From de8f24ea083384bb66b32ec105dc4743c5663cdf Mon Sep 17 00:00:00 2001 From: beck <> Date: Wed, 29 Sep 1999 04:37:45 +0000 Subject: OpenSSL 0.9.4 merge --- src/lib/libssl/LICENSE | 127 + src/lib/libssl/bio_ssl.c | 62 +- src/lib/libssl/crypto-patent/Makefile | 93 +- src/lib/libssl/crypto-patent/shlib_version | 2 +- src/lib/libssl/crypto/Makefile | 85 +- src/lib/libssl/doc/openssl.cnf | 214 + src/lib/libssl/doc/openssl.txt | 1174 ++++ src/lib/libssl/s23_clnt.c | 55 +- src/lib/libssl/s23_lib.c | 52 +- src/lib/libssl/s23_pkt.c | 13 +- src/lib/libssl/s23_srvr.c | 72 +- src/lib/libssl/s3_both.c | 85 +- src/lib/libssl/s3_clnt.c | 363 +- src/lib/libssl/s3_lib.c | 382 +- src/lib/libssl/s3_pkt.c | 160 +- src/lib/libssl/s3_srvr.c | 336 +- src/lib/libssl/src/CHANGES | 1624 +++++ src/lib/libssl/src/CHANGES.SSLeay | 968 +++ src/lib/libssl/src/COPYRIGHT | 65 - src/lib/libssl/src/Configure | 938 ++- src/lib/libssl/src/HISTORY | 316 - src/lib/libssl/src/HISTORY.066 | 443 -- src/lib/libssl/src/INSTALL | 265 +- src/lib/libssl/src/INSTALL.VMS | 245 + src/lib/libssl/src/INSTALL.W32 | 323 + src/lib/libssl/src/LICENSE | 127 + src/lib/libssl/src/MICROSOFT | 146 - src/lib/libssl/src/MINFO | 968 --- src/lib/libssl/src/Makefile.org | 351 ++ src/lib/libssl/src/Makefile.ssl | 331 - src/lib/libssl/src/NEWS | 65 + src/lib/libssl/src/PATENTS | 9 - src/lib/libssl/src/PROBLEMS | 50 - src/lib/libssl/src/README | 376 +- src/lib/libssl/src/README.066 | 27 - src/lib/libssl/src/README.080 | 147 - src/lib/libssl/src/README.090 | 71 - src/lib/libssl/src/TODO | 28 - src/lib/libssl/src/VERSION | 24 - src/lib/libssl/src/apps/CA.com | 200 + src/lib/libssl/src/apps/CA.pl | 153 + src/lib/libssl/src/apps/CA.sh | 10 +- src/lib/libssl/src/apps/Makefile.ssl | 665 +- src/lib/libssl/src/apps/apps.c | 64 +- src/lib/libssl/src/apps/apps.h | 25 +- src/lib/libssl/src/apps/asn1pars.c | 105 +- src/lib/libssl/src/apps/ca-cert.srl | 2 +- src/lib/libssl/src/apps/ca.c | 818 ++- src/lib/libssl/src/apps/ciphers.c | 21 +- src/lib/libssl/src/apps/crl.c | 96 +- src/lib/libssl/src/apps/crl2p7.c | 77 +- src/lib/libssl/src/apps/der_chop | 305 - src/lib/libssl/src/apps/der_chop.in | 305 + src/lib/libssl/src/apps/dgst.c | 40 +- src/lib/libssl/src/apps/dh.c | 24 +- src/lib/libssl/src/apps/dsa-ca.pem | 23 +- src/lib/libssl/src/apps/dsa-pca.pem | 23 +- src/lib/libssl/src/apps/dsa.c | 27 +- src/lib/libssl/src/apps/dsaparam.c | 57 +- src/lib/libssl/src/apps/eay.c | 35 +- src/lib/libssl/src/apps/enc.c | 44 +- src/lib/libssl/src/apps/errstr.c | 12 +- src/lib/libssl/src/apps/ext.v3 | 2 - src/lib/libssl/src/apps/g_ssleay.pl | 114 - src/lib/libssl/src/apps/gendh.c | 42 +- src/lib/libssl/src/apps/gendsa.c | 70 +- src/lib/libssl/src/apps/genrsa.c | 46 +- src/lib/libssl/src/apps/install.com | 69 + src/lib/libssl/src/apps/makeapps.com | 1138 ++++ src/lib/libssl/src/apps/mklinks | 7 - src/lib/libssl/src/apps/nseq.c | 174 + src/lib/libssl/src/apps/oid.cnf | 6 + src/lib/libssl/src/apps/openssl-vms.cnf | 214 + src/lib/libssl/src/apps/openssl.c | 373 ++ src/lib/libssl/src/apps/openssl.cnf | 214 + src/lib/libssl/src/apps/pem_mail.c | 18 +- src/lib/libssl/src/apps/pkcs12.c | 703 +++ src/lib/libssl/src/apps/pkcs7.c | 36 +- src/lib/libssl/src/apps/pkcs8.c | 274 + src/lib/libssl/src/apps/privkey.pem | 25 +- src/lib/libssl/src/apps/progs.h | 62 +- src/lib/libssl/src/apps/progs.pl | 77 + src/lib/libssl/src/apps/req.c | 322 +- src/lib/libssl/src/apps/rmlinks | 6 - src/lib/libssl/src/apps/rsa.c | 60 +- src/lib/libssl/src/apps/s_apps.h | 51 +- src/lib/libssl/src/apps/s_cb.c | 48 +- src/lib/libssl/src/apps/s_client.c | 222 +- src/lib/libssl/src/apps/s_server.c | 441 +- src/lib/libssl/src/apps/s_socket.c | 137 +- src/lib/libssl/src/apps/s_time.c | 85 +- src/lib/libssl/src/apps/server.pem | 14 +- src/lib/libssl/src/apps/sess_id.c | 53 +- src/lib/libssl/src/apps/speed.c | 215 +- src/lib/libssl/src/apps/ssleay.c | 342 - src/lib/libssl/src/apps/ssleay.cnf | 116 - src/lib/libssl/src/apps/testdsa.h | 7 - src/lib/libssl/src/apps/verify.c | 29 +- src/lib/libssl/src/apps/version.c | 21 +- src/lib/libssl/src/apps/x509.c | 282 +- src/lib/libssl/src/bugs/sgiccbug.c | 2 + src/lib/libssl/src/bugs/stream.c | 4 +- src/lib/libssl/src/bugs/ultrixcc.c | 45 + src/lib/libssl/src/certs/vsign1.pem | 28 +- src/lib/libssl/src/certs/vsign2.pem | 45 +- src/lib/libssl/src/certs/vsign3.pem | 30 +- src/lib/libssl/src/certs/vsign4.pem | 16 - src/lib/libssl/src/certs/vsignss.pem | 17 + src/lib/libssl/src/certs/vsigntca.pem | 18 + src/lib/libssl/src/config | 279 +- src/lib/libssl/src/crypto/Makefile | 308 +- src/lib/libssl/src/crypto/Makefile.ssl | 140 +- src/lib/libssl/src/crypto/asn1/Makefile.ssl | 1038 ++- src/lib/libssl/src/crypto/asn1/a_bitstr.c | 78 +- src/lib/libssl/src/crypto/asn1/a_bmp.c | 19 +- src/lib/libssl/src/crypto/asn1/a_bool.c | 15 +- src/lib/libssl/src/crypto/asn1/a_bytes.c | 44 +- src/lib/libssl/src/crypto/asn1/a_d2i_fp.c | 18 +- src/lib/libssl/src/crypto/asn1/a_digest.c | 14 +- src/lib/libssl/src/crypto/asn1/a_dup.c | 7 +- src/lib/libssl/src/crypto/asn1/a_enum.c | 326 + src/lib/libssl/src/crypto/asn1/a_gentm.c | 224 + src/lib/libssl/src/crypto/asn1/a_hdr.c | 27 +- src/lib/libssl/src/crypto/asn1/a_i2d_fp.c | 14 +- src/lib/libssl/src/crypto/asn1/a_int.c | 215 +- src/lib/libssl/src/crypto/asn1/a_meth.c | 8 +- src/lib/libssl/src/crypto/asn1/a_object.c | 139 +- src/lib/libssl/src/crypto/asn1/a_octet.c | 17 +- src/lib/libssl/src/crypto/asn1/a_print.c | 70 +- src/lib/libssl/src/crypto/asn1/a_set.c | 112 +- src/lib/libssl/src/crypto/asn1/a_sign.c | 28 +- src/lib/libssl/src/crypto/asn1/a_time.c | 123 + src/lib/libssl/src/crypto/asn1/a_type.c | 91 +- src/lib/libssl/src/crypto/asn1/a_utctm.c | 98 +- src/lib/libssl/src/crypto/asn1/a_utf8.c | 83 + src/lib/libssl/src/crypto/asn1/a_verify.c | 23 +- src/lib/libssl/src/crypto/asn1/a_vis.c | 83 + src/lib/libssl/src/crypto/asn1/asn1.err | 182 - src/lib/libssl/src/crypto/asn1/asn1.h | 606 +- src/lib/libssl/src/crypto/asn1/asn1_err.c | 357 +- src/lib/libssl/src/crypto/asn1/asn1_lib.c | 121 +- src/lib/libssl/src/crypto/asn1/asn1_mac.h | 355 +- src/lib/libssl/src/crypto/asn1/asn1_par.c | 84 +- src/lib/libssl/src/crypto/asn1/asn_pack.c | 145 + src/lib/libssl/src/crypto/asn1/d2i_dhp.c | 23 +- src/lib/libssl/src/crypto/asn1/d2i_dsap.c | 25 +- src/lib/libssl/src/crypto/asn1/d2i_pr.c | 17 +- src/lib/libssl/src/crypto/asn1/d2i_pu.c | 17 +- src/lib/libssl/src/crypto/asn1/d2i_r_pr.c | 24 +- src/lib/libssl/src/crypto/asn1/d2i_r_pu.c | 23 +- src/lib/libssl/src/crypto/asn1/d2i_s_pr.c | 24 +- src/lib/libssl/src/crypto/asn1/d2i_s_pu.c | 25 +- src/lib/libssl/src/crypto/asn1/evp_asn1.c | 38 +- src/lib/libssl/src/crypto/asn1/f.c | 4 +- src/lib/libssl/src/crypto/asn1/f_enum.c | 207 + src/lib/libssl/src/crypto/asn1/f_int.c | 25 +- src/lib/libssl/src/crypto/asn1/f_string.c | 26 +- src/lib/libssl/src/crypto/asn1/i2d_dhp.c | 24 +- src/lib/libssl/src/crypto/asn1/i2d_dsap.c | 16 +- src/lib/libssl/src/crypto/asn1/i2d_pr.c | 10 +- src/lib/libssl/src/crypto/asn1/i2d_pu.c | 10 +- src/lib/libssl/src/crypto/asn1/i2d_r_pr.c | 19 +- src/lib/libssl/src/crypto/asn1/i2d_r_pu.c | 20 +- src/lib/libssl/src/crypto/asn1/i2d_s_pr.c | 19 +- src/lib/libssl/src/crypto/asn1/i2d_s_pu.c | 22 +- src/lib/libssl/src/crypto/asn1/n_pkey.c | 66 +- src/lib/libssl/src/crypto/asn1/nsseq.c | 118 + src/lib/libssl/src/crypto/asn1/p5_pbe.c | 156 + src/lib/libssl/src/crypto/asn1/p5_pbev2.c | 274 + src/lib/libssl/src/crypto/asn1/p7_dgst.c | 25 +- src/lib/libssl/src/crypto/asn1/p7_enc.c | 25 +- src/lib/libssl/src/crypto/asn1/p7_enc_c.c | 28 +- src/lib/libssl/src/crypto/asn1/p7_evp.c | 38 +- src/lib/libssl/src/crypto/asn1/p7_i_s.c | 25 +- src/lib/libssl/src/crypto/asn1/p7_lib.c | 42 +- src/lib/libssl/src/crypto/asn1/p7_recip.c | 29 +- src/lib/libssl/src/crypto/asn1/p7_s_e.c | 81 +- src/lib/libssl/src/crypto/asn1/p7_signd.c | 69 +- src/lib/libssl/src/crypto/asn1/p7_signi.c | 51 +- src/lib/libssl/src/crypto/asn1/p8_pkey.c | 129 + src/lib/libssl/src/crypto/asn1/pkcs8.c | 23 +- src/lib/libssl/src/crypto/asn1/t_crl.c | 166 + src/lib/libssl/src/crypto/asn1/t_pkey.c | 71 +- src/lib/libssl/src/crypto/asn1/t_req.c | 36 +- src/lib/libssl/src/crypto/asn1/t_x509.c | 150 +- src/lib/libssl/src/crypto/asn1/x_algor.c | 28 +- src/lib/libssl/src/crypto/asn1/x_attrib.c | 59 +- src/lib/libssl/src/crypto/asn1/x_cinf.c | 56 +- src/lib/libssl/src/crypto/asn1/x_crl.c | 175 +- src/lib/libssl/src/crypto/asn1/x_exten.c | 28 +- src/lib/libssl/src/crypto/asn1/x_info.c | 14 +- src/lib/libssl/src/crypto/asn1/x_name.c | 96 +- src/lib/libssl/src/crypto/asn1/x_pkey.c | 27 +- src/lib/libssl/src/crypto/asn1/x_pubkey.c | 44 +- src/lib/libssl/src/crypto/asn1/x_req.c | 61 +- src/lib/libssl/src/crypto/asn1/x_sig.c | 23 +- src/lib/libssl/src/crypto/asn1/x_spki.c | 43 +- src/lib/libssl/src/crypto/asn1/x_val.c | 43 +- src/lib/libssl/src/crypto/asn1/x_x509.c | 33 +- src/lib/libssl/src/crypto/bf/Makefile.ssl | 45 +- src/lib/libssl/src/crypto/bf/Makefile.uni | 20 +- src/lib/libssl/src/crypto/bf/asm/bf-586.pl | 4 +- src/lib/libssl/src/crypto/bf/asm/bf-686.pl | 1 - src/lib/libssl/src/crypto/bf/asm/bx86unix.cpp | 976 --- src/lib/libssl/src/crypto/bf/bf_cbc.c | 11 +- src/lib/libssl/src/crypto/bf/bf_cfb64.c | 12 +- src/lib/libssl/src/crypto/bf/bf_ecb.c | 14 +- src/lib/libssl/src/crypto/bf/bf_enc.c | 93 +- src/lib/libssl/src/crypto/bf/bf_locl.h | 219 + src/lib/libssl/src/crypto/bf/bf_locl.org | 242 - src/lib/libssl/src/crypto/bf/bf_ofb64.c | 11 +- src/lib/libssl/src/crypto/bf/bf_opts.c | 61 +- src/lib/libssl/src/crypto/bf/bf_skey.c | 7 +- src/lib/libssl/src/crypto/bf/bfs.cpp | 2 +- src/lib/libssl/src/crypto/bf/bfspeed.c | 59 +- src/lib/libssl/src/crypto/bf/bftest.c | 46 +- src/lib/libssl/src/crypto/bf/blowfish.h | 45 +- src/lib/libssl/src/crypto/bio/Makefile.ssl | 170 +- src/lib/libssl/src/crypto/bio/b_dump.c | 13 +- src/lib/libssl/src/crypto/bio/b_print.c | 19 +- src/lib/libssl/src/crypto/bio/b_sock.c | 319 +- src/lib/libssl/src/crypto/bio/bf_buff.c | 49 +- src/lib/libssl/src/crypto/bio/bf_nbio.c | 50 +- src/lib/libssl/src/crypto/bio/bf_null.c | 48 +- src/lib/libssl/src/crypto/bio/bio.err | 46 - src/lib/libssl/src/crypto/bio/bio.h | 343 +- src/lib/libssl/src/crypto/bio/bio_cb.c | 13 +- src/lib/libssl/src/crypto/bio/bio_err.c | 131 +- src/lib/libssl/src/crypto/bio/bio_lib.c | 147 +- src/lib/libssl/src/crypto/bio/bss_acpt.c | 132 +- src/lib/libssl/src/crypto/bio/bss_bio.c | 588 ++ src/lib/libssl/src/crypto/bio/bss_conn.c | 146 +- src/lib/libssl/src/crypto/bio/bss_file.c | 60 +- src/lib/libssl/src/crypto/bio/bss_log.c | 232 + src/lib/libssl/src/crypto/bio/bss_mem.c | 59 +- src/lib/libssl/src/crypto/bio/bss_null.c | 46 +- src/lib/libssl/src/crypto/bio/bss_rtcp.c | 56 +- src/lib/libssl/src/crypto/bio/bss_sock.c | 118 +- src/lib/libssl/src/crypto/bn/Makefile.ssl | 215 +- src/lib/libssl/src/crypto/bn/asm/alpha.s | 1860 +++++- src/lib/libssl/src/crypto/bn/asm/alpha.s.works | 533 ++ src/lib/libssl/src/crypto/bn/asm/bn-586.pl | 84 +- src/lib/libssl/src/crypto/bn/asm/bn-alpha.pl | 571 ++ src/lib/libssl/src/crypto/bn/asm/bn-win32.asm | 1441 ++++- src/lib/libssl/src/crypto/bn/asm/bn86unix.cpp | 752 --- src/lib/libssl/src/crypto/bn/asm/ca.pl | 33 + src/lib/libssl/src/crypto/bn/asm/co-586.pl | 286 + src/lib/libssl/src/crypto/bn/asm/co-alpha.pl | 116 + src/lib/libssl/src/crypto/bn/asm/mips1.s | 539 ++ src/lib/libssl/src/crypto/bn/asm/mips3.s | 2138 +++++++ src/lib/libssl/src/crypto/bn/asm/sparc.s | 462 -- src/lib/libssl/src/crypto/bn/asm/sparcv8.S | 1458 +++++ src/lib/libssl/src/crypto/bn/asm/sparcv8plus.S | 1535 +++++ src/lib/libssl/src/crypto/bn/asm/vms.mar | 6695 ++++++++++++++++++++ src/lib/libssl/src/crypto/bn/asm/x86.pl | 28 + src/lib/libssl/src/crypto/bn/asm/x86w16.asm | 6 +- src/lib/libssl/src/crypto/bn/asm/x86w32.asm | 34 +- src/lib/libssl/src/crypto/bn/bn.err | 27 - src/lib/libssl/src/crypto/bn/bn.h | 467 ++ src/lib/libssl/src/crypto/bn/bn.mul | 19 + src/lib/libssl/src/crypto/bn/bn.org | 502 -- src/lib/libssl/src/crypto/bn/bn_add.c | 194 +- src/lib/libssl/src/crypto/bn/bn_asm.c | 802 +++ src/lib/libssl/src/crypto/bn/bn_blind.c | 43 +- src/lib/libssl/src/crypto/bn/bn_comba.c | 345 + src/lib/libssl/src/crypto/bn/bn_div.c | 180 +- src/lib/libssl/src/crypto/bn/bn_err.c | 123 +- src/lib/libssl/src/crypto/bn/bn_exp.c | 210 +- src/lib/libssl/src/crypto/bn/bn_exp2.c | 195 + src/lib/libssl/src/crypto/bn/bn_gcd.c | 53 +- src/lib/libssl/src/crypto/bn/bn_lcl.h | 107 +- src/lib/libssl/src/crypto/bn/bn_lib.c | 492 +- src/lib/libssl/src/crypto/bn/bn_m.c | 169 - src/lib/libssl/src/crypto/bn/bn_mod.c | 97 - src/lib/libssl/src/crypto/bn/bn_mont.c | 441 +- src/lib/libssl/src/crypto/bn/bn_mpi.c | 11 +- src/lib/libssl/src/crypto/bn/bn_mul.c | 753 ++- src/lib/libssl/src/crypto/bn/bn_mulw.c | 366 -- src/lib/libssl/src/crypto/bn/bn_opts.c | 324 + src/lib/libssl/src/crypto/bn/bn_prime.c | 126 +- src/lib/libssl/src/crypto/bn/bn_prime.pl | 2 +- src/lib/libssl/src/crypto/bn/bn_print.c | 30 +- src/lib/libssl/src/crypto/bn/bn_rand.c | 10 +- src/lib/libssl/src/crypto/bn/bn_recp.c | 178 +- src/lib/libssl/src/crypto/bn/bn_shift.c | 18 +- src/lib/libssl/src/crypto/bn/bn_sqr.c | 205 +- src/lib/libssl/src/crypto/bn/bn_sub.c | 180 - src/lib/libssl/src/crypto/bn/bn_word.c | 30 +- src/lib/libssl/src/crypto/bn/bnspeed.c | 67 +- src/lib/libssl/src/crypto/bn/bntest.c | 621 +- src/lib/libssl/src/crypto/bn/comba.pl | 285 + src/lib/libssl/src/crypto/bn/d.c | 72 + src/lib/libssl/src/crypto/bn/exp.c | 60 + src/lib/libssl/src/crypto/bn/expspeed.c | 55 +- src/lib/libssl/src/crypto/bn/exptest.c | 60 +- src/lib/libssl/src/crypto/bn/new | 23 + src/lib/libssl/src/crypto/bn/test.c | 241 + src/lib/libssl/src/crypto/bn/todo | 3 + src/lib/libssl/src/crypto/bn/vms-helper.c | 66 + src/lib/libssl/src/crypto/buffer/Makefile.ssl | 44 +- src/lib/libssl/src/crypto/buffer/buf_err.c | 123 +- src/lib/libssl/src/crypto/buffer/buffer.c | 25 +- src/lib/libssl/src/crypto/buffer/buffer.err | 9 - src/lib/libssl/src/crypto/buffer/buffer.h | 21 +- src/lib/libssl/src/crypto/cast/Makefile.ssl | 51 +- src/lib/libssl/src/crypto/cast/Makefile.uni | 3 +- src/lib/libssl/src/crypto/cast/asm/c-win32.asm | 117 +- src/lib/libssl/src/crypto/cast/asm/cast-586.pl | 267 +- src/lib/libssl/src/crypto/cast/asm/cx86unix.cpp | 1010 --- src/lib/libssl/src/crypto/cast/c_cfb64.c | 25 +- src/lib/libssl/src/crypto/cast/c_ecb.c | 14 +- src/lib/libssl/src/crypto/cast/c_enc.c | 43 +- src/lib/libssl/src/crypto/cast/c_ofb64.c | 16 +- src/lib/libssl/src/crypto/cast/c_skey.c | 11 +- src/lib/libssl/src/crypto/cast/cast.h | 36 +- src/lib/libssl/src/crypto/cast/cast_lcl.h | 20 +- src/lib/libssl/src/crypto/cast/cast_s.h | 16 +- src/lib/libssl/src/crypto/cast/cast_spd.c | 59 +- src/lib/libssl/src/crypto/cast/castopts.c | 61 +- src/lib/libssl/src/crypto/cast/casts.cpp | 2 +- src/lib/libssl/src/crypto/cast/casttest.c | 183 +- src/lib/libssl/src/crypto/conf/Makefile.ssl | 49 +- src/lib/libssl/src/crypto/conf/cnf_save.c | 7 +- src/lib/libssl/src/crypto/conf/conf.c | 211 +- src/lib/libssl/src/crypto/conf/conf.err | 12 - src/lib/libssl/src/crypto/conf/conf.h | 32 +- src/lib/libssl/src/crypto/conf/conf_err.c | 120 +- src/lib/libssl/src/crypto/conf/conf_lcl.h | 14 + src/lib/libssl/src/crypto/conf/keysets.pl | 2 +- src/lib/libssl/src/crypto/conf/test.c | 5 +- src/lib/libssl/src/crypto/cpt_err.c | 122 +- src/lib/libssl/src/crypto/cryptall.h | 110 - src/lib/libssl/src/crypto/cryptlib.c | 85 +- src/lib/libssl/src/crypto/cryptlib.h | 34 +- src/lib/libssl/src/crypto/crypto-lib.com | 1218 ++++ src/lib/libssl/src/crypto/crypto.c | 575 -- src/lib/libssl/src/crypto/crypto.err | 8 - src/lib/libssl/src/crypto/crypto.h | 188 +- src/lib/libssl/src/crypto/cversion.c | 39 +- src/lib/libssl/src/crypto/date.h | 1 - src/lib/libssl/src/crypto/des/Makefile.ssl | 126 +- src/lib/libssl/src/crypto/des/Makefile.uni | 20 +- src/lib/libssl/src/crypto/des/VERSION | 1 + src/lib/libssl/src/crypto/des/asm/crypt586.pl | 4 +- src/lib/libssl/src/crypto/des/asm/des-586.pl | 4 +- src/lib/libssl/src/crypto/des/asm/des686.pl | 2 +- src/lib/libssl/src/crypto/des/asm/desboth.pl | 8 +- src/lib/libssl/src/crypto/des/asm/dx86unix.cpp | 3202 ---------- src/lib/libssl/src/crypto/des/asm/yx86unix.cpp | 976 --- src/lib/libssl/src/crypto/des/cbc3_enc.c | 12 +- src/lib/libssl/src/crypto/des/cbc_cksm.c | 16 +- src/lib/libssl/src/crypto/des/cbc_enc.c | 78 +- src/lib/libssl/src/crypto/des/cfb64ede.c | 36 +- src/lib/libssl/src/crypto/des/cfb64enc.c | 27 +- src/lib/libssl/src/crypto/des/cfb_enc.c | 14 +- src/lib/libssl/src/crypto/des/des-lib.com | 1003 +++ src/lib/libssl/src/crypto/des/des.c | 121 +- src/lib/libssl/src/crypto/des/des.h | 249 + src/lib/libssl/src/crypto/des/des.org | 301 - src/lib/libssl/src/crypto/des/des.pl | 2 +- src/lib/libssl/src/crypto/des/des3s.cpp | 2 +- src/lib/libssl/src/crypto/des/des_enc.c | 140 +- src/lib/libssl/src/crypto/des/des_locl.h | 408 ++ src/lib/libssl/src/crypto/des/des_locl.org | 516 -- src/lib/libssl/src/crypto/des/des_opts.c | 62 +- src/lib/libssl/src/crypto/des/des_ver.h | 5 +- src/lib/libssl/src/crypto/des/dess.cpp | 2 +- src/lib/libssl/src/crypto/des/destest.c | 295 +- src/lib/libssl/src/crypto/des/ecb3_enc.c | 15 +- src/lib/libssl/src/crypto/des/ecb_enc.c | 24 +- src/lib/libssl/src/crypto/des/ede_cbcm_enc.c | 197 + src/lib/libssl/src/crypto/des/ede_enc.c | 190 - src/lib/libssl/src/crypto/des/enc_read.c | 84 +- src/lib/libssl/src/crypto/des/enc_writ.c | 62 +- src/lib/libssl/src/crypto/des/fcrypt_b.c | 9 +- src/lib/libssl/src/crypto/des/ncbc_enc.c | 41 +- src/lib/libssl/src/crypto/des/ofb64ede.c | 27 +- src/lib/libssl/src/crypto/des/ofb64enc.c | 22 +- src/lib/libssl/src/crypto/des/ofb_enc.c | 13 +- src/lib/libssl/src/crypto/des/pcbc_enc.c | 18 +- src/lib/libssl/src/crypto/des/qud_cksm.c | 16 +- src/lib/libssl/src/crypto/des/rand_key.c | 22 +- src/lib/libssl/src/crypto/des/ranlib.sh | 23 - src/lib/libssl/src/crypto/des/read2pwd.c | 12 +- src/lib/libssl/src/crypto/des/read_pwd.c | 145 +- src/lib/libssl/src/crypto/des/rpc_enc.c | 23 +- src/lib/libssl/src/crypto/des/rpw.c | 10 +- src/lib/libssl/src/crypto/des/set_key.c | 36 +- src/lib/libssl/src/crypto/des/shifts.pl | 2 +- src/lib/libssl/src/crypto/des/speed.c | 77 +- src/lib/libssl/src/crypto/des/spr.h | 2 +- src/lib/libssl/src/crypto/des/str2key.c | 34 +- src/lib/libssl/src/crypto/des/supp.c | 8 +- src/lib/libssl/src/crypto/des/testdes.pl | 2 +- src/lib/libssl/src/crypto/des/vms.com | 90 - src/lib/libssl/src/crypto/des/xcbc_enc.c | 56 +- src/lib/libssl/src/crypto/dh/Makefile.ssl | 66 +- src/lib/libssl/src/crypto/dh/dh.err | 12 - src/lib/libssl/src/crypto/dh/dh.h | 44 +- src/lib/libssl/src/crypto/dh/dh_check.c | 8 +- src/lib/libssl/src/crypto/dh/dh_err.c | 118 +- src/lib/libssl/src/crypto/dh/dh_gen.c | 18 +- src/lib/libssl/src/crypto/dh/dh_key.c | 52 +- src/lib/libssl/src/crypto/dh/dh_lib.c | 19 +- src/lib/libssl/src/crypto/dh/dhtest.c | 36 +- src/lib/libssl/src/crypto/dh/p1024.c | 8 +- src/lib/libssl/src/crypto/dh/p192.c | 8 +- src/lib/libssl/src/crypto/dh/p512.c | 8 +- src/lib/libssl/src/crypto/dsa/Makefile.ssl | 91 +- src/lib/libssl/src/crypto/dsa/dsa.err | 15 - src/lib/libssl/src/crypto/dsa/dsa.h | 80 +- src/lib/libssl/src/crypto/dsa/dsa_asn1.c | 96 + src/lib/libssl/src/crypto/dsa/dsa_err.c | 123 +- src/lib/libssl/src/crypto/dsa/dsa_gen.c | 109 +- src/lib/libssl/src/crypto/dsa/dsa_key.c | 14 +- src/lib/libssl/src/crypto/dsa/dsa_lib.c | 59 +- src/lib/libssl/src/crypto/dsa/dsa_sign.c | 152 +- src/lib/libssl/src/crypto/dsa/dsa_vrf.c | 140 +- src/lib/libssl/src/crypto/dsa/dsagen.c | 5 +- src/lib/libssl/src/crypto/dsa/dsatest.c | 52 +- src/lib/libssl/src/crypto/ebcdic.h | 17 + src/lib/libssl/src/crypto/err/Makefile.ssl | 60 +- src/lib/libssl/src/crypto/err/err.c | 185 +- src/lib/libssl/src/crypto/err/err.h | 82 +- src/lib/libssl/src/crypto/err/err_all.c | 34 +- src/lib/libssl/src/crypto/err/err_code.pl | 105 - src/lib/libssl/src/crypto/err/err_genc.pl | 198 - src/lib/libssl/src/crypto/err/err_prn.c | 20 +- src/lib/libssl/src/crypto/err/error.err | 13 - src/lib/libssl/src/crypto/err/openssl.ec | 71 + src/lib/libssl/src/crypto/err/ssleay.ec | 57 - src/lib/libssl/src/crypto/evp/Makefile.ssl | 1034 ++- src/lib/libssl/src/crypto/evp/bio_b64.c | 39 +- src/lib/libssl/src/crypto/evp/bio_enc.c | 58 +- src/lib/libssl/src/crypto/evp/bio_md.c | 48 +- src/lib/libssl/src/crypto/evp/bio_ok.c | 552 ++ src/lib/libssl/src/crypto/evp/c_all.c | 77 +- src/lib/libssl/src/crypto/evp/digest.c | 29 +- src/lib/libssl/src/crypto/evp/e_cbc_3d.c | 64 +- src/lib/libssl/src/crypto/evp/e_cbc_bf.c | 31 +- src/lib/libssl/src/crypto/evp/e_cbc_c.c | 28 +- src/lib/libssl/src/crypto/evp/e_cbc_d.c | 40 +- src/lib/libssl/src/crypto/evp/e_cbc_i.c | 28 +- src/lib/libssl/src/crypto/evp/e_cbc_r2.c | 122 +- src/lib/libssl/src/crypto/evp/e_cbc_r5.c | 26 +- src/lib/libssl/src/crypto/evp/e_cfb_3d.c | 69 +- src/lib/libssl/src/crypto/evp/e_cfb_bf.c | 29 +- src/lib/libssl/src/crypto/evp/e_cfb_c.c | 26 +- src/lib/libssl/src/crypto/evp/e_cfb_d.c | 34 +- src/lib/libssl/src/crypto/evp/e_cfb_i.c | 26 +- src/lib/libssl/src/crypto/evp/e_cfb_r2.c | 30 +- src/lib/libssl/src/crypto/evp/e_cfb_r5.c | 26 +- src/lib/libssl/src/crypto/evp/e_dsa.c | 6 +- src/lib/libssl/src/crypto/evp/e_ecb_3d.c | 67 +- src/lib/libssl/src/crypto/evp/e_ecb_bf.c | 29 +- src/lib/libssl/src/crypto/evp/e_ecb_c.c | 26 +- src/lib/libssl/src/crypto/evp/e_ecb_d.c | 48 +- src/lib/libssl/src/crypto/evp/e_ecb_i.c | 26 +- src/lib/libssl/src/crypto/evp/e_ecb_r2.c | 30 +- src/lib/libssl/src/crypto/evp/e_ecb_r5.c | 26 +- src/lib/libssl/src/crypto/evp/e_null.c | 26 +- src/lib/libssl/src/crypto/evp/e_ofb_3d.c | 65 +- src/lib/libssl/src/crypto/evp/e_ofb_bf.c | 29 +- src/lib/libssl/src/crypto/evp/e_ofb_c.c | 26 +- src/lib/libssl/src/crypto/evp/e_ofb_d.c | 41 +- src/lib/libssl/src/crypto/evp/e_ofb_i.c | 26 +- src/lib/libssl/src/crypto/evp/e_ofb_r2.c | 30 +- src/lib/libssl/src/crypto/evp/e_ofb_r5.c | 26 +- src/lib/libssl/src/crypto/evp/e_rc4.c | 28 +- src/lib/libssl/src/crypto/evp/e_xcbc_d.c | 42 +- src/lib/libssl/src/crypto/evp/encode.c | 57 +- src/lib/libssl/src/crypto/evp/evp.err | 24 - src/lib/libssl/src/crypto/evp/evp.h | 347 +- src/lib/libssl/src/crypto/evp/evp_enc.c | 71 +- src/lib/libssl/src/crypto/evp/evp_err.c | 144 +- src/lib/libssl/src/crypto/evp/evp_key.c | 31 +- src/lib/libssl/src/crypto/evp/evp_lib.c | 51 +- src/lib/libssl/src/crypto/evp/evp_pbe.c | 134 + src/lib/libssl/src/crypto/evp/evp_pkey.c | 298 + src/lib/libssl/src/crypto/evp/m_dss.c | 11 +- src/lib/libssl/src/crypto/evp/m_dss1.c | 10 +- src/lib/libssl/src/crypto/evp/m_md2.c | 11 +- src/lib/libssl/src/crypto/evp/m_md5.c | 10 +- src/lib/libssl/src/crypto/evp/m_mdc2.c | 10 +- src/lib/libssl/src/crypto/evp/m_null.c | 10 +- src/lib/libssl/src/crypto/evp/m_ripemd.c | 11 +- src/lib/libssl/src/crypto/evp/m_sha.c | 11 +- src/lib/libssl/src/crypto/evp/m_sha1.c | 10 +- src/lib/libssl/src/crypto/evp/names.c | 239 +- src/lib/libssl/src/crypto/evp/p5_crpt.c | 146 + src/lib/libssl/src/crypto/evp/p5_crpt2.c | 247 + src/lib/libssl/src/crypto/evp/p_dec.c | 23 +- src/lib/libssl/src/crypto/evp/p_enc.c | 23 +- src/lib/libssl/src/crypto/evp/p_lib.c | 53 +- src/lib/libssl/src/crypto/evp/p_open.c | 22 +- src/lib/libssl/src/crypto/evp/p_seal.c | 27 +- src/lib/libssl/src/crypto/evp/p_sign.c | 25 +- src/lib/libssl/src/crypto/evp/p_verify.c | 15 +- src/lib/libssl/src/crypto/evp/pk_lib.c | 82 - src/lib/libssl/src/crypto/ex_data.c | 57 +- src/lib/libssl/src/crypto/hmac/Makefile.ssl | 44 +- src/lib/libssl/src/crypto/hmac/hmac.c | 33 +- src/lib/libssl/src/crypto/hmac/hmac.h | 28 +- src/lib/libssl/src/crypto/hmac/hmactest.c | 34 +- src/lib/libssl/src/crypto/idea/Makefile.ssl | 40 +- src/lib/libssl/src/crypto/idea/idea.h | 99 + src/lib/libssl/src/crypto/install.com | 128 + src/lib/libssl/src/crypto/lhash/Makefile.ssl | 38 +- src/lib/libssl/src/crypto/lhash/lh_stats.c | 38 +- src/lib/libssl/src/crypto/lhash/lh_test.c | 2 +- src/lib/libssl/src/crypto/lhash/lhash.c | 97 +- src/lib/libssl/src/crypto/lhash/lhash.h | 33 +- src/lib/libssl/src/crypto/lhash/num.pl | 2 +- src/lib/libssl/src/crypto/libvms.com | 31 - src/lib/libssl/src/crypto/md2/Makefile.ssl | 40 +- src/lib/libssl/src/crypto/md2/md2.c | 20 +- src/lib/libssl/src/crypto/md2/md2.h | 91 + src/lib/libssl/src/crypto/md2/md2.org | 106 - src/lib/libssl/src/crypto/md2/md2_dgst.c | 28 +- src/lib/libssl/src/crypto/md2/md2_one.c | 23 +- src/lib/libssl/src/crypto/md2/md2test.c | 27 +- src/lib/libssl/src/crypto/md32_common.h | 594 ++ src/lib/libssl/src/crypto/md5/Makefile.ssl | 58 +- src/lib/libssl/src/crypto/md5/Makefile.uni | 3 +- src/lib/libssl/src/crypto/md5/asm/m5-win32.asm | 55 +- src/lib/libssl/src/crypto/md5/asm/md5-586.pl | 40 +- src/lib/libssl/src/crypto/md5/asm/md5-sparcv9.S | 1029 +++ src/lib/libssl/src/crypto/md5/asm/mx86unix.cpp | 730 --- src/lib/libssl/src/crypto/md5/md5.c | 18 +- src/lib/libssl/src/crypto/md5/md5.h | 51 +- src/lib/libssl/src/crypto/md5/md5_dgst.c | 395 +- src/lib/libssl/src/crypto/md5/md5_locl.h | 160 +- src/lib/libssl/src/crypto/md5/md5_one.c | 28 +- src/lib/libssl/src/crypto/md5/md5s.cpp | 2 +- src/lib/libssl/src/crypto/md5/md5test.c | 23 +- src/lib/libssl/src/crypto/mdc2/Makefile.ssl | 39 +- src/lib/libssl/src/crypto/mdc2/mdc2.h | 16 +- src/lib/libssl/src/crypto/mem.c | 228 +- src/lib/libssl/src/crypto/objects/Makefile.ssl | 66 +- src/lib/libssl/src/crypto/objects/o_names.c | 243 + src/lib/libssl/src/crypto/objects/obj_dat.c | 269 +- src/lib/libssl/src/crypto/objects/obj_dat.h | 656 -- src/lib/libssl/src/crypto/objects/obj_dat.pl | 4 +- src/lib/libssl/src/crypto/objects/obj_err.c | 118 +- src/lib/libssl/src/crypto/objects/obj_lib.c | 32 +- src/lib/libssl/src/crypto/objects/objects.err | 12 - src/lib/libssl/src/crypto/objects/objects.h | 316 +- src/lib/libssl/src/crypto/opensslconf.h.in | 142 + src/lib/libssl/src/crypto/opensslv.h | 21 + src/lib/libssl/src/crypto/pem/Makefile.ssl | 162 +- src/lib/libssl/src/crypto/pem/ctx_size.c | 122 - src/lib/libssl/src/crypto/pem/pem.err | 38 - src/lib/libssl/src/crypto/pem/pem.h | 551 +- src/lib/libssl/src/crypto/pem/pem.org | 562 -- src/lib/libssl/src/crypto/pem/pem2.h | 60 + src/lib/libssl/src/crypto/pem/pem_all.c | 429 +- src/lib/libssl/src/crypto/pem/pem_err.c | 121 +- src/lib/libssl/src/crypto/pem/pem_info.c | 60 +- src/lib/libssl/src/crypto/pem/pem_lib.c | 273 +- src/lib/libssl/src/crypto/pem/pem_seal.c | 41 +- src/lib/libssl/src/crypto/pem/pem_sign.c | 27 +- src/lib/libssl/src/crypto/perlasm/alpha.pl | 434 ++ src/lib/libssl/src/crypto/perlasm/cbc.pl | 2 +- src/lib/libssl/src/crypto/perlasm/x86asm.pl | 11 +- src/lib/libssl/src/crypto/perlasm/x86ms.pl | 12 +- src/lib/libssl/src/crypto/perlasm/x86nasm.pl | 342 + src/lib/libssl/src/crypto/perlasm/x86unix.pl | 42 +- src/lib/libssl/src/crypto/pkcs7/Makefile.ssl | 97 +- src/lib/libssl/src/crypto/pkcs7/bio_ber.c | 450 ++ src/lib/libssl/src/crypto/pkcs7/dec.c | 246 + src/lib/libssl/src/crypto/pkcs7/des.pem | 15 + src/lib/libssl/src/crypto/pkcs7/enc.c | 79 +- src/lib/libssl/src/crypto/pkcs7/es1.pem | 66 + src/lib/libssl/src/crypto/pkcs7/example.c | 327 + src/lib/libssl/src/crypto/pkcs7/example.h | 57 + src/lib/libssl/src/crypto/pkcs7/info.pem | 57 + src/lib/libssl/src/crypto/pkcs7/infokey.pem | 9 + src/lib/libssl/src/crypto/pkcs7/mf.p7 | 18 - src/lib/libssl/src/crypto/pkcs7/p7.tst | 33 - src/lib/libssl/src/crypto/pkcs7/pk7_dgst.c | 10 +- src/lib/libssl/src/crypto/pkcs7/pk7_doit.c | 718 ++- src/lib/libssl/src/crypto/pkcs7/pk7_enc.c | 10 +- src/lib/libssl/src/crypto/pkcs7/pk7_lib.c | 156 +- src/lib/libssl/src/crypto/pkcs7/pkcs7.err | 26 - src/lib/libssl/src/crypto/pkcs7/pkcs7.h | 196 +- src/lib/libssl/src/crypto/pkcs7/pkcs7err.c | 129 +- src/lib/libssl/src/crypto/pkcs7/sign.c | 21 +- src/lib/libssl/src/crypto/pkcs7/verify.c | 55 +- src/lib/libssl/src/crypto/rand/Makefile.ssl | 41 +- src/lib/libssl/src/crypto/rand/md_rand.c | 102 +- src/lib/libssl/src/crypto/rand/rand.h | 31 +- src/lib/libssl/src/crypto/rand/rand_lib.c | 98 + src/lib/libssl/src/crypto/rand/randfile.c | 39 +- src/lib/libssl/src/crypto/rand/randtest.c | 20 +- src/lib/libssl/src/crypto/ranlib.sh | 23 - src/lib/libssl/src/crypto/rc2/Makefile.ssl | 40 +- src/lib/libssl/src/crypto/rc2/Makefile.uni | 3 +- src/lib/libssl/src/crypto/rc2/rc2.h | 99 + src/lib/libssl/src/crypto/rc2/rc2.org | 118 - src/lib/libssl/src/crypto/rc2/rc2_cbc.c | 19 +- src/lib/libssl/src/crypto/rc2/rc2_ecb.c | 12 +- src/lib/libssl/src/crypto/rc2/rc2_skey.c | 8 +- src/lib/libssl/src/crypto/rc2/rc2cfb64.c | 12 +- src/lib/libssl/src/crypto/rc2/rc2ofb64.c | 11 +- src/lib/libssl/src/crypto/rc2/rc2speed.c | 59 +- src/lib/libssl/src/crypto/rc2/rc2test.c | 27 +- src/lib/libssl/src/crypto/rc2/tab.c | 86 + src/lib/libssl/src/crypto/rc4/Makefile.ssl | 41 +- src/lib/libssl/src/crypto/rc4/Makefile.uni | 3 +- src/lib/libssl/src/crypto/rc4/asm/rc4-586.pl | 2 +- src/lib/libssl/src/crypto/rc4/asm/rx86unix.cpp | 358 -- src/lib/libssl/src/crypto/rc4/rc4.c | 6 +- src/lib/libssl/src/crypto/rc4/rc4.h | 88 + src/lib/libssl/src/crypto/rc4/rc4.org | 103 - src/lib/libssl/src/crypto/rc4/rc4_enc.c | 10 +- src/lib/libssl/src/crypto/rc4/rc4_locl.h | 4 + src/lib/libssl/src/crypto/rc4/rc4_locl.org | 70 - src/lib/libssl/src/crypto/rc4/rc4_skey.c | 12 +- src/lib/libssl/src/crypto/rc4/rc4s.cpp | 2 +- src/lib/libssl/src/crypto/rc4/rc4speed.c | 59 +- src/lib/libssl/src/crypto/rc4/rc4test.c | 16 +- src/lib/libssl/src/crypto/rc5/Makefile.ssl | 41 +- src/lib/libssl/src/crypto/rc5/Makefile.uni | 3 +- src/lib/libssl/src/crypto/rc5/asm/r586unix.cpp | 628 -- src/lib/libssl/src/crypto/rc5/asm/rc5-586.pl | 2 +- src/lib/libssl/src/crypto/rc5/rc5.h | 17 +- src/lib/libssl/src/crypto/ripemd/Makefile.ssl | 39 +- src/lib/libssl/src/crypto/ripemd/Makefile.uni | 2 +- src/lib/libssl/src/crypto/ripemd/asm/rips.cpp | 2 +- src/lib/libssl/src/crypto/ripemd/asm/rm86unix.cpp | 2016 ------ src/lib/libssl/src/crypto/ripemd/asm/rmd-586.pl | 4 +- src/lib/libssl/src/crypto/ripemd/ripemd.h | 13 +- src/lib/libssl/src/crypto/ripemd/rmd160.c | 18 +- src/lib/libssl/src/crypto/ripemd/rmd_dgst.c | 38 +- src/lib/libssl/src/crypto/ripemd/rmd_locl.h | 6 +- src/lib/libssl/src/crypto/ripemd/rmd_one.c | 6 +- src/lib/libssl/src/crypto/ripemd/rmdtest.c | 31 +- src/lib/libssl/src/crypto/rsa/Makefile.ssl | 134 +- src/lib/libssl/src/crypto/rsa/rsa.err | 45 - src/lib/libssl/src/crypto/rsa/rsa.h | 203 +- src/lib/libssl/src/crypto/rsa/rsa_chk.c | 184 + src/lib/libssl/src/crypto/rsa/rsa_eay.c | 164 +- src/lib/libssl/src/crypto/rsa/rsa_err.c | 133 +- src/lib/libssl/src/crypto/rsa/rsa_gen.c | 14 +- src/lib/libssl/src/crypto/rsa/rsa_lib.c | 167 +- src/lib/libssl/src/crypto/rsa/rsa_none.c | 47 +- src/lib/libssl/src/crypto/rsa/rsa_oaep.c | 162 + src/lib/libssl/src/crypto/rsa/rsa_oaep_test.c | 309 + src/lib/libssl/src/crypto/rsa/rsa_pk1.c | 53 +- src/lib/libssl/src/crypto/rsa/rsa_saos.c | 27 +- src/lib/libssl/src/crypto/rsa/rsa_sign.c | 28 +- src/lib/libssl/src/crypto/rsa/rsa_ssl.c | 22 +- src/lib/libssl/src/crypto/sha/Makefile.ssl | 42 +- src/lib/libssl/src/crypto/sha/Makefile.uni | 2 +- src/lib/libssl/src/crypto/sha/asm/sha1-586.pl | 4 +- src/lib/libssl/src/crypto/sha/asm/sx86unix.cpp | 1948 ------ src/lib/libssl/src/crypto/sha/sha.c | 19 +- src/lib/libssl/src/crypto/sha/sha.h | 58 +- src/lib/libssl/src/crypto/sha/sha1.c | 18 +- src/lib/libssl/src/crypto/sha/sha1_one.c | 9 +- src/lib/libssl/src/crypto/sha/sha1dgst.c | 244 +- src/lib/libssl/src/crypto/sha/sha1s.cpp | 2 +- src/lib/libssl/src/crypto/sha/sha1test.c | 35 +- src/lib/libssl/src/crypto/sha/sha_dgst.c | 250 +- src/lib/libssl/src/crypto/sha/sha_locl.h | 78 +- src/lib/libssl/src/crypto/sha/sha_one.c | 9 +- src/lib/libssl/src/crypto/sha/sha_sgst.c | 246 - src/lib/libssl/src/crypto/sha/shatest.c | 35 +- src/lib/libssl/src/crypto/stack/Makefile.ssl | 37 +- src/lib/libssl/src/crypto/stack/safestack.h | 129 + src/lib/libssl/src/crypto/stack/stack.c | 108 +- src/lib/libssl/src/crypto/stack/stack.h | 33 +- src/lib/libssl/src/crypto/threads/mttest.c | 119 +- src/lib/libssl/src/crypto/threads/th-lock.c | 79 +- src/lib/libssl/src/crypto/tmdiff.c | 106 +- src/lib/libssl/src/crypto/tmdiff.h | 81 + src/lib/libssl/src/crypto/txt_db/Makefile.ssl | 36 +- src/lib/libssl/src/crypto/txt_db/txt_db.c | 39 +- src/lib/libssl/src/crypto/txt_db/txt_db.h | 16 +- src/lib/libssl/src/crypto/x509/Makefile.ssl | 374 +- src/lib/libssl/src/crypto/x509/attrib | 38 - src/lib/libssl/src/crypto/x509/by_dir.c | 57 +- src/lib/libssl/src/crypto/x509/by_file.c | 41 +- src/lib/libssl/src/crypto/x509/v3_net.c | 87 - src/lib/libssl/src/crypto/x509/v3_x509.c | 253 - src/lib/libssl/src/crypto/x509/x509.doc | 27 - src/lib/libssl/src/crypto/x509/x509.err | 46 - src/lib/libssl/src/crypto/x509/x509.h | 627 +- src/lib/libssl/src/crypto/x509/x509_cmp.c | 138 +- src/lib/libssl/src/crypto/x509/x509_d2.c | 13 +- src/lib/libssl/src/crypto/x509/x509_def.c | 16 +- src/lib/libssl/src/crypto/x509/x509_err.c | 136 +- src/lib/libssl/src/crypto/x509/x509_ext.c | 106 +- src/lib/libssl/src/crypto/x509/x509_lu.c | 139 +- src/lib/libssl/src/crypto/x509/x509_obj.c | 72 +- src/lib/libssl/src/crypto/x509/x509_r2x.c | 34 +- src/lib/libssl/src/crypto/x509/x509_req.c | 27 +- src/lib/libssl/src/crypto/x509/x509_set.c | 36 +- src/lib/libssl/src/crypto/x509/x509_txt.c | 18 +- src/lib/libssl/src/crypto/x509/x509_v3.c | 225 +- src/lib/libssl/src/crypto/x509/x509_vfy.c | 221 +- src/lib/libssl/src/crypto/x509/x509_vfy.h | 168 +- src/lib/libssl/src/crypto/x509/x509name.c | 137 +- src/lib/libssl/src/crypto/x509/x509pack.c | 157 - src/lib/libssl/src/crypto/x509/x509rset.c | 20 +- src/lib/libssl/src/crypto/x509/x509type.c | 13 +- src/lib/libssl/src/crypto/x509/x509v3.doc | 24 - src/lib/libssl/src/crypto/x509/x_all.c | 272 +- src/lib/libssl/src/crypto/x509v3/Makefile.ssl | 432 ++ src/lib/libssl/src/crypto/x509v3/README | 4 + src/lib/libssl/src/crypto/x509v3/format | 92 - src/lib/libssl/src/crypto/x509v3/header | 6 - src/lib/libssl/src/crypto/x509v3/v3_akey.c | 249 + src/lib/libssl/src/crypto/x509v3/v3_alt.c | 402 ++ src/lib/libssl/src/crypto/x509v3/v3_bcons.c | 164 + src/lib/libssl/src/crypto/x509v3/v3_bitst.c | 147 + src/lib/libssl/src/crypto/x509v3/v3_conf.c | 366 ++ src/lib/libssl/src/crypto/x509v3/v3_cpols.c | 655 ++ src/lib/libssl/src/crypto/x509v3/v3_crld.c | 283 + src/lib/libssl/src/crypto/x509v3/v3_enum.c | 103 + src/lib/libssl/src/crypto/x509v3/v3_extku.c | 150 + src/lib/libssl/src/crypto/x509v3/v3_genn.c | 237 + src/lib/libssl/src/crypto/x509v3/v3_ia5.c | 116 + src/lib/libssl/src/crypto/x509v3/v3_int.c | 79 + src/lib/libssl/src/crypto/x509v3/v3_ku.c | 318 - src/lib/libssl/src/crypto/x509v3/v3_lib.c | 177 + src/lib/libssl/src/crypto/x509v3/v3_pku.c | 151 + src/lib/libssl/src/crypto/x509v3/v3_prn.c | 135 + src/lib/libssl/src/crypto/x509v3/v3_skey.c | 156 + src/lib/libssl/src/crypto/x509v3/v3_sxnet.c | 340 + src/lib/libssl/src/crypto/x509v3/v3_utl.c | 418 ++ src/lib/libssl/src/crypto/x509v3/v3conf.c | 128 + src/lib/libssl/src/crypto/x509v3/v3err.c | 171 + src/lib/libssl/src/crypto/x509v3/v3prin.c | 101 + src/lib/libssl/src/crypto/x509v3/x509v3.h | 607 +- src/lib/libssl/src/demos/README | 6 + src/lib/libssl/src/demos/b64.c | 14 +- src/lib/libssl/src/demos/b64.pl | 2 +- src/lib/libssl/src/demos/bio/Makefile | 16 + src/lib/libssl/src/demos/bio/saccept.c | 4 +- src/lib/libssl/src/demos/bio/sconnect.c | 7 +- src/lib/libssl/src/demos/maurice/Makefile | 42 +- src/lib/libssl/src/demos/maurice/example1.c | 14 +- src/lib/libssl/src/demos/maurice/example2.c | 18 +- src/lib/libssl/src/demos/maurice/example3.c | 9 +- src/lib/libssl/src/demos/maurice/example4.c | 7 +- src/lib/libssl/src/demos/maurice/loadkeys.c | 14 +- src/lib/libssl/src/demos/maurice/loadkeys.h | 2 +- src/lib/libssl/src/demos/prime/Makefile | 20 + src/lib/libssl/src/demos/prime/prime.c | 7 +- src/lib/libssl/src/demos/selfsign.c | 58 +- src/lib/libssl/src/demos/sign/Makefile | 15 + src/lib/libssl/src/demos/sign/sign.c | 82 +- src/lib/libssl/src/demos/spkigen.c | 12 +- src/lib/libssl/src/demos/ssl/cli.cpp | 29 +- src/lib/libssl/src/demos/ssl/inetdsrv.cpp | 10 +- src/lib/libssl/src/demos/ssl/serv.cpp | 66 +- src/lib/libssl/src/dep/files | 8 - src/lib/libssl/src/dep/gen.pl | 2 +- src/lib/libssl/src/doc/API.doc | 24 - src/lib/libssl/src/doc/README | 10 + src/lib/libssl/src/doc/a_verify.doc | 85 - src/lib/libssl/src/doc/apps.doc | 53 - src/lib/libssl/src/doc/asn1.doc | 401 -- src/lib/libssl/src/doc/bio.doc | 423 -- src/lib/libssl/src/doc/blowfish.doc | 146 - src/lib/libssl/src/doc/bn.doc | 381 -- src/lib/libssl/src/doc/c-indentation.el | 36 + src/lib/libssl/src/doc/ca.1 | 121 - src/lib/libssl/src/doc/callback.doc | 240 - src/lib/libssl/src/doc/cipher.doc | 345 - src/lib/libssl/src/doc/cipher.m | 128 - src/lib/libssl/src/doc/conf.doc | 89 - src/lib/libssl/src/doc/crypto.pod | 27 + src/lib/libssl/src/doc/des.doc | 505 -- src/lib/libssl/src/doc/digest.doc | 94 - src/lib/libssl/src/doc/encode.doc | 15 - src/lib/libssl/src/doc/envelope.doc | 67 - src/lib/libssl/src/doc/error.doc | 115 - src/lib/libssl/src/doc/legal.doc | 117 - src/lib/libssl/src/doc/lhash.doc | 151 - src/lib/libssl/src/doc/md2.doc | 49 - src/lib/libssl/src/doc/md5.doc | 50 - src/lib/libssl/src/doc/memory.doc | 27 - src/lib/libssl/src/doc/ms3-ca.doc | 398 -- src/lib/libssl/src/doc/ns-ca.doc | 154 - src/lib/libssl/src/doc/obj.doc | 69 - src/lib/libssl/src/doc/openssl.pod | 304 + src/lib/libssl/src/doc/openssl.txt | 1174 ++++ src/lib/libssl/src/doc/openssl_button.gif | Bin 0 -> 2063 bytes src/lib/libssl/src/doc/openssl_button.html | 7 + src/lib/libssl/src/doc/rand.doc | 141 - src/lib/libssl/src/doc/rc2.doc | 165 - src/lib/libssl/src/doc/rc4.doc | 44 - src/lib/libssl/src/doc/readme | 6 - src/lib/libssl/src/doc/ref.doc | 48 - src/lib/libssl/src/doc/req.1 | 137 - src/lib/libssl/src/doc/rsa.doc | 135 - src/lib/libssl/src/doc/rsaref.doc | 35 - src/lib/libssl/src/doc/s_mult.doc | 17 - src/lib/libssl/src/doc/session.doc | 297 - src/lib/libssl/src/doc/sha.doc | 52 - src/lib/libssl/src/doc/speed.doc | 96 - src/lib/libssl/src/doc/ssl-ciph.doc | 84 - src/lib/libssl/src/doc/ssl.doc | 172 - src/lib/libssl/src/doc/ssl.pod | 633 ++ src/lib/libssl/src/doc/ssl_ctx.doc | 68 - src/lib/libssl/src/doc/ssleay.doc | 213 - src/lib/libssl/src/doc/ssleay.txt | 7014 +++++++++++++++++++++ src/lib/libssl/src/doc/ssluse.doc | 45 - src/lib/libssl/src/doc/stack.doc | 96 - src/lib/libssl/src/doc/threads.doc | 90 - src/lib/libssl/src/doc/txt_db.doc | 4 - src/lib/libssl/src/doc/verify | 22 - src/lib/libssl/src/doc/why.doc | 79 - src/lib/libssl/src/e_os.h | 142 +- src/lib/libssl/src/e_os2.h | 38 + src/lib/libssl/src/install.com | 88 + src/lib/libssl/src/makefile.one | 1781 ------ src/lib/libssl/src/makevms.com | 969 ++- src/lib/libssl/src/ms/.rnd | Bin 1019 -> 1024 bytes src/lib/libssl/src/ms/32all.bat | 2 +- src/lib/libssl/src/ms/bcb4.bat | 6 + src/lib/libssl/src/ms/certCA.srl | 2 +- src/lib/libssl/src/ms/certCA.ss | 12 +- src/lib/libssl/src/ms/certU.ss | 14 +- src/lib/libssl/src/ms/cmp.pl | 2 +- src/lib/libssl/src/ms/do_masm.bat | 68 + src/lib/libssl/src/ms/do_ms.bat | 23 +- src/lib/libssl/src/ms/do_nasm.bat | 69 + src/lib/libssl/src/ms/do_nt.bat | 7 + src/lib/libssl/src/ms/keyCA.ss | 14 +- src/lib/libssl/src/ms/keyU.ss | 14 +- src/lib/libssl/src/ms/libeay16.def | 987 --- src/lib/libssl/src/ms/libeay32.def | 1035 --- src/lib/libssl/src/ms/mw.bat | 31 + src/lib/libssl/src/ms/ntdll.mak | 1853 ------ src/lib/libssl/src/ms/req2CA.ss | 28 +- src/lib/libssl/src/ms/reqCA.ss | 10 +- src/lib/libssl/src/ms/reqU.ss | 8 +- src/lib/libssl/src/ms/ssleay16.def | 171 - src/lib/libssl/src/ms/ssleay32.def | 164 - src/lib/libssl/src/ms/tenc.bat | 28 +- src/lib/libssl/src/ms/test.bat | 323 +- src/lib/libssl/src/ms/testenc.bat | 187 +- src/lib/libssl/src/ms/testpem.bat | 68 +- src/lib/libssl/src/ms/testss.bat | 196 +- src/lib/libssl/src/ms/tpem.bat | 12 +- src/lib/libssl/src/ms/w31dll.mak | 2295 ------- src/lib/libssl/src/ms/x86asm.bat | 57 + src/lib/libssl/src/mt/mttest.c | 35 +- src/lib/libssl/src/openssl.doxy | 7 + src/lib/libssl/src/perl/MANIFEST | 28 +- src/lib/libssl/src/perl/Makefile.PL | 66 +- src/lib/libssl/src/perl/OpenSSL.pm | 90 + src/lib/libssl/src/perl/OpenSSL.xs | 82 + src/lib/libssl/src/perl/README.1ST | 4 + src/lib/libssl/src/perl/SSLeay.pm | 78 - src/lib/libssl/src/perl/SSLeay.xs | 63 - src/lib/libssl/src/perl/b.pl | 21 - src/lib/libssl/src/perl/bio.pl | 28 - src/lib/libssl/src/perl/bio.txt | 36 - src/lib/libssl/src/perl/bio.xs | 448 -- src/lib/libssl/src/perl/bn.pl | 23 - src/lib/libssl/src/perl/bn.txt | 38 - src/lib/libssl/src/perl/bn.xs | 589 -- src/lib/libssl/src/perl/callback.c | 103 - src/lib/libssl/src/perl/cipher.pl | 39 - src/lib/libssl/src/perl/cipher.txt | 10 - src/lib/libssl/src/perl/cipher.xs | 152 - src/lib/libssl/src/perl/dh.pl | 40 - src/lib/libssl/src/perl/digest.txt | 7 - src/lib/libssl/src/perl/digest.xs | 83 - src/lib/libssl/src/perl/err.txt | 2 - src/lib/libssl/src/perl/err.xs | 46 - src/lib/libssl/src/perl/f.pl | 25 - src/lib/libssl/src/perl/g.pl | 18 - src/lib/libssl/src/perl/gen_rsa.pl | 49 - src/lib/libssl/src/perl/mul.pl | 56 - src/lib/libssl/src/perl/openssl.h | 96 + src/lib/libssl/src/perl/openssl_bio.xs | 450 ++ src/lib/libssl/src/perl/openssl_bn.xs | 593 ++ src/lib/libssl/src/perl/openssl_cipher.xs | 154 + src/lib/libssl/src/perl/openssl_digest.xs | 84 + src/lib/libssl/src/perl/openssl_err.xs | 47 + src/lib/libssl/src/perl/openssl_ssl.xs | 483 ++ src/lib/libssl/src/perl/openssl_x509.xs | 75 + src/lib/libssl/src/perl/p5SSLeay.h | 96 - src/lib/libssl/src/perl/r.pl | 56 - src/lib/libssl/src/perl/s.pl | 72 - src/lib/libssl/src/perl/s2.pl | 49 - src/lib/libssl/src/perl/server.pem | 369 -- src/lib/libssl/src/perl/ss.pl | 64 - src/lib/libssl/src/perl/ssl.pl | 71 - src/lib/libssl/src/perl/ssl.txt | 43 - src/lib/libssl/src/perl/ssl.xs | 474 -- src/lib/libssl/src/perl/ssl_srvr.pl | 35 - src/lib/libssl/src/perl/sslbio.pl | 40 - src/lib/libssl/src/perl/t.pl | 12 - src/lib/libssl/src/perl/test | 32 - src/lib/libssl/src/perl/test.pl | 30 - src/lib/libssl/src/perl/test.txt | 36 - src/lib/libssl/src/perl/test2.pl | 28 - src/lib/libssl/src/perl/test3.pl | 19 - src/lib/libssl/src/perl/test8.pl | 19 - src/lib/libssl/src/perl/test9.pl | 38 - src/lib/libssl/src/perl/testbn.pl | 23 - src/lib/libssl/src/perl/testdec.pl | 14 - src/lib/libssl/src/perl/testmd.pl | 26 - src/lib/libssl/src/perl/tt.pl | 15 - src/lib/libssl/src/perl/typemap | 52 +- src/lib/libssl/src/perl/x509.txt | 6 - src/lib/libssl/src/perl/x509.xs | 74 - src/lib/libssl/src/perl/xstmp.c | 102 - src/lib/libssl/src/perl/y.pl | 7 - src/lib/libssl/src/perl/yy.pl | 19 - src/lib/libssl/src/perl/z.pl | 32 - src/lib/libssl/src/perl/zz.pl | 22 - src/lib/libssl/src/shlib/linux.sh | 76 - src/lib/libssl/src/shlib/solaris-sc4.sh | 42 + src/lib/libssl/src/ssl/Makefile.ssl | 772 ++- src/lib/libssl/src/ssl/bio_ssl.c | 62 +- src/lib/libssl/src/ssl/install.com | 102 + src/lib/libssl/src/ssl/readme | 277 - src/lib/libssl/src/ssl/s23_clnt.c | 55 +- src/lib/libssl/src/ssl/s23_lib.c | 52 +- src/lib/libssl/src/ssl/s23_meth.c | 10 +- src/lib/libssl/src/ssl/s23_pkt.c | 13 +- src/lib/libssl/src/ssl/s23_srvr.c | 72 +- src/lib/libssl/src/ssl/s2_clnt.c | 174 +- src/lib/libssl/src/ssl/s2_enc.c | 19 +- src/lib/libssl/src/ssl/s2_lib.c | 102 +- src/lib/libssl/src/ssl/s2_meth.c | 13 +- src/lib/libssl/src/ssl/s2_pkt.c | 101 +- src/lib/libssl/src/ssl/s2_srvr.c | 162 +- src/lib/libssl/src/ssl/s3_both.c | 85 +- src/lib/libssl/src/ssl/s3_clnt.c | 363 +- src/lib/libssl/src/ssl/s3_enc.c | 176 +- src/lib/libssl/src/ssl/s3_lib.c | 382 +- src/lib/libssl/src/ssl/s3_meth.c | 10 +- src/lib/libssl/src/ssl/s3_pkt.c | 160 +- src/lib/libssl/src/ssl/s3_srvr.c | 336 +- src/lib/libssl/src/ssl/ssl-lib.com | 1200 ++++ src/lib/libssl/src/ssl/ssl.c | 172 - src/lib/libssl/src/ssl/ssl.err | 290 - src/lib/libssl/src/ssl/ssl.h | 1161 ++-- src/lib/libssl/src/ssl/ssl2.h | 6 +- src/lib/libssl/src/ssl/ssl3.h | 32 +- src/lib/libssl/src/ssl/ssl_algs.c | 23 +- src/lib/libssl/src/ssl/ssl_asn1.c | 44 +- src/lib/libssl/src/ssl/ssl_cert.c | 537 +- src/lib/libssl/src/ssl/ssl_ciph.c | 193 +- src/lib/libssl/src/ssl/ssl_err.c | 158 +- src/lib/libssl/src/ssl/ssl_err2.c | 6 +- src/lib/libssl/src/ssl/ssl_lib.c | 1016 +-- src/lib/libssl/src/ssl/ssl_locl.h | 299 +- src/lib/libssl/src/ssl/ssl_rsa.c | 332 +- src/lib/libssl/src/ssl/ssl_sess.c | 257 +- src/lib/libssl/src/ssl/ssl_stat.c | 42 +- src/lib/libssl/src/ssl/ssl_task.c | 20 +- src/lib/libssl/src/ssl/ssl_txt.c | 61 +- src/lib/libssl/src/ssl/ssltest.c | 510 +- src/lib/libssl/src/ssl/t1_clnt.c | 16 +- src/lib/libssl/src/ssl/t1_enc.c | 188 +- src/lib/libssl/src/ssl/t1_lib.c | 24 +- src/lib/libssl/src/ssl/t1_meth.c | 10 +- src/lib/libssl/src/ssl/t1_srvr.c | 18 +- src/lib/libssl/src/ssl/tls1.h | 40 +- src/lib/libssl/src/test/.rnd | Bin 1024 -> 0 bytes src/lib/libssl/src/test/Makefile.ssl | 128 +- src/lib/libssl/src/test/VMSca-response.1 | 1 + src/lib/libssl/src/test/VMSca-response.2 | 2 + src/lib/libssl/src/test/certCA.srl | 1 - src/lib/libssl/src/test/maketests.com | 1053 ++++ src/lib/libssl/src/test/methtest.c | 6 +- src/lib/libssl/src/test/p | 294 - src/lib/libssl/src/test/riptest | Bin 13325 -> 0 bytes src/lib/libssl/src/test/tcrl | 2 +- src/lib/libssl/src/test/tcrl.com | 78 + src/lib/libssl/src/test/test.txt | 31 - src/lib/libssl/src/test/testca | 2 +- src/lib/libssl/src/test/testca.com | 76 + src/lib/libssl/src/test/testenc | 12 +- src/lib/libssl/src/test/testenc.com | 50 + src/lib/libssl/src/test/testgen | 4 +- src/lib/libssl/src/test/testgen.com | 35 + src/lib/libssl/src/test/testkey.pem | 2 - src/lib/libssl/src/test/testp7.pem | 20 +- src/lib/libssl/src/test/testreq.pem | 9 - src/lib/libssl/src/test/tests.com | 203 + src/lib/libssl/src/test/testsid.pem | 4 +- src/lib/libssl/src/test/testss | 11 +- src/lib/libssl/src/test/testss.com | 105 + src/lib/libssl/src/test/testssl | 37 +- src/lib/libssl/src/test/testssl.com | 111 + src/lib/libssl/src/test/tpkcs7 | 2 +- src/lib/libssl/src/test/tpkcs7.com | 49 + src/lib/libssl/src/test/tpkcs7d | 4 +- src/lib/libssl/src/test/tpkcs7d.com | 42 + src/lib/libssl/src/test/treq | 2 +- src/lib/libssl/src/test/treq.com | 78 + src/lib/libssl/src/test/trsa | 2 +- src/lib/libssl/src/test/trsa.com | 78 + src/lib/libssl/src/test/tsid | 2 +- src/lib/libssl/src/test/tsid.com | 78 + src/lib/libssl/src/test/tverify.com | 26 + src/lib/libssl/src/test/tx509 | 2 +- src/lib/libssl/src/test/tx509.com | 78 + src/lib/libssl/src/times/x86/bfs.cpp | 2 +- src/lib/libssl/src/times/x86/casts.cpp | 2 +- src/lib/libssl/src/times/x86/des3s.cpp | 2 +- src/lib/libssl/src/times/x86/dess.cpp | 2 +- src/lib/libssl/src/times/x86/md5s.cpp | 2 +- src/lib/libssl/src/times/x86/rc4s.cpp | 2 +- src/lib/libssl/src/times/x86/sha1s.cpp | 2 +- src/lib/libssl/src/tools/Makefile.ssl | 25 +- src/lib/libssl/src/tools/c_hash | 2 +- src/lib/libssl/src/tools/c_info | 2 +- src/lib/libssl/src/tools/c_issuer | 2 +- src/lib/libssl/src/tools/c_name | 2 +- src/lib/libssl/src/tools/c_rehash | 47 - src/lib/libssl/src/tools/c_rehash.in | 61 + src/lib/libssl/src/util/add_cr.pl | 2 +- src/lib/libssl/src/util/ck_errf.pl | 3 +- src/lib/libssl/src/util/clean-depend.pl | 38 + src/lib/libssl/src/util/deleof.pl | 2 +- src/lib/libssl/src/util/do_ms.sh | 8 +- src/lib/libssl/src/util/domd | 11 + src/lib/libssl/src/util/err-ins.pl | 2 +- src/lib/libssl/src/util/files.pl | 2 +- src/lib/libssl/src/util/libeay.num | 789 ++- src/lib/libssl/src/util/mk1mf.pl | 316 +- src/lib/libssl/src/util/mkdef.pl | 444 +- src/lib/libssl/src/util/mkdir-p.pl | 33 + src/lib/libssl/src/util/mkerr.pl | 503 ++ src/lib/libssl/src/util/mkfiles.pl | 110 + src/lib/libssl/src/util/mklink.pl | 55 + src/lib/libssl/src/util/mklink.sh | 35 - src/lib/libssl/src/util/perlpath.pl | 9 +- src/lib/libssl/src/util/pl/BC-16.pl | 14 +- src/lib/libssl/src/util/pl/BC-32.pl | 153 +- src/lib/libssl/src/util/pl/Mingw32.pl | 79 + src/lib/libssl/src/util/pl/Mingw32f.pl | 73 + src/lib/libssl/src/util/pl/VC-16.pl | 14 +- src/lib/libssl/src/util/pl/VC-32.pl | 33 +- src/lib/libssl/src/util/pl/linux.pl | 16 +- src/lib/libssl/src/util/pl/ultrix.pl | 38 + src/lib/libssl/src/util/pl/unix.pl | 23 +- src/lib/libssl/src/util/point.sh | 4 +- src/lib/libssl/src/util/ranlib.sh | 23 - src/lib/libssl/src/util/sep_lib.sh | 3 - src/lib/libssl/src/util/sp-diff.pl | 2 +- src/lib/libssl/src/util/src-dep.pl | 2 +- src/lib/libssl/src/util/ssldir.pl | 52 - src/lib/libssl/src/util/ssleay.num | 61 + src/lib/libssl/src/util/tab_num.pl | 2 +- src/lib/libssl/src/util/up_ver.pl | 79 - src/lib/libssl/src/util/x86asm.sh | 4 +- src/lib/libssl/ssl-patent/Makefile | 78 +- src/lib/libssl/ssl-patent/shlib_version | 2 +- src/lib/libssl/ssl.h | 1161 ++-- src/lib/libssl/ssl/Makefile | 58 +- src/lib/libssl/ssl2.h | 6 +- src/lib/libssl/ssl3.h | 32 +- src/lib/libssl/ssl_algs.c | 23 +- src/lib/libssl/ssl_asn1.c | 44 +- src/lib/libssl/ssl_cert.c | 537 +- src/lib/libssl/ssl_ciph.c | 193 +- src/lib/libssl/ssl_err.c | 158 +- src/lib/libssl/ssl_err2.c | 6 +- src/lib/libssl/ssl_lib.c | 1016 +-- src/lib/libssl/ssl_locl.h | 299 +- src/lib/libssl/ssl_rsa.c | 332 +- src/lib/libssl/ssl_sess.c | 257 +- src/lib/libssl/ssl_stat.c | 42 +- src/lib/libssl/ssl_txt.c | 61 +- src/lib/libssl/t1_clnt.c | 16 +- src/lib/libssl/t1_enc.c | 188 +- src/lib/libssl/t1_lib.c | 24 +- src/lib/libssl/t1_meth.c | 10 +- src/lib/libssl/t1_srvr.c | 18 +- src/lib/libssl/test/.rnd | Bin 1024 -> 0 bytes src/lib/libssl/test/Makefile.ssl | 128 +- src/lib/libssl/test/VMSca-response.1 | 1 + src/lib/libssl/test/VMSca-response.2 | 2 + src/lib/libssl/test/certCA.srl | 1 - src/lib/libssl/test/maketests.com | 1053 ++++ src/lib/libssl/test/methtest.c | 6 +- src/lib/libssl/test/p | 294 - src/lib/libssl/test/riptest | Bin 13325 -> 0 bytes src/lib/libssl/test/tcrl | 2 +- src/lib/libssl/test/tcrl.com | 78 + src/lib/libssl/test/test.txt | 31 - src/lib/libssl/test/testca | 2 +- src/lib/libssl/test/testca.com | 76 + src/lib/libssl/test/testenc | 12 +- src/lib/libssl/test/testenc.com | 50 + src/lib/libssl/test/testgen | 4 +- src/lib/libssl/test/testgen.com | 35 + src/lib/libssl/test/testkey.pem | 2 - src/lib/libssl/test/testp7.pem | 20 +- src/lib/libssl/test/testreq.pem | 9 - src/lib/libssl/test/tests.com | 203 + src/lib/libssl/test/testsid.pem | 4 +- src/lib/libssl/test/testss | 11 +- src/lib/libssl/test/testss.com | 105 + src/lib/libssl/test/testssl | 37 +- src/lib/libssl/test/testssl.com | 111 + src/lib/libssl/test/tpkcs7 | 2 +- src/lib/libssl/test/tpkcs7.com | 49 + src/lib/libssl/test/tpkcs7d | 4 +- src/lib/libssl/test/tpkcs7d.com | 42 + src/lib/libssl/test/treq | 2 +- src/lib/libssl/test/treq.com | 78 + src/lib/libssl/test/trsa | 2 +- src/lib/libssl/test/trsa.com | 78 + src/lib/libssl/test/tsid | 2 +- src/lib/libssl/test/tsid.com | 78 + src/lib/libssl/test/tverify.com | 26 + src/lib/libssl/test/tx509 | 2 +- src/lib/libssl/test/tx509.com | 78 + src/lib/libssl/tls1.h | 40 +- 1122 files changed, 101957 insertions(+), 68544 deletions(-) create mode 100644 src/lib/libssl/LICENSE create mode 100644 src/lib/libssl/doc/openssl.cnf create mode 100644 src/lib/libssl/doc/openssl.txt create mode 100644 src/lib/libssl/src/CHANGES create mode 100644 src/lib/libssl/src/CHANGES.SSLeay delete mode 100644 src/lib/libssl/src/COPYRIGHT delete mode 100644 src/lib/libssl/src/HISTORY delete mode 100644 src/lib/libssl/src/HISTORY.066 create mode 100644 src/lib/libssl/src/INSTALL.VMS create mode 100644 src/lib/libssl/src/INSTALL.W32 create mode 100644 src/lib/libssl/src/LICENSE delete mode 100644 src/lib/libssl/src/MICROSOFT delete mode 100644 src/lib/libssl/src/MINFO create mode 100644 src/lib/libssl/src/Makefile.org delete mode 100644 src/lib/libssl/src/Makefile.ssl create mode 100644 src/lib/libssl/src/NEWS delete mode 100644 src/lib/libssl/src/PATENTS delete mode 100644 src/lib/libssl/src/PROBLEMS delete mode 100644 src/lib/libssl/src/README.066 delete mode 100644 src/lib/libssl/src/README.080 delete mode 100644 src/lib/libssl/src/README.090 delete mode 100644 src/lib/libssl/src/TODO delete mode 100644 src/lib/libssl/src/VERSION create mode 100644 src/lib/libssl/src/apps/CA.com create mode 100644 src/lib/libssl/src/apps/CA.pl delete mode 100644 src/lib/libssl/src/apps/der_chop create mode 100644 src/lib/libssl/src/apps/der_chop.in delete mode 100644 src/lib/libssl/src/apps/ext.v3 delete mode 100644 src/lib/libssl/src/apps/g_ssleay.pl create mode 100644 src/lib/libssl/src/apps/install.com create mode 100644 src/lib/libssl/src/apps/makeapps.com delete mode 100644 src/lib/libssl/src/apps/mklinks create mode 100644 src/lib/libssl/src/apps/nseq.c create mode 100644 src/lib/libssl/src/apps/oid.cnf create mode 100644 src/lib/libssl/src/apps/openssl-vms.cnf create mode 100644 src/lib/libssl/src/apps/openssl.c create mode 100644 src/lib/libssl/src/apps/openssl.cnf create mode 100644 src/lib/libssl/src/apps/pkcs12.c create mode 100644 src/lib/libssl/src/apps/pkcs8.c create mode 100644 src/lib/libssl/src/apps/progs.pl delete mode 100644 src/lib/libssl/src/apps/rmlinks delete mode 100644 src/lib/libssl/src/apps/ssleay.c delete mode 100644 src/lib/libssl/src/apps/ssleay.cnf create mode 100644 src/lib/libssl/src/bugs/ultrixcc.c delete mode 100644 src/lib/libssl/src/certs/vsign4.pem create mode 100644 src/lib/libssl/src/certs/vsignss.pem create mode 100644 src/lib/libssl/src/certs/vsigntca.pem create mode 100644 src/lib/libssl/src/crypto/asn1/a_enum.c create mode 100644 src/lib/libssl/src/crypto/asn1/a_gentm.c create mode 100644 src/lib/libssl/src/crypto/asn1/a_time.c create mode 100644 src/lib/libssl/src/crypto/asn1/a_utf8.c create mode 100644 src/lib/libssl/src/crypto/asn1/a_vis.c delete mode 100644 src/lib/libssl/src/crypto/asn1/asn1.err create mode 100644 src/lib/libssl/src/crypto/asn1/asn_pack.c create mode 100644 src/lib/libssl/src/crypto/asn1/f_enum.c create mode 100644 src/lib/libssl/src/crypto/asn1/nsseq.c create mode 100644 src/lib/libssl/src/crypto/asn1/p5_pbe.c create mode 100644 src/lib/libssl/src/crypto/asn1/p5_pbev2.c create mode 100644 src/lib/libssl/src/crypto/asn1/p8_pkey.c create mode 100644 src/lib/libssl/src/crypto/asn1/t_crl.c delete mode 100644 src/lib/libssl/src/crypto/bf/asm/bx86unix.cpp create mode 100644 src/lib/libssl/src/crypto/bf/bf_locl.h delete mode 100644 src/lib/libssl/src/crypto/bf/bf_locl.org delete mode 100644 src/lib/libssl/src/crypto/bio/bio.err create mode 100644 src/lib/libssl/src/crypto/bio/bss_bio.c create mode 100644 src/lib/libssl/src/crypto/bio/bss_log.c create mode 100644 src/lib/libssl/src/crypto/bn/asm/alpha.s.works create mode 100644 src/lib/libssl/src/crypto/bn/asm/bn-alpha.pl delete mode 100644 src/lib/libssl/src/crypto/bn/asm/bn86unix.cpp create mode 100644 src/lib/libssl/src/crypto/bn/asm/ca.pl create mode 100644 src/lib/libssl/src/crypto/bn/asm/co-586.pl create mode 100644 src/lib/libssl/src/crypto/bn/asm/co-alpha.pl create mode 100644 src/lib/libssl/src/crypto/bn/asm/mips1.s create mode 100644 src/lib/libssl/src/crypto/bn/asm/mips3.s delete mode 100644 src/lib/libssl/src/crypto/bn/asm/sparc.s create mode 100644 src/lib/libssl/src/crypto/bn/asm/sparcv8.S create mode 100644 src/lib/libssl/src/crypto/bn/asm/sparcv8plus.S create mode 100644 src/lib/libssl/src/crypto/bn/asm/vms.mar create mode 100644 src/lib/libssl/src/crypto/bn/asm/x86.pl delete mode 100644 src/lib/libssl/src/crypto/bn/bn.err create mode 100644 src/lib/libssl/src/crypto/bn/bn.h create mode 100644 src/lib/libssl/src/crypto/bn/bn.mul delete mode 100644 src/lib/libssl/src/crypto/bn/bn.org create mode 100644 src/lib/libssl/src/crypto/bn/bn_asm.c create mode 100644 src/lib/libssl/src/crypto/bn/bn_comba.c create mode 100644 src/lib/libssl/src/crypto/bn/bn_exp2.c delete mode 100644 src/lib/libssl/src/crypto/bn/bn_m.c delete mode 100644 src/lib/libssl/src/crypto/bn/bn_mod.c delete mode 100644 src/lib/libssl/src/crypto/bn/bn_mulw.c create mode 100644 src/lib/libssl/src/crypto/bn/bn_opts.c delete mode 100644 src/lib/libssl/src/crypto/bn/bn_sub.c create mode 100644 src/lib/libssl/src/crypto/bn/comba.pl create mode 100644 src/lib/libssl/src/crypto/bn/d.c create mode 100644 src/lib/libssl/src/crypto/bn/exp.c create mode 100644 src/lib/libssl/src/crypto/bn/new create mode 100644 src/lib/libssl/src/crypto/bn/test.c create mode 100644 src/lib/libssl/src/crypto/bn/todo create mode 100644 src/lib/libssl/src/crypto/bn/vms-helper.c delete mode 100644 src/lib/libssl/src/crypto/buffer/buffer.err delete mode 100644 src/lib/libssl/src/crypto/cast/asm/cx86unix.cpp delete mode 100644 src/lib/libssl/src/crypto/conf/conf.err delete mode 100644 src/lib/libssl/src/crypto/cryptall.h create mode 100644 src/lib/libssl/src/crypto/crypto-lib.com delete mode 100644 src/lib/libssl/src/crypto/crypto.c delete mode 100644 src/lib/libssl/src/crypto/crypto.err delete mode 100644 src/lib/libssl/src/crypto/date.h delete mode 100644 src/lib/libssl/src/crypto/des/asm/dx86unix.cpp delete mode 100644 src/lib/libssl/src/crypto/des/asm/yx86unix.cpp create mode 100644 src/lib/libssl/src/crypto/des/des-lib.com create mode 100644 src/lib/libssl/src/crypto/des/des.h delete mode 100644 src/lib/libssl/src/crypto/des/des.org create mode 100644 src/lib/libssl/src/crypto/des/des_locl.h delete mode 100644 src/lib/libssl/src/crypto/des/des_locl.org create mode 100644 src/lib/libssl/src/crypto/des/ede_cbcm_enc.c delete mode 100644 src/lib/libssl/src/crypto/des/ede_enc.c delete mode 100644 src/lib/libssl/src/crypto/des/ranlib.sh delete mode 100644 src/lib/libssl/src/crypto/des/vms.com delete mode 100644 src/lib/libssl/src/crypto/dh/dh.err delete mode 100644 src/lib/libssl/src/crypto/dsa/dsa.err create mode 100644 src/lib/libssl/src/crypto/dsa/dsa_asn1.c create mode 100644 src/lib/libssl/src/crypto/ebcdic.h delete mode 100644 src/lib/libssl/src/crypto/err/err_code.pl delete mode 100644 src/lib/libssl/src/crypto/err/err_genc.pl delete mode 100644 src/lib/libssl/src/crypto/err/error.err create mode 100644 src/lib/libssl/src/crypto/err/openssl.ec delete mode 100644 src/lib/libssl/src/crypto/err/ssleay.ec create mode 100644 src/lib/libssl/src/crypto/evp/bio_ok.c delete mode 100644 src/lib/libssl/src/crypto/evp/evp.err create mode 100644 src/lib/libssl/src/crypto/evp/evp_pbe.c create mode 100644 src/lib/libssl/src/crypto/evp/evp_pkey.c create mode 100644 src/lib/libssl/src/crypto/evp/p5_crpt.c create mode 100644 src/lib/libssl/src/crypto/evp/p5_crpt2.c delete mode 100644 src/lib/libssl/src/crypto/evp/pk_lib.c create mode 100644 src/lib/libssl/src/crypto/idea/idea.h create mode 100644 src/lib/libssl/src/crypto/install.com delete mode 100644 src/lib/libssl/src/crypto/libvms.com create mode 100644 src/lib/libssl/src/crypto/md2/md2.h delete mode 100644 src/lib/libssl/src/crypto/md2/md2.org create mode 100644 src/lib/libssl/src/crypto/md32_common.h create mode 100644 src/lib/libssl/src/crypto/md5/asm/md5-sparcv9.S delete mode 100644 src/lib/libssl/src/crypto/md5/asm/mx86unix.cpp create mode 100644 src/lib/libssl/src/crypto/objects/o_names.c delete mode 100644 src/lib/libssl/src/crypto/objects/obj_dat.h delete mode 100644 src/lib/libssl/src/crypto/objects/objects.err create mode 100644 src/lib/libssl/src/crypto/opensslconf.h.in create mode 100644 src/lib/libssl/src/crypto/opensslv.h delete mode 100644 src/lib/libssl/src/crypto/pem/ctx_size.c delete mode 100644 src/lib/libssl/src/crypto/pem/pem.err delete mode 100644 src/lib/libssl/src/crypto/pem/pem.org create mode 100644 src/lib/libssl/src/crypto/pem/pem2.h create mode 100644 src/lib/libssl/src/crypto/perlasm/alpha.pl create mode 100644 src/lib/libssl/src/crypto/perlasm/x86nasm.pl create mode 100644 src/lib/libssl/src/crypto/pkcs7/bio_ber.c create mode 100644 src/lib/libssl/src/crypto/pkcs7/dec.c create mode 100644 src/lib/libssl/src/crypto/pkcs7/des.pem create mode 100644 src/lib/libssl/src/crypto/pkcs7/es1.pem create mode 100644 src/lib/libssl/src/crypto/pkcs7/example.c create mode 100644 src/lib/libssl/src/crypto/pkcs7/example.h create mode 100644 src/lib/libssl/src/crypto/pkcs7/info.pem create mode 100644 src/lib/libssl/src/crypto/pkcs7/infokey.pem delete mode 100644 src/lib/libssl/src/crypto/pkcs7/mf.p7 delete mode 100644 src/lib/libssl/src/crypto/pkcs7/p7.tst delete mode 100644 src/lib/libssl/src/crypto/pkcs7/pkcs7.err create mode 100644 src/lib/libssl/src/crypto/rand/rand_lib.c delete mode 100644 src/lib/libssl/src/crypto/ranlib.sh create mode 100644 src/lib/libssl/src/crypto/rc2/rc2.h delete mode 100644 src/lib/libssl/src/crypto/rc2/rc2.org create mode 100644 src/lib/libssl/src/crypto/rc2/tab.c delete mode 100644 src/lib/libssl/src/crypto/rc4/asm/rx86unix.cpp create mode 100644 src/lib/libssl/src/crypto/rc4/rc4.h delete mode 100644 src/lib/libssl/src/crypto/rc4/rc4.org create mode 100644 src/lib/libssl/src/crypto/rc4/rc4_locl.h delete mode 100644 src/lib/libssl/src/crypto/rc4/rc4_locl.org delete mode 100644 src/lib/libssl/src/crypto/rc5/asm/r586unix.cpp delete mode 100644 src/lib/libssl/src/crypto/ripemd/asm/rm86unix.cpp delete mode 100644 src/lib/libssl/src/crypto/rsa/rsa.err create mode 100644 src/lib/libssl/src/crypto/rsa/rsa_chk.c create mode 100644 src/lib/libssl/src/crypto/rsa/rsa_oaep.c create mode 100644 src/lib/libssl/src/crypto/rsa/rsa_oaep_test.c delete mode 100644 src/lib/libssl/src/crypto/sha/asm/sx86unix.cpp delete mode 100644 src/lib/libssl/src/crypto/sha/sha_sgst.c create mode 100644 src/lib/libssl/src/crypto/stack/safestack.h create mode 100644 src/lib/libssl/src/crypto/tmdiff.h delete mode 100644 src/lib/libssl/src/crypto/x509/attrib delete mode 100644 src/lib/libssl/src/crypto/x509/v3_net.c delete mode 100644 src/lib/libssl/src/crypto/x509/v3_x509.c delete mode 100644 src/lib/libssl/src/crypto/x509/x509.doc delete mode 100644 src/lib/libssl/src/crypto/x509/x509.err delete mode 100644 src/lib/libssl/src/crypto/x509/x509pack.c delete mode 100644 src/lib/libssl/src/crypto/x509/x509v3.doc create mode 100644 src/lib/libssl/src/crypto/x509v3/Makefile.ssl create mode 100644 src/lib/libssl/src/crypto/x509v3/README delete mode 100644 src/lib/libssl/src/crypto/x509v3/format delete mode 100644 src/lib/libssl/src/crypto/x509v3/header create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_akey.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_alt.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_bcons.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_bitst.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_conf.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_cpols.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_crld.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_enum.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_extku.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_genn.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_ia5.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_int.c delete mode 100644 src/lib/libssl/src/crypto/x509v3/v3_ku.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_lib.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_pku.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_prn.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_skey.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_sxnet.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3_utl.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3conf.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3err.c create mode 100644 src/lib/libssl/src/crypto/x509v3/v3prin.c create mode 100644 src/lib/libssl/src/demos/bio/Makefile create mode 100644 src/lib/libssl/src/demos/prime/Makefile create mode 100644 src/lib/libssl/src/demos/sign/Makefile delete mode 100644 src/lib/libssl/src/doc/API.doc create mode 100644 src/lib/libssl/src/doc/README delete mode 100644 src/lib/libssl/src/doc/a_verify.doc delete mode 100644 src/lib/libssl/src/doc/apps.doc delete mode 100644 src/lib/libssl/src/doc/asn1.doc delete mode 100644 src/lib/libssl/src/doc/bio.doc delete mode 100644 src/lib/libssl/src/doc/blowfish.doc delete mode 100644 src/lib/libssl/src/doc/bn.doc create mode 100644 src/lib/libssl/src/doc/c-indentation.el delete mode 100644 src/lib/libssl/src/doc/ca.1 delete mode 100644 src/lib/libssl/src/doc/callback.doc delete mode 100644 src/lib/libssl/src/doc/cipher.doc delete mode 100644 src/lib/libssl/src/doc/cipher.m delete mode 100644 src/lib/libssl/src/doc/conf.doc create mode 100644 src/lib/libssl/src/doc/crypto.pod delete mode 100644 src/lib/libssl/src/doc/des.doc delete mode 100644 src/lib/libssl/src/doc/digest.doc delete mode 100644 src/lib/libssl/src/doc/encode.doc delete mode 100644 src/lib/libssl/src/doc/envelope.doc delete mode 100644 src/lib/libssl/src/doc/error.doc delete mode 100644 src/lib/libssl/src/doc/legal.doc delete mode 100644 src/lib/libssl/src/doc/lhash.doc delete mode 100644 src/lib/libssl/src/doc/md2.doc delete mode 100644 src/lib/libssl/src/doc/md5.doc delete mode 100644 src/lib/libssl/src/doc/memory.doc delete mode 100644 src/lib/libssl/src/doc/ms3-ca.doc delete mode 100644 src/lib/libssl/src/doc/ns-ca.doc delete mode 100644 src/lib/libssl/src/doc/obj.doc create mode 100644 src/lib/libssl/src/doc/openssl.pod create mode 100644 src/lib/libssl/src/doc/openssl.txt create mode 100644 src/lib/libssl/src/doc/openssl_button.gif create mode 100644 src/lib/libssl/src/doc/openssl_button.html delete mode 100644 src/lib/libssl/src/doc/rand.doc delete mode 100644 src/lib/libssl/src/doc/rc2.doc delete mode 100644 src/lib/libssl/src/doc/rc4.doc delete mode 100644 src/lib/libssl/src/doc/readme delete mode 100644 src/lib/libssl/src/doc/ref.doc delete mode 100644 src/lib/libssl/src/doc/req.1 delete mode 100644 src/lib/libssl/src/doc/rsa.doc delete mode 100644 src/lib/libssl/src/doc/rsaref.doc delete mode 100644 src/lib/libssl/src/doc/s_mult.doc delete mode 100644 src/lib/libssl/src/doc/session.doc delete mode 100644 src/lib/libssl/src/doc/sha.doc delete mode 100644 src/lib/libssl/src/doc/speed.doc delete mode 100644 src/lib/libssl/src/doc/ssl-ciph.doc delete mode 100644 src/lib/libssl/src/doc/ssl.doc create mode 100644 src/lib/libssl/src/doc/ssl.pod delete mode 100644 src/lib/libssl/src/doc/ssl_ctx.doc delete mode 100644 src/lib/libssl/src/doc/ssleay.doc create mode 100644 src/lib/libssl/src/doc/ssleay.txt delete mode 100644 src/lib/libssl/src/doc/ssluse.doc delete mode 100644 src/lib/libssl/src/doc/stack.doc delete mode 100644 src/lib/libssl/src/doc/threads.doc delete mode 100644 src/lib/libssl/src/doc/txt_db.doc delete mode 100644 src/lib/libssl/src/doc/verify delete mode 100644 src/lib/libssl/src/doc/why.doc create mode 100644 src/lib/libssl/src/e_os2.h create mode 100644 src/lib/libssl/src/install.com delete mode 100644 src/lib/libssl/src/makefile.one create mode 100644 src/lib/libssl/src/ms/bcb4.bat create mode 100644 src/lib/libssl/src/ms/do_masm.bat create mode 100644 src/lib/libssl/src/ms/do_nasm.bat create mode 100644 src/lib/libssl/src/ms/do_nt.bat delete mode 100644 src/lib/libssl/src/ms/libeay16.def delete mode 100644 src/lib/libssl/src/ms/libeay32.def create mode 100644 src/lib/libssl/src/ms/mw.bat delete mode 100644 src/lib/libssl/src/ms/ntdll.mak delete mode 100644 src/lib/libssl/src/ms/ssleay16.def delete mode 100644 src/lib/libssl/src/ms/ssleay32.def delete mode 100644 src/lib/libssl/src/ms/w31dll.mak create mode 100644 src/lib/libssl/src/ms/x86asm.bat create mode 100644 src/lib/libssl/src/openssl.doxy create mode 100644 src/lib/libssl/src/perl/OpenSSL.pm create mode 100644 src/lib/libssl/src/perl/OpenSSL.xs create mode 100644 src/lib/libssl/src/perl/README.1ST delete mode 100644 src/lib/libssl/src/perl/SSLeay.pm delete mode 100644 src/lib/libssl/src/perl/SSLeay.xs delete mode 100644 src/lib/libssl/src/perl/b.pl delete mode 100644 src/lib/libssl/src/perl/bio.pl delete mode 100644 src/lib/libssl/src/perl/bio.txt delete mode 100644 src/lib/libssl/src/perl/bio.xs delete mode 100644 src/lib/libssl/src/perl/bn.pl delete mode 100644 src/lib/libssl/src/perl/bn.txt delete mode 100644 src/lib/libssl/src/perl/bn.xs delete mode 100644 src/lib/libssl/src/perl/callback.c delete mode 100644 src/lib/libssl/src/perl/cipher.pl delete mode 100644 src/lib/libssl/src/perl/cipher.txt delete mode 100644 src/lib/libssl/src/perl/cipher.xs delete mode 100644 src/lib/libssl/src/perl/dh.pl delete mode 100644 src/lib/libssl/src/perl/digest.txt delete mode 100644 src/lib/libssl/src/perl/digest.xs delete mode 100644 src/lib/libssl/src/perl/err.txt delete mode 100644 src/lib/libssl/src/perl/err.xs delete mode 100644 src/lib/libssl/src/perl/f.pl delete mode 100644 src/lib/libssl/src/perl/g.pl delete mode 100644 src/lib/libssl/src/perl/gen_rsa.pl delete mode 100644 src/lib/libssl/src/perl/mul.pl create mode 100644 src/lib/libssl/src/perl/openssl.h create mode 100644 src/lib/libssl/src/perl/openssl_bio.xs create mode 100644 src/lib/libssl/src/perl/openssl_bn.xs create mode 100644 src/lib/libssl/src/perl/openssl_cipher.xs create mode 100644 src/lib/libssl/src/perl/openssl_digest.xs create mode 100644 src/lib/libssl/src/perl/openssl_err.xs create mode 100644 src/lib/libssl/src/perl/openssl_ssl.xs create mode 100644 src/lib/libssl/src/perl/openssl_x509.xs delete mode 100644 src/lib/libssl/src/perl/p5SSLeay.h delete mode 100644 src/lib/libssl/src/perl/r.pl delete mode 100644 src/lib/libssl/src/perl/s.pl delete mode 100644 src/lib/libssl/src/perl/s2.pl delete mode 100644 src/lib/libssl/src/perl/server.pem delete mode 100644 src/lib/libssl/src/perl/ss.pl delete mode 100644 src/lib/libssl/src/perl/ssl.pl delete mode 100644 src/lib/libssl/src/perl/ssl.txt delete mode 100644 src/lib/libssl/src/perl/ssl.xs delete mode 100644 src/lib/libssl/src/perl/ssl_srvr.pl delete mode 100644 src/lib/libssl/src/perl/sslbio.pl delete mode 100644 src/lib/libssl/src/perl/t.pl delete mode 100644 src/lib/libssl/src/perl/test delete mode 100644 src/lib/libssl/src/perl/test.pl delete mode 100644 src/lib/libssl/src/perl/test.txt delete mode 100644 src/lib/libssl/src/perl/test2.pl delete mode 100644 src/lib/libssl/src/perl/test3.pl delete mode 100644 src/lib/libssl/src/perl/test8.pl delete mode 100644 src/lib/libssl/src/perl/test9.pl delete mode 100644 src/lib/libssl/src/perl/testbn.pl delete mode 100644 src/lib/libssl/src/perl/testdec.pl delete mode 100644 src/lib/libssl/src/perl/testmd.pl delete mode 100644 src/lib/libssl/src/perl/tt.pl delete mode 100644 src/lib/libssl/src/perl/x509.txt delete mode 100644 src/lib/libssl/src/perl/x509.xs delete mode 100644 src/lib/libssl/src/perl/xstmp.c delete mode 100644 src/lib/libssl/src/perl/y.pl delete mode 100644 src/lib/libssl/src/perl/yy.pl delete mode 100644 src/lib/libssl/src/perl/z.pl delete mode 100644 src/lib/libssl/src/perl/zz.pl delete mode 100644 src/lib/libssl/src/shlib/linux.sh create mode 100644 src/lib/libssl/src/shlib/solaris-sc4.sh create mode 100644 src/lib/libssl/src/ssl/install.com delete mode 100644 src/lib/libssl/src/ssl/readme create mode 100644 src/lib/libssl/src/ssl/ssl-lib.com delete mode 100644 src/lib/libssl/src/ssl/ssl.c delete mode 100644 src/lib/libssl/src/ssl/ssl.err delete mode 100644 src/lib/libssl/src/test/.rnd create mode 100644 src/lib/libssl/src/test/VMSca-response.1 create mode 100644 src/lib/libssl/src/test/VMSca-response.2 delete mode 100644 src/lib/libssl/src/test/certCA.srl create mode 100644 src/lib/libssl/src/test/maketests.com delete mode 100644 src/lib/libssl/src/test/p delete mode 100644 src/lib/libssl/src/test/riptest create mode 100644 src/lib/libssl/src/test/tcrl.com delete mode 100644 src/lib/libssl/src/test/test.txt create mode 100644 src/lib/libssl/src/test/testca.com create mode 100644 src/lib/libssl/src/test/testenc.com create mode 100644 src/lib/libssl/src/test/testgen.com delete mode 100644 src/lib/libssl/src/test/testkey.pem delete mode 100644 src/lib/libssl/src/test/testreq.pem create mode 100644 src/lib/libssl/src/test/tests.com create mode 100644 src/lib/libssl/src/test/testss.com create mode 100644 src/lib/libssl/src/test/testssl.com create mode 100644 src/lib/libssl/src/test/tpkcs7.com create mode 100644 src/lib/libssl/src/test/tpkcs7d.com create mode 100644 src/lib/libssl/src/test/treq.com create mode 100644 src/lib/libssl/src/test/trsa.com create mode 100644 src/lib/libssl/src/test/tsid.com create mode 100644 src/lib/libssl/src/test/tverify.com create mode 100644 src/lib/libssl/src/test/tx509.com delete mode 100644 src/lib/libssl/src/tools/c_rehash create mode 100644 src/lib/libssl/src/tools/c_rehash.in create mode 100644 src/lib/libssl/src/util/clean-depend.pl create mode 100644 src/lib/libssl/src/util/domd create mode 100644 src/lib/libssl/src/util/mkdir-p.pl create mode 100644 src/lib/libssl/src/util/mkerr.pl create mode 100644 src/lib/libssl/src/util/mkfiles.pl create mode 100644 src/lib/libssl/src/util/mklink.pl delete mode 100644 src/lib/libssl/src/util/mklink.sh create mode 100644 src/lib/libssl/src/util/pl/Mingw32.pl create mode 100644 src/lib/libssl/src/util/pl/Mingw32f.pl create mode 100644 src/lib/libssl/src/util/pl/ultrix.pl delete mode 100644 src/lib/libssl/src/util/ranlib.sh delete mode 100644 src/lib/libssl/src/util/ssldir.pl delete mode 100644 src/lib/libssl/src/util/up_ver.pl delete mode 100644 src/lib/libssl/test/.rnd create mode 100644 src/lib/libssl/test/VMSca-response.1 create mode 100644 src/lib/libssl/test/VMSca-response.2 delete mode 100644 src/lib/libssl/test/certCA.srl create mode 100644 src/lib/libssl/test/maketests.com delete mode 100644 src/lib/libssl/test/p delete mode 100644 src/lib/libssl/test/riptest create mode 100644 src/lib/libssl/test/tcrl.com delete mode 100644 src/lib/libssl/test/test.txt create mode 100644 src/lib/libssl/test/testca.com create mode 100644 src/lib/libssl/test/testenc.com create mode 100644 src/lib/libssl/test/testgen.com delete mode 100644 src/lib/libssl/test/testkey.pem delete mode 100644 src/lib/libssl/test/testreq.pem create mode 100644 src/lib/libssl/test/tests.com create mode 100644 src/lib/libssl/test/testss.com create mode 100644 src/lib/libssl/test/testssl.com create mode 100644 src/lib/libssl/test/tpkcs7.com create mode 100644 src/lib/libssl/test/tpkcs7d.com create mode 100644 src/lib/libssl/test/treq.com create mode 100644 src/lib/libssl/test/trsa.com create mode 100644 src/lib/libssl/test/tsid.com create mode 100644 src/lib/libssl/test/tverify.com create mode 100644 src/lib/libssl/test/tx509.com (limited to 'src/lib/libssl') diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE new file mode 100644 index 0000000000..b9e18d5e7b --- /dev/null +++ b/src/lib/libssl/LICENSE @@ -0,0 +1,127 @@ + + LICENSE ISSUES + ============== + + The OpenSSL toolkit stays under a dual license, i.e. both the conditions of + the OpenSSL License and the original SSLeay license apply to the toolkit. + See below for the actual license texts. Actually both licenses are BSD-style + Open Source licenses. In case of any license issues related to OpenSSL + please contact openssl-core@openssl.org. + + OpenSSL License + --------------- + +/* ==================================================================== + * Copyright (c) 1998-1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + Original SSLeay License + ----------------------- + +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c index 58a6d69b9b..f62cde4e5d 100644 --- a/src/lib/libssl/bio_ssl.c +++ b/src/lib/libssl/bio_ssl.c @@ -60,27 +60,17 @@ #include #include #include -#include "crypto.h" -#include "bio.h" -#include "err.h" -#include "ssl.h" +#include +#include +#include +#include -#ifndef NOPROTO static int ssl_write(BIO *h,char *buf,int num); static int ssl_read(BIO *h,char *buf,int size); static int ssl_puts(BIO *h,char *str); static long ssl_ctrl(BIO *h,int cmd,long arg1,char *arg2); static int ssl_new(BIO *h); static int ssl_free(BIO *data); -#else -static int ssl_write(); -static int ssl_read(); -static int ssl_puts(); -static long ssl_ctrl(); -static int ssl_new(); -static int ssl_free(); -#endif - typedef struct bio_ssl_st { SSL *ssl; /* The ssl handle :-) */ @@ -104,13 +94,12 @@ static BIO_METHOD methods_sslp= ssl_free, }; -BIO_METHOD *BIO_f_ssl() +BIO_METHOD *BIO_f_ssl(void) { return(&methods_sslp); } -static int ssl_new(bi) -BIO *bi; +static int ssl_new(BIO *bi) { BIO_SSL *bs; @@ -127,8 +116,7 @@ BIO *bi; return(1); } -static int ssl_free(a) -BIO *a; +static int ssl_free(BIO *a) { BIO_SSL *bs; @@ -147,10 +135,7 @@ BIO *a; return(1); } -static int ssl_read(b,out,outl) -BIO *b; -char *out; -int outl; +static int ssl_read(BIO *b, char *out, int outl) { int ret=1; BIO_SSL *sb; @@ -234,10 +219,7 @@ int outl; return(ret); } -static int ssl_write(b,out,outl) -BIO *b; -char *out; -int outl; +static int ssl_write(BIO *b, char *out, int outl) { int ret,r=0; int retry_reason=0; @@ -305,11 +287,7 @@ int outl; return(ret); } -static long ssl_ctrl(b,cmd,num,ptr) -BIO *b; -int cmd; -long num; -char *ptr; +static long ssl_ctrl(BIO *b, int cmd, long num, char *ptr) { SSL **sslp,*ssl; BIO_SSL *bs; @@ -483,9 +461,7 @@ char *ptr; return(ret); } -static int ssl_puts(bp,str) -BIO *bp; -char *str; +static int ssl_puts(BIO *bp, char *str) { int n,ret; @@ -494,8 +470,7 @@ char *str; return(ret); } -BIO *BIO_new_buffer_ssl_connect(ctx) -SSL_CTX *ctx; +BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx) { BIO *ret=NULL,*buf=NULL,*ssl=NULL; @@ -512,8 +487,7 @@ err: return(NULL); } -BIO *BIO_new_ssl_connect(ctx) -SSL_CTX *ctx; +BIO *BIO_new_ssl_connect(SSL_CTX *ctx) { BIO *ret=NULL,*con=NULL,*ssl=NULL; @@ -530,9 +504,7 @@ err: return(NULL); } -BIO *BIO_new_ssl(ctx,client) -SSL_CTX *ctx; -int client; +BIO *BIO_new_ssl(SSL_CTX *ctx, int client) { BIO *ret; SSL *ssl; @@ -553,8 +525,7 @@ int client; return(ret); } -int BIO_ssl_copy_session_id(t,f) -BIO *t,*f; +int BIO_ssl_copy_session_id(BIO *t, BIO *f) { t=BIO_find_type(t,BIO_TYPE_SSL); f=BIO_find_type(f,BIO_TYPE_SSL); @@ -567,8 +538,7 @@ BIO *t,*f; return(1); } -void BIO_ssl_shutdown(b) -BIO *b; +void BIO_ssl_shutdown(BIO *b) { SSL *s; diff --git a/src/lib/libssl/crypto-patent/Makefile b/src/lib/libssl/crypto-patent/Makefile index 14ceca92d7..c5b0623b0b 100644 --- a/src/lib/libssl/crypto-patent/Makefile +++ b/src/lib/libssl/crypto-patent/Makefile @@ -4,6 +4,7 @@ LIB= crypto SSLEAYDIST= src-patent LCRYPTO_SRC= ${.CURDIR}/../${SSLEAYDIST}/crypto +LCRYPTO_INC= ${.CURDIR}/../${SSLEAYDIST}/include .if ${MACHINE_ARCH} == "i386" CFLAGS+= -DL_ENDIAN -DBN_ASM @@ -23,10 +24,11 @@ CFLAGS+= -DB_ENDIAN .endif .endif -CFLAGS+= -DNO_IDEA -DTERMIOS -DANSI_SOURCE +CFLAGS+= -DNO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR -DNO_WINDOWS_BRAINDEATH CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST} CFLAGS+= -I${LCRYPTO_SRC} -SRCS+= cryptlib.c mem.c cversion.c ex_data.c cpt_err.c +CFLAGS+= -I${LCRYPTO_INC} +SRCS+= cryptlib.c ex_data.c cpt_err.c mem.c tmdiff.c cversion.c CFLAGS+= -I${LCRYPTO_SRC}/md2 SRCS+= md2_dgst.c md2_one.c CFLAGS+= -I${LCRYPTO_SRC}/md5 @@ -45,36 +47,37 @@ SRCS+= cbc_cksm.c cbc_enc.c cfb64enc.c cfb_enc.c \ fcrypt.c ofb64enc.c ofb_enc.c pcbc_enc.c \ qud_cksm.c rand_key.c read_pwd.c rpc_enc.c set_key.c \ des_enc.c fcrypt_b.c read2pwd.c \ - fcrypt.c xcbc_enc.c \ + fcrypt.c xcbc_enc.c ede_cbcm_enc.c \ str2key.c cfb64ede.c ofb64ede.c supp.c CFLAGS+= -I${LCRYPTO_SRC}/rc2 -SRCS+= rc2_ecb.c rc2_skey.c rc2_cbc.c rc2cfb64.c +SRCS+= rc2_ecb.c rc2_skey.c rc2_cbc.c rc2cfb64.c SRCS+= rc2ofb64.c CFLAGS+= -I${LCRYPTO_SRC}/rc4 SRCS+= rc4_skey.c rc4_enc.c CFLAGS+= -I${LCRYPTO_SRC}/rc5 SRCS+= rc5_skey.c rc5_ecb.c rc5cfb64.c rc5cfb64.c SRCS+= rc5ofb64.c rc5_enc.c -CFLAGS+= -I${LCRYPTO_SRC}/idea -SRCS+= i_cbc.c i_cfb64.c i_ofb64.c i_ecb.c -SRCS+= i_skey.c +#CFLAGS+= -I${LCRYPTO_SRC}/idea +#SRCS+= i_cbc.c i_cfb64.c i_ofb64.c i_ecb.c +#SRCS+= i_skey.c CFLAGS+= -I${LCRYPTO_SRC}/bf SRCS+= bf_skey.c bf_ecb.c bf_cfb64.c bf_ofb64.c bf_enc.c CFLAGS+= -I${LCRYPTO_SRC}/cast SRCS+= c_skey.c c_ecb.c c_cfb64.c c_ofb64.c c_enc.c CFLAGS+= -I${LCRYPTO_SRC}/bn -SRCS+= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_mod.c -SRCS+= bn_mul.c bn_print.c bn_rand.c bn_shift.c bn_sub.c +SRCS+= bn_add.c bn_div.c bn_exp.c bn_lib.c +SRCS+= bn_mul.c bn_print.c bn_rand.c bn_shift.c SRCS+= bn_word.c bn_blind.c bn_gcd.c bn_prime.c bn_err.c -SRCS+= bn_sqr.c bn_recp.c bn_mont.c bn_mpi.c -SRCS+= bn_mulw.c +SRCS+= bn_sqr.c bn_recp.c bn_mont.c bn_mpi.c bn_asm.c +#SRCS+= bn_comba.c d.c exp.c +SRCS+= bn_exp2.c CFLAGS+= -I${LCRYPTO_SRC}/rsa -SRCS+= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c -SRCS+= rsa_saos.c rsa_err.c rsa_pk1.c rsa_ssl.c -SRCS+= rsa_none.c +SRCS+= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c +SRCS+= rsa_saos.c rsa_err.c rsa_pk1.c rsa_ssl.c +SRCS+= rsa_none.c rsa_chk.c rsa_oaep.c CFLAGS+= -I${LCRYPTO_SRC}/dsa SRCS+= dsa_gen.c dsa_key.c dsa_lib.c dsa_vrf.c -SRCS+= dsa_sign.c dsa_err.c +SRCS+= dsa_sign.c dsa_err.c dsa_asn1.c CFLAGS+= -I${LCRYPTO_SRC}/dh SRCS+= dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c CFLAGS+= -I${LCRYPTO_SRC}/buffer @@ -84,17 +87,17 @@ SRCS+= bio_lib.c bio_cb.c bio_err.c bss_mem.c SRCS+= bss_null.c bss_fd.c bss_file.c bss_sock.c SRCS+= bss_conn.c bf_null.c bf_buff.c SRCS+= b_print.c b_dump.c b_sock.c bss_acpt.c -SRCS+= bf_nbio.c +SRCS+= bf_nbio.c bss_bio.c bss_log.c CFLAGS+= -I${LCRYPTO_SRC}/stack SRCS+= stack.c CFLAGS+= -I${LCRYPTO_SRC}/lhash SRCS+= lhash.c lh_stats.c CFLAGS+= -I${LCRYPTO_SRC}/rand -SRCS+= md_rand.c randfile.c +SRCS+= md_rand.c randfile.c rand_lib.c CFLAGS+= -I${LCRYPTO_SRC}/err SRCS+= err.c err_all.c err_prn.c CFLAGS+= -I${LCRYPTO_SRC}/objects -SRCS+= obj_dat.c obj_lib.c obj_err.c +SRCS+= obj_dat.c obj_lib.c obj_err.c o_names.c CFLAGS+= -I${LCRYPTO_SRC}/evp SRCS+= encode.c digest.c evp_enc.c evp_key.c SRCS+= e_ecb_d.c e_cbc_d.c e_cfb_d.c e_ofb_d.c @@ -110,9 +113,10 @@ SRCS+= m_dss1.c m_mdc2.c m_ripemd.c p_open.c SRCS+= p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c SRCS+= p_dec.c bio_md.c bio_b64.c bio_enc.c SRCS+= evp_err.c e_null.c c_all.c evp_lib.c +SRCS+= bio_ok.c evp_pbe.c evp_pkey.c p5_crpt.c p5_crpt2.c CFLAGS+= -I${LCRYPTO_SRC}/pem SRCS+= pem_sign.c pem_seal.c pem_info.c pem_lib.c -SRCS+= pem_all.c pem_err.c +SRCS+= pem_all.c pem_err.c CFLAGS+= -I${LCRYPTO_SRC}/asn1 SRCS+= a_object.c a_bitstr.c a_utctm.c a_int.c SRCS+= a_octet.c a_print.c a_type.c a_set.c @@ -130,28 +134,42 @@ SRCS+= p7_s_e.c p7_enc.c p7_lib.c f_int.c SRCS+= f_string.c i2d_dhp.c i2d_dsap.c d2i_dhp.c SRCS+= d2i_dsap.c n_pkey.c a_hdr.c x_pkey.c SRCS+= a_bool.c x_exten.c asn1_par.c asn1_lib.c -SRCS+= asn1_err.c a_meth.c a_bytes.c evp_asn1.c +SRCS+= asn1_err.c a_meth.c a_bytes.c evp_asn1.c +SRCS+= a_enum.c a_gentm.c a_time.c a_utf8.c a_vis.c +SRCS+= asn_pack.c f_enum.c nsseq.c p5_pbe.c p5_pbev2.c +SRCS+= p8_pkey.c t_crl.c CFLAGS+= -I${LCRYPTO_SRC}/x509 SRCS+= x509_def.c x509_d2.c x509_r2x.c x509_cmp.c SRCS+= x509_obj.c x509_req.c x509_vfy.c x509_set.c SRCS+= x509rset.c x509_err.c x509name.c x509_v3.c -SRCS+= x509_ext.c x509pack.c x509type.c x509_lu.c +SRCS+= x509_ext.c x509type.c x509_lu.c SRCS+= x_all.c x509_txt.c by_file.c by_dir.c -SRCS+= v3_net.c v3_x509.c +CFLAGS+= -I${LCRYPTO_SRC}/x509v3 +SRCS+= v3_akey.c v3_alt.c v3_bcons.c v3_bitst.c v3_conf.c v3_cpols.c +SRCS+= v3_crld.c v3_enum.c v3_extku.c v3_genn.c v3_ia5.c v3_int.c +SRCS+= v3_lib.c v3_pku.c v3_prn.c v3_skey.c v3_sxnet.c v3_utl.c +SRCS+= v3err.c CFLAGS+= -I${LCRYPTO_SRC}/conf SRCS+= conf.c conf_err.c CFLAGS+= -I${LCRYPTO_SRC}/txt_db SRCS+= txt_db.c CFLAGS+= -I${LCRYPTO_SRC}/pkcs7 -SRCS+= pk7_lib.c pkcs7err.c pk7_doit.c +SRCS+= pk7_lib.c pkcs7err.c pk7_doit.c +CFLAGS+= -I${LCRYPTO_SRC}/comp +SRCS+= c_rle.c c_zlib.c comp_err.c comp_lib.c +CFLAGS+= -I${LCRYPTO_SRC}/pkcs12 +SRCS+= p12_add.c p12_attr.c p12_bags.c p12_crpt.c p12_crt.c +SRCS+= p12_decr.c p12_init.c p12_key.c p12_kiss.c p12_lib.c p12_mac.c +SRCS+= p12_mutl.c p12_sbag.c p12_utl.c pk12err.c + +HDRS= asn1.h dh.h md5.h rc4.h stack.h asn1_mac.h dsa.h mdc2.h rc5.h \ + tls1.h bio.h e_os.h objects.h ripemd.h tmdiff.h blowfish.h \ + e_os2.h opensslconf.h rsa.h txt_db.h bn.h ebcdic.h opensslv.h \ + rsaref.h x509.h buffer.h err.h pem.h safestack.h x509_vfy.h \ + cast.h evp.h pem2.h sha.h x509v3.h comp.h hmac.h pkcs12.h ssl.h \ + conf.h idea.h pkcs7.h ssl2.h crypto.h lhash.h rand.h ssl23.h \ + des.h md2.h rc2.h ssl3.h -HDRS= asn1/asn1.h asn1/asn1_mac.h bf/blowfish.h bio/bio.h \ - bn/bn.h buffer/buffer.h cast/cast.h conf/conf.h des/des.h dh/dh.h \ - dsa/dsa.h err/err.h evp/evp.h hmac/hmac.h idea/idea.h lhash/lhash.h \ - md2/md2.h md5/md5.h mdc2/mdc2.h objects/objects.h pem/pem.h \ - pkcs7/pkcs7.h rand/rand.h rc2/rc2.h rc4/rc4.h rc5/rc5.h \ - ripemd/ripemd.h rsa/rsa.h sha/sha.h stack/stack.h txt_db/txt_db.h \ - x509/x509.h x509/x509_vfy.h crypto.h cryptall.h ../e_os.h .PATH: ${LCRYPTO_SRC}/md2 ${LCRYPTO_SRC}/md5 ${LCRYPTO_SRC}/sha ${LCRYPTO_SRC}/mdc2 \ ${LCRYPTO_SRC}/hmac ${LCRYPTO_SRC}/ripemd ${LCRYPTO_SRC}/des ${LCRYPTO_SRC}/rc2 \ @@ -161,18 +179,23 @@ HDRS= asn1/asn1.h asn1/asn1_mac.h bf/blowfish.h bio/bio.h \ ${LCRYPTO_SRC}/lhash ${LCRYPTO_SRC}/rand ${LCRYPTO_SRC}/err ${LCRYPTO_SRC}/objects \ ${LCRYPTO_SRC}/evp ${LCRYPTO_SRC}/pem ${LCRYPTO_SRC}/asn1 ${LCRYPTO_SRC}/asn1 \ ${LCRYPTO_SRC}/x509 ${LCRYPTO_SRC}/conf txt_db/txt_db.c ${LCRYPTO_SRC}/pkcs7 \ + ${LCRYPTO_SRC}/x509v3 ${LCRYPTO_SRC}/pkcs12 ${LCRYPTO_SRC}/comp \ ${LCRYPTO_SRC}/txt_db ${LCRYPTO_SRC} includes: @test -d ${DESTDIR}/usr/include/ssl || mkdir ${DESTDIR}/usr/include/ssl - @cd ${LCRYPTO_SRC}; for i in $(HDRS); do \ - j="cmp -s ${LCRYPTO_SRC}/$$i \ - ${DESTDIR}/usr/include/ssl/`basename $$i` || \ + @d=`mktemp -d /tmp/libsslXXXXXXXXXX`; \ + cd ${LCRYPTO_INC}/openssl; for i in $(HDRS); do \ + f=`basename $$i`; \ + j="sed 's/$$d/$$f && \ + (cmp -s $$d/$$f ${DESTDIR}/usr/include/ssl/$$f || \ ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \ - ${LCRYPTO_SRC}/$$i ${DESTDIR}/usr/include/ssl"; \ + $$d/$$f ${DESTDIR}/usr/include/ssl)"; \ echo $$j; \ eval "$$j"; \ - done + done; \ + rm -rf $$d .include diff --git a/src/lib/libssl/crypto-patent/shlib_version b/src/lib/libssl/crypto-patent/shlib_version index 893819d18f..c6e3f4d3fc 100644 --- a/src/lib/libssl/crypto-patent/shlib_version +++ b/src/lib/libssl/crypto-patent/shlib_version @@ -1,2 +1,2 @@ -major=1 +major=2 minor=1 diff --git a/src/lib/libssl/crypto/Makefile b/src/lib/libssl/crypto/Makefile index 9db529295b..2250c59621 100644 --- a/src/lib/libssl/crypto/Makefile +++ b/src/lib/libssl/crypto/Makefile @@ -4,6 +4,7 @@ LIB= crypto SSLEAYDIST= src LCRYPTO_SRC= ${.CURDIR}/../${SSLEAYDIST}/crypto +LCRYPTO_INC= ${.CURDIR}/../${SSLEAYDIST}/include .if ${MACHINE_ARCH} == "i386" CFLAGS+= -DL_ENDIAN -DBN_ASM @@ -23,10 +24,11 @@ CFLAGS+= -DB_ENDIAN .endif .endif -CFLAGS+= -DNO_IDEA -DTERMIOS -DANSI_SOURCE +CFLAGS+= -DNO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR -DNO_WINDOWS_BRAINDEATH CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST} CFLAGS+= -I${LCRYPTO_SRC} -SRCS+= cryptlib.c mem.c cversion.c ex_data.c cpt_err.c +CFLAGS+= -I${LCRYPTO_INC} +SRCS+= cryptlib.c ex_data.c cpt_err.c mem.c tmdiff.c cversion.c CFLAGS+= -I${LCRYPTO_SRC}/md2 SRCS+= md2_dgst.c md2_one.c CFLAGS+= -I${LCRYPTO_SRC}/md5 @@ -45,36 +47,37 @@ SRCS+= cbc_cksm.c cbc_enc.c cfb64enc.c cfb_enc.c \ fcrypt.c ofb64enc.c ofb_enc.c pcbc_enc.c \ qud_cksm.c rand_key.c read_pwd.c rpc_enc.c set_key.c \ des_enc.c fcrypt_b.c read2pwd.c \ - fcrypt.c xcbc_enc.c \ + fcrypt.c xcbc_enc.c ede_cbcm_enc.c \ str2key.c cfb64ede.c ofb64ede.c supp.c CFLAGS+= -I${LCRYPTO_SRC}/rc2 -SRCS+= rc2_ecb.c rc2_skey.c rc2_cbc.c rc2cfb64.c +SRCS+= rc2_ecb.c rc2_skey.c rc2_cbc.c rc2cfb64.c SRCS+= rc2ofb64.c CFLAGS+= -I${LCRYPTO_SRC}/rc4 SRCS+= rc4_skey.c rc4_enc.c CFLAGS+= -I${LCRYPTO_SRC}/rc5 SRCS+= rc5_skey.c rc5_ecb.c rc5cfb64.c rc5cfb64.c SRCS+= rc5ofb64.c rc5_enc.c -CFLAGS+= -I${LCRYPTO_SRC}/idea -SRCS+= i_cbc.c i_cfb64.c i_ofb64.c i_ecb.c -SRCS+= i_skey.c +#CFLAGS+= -I${LCRYPTO_SRC}/idea +#SRCS+= i_cbc.c i_cfb64.c i_ofb64.c i_ecb.c +#SRCS+= i_skey.c CFLAGS+= -I${LCRYPTO_SRC}/bf SRCS+= bf_skey.c bf_ecb.c bf_cfb64.c bf_ofb64.c bf_enc.c CFLAGS+= -I${LCRYPTO_SRC}/cast SRCS+= c_skey.c c_ecb.c c_cfb64.c c_ofb64.c c_enc.c CFLAGS+= -I${LCRYPTO_SRC}/bn -SRCS+= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_mod.c -SRCS+= bn_mul.c bn_print.c bn_rand.c bn_shift.c bn_sub.c +SRCS+= bn_add.c bn_div.c bn_exp.c bn_lib.c +SRCS+= bn_mul.c bn_print.c bn_rand.c bn_shift.c SRCS+= bn_word.c bn_blind.c bn_gcd.c bn_prime.c bn_err.c -SRCS+= bn_sqr.c bn_recp.c bn_mont.c bn_mpi.c -SRCS+= bn_mulw.c +SRCS+= bn_sqr.c bn_recp.c bn_mont.c bn_mpi.c bn_asm.c +#SRCS+= bn_comba.c d.c exp.c +SRCS+= bn_exp2.c CFLAGS+= -I${LCRYPTO_SRC}/rsa -SRCS+= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c -SRCS+= rsa_saos.c rsa_err.c rsa_pk1.c rsa_ssl.c -SRCS+= rsa_none.c +SRCS+= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c +SRCS+= rsa_saos.c rsa_err.c rsa_pk1.c rsa_ssl.c +SRCS+= rsa_none.c rsa_chk.c rsa_oaep.c CFLAGS+= -I${LCRYPTO_SRC}/dsa SRCS+= dsa_gen.c dsa_key.c dsa_lib.c dsa_vrf.c -SRCS+= dsa_sign.c dsa_err.c +SRCS+= dsa_sign.c dsa_err.c dsa_asn1.c CFLAGS+= -I${LCRYPTO_SRC}/dh SRCS+= dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c CFLAGS+= -I${LCRYPTO_SRC}/buffer @@ -84,17 +87,17 @@ SRCS+= bio_lib.c bio_cb.c bio_err.c bss_mem.c SRCS+= bss_null.c bss_fd.c bss_file.c bss_sock.c SRCS+= bss_conn.c bf_null.c bf_buff.c SRCS+= b_print.c b_dump.c b_sock.c bss_acpt.c -SRCS+= bf_nbio.c +SRCS+= bf_nbio.c bss_bio.c bss_log.c CFLAGS+= -I${LCRYPTO_SRC}/stack SRCS+= stack.c CFLAGS+= -I${LCRYPTO_SRC}/lhash SRCS+= lhash.c lh_stats.c CFLAGS+= -I${LCRYPTO_SRC}/rand -SRCS+= md_rand.c randfile.c +SRCS+= md_rand.c randfile.c rand_lib.c CFLAGS+= -I${LCRYPTO_SRC}/err SRCS+= err.c err_all.c err_prn.c CFLAGS+= -I${LCRYPTO_SRC}/objects -SRCS+= obj_dat.c obj_lib.c obj_err.c +SRCS+= obj_dat.c obj_lib.c obj_err.c o_names.c CFLAGS+= -I${LCRYPTO_SRC}/evp SRCS+= encode.c digest.c evp_enc.c evp_key.c SRCS+= e_ecb_d.c e_cbc_d.c e_cfb_d.c e_ofb_d.c @@ -110,9 +113,10 @@ SRCS+= m_dss1.c m_mdc2.c m_ripemd.c p_open.c SRCS+= p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c SRCS+= p_dec.c bio_md.c bio_b64.c bio_enc.c SRCS+= evp_err.c e_null.c c_all.c evp_lib.c +SRCS+= bio_ok.c evp_pbe.c evp_pkey.c p5_crpt.c p5_crpt2.c CFLAGS+= -I${LCRYPTO_SRC}/pem SRCS+= pem_sign.c pem_seal.c pem_info.c pem_lib.c -SRCS+= pem_all.c pem_err.c +SRCS+= pem_all.c pem_err.c CFLAGS+= -I${LCRYPTO_SRC}/asn1 SRCS+= a_object.c a_bitstr.c a_utctm.c a_int.c SRCS+= a_octet.c a_print.c a_type.c a_set.c @@ -130,28 +134,42 @@ SRCS+= p7_s_e.c p7_enc.c p7_lib.c f_int.c SRCS+= f_string.c i2d_dhp.c i2d_dsap.c d2i_dhp.c SRCS+= d2i_dsap.c n_pkey.c a_hdr.c x_pkey.c SRCS+= a_bool.c x_exten.c asn1_par.c asn1_lib.c -SRCS+= asn1_err.c a_meth.c a_bytes.c evp_asn1.c +SRCS+= asn1_err.c a_meth.c a_bytes.c evp_asn1.c +SRCS+= a_enum.c a_gentm.c a_time.c a_utf8.c a_vis.c +SRCS+= asn_pack.c f_enum.c nsseq.c p5_pbe.c p5_pbev2.c +SRCS+= p8_pkey.c t_crl.c CFLAGS+= -I${LCRYPTO_SRC}/x509 SRCS+= x509_def.c x509_d2.c x509_r2x.c x509_cmp.c SRCS+= x509_obj.c x509_req.c x509_vfy.c x509_set.c SRCS+= x509rset.c x509_err.c x509name.c x509_v3.c -SRCS+= x509_ext.c x509pack.c x509type.c x509_lu.c +SRCS+= x509_ext.c x509type.c x509_lu.c SRCS+= x_all.c x509_txt.c by_file.c by_dir.c -SRCS+= v3_net.c v3_x509.c +CFLAGS+= -I${LCRYPTO_SRC}/x509v3 +SRCS+= v3_akey.c v3_alt.c v3_bcons.c v3_bitst.c v3_conf.c v3_cpols.c +SRCS+= v3_crld.c v3_enum.c v3_extku.c v3_genn.c v3_ia5.c v3_int.c +SRCS+= v3_lib.c v3_pku.c v3_prn.c v3_skey.c v3_sxnet.c v3_utl.c +SRCS+= v3err.c CFLAGS+= -I${LCRYPTO_SRC}/conf SRCS+= conf.c conf_err.c CFLAGS+= -I${LCRYPTO_SRC}/txt_db SRCS+= txt_db.c CFLAGS+= -I${LCRYPTO_SRC}/pkcs7 -SRCS+= pk7_lib.c pkcs7err.c pk7_doit.c +SRCS+= pk7_lib.c pkcs7err.c pk7_doit.c +CFLAGS+= -I${LCRYPTO_SRC}/comp +SRCS+= c_rle.c c_zlib.c comp_err.c comp_lib.c +CFLAGS+= -I${LCRYPTO_SRC}/pkcs12 +SRCS+= p12_add.c p12_attr.c p12_bags.c p12_crpt.c p12_crt.c +SRCS+= p12_decr.c p12_init.c p12_key.c p12_kiss.c p12_lib.c p12_mac.c +SRCS+= p12_mutl.c p12_sbag.c p12_utl.c pk12err.c + +HDRS= asn1.h dh.h md5.h rc4.h stack.h asn1_mac.h dsa.h mdc2.h rc5.h \ + tls1.h bio.h e_os.h objects.h ripemd.h tmdiff.h blowfish.h \ + e_os2.h opensslconf.h rsa.h txt_db.h bn.h ebcdic.h opensslv.h \ + rsaref.h x509.h buffer.h err.h pem.h safestack.h x509_vfy.h \ + cast.h evp.h pem2.h sha.h x509v3.h comp.h hmac.h pkcs12.h ssl.h \ + conf.h idea.h pkcs7.h ssl2.h crypto.h lhash.h rand.h ssl23.h \ + des.h md2.h rc2.h ssl3.h -HDRS= asn1/asn1.h asn1/asn1_mac.h bf/blowfish.h bio/bio.h \ - bn/bn.h buffer/buffer.h cast/cast.h conf/conf.h des/des.h dh/dh.h \ - dsa/dsa.h err/err.h evp/evp.h hmac/hmac.h idea/idea.h lhash/lhash.h \ - md2/md2.h md5/md5.h mdc2/mdc2.h objects/objects.h pem/pem.h \ - pkcs7/pkcs7.h rand/rand.h rc2/rc2.h rc4/rc4.h rc5/rc5.h \ - ripemd/ripemd.h rsa/rsa.h sha/sha.h stack/stack.h txt_db/txt_db.h \ - x509/x509.h x509/x509_vfy.h crypto.h cryptall.h ../e_os.h .PATH: ${LCRYPTO_SRC}/md2 ${LCRYPTO_SRC}/md5 ${LCRYPTO_SRC}/sha ${LCRYPTO_SRC}/mdc2 \ ${LCRYPTO_SRC}/hmac ${LCRYPTO_SRC}/ripemd ${LCRYPTO_SRC}/des ${LCRYPTO_SRC}/rc2 \ @@ -161,15 +179,16 @@ HDRS= asn1/asn1.h asn1/asn1_mac.h bf/blowfish.h bio/bio.h \ ${LCRYPTO_SRC}/lhash ${LCRYPTO_SRC}/rand ${LCRYPTO_SRC}/err ${LCRYPTO_SRC}/objects \ ${LCRYPTO_SRC}/evp ${LCRYPTO_SRC}/pem ${LCRYPTO_SRC}/asn1 ${LCRYPTO_SRC}/asn1 \ ${LCRYPTO_SRC}/x509 ${LCRYPTO_SRC}/conf txt_db/txt_db.c ${LCRYPTO_SRC}/pkcs7 \ + ${LCRYPTO_SRC}/x509v3 ${LCRYPTO_SRC}/pkcs12 ${LCRYPTO_SRC}/comp \ ${LCRYPTO_SRC}/txt_db ${LCRYPTO_SRC} includes: @test -d ${DESTDIR}/usr/include/ssl || mkdir ${DESTDIR}/usr/include/ssl @d=`mktemp -d /tmp/libsslXXXXXXXXXX`; \ - cd ${LCRYPTO_SRC}; for i in $(HDRS); do \ + cd ${LCRYPTO_INC}/openssl; for i in $(HDRS); do \ f=`basename $$i`; \ - j="sed 's/#include \"\\([^\"]*\\)\"/#include /' \ - ${LCRYPTO_SRC}/$$i >$$d/$$f && \ + j="sed 's/$$d/$$f && \ (cmp -s $$d/$$f ${DESTDIR}/usr/include/ssl/$$f || \ ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \ $$d/$$f ${DESTDIR}/usr/include/ssl)"; \ diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf new file mode 100644 index 0000000000..d70dd25622 --- /dev/null +++ b/src/lib/libssl/doc/openssl.cnf @@ -0,0 +1,214 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +RANDFILE = $ENV::HOME/.rnd +oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = md5 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 40 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ v3_ca ] + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# RAW DER hex encoding of an extension: beware experts only! +# 1.2.3.5=RAW:02:03 +# You can even override a supported extension: +# basicConstraints= critical, RAW:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/src/lib/libssl/doc/openssl.txt b/src/lib/libssl/doc/openssl.txt new file mode 100644 index 0000000000..91b85e5f14 --- /dev/null +++ b/src/lib/libssl/doc/openssl.txt @@ -0,0 +1,1174 @@ + +This is some preliminary documentation for OpenSSL. + +============================================================================== + BUFFER Library +============================================================================== + +The buffer library handles simple character arrays. Buffers are used for +various purposes in the library, most notably memory BIOs. + +The library uses the BUF_MEM structure defined in buffer.h: + +typedef struct buf_mem_st +{ + int length; /* current number of bytes */ + char *data; + int max; /* size of buffer */ +} BUF_MEM; + +'length' is the current size of the buffer in bytes, 'max' is the amount of +memory allocated to the buffer. There are three functions which handle these +and one "miscellaneous" function. + +BUF_MEM *BUF_MEM_new() + +This allocates a new buffer of zero size. Returns the buffer or NULL on error. + +void BUF_MEM_free(BUF_MEM *a) + +This frees up an already existing buffer. The data is zeroed before freeing +up in case the buffer contains sensitive data. + +int BUF_MEM_grow(BUF_MEM *str, int len) + +This changes the size of an already existing buffer. It returns zero on error +or the new size (i.e. 'len'). Any data already in the buffer is preserved if +it increases in size. + +char * BUF_strdup(char *str) + +This is the previously mentioned strdup function: like the standard library +strdup() it copies a null terminated string into a block of allocated memory +and returns a pointer to the allocated block. + +Unlike the standard C library strdup() this function uses Malloc() and so +should be used in preference to the standard library strdup() because it can +be used for memory leak checking or replacing the malloc() function. + +The memory allocated from BUF_strdup() should be freed up using the Free() +function. + +============================================================================== + OpenSSL X509V3 extension configuration +============================================================================== + +OpenSSL X509V3 extension configuration: preliminary documentation. + +INTRODUCTION. + +For OpenSSL 0.9.2 the extension code has be considerably enhanced. It is now +possible to add and print out common X509 V3 certificate and CRL extensions. + +BEGINNERS NOTE + +For most simple applications you don't need to know too much about extensions: +the default openssl.cnf values will usually do sensible things. + +If you want to know more you can initially quickly look through the sections +describing how the standard OpenSSL utilities display and add extensions and +then the list of supported extensions. + +For more technical information about the meaning of extensions see: + +http://www.imc.org/ietf-pkix/ +http://home.netscape.com/eng/security/certs.html + +PRINTING EXTENSIONS. + +Extension values are automatically printed out for supported extensions. + +openssl x509 -in cert.pem -text +openssl crl -in crl.pem -text + +will give information in the extension printout, for example: + + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15 + X509v3 Authority Key Identifier: + keyid:73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15, DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/Email=email@1.address/Email=email@2.address, serial:00 + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Alternative Name: + email:email@1.address, email:email@2.address + +CONFIGURATION FILES. + +The OpenSSL utilities 'ca' and 'req' can now have extension sections listing +which certificate extensions to include. In each case a line: + +x509_extensions = extension_section + +indicates which section contains the extensions. In the case of 'req' the +extension section is used when the -x509 option is present to create a +self signed root certificate. + +The 'x509' utility also supports extensions when it signs a certificate. +The -extfile option is used to set the configuration file containing the +extensions. In this case a line with: + +extensions = extension_section + +in the nameless (default) section is used. If no such line is included then +it uses the default section. + +You can also add extensions to CRLs: a line + +crl_extensions = crl_extension_section + +will include extensions when the -gencrl option is used with the 'ca' utility. +You can add any extension to a CRL but of the supported extensions only +issuerAltName and authorityKeyIdentifier make any real sense. Note: these are +CRL extensions NOT CRL *entry* extensions which cannot currently be generated. +CRL entry extensions can be displayed. + +NB. At this time Netscape Communicator rejects V2 CRLs: to get an old V1 CRL +you should not include a crl_extensions line in the configuration file. + +As with all configuration files you can use the inbuilt environment expansion +to allow the values to be passed in the environment. Therefore if you have +several extension sections used for different purposes you can have a line: + +x509_extensions = $ENV::ENV_EXT + +and set the ENV_EXT environment variable before calling the relevant utility. + +EXTENSION SYNTAX. + +Extensions have the basic form: + +extension_name=[critical,] extension_options + +the use of the critical option makes the extension critical. Extreme caution +should be made when using the critical flag. If an extension is marked +as critical then any client that does not understand the extension should +reject it as invalid. Some broken software will reject certificates which +have *any* critical extensions (these violates PKIX but we have to live +with it). + +There are three main types of extension: string extensions, multi-valued +extensions, and raw extensions. + +String extensions simply have a string which contains either the value itself +or how it is obtained. + +For example: + +nsComment="This is a Comment" + +Multi-valued extensions have a short form and a long form. The short form +is a list of names and values: + +basicConstraints=critical,CA:true,pathlen:1 + +The long form allows the values to be placed in a separate section: + +basicConstraints=critical,@bs_section + +[bs_section] + +CA=true +pathlen=1 + +Both forms are equivalent. However it should be noted that in some cases the +same name can appear multiple times, for example, + +subjectAltName=email:steve@here,email:steve@there + +in this case an equivalent long form is: + +subjectAltName=@alt_section + +[alt_section] + +email.1=steve@here +email.2=steve@there + +This is because the configuration file code cannot handle the same name +occurring twice in the same extension. + +The syntax of raw extensions is governed by the extension code: it can +for example contain data in multiple sections. The correct syntax to +use is defined by the extension code itself: check out the certificate +policies extension for an example. + +In addition it is also possible to use the word DER to include arbitrary +data in any extension. + +1.2.3.4=critical,DER:01:02:03:04 +1.2.3.4=DER:01020304 + +The value following DER is a hex dump of the DER encoding of the extension +Any extension can be placed in this form to override the default behaviour. +For example: + +basicConstraints=critical,DER:00:01:02:03 + +WARNING: DER should be used with caution. It is possible to create totally +invalid extensions unless care is taken. + +CURRENTLY SUPPORTED EXTENSIONS. + +If you aren't sure about extensions then they can be largely ignored: its only +when you want to do things like restrict certificate usage when you need to +worry about them. + +The only extension that a beginner might want to look at is Basic Constraints. +If in addition you want to try Netscape object signing the you should also +look at Netscape Certificate Type. + +Literal String extensions. + +In each case the 'value' of the extension is placed directly in the +extension. Currently supported extensions in this category are: nsBaseUrl, +nsRevocationUrl, nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl, +nsSslServerName and nsComment. + +For example: + +nsComment="This is a test comment" + +Bit Strings. + +Bit string extensions just consist of a list of supported bits, currently +two extensions are in this category: PKIX keyUsage and the Netscape specific +nsCertType. + +nsCertType (netscape certificate type) takes the flags: client, server, email, +objsign, reserved, sslCA, emailCA, objCA. + +keyUsage (PKIX key usage) takes the flags: digitalSignature, nonRepudiation, +keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, +encipherOnly, decipherOnly. + +For example: + +nsCertType=server + +keyUsage=digitalSignature, nonRepudiation + +Hints on Netscape Certificate Type. + +Other than Basic Constraints this is the only extension a beginner might +want to use, if you want to try Netscape object signing, otherwise it can +be ignored. + +If you want a certificate that can be used just for object signing then: + +nsCertType=objsign + +will do the job. If you want to use it as a normal end user and server +certificate as well then + +nsCertType=objsign,email,server + +is more appropriate. You cannot use a self signed certificate for object +signing (well Netscape signtool can but it cheats!) so you need to create +a CA certificate and sign an end user certificate with it. + +Side note: If you want to conform to the Netscape specifications then you +should really also set: + +nsCertType=objCA + +in the *CA* certificate for just an object signing CA and + +nsCertType=objCA,emailCA,sslCA + +for everything. Current Netscape software doesn't enforce this so it can +be omitted. + +Basic Constraints. + +This is generally the only extension you need to worry about for simple +applications. If you want your certificate to be usable as a CA certificate +(in addition to an end user certificate) then you set this to: + +basicConstraints=CA:TRUE + +if you want to be certain the certificate cannot be used as a CA then do: + +basicConstraints=CA:FALSE + +The rest of this section describes more advanced usage. + +Basic constraints is a multi-valued extension that supports a CA and an +optional pathlen option. The CA option takes the values true and false and +pathlen takes an integer. Note if the CA option is false the pathlen option +should be omitted. + +The pathlen parameter indicates the maximum number of CAs that can appear +below this one in a chain. So if you have a CA with a pathlen of zero it can +only be used to sign end user certificates and not further CAs. This all +assumes that the software correctly interprets this extension of course. + +Examples: + +basicConstraints=CA:TRUE +basicConstraints=critical,CA:TRUE, pathlen:0 + +NOTE: for a CA to be considered valid it must have the CA option set to +TRUE. An end user certificate MUST NOT have the CA value set to true. +According to PKIX recommendations it should exclude the extension entirely, +however some software may require CA set to FALSE for end entity certificates. + +Subject Key Identifier. + +This is really a string extension and can take two possible values. Either +a hex string giving details of the extension value to include or the word +'hash' which then automatically follow PKIX guidelines in selecting and +appropriate key identifier. The use of the hex string is strongly discouraged. + +Example: subjectKeyIdentifier=hash + +Authority Key Identifier. + +The authority key identifier extension permits two options. keyid and issuer: +both can take the optional value "always". + +If the keyid option is present an attempt is made to copy the subject key +identifier from the parent certificate. If the value "always" is present +then an error is returned if the option fails. + +The issuer option copies the issuer and serial number from the issuer +certificate. Normally this will only be done if the keyid option fails or +is not included: the "always" flag will always include the value. + +Subject Alternative Name. + +The subject alternative name extension allows various literal values to be +included in the configuration file. These include "email" (an email address) +"URI" a uniform resource indicator, "DNS" (a DNS domain name), RID (a +registered ID: OBJECT IDENTIFIER) and IP (and IP address). + +Also the email option include a special 'copy' value. This will automatically +include and email addresses contained in the certificate subject name in +the extension. + +Examples: + +subjectAltName=email:copy,email:my@other.address,URL:http://my.url.here/ +subjectAltName=email:my@other.address,RID:1.2.3.4 + +Issuer Alternative Name. + +The issuer alternative name option supports all the literal options of +subject alternative name. It does *not* support the email:copy option because +that would not make sense. It does support an additional issuer:copy option +that will copy all the subject alternative name values from the issuer +certificate (if possible). + +CRL distribution points. + +This is a multi-valued extension that supports all the literal options of +subject alternative name. Of the few software packages that currently interpret +this extension most only interpret the URI option. + +Currently each option will set a new DistributionPoint with the fullName +field set to the given value. + +Other fields like cRLissuer and reasons cannot currently be set or displayed: +at this time no examples were available that used these fields. + +If you see this extension with when you attempt to print it out +or it doesn't appear to display correctly then let me know, including the +certificate (mail me at steve@openssl.org) . + +Examples: + +crlDistributionPoints=URI:http://www.myhost.com/myca.crl +crlDistributionPoints=URI:http://www.my.com/my.crl,URI:http://www.oth.com/my.crl + +Certificate Policies. + +This is a RAW extension. It attempts to display the contents of this extension: +unfortunately this extension is often improperly encoded. + +The certificate policies extension will rarely be used in practice: few +software packages interpret it correctly or at all. IE5 does partially +support this extension: but it needs the 'ia5org' option because it will +only correctly support a broken encoding. Of the options below only the +policy OID, explicitText and CPS options are displayed with IE5. + +All the fields of this extension can be set by using the appropriate syntax. + +If you follow the PKIX recommendations of not including any qualifiers and just +using only one OID then you just include the value of that OID. Multiple OIDs +can be set separated by commas, for example: + +certificatePolicies= 1.2.4.5, 1.1.3.4 + +If you wish to include qualifiers then the policy OID and qualifiers need to +be specified in a separate section: this is done by using the @section syntax +instead of a literal OID value. + +The section referred to must include the policy OID using the name +policyIdentifier, cPSuri qualifiers can be included using the syntax: + +CPS.nnn=value + +userNotice qualifiers can be set using the syntax: + +userNotice.nnn=@notice + +The value of the userNotice qualifier is specified in the relevant section. +This section can include explicitText, organization and noticeNumbers +options. explicitText and organization are text strings, noticeNumbers is a +comma separated list of numbers. The organization and noticeNumbers options +(if included) must BOTH be present. If you use the userNotice option with IE5 +then you need the 'ia5org' option at the top level to modify the encoding: +otherwise it will not be interpreted properly. + +Example: + +certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect + +[polsect] + +policyIdentifier = 1.3.5.8 +CPS.1="http://my.host.name/" +CPS.2="http://my.your.name/" +userNotice.1=@notice + +[notice] + +explicitText="Explicit Text Here" +organization="Organisation Name" +noticeNumbers=1,2,3,4 + +TECHNICAL NOTE: the ia5org option changes the type of the 'organization' field, +according to PKIX it should be of type DisplayText but Verisign uses an +IA5STRING and IE5 needs this too. + +Display only extensions. + +Some extensions are only partially supported and currently are only displayed +but cannot be set. These include private key usage period, CRL number, and +CRL reason. + +============================================================================== + X509V3 Extension code: programmers guide +============================================================================== + +The purpose of the extension code is twofold. It allows an extension to be +created from a string or structure describing its contents and it prints out an +extension in a human or machine readable form. + +1. Initialisation and cleanup. + +X509V3_add_standard_extensions(); + +This function should be called before any other extension code. It adds support +for some common PKIX and Netscape extensions. Additional custom extensions can +be added as well (see later). + +void X509V3_EXT_cleanup(void); + +This function should be called last to cleanup the extension code. After this +call no other extension calls should be made. + +2. Printing and parsing extensions. + +The simplest way to print out extensions is via the standard X509 printing +routines: if you use the standard X509_print() function, the supported +extensions will be printed out automatically. + +The following functions allow finer control over extension display: + +int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent); +int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent); + +These two functions print out an individual extension to a BIO or FILE pointer. +Currently the flag argument is unused and should be set to 0. The 'indent' +argument is the number of spaces to indent each line. + +void *X509V3_EXT_d2i(X509_EXTENSION *ext); + +This function parses an extension and returns its internal structure. The +precise structure you get back depends on the extension being parsed. If the +extension if basicConstraints you will get back a pointer to a +BASIC_CONSTRAINTS structure. Check out the source in crypto/x509v3 for more +details about the structures returned. The returned structure should be freed +after use using the relevant free function, BASIC_CONSTRAINTS_free() for +example. + +3. Generating extensions. + +An extension will typically be generated from a configuration file, or some +other kind of configuration database. + +int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, + X509 *cert); +int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, + X509_CRL *crl); + +These functions add all the extensions in the given section to the given +certificate or CRL. They will normally be called just before the certificate +or CRL is due to be signed. Both return 0 on error on non zero for success. + +In each case 'conf' is the LHASH pointer of the configuration file to use +and 'section' is the section containing the extension details. + +See the 'context functions' section for a description of the ctx paramater. + + +X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, + char *value); + +This function returns an extension based on a name and value pair, if the +pair will not need to access other sections in a config file (or there is no +config file) then the 'conf' parameter can be set to NULL. + +X509_EXTENSION *X509V3_EXT_conf_nid(char *conf, X509V3_CTX *ctx, int nid, + char *value); + +This function creates an extension in the same way as X509V3_EXT_conf() but +takes the NID of the extension rather than its name. + +For example to produce basicConstraints with the CA flag and a path length of +10: + +x = X509V3_EXT_conf_nid(NULL, NULL, NID_basicConstraints, "CA:TRUE,pathlen:10"); + + +X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc); + +This function sets up an extension from its internal structure. The ext_nid +parameter is the NID of the extension and 'crit' is the critical flag. + +4. Context functions. + +The following functions set and manipulate an extension context structure. +The purpose of the extension context is to allow the extension code to +access various structures relating to the "environment" of the certificate: +for example the issuers certificate or the certificate request. + +void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject, + X509_REQ *req, X509_CRL *crl, int flags); + +This function sets up an X509V3_CTX structure with details of the certificate +environment: specifically the issuers certificate, the subject certificate, +the certificate request and the CRL: if these are not relevant or not +available then they can be set to NULL. The 'flags' parameter should be set +to zero. + +X509V3_set_ctx_test(ctx) + +This macro is used to set the 'ctx' structure to a 'test' value: this is to +allow the syntax of an extension (or configuration file) to be tested. + +X509V3_set_ctx_nodb(ctx) + +This macro is used when no configuration database is present. + +void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash); + +This function is used to set the configuration database when it is an LHASH +structure: typically a configuration file. + +The following functions are used to access a configuration database: they +should only be used in RAW extensions. + +char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section); + +This function returns the value of the parameter "name" in "section", or NULL +if there has been an error. + +void X509V3_string_free(X509V3_CTX *ctx, char *str); + +This function frees up the string returned by the above function. + +STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section); + +This function returns a whole section as a STACK_OF(CONF_VALUE) . + +void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section); + +This function frees up the STACK returned by the above function. + +Note: it is possible to use the extension code with a custom configuration +database. To do this the "db_meth" element of the X509V3_CTX structure should +be set to an X509V3_CTX_METHOD structure. This structure contains the following +function pointers: + +char * (*get_string)(void *db, char *section, char *value); +STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section); +void (*free_string)(void *db, char * string); +void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section); + +these will be called and passed the 'db' element in the X509V3_CTX structure +to access the database. If a given function is not implemented or not required +it can be set to NULL. + +5. String helper functions. + +There are several "i2s" and "s2i" functions that convert structures to and +from ASCII strings. In all the "i2s" cases the returned string should be +freed using Free() after use. Since some of these are part of other extension +code they may take a 'method' parameter. Unless otherwise stated it can be +safely set to NULL. + +char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct); + +This returns a hex string from an ASN1_OCTET_STRING. + +char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint); +char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint); + +These return a string decimal representations of an ASN1_INTEGER and an +ASN1_ENUMERATED type, respectively. + +ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, char *str); + +This converts an ASCII hex string to an ASN1_OCTET_STRING. + +ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value); + +This converts a decimal ASCII string into an ASN1_INTEGER. + +6. Multi valued extension helper functions. + +The following functions can be used to manipulate STACKs of CONF_VALUE +structures, as used by multi valued extensions. + +int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool); + +This function expects a boolean value in 'value' and sets 'asn1_bool' to +it. That is it sets it to 0 for FALSE or 0xff for TRUE. The following +strings are acceptable: "TRUE", "true", "Y", "y", "YES", "yes", "FALSE" +"false", "N", "n", "NO" or "no". + +int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint); + +This accepts a decimal integer of arbitrary length and sets an ASN1_INTEGER. + +int X509V3_add_value(const char *name, const char *value, + STACK_OF(CONF_VALUE) **extlist); + +This simply adds a string name and value pair. + +int X509V3_add_value_uchar(const char *name, const unsigned char *value, + STACK_OF(CONF_VALUE) **extlist); + +The same as above but for an unsigned character value. + +int X509V3_add_value_bool(const char *name, int asn1_bool, + STACK_OF(CONF_VALUE) **extlist); + +This adds either "TRUE" or "FALSE" depending on the value of 'ans1_bool' + +int X509V3_add_value_bool_nf(char *name, int asn1_bool, + STACK_OF(CONF_VALUE) **extlist); + +This is the same as above except it adds nothing if asn1_bool is FALSE. + +int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, + STACK_OF(CONF_VALUE) **extlist); + +This function adds the value of the ASN1_INTEGER in decimal form. + +7. Other helper functions. + + + +ADDING CUSTOM EXTENSIONS. + +Currently there are three types of supported extensions. + +String extensions are simple strings where the value is placed directly in the +extensions, and the string returned is printed out. + +Multi value extensions are passed a STACK_OF(CONF_VALUE) name and value pairs +or return a STACK_OF(CONF_VALUE). + +Raw extensions are just passed a BIO or a value and it is the extensions +responsiblity to handle all the necessary printing. + +There are two ways to add an extension. One is simply as an alias to an already +existing extension. An alias is an extension that is identical in ASN1 structure +to an existing extension but has a different OBJECT IDENTIFIER. This can be +done by calling: + +int X509V3_EXT_add_alias(int nid_to, int nid_from); + +'nid_to' is the new extension NID and 'nid_from' is the already existing +extension NID. + +Alternatively an extension can be written from scratch. This involves writing +the ASN1 code to encode and decode the extension and functions to print out and +generate the extension from strings. The relevant functions are then placed in +a X509V3_EXT_METHOD structure and int X509V3_EXT_add(X509V3_EXT_METHOD *ext); +called. + +The X509V3_EXT_METHOD structure is described below. + +strut { +int ext_nid; +int ext_flags; +X509V3_EXT_NEW ext_new; +X509V3_EXT_FREE ext_free; +X509V3_EXT_D2I d2i; +X509V3_EXT_I2D i2d; +X509V3_EXT_I2S i2s; +X509V3_EXT_S2I s2i; +X509V3_EXT_I2V i2v; +X509V3_EXT_V2I v2i; +X509V3_EXT_R2I r2i; +X509V3_EXT_I2R i2r; + +void *usr_data; +}; + +The elements have the following meanings. + +ext_nid is the NID of the object identifier of the extension. + +ext_flags is set of flags. Currently the only external flag is + X509V3_EXT_MULTILINE which means a multi valued extensions + should be printed on separate lines. + +usr_data is an extension specific pointer to any relevant data. This + allows extensions to share identical code but have different + uses. An example of this is the bit string extension which uses + usr_data to contain a list of the bit names. + +All the remaining elements are function pointers. + +ext_new is a pointer to a function that allocates memory for the + extension ASN1 structure: for example ASN1_OBJECT_new(). + +ext_free is a pointer to a function that free up memory of the extension + ASN1 structure: for example ASN1_OBJECT_free(). + +d2i is the standard ASN1 function that converts a DER buffer into + the internal ASN1 structure: for example d2i_ASN1_IA5STRING(). + +i2d is the standard ASN1 function that converts the internal + structure into the DER representation: for example + i2d_ASN1_IA5STRING(). + +The remaining functions are depend on the type of extension. One i2X and +one X2i should be set and the rest set to NULL. The types set do not need +to match up, for example the extension could be set using the multi valued +v2i function and printed out using the raw i2r. + +All functions have the X509V3_EXT_METHOD passed to them in the 'method' +parameter and an X509V3_CTX structure. Extension code can then access the +parent structure via the 'method' parameter to for example make use of the value +of usr_data. If the code needs to use detail relating to the request it can +use the 'ctx' parameter. + +A note should be given here about the 'flags' member of the 'ctx' parameter. +If it has the value CTX_TEST then the configuration syntax is being checked +and no actual certificate or CRL exists. Therefore any attempt in the config +file to access such information should silently succeed. If the syntax is OK +then it should simply return a (possibly bogus) extension, otherwise it +should return NULL. + +char *i2s(struct v3_ext_method *method, void *ext); + +This function takes the internal structure in the ext parameter and returns +a Malloc'ed string representing its value. + +void * s2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str); + +This function takes the string representation in the ext parameter and returns +an allocated internal structure: ext_free() will be used on this internal +structure after use. + +i2v and v2i handle a STACK_OF(CONF_VALUE): + +typedef struct +{ + char *section; + char *name; + char *value; +} CONF_VALUE; + +Only the name and value members are currently used. + +STACK_OF(CONF_VALUE) * i2v(struct v3_ext_method *method, void *ext); + +This function is passed the internal structure in the ext parameter and +returns a STACK of CONF_VALUE structures. The values of name, value, +section and the structure itself will be freed up with Free after use. +Several helper functions are available to add values to this STACK. + +void * v2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, + STACK_OF(CONF_VALUE) *values); + +This function takes a STACK_OF(CONF_VALUE) structures and should set the +values of the external structure. This typically uses the name element to +determine which structure element to set and the value element to determine +what to set it to. Several helper functions are available for this +purpose (see above). + +int i2r(struct v3_ext_method *method, void *ext, BIO *out, int indent); + +This function is passed the internal extension structure in the ext parameter +and sends out a human readable version of the extension to out. The 'indent' +paremeter should be noted to determine the necessary amount of indentation +needed on the output. + +void * r2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str); + +This is just passed the string representation of the extension. It is intended +to be used for more elaborate extensions where the standard single and multi +valued options are insufficient. They can use the 'ctx' parameter to parse the +configuration database themselves. See the context functions section for details +of how to do this. + +Note: although this type takes the same parameters as the "r2s" function there +is a subtle difference. Whereas an "r2i" function can access a configuration +database an "s2i" function MUST NOT. This is so the internal code can safely +assume that an "s2i" function will work without a configuration database. + +============================================================================== + PKCS#12 Library +============================================================================== + +This section describes the internal PKCS#12 support. There are very few +differences between the old external library and the new internal code at +present. This may well change because the external library will not be updated +much in future. + +This version now includes a couple of high level PKCS#12 functions which +generally "do the right thing" and should make it much easier to handle PKCS#12 +structures. + +HIGH LEVEL FUNCTIONS. + +For most applications you only need concern yourself with the high level +functions. They can parse and generate simple PKCS#12 files as produced by +Netscape and MSIE or indeed any compliant PKCS#12 file containing a single +private key and certificate pair. + +1. Initialisation and cleanup. + +No special initialisation is needed for the internal PKCS#12 library: the +standard SSLeay_add_all_algorithms() is sufficient. If you do not wish to +add all algorithms (you should at least add SHA1 though) then you can manually +initialise the PKCS#12 library with: + +PKCS12_PBE_add(); + +The memory allocated by the PKCS#12 library is freed up when EVP_cleanup() is +called or it can be directly freed with: + +EVP_PBE_cleanup(); + +after this call (or EVP_cleanup() ) no more PKCS#12 library functions should +be called. + +2. I/O functions. + +i2d_PKCS12_bio(bp, p12) + +This writes out a PKCS12 structure to a BIO. + +i2d_PKCS12_fp(fp, p12) + +This is the same but for a FILE pointer. + +d2i_PKCS12_bio(bp, p12) + +This reads in a PKCS12 structure from a BIO. + +d2i_PKCS12_fp(fp, p12) + +This is the same but for a FILE pointer. + +3. Parsing and creation functions. + +3.1 Parsing with PKCS12_parse(). + +int PKCS12_parse(PKCS12 *p12, char *pass, EVP_PKEY **pkey, X509 **cert, + STACK **ca); + +This function takes a PKCS12 structure and a password (ASCII, null terminated) +and returns the private key, the corresponding certificate and any CA +certificates. If any of these is not required it can be passed as a NULL. +The 'ca' parameter should be either NULL, a pointer to NULL or a valid STACK +structure. Typically to read in a PKCS#12 file you might do: + +p12 = d2i_PKCS12_fp(fp, NULL); +PKCS12_parse(p12, password, &pkey, &cert, NULL); /* CAs not wanted */ +PKCS12_free(p12); + +3.2 PKCS#12 creation with PKCS12_create(). + +PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, + STACK *ca, int nid_key, int nid_cert, int iter, + int mac_iter, int keytype); + +This function will create a PKCS12 structure from a given password, name, +private key, certificate and optional STACK of CA certificates. The remaining +5 parameters can be set to 0 and sensible defaults will be used. + +The parameters nid_key and nid_cert are the key and certificate encryption +algorithms, iter is the encryption iteration count, mac_iter is the MAC +iteration count and keytype is the type of private key. If you really want +to know what these last 5 parameters do then read the low level section. + +Typically to create a PKCS#12 file the following could be used: + +p12 = PKCS12_create(pass, "My Certificate", pkey, cert, NULL, 0,0,0,0,0); +i2d_PKCS12_fp(fp, p12); +PKCS12_free(p12); + +LOW LEVEL FUNCTIONS. + +In some cases the high level functions do not provide the necessary +functionality. For example if you want to generate or parse more complex +PKCS#12 files. The sample pkcs12 application uses the low level functions +to display details about the internal structure of a PKCS#12 file. + +Introduction. + +This is a brief description of how a PKCS#12 file is represented internally: +some knowledge of PKCS#12 is assumed. + +A PKCS#12 object contains several levels. + +At the lowest level is a PKCS12_SAFEBAG. This can contain a certificate, a +CRL, a private key, encrypted or unencrypted, a set of safebags (so the +structure can be nested) or other secrets (not documented at present). +A safebag can optionally have attributes, currently these are: a unicode +friendlyName (a Unicode string) or a localKeyID (a string of bytes). + +At the next level is an authSafe which is a set of safebags collected into +a PKCS#7 ContentInfo. This can be just plain data, or encrypted itself. + +At the top level is the PKCS12 structure itself which contains a set of +authSafes in an embedded PKCS#7 Contentinfo of type data. In addition it +contains a MAC which is a kind of password protected digest to preserve +integrity (so any unencrypted stuff below can't be tampered with). + +The reason for these levels is so various objects can be encrypted in various +ways. For example you might want to encrypt a set of private keys with +triple-DES and then include the related certificates either unencrypted or +with lower encryption. Yes it's the dreaded crypto laws at work again which +allow strong encryption on private keys and only weak encryption on other +stuff. + +To build one of these things you turn all certificates and keys into safebags +(with optional attributes). You collect the safebags into (one or more) STACKS +and convert these into authsafes (encrypted or unencrypted). The authsafes +are collected into a STACK and added to a PKCS12 structure. Finally a MAC +inserted. + +Pulling one apart is basically the reverse process. The MAC is verified against +the given password. The authsafes are extracted and each authsafe split into +a set of safebags (possibly involving decryption). Finally the safebags are +decomposed into the original keys and certificates and the attributes used to +match up private key and certificate pairs. + +Anyway here are the functions that do the dirty work. + +1. Construction functions. + +1.1 Safebag functions. + +M_PKCS12_x5092certbag(x509) + +This macro takes an X509 structure and returns a certificate bag. The +X509 structure can be freed up after calling this function. + +M_PKCS12_x509crl2certbag(crl) + +As above but for a CRL. + +PKCS8_PRIV_KEY_INFO *PKEY2PKCS8(EVP_PKEY *pkey) + +Take a private key and convert it into a PKCS#8 PrivateKeyInfo structure. +Works for both RSA and DSA private keys. NB since the PKCS#8 PrivateKeyInfo +structure contains a private key data in plain text form it should be free'd +up as soon as it has been encrypted for security reasons (freeing up the +structure zeros out the sensitive data). This can be done with +PKCS8_PRIV_KEY_INFO_free(). + +PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage) + +This sets the key type when a key is imported into MSIE or Outlook 98. Two +values are currently supported: KEY_EX and KEY_SIG. KEY_EX is an exchange type +key that can also be used for signing but its size is limited in the export +versions of MS software to 512 bits, it is also the default. KEY_SIG is a +signing only key but the keysize is unlimited (well 16K is supposed to work). +If you are using the domestic version of MSIE then you can ignore this because +KEY_EX is not limited and can be used for both. + +PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8) + +Convert a PKCS8 private key structure into a keybag. This routine embeds the +p8 structure in the keybag so p8 should not be freed up or used after it is +called. The p8 structure will be freed up when the safebag is freed. + +PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8) + +Convert a PKCS#8 structure into a shrouded key bag (encrypted). p8 is not +embedded and can be freed up after use. + +int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen) +int PKCS12_add_friendlyname(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen) + +Add a local key id or a friendlyname to a safebag. + +1.2 Authsafe functions. + +PKCS7 *PKCS12_pack_p7data(STACK *sk) +Take a stack of safebags and convert them into an unencrypted authsafe. The +stack of safebags can be freed up after calling this function. + +PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, STACK *bags); + +As above but encrypted. + +1.3 PKCS12 functions. + +PKCS12 *PKCS12_init(int mode) + +Initialise a PKCS12 structure (currently mode should be NID_pkcs7_data). + +M_PKCS12_pack_authsafes(p12, safes) + +This macro takes a STACK of authsafes and adds them to a PKCS#12 structure. + +int PKCS12_set_mac(PKCS12 *p12, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, EVP_MD *md_type); + +Add a MAC to a PKCS12 structure. If EVP_MD is NULL use SHA-1, the spec suggests +that SHA-1 should be used. + +2. Extraction Functions. + +2.1 Safebags. + +M_PKCS12_bag_type(bag) + +Return the type of "bag". Returns one of the following + +NID_keyBag +NID_pkcs8ShroudedKeyBag 7 +NID_certBag 8 +NID_crlBag 9 +NID_secretBag 10 +NID_safeContentsBag 11 + +M_PKCS12_cert_bag_type(bag) + +Returns type of certificate bag, following are understood. + +NID_x509Certificate 14 +NID_sdsiCertificate 15 + +M_PKCS12_crl_bag_type(bag) + +Returns crl bag type, currently only NID_crlBag is recognised. + +M_PKCS12_certbag2x509(bag) + +This macro extracts an X509 certificate from a certificate bag. + +M_PKCS12_certbag2x509crl(bag) + +As above but for a CRL. + +EVP_PKEY * PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) + +Extract a private key from a PKCS8 private key info structure. + +M_PKCS12_decrypt_skey(bag, pass, passlen) + +Decrypt a shrouded key bag and return a PKCS8 private key info structure. +Works with both RSA and DSA keys + +char *PKCS12_get_friendlyname(bag) + +Returns the friendlyName of a bag if present or NULL if none. The returned +string is a null terminated ASCII string allocated with Malloc(). It should +thus be freed up with Free() after use. + +2.2 AuthSafe functions. + +M_PKCS12_unpack_p7data(p7) + +Extract a STACK of safe bags from a PKCS#7 data ContentInfo. + +#define M_PKCS12_unpack_p7encdata(p7, pass, passlen) + +As above but for an encrypted content info. + +2.3 PKCS12 functions. + +M_PKCS12_unpack_authsafes(p12) + +Extract a STACK of authsafes from a PKCS12 structure. + +M_PKCS12_mac_present(p12) + +Check to see if a MAC is present. + +int PKCS12_verify_mac(PKCS12 *p12, unsigned char *pass, int passlen) + +Verify a MAC on a PKCS12 structure. Returns an error if MAC not present. + + +Notes. + +1. All the function return 0 or NULL on error. +2. Encryption based functions take a common set of parameters. These are +described below. + +pass, passlen +ASCII password and length. The password on the MAC is called the "integrity +password" the encryption password is called the "privacy password" in the +PKCS#12 documentation. The passwords do not have to be the same. If -1 is +passed for the length it is worked out by the function itself (currently +this is sometimes done whatever is passed as the length but that may change). + +salt, saltlen +A 'salt' if salt is NULL a random salt is used. If saltlen is also zero a +default length is used. + +iter +Iteration count. This is a measure of how many times an internal function is +called to encrypt the data. The larger this value is the longer it takes, it +makes dictionary attacks on passwords harder. NOTE: Some implementations do +not support an iteration count on the MAC. If the password for the MAC and +encryption is the same then there is no point in having a high iteration +count for encryption if the MAC has no count. The MAC could be attacked +and the password used for the main decryption. + +pbe_nid +This is the NID of the password based encryption method used. The following are +supported. +NID_pbe_WithSHA1And128BitRC4 +NID_pbe_WithSHA1And40BitRC4 +NID_pbe_WithSHA1And3_Key_TripleDES_CBC +NID_pbe_WithSHA1And2_Key_TripleDES_CBC +NID_pbe_WithSHA1And128BitRC2_CBC +NID_pbe_WithSHA1And40BitRC2_CBC + +Which you use depends on the implementation you are exporting to. "Export +grade" (i.e. cryptographically challenged) products cannot support all +algorithms. Typically you may be able to use any encryption on shrouded key +bags but they must then be placed in an unencrypted authsafe. Other authsafes +may only support 40bit encryption. Of course if you are using SSLeay +throughout you can strongly encrypt everything and have high iteration counts +on everything. + +3. For decryption routines only the password and length are needed. + +4. Unlike the external version the nid's of objects are the values of the +constants: that is NID_certBag is the real nid, therefore there is no +PKCS12_obj_offset() function. Note the object constants are not the same as +those of the external version. If you use these constants then you will need +to recompile your code. + +5. With the exception of PKCS12_MAKE_KEYBAG(), after calling any function or +macro of the form PKCS12_MAKE_SOMETHING(other) the "other" structure can be +reused or freed up safely. + diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index a4661ebb68..299d2ae5d2 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -57,28 +57,20 @@ */ #include -#include "buffer.h" -#include "rand.h" -#include "objects.h" -#include "evp.h" +#include +#include +#include +#include #include "ssl_locl.h" -#define BREAK break - -#ifndef NOPROTO +static SSL_METHOD *ssl23_get_client_method(int ver); static int ssl23_client_hello(SSL *s); static int ssl23_get_server_hello(SSL *s); -#else -static int ssl23_client_hello(); -static int ssl23_get_server_hello(); -#endif - -static SSL_METHOD *ssl23_get_client_method(ver) -int ver; +static SSL_METHOD *ssl23_get_client_method(int ver) { if (ver == SSL2_VERSION) return(SSLv2_client_method()); - else if (ver == SSL3_VERSION) + if (ver == SSL3_VERSION) return(SSLv3_client_method()); else if (ver == TLS1_VERSION) return(TLSv1_client_method()); @@ -86,24 +78,23 @@ int ver; return(NULL); } -SSL_METHOD *SSLv23_client_method() +SSL_METHOD *SSLv23_client_method(void) { static int init=1; static SSL_METHOD SSLv23_client_data; if (init) { - init=0; memcpy((char *)&SSLv23_client_data, (char *)sslv23_base_method(),sizeof(SSL_METHOD)); SSLv23_client_data.ssl_connect=ssl23_connect; SSLv23_client_data.get_ssl_method=ssl23_get_client_method; + init=0; } return(&SSLv23_client_data); } -int ssl23_connect(s) -SSL *s; +int ssl23_connect(SSL *s) { BUF_MEM *buf; unsigned long Time=time(NULL); @@ -111,7 +102,7 @@ SSL *s; int ret= -1; int new_state,state; - RAND_seed((unsigned char *)&Time,sizeof(Time)); + RAND_seed(&Time,sizeof(Time)); ERR_clear_error(); clear_sys_error(); @@ -134,6 +125,13 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: + if (s->session != NULL) + { + SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE); + ret= -1; + goto end; + } + s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); /* s->version=TLS1_VERSION; */ @@ -159,7 +157,7 @@ SSL *s; ssl3_init_finished_mac(s); s->state=SSL23_ST_CW_CLNT_HELLO_A; - s->ctx->sess_connect++; + s->ctx->stats.sess_connect++; s->init_num=0; break; @@ -179,7 +177,7 @@ SSL *s; ret=ssl23_get_server_hello(s); if (ret >= 0) cb=NULL; goto end; - break; + /* break; */ default: SSLerr(SSL_F_SSL23_CONNECT,SSL_R_UNKNOWN_STATE); @@ -188,7 +186,7 @@ SSL *s; /* break; */ } - if (s->debug) BIO_flush(s->wbio); + if (s->debug) { (void)BIO_flush(s->wbio); } if ((cb != NULL) && (s->state != state)) { @@ -206,8 +204,7 @@ end: } -static int ssl23_client_hello(s) -SSL *s; +static int ssl23_client_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; @@ -236,16 +233,19 @@ SSL *s; { *(d++)=TLS1_VERSION_MAJOR; *(d++)=TLS1_VERSION_MINOR; + s->client_version=TLS1_VERSION; } else if (!(s->options & SSL_OP_NO_SSLv3)) { *(d++)=SSL3_VERSION_MAJOR; *(d++)=SSL3_VERSION_MINOR; + s->client_version=SSL3_VERSION; } else if (!(s->options & SSL_OP_NO_SSLv2)) { *(d++)=SSL2_VERSION_MAJOR; *(d++)=SSL2_VERSION_MINOR; + s->client_version=SSL2_VERSION; } else { @@ -303,8 +303,7 @@ SSL *s; return(ssl23_write_bytes(s)); } -static int ssl23_get_server_hello(s) -SSL *s; +static int ssl23_get_server_hello(SSL *s) { char buf[8]; unsigned char *p; @@ -443,7 +442,7 @@ SSL *s; } s->rwstate=SSL_NOTHING; - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,1000+p[6]); + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]); goto err; } else diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c index e16f641101..822a395837 100644 --- a/src/lib/libssl/s23_lib.c +++ b/src/lib/libssl/s23_lib.c @@ -57,28 +57,17 @@ */ #include -#include "objects.h" +#include #include "ssl_locl.h" -#ifndef NOPROTO static int ssl23_num_ciphers(void ); static SSL_CIPHER *ssl23_get_cipher(unsigned int u); -static int ssl23_read(SSL *s, char *buf, int len); -static int ssl23_write(SSL *s, char *buf, int len); +static int ssl23_read(SSL *s, void *buf, int len); +static int ssl23_write(SSL *s, const void *buf, int len); static long ssl23_default_timeout(void ); -static int ssl23_put_cipher_by_char(SSL_CIPHER *c, unsigned char *p); -static SSL_CIPHER *ssl23_get_cipher_by_char(unsigned char *p); -#else -static int ssl23_num_ciphers(); -static SSL_CIPHER *ssl23_get_cipher(); -static int ssl23_read(); -static int ssl23_write(); -static long ssl23_default_timeout(); -static int ssl23_put_cipher_by_char(); -static SSL_CIPHER *ssl23_get_cipher_by_char(); -#endif - -char *SSL23_version_str="SSLv2/3 compatablity part of SSLeay 0.7.0 30-Jan-1997"; +static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); +static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p); +char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT; static SSL_METHOD SSLv23_data= { TLS1_VERSION, @@ -88,10 +77,11 @@ static SSL_METHOD SSLv23_data= { ssl_undefined_function, ssl_undefined_function, ssl23_read, - ssl_undefined_function, + (int (*)(struct ssl_st *, char *, int))ssl_undefined_function, ssl23_write, ssl_undefined_function, ssl_undefined_function, + ssl_ok, ssl3_ctrl, ssl3_ctx_ctrl, ssl23_get_cipher_by_char, @@ -104,23 +94,22 @@ static SSL_METHOD SSLv23_data= { &ssl3_undef_enc_method, }; -static long ssl23_default_timeout() +static long ssl23_default_timeout(void) { return(300); } -SSL_METHOD *sslv23_base_method() +SSL_METHOD *sslv23_base_method(void) { return(&SSLv23_data); } -static int ssl23_num_ciphers() +static int ssl23_num_ciphers(void) { return(ssl3_num_ciphers()+ssl2_num_ciphers()); } -static SSL_CIPHER *ssl23_get_cipher(u) -unsigned int u; +static SSL_CIPHER *ssl23_get_cipher(unsigned int u) { unsigned int uu=ssl3_num_ciphers(); @@ -132,8 +121,7 @@ unsigned int u; /* This function needs to check if the ciphers required are actually * available */ -static SSL_CIPHER *ssl23_get_cipher_by_char(p) -unsigned char *p; +static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p) { SSL_CIPHER c,*cp; unsigned long id; @@ -149,9 +137,7 @@ unsigned char *p; return(cp); } -static int ssl23_put_cipher_by_char(c,p) -SSL_CIPHER *c; -unsigned char *p; +static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) { long l; @@ -166,10 +152,7 @@ unsigned char *p; return(3); } -static int ssl23_read(s,buf,len) -SSL *s; -char *buf; -int len; +static int ssl23_read(SSL *s, void *buf, int len) { int n; @@ -199,10 +182,7 @@ int len; } } -static int ssl23_write(s,buf,len) -SSL *s; -char *buf; -int len; +static int ssl23_write(SSL *s, const void *buf, int len) { int n; diff --git a/src/lib/libssl/s23_pkt.c b/src/lib/libssl/s23_pkt.c index c25c312772..8370ea508c 100644 --- a/src/lib/libssl/s23_pkt.c +++ b/src/lib/libssl/s23_pkt.c @@ -59,12 +59,11 @@ #include #include #define USE_SOCKETS -#include "evp.h" -#include "buffer.h" +#include +#include #include "ssl_locl.h" -int ssl23_write_bytes(s) -SSL *s; +int ssl23_write_bytes(SSL *s) { int i,num,tot; char *buf; @@ -76,7 +75,7 @@ SSL *s; { s->rwstate=SSL_WRITING; i=BIO_write(s->wbio,&(buf[tot]),num); - if (i < 0) + if (i <= 0) { s->init_off=tot; s->init_num=num; @@ -91,9 +90,7 @@ SSL *s; } /* only return when we have read 'n' bytes */ -int ssl23_read_bytes(s,n) -SSL *s; -int n; +int ssl23_read_bytes(SSL *s, int n) { unsigned char *p; int j; diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index c7b9ecbcf2..e4122f2d78 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c @@ -57,26 +57,19 @@ */ #include -#include "buffer.h" -#include "rand.h" -#include "objects.h" -#include "evp.h" +#include +#include +#include +#include #include "ssl_locl.h" -#define BREAK break - -#ifndef NOPROTO +static SSL_METHOD *ssl23_get_server_method(int ver); int ssl23_get_client_hello(SSL *s); -#else -int ssl23_get_client_hello(); -#endif - -static SSL_METHOD *ssl23_get_server_method(ver) -int ver; +static SSL_METHOD *ssl23_get_server_method(int ver) { if (ver == SSL2_VERSION) return(SSLv2_server_method()); - else if (ver == SSL3_VERSION) + if (ver == SSL3_VERSION) return(SSLv3_server_method()); else if (ver == TLS1_VERSION) return(TLSv1_server_method()); @@ -84,24 +77,23 @@ int ver; return(NULL); } -SSL_METHOD *SSLv23_server_method() +SSL_METHOD *SSLv23_server_method(void) { static int init=1; static SSL_METHOD SSLv23_server_data; if (init) { - init=0; memcpy((char *)&SSLv23_server_data, (char *)sslv23_base_method(),sizeof(SSL_METHOD)); SSLv23_server_data.ssl_accept=ssl23_accept; SSLv23_server_data.get_ssl_method=ssl23_get_server_method; + init=0; } return(&SSLv23_server_data); } -int ssl23_accept(s) -SSL *s; +int ssl23_accept(SSL *s) { BUF_MEM *buf; unsigned long Time=time(NULL); @@ -109,7 +101,7 @@ SSL *s; int ret= -1; int new_state,state; - RAND_seed((unsigned char *)&Time,sizeof(Time)); + RAND_seed(&Time,sizeof(Time)); ERR_clear_error(); clear_sys_error(); @@ -132,6 +124,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: + s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); /* s->version=SSL3_VERSION; */ @@ -155,7 +148,7 @@ SSL *s; ssl3_init_finished_mac(s); s->state=SSL23_ST_SR_CLNT_HELLO_A; - s->ctx->sess_accept++; + s->ctx->stats.sess_accept++; s->init_num=0; break; @@ -166,7 +159,7 @@ SSL *s; ret=ssl23_get_client_hello(s); if (ret >= 0) cb=NULL; goto end; - break; + /* break; */ default: SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE); @@ -191,8 +184,7 @@ end: } -int ssl23_get_client_hello(s) -SSL *s; +int ssl23_get_client_hello(SSL *s) { char buf_space[8]; char *buf= &(buf_space[0]); @@ -201,14 +193,16 @@ SSL *s; unsigned int csl,sil,cl; int n=0,j,tls1=0; int type=0,use_sslv2_strong=0; + int v[2]; /* read the initial header */ + v[0]=v[1]=0; if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { if (!ssl3_setup_buffers(s)) goto err; n=ssl23_read_bytes(s,7); - if (n != 7) return(n); + if (n != 7) return(n); /* n == -1 || n == 0 */ p=s->packet; @@ -219,12 +213,14 @@ SSL *s; /* SSLv2 header */ if ((p[3] == 0x00) && (p[4] == 0x02)) { + v[0]=p[3]; v[1]=p[4]; /* SSLv2 */ if (!(s->options & SSL_OP_NO_SSLv2)) type=1; } else if (p[3] == SSL3_VERSION_MAJOR) { + v[0]=p[3]; v[1]=p[4]; /* SSLv3/TLSv1 */ if (p[4] >= TLS1_VERSION_MINOR) { @@ -237,13 +233,19 @@ SSL *s; { s->state=SSL23_ST_SR_CLNT_HELLO_B; } + else if (!(s->options & SSL_OP_NO_SSLv2)) + { + type=1; + } } else if (!(s->options & SSL_OP_NO_SSLv3)) s->state=SSL23_ST_SR_CLNT_HELLO_B; + else if (!(s->options & SSL_OP_NO_SSLv2)) + type=1; if (s->options & SSL_OP_NON_EXPORT_FIRST) { - STACK *sk; + STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int ne2,ne3; @@ -274,10 +276,10 @@ SSL *s; if (sk != NULL) { ne2=ne3=0; - for (j=0; jalgorithms & SSL_EXP)) + c=sk_SSL_CIPHER_value(sk,j); + if (!SSL_C_IS_EXPORT(c)) { if ((c->id>>24L) == 2L) ne2=1; @@ -299,6 +301,7 @@ SSL *s; (p[1] == SSL3_VERSION_MAJOR) && (p[5] == SSL3_MT_CLIENT_HELLO)) { + v[0]=p[1]; v[1]=p[2]; /* true SSLv3 or tls1 */ if (p[2] >= TLS1_VERSION_MINOR) { @@ -313,15 +316,15 @@ SSL *s; else if (!(s->options & SSL_OP_NO_SSLv3)) type=3; } - else if ((strncmp("GET ", p,4) == 0) || - (strncmp("POST ",p,5) == 0) || - (strncmp("HEAD ",p,5) == 0) || - (strncmp("PUT ", p,4) == 0)) + else if ((strncmp("GET ", (char *)p,4) == 0) || + (strncmp("POST ",(char *)p,5) == 0) || + (strncmp("HEAD ",(char *)p,5) == 0) || + (strncmp("PUT ", (char *)p,4) == 0)) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTP_REQUEST); goto err; } - else if (strncmp("CONNECT",p,7) == 0) + else if (strncmp("CONNECT",(char *)p,7) == 0) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTPS_PROXY_REQUEST); goto err; @@ -387,7 +390,7 @@ next_bit: } s2n(j,dd); - /* compression */ + /* COMPRESSION */ *(d++)=1; *(d++)=0; @@ -478,6 +481,7 @@ next_bit: s->version=SSL3_VERSION; s->method=SSLv3_server_method(); } + s->client_version=(v[0]<<8)|v[1]; s->handshake_func=s->method->ssl_accept; } diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c index 6de62e1591..f3f27715d5 100644 --- a/src/lib/libssl/s3_both.c +++ b/src/lib/libssl/s3_both.c @@ -57,24 +57,15 @@ */ #include -#include "buffer.h" -#include "rand.h" -#include "objects.h" -#include "evp.h" -#include "x509.h" +#include +#include +#include +#include +#include #include "ssl_locl.h" -#define BREAK break - -/* SSL3err(SSL_F_SSL3_GET_FINISHED,SSL_R_EXCESSIVE_MESSAGE_SIZE); - */ - -int ssl3_send_finished(s,a,b,sender,slen) -SSL *s; -int a; -int b; -unsigned char *sender; -int slen; +int ssl3_send_finished(SSL *s, int a, int b, unsigned char *sender, + int slen) { unsigned char *p,*d; int i; @@ -92,6 +83,13 @@ int slen; p+=i; l=i; +#ifdef WIN16 + /* MSVC 1.5 does not clear the top bytes of the word unless + * I do this. + */ + l&=0xffff; +#endif + *(d++)=SSL3_MT_FINISHED; l2n3(l,d); s->init_num=(int)l+4; @@ -104,10 +102,7 @@ int slen; return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } -int ssl3_get_finished(s,a,b) -SSL *s; -int a; -int b; +int ssl3_get_finished(SSL *s, int a, int b) { int al,i,ok; long n; @@ -167,9 +162,7 @@ f_err: * ssl->session->read_compression assign * ssl->session->read_hash assign */ -int ssl3_send_change_cipher_spec(s,a,b) -SSL *s; -int a,b; +int ssl3_send_change_cipher_spec(SSL *s, int a, int b) { unsigned char *p; @@ -187,9 +180,7 @@ int a,b; return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC)); } -unsigned long ssl3_output_cert_chain(s,x) -SSL *s; -X509 *x; +unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) { unsigned char *p; int n,i; @@ -236,6 +227,23 @@ X509 *x; X509_STORE_CTX_cleanup(&xs_ctx); } + /* Thawte special :-) */ + if (s->ctx->extra_certs != NULL) + for (i=0; ictx->extra_certs); i++) + { + x=sk_X509_value(s->ctx->extra_certs,i); + n=i2d_X509(x,NULL); + if (!BUF_MEM_grow(buf,(int)(n+l+3))) + { + SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); + return(0); + } + p=(unsigned char *)&(buf->data[l]); + l2n3(n,p); + i2d_X509(x,&p); + l+=n+3; + } + l-=7; p=(unsigned char *)&(buf->data[4]); l2n3(l,p); @@ -247,11 +255,7 @@ X509 *x; return(l); } -long ssl3_get_message(s,st1,stn,mt,max,ok) -SSL *s; -int st1,stn,mt; -long max; -int *ok; +long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) { unsigned char *p; unsigned long l; @@ -275,9 +279,8 @@ int *ok; if (s->state == st1) { - i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE, - (char *)&(p[s->init_num]), - 4-s->init_num); + i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num], + 4-s->init_num); if (i < (4-s->init_num)) { *ok=0; @@ -315,8 +318,7 @@ int *ok; n=s->s3->tmp.message_size; if (n > 0) { - i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE, - (char *)&(p[s->init_num]),(int)n); + i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n); if (i != (int)n) { *ok=0; @@ -332,9 +334,7 @@ err: return(-1); } -int ssl_cert_type(x,pkey) -X509 *x; -EVP_PKEY *pkey; +int ssl_cert_type(X509 *x, EVP_PKEY *pkey) { EVP_PKEY *pk; int ret= -1,i,j; @@ -380,11 +380,11 @@ EVP_PKEY *pkey; ret= -1; err: + if(!pkey) EVP_PKEY_free(pk); return(ret); } -int ssl_verify_alarm_type(type) -long type; +int ssl_verify_alarm_type(long type) { int al; @@ -436,8 +436,7 @@ long type; return(al); } -int ssl3_setup_buffers(s) -SSL *s; +int ssl3_setup_buffers(SSL *s) { unsigned char *p; unsigned int extra; diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 940c6a458f..d3e6b4d1e5 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -57,23 +57,15 @@ */ #include -#include "buffer.h" -#include "rand.h" -#include "objects.h" -#include "evp.h" +#include +#include +#include +#include +#include +#include #include "ssl_locl.h" -#define BREAK break -/* SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE); - * SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); - * SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE); - * SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); - * SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); - * SSLerr(SSL_F_SSL3_GET_SERVER_DONE,ERR_R_MALLOC_FAILURE); -SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT); - */ - -#ifndef NOPROTO +static SSL_METHOD *ssl3_get_client_method(int ver); static int ssl3_client_hello(SSL *s); static int ssl3_get_server_hello(SSL *s); static int ssl3_get_certificate_request(SSL *s); @@ -85,22 +77,7 @@ static int ssl3_send_client_key_exchange(SSL *s); static int ssl3_get_key_exchange(SSL *s); static int ssl3_get_server_certificate(SSL *s); static int ssl3_check_cert_and_algorithm(SSL *s); -#else -static int ssl3_client_hello(); -static int ssl3_get_server_hello(); -static int ssl3_get_certificate_request(); -static int ca_dn_cmp(); -static int ssl3_get_server_done(); -static int ssl3_send_client_verify(); -static int ssl3_send_client_certificate(); -static int ssl3_send_client_key_exchange(); -static int ssl3_get_key_exchange(); -static int ssl3_get_server_certificate(); -static int ssl3_check_cert_and_algorithm(); -#endif - -static SSL_METHOD *ssl3_get_client_method(ver) -int ver; +static SSL_METHOD *ssl3_get_client_method(int ver) { if (ver == SSL3_VERSION) return(SSLv3_client_method()); @@ -108,7 +85,7 @@ int ver; return(NULL); } -SSL_METHOD *SSLv3_client_method() +SSL_METHOD *SSLv3_client_method(void) { static int init=1; static SSL_METHOD SSLv3_client_data; @@ -124,18 +101,16 @@ SSL_METHOD *SSLv3_client_method() return(&SSLv3_client_data); } -int ssl3_connect(s) -SSL *s; +int ssl3_connect(SSL *s) { BUF_MEM *buf; unsigned long Time=time(NULL),l; long num1; void (*cb)()=NULL; int ret= -1; - BIO *under; int new_state,state,skip=0;; - RAND_seed((unsigned char *)&Time,sizeof(Time)); + RAND_seed(&Time,sizeof(Time)); ERR_clear_error(); clear_sys_error(); @@ -156,13 +131,14 @@ SSL *s; case SSL_ST_RENEGOTIATE: s->new_session=1; s->state=SSL_ST_CONNECT; - s->ctx->sess_connect_renegotiate++; + s->ctx->stats.sess_connect_renegotiate++; /* break */ case SSL_ST_BEFORE: case SSL_ST_CONNECT: case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: + s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version & 0xff00 ) != 0x0300) @@ -195,7 +171,7 @@ SSL *s; ssl3_init_finished_mac(s); s->state=SSL3_ST_CW_CLNT_HELLO_A; - s->ctx->sess_connect++; + s->ctx->stats.sess_connect++; s->init_num=0; break; @@ -278,6 +254,7 @@ SSL *s; case SSL3_ST_CW_CERT_A: case SSL3_ST_CW_CERT_B: case SSL3_ST_CW_CERT_C: + case SSL3_ST_CW_CERT_D: ret=ssl3_send_client_certificate(s); if (ret <= 0) goto end; s->state=SSL3_ST_CW_KEY_EXCH_A; @@ -324,6 +301,11 @@ SSL *s; s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; + if (s->s3->tmp.new_compression == NULL) + s->session->compress_meth=0; + else + s->session->compress_meth= + s->s3->tmp.new_compression->id; if (!s->method->ssl3_enc->setup_key_block(s)) { ret= -1; @@ -399,38 +381,33 @@ SSL *s; /* clean a few things up */ ssl3_cleanup_key_block(s); - BUF_MEM_free(s->init_buf); - s->init_buf=NULL; - - if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) + if (s->init_buf != NULL) { - /* remove buffering */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - - BIO_free(s->bbio); - s->bbio=NULL; + BUF_MEM_free(s->init_buf); + s->init_buf=NULL; } - /* else do it later */ + + /* If we are not 'joining' the last two packets, + * remove the buffering now */ + if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) + ssl_free_wbio_buffer(s); + /* else do it later in ssl3_write */ s->init_num=0; s->new_session=0; ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); - if (s->hit) s->ctx->sess_hit++; + if (s->hit) s->ctx->stats.sess_hit++; ret=1; /* s->server=0; */ s->handshake_func=ssl3_connect; - s->ctx->sess_connect_good++; + s->ctx->stats.sess_connect_good++; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); goto end; - break; + /* break; */ default: SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); @@ -466,19 +443,20 @@ end: } -static int ssl3_client_hello(s) -SSL *s; +static int ssl3_client_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; - int i; + int i,j; unsigned long Time,l; + SSL_COMP *comp; buf=(unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { if ((s->session == NULL) || - (s->session->ssl_version != s->version)) + (s->session->ssl_version != s->version) || + (s->session->not_resumable)) { if (!ssl_get_new_session(s,0)) goto err; @@ -488,13 +466,14 @@ SSL *s; p=s->s3->client_random; Time=time(NULL); /* Time */ l2n(Time,p); - RAND_bytes(&(p[4]),SSL3_RANDOM_SIZE-sizeof(Time)); + RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); /* Do the message type and length last */ d=p= &(buf[4]); *(p++)=s->version>>8; *(p++)=s->version&0xff; + s->client_version=s->version; /* Random stuff */ memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); @@ -522,9 +501,18 @@ SSL *s; s2n(i,p); p+=i; - /* hardwire in the NULL compression algorithm. */ - *(p++)=1; - *(p++)=0; + /* COMPRESSION */ + if (s->ctx->comp_methods == NULL) + j=0; + else + j=sk_SSL_COMP_num(s->ctx->comp_methods); + *(p++)=1+j; + for (i=0; ictx->comp_methods,i); + *(p++)=comp->id; + } + *(p++)=0; /* Add the NULL method */ l=(p-d); d=buf; @@ -543,15 +531,15 @@ err: return(-1); } -static int ssl3_get_server_hello(s) -SSL *s; +static int ssl3_get_server_hello(SSL *s) { - STACK *sk; + STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; unsigned char *p,*d; int i,al,ok; unsigned int j; long n; + SSL_COMP *comp; n=ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, @@ -590,9 +578,18 @@ SSL *s; goto f_err; } } - if ((j != 0) && (j == s->session->session_id_length) && - (memcmp(p,s->session->session_id,j) == 0)) - s->hit=1; + if (j != 0 && j == s->session->session_id_length + && memcmp(p,s->session->session_id,j) == 0) + { + if(s->sid_ctx_length != s->session->sid_ctx_length + || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) + { + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); + goto f_err; + } + s->hit=1; + } else /* a miss or crap from the other end */ { /* If we were trying for session-id reuse, make a new @@ -621,7 +618,7 @@ SSL *s; p+=ssl_put_cipher_by_char(s,NULL,NULL); sk=ssl_get_ciphers_by_id(s); - i=sk_find(sk,(char *)c); + i=sk_SSL_CIPHER_find(sk,c); if (i < 0) { /* we did not say we would use this cipher */ @@ -643,13 +640,23 @@ SSL *s; s->s3->tmp.new_cipher=c; /* lets get the compression algorithm */ + /* COMPRESSION */ j= *(p++); - if (j != 0) + if (j == 0) + comp=NULL; + else + comp=ssl3_comp_find(s->ctx->comp_methods,j); + + if ((j != 0) && (comp == NULL)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); goto f_err; } + else + { + s->s3->tmp.new_compression=comp; + } if (p != (d+n)) { @@ -666,15 +673,14 @@ err: return(-1); } -static int ssl3_get_server_certificate(s) -SSL *s; +static int ssl3_get_server_certificate(SSL *s) { int al,i,ok,ret= -1; unsigned long n,nc,llen,l; X509 *x=NULL; unsigned char *p,*d,*q; - STACK *sk=NULL; - CERT *c; + STACK_OF(X509) *sk=NULL; + SESS_CERT *sc; EVP_PKEY *pkey=NULL; n=ssl3_get_message(s, @@ -704,7 +710,7 @@ SSL *s; } d=p=(unsigned char *)s->init_buf->data; - if ((sk=sk_new_null()) == NULL) + if ((sk=sk_X509_new_null()) == NULL) { SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto err; @@ -741,7 +747,7 @@ SSL *s; SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } - if (!sk_push(sk,(char *)x)) + if (!sk_X509_push(sk,x)) { SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto err; @@ -752,26 +758,26 @@ SSL *s; } i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) + if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); goto f_err; } - c=ssl_cert_new(); - if (c == NULL) goto err; + sc=ssl_sess_cert_new(); + if (sc == NULL) goto err; - if (s->session->cert) ssl_cert_free(s->session->cert); - s->session->cert=c; + if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); + s->session->sess_cert=sc; - c->cert_chain=sk; - x=(X509 *)sk_value(sk,0); + sc->cert_chain=sk; + x=sk_X509_value(sk,0); sk=NULL; pkey=X509_get_pubkey(x); - if (EVP_PKEY_missing_parameters(pkey)) + if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)) { x=NULL; al=SSL3_AL_FATAL; @@ -788,14 +794,16 @@ SSL *s; goto f_err; } - c->cert_type=i; + sc->peer_cert_type=i; CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); - if (c->pkeys[i].x509 != NULL) - X509_free(c->pkeys[i].x509); - c->pkeys[i].x509=x; - c->key= &(c->pkeys[i]); - - if ((s->session != NULL) && (s->session->peer != NULL)) + if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen? + * We just created sc a couple of + * lines ago. */ + X509_free(sc->peer_pkeys[i].x509); + sc->peer_pkeys[i].x509=x; + sc->peer_key= &(sc->peer_pkeys[i]); + + if (s->session->peer != NULL) X509_free(s->session->peer); CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); s->session->peer=x; @@ -809,13 +817,13 @@ f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); } err: - if (x != NULL) X509_free(x); - if (sk != NULL) sk_pop_free(sk,X509_free); + EVP_PKEY_free(pkey); + X509_free(x); + sk_X509_pop_free(sk,X509_free); return(ret); } -static int ssl3_get_key_exchange(s) -SSL *s; +static int ssl3_get_key_exchange(SSL *s) { #ifndef NO_RSA unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; @@ -825,7 +833,9 @@ SSL *s; int al,i,j,param_len,ok; long n,alg; EVP_PKEY *pkey=NULL; +#ifndef NO_RSA RSA *rsa=NULL; +#endif #ifndef NO_DH DH *dh=NULL; #endif @@ -847,26 +857,26 @@ SSL *s; param=p=(unsigned char *)s->init_buf->data; - if (s->session->cert != NULL) + if (s->session->sess_cert != NULL) { #ifndef NO_RSA - if (s->session->cert->rsa_tmp != NULL) + if (s->session->sess_cert->peer_rsa_tmp != NULL) { - RSA_free(s->session->cert->rsa_tmp); - s->session->cert->rsa_tmp=NULL; + RSA_free(s->session->sess_cert->peer_rsa_tmp); + s->session->sess_cert->peer_rsa_tmp=NULL; } #endif #ifndef NO_DH - if (s->session->cert->dh_tmp) + if (s->session->sess_cert->peer_dh_tmp) { - DH_free(s->session->cert->dh_tmp); - s->session->cert->dh_tmp=NULL; + DH_free(s->session->sess_cert->peer_dh_tmp); + s->session->sess_cert->peer_dh_tmp=NULL; } #endif } else { - s->session->cert=ssl_cert_new(); + s->session->sess_cert=ssl_sess_cert_new(); } param_len=0; @@ -911,16 +921,16 @@ SSL *s; p+=i; n-=param_len; -/* s->session->cert->rsa_tmp=rsa;*/ /* this should be because we are using an export cipher */ if (alg & SSL_aRSA) - pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509); + pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); else { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); goto err; } - s->session->cert->rsa_tmp=rsa; + s->session->sess_cert->peer_rsa_tmp=rsa; + rsa=NULL; } else #endif @@ -980,16 +990,17 @@ SSL *s; #ifndef NO_RSA if (alg & SSL_aRSA) - pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509); + pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); else #endif #ifndef NO_DSA if (alg & SSL_aDSS) - pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_DSA_SIGN].x509); + pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); #endif /* else anonymous DH, so no certificate or pkey. */ - s->session->cert->dh_tmp=dh; + s->session->sess_cert->peer_dh_tmp=dh; + dh=NULL; } else if ((alg & SSL_kDHr) || (alg & SSL_kDHd)) { @@ -998,6 +1009,13 @@ SSL *s; goto f_err; } #endif + if (alg & SSL_aFZA) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); + goto f_err; + } + /* p points to the next byte, there are 'n' bytes left */ @@ -1014,7 +1032,7 @@ SSL *s; /* wrong packet length */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); - goto err; + goto f_err; } #ifndef NO_RSA @@ -1091,23 +1109,31 @@ SSL *s; goto f_err; } } - + EVP_PKEY_free(pkey); return(1); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: + EVP_PKEY_free(pkey); +#ifndef NO_RSA + if (rsa != NULL) + RSA_free(rsa); +#endif +#ifndef NO_DH + if (dh != NULL) + DH_free(dh); +#endif return(-1); } -static int ssl3_get_certificate_request(s) -SSL *s; +static int ssl3_get_certificate_request(SSL *s) { int ok,ret=0; unsigned long n,nc,l; unsigned int llen,ctype_num,i; X509_NAME *xn=NULL; unsigned char *p,*d,*q; - STACK *ca_sk=NULL; + STACK_OF(X509_NAME) *ca_sk=NULL; n=ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A, @@ -1151,7 +1177,7 @@ SSL *s; d=p=(unsigned char *)s->init_buf->data; - if ((ca_sk=sk_new(ca_dn_cmp)) == NULL) + if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) { SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); goto err; @@ -1167,6 +1193,15 @@ SSL *s; /* get the CA RDNs */ n2s(p,llen); +#if 0 +{ +FILE *out; +out=fopen("/tmp/vsign.der","w"); +fwrite(p,1,llen,out); +fclose(out); +} +#endif + if ((llen+ctype_num+2+1) != n) { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); @@ -1207,7 +1242,7 @@ SSL *s; SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); goto err; } - if (!sk_push(ca_sk,(char *)xn)) + if (!sk_X509_NAME_push(ca_sk,xn)) { SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); goto err; @@ -1227,24 +1262,22 @@ cont: s->s3->tmp.cert_req=1; s->s3->tmp.ctype_num=ctype_num; if (s->s3->tmp.ca_names != NULL) - sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); s->s3->tmp.ca_names=ca_sk; ca_sk=NULL; ret=1; err: - if (ca_sk != NULL) sk_pop_free(ca_sk,X509_NAME_free); + if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); return(ret); } -static int ca_dn_cmp(a,b) -X509_NAME **a,**b; +static int ca_dn_cmp(X509_NAME **a, X509_NAME **b) { return(X509_NAME_cmp(*a,*b)); } -static int ssl3_get_server_done(s) -SSL *s; +static int ssl3_get_server_done(SSL *s) { int ok,ret=0; long n; @@ -1267,13 +1300,15 @@ SSL *s; return(ret); } -static int ssl3_send_client_key_exchange(s) -SSL *s; +static int ssl3_send_client_key_exchange(SSL *s) { - unsigned char *p,*q,*d; + unsigned char *p,*d; int n; unsigned long l; +#ifndef NO_RSA + unsigned char *q; EVP_PKEY *pkey=NULL; +#endif if (s->state == SSL3_ST_CW_KEY_EXCH_A) { @@ -1286,13 +1321,13 @@ SSL *s; if (l & SSL_kRSA) { RSA *rsa; - unsigned char tmp_buf[48]; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; - if (s->session->cert->rsa_tmp != NULL) - rsa=s->session->cert->rsa_tmp; + if (s->session->sess_cert->peer_rsa_tmp != NULL) + rsa=s->session->sess_cert->peer_rsa_tmp; else { - pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509); + pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) @@ -1301,10 +1336,11 @@ SSL *s; goto err; } rsa=pkey->pkey.rsa; + EVP_PKEY_free(pkey); } - tmp_buf[0]=s->version>>8; - tmp_buf[1]=s->version&0xff; + tmp_buf[0]=s->client_version>>8; + tmp_buf[1]=s->client_version&0xff; RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2); s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH; @@ -1315,6 +1351,10 @@ SSL *s; p+=2; n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH, tmp_buf,p,rsa,RSA_PKCS1_PADDING); +#ifdef PKCS1_CHECK + if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; + if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; +#endif if (n <= 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); @@ -1331,8 +1371,8 @@ SSL *s; s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, - tmp_buf,48); - memset(tmp_buf,0,48); + tmp_buf,SSL_MAX_MASTER_KEY_LENGTH); + memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH); } else #endif @@ -1341,8 +1381,8 @@ SSL *s; { DH *dh_srvr,*dh_clnt; - if (s->session->cert->dh_tmp != NULL) - dh_srvr=s->session->cert->dh_tmp; + if (s->session->sess_cert->peer_dh_tmp != NULL) + dh_srvr=s->session->sess_cert->peer_dh_tmp; else { /* we get them from the cert */ @@ -1414,13 +1454,14 @@ err: return(-1); } -static int ssl3_send_client_verify(s) -SSL *s; +static int ssl3_send_client_verify(SSL *s) { unsigned char *p,*d; unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; EVP_PKEY *pkey; +#ifndef NO_RSA int i=0; +#endif unsigned long n; #ifndef NO_DSA int j; @@ -1485,8 +1526,7 @@ err: return(-1); } -static int ssl3_send_client_certificate(s) -SSL *s; +static int ssl3_send_client_certificate(SSL *s) { X509 *x509=NULL; EVP_PKEY *pkey=NULL; @@ -1565,19 +1605,22 @@ SSL *s; #define has_bits(i,m) (((i)&(m)) == (m)) -static int ssl3_check_cert_and_algorithm(s) -SSL *s; +static int ssl3_check_cert_and_algorithm(SSL *s) { int i,idx; long algs; EVP_PKEY *pkey=NULL; - CERT *c; + SESS_CERT *sc; +#ifndef NO_RSA RSA *rsa; +#endif +#ifndef NO_DH DH *dh; +#endif - c=s->session->cert; + sc=s->session->sess_cert; - if (c == NULL) + if (sc == NULL) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR); goto err; @@ -1589,14 +1632,19 @@ SSL *s; if (algs & (SSL_aDH|SSL_aNULL)) return(1); - rsa=s->session->cert->rsa_tmp; - dh=s->session->cert->dh_tmp; +#ifndef NO_RSA + rsa=s->session->sess_cert->peer_rsa_tmp; +#endif +#ifndef NO_DH + dh=s->session->sess_cert->peer_dh_tmp; +#endif /* This is the passed certificate */ - idx=c->cert_type; - pkey=X509_get_pubkey(c->pkeys[idx].x509); - i=X509_certificate_type(c->pkeys[idx].x509,pkey); + idx=sc->peer_cert_type; + pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); + i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); + EVP_PKEY_free(pkey); /* Check that we have a certificate if we require one */ @@ -1612,15 +1660,16 @@ SSL *s; goto f_err; } #endif - +#ifndef NO_RSA if ((algs & SSL_kRSA) && !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; } +#endif #ifndef NO_DH - else if ((algs & SSL_kEDH) && + if ((algs & SSL_kEDH) && !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); @@ -1640,12 +1689,13 @@ SSL *s; #endif #endif - if ((algs & SSL_EXP) && !has_bits(i,EVP_PKT_EXP)) + if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP)) { #ifndef NO_RSA if (algs & SSL_kRSA) { - if ((rsa == NULL) || (RSA_size(rsa) > 512)) + if (rsa == NULL + || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); goto f_err; @@ -1655,8 +1705,9 @@ SSL *s; #endif #ifndef NO_DH if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) - { - if ((dh == NULL) || (DH_size(dh) > 512)) + { + if (dh == NULL + || DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); goto f_err; diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 0fd945025d..aeff6b5c5b 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -57,20 +57,18 @@ */ #include -#include "objects.h" +#include +#include +#include #include "ssl_locl.h" -char *ssl3_version_str="SSLv3 part of SSLeay 0.9.0b 29-Jun-1998"; +const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) -#ifndef NOPROTO static long ssl3_default_timeout(void ); -#else -static long ssl3_default_timeout(); -#endif -SSL_CIPHER ssl3_ciphers[]={ +OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ /* The RSA ciphers */ /* Cipher 01 */ { @@ -97,7 +95,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_ADH_RC4_40_MD5, SSL3_CK_ADH_RC4_40_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3, + SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -115,7 +113,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_ADH_DES_40_CBC_SHA, SSL3_CK_ADH_DES_40_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -144,7 +142,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_RC4_40_MD5, SSL3_CK_RSA_RC4_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -171,7 +169,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_RC2_40_MD5, SSL3_CK_RSA_RC2_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -189,7 +187,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_DES_40_CBC_SHA, SSL3_CK_RSA_DES_40_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -218,7 +216,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_DSS_DES_40_CBC_SHA, SSL3_CK_DH_DSS_DES_40_CBC_SHA, - SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -245,7 +243,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_RSA_DES_40_CBC_SHA, SSL3_CK_DH_RSA_DES_40_CBC_SHA, - SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -274,7 +272,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, SSL3_CK_EDH_DSS_DES_40_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -301,7 +299,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, SSL3_CK_EDH_RSA_DES_40_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -355,6 +353,73 @@ SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, }, +#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES + /* New TLS Export CipherSuites */ + /* Cipher 60 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 61 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 62 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 63 */ + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 64 */ + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 65 */ + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 66 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, + TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, + SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, +#endif + /* end of list */ }; @@ -384,6 +449,7 @@ static SSL_METHOD SSLv3_data= { ssl3_write, ssl3_shutdown, ssl3_renegotiate, + ssl3_renegotiate_check, ssl3_ctrl, ssl3_ctx_ctrl, ssl3_get_cipher_by_char, @@ -396,25 +462,24 @@ static SSL_METHOD SSLv3_data= { &SSLv3_enc_data, }; -static long ssl3_default_timeout() +static long ssl3_default_timeout(void) { /* 2 hours, the 24 hours mentioned in the SSLv3 spec * is way too long for http, the cache would over fill */ return(60*60*2); } -SSL_METHOD *sslv3_base_method() +SSL_METHOD *sslv3_base_method(void) { return(&SSLv3_data); } -int ssl3_num_ciphers() +int ssl3_num_ciphers(void) { return(SSL3_NUM_CIPHERS); } -SSL_CIPHER *ssl3_get_cipher(u) -unsigned int u; +SSL_CIPHER *ssl3_get_cipher(unsigned int u) { if (u < SSL3_NUM_CIPHERS) return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u])); @@ -423,14 +488,12 @@ unsigned int u; } /* The problem is that it may not be the correct record type */ -int ssl3_pending(s) -SSL *s; +int ssl3_pending(SSL *s) { return(s->s3->rrec.length); } -int ssl3_new(s) -SSL *s; +int ssl3_new(SSL *s) { SSL3_CTX *s3; @@ -452,33 +515,42 @@ err: return(0); } -void ssl3_free(s) -SSL *s; +void ssl3_free(SSL *s) { + if(s == NULL) + return; + ssl3_cleanup_key_block(s); if (s->s3->rbuf.buf != NULL) Free(s->s3->rbuf.buf); if (s->s3->wbuf.buf != NULL) Free(s->s3->wbuf.buf); + if (s->s3->rrec.comp != NULL) + Free(s->s3->rrec.comp); #ifndef NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif if (s->s3->tmp.ca_names != NULL) - sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); memset(s->s3,0,sizeof(SSL3_CTX)); Free(s->s3); s->s3=NULL; } -void ssl3_clear(s) -SSL *s; +void ssl3_clear(SSL *s) { unsigned char *rp,*wp; ssl3_cleanup_key_block(s); if (s->s3->tmp.ca_names != NULL) - sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + + if (s->s3->rrec.comp != NULL) + { + Free(s->s3->rrec.comp); + s->s3->rrec.comp=NULL; + } rp=s->s3->rbuf.buf; wp=s->s3->wbuf.buf; @@ -486,6 +558,9 @@ SSL *s; memset(s->s3,0,sizeof(SSL3_CTX)); if (rp != NULL) s->s3->rbuf.buf=rp; if (wp != NULL) s->s3->wbuf.buf=wp; + + ssl_free_wbio_buffer(s); + s->packet_length=0; s->s3->renegotiate=0; s->s3->total_renegotiations=0; @@ -494,14 +569,30 @@ SSL *s; s->version=SSL3_VERSION; } -long ssl3_ctrl(s,cmd,larg,parg) -SSL *s; -int cmd; -long larg; -char *parg; +long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) { int ret=0; +#if !defined(NO_DSA) || !defined(NO_RSA) + if ( +#ifndef NO_RSA + cmd == SSL_CTRL_SET_TMP_RSA || + cmd == SSL_CTRL_SET_TMP_RSA_CB || +#endif +#ifndef NO_DSA + cmd == SSL_CTRL_SET_TMP_DH || + cmd == SSL_CTRL_SET_TMP_DH_CB || +#endif + 0) + { + if (!ssl_cert_inst(&s->cert)) + { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); + return(0); + } + } +#endif + switch (cmd) { case SSL_CTRL_GET_SESSION_REUSED: @@ -519,21 +610,75 @@ char *parg; case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: ret=s->s3->total_renegotiations; break; + case SSL_CTRL_GET_FLAGS: + ret=(int)(s->s3->flags); + break; +#ifndef NO_RSA + case SSL_CTRL_NEED_TMP_RSA: + if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && + ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || + (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))) + ret = 1; + break; + case SSL_CTRL_SET_TMP_RSA: + { + RSA *rsa = (RSA *)parg; + if (rsa == NULL) { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); + return(ret); + } + if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); + return(ret); + } + if (s->cert->rsa_tmp != NULL) + RSA_free(s->cert->rsa_tmp); + s->cert->rsa_tmp = rsa; + ret = 1; + } + break; + case SSL_CTRL_SET_TMP_RSA_CB: + s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))parg; + break; +#endif +#ifndef NO_DH + case SSL_CTRL_SET_TMP_DH: + { + DH *dh = (DH *)parg; + if (dh == NULL) { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); + return(ret); + } + if ((dh = DHparams_dup(dh)) == NULL) { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); + return(ret); + } + if (!DH_generate_key(dh)) { + DH_free(dh); + SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); + return(ret); + } + if (s->cert->dh_tmp != NULL) + DH_free(s->cert->dh_tmp); + s->cert->dh_tmp = dh; + ret = 1; + } + break; + case SSL_CTRL_SET_TMP_DH_CB: + s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))parg; + break; +#endif default: break; } return(ret); } -long ssl3_ctx_ctrl(ctx,cmd,larg,parg) -SSL_CTX *ctx; -int cmd; -long larg; -char *parg; +long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) { CERT *cert; - cert=ctx->default_cert; + cert=ctx->cert; switch (cmd) { @@ -546,7 +691,7 @@ char *parg; return(1); else return(0); - break; + /* break; */ case SSL_CTRL_SET_TMP_RSA: { RSA *rsa; @@ -574,15 +719,16 @@ char *parg; return(1); } } - break; + /* break; */ case SSL_CTRL_SET_TMP_RSA_CB: - cert->rsa_tmp_cb=(RSA *(*)())parg; + cert->rsa_tmp_cb=(RSA *(*)(SSL *, int, int))parg; break; #endif #ifndef NO_DH case SSL_CTRL_SET_TMP_DH: { DH *new=NULL,*dh; + int rret=0; dh=(DH *)parg; if ( ((new=DHparams_dup(dh)) == NULL) || @@ -590,21 +736,31 @@ char *parg; { SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); if (new != NULL) DH_free(new); - return(0); } else { if (cert->dh_tmp != NULL) DH_free(cert->dh_tmp); cert->dh_tmp=new; - return(1); + rret=1; } + return(rret); } - break; + /*break; */ case SSL_CTRL_SET_TMP_DH_CB: - cert->dh_tmp_cb=(DH *(*)())parg; + cert->dh_tmp_cb=(DH *(*)(SSL *, int, int))parg; break; #endif + /* A Thawte special :-) */ + case SSL_CTRL_EXTRA_CHAIN_CERT: + if (ctx->extra_certs == NULL) + { + if ((ctx->extra_certs=sk_X509_new_null()) == NULL) + return(0); + } + sk_X509_push(ctx->extra_certs,(X509 *)parg); + break; + default: return(0); } @@ -613,8 +769,7 @@ char *parg; /* This function needs to check if the ciphers required are actually * available */ -SSL_CIPHER *ssl3_get_cipher_by_char(p) -unsigned char *p; +SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) { static int init=1; static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS]; @@ -624,7 +779,7 @@ unsigned char *p; if (init) { - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL); for (i=0; irwstate=SSL_READING; @@ -679,61 +834,67 @@ int i; } } -SSL_CIPHER *ssl3_choose_cipher(s,have,pref) -SSL *s; -STACK *have,*pref; +SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, + STACK_OF(SSL_CIPHER) *pref) { SSL_CIPHER *c,*ret=NULL; int i,j,ok; CERT *cert; unsigned long alg,mask,emask; - /* Lets see which ciphers we can supported */ - if (s->cert != NULL) - cert=s->cert; - else - cert=s->ctx->default_cert; + /* Let's see which ciphers we can support */ + cert=s->cert; - ssl_set_cert_masks(cert); - mask=cert->mask; - emask=cert->export_mask; - - sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); + sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); - for (i=0; iname); + } +#endif + + for (i=0; imask; + emask=cert->export_mask; + alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); - if (alg & SSL_EXPORT) + if (SSL_IS_EXPORT(c->algorithms)) { ok=((alg & emask) == alg)?1:0; #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name); + printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, + c,c->name); #endif } else { ok=((alg & mask) == alg)?1:0; #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name); + printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, + c->name); #endif } if (!ok) continue; - j=sk_find(pref,(char *)c); + j=sk_SSL_CIPHER_find(pref,c); if (j >= 0) { - ret=(SSL_CIPHER *)sk_value(pref,j); + ret=sk_SSL_CIPHER_value(pref,j); break; } } return(ret); } -int ssl3_get_req_cert_type(s,p) -SSL *s; -unsigned char *p; +int ssl3_get_req_cert_type(SSL *s, unsigned char *p) { int ret=0; unsigned long alg; @@ -743,33 +904,34 @@ unsigned char *p; #ifndef NO_DH if (alg & (SSL_kDHr|SSL_kEDH)) { -#ifndef NO_RSA +# ifndef NO_RSA p[ret++]=SSL3_CT_RSA_FIXED_DH; -#endif -#ifndef NO_DSA +# endif +# ifndef NO_DSA p[ret++]=SSL3_CT_DSS_FIXED_DH; -#endif +# endif } if ((s->version == SSL3_VERSION) && (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { -#ifndef NO_RSA +# ifndef NO_RSA p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; -#endif -#ifndef NO_DSA +# endif +# ifndef NO_DSA p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; -#endif +# endif } #endif /* !NO_DH */ #ifndef NO_RSA p[ret++]=SSL3_CT_RSA_SIGN; #endif +#ifndef NO_DSA p[ret++]=SSL3_CT_DSS_SIGN; +#endif return(ret); } -int ssl3_shutdown(s) -SSL *s; +int ssl3_shutdown(SSL *s) { /* Don't do anything much if we have not done the handshake or @@ -809,13 +971,9 @@ SSL *s; return(0); } -int ssl3_write(s,buf,len) -SSL *s; -char *buf; -int len; +int ssl3_write(SSL *s, const void *buf, int len) { int ret,n; - BIO *under; #if 0 if (s->shutdown & SSL_SEND_SHUTDOWN) @@ -838,7 +996,7 @@ int len; if (s->s3->delay_buf_pop_ret == 0) { ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, - (char *)buf,len); + buf,len); if (ret <= 0) return(ret); s->s3->delay_buf_pop_ret=ret; @@ -849,30 +1007,24 @@ int len; if (n <= 0) return(n); s->rwstate=SSL_NOTHING; - /* We have flushed the buffer */ - under=BIO_pop(s->wbio); - s->wbio=under; - BIO_free(s->bbio); - s->bbio=NULL; + /* We have flushed the buffer, so remove it */ + ssl_free_wbio_buffer(s); + s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; + ret=s->s3->delay_buf_pop_ret; s->s3->delay_buf_pop_ret=0; - - s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; } else { ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, - (char *)buf,len); + buf,len); if (ret <= 0) return(ret); } return(ret); } -int ssl3_read(s,buf,len) -SSL *s; -char *buf; -int len; +int ssl3_read(SSL *s, void *buf, int len) { int ret; @@ -894,10 +1046,7 @@ int len; return(ret); } -int ssl3_peek(s,buf,len) -SSL *s; -char *buf; -int len; +int ssl3_peek(SSL *s, char *buf, int len) { SSL3_RECORD *rr; int n; @@ -919,8 +1068,7 @@ int len; return(n); } -int ssl3_renegotiate(s) -SSL *s; +int ssl3_renegotiate(SSL *s) { if (s->handshake_func == NULL) return(1); @@ -932,8 +1080,7 @@ SSL *s; return(1); } -int ssl3_renegotiate_check(s) -SSL *s; +int ssl3_renegotiate_check(SSL *s) { int ret=0; @@ -958,4 +1105,3 @@ need to go to SSL_ST_ACCEPT. return(ret); } - diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 2385080347..7893d03123 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c @@ -59,49 +59,19 @@ #include #include #define USE_SOCKETS -#include "evp.h" -#include "buffer.h" +#include +#include #include "ssl_locl.h" -/* SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_BAD_RECORD_MAC); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_NO_CERTIFICATE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_BAD_CERTIFICATE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN); - * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER); - */ - -#ifndef NOPROTO -static int do_ssl3_write(SSL *s, int type, char *buf, unsigned int len); -static int ssl3_write_pending(SSL *s, int type, char *buf, unsigned int len); +static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + unsigned int len); +static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, + unsigned int len); static int ssl3_get_record(SSL *s); static int do_compress(SSL *ssl); static int do_uncompress(SSL *ssl); static int do_change_cipher_spec(SSL *ssl); -#else -static int do_ssl3_write(); -static int ssl3_write_pending(); -static int ssl3_get_record(); -static int do_compress(); -static int do_uncompress(); -static int do_change_cipher_spec(); -#endif - -static int ssl3_read_n(s,n,max,extend) -SSL *s; -int n; -int max; -int extend; +static int ssl3_read_n(SSL *s, int n, int max, int extend) { int i,off,newb; @@ -210,10 +180,8 @@ int extend; * ssl->s3->rrec.data, - data * ssl->s3->rrec.length, - number of bytes */ -static int ssl3_get_record(s) -SSL *s; +static int ssl3_get_record(SSL *s) { - char tmp_buf[512]; int ssl_major,ssl_minor,al; int n,i,ret= -1; SSL3_BUFFER *rb; @@ -331,7 +299,6 @@ again: /* decrypt in place in 'rr->input' */ rr->data=rr->input; - memcpy(tmp_buf,rr->input,(rr->length > 512)?512:rr->length); if (!s->method->ssl3_enc->enc(s,0)) { @@ -340,7 +307,7 @@ again: } #ifdef TLS_DEBUG printf("dec %d\n",rr->length); -{ int z; for (z=0; zlength; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } +{ unsigned int z; for (z=0; zlength; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } printf("\n"); #endif /* r->length is now the compressed data plus mac */ @@ -378,7 +345,7 @@ printf("\n"); } /* r->length is now just compressed */ - if ((sess != NULL) && (sess->read_compression != NULL)) + if (s->expand != NULL) { if (rr->length > (unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra) @@ -424,27 +391,47 @@ err: return(ret); } -static int do_uncompress(ssl) -SSL *ssl; +static int do_uncompress(SSL *ssl) { + int i; + SSL3_RECORD *rr; + + rr= &(ssl->s3->rrec); + i=COMP_expand_block(ssl->expand,rr->comp, + SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length); + if (i < 0) + return(0); + else + rr->length=i; + rr->data=rr->comp; + return(1); } -static int do_compress(ssl) -SSL *ssl; +static int do_compress(SSL *ssl) { + int i; + SSL3_RECORD *wr; + + wr= &(ssl->s3->wrec); + i=COMP_compress_block(ssl->compress,wr->data, + SSL3_RT_MAX_COMPRESSED_LENGTH, + wr->input,(int)wr->length); + if (i < 0) + return(0); + else + wr->length=i; + + wr->input=wr->data; return(1); } /* Call this to write data * It will return <= 0 if not all data has been sent or non-blocking IO. */ -int ssl3_write_bytes(s,type,buf,len) -SSL *s; -int type; -char *buf; -int len; +int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len) { + const unsigned char *buf=_buf; unsigned int tot,n,nw; int i; @@ -479,20 +466,22 @@ int len; } if (type == SSL3_RT_HANDSHAKE) - ssl3_finish_mac(s,(unsigned char *)&(buf[tot]),i); + ssl3_finish_mac(s,&(buf[tot]),i); - if (i == (int)n) return(tot+i); + if ((i == (int)n) || + (type == SSL3_RT_APPLICATION_DATA && + (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) + { + return(tot+i); + } n-=i; tot+=i; } } -static int do_ssl3_write(s,type,buf,len) -SSL *s; -int type; -char *buf; -unsigned int len; +static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + unsigned int len) { unsigned char *p,*plen; int i,mac_size,clear=0; @@ -552,7 +541,7 @@ unsigned int len; * wr->data */ /* first we compress */ - if ((sess != NULL) && (sess->write_compression != NULL)) + if (s->compress != NULL) { if (!do_compress(s)) { @@ -606,16 +595,15 @@ err: } /* if s->s3->wbuf.left != 0, we need to call this */ -static int ssl3_write_pending(s,type,buf,len) -SSL *s; -int type; -char *buf; -unsigned int len; +static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, + unsigned int len) { int i; /* XXXX */ - if ((s->s3->wpend_tot > (int)len) || (s->s3->wpend_buf != buf) + if ((s->s3->wpend_tot > (int)len) + || ((s->s3->wpend_buf != buf) && + !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || (s->s3->wpend_type != type)) { SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY); @@ -650,18 +638,14 @@ unsigned int len; } } -int ssl3_read_bytes(s,type,buf,len) -SSL *s; -int type; -char *buf; -int len; +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) { int al,i,j,n,ret; SSL3_RECORD *rr; void (*cb)()=NULL; BIO *bio; - if (s->s3->rbuf.buf == NULL) /* Not initalised yet */ + if (s->s3->rbuf.buf == NULL) /* Not initialize yet */ if (!ssl3_setup_buffers(s)) return(-1); @@ -786,7 +770,8 @@ start: s->rwstate=SSL_NOTHING; s->s3->fatal_alert=n; - SSLerr(SSL_F_SSL3_READ_BYTES,1000+n); + SSLerr(SSL_F_SSL3_READ_BYTES, + SSL_AD_REASON_OFFSET+n); sprintf(tmp,"%d",n); ERR_add_error_data(2,"SSL alert number ",tmp); s->shutdown|=SSL_RECEIVED_SHUTDOWN; @@ -836,7 +821,9 @@ start: if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { - s->state=SSL_ST_BEFORE; + s->state=SSL_ST_BEFORE|(s->server) + ?SSL_ST_ACCEPT + :SSL_ST_CONNECT; s->new_session=1; } n=s->handshake_func(s); @@ -937,7 +924,7 @@ start: } if (type == SSL3_RT_HANDSHAKE) - ssl3_finish_mac(s,(unsigned char *)buf,n); + ssl3_finish_mac(s,buf,n); return(n); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); @@ -945,8 +932,7 @@ err: return(-1); } -static int do_change_cipher_spec(s) -SSL *s; +static int do_change_cipher_spec(SSL *s) { int i; unsigned char *sender; @@ -988,14 +974,12 @@ SSL *s; return(1); } -int ssl3_do_write(s,type) -SSL *s; -int type; +int ssl3_do_write(SSL *s, int type) { int ret; - ret=ssl3_write_bytes(s,type,(char *) - &(s->init_buf->data[s->init_off]),s->init_num); + ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off], + s->init_num); if (ret == s->init_num) return(1); if (ret < 0) return(-1); @@ -1004,10 +988,7 @@ int type; return(0); } -void ssl3_send_alert(s,level,desc) -SSL *s; -int level; -int desc; +void ssl3_send_alert(SSL *s, int level, int desc) { /* Map tls/ssl alert value to correct one */ desc=s->method->ssl3_enc->alert_value(desc); @@ -1025,14 +1006,13 @@ int desc; * some time in the future */ } -int ssl3_dispatch_alert(s) -SSL *s; +int ssl3_dispatch_alert(SSL *s) { int i,j; void (*cb)()=NULL; s->s3->alert_dispatch=0; - i=do_ssl3_write(s,SSL3_RT_ALERT,&(s->s3->send_alert[0]),2); + i=do_ssl3_write(s,SSL3_RT_ALERT,&s->s3->send_alert[0],2); if (i <= 0) { s->s3->alert_dispatch=1; @@ -1043,7 +1023,7 @@ SSL *s; * does not get sent due to non-blocking IO, we will * not worry too much. */ if (s->s3->send_alert[0] == SSL3_AL_FATAL) - BIO_flush(s->wbio); + (void)BIO_flush(s->wbio); if (s->info_callback != NULL) cb=s->info_callback; diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 64903af151..e003d88357 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -59,22 +59,16 @@ #define REUSE_CIPHER_BUG #include -#include "buffer.h" -#include "rand.h" -#include "objects.h" -#include "evp.h" -#include "x509.h" +#include +#include +#include +#include +#include +#include +#include #include "ssl_locl.h" -#define BREAK break -/* SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_MALLOC_FAILURE); - * SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE); - * SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); - * SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_MALLOC_FAILURE); - * SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); - */ - -#ifndef NOPROTO +static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); static int ssl3_send_server_hello(SSL *s); static int ssl3_send_server_key_exchange(SSL *s); @@ -85,22 +79,7 @@ static int ssl3_get_client_key_exchange(SSL *s); static int ssl3_get_client_certificate(SSL *s); static int ssl3_send_hello_request(SSL *s); -#else - -static int ssl3_get_client_hello(); -static int ssl3_send_server_hello(); -static int ssl3_send_server_key_exchange(); -static int ssl3_send_certificate_request(); -static int ssl3_send_server_done(); -static int ssl3_get_cert_verify(); -static int ssl3_get_client_key_exchange(); -static int ssl3_get_client_certificate(); -static int ssl3_send_hello_request(); - -#endif - -static SSL_METHOD *ssl3_get_server_method(ver) -int ver; +static SSL_METHOD *ssl3_get_server_method(int ver) { if (ver == SSL3_VERSION) return(SSLv3_server_method()); @@ -108,35 +87,32 @@ int ver; return(NULL); } -SSL_METHOD *SSLv3_server_method() +SSL_METHOD *SSLv3_server_method(void) { static int init=1; static SSL_METHOD SSLv3_server_data; if (init) { - init=0; memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), sizeof(SSL_METHOD)); SSLv3_server_data.ssl_accept=ssl3_accept; SSLv3_server_data.get_ssl_method=ssl3_get_server_method; + init=0; } return(&SSLv3_server_data); } -int ssl3_accept(s) -SSL *s; +int ssl3_accept(SSL *s) { BUF_MEM *buf; unsigned long l,Time=time(NULL); void (*cb)()=NULL; long num1; int ret= -1; - CERT *ct; - BIO *under; int new_state,state,skip=0; - RAND_seed((unsigned char *)&Time,sizeof(Time)); + RAND_seed(&Time,sizeof(Time)); ERR_clear_error(); clear_sys_error(); @@ -149,17 +125,11 @@ SSL *s; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; -#ifdef undef - /* FIX THIS EAY EAY EAY */ - /* we don't actually need a cert, we just need a cert or a DH_tmp */ - if (((s->session == NULL) || (s->session->cert == NULL)) && - (s->cert == NULL)) + if (s->cert == NULL) { SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); - ret= -1; - goto end; + return(-1); } -#endif for (;;) { @@ -176,6 +146,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: + s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version>>8) != 3) @@ -215,11 +186,11 @@ SSL *s; { s->state=SSL3_ST_SR_CLNT_HELLO_A; ssl3_init_finished_mac(s); - s->ctx->sess_accept++; + s->ctx->stats.sess_accept++; } else { - s->ctx->sess_accept_renegotiate++; + s->ctx->stats.sess_accept_renegotiate++; s->state=SSL3_ST_SW_HELLO_REQ_A; } break; @@ -238,15 +209,6 @@ SSL *s; break; case SSL3_ST_SW_HELLO_REQ_C: - /* remove buffering on output */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - BIO_free(s->bbio); - s->bbio=NULL; - s->state=SSL_ST_OK; ret=1; goto end; @@ -292,20 +254,6 @@ SSL *s; case SSL3_ST_SW_KEY_EXCH_A: case SSL3_ST_SW_KEY_EXCH_B: l=s->s3->tmp.new_cipher->algorithms; - if (s->session->cert == NULL) - { - if (s->cert != NULL) - { - CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT); - s->session->cert=s->cert; - } - else - { - CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT); - s->session->cert=s->ctx->default_cert; - } - } - ct=s->session->cert; /* clear this, it may get reset by * send_server_key_exchange */ @@ -316,16 +264,16 @@ SSL *s; /* only send if a DH key exchange, fortezza or * RSA but we have a sign only certificate */ - if ( s->s3->tmp.use_rsa_tmp || - (l & (SSL_DH|SSL_kFZA)) || - ((l & SSL_kRSA) && - ((ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)|| - ((l & SSL_EXPORT) && - (EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > 512) - ) - ) + if (s->s3->tmp.use_rsa_tmp + || (l & (SSL_DH|SSL_kFZA)) + || ((l & SSL_kRSA) + && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL + || (SSL_IS_EXPORT(l) + && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l) + ) + ) + ) ) - ) { ret=ssl3_send_server_key_exchange(s); if (ret <= 0) goto end; @@ -478,20 +426,14 @@ SSL *s; s->init_buf=NULL; /* remove buffering on output */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - BIO_free(s->bbio); - s->bbio=NULL; + ssl_free_wbio_buffer(s); s->new_session=0; s->init_num=0; ssl_update_cache(s,SSL_SESS_CACHE_SERVER); - s->ctx->sess_accept_good++; + s->ctx->stats.sess_accept_good++; /* s->server=1; */ s->handshake_func=ssl3_accept; ret=1; @@ -536,8 +478,7 @@ end: return(ret); } -static int ssl3_send_hello_request(s) -SSL *s; +static int ssl3_send_hello_request(SSL *s) { unsigned char *p; @@ -559,15 +500,15 @@ SSL *s; return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } -static int ssl3_get_client_hello(s) -SSL *s; +static int ssl3_get_client_hello(SSL *s) { int i,j,ok,al,ret= -1; long n; unsigned long id; - unsigned char *p,*d; + unsigned char *p,*d,*q; SSL_CIPHER *c; - STACK *ciphers=NULL; + SSL_COMP *comp=NULL; + STACK_OF(SSL_CIPHER) *ciphers=NULL; /* We do this so that we will respond with our native type. * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, @@ -593,6 +534,7 @@ SSL *s; /* The version number has already been checked in ssl3_get_message. * I a native TLSv1/SSLv3 method, the match must be correct except * perhaps for the first message */ +/* s->client_version=(((int)p[0])<<8)|(int)p[1]; */ p+=2; /* load the client random */ @@ -615,7 +557,9 @@ SSL *s; { /* previous session */ s->hit=1; } - else + else if (i == -1) + goto err; + else /* i == 0 */ { if (!ssl_get_new_session(s,1)) goto err; @@ -651,9 +595,16 @@ SSL *s; j=0; id=s->session->cipher->id; - for (i=0; iid == id) { j=1; @@ -662,11 +613,11 @@ SSL *s; } if (j == 0) { - if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_num(ciphers) == 1)) + if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Very bad for multi-threading.... */ - s->session->cipher= - (SSL_CIPHER *)sk_value(ciphers,0); + s->session->cipher=sk_SSL_CIPHER_value(ciphers, + 0); } else { @@ -681,8 +632,11 @@ SSL *s; /* compression */ i= *(p++); + q=p; for (j=0; j= i) @@ -693,6 +647,35 @@ SSL *s; goto f_err; } + /* Worst case, we will use the NULL compression, but if we have other + * options, we will now look for them. We have i-1 compression + * algorithms from the client, starting at q. */ + s->s3->tmp.new_compression=NULL; + if (s->ctx->comp_methods != NULL) + { /* See if we have a match */ + int m,nn,o,v,done=0; + + nn=sk_SSL_COMP_num(s->ctx->comp_methods); + for (m=0; mctx->comp_methods,m); + v=comp->id; + for (o=0; os3->tmp.new_compression=comp; + else + comp=NULL; + } + /* TLS does not mind if there is extra stuff */ if (s->version == SSL3_VERSION) { @@ -706,15 +689,14 @@ SSL *s; } } - /* do nothing with compression */ - /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must * pick a cipher */ if (!s->hit) { + s->session->compress_meth=(comp == NULL)?0:comp->id; if (s->session->ciphers != NULL) - sk_free(s->session->ciphers); + sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers=ciphers; if (ciphers == NULL) { @@ -724,7 +706,7 @@ SSL *s; } ciphers=NULL; c=ssl3_choose_cipher(s,s->session->ciphers, - ssl_get_ciphers_by_id(s)); + ssl_get_ciphers_by_id(s)); if (c == NULL) { @@ -738,19 +720,19 @@ SSL *s; { /* Session-id reuse */ #ifdef REUSE_CIPHER_BUG - STACK *sk; + STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *nc=NULL; SSL_CIPHER *ec=NULL; if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) { sk=s->session->ciphers; - for (i=0; ialgorithms & SSL_eNULL) nc=c; - if (c->algorithms & SSL_EXP) + if (SSL_C_IS_EXPORT(c)) ec=c; } if (nc != NULL) @@ -783,12 +765,11 @@ f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); } err: - if (ciphers != NULL) sk_free(ciphers); + if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); return(ret); } -static int ssl3_send_server_hello(s) -SSL *s; +static int ssl3_send_server_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; @@ -833,7 +814,10 @@ SSL *s; p+=i; /* put the compression method */ - *(p++)=0; + if (s->s3->tmp.new_compression == NULL) + *(p++)=0; + else + *(p++)=s->s3->tmp.new_compression->id; /* do the header */ l=(p-d); @@ -851,8 +835,7 @@ SSL *s; return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } -static int ssl3_send_server_done(s) -SSL *s; +static int ssl3_send_server_done(SSL *s) { unsigned char *p; @@ -876,8 +859,7 @@ SSL *s; return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } -static int ssl3_send_server_key_exchange(s) -SSL *s; +static int ssl3_send_server_key_exchange(SSL *s) { #ifndef NO_RSA unsigned char *q; @@ -902,7 +884,7 @@ SSL *s; if (s->state == SSL3_ST_SW_KEY_EXCH_A) { type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; - cert=s->session->cert; + cert=s->cert; buf=s->init_buf; @@ -912,11 +894,11 @@ SSL *s; if (type & SSL_kRSA) { rsa=cert->rsa_tmp; - if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL)) + if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { - rsa=s->ctx->default_cert->rsa_tmp_cb(s, - (s->s3->tmp.new_cipher->algorithms| - SSL_NOT_EXP)?0:1); + rsa=s->cert->rsa_tmp_cb(s, + SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), + SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); cert->rsa_tmp=rsa; } @@ -936,10 +918,10 @@ SSL *s; if (type & SSL_kEDH) { dhp=cert->dh_tmp; - if ((dhp == NULL) && (cert->dh_tmp_cb != NULL)) - dhp=cert->dh_tmp_cb(s, - (s->s3->tmp.new_cipher->algorithms| - SSL_NOT_EXP)?0:1); + if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) + dhp=s->cert->dh_tmp_cb(s, + !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), + SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); if (dhp == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; @@ -953,13 +935,16 @@ SSL *s; } s->s3->tmp.dh=dh; - if (((dhp->pub_key == NULL) || - (dhp->priv_key == NULL) || - (s->options & SSL_OP_SINGLE_DH_USE)) && - (!DH_generate_key(dh))) + if ((dhp->pub_key == NULL || + dhp->priv_key == NULL || + (s->options & SSL_OP_SINGLE_DH_USE))) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); - goto err; + if(!DH_generate_key(dh)) + { + SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, + ERR_R_DH_LIB); + goto err; + } } else { @@ -1098,12 +1083,11 @@ err: return(-1); } -static int ssl3_send_certificate_request(s) -SSL *s; +static int ssl3_send_certificate_request(SSL *s) { unsigned char *p,*d; int i,j,nl,off,n; - STACK *sk=NULL; + STACK_OF(X509_NAME) *sk=NULL; X509_NAME *name; BUF_MEM *buf; @@ -1128,9 +1112,9 @@ SSL *s; nl=0; if (sk != NULL) { - for (i=0; is3->tmp.use_rsa_tmp) { - if ((s->session->cert != NULL) && - (s->session->cert->rsa_tmp != NULL)) - rsa=s->session->cert->rsa_tmp; - else if ((s->ctx->default_cert != NULL) && - (s->ctx->default_cert->rsa_tmp != NULL)) - rsa=s->ctx->default_cert->rsa_tmp; + if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) + rsa=s->cert->rsa_tmp; /* Don't do a callback because rsa_tmp should * be sent already */ if (rsa == NULL) @@ -1259,15 +1240,28 @@ SSL *s; i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); #if 1 - /* If a bad decrypt, use a dud master key */ + /* If a bad decrypt, use a random master key */ if ((i != SSL_MAX_MASTER_KEY_LENGTH) || - ((p[0] != (s->version>>8)) || - (p[1] != (s->version & 0xff)))) + ((p[0] != (s->client_version>>8)) || + (p[1] != (s->client_version & 0xff)))) { - p[0]=(s->version>>8); - p[1]=(s->version & 0xff); - RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2); - i=SSL_MAX_MASTER_KEY_LENGTH; + int bad=1; + + if ((i == SSL_MAX_MASTER_KEY_LENGTH) && + (p[0] == (s->version>>8)) && + (p[1] == 0)) + { + if (s->options & SSL_OP_TLS_ROLLBACK_BUG) + bad=0; + } + if (bad) + { + p[0]=(s->version>>8); + p[1]=(s->version & 0xff); + RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2); + i=SSL_MAX_MASTER_KEY_LENGTH; + } + /* else, an SSLeay bug, ssl only server, tls client */ } #else if (i != SSL_MAX_MASTER_KEY_LENGTH) @@ -1370,8 +1364,7 @@ err: return(-1); } -static int ssl3_get_cert_verify(s) -SSL *s; +static int ssl3_get_cert_verify(SSL *s) { EVP_PKEY *pkey=NULL; unsigned char *p; @@ -1505,17 +1498,17 @@ f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); } end: + EVP_PKEY_free(pkey); return(ret); } -static int ssl3_get_client_certificate(s) -SSL *s; +static int ssl3_get_client_certificate(SSL *s) { int i,ok,al,ret= -1; X509 *x=NULL; unsigned long l,nc,llen,n; unsigned char *p,*d,*q; - STACK *sk=NULL; + STACK_OF(X509) *sk=NULL; n=ssl3_get_message(s, SSL3_ST_SR_CERT_A, @@ -1558,7 +1551,7 @@ SSL *s; } d=p=(unsigned char *)s->init_buf->data; - if ((sk=sk_new_null()) == NULL) + if ((sk=sk_X509_new_null()) == NULL) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto err; @@ -1594,7 +1587,7 @@ SSL *s; SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } - if (!sk_push(sk,(char *)x)) + if (!sk_X509_push(sk,x)) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto err; @@ -1603,7 +1596,7 @@ SSL *s; nc+=l+3; } - if (sk_num(sk) <= 0) + if (sk_X509_num(sk) <= 0) { /* TLS does not mind 0 certs returned */ if (s->version == SSL3_VERSION) @@ -1632,10 +1625,26 @@ SSL *s; } } - /* This should not be needed */ - if (s->session->peer != NULL) + if (s->session->peer != NULL) /* This should not be needed */ X509_free(s->session->peer); - s->session->peer=(X509 *)sk_shift(sk); + s->session->peer=sk_X509_shift(sk); + + /* With the current implementation, sess_cert will always be NULL + * when we arrive here. */ + if (s->session->sess_cert == NULL) + { + s->session->sess_cert = ssl_sess_cert_new(); + if (s->session->sess_cert == NULL) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); + goto err; + } + } + if (s->session->sess_cert->cert_chain != NULL) + sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); + s->session->sess_cert->cert_chain=sk; + + sk=NULL; ret=1; if (0) @@ -1645,12 +1654,11 @@ f_err: } err: if (x != NULL) X509_free(x); - if (sk != NULL) sk_pop_free(sk,X509_free); + if (sk != NULL) sk_X509_pop_free(sk,X509_free); return(ret); } -int ssl3_send_server_certificate(s) -SSL *s; +int ssl3_send_server_certificate(SSL *s) { unsigned long l; X509 *x; diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES new file mode 100644 index 0000000000..d0db7eaf61 --- /dev/null +++ b/src/lib/libssl/src/CHANGES @@ -0,0 +1,1624 @@ + + OpenSSL CHANGES + _______________ + + Changes between 0.9.3a and 0.9.4 [09 Aug 1999] + + *) Install libRSAglue.a when OpenSSL is built with RSAref. + [Ralf S. Engelschall] + + *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. + [Andrija Antonijevic ] + + *) Fix -startdate and -enddate (which was missing) arguments to 'ca' + program. + [Steve Henson] + + *) New function DSA_dup_DH, which duplicates DSA parameters/keys as + DH parameters/keys (q is lost during that conversion, but the resulting + DH parameters contain its length). + + For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is + much faster than DH_generate_parameters (which creates parameters + where p = 2*q + 1), and also the smaller q makes DH computations + much more efficient (160-bit exponentiation instead of 1024-bit + exponentiation); so this provides a convenient way to support DHE + ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of + utter importance to use + SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); + or + SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); + when such DH parameters are used, because otherwise small subgroup + attacks may become possible! + [Bodo Moeller] + + *) Avoid memory leak in i2d_DHparams. + [Bodo Moeller] + + *) Allow the -k option to be used more than once in the enc program: + this allows the same encrypted message to be read by multiple recipients. + [Steve Henson] + + *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts + an ASN1_OBJECT to a text string. If the "no_name" parameter is set then + it will always use the numerical form of the OID, even if it has a short + or long name. + [Steve Henson] + + *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp + method only got called if p,q,dmp1,dmq1,iqmp components were present, + otherwise bn_mod_exp was called. In the case of hardware keys for example + no private key components need be present and it might store extra data + in the RSA structure, which cannot be accessed from bn_mod_exp. By setting + RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for private key + operations. + [Steve Henson] + + *) Added support for SPARC Linux. + [Andy Polyakov] + + *) pem_password_cb function type incompatibly changed from + typedef int pem_password_cb(char *buf, int size, int rwflag); + to + ....(char *buf, int size, int rwflag, void *userdata); + so that applications can pass data to their callbacks: + The PEM[_ASN1]_{read,write}... functions and macros now take an + additional void * argument, which is just handed through whenever + the password callback is called. + [Damien Miller , with tiny changes by Bodo Moeller] + + New function SSL_CTX_set_default_passwd_cb_userdata. + + Compatibility note: As many C implementations push function arguments + onto the stack in reverse order, the new library version is likely to + interoperate with programs that have been compiled with the old + pem_password_cb definition (PEM_whatever takes some data that + happens to be on the stack as its last argument, and the callback + just ignores this garbage); but there is no guarantee whatsoever that + this will work. + + *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=... + (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused + problems not only on Windows, but also on some Unix platforms. + To avoid problematic command lines, these definitions are now in an + auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl + for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds). + [Bodo Moeller] + + *) MIPS III/IV assembler module is reimplemented. + [Andy Polyakov] + + *) More DES library cleanups: remove references to srand/rand and + delete an unused file. + [Ulf Möller] + + *) Add support for the the free Netwide assembler (NASM) under Win32, + since not many people have MASM (ml) and it can be hard to obtain. + This is currently experimental but it seems to work OK and pass all + the tests. Check out INSTALL.W32 for info. + [Steve Henson] + + *) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections + without temporary keys kept an extra copy of the server key, + and connections with temporary keys did not free everything in case + of an error. + [Bodo Moeller] + + *) New function RSA_check_key and new openssl rsa option -check + for verifying the consistency of RSA keys. + [Ulf Moeller, Bodo Moeller] + + *) Various changes to make Win32 compile work: + 1. Casts to avoid "loss of data" warnings in p5_crpt2.c + 2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned + comparison" warnings. + 3. Add sk__sort to DEF file generator and do make update. + [Steve Henson] + + *) Add a debugging option to PKCS#5 v2 key generation function: when + you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and + derived keys are printed to stderr. + [Steve Henson] + + *) Copy the flags in ASN1_STRING_dup(). + [Roman E. Pavlov ] + + *) The x509 application mishandled signing requests containing DSA + keys when the signing key was also DSA and the parameters didn't match. + + It was supposed to omit the parameters when they matched the signing key: + the verifying software was then supposed to automatically use the CA's + parameters if they were absent from the end user certificate. + + Omitting parameters is no longer recommended. The test was also + the wrong way round! This was probably due to unusual behaviour in + EVP_cmp_parameters() which returns 1 if the parameters match. + This meant that parameters were omitted when they *didn't* match and + the certificate was useless. Certificates signed with 'ca' didn't have + this bug. + [Steve Henson, reported by Doug Erickson ] + + *) Memory leak checking (-DCRYPTO_MDEBUG) had some problems. + The interface is as follows: + Applications can use + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop(); + "off" is now the default. + The library internally uses + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(), + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on() + to disable memory-checking temporarily. + + Some inconsistent states that previously were possible (and were + even the default) are now avoided. + + -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time + with each memory chunk allocated; this is occasionally more helpful + than just having a counter. + + -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID. + + -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future + extensions. + [Bodo Moeller] + + *) Introduce "mode" for SSL structures (with defaults in SSL_CTX), + which largely parallels "options", but is for changing API behaviour, + whereas "options" are about protocol behaviour. + Initial "mode" flags are: + + SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when + a single record has been written. + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write + retries use the same buffer location. + (But all of the contents must be + copied!) + [Bodo Moeller] + + *) Bugfix: SSL_set_mode ignored its parameter, only SSL_CTX_set_mode + worked. + + *) Fix problems with no-hmac etc. + [Ulf Möller, pointed out by Brian Wellington ] + + *) New functions RSA_get_default_method(), RSA_set_method() and + RSA_get_method(). These allows replacement of RSA_METHODs without having + to mess around with the internals of an RSA structure. + [Steve Henson] + + *) Fix memory leaks in DSA_do_sign and DSA_is_prime. + Also really enable memory leak checks in openssl.c and in some + test programs. + [Chad C. Mulligan, Bodo Moeller] + + *) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess + up the length of negative integers. This has now been simplified to just + store the length when it is first determined and use it later, rather + than trying to keep track of where data is copied and updating it to + point to the end. + [Steve Henson, reported by Brien Wheeler + ] + + *) Add a new function PKCS7_signatureVerify. This allows the verification + of a PKCS#7 signature but with the signing certificate passed to the + function itself. This contrasts with PKCS7_dataVerify which assumes the + certificate is present in the PKCS#7 structure. This isn't always the + case: certificates can be omitted from a PKCS#7 structure and be + distributed by "out of band" means (such as a certificate database). + [Steve Henson] + + *) Complete the PEM_* macros with DECLARE_PEM versions to replace the + function prototypes in pem.h, also change util/mkdef.pl to add the + necessary function names. + [Steve Henson] + + *) mk1mf.pl (used by Windows builds) did not properly read the + options set by Configure in the top level Makefile, and Configure + was not even able to write more than one option correctly. + Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended. + [Bodo Moeller] + + *) New functions CONF_load_bio() and CONF_load_fp() to allow a config + file to be loaded from a BIO or FILE pointer. The BIO version will + for example allow memory BIOs to contain config info. + [Steve Henson] + + *) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS. + Whoever hopes to achieve shared-library compatibility across versions + must use this, not the compile-time macro. + (Exercise 0.9.4: Which is the minimum library version required by + such programs?) + Note: All this applies only to multi-threaded programs, others don't + need locks. + [Bodo Moeller] + + *) Add missing case to s3_clnt.c state machine -- one of the new SSL tests + through a BIO pair triggered the default case, i.e. + SSLerr(...,SSL_R_UNKNOWN_STATE). + [Bodo Moeller] + + *) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications + can use the SSL library even if none of the specific BIOs is + appropriate. + [Bodo Moeller] + + *) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value + for the encoded length. + [Jeon KyoungHo ] + + *) Add initial documentation of the X509V3 functions. + [Steve Henson] + + *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and + PEM_write_bio_PKCS8PrivateKey() that are equivalent to + PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more + secure PKCS#8 private key format with a high iteration count. + [Steve Henson] + + *) Fix determination of Perl interpreter: A perl or perl5 + _directory_ in $PATH was also accepted as the interpreter. + [Ralf S. Engelschall] + + *) Fix demos/sign/sign.c: well there wasn't anything strictly speaking + wrong with it but it was very old and did things like calling + PEM_ASN1_read() directly and used MD5 for the hash not to mention some + unusual formatting. + [Steve Henson] + + *) Fix demos/selfsign.c: it used obsolete and deleted functions, changed + to use the new extension code. + [Steve Henson] + + *) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c + with macros. This should make it easier to change their form, add extra + arguments etc. Fix a few PEM prototypes which didn't have cipher as a + constant. + [Steve Henson] + + *) Add to configuration table a new entry that can specify an alternative + name for unistd.h (for pre-POSIX systems); we need this for NeXTstep, + according to Mark Crispin . + [Bodo Moeller] + +#if 0 + *) DES CBC did not update the IV. Weird. + [Ben Laurie] +#else + des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does. + Changing the behaviour of the former might break existing programs -- + where IV updating is needed, des_ncbc_encrypt can be used. +#endif + + *) When bntest is run from "make test" it drives bc to check its + calculations, as well as internally checking them. If an internal check + fails, it needs to cause bc to give a non-zero result or make test carries + on without noticing the failure. Fixed. + [Ben Laurie] + + *) DES library cleanups. + [Ulf Möller] + + *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be + used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit + ciphers. NOTE: although the key derivation function has been verified + against some published test vectors it has not been extensively tested + yet. Added a -v2 "cipher" option to pkcs8 application to allow the use + of v2.0. + [Steve Henson] + + *) Instead of "mkdir -p", which is not fully portable, use new + Perl script "util/mkdir-p.pl". + [Bodo Moeller] + + *) Rewrite the way password based encryption (PBE) is handled. It used to + assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter + structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms + but doesn't apply to PKCS#5 v2.0 where it can be something else. Now + the 'parameter' field of the AlgorithmIdentifier is passed to the + underlying key generation function so it must do its own ASN1 parsing. + This has also changed the EVP_PBE_CipherInit() function which now has a + 'parameter' argument instead of literal salt and iteration count values + and the function EVP_PBE_ALGOR_CipherInit() has been deleted. + [Steve Henson] + + *) Support for PKCS#5 v1.5 compatible password based encryption algorithms + and PKCS#8 functionality. New 'pkcs8' application linked to openssl. + Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE + KEY" because this clashed with PKCS#8 unencrypted string. Since this + value was just used as a "magic string" and not used directly its + value doesn't matter. + [Steve Henson] + + *) Introduce some semblance of const correctness to BN. Shame C doesn't + support mutable. + [Ben Laurie] + + *) "linux-sparc64" configuration (ultrapenguin). + [Ray Miller ] + "linux-sparc" configuration. + [Christian Forster ] + + *) config now generates no-xxx options for missing ciphers. + [Ulf Möller] + + *) Support the EBCDIC character set (work in progress). + File ebcdic.c not yet included because it has a different license. + [Martin Kraemer ] + + *) Support BS2000/OSD-POSIX. + [Martin Kraemer ] + + *) Make callbacks for key generation use void * instead of char *. + [Ben Laurie] + + *) Make S/MIME samples compile (not yet tested). + [Ben Laurie] + + *) Additional typesafe stacks. + [Ben Laurie] + + *) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x). + [Bodo Moeller] + + + Changes between 0.9.3 and 0.9.3a [29 May 1999] + + *) New configuration variant "sco5-gcc". + + *) Updated some demos. + [Sean O Riordain, Wade Scholine] + + *) Add missing BIO_free at exit of pkcs12 application. + [Wu Zhigang] + + *) Fix memory leak in conf.c. + [Steve Henson] + + *) Updates for Win32 to assembler version of MD5. + [Steve Henson] + + *) Set #! path to perl in apps/der_chop to where we found it + instead of using a fixed path. + [Bodo Moeller] + + *) SHA library changes for irix64-mips4-cc. + [Andy Polyakov] + + *) Improvements for VMS support. + [Richard Levitte] + + + Changes between 0.9.2b and 0.9.3 [24 May 1999] + + *) Bignum library bug fix. IRIX 6 passes "make test" now! + This also avoids the problems with SC4.2 and unpatched SC5. + [Andy Polyakov ] + + *) New functions sk_num, sk_value and sk_set to replace the previous macros. + These are required because of the typesafe stack would otherwise break + existing code. If old code used a structure member which used to be STACK + and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with + sk_num or sk_value it would produce an error because the num, data members + are not present in STACK_OF. Now it just produces a warning. sk_set + replaces the old method of assigning a value to sk_value + (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code + that does this will no longer work (and should use sk_set instead) but + this could be regarded as a "questionable" behaviour anyway. + [Steve Henson] + + *) Fix most of the other PKCS#7 bugs. The "experimental" code can now + correctly handle encrypted S/MIME data. + [Steve Henson] + + *) Change type of various DES function arguments from des_cblock + (which means, in function argument declarations, pointer to char) + to des_cblock * (meaning pointer to array with 8 char elements), + which allows the compiler to do more typechecking; it was like + that back in SSLeay, but with lots of ugly casts. + + Introduce new type const_des_cblock. + [Bodo Moeller] + + *) Reorganise the PKCS#7 library and get rid of some of the more obvious + problems: find RecipientInfo structure that matches recipient certificate + and initialise the ASN1 structures properly based on passed cipher. + [Steve Henson] + + *) Belatedly make the BN tests actually check the results. + [Ben Laurie] + + *) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion + to and from BNs: it was completely broken. New compilation option + NEG_PUBKEY_BUG to allow for some broken certificates that encode public + key elements as negative integers. + [Steve Henson] + + *) Reorganize and speed up MD5. + [Andy Polyakov ] + + *) VMS support. + [Richard Levitte ] + + *) New option -out to asn1parse to allow the parsed structure to be + output to a file. This is most useful when combined with the -strparse + option to examine the output of things like OCTET STRINGS. + [Steve Henson] + + *) Make SSL library a little more fool-proof by not requiring any longer + that SSL_set_{accept,connect}_state be called before + SSL_{accept,connect} may be used (SSL_set_..._state is omitted + in many applications because usually everything *appeared* to work as + intended anyway -- now it really works as intended). + [Bodo Moeller] + + *) Move openssl.cnf out of lib/. + [Ulf Möller] + + *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall + -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes + -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ + [Ralf S. Engelschall] + + *) Various fixes to the EVP and PKCS#7 code. It may now be able to + handle PKCS#7 enveloped data properly. + [Sebastian Akerman , modified by Steve] + + *) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of + copying pointers. The cert_st handling is changed by this in + various ways (and thus what used to be known as ctx->default_cert + is now called ctx->cert, since we don't resort to s->ctx->[default_]cert + any longer when s->cert does not give us what we need). + ssl_cert_instantiate becomes obsolete by this change. + As soon as we've got the new code right (possibly it already is?), + we have solved a couple of bugs of the earlier code where s->cert + was used as if it could not have been shared with other SSL structures. + + Note that using the SSL API in certain dirty ways now will result + in different behaviour than observed with earlier library versions: + Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx) + does not influence s as it used to. + + In order to clean up things more thoroughly, inside SSL_SESSION + we don't use CERT any longer, but a new structure SESS_CERT + that holds per-session data (if available); currently, this is + the peer's certificate chain and, for clients, the server's certificate + and temporary key. CERT holds only those values that can have + meaningful defaults in an SSL_CTX. + [Bodo Moeller] + + *) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure + from the internal representation. Various PKCS#7 fixes: remove some + evil casts and set the enc_dig_alg field properly based on the signing + key type. + [Steve Henson] + + *) Allow PKCS#12 password to be set from the command line or the + environment. Let 'ca' get its config file name from the environment + variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req' + and 'x509'). + [Steve Henson] + + *) Allow certificate policies extension to use an IA5STRING for the + organization field. This is contrary to the PKIX definition but + VeriSign uses it and IE5 only recognises this form. Document 'x509' + extension option. + [Steve Henson] + + *) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic, + without disallowing inline assembler and the like for non-pedantic builds. + [Ben Laurie] + + *) Support Borland C++ builder. + [Janez Jere , modified by Ulf Möller] + + *) Support Mingw32. + [Ulf Möller] + + *) SHA-1 cleanups and performance enhancements. + [Andy Polyakov ] + + *) Sparc v8plus assembler for the bignum library. + [Andy Polyakov ] + + *) Accept any -xxx and +xxx compiler options in Configure. + [Ulf Möller] + + *) Update HPUX configuration. + [Anonymous] + + *) Add missing sk__unshift() function to safestack.h + [Ralf S. Engelschall] + + *) New function SSL_CTX_use_certificate_chain_file that sets the + "extra_cert"s in addition to the certificate. (This makes sense + only for "PEM" format files, as chains as a whole are not + DER-encoded.) + [Bodo Moeller] + + *) Support verify_depth from the SSL API. + x509_vfy.c had what can be considered an off-by-one-error: + Its depth (which was not part of the external interface) + was actually counting the number of certificates in a chain; + now it really counts the depth. + [Bodo Moeller] + + *) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used + instead of X509err, which often resulted in confusing error + messages since the error codes are not globally unique + (e.g. an alleged error in ssl3_accept when a certificate + didn't match the private key). + + *) New function SSL_CTX_set_session_id_context that allows to set a default + value (so that you don't need SSL_set_session_id_context for each + connection using the SSL_CTX). + [Bodo Moeller] + + *) OAEP decoding bug fix. + [Ulf Möller] + + *) Support INSTALL_PREFIX for package builders, as proposed by + David Harris. + [Bodo Moeller] + + *) New Configure options "threads" and "no-threads". For systems + where the proper compiler options are known (currently Solaris + and Linux), "threads" is the default. + [Bodo Moeller] + + *) New script util/mklink.pl as a faster substitute for util/mklink.sh. + [Bodo Moeller] + + *) Install various scripts to $(OPENSSLDIR)/misc, not to + $(INSTALLTOP)/bin -- they shouldn't clutter directories + such as /usr/local/bin. + [Bodo Moeller] + + *) "make linux-shared" to build shared libraries. + [Niels Poppe ] + + *) New Configure option no- (rsa, idea, rc5, ...). + [Ulf Möller] + + *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for + extension adding in x509 utility. + [Steve Henson] + + *) Remove NOPROTO sections and error code comments. + [Ulf Möller] + + *) Partial rewrite of the DEF file generator to now parse the ANSI + prototypes. + [Steve Henson] + + *) New Configure options --prefix=DIR and --openssldir=DIR. + [Ulf Möller] + + *) Complete rewrite of the error code script(s). It is all now handled + by one script at the top level which handles error code gathering, + header rewriting and C source file generation. It should be much better + than the old method: it now uses a modified version of Ulf's parser to + read the ANSI prototypes in all header files (thus the old K&R definitions + aren't needed for error creation any more) and do a better job of + translating function codes into names. The old 'ASN1 error code imbedded + in a comment' is no longer necessary and it doesn't use .err files which + have now been deleted. Also the error code call doesn't have to appear all + on one line (which resulted in some large lines...). + [Steve Henson] + + *) Change #include filenames from to . + [Bodo Moeller] + + *) Change behaviour of ssl2_read when facing length-0 packets: Don't return + 0 (which usually indicates a closed connection), but continue reading. + [Bodo Moeller] + + *) Fix some race conditions. + [Bodo Moeller] + + *) Add support for CRL distribution points extension. Add Certificate + Policies and CRL distribution points documentation. + [Steve Henson] + + *) Move the autogenerated header file parts to crypto/opensslconf.h. + [Ulf Möller] + + *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of + 8 of keying material. Merlin has also confirmed interop with this fix + between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0. + [Merlin Hughes ] + + *) Fix lots of warnings. + [Richard Levitte ] + + *) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if + the directory spec didn't end with a LIST_SEPARATOR_CHAR. + [Richard Levitte ] + + *) Fix problems with sizeof(long) == 8. + [Andy Polyakov ] + + *) Change functions to ANSI C. + [Ulf Möller] + + *) Fix typos in error codes. + [Martin Kraemer , Ulf Möller] + + *) Remove defunct assembler files from Configure. + [Ulf Möller] + + *) SPARC v8 assembler BIGNUM implementation. + [Andy Polyakov ] + + *) Support for Certificate Policies extension: both print and set. + Various additions to support the r2i method this uses. + [Steve Henson] + + *) A lot of constification, and fix a bug in X509_NAME_oneline() that could + return a const string when you are expecting an allocated buffer. + [Ben Laurie] + + *) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE + types DirectoryString and DisplayText. + [Steve Henson] + + *) Add code to allow r2i extensions to access the configuration database, + add an LHASH database driver and add several ctx helper functions. + [Steve Henson] + + *) Fix an evil bug in bn_expand2() which caused various BN functions to + fail when they extended the size of a BIGNUM. + [Steve Henson] + + *) Various utility functions to handle SXNet extension. Modify mkdef.pl to + support typesafe stack. + [Steve Henson] + + *) Fix typo in SSL_[gs]et_options(). + [Nils Frostberg ] + + *) Delete various functions and files that belonged to the (now obsolete) + old X509V3 handling code. + [Steve Henson] + + *) New Configure option "rsaref". + [Ulf Möller] + + *) Don't auto-generate pem.h. + [Bodo Moeller] + + *) Introduce type-safe ASN.1 SETs. + [Ben Laurie] + + *) Convert various additional casted stacks to type-safe STACK_OF() variants. + [Ben Laurie, Ralf S. Engelschall, Steve Henson] + + *) Introduce type-safe STACKs. This will almost certainly break lots of code + that links with OpenSSL (well at least cause lots of warnings), but fear + not: the conversion is trivial, and it eliminates loads of evil casts. A + few STACKed things have been converted already. Feel free to convert more. + In the fullness of time, I'll do away with the STACK type altogether. + [Ben Laurie] + + *) Add `openssl ca -revoke ' facility which revokes a certificate + specified in by updating the entry in the index.txt file. + This way one no longer has to edit the index.txt file manually for + revoking a certificate. The -revoke option does the gory details now. + [Massimiliano Pala , Ralf S. Engelschall] + + *) Fix `openssl crl -noout -text' combination where `-noout' killed the + `-text' option at all and this way the `-noout -text' combination was + inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'. + [Ralf S. Engelschall] + + *) Make sure a corresponding plain text error message exists for the + X509_V_ERR_CERT_REVOKED/23 error number which can occur when a + verify callback function determined that a certificate was revoked. + [Ralf S. Engelschall] + + *) Bugfix: In test/testenc, don't test "openssl " for + ciphers that were excluded, e.g. by -DNO_IDEA. Also, test + all available cipers including rc5, which was forgotten until now. + In order to let the testing shell script know which algorithms + are available, a new (up to now undocumented) command + "openssl list-cipher-commands" is used. + [Bodo Moeller] + + *) Bugfix: s_client occasionally would sleep in select() when + it should have checked SSL_pending() first. + [Bodo Moeller] + + *) New functions DSA_do_sign and DSA_do_verify to provide access to + the raw DSA values prior to ASN.1 encoding. + [Ulf Möller] + + *) Tweaks to Configure + [Niels Poppe ] + + *) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support, + yet... + [Steve Henson] + + *) New variables $(RANLIB) and $(PERL) in the Makefiles. + [Ulf Möller] + + *) New config option to avoid instructions that are illegal on the 80386. + The default code is faster, but requires at least a 486. + [Ulf Möller] + + *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and + SSL2_SERVER_VERSION (not used at all) macros, which are now the + same as SSL2_VERSION anyway. + [Bodo Moeller] + + *) New "-showcerts" option for s_client. + [Bodo Moeller] + + *) Still more PKCS#12 integration. Add pkcs12 application to openssl + application. Various cleanups and fixes. + [Steve Henson] + + *) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and + modify error routines to work internally. Add error codes and PBE init + to library startup routines. + [Steve Henson] + + *) Further PKCS#12 integration. Added password based encryption, PKCS#8 and + packing functions to asn1 and evp. Changed function names and error + codes along the way. + [Steve Henson] + + *) PKCS12 integration: and so it begins... First of several patches to + slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12 + objects to objects.h + [Steve Henson] + + *) Add a new 'indent' option to some X509V3 extension code. Initial ASN1 + and display support for Thawte strong extranet extension. + [Steve Henson] + + *) Add LinuxPPC support. + [Jeff Dubrule ] + + *) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to + bn_div_words in alpha.s. + [Hannes Reinecke and Ben Laurie] + + *) Make sure the RSA OAEP test is skipped under -DRSAref because + OAEP isn't supported when OpenSSL is built with RSAref. + [Ulf Moeller ] + + *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h + so they no longer are missing under -DNOPROTO. + [Soren S. Jorvang ] + + + Changes between 0.9.1c and 0.9.2b [22 Mar 1999] + + *) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still + doesn't work when the session is reused. Coming soon! + [Ben Laurie] + + *) Fix a security hole, that allows sessions to be reused in the wrong + context thus bypassing client cert protection! All software that uses + client certs and session caches in multiple contexts NEEDS PATCHING to + allow session reuse! A fuller solution is in the works. + [Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)] + + *) Some more source tree cleanups (removed obsolete files + crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed + permission on "config" script to be executable) and a fix for the INSTALL + document. + [Ulf Moeller ] + + *) Remove some legacy and erroneous uses of malloc, free instead of + Malloc, Free. + [Lennart Bang , with minor changes by Steve] + + *) Make rsa_oaep_test return non-zero on error. + [Ulf Moeller ] + + *) Add support for native Solaris shared libraries. Configure + solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice + if someone would make that last step automatic. + [Matthias Loepfe ] + + *) ctx_size was not built with the right compiler during "make links". Fixed. + [Ben Laurie] + + *) Change the meaning of 'ALL' in the cipher list. It now means "everything + except NULL ciphers". This means the default cipher list will no longer + enable NULL ciphers. They need to be specifically enabled e.g. with + the string "DEFAULT:eNULL". + [Steve Henson] + + *) Fix to RSA private encryption routines: if p < q then it would + occasionally produce an invalid result. This will only happen with + externally generated keys because OpenSSL (and SSLeay) ensure p > q. + [Steve Henson] + + *) Be less restrictive and allow also `perl util/perlpath.pl + /path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin', + because this way one can also use an interpreter named `perl5' (which is + usually the name of Perl 5.xxx on platforms where an Perl 4.x is still + installed as `perl'). + [Matthias Loepfe ] + + *) Let util/clean-depend.pl work also with older Perl 5.00x versions. + [Matthias Loepfe ] + + *) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add + advapi32.lib to Win32 build and change the pem test comparision + to fc.exe (thanks to Ulrich Kroener for the + suggestion). Fix misplaced ASNI prototypes and declarations in evp.h + and crypto/des/ede_cbcm_enc.c. + [Steve Henson] + + *) DES quad checksum was broken on big-endian architectures. Fixed. + [Ben Laurie] + + *) Comment out two functions in bio.h that aren't implemented. Fix up the + Win32 test batch file so it (might) work again. The Win32 test batch file + is horrible: I feel ill.... + [Steve Henson] + + *) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected + in e_os.h. Audit of header files to check ANSI and non ANSI + sections: 10 functions were absent from non ANSI section and not exported + from Windows DLLs. Fixed up libeay.num for new functions. + [Steve Henson] + + *) Make `openssl version' output lines consistent. + [Ralf S. Engelschall] + + *) Fix Win32 symbol export lists for BIO functions: Added + BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data + to ms/libeay{16,32}.def. + [Ralf S. Engelschall] + + *) Second round of fixing the OpenSSL perl/ stuff. It now at least compiled + fine under Unix and passes some trivial tests I've now added. But the + whole stuff is horribly incomplete, so a README.1ST with a disclaimer was + added to make sure no one expects that this stuff really works in the + OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources + up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and + openssl_bio.xs. + [Ralf S. Engelschall] + + *) Fix the generation of two part addresses in perl. + [Kenji Miyake , integrated by Ben Laurie] + + *) Add config entry for Linux on MIPS. + [John Tobey ] + + *) Make links whenever Configure is run, unless we are on Windoze. + [Ben Laurie] + + *) Permit extensions to be added to CRLs using crl_section in openssl.cnf. + Currently only issuerAltName and AuthorityKeyIdentifier make any sense + in CRLs. + [Steve Henson] + + *) Add a useful kludge to allow package maintainers to specify compiler and + other platforms details on the command line without having to patch the + Configure script everytime: One now can use ``perl Configure + :
'', i.e. platform ids are allowed to have details appended + to them (seperated by colons). This is treated as there would be a static + pre-configured entry in Configure's %table under key with value +
and ``perl Configure '' is called. So, when you want to + perform a quick test-compile under FreeBSD 3.1 with pgcc and without + assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"'' + now, which overrides the FreeBSD-elf entry on-the-fly. + [Ralf S. Engelschall] + + *) Disable new TLS1 ciphersuites by default: they aren't official yet. + [Ben Laurie] + + *) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified + on the `perl Configure ...' command line. This way one can compile + OpenSSL libraries with Position Independent Code (PIC) which is needed + for linking it into DSOs. + [Ralf S. Engelschall] + + *) Remarkably, export ciphers were totally broken and no-one had noticed! + Fixed. + [Ben Laurie] + + *) Cleaned up the LICENSE document: The official contact for any license + questions now is the OpenSSL core team under openssl-core@openssl.org. + And add a paragraph about the dual-license situation to make sure people + recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply + to the OpenSSL toolkit. + [Ralf S. Engelschall] + + *) General source tree makefile cleanups: Made `making xxx in yyy...' + display consistent in the source tree and replaced `/bin/rm' by `rm'. + Additonally cleaned up the `make links' target: Remove unnecessary + semicolons, subsequent redundant removes, inline point.sh into mklink.sh + to speed processing and no longer clutter the display with confusing + stuff. Instead only the actually done links are displayed. + [Ralf S. Engelschall] + + *) Permit null encryption ciphersuites, used for authentication only. It used + to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this. + It is now necessary to set SSL_FORBID_ENULL to prevent the use of null + encryption. + [Ben Laurie] + + *) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder + signed attributes when verifying signatures (this would break them), + the detached data encoding was wrong and public keys obtained using + X509_get_pubkey() weren't freed. + [Steve Henson] + + *) Add text documentation for the BUFFER functions. Also added a work around + to a Win95 console bug. This was triggered by the password read stuff: the + last character typed gets carried over to the next fread(). If you were + generating a new cert request using 'req' for example then the last + character of the passphrase would be CR which would then enter the first + field as blank. + [Steve Henson] + + *) Added the new `Includes OpenSSL Cryptography Software' button as + doc/openssl_button.{gif,html} which is similar in style to the old SSLeay + button and can be used by applications based on OpenSSL to show the + relationship to the OpenSSL project. + [Ralf S. Engelschall] + + *) Remove confusing variables in function signatures in files + ssl/ssl_lib.c and ssl/ssl.h. + [Lennart Bong ] + + *) Don't install bss_file.c under PREFIX/include/ + [Lennart Bong ] + + *) Get the Win32 compile working again. Modify mkdef.pl so it can handle + functions that return function pointers and has support for NT specific + stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various + #ifdef WIN32 and WINNTs sprinkled about the place and some changes from + unsigned to signed types: this was killing the Win32 compile. + [Steve Henson] + + *) Add new certificate file to stack functions, + SSL_add_dir_cert_subjects_to_stack() and + SSL_add_file_cert_subjects_to_stack(). These largely supplant + SSL_load_client_CA_file(), and can be used to add multiple certs easily + to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()). + This means that Apache-SSL and similar packages don't have to mess around + to add as many CAs as they want to the preferred list. + [Ben Laurie] + + *) Experiment with doxygen documentation. Currently only partially applied to + ssl/ssl_lib.c. + See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with + openssl.doxy as the configuration file. + [Ben Laurie] + + *) Get rid of remaining C++-style comments which strict C compilers hate. + [Ralf S. Engelschall, pointed out by Carlos Amengual] + + *) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not + compiled in by default: it has problems with large keys. + [Steve Henson] + + *) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and + DH private keys and/or callback functions which directly correspond to + their SSL_CTX_xxx() counterparts but work on a per-connection basis. This + is needed for applications which have to configure certificates on a + per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis + (e.g. s_server). + For the RSA certificate situation is makes no difference, but + for the DSA certificate situation this fixes the "no shared cipher" + problem where the OpenSSL cipher selection procedure failed because the + temporary keys were not overtaken from the context and the API provided + no way to reconfigure them. + The new functions now let applications reconfigure the stuff and they + are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh, + SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new + non-public-API function ssl_cert_instantiate() is used as a helper + function and also to reduce code redundancy inside ssl_rsa.c. + [Ralf S. Engelschall] + + *) Move s_server -dcert and -dkey options out of the undocumented feature + area because they are useful for the DSA situation and should be + recognized by the users. + [Ralf S. Engelschall] + + *) Fix the cipher decision scheme for export ciphers: the export bits are + *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within + SSL_EXP_MASK. So, the original variable has to be used instead of the + already masked variable. + [Richard Levitte ] + + *) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c + [Richard Levitte ] + + *) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal() + from `int' to `unsigned int' because it's a length and initialized by + EVP_DigestFinal() which expects an `unsigned int *'. + [Richard Levitte ] + + *) Don't hard-code path to Perl interpreter on shebang line of Configure + script. Instead use the usual Shell->Perl transition trick. + [Ralf S. Engelschall] + + *) Make `openssl x509 -noout -modulus' functional also for DSA certificates + (in addition to RSA certificates) to match the behaviour of `openssl dsa + -noout -modulus' as it's already the case for `openssl rsa -noout + -modulus'. For RSA the -modulus is the real "modulus" while for DSA + currently the public key is printed (a decision which was already done by + `openssl dsa -modulus' in the past) which serves a similar purpose. + Additionally the NO_RSA no longer completely removes the whole -modulus + option; it now only avoids using the RSA stuff. Same applies to NO_DSA + now, too. + [Ralf S. Engelschall] + + *) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested + BIO. See the source (crypto/evp/bio_ok.c) for more info. + [Arne Ansper ] + + *) Dump the old yucky req code that tried (and failed) to allow raw OIDs + to be added. Now both 'req' and 'ca' can use new objects defined in the + config file. + [Steve Henson] + + *) Add cool BIO that does syslog (or event log on NT). + [Arne Ansper , integrated by Ben Laurie] + + *) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5, + TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and + TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher + Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt. + [Ben Laurie] + + *) Add preliminary config info for new extension code. + [Steve Henson] + + *) Make RSA_NO_PADDING really use no padding. + [Ulf Moeller ] + + *) Generate errors when private/public key check is done. + [Ben Laurie] + + *) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support + for some CRL extensions and new objects added. + [Steve Henson] + + *) Really fix the ASN1 IMPLICIT bug this time... Partial support for private + key usage extension and fuller support for authority key id. + [Steve Henson] + + *) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved + padding method for RSA, which is recommended for new applications in PKCS + #1 v2.0 (RFC 2437, October 1998). + OAEP (Optimal Asymmetric Encryption Padding) has better theoretical + foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure + against Bleichbacher's attack on RSA. + [Ulf Moeller , reformatted, corrected and integrated by + Ben Laurie] + + *) Updates to the new SSL compression code + [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] + + *) Fix so that the version number in the master secret, when passed + via RSA, checks that if TLS was proposed, but we roll back to SSLv3 + (because the server will not accept higher), that the version number + is 0x03,0x01, not 0x03,0x00 + [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] + + *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory + leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes + in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c + [Steve Henson] + + *) Support for RAW extensions where an arbitrary extension can be + created by including its DER encoding. See apps/openssl.cnf for + an example. + [Steve Henson] + + *) Make sure latest Perl versions don't interpret some generated C array + code as Perl array code in the crypto/err/err_genc.pl script. + [Lars Weber <3weber@informatik.uni-hamburg.de>] + + *) Modify ms/do_ms.bat to not generate assembly language makefiles since + not many people have the assembler. Various Win32 compilation fixes and + update to the INSTALL.W32 file with (hopefully) more accurate Win32 + build instructions. + [Steve Henson] + + *) Modify configure script 'Configure' to automatically create crypto/date.h + file under Win32 and also build pem.h from pem.org. New script + util/mkfiles.pl to create the MINFO file on environments that can't do a + 'make files': perl util/mkfiles.pl >MINFO should work. + [Steve Henson] + + *) Major rework of DES function declarations, in the pursuit of correctness + and purity. As a result, many evil casts evaporated, and some weirdness, + too. You may find this causes warnings in your code. Zapping your evil + casts will probably fix them. Mostly. + [Ben Laurie] + + *) Fix for a typo in asn1.h. Bug fix to object creation script + obj_dat.pl. It considered a zero in an object definition to mean + "end of object": none of the objects in objects.h have any zeros + so it wasn't spotted. + [Steve Henson, reported by Erwann ABALEA ] + + *) Add support for Triple DES Cipher Block Chaining with Output Feedback + Masking (CBCM). In the absence of test vectors, the best I have been able + to do is check that the decrypt undoes the encrypt, so far. Send me test + vectors if you have them. + [Ben Laurie] + + *) Correct calculation of key length for export ciphers (too much space was + allocated for null ciphers). This has not been tested! + [Ben Laurie] + + *) Modifications to the mkdef.pl for Win32 DEF file creation. The usage + message is now correct (it understands "crypto" and "ssl" on its + command line). There is also now an "update" option. This will update + the util/ssleay.num and util/libeay.num files with any new functions. + If you do a: + perl util/mkdef.pl crypto ssl update + it will update them. + [Steve Henson] + + *) Overhauled the Perl interface (perl/*): + - ported BN stuff to OpenSSL's different BN library + - made the perl/ source tree CVS-aware + - renamed the package from SSLeay to OpenSSL (the files still contain + their history because I've copied them in the repository) + - removed obsolete files (the test scripts will be replaced + by better Test::Harness variants in the future) + [Ralf S. Engelschall] + + *) First cut for a very conservative source tree cleanup: + 1. merge various obsolete readme texts into doc/ssleay.txt + where we collect the old documents and readme texts. + 2. remove the first part of files where I'm already sure that we no + longer need them because of three reasons: either they are just temporary + files which were left by Eric or they are preserved original files where + I've verified that the diff is also available in the CVS via "cvs diff + -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for + the crypto/md/ stuff). + [Ralf S. Engelschall] + + *) More extension code. Incomplete support for subject and issuer alt + name, issuer and authority key id. Change the i2v function parameters + and add an extra 'crl' parameter in the X509V3_CTX structure: guess + what that's for :-) Fix to ASN1 macro which messed up + IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED. + [Steve Henson] + + *) Preliminary support for ENUMERATED type. This is largely copied from the + INTEGER code. + [Steve Henson] + + *) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy. + [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] + + *) Make sure `make rehash' target really finds the `openssl' program. + [Ralf S. Engelschall, Matthias Loepfe ] + + *) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd + like to hear about it if this slows down other processors. + [Ben Laurie] + + *) Add CygWin32 platform information to Configure script. + [Alan Batie ] + + *) Fixed ms/32all.bat script: `no_asm' -> `no-asm' + [Rainer W. Gerling ] + + *) New program nseq to manipulate netscape certificate sequences + [Steve Henson] + + *) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a + few typos. + [Steve Henson] + + *) Fixes to BN code. Previously the default was to define BN_RECURSION + but the BN code had some problems that would cause failures when + doing certificate verification and some other functions. + [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] + + *) Add ASN1 and PEM code to support netscape certificate sequences. + [Steve Henson] + + *) Add ASN1 and PEM code to support netscape certificate sequences. + [Steve Henson] + + *) Add several PKIX and private extended key usage OIDs. + [Steve Henson] + + *) Modify the 'ca' program to handle the new extension code. Modify + openssl.cnf for new extension format, add comments. + [Steve Henson] + + *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req' + and add a sample to openssl.cnf so req -x509 now adds appropriate + CA extensions. + [Steve Henson] + + *) Continued X509 V3 changes. Add to other makefiles, integrate with the + error code, add initial support to X509_print() and x509 application. + [Steve Henson] + + *) Takes a deep breath and start addding X509 V3 extension support code. Add + files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this + stuff is currently isolated and isn't even compiled yet. + [Steve Henson] + + *) Continuing patches for GeneralizedTime. Fix up certificate and CRL + ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print. + Removed the versions check from X509 routines when loading extensions: + this allows certain broken certificates that don't set the version + properly to be processed. + [Steve Henson] + + *) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another + Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which + can still be regenerated with "make depend". + [Ben Laurie] + + *) Spelling mistake in C version of CAST-128. + [Ben Laurie, reported by Jeremy Hylton ] + + *) Changes to the error generation code. The perl script err-code.pl + now reads in the old error codes and retains the old numbers, only + adding new ones if necessary. It also only changes the .err files if new + codes are added. The makefiles have been modified to only insert errors + when needed (to avoid needlessly modifying header files). This is done + by only inserting errors if the .err file is newer than the auto generated + C file. To rebuild all the error codes from scratch (the old behaviour) + either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl + or delete all the .err files. + [Steve Henson] + + *) CAST-128 was incorrectly implemented for short keys. The C version has + been fixed, but is untested. The assembler versions are also fixed, but + new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing + to regenerate it if needed. + [Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun + Hagino ] + + *) File was opened incorrectly in randfile.c. + [Ulf Möller ] + + *) Beginning of support for GeneralizedTime. d2i, i2d, check and print + functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or + GeneralizedTime. ASN1_TIME is the proper type used in certificates et + al: it's just almost always a UTCTime. Note this patch adds new error + codes so do a "make errors" if there are problems. + [Steve Henson] + + *) Correct Linux 1 recognition in config. + [Ulf Möller ] + + *) Remove pointless MD5 hash when using DSA keys in ca. + [Anonymous ] + + *) Generate an error if given an empty string as a cert directory. Also + generate an error if handed NULL (previously returned 0 to indicate an + error, but didn't set one). + [Ben Laurie, reported by Anonymous ] + + *) Add prototypes to SSL methods. Make SSL_write's buffer const, at last. + [Ben Laurie] + + *) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct + parameters. This was causing a warning which killed off the Win32 compile. + [Steve Henson] + + *) Remove C++ style comments from crypto/bn/bn_local.h. + [Neil Costigan ] + + *) The function OBJ_txt2nid was broken. It was supposed to return a nid + based on a text string, looking up short and long names and finally + "dot" format. The "dot" format stuff didn't work. Added new function + OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote + OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the + OID is not part of the table. + [Steve Henson] + + *) Add prototypes to X509 lookup/verify methods, fixing a bug in + X509_LOOKUP_by_alias(). + [Ben Laurie] + + *) Sort openssl functions by name. + [Ben Laurie] + + *) Get the gendsa program working (hopefully) and add it to app list. Remove + encryption from sample DSA keys (in case anyone is interested the password + was "1234"). + [Steve Henson] + + *) Make _all_ *_free functions accept a NULL pointer. + [Frans Heymans ] + + *) If a DH key is generated in s3_srvr.c, don't blow it by trying to use + NULL pointers. + [Anonymous ] + + *) s_server should send the CAfile as acceptable CAs, not its own cert. + [Bodo Moeller <3moeller@informatik.uni-hamburg.de>] + + *) Don't blow it for numeric -newkey arguments to apps/req. + [Bodo Moeller <3moeller@informatik.uni-hamburg.de>] + + *) Temp key "for export" tests were wrong in s3_srvr.c. + [Anonymous ] + + *) Add prototype for temp key callback functions + SSL_CTX_set_tmp_{rsa,dh}_callback(). + [Ben Laurie] + + *) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and + DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey(). + [Steve Henson] + + *) X509_name_add_entry() freed the wrong thing after an error. + [Arne Ansper ] + + *) rsa_eay.c would attempt to free a NULL context. + [Arne Ansper ] + + *) BIO_s_socket() had a broken should_retry() on Windoze. + [Arne Ansper ] + + *) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH. + [Arne Ansper ] + + *) Make sure the already existing X509_STORE->depth variable is initialized + in X509_STORE_new(), but document the fact that this variable is still + unused in the certificate verification process. + [Ralf S. Engelschall] + + *) Fix the various library and apps files to free up pkeys obtained from + X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions. + [Steve Henson] + + *) Fix reference counting in X509_PUBKEY_get(). This makes + demos/maurice/example2.c work, amongst others, probably. + [Steve Henson and Ben Laurie] + + *) First cut of a cleanup for apps/. First the `ssleay' program is now named + `openssl' and second, the shortcut symlinks for the `openssl ' + are no longer created. This way we have a single and consistent command + line interface `openssl ', similar to `cvs '. + [Ralf S. Engelschall, Paul Sutton and Ben Laurie] + + *) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey + BIT STRING wrapper always have zero unused bits. + [Steve Henson] + + *) Add CA.pl, perl version of CA.sh, add extended key usage OID. + [Steve Henson] + + *) Make the top-level INSTALL documentation easier to understand. + [Paul Sutton] + + *) Makefiles updated to exit if an error occurs in a sub-directory + make (including if user presses ^C) [Paul Sutton] + + *) Make Montgomery context stuff explicit in RSA data structure. + [Ben Laurie] + + *) Fix build order of pem and err to allow for generated pem.h. + [Ben Laurie] + + *) Fix renumbering bug in X509_NAME_delete_entry(). + [Ben Laurie] + + *) Enhanced the err-ins.pl script so it makes the error library number + global and can add a library name. This is needed for external ASN1 and + other error libraries. + [Steve Henson] + + *) Fixed sk_insert which never worked properly. + [Steve Henson] + + *) Fix ASN1 macros so they can handle indefinite length construted + EXPLICIT tags. Some non standard certificates use these: they can now + be read in. + [Steve Henson] + + *) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc) + into a single doc/ssleay.txt bundle. This way the information is still + preserved but no longer messes up this directory. Now it's new room for + the new set of documenation files. + [Ralf S. Engelschall] + + *) SETs were incorrectly DER encoded. This was a major pain, because they + shared code with SEQUENCEs, which aren't coded the same. This means that + almost everything to do with SETs or SEQUENCEs has either changed name or + number of arguments. + [Ben Laurie, based on a partial fix by GP Jayan ] + + *) Fix test data to work with the above. + [Ben Laurie] + + *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but + was already fixed by Eric for 0.9.1 it seems. + [Ben Laurie - pointed out by Ulf Möller ] + + *) Autodetect FreeBSD3. + [Ben Laurie] + + *) Fix various bugs in Configure. This affects the following platforms: + nextstep + ncr-scde + unixware-2.0 + unixware-2.0-pentium + sco5-cc. + [Ben Laurie] + + *) Eliminate generated files from CVS. Reorder tests to regenerate files + before they are needed. + [Ben Laurie] + + *) Generate Makefile.ssl from Makefile.org (to keep CVS happy). + [Ben Laurie] + + + Changes between 0.9.1b and 0.9.1c [23-Dec-1998] + + *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and + changed SSLeay to OpenSSL in version strings. + [Ralf S. Engelschall] + + *) Some fixups to the top-level documents. + [Paul Sutton] + + *) Fixed the nasty bug where rsaref.h was not found under compile-time + because the symlink to include/ was missing. + [Ralf S. Engelschall] + + *) Incorporated the popular no-RSA/DSA-only patches + which allow to compile a RSA-free SSLeay. + [Andrew Cooke / Interrader Ldt., Ralf S. Engelschall] + + *) Fixed nasty rehash problem under `make -f Makefile.ssl links' + when "ssleay" is still not found. + [Ralf S. Engelschall] + + *) Added more platforms to Configure: Cray T3E, HPUX 11, + [Ralf S. Engelschall, Beckmann ] + + *) Updated the README file. + [Ralf S. Engelschall] + + *) Added various .cvsignore files in the CVS repository subdirs + to make a "cvs update" really silent. + [Ralf S. Engelschall] + + *) Recompiled the error-definition header files and added + missing symbols to the Win32 linker tables. + [Ralf S. Engelschall] + + *) Cleaned up the top-level documents; + o new files: CHANGES and LICENSE + o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay + o merged COPYRIGHT into LICENSE + o removed obsolete TODO file + o renamed MICROSOFT to INSTALL.W32 + [Ralf S. Engelschall] + + *) Removed dummy files from the 0.9.1b source tree: + crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi + crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f + crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f + crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f + util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f + [Ralf S. Engelschall] + + *) Added various platform portability fixes. + [Mark J. Cox] + + *) The Genesis of the OpenSSL rpject: + We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A. + Young and Tim J. Hudson created while they were working for C2Net until + summer 1998. + [The OpenSSL Project] + + + Changes between 0.9.0b and 0.9.1b [not released] + + *) Updated a few CA certificates under certs/ + [Eric A. Young] + + *) Changed some BIGNUM api stuff. + [Eric A. Young] + + *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, + DGUX x86, Linux Alpha, etc. + [Eric A. Young] + + *) New COMP library [crypto/comp/] for SSL Record Layer Compression: + RLE (dummy implemented) and ZLIB (really implemented when ZLIB is + available). + [Eric A. Young] + + *) Add -strparse option to asn1pars program which parses nested + binary structures + [Dr Stephen Henson ] + + *) Added "oid_file" to ssleay.cnf for "ca" and "req" programs. + [Eric A. Young] + + *) DSA fix for "ca" program. + [Eric A. Young] + + *) Added "-genkey" option to "dsaparam" program. + [Eric A. Young] + + *) Added RIPE MD160 (rmd160) message digest. + [Eric A. Young] + + *) Added -a (all) option to "ssleay version" command. + [Eric A. Young] + + *) Added PLATFORM define which is the id given to Configure. + [Eric A. Young] + + *) Added MemCheck_XXXX functions to crypto/mem.c for memory checking. + [Eric A. Young] + + *) Extended the ASN.1 parser routines. + [Eric A. Young] + + *) Extended BIO routines to support REUSEADDR, seek, tell, etc. + [Eric A. Young] + + *) Added a BN_CTX to the BN library. + [Eric A. Young] + + *) Fixed the weak key values in DES library + [Eric A. Young] + + *) Changed API in EVP library for cipher aliases. + [Eric A. Young] + + *) Added support for RC2/64bit cipher. + [Eric A. Young] + + *) Converted the lhash library to the crypto/mem.c functions. + [Eric A. Young] + + *) Added more recognized ASN.1 object ids. + [Eric A. Young] + + *) Added more RSA padding checks for SSL/TLS. + [Eric A. Young] + + *) Added BIO proxy/filter functionality. + [Eric A. Young] + + *) Added extra_certs to SSL_CTX which can be used + send extra CA certificates to the client in the CA cert chain sending + process. It can be configured with SSL_CTX_add_extra_chain_cert(). + [Eric A. Young] + + *) Now Fortezza is denied in the authentication phase because + this is key exchange mechanism is not supported by SSLeay at all. + [Eric A. Young] + + *) Additional PKCS1 checks. + [Eric A. Young] + + *) Support the string "TLSv1" for all TLS v1 ciphers. + [Eric A. Young] + + *) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the + ex_data index of the SSL context in the X509_STORE_CTX ex_data. + [Eric A. Young] + + *) Fixed a few memory leaks. + [Eric A. Young] + + *) Fixed various code and comment typos. + [Eric A. Young] + + *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 + bytes sent in the client random. + [Edward Bishop ] + diff --git a/src/lib/libssl/src/CHANGES.SSLeay b/src/lib/libssl/src/CHANGES.SSLeay new file mode 100644 index 0000000000..dbb80b003d --- /dev/null +++ b/src/lib/libssl/src/CHANGES.SSLeay @@ -0,0 +1,968 @@ +This file contains the changes for the SSLeay library up to version +0.9.0b. For later changes, see the file "CHANGES". + + SSLeay CHANGES + ______________ + +Changes between 0.8.x and 0.9.0b + +10-Apr-1998 + +I said the next version would go out at easter, and so it shall. +I expect a 0.9.1 will follow with portability fixes in the next few weeks. + +This is a quick, meet the deadline. Look to ssl-users for comments on what +is new etc. + +eric (about to go bushwalking for the 4 day easter break :-) + +16-Mar-98 + - Patch for Cray T90 from Wayne Schroeder + - Lots and lots of changes + +29-Jan-98 + - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from + Goetz Babin-Ebell . + - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or + TLS1_VERSION. + +7-Jan-98 + - Finally reworked the cipher string to ciphers again, so it + works correctly + - All the app_data stuff is now ex_data with funcion calls to access. + The index is supplied by a function and 'methods' can be setup + for the types that are called on XXX_new/XXX_free. This lets + applications get notified on creation and destruction. Some of + the RSA methods could be implemented this way and I may do so. + - Oh yes, SSL under perl5 is working at the basic level. + +15-Dec-97 + - Warning - the gethostbyname cache is not fully thread safe, + but it should work well enough. + - Major internal reworking of the app_data stuff. More functions + but if you were accessing ->app_data directly, things will + stop working. + - The perlv5 stuff is working. Currently on message digests, + ciphers and the bignum library. + +9-Dec-97 + - Modified re-negotiation so that server initated re-neg + will cause a SSL_read() to return -1 should retry. + The danger otherwise was that the server and the + client could end up both trying to read when using non-blocking + sockets. + +4-Dec-97 + - Lots of small changes + - Fix for binaray mode in Windows for the FILE BIO, thanks to + Bob Denny + +17-Nov-97 + - Quite a few internal cleanups, (removal of errno, and using macros + defined in e_os.h). + - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where + the automactic naming out output files was being stuffed up. + +29-Oct-97 + - The Cast5 cipher has been added. MD5 and SHA-1 are now in assember + for x86. + +21-Oct-97 + - Fixed a bug in the BIO_gethostbyname() cache. + +15-Oct-97 + - cbc mode for blowfish/des/3des is now in assember. Blowfish asm + has also been improved. At this point in time, on the pentium, + md5 is %80 faster, the unoptimesed sha-1 is %79 faster, + des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc + is %62 faster. + +12-Oct-97 + - MEM_BUF_grow() has been fixed so that it always sets the buf->length + to the value we are 'growing' to. Think of MEM_BUF_grow() as the + way to set the length value correctly. + +10-Oct-97 + - I now hash for certificate lookup on the raw DER encoded RDN (md5). + This breaks things again :-(. This is efficent since I cache + the DER encoding of the RDN. + - The text DN now puts in the numeric OID instead of UNKNOWN. + - req can now process arbitary OIDs in the config file. + - I've been implementing md5 in x86 asm, much faster :-). + - Started sha1 in x86 asm, needs more work. + - Quite a few speedups in the BN stuff. RSA public operation + has been made faster by caching the BN_MONT_CTX structure. + The calulating of the Ai where A*Ai === 1 mod m was rather + expensive. Basically a 40-50% speedup on public operations. + The RSA speedup is now 15% on pentiums and %20 on pentium + pro. + +30-Sep-97 + - After doing some profiling, I added x86 adm for bn_add_words(), + which just adds 2 arrays of longs together. A %10 speedup + for 512 and 1024 bit RSA on the pentium pro. + +29-Sep-97 + - Converted the x86 bignum assembler to us the perl scripts + for generation. + +23-Sep-97 + - If SSL_set_session() is passed a NULL session, it now clears the + current session-id. + +22-Sep-97 + - Added a '-ss_cert file' to apps/ca.c. This will sign selfsigned + certificates. + - Bug in crypto/evp/encode.c where by decoding of 65 base64 + encoded lines, one line at a time (via a memory BIO) would report + EOF after the first line was decoded. + - Fix in X509_find_by_issuer_and_serial() from + Dr Stephen Henson + +19-Sep-97 + - NO_FP_API and NO_STDIO added. + - Put in sh config command. It auto runs Configure with the correct + parameters. + +18-Sep-97 + - Fix x509.c so if a DSA cert has different parameters to its parent, + they are left in place. Not tested yet. + +16-Sep-97 + - ssl_create_cipher_list() had some bugs, fixes from + Patrick Eisenacher + - Fixed a bug in the Base64 BIO, where it would return 1 instead + of -1 when end of input was encountered but should retry. + Basically a Base64/Memory BIO interaction problem. + - Added a HMAC set of functions in preporarion for TLS work. + +15-Sep-97 + - Top level makefile tweak - Cameron Simpson + - Prime generation spead up %25 (512 bit prime, pentium pro linux) + by using montgomery multiplication in the prime number test. + +11-Sep-97 + - Ugly bug in ssl3_write_bytes(). Basically if application land + does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code + did not check the size and tried to copy the entire buffer. + This would tend to cause memory overwrites since SSLv3 has + a maximum packet size of 16k. If your program uses + buffers <= 16k, you would probably never see this problem. + - Fixed a new errors that were cause by malloc() not returning + 0 initialised memory.. + - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using + SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing + since this flags stops SSLeay being able to handle client + cert requests correctly. + +08-Sep-97 + - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added. When switched + on, the SSL server routines will not use a SSL_SESSION that is + held in it's cache. This in intended to be used with the session-id + callbacks so that while the session-ids are still stored in the + cache, the decision to use them and how to look them up can be + done by the callbacks. The are the 'new', 'get' and 'remove' + callbacks. This can be used to determine the session-id + to use depending on information like which port/host the connection + is coming from. Since the are also SSL_SESSION_set_app_data() and + SSL_SESSION_get_app_data() functions, the application can hold + information against the session-id as well. + +03-Sep-97 + - Added lookup of CRLs to the by_dir method, + X509_load_crl_file() also added. Basically it means you can + lookup CRLs via the same system used to lookup certificates. + - Changed things so that the X509_NAME structure can contain + ASN.1 BIT_STRINGS which is required for the unique + identifier OID. + - Fixed some problems with the auto flushing of the session-id + cache. It was not occuring on the server side. + +02-Sep-97 + - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size) + which is the maximum number of entries allowed in the + session-id cache. This is enforced with a simple FIFO list. + The default size is 20*1024 entries which is rather large :-). + The Timeout code is still always operating. + +01-Sep-97 + - Added an argument to all the 'generate private key/prime` + callbacks. It is the last parameter so this should not + break existing code but it is needed for C++. + - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64() + BIO. This lets the BIO read and write base64 encoded data + without inserting or looking for '\n' characters. The '-A' + flag turns this on when using apps/enc.c. + - RSA_NO_PADDING added to help BSAFE functionality. This is a + very dangerous thing to use, since RSA private key + operations without random padding bytes (as PKCS#1 adds) can + be attacked such that the private key can be revealed. + - ASN.1 bug and rc2-40-cbc and rc4-40 added by + Dr Stephen Henson + +31-Aug-97 (stuff added while I was away) + - Linux pthreads by Tim Hudson (tjh@cryptsoft.com). + - RSA_flags() added allowing bypass of pub/priv match check + in ssl/ssl_rsa.c - Tim Hudson. + - A few minor bugs. + +SSLeay 0.8.1 released. + +19-Jul-97 + - Server side initated dynamic renegotiation is broken. I will fix + it when I get back from holidays. + +15-Jul-97 + - Quite a few small changes. + - INVALID_SOCKET usage cleanups from Alex Kiernan + +09-Jul-97 + - Added 2 new values to the SSL info callback. + SSL_CB_START which is passed when the SSL protocol is started + and SSL_CB_DONE when it has finished sucsessfully. + +08-Jul-97 + - Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c + that related to DSA public/private keys. + - Added all the relevent PEM and normal IO functions to support + reading and writing RSAPublic keys. + - Changed makefiles to use ${AR} instead of 'ar r' + +07-Jul-97 + - Error in ERR_remove_state() that would leave a dangling reference + to a free()ed location - thanks to Alex Kiernan + - s_client now prints the X509_NAMEs passed from the server + when requesting a client cert. + - Added a ssl->type, which is one of SSL_ST_CONNECT or + SSL_ST_ACCEPT. I had to add it so I could tell if I was + a connect or an accept after the handshake had finished. + - SSL_get_client_CA_list(SSL *s) now returns the CA names + passed by the server if called by a client side SSL. + +05-Jul-97 + - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index + 0, not -1 :-( Fix from Tim Hudson (tjh@cryptsoft.com). + +04-Jul-97 + - Fixed some things in X509_NAME_add_entry(), thanks to + Matthew Donald . + - I had a look at the cipher section and though that it was a + bit confused, so I've changed it. + - I was not setting up the RC4-64-MD5 cipher correctly. It is + a MS special that appears in exported MS Money. + - Error in all my DH ciphers. Section 7.6.7.3 of the SSLv3 + spec. I was missing the two byte length header for the + ClientDiffieHellmanPublic value. This is a packet sent from + the client to the server. The SSL_OP_SSLEAY_080_CLIENT_DH_BUG + option will enable SSLeay server side SSLv3 accept either + the correct or my 080 packet format. + - Fixed a few typos in crypto/pem.org. + +02-Jul-97 + - Alias mapping for EVP_get_(digest|cipher)byname is now + performed before a lookup for actual cipher. This means + that an alias can be used to 're-direct' a cipher or a + digest. + - ASN1_read_bio() had a bug that only showed up when using a + memory BIO. When EOF is reached in the memory BIO, it is + reported as a -1 with BIO_should_retry() set to true. + +01-Jul-97 + - Fixed an error in X509_verify_cert() caused by my + miss-understanding how 'do { contine } while(0);' works. + Thanks to Emil Sit for educating me :-) + +30-Jun-97 + - Base64 decoding error. If the last data line did not end with + a '=', sometimes extra data would be returned. + - Another 'cut and paste' bug in x509.c related to setting up the + STDout BIO. + +27-Jun-97 + - apps/ciphers.c was not printing due to an editing error. + - Alex Kiernan send in a nice fix for + a library build error in util/mk1mf.pl + +26-Jun-97 + - Still did not have the auto 'experimental' code removal + script correct. + - A few header tweaks for Watcom 11.0 under Win32 from + Rolf Lindemann + - 0 length OCTET_STRING bug in asn1_parse + - A minor fix with an non-existent function in the MS .def files. + - A few changes to the PKCS7 stuff. + +25-Jun-97 + SSLeay 0.8.0 finally it gets released. + +24-Jun-97 + Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to + use a temporary RSA key. This is experimental and needs some more work. + Fixed a few Win16 build problems. + +23-Jun-97 + SSLv3 bug. I was not doing the 'lookup' of the CERT structure + correctly. I was taking the SSL->ctx->default_cert when I should + have been using SSL->cert. The bug was in ssl/s3_srvr.c + +20-Jun-97 + X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the + rest of the library. Even though I had the code required to do + it correctly, apps/req.c was doing the wrong thing. I have fixed + and tested everything. + + Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c. + +19-Jun-97 + Fixed a bug in the SSLv2 server side first packet handling. When + using the non-blocking test BIO, the ssl->s2->first_packet flag + was being reset when a would-block failure occurred when reading + the first 5 bytes of the first packet. This caused the checking + logic to run at the wrong time and cause an error. + + Fixed a problem with specifying cipher. If RC4-MD5 were used, + only the SSLv3 version would be picked up. Now this will pick + up both SSLv2 and SSLv3 versions. This required changing the + SSL_CIPHER->mask values so that they only mask the ciphers, + digests, authentication, export type and key-exchange algorithms. + + I found that when a SSLv23 session is established, a reused + session, of type SSLv3 was attempting to write the SSLv2 + ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char + method has been modified so it will only write out cipher which + that method knows about. + + + Changes between 0.8.0 and 0.8.1 + + *) Mostly bug fixes. + There is an Ephemeral DH cipher problem which is fixed. + + SSLeay 0.8.0 + +This version of SSLeay has quite a lot of things different from the +previous version. + +Basically check all callback parameters, I will be producing documentation +about how to use things in th future. Currently I'm just getting 080 out +the door. Please not that there are several ways to do everything, and +most of the applications in the apps directory are hybrids, some using old +methods and some using new methods. + +Have a look in demos/bio for some very simple programs and +apps/s_client.c and apps/s_server.c for some more advanced versions. +Notes are definitly needed but they are a week or so away. + +Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com) +--- +Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to +get those people that want to move to using the new code base off to +a quick start. + +Note that Eric has tidied up a lot of the areas of the API that were +less than desirable and renamed quite a few things (as he had to break +the API in lots of places anyrate). There are a whole pile of additional +functions for making dealing with (and creating) certificates a lot +cleaner. + +01-Jul-97 +Tim Hudson +tjh@cryptsoft.com + +---8<--- + +To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could +use something like the following (assuming you #include "crypto.h" which +is something that you really should be doing). + +#if SSLEAY_VERSION_NUMBER >= 0x0800 +#define SSLEAY8 +#endif + +buffer.h -> splits into buffer.h and bio.h so you need to include bio.h + too if you are working with BIO internal stuff (as distinct + from simply using the interface in an opaque manner) + +#include "bio.h" - required along with "buffer.h" if you write + your own BIO routines as the buffer and bio + stuff that was intermixed has been separated + out + +envelope.h -> evp.h (which should have been done ages ago) + +Initialisation ... don't forget these or you end up with code that +is missing the bits required to do useful things (like ciphers): + +SSLeay_add_ssl_algorithms() +(probably also want SSL_load_error_strings() too but you should have + already had that call in place) + +SSL_CTX_new() - requires an extra method parameter + SSL_CTX_new(SSLv23_method()) + SSL_CTX_new(SSLv2_method()) + SSL_CTX_new(SSLv3_method()) + + OR to only have the server or the client code + SSL_CTX_new(SSLv23_server_method()) + SSL_CTX_new(SSLv2_server_method()) + SSL_CTX_new(SSLv3_server_method()) + or + SSL_CTX_new(SSLv23_client_method()) + SSL_CTX_new(SSLv2_client_method()) + SSL_CTX_new(SSLv3_client_method()) + +SSL_set_default_verify_paths() ... renamed to the more appropriate +SSL_CTX_set_default_verify_paths() + +If you want to use client certificates then you have to add in a bit +of extra stuff in that a SSLv3 server sends a list of those CAs that +it will accept certificates from ... so you have to provide a list to +SSLeay otherwise certain browsers will not send client certs. + +SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file)); + + +X509_NAME_oneline(X) -> X509_NAME_oneline(X,NULL,0) + or provide a buffer and size to copy the + result into + +X509_add_cert -> X509_STORE_add_cert (and you might want to read the + notes on X509_NAME structure changes too) + + +VERIFICATION CODE +================= + +The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to +more accurately reflect things. + +The verification callback args are now packaged differently so that +extra fields for verification can be added easily in future without +having to break things by adding extra parameters each release :-) + +X509_cert_verify_error_string -> X509_verify_cert_error_string + + +BIO INTERNALS +============= + +Eric has fixed things so that extra flags can be introduced in +the BIO layer in future without having to play with all the BIO +modules by adding in some macros. + +The ugly stuff using + b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY) +becomes + BIO_clear_retry_flags(b) + + b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY) +becomes + BIO_set_retry_read(b) + +Also ... BIO_get_retry_flags(b), BIO_set_flags(b) + + + +OTHER THINGS +============ + +X509_NAME has been altered so that it isn't just a STACK ... the STACK +is now in the "entries" field ... and there are a pile of nice functions +for getting at the details in a much cleaner manner. + +SSL_CTX has been altered ... "cert" is no longer a direct member of this +structure ... things are now down under "cert_store" (see x509_vfy.h) and +things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE. +If your code "knows" about this level of detail then it will need some +surgery. + +If you depending on the incorrect spelling of a number of the error codes +then you will have to change your code as these have been fixed. + +ENV_CIPHER "type" got renamed to "nid" and as that is what it actually +has been all along so this makes things clearer. +ify_cert_error_string(ctx->error)); + +SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST + and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO + + + + Changes between 0.7.x and 0.8.0 + + *) There have been lots of changes, mostly the addition of SSLv3. + There have been many additions from people and amongst + others, C2Net has assisted greatly. + + Changes between 0.7.x and 0.7.x + + *) Internal development version only + +SSLeay 0.6.6 13-Jan-1997 + +The main additions are + +- assember for x86 DES improvments. + From 191,000 per second on a pentium 100, I now get 281,000. The inner + loop and the IP/FP modifications are from + Svend Olaf Mikkelsen . Many thanks for his + contribution. +- The 'DES macros' introduced in 0.6.5 now have 3 types. + DES_PTR1, DES_PTR2 and 'normal'. As per before, des_opts reports which + is best and there is a summery of mine in crypto/des/options.txt +- A few bug fixes. +- Added blowfish. It is not used by SSL but all the other stuff that + deals with ciphers can use it in either ecb, cbc, cfb64 or ofb64 modes. + There are 3 options for optimising Blowfish. BF_PTR, BF_PTR2 and 'normal'. + BF_PTR2 is pentium/x86 specific. The correct option is setup in + the 'Configure' script. +- There is now a 'get client certificate' callback which can be + 'non-blocking'. If more details are required, let me know. It will + documented more in SSLv3 when I finish it. +- Bug fixes from 0.6.5 including the infamous 'ca' bug. The 'make test' + now tests the ca program. +- Lots of little things modified and tweaked. + + SSLeay 0.6.5 + +After quite some time (3 months), the new release. I have been very busy +for the last few months and so this is mostly bug fixes and improvments. + +The main additions are + +- assember for x86 DES. For all those gcc based systems, this is a big + improvement. From 117,000 DES operation a second on a pentium 100, + I now get 191,000. I have also reworked the C version so it + now gives 148,000 DESs per second. +- As mentioned above, the inner DES macros now have some more variant that + sometimes help, sometimes hinder performance. There are now 3 options + DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling) + and DES_RISC (a more register intensive version of the inner macro). + The crypto/des/des_opts.c program, when compiled and run, will give + an indication of the correct options to use. +- The BIO stuff has been improved. Read doc/bio.doc. There are now + modules for encryption and base64 encoding and a BIO_printf() function. +- The CA program will accept simple one line X509v3 extensions in the + ssleay.cnf file. Have a look at the example. Currently this just + puts the text into the certificate as an OCTET_STRING so currently + the more advanced X509v3 data types are not handled but this is enough + for the netscape extensions. +- There is the start of a nicer higher level interface to the X509 + strucutre. +- Quite a lot of bug fixes. +- CRYPTO_malloc_init() (or CRYPTO_set_mem_functions()) can be used + to define the malloc(), free() and realloc() routines to use + (look in crypto/crypto.h). This is mostly needed for Windows NT/95 when + using DLLs and mixing CRT libraries. + +In general, read the 'VERSION' file for changes and be aware that some of +the new stuff may not have been tested quite enough yet, so don't just plonk +in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break. + +SSLeay 0.6.4 30/08/96 eay + +I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3, +Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-). + +The main changes in this release + +- Thread safe. have a read of doc/threads.doc and play in the mt directory. + For anyone using 0.6.3 with threads, I found 2 major errors so consider + moving to 0.6.4. I have a test program that builds under NT and + solaris. +- The get session-id callback has changed. Have a read of doc/callback.doc. +- The X509_cert_verify callback (the SSL_verify callback) now + has another argument. Have a read of doc/callback.doc +- 'ca -preserve', sign without re-ordering the DN. Not tested much. +- VMS support. +- Compile time memory leak detection can now be built into SSLeay. + Read doc/memory.doc +- CONF routines now understand '\', '\n', '\r' etc. What this means is that + the SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines. +- 'ssleay ciphers' added, lists the default cipher list for SSLeay. +- RC2 key setup is now compatable with Netscape. +- Modifed server side of SSL implementation, big performance difference when + using session-id reuse. + +0.6.3 + +Bug fixes and the addition of some nice stuff to the 'ca' program. +Have a read of doc/ns-ca.doc for how hit has been modified so +it can be driven from a CGI script. The CGI script is not provided, +but that is just being left as an excersize for the reader :-). + +0.6.2 + +This is most bug fixes and functionality improvements. + +Additions are +- More thread debugging patches, the thread stuff is still being + tested, but for those keep to play with stuff, have a look in + crypto/cryptlib.c. The application needs to define 1 (or optionaly + a second) callback that is used to implement locking. Compiling + with LOCK_DEBUG spits out lots of locking crud :-). + This is what I'm currently working on. +- SSL_CTX_set_default_passwd_cb() can be used to define the callback + function used in the SSL*_file() functions used to load keys. I was + always of the opinion that people should call + PEM_read_RSAPrivateKey() and pass the callback they want to use, but + it appears they just want to use the SSL_*_file() function() :-(. +- 'enc' now has a -kfile so a key can be read from a file. This is + mostly used so that the passwd does not appear when using 'ps', + which appears imposible to stop under solaris. +- X509v3 certificates now work correctly. I even have more examples + in my tests :-). There is now a X509_EXTENSION type that is used in + X509v3 certificates and CRLv2. +- Fixed that signature type error :-( +- Fixed quite a few potential memory leaks and problems when reusing + X509, CRL and REQ structures. +- EVP_set_pw_prompt() now sets the library wide default password + prompt. +- The 'pkcs7' command will now, given the -print_certs flag, output in + pem format, all certificates and CRL contained within. This is more + of a pre-emtive thing for the new verisign distribution method. I + should also note, that this also gives and example in code, of how + to do this :-), or for that matter, what is involved in going the + other way (list of certs and crl -> pkcs7). +- Added RSA's DESX to the DES library. It is also available via the + EVP_desx_cbc() method and via 'enc desx'. + +SSLeay 0.6.1 + +The main functional changes since 0.6.0 are as follows +- Bad news, the Microsoft 060 DLL's are not compatable, but the good news is + that from now on, I'll keep the .def numbers the same so they will be. +- RSA private key operations are about 2 times faster that 0.6.0 +- The SSL_CTX now has more fields so default values can be put against + it. When an SSL structure is created, these default values are used + but can be overwritten. There are defaults for cipher, certificate, + private key, verify mode and callback. This means SSL session + creation can now be + ssl=SSL_new() + SSL_set_fd(ssl,sock); + SSL_accept(ssl) + .... + All the other uglyness with having to keep a global copy of the + private key and certificate/verify mode in the server is now gone. +- ssl/ssltest.c - one process talking SSL to its self for testing. +- Storage of Session-id's can be controled via a session_cache_mode + flag. There is also now an automatic default flushing of + old session-id's. +- The X509_cert_verify() function now has another parameter, this + should not effect most people but it now means that the reason for + the failure to verify is now available via SSL_get_verify_result(ssl). + You don't have to use a global variable. +- SSL_get_app_data() and SSL_set_app_data() can be used to keep some + application data against the SSL structure. It is upto the application + to free the data. I don't use it, but it is available. +- SSL_CTX_set_cert_verify_callback() can be used to specify a + verify callback function that completly replaces my certificate + verification code. Xcert should be able to use this :-). + The callback is of the form int app_verify_callback(arg,ssl,cert). + This needs to be documented more. +- I have started playing with shared library builds, have a look in + the shlib directory. It is very simple. If you need a numbered + list of functions, have a look at misc/crypto.num and misc/ssl.num. +- There is some stuff to do locking to make the library thread safe. + I have only started this stuff and have not finished. If anyone is + keen to do so, please send me the patches when finished. + +So I have finally made most of the additions to the SSL interface that +I thought were needed. + +There will probably be a pause before I make any non-bug/documentation +related changes to SSLeay since I'm feeling like a bit of a break. + +eric - 12 Jul 1996 +I saw recently a comment by some-one that we now seem to be entering +the age of perpetual Beta software. +Pioneered by packages like linux but refined to an art form by +netscape. + +I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-). + +There are quite a large number of sections that are 'works in +progress' in this package. I will also list the major changes and +what files you should read. + +BIO - this is the new IO structure being used everywhere in SSLeay. I +started out developing this because of microsoft, I wanted a mechanism +to callback to the application for all IO, so Windows 3.1 DLL +perversion could be hidden from me and the 15 different ways to write +to a file under NT would also not be dictated by me at library build +time. What the 'package' is is an API for a data structure containing +functions. IO interfaces can be written to conform to the +specification. This in not intended to hide the underlying data type +from the application, but to hide it from SSLeay :-). +I have only really finished testing the FILE * and socket/fd modules. +There are also 'filter' BIO's. Currently I have only implemented +message digests, and it is in use in the dgst application. This +functionality will allow base64/encrypto/buffering modules to be +'push' into a BIO without it affecting the semantics. I'm also +working on an SSL BIO which will hide the SSL_accept()/SLL_connet() +from an event loop which uses the interface. +It is also possible to 'attach' callbacks to a BIO so they get called +before and after each operation, alowing extensive debug output +to be generated (try running dgst with -d). + +Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few +functions that used to take FILE *, now take BIO *. +The wrappers are easy to write + +function_fp(fp,x) +FILE *fp; + { + BIO *b; + int ret; + + if ((b=BIO_new(BIO_s_file())) == NULL) error..... + BIO_set_fp(b,fp,BIO_NOCLOSE); + ret=function_bio(b,x); + BIO_free(b); + return(ret); + } +Remember, there are no functions that take FILE * in SSLeay when +compiled for Windows 3.1 DLL's. + +-- +I have added a general EVP_PKEY type that can hold a public/private +key. This is now what is used by the EVP_ functions and is passed +around internally. I still have not done the PKCS#8 stuff, but +X509_PKEY is defined and waiting :-) + +-- +For a full function name listings, have a look at ms/crypt32.def and +ms/ssl32.def. These are auto-generated but are complete. +Things like ASN1_INTEGER_get() have been added and are in here if you +look. I have renamed a few things, again, have a look through the +function list and you will probably find what you are after. I intend +to at least put a one line descrition for each one..... + +-- +Microsoft - thats what this release is about, read the MICROSOFT file. + +-- +Multi-threading support. I have started hunting through the code and +flaging where things need to be done. In a state of work but high on +the list. + +-- +For random numbers, edit e_os.h and set DEVRANDOM (it's near the top) +be be you random data device, otherwise 'RFILE' in e_os.h +will be used, in your home directory. It will be updated +periodically. The environment variable RANDFILE will override this +choice and read/write to that file instead. DEVRANDOM is used in +conjunction to the RFILE/RANDFILE. If you wish to 'seed' the random +number generator, pick on one of these files. + +-- + +The list of things to read and do + +dgst -d +s_client -state (this uses a callback placed in the SSL state loop and + will be used else-where to help debug/monitor what + is happening.) + +doc/why.doc +doc/bio.doc <- hmmm, needs lots of work. +doc/bss_file.doc <- one that is working :-) +doc/session.doc <- it has changed +doc/speed.doc + also play with ssleay version -a. I have now added a SSLeay() + function that returns a version number, eg 0600 for this release + which is primarily to be used to check DLL version against the + application. +util/* Quite a few will not interest people, but some may, like + mk1mf.pl, mkdef.pl, +util/do_ms.sh + +try +cc -Iinclude -Icrypto -c crypto/crypto.c +cc -Iinclude -Issl -c ssl/ssl.c +You have just built the SSLeay libraries as 2 object files :-) + +Have a general rummage around in the bin stall directory and look at +what is in there, like CA.sh and c_rehash + +There are lots more things but it is 12:30am on a Friday night and I'm +heading home :-). + +eric 22-Jun-1996 +This version has quite a few major bug fixes and improvements. It DOES NOT +do SSLv3 yet. + +The main things changed +- A Few days ago I added the s_mult application to ssleay which is + a demo of an SSL server running in an event loop type thing. + It supports non-blocking IO, I have finally gotten it right, SSL_accept() + can operate in non-blocking IO mode, look at the code to see how :-). + Have a read of doc/s_mult as well. This program leaks memory and + file descriptors everywhere but I have not cleaned it up yet. + This is a demo of how to do non-blocking IO. +- The SSL session management has been 'worked over' and there is now + quite an expansive set of functions to manipulate them. Have a read of + doc/session.doc for some-things I quickly whipped up about how it now works. + This assume you know the SSLv2 protocol :-) +- I can now read/write the netscape certificate format, use the + -inform/-outform 'net' options to the x509 command. I have not put support + for this type in the other demo programs, but it would be easy to add. +- asn1parse and 'enc' have been modified so that when reading base64 + encoded files (pem format), they do not require '-----BEGIN' header lines. + The 'enc' program had a buffering bug fixed, it can be used as a general + base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d' + respecivly. Leaving out the '-a' flag in this case makes the 'enc' command + into a form of 'cat'. +- The 'x509' and 'req' programs have been fixed and modified a little so + that they generate self-signed certificates correctly. The test + script actually generates a 'CA' certificate and then 'signs' a + 'user' certificate. Have a look at this shell script (test/sstest) + to see how things work, it tests most possible combinations of what can + be done. +- The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name + of SSL_set_cipher_list() is now the correct API (stops confusion :-). + If this function is used in the client, only the specified ciphers can + be used, with preference given to the order the ciphers were listed. + For the server, if this is used, only the specified ciphers will be used + to accept connections. If this 'option' is not used, a default set of + ciphers will be used. The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this + list for all ciphers started against the SSL_CTX. So the order is + SSL cipher_list, if not present, SSL_CTX cipher list, if not + present, then the library default. + What this means is that normally ciphers like + NULL-MD5 will never be used. The only way this cipher can be used + for both ends to specify to use it. + To enable or disable ciphers in the library at build time, modify the + first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c. + This file also contains the 'pref_cipher' list which is the default + cipher preference order. +- I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net' + options work. They should, and they enable loading and writing the + netscape rsa private key format. I will be re-working this section of + SSLeay for the next version. What is currently in place is a quick and + dirty hack. +- I've re-written parts of the bignum library. This gives speedups + for all platforms. I now provide assembler for use under Windows NT. + I have not tested the Windows 3.1 assembler but it is quite simple code. + This gives RSAprivate_key operation encryption times of 0.047s (512bit key) + and 0.230s (1024bit key) on a pentium 100 which I consider reasonable. + Basically the times available under linux/solaris x86 can be achieve under + Windows NT. I still don't know how these times compare to RSA's BSAFE + library but I have been emailing with people and with their help, I should + be able to get my library's quite a bit faster still (more algorithm changes). + The object file crypto/bn/asm/x86-32.obj should be used when linking + under NT. +- 'make makefile.one' in the top directory will generate a single makefile + called 'makefile.one' This makefile contains no perl references and + will build the SSLeay library into the 'tmp' and 'out' directories. + util/mk1mf.pl >makefile.one is how this makefile is + generated. The mk1mf.pl command take several option to generate the + makefile for use with cc, gcc, Visual C++ and Borland C++. This is + still under development. I have only build .lib's for NT and MSDOS + I will be working on this more. I still need to play with the + correct compiler setups for these compilers and add some more stuff but + basically if you just want to compile the library + on a 'non-unix' platform, this is a very very good file to start with :-). + Have a look in the 'microsoft' directory for my current makefiles. + I have not yet modified things to link with sockets under Windows NT. + You guys should be able to do this since this is actually outside of the + SSLeay scope :-). I will be doing it for myself soon. + util/mk1mf.pl takes quite a few options including no-rc, rsaref and no-sock + to build without RC2/RC4, to require RSAref for linking, and to + build with no socket code. + +- Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher + that was posted to sci.crypt has been added to the library and SSL. + I take the view that if RC2 is going to be included in a standard, + I'll include the cipher to make my package complete. + There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers + at compile time. I have not tested this recently but it should all work + and if you are in the USA and don't want RSA threatening to sue you, + you could probably remove the RC4/RC2 code inside these sections. + I may in the future include a perl script that does this code + removal automatically for those in the USA :-). +- I have removed all references to sed in the makefiles. So basically, + the development environment requires perl and sh. The build environment + does not (use the makefile.one makefile). + The Configure script still requires perl, this will probably stay that way + since I have perl for Windows NT :-). + +eric (03-May-1996) + +PS Have a look in the VERSION file for more details on the changes and + bug fixes. +I have fixed a few bugs, added alpha and x86 assembler and generally cleaned +things up. This version will be quite stable, mostly because I'm on +holidays until 10-March-1996. For any problems in the interum, send email +to Tim Hudson . + +SSLeay 0.5.0 + +12-12-95 +This is going out before it should really be released. + +I leave for 11 weeks holidays on the 22-12-95 and so I either sit on +this for 11 weeks or get things out. It is still going to change a +lot in the next week so if you do grab this version, please test and +give me feed back ASAP, inculuding questions on how to do things with +the library. This will prompt me to write documentation so I don't +have to answer the same question again :-). + +This 'pre' release version is for people who are interested in the +library. The applications will have to be changed to use +the new version of the SSL interface. I intend to finish more +documentation before I leave but until then, look at the programs in +the apps directory. As far as code goes, it is much much nicer than +the old version. + +The current library works, has no memory leaks (as far as I can tell) +and is far more bug free that 0.4.5d. There are no global variable of +consequence (I believe) and I will produce some documentation that +tell where to look for those people that do want to do multi-threaded +stuff. + +There should be more documentation. Have a look in the +doc directory. I'll be adding more before I leave, it is a start +by mostly documents the crypto library. Tim Hudson will update +the web page ASAP. The spelling and grammar are crap but +it is better than nothing :-) + +Reasons to start playing with version 0.5.0 +- All the programs in the apps directory build into one ssleay binary. +- There is a new version of the 'req' program that generates certificate + requests, there is even documentation for this one :-) +- There is a demo certification authorithy program. Currently it will + look at the simple database and update it. It will generate CRL from + the data base. You need to edit the database by hand to revoke a + certificate, it is my aim to use perl5/Tk but I don't have time to do + this right now. It will generate the certificates but the management + scripts still need to be written. This is not a hard task. +- Things have been cleaned up alot. +- Have a look at the enc and dgst programs in the apps directory. +- It supports v3 of x509 certiticates. + + +Major things missing. +- I have been working on (and thinging about) the distributed x509 + hierachy problem. I have not had time to put my solution in place. + It will have to wait until I come back. +- I have not put in CRL checking in the certificate verification but + it would not be hard to do. I was waiting until I could generate my + own CRL (which has only been in the last week) and I don't have time + to put it in correctly. +- Montgomery multiplication need to be implemented. I know the + algorithm, just ran out of time. +- PKCS#7. I can load and write the DER version. I need to re-work + things to support BER (if that means nothing, read the ASN1 spec :-). +- Testing of the higher level digital envelope routines. I have not + played with the *_seal() and *_open() type functions. They are + written but need testing. The *_sign() and *_verify() functions are + rock solid. +- PEM. Doing this and PKCS#7 have been dependant on the distributed + x509 heirachy problem. I started implementing my ideas, got + distracted writing a CA program and then ran out of time. I provide + the functionality of RSAref at least. +- Re work the asm. code for the x86. I've changed by low level bignum + interface again, so I really need to tweak the x86 stuff. gcc is + good enough for the other boxes. + diff --git a/src/lib/libssl/src/COPYRIGHT b/src/lib/libssl/src/COPYRIGHT deleted file mode 100644 index 4faa8c0a46..0000000000 --- a/src/lib/libssl/src/COPYRIGHT +++ /dev/null @@ -1,65 +0,0 @@ -Copyright (C) 1997 Eric Young (eay@cryptsoft.com) -All rights reserved. - -This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). -The implementation was written so as to conform with Netscapes SSL. - -This library is free for commercial and non-commercial use as long as -the following conditions are aheared to. The following conditions -apply to all code found in this distribution, be it the RC4, RSA, -lhash, DES, etc., code; not just the SSL code. The SSL documentation -included with this distribution is covered by the same copyright terms -except that the holder is Tim Hudson (tjh@cryptsoft.com). - -Please note that MD2, MD5 and IDEA are publically available standards -that contain sample implementations, I have re-coded them in my own -way but there is nothing special about those implementations. The DES -library is another mater :-). - -Copyright remains Eric Young's, and as such any Copyright notices in -the code are not to be removed. -If this package is used in a product, Eric Young should be given attribution -as the author of the parts of the library used. -This can be in the form of a textual message at program startup or -in documentation (online or textual) provided with the package. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: -1. Redistributions of source code must retain the copyright - notice, this list of conditions and the following disclaimer. -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - "This product includes cryptographic software written by - Eric Young (eay@cryptsoft.com)" - The word 'cryptographic' can be left out if the rouines from the library - being used are not cryptographic related :-). -4. If you include any Windows specific code (or a derivative thereof) from - the apps directory (application code) you must include an acknowledgement: - "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - -THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -The licence and distribution terms for any publically available version or -derivative of this code cannot be changed. i.e. this code cannot simply be -copied and put under another distribution licence -[including the GNU Public Licence.] - -The reason behind this being stated in this direct manner is past -experience in code simply being copied and the attribution removed -from it and then being distributed as part of other packages. This -implementation was a non-trivial and unpaid effort. - diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure index 8b9ecbcdef..fdad0c238c 100644 --- a/src/lib/libssl/src/Configure +++ b/src/lib/libssl/src/Configure @@ -1,17 +1,37 @@ -#!/usr/bin/perl +: +eval 'exec perl -S $0 ${1+"$@"}' + if $running_under_some_shell; +## +## Configure -- OpenSSL source tree configuration script +## -# see PROBLEMS for instructions on what sort of things to do when -# tracking a bug --tjh +require 5.000; +use strict; + +# see INSTALL for instructions. + +my $usage="Usage: Configure [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [rsaref] [no-threads] [no-asm] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n"; + +# Options: # -# extra options -# -DRSAref build to use RSAref -# -DNO_IDEA build with no IDEA algorithm -# -DNO_RC4 build with no RC4 algorithm -# -DNO_RC2 build with no RC2 algorithm -# -DNO_BF build with no Blowfish algorithm -# -DNO_DES build with no DES/3DES algorithm -# -DNO_MD2 build with no MD2 algorithm +# --openssldir install OpenSSL in OPENSSLDIR (Default: DIR/ssl if the +# --prefix option is given; /usr/local/ssl otherwise) +# --prefix prefix for the OpenSSL include, lib and bin directories +# (Default: the OPENSSLDIR directory) # +# --install_prefix Additional prefix for package builders (empty by +# default). This needn't be set in advance, you can +# just as well use "make INSTALL_PREFIX=/whatever install". +# +# rsaref use RSAref +# [no-]threads [don't] try to create a library that is suitable for +# multithreaded applications (default is "threads" if we +# know how to do it) +# no-asm do not use assembler +# 386 generate 80386 code +# no- build without specified algorithm (rsa, idea, rc5, ...) +# - + compiler options are passed through +# # DES_PTR use pointer lookup vs arrays in the DES in crypto/des/des_locl.h # DES_RISC1 use different DES_ENCRYPT macro that helps reduce register # dependancies but needs to more registers, good for RISC CPU's @@ -32,124 +52,181 @@ # RC4_INDEX define RC4_INDEX in crypto/rc4/rc4_locl.h. This turns on # array lookups instead of pointer use. # BF_PTR use 'pointer arithmatic' for Blowfish (unsafe on Alpha). -# BF_PTR2 use a pentium/intel specific version. +# BF_PTR2 intel specific version (generic version is more efficient). # MD5_ASM use some extra md5 assember, # SHA1_ASM use some extra sha1 assember, must define L_ENDIAN for x86 # RMD160_ASM use some extra ripemd160 assember, -# BN_ASM use some extra bn assember, -$x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; +my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; # MD2_CHAR slags pentium pros -$x86_gcc_opts="RC4_INDEX MD2_INT BF_PTR2"; +my $x86_gcc_opts="RC4_INDEX MD2_INT"; # MODIFY THESE PARAMETERS IF YOU ARE GOING TO USE THE 'util/speed.sh SCRIPT # Don't worry about these normally -$tcc="cc"; -$tflags="-fast -Xa"; -$tbn_mul=""; -$tlib="-lnsl -lsocket"; +my $tcc="cc"; +my $tflags="-fast -Xa"; +my $tbn_mul=""; +my $tlib="-lnsl -lsocket"; #$bits1="SIXTEEN_BIT "; #$bits2="THIRTY_TWO_BIT "; -$bits1="THIRTY_TWO_BIT "; -$bits2="SIXTY_FOUR_BIT "; +my $bits1="THIRTY_TWO_BIT "; +my $bits2="SIXTY_FOUR_BIT "; -$x86_sol_asm="asm/bn86-sol.o:asm/dx86-sol.o:asm/yx86-sol.o:asm/bx86-sol.o:asm/mx86-sol.o:asm/sx86-sol.o:asm/cx86-sol.o:asm/rx86-sol.o:asm/rm86-sol.o:asm/r586-sol.o"; -$x86_elf_asm="asm/bn86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm/bx86-elf.o:asm/mx86-elf.o:asm/sx86-elf.o:asm/cx86-elf.o:asm/rx86-elf.o:asm/rm86-elf.o:asm/r586-elf.o"; -$x86_out_asm="asm/bn86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o"; -$x86_bsdi_asm="asm/bn86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o"; +my $x86_sol_asm="asm/bn86-sol.o asm/co86-sol.o:asm/dx86-sol.o asm/yx86-sol.o:asm/bx86-sol.o:asm/mx86-sol.o:asm/sx86-sol.o:asm/cx86-sol.o:asm/rx86-sol.o:asm/rm86-sol.o:asm/r586-sol.o"; +my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm/bx86-elf.o:asm/mx86-elf.o:asm/sx86-elf.o:asm/cx86-elf.o:asm/rx86-elf.o:asm/rm86-elf.o:asm/r586-elf.o"; +my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o"; +my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o"; # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1. # So the md5_locl.h file has an undef B_ENDIAN if sun is defined #config-string CC : CFLAGS : LDFLAGS : special header file mods:bn_asm \ # des_asm:bf_asm -%table=( -#"b", "$tcc:$tflags:$tlib:$bits1:$tbn_mul::", -#"bl-4c-2c", "$tcc:$tflags:$tlib:${bits1}BN_LLONG RC4_CHAR MD2_CHAR:$tbn_mul::", -#"bl-4c-ri", "$tcc:$tflags:$tlib:${bits1}BN_LLONG RC4_CHAR RC4_INDEX:$tbn_mul::", -#"b2-is-ri-dp", "$tcc:$tflags:$tlib:${bits2}IDEA_SHORT RC4_INDEX DES_PTR:$tbn_mul::", - -# A few of my development configs -"purify", "purify gcc:-g -DPURIFY -Wall:-lsocket -lnsl::::", -"debug", "gcc:-DREF_CHECK -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::::", -"dist", "cc:-O -DNOPROTO::::", +my %table=( +#"b", "$tcc:$tflags::$tlib:$bits1:$tbn_mul::", +#"bl-4c-2c", "$tcc:$tflags::$tlib:${bits1}BN_LLONG RC4_CHAR MD2_CHAR:$tbn_mul::", +#"bl-4c-ri", "$tcc:$tflags::$tlib:${bits1}BN_LLONG RC4_CHAR RC4_INDEX:$tbn_mul::", +#"b2-is-ri-dp", "$tcc:$tflags::$tlib:${bits2}IDEA_SHORT RC4_INDEX DES_PTR:$tbn_mul::", + +# Our development configs +"purify", "purify gcc:-g -DPURIFY -Wall::(unknown):-lsocket -lnsl::::", +"debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown):-lefence::::", +"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCRYPTO_MDEBUG -DPEDANTIC -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::", +"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCRYPTO_MDEBUG -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::", +"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::", +"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", +"debug-bodo", "gcc:-DBIO_PAIR_DEBUG -DL_ENDIAN -DREF_CHECK -DCRYPTO_MDEBUG_ALL -g -m486 -Wall::-D_REENTRANT::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", +"dist", "cc:-O::(unknown):::::", # Basic configs that should work on any box -"gcc", "gcc:-O3::BN_LLONG:::", -"cc", "cc:-O -DNOPROTO -DNOCONST:::::", - - -# My solaris setups -"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DBN_ASM:-lsocket -lnsl:BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_sol_asm:", -"solaris-sparc-gcc","gcc:-O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_UNROLL BF_PTR:::", -# DO NOT use /xO[34] on sparc with SC3.0. -# It is broken, and will not pass the tests -"solaris-sparc-cc","cc:-fast -O -Xa -DB_ENDIAN:\ - -lsocket -lnsl:BN_LLONG RC4_CHAR DES_PTR DES_UNROLL BF_PTR:asm/sparc.o::", -# SC4.0 is ok, better than gcc, except for the bignum stuff. -# -fast slows things like DES down quite a lot -"solaris-sparc-sc4","cc:-xO5 -Xa -DB_ENDIAN:-lsocket -lnsl:\ - BN_LLONG RC4_CHAR DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparc.o::", -"solaris-usparc-sc4","cc:-xtarget=ultra -xarch=v8plus -Xa -xO5 -DB_ENDIAN:\ - -lsocket -lnsl:\ - BN_LLONG RC4_CHAR DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparc.o::", +"gcc", "gcc:-O3::(unknown)::BN_LLONG:::", +"cc", "cc:-O::(unknown):::::", + +#### Solaris x86 setups +"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_sol_asm", + +#### SPARC Solaris with GNU C setups +"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_UNROLL BF_PTR:::", +"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_UNROLL BF_PTR:asm/sparcv8.o::", +"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:", +# gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8 +# but keep the assembler modules. +"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o:", +#### +"debug-solaris-sparcv8-gcc","gcc:-DREF_CHECK -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_UNROLL BF_PTR:::", +"debug-solaris-sparcv9-gcc","gcc:-DREF_CHECK -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_UNROLL BF_PTR:asm/sparcv8plus.o::", + +#### SPARC Solaris with Sun C setups +# DO NOT use /xO[34] on sparc with SC3.0. It is broken, and will not pass the tests +"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_PTR DES_UNROLL BF_PTR:::", +# SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2. +# SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8 +# SC5.0 note: Compiler common patch 107357-01 or later is required! +"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::", +"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o::", +"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:", +"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:SIXTY_FOUR_BIT_LONG RC4_CHAR DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:", + +#### SPARC Linux setups +"linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR DES_UNROLL BF_PTR::", +# Ray Miller has patiently +# assisted with debugging of following two configs. +"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR DES_UNROLL BF_PTR:asm/sparcv8.o::::", +# it's a real mess with -mcpu=ultrasparc option under Linux, but +# -Wa,-Av8plus should do the trick no matter what. +"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:", +# !!!Folowing can't be even tested yet!!! +# We have to wait till 64-bit glibc for SPARC is operational!!! +#"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:", # Sunos configs, assuming sparc for the gcc one. -"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::DES_UNROLL:::", -"sunos-gcc","gcc:-O3 -mv8::BN_LLONG RC4_CHAR DES_UNROLL DES_PTR DES_RISC1:::", - -# SGI configurations. If the box is rather old (r3000 cpu), you will -# probably have to remove the '-mips2' flag. I've only been using -# IRIX 5.[23]. -#"irix-gcc","gcc:-O2 -mips2::BN_LLONG RC4_INDEX RC4_CHAR:::", -"irix-gcc","gcc:-O2 -DTERMIOS -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::", -"irix-cc", "cc:-O2 -DTERMIOS -DB_ENDIAN::DES_PTR DES_RISC2 DES_UNROLL BF_PTR:asm/r3000.o::", -"debug-irix-cc", "cc:-w2 -g -DCRYPTO_MDEBUG -DTERMIOS -DB_ENDIAN:::asm/r3000.o::", - -# HPUX config. I've been building on HPUX 9, so the options may be -# different on version 10. The pa-risc2.o assember file is 2 times -# faster than the old asm/pa-risc.o version but it may not run on old -# PA-RISC CPUs. If you have problems, swap back to the old one. -# Both were generated by gcc, so use the C version with the PA-RISC specific -# options turned on if you are using gcc. -"hpux-cc", "cc:-DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit +O4 -Wl,-a,archive::DES_PTR DES_UNROLL DES_RISC1:asm/pa-risc2.o::", -"hpux-kr-cc", "cc:-DB_ENDIAN -DNOCONST -DNOPROTO -D_HPUX_SOURCE::DES_PTR DES_UNROLL:asm/pa-risc2.o::", -"hpux-gcc", "gcc:-DB_ENDIAN -O3::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", - -# Dec Alpha, OSF/1 - the alpha400-cc is the flags for a 21164A with +##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown)::DES_UNROLL:::", +"sunos-gcc","gcc:-O3 -mv8::(unknown)::BN_LLONG RC4_CHAR DES_UNROLL DES_PTR DES_RISC1:::", + +#### IRIX 5.x configs +# -mips2 flag is added by ./config when appropriate. +"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::", +"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR:::", +#### IRIX 6.x configs +# Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke +# './Configure irix-[g]cc' manually. +# -mips4 flag is added by ./config when appropriate. +"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN::(unknown)::MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::", +"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::DES_PTR DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::", +# N64 ABI builds. +"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN::(unknown)::DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::", +"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::", + +# HPUX 9.X config. +# Don't use the bundled cc. It is broken. Use HP ANSI C if possible, or +# egcs. gcc 2.8.1 is also broken. + +"hpux-cc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O4 -z::(unknown)::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", +# If hpux-cc fails (e.g. during "make test"), try the next one; otherwise, +# please report your OS and compiler version to the bugs@openssl.org +# mailing list. +"hpux-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::DES_PTR DES_UNROLL DES_RISC1:::", + +"hpux-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", +# If hpux-gcc fails, try this one: +"hpux-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::DES_PTR DES_UNROLL DES_RISC1:::", + +# HPUX 10.X config. Supports threads. +"hpux10-cc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O4 -z::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", +# If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG): +"hpux10-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", + +"hpux10-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", +# If hpux10-gcc fails, try this one: +"hpux10-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::DES_PTR DES_UNROLL DES_RISC1:::", + +# HPUX 11.X from www.globus.org. +# Only works on PA-RISC 2.0 cpus, and not optimized. Why? +"hpux11-32bit-cc","cc:+DA2.0 -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::DES_PTR DES_UNROLL DES_RISC1:::", +"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::", + +# Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with # the new compiler -"alpha-gcc","gcc:-O3::SIXTY_FOUR_BIT_LONGS DES_INT DES_PTR DES_RISC2:asm/alpha.o::", -"alpha-cc", "cc:-O2::SIXTY_FOUR_BIT_LONGS DES_INT DES_PTR DES_RISC2:asm/alpha.o::", -"alpha400-cc", "cc:-arch host -tune host -fast -std -O4 -inline speed::SIXTY_FOUR_BIT_LONG:asm/alpha.o::", +# For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version +"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG DES_UNROLL DES_RISC1:::", +"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG:::", +"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG:::", +"FreeBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::", + +# assembler versions -- currently defunct: +##"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG DES_UNROLL DES_RISC1:asm/alpha.o::", +##"alpha-cc", "cc:-tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG:asm/alpha.o::", +##"alpha164-cc", "cc:-tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG:asm/alpha.o::", +##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:asm/alpha.o::", # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the # bn86-elf.o file file since it is hand tweaked assembler. -"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", -"debug-linux-elf","gcc:-DREF_CHECK -DBN_ASM -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall:-lefence:BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", -"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", -"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-m86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-x86", "gcc:-DTERMIOS -DBN_ASM -D_ANSI_SOURCE -O3 -fomit-frame-pointer -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:", -"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::SIXTY_FOUR_BIT_LONGS DES_INT DES_PTR DES_RISC2:::", -"OpenBSD-x86", "gcc:-DTERMIOS -DBN_ASM -DL_ENDIAN -D_ANSI_SOURCE -fomit-frame-pointer -O3 -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", -"OpenBSD-bigendian", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD-pmax", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DL_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD-arc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DL_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"FreeBSD", "gcc:-DTERMIOS -DBN_ASM -DL_ENDIAN -D_ANSI_SOURCE -fomit-frame-pointer -O3 -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", -#"bsdi-gcc", "gcc:-O3 -ffast-math -DBN_ASM -DL_ENDIAN -DPERL5 -m486::RSA_LLONG $x86_gc_des $x86_gcc_opts:$x86_bsdi_asm", -"nextstep", "cc:-O3 -Wall -DBN_ASM::BN_LLONG $x86_gcc_des $x86_gcc_opts:::", +"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", +"debug-linux-elf","gcc:-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence:BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", +"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", +"linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::", +"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::::", +"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", +"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", +"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:", +"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", +"FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", +"bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG $x86_gcc_des $x86_gcc_opts:$x86_bsdi_asm", +"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", +"nextstep", "cc:-O -Wall::(unknown)::BN_LLONG $x86_gcc_des ${x86_gcc_opts}:::", +"nextstep3.3", "cc:-O3 -Wall::(unknown)::BN_LLONG $x86_gcc_des ${x86_gcc_opts}:::", # NCR MP-RAS UNIX ver 02.03.01 -"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw:-lsocket -lnsl:$x86_gcc_des $x86_gcc_opts:::", +"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown):-lsocket -lnsl:$x86_gcc_des ${x86_gcc_opts}:::", # UnixWare 2.0 -"unixware-2.0","cc:-O -DFILIO_H:-lsocket -lnsl:$x86_gcc_des $x86_gcc_opts:::", -"unixware-2.0-pentium","cc:-O -DFILIO_H -Kpentium -Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX $x86_des_des::", +"unixware-2.0","cc:-O -DFILIO_H::(unknown):-lsocket -lnsl:$x86_gcc_des ${x86_gcc_opts}:::", +"unixware-2.0-pentium","cc:-O -DFILIO_H -Kpentium -Kthread::(unknown):-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", # IBM's AIX. -"aix-cc", "cc:-O -DAIX -DB_ENDIAN::BN_LLONG RC4_CHAR:::", -"aix-gcc", "gcc:-O2 -DAIX -DB_ENDIAN::BN_LLONG RC4_CHAR:::", +"aix-cc", "cc:-O -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::", +"aix-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::", # # Cray T90 (SDSC) @@ -162,104 +239,257 @@ $x86_bsdi_asm="asm/bn86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/m #'Taking the address of a bit field is not allowed. ' #'An expression with bit field exists as the operand of "sizeof" ' # (written by Wayne Schroeder ) -"cray-t90-cc", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::SIXTY_FOUR_BIT_LONG DES_INT:::", +"cray-t90-cc", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT:::", + +# +# Cray T3E (Research Center Juelich, beckman@acl.lanl.gov) +# +# The BIT_FIELD_LIMITS define was written for the C90 (it seems). I added +# another use. Basically, the problem is that the T3E uses some bit fields +# for some st_addr stuff, and then sizeof and address-of fails +# I could not use the ams/alpha.o option because the Cray assembler, 'cam' +# did not like it. +"cray-t3e", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT:::", # DGUX, 88100. -"dgux-R3-gcc", "gcc:-O3 -fomit-frame-pointer::RC4_INDEX DES_UNROLL:::", -"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer:-lnsl -lsocket:RC4_INDEX:RC4_INDEX DES_UNROLL:::", -"dgux-R4-x86-gcc", "gcc:-O3 -DBN_ASM -fomit-frame-pointer -DL_ENDIAN:-lnsl -lsocket:BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", +"dgux-R3-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::RC4_INDEX DES_UNROLL:::", +"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX:RC4_INDEX DES_UNROLL:::", +"dgux-R4-x86-gcc", "gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", -# SCO 5 -"sco5-cc", "cc:-O:-lsocket:$x86_gcc_des $x86_gcc_opts:::", # des options? +# SCO 5 - Ben Laurie says the -O breaks the +# SCO cc. +"sco5-cc", "cc:::(unknown):-lsocket:$x86_gcc_des ${x86_gcc_opts}:::", # des options? +"sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG $x86_gcc_des ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... -# Sinix RM400 -"SINIX-N","/usr/ucb/cc:-O2 -misaligned:-lucb:RC4_INDEX RC4_CHAR:::", +# Sinix/ReliantUNIX RM400 +# NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g */ +"ReliantUNIX","cc:-KPIC -g -DSNI -DTERMIOS -DB_ENDIAN::-Kthread:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR:::", +"SINIX","cc:-O -DSNI::(unknown):-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::", +"SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown):-lucb:RC4_INDEX RC4_CHAR:::", + +# SIEMENS BS2000/OSD: an EBCDIC-based mainframe +"BS2000-OSD","c89:-XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown):-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::", # Windows NT, Microsoft Visual C++ 4.0 -# hmm... bug in perl under NT, I need to concatinate :-( -"VC-NT","cl:::BN_LLONG RC4_INDEX ".$x86_gcc_opts.":::", -"VC-WIN32","cl:::BN_LLONG RC4_INDEX ".$x86_gcc_opts.":::", -"VC-WIN16","cl:::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", -"VC-W31-16","cl:::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", -"VC-W31-32","cl:::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", -"VC-MSDOS","cl:::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", +"VC-NT","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}:::", +"VC-WIN32","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}:::", +"VC-WIN16","cl:::(unknown)::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", +"VC-W31-16","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", +"VC-W31-32","cl:::::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", +"VC-MSDOS","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", # Borland C++ 4.5 -"BC-32","bcc32:::DES_PTR RC4_INDEX:::", -"BC-16","bcc:::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::", -); +"BC-32","bcc32:::::BN_LLONG DES_PTR RC4_INDEX:::", +"BC-16","bcc:::(unknown)::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::", + +# CygWin32 +# (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl +# and its library files in util/pl/*) +"CygWin32", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG $x86_gcc_des $x86_gcc_opts:", +"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG $x86_gcc_des $x86_gcc_opts:", + +# Ultrix from Bernhard Simon +"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown)::::::", +"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown)::::::", +# K&R C is no longer supported; you need gcc on old Ultrix installations +##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown)::::::", + +# Some OpenBSD from Bob Beck +"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::", +"OpenBSD-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", +"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::", +"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::", -$postfix="org"; -$Makefile="Makefile.ssl"; -$des_locl="crypto/des/des_locl.h"; -$des ="crypto/des/des.h"; -$bn ="crypto/bn/bn.h"; -$md2 ="crypto/md2/md2.h"; -$rc4 ="crypto/rc4/rc4.h"; -$rc4_locl="crypto/rc4/rc4_locl.h"; -$idea ="crypto/idea/idea.h"; -$rc2 ="crypto/rc2/rc2.h"; -$bf ="crypto/bf/bf_locl.h"; -$bn_mulw="bn_mulw.o"; -$des_enc="des_enc.o fcrypt_b.o"; -$bf_enc ="bf_enc.o"; -$cast_enc="c_enc.o"; -$rc4_enc="rc4_enc.o"; -$rc5_enc="rc5_enc.o"; -$md5_obj=""; -$sha1_obj=""; -$rmd160_obj=""; - -if ($#ARGV < 0) - { - &bad_target; - exit(1); - } +); -$flags=""; +my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32 + BC-16 CygWin32 Mingw32); + +my $prefix=""; +my $openssldir=""; +my $install_prefix=""; +my $no_threads=0; +my $threads=0; +my $no_asm=0; +my @skip=(); +my $Makefile="Makefile.ssl"; +my $des_locl="crypto/des/des_locl.h"; +my $des ="crypto/des/des.h"; +my $bn ="crypto/bn/bn.h"; +my $md2 ="crypto/md2/md2.h"; +my $rc4 ="crypto/rc4/rc4.h"; +my $rc4_locl="crypto/rc4/rc4_locl.h"; +my $idea ="crypto/idea/idea.h"; +my $rc2 ="crypto/rc2/rc2.h"; +my $bf ="crypto/bf/bf_locl.h"; +my $bn_asm ="bn_asm.o"; +my $des_enc="des_enc.o fcrypt_b.o"; +my $bf_enc ="bf_enc.o"; +my $cast_enc="c_enc.o"; +my $rc4_enc="rc4_enc.o"; +my $rc5_enc="rc5_enc.o"; +my $md5_obj=""; +my $sha1_obj=""; +my $rmd160_obj=""; +my $processor=""; +my $ranlib; +my $perl; + +$ranlib=&which("ranlib") or $ranlib="true"; +$perl=&which("perl5") or $perl=&which("perl") or $perl="perl"; + +&usage if ($#ARGV < 0); + +my $flags=""; +my $depflags=""; +my $libs=""; +my $target=""; +my $options=""; foreach (@ARGV) { - if ($_ =~ /^-/) + if (/^no-asm$/) + { + $no_asm=1; + $flags .= "-DNO_ASM "; + } + elsif (/^no-threads$/) + { $no_threads=1; } + elsif (/^threads$/) + { $threads=1; } + elsif (/^no-(.+)$/) + { + my $algo=$1; + push @skip,$algo; + $algo =~ tr/[a-z]/[A-Z]/; + $flags .= "-DNO_$algo "; + $depflags .= "-DNO_$algo "; + if ($algo eq "DES") + { + $options .= " no-mdc2"; + $flags .= "-DNO_MDC2 "; + $depflags .= "-DNO_MDC2 "; + } + } + elsif (/^386$/) + { $processor=386; } + elsif (/^rsaref$/) + { + $libs.= "-lRSAglue -lrsaref "; + $flags.= "-DRSAref "; + } + elsif (/^[-+]/) { - if ($_ =~ /^-[lL](.*)$/) + if (/^-[lL](.*)$/) { $libs.=$_." "; } - elsif ($_ =~ /^-D(.*)$/) + elsif (/^-[^-]/ or /^\+/) { $flags.=$_." "; } + elsif (/^--prefix=(.*)$/) + { + $prefix=$1; + } + elsif (/^--openssldir=(.*)$/) + { + $openssldir=$1; + } + elsif (/^--install.prefix=(.*)$/) + { + $install_prefix=$1; + } else { - die "unknown options, only -Dxxx, -Lxxx -lxxx supported\n"; + print STDERR $usage; + exit(1); } } + elsif ($_ =~ /^([^:]+):(.+)$/) + { + eval "\$table{\$1} = \"$2\""; # allow $xxx constructs in the string + $target=$1; + } else { die "target already defined - $target\n" if ($target ne ""); $target=$_; - if (!defined($table{$target})) - { - &bad_target; - exit(1); - } + } + unless ($_ eq $target) { + if ($options eq "") { + $options = $_; + } else { + $options .= " ".$_; } } +} -if (!defined($table{$target})) - { - &bad_target; - exit(1); +if ($target eq "TABLE") { + foreach $target (sort keys %table) { + print_table_entry($target); } + exit 0; +} + +&usage if (!defined($table{$target})); + +my $IsWindows=scalar grep /^$target$/,@WinTargets; + +$openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq ""); +$prefix=$openssldir if $prefix eq ""; + +chop $openssldir if $openssldir =~ /\/$/; +chop $prefix if $prefix =~ /\/$/; -($cc,$cflags,$lflags,$bn_ops,$bn_obj,$des_obj,$bf_obj,$md5_obj,$sha1_obj, - $cast_obj,$rc4_obj,$rmd160_obj,$rc5_obj)= - split(/\s*:\s*/,$table{$target}); +$openssldir=$prefix . "/ssl" if $openssldir eq ""; +$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//; + + +print "IsWindows=$IsWindows\n"; + +(my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj, + $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj)= + split(/\s*:\s*/,$table{$target} . ":" x 20 , -1); $cflags="$flags$cflags" if ($flags ne ""); + +my $thread_cflags; +if ($thread_cflag ne "(unknown)" && !$no_threads) + { + # If we know how to do it, support threads by default. + $threads = 1; + } +if ($thread_cflag eq "(unknown)") + { + # If the user asked for "threads", hopefully they also provided + # any system-dependent compiler options that are necessary. + $thread_cflags="-DTHREADS $cflags" + } +else + { + $thread_cflags="-DTHREADS $thread_cflag $cflags" + } + $lflags="$libs$lflags"if ($libs ne ""); -$bn_obj=$bn_mulw unless ($bn_obj =~ /\.o$/); +if ($no_asm) + { + $bn_obj=$des_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj=""; + $sha1_obj=$md5_obj=$rmd160_obj=""; + } + +if ($threads) + { + $cflags=$thread_cflags; + } + +#my ($bn1)=split(/\s+/,$bn_obj); +#$bn1 = "" unless defined $bn1; +#$bn1=$bn_asm unless ($bn1 =~ /\.o$/); +#$bn_obj="$bn1"; + +$bn_obj = $bn_asm unless $bn_obj ne ""; + $des_obj=$des_enc unless ($des_obj =~ /\.o$/); $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/); $cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/); @@ -281,16 +511,50 @@ if ($rmd160_obj =~ /\.o$/) $cflags.=" -DRMD160_ASM"; } -$n=&file_new($Makefile); -open(IN,"<".$Makefile) || die "unable to read $Makefile:$!\n"; -open(OUT,">".$n) || die "unable to read $n:$!\n"; +my $version = "unknown"; +my $major = "unknown"; +my $minor = "unknown"; + +open(IN,') + { + $version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /; + } +close(IN); + +if ($version =~ /(^[0-9]*)\.([0-9\.]*)/) + { + $major=$1; + $minor=$2; + } + +open(IN,'$Makefile") || die "unable to create $Makefile:$!\n"; +my $sdirs=0; while () { chop; + $sdirs = 1 if /^SDIRS=/; + if ($sdirs) { + my $dir; + foreach $dir (@skip) { + s/$dir//; + } + } + $sdirs = 0 unless /\\$/; + s/^VERSION=.*/VERSION=$version/; + s/^MAJOR=.*/MAJOR=$major/; + s/^MINOR=.*/MINOR=$minor/; + s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/; + s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/; + s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/; + s/^PLATFORM=.*$/PLATFORM=$target/; + s/^OPTIONS=.*$/OPTIONS=$options/; s/^CC=.*$/CC= $cc/; s/^CFLAG=.*$/CFLAG= $cflags/; + s/^DEPFLAG=.*$/DEPFLAG= $depflags/; s/^EX_LIBS=.*$/EX_LIBS= $lflags/; - s/^BN_MULW=.*$/BN_MULW= $bn_obj/; + s/^BN_ASM=.*$/BN_ASM= $bn_obj/; s/^DES_ENC=.*$/DES_ENC= $des_obj/; s/^BF_ENC=.*$/BF_ENC= $bf_obj/; s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/; @@ -299,16 +563,18 @@ while () s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/; s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/; s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/; + s/^PROCESSOR=.*/PROCESSOR= $processor/; + s/^RANLIB=.*/RANLIB= $ranlib/; + s/^PERL=.*/PERL= $perl/; print OUT $_."\n"; } close(IN); close(OUT); -&Rename($Makefile,&file_old($Makefile)); -&Rename($n,$Makefile); + print "CC =$cc\n"; print "CFLAG =$cflags\n"; print "EX_LIBS =$lflags\n"; -print "BN_MULW =$bn_obj\n"; +print "BN_ASM =$bn_obj\n"; print "DES_ENC =$des_obj\n"; print "BF_ENC =$bf_obj\n"; print "CAST_ENC =$cast_obj\n"; @@ -317,21 +583,26 @@ print "RC5_ENC =$rc5_obj\n"; print "MD5_OBJ_ASM =$md5_obj\n"; print "SHA1_OBJ_ASM =$sha1_obj\n"; print "RMD160_OBJ_ASM=$rmd160_obj\n"; - -$des_ptr=0; -$des_risc1=0; -$des_risc2=0; -$des_unroll=0; -$bn_ll=0; -$def_int=2; -$rc4_int=$def_int; -$md2_int=$def_int; -$idea_int=$def_int; -$rc2_int=$def_int; -$rc4_idx=0; -$bf_ptr=0; -@type=("char","short","int","long"); -($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0); +print "PROCESSOR =$processor\n"; +print "RANLIB =$ranlib\n"; +print "PERL =$perl\n"; + +my $des_ptr=0; +my $des_risc1=0; +my $des_risc2=0; +my $des_unroll=0; +my $bn_ll=0; +my $def_int=2; +my $rc4_int=$def_int; +my $md2_int=$def_int; +my $idea_int=$def_int; +my $rc2_int=$def_int; +my $rc4_idx=0; +my $bf_ptr=0; +my @type=("char","short","int","long"); +my ($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0); + +my $des_int; foreach (sort split(/\s+/,$bn_ops)) { @@ -359,13 +630,18 @@ foreach (sort split(/\s+/,$bn_ops)) ($b64l,$b64,$b32,$b16,$b8)=(0,0,0,0,1) if /EIGHT_BIT/; } -(($in=$bn) =~ s/\.([^.]+)/.$postfix/); -$n=&file_new($bn); -open(IN,"<".$in) || die "unable to read $bn:$!\n"; -open(OUT,">$n") || die "unable to read $n:$!\n"; +open(IN,'crypto/opensslconf.h') || die "unable to create crypto/opensslconf.h:$!\n"; while () { - if (/^#((define)|(undef))\s+SIXTY_FOUR_BIT_LONG/) + if (/^#define\s+OPENSSLDIR/) + { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } + elsif (/^#define\s+OPENSSL_UNISTD/) + { + $unistd = "" if $unistd eq ""; + print OUT "#define OPENSSL_UNISTD $unistd\n"; + } + elsif (/^#((define)|(undef))\s+SIXTY_FOUR_BIT_LONG/) { printf OUT "#%s SIXTY_FOUR_BIT_LONG\n",($b64l)?"define":"undef"; } elsif (/^#((define)|(undef))\s+SIXTY_FOUR_BIT/) { printf OUT "#%s SIXTY_FOUR_BIT\n",($b64)?"define":"undef"; } @@ -377,38 +653,10 @@ while () { printf OUT "#%s EIGHT_BIT\n",($b8)?"define":"undef"; } elsif (/^#((define)|(undef))\s+BN_LLONG\s*$/) { printf OUT "#%s BN_LLONG\n",($bn_ll)?"define":"undef"; } - else - { print OUT $_; } - } -close(IN); -close(OUT); -&Rename($bn,&file_old($bn)); -&Rename($n,$bn); - -(($in=$des) =~ s/\.([^.]+)/.$postfix/); -$n=&file_new($des); -open(IN,"<".$in) || die "unable to read $des:$!\n"; -open(OUT,">$n") || die "unable to read $n:$!\n"; -while () - { - if (/^\#define\s+DES_LONG\s+.*/) + elsif (/^\#define\s+DES_LONG\s+.*/) { printf OUT "#define DES_LONG unsigned %s\n", ($des_int)?'int':'long'; } - else - { print OUT $_; } - } -close(IN); -close(OUT); -&Rename($des,&file_old($des)); -&Rename($n,$des); - -(($in=$des_locl) =~ s/\.([^.]+)/.$postfix/); -$n=&file_new($des_locl); -open(IN,"<".$in) || die "unable to read $des_locl:$!\n"; -open(OUT,">$n") || die "unable to read $n:$!\n"; -while () - { - if (/^\#(define|undef)\s+DES_PTR/) + elsif (/^\#(define|undef)\s+DES_PTR/) { printf OUT "#%s DES_PTR\n",($des_ptr)?'define':'undef'; } elsif (/^\#(define|undef)\s+DES_RISC1/) { printf OUT "#%s DES_RISC1\n",($des_risc1)?'define':'undef'; } @@ -416,113 +664,33 @@ while () { printf OUT "#%s DES_RISC2\n",($des_risc2)?'define':'undef'; } elsif (/^\#(define|undef)\s+DES_UNROLL/) { printf OUT "#%s DES_UNROLL\n",($des_unroll)?'define':'undef'; } - else - { print OUT $_; } - } -close(IN); -close(OUT); -&Rename($des_locl,&file_old($des_locl)); -&Rename($n,$des_locl); - -(($in=$rc4) =~ s/\.([^.]+)/.$postfix/); -$n=&file_new($rc4); -open(IN,"<".$in) || die "unable to read $rc4:$!\n"; -open(OUT,">$n") || die "unable to read $n:$!\n"; -while () - { - if (/^#define\s+RC4_INT\s/) + elsif (/^#define\s+RC4_INT\s/) { printf OUT "#define RC4_INT unsigned %s\n",$type[$rc4_int]; } - else - { print OUT $_; } - } -close(IN); -close(OUT); -&Rename($rc4,&file_old($rc4)); -&Rename($n,$rc4); - -(($in=$rc4_locl) =~ s/\.([^.]+)/.$postfix/); -$n=&file_new($rc4_locl); -open(IN,"<".$in) || die "unable to read $rc4_locl:$!\n"; -open(OUT,">$n") || die "unable to read $n:$!\n"; -while () - { - if (/^#((define)|(undef))\s+RC4_INDEX/) + elsif (/^#((define)|(undef))\s+RC4_INDEX/) { printf OUT "#%s RC4_INDEX\n",($rc4_idx)?"define":"undef"; } - else - { print OUT $_; } - } -close(IN); -close(OUT); -&Rename($rc4_locl,&file_old($rc4_locl)); -&Rename($n,$rc4_locl); - -(($in=$md2) =~ s/\.([^.]+)/.$postfix/); -$n=&file_new($md2); -open(IN,"<".$in) || die "unable to read $bn:$!\n"; -open(OUT,">$n") || die "unable to read $n:$!\n"; -while () - { - if (/^#define\s+MD2_INT\s/) + elsif (/^#(define|undef)\s+I386_ONLY/) + { printf OUT "#%s I386_ONLY\n", ($processor == 386)? + "define":"undef"; } + elsif (/^#define\s+MD2_INT\s/) { printf OUT "#define MD2_INT unsigned %s\n",$type[$md2_int]; } - else - { print OUT $_; } - } -close(IN); -close(OUT); -&Rename($md2,&file_old($md2)); -&Rename($n,$md2); - -(($in=$idea) =~ s/\.([^.]+)/.$postfix/); -$n=&file_new($idea); -open(IN,"<".$in) || die "unable to read $idea:$!\n"; -open(OUT,">$n") || die "unable to read $n:$!\n"; -while () - { - if (/^#define\s+IDEA_INT\s/) + elsif (/^#define\s+IDEA_INT\s/) {printf OUT "#define IDEA_INT unsigned %s\n",$type[$idea_int];} - else - { print OUT $_; } - } -close(IN); -close(OUT); -&Rename($idea,&file_old($idea)); -&Rename($n,$idea); - -(($in=$rc2) =~ s/\.([^.]+)/.$postfix/); -$n=&file_new($rc2); -open(IN,"<".$in) || die "unable to read $rc2:$!\n"; -open(OUT,">$n") || die "unable to read $n:$!\n"; -while () - { - if (/^#define\s+RC2_INT\s/) + elsif (/^#define\s+RC2_INT\s/) {printf OUT "#define RC2_INT unsigned %s\n",$type[$rc2_int];} - else - { print OUT $_; } - } -close(IN); -close(OUT); -&Rename($rc2,&file_old($rc2)); -&Rename($n,$rc2); - -(($in=$bf) =~ s/\.([^.]+)/.$postfix/); -$n=&file_new($bf); -open(IN,"<".$in) || die "unable to read $bf:$!\n"; -open(OUT,">$n") || die "unable to read $n:$!\n"; -while () - { - if (/^#(define|undef)\s+BF_PTR/) + elsif (/^#(define|undef)\s+BF_PTR/) { printf OUT "#undef BF_PTR\n" if $bf_ptr == 0; printf OUT "#define BF_PTR\n" if $bf_ptr == 1; printf OUT "#define BF_PTR2\n" if $bf_ptr == 2; - } + } else { print OUT $_; } } close(IN); close(OUT); -&Rename($bf,&file_old($bf)); -&Rename($n,$bf); + + +# Fix the date print "SIXTY_FOUR_BIT_LONG mode\n" if $b64l; print "SIXTY_FOUR_BIT mode\n" if $b64; @@ -542,30 +710,160 @@ print "IDEA uses u$type[$idea_int]\n" if $idea_int != $def_int; print "RC2 uses u$type[$rc2_int]\n" if $rc2_int != $def_int; print "BF_PTR used\n" if $bf_ptr == 1; print "BF_PTR2 used\n" if $bf_ptr == 2; + +if($IsWindows) { + open (OUT,">crypto/buildinf.h") || die "Can't open buildinf.h"; + printf OUT <crypto\\objects\\obj_dat.h"; +} else { + (system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?; + ### (system 'make depend') == 0 or exit $? if $depflags ne ""; + # Run "make depend" manually if you want to be able to delete + # the source code files of ciphers you left out. + &dofile("tools/c_rehash",$openssldir,'^DIR=', 'DIR=%s',); + if ( $perl =~ m@^/@) { + &dofile("apps/der_chop",$perl,'^#!/', '#!%s'); + } else { + # No path for Perl known ... + &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s'); + } +} + +my $pwd; + +if($IsWindows) { + $pwd="(current directory)"; +} else { + $pwd =`pwd`; + chop($pwd); +} +print < +should be used instead of #include . +These new file locations allow installing the OpenSSL header +files in /usr/local/include/openssl/ and should help avoid +conflicts with other libraries. + +To compile programs that use the old form , +usually an additional compiler option will suffice: E.g., add + -I$prefix/include/openssl +or + -I$pwd/include/openssl +to the CFLAGS in the Makefile of the program that you want to compile +(and leave all the original -I...'s in place!). + +Please make sure that no old OpenSSL header files are around: +The include directory should now be empty except for the openssl +subdirectory. + +EOF + +print <<\EOF if (!$no_threads && !$threads); + +The library could not be configured for supporting multi-threaded +applications as the compiler options required on this system are not known. +See file INSTALL for details if you need multi-threading. + +EOF + exit(0); -sub bad_target +sub usage { - print STDERR "Usage: Configure [-Dxxx] [-Lxxx] [-lxxx] os/compiler\n"; + print STDERR $usage; print STDERR "pick os/compiler from:"; - $j=0; + my $j=0; + my $i; + foreach $i (sort keys %table) + { + next if $i =~ /^debug/; + print STDERR "\n" if ($j++ % 4) == 0; + printf(STDERR "%-18s ",$i); + } foreach $i (sort keys %table) { - next if /^b-/; + next if $i !~ /^debug/; print STDERR "\n" if ($j++ % 4) == 0; printf(STDERR "%-18s ",$i); } print STDERR "\n"; + exit(1); } -sub Rename +sub which { - local($from,$to)=@_; + my($name)=@_; + my $path; + foreach $path (split /:/, $ENV{PATH}) + { + if (-f "$path/$name" and -x _) + { + return "$path/$name" unless ($name eq "perl" and + system("$path/$name -e " . '\'exit($]<5.0);\'')); + } + } + } + +sub dofile + { + my $f; my $p; my %m; my @a; my $k; my $ff; + ($f,$p,%m)=@_; - unlink($to); -# rename($from,$to) || die "unable to rename $from to $to:$!\n"; - rename($from,$to) # Don't care if it fails.. + open(IN,"<$f.in") || open(IN,"<$f") || die "unable to open $f:$!\n"; + @a=; + close(IN); + foreach $k (keys %m) + { + grep(/$k/ && ($_=sprintf($m{$k}."\n",$p)),@a); + } + ($ff=$f) =~ s/\..*$//; + open(OUT,">$ff.new") || die "unable to open $f:$!\n"; + print OUT @a; + close(OUT); + rename($f,"$ff.bak") || die "unable to rename $f\n" if -e $f; + rename("$ff.new",$f) || die "unable to rename $ff.new\n"; } -sub file_new { local($a)=@_; $a =~ s/(\.[^.]+$|$)/.new/; $a; } -sub file_old { local($a)=@_; $a =~ s/(\.[^.]+$|$)/.old/; $a; } +sub print_table_entry + { + my $target = shift; + + (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops, + my $bn_obj,my $des_obj,my $bf_obj, + $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj)= + split(/\s*:\s*/,$table{$target} . ":" x 20 , -1); + + print < - - Lots and lots of changes - -29-Jan-98 - - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from - Goetz Babin-Ebell . - - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or - TLS1_VERSION. - -7-Jan-98 - - Finally reworked the cipher string to ciphers again, so it - works correctly - - All the app_data stuff is now ex_data with funcion calls to access. - The index is supplied by a function and 'methods' can be setup - for the types that are called on XXX_new/XXX_free. This lets - applications get notified on creation and destruction. Some of - the RSA methods could be implemented this way and I may do so. - - Oh yes, SSL under perl5 is working at the basic level. - -15-Dec-97 - - Warning - the gethostbyname cache is not fully thread safe, - but it should work well enough. - - Major internal reworking of the app_data stuff. More functions - but if you were accessing ->app_data directly, things will - stop working. - - The perlv5 stuff is working. Currently on message digests, - ciphers and the bignum library. - -9-Dec-97 - - Modified re-negotiation so that server initated re-neg - will cause a SSL_read() to return -1 should retry. - The danger otherwise was that the server and the - client could end up both trying to read when using non-blocking - sockets. - -4-Dec-97 - - Lots of small changes - - Fix for binaray mode in Windows for the FILE BIO, thanks to - Bob Denny - -17-Nov-97 - - Quite a few internal cleanups, (removal of errno, and using macros - defined in e_os.h). - - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where - the automactic naming out output files was being stuffed up. - -29-Oct-97 - - The Cast5 cipher has been added. MD5 and SHA-1 are now in assember - for x86. - -21-Oct-97 - - Fixed a bug in the BIO_gethostbyname() cache. - -15-Oct-97 - - cbc mode for blowfish/des/3des is now in assember. Blowfish asm - has also been improved. At this point in time, on the pentium, - md5 is %80 faster, the unoptimesed sha-1 is %79 faster, - des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc - is %62 faster. - -12-Oct-97 - - MEM_BUF_grow() has been fixed so that it always sets the buf->length - to the value we are 'growing' to. Think of MEM_BUF_grow() as the - way to set the length value correctly. - -10-Oct-97 - - I now hash for certificate lookup on the raw DER encoded RDN (md5). - This breaks things again :-(. This is efficent since I cache - the DER encoding of the RDN. - - The text DN now puts in the numeric OID instead of UNKNOWN. - - req can now process arbitary OIDs in the config file. - - I've been implementing md5 in x86 asm, much faster :-). - - Started sha1 in x86 asm, needs more work. - - Quite a few speedups in the BN stuff. RSA public operation - has been made faster by caching the BN_MONT_CTX structure. - The calulating of the Ai where A*Ai === 1 mod m was rather - expensive. Basically a 40-50% speedup on public operations. - The RSA speedup is now 15% on pentiums and %20 on pentium - pro. - -30-Sep-97 - - After doing some profiling, I added x86 adm for bn_add_words(), - which just adds 2 arrays of longs together. A %10 speedup - for 512 and 1024 bit RSA on the pentium pro. - -29-Sep-97 - - Converted the x86 bignum assembler to us the perl scripts - for generation. - -23-Sep-97 - - If SSL_set_session() is passed a NULL session, it now clears the - current session-id. - -22-Sep-97 - - Added a '-ss_cert file' to apps/ca.c. This will sign selfsigned - certificates. - - Bug in crypto/evp/encode.c where by decoding of 65 base64 - encoded lines, one line at a time (via a memory BIO) would report - EOF after the first line was decoded. - - Fix in X509_find_by_issuer_and_serial() from - Dr Stephen Henson - -19-Sep-97 - - NO_FP_API and NO_STDIO added. - - Put in sh config command. It auto runs Configure with the correct - parameters. - -18-Sep-97 - - Fix x509.c so if a DSA cert has different parameters to its parent, - they are left in place. Not tested yet. - -16-Sep-97 - - ssl_create_cipher_list() had some bugs, fixes from - Patrick Eisenacher - - Fixed a bug in the Base64 BIO, where it would return 1 instead - of -1 when end of input was encountered but should retry. - Basically a Base64/Memory BIO interaction problem. - - Added a HMAC set of functions in preporarion for TLS work. - -15-Sep-97 - - Top level makefile tweak - Cameron Simpson - - Prime generation spead up %25 (512 bit prime, pentium pro linux) - by using montgomery multiplication in the prime number test. - -11-Sep-97 - - Ugly bug in ssl3_write_bytes(). Basically if application land - does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code - did not check the size and tried to copy the entire buffer. - This would tend to cause memory overwrites since SSLv3 has - a maximum packet size of 16k. If your program uses - buffers <= 16k, you would probably never see this problem. - - Fixed a new errors that were cause by malloc() not returning - 0 initialised memory.. - - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using - SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing - since this flags stops SSLeay being able to handle client - cert requests correctly. - -08-Sep-97 - - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added. When switched - on, the SSL server routines will not use a SSL_SESSION that is - held in it's cache. This in intended to be used with the session-id - callbacks so that while the session-ids are still stored in the - cache, the decision to use them and how to look them up can be - done by the callbacks. The are the 'new', 'get' and 'remove' - callbacks. This can be used to determine the session-id - to use depending on information like which port/host the connection - is coming from. Since the are also SSL_SESSION_set_app_data() and - SSL_SESSION_get_app_data() functions, the application can hold - information against the session-id as well. - -03-Sep-97 - - Added lookup of CRLs to the by_dir method, - X509_load_crl_file() also added. Basically it means you can - lookup CRLs via the same system used to lookup certificates. - - Changed things so that the X509_NAME structure can contain - ASN.1 BIT_STRINGS which is required for the unique - identifier OID. - - Fixed some problems with the auto flushing of the session-id - cache. It was not occuring on the server side. - -02-Sep-97 - - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size) - which is the maximum number of entries allowed in the - session-id cache. This is enforced with a simple FIFO list. - The default size is 20*1024 entries which is rather large :-). - The Timeout code is still always operating. - -01-Sep-97 - - Added an argument to all the 'generate private key/prime` - callbacks. It is the last parameter so this should not - break existing code but it is needed for C++. - - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64() - BIO. This lets the BIO read and write base64 encoded data - without inserting or looking for '\n' characters. The '-A' - flag turns this on when using apps/enc.c. - - RSA_NO_PADDING added to help BSAFE functionality. This is a - very dangerous thing to use, since RSA private key - operations without random padding bytes (as PKCS#1 adds) can - be attacked such that the private key can be revealed. - - ASN.1 bug and rc2-40-cbc and rc4-40 added by - Dr Stephen Henson - -31-Aug-97 (stuff added while I was away) - - Linux pthreads by Tim Hudson (tjh@cryptsoft.com). - - RSA_flags() added allowing bypass of pub/priv match check - in ssl/ssl_rsa.c - Tim Hudson. - - A few minor bugs. - -SSLeay 0.8.1 released. - -19-Jul-97 - - Server side initated dynamic renegotiation is broken. I will fix - it when I get back from holidays. - -15-Jul-97 - - Quite a few small changes. - - INVALID_SOCKET usage cleanups from Alex Kiernan - -09-Jul-97 - - Added 2 new values to the SSL info callback. - SSL_CB_START which is passed when the SSL protocol is started - and SSL_CB_DONE when it has finished sucsessfully. - -08-Jul-97 - - Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c - that related to DSA public/private keys. - - Added all the relevent PEM and normal IO functions to support - reading and writing RSAPublic keys. - - Changed makefiles to use ${AR} instead of 'ar r' - -07-Jul-97 - - Error in ERR_remove_state() that would leave a dangling reference - to a free()ed location - thanks to Alex Kiernan - - s_client now prints the X509_NAMEs passed from the server - when requesting a client cert. - - Added a ssl->type, which is one of SSL_ST_CONNECT or - SSL_ST_ACCEPT. I had to add it so I could tell if I was - a connect or an accept after the handshake had finished. - - SSL_get_client_CA_list(SSL *s) now returns the CA names - passed by the server if called by a client side SSL. - -05-Jul-97 - - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index - 0, not -1 :-( Fix from Tim Hudson (tjh@cryptsoft.com). - -04-Jul-97 - - Fixed some things in X509_NAME_add_entry(), thanks to - Matthew Donald . - - I had a look at the cipher section and though that it was a - bit confused, so I've changed it. - - I was not setting up the RC4-64-MD5 cipher correctly. It is - a MS special that appears in exported MS Money. - - Error in all my DH ciphers. Section 7.6.7.3 of the SSLv3 - spec. I was missing the two byte length header for the - ClientDiffieHellmanPublic value. This is a packet sent from - the client to the server. The SSL_OP_SSLEAY_080_CLIENT_DH_BUG - option will enable SSLeay server side SSLv3 accept either - the correct or my 080 packet format. - - Fixed a few typos in crypto/pem.org. - -02-Jul-97 - - Alias mapping for EVP_get_(digest|cipher)byname is now - performed before a lookup for actual cipher. This means - that an alias can be used to 're-direct' a cipher or a - digest. - - ASN1_read_bio() had a bug that only showed up when using a - memory BIO. When EOF is reached in the memory BIO, it is - reported as a -1 with BIO_should_retry() set to true. - -01-Jul-97 - - Fixed an error in X509_verify_cert() caused by my - miss-understanding how 'do { contine } while(0);' works. - Thanks to Emil Sit for educating me :-) - -30-Jun-97 - - Base64 decoding error. If the last data line did not end with - a '=', sometimes extra data would be returned. - - Another 'cut and paste' bug in x509.c related to setting up the - STDout BIO. - -27-Jun-97 - - apps/ciphers.c was not printing due to an editing error. - - Alex Kiernan send in a nice fix for - a library build error in util/mk1mf.pl - -26-Jun-97 - - Still did not have the auto 'experimental' code removal - script correct. - - A few header tweaks for Watcom 11.0 under Win32 from - Rolf Lindemann - - 0 length OCTET_STRING bug in asn1_parse - - A minor fix with an non-existent function in the MS .def files. - - A few changes to the PKCS7 stuff. - -25-Jun-97 - SSLeay 0.8.0 finally it gets released. - -24-Jun-97 - Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to - use a temporary RSA key. This is experimental and needs some more work. - Fixed a few Win16 build problems. - -23-Jun-97 - SSLv3 bug. I was not doing the 'lookup' of the CERT structure - correctly. I was taking the SSL->ctx->default_cert when I should - have been using SSL->cert. The bug was in ssl/s3_srvr.c - -20-Jun-97 - X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the - rest of the library. Even though I had the code required to do - it correctly, apps/req.c was doing the wrong thing. I have fixed - and tested everything. - - Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c. - -19-Jun-97 - Fixed a bug in the SSLv2 server side first packet handling. When - using the non-blocking test BIO, the ssl->s2->first_packet flag - was being reset when a would-block failure occurred when reading - the first 5 bytes of the first packet. This caused the checking - logic to run at the wrong time and cause an error. - - Fixed a problem with specifying cipher. If RC4-MD5 were used, - only the SSLv3 version would be picked up. Now this will pick - up both SSLv2 and SSLv3 versions. This required changing the - SSL_CIPHER->mask values so that they only mask the ciphers, - digests, authentication, export type and key-exchange algorithms. - - I found that when a SSLv23 session is established, a reused - session, of type SSLv3 was attempting to write the SSLv2 - ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char - method has been modified so it will only write out cipher which - that method knows about. - diff --git a/src/lib/libssl/src/HISTORY.066 b/src/lib/libssl/src/HISTORY.066 deleted file mode 100644 index f85224977a..0000000000 --- a/src/lib/libssl/src/HISTORY.066 +++ /dev/null @@ -1,443 +0,0 @@ -SSLeay 0.6.5 - -After quite some time (3 months), the new release. I have been very busy -for the last few months and so this is mostly bug fixes and improvments. - -The main additions are - -- assember for x86 DES. For all those gcc based systems, this is a big - improvement. From 117,000 DES operation a second on a pentium 100, - I now get 191,000. I have also reworked the C version so it - now gives 148,000 DESs per second. -- As mentioned above, the inner DES macros now have some more variant that - sometimes help, sometimes hinder performance. There are now 3 options - DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling) - and DES_RISC (a more register intensive version of the inner macro). - The crypto/des/des_opts.c program, when compiled and run, will give - an indication of the correct options to use. -- The BIO stuff has been improved. Read doc/bio.doc. There are now - modules for encryption and base64 encoding and a BIO_printf() function. -- The CA program will accept simple one line X509v3 extensions in the - ssleay.cnf file. Have a look at the example. Currently this just - puts the text into the certificate as an OCTET_STRING so currently - the more advanced X509v3 data types are not handled but this is enough - for the netscape extensions. -- There is the start of a nicer higher level interface to the X509 - strucutre. -- Quite a lot of bug fixes. -- CRYPTO_malloc_init() (or CRYPTO_set_mem_functions()) can be used - to define the malloc(), free() and realloc() routines to use - (look in crypto/crypto.h). This is mostly needed for Windows NT/95 when - using DLLs and mixing CRT libraries. - -In general, read the 'VERSION' file for changes and be aware that some of -the new stuff may not have been tested quite enough yet, so don't just plonk -in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break. - -SSLeay 0.6.4 30/08/96 eay - -I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3, -Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-). - -The main changes in this release - -- Thread safe. have a read of doc/threads.doc and play in the mt directory. - For anyone using 0.6.3 with threads, I found 2 major errors so consider - moving to 0.6.4. I have a test program that builds under NT and - solaris. -- The get session-id callback has changed. Have a read of doc/callback.doc. -- The X509_cert_verify callback (the SSL_verify callback) now - has another argument. Have a read of doc/callback.doc -- 'ca -preserve', sign without re-ordering the DN. Not tested much. -- VMS support. -- Compile time memory leak detection can now be built into SSLeay. - Read doc/memory.doc -- CONF routines now understand '\', '\n', '\r' etc. What this means is that - the SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines. -- 'ssleay ciphers' added, lists the default cipher list for SSLeay. -- RC2 key setup is now compatable with Netscape. -- Modifed server side of SSL implementation, big performance difference when - using session-id reuse. - -0.6.3 - -Bug fixes and the addition of some nice stuff to the 'ca' program. -Have a read of doc/ns-ca.doc for how hit has been modified so -it can be driven from a CGI script. The CGI script is not provided, -but that is just being left as an excersize for the reader :-). - -0.6.2 - -This is most bug fixes and functionality improvements. - -Additions are -- More thread debugging patches, the thread stuff is still being - tested, but for those keep to play with stuff, have a look in - crypto/cryptlib.c. The application needs to define 1 (or optionaly - a second) callback that is used to implement locking. Compiling - with LOCK_DEBUG spits out lots of locking crud :-). - This is what I'm currently working on. -- SSL_CTX_set_default_passwd_cb() can be used to define the callback - function used in the SSL*_file() functions used to load keys. I was - always of the opinion that people should call - PEM_read_RSAPrivateKey() and pass the callback they want to use, but - it appears they just want to use the SSL_*_file() function() :-(. -- 'enc' now has a -kfile so a key can be read from a file. This is - mostly used so that the passwd does not appear when using 'ps', - which appears imposible to stop under solaris. -- X509v3 certificates now work correctly. I even have more examples - in my tests :-). There is now a X509_EXTENSION type that is used in - X509v3 certificates and CRLv2. -- Fixed that signature type error :-( -- Fixed quite a few potential memory leaks and problems when reusing - X509, CRL and REQ structures. -- EVP_set_pw_prompt() now sets the library wide default password - prompt. -- The 'pkcs7' command will now, given the -print_certs flag, output in - pem format, all certificates and CRL contained within. This is more - of a pre-emtive thing for the new verisign distribution method. I - should also note, that this also gives and example in code, of how - to do this :-), or for that matter, what is involved in going the - other way (list of certs and crl -> pkcs7). -- Added RSA's DESX to the DES library. It is also available via the - EVP_desx_cbc() method and via 'enc desx'. - -SSLeay 0.6.1 - -The main functional changes since 0.6.0 are as follows -- Bad news, the Microsoft 060 DLL's are not compatable, but the good news is - that from now on, I'll keep the .def numbers the same so they will be. -- RSA private key operations are about 2 times faster that 0.6.0 -- The SSL_CTX now has more fields so default values can be put against - it. When an SSL structure is created, these default values are used - but can be overwritten. There are defaults for cipher, certificate, - private key, verify mode and callback. This means SSL session - creation can now be - ssl=SSL_new() - SSL_set_fd(ssl,sock); - SSL_accept(ssl) - .... - All the other uglyness with having to keep a global copy of the - private key and certificate/verify mode in the server is now gone. -- ssl/ssltest.c - one process talking SSL to its self for testing. -- Storage of Session-id's can be controled via a session_cache_mode - flag. There is also now an automatic default flushing of - old session-id's. -- The X509_cert_verify() function now has another parameter, this - should not effect most people but it now means that the reason for - the failure to verify is now available via SSL_get_verify_result(ssl). - You don't have to use a global variable. -- SSL_get_app_data() and SSL_set_app_data() can be used to keep some - application data against the SSL structure. It is upto the application - to free the data. I don't use it, but it is available. -- SSL_CTX_set_cert_verify_callback() can be used to specify a - verify callback function that completly replaces my certificate - verification code. Xcert should be able to use this :-). - The callback is of the form int app_verify_callback(arg,ssl,cert). - This needs to be documented more. -- I have started playing with shared library builds, have a look in - the shlib directory. It is very simple. If you need a numbered - list of functions, have a look at misc/crypto.num and misc/ssl.num. -- There is some stuff to do locking to make the library thread safe. - I have only started this stuff and have not finished. If anyone is - keen to do so, please send me the patches when finished. - -So I have finally made most of the additions to the SSL interface that -I thought were needed. - -There will probably be a pause before I make any non-bug/documentation -related changes to SSLeay since I'm feeling like a bit of a break. - -eric - 12 Jul 1996 -I saw recently a comment by some-one that we now seem to be entering -the age of perpetual Beta software. -Pioneered by packages like linux but refined to an art form by -netscape. - -I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-). - -There are quite a large number of sections that are 'works in -progress' in this package. I will also list the major changes and -what files you should read. - -BIO - this is the new IO structure being used everywhere in SSLeay. I -started out developing this because of microsoft, I wanted a mechanism -to callback to the application for all IO, so Windows 3.1 DLL -perversion could be hidden from me and the 15 different ways to write -to a file under NT would also not be dictated by me at library build -time. What the 'package' is is an API for a data structure containing -functions. IO interfaces can be written to conform to the -specification. This in not intended to hide the underlying data type -from the application, but to hide it from SSLeay :-). -I have only really finished testing the FILE * and socket/fd modules. -There are also 'filter' BIO's. Currently I have only implemented -message digests, and it is in use in the dgst application. This -functionality will allow base64/encrypto/buffering modules to be -'push' into a BIO without it affecting the semantics. I'm also -working on an SSL BIO which will hide the SSL_accept()/SLL_connet() -from an event loop which uses the interface. -It is also possible to 'attach' callbacks to a BIO so they get called -before and after each operation, alowing extensive debug output -to be generated (try running dgst with -d). - -Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few -functions that used to take FILE *, now take BIO *. -The wrappers are easy to write - -function_fp(fp,x) -FILE *fp; - { - BIO *b; - int ret; - - if ((b=BIO_new(BIO_s_file())) == NULL) error..... - BIO_set_fp(b,fp,BIO_NOCLOSE); - ret=function_bio(b,x); - BIO_free(b); - return(ret); - } -Remember, there are no functions that take FILE * in SSLeay when -compiled for Windows 3.1 DLL's. - --- -I have added a general EVP_PKEY type that can hold a public/private -key. This is now what is used by the EVP_ functions and is passed -around internally. I still have not done the PKCS#8 stuff, but -X509_PKEY is defined and waiting :-) - --- -For a full function name listings, have a look at ms/crypt32.def and -ms/ssl32.def. These are auto-generated but are complete. -Things like ASN1_INTEGER_get() have been added and are in here if you -look. I have renamed a few things, again, have a look through the -function list and you will probably find what you are after. I intend -to at least put a one line descrition for each one..... - --- -Microsoft - thats what this release is about, read the MICROSOFT file. - --- -Multi-threading support. I have started hunting through the code and -flaging where things need to be done. In a state of work but high on -the list. - --- -For random numbers, edit e_os.h and set DEVRANDOM (it's near the top) -be be you random data device, otherwise 'RFILE' in e_os.h -will be used, in your home directory. It will be updated -periodically. The environment variable RANDFILE will override this -choice and read/write to that file instead. DEVRANDOM is used in -conjunction to the RFILE/RANDFILE. If you wish to 'seed' the random -number generator, pick on one of these files. - --- - -The list of things to read and do - -dgst -d -s_client -state (this uses a callback placed in the SSL state loop and - will be used else-where to help debug/monitor what - is happening.) - -doc/why.doc -doc/bio.doc <- hmmm, needs lots of work. -doc/bss_file.doc <- one that is working :-) -doc/session.doc <- it has changed -doc/speed.doc - also play with ssleay version -a. I have now added a SSLeay() - function that returns a version number, eg 0600 for this release - which is primarily to be used to check DLL version against the - application. -util/* Quite a few will not interest people, but some may, like - mk1mf.pl, mkdef.pl, -util/do_ms.sh - -try -cc -Iinclude -Icrypto -c crypto/crypto.c -cc -Iinclude -Issl -c ssl/ssl.c -You have just built the SSLeay libraries as 2 object files :-) - -Have a general rummage around in the bin stall directory and look at -what is in there, like CA.sh and c_rehash - -There are lots more things but it is 12:30am on a Friday night and I'm -heading home :-). - -eric 22-Jun-1996 -This version has quite a few major bug fixes and improvements. It DOES NOT -do SSLv3 yet. - -The main things changed -- A Few days ago I added the s_mult application to ssleay which is - a demo of an SSL server running in an event loop type thing. - It supports non-blocking IO, I have finally gotten it right, SSL_accept() - can operate in non-blocking IO mode, look at the code to see how :-). - Have a read of doc/s_mult as well. This program leaks memory and - file descriptors everywhere but I have not cleaned it up yet. - This is a demo of how to do non-blocking IO. -- The SSL session management has been 'worked over' and there is now - quite an expansive set of functions to manipulate them. Have a read of - doc/session.doc for some-things I quickly whipped up about how it now works. - This assume you know the SSLv2 protocol :-) -- I can now read/write the netscape certificate format, use the - -inform/-outform 'net' options to the x509 command. I have not put support - for this type in the other demo programs, but it would be easy to add. -- asn1parse and 'enc' have been modified so that when reading base64 - encoded files (pem format), they do not require '-----BEGIN' header lines. - The 'enc' program had a buffering bug fixed, it can be used as a general - base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d' - respecivly. Leaving out the '-a' flag in this case makes the 'enc' command - into a form of 'cat'. -- The 'x509' and 'req' programs have been fixed and modified a little so - that they generate self-signed certificates correctly. The test - script actually generates a 'CA' certificate and then 'signs' a - 'user' certificate. Have a look at this shell script (test/sstest) - to see how things work, it tests most possible combinations of what can - be done. -- The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name - of SSL_set_cipher_list() is now the correct API (stops confusion :-). - If this function is used in the client, only the specified ciphers can - be used, with preference given to the order the ciphers were listed. - For the server, if this is used, only the specified ciphers will be used - to accept connections. If this 'option' is not used, a default set of - ciphers will be used. The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this - list for all ciphers started against the SSL_CTX. So the order is - SSL cipher_list, if not present, SSL_CTX cipher list, if not - present, then the library default. - What this means is that normally ciphers like - NULL-MD5 will never be used. The only way this cipher can be used - for both ends to specify to use it. - To enable or disable ciphers in the library at build time, modify the - first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c. - This file also contains the 'pref_cipher' list which is the default - cipher preference order. -- I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net' - options work. They should, and they enable loading and writing the - netscape rsa private key format. I will be re-working this section of - SSLeay for the next version. What is currently in place is a quick and - dirty hack. -- I've re-written parts of the bignum library. This gives speedups - for all platforms. I now provide assembler for use under Windows NT. - I have not tested the Windows 3.1 assembler but it is quite simple code. - This gives RSAprivate_key operation encryption times of 0.047s (512bit key) - and 0.230s (1024bit key) on a pentium 100 which I consider reasonable. - Basically the times available under linux/solaris x86 can be achieve under - Windows NT. I still don't know how these times compare to RSA's BSAFE - library but I have been emailing with people and with their help, I should - be able to get my library's quite a bit faster still (more algorithm changes). - The object file crypto/bn/asm/x86-32.obj should be used when linking - under NT. -- 'make makefile.one' in the top directory will generate a single makefile - called 'makefile.one' This makefile contains no perl references and - will build the SSLeay library into the 'tmp' and 'out' directories. - util/mk1mf.pl >makefile.one is how this makefile is - generated. The mk1mf.pl command take several option to generate the - makefile for use with cc, gcc, Visual C++ and Borland C++. This is - still under development. I have only build .lib's for NT and MSDOS - I will be working on this more. I still need to play with the - correct compiler setups for these compilers and add some more stuff but - basically if you just want to compile the library - on a 'non-unix' platform, this is a very very good file to start with :-). - Have a look in the 'microsoft' directory for my current makefiles. - I have not yet modified things to link with sockets under Windows NT. - You guys should be able to do this since this is actually outside of the - SSLeay scope :-). I will be doing it for myself soon. - util/mk1mf.pl takes quite a few options including no-rc, rsaref and no-sock - to build without RC2/RC4, to require RSAref for linking, and to - build with no socket code. - -- Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher - that was posted to sci.crypt has been added to the library and SSL. - I take the view that if RC2 is going to be included in a standard, - I'll include the cipher to make my package complete. - There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers - at compile time. I have not tested this recently but it should all work - and if you are in the USA and don't want RSA threatening to sue you, - you could probably remove the RC4/RC2 code inside these sections. - I may in the future include a perl script that does this code - removal automatically for those in the USA :-). -- I have removed all references to sed in the makefiles. So basically, - the development environment requires perl and sh. The build environment - does not (use the makefile.one makefile). - The Configure script still requires perl, this will probably stay that way - since I have perl for Windows NT :-). - -eric (03-May-1996) - -PS Have a look in the VERSION file for more details on the changes and - bug fixes. -I have fixed a few bugs, added alpha and x86 assembler and generally cleaned -things up. This version will be quite stable, mostly because I'm on -holidays until 10-March-1996. For any problems in the interum, send email -to Tim Hudson . - -SSLeay 0.5.0 - -12-12-95 -This is going out before it should really be released. - -I leave for 11 weeks holidays on the 22-12-95 and so I either sit on -this for 11 weeks or get things out. It is still going to change a -lot in the next week so if you do grab this version, please test and -give me feed back ASAP, inculuding questions on how to do things with -the library. This will prompt me to write documentation so I don't -have to answer the same question again :-). - -This 'pre' release version is for people who are interested in the -library. The applications will have to be changed to use -the new version of the SSL interface. I intend to finish more -documentation before I leave but until then, look at the programs in -the apps directory. As far as code goes, it is much much nicer than -the old version. - -The current library works, has no memory leaks (as far as I can tell) -and is far more bug free that 0.4.5d. There are no global variable of -consequence (I believe) and I will produce some documentation that -tell where to look for those people that do want to do multi-threaded -stuff. - -There should be more documentation. Have a look in the -doc directory. I'll be adding more before I leave, it is a start -by mostly documents the crypto library. Tim Hudson will update -the web page ASAP. The spelling and grammar are crap but -it is better than nothing :-) - -Reasons to start playing with version 0.5.0 -- All the programs in the apps directory build into one ssleay binary. -- There is a new version of the 'req' program that generates certificate - requests, there is even documentation for this one :-) -- There is a demo certification authorithy program. Currently it will - look at the simple database and update it. It will generate CRL from - the data base. You need to edit the database by hand to revoke a - certificate, it is my aim to use perl5/Tk but I don't have time to do - this right now. It will generate the certificates but the management - scripts still need to be written. This is not a hard task. -- Things have been cleaned up alot. -- Have a look at the enc and dgst programs in the apps directory. -- It supports v3 of x509 certiticates. - - -Major things missing. -- I have been working on (and thinging about) the distributed x509 - hierachy problem. I have not had time to put my solution in place. - It will have to wait until I come back. -- I have not put in CRL checking in the certificate verification but - it would not be hard to do. I was waiting until I could generate my - own CRL (which has only been in the last week) and I don't have time - to put it in correctly. -- Montgomery multiplication need to be implemented. I know the - algorithm, just ran out of time. -- PKCS#7. I can load and write the DER version. I need to re-work - things to support BER (if that means nothing, read the ASN1 spec :-). -- Testing of the higher level digital envelope routines. I have not - played with the *_seal() and *_open() type functions. They are - written but need testing. The *_sign() and *_verify() functions are - rock solid. -- PEM. Doing this and PKCS#7 have been dependant on the distributed - x509 heirachy problem. I started implementing my ideas, got - distracted writing a CA program and then ran out of time. I provide - the functionality of RSAref at least. -- Re work the asm. code for the x86. I've changed by low level bignum - interface again, so I really need to tweak the x86 stuff. gcc is - good enough for the other boxes. - diff --git a/src/lib/libssl/src/INSTALL b/src/lib/libssl/src/INSTALL index d394bf8a7b..6066fddc4a 100644 --- a/src/lib/libssl/src/INSTALL +++ b/src/lib/libssl/src/INSTALL @@ -1,6 +1,260 @@ -# Installation of SSLeay. -# It depends on perl for a few bits but those steps can be skipped and -# the top level makefile edited by hand + + INSTALLATION ON THE UNIX PLATFORM + --------------------------------- + + [See INSTALL.W32 for instructions for compiling OpenSSL on Windows systems, + and INSTALL.VMS for installing on OpenVMS systems.] + + To install OpenSSL, you will need: + + * Perl 5 + * an ANSI C compiler + * a supported Unix operating system + + Quick Start + ----------- + + If you want to just get on with it, do: + + $ ./config + $ make + $ make test + $ make install + + [If any of these steps fails, see section Installation in Detail below.] + + This will build and install OpenSSL in the default location, which is (for + historical reasons) /usr/local/ssl. If you want to install it anywhere else, + run config like this: + + $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl + + + Configuration Options + --------------------- + + There are several options to ./config to customize the build: + + --prefix=DIR Install in DIR/bin, DIR/lib, DIR/include/openssl. + Configuration files used by OpenSSL will be in DIR/ssl + or the directory specified by --openssldir. + + --openssldir=DIR Directory for OpenSSL files. If no prefix is specified, + the library files and binaries are also installed there. + + rsaref Build with RSADSI's RSAREF toolkit (this assumes that + librsaref.a is in the library search path). + + no-threads Don't try to build with support for multi-threaded + applications. + + threads Build with support for multi-threaded applications. + This will usually require additional system-dependent options! + See "Note on multi-threading" below. + + no-asm Do not use assembler code. + + 386 Use the 80386 instruction set only (the default x86 code is + more efficient, but requires at least a 486). + + no- Build without the specified cipher (bf, cast, des, dh, dsa, + hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha). + The crypto/ directory can be removed after running + "make depend". + + -Dxxx, -lxxx, -Lxxx, -fxxx, -Kxxx These system specific options will + be passed through to the compiler to allow you to + define preprocessor symbols, specify additional libraries, + library directories or other compiler options. + + + Installation in Detail + ---------------------- + + 1a. Configure OpenSSL for your operation system automatically: + + $ ./config [options] + + This guesses at your operating system (and compiler, if necessary) and + configures OpenSSL based on this guess. Run ./config -t to see + if it guessed correctly. If it did not get it correct or you want to + use a different compiler then go to step 1b. Otherwise go to step 2. + + On some systems, you can include debugging information as follows: + + $ ./config -d [options] + + 1b. Configure OpenSSL for your operating system manually + + OpenSSL knows about a range of different operating system, hardware and + compiler combinations. To see the ones it knows about, run + + $ ./Configure + + Pick a suitable name from the list that matches your system. For most + operating systems there is a choice between using "cc" or "gcc". When + you have identified your system (and if necessary compiler) use this name + as the argument to ./Configure. For example, a "linux-elf" user would + run: + + $ ./Configure linux-elf [options] + + If your system is not available, you will have to edit the Configure + program and add the correct configuration for your system. The + generic configurations "cc" or "gcc" should usually work. + + Configure creates the file Makefile.ssl from Makefile.org and + defines various macros in crypto/opensslconf.h (generated from + crypto/opensslconf.h.in). + + 2. Build OpenSSL by running: + + $ make + + This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the + OpenSSL binary ("openssl"). The libraries will be built in the top-level + directory, and the binary will be in the "apps" directory. + + If "make" fails, please report the problem to . + Include the output of "./config -t" and the OpenSSL version + number in your message. + + [If you encounter assembler error messages, try the "no-asm" + configuration option as an immediate fix. Note that on Solaris x86 + (not on Sparcs!) you may have to install the GNU assembler to use + OpenSSL assembler code -- /usr/ccs/bin/as won't do.] + + Compiling parts of OpenSSL with gcc and others with the system + compiler will result in unresolved symbols on some systems. + + 3. After a successful build, the libraries should be tested. Run: + + $ make test + + If a test fails, try removing any compiler optimization flags from + the CFLAGS line in Makefile.ssl and run "make clean; make". Please + send a bug report to , including the + output of "openssl version -a" and of the failed test. + + 4. If everything tests ok, install OpenSSL with + + $ make install + + This will create the installation directory (if it does not exist) and + then the following subdirectories: + + certs Initially empty, this is the default location + for certificate files. + misc Various scripts. + private Initially empty, this is the default location + for private key files. + + If you didn't chose a different installation prefix, the + following additional subdirectories will be created: + + bin Contains the openssl binary and a few other + utility programs. + include/openssl Contains the header files needed if you want to + compile programs with libcrypto or libssl. + lib Contains the OpenSSL library files themselves. + + Package builders who want to configure the library for standard + locations, but have the package installed somewhere else so that + it can easily be packaged, can use + + $ make INSTALL_PREFIX=/tmp/package-root install + + (or specify "--install_prefix=/tmp/package-root" as a configure + option). The specified prefix will be prepended to all + installation target filenames. + + + NOTE: The header files used to reside directly in the include + directory, but have now been moved to include/openssl so that + OpenSSL can co-exist with other libraries which use some of the + same filenames. This means that applications that use OpenSSL + should now use C preprocessor directives of the form + + #include + + instead of "#include ", which was used with library versions + up to OpenSSL 0.9.2b. + + If you install a new version of OpenSSL over an old library version, + you should delete the old header files in the include directory. + + Compatibility issues: + + * COMPILING existing applications + + To compile an application that uses old filenames -- e.g. + "#include " --, it will usually be enough to find + the CFLAGS definition in the application's Makefile and + add a C option such as + + -I/usr/local/ssl/include/openssl + + to it. + + But don't delete the existing -I option that points to + the ..../include directory! Otherwise, OpenSSL header files + could not #include each other. + + * WRITING applications + + To write an application that is able to handle both the new + and the old directory layout, so that it can still be compiled + with library versions up to OpenSSL 0.9.2b without bothering + the user, you can proceed as follows: + + - Always use the new filename of OpenSSL header files, + e.g. #include . + + - Create a directory "incl" that contains only a symbolic + link named "openssl", which points to the "include" directory + of OpenSSL. + For example, your application's Makefile might contain the + following rule, if OPENSSLDIR is a pathname (absolute or + relative) of the directory where OpenSSL resides: + + incl/openssl: + -mkdir incl + cd $(OPENSSLDIR) # Check whether the directory really exists + -ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl + + You will have to add "incl/openssl" to the dependencies + of those C files that include some OpenSSL header file. + + - Add "-Iincl" to your CFLAGS. + + With these additions, the OpenSSL header files will be available + under both name variants if an old library version is used: + Your application can reach them under names like , + while the header files still are able to #include each other + with names of the form . + + + Note on multi-threading + ----------------------- + + For some systems, the OpenSSL Configure script knows what compiler options + are needed to generate a library that is suitable for multi-threaded + applications. On these systems, support for multi-threading is enabled + by default; use the "no-threads" option to disable (this should never be + necessary). + + On other systems, to enable support for multi-threading, you will have + to specify at least two options: "threads", and a system-dependent option. + (The latter is "-D_REENTRANT" on various systems.) The default in this + case, obviously, is not to include support for multi-threading (but + you can still use "no-threads" to suppress an annoying warning message + from the Configure script.) + + +-------------------------------------------------------------------------------- +The orignal Unix build instructions from SSLeay follow. +Note: some of this may be out of date and no longer applicable +-------------------------------------------------------------------------------- # When bringing the SSLeay distribution back from the evil intel world # of Windows NT, do the following to make it nice again under unix :-) @@ -126,3 +380,8 @@ The examples for solaris and windows NT/95 are in the mt directory. have fun eric 25-Jun-1997 + +IRIX 5.x will build as a 32 bit system with mips1 assember. +IRIX 6.x will build as a 64 bit system with mips3 assember. It conforms +to n32 standards. In theory you can compile the 64 bit assember under +IRIX 5.x but you will have to have the correct system software installed. diff --git a/src/lib/libssl/src/INSTALL.VMS b/src/lib/libssl/src/INSTALL.VMS new file mode 100644 index 0000000000..4c01560d3d --- /dev/null +++ b/src/lib/libssl/src/INSTALL.VMS @@ -0,0 +1,245 @@ + VMS Installation instructions + written by Richard Levitte + + + +Intro: +====== + +This file is divided in the following parts: + + Compilation - Mandatory reading. + Test - Mandatory reading. + Installation - Mandatory reading. + Backward portability - Read if it's an issue. + Possible bugs or quirks - A few warnings on things that + may go wrong or may surprise you. + Report - How to get in touch with me. + +Compilation: +============ + +I've used the very good command procedures written by Robert Byer +, and just slightly modified them, making +them slightly more general and easier to maintain. + +You can actually compile in almost any directory separately. Look +for a command procedure name xxx-LIB.COM (in the library directories) +or MAKExxx.COM (in the program directories) and read the comments at +the top to understand how to use them. However, if you want to +compile all you can get, the simplest is to use MAKEVMS.COM in the top +directory. The syntax is trhe following: + + @MAKEVMS