FINISH_FAILED ,"finish failed"}, -{ENGINE_R_GET_HANDLE_FAILED ,"could not obtain hardware handle"}, -{ENGINE_R_ID_OR_NAME_MISSING ,"'id' or 'name' missing"}, -{ENGINE_R_INIT_FAILED ,"init failed"}, -{ENGINE_R_INTERNAL_LIST_ERROR ,"internal list error"}, -{ENGINE_R_INVALID_ARGUMENT ,"invalid argument"}, -{ENGINE_R_INVALID_CMD_NAME ,"invalid cmd name"}, -{ENGINE_R_INVALID_CMD_NUMBER ,"invalid cmd number"}, -{ENGINE_R_INVALID_INIT_VALUE ,"invalid init value"}, -{ENGINE_R_INVALID_STRING ,"invalid string"}, -{ENGINE_R_NOT_INITIALISED ,"not initialised"}, -{ENGINE_R_NOT_LOADED ,"not loaded"}, -{ENGINE_R_NO_CONTROL_FUNCTION ,"no control function"}, -{ENGINE_R_NO_INDEX ,"no index"}, -{ENGINE_R_NO_LOAD_FUNCTION ,"no load function"}, -{ENGINE_R_NO_REFERENCE ,"no reference"}, -{ENGINE_R_NO_SUCH_ENGINE ,"no such engine"}, -{ENGINE_R_NO_UNLOAD_FUNCTION ,"no unload function"}, -{ENGINE_R_PROVIDE_PARAMETERS ,"provide parameters"}, -{ENGINE_R_RSA_NOT_IMPLEMENTED ,"rsa not implemented"}, -{ENGINE_R_UNIMPLEMENTED_CIPHER ,"unimplemented cipher"}, -{ENGINE_R_UNIMPLEMENTED_DIGEST ,"unimplemented digest"}, -{ENGINE_R_VERSION_INCOMPATIBILITY ,"version incompatibility"}, +{ERR_REASON(ENGINE_R_ALREADY_LOADED) ,"already loaded"}, +{ERR_REASON(ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER),"argument is not a number"}, +{ERR_REASON(ENGINE_R_CMD_NOT_EXECUTABLE) ,"cmd not executable"}, +{ERR_REASON(ENGINE_R_COMMAND_TAKES_INPUT),"command takes input"}, +{ERR_REASON(ENGINE_R_COMMAND_TAKES_NO_INPUT),"command takes no input"}, +{ERR_REASON(ENGINE_R_CONFLICTING_ENGINE_ID),"conflicting engine id"}, +{ERR_REASON(ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"}, +{ERR_REASON(ENGINE_R_DH_NOT_IMPLEMENTED) ,"dh not implemented"}, +{ERR_REASON(ENGINE_R_DSA_NOT_IMPLEMENTED),"dsa not implemented"}, +{ERR_REASON(ENGINE_R_DSO_FAILURE) ,"DSO failure"}, +{ERR_REASON(ENGINE_R_DSO_NOT_FOUND) ,"dso not found"}, +{ERR_REASON(ENGINE_R_ENGINES_SECTION_ERROR),"engines section error"}, +{ERR_REASON(ENGINE_R_ENGINE_IS_NOT_IN_LIST),"engine is not in the list"}, +{ERR_REASON(ENGINE_R_ENGINE_SECTION_ERROR),"engine section error"}, +{ERR_REASON(ENGINE_R_FAILED_LOADING_PRIVATE_KEY),"failed loading private key"}, +{ERR_REASON(ENGINE_R_FAILED_LOADING_PUBLIC_KEY),"failed loading public key"}, +{ERR_REASON(ENGINE_R_FINISH_FAILED) ,"finish failed"}, +{ERR_REASON(ENGINE_R_GET_HANDLE_FAILED) ,"could not obtain hardware handle"}, +{ERR_REASON(ENGINE_R_ID_OR_NAME_MISSING) ,"'id' or 'name' missing"}, +{ERR_REASON(ENGINE_R_INIT_FAILED) ,"init failed"}, +{ERR_REASON(ENGINE_R_INTERNAL_LIST_ERROR),"internal list error"}, +{ERR_REASON(ENGINE_R_INVALID_ARGUMENT) ,"invalid argument"}, +{ERR_REASON(ENGINE_R_INVALID_CMD_NAME) ,"invalid cmd name"}, +{ERR_REASON(ENGINE_R_INVALID_CMD_NUMBER) ,"invalid cmd number"}, +{ERR_REASON(ENGINE_R_INVALID_INIT_VALUE) ,"invalid init value"}, +{ERR_REASON(ENGINE_R_INVALID_STRING) ,"invalid string"}, +{ERR_REASON(ENGINE_R_NOT_INITIALISED) ,"not initialised"}, +{ERR_REASON(ENGINE_R_NOT_LOADED) ,"not loaded"}, +{ERR_REASON(ENGINE_R_NO_CONTROL_FUNCTION),"no control function"}, +{ERR_REASON(ENGINE_R_NO_INDEX) ,"no index"}, +{ERR_REASON(ENGINE_R_NO_LOAD_FUNCTION) ,"no load function"}, +{ERR_REASON(ENGINE_R_NO_REFERENCE) ,"no reference"}, +{ERR_REASON(ENGINE_R_NO_SUCH_ENGINE) ,"no such engine"}, +{ERR_REASON(ENGINE_R_NO_UNLOAD_FUNCTION) ,"no unload function"}, +{ERR_REASON(ENGINE_R_PROVIDE_PARAMETERS) ,"provide parameters"}, +{ERR_REASON(ENGINE_R_RSA_NOT_IMPLEMENTED),"rsa not implemented"}, +{ERR_REASON(ENGINE_R_UNIMPLEMENTED_CIPHER),"unimplemented cipher"}, +{ERR_REASON(ENGINE_R_UNIMPLEMENTED_DIGEST),"unimplemented digest"}, +{ERR_REASON(ENGINE_R_VERSION_INCOMPATIBILITY),"version incompatibility"}, {0,NULL} }; @@ -158,8 +162,8 @@ void ERR_load_ENGINE_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_functs); - ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_reasons); + ERR_load_strings(0,ENGINE_str_functs); + ERR_load_strings(0,ENGINE_str_reasons); #endif } diff --git a/src/lib/libcrypto/engine/tb_dsa.c b/src/lib/libcrypto/engine/tb_dsa.c index 80170591f2..7efe181927 100644 --- a/src/lib/libcrypto/engine/tb_dsa.c +++ b/src/lib/libcrypto/engine/tb_dsa.c @@ -94,7 +94,7 @@ int ENGINE_set_default_DSA(ENGINE *e) { if(e->dsa_meth) return engine_table_register(&dsa_table, - engine_unregister_all_DSA, e, &dummy_nid, 1, 0); + engine_unregister_all_DSA, e, &dummy_nid, 1, 1); return 1; } diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c index c78790a54c..53687d79ab 100644 --- a/src/lib/libcrypto/err/err.c +++ b/src/lib/libcrypto/err/err.c @@ -621,7 +621,8 @@ static void err_load_strings(int lib, ERR_STRING_DATA *str) { while (str->error) { - str->error|=ERR_PACK(lib,0,0); + if (lib) + str->error|=ERR_PACK(lib,0,0); ERRFN(err_set_item)(str); str++; } @@ -637,7 +638,8 @@ void ERR_unload_strings(int lib, ERR_STRING_DATA *str) { while (str->error) { - str->error|=ERR_PACK(lib,0,0); + if (lib) + str->error|=ERR_PACK(lib,0,0); ERRFN(err_del_item)(str); str++; } diff --git a/src/lib/libcrypto/err/openssl.ec b/src/lib/libcrypto/err/openssl.ec index 447a7f87ed..f8cd6937e7 100644 --- a/src/lib/libcrypto/err/openssl.ec +++ b/src/lib/libcrypto/err/openssl.ec @@ -27,7 +27,7 @@ L DSO crypto/dso/dso.h crypto/dso/dso_err.c L ENGINE crypto/engine/engine.h crypto/engine/eng_err.c L OCSP crypto/ocsp/ocsp.h crypto/ocsp/ocsp_err.c L UI crypto/ui/ui.h crypto/ui/ui_err.c -L FIPS fips/fips.h fips/fips_err.h +L FIPS fips-1.0/fips.h fips-1.0/fips_err.h # additional header files to be scanned for function names L NONE crypto/x509/x509_vfy.h NONE diff --git a/src/lib/libcrypto/evp/bio_enc.c b/src/lib/libcrypto/evp/bio_enc.c index ab81851503..b8cda1a9f0 100644 --- a/src/lib/libcrypto/evp/bio_enc.c +++ b/src/lib/libcrypto/evp/bio_enc.c @@ -71,7 +71,7 @@ static int enc_new(BIO *h); static int enc_free(BIO *data); static long enc_callback_ctrl(BIO *h, int cmd, bio_info_cb *fps); #define ENC_BLOCK_SIZE (1024*4) -#define BUF_OFFSET EVP_MAX_BLOCK_LENGTH +#define BUF_OFFSET (EVP_MAX_BLOCK_LENGTH*2) typedef struct enc_struct { diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c index f35036c9d7..7b67984fa1 100644 --- a/src/lib/libcrypto/evp/e_aes.c +++ b/src/lib/libcrypto/evp/e_aes.c @@ -86,9 +86,9 @@ IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY, #define IMPLEMENT_AES_CFBR(ksize,cbits,flags) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags) -IMPLEMENT_AES_CFBR(128,1,0) -IMPLEMENT_AES_CFBR(192,1,0) -IMPLEMENT_AES_CFBR(256,1,0) +IMPLEMENT_AES_CFBR(128,1,EVP_CIPH_FLAG_FIPS) +IMPLEMENT_AES_CFBR(192,1,EVP_CIPH_FLAG_FIPS) +IMPLEMENT_AES_CFBR(256,1,EVP_CIPH_FLAG_FIPS) IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS) IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS) diff --git a/src/lib/libcrypto/evp/encode.c b/src/lib/libcrypto/evp/encode.c index 08209357ce..33e540087d 100644 --- a/src/lib/libcrypto/evp/encode.c +++ b/src/lib/libcrypto/evp/encode.c @@ -313,7 +313,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, /* There will never be more than two '=' */ } - if ((v == B64_EOF) || (n >= 64)) + if ((v == B64_EOF && (n&3) == 0) || (n >= 64)) { /* This is needed to work correctly on 64 byte input * lines. We process the line and then need to diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h index 5cde88ae76..56eec23fef 100644 --- a/src/lib/libcrypto/evp/evp.h +++ b/src/lib/libcrypto/evp/evp.h @@ -84,7 +84,11 @@ #include #endif #ifndef OPENSSL_NO_SHA +#ifndef OPENSSL_FIPS #include +#else +#include +#endif #endif #ifndef OPENSSL_NO_RIPEMD #include @@ -128,7 +132,11 @@ #define EVP_CAST5_KEY_SIZE 16 #define EVP_RC5_32_12_16_KEY_SIZE 16 */ -#define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */ +#ifdef OPENSSL_FIPS +#define EVP_MAX_MD_SIZE 64 /* longest known SHA512 */ +#else +#define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */ +#endif #define EVP_MAX_KEY_LENGTH 32 #define EVP_MAX_IV_LENGTH 16 #define EVP_MAX_BLOCK_LENGTH 32 @@ -642,6 +650,16 @@ const EVP_MD *EVP_sha(void); const EVP_MD *EVP_sha1(void); const EVP_MD *EVP_dss(void); const EVP_MD *EVP_dss1(void); +#ifdef OPENSSL_FIPS +#ifndef OPENSSL_NO_SHA256 +const EVP_MD *EVP_sha224(void); +const EVP_MD *EVP_sha256(void); +#endif +#ifndef OPENSSL_NO_SHA512 +const EVP_MD *EVP_sha384(void); +const EVP_MD *EVP_sha512(void); +#endif +#endif #endif #ifndef OPENSSL_NO_MDC2 const EVP_MD *EVP_mdc2(void); diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c index 40135d0729..77eee070d3 100644 --- a/src/lib/libcrypto/evp/evp_err.c +++ b/src/lib/libcrypto/evp/evp_err.c @@ -64,88 +64,92 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EVP,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EVP,0,reason) + static ERR_STRING_DATA EVP_str_functs[]= { -{ERR_PACK(0,EVP_F_AES_INIT_KEY,0), "AES_INIT_KEY"}, -{ERR_PACK(0,EVP_F_D2I_PKEY,0), "D2I_PKEY"}, -{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0), "EVP_add_cipher"}, -{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0), "EVP_add_digest"}, -{ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0), "EVP_CipherInit"}, -{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0), "EVP_CIPHER_CTX_ctrl"}, -{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0), "EVP_CIPHER_CTX_set_key_length"}, -{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0), "EVP_DecryptFinal"}, -{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0), "EVP_DigestInit"}, -{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0), "EVP_EncryptFinal"}, -{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0), "EVP_get_cipherbyname"}, -{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0), "EVP_get_digestbyname"}, -{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0), "EVP_MD_CTX_copy"}, -{ERR_PACK(0,EVP_F_EVP_OPENINIT,0), "EVP_OpenInit"}, -{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0), "EVP_PBE_alg_add"}, -{ERR_PACK(0,EVP_F_EVP_PBE_CIPHERINIT,0), "EVP_PBE_CipherInit"}, -{ERR_PACK(0,EVP_F_EVP_PKCS82PKEY,0), "EVP_PKCS82PKEY"}, -{ERR_PACK(0,EVP_F_EVP_PKCS8_SET_BROKEN,0), "EVP_PKCS8_SET_BROKEN"}, -{ERR_PACK(0,EVP_F_EVP_PKEY2PKCS8,0), "EVP_PKEY2PKCS8"}, -{ERR_PACK(0,EVP_F_EVP_PKEY_COPY_PARAMETERS,0), "EVP_PKEY_copy_parameters"}, -{ERR_PACK(0,EVP_F_EVP_PKEY_DECRYPT,0), "EVP_PKEY_decrypt"}, -{ERR_PACK(0,EVP_F_EVP_PKEY_ENCRYPT,0), "EVP_PKEY_encrypt"}, -{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DH,0), "EVP_PKEY_get1_DH"}, -{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DSA,0), "EVP_PKEY_get1_DSA"}, -{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_RSA,0), "EVP_PKEY_get1_RSA"}, -{ERR_PACK(0,EVP_F_EVP_PKEY_NEW,0), "EVP_PKEY_new"}, -{ERR_PACK(0,EVP_F_EVP_RIJNDAEL,0), "EVP_RIJNDAEL"}, -{ERR_PACK(0,EVP_F_EVP_SIGNFINAL,0), "EVP_SignFinal"}, -{ERR_PACK(0,EVP_F_EVP_VERIFYFINAL,0), "EVP_VerifyFinal"}, -{ERR_PACK(0,EVP_F_PKCS5_PBE_KEYIVGEN,0), "PKCS5_PBE_keyivgen"}, -{ERR_PACK(0,EVP_F_PKCS5_V2_PBE_KEYIVGEN,0), "PKCS5_v2_PBE_keyivgen"}, -{ERR_PACK(0,EVP_F_RC2_MAGIC_TO_METH,0), "RC2_MAGIC_TO_METH"}, -{ERR_PACK(0,EVP_F_RC5_CTRL,0), "RC5_CTRL"}, +{ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"}, +{ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"}, +{ERR_FUNC(EVP_F_EVP_ADD_CIPHER), "EVP_add_cipher"}, +{ERR_FUNC(EVP_F_EVP_ADD_DIGEST), "EVP_add_digest"}, +{ERR_FUNC(EVP_F_EVP_CIPHERINIT), "EVP_CipherInit"}, +{ERR_FUNC(EVP_F_EVP_CIPHER_CTX_CTRL), "EVP_CIPHER_CTX_ctrl"}, +{ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH), "EVP_CIPHER_CTX_set_key_length"}, +{ERR_FUNC(EVP_F_EVP_DECRYPTFINAL), "EVP_DecryptFinal"}, +{ERR_FUNC(EVP_F_EVP_DIGESTINIT), "EVP_DigestInit"}, +{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL), "EVP_EncryptFinal"}, +{ERR_FUNC(EVP_F_EVP_GET_CIPHERBYNAME), "EVP_get_cipherbyname"}, +{ERR_FUNC(EVP_F_EVP_GET_DIGESTBYNAME), "EVP_get_digestbyname"}, +{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY), "EVP_MD_CTX_copy"}, +{ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, +{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"}, +{ERR_FUNC(EVP_F_EVP_PBE_CIPHERINIT), "EVP_PBE_CipherInit"}, +{ERR_FUNC(EVP_F_EVP_PKCS82PKEY), "EVP_PKCS82PKEY"}, +{ERR_FUNC(EVP_F_EVP_PKCS8_SET_BROKEN), "EVP_PKCS8_SET_BROKEN"}, +{ERR_FUNC(EVP_F_EVP_PKEY2PKCS8), "EVP_PKEY2PKCS8"}, +{ERR_FUNC(EVP_F_EVP_PKEY_COPY_PARAMETERS), "EVP_PKEY_copy_parameters"}, +{ERR_FUNC(EVP_F_EVP_PKEY_DECRYPT), "EVP_PKEY_decrypt"}, +{ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT), "EVP_PKEY_encrypt"}, +{ERR_FUNC(EVP_F_EVP_PKEY_GET1_DH), "EVP_PKEY_get1_DH"}, +{ERR_FUNC(EVP_F_EVP_PKEY_GET1_DSA), "EVP_PKEY_get1_DSA"}, +{ERR_FUNC(EVP_F_EVP_PKEY_GET1_RSA), "EVP_PKEY_get1_RSA"}, +{ERR_FUNC(EVP_F_EVP_PKEY_NEW), "EVP_PKEY_new"}, +{ERR_FUNC(EVP_F_EVP_RIJNDAEL), "EVP_RIJNDAEL"}, +{ERR_FUNC(EVP_F_EVP_SIGNFINAL), "EVP_SignFinal"}, +{ERR_FUNC(EVP_F_EVP_VERIFYFINAL), "EVP_VerifyFinal"}, +{ERR_FUNC(EVP_F_PKCS5_PBE_KEYIVGEN), "PKCS5_PBE_keyivgen"}, +{ERR_FUNC(EVP_F_PKCS5_V2_PBE_KEYIVGEN), "PKCS5_v2_PBE_keyivgen"}, +{ERR_FUNC(EVP_F_RC2_MAGIC_TO_METH), "RC2_MAGIC_TO_METH"}, +{ERR_FUNC(EVP_F_RC5_CTRL), "RC5_CTRL"}, {0,NULL} }; static ERR_STRING_DATA EVP_str_reasons[]= { -{EVP_R_AES_KEY_SETUP_FAILED ,"aes key setup failed"}, -{EVP_R_BAD_BLOCK_LENGTH ,"bad block length"}, -{EVP_R_BAD_DECRYPT ,"bad decrypt"}, -{EVP_R_BAD_KEY_LENGTH ,"bad key length"}, -{EVP_R_BN_DECODE_ERROR ,"bn decode error"}, -{EVP_R_BN_PUBKEY_ERROR ,"bn pubkey error"}, -{EVP_R_CIPHER_PARAMETER_ERROR ,"cipher parameter error"}, -{EVP_R_CTRL_NOT_IMPLEMENTED ,"ctrl not implemented"}, -{EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED ,"ctrl operation not implemented"}, -{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"}, -{EVP_R_DECODE_ERROR ,"decode error"}, -{EVP_R_DIFFERENT_KEY_TYPES ,"different key types"}, -{EVP_R_DISABLED_FOR_FIPS ,"disabled for fips"}, -{EVP_R_ENCODE_ERROR ,"encode error"}, -{EVP_R_EVP_PBE_CIPHERINIT_ERROR ,"evp pbe cipherinit error"}, -{EVP_R_EXPECTING_AN_RSA_KEY ,"expecting an rsa key"}, -{EVP_R_EXPECTING_A_DH_KEY ,"expecting a dh key"}, -{EVP_R_EXPECTING_A_DSA_KEY ,"expecting a dsa key"}, -{EVP_R_INITIALIZATION_ERROR ,"initialization error"}, -{EVP_R_INPUT_NOT_INITIALIZED ,"input not initialized"}, -{EVP_R_INVALID_KEY_LENGTH ,"invalid key length"}, -{EVP_R_IV_TOO_LARGE ,"iv too large"}, -{EVP_R_KEYGEN_FAILURE ,"keygen failure"}, -{EVP_R_MISSING_PARAMETERS ,"missing parameters"}, -{EVP_R_NO_CIPHER_SET ,"no cipher set"}, -{EVP_R_NO_DIGEST_SET ,"no digest set"}, -{EVP_R_NO_DSA_PARAMETERS ,"no dsa parameters"}, -{EVP_R_NO_SIGN_FUNCTION_CONFIGURED ,"no sign function configured"}, -{EVP_R_NO_VERIFY_FUNCTION_CONFIGURED ,"no verify function configured"}, -{EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE ,"pkcs8 unknown broken type"}, -{EVP_R_PUBLIC_KEY_NOT_RSA ,"public key not rsa"}, -{EVP_R_UNKNOWN_PBE_ALGORITHM ,"unknown pbe algorithm"}, -{EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS ,"unsuported number of rounds"}, -{EVP_R_UNSUPPORTED_CIPHER ,"unsupported cipher"}, -{EVP_R_UNSUPPORTED_KEYLENGTH ,"unsupported keylength"}, -{EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION,"unsupported key derivation function"}, -{EVP_R_UNSUPPORTED_KEY_SIZE ,"unsupported key size"}, -{EVP_R_UNSUPPORTED_PRF ,"unsupported prf"}, -{EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM ,"unsupported private key algorithm"}, -{EVP_R_UNSUPPORTED_SALT_TYPE ,"unsupported salt type"}, -{EVP_R_WRONG_FINAL_BLOCK_LENGTH ,"wrong final block length"}, -{EVP_R_WRONG_PUBLIC_KEY_TYPE ,"wrong public key type"}, +{ERR_REASON(EVP_R_AES_KEY_SETUP_FAILED) ,"aes key setup failed"}, +{ERR_REASON(EVP_R_BAD_BLOCK_LENGTH) ,"bad block length"}, +{ERR_REASON(EVP_R_BAD_DECRYPT) ,"bad decrypt"}, +{ERR_REASON(EVP_R_BAD_KEY_LENGTH) ,"bad key length"}, +{ERR_REASON(EVP_R_BN_DECODE_ERROR) ,"bn decode error"}, +{ERR_REASON(EVP_R_BN_PUBKEY_ERROR) ,"bn pubkey error"}, +{ERR_REASON(EVP_R_CIPHER_PARAMETER_ERROR),"cipher parameter error"}, +{ERR_REASON(EVP_R_CTRL_NOT_IMPLEMENTED) ,"ctrl not implemented"}, +{ERR_REASON(EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED),"ctrl operation not implemented"}, +{ERR_REASON(EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH),"data not multiple of block length"}, +{ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"}, +{ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"}, +{ERR_REASON(EVP_R_DISABLED_FOR_FIPS) ,"disabled for fips"}, +{ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"}, +{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, +{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, +{ERR_REASON(EVP_R_EXPECTING_A_DH_KEY) ,"expecting a dh key"}, +{ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY) ,"expecting a dsa key"}, +{ERR_REASON(EVP_R_INITIALIZATION_ERROR) ,"initialization error"}, +{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"}, +{ERR_REASON(EVP_R_INVALID_KEY_LENGTH) ,"invalid key length"}, +{ERR_REASON(EVP_R_IV_TOO_LARGE) ,"iv too large"}, +{ERR_REASON(EVP_R_KEYGEN_FAILURE) ,"keygen failure"}, +{ERR_REASON(EVP_R_MISSING_PARAMETERS) ,"missing parameters"}, +{ERR_REASON(EVP_R_NO_CIPHER_SET) ,"no cipher set"}, +{ERR_REASON(EVP_R_NO_DIGEST_SET) ,"no digest set"}, +{ERR_REASON(EVP_R_NO_DSA_PARAMETERS) ,"no dsa parameters"}, +{ERR_REASON(EVP_R_NO_SIGN_FUNCTION_CONFIGURED),"no sign function configured"}, +{ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no verify function configured"}, +{ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8 unknown broken type"}, +{ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"}, +{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"}, +{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"}, +{ERR_REASON(EVP_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, +{ERR_REASON(EVP_R_UNSUPPORTED_KEYLENGTH) ,"unsupported keylength"}, +{ERR_REASON(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION),"unsupported key derivation function"}, +{ERR_REASON(EVP_R_UNSUPPORTED_KEY_SIZE) ,"unsupported key size"}, +{ERR_REASON(EVP_R_UNSUPPORTED_PRF) ,"unsupported prf"}, +{ERR_REASON(EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM),"unsupported private key algorithm"}, +{ERR_REASON(EVP_R_UNSUPPORTED_SALT_TYPE) ,"unsupported salt type"}, +{ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH),"wrong final block length"}, +{ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE) ,"wrong public key type"}, {0,NULL} }; @@ -159,8 +163,8 @@ void ERR_load_EVP_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_EVP,EVP_str_functs); - ERR_load_strings(ERR_LIB_EVP,EVP_str_reasons); + ERR_load_strings(0,EVP_str_functs); + ERR_load_strings(0,EVP_str_reasons); #endif } diff --git a/src/lib/libcrypto/evp/evp_key.c b/src/lib/libcrypto/evp/evp_key.c index 5f387a94d3..f8650d5df6 100644 --- a/src/lib/libcrypto/evp/evp_key.c +++ b/src/lib/libcrypto/evp/evp_key.c @@ -126,7 +126,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, EVP_MD_CTX_init(&c); for (;;) { - EVP_DigestInit_ex(&c,md, NULL); + if (!EVP_DigestInit_ex(&c,md, NULL)) + return 0; if (addmd++) EVP_DigestUpdate(&c,&(md_buf[0]),mds); EVP_DigestUpdate(&c,data,datal); diff --git a/src/lib/libcrypto/evp/m_dss1.c b/src/lib/libcrypto/evp/m_dss1.c index f5668ebda0..23b90d0538 100644 --- a/src/lib/libcrypto/evp/m_dss1.c +++ b/src/lib/libcrypto/evp/m_dss1.c @@ -67,7 +67,14 @@ static int init(EVP_MD_CTX *ctx) { return SHA1_Init(ctx->md_data); } static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count) +#ifndef OPENSSL_FIPS { return SHA1_Update(ctx->md_data,data,count); } +#else + { + OPENSSL_assert(sizeof(count)<=sizeof(size_t)); + return SHA1_Update(ctx->md_data,data,count); + } +#endif static int final(EVP_MD_CTX *ctx,unsigned char *md) { return SHA1_Final(md,ctx->md_data); } @@ -77,7 +84,7 @@ static const EVP_MD dss1_md= NID_dsa, NID_dsaWithSHA1, SHA_DIGEST_LENGTH, - 0, + EVP_MD_FLAG_FIPS, init, update, final, diff --git a/src/lib/libcrypto/evp/m_sha1.c b/src/lib/libcrypto/evp/m_sha1.c index fe4402389a..60da93873c 100644 --- a/src/lib/libcrypto/evp/m_sha1.c +++ b/src/lib/libcrypto/evp/m_sha1.c @@ -67,7 +67,14 @@ static int init(EVP_MD_CTX *ctx) { return SHA1_Init(ctx->md_data); } static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count) +#ifndef OPENSSL_FIPS { return SHA1_Update(ctx->md_data,data,count); } +#else + { + OPENSSL_assert(sizeof(count)<=sizeof(size_t)); + return SHA1_Update(ctx->md_data,data,count); + } +#endif static int final(EVP_MD_CTX *ctx,unsigned char *md) { return SHA1_Final(md,ctx->md_data); } @@ -93,3 +100,115 @@ const EVP_MD *EVP_sha1(void) return(&sha1_md); } #endif + +#ifdef OPENSSL_FIPS +#ifndef OPENSSL_NO_SHA256 +static int init224(EVP_MD_CTX *ctx) + { return SHA224_Init(ctx->md_data); } +static int init256(EVP_MD_CTX *ctx) + { return SHA256_Init(ctx->md_data); } +/* + * Even though there're separate SHA224_[Update|Final], we call + * SHA256 functions even in SHA224 context. This is what happens + * there anyway, so we can spare few CPU cycles:-) + */ +static int update256(EVP_MD_CTX *ctx,const void *data,unsigned long count) + { + OPENSSL_assert(sizeof(count)<=sizeof(size_t)); + return SHA256_Update(ctx->md_data,data,count); + } +static int final256(EVP_MD_CTX *ctx,unsigned char *md) + { return SHA256_Final(md,ctx->md_data); } + +static const EVP_MD sha224_md= + { + NID_sha224, + NID_sha224WithRSAEncryption, + SHA224_DIGEST_LENGTH, + EVP_MD_FLAG_FIPS, + init224, + update256, + final256, + NULL, + NULL, + EVP_PKEY_RSA_method, + SHA256_CBLOCK, + sizeof(EVP_MD *)+sizeof(SHA256_CTX), + }; + +const EVP_MD *EVP_sha224(void) + { return(&sha224_md); } + +static const EVP_MD sha256_md= + { + NID_sha256, + NID_sha256WithRSAEncryption, + SHA256_DIGEST_LENGTH, + EVP_MD_FLAG_FIPS, + init256, + update256, + final256, + NULL, + NULL, + EVP_PKEY_RSA_method, + SHA256_CBLOCK, + sizeof(EVP_MD *)+sizeof(SHA256_CTX), + }; + +const EVP_MD *EVP_sha256(void) + { return(&sha256_md); } +#endif /* ifndef OPENSSL_NO_SHA256 */ + +#ifndef OPENSSL_NO_SHA512 +static int init384(EVP_MD_CTX *ctx) + { return SHA384_Init(ctx->md_data); } +static int init512(EVP_MD_CTX *ctx) + { return SHA512_Init(ctx->md_data); } +/* See comment in SHA224/256 section */ +static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count) + { + OPENSSL_assert(sizeof(count)<=sizeof(size_t)); + return SHA512_Update(ctx->md_data,data,count); + } +static int final512(EVP_MD_CTX *ctx,unsigned char *md) + { return SHA512_Final(md,ctx->md_data); } + +static const EVP_MD sha384_md= + { + NID_sha384, + NID_sha384WithRSAEncryption, + SHA384_DIGEST_LENGTH, + EVP_MD_FLAG_FIPS, + init384, + update512, + final512, + NULL, + NULL, + EVP_PKEY_RSA_method, + SHA512_CBLOCK, + sizeof(EVP_MD *)+sizeof(SHA512_CTX), + }; + +const EVP_MD *EVP_sha384(void) + { return(&sha384_md); } + +static const EVP_MD sha512_md= + { + NID_sha512, + NID_sha512WithRSAEncryption, + SHA512_DIGEST_LENGTH, + EVP_MD_FLAG_FIPS, + init512, + update512, + final512, + NULL, + NULL, + EVP_PKEY_RSA_method, + SHA512_CBLOCK, + sizeof(EVP_MD *)+sizeof(SHA512_CTX), + }; + +const EVP_MD *EVP_sha512(void) + { return(&sha512_md); } +#endif /* ifndef OPENSSL_NO_SHA512 */ +#endif /* ifdef OPENSSL_FIPS */ diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c index 1f94e1ef88..1d5fabc4b2 100644 --- a/src/lib/libcrypto/evp/p5_crpt2.c +++ b/src/lib/libcrypto/evp/p5_crpt2.c @@ -194,11 +194,16 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, /* Now decode key derivation function */ + if(!pbe2->keyfunc->parameter || + (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE)) + { + EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR); + goto err; + } + pbuf = pbe2->keyfunc->parameter->value.sequence->data; plen = pbe2->keyfunc->parameter->value.sequence->length; - if(!pbe2->keyfunc->parameter || - (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE) || - !(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) { + if(!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) { EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR); goto err; } diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c index 06ee80761f..6c110bd52b 100644 --- a/src/lib/libcrypto/hmac/hmac.c +++ b/src/lib/libcrypto/hmac/hmac.c @@ -61,6 +61,8 @@ #include #include "cryptlib.h" +#ifndef OPENSSL_FIPS + void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md, ENGINE *impl) { @@ -77,15 +79,6 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, if (key != NULL) { -#ifdef OPENSSL_FIPS - if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS) - && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) - || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) - || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))) - OpenSSLDie(__FILE__,__LINE__, - "HMAC: digest not allowed in FIPS mode"); -#endif - reset=1; j=EVP_MD_block_size(md); OPENSSL_assert(j <= sizeof ctx->key); @@ -187,3 +180,4 @@ void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); } +#endif diff --git a/src/lib/libcrypto/hmac/hmac.h b/src/lib/libcrypto/hmac/hmac.h index 294ab3b36a..c6489c04c8 100644 --- a/src/lib/libcrypto/hmac/hmac.h +++ b/src/lib/libcrypto/hmac/hmac.h @@ -64,7 +64,11 @@ #include +#ifdef OPENSSL_FIPS +#define HMAC_MAX_MD_CBLOCK 128 +#else #define HMAC_MAX_MD_CBLOCK 64 +#endif #ifdef __cplusplus extern "C" { diff --git a/src/lib/libcrypto/md4/md4_one.c b/src/lib/libcrypto/md4/md4_one.c index 00565507e4..50f79352f6 100644 --- a/src/lib/libcrypto/md4/md4_one.c +++ b/src/lib/libcrypto/md4/md4_one.c @@ -71,7 +71,8 @@ unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md) static unsigned char m[MD4_DIGEST_LENGTH]; if (md == NULL) md=m; - MD4_Init(&c); + if (!MD4_Init(&c)) + return NULL; #ifndef CHARSET_EBCDIC MD4_Update(&c,d,n); #else diff --git a/src/lib/libcrypto/md5/md5_one.c b/src/lib/libcrypto/md5/md5_one.c index c5dd2d81db..44c6c455d1 100644 --- a/src/lib/libcrypto/md5/md5_one.c +++ b/src/lib/libcrypto/md5/md5_one.c @@ -71,7 +71,8 @@ unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md) static unsigned char m[MD5_DIGEST_LENGTH]; if (md == NULL) md=m; - MD5_Init(&c); + if (!MD5_Init(&c)) + return NULL; #ifndef CHARSET_EBCDIC MD5_Update(&c,d,n); #else diff --git a/src/lib/libcrypto/objects/obj_err.c b/src/lib/libcrypto/objects/obj_err.c index 2b5f43e3cc..0682979b38 100644 --- a/src/lib/libcrypto/objects/obj_err.c +++ b/src/lib/libcrypto/objects/obj_err.c @@ -1,6 +1,6 @@ /* crypto/objects/obj_err.c */ /* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,22 +64,26 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OBJ,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OBJ,0,reason) + static ERR_STRING_DATA OBJ_str_functs[]= { -{ERR_PACK(0,OBJ_F_OBJ_ADD_OBJECT,0), "OBJ_add_object"}, -{ERR_PACK(0,OBJ_F_OBJ_CREATE,0), "OBJ_create"}, -{ERR_PACK(0,OBJ_F_OBJ_DUP,0), "OBJ_dup"}, -{ERR_PACK(0,OBJ_F_OBJ_NAME_NEW_INDEX,0), "OBJ_NAME_new_index"}, -{ERR_PACK(0,OBJ_F_OBJ_NID2LN,0), "OBJ_nid2ln"}, -{ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0), "OBJ_nid2obj"}, -{ERR_PACK(0,OBJ_F_OBJ_NID2SN,0), "OBJ_nid2sn"}, +{ERR_FUNC(OBJ_F_OBJ_ADD_OBJECT), "OBJ_add_object"}, +{ERR_FUNC(OBJ_F_OBJ_CREATE), "OBJ_create"}, +{ERR_FUNC(OBJ_F_OBJ_DUP), "OBJ_dup"}, +{ERR_FUNC(OBJ_F_OBJ_NAME_NEW_INDEX), "OBJ_NAME_new_index"}, +{ERR_FUNC(OBJ_F_OBJ_NID2LN), "OBJ_nid2ln"}, +{ERR_FUNC(OBJ_F_OBJ_NID2OBJ), "OBJ_nid2obj"}, +{ERR_FUNC(OBJ_F_OBJ_NID2SN), "OBJ_nid2sn"}, {0,NULL} }; static ERR_STRING_DATA OBJ_str_reasons[]= { -{OBJ_R_MALLOC_FAILURE ,"malloc failure"}, -{OBJ_R_UNKNOWN_NID ,"unknown nid"}, +{ERR_REASON(OBJ_R_MALLOC_FAILURE) ,"malloc failure"}, +{ERR_REASON(OBJ_R_UNKNOWN_NID) ,"unknown nid"}, {0,NULL} }; @@ -93,8 +97,8 @@ void ERR_load_OBJ_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_OBJ,OBJ_str_functs); - ERR_load_strings(ERR_LIB_OBJ,OBJ_str_reasons); + ERR_load_strings(0,OBJ_str_functs); + ERR_load_strings(0,OBJ_str_reasons); #endif } diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num index 0e64a929ba..84555d936e 100644 --- a/src/lib/libcrypto/objects/obj_mac.num +++ b/src/lib/libcrypto/objects/obj_mac.num @@ -287,9 +287,9 @@ qcStatements 286 ac_auditEntity 287 ac_targeting 288 aaControls 289 -sbqp_ipAddrBlock 290 -sbqp_autonomousSysNum 291 -sbqp_routerIdentifier 292 +sbgp_ipAddrBlock 290 +sbgp_autonomousSysNum 291 +sbgp_routerIdentifier 292 textNotice 293 ipsecEndSystem 294 ipsecTunnel 295 @@ -663,5 +663,13 @@ id_ppl 662 proxyCertInfo 663 id_ppl_anyLanguage 664 id_ppl_inheritAll 665 -id_ppl_independent 666 +name_constraints 666 Independent 667 +sha256WithRSAEncryption 668 +sha384WithRSAEncryption 669 +sha512WithRSAEncryption 670 +sha224WithRSAEncryption 671 +sha256 672 +sha384 673 +sha512 674 +sha224 675 diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt index 50e9031e61..2635c4e667 100644 --- a/src/lib/libcrypto/objects/objects.txt +++ b/src/lib/libcrypto/objects/objects.txt @@ -63,6 +63,11 @@ pkcs1 2 : RSA-MD2 : md2WithRSAEncryption pkcs1 3 : RSA-MD4 : md4WithRSAEncryption pkcs1 4 : RSA-MD5 : md5WithRSAEncryption pkcs1 5 : RSA-SHA1 : sha1WithRSAEncryption +# According to PKCS #1 version 2.1 +pkcs1 11 : RSA-SHA256 : sha256WithRSAEncryption +pkcs1 12 : RSA-SHA384 : sha384WithRSAEncryption +pkcs1 13 : RSA-SHA512 : sha512WithRSAEncryption +pkcs1 14 : RSA-SHA224 : sha224WithRSAEncryption pkcs 3 : pkcs3 pkcs3 1 : : dhKeyAgreement @@ -341,9 +346,9 @@ id-pe 3 : qcStatements id-pe 4 : ac-auditEntity id-pe 5 : ac-targeting id-pe 6 : aaControls -id-pe 7 : sbqp-ipAddrBlock -id-pe 8 : sbqp-autonomousSysNum -id-pe 9 : sbqp-routerIdentifier +id-pe 7 : sbgp-ipAddrBlock +id-pe 8 : sbgp-autonomousSysNum +id-pe 9 : sbgp-routerIdentifier id-pe 10 : ac-proxying !Cname sinfo-access id-pe 11 : subjectInfoAccess : Subject Information Access @@ -584,6 +589,8 @@ id-ce 21 : CRLReason : X509v3 CRL Reason Code id-ce 24 : invalidityDate : Invalidity Date !Cname delta-crl id-ce 27 : deltaCRL : X509v3 Delta CRL Indicator +!Cname name-constraints +id-ce 30 : nameConstraints : X509v3 Name Constraints !Cname crl-distribution-points id-ce 31 : crlDistributionPoints : X509v3 CRL Distribution Points !Cname certificate-policies @@ -703,6 +710,13 @@ aes 44 : AES-256-CFB : aes-256-cfb : DES-EDE3-CFB1 : des-ede3-cfb1 : DES-EDE3-CFB8 : des-ede3-cfb8 +# OIDs for SHA224, SHA256, SHA385 and SHA512, according to x9.84. +!Alias nist_hashalgs nistAlgorithms 2 +nist_hashalgs 1 : SHA256 : sha256 +nist_hashalgs 2 : SHA384 : sha384 +nist_hashalgs 3 : SHA512 : sha512 +nist_hashalgs 4 : SHA224 : sha224 + # Hold instruction CRL entry extension !Cname hold-instruction-code id-ce 23 : holdInstructionCode : Hold Instruction Code diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c index 4c4d8306f8..65e6093fbc 100644 --- a/src/lib/libcrypto/ocsp/ocsp_err.c +++ b/src/lib/libcrypto/ocsp/ocsp_err.c @@ -1,6 +1,6 @@ /* crypto/ocsp/ocsp_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,60 +64,64 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason) + static ERR_STRING_DATA OCSP_str_functs[]= { -{ERR_PACK(0,OCSP_F_ASN1_STRING_ENCODE,0), "ASN1_STRING_encode"}, -{ERR_PACK(0,OCSP_F_CERT_ID_NEW,0), "CERT_ID_NEW"}, -{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0), "D2I_OCSP_NONCE"}, -{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0), "OCSP_basic_add1_status"}, -{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0), "OCSP_basic_sign"}, -{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0), "OCSP_basic_verify"}, -{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0), "OCSP_CHECK_DELEGATED"}, -{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0), "OCSP_CHECK_IDS"}, -{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0), "OCSP_CHECK_ISSUER"}, -{ERR_PACK(0,OCSP_F_OCSP_CHECK_VALIDITY,0), "OCSP_check_validity"}, -{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"}, -{ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0), "OCSP_parse_url"}, -{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0), "OCSP_request_sign"}, -{ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0), "OCSP_request_verify"}, -{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"}, -{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"}, -{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0), "REQUEST_VERIFY"}, +{ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"}, +{ERR_FUNC(OCSP_F_CERT_ID_NEW), "CERT_ID_NEW"}, +{ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"}, +{ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"}, +{ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"}, +{ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"}, +{ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"}, +{ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"}, +{ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"}, +{ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"}, +{ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"}, +{ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"}, +{ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"}, +{ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"}, +{ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"}, +{ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"}, +{ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"}, {0,NULL} }; static ERR_STRING_DATA OCSP_str_reasons[]= { -{OCSP_R_BAD_DATA ,"bad data"}, -{OCSP_R_CERTIFICATE_VERIFY_ERROR ,"certificate verify error"}, -{OCSP_R_DIGEST_ERR ,"digest err"}, -{OCSP_R_ERROR_IN_NEXTUPDATE_FIELD ,"error in nextupdate field"}, -{OCSP_R_ERROR_IN_THISUPDATE_FIELD ,"error in thisupdate field"}, -{OCSP_R_ERROR_PARSING_URL ,"error parsing url"}, -{OCSP_R_MISSING_OCSPSIGNING_USAGE ,"missing ocspsigning usage"}, -{OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE ,"nextupdate before thisupdate"}, -{OCSP_R_NOT_BASIC_RESPONSE ,"not basic response"}, -{OCSP_R_NO_CERTIFICATES_IN_CHAIN ,"no certificates in chain"}, -{OCSP_R_NO_CONTENT ,"no content"}, -{OCSP_R_NO_PUBLIC_KEY ,"no public key"}, -{OCSP_R_NO_RESPONSE_DATA ,"no response data"}, -{OCSP_R_NO_REVOKED_TIME ,"no revoked time"}, -{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"}, -{OCSP_R_REQUEST_NOT_SIGNED ,"request not signed"}, -{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"}, -{OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"}, -{OCSP_R_SERVER_READ_ERROR ,"server read error"}, -{OCSP_R_SERVER_RESPONSE_ERROR ,"server response error"}, -{OCSP_R_SERVER_RESPONSE_PARSE_ERROR ,"server response parse error"}, -{OCSP_R_SERVER_WRITE_ERROR ,"server write error"}, -{OCSP_R_SIGNATURE_FAILURE ,"signature failure"}, -{OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND ,"signer certificate not found"}, -{OCSP_R_STATUS_EXPIRED ,"status expired"}, -{OCSP_R_STATUS_NOT_YET_VALID ,"status not yet valid"}, -{OCSP_R_STATUS_TOO_OLD ,"status too old"}, -{OCSP_R_UNKNOWN_MESSAGE_DIGEST ,"unknown message digest"}, -{OCSP_R_UNKNOWN_NID ,"unknown nid"}, -{OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE ,"unsupported requestorname type"}, +{ERR_REASON(OCSP_R_BAD_DATA) ,"bad data"}, +{ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"}, +{ERR_REASON(OCSP_R_DIGEST_ERR) ,"digest err"}, +{ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD),"error in nextupdate field"}, +{ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD),"error in thisupdate field"}, +{ERR_REASON(OCSP_R_ERROR_PARSING_URL) ,"error parsing url"}, +{ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE),"missing ocspsigning usage"}, +{ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE),"nextupdate before thisupdate"}, +{ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE) ,"not basic response"}, +{ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN),"no certificates in chain"}, +{ERR_REASON(OCSP_R_NO_CONTENT) ,"no content"}, +{ERR_REASON(OCSP_R_NO_PUBLIC_KEY) ,"no public key"}, +{ERR_REASON(OCSP_R_NO_RESPONSE_DATA) ,"no response data"}, +{ERR_REASON(OCSP_R_NO_REVOKED_TIME) ,"no revoked time"}, +{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"}, +{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED) ,"request not signed"}, +{ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA),"response contains no revocation data"}, +{ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED) ,"root ca not trusted"}, +{ERR_REASON(OCSP_R_SERVER_READ_ERROR) ,"server read error"}, +{ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR),"server response error"}, +{ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR),"server response parse error"}, +{ERR_REASON(OCSP_R_SERVER_WRITE_ERROR) ,"server write error"}, +{ERR_REASON(OCSP_R_SIGNATURE_FAILURE) ,"signature failure"}, +{ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"}, +{ERR_REASON(OCSP_R_STATUS_EXPIRED) ,"status expired"}, +{ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) ,"status not yet valid"}, +{ERR_REASON(OCSP_R_STATUS_TOO_OLD) ,"status too old"}, +{ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST),"unknown message digest"}, +{ERR_REASON(OCSP_R_UNKNOWN_NID) ,"unknown nid"}, +{ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE),"unsupported requestorname type"}, {0,NULL} }; @@ -131,8 +135,8 @@ void ERR_load_OCSP_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_OCSP,OCSP_str_functs); - ERR_load_strings(ERR_LIB_OCSP,OCSP_str_reasons); + ERR_load_strings(0,OCSP_str_functs); + ERR_load_strings(0,OCSP_str_reasons); #endif } diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h index 5d5f688edd..e50c1baf00 100644 --- a/src/lib/libcrypto/opensslv.h +++ b/src/lib/libcrypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090707fL +#define OPENSSL_VERSION_NUMBER 0x009070afL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g-fips 11 Apr 2005" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7j-fips 04 May 2006" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g 11 Apr 2005" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7j 04 May 2006" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/src/lib/libcrypto/pem/pem_err.c b/src/lib/libcrypto/pem/pem_err.c index 3b39b84d66..8527028ebc 100644 --- a/src/lib/libcrypto/pem/pem_err.c +++ b/src/lib/libcrypto/pem/pem_err.c @@ -1,6 +1,6 @@ /* crypto/pem/pem_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,52 +64,56 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PEM,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PEM,0,reason) + static ERR_STRING_DATA PEM_str_functs[]= { -{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_BIO,0), "d2i_PKCS8PrivateKey_bio"}, -{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_FP,0), "d2i_PKCS8PrivateKey_fp"}, -{ERR_PACK(0,PEM_F_DEF_CALLBACK,0), "DEF_CALLBACK"}, -{ERR_PACK(0,PEM_F_LOAD_IV,0), "LOAD_IV"}, -{ERR_PACK(0,PEM_F_PEM_ASN1_READ,0), "PEM_ASN1_read"}, -{ERR_PACK(0,PEM_F_PEM_ASN1_READ_BIO,0), "PEM_ASN1_read_bio"}, -{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE,0), "PEM_ASN1_write"}, -{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE_BIO,0), "PEM_ASN1_write_bio"}, -{ERR_PACK(0,PEM_F_PEM_DO_HEADER,0), "PEM_do_header"}, -{ERR_PACK(0,PEM_F_PEM_F_DO_PK8KEY_FP,0), "PEM_F_DO_PK8KEY_FP"}, -{ERR_PACK(0,PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY,0), "PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"}, -{ERR_PACK(0,PEM_F_PEM_GET_EVP_CIPHER_INFO,0), "PEM_get_EVP_CIPHER_INFO"}, -{ERR_PACK(0,PEM_F_PEM_READ,0), "PEM_read"}, -{ERR_PACK(0,PEM_F_PEM_READ_BIO,0), "PEM_read_bio"}, -{ERR_PACK(0,PEM_F_PEM_SEALFINAL,0), "PEM_SealFinal"}, -{ERR_PACK(0,PEM_F_PEM_SEALINIT,0), "PEM_SealInit"}, -{ERR_PACK(0,PEM_F_PEM_SIGNFINAL,0), "PEM_SignFinal"}, -{ERR_PACK(0,PEM_F_PEM_WRITE,0), "PEM_write"}, -{ERR_PACK(0,PEM_F_PEM_WRITE_BIO,0), "PEM_write_bio"}, -{ERR_PACK(0,PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,0), "PEM_write_bio_PKCS8PrivateKey"}, -{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ,0), "PEM_X509_INFO_read"}, -{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ_BIO,0), "PEM_X509_INFO_read_bio"}, -{ERR_PACK(0,PEM_F_PEM_X509_INFO_WRITE_BIO,0), "PEM_X509_INFO_write_bio"}, +{ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_BIO), "d2i_PKCS8PrivateKey_bio"}, +{ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_FP), "d2i_PKCS8PrivateKey_fp"}, +{ERR_FUNC(PEM_F_DEF_CALLBACK), "DEF_CALLBACK"}, +{ERR_FUNC(PEM_F_LOAD_IV), "LOAD_IV"}, +{ERR_FUNC(PEM_F_PEM_ASN1_READ), "PEM_ASN1_read"}, +{ERR_FUNC(PEM_F_PEM_ASN1_READ_BIO), "PEM_ASN1_read_bio"}, +{ERR_FUNC(PEM_F_PEM_ASN1_WRITE), "PEM_ASN1_write"}, +{ERR_FUNC(PEM_F_PEM_ASN1_WRITE_BIO), "PEM_ASN1_write_bio"}, +{ERR_FUNC(PEM_F_PEM_DO_HEADER), "PEM_do_header"}, +{ERR_FUNC(PEM_F_PEM_F_DO_PK8KEY_FP), "PEM_F_DO_PK8KEY_FP"}, +{ERR_FUNC(PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY), "PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"}, +{ERR_FUNC(PEM_F_PEM_GET_EVP_CIPHER_INFO), "PEM_get_EVP_CIPHER_INFO"}, +{ERR_FUNC(PEM_F_PEM_READ), "PEM_read"}, +{ERR_FUNC(PEM_F_PEM_READ_BIO), "PEM_read_bio"}, +{ERR_FUNC(PEM_F_PEM_SEALFINAL), "PEM_SealFinal"}, +{ERR_FUNC(PEM_F_PEM_SEALINIT), "PEM_SealInit"}, +{ERR_FUNC(PEM_F_PEM_SIGNFINAL), "PEM_SignFinal"}, +{ERR_FUNC(PEM_F_PEM_WRITE), "PEM_write"}, +{ERR_FUNC(PEM_F_PEM_WRITE_BIO), "PEM_write_bio"}, +{ERR_FUNC(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY), "PEM_write_bio_PKCS8PrivateKey"}, +{ERR_FUNC(PEM_F_PEM_X509_INFO_READ), "PEM_X509_INFO_read"}, +{ERR_FUNC(PEM_F_PEM_X509_INFO_READ_BIO), "PEM_X509_INFO_read_bio"}, +{ERR_FUNC(PEM_F_PEM_X509_INFO_WRITE_BIO), "PEM_X509_INFO_write_bio"}, {0,NULL} }; static ERR_STRING_DATA PEM_str_reasons[]= { -{PEM_R_BAD_BASE64_DECODE ,"bad base64 decode"}, -{PEM_R_BAD_DECRYPT ,"bad decrypt"}, -{PEM_R_BAD_END_LINE ,"bad end line"}, -{PEM_R_BAD_IV_CHARS ,"bad iv chars"}, -{PEM_R_BAD_PASSWORD_READ ,"bad password read"}, -{PEM_R_ERROR_CONVERTING_PRIVATE_KEY ,"error converting private key"}, -{PEM_R_NOT_DEK_INFO ,"not dek info"}, -{PEM_R_NOT_ENCRYPTED ,"not encrypted"}, -{PEM_R_NOT_PROC_TYPE ,"not proc type"}, -{PEM_R_NO_START_LINE ,"no start line"}, -{PEM_R_PROBLEMS_GETTING_PASSWORD ,"problems getting password"}, -{PEM_R_PUBLIC_KEY_NO_RSA ,"public key no rsa"}, -{PEM_R_READ_KEY ,"read key"}, -{PEM_R_SHORT_HEADER ,"short header"}, -{PEM_R_UNSUPPORTED_CIPHER ,"unsupported cipher"}, -{PEM_R_UNSUPPORTED_ENCRYPTION ,"unsupported encryption"}, +{ERR_REASON(PEM_R_BAD_BASE64_DECODE) ,"bad base64 decode"}, +{ERR_REASON(PEM_R_BAD_DECRYPT) ,"bad decrypt"}, +{ERR_REASON(PEM_R_BAD_END_LINE) ,"bad end line"}, +{ERR_REASON(PEM_R_BAD_IV_CHARS) ,"bad iv chars"}, +{ERR_REASON(PEM_R_BAD_PASSWORD_READ) ,"bad password read"}, +{ERR_REASON(PEM_R_ERROR_CONVERTING_PRIVATE_KEY),"error converting private key"}, +{ERR_REASON(PEM_R_NOT_DEK_INFO) ,"not dek info"}, +{ERR_REASON(PEM_R_NOT_ENCRYPTED) ,"not encrypted"}, +{ERR_REASON(PEM_R_NOT_PROC_TYPE) ,"not proc type"}, +{ERR_REASON(PEM_R_NO_START_LINE) ,"no start line"}, +{ERR_REASON(PEM_R_PROBLEMS_GETTING_PASSWORD),"problems getting password"}, +{ERR_REASON(PEM_R_PUBLIC_KEY_NO_RSA) ,"public key no rsa"}, +{ERR_REASON(PEM_R_READ_KEY) ,"read key"}, +{ERR_REASON(PEM_R_SHORT_HEADER) ,"short header"}, +{ERR_REASON(PEM_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, +{ERR_REASON(PEM_R_UNSUPPORTED_ENCRYPTION),"unsupported encryption"}, {0,NULL} }; @@ -123,8 +127,8 @@ void ERR_load_PEM_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_PEM,PEM_str_functs); - ERR_load_strings(ERR_LIB_PEM,PEM_str_reasons); + ERR_load_strings(0,PEM_str_functs); + ERR_load_strings(0,PEM_str_reasons); #endif } diff --git a/src/lib/libcrypto/perlasm/x86asm.pl b/src/lib/libcrypto/perlasm/x86asm.pl index bef2667079..ea54a1edc5 100644 --- a/src/lib/libcrypto/perlasm/x86asm.pl +++ b/src/lib/libcrypto/perlasm/x86asm.pl @@ -90,7 +90,7 @@ $tmp #ifdef OUT #define OK 1 #define ALIGN 4 -#if defined(__CYGWIN__) || defined(__DJGPP__) +#if defined(__CYGWIN__) || defined(__DJGPP__) || defined(__MINGW32__) #undef SIZE #undef TYPE #define SIZE(a,b) diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c index 1909f28506..27015dd8c3 100644 --- a/src/lib/libcrypto/pkcs12/p12_add.c +++ b/src/lib/libcrypto/pkcs12/p12_add.c @@ -148,7 +148,11 @@ PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk) /* Unpack SAFEBAGS from PKCS#7 data ContentInfo */ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) { - if(!PKCS7_type_is_data(p7)) return NULL; + if(!PKCS7_type_is_data(p7)) + { + PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); } @@ -211,5 +215,10 @@ int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes) STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12) { + if (!PKCS7_type_is_data(p12->authsafes)) + { + PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } return ASN1_item_unpack(p12->authsafes->d.data, ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); } diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c index 4c36c643ce..40340a7bef 100644 --- a/src/lib/libcrypto/pkcs12/p12_crt.c +++ b/src/lib/libcrypto/pkcs12/p12_crt.c @@ -76,7 +76,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, unsigned int keyidlen; /* Set defaults */ - if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; + if(!nid_cert) + { +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + else +#endif + nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; + } if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; if(!iter) iter = PKCS12_DEFAULT_ITER; if(!mac_iter) mac_iter = 1; diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c index 4886b9b289..140d21155e 100644 --- a/src/lib/libcrypto/pkcs12/p12_mutl.c +++ b/src/lib/libcrypto/pkcs12/p12_mutl.c @@ -72,6 +72,12 @@ int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen, unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt; int saltlen, iter; + if (!PKCS7_type_is_data(p12->authsafes)) + { + PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_CONTENT_TYPE_NOT_DATA); + return 0; + } + salt = p12->mac->salt->data; saltlen = p12->mac->salt->length; if (!p12->mac->iter) iter = 1; diff --git a/src/lib/libcrypto/pkcs12/pk12err.c b/src/lib/libcrypto/pkcs12/pk12err.c index 10ab80502c..a33b37b1c7 100644 --- a/src/lib/libcrypto/pkcs12/pk12err.c +++ b/src/lib/libcrypto/pkcs12/pk12err.c @@ -1,6 +1,6 @@ /* crypto/pkcs12/pk12err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,60 +64,67 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason) + static ERR_STRING_DATA PKCS12_str_functs[]= { -{ERR_PACK(0,PKCS12_F_PARSE_BAGS,0), "PARSE_BAGS"}, -{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME,0), "PKCS12_ADD_FRIENDLYNAME"}, -{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,0), "PKCS12_add_friendlyname_asc"}, -{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,0), "PKCS12_add_friendlyname_uni"}, -{ERR_PACK(0,PKCS12_F_PKCS12_ADD_LOCALKEYID,0), "PKCS12_add_localkeyid"}, -{ERR_PACK(0,PKCS12_F_PKCS12_CREATE,0), "PKCS12_create"}, -{ERR_PACK(0,PKCS12_F_PKCS12_DECRYPT_D2I,0), "PKCS12_decrypt_d2i"}, -{ERR_PACK(0,PKCS12_F_PKCS12_GEN_MAC,0), "PKCS12_gen_mac"}, -{ERR_PACK(0,PKCS12_F_PKCS12_I2D_ENCRYPT,0), "PKCS12_i2d_encrypt"}, -{ERR_PACK(0,PKCS12_F_PKCS12_INIT,0), "PKCS12_init"}, -{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_ASC,0), "PKCS12_key_gen_asc"}, -{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_UNI,0), "PKCS12_key_gen_uni"}, -{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_KEYBAG,0), "PKCS12_MAKE_KEYBAG"}, -{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_SHKEYBAG,0), "PKCS12_MAKE_SHKEYBAG"}, -{ERR_PACK(0,PKCS12_F_PKCS12_NEWPASS,0), "PKCS12_newpass"}, -{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7DATA,0), "PKCS12_pack_p7data"}, -{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7ENCDATA,0), "PKCS12_pack_p7encdata"}, -{ERR_PACK(0,PKCS12_F_PKCS12_PACK_SAFEBAG,0), "PKCS12_pack_safebag"}, -{ERR_PACK(0,PKCS12_F_PKCS12_PARSE,0), "PKCS12_parse"}, -{ERR_PACK(0,PKCS12_F_PKCS12_PBE_CRYPT,0), "PKCS12_pbe_crypt"}, -{ERR_PACK(0,PKCS12_F_PKCS12_PBE_KEYIVGEN,0), "PKCS12_PBE_keyivgen"}, -{ERR_PACK(0,PKCS12_F_PKCS12_SETUP_MAC,0), "PKCS12_setup_mac"}, -{ERR_PACK(0,PKCS12_F_PKCS12_SET_MAC,0), "PKCS12_set_mac"}, -{ERR_PACK(0,PKCS12_F_PKCS8_ADD_KEYUSAGE,0), "PKCS8_add_keyusage"}, -{ERR_PACK(0,PKCS12_F_PKCS8_ENCRYPT,0), "PKCS8_encrypt"}, -{ERR_PACK(0,PKCS12_F_VERIFY_MAC,0), "VERIFY_MAC"}, +{ERR_FUNC(PKCS12_F_PARSE_BAGS), "PARSE_BAGS"}, +{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME), "PKCS12_ADD_FRIENDLYNAME"}, +{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC), "PKCS12_add_friendlyname_asc"}, +{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI), "PKCS12_add_friendlyname_uni"}, +{ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID), "PKCS12_add_localkeyid"}, +{ERR_FUNC(PKCS12_F_PKCS12_CREATE), "PKCS12_create"}, +{ERR_FUNC(PKCS12_F_PKCS12_DECRYPT_D2I), "PKCS12_DECRYPT_D2I"}, +{ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC), "PKCS12_gen_mac"}, +{ERR_FUNC(PKCS12_F_PKCS12_I2D_ENCRYPT), "PKCS12_I2D_ENCRYPT"}, +{ERR_FUNC(PKCS12_F_PKCS12_INIT), "PKCS12_init"}, +{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC), "PKCS12_key_gen_asc"}, +{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI), "PKCS12_key_gen_uni"}, +{ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG), "PKCS12_MAKE_KEYBAG"}, +{ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG), "PKCS12_MAKE_SHKEYBAG"}, +{ERR_FUNC(PKCS12_F_PKCS12_NEWPASS), "PKCS12_newpass"}, +{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA), "PKCS12_pack_p7data"}, +{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA), "PKCS12_pack_p7encdata"}, +{ERR_FUNC(PKCS12_F_PKCS12_PACK_SAFEBAG), "PKCS12_PACK_SAFEBAG"}, +{ERR_FUNC(PKCS12_F_PKCS12_PARSE), "PKCS12_parse"}, +{ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT), "PKCS12_pbe_crypt"}, +{ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN), "PKCS12_PBE_keyivgen"}, +{ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC), "PKCS12_setup_mac"}, +{ERR_FUNC(PKCS12_F_PKCS12_SET_MAC), "PKCS12_set_mac"}, +{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES), "PKCS12_unpack_authsafes"}, +{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA), "PKCS12_unpack_p7data"}, +{ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE), "PKCS8_add_keyusage"}, +{ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT), "PKCS8_encrypt"}, +{ERR_FUNC(PKCS12_F_VERIFY_MAC), "VERIFY_MAC"}, {0,NULL} }; static ERR_STRING_DATA PKCS12_str_reasons[]= { -{PKCS12_R_CANT_PACK_STRUCTURE ,"cant pack structure"}, -{PKCS12_R_DECODE_ERROR ,"decode error"}, -{PKCS12_R_ENCODE_ERROR ,"encode error"}, -{PKCS12_R_ENCRYPT_ERROR ,"encrypt error"}, -{PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE,"error setting encrypted data type"}, -{PKCS12_R_INVALID_NULL_ARGUMENT ,"invalid null argument"}, -{PKCS12_R_INVALID_NULL_PKCS12_POINTER ,"invalid null pkcs12 pointer"}, -{PKCS12_R_IV_GEN_ERROR ,"iv gen error"}, -{PKCS12_R_KEY_GEN_ERROR ,"key gen error"}, -{PKCS12_R_MAC_ABSENT ,"mac absent"}, -{PKCS12_R_MAC_GENERATION_ERROR ,"mac generation error"}, -{PKCS12_R_MAC_SETUP_ERROR ,"mac setup error"}, -{PKCS12_R_MAC_STRING_SET_ERROR ,"mac string set error"}, -{PKCS12_R_MAC_VERIFY_ERROR ,"mac verify error"}, -{PKCS12_R_MAC_VERIFY_FAILURE ,"mac verify failure"}, -{PKCS12_R_PARSE_ERROR ,"parse error"}, -{PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR ,"pkcs12 algor cipherinit error"}, -{PKCS12_R_PKCS12_CIPHERFINAL_ERROR ,"pkcs12 cipherfinal error"}, -{PKCS12_R_PKCS12_PBE_CRYPT_ERROR ,"pkcs12 pbe crypt error"}, -{PKCS12_R_UNKNOWN_DIGEST_ALGORITHM ,"unknown digest algorithm"}, -{PKCS12_R_UNSUPPORTED_PKCS12_MODE ,"unsupported pkcs12 mode"}, +{ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE),"cant pack structure"}, +{ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA),"content type not data"}, +{ERR_REASON(PKCS12_R_DECODE_ERROR) ,"decode error"}, +{ERR_REASON(PKCS12_R_ENCODE_ERROR) ,"encode error"}, +{ERR_REASON(PKCS12_R_ENCRYPT_ERROR) ,"encrypt error"}, +{ERR_REASON(PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE),"error setting encrypted data type"}, +{ERR_REASON(PKCS12_R_INVALID_NULL_ARGUMENT),"invalid null argument"}, +{ERR_REASON(PKCS12_R_INVALID_NULL_PKCS12_POINTER),"invalid null pkcs12 pointer"}, +{ERR_REASON(PKCS12_R_IV_GEN_ERROR) ,"iv gen error"}, +{ERR_REASON(PKCS12_R_KEY_GEN_ERROR) ,"key gen error"}, +{ERR_REASON(PKCS12_R_MAC_ABSENT) ,"mac absent"}, +{ERR_REASON(PKCS12_R_MAC_GENERATION_ERROR),"mac generation error"}, +{ERR_REASON(PKCS12_R_MAC_SETUP_ERROR) ,"mac setup error"}, +{ERR_REASON(PKCS12_R_MAC_STRING_SET_ERROR),"mac string set error"}, +{ERR_REASON(PKCS12_R_MAC_VERIFY_ERROR) ,"mac verify error"}, +{ERR_REASON(PKCS12_R_MAC_VERIFY_FAILURE) ,"mac verify failure"}, +{ERR_REASON(PKCS12_R_PARSE_ERROR) ,"parse error"}, +{ERR_REASON(PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR),"pkcs12 algor cipherinit error"}, +{ERR_REASON(PKCS12_R_PKCS12_CIPHERFINAL_ERROR),"pkcs12 cipherfinal error"}, +{ERR_REASON(PKCS12_R_PKCS12_PBE_CRYPT_ERROR),"pkcs12 pbe crypt error"}, +{ERR_REASON(PKCS12_R_UNKNOWN_DIGEST_ALGORITHM),"unknown digest algorithm"}, +{ERR_REASON(PKCS12_R_UNSUPPORTED_PKCS12_MODE),"unsupported pkcs12 mode"}, {0,NULL} }; @@ -131,8 +138,8 @@ void ERR_load_PKCS12_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_functs); - ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_reasons); + ERR_load_strings(0,PKCS12_str_functs); + ERR_load_strings(0,PKCS12_str_reasons); #endif } diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h index dd338f266c..fb8af82d4f 100644 --- a/src/lib/libcrypto/pkcs12/pkcs12.h +++ b/src/lib/libcrypto/pkcs12/pkcs12.h @@ -287,12 +287,15 @@ void ERR_load_PKCS12_strings(void); #define PKCS12_F_PKCS12_PBE_KEYIVGEN 120 #define PKCS12_F_PKCS12_SETUP_MAC 122 #define PKCS12_F_PKCS12_SET_MAC 123 +#define PKCS12_F_PKCS12_UNPACK_AUTHSAFES 129 +#define PKCS12_F_PKCS12_UNPACK_P7DATA 130 #define PKCS12_F_PKCS8_ADD_KEYUSAGE 124 #define PKCS12_F_PKCS8_ENCRYPT 125 #define PKCS12_F_VERIFY_MAC 126 /* Reason codes. */ #define PKCS12_R_CANT_PACK_STRUCTURE 100 +#define PKCS12_R_CONTENT_TYPE_NOT_DATA 121 #define PKCS12_R_DECODE_ERROR 101 #define PKCS12_R_ENCODE_ERROR 102 #define PKCS12_R_ENCRYPT_ERROR 103 diff --git a/src/lib/libcrypto/pkcs7/pk7_mime.c b/src/lib/libcrypto/pkcs7/pk7_mime.c index 5d2a97839d..927b88c3e7 100644 --- a/src/lib/libcrypto/pkcs7/pk7_mime.c +++ b/src/lib/libcrypto/pkcs7/pk7_mime.c @@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -152,11 +152,12 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) { char bound[33], c; int i; - char *mime_prefix, *mime_eol; + char *mime_prefix, *mime_eol, *msg_type=NULL; if (flags & PKCS7_NOOLDMIMETYPE) mime_prefix = "application/pkcs7-"; else mime_prefix = "application/x-pkcs7-"; + if (flags & PKCS7_CRLFEOL) mime_eol = "\r\n"; else @@ -198,11 +199,30 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) mime_eol, mime_eol); return 1; } + + /* Determine smime-type header */ + + if (PKCS7_type_is_enveloped(p7)) + msg_type = "enveloped-data"; + else if (PKCS7_type_is_signed(p7)) + { + /* If we have any signers it is signed-data othewise + * certs-only. + */ + STACK_OF(PKCS7_SIGNER_INFO) *sinfos; + sinfos = PKCS7_get_signer_info(p7); + if (sk_PKCS7_SIGNER_INFO_num(sinfos) > 0) + msg_type = "signed-data"; + else + msg_type = "certs-only"; + } /* MIME headers */ BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol); BIO_printf(bio, "Content-Disposition: attachment;"); BIO_printf(bio, " filename=\"smime.p7m\"%s", mime_eol); BIO_printf(bio, "Content-Type: %smime;", mime_prefix); + if (msg_type) + BIO_printf(bio, " smime-type=%s;", msg_type); BIO_printf(bio, " name=\"smime.p7m\"%s", mime_eol); BIO_printf(bio, "Content-Transfer-Encoding: base64%s%s", mime_eol, mime_eol); diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c index a852b49235..99a0d63f38 100644 --- a/src/lib/libcrypto/pkcs7/pk7_smime.c +++ b/src/lib/libcrypto/pkcs7/pk7_smime.c @@ -296,11 +296,9 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, if (tmpin == indata) { - if(indata) BIO_pop(p7bio); - BIO_free_all(p7bio); + if (indata) BIO_pop(p7bio); } - else - BIO_free_all(tmpin); + BIO_free_all(p7bio); sk_X509_free(signers); diff --git a/src/lib/libcrypto/pkcs7/pkcs7err.c b/src/lib/libcrypto/pkcs7/pkcs7err.c index 5e51527a40..19894c80a4 100644 --- a/src/lib/libcrypto/pkcs7/pkcs7err.c +++ b/src/lib/libcrypto/pkcs7/pkcs7err.c @@ -1,6 +1,6 @@ /* crypto/pkcs7/pkcs7err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,81 +64,85 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS7,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS7,0,reason) + static ERR_STRING_DATA PKCS7_str_functs[]= { -{ERR_PACK(0,PKCS7_F_B64_READ_PKCS7,0), "B64_READ_PKCS7"}, -{ERR_PACK(0,PKCS7_F_B64_WRITE_PKCS7,0), "B64_WRITE_PKCS7"}, -{ERR_PACK(0,PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,0), "PKCS7_add_attrib_smimecap"}, -{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CERTIFICATE,0), "PKCS7_add_certificate"}, -{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CRL,0), "PKCS7_add_crl"}, -{ERR_PACK(0,PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,0), "PKCS7_add_recipient_info"}, -{ERR_PACK(0,PKCS7_F_PKCS7_ADD_SIGNER,0), "PKCS7_add_signer"}, -{ERR_PACK(0,PKCS7_F_PKCS7_CTRL,0), "PKCS7_ctrl"}, -{ERR_PACK(0,PKCS7_F_PKCS7_DATADECODE,0), "PKCS7_dataDecode"}, -{ERR_PACK(0,PKCS7_F_PKCS7_DATAINIT,0), "PKCS7_dataInit"}, -{ERR_PACK(0,PKCS7_F_PKCS7_DATASIGN,0), "PKCS7_DATASIGN"}, -{ERR_PACK(0,PKCS7_F_PKCS7_DATAVERIFY,0), "PKCS7_dataVerify"}, -{ERR_PACK(0,PKCS7_F_PKCS7_DECRYPT,0), "PKCS7_decrypt"}, -{ERR_PACK(0,PKCS7_F_PKCS7_ENCRYPT,0), "PKCS7_encrypt"}, -{ERR_PACK(0,PKCS7_F_PKCS7_GET0_SIGNERS,0), "PKCS7_get0_signers"}, -{ERR_PACK(0,PKCS7_F_PKCS7_SET_CIPHER,0), "PKCS7_set_cipher"}, -{ERR_PACK(0,PKCS7_F_PKCS7_SET_CONTENT,0), "PKCS7_set_content"}, -{ERR_PACK(0,PKCS7_F_PKCS7_SET_TYPE,0), "PKCS7_set_type"}, -{ERR_PACK(0,PKCS7_F_PKCS7_SIGN,0), "PKCS7_sign"}, -{ERR_PACK(0,PKCS7_F_PKCS7_SIGNATUREVERIFY,0), "PKCS7_signatureVerify"}, -{ERR_PACK(0,PKCS7_F_PKCS7_SIMPLE_SMIMECAP,0), "PKCS7_simple_smimecap"}, -{ERR_PACK(0,PKCS7_F_PKCS7_VERIFY,0), "PKCS7_verify"}, -{ERR_PACK(0,PKCS7_F_SMIME_READ_PKCS7,0), "SMIME_read_PKCS7"}, -{ERR_PACK(0,PKCS7_F_SMIME_TEXT,0), "SMIME_text"}, +{ERR_FUNC(PKCS7_F_B64_READ_PKCS7), "B64_READ_PKCS7"}, +{ERR_FUNC(PKCS7_F_B64_WRITE_PKCS7), "B64_WRITE_PKCS7"}, +{ERR_FUNC(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP), "PKCS7_add_attrib_smimecap"}, +{ERR_FUNC(PKCS7_F_PKCS7_ADD_CERTIFICATE), "PKCS7_add_certificate"}, +{ERR_FUNC(PKCS7_F_PKCS7_ADD_CRL), "PKCS7_add_crl"}, +{ERR_FUNC(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO), "PKCS7_add_recipient_info"}, +{ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNER), "PKCS7_add_signer"}, +{ERR_FUNC(PKCS7_F_PKCS7_CTRL), "PKCS7_ctrl"}, +{ERR_FUNC(PKCS7_F_PKCS7_DATADECODE), "PKCS7_dataDecode"}, +{ERR_FUNC(PKCS7_F_PKCS7_DATAINIT), "PKCS7_dataInit"}, +{ERR_FUNC(PKCS7_F_PKCS7_DATASIGN), "PKCS7_DATASIGN"}, +{ERR_FUNC(PKCS7_F_PKCS7_DATAVERIFY), "PKCS7_dataVerify"}, +{ERR_FUNC(PKCS7_F_PKCS7_DECRYPT), "PKCS7_decrypt"}, +{ERR_FUNC(PKCS7_F_PKCS7_ENCRYPT), "PKCS7_encrypt"}, +{ERR_FUNC(PKCS7_F_PKCS7_GET0_SIGNERS), "PKCS7_get0_signers"}, +{ERR_FUNC(PKCS7_F_PKCS7_SET_CIPHER), "PKCS7_set_cipher"}, +{ERR_FUNC(PKCS7_F_PKCS7_SET_CONTENT), "PKCS7_set_content"}, +{ERR_FUNC(PKCS7_F_PKCS7_SET_TYPE), "PKCS7_set_type"}, +{ERR_FUNC(PKCS7_F_PKCS7_SIGN), "PKCS7_sign"}, +{ERR_FUNC(PKCS7_F_PKCS7_SIGNATUREVERIFY), "PKCS7_signatureVerify"}, +{ERR_FUNC(PKCS7_F_PKCS7_SIMPLE_SMIMECAP), "PKCS7_simple_smimecap"}, +{ERR_FUNC(PKCS7_F_PKCS7_VERIFY), "PKCS7_verify"}, +{ERR_FUNC(PKCS7_F_SMIME_READ_PKCS7), "SMIME_read_PKCS7"}, +{ERR_FUNC(PKCS7_F_SMIME_TEXT), "SMIME_text"}, {0,NULL} }; static ERR_STRING_DATA PKCS7_str_reasons[]= { -{PKCS7_R_CERTIFICATE_VERIFY_ERROR ,"certificate verify error"}, -{PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER ,"cipher has no object identifier"}, -{PKCS7_R_CIPHER_NOT_INITIALIZED ,"cipher not initialized"}, -{PKCS7_R_CONTENT_AND_DATA_PRESENT ,"content and data present"}, -{PKCS7_R_DECODE_ERROR ,"decode error"}, -{PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH ,"decrypted key is wrong length"}, -{PKCS7_R_DECRYPT_ERROR ,"decrypt error"}, -{PKCS7_R_DIGEST_FAILURE ,"digest failure"}, -{PKCS7_R_ERROR_ADDING_RECIPIENT ,"error adding recipient"}, -{PKCS7_R_ERROR_SETTING_CIPHER ,"error setting cipher"}, -{PKCS7_R_INVALID_MIME_TYPE ,"invalid mime type"}, -{PKCS7_R_INVALID_NULL_POINTER ,"invalid null pointer"}, -{PKCS7_R_MIME_NO_CONTENT_TYPE ,"mime no content type"}, -{PKCS7_R_MIME_PARSE_ERROR ,"mime parse error"}, -{PKCS7_R_MIME_SIG_PARSE_ERROR ,"mime sig parse error"}, -{PKCS7_R_MISSING_CERIPEND_INFO ,"missing ceripend info"}, -{PKCS7_R_NO_CONTENT ,"no content"}, -{PKCS7_R_NO_CONTENT_TYPE ,"no content type"}, -{PKCS7_R_NO_MULTIPART_BODY_FAILURE ,"no multipart body failure"}, -{PKCS7_R_NO_MULTIPART_BOUNDARY ,"no multipart boundary"}, -{PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE,"no recipient matches certificate"}, -{PKCS7_R_NO_SIGNATURES_ON_DATA ,"no signatures on data"}, -{PKCS7_R_NO_SIGNERS ,"no signers"}, -{PKCS7_R_NO_SIG_CONTENT_TYPE ,"no sig content type"}, -{PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE,"operation not supported on this type"}, -{PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR ,"pkcs7 add signature error"}, -{PKCS7_R_PKCS7_DATAFINAL_ERROR ,"pkcs7 datafinal error"}, -{PKCS7_R_PKCS7_DATASIGN ,"pkcs7 datasign"}, -{PKCS7_R_PKCS7_PARSE_ERROR ,"pkcs7 parse error"}, -{PKCS7_R_PKCS7_SIG_PARSE_ERROR ,"pkcs7 sig parse error"}, -{PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"}, -{PKCS7_R_SIGNATURE_FAILURE ,"signature failure"}, -{PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND ,"signer certificate not found"}, -{PKCS7_R_SIG_INVALID_MIME_TYPE ,"sig invalid mime type"}, -{PKCS7_R_SMIME_TEXT_ERROR ,"smime text error"}, -{PKCS7_R_UNABLE_TO_FIND_CERTIFICATE ,"unable to find certificate"}, -{PKCS7_R_UNABLE_TO_FIND_MEM_BIO ,"unable to find mem bio"}, -{PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST ,"unable to find message digest"}, -{PKCS7_R_UNKNOWN_DIGEST_TYPE ,"unknown digest type"}, -{PKCS7_R_UNKNOWN_OPERATION ,"unknown operation"}, -{PKCS7_R_UNSUPPORTED_CIPHER_TYPE ,"unsupported cipher type"}, -{PKCS7_R_UNSUPPORTED_CONTENT_TYPE ,"unsupported content type"}, -{PKCS7_R_WRONG_CONTENT_TYPE ,"wrong content type"}, -{PKCS7_R_WRONG_PKCS7_TYPE ,"wrong pkcs7 type"}, +{ERR_REASON(PKCS7_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"}, +{ERR_REASON(PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"}, +{ERR_REASON(PKCS7_R_CIPHER_NOT_INITIALIZED),"cipher not initialized"}, +{ERR_REASON(PKCS7_R_CONTENT_AND_DATA_PRESENT),"content and data present"}, +{ERR_REASON(PKCS7_R_DECODE_ERROR) ,"decode error"}, +{ERR_REASON(PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH),"decrypted key is wrong length"}, +{ERR_REASON(PKCS7_R_DECRYPT_ERROR) ,"decrypt error"}, +{ERR_REASON(PKCS7_R_DIGEST_FAILURE) ,"digest failure"}, +{ERR_REASON(PKCS7_R_ERROR_ADDING_RECIPIENT),"error adding recipient"}, +{ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"}, +{ERR_REASON(PKCS7_R_INVALID_MIME_TYPE) ,"invalid mime type"}, +{ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"}, +{ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"}, +{ERR_REASON(PKCS7_R_MIME_PARSE_ERROR) ,"mime parse error"}, +{ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"}, +{ERR_REASON(PKCS7_R_MISSING_CERIPEND_INFO),"missing ceripend info"}, +{ERR_REASON(PKCS7_R_NO_CONTENT) ,"no content"}, +{ERR_REASON(PKCS7_R_NO_CONTENT_TYPE) ,"no content type"}, +{ERR_REASON(PKCS7_R_NO_MULTIPART_BODY_FAILURE),"no multipart body failure"}, +{ERR_REASON(PKCS7_R_NO_MULTIPART_BOUNDARY),"no multipart boundary"}, +{ERR_REASON(PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE),"no recipient matches certificate"}, +{ERR_REASON(PKCS7_R_NO_SIGNATURES_ON_DATA),"no signatures on data"}, +{ERR_REASON(PKCS7_R_NO_SIGNERS) ,"no signers"}, +{ERR_REASON(PKCS7_R_NO_SIG_CONTENT_TYPE) ,"no sig content type"}, +{ERR_REASON(PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE),"operation not supported on this type"}, +{ERR_REASON(PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR),"pkcs7 add signature error"}, +{ERR_REASON(PKCS7_R_PKCS7_DATAFINAL_ERROR),"pkcs7 datafinal error"}, +{ERR_REASON(PKCS7_R_PKCS7_DATASIGN) ,"pkcs7 datasign"}, +{ERR_REASON(PKCS7_R_PKCS7_PARSE_ERROR) ,"pkcs7 parse error"}, +{ERR_REASON(PKCS7_R_PKCS7_SIG_PARSE_ERROR),"pkcs7 sig parse error"}, +{ERR_REASON(PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"}, +{ERR_REASON(PKCS7_R_SIGNATURE_FAILURE) ,"signature failure"}, +{ERR_REASON(PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"}, +{ERR_REASON(PKCS7_R_SIG_INVALID_MIME_TYPE),"sig invalid mime type"}, +{ERR_REASON(PKCS7_R_SMIME_TEXT_ERROR) ,"smime text error"}, +{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_CERTIFICATE),"unable to find certificate"}, +{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_MEM_BIO),"unable to find mem bio"}, +{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST),"unable to find message digest"}, +{ERR_REASON(PKCS7_R_UNKNOWN_DIGEST_TYPE) ,"unknown digest type"}, +{ERR_REASON(PKCS7_R_UNKNOWN_OPERATION) ,"unknown operation"}, +{ERR_REASON(PKCS7_R_UNSUPPORTED_CIPHER_TYPE),"unsupported cipher type"}, +{ERR_REASON(PKCS7_R_UNSUPPORTED_CONTENT_TYPE),"unsupported content type"}, +{ERR_REASON(PKCS7_R_WRONG_CONTENT_TYPE) ,"wrong content type"}, +{ERR_REASON(PKCS7_R_WRONG_PKCS7_TYPE) ,"wrong pkcs7 type"}, {0,NULL} }; @@ -152,8 +156,8 @@ void ERR_load_PKCS7_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_functs); - ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_reasons); + ERR_load_strings(0,PKCS7_str_functs); + ERR_load_strings(0,PKCS7_str_reasons); #endif } diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c index 95574659ac..97f96e1aee 100644 --- a/src/lib/libcrypto/rand/rand_err.c +++ b/src/lib/libcrypto/rand/rand_err.c @@ -1,6 +1,6 @@ /* crypto/rand/rand_err.c */ /* ==================================================================== - * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,22 +64,26 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RAND,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RAND,0,reason) + static ERR_STRING_DATA RAND_str_functs[]= { -{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0), "FIPS_RAND_BYTES"}, -{ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0), "RAND_get_rand_method"}, -{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0), "SSLEAY_RAND_BYTES"}, +{ERR_FUNC(RAND_F_FIPS_RAND_BYTES), "FIPS_RAND_BYTES"}, +{ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD), "RAND_get_rand_method"}, +{ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"}, {0,NULL} }; static ERR_STRING_DATA RAND_str_reasons[]= { -{RAND_R_NON_FIPS_METHOD ,"non fips method"}, -{RAND_R_PRNG_ASKING_FOR_TOO_MUCH ,"prng asking for too much"}, -{RAND_R_PRNG_NOT_REKEYED ,"prng not rekeyed"}, -{RAND_R_PRNG_NOT_RESEEDED ,"prng not reseeded"}, -{RAND_R_PRNG_NOT_SEEDED ,"PRNG not seeded"}, -{RAND_R_PRNG_STUCK ,"prng stuck"}, +{ERR_REASON(RAND_R_NON_FIPS_METHOD) ,"non fips method"}, +{ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"}, +{ERR_REASON(RAND_R_PRNG_NOT_REKEYED) ,"prng not rekeyed"}, +{ERR_REASON(RAND_R_PRNG_NOT_RESEEDED) ,"prng not reseeded"}, +{ERR_REASON(RAND_R_PRNG_NOT_SEEDED) ,"PRNG not seeded"}, +{ERR_REASON(RAND_R_PRNG_STUCK) ,"prng stuck"}, {0,NULL} }; @@ -93,8 +97,8 @@ void ERR_load_RAND_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_RAND,RAND_str_functs); - ERR_load_strings(ERR_LIB_RAND,RAND_str_reasons); + ERR_load_strings(0,RAND_str_functs); + ERR_load_strings(0,RAND_str_reasons); #endif } diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c index 88f1b56d91..a21bde79de 100644 --- a/src/lib/libcrypto/rand/rand_lib.c +++ b/src/lib/libcrypto/rand/rand_lib.c @@ -87,16 +87,6 @@ int RAND_set_rand_method(const RAND_METHOD *meth) const RAND_METHOD *RAND_get_rand_method(void) { -#ifdef OPENSSL_FIPS - if(FIPS_mode() - && default_RAND_meth != FIPS_rand_check()) - { - RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD); - return 0; - } -#endif - - if (!default_RAND_meth) { #ifndef OPENSSL_NO_ENGINE @@ -114,8 +104,22 @@ const RAND_METHOD *RAND_get_rand_method(void) funct_ref = e; else #endif - default_RAND_meth = RAND_SSLeay(); +#ifdef OPENSSL_FIPS + if(FIPS_mode()) + default_RAND_meth=FIPS_rand_method(); + else +#endif + default_RAND_meth = RAND_SSLeay(); } + +#ifdef OPENSSL_FIPS + if(FIPS_mode() + && default_RAND_meth != FIPS_rand_check()) + { + RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD); + return 0; + } +#endif return default_RAND_meth; } diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c index c7fba496a8..7183fa32e4 100644 --- a/src/lib/libcrypto/rand/randfile.c +++ b/src/lib/libcrypto/rand/randfile.c @@ -57,7 +57,7 @@ */ /* We need to define this to get macros like S_IFBLK and S_IFCHR */ -#define _XOPEN_SOURCE 1 +#define _XOPEN_SOURCE 500 #include #include diff --git a/src/lib/libcrypto/rc2/rc2_skey.c b/src/lib/libcrypto/rc2/rc2_skey.c index 22f372f85c..9652865188 100644 --- a/src/lib/libcrypto/rc2/rc2_skey.c +++ b/src/lib/libcrypto/rc2/rc2_skey.c @@ -58,6 +58,7 @@ #include #include +#include #include "rc2_locl.h" static unsigned char key_table[256]={ diff --git a/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl new file mode 100755 index 0000000000..b628daca70 --- /dev/null +++ b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl @@ -0,0 +1,150 @@ +#!/usr/bin/env perl +# +# ==================================================================== +# Written by Andy Polyakov for the OpenSSL +# project. Rights for redistribution and usage in source and binary +# forms are granted according to the OpenSSL license. +# ==================================================================== +# +# Unlike 0.9.7f this code expects RC4_CHAR back in config line! See +# commentary section in corresponding script in development branch +# for background information about this option carousel. For those +# who don't have energy to figure out these gory details, here is +# basis in form of performance matrix relative to the original +# 0.9.7e C code-base: +# +# 0.9.7e 0.9.7f this +# AMD64 1x 3.3x 2.4x +# EM64T 1x 0.8x 1.5x +# +# In other words idea is to trade -25% AMD64 performance to compensate +# for deterioration and gain +90% on EM64T core. Development branch +# maintains best performance for either target, i.e. 3.3x for AMD64 +# and 1.5x for EM64T. + +$output=shift; + +open STDOUT,">$output" || die "can't open $output: $!"; + +$dat="%rdi"; # arg1 +$len="%rsi"; # arg2 +$inp="%rdx"; # arg3 +$out="%rcx"; # arg4 + +@XX=("%r8","%r10"); +@TX=("%r9","%r11"); +$YY="%r12"; +$TY="%r13"; + +$code=<<___;; +.text + +.globl RC4 +.type RC4,\@function +.align 16 +RC4: or $len,$len + jne .Lentry + repret +.Lentry: + push %r12 + push %r13 + + add \$2,$dat + movzb -2($dat),$XX[0]#d + movzb -1($dat),$YY#d + + add \$1,$XX[0]#b + movzb ($dat,$XX[0]),$TX[0]#d + test \$-8,$len + jz .Lcloop1 + push %rbx +.align 16 # incidentally aligned already +.Lcloop8: + mov ($inp),%eax + mov 4($inp),%ebx +___ +# unroll 2x4-wise, because 64-bit rotates kill Intel P4... +for ($i=0;$i<4;$i++) { +$code.=<<___; + add $TX[0]#b,$YY#b + lea 1($XX[0]),$XX[1] + movzb ($dat,$YY),$TY#d + movzb $XX[1]#b,$XX[1]#d + movzb ($dat,$XX[1]),$TX[1]#d + movb $TX[0]#b,($dat,$YY) + cmp $XX[1],$YY + movb $TY#b,($dat,$XX[0]) + jne .Lcmov$i # Intel cmov is sloooow... + mov $TX[0],$TX[1] +.Lcmov$i: + add $TX[0]#b,$TY#b + xor ($dat,$TY),%al + ror \$8,%eax +___ +push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers +} +for ($i=4;$i<8;$i++) { +$code.=<<___; + add $TX[0]#b,$YY#b + lea 1($XX[0]),$XX[1] + movzb ($dat,$YY),$TY#d + movzb $XX[1]#b,$XX[1]#d + movzb ($dat,$XX[1]),$TX[1]#d + movb $TX[0]#b,($dat,$YY) + cmp $XX[1],$YY + movb $TY#b,($dat,$XX[0]) + jne .Lcmov$i # Intel cmov is sloooow... + mov $TX[0],$TX[1] +.Lcmov$i: + add $TX[0]#b,$TY#b + xor ($dat,$TY),%bl + ror \$8,%ebx +___ +push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers +} +$code.=<<___; + lea -8($len),$len + mov %eax,($out) + lea 8($inp),$inp + mov %ebx,4($out) + lea 8($out),$out + + test \$-8,$len + jnz .Lcloop8 + pop %rbx + cmp \$0,$len + jne .Lcloop1 +.Lexit: + sub \$1,$XX[0]#b + movb $XX[0]#b,-2($dat) + movb $YY#b,-1($dat) + + pop %r13 + pop %r12 + repret + +.align 16 +.Lcloop1: + add $TX[0]#b,$YY#b + movzb ($dat,$YY),$TY#d + movb $TX[0]#b,($dat,$YY) + movb $TY#b,($dat,$XX[0]) + add $TX[0]#b,$TY#b + add \$1,$XX[0]#b + movzb ($dat,$TY),$TY#d + movzb ($dat,$XX[0]),$TX[0]#d + xorb ($inp),$TY#b + lea 1($inp),$inp + movb $TY#b,($out) + lea 1($out),$out + sub \$1,$len + jnz .Lcloop1 + jmp .Lexit +.size RC4,.-RC4 +___ + +$code =~ s/#([bwd])/$1/gm; + +$code =~ s/repret/.byte\t0xF3,0xC3/gm; + +print $code; diff --git a/src/lib/libcrypto/rc4/rc4.h b/src/lib/libcrypto/rc4/rc4.h index dd90d9fde0..ae0cea75b8 100644 --- a/src/lib/libcrypto/rc4/rc4.h +++ b/src/lib/libcrypto/rc4/rc4.h @@ -73,10 +73,6 @@ typedef struct rc4_key_st { RC4_INT x,y; RC4_INT data[256]; -#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64) - /* see crypto/rc4/asm/rc4-ia64.S for further details... */ - RC4_INT pad[512-256-2]; -#endif } RC4_KEY; diff --git a/src/lib/libcrypto/rc4/rc4_enc.c b/src/lib/libcrypto/rc4/rc4_enc.c index 81a97ea3b7..d5f18a3a70 100644 --- a/src/lib/libcrypto/rc4/rc4_enc.c +++ b/src/lib/libcrypto/rc4/rc4_enc.c @@ -77,10 +77,6 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata, x=key->x; y=key->y; d=key->data; -#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64) - /* see crypto/rc4/asm/rc4-ia64.S for further details... */ - d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1)); -#endif #if defined(RC4_CHUNK) /* diff --git a/src/lib/libcrypto/rc4/rc4_skey.c b/src/lib/libcrypto/rc4/rc4_skey.c index 07234f061a..60510624fd 100644 --- a/src/lib/libcrypto/rc4/rc4_skey.c +++ b/src/lib/libcrypto/rc4/rc4_skey.c @@ -58,6 +58,7 @@ #include #include +#include #include "rc4_locl.h" #include @@ -94,10 +95,6 @@ FIPS_NON_FIPS_VCIPHER_Init(RC4) unsigned int i; d= &(key->data[0]); -#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64) - /* see crypto/rc4/asm/rc4-ia64.S for further details... */ - d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1)); -#endif for (i=0; i<256; i++) d[i]=i; diff --git a/src/lib/libcrypto/ripemd/rmd_one.c b/src/lib/libcrypto/ripemd/rmd_one.c index f8b580c33a..b88446b267 100644 --- a/src/lib/libcrypto/ripemd/rmd_one.c +++ b/src/lib/libcrypto/ripemd/rmd_one.c @@ -68,7 +68,8 @@ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n, static unsigned char m[RIPEMD160_DIGEST_LENGTH]; if (md == NULL) md=m; - RIPEMD160_Init(&c); + if (!RIPEMD160_Init(&c)) + return NULL; RIPEMD160_Update(&c,d,n); RIPEMD160_Final(md,&c); OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */ diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h index fc3bb5f86d..0b639cd37f 100644 --- a/src/lib/libcrypto/rsa/rsa.h +++ b/src/lib/libcrypto/rsa/rsa.h @@ -157,33 +157,41 @@ struct rsa_st #define RSA_3 0x3L #define RSA_F4 0x10001L -#define RSA_METHOD_FLAG_NO_CHECK 0x01 /* don't check pub/private match */ +#define RSA_METHOD_FLAG_NO_CHECK 0x0001 /* don't check pub/private match */ -#define RSA_FLAG_CACHE_PUBLIC 0x02 -#define RSA_FLAG_CACHE_PRIVATE 0x04 -#define RSA_FLAG_BLINDING 0x08 -#define RSA_FLAG_THREAD_SAFE 0x10 +#define RSA_FLAG_CACHE_PUBLIC 0x0002 +#define RSA_FLAG_CACHE_PRIVATE 0x0004 +#define RSA_FLAG_BLINDING 0x0008 +#define RSA_FLAG_THREAD_SAFE 0x0010 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: * for example a key stored in external hardware. Without this flag bn_mod_exp * gets called when private key components are absent. */ -#define RSA_FLAG_EXT_PKEY 0x20 +#define RSA_FLAG_EXT_PKEY 0x0020 /* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions. */ -#define RSA_FLAG_SIGN_VER 0x40 - -#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in - * RSA implementation now uses blinding by - * default (ignoring RSA_FLAG_BLINDING), - * but other engines might not need it - */ +#define RSA_FLAG_SIGN_VER 0x0040 + +#define RSA_FLAG_NO_BLINDING 0x0080 /* new with 0.9.6j and 0.9.7b; the built-in + * RSA implementation now uses blinding by + * default (ignoring RSA_FLAG_BLINDING), + * but other engines might not need it + */ +#define RSA_FLAG_NO_EXP_CONSTTIME 0x0100 /* new with 0.9.7h; the built-in RSA + * implementation now uses constant time + * modular exponentiation for secret exponents + * by default. This flag causes the + * faster variable sliding window method to + * be used for all exponents. + */ #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 #define RSA_PKCS1_OAEP_PADDING 4 +#define RSA_X931_PADDING 5 #define RSA_PKCS1_PADDING_SIZE 11 @@ -196,6 +204,15 @@ int RSA_size(const RSA *); RSA * RSA_generate_key(int bits, unsigned long e,void (*callback)(int,int,void *),void *cb_arg); int RSA_check_key(const RSA *); +#ifdef OPENSSL_FIPS +int RSA_X931_derive(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, + void (*cb)(int, int, void *), void *cb_arg, + const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp, + const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq, + const BIGNUM *e); +RSA *RSA_X931_generate_key(int bits, const BIGNUM *e, + void (*cb)(int,int,void *), void *cb_arg); +#endif /* next 4 return -1 on error */ int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,int padding); @@ -268,6 +285,8 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen, const unsigned char *f,int fl); int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen, const unsigned char *f,int fl,int rsa_len); +int PKCS1_MGF1(unsigned char *mask, long len, + const unsigned char *seed, long seedlen, const EVP_MD *dgst); int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen, const unsigned char *f,int fl, const unsigned char *p,int pl); @@ -282,6 +301,17 @@ int RSA_padding_add_none(unsigned char *to,int tlen, const unsigned char *f,int fl); int RSA_padding_check_none(unsigned char *to,int tlen, const unsigned char *f,int fl,int rsa_len); +int RSA_padding_add_X931(unsigned char *to,int tlen, + const unsigned char *f,int fl); +int RSA_padding_check_X931(unsigned char *to,int tlen, + const unsigned char *f,int fl,int rsa_len); +int RSA_X931_hash_id(int nid); + +int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, + const EVP_MD *Hash, const unsigned char *EM, int sLen); +int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, + const unsigned char *mHash, + const EVP_MD *Hash, int sLen); int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); @@ -311,20 +341,24 @@ void ERR_load_RSA_strings(void); #define RSA_F_RSA_NULL 124 #define RSA_F_RSA_PADDING_ADD_NONE 107 #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121 +#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109 #define RSA_F_RSA_PADDING_ADD_SSLV23 110 +#define RSA_F_RSA_PADDING_ADD_X931 127 #define RSA_F_RSA_PADDING_CHECK_NONE 111 #define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP 122 #define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1 112 #define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2 113 #define RSA_F_RSA_PADDING_CHECK_SSLV23 114 +#define RSA_F_RSA_PADDING_CHECK_X931 128 #define RSA_F_RSA_PRINT 115 #define RSA_F_RSA_PRINT_FP 116 #define RSA_F_RSA_SIGN 117 #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 #define RSA_F_RSA_VERIFY 119 #define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120 +#define RSA_F_RSA_VERIFY_PKCS1_PSS 126 /* Reason codes. */ #define RSA_R_ALGORITHM_MISMATCH 100 @@ -344,9 +378,14 @@ void ERR_load_RSA_strings(void); #define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124 #define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125 #define RSA_R_D_E_NOT_CONGRUENT_TO_1 123 +#define RSA_R_FIRST_OCTET_INVALID 133 +#define RSA_R_INVALID_HEADER 137 #define RSA_R_INVALID_MESSAGE_LENGTH 131 +#define RSA_R_INVALID_PADDING 138 +#define RSA_R_INVALID_TRAILER 139 #define RSA_R_IQMP_NOT_INVERSE_OF_Q 126 #define RSA_R_KEY_SIZE_TOO_SMALL 120 +#define RSA_R_LAST_OCTET_INVALID 134 #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 #define RSA_R_OAEP_DECODING_ERROR 121 @@ -354,6 +393,8 @@ void ERR_load_RSA_strings(void); #define RSA_R_P_NOT_PRIME 128 #define RSA_R_Q_NOT_PRIME 129 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 +#define RSA_R_SLEN_CHECK_FAILED 136 +#define RSA_R_SLEN_RECOVERY_FAILED 135 #define RSA_R_SSLV3_ROLLBACK_ATTACK 115 #define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116 #define RSA_R_UNKNOWN_ALGORITHM_TYPE 117 diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index d4caab3f95..be4ac96ce3 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include "cryptlib.h" @@ -145,30 +198,13 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, goto err; } - if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { - BN_MONT_CTX* bn_mont_ctx; - if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) - { - BN_MONT_CTX_free(bn_mont_ctx); + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, + CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err; - } - if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ - { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - if (rsa->_method_mod_n == NULL) - { - rsa->_method_mod_n = bn_mont_ctx; - bn_mont_ctx = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - } - if (bn_mont_ctx) - BN_MONT_CTX_free(bn_mont_ctx); } - + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; @@ -249,7 +285,7 @@ err: static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { - BIGNUM f,ret; + BIGNUM f,ret, *res; int i,j,k,num=0,r= -1; unsigned char *buf=NULL; BN_CTX *ctx=NULL; @@ -331,19 +367,43 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL)) ) - { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } + { + if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; + } else { - if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; + BIGNUM local_d; + BIGNUM *d = NULL; + + if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) + { + BN_init(&local_d); + d = &local_d; + BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); + } + else + d = rsa->d; + if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err; } if (blinding) if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; + if (padding == RSA_X931_PADDING) + { + BN_sub(&f, rsa->n, &ret); + if (BN_cmp(&ret, &f)) + res = &f; + else + res = &ret; + } + else + res = &ret; + /* put in leading 0 bytes if the number is less than the * length of the modulus */ - j=BN_num_bytes(&ret); - i=BN_bn2bin(&ret,&(to[num-j])); + j=BN_num_bytes(res); + i=BN_bn2bin(res,&(to[num-j])); for (k=0; k<(num-i); k++) to[k]=0; @@ -444,10 +504,22 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL)) ) - { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } + { + if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; + } else { - if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) + BIGNUM local_d; + BIGNUM *d = NULL; + + if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) + { + d = &local_d; + BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); + } + else + d = rsa->d; + if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err; } @@ -534,33 +606,20 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, } /* do the decrypt */ - if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) + + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { - BN_MONT_CTX* bn_mont_ctx; - if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) - { - BN_MONT_CTX_free(bn_mont_ctx); + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, + CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err; - } - if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ - { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - if (rsa->_method_mod_n == NULL) - { - rsa->_method_mod_n = bn_mont_ctx; - bn_mont_ctx = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - } - if (bn_mont_ctx) - BN_MONT_CTX_free(bn_mont_ctx); } - + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; + if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12)) + BN_sub(&ret, rsa->n, &ret); + p=buf; i=BN_bn2bin(&ret,p); @@ -594,6 +653,8 @@ err: static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) { BIGNUM r1,m1,vrfy; + BIGNUM local_dmp1, local_dmq1; + BIGNUM *dmp1, *dmq1; int ret=0; BN_CTX *ctx; @@ -604,61 +665,34 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { - if (rsa->_method_mod_p == NULL) - { - BN_MONT_CTX* bn_mont_ctx; - if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) - { - BN_MONT_CTX_free(bn_mont_ctx); - goto err; - } - if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ - { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - if (rsa->_method_mod_p == NULL) - { - rsa->_method_mod_p = bn_mont_ctx; - bn_mont_ctx = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - } - if (bn_mont_ctx) - BN_MONT_CTX_free(bn_mont_ctx); - } - - if (rsa->_method_mod_q == NULL) - { - BN_MONT_CTX* bn_mont_ctx; - if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) - { - BN_MONT_CTX_free(bn_mont_ctx); - goto err; - } - if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ - { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - if (rsa->_method_mod_q == NULL) - { - rsa->_method_mod_q = bn_mont_ctx; - bn_mont_ctx = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - } - if (bn_mont_ctx) - BN_MONT_CTX_free(bn_mont_ctx); - } + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, + CRYPTO_LOCK_RSA, rsa->p, ctx)) + goto err; + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, + CRYPTO_LOCK_RSA, rsa->q, ctx)) + goto err; } - + if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; - if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, + if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) + { + dmq1 = &local_dmq1; + BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); + } + else + dmq1 = rsa->dmq1; + if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx, rsa->_method_mod_q)) goto err; if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; - if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, + if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) + { + dmp1 = &local_dmp1; + BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME); + } + else + dmp1 = rsa->dmp1; + if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx, rsa->_method_mod_p)) goto err; if (!BN_sub(r0,r0,&m1)) goto err; @@ -693,10 +727,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) if (vrfy.neg) if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; if (!BN_is_zero(&vrfy)) + { /* 'I' and 'vrfy' aren't congruent mod n. Don't leak * miscalculated CRT output, just do a raw (slower) * mod_exp and return that instead. */ - if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; + + BIGNUM local_d; + BIGNUM *d = NULL; + + if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) + { + d = &local_d; + BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME); + } + else + d = rsa->d; + if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err; + } } ret=1; err: diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c index a7766c3b76..2ec4b30ff7 100644 --- a/src/lib/libcrypto/rsa/rsa_err.c +++ b/src/lib/libcrypto/rsa/rsa_err.c @@ -1,6 +1,6 @@ /* crypto/rsa/rsa_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,70 +64,85 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason) + static ERR_STRING_DATA RSA_str_functs[]= { -{ERR_PACK(0,RSA_F_MEMORY_LOCK,0), "MEMORY_LOCK"}, -{ERR_PACK(0,RSA_F_RSA_CHECK_KEY,0), "RSA_check_key"}, -{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_DECRYPT,0), "RSA_EAY_PRIVATE_DECRYPT"}, -{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_ENCRYPT,0), "RSA_EAY_PRIVATE_ENCRYPT"}, -{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_DECRYPT,0), "RSA_EAY_PUBLIC_DECRYPT"}, -{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_ENCRYPT,0), "RSA_EAY_PUBLIC_ENCRYPT"}, -{ERR_PACK(0,RSA_F_RSA_GENERATE_KEY,0), "RSA_generate_key"}, -{ERR_PACK(0,RSA_F_RSA_NEW_METHOD,0), "RSA_new_method"}, -{ERR_PACK(0,RSA_F_RSA_NULL,0), "RSA_NULL"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_NONE,0), "RSA_padding_add_none"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,0), "RSA_padding_add_PKCS1_OAEP"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,0), "RSA_padding_add_PKCS1_type_1"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,0), "RSA_padding_add_PKCS1_type_2"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_SSLV23,0), "RSA_padding_add_SSLv23"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_NONE,0), "RSA_padding_check_none"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,0), "RSA_padding_check_PKCS1_OAEP"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,0), "RSA_padding_check_PKCS1_type_1"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,0), "RSA_padding_check_PKCS1_type_2"}, -{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_SSLV23,0), "RSA_padding_check_SSLv23"}, -{ERR_PACK(0,RSA_F_RSA_PRINT,0), "RSA_print"}, -{ERR_PACK(0,RSA_F_RSA_PRINT_FP,0), "RSA_print_fp"}, -{ERR_PACK(0,RSA_F_RSA_SIGN,0), "RSA_sign"}, -{ERR_PACK(0,RSA_F_RSA_SIGN_ASN1_OCTET_STRING,0), "RSA_sign_ASN1_OCTET_STRING"}, -{ERR_PACK(0,RSA_F_RSA_VERIFY,0), "RSA_verify"}, -{ERR_PACK(0,RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,0), "RSA_verify_ASN1_OCTET_STRING"}, +{ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"}, +{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"}, +{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"}, +{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"}, +{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"}, +{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"}, +{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"}, +{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"}, +{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"}, +{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"}, +{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"}, +{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"}, +{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"}, +{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"}, +{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"}, +{ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931), "RSA_padding_add_X931"}, +{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE), "RSA_padding_check_none"}, +{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP), "RSA_padding_check_PKCS1_OAEP"}, +{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1), "RSA_padding_check_PKCS1_type_1"}, +{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2), "RSA_padding_check_PKCS1_type_2"}, +{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"}, +{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"}, +{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"}, +{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, +{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, +{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, +{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, +{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"}, +{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"}, {0,NULL} }; static ERR_STRING_DATA RSA_str_reasons[]= { -{RSA_R_ALGORITHM_MISMATCH ,"algorithm mismatch"}, -{RSA_R_BAD_E_VALUE ,"bad e value"}, -{RSA_R_BAD_FIXED_HEADER_DECRYPT ,"bad fixed header decrypt"}, -{RSA_R_BAD_PAD_BYTE_COUNT ,"bad pad byte count"}, -{RSA_R_BAD_SIGNATURE ,"bad signature"}, -{RSA_R_BLOCK_TYPE_IS_NOT_01 ,"block type is not 01"}, -{RSA_R_BLOCK_TYPE_IS_NOT_02 ,"block type is not 02"}, -{RSA_R_DATA_GREATER_THAN_MOD_LEN ,"data greater than mod len"}, -{RSA_R_DATA_TOO_LARGE ,"data too large"}, -{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"}, -{RSA_R_DATA_TOO_LARGE_FOR_MODULUS ,"data too large for modulus"}, -{RSA_R_DATA_TOO_SMALL ,"data too small"}, -{RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE ,"data too small for key size"}, -{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY ,"digest too big for rsa key"}, -{RSA_R_DMP1_NOT_CONGRUENT_TO_D ,"dmp1 not congruent to d"}, -{RSA_R_DMQ1_NOT_CONGRUENT_TO_D ,"dmq1 not congruent to d"}, -{RSA_R_D_E_NOT_CONGRUENT_TO_1 ,"d e not congruent to 1"}, -{RSA_R_INVALID_MESSAGE_LENGTH ,"invalid message length"}, -{RSA_R_IQMP_NOT_INVERSE_OF_Q ,"iqmp not inverse of q"}, -{RSA_R_KEY_SIZE_TOO_SMALL ,"key size too small"}, -{RSA_R_NULL_BEFORE_BLOCK_MISSING ,"null before block missing"}, -{RSA_R_N_DOES_NOT_EQUAL_P_Q ,"n does not equal p q"}, -{RSA_R_OAEP_DECODING_ERROR ,"oaep decoding error"}, -{RSA_R_PADDING_CHECK_FAILED ,"padding check failed"}, -{RSA_R_P_NOT_PRIME ,"p not prime"}, -{RSA_R_Q_NOT_PRIME ,"q not prime"}, -{RSA_R_RSA_OPERATIONS_NOT_SUPPORTED ,"rsa operations not supported"}, -{RSA_R_SSLV3_ROLLBACK_ATTACK ,"sslv3 rollback attack"}, -{RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"}, -{RSA_R_UNKNOWN_ALGORITHM_TYPE ,"unknown algorithm type"}, -{RSA_R_UNKNOWN_PADDING_TYPE ,"unknown padding type"}, -{RSA_R_WRONG_SIGNATURE_LENGTH ,"wrong signature length"}, +{ERR_REASON(RSA_R_ALGORITHM_MISMATCH) ,"algorithm mismatch"}, +{ERR_REASON(RSA_R_BAD_E_VALUE) ,"bad e value"}, +{ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"}, +{ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) ,"bad pad byte count"}, +{ERR_REASON(RSA_R_BAD_SIGNATURE) ,"bad signature"}, +{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01) ,"block type is not 01"}, +{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02) ,"block type is not 02"}, +{ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN),"data greater than mod len"}, +{ERR_REASON(RSA_R_DATA_TOO_LARGE) ,"data too large"}, +{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"}, +{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS),"data too large for modulus"}, +{ERR_REASON(RSA_R_DATA_TOO_SMALL) ,"data too small"}, +{ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE),"data too small for key size"}, +{ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY),"digest too big for rsa key"}, +{ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D),"dmp1 not congruent to d"}, +{ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D),"dmq1 not congruent to d"}, +{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"}, +{ERR_REASON(RSA_R_FIRST_OCTET_INVALID) ,"first octet invalid"}, +{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"}, +{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"}, +{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"}, +{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"}, +{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"}, +{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, +{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"}, +{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"}, +{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, +{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, +{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"}, +{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, +{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, +{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"}, +{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"}, +{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"}, +{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"}, +{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"}, +{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"}, +{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"}, +{ERR_REASON(RSA_R_SLEN_CHECK_FAILED) ,"salt length check failed"}, {0,NULL} }; @@ -141,8 +156,8 @@ void ERR_load_RSA_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_RSA,RSA_str_functs); - ERR_load_strings(ERR_LIB_RSA,RSA_str_reasons); + ERR_load_strings(0,RSA_str_functs); + ERR_load_strings(0,RSA_str_reasons); #endif } diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c index adb5e34da5..dd1422cc98 100644 --- a/src/lib/libcrypto/rsa/rsa_gen.c +++ b/src/lib/libcrypto/rsa/rsa_gen.c @@ -184,7 +184,8 @@ err: RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN); ok=0; } - BN_CTX_end(ctx); + if (ctx != NULL) + BN_CTX_end(ctx); BN_CTX_free(ctx); BN_CTX_free(ctx2); diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c index e3f7c608ec..d43ecaca63 100644 --- a/src/lib/libcrypto/rsa/rsa_oaep.c +++ b/src/lib/libcrypto/rsa/rsa_oaep.c @@ -28,9 +28,6 @@ #include #include -int MGF1(unsigned char *mask, long len, - const unsigned char *seed, long seedlen); - int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, const unsigned char *from, int flen, const unsigned char *param, int plen) @@ -76,11 +73,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, 20); #endif - MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH); + PKCS1_MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH, + EVP_sha1()); for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) db[i] ^= dbmask[i]; - MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH); + PKCS1_MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH, + EVP_sha1()); for (i = 0; i < SHA_DIGEST_LENGTH; i++) seed[i] ^= seedmask[i]; @@ -126,11 +125,11 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, return -1; } - MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen); + PKCS1_MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen, EVP_sha1()); for (i = lzero; i < SHA_DIGEST_LENGTH; i++) seed[i] ^= from[i - lzero]; - MGF1(db, dblen, seed, SHA_DIGEST_LENGTH); + PKCS1_MGF1(db, dblen, seed, SHA_DIGEST_LENGTH, EVP_sha1()); for (i = 0; i < dblen; i++) db[i] ^= maskeddb[i]; @@ -170,28 +169,30 @@ decoding_err: return -1; } -int MGF1(unsigned char *mask, long len, - const unsigned char *seed, long seedlen) +int PKCS1_MGF1(unsigned char *mask, long len, + const unsigned char *seed, long seedlen, const EVP_MD *dgst) { long i, outlen = 0; unsigned char cnt[4]; EVP_MD_CTX c; - unsigned char md[SHA_DIGEST_LENGTH]; + unsigned char md[EVP_MAX_MD_SIZE]; + int mdlen; EVP_MD_CTX_init(&c); + mdlen = EVP_MD_size(dgst); for (i = 0; outlen < len; i++) { cnt[0] = (unsigned char)((i >> 24) & 255); cnt[1] = (unsigned char)((i >> 16) & 255); cnt[2] = (unsigned char)((i >> 8)) & 255; cnt[3] = (unsigned char)(i & 255); - EVP_DigestInit_ex(&c,EVP_sha1(), NULL); + EVP_DigestInit_ex(&c,dgst, NULL); EVP_DigestUpdate(&c, seed, seedlen); EVP_DigestUpdate(&c, cnt, 4); - if (outlen + SHA_DIGEST_LENGTH <= len) + if (outlen + mdlen <= len) { EVP_DigestFinal_ex(&c, mask + outlen, NULL); - outlen += SHA_DIGEST_LENGTH; + outlen += mdlen; } else { @@ -203,4 +204,9 @@ int MGF1(unsigned char *mask, long len, EVP_MD_CTX_cleanup(&c); return 0; } + +int MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen) + { + return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1()); + } #endif diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c new file mode 100644 index 0000000000..2815628f5f --- /dev/null +++ b/src/lib/libcrypto/rsa/rsa_pss.c @@ -0,0 +1,261 @@ +/* rsa_pss.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2005. + */ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include "cryptlib.h" +#include +#include +#include +#include +#include + +const static unsigned char zeroes[] = {0,0,0,0,0,0,0,0}; + +int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, + const EVP_MD *Hash, const unsigned char *EM, int sLen) + { + int i; + int ret = 0; + int hLen, maskedDBLen, MSBits, emLen; + const unsigned char *H; + unsigned char *DB = NULL; + EVP_MD_CTX ctx; + unsigned char H_[EVP_MAX_MD_SIZE]; + + hLen = EVP_MD_size(Hash); + /* + * Negative sLen has special meanings: + * -1 sLen == hLen + * -2 salt length is autorecovered from signature + * -N reserved + */ + if (sLen == -1) sLen = hLen; + else if (sLen == -2) sLen = -2; + else if (sLen < -2) + { + RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); + goto err; + } + + MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; + emLen = RSA_size(rsa); + if (EM[0] & (0xFF << MSBits)) + { + RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID); + goto err; + } + if (MSBits == 0) + { + EM++; + emLen--; + } + if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */ + { + RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE); + goto err; + } + if (EM[emLen - 1] != 0xbc) + { + RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID); + goto err; + } + maskedDBLen = emLen - hLen - 1; + H = EM + maskedDBLen; + DB = OPENSSL_malloc(maskedDBLen); + if (!DB) + { + RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE); + goto err; + } + PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash); + for (i = 0; i < maskedDBLen; i++) + DB[i] ^= EM[i]; + if (MSBits) + DB[0] &= 0xFF >> (8 - MSBits); + for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ; + if (DB[i++] != 0x1) + { + RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED); + goto err; + } + if (sLen >= 0 && (maskedDBLen - i) != sLen) + { + RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); + goto err; + } + EVP_MD_CTX_init(&ctx); + EVP_DigestInit_ex(&ctx, Hash, NULL); + EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); + EVP_DigestUpdate(&ctx, mHash, hLen); + if (maskedDBLen - i) + EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i); + EVP_DigestFinal(&ctx, H_, NULL); + EVP_MD_CTX_cleanup(&ctx); + if (memcmp(H_, H, hLen)) + { + RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE); + ret = 0; + } + else + ret = 1; + + err: + if (DB) + OPENSSL_free(DB); + + return ret; + + } + +int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM, + const unsigned char *mHash, + const EVP_MD *Hash, int sLen) + { + int i; + int ret = 0; + int hLen, maskedDBLen, MSBits, emLen; + unsigned char *H, *salt = NULL, *p; + EVP_MD_CTX ctx; + + hLen = EVP_MD_size(Hash); + /* + * Negative sLen has special meanings: + * -1 sLen == hLen + * -2 salt length is maximized + * -N reserved + */ + if (sLen == -1) sLen = hLen; + else if (sLen == -2) sLen = -2; + else if (sLen < -2) + { + RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED); + goto err; + } + + MSBits = (BN_num_bits(rsa->n) - 1) & 0x7; + emLen = RSA_size(rsa); + if (MSBits == 0) + { + *EM++ = 0; + emLen--; + } + if (sLen == -2) + { + sLen = emLen - hLen - 2; + } + else if (emLen < (hLen + sLen + 2)) + { + RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, + RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + goto err; + } + if (sLen > 0) + { + salt = OPENSSL_malloc(sLen); + if (!salt) + { + RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, + ERR_R_MALLOC_FAILURE); + goto err; + } + if (!RAND_bytes(salt, sLen)) + goto err; + } + maskedDBLen = emLen - hLen - 1; + H = EM + maskedDBLen; + EVP_MD_CTX_init(&ctx); + EVP_DigestInit_ex(&ctx, Hash, NULL); + EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes); + EVP_DigestUpdate(&ctx, mHash, hLen); + if (sLen) + EVP_DigestUpdate(&ctx, salt, sLen); + EVP_DigestFinal(&ctx, H, NULL); + EVP_MD_CTX_cleanup(&ctx); + + /* Generate dbMask in place then perform XOR on it */ + PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash); + + p = EM; + + /* Initial PS XORs with all zeroes which is a NOP so just update + * pointer. Note from a test above this value is guaranteed to + * be non-negative. + */ + p += emLen - sLen - hLen - 2; + *p++ ^= 0x1; + if (sLen > 0) + { + for (i = 0; i < sLen; i++) + *p++ ^= salt[i]; + } + if (MSBits) + EM[0] &= 0xFF >> (8 - MSBits); + + /* H is already in place so just set final 0xbc */ + + EM[emLen - 1] = 0xbc; + + ret = 1; + + err: + if (salt) + OPENSSL_free(salt); + + return ret; + + } diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c new file mode 100644 index 0000000000..df3c45f802 --- /dev/null +++ b/src/lib/libcrypto/rsa/rsa_x931.c @@ -0,0 +1,177 @@ +/* rsa_x931.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2005. + */ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include "cryptlib.h" +#include +#include +#include +#include + +int RSA_padding_add_X931(unsigned char *to, int tlen, + const unsigned char *from, int flen) + { + int j; + unsigned char *p; + + /* Absolute minimum amount of padding is 1 header nibble, 1 padding + * nibble and 2 trailer bytes: but 1 hash if is already in 'from'. + */ + + j = tlen - flen - 2; + + if (j < 0) + { + RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + return -1; + } + + p=(unsigned char *)to; + + /* If no padding start and end nibbles are in one byte */ + if (j == 0) + *p++ = 0x6A; + else + { + *p++ = 0x6B; + if (j > 1) + { + memset(p, 0xBB, j - 1); + p += j - 1; + } + *p++ = 0xBA; + } + memcpy(p,from,(unsigned int)flen); + p += flen; + *p = 0xCC; + return(1); + } + +int RSA_padding_check_X931(unsigned char *to, int tlen, + const unsigned char *from, int flen, int num) + { + int i,j; + const unsigned char *p; + + p=from; + if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B))) + { + RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER); + return -1; + } + + if (*p++ == 0x6B) + { + j=flen-3; + for (i = 0; i < j; i++) + { + unsigned char c = *p++; + if (c == 0xBA) + break; + if (c != 0xBB) + { + RSAerr(RSA_F_RSA_PADDING_CHECK_X931, + RSA_R_INVALID_PADDING); + return -1; + } + } + + j -= i; + + if (i == 0) + { + RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING); + return -1; + } + + } + else j = flen - 2; + + if (p[j] != 0xCC) + { + RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER); + return -1; + } + + memcpy(to,p,(unsigned int)j); + + return(j); + } + +/* Translate between X931 hash ids and NIDs */ + +int RSA_X931_hash_id(int nid) + { + switch (nid) + { + case NID_sha1: + return 0x33; + + case NID_sha256: + return 0x34; + + case NID_sha384: + return 0x36; + + case NID_sha512: + return 0x35; + + } + return -1; + } + diff --git a/src/lib/libcrypto/sha/sha1_one.c b/src/lib/libcrypto/sha/sha1_one.c index 20e660c71d..f4694b701b 100644 --- a/src/lib/libcrypto/sha/sha1_one.c +++ b/src/lib/libcrypto/sha/sha1_one.c @@ -61,14 +61,15 @@ #include #include -#ifndef OPENSSL_NO_SHA1 +#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_FIPS) unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md) { SHA_CTX c; static unsigned char m[SHA_DIGEST_LENGTH]; if (md == NULL) md=m; - SHA1_Init(&c); + if (!SHA1_Init(&c)) + return NULL; SHA1_Update(&c,d,n); SHA1_Final(md,&c); OPENSSL_cleanse(&c,sizeof(c)); diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h index bd1121c279..6010b7f122 100644 --- a/src/lib/libcrypto/stack/safestack.h +++ b/src/lib/libcrypto/stack/safestack.h @@ -55,6 +55,9 @@ #ifndef HEADER_SAFESTACK_H #define HEADER_SAFESTACK_H +typedef void (*openssl_fptr)(void); +#define openssl_fcast(f) ((openssl_fptr)f) + #include #ifdef DEBUG_SAFESTACK @@ -73,74 +76,74 @@ STACK_OF(type) \ /* SKM_sk_... stack macros are internal to safestack.h: * never use them directly, use sk__... instead */ #define SKM_sk_new(type, cmp) \ - ((STACK_OF(type) * (*)(int (*)(const type * const *, const type * const *)))sk_new)(cmp) + ((STACK_OF(type) * (*)(int (*)(const type * const *, const type * const *)))openssl_fcast(sk_new))(cmp) #define SKM_sk_new_null(type) \ - ((STACK_OF(type) * (*)(void))sk_new_null)() + ((STACK_OF(type) * (*)(void))openssl_fcast(sk_new_null))() #define SKM_sk_free(type, st) \ - ((void (*)(STACK_OF(type) *))sk_free)(st) + ((void (*)(STACK_OF(type) *))openssl_fcast(sk_free))(st) #define SKM_sk_num(type, st) \ - ((int (*)(const STACK_OF(type) *))sk_num)(st) + ((int (*)(const STACK_OF(type) *))openssl_fcast(sk_num))(st) #define SKM_sk_value(type, st,i) \ - ((type * (*)(const STACK_OF(type) *, int))sk_value)(st, i) + ((type * (*)(const STACK_OF(type) *, int))openssl_fcast(sk_value))(st, i) #define SKM_sk_set(type, st,i,val) \ - ((type * (*)(STACK_OF(type) *, int, type *))sk_set)(st, i, val) + ((type * (*)(STACK_OF(type) *, int, type *))openssl_fcast(sk_set))(st, i, val) #define SKM_sk_zero(type, st) \ - ((void (*)(STACK_OF(type) *))sk_zero)(st) + ((void (*)(STACK_OF(type) *))openssl_fcast(sk_zero))(st) #define SKM_sk_push(type, st,val) \ - ((int (*)(STACK_OF(type) *, type *))sk_push)(st, val) + ((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_push))(st, val) #define SKM_sk_unshift(type, st,val) \ - ((int (*)(STACK_OF(type) *, type *))sk_unshift)(st, val) + ((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_unshift))(st, val) #define SKM_sk_find(type, st,val) \ - ((int (*)(STACK_OF(type) *, type *))sk_find)(st, val) + ((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_find))(st, val) #define SKM_sk_delete(type, st,i) \ - ((type * (*)(STACK_OF(type) *, int))sk_delete)(st, i) + ((type * (*)(STACK_OF(type) *, int))openssl_fcast(sk_delete))(st, i) #define SKM_sk_delete_ptr(type, st,ptr) \ - ((type * (*)(STACK_OF(type) *, type *))sk_delete_ptr)(st, ptr) + ((type * (*)(STACK_OF(type) *, type *))openssl_fcast(sk_delete_ptr))(st, ptr) #define SKM_sk_insert(type, st,val,i) \ - ((int (*)(STACK_OF(type) *, type *, int))sk_insert)(st, val, i) + ((int (*)(STACK_OF(type) *, type *, int))openssl_fcast(sk_insert))(st, val, i) #define SKM_sk_set_cmp_func(type, st,cmp) \ ((int (*(*)(STACK_OF(type) *, int (*)(const type * const *, const type * const *))) \ - (const type * const *, const type * const *))sk_set_cmp_func)\ + (const type * const *, const type * const *))openssl_fcast(sk_set_cmp_func))\ (st, cmp) #define SKM_sk_dup(type, st) \ - ((STACK_OF(type) *(*)(STACK_OF(type) *))sk_dup)(st) + ((STACK_OF(type) *(*)(STACK_OF(type) *))openssl_fcast(sk_dup))(st) #define SKM_sk_pop_free(type, st,free_func) \ - ((void (*)(STACK_OF(type) *, void (*)(type *)))sk_pop_free)\ + ((void (*)(STACK_OF(type) *, void (*)(type *)))openssl_fcast(sk_pop_free))\ (st, free_func) #define SKM_sk_shift(type, st) \ - ((type * (*)(STACK_OF(type) *))sk_shift)(st) + ((type * (*)(STACK_OF(type) *))openssl_fcast(sk_shift))(st) #define SKM_sk_pop(type, st) \ - ((type * (*)(STACK_OF(type) *))sk_pop)(st) + ((type * (*)(STACK_OF(type) *))openssl_fcast(sk_pop))(st) #define SKM_sk_sort(type, st) \ - ((void (*)(STACK_OF(type) *))sk_sort)(st) + ((void (*)(STACK_OF(type) *))openssl_fcast(sk_sort))(st) #define SKM_sk_is_sorted(type, st) \ - ((int (*)(const STACK_OF(type) *))sk_is_sorted)(st) + ((int (*)(const STACK_OF(type) *))openssl_fcast(sk_is_sorted))(st) #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ ((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \ type *(*)(type **, unsigned char **,long), \ - void (*)(type *), int ,int )) d2i_ASN1_SET) \ + void (*)(type *), int ,int )) openssl_fcast(d2i_ASN1_SET)) \ (st,pp,length, d2i_func, free_func, ex_tag,ex_class) #define SKM_ASN1_SET_OF_i2d(type, st, pp, i2d_func, ex_tag, ex_class, is_set) \ ((int (*)(STACK_OF(type) *,unsigned char **, \ - int (*)(type *,unsigned char **), int , int , int)) i2d_ASN1_SET) \ + int (*)(type *,unsigned char **), int , int , int)) openssl_fcast(i2d_ASN1_SET)) \ (st,pp,i2d_func,ex_tag,ex_class,is_set) #define SKM_ASN1_seq_pack(type, st, i2d_func, buf, len) \ ((unsigned char *(*)(STACK_OF(type) *, \ - int (*)(type *,unsigned char **), unsigned char **,int *)) ASN1_seq_pack) \ + int (*)(type *,unsigned char **), unsigned char **,int *)) openssl_fcast(ASN1_seq_pack)) \ (st, i2d_func, buf, len) #define SKM_ASN1_seq_unpack(type, buf, len, d2i_func, free_func) \ ((STACK_OF(type) * (*)(unsigned char *,int, \ type *(*)(type **,unsigned char **, long), \ - void (*)(type *)))ASN1_seq_unpack) \ + void (*)(type *)))openssl_fcast(ASN1_seq_unpack)) \ (buf,len,d2i_func, free_func) #define SKM_PKCS12_decrypt_d2i(type, algor, d2i_func, free_func, pass, passlen, oct, seq) \ ((STACK_OF(type) * (*)(X509_ALGOR *, \ type *(*)(type **, unsigned char **, long), void (*)(type *), \ const char *, int, \ - ASN1_STRING *, int))PKCS12_decrypt_d2i) \ + ASN1_STRING *, int))openssl_fcast(PKCS12_decrypt_d2i)) \ (algor,d2i_func,free_func,pass,passlen,oct,seq) #else diff --git a/src/lib/libcrypto/ui/ui_err.c b/src/lib/libcrypto/ui/ui_err.c index 39a62ae737..d983cdd66f 100644 --- a/src/lib/libcrypto/ui/ui_err.c +++ b/src/lib/libcrypto/ui/ui_err.c @@ -1,6 +1,6 @@ /* crypto/ui/ui_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,32 +64,36 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_UI,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_UI,0,reason) + static ERR_STRING_DATA UI_str_functs[]= { -{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_BOOLEAN,0), "GENERAL_ALLOCATE_BOOLEAN"}, -{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_PROMPT,0), "GENERAL_ALLOCATE_PROMPT"}, -{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_STRING,0), "GENERAL_ALLOCATE_STRING"}, -{ERR_PACK(0,UI_F_UI_CTRL,0), "UI_ctrl"}, -{ERR_PACK(0,UI_F_UI_DUP_ERROR_STRING,0), "UI_dup_error_string"}, -{ERR_PACK(0,UI_F_UI_DUP_INFO_STRING,0), "UI_dup_info_string"}, -{ERR_PACK(0,UI_F_UI_DUP_INPUT_BOOLEAN,0), "UI_dup_input_boolean"}, -{ERR_PACK(0,UI_F_UI_DUP_INPUT_STRING,0), "UI_dup_input_string"}, -{ERR_PACK(0,UI_F_UI_DUP_VERIFY_STRING,0), "UI_dup_verify_string"}, -{ERR_PACK(0,UI_F_UI_GET0_RESULT,0), "UI_get0_result"}, -{ERR_PACK(0,UI_F_UI_NEW_METHOD,0), "UI_new_method"}, -{ERR_PACK(0,UI_F_UI_SET_RESULT,0), "UI_set_result"}, +{ERR_FUNC(UI_F_GENERAL_ALLOCATE_BOOLEAN), "GENERAL_ALLOCATE_BOOLEAN"}, +{ERR_FUNC(UI_F_GENERAL_ALLOCATE_PROMPT), "GENERAL_ALLOCATE_PROMPT"}, +{ERR_FUNC(UI_F_GENERAL_ALLOCATE_STRING), "GENERAL_ALLOCATE_STRING"}, +{ERR_FUNC(UI_F_UI_CTRL), "UI_ctrl"}, +{ERR_FUNC(UI_F_UI_DUP_ERROR_STRING), "UI_dup_error_string"}, +{ERR_FUNC(UI_F_UI_DUP_INFO_STRING), "UI_dup_info_string"}, +{ERR_FUNC(UI_F_UI_DUP_INPUT_BOOLEAN), "UI_dup_input_boolean"}, +{ERR_FUNC(UI_F_UI_DUP_INPUT_STRING), "UI_dup_input_string"}, +{ERR_FUNC(UI_F_UI_DUP_VERIFY_STRING), "UI_dup_verify_string"}, +{ERR_FUNC(UI_F_UI_GET0_RESULT), "UI_get0_result"}, +{ERR_FUNC(UI_F_UI_NEW_METHOD), "UI_new_method"}, +{ERR_FUNC(UI_F_UI_SET_RESULT), "UI_set_result"}, {0,NULL} }; static ERR_STRING_DATA UI_str_reasons[]= { -{UI_R_COMMON_OK_AND_CANCEL_CHARACTERS ,"common ok and cancel characters"}, -{UI_R_INDEX_TOO_LARGE ,"index too large"}, -{UI_R_INDEX_TOO_SMALL ,"index too small"}, -{UI_R_NO_RESULT_BUFFER ,"no result buffer"}, -{UI_R_RESULT_TOO_LARGE ,"result too large"}, -{UI_R_RESULT_TOO_SMALL ,"result too small"}, -{UI_R_UNKNOWN_CONTROL_COMMAND ,"unknown control command"}, +{ERR_REASON(UI_R_COMMON_OK_AND_CANCEL_CHARACTERS),"common ok and cancel characters"}, +{ERR_REASON(UI_R_INDEX_TOO_LARGE) ,"index too large"}, +{ERR_REASON(UI_R_INDEX_TOO_SMALL) ,"index too small"}, +{ERR_REASON(UI_R_NO_RESULT_BUFFER) ,"no result buffer"}, +{ERR_REASON(UI_R_RESULT_TOO_LARGE) ,"result too large"}, +{ERR_REASON(UI_R_RESULT_TOO_SMALL) ,"result too small"}, +{ERR_REASON(UI_R_UNKNOWN_CONTROL_COMMAND),"unknown control command"}, {0,NULL} }; @@ -103,8 +107,8 @@ void ERR_load_UI_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_UI,UI_str_functs); - ERR_load_strings(ERR_LIB_UI,UI_str_reasons); + ERR_load_strings(0,UI_str_functs); + ERR_load_strings(0,UI_str_reasons); #endif } diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl index 60e534807e..9678514604 100644 --- a/src/lib/libcrypto/util/mkerr.pl +++ b/src/lib/libcrypto/util/mkerr.pl @@ -9,6 +9,9 @@ my $reindex = 0; my $dowrite = 0; my $staticloader = ""; +my $pack_errcode; +my $load_errcode; + while (@ARGV) { my $arg = $ARGV[0]; if($arg eq "-conf") { @@ -41,8 +44,8 @@ while (@ARGV) { } if($recurse) { - @source = (, , , , - ); + @source = (, , , , + ); } else { @source = @ARGV; } @@ -399,6 +402,20 @@ EOF $hincf = "\"$hfile\""; } + # If static we know the error code at compile time so use it + # in error definitions. + + if ($static) + { + $pack_errcode = "ERR_LIB_${lib}"; + $load_errcode = "0"; + } + else + { + $pack_errcode = "0"; + $load_errcode = "ERR_LIB_${lib}"; + } + open (OUT,">$cfile") || die "Can't open $cfile for writing"; @@ -469,6 +486,10 @@ EOF /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK($pack_errcode,func,0) +#define ERR_REASON(reason) ERR_PACK($pack_errcode,0,reason) + static ERR_STRING_DATA ${lib}_str_functs[]= { EOF @@ -480,7 +501,8 @@ EOF if(exists $ftrans{$fn}) { $fn = $ftrans{$fn}; } - print OUT "{ERR_PACK(0,$i,0),\t\"$fn\"},\n"; +# print OUT "{ERR_PACK($pack_errcode,$i,0),\t\"$fn\"},\n"; + print OUT "{ERR_FUNC($i),\t\"$fn\"},\n"; } print OUT <<"EOF"; {0,NULL} @@ -492,6 +514,7 @@ EOF # Add each reason code. foreach $i (@reasons) { my $rn; + my $rstr = "ERR_REASON($i)"; my $nspc = 0; if (exists $err_reason_strings{$i}) { $rn = $err_reason_strings{$i}; @@ -500,9 +523,9 @@ EOF $rn = $1; $rn =~ tr/_[A-Z]/ [a-z]/; } - $nspc = 40 - length($i) unless length($i) > 40; + $nspc = 40 - length($rstr) unless length($rstr) > 40; $nspc = " " x $nspc; - print OUT "{${i}${nspc},\"$rn\"},\n"; + print OUT "{${rstr}${nspc},\"$rn\"},\n"; } if($static) { print OUT <<"EOF"; @@ -519,8 +542,8 @@ ${staticloader}void ERR_load_${lib}_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_${lib},${lib}_str_functs); - ERR_load_strings(ERR_LIB_${lib},${lib}_str_reasons); + ERR_load_strings($load_errcode,${lib}_str_functs); + ERR_load_strings($load_errcode,${lib}_str_reasons); #endif } diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c index 6207340472..ea689aed1a 100644 --- a/src/lib/libcrypto/x509/by_dir.c +++ b/src/lib/libcrypto/x509/by_dir.c @@ -114,7 +114,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, { int ret=0; BY_DIR *ld; - char *dir; + char *dir = NULL; ld=(BY_DIR *)ctx->method_data; @@ -123,17 +123,16 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, case X509_L_ADD_DIR: if (argl == X509_FILETYPE_DEFAULT) { - ret=add_cert_dir(ld,X509_get_default_cert_dir(), - X509_FILETYPE_PEM); + dir=(char *)Getenv(X509_get_default_cert_dir_env()); + if (dir) + ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); + else + ret=add_cert_dir(ld,X509_get_default_cert_dir(), + X509_FILETYPE_PEM); if (!ret) { X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR); } - else - { - dir=(char *)Getenv(X509_get_default_cert_dir_env()); - ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); - } } else ret=add_cert_dir(ld,argp,(int)argl); diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c index 5bbf4acf76..d44d046027 100644 --- a/src/lib/libcrypto/x509/x509_err.c +++ b/src/lib/libcrypto/x509/x509_err.c @@ -1,6 +1,6 @@ /* crypto/x509/x509_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -64,77 +64,81 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason) + static ERR_STRING_DATA X509_str_functs[]= { -{ERR_PACK(0,X509_F_ADD_CERT_DIR,0), "ADD_CERT_DIR"}, -{ERR_PACK(0,X509_F_BY_FILE_CTRL,0), "BY_FILE_CTRL"}, -{ERR_PACK(0,X509_F_DIR_CTRL,0), "DIR_CTRL"}, -{ERR_PACK(0,X509_F_GET_CERT_BY_SUBJECT,0), "GET_CERT_BY_SUBJECT"}, -{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_DECODE,0), "NETSCAPE_SPKI_b64_decode"}, -{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_ENCODE,0), "NETSCAPE_SPKI_b64_encode"}, -{ERR_PACK(0,X509_F_X509V3_ADD_EXT,0), "X509v3_add_ext"}, -{ERR_PACK(0,X509_F_X509_ADD_ATTR,0), "X509_ADD_ATTR"}, -{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_NID,0), "X509_ATTRIBUTE_create_by_NID"}, -{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,0), "X509_ATTRIBUTE_create_by_OBJ"}, -{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,0), "X509_ATTRIBUTE_create_by_txt"}, -{ERR_PACK(0,X509_F_X509_ATTRIBUTE_GET0_DATA,0), "X509_ATTRIBUTE_get0_data"}, -{ERR_PACK(0,X509_F_X509_ATTRIBUTE_SET1_DATA,0), "X509_ATTRIBUTE_set1_data"}, -{ERR_PACK(0,X509_F_X509_CHECK_PRIVATE_KEY,0), "X509_check_private_key"}, -{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_NID,0), "X509_EXTENSION_create_by_NID"}, -{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_OBJ,0), "X509_EXTENSION_create_by_OBJ"}, -{ERR_PACK(0,X509_F_X509_GET_PUBKEY_PARAMETERS,0), "X509_get_pubkey_parameters"}, -{ERR_PACK(0,X509_F_X509_LOAD_CERT_CRL_FILE,0), "X509_load_cert_crl_file"}, -{ERR_PACK(0,X509_F_X509_LOAD_CERT_FILE,0), "X509_load_cert_file"}, -{ERR_PACK(0,X509_F_X509_LOAD_CRL_FILE,0), "X509_load_crl_file"}, -{ERR_PACK(0,X509_F_X509_NAME_ADD_ENTRY,0), "X509_NAME_add_entry"}, -{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_NID,0), "X509_NAME_ENTRY_create_by_NID"}, -{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,0), "X509_NAME_ENTRY_create_by_txt"}, -{ERR_PACK(0,X509_F_X509_NAME_ENTRY_SET_OBJECT,0), "X509_NAME_ENTRY_set_object"}, -{ERR_PACK(0,X509_F_X509_NAME_ONELINE,0), "X509_NAME_oneline"}, -{ERR_PACK(0,X509_F_X509_NAME_PRINT,0), "X509_NAME_print"}, -{ERR_PACK(0,X509_F_X509_PRINT_FP,0), "X509_print_fp"}, -{ERR_PACK(0,X509_F_X509_PUBKEY_GET,0), "X509_PUBKEY_get"}, -{ERR_PACK(0,X509_F_X509_PUBKEY_SET,0), "X509_PUBKEY_set"}, -{ERR_PACK(0,X509_F_X509_REQ_PRINT,0), "X509_REQ_print"}, -{ERR_PACK(0,X509_F_X509_REQ_PRINT_FP,0), "X509_REQ_print_fp"}, -{ERR_PACK(0,X509_F_X509_REQ_TO_X509,0), "X509_REQ_to_X509"}, -{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0), "X509_STORE_add_cert"}, -{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0), "X509_STORE_add_crl"}, -{ERR_PACK(0,X509_F_X509_STORE_CTX_INIT,0), "X509_STORE_CTX_init"}, -{ERR_PACK(0,X509_F_X509_STORE_CTX_NEW,0), "X509_STORE_CTX_new"}, -{ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0), "X509_STORE_CTX_purpose_inherit"}, -{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0), "X509_to_X509_REQ"}, -{ERR_PACK(0,X509_F_X509_TRUST_ADD,0), "X509_TRUST_add"}, -{ERR_PACK(0,X509_F_X509_TRUST_SET,0), "X509_TRUST_set"}, -{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0), "X509_verify_cert"}, +{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"}, +{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"}, +{ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"}, +{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"}, +{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE), "NETSCAPE_SPKI_b64_decode"}, +{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE), "NETSCAPE_SPKI_b64_encode"}, +{ERR_FUNC(X509_F_X509V3_ADD_EXT), "X509v3_add_ext"}, +{ERR_FUNC(X509_F_X509_ADD_ATTR), "X509_ADD_ATTR"}, +{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID), "X509_ATTRIBUTE_create_by_NID"}, +{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ), "X509_ATTRIBUTE_create_by_OBJ"}, +{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT), "X509_ATTRIBUTE_create_by_txt"}, +{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA), "X509_ATTRIBUTE_get0_data"}, +{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA), "X509_ATTRIBUTE_set1_data"}, +{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY), "X509_check_private_key"}, +{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID), "X509_EXTENSION_create_by_NID"}, +{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ), "X509_EXTENSION_create_by_OBJ"}, +{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS), "X509_get_pubkey_parameters"}, +{ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE), "X509_load_cert_crl_file"}, +{ERR_FUNC(X509_F_X509_LOAD_CERT_FILE), "X509_load_cert_file"}, +{ERR_FUNC(X509_F_X509_LOAD_CRL_FILE), "X509_load_crl_file"}, +{ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY), "X509_NAME_add_entry"}, +{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID), "X509_NAME_ENTRY_create_by_NID"}, +{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT), "X509_NAME_ENTRY_create_by_txt"}, +{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT), "X509_NAME_ENTRY_set_object"}, +{ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"}, +{ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"}, +{ERR_FUNC(X509_F_X509_PRINT_FP), "X509_print_fp"}, +{ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"}, +{ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"}, +{ERR_FUNC(X509_F_X509_REQ_PRINT), "X509_REQ_print"}, +{ERR_FUNC(X509_F_X509_REQ_PRINT_FP), "X509_REQ_print_fp"}, +{ERR_FUNC(X509_F_X509_REQ_TO_X509), "X509_REQ_to_X509"}, +{ERR_FUNC(X509_F_X509_STORE_ADD_CERT), "X509_STORE_add_cert"}, +{ERR_FUNC(X509_F_X509_STORE_ADD_CRL), "X509_STORE_add_crl"}, +{ERR_FUNC(X509_F_X509_STORE_CTX_INIT), "X509_STORE_CTX_init"}, +{ERR_FUNC(X509_F_X509_STORE_CTX_NEW), "X509_STORE_CTX_new"}, +{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT), "X509_STORE_CTX_purpose_inherit"}, +{ERR_FUNC(X509_F_X509_TO_X509_REQ), "X509_to_X509_REQ"}, +{ERR_FUNC(X509_F_X509_TRUST_ADD), "X509_TRUST_add"}, +{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"}, +{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"}, {0,NULL} }; static ERR_STRING_DATA X509_str_reasons[]= { -{X509_R_BAD_X509_FILETYPE ,"bad x509 filetype"}, -{X509_R_BASE64_DECODE_ERROR ,"base64 decode error"}, -{X509_R_CANT_CHECK_DH_KEY ,"cant check dh key"}, -{X509_R_CERT_ALREADY_IN_HASH_TABLE ,"cert already in hash table"}, -{X509_R_ERR_ASN1_LIB ,"err asn1 lib"}, -{X509_R_INVALID_DIRECTORY ,"invalid directory"}, -{X509_R_INVALID_FIELD_NAME ,"invalid field name"}, -{X509_R_INVALID_TRUST ,"invalid trust"}, -{X509_R_KEY_TYPE_MISMATCH ,"key type mismatch"}, -{X509_R_KEY_VALUES_MISMATCH ,"key values mismatch"}, -{X509_R_LOADING_CERT_DIR ,"loading cert dir"}, -{X509_R_LOADING_DEFAULTS ,"loading defaults"}, -{X509_R_NO_CERT_SET_FOR_US_TO_VERIFY ,"no cert set for us to verify"}, -{X509_R_SHOULD_RETRY ,"should retry"}, -{X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN,"unable to find parameters in chain"}, -{X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY ,"unable to get certs public key"}, -{X509_R_UNKNOWN_KEY_TYPE ,"unknown key type"}, -{X509_R_UNKNOWN_NID ,"unknown nid"}, -{X509_R_UNKNOWN_PURPOSE_ID ,"unknown purpose id"}, -{X509_R_UNKNOWN_TRUST_ID ,"unknown trust id"}, -{X509_R_UNSUPPORTED_ALGORITHM ,"unsupported algorithm"}, -{X509_R_WRONG_LOOKUP_TYPE ,"wrong lookup type"}, -{X509_R_WRONG_TYPE ,"wrong type"}, +{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"}, +{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"}, +{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"}, +{ERR_REASON(X509_R_CERT_ALREADY_IN_HASH_TABLE),"cert already in hash table"}, +{ERR_REASON(X509_R_ERR_ASN1_LIB) ,"err asn1 lib"}, +{ERR_REASON(X509_R_INVALID_DIRECTORY) ,"invalid directory"}, +{ERR_REASON(X509_R_INVALID_FIELD_NAME) ,"invalid field name"}, +{ERR_REASON(X509_R_INVALID_TRUST) ,"invalid trust"}, +{ERR_REASON(X509_R_KEY_TYPE_MISMATCH) ,"key type mismatch"}, +{ERR_REASON(X509_R_KEY_VALUES_MISMATCH) ,"key values mismatch"}, +{ERR_REASON(X509_R_LOADING_CERT_DIR) ,"loading cert dir"}, +{ERR_REASON(X509_R_LOADING_DEFAULTS) ,"loading defaults"}, +{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),"no cert set for us to verify"}, +{ERR_REASON(X509_R_SHOULD_RETRY) ,"should retry"}, +{ERR_REASON(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN),"unable to find parameters in chain"}, +{ERR_REASON(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY),"unable to get certs public key"}, +{ERR_REASON(X509_R_UNKNOWN_KEY_TYPE) ,"unknown key type"}, +{ERR_REASON(X509_R_UNKNOWN_NID) ,"unknown nid"}, +{ERR_REASON(X509_R_UNKNOWN_PURPOSE_ID) ,"unknown purpose id"}, +{ERR_REASON(X509_R_UNKNOWN_TRUST_ID) ,"unknown trust id"}, +{ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM),"unsupported algorithm"}, +{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"}, +{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"}, {0,NULL} }; @@ -148,8 +152,8 @@ void ERR_load_X509_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_X509,X509_str_functs); - ERR_load_strings(ERR_LIB_X509,X509_str_reasons); + ERR_load_strings(0,X509_str_functs); + ERR_load_strings(0,X509_str_reasons); #endif } diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index e43c861ee7..383e082aba 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c @@ -944,7 +944,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time) offset=0; else { - if ((*str != '+') && (str[5] != '-')) + if ((*str != '+') && (*str != '-')) return 0; offset=((str[1]-'0')*10+(str[2]-'0'))*60; offset+=(str[3]-'0')*10+(str[4]-'0'); diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c index 0d554f3a2c..867525f336 100644 --- a/src/lib/libcrypto/x509v3/v3_cpols.c +++ b/src/lib/libcrypto/x509v3/v3_cpols.c @@ -137,7 +137,15 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, CONF_VALUE *cnf; int i, ia5org; pols = sk_POLICYINFO_new_null(); + if (pols == NULL) { + X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE); + return NULL; + } vals = X509V3_parse_list(value); + if (vals == NULL) { + X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB); + goto err; + } ia5org = 0; for(i = 0; i < sk_CONF_VALUE_num(vals); i++) { cnf = sk_CONF_VALUE_value(vals, i); @@ -176,6 +184,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); return pols; err: + sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); sk_POLICYINFO_pop_free(pols, POLICYINFO_free); return NULL; } diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c index 2df0c3ef01..e1edaf5248 100644 --- a/src/lib/libcrypto/x509v3/v3err.c +++ b/src/lib/libcrypto/x509v3/v3err.c @@ -64,114 +64,118 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason) + static ERR_STRING_DATA X509V3_str_functs[]= { -{ERR_PACK(0,X509V3_F_COPY_EMAIL,0), "COPY_EMAIL"}, -{ERR_PACK(0,X509V3_F_COPY_ISSUER,0), "COPY_ISSUER"}, -{ERR_PACK(0,X509V3_F_DO_EXT_CONF,0), "DO_EXT_CONF"}, -{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"}, -{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"}, -{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"}, -{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0), "I2S_ASN1_IA5STRING"}, -{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"}, -{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"}, -{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"}, -{ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"}, -{ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"}, -{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"}, -{ERR_PACK(0,X509V3_F_R2I_PCI,0), "R2I_PCI"}, -{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"}, -{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"}, -{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"}, -{ERR_PACK(0,X509V3_F_S2I_ASN1_SKEY_ID,0), "S2I_ASN1_SKEY_ID"}, -{ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0), "S2I_S2I_SKEY_ID"}, -{ERR_PACK(0,X509V3_F_STRING_TO_HEX,0), "string_to_hex"}, -{ERR_PACK(0,X509V3_F_SXNET_ADD_ASC,0), "SXNET_ADD_ASC"}, -{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_INTEGER,0), "SXNET_add_id_INTEGER"}, -{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_ULONG,0), "SXNET_add_id_ulong"}, -{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ASC,0), "SXNET_get_id_asc"}, -{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ULONG,0), "SXNET_get_id_ulong"}, -{ERR_PACK(0,X509V3_F_V2I_ACCESS_DESCRIPTION,0), "V2I_ACCESS_DESCRIPTION"}, -{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"}, -{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"}, -{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"}, -{ERR_PACK(0,X509V3_F_V2I_CRLD,0), "V2I_CRLD"}, -{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"}, -{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"}, -{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"}, -{ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0), "V3_GENERIC_EXTENSION"}, -{ERR_PACK(0,X509V3_F_X509V3_ADD_I2D,0), "X509V3_ADD_I2D"}, -{ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0), "X509V3_add_value"}, -{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0), "X509V3_EXT_add"}, -{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0), "X509V3_EXT_add_alias"}, -{ERR_PACK(0,X509V3_F_X509V3_EXT_CONF,0), "X509V3_EXT_conf"}, -{ERR_PACK(0,X509V3_F_X509V3_EXT_I2D,0), "X509V3_EXT_i2d"}, -{ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0), "X509V3_get_value_bool"}, -{ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0), "X509V3_parse_list"}, -{ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0), "X509_PURPOSE_add"}, -{ERR_PACK(0,X509V3_F_X509_PURPOSE_SET,0), "X509_PURPOSE_set"}, +{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"}, +{ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"}, +{ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"}, +{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"}, +{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"}, +{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"}, +{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"}, +{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"}, +{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"}, +{ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"}, +{ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"}, +{ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"}, +{ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"}, +{ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"}, +{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"}, +{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"}, +{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"}, +{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"}, +{ERR_FUNC(X509V3_F_S2I_S2I_SKEY_ID), "S2I_S2I_SKEY_ID"}, +{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"}, +{ERR_FUNC(X509V3_F_SXNET_ADD_ASC), "SXNET_ADD_ASC"}, +{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"}, +{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"}, +{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"}, +{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"}, +{ERR_FUNC(X509V3_F_V2I_ACCESS_DESCRIPTION), "V2I_ACCESS_DESCRIPTION"}, +{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "V2I_ASN1_BIT_STRING"}, +{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"}, +{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"}, +{ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"}, +{ERR_FUNC(X509V3_F_V2I_EXT_KU), "V2I_EXT_KU"}, +{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME), "v2i_GENERAL_NAME"}, +{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"}, +{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"}, +{ERR_FUNC(X509V3_F_X509V3_ADD_I2D), "X509V3_ADD_I2D"}, +{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"}, +{ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"}, +{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"}, +{ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"}, +{ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"}, +{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"}, +{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"}, +{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"}, +{ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"}, {0,NULL} }; static ERR_STRING_DATA X509V3_str_reasons[]= { -{X509V3_R_BAD_IP_ADDRESS ,"bad ip address"}, -{X509V3_R_BAD_OBJECT ,"bad object"}, -{X509V3_R_BN_DEC2BN_ERROR ,"bn dec2bn error"}, -{X509V3_R_BN_TO_ASN1_INTEGER_ERROR ,"bn to asn1 integer error"}, -{X509V3_R_DUPLICATE_ZONE_ID ,"duplicate zone id"}, -{X509V3_R_ERROR_CONVERTING_ZONE ,"error converting zone"}, -{X509V3_R_ERROR_CREATING_EXTENSION ,"error creating extension"}, -{X509V3_R_ERROR_IN_EXTENSION ,"error in extension"}, -{X509V3_R_EXPECTED_A_SECTION_NAME ,"expected a section name"}, -{X509V3_R_EXTENSION_EXISTS ,"extension exists"}, -{X509V3_R_EXTENSION_NAME_ERROR ,"extension name error"}, -{X509V3_R_EXTENSION_NOT_FOUND ,"extension not found"}, -{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, -{X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, -{X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, -{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG ,"incorrect policy syntax tag"}, -{X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, -{X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, -{X509V3_R_INVALID_NAME ,"invalid name"}, -{X509V3_R_INVALID_NULL_ARGUMENT ,"invalid null argument"}, -{X509V3_R_INVALID_NULL_NAME ,"invalid null name"}, -{X509V3_R_INVALID_NULL_VALUE ,"invalid null value"}, -{X509V3_R_INVALID_NUMBER ,"invalid number"}, -{X509V3_R_INVALID_NUMBERS ,"invalid numbers"}, -{X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, -{X509V3_R_INVALID_OPTION ,"invalid option"}, -{X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, -{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"}, -{X509V3_R_INVALID_PROXY_POLICY_SETTING ,"invalid proxy policy setting"}, -{X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, -{X509V3_R_INVALID_SECTION ,"invalid section"}, -{X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, -{X509V3_R_ISSUER_DECODE_ERROR ,"issuer decode error"}, -{X509V3_R_MISSING_VALUE ,"missing value"}, -{X509V3_R_NEED_ORGANIZATION_AND_NUMBERS ,"need organization and numbers"}, -{X509V3_R_NO_CONFIG_DATABASE ,"no config database"}, -{X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, -{X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"}, -{X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"}, -{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"}, -{X509V3_R_NO_PUBLIC_KEY ,"no public key"}, -{X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, -{X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, -{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"}, -{X509V3_R_POLICY_PATH_LENGTH ,"policy path length"}, -{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"}, -{X509V3_R_POLICY_SYNTAX_NOT ,"policy syntax not"}, -{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"}, -{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"}, -{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, -{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, -{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, -{X509V3_R_UNKNOWN_EXTENSION ,"unknown extension"}, -{X509V3_R_UNKNOWN_EXTENSION_NAME ,"unknown extension name"}, -{X509V3_R_UNKNOWN_OPTION ,"unknown option"}, -{X509V3_R_UNSUPPORTED_OPTION ,"unsupported option"}, -{X509V3_R_USER_TOO_LONG ,"user too long"}, +{ERR_REASON(X509V3_R_BAD_IP_ADDRESS) ,"bad ip address"}, +{ERR_REASON(X509V3_R_BAD_OBJECT) ,"bad object"}, +{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"}, +{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"}, +{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"}, +{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"}, +{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"}, +{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) ,"error in extension"}, +{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME),"expected a section name"}, +{ERR_REASON(X509V3_R_EXTENSION_EXISTS) ,"extension exists"}, +{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR),"extension name error"}, +{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"}, +{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"}, +{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"}, +{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"}, +{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"}, +{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"}, +{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"}, +{ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"}, +{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"}, +{ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"}, +{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) ,"invalid null value"}, +{ERR_REASON(X509V3_R_INVALID_NUMBER) ,"invalid number"}, +{ERR_REASON(X509V3_R_INVALID_NUMBERS) ,"invalid numbers"}, +{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"}, +{ERR_REASON(X509V3_R_INVALID_OPTION) ,"invalid option"}, +{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"}, +{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER),"invalid proxy policy identifier"}, +{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"}, +{ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"}, +{ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"}, +{ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"}, +{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"}, +{ERR_REASON(X509V3_R_MISSING_VALUE) ,"missing value"}, +{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),"need organization and numbers"}, +{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) ,"no config database"}, +{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE),"no issuer certificate"}, +{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) ,"no issuer details"}, +{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER),"no policy identifier"}, +{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),"no proxy cert policy language defined"}, +{ERR_REASON(X509V3_R_NO_PUBLIC_KEY) ,"no public key"}, +{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"}, +{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"}, +{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"}, +{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"}, +{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"}, +{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT) ,"policy syntax not"}, +{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"}, +{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"}, +{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"}, +{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"}, +{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"}, +{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) ,"unknown extension"}, +{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"}, +{ERR_REASON(X509V3_R_UNKNOWN_OPTION) ,"unknown option"}, +{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"}, +{ERR_REASON(X509V3_R_USER_TOO_LONG) ,"user too long"}, {0,NULL} }; @@ -185,8 +189,8 @@ void ERR_load_X509V3_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_X509V3,X509V3_str_functs); - ERR_load_strings(ERR_LIB_X509V3,X509V3_str_reasons); + ERR_load_strings(0,X509V3_str_functs); + ERR_load_strings(0,X509V3_str_reasons); #endif } diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE index 40277883a5..e6afecc724 100644 --- a/src/lib/libssl/LICENSE +++ b/src/lib/libssl/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index 779e94a35c..86356731ea 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -106,7 +106,7 @@ SSL_METHOD *SSLv23_client_method(void) int ssl23_connect(SSL *s) { BUF_MEM *buf=NULL; - unsigned long Time=time(NULL); + unsigned long Time=(unsigned long)time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; int new_state,state; @@ -220,9 +220,28 @@ static int ssl23_client_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; - int i,ch_len; + int i,j,ch_len; + unsigned long Time,l; + int ssl2_compat; + int version = 0, version_major, version_minor; + SSL_COMP *comp; int ret; + ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1; + + if (!(s->options & SSL_OP_NO_TLSv1)) + { + version = TLS1_VERSION; + } + else if (!(s->options & SSL_OP_NO_SSLv3)) + { + version = SSL3_VERSION; + } + else if (!(s->options & SSL_OP_NO_SSLv2)) + { + version = SSL2_VERSION; + } + buf=(unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { @@ -235,19 +254,15 @@ static int ssl23_client_hello(SSL *s) #endif p=s->s3->client_random; - if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0) - return -1; - - /* Do the message type and length last */ - d= &(buf[2]); - p=d+9; + Time=(unsigned long)time(NULL); /* Time */ + l2n(Time,p); + if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) + return -1; - *(d++)=SSL2_MT_CLIENT_HELLO; - if (!(s->options & SSL_OP_NO_TLSv1)) + if (version == TLS1_VERSION) { - *(d++)=TLS1_VERSION_MAJOR; - *(d++)=TLS1_VERSION_MINOR; - s->client_version=TLS1_VERSION; + version_major = TLS1_VERSION_MAJOR; + version_minor = TLS1_VERSION_MINOR; } #ifdef OPENSSL_FIPS else if(FIPS_mode()) @@ -257,17 +272,15 @@ static int ssl23_client_hello(SSL *s) return -1; } #endif - else if (!(s->options & SSL_OP_NO_SSLv3)) + else if (version == SSL3_VERSION) { - *(d++)=SSL3_VERSION_MAJOR; - *(d++)=SSL3_VERSION_MINOR; - s->client_version=SSL3_VERSION; + version_major = SSL3_VERSION_MAJOR; + version_minor = SSL3_VERSION_MINOR; } - else if (!(s->options & SSL_OP_NO_SSLv2)) + else if (version == SSL2_VERSION) { - *(d++)=SSL2_VERSION_MAJOR; - *(d++)=SSL2_VERSION_MINOR; - s->client_version=SSL2_VERSION; + version_major = SSL2_VERSION_MAJOR; + version_minor = SSL2_VERSION_MINOR; } else { @@ -275,59 +288,153 @@ static int ssl23_client_hello(SSL *s) return(-1); } - /* Ciphers supported */ - i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p); - if (i == 0) + s->client_version = version; + + if (ssl2_compat) { - /* no ciphers */ - SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); - return(-1); - } - s2n(i,d); - p+=i; + /* create SSL 2.0 compatible Client Hello */ + + /* two byte record header will be written last */ + d = &(buf[2]); + p = d + 9; /* leave space for message type, version, individual length fields */ - /* put in the session-id, zero since there is no - * reuse. */ + *(d++) = SSL2_MT_CLIENT_HELLO; + *(d++) = version_major; + *(d++) = version_minor; + + /* Ciphers supported */ + i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0); + if (i == 0) + { + /* no ciphers */ + SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); + return -1; + } + s2n(i,d); + p+=i; + + /* put in the session-id length (zero since there is no reuse) */ #if 0 - s->session->session_id_length=0; + s->session->session_id_length=0; #endif - s2n(0,d); - - if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG) - ch_len=SSL2_CHALLENGE_LENGTH; + s2n(0,d); + + if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG) + ch_len=SSL2_CHALLENGE_LENGTH; + else + ch_len=SSL2_MAX_CHALLENGE_LENGTH; + + /* write out sslv2 challenge */ + if (SSL3_RANDOM_SIZE < ch_len) + i=SSL3_RANDOM_SIZE; + else + i=ch_len; + s2n(i,d); + memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE); + if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0) + return -1; + + memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); + p+=i; + + i= p- &(buf[2]); + buf[0]=((i>>8)&0xff)|0x80; + buf[1]=(i&0xff); + + /* number of bytes to write */ + s->init_num=i+2; + s->init_off=0; + + ssl3_finish_mac(s,&(buf[2]),i); + } else - ch_len=SSL2_MAX_CHALLENGE_LENGTH; + { + /* create Client Hello in SSL 3.0/TLS 1.0 format */ - /* write out sslv2 challenge */ - if (SSL3_RANDOM_SIZE < ch_len) - i=SSL3_RANDOM_SIZE; - else - i=ch_len; - s2n(i,d); - memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE); - if(RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0) - return -1; + /* do the record header (5 bytes) and handshake message header (4 bytes) last */ + d = p = &(buf[9]); + + *(p++) = version_major; + *(p++) = version_minor; + + /* Random stuff */ + memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); + p += SSL3_RANDOM_SIZE; + + /* Session ID (zero since there is no reuse) */ + *(p++) = 0; + + /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */ + i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char); + if (i == 0) + { + SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); + return -1; + } + s2n(i,p); + p+=i; + + /* COMPRESSION */ + if (s->ctx->comp_methods == NULL) + j=0; + else + j=sk_SSL_COMP_num(s->ctx->comp_methods); + *(p++)=1+j; + for (i=0; ictx->comp_methods,i); + *(p++)=comp->id; + } + *(p++)=0; /* Add the NULL method */ + + l = p-d; + *p = 42; - memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); - p+=i; + /* fill in 4-byte handshake header */ + d=&(buf[5]); + *(d++)=SSL3_MT_CLIENT_HELLO; + l2n3(l,d); - i= p- &(buf[2]); - buf[0]=((i>>8)&0xff)|0x80; - buf[1]=(i&0xff); + l += 4; + + if (l > SSL3_RT_MAX_PLAIN_LENGTH) + { + SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); + return -1; + } + + /* fill in 5-byte record header */ + d=buf; + *(d++) = SSL3_RT_HANDSHAKE; + *(d++) = version_major; + *(d++) = version_minor; /* arguably we should send the *lowest* suported version here + * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */ + s2n((int)l,d); + + /* number of bytes to write */ + s->init_num=p-buf; + s->init_off=0; + + ssl3_finish_mac(s,&(buf[5]), s->init_num - 5); + } s->state=SSL23_ST_CW_CLNT_HELLO_B; - /* number of bytes to write */ - s->init_num=i+2; s->init_off=0; - - ssl3_finish_mac(s,&(buf[2]),i); } /* SSL3_ST_CW_CLNT_HELLO_B */ ret = ssl23_write_bytes(s); - if (ret >= 2) - if (s->msg_callback) - s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg); /* CLIENT-HELLO */ + + if ((ret >= 2) && s->msg_callback) + { + /* Client Hello has been sent; tell msg_callback */ + + if (ssl2_compat) + s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg); + else + s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data+5, ret-5, s, s->msg_callback_arg); + } + return ret; } diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index 92f3391f60..b73abc448f 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c @@ -158,7 +158,7 @@ SSL_METHOD *SSLv23_server_method(void) int ssl23_accept(SSL *s) { BUF_MEM *buf; - unsigned long Time=time(NULL); + unsigned long Time=(unsigned long)time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; int new_state,state; @@ -268,9 +268,6 @@ int ssl23_get_client_hello(SSL *s) int n=0,j; int type=0; int v[2]; -#ifndef OPENSSL_NO_RSA - int use_sslv2_strong=0; -#endif if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { @@ -528,9 +525,7 @@ int ssl23_get_client_hello(SSL *s) } s->state=SSL2_ST_GET_CLIENT_HELLO_A; - if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) || - use_sslv2_strong || - (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)) + if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3) s->s2->ssl2_rollback=0; else /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 0969476b25..05194fdb31 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -165,7 +165,7 @@ SSL_METHOD *SSLv3_client_method(void) int ssl3_connect(SSL *s) { BUF_MEM *buf=NULL; - unsigned long Time=time(NULL),l; + unsigned long Time=(unsigned long)time(NULL),l; long num1; void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; @@ -533,7 +533,7 @@ static int ssl3_client_hello(SSL *s) /* else use the pre-loaded session */ p=s->s3->client_random; - Time=time(NULL); /* Time */ + Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) goto err; @@ -567,7 +567,7 @@ static int ssl3_client_hello(SSL *s) } /* Ciphers supported */ - i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2])); + i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); if (i == 0) { SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 9bf1dbec06..a77588e725 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -835,7 +835,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -848,7 +848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_DSS_WITH_AES_128_SHA, TLS1_CK_DH_DSS_WITH_AES_128_SHA, SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -861,7 +861,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_RSA_WITH_AES_128_SHA, TLS1_CK_DH_RSA_WITH_AES_128_SHA, SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -874,7 +874,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, TLS1_CK_DHE_DSS_WITH_AES_128_SHA, SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -887,7 +887,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA, SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -900,7 +900,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index c4a1a71523..36fc39d7f8 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -173,7 +173,7 @@ SSL_METHOD *SSLv3_server_method(void) int ssl3_accept(SSL *s) { BUF_MEM *buf; - unsigned long l,Time=time(NULL); + unsigned long l,Time=(unsigned long)time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; long num1; int ret= -1; @@ -954,7 +954,7 @@ static int ssl3_send_server_hello(SSL *s) { buf=(unsigned char *)s->init_buf->data; p=s->s3->server_random; - Time=time(NULL); /* Time */ + Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) return -1; diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 3161f532cf..99e188086b 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -467,7 +467,7 @@ typedef struct ssl_session_st #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L -#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L +#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L @@ -1567,6 +1567,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_CTRL 232 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 #define SSL_F_SSL_CTX_NEW 169 +#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269 #define SSL_F_SSL_CTX_SET_PURPOSE 226 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219 #define SSL_F_SSL_CTX_SET_SSL_VERSION 170 @@ -1596,6 +1597,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_SESSION_PRINT_FP 190 #define SSL_F_SSL_SESS_CERT_NEW 225 #define SSL_F_SSL_SET_CERT 191 +#define SSL_F_SSL_SET_CIPHER_LIST 271 #define SSL_F_SSL_SET_FD 192 #define SSL_F_SSL_SET_PKEY 193 #define SSL_F_SSL_SET_PURPOSE 227 @@ -1674,40 +1676,39 @@ void ERR_load_SSL_strings(void); #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 #define SSL_R_DATA_LENGTH_TOO_LONG 146 #define SSL_R_DECRYPTION_FAILED 147 -#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 1109 +#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 #define SSL_R_DIGEST_CHECK_FAILED 149 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 -#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 1092 +#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 #define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 #define SSL_R_EXTRA_DATA_IN_MESSAGE 153 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 -#define SSL_R_ILLEGAL_PADDING 1110 +#define SSL_R_ILLEGAL_PADDING 283 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_PURPOSE 278 #define SSL_R_INVALID_TRUST 279 -#define SSL_R_KEY_ARG_TOO_LONG 1112 -#define SSL_R_KRB5 1104 -#define SSL_R_KRB5_C_CC_PRINC 1094 -#define SSL_R_KRB5_C_GET_CRED 1095 -#define SSL_R_KRB5_C_INIT 1096 -#define SSL_R_KRB5_C_MK_REQ 1097 -#define SSL_R_KRB5_S_BAD_TICKET 1098 -#define SSL_R_KRB5_S_INIT 1099 -#define SSL_R_KRB5_S_RD_REQ 1108 -#define SSL_R_KRB5_S_TKT_EXPIRED 1105 -#define SSL_R_KRB5_S_TKT_NYV 1106 -#define SSL_R_KRB5_S_TKT_SKEW 1107 +#define SSL_R_KEY_ARG_TOO_LONG 284 +#define SSL_R_KRB5 285 +#define SSL_R_KRB5_C_CC_PRINC 286 +#define SSL_R_KRB5_C_GET_CRED 287 +#define SSL_R_KRB5_C_INIT 288 +#define SSL_R_KRB5_C_MK_REQ 289 +#define SSL_R_KRB5_S_BAD_TICKET 290 +#define SSL_R_KRB5_S_INIT 291 +#define SSL_R_KRB5_S_RD_REQ 292 +#define SSL_R_KRB5_S_TKT_EXPIRED 293 +#define SSL_R_KRB5_S_TKT_NYV 294 +#define SSL_R_KRB5_S_TKT_SKEW 295 #define SSL_R_LENGTH_MISMATCH 159 #define SSL_R_LENGTH_TOO_SHORT 160 #define SSL_R_LIBRARY_BUG 274 #define SSL_R_LIBRARY_HAS_NO_CIPHERS 161 -#define SSL_R_MASTER_KEY_TOO_LONG 1112 -#define SSL_R_MESSAGE_TOO_LONG 1111 +#define SSL_R_MESSAGE_TOO_LONG 296 #define SSL_R_MISSING_DH_DSA_CERT 162 #define SSL_R_MISSING_DH_KEY 163 #define SSL_R_MISSING_DH_RSA_CERT 164 @@ -1744,7 +1745,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_NULL_SSL_CTX 195 #define SSL_R_NULL_SSL_METHOD_PASSED 196 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 -#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 1115 +#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297 #define SSL_R_PACKET_LENGTH_TOO_LONG 198 #define SSL_R_PATH_TOO_LONG 270 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 @@ -1763,7 +1764,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_READ_WRONG_PACKET_TYPE 212 #define SSL_R_RECORD_LENGTH_MISMATCH 213 #define SSL_R_RECORD_TOO_LARGE 214 -#define SSL_R_RECORD_TOO_SMALL 1093 +#define SSL_R_RECORD_TOO_SMALL 298 #define SSL_R_REQUIRED_CIPHER_MISSING 215 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 @@ -1772,8 +1773,8 @@ void ERR_load_SSL_strings(void); #define SSL_R_SHORT_READ 219 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 -#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 1114 -#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113 +#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299 +#define SSL_R_SSL3_SESSION_ID_TOO_LONG 300 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 @@ -1784,20 +1785,15 @@ void ERR_load_SSL_strings(void); #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 -#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 #define SSL_R_SSL_HANDSHAKE_FAILURE 229 #define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 -#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 1102 -#define SSL_R_SSL_SESSION_ID_CONFLICT 1103 +#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301 +#define SSL_R_SSL_SESSION_ID_CONFLICT 302 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 -#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 1101 +#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303 #define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 @@ -1838,7 +1834,6 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNKNOWN_STATE 255 #define SSL_R_UNSUPPORTED_CIPHER 256 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 -#define SSL_R_UNSUPPORTED_OPTION 1091 #define SSL_R_UNSUPPORTED_PROTOCOL 258 #define SSL_R_UNSUPPORTED_SSL_VERSION 259 #define SSL_R_WRITE_BIO_NOT_SET 260 diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c index 4d5900ad2f..fc5fcce108 100644 --- a/src/lib/libssl/ssl_asn1.c +++ b/src/lib/libssl/ssl_asn1.c @@ -344,7 +344,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp, OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } else - ret->time=time(NULL); + ret->time=(unsigned long)time(NULL); ai.length=0; M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2); diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index b8b9bc2390..b779e6bb4d 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c @@ -616,14 +616,13 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) BIO *in; X509 *x=NULL; X509_NAME *xn=NULL; - STACK_OF(X509_NAME) *ret,*sk; + STACK_OF(X509_NAME) *ret = NULL,*sk; - ret=sk_X509_NAME_new_null(); sk=sk_X509_NAME_new(xname_cmp); in=BIO_new(BIO_s_file_internal()); - if ((ret == NULL) || (sk == NULL) || (in == NULL)) + if ((sk == NULL) || (in == NULL)) { SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE); goto err; @@ -636,6 +635,15 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) { if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL) break; + if (ret == NULL) + { + ret = sk_X509_NAME_new_null(); + if (ret == NULL) + { + SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE); + goto err; + } + } if ((xn=X509_get_subject_name(x)) == NULL) goto err; /* check for duplicates */ xn=X509_NAME_dup(xn); @@ -658,6 +666,8 @@ err: if (sk != NULL) sk_X509_NAME_free(sk); if (in != NULL) BIO_free(in); if (x != NULL) X509_free(x); + if (ret != NULL) + ERR_clear_error(); return(ret); } #endif diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index b68ed81e52..3df5e2fa80 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c @@ -700,9 +700,18 @@ static int ssl_cipher_process_rulestr(const char *rule_str, if (!found) break; /* ignore this entry */ - algorithms |= ca_list[j]->algorithms; + /* New algorithms: + * 1 - any old restrictions apply outside new mask + * 2 - any new restrictions apply outside old mask + * 3 - enforce old & new where masks intersect + */ + algorithms = (algorithms & ~ca_list[j]->mask) | /* 1 */ + (ca_list[j]->algorithms & ~mask) | /* 2 */ + (algorithms & ca_list[j]->algorithms); /* 3 */ mask |= ca_list[j]->mask; - algo_strength |= ca_list[j]->algo_strength; + algo_strength = (algo_strength & ~ca_list[j]->mask_strength) | + (ca_list[j]->algo_strength & ~mask_strength) | + (algo_strength & ca_list[j]->algo_strength); mask_strength |= ca_list[j]->mask_strength; if (!multi) break; @@ -756,7 +765,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, { int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; unsigned long disabled_mask; - STACK_OF(SSL_CIPHER) *cipherstack; + STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; SSL_CIPHER **ca_list = NULL; @@ -764,7 +773,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, /* * Return with error if nothing to do. */ - if (rule_str == NULL) return(NULL); + if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) + return NULL; if (init_ciphers) { @@ -875,46 +885,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, } OPENSSL_free(co_list); /* Not needed any longer */ - /* - * The following passage is a little bit odd. If pointer variables - * were supplied to hold STACK_OF(SSL_CIPHER) return information, - * the old memory pointed to is free()ed. Then, however, the - * cipher_list entry will be assigned just a copy of the returned - * cipher stack. For cipher_list_by_id a copy of the cipher stack - * will be created. See next comment... - */ - if (cipher_list != NULL) - { - if (*cipher_list != NULL) - sk_SSL_CIPHER_free(*cipher_list); - *cipher_list = cipherstack; - } - - if (cipher_list_by_id != NULL) - { - if (*cipher_list_by_id != NULL) - sk_SSL_CIPHER_free(*cipher_list_by_id); - *cipher_list_by_id = sk_SSL_CIPHER_dup(cipherstack); - } - - /* - * Now it is getting really strange. If something failed during - * the previous pointer assignment or if one of the pointers was - * not requested, the error condition is met. That might be - * discussable. The strange thing is however that in this case - * the memory "ret" pointed to is "free()ed" and hence the pointer - * cipher_list becomes wild. The memory reserved for - * cipher_list_by_id however is not "free()ed" and stays intact. - */ - if ( (cipher_list_by_id == NULL) || - (*cipher_list_by_id == NULL) || - (cipher_list == NULL) || - (*cipher_list == NULL)) + tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); + if (tmp_cipher_list == NULL) { sk_SSL_CIPHER_free(cipherstack); - return(NULL); + return NULL; } - + if (*cipher_list != NULL) + sk_SSL_CIPHER_free(*cipher_list); + *cipher_list = cipherstack; + if (*cipher_list_by_id != NULL) + sk_SSL_CIPHER_free(*cipher_list_by_id); + *cipher_list_by_id = tmp_cipher_list; sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); return(cipherstack); diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c index 29b8ff4788..4bcf591298 100644 --- a/src/lib/libssl/ssl_err.c +++ b/src/lib/libssl/ssl_err.c @@ -64,384 +64,383 @@ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason) + static ERR_STRING_DATA SSL_str_functs[]= { -{ERR_PACK(0,SSL_F_CLIENT_CERTIFICATE,0), "CLIENT_CERTIFICATE"}, -{ERR_PACK(0,SSL_F_CLIENT_FINISHED,0), "CLIENT_FINISHED"}, -{ERR_PACK(0,SSL_F_CLIENT_HELLO,0), "CLIENT_HELLO"}, -{ERR_PACK(0,SSL_F_CLIENT_MASTER_KEY,0), "CLIENT_MASTER_KEY"}, -{ERR_PACK(0,SSL_F_D2I_SSL_SESSION,0), "d2i_SSL_SESSION"}, -{ERR_PACK(0,SSL_F_DO_SSL3_WRITE,0), "DO_SSL3_WRITE"}, -{ERR_PACK(0,SSL_F_GET_CLIENT_FINISHED,0), "GET_CLIENT_FINISHED"}, -{ERR_PACK(0,SSL_F_GET_CLIENT_HELLO,0), "GET_CLIENT_HELLO"}, -{ERR_PACK(0,SSL_F_GET_CLIENT_MASTER_KEY,0), "GET_CLIENT_MASTER_KEY"}, -{ERR_PACK(0,SSL_F_GET_SERVER_FINISHED,0), "GET_SERVER_FINISHED"}, -{ERR_PACK(0,SSL_F_GET_SERVER_HELLO,0), "GET_SERVER_HELLO"}, -{ERR_PACK(0,SSL_F_GET_SERVER_VERIFY,0), "GET_SERVER_VERIFY"}, -{ERR_PACK(0,SSL_F_I2D_SSL_SESSION,0), "i2d_SSL_SESSION"}, -{ERR_PACK(0,SSL_F_READ_N,0), "READ_N"}, -{ERR_PACK(0,SSL_F_REQUEST_CERTIFICATE,0), "REQUEST_CERTIFICATE"}, -{ERR_PACK(0,SSL_F_SERVER_FINISH,0), "SERVER_FINISH"}, -{ERR_PACK(0,SSL_F_SERVER_HELLO,0), "SERVER_HELLO"}, -{ERR_PACK(0,SSL_F_SERVER_VERIFY,0), "SERVER_VERIFY"}, -{ERR_PACK(0,SSL_F_SSL23_ACCEPT,0), "SSL23_ACCEPT"}, -{ERR_PACK(0,SSL_F_SSL23_CLIENT_HELLO,0), "SSL23_CLIENT_HELLO"}, -{ERR_PACK(0,SSL_F_SSL23_CONNECT,0), "SSL23_CONNECT"}, -{ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0), "SSL23_GET_CLIENT_HELLO"}, -{ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0), "SSL23_GET_SERVER_HELLO"}, -{ERR_PACK(0,SSL_F_SSL23_PEEK,0), "SSL23_PEEK"}, -{ERR_PACK(0,SSL_F_SSL23_READ,0), "SSL23_READ"}, -{ERR_PACK(0,SSL_F_SSL23_WRITE,0), "SSL23_WRITE"}, -{ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"}, -{ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"}, -{ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"}, -{ERR_PACK(0,SSL_F_SSL2_GENERATE_KEY_MATERIAL,0), "SSL2_GENERATE_KEY_MATERIAL"}, -{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"}, -{ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"}, -{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"}, -{ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"}, -{ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"}, -{ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"}, -{ERR_PACK(0,SSL_F_SSL3_CALLBACK_CTRL,0), "SSL3_CALLBACK_CTRL"}, -{ERR_PACK(0,SSL_F_SSL3_CHANGE_CIPHER_STATE,0), "SSL3_CHANGE_CIPHER_STATE"}, -{ERR_PACK(0,SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,0), "SSL3_CHECK_CERT_AND_ALGORITHM"}, -{ERR_PACK(0,SSL_F_SSL3_CLIENT_HELLO,0), "SSL3_CLIENT_HELLO"}, -{ERR_PACK(0,SSL_F_SSL3_CONNECT,0), "SSL3_CONNECT"}, -{ERR_PACK(0,SSL_F_SSL3_CTRL,0), "SSL3_CTRL"}, -{ERR_PACK(0,SSL_F_SSL3_CTX_CTRL,0), "SSL3_CTX_CTRL"}, -{ERR_PACK(0,SSL_F_SSL3_ENC,0), "SSL3_ENC"}, -{ERR_PACK(0,SSL_F_SSL3_GENERATE_KEY_BLOCK,0), "SSL3_GENERATE_KEY_BLOCK"}, -{ERR_PACK(0,SSL_F_SSL3_GET_CERTIFICATE_REQUEST,0), "SSL3_GET_CERTIFICATE_REQUEST"}, -{ERR_PACK(0,SSL_F_SSL3_GET_CERT_VERIFY,0), "SSL3_GET_CERT_VERIFY"}, -{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_CERTIFICATE,0), "SSL3_GET_CLIENT_CERTIFICATE"}, -{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_HELLO,0), "SSL3_GET_CLIENT_HELLO"}, -{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,0), "SSL3_GET_CLIENT_KEY_EXCHANGE"}, -{ERR_PACK(0,SSL_F_SSL3_GET_FINISHED,0), "SSL3_GET_FINISHED"}, -{ERR_PACK(0,SSL_F_SSL3_GET_KEY_EXCHANGE,0), "SSL3_GET_KEY_EXCHANGE"}, -{ERR_PACK(0,SSL_F_SSL3_GET_MESSAGE,0), "SSL3_GET_MESSAGE"}, -{ERR_PACK(0,SSL_F_SSL3_GET_RECORD,0), "SSL3_GET_RECORD"}, -{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_CERTIFICATE,0), "SSL3_GET_SERVER_CERTIFICATE"}, -{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"}, -{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"}, -{ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"}, -{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"}, -{ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"}, -{ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"}, -{ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"}, -{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,0), "SSL3_SEND_CLIENT_CERTIFICATE"}, -{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,0), "SSL3_SEND_CLIENT_KEY_EXCHANGE"}, -{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_VERIFY,0), "SSL3_SEND_CLIENT_VERIFY"}, -{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_CERTIFICATE,0), "SSL3_SEND_SERVER_CERTIFICATE"}, -{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_HELLO,0), "SSL3_SEND_SERVER_HELLO"}, -{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,0), "SSL3_SEND_SERVER_KEY_EXCHANGE"}, -{ERR_PACK(0,SSL_F_SSL3_SETUP_BUFFERS,0), "SSL3_SETUP_BUFFERS"}, -{ERR_PACK(0,SSL_F_SSL3_SETUP_KEY_BLOCK,0), "SSL3_SETUP_KEY_BLOCK"}, -{ERR_PACK(0,SSL_F_SSL3_WRITE_BYTES,0), "SSL3_WRITE_BYTES"}, -{ERR_PACK(0,SSL_F_SSL3_WRITE_PENDING,0), "SSL3_WRITE_PENDING"}, -{ERR_PACK(0,SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,0), "SSL_add_dir_cert_subjects_to_stack"}, -{ERR_PACK(0,SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,0), "SSL_add_file_cert_subjects_to_stack"}, -{ERR_PACK(0,SSL_F_SSL_BAD_METHOD,0), "SSL_BAD_METHOD"}, -{ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0), "SSL_BYTES_TO_CIPHER_LIST"}, -{ERR_PACK(0,SSL_F_SSL_CERT_DUP,0), "SSL_CERT_DUP"}, -{ERR_PACK(0,SSL_F_SSL_CERT_INST,0), "SSL_CERT_INST"}, -{ERR_PACK(0,SSL_F_SSL_CERT_INSTANTIATE,0), "SSL_CERT_INSTANTIATE"}, -{ERR_PACK(0,SSL_F_SSL_CERT_NEW,0), "SSL_CERT_NEW"}, -{ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0), "SSL_check_private_key"}, -{ERR_PACK(0,SSL_F_SSL_CIPHER_PROCESS_RULESTR,0), "SSL_CIPHER_PROCESS_RULESTR"}, -{ERR_PACK(0,SSL_F_SSL_CIPHER_STRENGTH_SORT,0), "SSL_CIPHER_STRENGTH_SORT"}, -{ERR_PACK(0,SSL_F_SSL_CLEAR,0), "SSL_clear"}, -{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0), "SSL_COMP_add_compression_method"}, -{ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0), "SSL_CREATE_CIPHER_LIST"}, -{ERR_PACK(0,SSL_F_SSL_CTRL,0), "SSL_ctrl"}, -{ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0), "SSL_CTX_check_private_key"}, -{ERR_PACK(0,SSL_F_SSL_CTX_NEW,0), "SSL_CTX_new"}, -{ERR_PACK(0,SSL_F_SSL_CTX_SET_PURPOSE,0), "SSL_CTX_set_purpose"}, -{ERR_PACK(0,SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,0), "SSL_CTX_set_session_id_context"}, -{ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0), "SSL_CTX_set_ssl_version"}, -{ERR_PACK(0,SSL_F_SSL_CTX_SET_TRUST,0), "SSL_CTX_set_trust"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE,0), "SSL_CTX_use_certificate"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,0), "SSL_CTX_use_certificate_ASN1"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,0), "SSL_CTX_use_certificate_chain_file"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,0), "SSL_CTX_use_certificate_file"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY,0), "SSL_CTX_use_PrivateKey"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,0), "SSL_CTX_use_PrivateKey_ASN1"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,0), "SSL_CTX_use_PrivateKey_file"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,0), "SSL_CTX_use_RSAPrivateKey"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,0), "SSL_CTX_use_RSAPrivateKey_ASN1"}, -{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,0), "SSL_CTX_use_RSAPrivateKey_file"}, -{ERR_PACK(0,SSL_F_SSL_DO_HANDSHAKE,0), "SSL_do_handshake"}, -{ERR_PACK(0,SSL_F_SSL_GET_NEW_SESSION,0), "SSL_GET_NEW_SESSION"}, -{ERR_PACK(0,SSL_F_SSL_GET_PREV_SESSION,0), "SSL_GET_PREV_SESSION"}, -{ERR_PACK(0,SSL_F_SSL_GET_SERVER_SEND_CERT,0), "SSL_GET_SERVER_SEND_CERT"}, -{ERR_PACK(0,SSL_F_SSL_GET_SIGN_PKEY,0), "SSL_GET_SIGN_PKEY"}, -{ERR_PACK(0,SSL_F_SSL_INIT_WBIO_BUFFER,0), "SSL_INIT_WBIO_BUFFER"}, -{ERR_PACK(0,SSL_F_SSL_LOAD_CLIENT_CA_FILE,0), "SSL_load_client_CA_file"}, -{ERR_PACK(0,SSL_F_SSL_NEW,0), "SSL_new"}, -{ERR_PACK(0,SSL_F_SSL_READ,0), "SSL_read"}, -{ERR_PACK(0,SSL_F_SSL_RSA_PRIVATE_DECRYPT,0), "SSL_RSA_PRIVATE_DECRYPT"}, -{ERR_PACK(0,SSL_F_SSL_RSA_PUBLIC_ENCRYPT,0), "SSL_RSA_PUBLIC_ENCRYPT"}, -{ERR_PACK(0,SSL_F_SSL_SESSION_NEW,0), "SSL_SESSION_new"}, -{ERR_PACK(0,SSL_F_SSL_SESSION_PRINT_FP,0), "SSL_SESSION_print_fp"}, -{ERR_PACK(0,SSL_F_SSL_SESS_CERT_NEW,0), "SSL_SESS_CERT_NEW"}, -{ERR_PACK(0,SSL_F_SSL_SET_CERT,0), "SSL_SET_CERT"}, -{ERR_PACK(0,SSL_F_SSL_SET_FD,0), "SSL_set_fd"}, -{ERR_PACK(0,SSL_F_SSL_SET_PKEY,0), "SSL_SET_PKEY"}, -{ERR_PACK(0,SSL_F_SSL_SET_PURPOSE,0), "SSL_set_purpose"}, -{ERR_PACK(0,SSL_F_SSL_SET_RFD,0), "SSL_set_rfd"}, -{ERR_PACK(0,SSL_F_SSL_SET_SESSION,0), "SSL_set_session"}, -{ERR_PACK(0,SSL_F_SSL_SET_SESSION_ID_CONTEXT,0), "SSL_set_session_id_context"}, -{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0), "SSL_set_trust"}, -{ERR_PACK(0,SSL_F_SSL_SET_WFD,0), "SSL_set_wfd"}, -{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0), "SSL_shutdown"}, -{ERR_PACK(0,SSL_F_SSL_UNDEFINED_CONST_FUNCTION,0), "SSL_UNDEFINED_CONST_FUNCTION"}, -{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0), "SSL_UNDEFINED_FUNCTION"}, -{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0), "SSL_use_certificate"}, -{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0), "SSL_use_certificate_ASN1"}, -{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_FILE,0), "SSL_use_certificate_file"}, -{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY,0), "SSL_use_PrivateKey"}, -{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_ASN1,0), "SSL_use_PrivateKey_ASN1"}, -{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_FILE,0), "SSL_use_PrivateKey_file"}, -{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY,0), "SSL_use_RSAPrivateKey"}, -{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,0), "SSL_use_RSAPrivateKey_ASN1"}, -{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,0), "SSL_use_RSAPrivateKey_file"}, -{ERR_PACK(0,SSL_F_SSL_VERIFY_CERT_CHAIN,0), "SSL_VERIFY_CERT_CHAIN"}, -{ERR_PACK(0,SSL_F_SSL_WRITE,0), "SSL_write"}, -{ERR_PACK(0,SSL_F_TLS1_CHANGE_CIPHER_STATE,0), "TLS1_CHANGE_CIPHER_STATE"}, -{ERR_PACK(0,SSL_F_TLS1_ENC,0), "TLS1_ENC"}, -{ERR_PACK(0,SSL_F_TLS1_SETUP_KEY_BLOCK,0), "TLS1_SETUP_KEY_BLOCK"}, -{ERR_PACK(0,SSL_F_WRITE_PENDING,0), "WRITE_PENDING"}, +{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"}, +{ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"}, +{ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"}, +{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY), "CLIENT_MASTER_KEY"}, +{ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"}, +{ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"}, +{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED), "GET_CLIENT_FINISHED"}, +{ERR_FUNC(SSL_F_GET_CLIENT_HELLO), "GET_CLIENT_HELLO"}, +{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"}, +{ERR_FUNC(SSL_F_GET_SERVER_FINISHED), "GET_SERVER_FINISHED"}, +{ERR_FUNC(SSL_F_GET_SERVER_HELLO), "GET_SERVER_HELLO"}, +{ERR_FUNC(SSL_F_GET_SERVER_VERIFY), "GET_SERVER_VERIFY"}, +{ERR_FUNC(SSL_F_I2D_SSL_SESSION), "i2d_SSL_SESSION"}, +{ERR_FUNC(SSL_F_READ_N), "READ_N"}, +{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE), "REQUEST_CERTIFICATE"}, +{ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"}, +{ERR_FUNC(SSL_F_SERVER_HELLO), "SERVER_HELLO"}, +{ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"}, +{ERR_FUNC(SSL_F_SSL23_ACCEPT), "SSL23_ACCEPT"}, +{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"}, +{ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"}, +{ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO), "SSL23_GET_CLIENT_HELLO"}, +{ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO), "SSL23_GET_SERVER_HELLO"}, +{ERR_FUNC(SSL_F_SSL23_PEEK), "SSL23_PEEK"}, +{ERR_FUNC(SSL_F_SSL23_READ), "SSL23_READ"}, +{ERR_FUNC(SSL_F_SSL23_WRITE), "SSL23_WRITE"}, +{ERR_FUNC(SSL_F_SSL2_ACCEPT), "SSL2_ACCEPT"}, +{ERR_FUNC(SSL_F_SSL2_CONNECT), "SSL2_CONNECT"}, +{ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"}, +{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL), "SSL2_GENERATE_KEY_MATERIAL"}, +{ERR_FUNC(SSL_F_SSL2_PEEK), "SSL2_PEEK"}, +{ERR_FUNC(SSL_F_SSL2_READ), "SSL2_READ"}, +{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL), "SSL2_READ_INTERNAL"}, +{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE), "SSL2_SET_CERTIFICATE"}, +{ERR_FUNC(SSL_F_SSL2_WRITE), "SSL2_WRITE"}, +{ERR_FUNC(SSL_F_SSL3_ACCEPT), "SSL3_ACCEPT"}, +{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, +{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, +{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, +{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, +{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"}, +{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"}, +{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"}, +{ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"}, +{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"}, +{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"}, +{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"}, +{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"}, +{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"}, +{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"}, +{ERR_FUNC(SSL_F_SSL3_GET_FINISHED), "SSL3_GET_FINISHED"}, +{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"}, +{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"}, +{ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"}, +{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"}, +{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"}, +{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"}, +{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "SSL3_OUTPUT_CERT_CHAIN"}, +{ERR_FUNC(SSL_F_SSL3_PEEK), "SSL3_PEEK"}, +{ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"}, +{ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"}, +{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"}, +{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"}, +{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"}, +{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"}, +{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE), "SSL3_SEND_SERVER_CERTIFICATE"}, +{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO), "SSL3_SEND_SERVER_HELLO"}, +{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"}, +{ERR_FUNC(SSL_F_SSL3_SETUP_BUFFERS), "SSL3_SETUP_BUFFERS"}, +{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"}, +{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"}, +{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"}, +{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"}, +{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"}, +{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"}, +{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"}, +{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"}, +{ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"}, +{ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE), "SSL_CERT_INSTANTIATE"}, +{ERR_FUNC(SSL_F_SSL_CERT_NEW), "SSL_CERT_NEW"}, +{ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"}, +{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"}, +{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"}, +{ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"}, +{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), "SSL_COMP_add_compression_method"}, +{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "SSL_CREATE_CIPHER_LIST"}, +{ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"}, +{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"}, +{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"}, +{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"}, +{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"}, +{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"}, +{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"}, +{ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST), "SSL_CTX_set_trust"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE), "SSL_CTX_use_certificate_chain_file"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE), "SSL_CTX_use_certificate_file"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1), "SSL_CTX_use_PrivateKey_ASN1"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE), "SSL_CTX_use_PrivateKey_file"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY), "SSL_CTX_use_RSAPrivateKey"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1), "SSL_CTX_use_RSAPrivateKey_ASN1"}, +{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE), "SSL_CTX_use_RSAPrivateKey_file"}, +{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"}, +{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"}, +{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"}, +{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, +{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, +{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, +{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, +{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, +{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, +{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"}, +{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"}, +{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"}, +{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, +{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"}, +{ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"}, +{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"}, +{ERR_FUNC(SSL_F_SSL_SET_FD), "SSL_set_fd"}, +{ERR_FUNC(SSL_F_SSL_SET_PKEY), "SSL_SET_PKEY"}, +{ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"}, +{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"}, +{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"}, +{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"}, +{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"}, +{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"}, +{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"}, +{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "SSL_UNDEFINED_CONST_FUNCTION"}, +{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "SSL_UNDEFINED_FUNCTION"}, +{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"}, +{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"}, +{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"}, +{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY), "SSL_use_PrivateKey"}, +{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1), "SSL_use_PrivateKey_ASN1"}, +{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"}, +{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"}, +{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"}, +{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"}, +{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"}, +{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"}, +{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"}, +{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, +{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, +{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, {0,NULL} }; static ERR_STRING_DATA SSL_str_reasons[]= { -{SSL_R_APP_DATA_IN_HANDSHAKE ,"app data in handshake"}, -{SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT,"attempt to reuse session in different context"}, -{SSL_R_BAD_ALERT_RECORD ,"bad alert record"}, -{SSL_R_BAD_AUTHENTICATION_TYPE ,"bad authentication type"}, -{SSL_R_BAD_CHANGE_CIPHER_SPEC ,"bad change cipher spec"}, -{SSL_R_BAD_CHECKSUM ,"bad checksum"}, -{SSL_R_BAD_DATA_RETURNED_BY_CALLBACK ,"bad data returned by callback"}, -{SSL_R_BAD_DECOMPRESSION ,"bad decompression"}, -{SSL_R_BAD_DH_G_LENGTH ,"bad dh g length"}, -{SSL_R_BAD_DH_PUB_KEY_LENGTH ,"bad dh pub key length"}, -{SSL_R_BAD_DH_P_LENGTH ,"bad dh p length"}, -{SSL_R_BAD_DIGEST_LENGTH ,"bad digest length"}, -{SSL_R_BAD_DSA_SIGNATURE ,"bad dsa signature"}, -{SSL_R_BAD_HELLO_REQUEST ,"bad hello request"}, -{SSL_R_BAD_LENGTH ,"bad length"}, -{SSL_R_BAD_MAC_DECODE ,"bad mac decode"}, -{SSL_R_BAD_MESSAGE_TYPE ,"bad message type"}, -{SSL_R_BAD_PACKET_LENGTH ,"bad packet length"}, -{SSL_R_BAD_PROTOCOL_VERSION_NUMBER ,"bad protocol version number"}, -{SSL_R_BAD_RESPONSE_ARGUMENT ,"bad response argument"}, -{SSL_R_BAD_RSA_DECRYPT ,"bad rsa decrypt"}, -{SSL_R_BAD_RSA_ENCRYPT ,"bad rsa encrypt"}, -{SSL_R_BAD_RSA_E_LENGTH ,"bad rsa e length"}, -{SSL_R_BAD_RSA_MODULUS_LENGTH ,"bad rsa modulus length"}, -{SSL_R_BAD_RSA_SIGNATURE ,"bad rsa signature"}, -{SSL_R_BAD_SIGNATURE ,"bad signature"}, -{SSL_R_BAD_SSL_FILETYPE ,"bad ssl filetype"}, -{SSL_R_BAD_SSL_SESSION_ID_LENGTH ,"bad ssl session id length"}, -{SSL_R_BAD_STATE ,"bad state"}, -{SSL_R_BAD_WRITE_RETRY ,"bad write retry"}, -{SSL_R_BIO_NOT_SET ,"bio not set"}, -{SSL_R_BLOCK_CIPHER_PAD_IS_WRONG ,"block cipher pad is wrong"}, -{SSL_R_BN_LIB ,"bn lib"}, -{SSL_R_CA_DN_LENGTH_MISMATCH ,"ca dn length mismatch"}, -{SSL_R_CA_DN_TOO_LONG ,"ca dn too long"}, -{SSL_R_CCS_RECEIVED_EARLY ,"ccs received early"}, -{SSL_R_CERTIFICATE_VERIFY_FAILED ,"certificate verify failed"}, -{SSL_R_CERT_LENGTH_MISMATCH ,"cert length mismatch"}, -{SSL_R_CHALLENGE_IS_DIFFERENT ,"challenge is different"}, -{SSL_R_CIPHER_CODE_WRONG_LENGTH ,"cipher code wrong length"}, -{SSL_R_CIPHER_OR_HASH_UNAVAILABLE ,"cipher or hash unavailable"}, -{SSL_R_CIPHER_TABLE_SRC_ERROR ,"cipher table src error"}, -{SSL_R_COMPRESSED_LENGTH_TOO_LONG ,"compressed length too long"}, -{SSL_R_COMPRESSION_FAILURE ,"compression failure"}, -{SSL_R_COMPRESSION_LIBRARY_ERROR ,"compression library error"}, -{SSL_R_CONNECTION_ID_IS_DIFFERENT ,"connection id is different"}, -{SSL_R_CONNECTION_TYPE_NOT_SET ,"connection type not set"}, -{SSL_R_DATA_BETWEEN_CCS_AND_FINISHED ,"data between ccs and finished"}, -{SSL_R_DATA_LENGTH_TOO_LONG ,"data length too long"}, -{SSL_R_DECRYPTION_FAILED ,"decryption failed"}, -{SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC,"decryption failed or bad record mac"}, -{SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG ,"dh public value length is wrong"}, -{SSL_R_DIGEST_CHECK_FAILED ,"digest check failed"}, -{SSL_R_ENCRYPTED_LENGTH_TOO_LONG ,"encrypted length too long"}, -{SSL_R_ERROR_GENERATING_TMP_RSA_KEY ,"error generating tmp rsa key"}, -{SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST ,"error in received cipher list"}, -{SSL_R_EXCESSIVE_MESSAGE_SIZE ,"excessive message size"}, -{SSL_R_EXTRA_DATA_IN_MESSAGE ,"extra data in message"}, -{SSL_R_GOT_A_FIN_BEFORE_A_CCS ,"got a fin before a ccs"}, -{SSL_R_HTTPS_PROXY_REQUEST ,"https proxy request"}, -{SSL_R_HTTP_REQUEST ,"http request"}, -{SSL_R_ILLEGAL_PADDING ,"illegal padding"}, -{SSL_R_INVALID_CHALLENGE_LENGTH ,"invalid challenge length"}, -{SSL_R_INVALID_COMMAND ,"invalid command"}, -{SSL_R_INVALID_PURPOSE ,"invalid purpose"}, -{SSL_R_INVALID_TRUST ,"invalid trust"}, -{SSL_R_KEY_ARG_TOO_LONG ,"key arg too long"}, -{SSL_R_KRB5 ,"krb5"}, -{SSL_R_KRB5_C_CC_PRINC ,"krb5 client cc principal (no tkt?)"}, -{SSL_R_KRB5_C_GET_CRED ,"krb5 client get cred"}, -{SSL_R_KRB5_C_INIT ,"krb5 client init"}, -{SSL_R_KRB5_C_MK_REQ ,"krb5 client mk_req (expired tkt?)"}, -{SSL_R_KRB5_S_BAD_TICKET ,"krb5 server bad ticket"}, -{SSL_R_KRB5_S_INIT ,"krb5 server init"}, -{SSL_R_KRB5_S_RD_REQ ,"krb5 server rd_req (keytab perms?)"}, -{SSL_R_KRB5_S_TKT_EXPIRED ,"krb5 server tkt expired"}, -{SSL_R_KRB5_S_TKT_NYV ,"krb5 server tkt not yet valid"}, -{SSL_R_KRB5_S_TKT_SKEW ,"krb5 server tkt skew"}, -{SSL_R_LENGTH_MISMATCH ,"length mismatch"}, -{SSL_R_LENGTH_TOO_SHORT ,"length too short"}, -{SSL_R_LIBRARY_BUG ,"library bug"}, -{SSL_R_LIBRARY_HAS_NO_CIPHERS ,"library has no ciphers"}, -{SSL_R_MASTER_KEY_TOO_LONG ,"master key too long"}, -{SSL_R_MESSAGE_TOO_LONG ,"message too long"}, -{SSL_R_MISSING_DH_DSA_CERT ,"missing dh dsa cert"}, -{SSL_R_MISSING_DH_KEY ,"missing dh key"}, -{SSL_R_MISSING_DH_RSA_CERT ,"missing dh rsa cert"}, -{SSL_R_MISSING_DSA_SIGNING_CERT ,"missing dsa signing cert"}, -{SSL_R_MISSING_EXPORT_TMP_DH_KEY ,"missing export tmp dh key"}, -{SSL_R_MISSING_EXPORT_TMP_RSA_KEY ,"missing export tmp rsa key"}, -{SSL_R_MISSING_RSA_CERTIFICATE ,"missing rsa certificate"}, -{SSL_R_MISSING_RSA_ENCRYPTING_CERT ,"missing rsa encrypting cert"}, -{SSL_R_MISSING_RSA_SIGNING_CERT ,"missing rsa signing cert"}, -{SSL_R_MISSING_TMP_DH_KEY ,"missing tmp dh key"}, -{SSL_R_MISSING_TMP_RSA_KEY ,"missing tmp rsa key"}, -{SSL_R_MISSING_TMP_RSA_PKEY ,"missing tmp rsa pkey"}, -{SSL_R_MISSING_VERIFY_MESSAGE ,"missing verify message"}, -{SSL_R_NON_SSLV2_INITIAL_PACKET ,"non sslv2 initial packet"}, -{SSL_R_NO_CERTIFICATES_RETURNED ,"no certificates returned"}, -{SSL_R_NO_CERTIFICATE_ASSIGNED ,"no certificate assigned"}, -{SSL_R_NO_CERTIFICATE_RETURNED ,"no certificate returned"}, -{SSL_R_NO_CERTIFICATE_SET ,"no certificate set"}, -{SSL_R_NO_CERTIFICATE_SPECIFIED ,"no certificate specified"}, -{SSL_R_NO_CIPHERS_AVAILABLE ,"no ciphers available"}, -{SSL_R_NO_CIPHERS_PASSED ,"no ciphers passed"}, -{SSL_R_NO_CIPHERS_SPECIFIED ,"no ciphers specified"}, -{SSL_R_NO_CIPHER_LIST ,"no cipher list"}, -{SSL_R_NO_CIPHER_MATCH ,"no cipher match"}, -{SSL_R_NO_CLIENT_CERT_RECEIVED ,"no client cert received"}, -{SSL_R_NO_COMPRESSION_SPECIFIED ,"no compression specified"}, -{SSL_R_NO_METHOD_SPECIFIED ,"no method specified"}, -{SSL_R_NO_PRIVATEKEY ,"no privatekey"}, -{SSL_R_NO_PRIVATE_KEY_ASSIGNED ,"no private key assigned"}, -{SSL_R_NO_PROTOCOLS_AVAILABLE ,"no protocols available"}, -{SSL_R_NO_PUBLICKEY ,"no publickey"}, -{SSL_R_NO_SHARED_CIPHER ,"no shared cipher"}, -{SSL_R_NO_VERIFY_CALLBACK ,"no verify callback"}, -{SSL_R_NULL_SSL_CTX ,"null ssl ctx"}, -{SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"}, -{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"}, -{SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE ,"only tls allowed in fips mode"}, -{SSL_R_PACKET_LENGTH_TOO_LONG ,"packet length too long"}, -{SSL_R_PATH_TOO_LONG ,"path too long"}, -{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"}, -{SSL_R_PEER_ERROR ,"peer error"}, -{SSL_R_PEER_ERROR_CERTIFICATE ,"peer error certificate"}, -{SSL_R_PEER_ERROR_NO_CERTIFICATE ,"peer error no certificate"}, -{SSL_R_PEER_ERROR_NO_CIPHER ,"peer error no cipher"}, -{SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"peer error unsupported certificate type"}, -{SSL_R_PRE_MAC_LENGTH_TOO_LONG ,"pre mac length too long"}, -{SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS ,"problems mapping cipher functions"}, -{SSL_R_PROTOCOL_IS_SHUTDOWN ,"protocol is shutdown"}, -{SSL_R_PUBLIC_KEY_ENCRYPT_ERROR ,"public key encrypt error"}, -{SSL_R_PUBLIC_KEY_IS_NOT_RSA ,"public key is not rsa"}, -{SSL_R_PUBLIC_KEY_NOT_RSA ,"public key not rsa"}, -{SSL_R_READ_BIO_NOT_SET ,"read bio not set"}, -{SSL_R_READ_WRONG_PACKET_TYPE ,"read wrong packet type"}, -{SSL_R_RECORD_LENGTH_MISMATCH ,"record length mismatch"}, -{SSL_R_RECORD_TOO_LARGE ,"record too large"}, -{SSL_R_RECORD_TOO_SMALL ,"record too small"}, -{SSL_R_REQUIRED_CIPHER_MISSING ,"required cipher missing"}, -{SSL_R_REUSE_CERT_LENGTH_NOT_ZERO ,"reuse cert length not zero"}, -{SSL_R_REUSE_CERT_TYPE_NOT_ZERO ,"reuse cert type not zero"}, -{SSL_R_REUSE_CIPHER_LIST_NOT_ZERO ,"reuse cipher list not zero"}, -{SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED ,"session id context uninitialized"}, -{SSL_R_SHORT_READ ,"short read"}, -{SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"}, -{SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"}, -{SSL_R_SSL2_CONNECTION_ID_TOO_LONG ,"ssl2 connection id too long"}, -{SSL_R_SSL3_SESSION_ID_TOO_LONG ,"ssl3 session id too long"}, -{SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"}, -{SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"}, -{SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"}, -{SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED ,"sslv3 alert certificate expired"}, -{SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED ,"sslv3 alert certificate revoked"}, -{SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN ,"sslv3 alert certificate unknown"}, -{SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE ,"sslv3 alert decompression failure"}, -{SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE ,"sslv3 alert handshake failure"}, -{SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER ,"sslv3 alert illegal parameter"}, -{SSL_R_SSLV3_ALERT_NO_CERTIFICATE ,"sslv3 alert no certificate"}, -{SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE,"sslv3 alert peer error certificate"}, -{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE,"sslv3 alert peer error no certificate"}, -{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER ,"sslv3 alert peer error no cipher"}, -{SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"sslv3 alert peer error unsupported certificate type"}, -{SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE ,"sslv3 alert unexpected message"}, -{SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE,"sslv3 alert unknown remote error type"}, -{SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE,"sslv3 alert unsupported certificate"}, -{SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION,"ssl ctx has no default ssl version"}, -{SSL_R_SSL_HANDSHAKE_FAILURE ,"ssl handshake failure"}, -{SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS ,"ssl library has no ciphers"}, -{SSL_R_SSL_SESSION_ID_CALLBACK_FAILED ,"ssl session id callback failed"}, -{SSL_R_SSL_SESSION_ID_CONFLICT ,"ssl session id conflict"}, -{SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG ,"ssl session id context too long"}, -{SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH ,"ssl session id has bad length"}, -{SSL_R_SSL_SESSION_ID_IS_DIFFERENT ,"ssl session id is different"}, -{SSL_R_TLSV1_ALERT_ACCESS_DENIED ,"tlsv1 alert access denied"}, -{SSL_R_TLSV1_ALERT_DECODE_ERROR ,"tlsv1 alert decode error"}, -{SSL_R_TLSV1_ALERT_DECRYPTION_FAILED ,"tlsv1 alert decryption failed"}, -{SSL_R_TLSV1_ALERT_DECRYPT_ERROR ,"tlsv1 alert decrypt error"}, -{SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION ,"tlsv1 alert export restriction"}, -{SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY ,"tlsv1 alert insufficient security"}, -{SSL_R_TLSV1_ALERT_INTERNAL_ERROR ,"tlsv1 alert internal error"}, -{SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ,"tlsv1 alert no renegotiation"}, -{SSL_R_TLSV1_ALERT_PROTOCOL_VERSION ,"tlsv1 alert protocol version"}, -{SSL_R_TLSV1_ALERT_RECORD_OVERFLOW ,"tlsv1 alert record overflow"}, -{SSL_R_TLSV1_ALERT_UNKNOWN_CA ,"tlsv1 alert unknown ca"}, -{SSL_R_TLSV1_ALERT_USER_CANCELLED ,"tlsv1 alert user cancelled"}, -{SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"}, -{SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"}, -{SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"}, -{SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER ,"tried to use unsupported cipher"}, -{SSL_R_UNABLE_TO_DECODE_DH_CERTS ,"unable to decode dh certs"}, -{SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY ,"unable to extract public key"}, -{SSL_R_UNABLE_TO_FIND_DH_PARAMETERS ,"unable to find dh parameters"}, -{SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS,"unable to find public key parameters"}, -{SSL_R_UNABLE_TO_FIND_SSL_METHOD ,"unable to find ssl method"}, -{SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES ,"unable to load ssl2 md5 routines"}, -{SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES ,"unable to load ssl3 md5 routines"}, -{SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES ,"unable to load ssl3 sha1 routines"}, -{SSL_R_UNEXPECTED_MESSAGE ,"unexpected message"}, -{SSL_R_UNEXPECTED_RECORD ,"unexpected record"}, -{SSL_R_UNINITIALIZED ,"uninitialized"}, -{SSL_R_UNKNOWN_ALERT_TYPE ,"unknown alert type"}, -{SSL_R_UNKNOWN_CERTIFICATE_TYPE ,"unknown certificate type"}, -{SSL_R_UNKNOWN_CIPHER_RETURNED ,"unknown cipher returned"}, -{SSL_R_UNKNOWN_CIPHER_TYPE ,"unknown cipher type"}, -{SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE ,"unknown key exchange type"}, -{SSL_R_UNKNOWN_PKEY_TYPE ,"unknown pkey type"}, -{SSL_R_UNKNOWN_PROTOCOL ,"unknown protocol"}, -{SSL_R_UNKNOWN_REMOTE_ERROR_TYPE ,"unknown remote error type"}, -{SSL_R_UNKNOWN_SSL_VERSION ,"unknown ssl version"}, -{SSL_R_UNKNOWN_STATE ,"unknown state"}, -{SSL_R_UNSUPPORTED_CIPHER ,"unsupported cipher"}, -{SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM ,"unsupported compression algorithm"}, -{SSL_R_UNSUPPORTED_OPTION ,"unsupported option"}, -{SSL_R_UNSUPPORTED_PROTOCOL ,"unsupported protocol"}, -{SSL_R_UNSUPPORTED_SSL_VERSION ,"unsupported ssl version"}, -{SSL_R_WRITE_BIO_NOT_SET ,"write bio not set"}, -{SSL_R_WRONG_CIPHER_RETURNED ,"wrong cipher returned"}, -{SSL_R_WRONG_MESSAGE_TYPE ,"wrong message type"}, -{SSL_R_WRONG_NUMBER_OF_KEY_BITS ,"wrong number of key bits"}, -{SSL_R_WRONG_SIGNATURE_LENGTH ,"wrong signature length"}, -{SSL_R_WRONG_SIGNATURE_SIZE ,"wrong signature size"}, -{SSL_R_WRONG_SSL_VERSION ,"wrong ssl version"}, -{SSL_R_WRONG_VERSION_NUMBER ,"wrong version number"}, -{SSL_R_X509_LIB ,"x509 lib"}, -{SSL_R_X509_VERIFICATION_SETUP_PROBLEMS ,"x509 verification setup problems"}, +{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"}, +{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"}, +{ERR_REASON(SSL_R_BAD_ALERT_RECORD) ,"bad alert record"}, +{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"}, +{ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"}, +{ERR_REASON(SSL_R_BAD_CHECKSUM) ,"bad checksum"}, +{ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"}, +{ERR_REASON(SSL_R_BAD_DECOMPRESSION) ,"bad decompression"}, +{ERR_REASON(SSL_R_BAD_DH_G_LENGTH) ,"bad dh g length"}, +{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"}, +{ERR_REASON(SSL_R_BAD_DH_P_LENGTH) ,"bad dh p length"}, +{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH) ,"bad digest length"}, +{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE) ,"bad dsa signature"}, +{ERR_REASON(SSL_R_BAD_HELLO_REQUEST) ,"bad hello request"}, +{ERR_REASON(SSL_R_BAD_LENGTH) ,"bad length"}, +{ERR_REASON(SSL_R_BAD_MAC_DECODE) ,"bad mac decode"}, +{ERR_REASON(SSL_R_BAD_MESSAGE_TYPE) ,"bad message type"}, +{ERR_REASON(SSL_R_BAD_PACKET_LENGTH) ,"bad packet length"}, +{ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"}, +{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"}, +{ERR_REASON(SSL_R_BAD_RSA_DECRYPT) ,"bad rsa decrypt"}, +{ERR_REASON(SSL_R_BAD_RSA_ENCRYPT) ,"bad rsa encrypt"}, +{ERR_REASON(SSL_R_BAD_RSA_E_LENGTH) ,"bad rsa e length"}, +{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"}, +{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) ,"bad rsa signature"}, +{ERR_REASON(SSL_R_BAD_SIGNATURE) ,"bad signature"}, +{ERR_REASON(SSL_R_BAD_SSL_FILETYPE) ,"bad ssl filetype"}, +{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"}, +{ERR_REASON(SSL_R_BAD_STATE) ,"bad state"}, +{ERR_REASON(SSL_R_BAD_WRITE_RETRY) ,"bad write retry"}, +{ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"}, +{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"}, +{ERR_REASON(SSL_R_BN_LIB) ,"bn lib"}, +{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"}, +{ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"}, +{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"}, +{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"}, +{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"}, +{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"}, +{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"}, +{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"}, +{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"}, +{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"}, +{ERR_REASON(SSL_R_COMPRESSION_FAILURE) ,"compression failure"}, +{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"}, +{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"}, +{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"}, +{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"}, +{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"}, +{ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"}, +{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"}, +{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"}, +{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"}, +{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"}, +{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"}, +{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"}, +{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"}, +{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"}, +{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"}, +{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, +{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, +{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, +{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, +{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, +{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"}, +{ERR_REASON(SSL_R_INVALID_TRUST) ,"invalid trust"}, +{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG) ,"key arg too long"}, +{ERR_REASON(SSL_R_KRB5) ,"krb5"}, +{ERR_REASON(SSL_R_KRB5_C_CC_PRINC) ,"krb5 client cc principal (no tkt?)"}, +{ERR_REASON(SSL_R_KRB5_C_GET_CRED) ,"krb5 client get cred"}, +{ERR_REASON(SSL_R_KRB5_C_INIT) ,"krb5 client init"}, +{ERR_REASON(SSL_R_KRB5_C_MK_REQ) ,"krb5 client mk_req (expired tkt?)"}, +{ERR_REASON(SSL_R_KRB5_S_BAD_TICKET) ,"krb5 server bad ticket"}, +{ERR_REASON(SSL_R_KRB5_S_INIT) ,"krb5 server init"}, +{ERR_REASON(SSL_R_KRB5_S_RD_REQ) ,"krb5 server rd_req (keytab perms?)"}, +{ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED) ,"krb5 server tkt expired"}, +{ERR_REASON(SSL_R_KRB5_S_TKT_NYV) ,"krb5 server tkt not yet valid"}, +{ERR_REASON(SSL_R_KRB5_S_TKT_SKEW) ,"krb5 server tkt skew"}, +{ERR_REASON(SSL_R_LENGTH_MISMATCH) ,"length mismatch"}, +{ERR_REASON(SSL_R_LENGTH_TOO_SHORT) ,"length too short"}, +{ERR_REASON(SSL_R_LIBRARY_BUG) ,"library bug"}, +{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"}, +{ERR_REASON(SSL_R_MESSAGE_TOO_LONG) ,"message too long"}, +{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT) ,"missing dh dsa cert"}, +{ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"}, +{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) ,"missing dh rsa cert"}, +{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"}, +{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"}, +{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"}, +{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"}, +{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"}, +{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"}, +{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) ,"missing tmp dh key"}, +{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"}, +{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"}, +{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"}, +{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"}, +{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"}, +{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"}, +{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"}, +{ERR_REASON(SSL_R_NO_CERTIFICATE_SET) ,"no certificate set"}, +{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"}, +{ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE) ,"no ciphers available"}, +{ERR_REASON(SSL_R_NO_CIPHERS_PASSED) ,"no ciphers passed"}, +{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) ,"no ciphers specified"}, +{ERR_REASON(SSL_R_NO_CIPHER_LIST) ,"no cipher list"}, +{ERR_REASON(SSL_R_NO_CIPHER_MATCH) ,"no cipher match"}, +{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"}, +{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"}, +{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"}, +{ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"}, +{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"}, +{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"}, +{ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"}, +{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"}, +{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"}, +{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"}, +{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"}, +{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"}, +{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"}, +{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"}, +{ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"}, +{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"}, +{ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"}, +{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"}, +{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"}, +{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER) ,"peer error no cipher"}, +{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"}, +{ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"}, +{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"}, +{ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN) ,"protocol is shutdown"}, +{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"}, +{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"}, +{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"}, +{ERR_REASON(SSL_R_READ_BIO_NOT_SET) ,"read bio not set"}, +{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"}, +{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"}, +{ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"}, +{ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"}, +{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"}, +{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"}, +{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"}, +{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"}, +{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"}, +{ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, +{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"}, +{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"}, +{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"}, +{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG),"ssl3 session id too long"}, +{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),"ssl3 session id too short"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),"sslv3 alert bad certificate"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),"sslv3 alert bad record mac"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),"sslv3 alert certificate expired"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),"sslv3 alert certificate revoked"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),"sslv3 alert certificate unknown"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),"sslv3 alert decompression failure"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"}, +{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"}, +{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"}, +{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"}, +{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),"ssl library has no ciphers"}, +{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),"ssl session id callback failed"}, +{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"}, +{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"}, +{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"}, +{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),"tlsv1 alert protocol version"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"}, +{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"}, +{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"}, +{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"}, +{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"}, +{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"}, +{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"}, +{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"}, +{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"}, +{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"}, +{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"}, +{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"}, +{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"}, +{ERR_REASON(SSL_R_UNEXPECTED_MESSAGE) ,"unexpected message"}, +{ERR_REASON(SSL_R_UNEXPECTED_RECORD) ,"unexpected record"}, +{ERR_REASON(SSL_R_UNINITIALIZED) ,"uninitialized"}, +{ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) ,"unknown alert type"}, +{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"}, +{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"}, +{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) ,"unknown cipher type"}, +{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"}, +{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) ,"unknown pkey type"}, +{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) ,"unknown protocol"}, +{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"}, +{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"}, +{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"}, +{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, +{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"}, +{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) ,"unsupported protocol"}, +{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"}, +{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"}, +{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"}, +{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"}, +{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"}, +{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"}, +{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) ,"wrong signature size"}, +{ERR_REASON(SSL_R_WRONG_SSL_VERSION) ,"wrong ssl version"}, +{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"}, +{ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"}, +{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"}, {0,NULL} }; @@ -455,8 +454,8 @@ void ERR_load_SSL_strings(void) { init=0; #ifndef OPENSSL_NO_ERR - ERR_load_strings(ERR_LIB_SSL,SSL_str_functs); - ERR_load_strings(ERR_LIB_SSL,SSL_str_reasons); + ERR_load_strings(0,SSL_str_functs); + ERR_load_strings(0,SSL_str_reasons); #endif } diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 631229558f..2bd9a5af86 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -125,7 +125,7 @@ const char *SSL_version_str=OPENSSL_VERSION_TEXT; -OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={ +SSL3_ENC_METHOD ssl3_undef_enc_method={ /* evil casts, but these functions are only called if there's a library bug */ (int (*)(SSL *,int))ssl_undefined_function, (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, @@ -1130,8 +1130,21 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list, &ctx->cipher_list_by_id,str); -/* XXXX */ - return((sk == NULL)?0:1); + /* ssl_create_cipher_list may return an empty stack if it + * was unable to find a cipher matching the given rule string + * (for example if the rule string specifies a cipher which + * has been disabled). This is not an error as far as + * ssl_create_cipher_list is concerned, and hence + * ctx->cipher_list and ctx->cipher_list_by_id has been + * updated. */ + if (sk == NULL) + return 0; + else if (sk_SSL_CIPHER_num(sk) == 0) + { + SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); + return 0; + } + return 1; } /** specify the ciphers to be used by the SSL */ @@ -1141,8 +1154,15 @@ int SSL_set_cipher_list(SSL *s,const char *str) sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list, &s->cipher_list_by_id,str); -/* XXXX */ - return((sk == NULL)?0:1); + /* see comment in SSL_CTX_set_cipher_list */ + if (sk == NULL) + return 0; + else if (sk_SSL_CIPHER_num(sk) == 0) + { + SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); + return 0; + } + return 1; } /* works well for SSLv2, not so good for SSLv3 */ @@ -1181,7 +1201,8 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) return(buf); } -int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p) +int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, + int (*put_cb)(const SSL_CIPHER *, unsigned char *)) { int i,j=0; SSL_CIPHER *c; @@ -1200,7 +1221,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p) if ((c->algorithms & SSL_KRB5) && nokrb5) continue; #endif /* OPENSSL_NO_KRB5 */ - j=ssl_put_cipher_by_char(s,c,p); + + j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); p+=j; } return(p-q); @@ -1694,7 +1716,7 @@ void ssl_update_cache(SSL *s,int mode) ?s->ctx->stats.sess_connect_good :s->ctx->stats.sess_accept_good) & 0xff) == 0xff) { - SSL_CTX_flush_sessions(s->ctx,time(NULL)); + SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL)); } } } diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 25a144a0d0..6a0b7595f4 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -462,7 +462,7 @@ typedef struct ssl3_comp_st COMP_METHOD *method; /* The method :-) */ } SSL3_COMP; -OPENSSL_EXTERN SSL3_ENC_METHOD ssl3_undef_enc_method; +extern SSL3_ENC_METHOD ssl3_undef_enc_method; OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[]; OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[]; @@ -493,7 +493,8 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, const SSL_CIPHER * const *bp); STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, STACK_OF(SSL_CIPHER) **skp); -int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p); +int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, + int (*put_cb)(const SSL_CIPHER *, unsigned char *)); STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted, diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 5f12aa361c..2ba8b9612e 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -118,7 +118,7 @@ SSL_SESSION *SSL_SESSION_new(void) ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references=1; ss->timeout=60*5+4; /* 5 minute timeout by default */ - ss->time=time(NULL); + ss->time=(unsigned long)time(NULL); ss->prev=NULL; ss->next=NULL; ss->compress_meth=0; @@ -377,7 +377,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len) CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); #endif - if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */ + if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ { s->ctx->stats.sess_timeout++; /* remove it from the cache */ -- cgit v1.2.3-55-g6feb