From 9cea7b85baecb1a02a3ea617de73d9693a9792eb Mon Sep 17 00:00:00 2001 From: markus <> Date: Sun, 11 May 2003 21:36:59 +0000 Subject: import 0.9.7b (without idea and rc5) --- src/lib/libcrypto/bf/bftest.c | 10 +- src/lib/libcrypto/bn/asm/vms.mar | 254 ++--- src/lib/libcrypto/bn/bntest.c | 23 +- src/lib/libcrypto/bn/divtest.c | 6 +- src/lib/libcrypto/bn/exptest.c | 22 +- src/lib/libcrypto/cast/casttest.c | 4 +- src/lib/libcrypto/crypto-lib.com | 344 ++----- src/lib/libcrypto/des/FILES0 | 96 ++ src/lib/libcrypto/des/des.c | 32 +- src/lib/libcrypto/des/des_old.h | 10 +- src/lib/libcrypto/des/destest.c | 6 +- src/lib/libcrypto/des/read2pwd.c | 8 +- src/lib/libcrypto/des/read_pwd.c | 44 +- src/lib/libcrypto/dh/dhtest.c | 14 +- src/lib/libcrypto/dsa/dsagen.c | 2 +- src/lib/libcrypto/dsa/dsatest.c | 17 +- src/lib/libcrypto/dso/dso_dl.c | 2 +- src/lib/libcrypto/dso/dso_win32.c | 2 +- src/lib/libcrypto/ec/ectest.c | 11 +- src/lib/libcrypto/engine/enginetest.c | 11 +- src/lib/libcrypto/engine/hw_4758_cca.c | 6 +- src/lib/libcrypto/engine/hw_atalla.c | 2 + src/lib/libcrypto/engine/hw_cryptodev.c | 540 ++++++---- src/lib/libcrypto/engine/hw_cswift.c | 73 ++ src/lib/libcrypto/engine/hw_ncipher.c | 68 +- src/lib/libcrypto/engine/hw_ncipher_err.c | 3 +- src/lib/libcrypto/engine/hw_ncipher_err.h | 1 + src/lib/libcrypto/engine/hw_nuron.c | 2 + src/lib/libcrypto/engine/hw_sureware.c | 1039 ++++++++++++++++++++ src/lib/libcrypto/engine/hw_ubsec.c | 2 + src/lib/libcrypto/engine/vendor_defns/hw_ubsec.h | 100 ++ .../libcrypto/engine/vendor_defns/hwcryptohook.h | 486 +++++++++ src/lib/libcrypto/engine/vendor_defns/sureware.h | 239 +++++ src/lib/libcrypto/evp/bio_ok.c | 2 +- src/lib/libcrypto/evp/evp_acnf.c | 1 - src/lib/libcrypto/evp/evp_test.c | 58 +- src/lib/libcrypto/hmac/hmactest.c | 21 +- src/lib/libcrypto/idea/version | 12 + src/lib/libcrypto/md2/md2_dgst.c | 9 +- src/lib/libcrypto/md2/md2_one.c | 2 +- src/lib/libcrypto/md2/md2test.c | 5 +- src/lib/libcrypto/md4/md4.c | 4 +- src/lib/libcrypto/md4/md4test.c | 4 +- src/lib/libcrypto/md5/md5.c | 2 +- src/lib/libcrypto/md5/md5test.c | 4 +- src/lib/libcrypto/mdc2/mdc2test.c | 146 +++ src/lib/libcrypto/mem.c | 47 +- src/lib/libcrypto/objects/obj_dat.h | 29 +- src/lib/libcrypto/objects/obj_mac.h | 12 +- src/lib/libcrypto/opensslconf.h | 2 +- src/lib/libcrypto/opensslconf.h.in | 2 +- src/lib/libcrypto/perlasm/x86ms.pl | 15 +- src/lib/libcrypto/perlasm/x86nasm.pl | 15 +- src/lib/libcrypto/perlasm/x86unix.pl | 53 +- src/lib/libcrypto/pkcs7/bio_ber.c | 2 +- src/lib/libcrypto/rand/md_rand.c | 4 +- src/lib/libcrypto/rand/rand_egd.c | 6 +- src/lib/libcrypto/rand/rand_unix.c | 11 +- src/lib/libcrypto/rand/rand_win.c | 84 +- src/lib/libcrypto/rand/randtest.c | 4 +- src/lib/libcrypto/rc2/rc2test.c | 4 +- src/lib/libcrypto/rc4/rc4.c | 4 +- src/lib/libcrypto/rc4/rc4test.c | 4 +- src/lib/libcrypto/rc5/rc5s.cpp | 70 ++ src/lib/libcrypto/ripemd/rmd160.c | 2 +- src/lib/libcrypto/ripemd/rmdtest.c | 4 +- src/lib/libcrypto/rsa/rsa_test.c | 1 - src/lib/libcrypto/sha/sha1test.c | 4 +- src/lib/libcrypto/sha/sha_one.c | 3 +- src/lib/libcrypto/sha/shatest.c | 4 +- src/lib/libcrypto/threads/mttest.c | 5 - src/lib/libcrypto/tmdiff.c | 32 +- src/lib/libcrypto/uid.c | 2 +- src/lib/libcrypto/util/bat.sh | 2 + src/lib/libcrypto/util/cygwin.sh | 2 + src/lib/libcrypto/util/domd | 7 +- src/lib/libcrypto/util/extract-names.pl | 22 + src/lib/libcrypto/util/libeay.num | 226 +++-- src/lib/libcrypto/util/mk1mf.pl | 33 +- src/lib/libcrypto/util/mkcerts.sh | 6 +- src/lib/libcrypto/util/mkdef.pl | 25 +- src/lib/libcrypto/util/pl/BC-32.pl | 4 +- src/lib/libcrypto/util/pl/Mingw32.pl | 34 +- src/lib/libcrypto/util/pl/VC-32.pl | 2 +- src/lib/libcrypto/util/pl/VC-CE.pl | 111 +++ src/lib/libcrypto/util/ssleay.num | 2 +- src/lib/libcrypto/x509v3/v3conf.c | 2 +- src/lib/libssl/src/CHANGES | 354 ++++++- src/lib/libssl/src/Configure | 199 ++-- src/lib/libssl/src/FAQ | 107 +- src/lib/libssl/src/INSTALL | 42 +- src/lib/libssl/src/INSTALL.DJGPP | 14 +- src/lib/libssl/src/INSTALL.W32 | 130 +-- src/lib/libssl/src/INSTALL.WCE | 71 ++ src/lib/libssl/src/LICENSE | 2 +- .../libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp | 4 +- src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h | 2 +- src/lib/libssl/src/Makefile.org | 218 +++- src/lib/libssl/src/NEWS | 58 ++ src/lib/libssl/src/PROBLEMS | 83 ++ src/lib/libssl/src/README | 4 +- src/lib/libssl/src/apps/CA.pl | 2 +- src/lib/libssl/src/apps/apps.c | 104 +- src/lib/libssl/src/apps/apps.h | 78 +- src/lib/libssl/src/apps/asn1pars.c | 2 +- src/lib/libssl/src/apps/ca.c | 140 ++- src/lib/libssl/src/apps/ciphers.c | 4 +- src/lib/libssl/src/apps/crl.c | 3 +- src/lib/libssl/src/apps/crl2p7.c | 2 +- src/lib/libssl/src/apps/dgst.c | 14 +- src/lib/libssl/src/apps/dh.c | 17 +- src/lib/libssl/src/apps/dhparam.c | 15 +- src/lib/libssl/src/apps/dsa.c | 17 +- src/lib/libssl/src/apps/dsaparam.c | 12 +- src/lib/libssl/src/apps/enc.c | 32 +- src/lib/libssl/src/apps/engine.c | 11 +- src/lib/libssl/src/apps/errstr.c | 2 +- src/lib/libssl/src/apps/gendh.c | 12 +- src/lib/libssl/src/apps/gendsa.c | 12 +- src/lib/libssl/src/apps/genrsa.c | 12 +- src/lib/libssl/src/apps/makeapps.com | 294 +----- src/lib/libssl/src/apps/nseq.c | 4 +- src/lib/libssl/src/apps/ocsp.c | 35 +- src/lib/libssl/src/apps/openssl.c | 32 +- src/lib/libssl/src/apps/passwd.c | 5 +- src/lib/libssl/src/apps/pkcs12.c | 16 +- src/lib/libssl/src/apps/pkcs7.c | 12 +- src/lib/libssl/src/apps/pkcs8.c | 14 +- src/lib/libssl/src/apps/progs.h | 6 + src/lib/libssl/src/apps/rand.c | 12 +- src/lib/libssl/src/apps/req.c | 57 +- src/lib/libssl/src/apps/rsa.c | 10 +- src/lib/libssl/src/apps/rsautl.c | 8 + src/lib/libssl/src/apps/s_cb.c | 4 +- src/lib/libssl/src/apps/s_client.c | 46 +- src/lib/libssl/src/apps/s_server.c | 32 +- src/lib/libssl/src/apps/s_socket.c | 39 +- src/lib/libssl/src/apps/s_time.c | 21 +- src/lib/libssl/src/apps/sess_id.c | 2 +- src/lib/libssl/src/apps/smime.c | 8 + src/lib/libssl/src/apps/speed.c | 19 +- src/lib/libssl/src/apps/spkac.c | 10 +- src/lib/libssl/src/apps/verify.c | 17 +- src/lib/libssl/src/apps/version.c | 2 +- src/lib/libssl/src/apps/winrand.c | 1 - src/lib/libssl/src/apps/x509.c | 27 +- src/lib/libssl/src/config | 87 +- src/lib/libssl/src/crypto/aes/aes.h | 9 +- src/lib/libssl/src/crypto/aes/aes_cbc.c | 58 +- src/lib/libssl/src/crypto/aes/aes_cfb.c | 6 + src/lib/libssl/src/crypto/aes/aes_core.c | 12 +- src/lib/libssl/src/crypto/aes/aes_ctr.c | 21 +- src/lib/libssl/src/crypto/aes/aes_ecb.c | 6 + src/lib/libssl/src/crypto/aes/aes_locl.h | 2 +- src/lib/libssl/src/crypto/aes/aes_ofb.c | 6 + src/lib/libssl/src/crypto/asn1/a_bitstr.c | 4 +- src/lib/libssl/src/crypto/asn1/a_bytes.c | 2 +- src/lib/libssl/src/crypto/asn1/a_d2i_fp.c | 24 +- src/lib/libssl/src/crypto/asn1/a_object.c | 4 +- src/lib/libssl/src/crypto/asn1/a_sign.c | 8 +- src/lib/libssl/src/crypto/asn1/a_strex.c | 14 +- src/lib/libssl/src/crypto/asn1/a_strnid.c | 35 + src/lib/libssl/src/crypto/asn1/a_time.c | 5 +- src/lib/libssl/src/crypto/asn1/a_type.c | 2 +- src/lib/libssl/src/crypto/asn1/a_verify.c | 4 +- src/lib/libssl/src/crypto/asn1/asn1.h | 5 +- src/lib/libssl/src/crypto/asn1/asn1_err.c | 4 +- src/lib/libssl/src/crypto/asn1/asn1_par.c | 7 +- src/lib/libssl/src/crypto/asn1/f_int.c | 3 +- src/lib/libssl/src/crypto/asn1/n_pkey.c | 6 +- src/lib/libssl/src/crypto/asn1/p8_pkey.c | 4 +- src/lib/libssl/src/crypto/asn1/t_crl.c | 7 +- src/lib/libssl/src/crypto/asn1/t_pkey.c | 32 +- src/lib/libssl/src/crypto/asn1/t_req.c | 18 +- src/lib/libssl/src/crypto/asn1/t_x509.c | 9 +- src/lib/libssl/src/crypto/asn1/t_x509a.c | 4 +- src/lib/libssl/src/crypto/asn1/tasn_dec.c | 4 +- src/lib/libssl/src/crypto/asn1/tasn_fre.c | 5 +- src/lib/libssl/src/crypto/asn1/tasn_new.c | 5 +- src/lib/libssl/src/crypto/asn1/tasn_prn.c | 2 +- src/lib/libssl/src/crypto/bf/bftest.c | 10 +- src/lib/libssl/src/crypto/bio/b_print.c | 29 +- src/lib/libssl/src/crypto/bio/b_sock.c | 16 +- src/lib/libssl/src/crypto/bio/bf_buff.c | 2 +- src/lib/libssl/src/crypto/bio/bio.h | 7 +- src/lib/libssl/src/crypto/bio/bio_lib.c | 15 +- src/lib/libssl/src/crypto/bio/bss_bio.c | 3 +- src/lib/libssl/src/crypto/bio/bss_conn.c | 4 +- src/lib/libssl/src/crypto/bio/bss_file.c | 2 +- src/lib/libssl/src/crypto/bio/bss_log.c | 13 +- src/lib/libssl/src/crypto/bio/bss_mem.c | 8 +- src/lib/libssl/src/crypto/bio/bss_sock.c | 6 + src/lib/libssl/src/crypto/bn/asm/ia64.S | 235 +++-- src/lib/libssl/src/crypto/bn/asm/pa-risc2.s | 36 +- src/lib/libssl/src/crypto/bn/asm/vms.mar | 254 ++--- src/lib/libssl/src/crypto/bn/asm/x86_64-gcc.c | 575 +++++++++++ src/lib/libssl/src/crypto/bn/bn.h | 2 + src/lib/libssl/src/crypto/bn/bn_div.c | 28 +- src/lib/libssl/src/crypto/bn/bn_lcl.h | 26 +- src/lib/libssl/src/crypto/bn/bn_lib.c | 4 +- src/lib/libssl/src/crypto/bn/bn_mul.c | 529 ++-------- src/lib/libssl/src/crypto/bn/bn_prime.c | 2 +- src/lib/libssl/src/crypto/bn/bn_rand.c | 2 +- src/lib/libssl/src/crypto/bn/bn_word.c | 5 +- src/lib/libssl/src/crypto/bn/bntest.c | 23 +- src/lib/libssl/src/crypto/bn/divtest.c | 6 +- src/lib/libssl/src/crypto/bn/exptest.c | 22 +- src/lib/libssl/src/crypto/buffer/buffer.c | 57 ++ src/lib/libssl/src/crypto/buffer/buffer.h | 9 + src/lib/libssl/src/crypto/cast/casttest.c | 4 +- src/lib/libssl/src/crypto/comp/c_zlib.c | 4 +- src/lib/libssl/src/crypto/conf/conf_def.c | 18 +- src/lib/libssl/src/crypto/conf/conf_mall.c | 4 + src/lib/libssl/src/crypto/conf/conf_sap.c | 4 + src/lib/libssl/src/crypto/cryptlib.c | 40 +- src/lib/libssl/src/crypto/cryptlib.h | 6 +- src/lib/libssl/src/crypto/crypto-lib.com | 344 ++----- src/lib/libssl/src/crypto/crypto.h | 65 +- src/lib/libssl/src/crypto/des/FILES0 | 96 ++ src/lib/libssl/src/crypto/des/asm/crypt586.pl | 46 +- src/lib/libssl/src/crypto/des/asm/des-586.pl | 50 +- src/lib/libssl/src/crypto/des/cbc_cksm.c | 9 + src/lib/libssl/src/crypto/des/des.c | 32 +- src/lib/libssl/src/crypto/des/des.h | 4 +- src/lib/libssl/src/crypto/des/des_locl.h | 13 +- src/lib/libssl/src/crypto/des/des_old.h | 10 +- src/lib/libssl/src/crypto/des/destest.c | 6 +- src/lib/libssl/src/crypto/des/read2pwd.c | 8 +- src/lib/libssl/src/crypto/des/read_pwd.c | 44 +- src/lib/libssl/src/crypto/des/str2key.c | 4 +- src/lib/libssl/src/crypto/dh/dh_key.c | 1 - src/lib/libssl/src/crypto/dh/dh_lib.c | 10 + src/lib/libssl/src/crypto/dh/dhtest.c | 14 +- src/lib/libssl/src/crypto/dsa/dsa_lib.c | 15 +- src/lib/libssl/src/crypto/dsa/dsa_ossl.c | 14 +- src/lib/libssl/src/crypto/dsa/dsa_sign.c | 1 - src/lib/libssl/src/crypto/dsa/dsa_vrf.c | 1 - src/lib/libssl/src/crypto/dsa/dsagen.c | 2 +- src/lib/libssl/src/crypto/dsa/dsatest.c | 17 +- src/lib/libssl/src/crypto/dso/dso_dl.c | 2 +- src/lib/libssl/src/crypto/dso/dso_win32.c | 2 +- src/lib/libssl/src/crypto/ec/ec.h | 2 - src/lib/libssl/src/crypto/ec/ec_err.c | 2 - src/lib/libssl/src/crypto/ec/ec_lib.c | 8 +- src/lib/libssl/src/crypto/ec/ec_mult.c | 11 + src/lib/libssl/src/crypto/ec/ectest.c | 11 +- src/lib/libssl/src/crypto/engine/eng_all.c | 15 +- src/lib/libssl/src/crypto/engine/eng_err.c | 3 +- src/lib/libssl/src/crypto/engine/eng_fat.c | 8 +- src/lib/libssl/src/crypto/engine/eng_init.c | 2 +- src/lib/libssl/src/crypto/engine/eng_list.c | 33 +- src/lib/libssl/src/crypto/engine/eng_openssl.c | 18 +- src/lib/libssl/src/crypto/engine/engine.h | 10 +- src/lib/libssl/src/crypto/engine/enginetest.c | 11 +- src/lib/libssl/src/crypto/engine/hw_4758_cca.c | 6 +- src/lib/libssl/src/crypto/engine/hw_atalla.c | 2 + src/lib/libssl/src/crypto/engine/hw_cryptodev.c | 540 ++++++---- src/lib/libssl/src/crypto/engine/hw_cswift.c | 73 ++ src/lib/libssl/src/crypto/engine/hw_ncipher.c | 68 +- src/lib/libssl/src/crypto/engine/hw_ncipher_err.c | 3 +- src/lib/libssl/src/crypto/engine/hw_ncipher_err.h | 1 + src/lib/libssl/src/crypto/engine/hw_nuron.c | 2 + src/lib/libssl/src/crypto/engine/hw_sureware.c | 1039 ++++++++++++++++++++ src/lib/libssl/src/crypto/engine/hw_ubsec.c | 2 + src/lib/libssl/src/crypto/engine/tb_cipher.c | 4 +- src/lib/libssl/src/crypto/engine/tb_dh.c | 4 +- src/lib/libssl/src/crypto/engine/tb_digest.c | 4 +- src/lib/libssl/src/crypto/engine/tb_dsa.c | 4 +- src/lib/libssl/src/crypto/engine/tb_rand.c | 4 +- src/lib/libssl/src/crypto/engine/tb_rsa.c | 4 +- .../src/crypto/engine/vendor_defns/hw_ubsec.h | 100 ++ .../src/crypto/engine/vendor_defns/hwcryptohook.h | 486 +++++++++ .../src/crypto/engine/vendor_defns/sureware.h | 239 +++++ src/lib/libssl/src/crypto/err/err.c | 2 + src/lib/libssl/src/crypto/err/err_all.c | 4 + src/lib/libssl/src/crypto/err/err_prn.c | 1 - src/lib/libssl/src/crypto/evp/bio_b64.c | 1 + src/lib/libssl/src/crypto/evp/bio_enc.c | 9 +- src/lib/libssl/src/crypto/evp/bio_ok.c | 2 +- src/lib/libssl/src/crypto/evp/c_all.c | 5 + src/lib/libssl/src/crypto/evp/digest.c | 17 +- src/lib/libssl/src/crypto/evp/e_aes.c | 1 - src/lib/libssl/src/crypto/evp/e_idea.c | 2 +- src/lib/libssl/src/crypto/evp/e_rc2.c | 1 + src/lib/libssl/src/crypto/evp/e_rc4.c | 5 +- src/lib/libssl/src/crypto/evp/encode.c | 2 + src/lib/libssl/src/crypto/evp/evp_acnf.c | 1 - src/lib/libssl/src/crypto/evp/evp_enc.c | 30 +- src/lib/libssl/src/crypto/evp/evp_key.c | 6 +- src/lib/libssl/src/crypto/evp/evp_lib.c | 2 + src/lib/libssl/src/crypto/evp/evp_pbe.c | 2 +- src/lib/libssl/src/crypto/evp/evp_test.c | 58 +- src/lib/libssl/src/crypto/evp/p5_crpt.c | 8 +- src/lib/libssl/src/crypto/evp/p5_crpt2.c | 3 +- src/lib/libssl/src/crypto/evp/p_open.c | 2 +- src/lib/libssl/src/crypto/hmac/hmac.c | 3 + src/lib/libssl/src/crypto/hmac/hmactest.c | 21 +- src/lib/libssl/src/crypto/idea/version | 12 + src/lib/libssl/src/crypto/lhash/lh_stats.c | 86 +- src/lib/libssl/src/crypto/md2/md2_dgst.c | 9 +- src/lib/libssl/src/crypto/md2/md2_one.c | 2 +- src/lib/libssl/src/crypto/md2/md2test.c | 5 +- src/lib/libssl/src/crypto/md32_common.h | 38 +- src/lib/libssl/src/crypto/md4/md4.c | 4 +- src/lib/libssl/src/crypto/md4/md4_dgst.c | 36 +- src/lib/libssl/src/crypto/md4/md4_one.c | 3 +- src/lib/libssl/src/crypto/md4/md4test.c | 4 +- src/lib/libssl/src/crypto/md5/md5.c | 2 +- src/lib/libssl/src/crypto/md5/md5.h | 4 +- src/lib/libssl/src/crypto/md5/md5_dgst.c | 36 +- src/lib/libssl/src/crypto/md5/md5_locl.h | 2 +- src/lib/libssl/src/crypto/md5/md5_one.c | 3 +- src/lib/libssl/src/crypto/md5/md5test.c | 4 +- src/lib/libssl/src/crypto/mdc2/mdc2test.c | 146 +++ src/lib/libssl/src/crypto/mem.c | 47 +- src/lib/libssl/src/crypto/mem_clr.c | 75 ++ src/lib/libssl/src/crypto/mem_dbg.c | 24 +- src/lib/libssl/src/crypto/o_time.c | 3 + src/lib/libssl/src/crypto/objects/obj_dat.c | 7 +- src/lib/libssl/src/crypto/objects/obj_dat.h | 29 +- src/lib/libssl/src/crypto/objects/obj_mac.h | 12 +- src/lib/libssl/src/crypto/objects/obj_mac.num | 2 + src/lib/libssl/src/crypto/objects/objects.txt | 6 +- src/lib/libssl/src/crypto/ocsp/ocsp_asn.c | 2 +- src/lib/libssl/src/crypto/ocsp/ocsp_ht.c | 19 +- src/lib/libssl/src/crypto/opensslconf.h | 2 +- src/lib/libssl/src/crypto/opensslconf.h.in | 2 +- src/lib/libssl/src/crypto/opensslv.h | 4 +- src/lib/libssl/src/crypto/ossl_typ.h | 2 + src/lib/libssl/src/crypto/pem/pem.h | 8 +- src/lib/libssl/src/crypto/pem/pem_info.c | 5 +- src/lib/libssl/src/crypto/pem/pem_lib.c | 26 +- src/lib/libssl/src/crypto/pem/pem_pk8.c | 2 +- src/lib/libssl/src/crypto/pem/pem_seal.c | 2 +- src/lib/libssl/src/crypto/perlasm/cbc.pl | 41 +- src/lib/libssl/src/crypto/perlasm/x86asm.pl | 9 +- src/lib/libssl/src/crypto/perlasm/x86ms.pl | 15 +- src/lib/libssl/src/crypto/perlasm/x86nasm.pl | 15 +- src/lib/libssl/src/crypto/perlasm/x86unix.pl | 53 +- src/lib/libssl/src/crypto/pkcs12/p12_crpt.c | 4 +- src/lib/libssl/src/crypto/pkcs12/p12_decr.c | 4 +- src/lib/libssl/src/crypto/pkcs12/p12_key.c | 2 +- src/lib/libssl/src/crypto/pkcs12/p12_npas.c | 2 +- src/lib/libssl/src/crypto/pkcs7/bio_ber.c | 2 +- src/lib/libssl/src/crypto/pkcs7/pk7_doit.c | 6 +- src/lib/libssl/src/crypto/rand/md_rand.c | 4 +- src/lib/libssl/src/crypto/rand/rand.h | 2 + src/lib/libssl/src/crypto/rand/rand_egd.c | 6 +- src/lib/libssl/src/crypto/rand/rand_lib.c | 10 + src/lib/libssl/src/crypto/rand/rand_unix.c | 11 +- src/lib/libssl/src/crypto/rand/rand_win.c | 84 +- src/lib/libssl/src/crypto/rand/randfile.c | 9 +- src/lib/libssl/src/crypto/rand/randtest.c | 4 +- src/lib/libssl/src/crypto/rc2/rc2test.c | 4 +- src/lib/libssl/src/crypto/rc4/rc4.c | 4 +- src/lib/libssl/src/crypto/rc4/rc4test.c | 4 +- src/lib/libssl/src/crypto/rc5/rc5s.cpp | 70 ++ src/lib/libssl/src/crypto/ripemd/rmd160.c | 2 +- src/lib/libssl/src/crypto/ripemd/rmd_dgst.c | 12 +- src/lib/libssl/src/crypto/ripemd/rmd_one.c | 3 +- src/lib/libssl/src/crypto/ripemd/rmdtest.c | 4 +- src/lib/libssl/src/crypto/rsa/rsa.h | 9 + src/lib/libssl/src/crypto/rsa/rsa_eay.c | 150 ++- src/lib/libssl/src/crypto/rsa/rsa_lib.c | 43 +- src/lib/libssl/src/crypto/rsa/rsa_pk1.c | 2 +- src/lib/libssl/src/crypto/rsa/rsa_saos.c | 6 +- src/lib/libssl/src/crypto/rsa/rsa_sign.c | 25 +- src/lib/libssl/src/crypto/rsa/rsa_test.c | 1 - src/lib/libssl/src/crypto/sha/sha1_one.c | 3 +- src/lib/libssl/src/crypto/sha/sha1test.c | 4 +- src/lib/libssl/src/crypto/sha/sha_locl.h | 12 +- src/lib/libssl/src/crypto/sha/sha_one.c | 3 +- src/lib/libssl/src/crypto/sha/shatest.c | 4 +- src/lib/libssl/src/crypto/threads/mttest.c | 5 - src/lib/libssl/src/crypto/tmdiff.c | 32 +- src/lib/libssl/src/crypto/txt_db/txt_db.c | 4 +- src/lib/libssl/src/crypto/ui/ui_lib.c | 10 +- src/lib/libssl/src/crypto/ui/ui_openssl.c | 28 +- src/lib/libssl/src/crypto/ui/ui_util.c | 8 +- src/lib/libssl/src/crypto/uid.c | 2 +- src/lib/libssl/src/crypto/x509/by_file.c | 20 +- src/lib/libssl/src/crypto/x509/x509.h | 3 +- src/lib/libssl/src/crypto/x509/x509_cmp.c | 119 ++- src/lib/libssl/src/crypto/x509/x509_v3.c | 2 +- src/lib/libssl/src/crypto/x509/x509_vfy.c | 2 +- src/lib/libssl/src/crypto/x509v3/ext_dat.h | 6 + src/lib/libssl/src/crypto/x509v3/v3_info.c | 2 +- src/lib/libssl/src/crypto/x509v3/v3_ocsp.c | 3 + src/lib/libssl/src/crypto/x509v3/v3_prn.c | 2 +- src/lib/libssl/src/crypto/x509v3/v3_purp.c | 4 + src/lib/libssl/src/crypto/x509v3/v3_utl.c | 2 +- src/lib/libssl/src/crypto/x509v3/v3conf.c | 2 +- src/lib/libssl/src/crypto/x509v3/x509v3.h | 1 + src/lib/libssl/src/demos/b64.c | 2 - src/lib/libssl/src/demos/bio/saccept.c | 5 + src/lib/libssl/src/demos/bio/sconnect.c | 5 + .../demos/engines/cluster_labs/hw_cluster_labs.c | 7 +- src/lib/libssl/src/demos/engines/ibmca/hw_ibmca.c | 3 + src/lib/libssl/src/demos/engines/rsaref/Makefile | 16 + src/lib/libssl/src/demos/engines/rsaref/rsaref.c | 47 +- .../libssl/src/demos/engines/zencod/hw_zencod.c | 5 +- src/lib/libssl/src/demos/spkigen.c | 3 +- src/lib/libssl/src/demos/x509/mkcert.c | 6 +- src/lib/libssl/src/demos/x509/mkreq.c | 4 + src/lib/libssl/src/doc/HOWTO/certificates.txt | 53 +- src/lib/libssl/src/doc/HOWTO/keys.txt | 73 ++ src/lib/libssl/src/doc/apps/ca.pod | 66 +- src/lib/libssl/src/doc/apps/ciphers.pod | 26 +- src/lib/libssl/src/doc/apps/dhparam.pod | 8 + src/lib/libssl/src/doc/apps/dsa.pod | 8 + src/lib/libssl/src/doc/apps/dsaparam.pod | 8 + src/lib/libssl/src/doc/apps/gendsa.pod | 8 + src/lib/libssl/src/doc/apps/genrsa.pod | 8 + src/lib/libssl/src/doc/apps/ocsp.pod | 37 +- src/lib/libssl/src/doc/apps/passwd.pod | 2 +- src/lib/libssl/src/doc/apps/pkcs7.pod | 8 + src/lib/libssl/src/doc/apps/pkcs8.pod | 8 + src/lib/libssl/src/doc/apps/req.pod | 18 +- src/lib/libssl/src/doc/apps/rsa.pod | 8 + src/lib/libssl/src/doc/apps/s_client.pod | 7 + src/lib/libssl/src/doc/apps/s_server.pod | 8 + src/lib/libssl/src/doc/apps/smime.pod | 4 +- src/lib/libssl/src/doc/apps/speed.pod | 2 + src/lib/libssl/src/doc/apps/spkac.pod | 8 +- src/lib/libssl/src/doc/apps/x509.pod | 40 +- src/lib/libssl/src/doc/c-indentation.el | 10 +- src/lib/libssl/src/doc/crypto/ASN1_OBJECT_new.pod | 43 + .../libssl/src/doc/crypto/ASN1_STRING_length.pod | 81 ++ src/lib/libssl/src/doc/crypto/ASN1_STRING_new.pod | 44 + .../libssl/src/doc/crypto/ASN1_STRING_print_ex.pod | 96 ++ src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod | 2 +- src/lib/libssl/src/doc/crypto/BIO_s_accept.pod | 2 +- src/lib/libssl/src/doc/crypto/BIO_s_bio.pod | 56 +- src/lib/libssl/src/doc/crypto/BN_CTX_new.pod | 2 +- src/lib/libssl/src/doc/crypto/BN_add.pod | 2 +- src/lib/libssl/src/doc/crypto/BN_add_word.pod | 2 +- src/lib/libssl/src/doc/crypto/BN_bn2bin.pod | 2 +- src/lib/libssl/src/doc/crypto/BN_copy.pod | 2 +- .../libssl/src/doc/crypto/BN_generate_prime.pod | 4 +- src/lib/libssl/src/doc/crypto/BN_mod_inverse.pod | 2 +- .../src/doc/crypto/BN_mod_mul_montgomery.pod | 2 +- .../src/doc/crypto/BN_mod_mul_reciprocal.pod | 2 +- src/lib/libssl/src/doc/crypto/BN_new.pod | 2 +- src/lib/libssl/src/doc/crypto/BN_rand.pod | 2 +- src/lib/libssl/src/doc/crypto/DH_generate_key.pod | 2 +- .../src/doc/crypto/DH_generate_parameters.pod | 3 +- src/lib/libssl/src/doc/crypto/DH_new.pod | 2 +- src/lib/libssl/src/doc/crypto/DSA_SIG_new.pod | 3 +- src/lib/libssl/src/doc/crypto/DSA_do_sign.pod | 2 +- src/lib/libssl/src/doc/crypto/DSA_dup_DH.pod | 2 +- src/lib/libssl/src/doc/crypto/DSA_generate_key.pod | 3 +- .../src/doc/crypto/DSA_generate_parameters.pod | 2 +- src/lib/libssl/src/doc/crypto/DSA_new.pod | 2 +- src/lib/libssl/src/doc/crypto/DSA_sign.pod | 2 +- src/lib/libssl/src/doc/crypto/ERR_get_error.pod | 2 +- src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod | 2 +- src/lib/libssl/src/doc/crypto/EVP_PKEY_new.pod | 47 + .../libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod | 80 ++ src/lib/libssl/src/doc/crypto/EVP_SealInit.pod | 26 +- src/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod | 149 +++ src/lib/libssl/src/doc/crypto/PKCS12_create.pod | 57 ++ src/lib/libssl/src/doc/crypto/PKCS12_parse.pod | 50 + src/lib/libssl/src/doc/crypto/PKCS7_decrypt.pod | 53 + src/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod | 65 ++ src/lib/libssl/src/doc/crypto/PKCS7_sign.pod | 85 ++ src/lib/libssl/src/doc/crypto/PKCS7_verify.pod | 116 +++ src/lib/libssl/src/doc/crypto/RAND_bytes.pod | 3 +- src/lib/libssl/src/doc/crypto/RSA_check_key.pod | 2 +- src/lib/libssl/src/doc/crypto/RSA_generate_key.pod | 3 +- src/lib/libssl/src/doc/crypto/RSA_new.pod | 3 +- src/lib/libssl/src/doc/crypto/RSA_print.pod | 6 +- .../libssl/src/doc/crypto/RSA_private_encrypt.pod | 3 +- .../libssl/src/doc/crypto/RSA_public_encrypt.pod | 3 +- src/lib/libssl/src/doc/crypto/RSA_set_method.pod | 13 +- src/lib/libssl/src/doc/crypto/RSA_sign.pod | 4 +- .../src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod | 4 +- src/lib/libssl/src/doc/crypto/SMIME_read_PKCS7.pod | 71 ++ .../libssl/src/doc/crypto/SMIME_write_PKCS7.pod | 59 ++ .../src/doc/crypto/X509_NAME_ENTRY_get_object.pod | 72 ++ .../src/doc/crypto/X509_NAME_add_entry_by_txt.pod | 110 +++ .../src/doc/crypto/X509_NAME_get_index_by_NID.pod | 106 ++ .../libssl/src/doc/crypto/X509_NAME_print_ex.pod | 105 ++ src/lib/libssl/src/doc/crypto/X509_new.pod | 37 + src/lib/libssl/src/doc/crypto/crypto.pod | 16 + src/lib/libssl/src/doc/crypto/d2i_ASN1_OBJECT.pod | 29 + src/lib/libssl/src/doc/crypto/d2i_DHparams.pod | 14 +- src/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod | 82 ++ .../libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod | 56 ++ src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod | 39 +- src/lib/libssl/src/doc/crypto/d2i_X509.pod | 231 +++++ src/lib/libssl/src/doc/crypto/d2i_X509_ALGOR.pod | 30 + src/lib/libssl/src/doc/crypto/d2i_X509_CRL.pod | 37 + src/lib/libssl/src/doc/crypto/d2i_X509_NAME.pod | 31 + src/lib/libssl/src/doc/crypto/d2i_X509_REQ.pod | 36 + src/lib/libssl/src/doc/crypto/d2i_X509_SIG.pod | 30 + src/lib/libssl/src/doc/crypto/engine.pod | 12 +- src/lib/libssl/src/doc/openssl-shared.txt | 32 + src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod | 8 + src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod | 12 +- .../libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod | 12 +- src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod | 2 +- .../src/doc/ssl/SSL_CTX_set_session_cache_mode.pod | 53 +- src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod | 2 +- src/lib/libssl/src/doc/ssl/ssl.pod | 2 +- src/lib/libssl/src/doc/standards.txt | 173 +++- src/lib/libssl/src/e_os.h | 91 +- src/lib/libssl/src/e_os2.h | 18 +- src/lib/libssl/src/makevms.com | 124 +-- src/lib/libssl/src/ms/do_ms.bat | 2 + src/lib/libssl/src/ms/mingw32.bat | 11 +- src/lib/libssl/src/ms/mw.bat | 5 - src/lib/libssl/src/ms/tencce.bat | 19 + src/lib/libssl/src/ms/test.bat | 4 + src/lib/libssl/src/ms/testce.bat | 234 +++++ src/lib/libssl/src/ms/testce2.bat | 2 + src/lib/libssl/src/ms/testenc.bat | 4 +- src/lib/libssl/src/ms/testencce.bat | 97 ++ src/lib/libssl/src/ms/testpem.bat | 2 +- src/lib/libssl/src/ms/testpemce.bat | 42 + src/lib/libssl/src/ms/testss.bat | 2 +- src/lib/libssl/src/ms/testssce.bat | 104 ++ src/lib/libssl/src/ms/tpemce.bat | 8 + src/lib/libssl/src/openssl.spec | 6 +- src/lib/libssl/src/shlib/sco5-shared-gcc.sh | 48 + src/lib/libssl/src/shlib/sco5-shared-installed | 28 + src/lib/libssl/src/shlib/sco5-shared.sh | 48 + src/lib/libssl/src/shlib/svr5-shared-gcc.sh | 2 +- src/lib/libssl/src/shlib/svr5-shared-installed | 3 +- src/lib/libssl/src/shlib/svr5-shared.sh | 2 +- src/lib/libssl/src/ssl/bio_ssl.c | 6 + src/lib/libssl/src/ssl/kssl.c | 83 +- src/lib/libssl/src/ssl/s23_clnt.c | 24 +- src/lib/libssl/src/ssl/s23_meth.c | 19 +- src/lib/libssl/src/ssl/s23_srvr.c | 19 +- src/lib/libssl/src/ssl/s2_clnt.c | 34 +- src/lib/libssl/src/ssl/s2_enc.c | 3 + src/lib/libssl/src/ssl/s2_lib.c | 25 +- src/lib/libssl/src/ssl/s2_meth.c | 19 +- src/lib/libssl/src/ssl/s2_pkt.c | 2 + src/lib/libssl/src/ssl/s2_srvr.c | 21 +- src/lib/libssl/src/ssl/s3_both.c | 25 +- src/lib/libssl/src/ssl/s3_clnt.c | 73 +- src/lib/libssl/src/ssl/s3_enc.c | 14 +- src/lib/libssl/src/ssl/s3_lib.c | 193 +++- src/lib/libssl/src/ssl/s3_meth.c | 19 +- src/lib/libssl/src/ssl/s3_pkt.c | 47 +- src/lib/libssl/src/ssl/s3_srvr.c | 53 +- src/lib/libssl/src/ssl/ssl-lib.com | 280 +----- src/lib/libssl/src/ssl/ssl.h | 30 +- src/lib/libssl/src/ssl/ssl3.h | 48 +- src/lib/libssl/src/ssl/ssl_asn1.c | 11 +- src/lib/libssl/src/ssl/ssl_cert.c | 30 +- src/lib/libssl/src/ssl/ssl_ciph.c | 14 +- src/lib/libssl/src/ssl/ssl_err.c | 1 + src/lib/libssl/src/ssl/ssl_lib.c | 45 +- src/lib/libssl/src/ssl/ssl_sess.c | 17 +- src/lib/libssl/src/ssl/ssl_task.c | 2 +- src/lib/libssl/src/ssl/ssltest.c | 52 +- src/lib/libssl/src/ssl/t1_clnt.c | 17 +- src/lib/libssl/src/ssl/t1_enc.c | 20 +- src/lib/libssl/src/ssl/t1_meth.c | 20 +- src/lib/libssl/src/ssl/t1_srvr.c | 17 +- src/lib/libssl/src/test/evptests.txt | 183 ++++ src/lib/libssl/src/test/maketests.com | 262 +---- src/lib/libssl/src/test/methtest.c | 4 +- src/lib/libssl/src/test/testgen | 2 + src/lib/libssl/src/test/testssl | 16 +- src/lib/libssl/src/test/testssl.com | 32 +- src/lib/libssl/src/tools/c_rehash | 8 +- src/lib/libssl/src/tools/c_rehash.in | 6 +- src/lib/libssl/src/util/bat.sh | 2 + src/lib/libssl/src/util/cygwin.sh | 2 + src/lib/libssl/src/util/domd | 7 +- src/lib/libssl/src/util/extract-names.pl | 22 + src/lib/libssl/src/util/libeay.num | 226 +++-- src/lib/libssl/src/util/mk1mf.pl | 33 +- src/lib/libssl/src/util/mkcerts.sh | 6 +- src/lib/libssl/src/util/mkdef.pl | 25 +- src/lib/libssl/src/util/mkerr.pl | 16 +- src/lib/libssl/src/util/pl/BC-32.pl | 4 +- src/lib/libssl/src/util/pl/Mingw32.pl | 34 +- src/lib/libssl/src/util/pl/VC-32.pl | 2 +- src/lib/libssl/src/util/pl/VC-CE.pl | 111 +++ src/lib/libssl/src/util/ssleay.num | 2 +- src/lib/libssl/test/evptests.txt | 183 ++++ src/lib/libssl/test/maketests.com | 262 +---- src/lib/libssl/test/testssl.com | 32 +- 587 files changed, 16510 insertions(+), 5223 deletions(-) create mode 100644 src/lib/libcrypto/des/FILES0 create mode 100644 src/lib/libcrypto/engine/hw_sureware.c create mode 100644 src/lib/libcrypto/engine/vendor_defns/hw_ubsec.h create mode 100644 src/lib/libcrypto/engine/vendor_defns/hwcryptohook.h create mode 100644 src/lib/libcrypto/engine/vendor_defns/sureware.h create mode 100644 src/lib/libcrypto/idea/version create mode 100644 src/lib/libcrypto/mdc2/mdc2test.c create mode 100644 src/lib/libcrypto/rc5/rc5s.cpp create mode 100644 src/lib/libcrypto/util/extract-names.pl create mode 100644 src/lib/libcrypto/util/pl/VC-CE.pl create mode 100644 src/lib/libssl/src/INSTALL.WCE create mode 100644 src/lib/libssl/src/crypto/bn/asm/x86_64-gcc.c create mode 100644 src/lib/libssl/src/crypto/des/FILES0 create mode 100644 src/lib/libssl/src/crypto/engine/hw_sureware.c create mode 100644 src/lib/libssl/src/crypto/engine/vendor_defns/hw_ubsec.h create mode 100644 src/lib/libssl/src/crypto/engine/vendor_defns/hwcryptohook.h create mode 100644 src/lib/libssl/src/crypto/engine/vendor_defns/sureware.h create mode 100644 src/lib/libssl/src/crypto/idea/version create mode 100644 src/lib/libssl/src/crypto/mdc2/mdc2test.c create mode 100644 src/lib/libssl/src/crypto/mem_clr.c create mode 100644 src/lib/libssl/src/crypto/rc5/rc5s.cpp create mode 100644 src/lib/libssl/src/doc/HOWTO/keys.txt create mode 100644 src/lib/libssl/src/doc/crypto/ASN1_OBJECT_new.pod create mode 100644 src/lib/libssl/src/doc/crypto/ASN1_STRING_length.pod create mode 100644 src/lib/libssl/src/doc/crypto/ASN1_STRING_new.pod create mode 100644 src/lib/libssl/src/doc/crypto/ASN1_STRING_print_ex.pod create mode 100644 src/lib/libssl/src/doc/crypto/EVP_PKEY_new.pod create mode 100644 src/lib/libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod create mode 100644 src/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod create mode 100644 src/lib/libssl/src/doc/crypto/PKCS12_create.pod create mode 100644 src/lib/libssl/src/doc/crypto/PKCS12_parse.pod create mode 100644 src/lib/libssl/src/doc/crypto/PKCS7_decrypt.pod create mode 100644 src/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod create mode 100644 src/lib/libssl/src/doc/crypto/PKCS7_sign.pod create mode 100644 src/lib/libssl/src/doc/crypto/PKCS7_verify.pod create mode 100644 src/lib/libssl/src/doc/crypto/SMIME_read_PKCS7.pod create mode 100644 src/lib/libssl/src/doc/crypto/SMIME_write_PKCS7.pod create mode 100644 src/lib/libssl/src/doc/crypto/X509_NAME_ENTRY_get_object.pod create mode 100644 src/lib/libssl/src/doc/crypto/X509_NAME_add_entry_by_txt.pod create mode 100644 src/lib/libssl/src/doc/crypto/X509_NAME_get_index_by_NID.pod create mode 100644 src/lib/libssl/src/doc/crypto/X509_NAME_print_ex.pod create mode 100644 src/lib/libssl/src/doc/crypto/X509_new.pod create mode 100644 src/lib/libssl/src/doc/crypto/d2i_ASN1_OBJECT.pod create mode 100644 src/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod create mode 100644 src/lib/libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod create mode 100644 src/lib/libssl/src/doc/crypto/d2i_X509.pod create mode 100644 src/lib/libssl/src/doc/crypto/d2i_X509_ALGOR.pod create mode 100644 src/lib/libssl/src/doc/crypto/d2i_X509_CRL.pod create mode 100644 src/lib/libssl/src/doc/crypto/d2i_X509_NAME.pod create mode 100644 src/lib/libssl/src/doc/crypto/d2i_X509_REQ.pod create mode 100644 src/lib/libssl/src/doc/crypto/d2i_X509_SIG.pod create mode 100644 src/lib/libssl/src/doc/openssl-shared.txt create mode 100644 src/lib/libssl/src/ms/tencce.bat create mode 100644 src/lib/libssl/src/ms/testce.bat create mode 100644 src/lib/libssl/src/ms/testce2.bat create mode 100644 src/lib/libssl/src/ms/testencce.bat create mode 100644 src/lib/libssl/src/ms/testpemce.bat create mode 100644 src/lib/libssl/src/ms/testssce.bat create mode 100644 src/lib/libssl/src/ms/tpemce.bat create mode 100644 src/lib/libssl/src/shlib/sco5-shared-gcc.sh create mode 100644 src/lib/libssl/src/shlib/sco5-shared-installed create mode 100644 src/lib/libssl/src/shlib/sco5-shared.sh create mode 100644 src/lib/libssl/src/test/evptests.txt create mode 100644 src/lib/libssl/src/util/extract-names.pl create mode 100644 src/lib/libssl/src/util/pl/VC-CE.pl create mode 100644 src/lib/libssl/test/evptests.txt (limited to 'src/lib') diff --git a/src/lib/libcrypto/bf/bftest.c b/src/lib/libcrypto/bf/bftest.c index 09895f2542..24d526b14b 100644 --- a/src/lib/libcrypto/bf/bftest.c +++ b/src/lib/libcrypto/bf/bftest.c @@ -63,6 +63,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_BF int main(int argc, char *argv[]) { @@ -275,7 +277,7 @@ int main(int argc, char *argv[]) else ret=test(); - exit(ret); + EXIT(ret); return(0); } @@ -454,9 +456,9 @@ static int test(void) len=strlen(cbc_data)+1; BF_set_key(&key,16,cbc_key); - memset(cbc_in,0,40); - memset(cbc_out,0,40); - memcpy(iv,cbc_iv,8); + memset(cbc_in,0,sizeof cbc_in); + memset(cbc_out,0,sizeof cbc_out); + memcpy(iv,cbc_iv,sizeof iv); BF_cbc_encrypt((unsigned char *)cbc_data,cbc_out,len, &key,iv,BF_ENCRYPT); if (memcmp(cbc_out,cbc_ok,32) != 0) diff --git a/src/lib/libcrypto/bn/asm/vms.mar b/src/lib/libcrypto/bn/asm/vms.mar index 465f2774b6..aefab15cdb 100644 --- a/src/lib/libcrypto/bn/asm/vms.mar +++ b/src/lib/libcrypto/bn/asm/vms.mar @@ -1,4 +1,4 @@ - .title vax_bn_mul_add_word unsigned multiply & add, 32*32+32+32=>64 + .title vax_bn_mul_add_words unsigned multiply & add, 32*32+32+32=>64 ; ; w.j.m. 15-jan-1999 ; @@ -59,7 +59,7 @@ w=16 ;(AP) w by value (input) movl r6,r0 ; return c ret - .title vax_bn_mul_word unsigned multiply & add, 32*32+32=>64 + .title vax_bn_mul_words unsigned multiply & add, 32*32+32=>64 ; ; w.j.m. 15-jan-1999 ; @@ -172,147 +172,175 @@ n=12 ;(AP) n by value (input) ; } ; ; Using EDIV would be very easy, if it didn't do signed calculations. -; Therefore, som extra things have to happen around it. The way to -; handle that is to shift all operands right one step (basically dividing -; them by 2) and handle the different cases depending on what the lowest -; bit of each operand was. +; Any time any of the input numbers are signed, there are problems, +; usually with integer overflow, at which point it returns useless +; data (the quotient gets the value of l, and the remainder becomes 0). ; -; To start with, let's define the following: +; If it was just for the dividend, it would be very easy, just divide +; it by 2 (unsigned), do the division, multiply the resulting quotient +; and remainder by 2, add the bit that was dropped when dividing by 2 +; to the remainder, and do some adjustment so the remainder doesn't +; end up larger than the divisor. For some cases when the divisor is +; negative (from EDIV's point of view, i.e. when the highest bit is set), +; dividing the dividend by 2 isn't enough, and since some operations +; might generate integer overflows even when the dividend is divided by +; 4 (when the high part of the shifted down dividend ends up being exactly +; half of the divisor, the result is the quotient 0x80000000, which is +; negative...) it needs to be divided by 8. Furthermore, the divisor needs +; to be divided by 2 (unsigned) as well, to avoid more problems with the sign. +; In this case, a little extra fiddling with the remainder is required. ; -; a' = l & 1 -; a2 = >> 1 # UNSIGNED shift! -; b' = d & 1 -; b2 = d >> 1 # UNSIGNED shift! +; So, the simplest way to handle this is always to divide the dividend +; by 8, and to divide the divisor by 2 if it's highest bit is set. +; After EDIV has been used, the quotient gets multiplied by 8 if the +; original divisor was positive, otherwise 4. The remainder, oddly +; enough, is *always* multiplied by 8. +; NOTE: in the case mentioned above, where the high part of the shifted +; down dividend ends up being exactly half the shifted down divisor, we +; end up with a 33 bit quotient. That's no problem however, it usually +; means we have ended up with a too large remainder as well, and the +; problem is fixed by the last part of the algorithm (next paragraph). ; -; Now, use EDIV to calculate a quotient and a remainder: +; The routine ends with comparing the resulting remainder with the +; original divisor and if the remainder is larger, subtract the +; original divisor from it, and increase the quotient by 1. This is +; done until the remainder is smaller than the divisor. ; -; q'' = a2/b2 -; r'' = a2 - q''*b2 +; The complete algorithm looks like this: ; -; If b' is 0, the quotient is already correct, we just need to adjust the -; remainder: +; d' = d +; l' = l & 7 +; [h,l] = [h,l] >> 3 +; [q,r] = floor([h,l] / d) # This is the EDIV operation +; if (q < 0) q = -q # I doubt this is necessary any more ; -; if (b' == 0) -; { -; r = 2*r'' + a' -; q = q'' -; } -; -; If b' is 1, we need to do other adjustements. The first thought is the -; following (note that r' will not always have the right value, but an -; adjustement follows further down): -; -; if (b' == 1) -; { -; q' = q'' -; r' = a - q'*b -; -; However, one can note the folowing relationship: -; -; r'' = a2 - q''*b2 -; => 2*r'' = 2*a2 - 2*q''*b2 -; = { a = 2*a2 + a', b = 2*b2 + b' = 2*b2 + 1, -; q' = q'' } -; = a - a' - q'*(b - 1) -; = a - q'*b - a' + q' -; = r' - a' + q' -; => r' = 2*r'' - q' + a' +; r' = r >> 29 +; if (d' >= 0) +; q' = q >> 29 +; q = q << 3 +; else +; q' = q >> 30 +; q = q << 2 +; r = (r << 3) + l' ; -; This enables us to use r'' instead of discarding and calculating another -; modulo: -; -; if (b' == 1) +; if (d' < 0) ; { -; q' = q'' -; r' = (r'' << 1) - q' + a' -; -; Now, all we have to do is adjust r', because it might be < 0: -; -; while (r' < 0) +; [r',r] = [r',r] - q +; while ([r',r] < 0) ; { -; r' = r' + b -; q' = q' - 1 +; [r',r] = [r',r] + d +; [q',q] = [q',q] - 1 ; } ; } ; -; return q' +; while ([r',r] >= d') +; { +; [r',r] = [r',r] - d' +; [q',q] = [q',q] + 1 +; } +; +; return q h=4 ;(AP) h by value (input) l=8 ;(AP) l by value (input) d=12 ;(AP) d by value (input) -;aprim=r5 -;a2=r6 -;a20=r6 -;a21=r7 -;bprim=r8 -;b2=r9 -;qprim=r10 ; initially used as q'' -;rprim=r11 ; initially used as r'' - +;r2 = l, q +;r3 = h, r +;r4 = d +;r5 = l' +;r6 = r' +;r7 = d' +;r8 = q' .psect code,nowrt -.entry bn_div_words,^m +.entry bn_div_words,^m movl l(ap),r2 movl h(ap),r3 movl d(ap),r4 - movl #0,r5 - movl #0,r8 - movl #0,r0 -; movl #0,r1 + bicl3 #^XFFFFFFF8,r2,r5 ; l' = l & 7 + bicl3 #^X00000007,r2,r2 - rotl #-1,r2,r6 ; a20 = l >> 1 (almost) - rotl #-1,r3,r7 ; a21 = h >> 1 (almost) - rotl #-1,r4,r9 ; b2 = d >> 1 (almost) + bicl3 #^XFFFFFFF8,r3,r6 + bicl3 #^X00000007,r3,r3 + + addl r6,r2 - tstl r6 - bgeq 1$ - xorl2 #^X80000000,r6 ; fixup a20 so highest bit is 0 - incl r5 ; a' = 1 -1$: - tstl r7 - bgeq 2$ - xorl2 #^X80000000,r6 ; fixup a20 so highest bit is 1, - ; since that's what was lowest in a21 - xorl2 #^X80000000,r7 ; fixup a21 so highest bit is 1 -2$: - tstl r9 + rotl #-3,r2,r2 ; l = l >> 3 + rotl #-3,r3,r3 ; h = h >> 3 + + movl r4,r7 ; d' = d + + movl #0,r6 ; r' = 0 + movl #0,r8 ; q' = 0 + + tstl r4 beql 666$ ; Uh-oh, the divisor is 0... - bgtr 3$ - xorl2 #^X80000000,r9 ; fixup b2 so highest bit is 0 - incl r8 ; b' = 1 -3$: - tstl r9 - bneq 4$ ; if b2 is 0, we know that b' is 1 - tstl r3 - bneq 666$ ; if higher half isn't 0, we overflow - movl r2,r10 ; otherwise, we have our result - brb 42$ ; This is a success, really. -4$: - ediv r9,r6,r10,r11 - - tstl r8 - bneq 5$ ; If b' != 0, go to the other part -; addl3 r11,r11,r1 -; addl2 r5,r1 - brb 42$ -5$: - ashl #1,r11,r11 - subl2 r10,r11 - addl2 r5,r11 - bgeq 7$ -6$: - decl r10 - addl2 r4,r11 - blss 6$ -7$: -; movl r11,r1 + bgtr 1$ + rotl #-1,r4,r4 ; If d is negative, shift it right. + bicl2 #^X80000000,r4 ; Since d is then a large number, the + ; lowest bit is insignificant + ; (contradict that, and I'll fix the problem!) +1$: + ediv r4,r2,r2,r3 ; Do the actual division + + tstl r2 + bgeq 3$ + mnegl r2,r2 ; if q < 0, negate it +3$: + tstl r7 + blss 4$ + rotl #3,r2,r2 ; q = q << 3 + bicl3 #^XFFFFFFF8,r2,r8 ; q' gets the high bits from q + bicl3 #^X00000007,r2,r2 + bsb 41$ +4$: ; else + rotl #2,r2,r2 ; q = q << 2 + bicl3 #^XFFFFFFFC,r2,r8 ; q' gets the high bits from q + bicl3 #^X00000003,r2,r2 +41$: + rotl #3,r3,r3 ; r = r << 3 + bicl3 #^XFFFFFFF8,r3,r6 ; r' gets the high bits from r + bicl3 #^X00000007,r3,r3 + addl r5,r3 ; r = r + l' + + tstl r7 + bgeq 5$ + bitl #1,r7 + beql 5$ ; if d' < 0 && d' & 1 + subl r2,r3 ; [r',r] = [r',r] - [q',q] + sbwc r8,r6 +45$: + bgeq 5$ ; while r < 0 + decl r2 ; [q',q] = [q',q] - 1 + sbwc #0,r8 + addl r7,r3 ; [r',r] = [r',r] + d' + adwc #0,r6 + brb 45$ + +; The return points are placed in the middle to keep a short distance from +; all the branch points 42$: - movl r10,r0 +; movl r3,r1 + movl r2,r0 + ret 666$: + movl #^XFFFFFFFF,r0 ret + +5$: + tstl r6 + bneq 6$ + cmpl r3,r7 + blssu 42$ ; while [r',r] >= d' +6$: + subl r7,r3 ; [r',r] = [r',r] - d' + sbwc #0,r6 + incl r2 ; [q',q] = [q',q] + 1 + adwc #0,r8 + brb 5$ .title vax_bn_add_words unsigned add of two arrays ; diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c index 8158a67374..3c8c540387 100644 --- a/src/lib/libcrypto/bn/bntest.c +++ b/src/lib/libcrypto/bn/bntest.c @@ -68,10 +68,6 @@ #include #include -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif - const int num0 = 100; /* number of tests */ const int num1 = 50; /* additional tests for some functions */ const int num2 = 5; /* number of tests for slow functions */ @@ -96,11 +92,6 @@ int test_sqrt(BIO *bp,BN_CTX *ctx); int rand_neg(void); static int results=0; -#ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 -#include "bss_file.c" -#endif - static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9" "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0"; @@ -141,10 +132,10 @@ int main(int argc, char *argv[]) ctx=BN_CTX_new(); - if (ctx == NULL) exit(1); + if (ctx == NULL) EXIT(1); out=BIO_new(BIO_s_file()); - if (out == NULL) exit(1); + if (out == NULL) EXIT(1); if (outfile == NULL) { BIO_set_fp(out,stdout,BIO_NOCLOSE); @@ -154,7 +145,7 @@ int main(int argc, char *argv[]) if (!BIO_write_filename(out,outfile)) { perror(outfile); - exit(1); + EXIT(1); } } @@ -238,14 +229,14 @@ int main(int argc, char *argv[]) BIO_free(out); /**/ - exit(0); + EXIT(0); err: BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices * the failure, see test_bn in test/Makefile.ssl*/ BIO_flush(out); ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); - exit(1); + EXIT(1); return(1); } @@ -488,7 +479,7 @@ int test_mul(BIO *bp) BN_CTX *ctx; ctx = BN_CTX_new(); - if (ctx == NULL) exit(1); + if (ctx == NULL) EXIT(1); BN_init(&a); BN_init(&b); @@ -726,7 +717,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx) while ((l=ERR_get_error())) fprintf(stderr,"ERROR:%s\n", ERR_error_string(l,NULL)); - exit(1); + EXIT(1); } if (bp != NULL) { diff --git a/src/lib/libcrypto/bn/divtest.c b/src/lib/libcrypto/bn/divtest.c index 13ba86e3c4..d3fc688f33 100644 --- a/src/lib/libcrypto/bn/divtest.c +++ b/src/lib/libcrypto/bn/divtest.c @@ -1,7 +1,7 @@ #include #include -static int rand(n) +static int Rand(n) { unsigned char x[2]; RAND_pseudo_bytes(x,2); @@ -26,8 +26,8 @@ main() BN_CTX *ctx=BN_CTX_new(); for(;;) { - BN_pseudo_rand(a,rand(),0,0); - BN_pseudo_rand(b,rand(),0,0); + BN_pseudo_rand(a,Rand(),0,0); + BN_pseudo_rand(b,Rand(),0,0); if (BN_is_zero(b)) continue; BN_RECP_CTX_set(recp,b,ctx); diff --git a/src/lib/libcrypto/bn/exptest.c b/src/lib/libcrypto/bn/exptest.c index 5ca570d1a8..b09cf88705 100644 --- a/src/lib/libcrypto/bn/exptest.c +++ b/src/lib/libcrypto/bn/exptest.c @@ -59,13 +59,13 @@ #include #include #include + +#include "../e_os.h" + #include #include #include #include -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #define NUM_BITS (BN_BITS*2) @@ -86,7 +86,7 @@ int main(int argc, char *argv[]) ERR_load_BN_strings(); ctx=BN_CTX_new(); - if (ctx == NULL) exit(1); + if (ctx == NULL) EXIT(1); r_mont=BN_new(); r_recp=BN_new(); r_simple=BN_new(); @@ -99,7 +99,7 @@ int main(int argc, char *argv[]) out=BIO_new(BIO_s_file()); - if (out == NULL) exit(1); + if (out == NULL) EXIT(1); BIO_set_fp(out,stdout,BIO_NOCLOSE); for (i=0; i<200; i++) @@ -124,7 +124,7 @@ int main(int argc, char *argv[]) { printf("BN_mod_exp_mont() problems\n"); ERR_print_errors(out); - exit(1); + EXIT(1); } ret=BN_mod_exp_recp(r_recp,a,b,m,ctx); @@ -132,7 +132,7 @@ int main(int argc, char *argv[]) { printf("BN_mod_exp_recp() problems\n"); ERR_print_errors(out); - exit(1); + EXIT(1); } ret=BN_mod_exp_simple(r_simple,a,b,m,ctx); @@ -140,7 +140,7 @@ int main(int argc, char *argv[]) { printf("BN_mod_exp_simple() problems\n"); ERR_print_errors(out); - exit(1); + EXIT(1); } if (BN_cmp(r_simple, r_mont) == 0 @@ -163,7 +163,7 @@ int main(int argc, char *argv[]) printf("\nrecp ="); BN_print(out,r_recp); printf("\nmont ="); BN_print(out,r_mont); printf("\n"); - exit(1); + EXIT(1); } } BN_free(r_mont); @@ -177,11 +177,11 @@ int main(int argc, char *argv[]) CRYPTO_mem_leaks(out); BIO_free(out); printf(" done\n"); - exit(0); + EXIT(0); err: ERR_load_crypto_strings(); ERR_print_errors(out); - exit(1); + EXIT(1); return(1); } diff --git a/src/lib/libcrypto/cast/casttest.c b/src/lib/libcrypto/cast/casttest.c index 099e790886..83e5a16c73 100644 --- a/src/lib/libcrypto/cast/casttest.c +++ b/src/lib/libcrypto/cast/casttest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_CAST int main(int argc, char *argv[]) { @@ -224,7 +226,7 @@ int main(int argc, char *argv[]) } #endif - exit(err); + EXIT(err); return(err); } #endif diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com index dfcff11860..39e78c69e5 100644 --- a/src/lib/libcrypto/crypto-lib.com +++ b/src/lib/libcrypto/crypto-lib.com @@ -21,22 +21,10 @@ $! LIBRARY To just compile the [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library. $! APPS To just compile the [.xxx.EXE.CRYPTO]*.EXE $! ALL To do both LIBRARY and APPS $! -$! Specify RSAREF as P2 to compile with the RSAREF library instead of -$! the regular one. If you specify NORSAREF it will compile with the -$! regular RSAREF routines. (Note: If you are in the United States -$! you MUST compile with RSAREF unless you have a license from RSA). -$! -$! Note: The RSAREF libraries are NOT INCLUDED and you have to -$! download it from "ftp://ftp.rsa.com/rsaref". You have to -$! get the ".tar-Z" file as the ".zip" file dosen't have the -$! directory structure stored. You have to extract the file -$! into the [.RSAREF] directory under the root directory as that -$! is where the scripts will look for the files. -$! -$! Specify DEBUG or NODEBUG as P3 to compile with or without debugger +$! Specify DEBUG or NODEBUG as P2 to compile with or without debugger $! information. $! -$! Specify which compiler at P4 to try to compile under. +$! Specify which compiler at P3 to try to compile under. $! $! VAXC For VAX C. $! DECC For DEC C. @@ -45,16 +33,16 @@ $! $! If you don't speficy a compiler, it will try to determine which $! "C" compiler to use. $! -$! P5, if defined, sets a TCP/IP library to use, through one of the following +$! P4, if defined, sets a TCP/IP library to use, through one of the following $! keywords: $! $! UCX for UCX $! TCPIP for TCPIP (post UCX) $! SOCKETSHR for SOCKETSHR+NETLIB $! -$! P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up) +$! P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up) $! -$! P7, if defined, sets a choice of crypto methods to compile. +$! P6, if defined, sets a choice of crypto methods to compile. $! WARNING: this should only be done to recompile some part of an already $! fully compiled library. $! @@ -93,7 +81,6 @@ $ ENCRYPT_TYPES = "Basic,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,"+ - "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ - "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ - "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5" -$ ENCRYPT_PROGRAMS = "DES,PKCS7" $! $! Check To Make Sure We Have Valid Command Line Parameters. $! @@ -149,10 +136,6 @@ $! Define The CRYPTO-LIB We Are To Use. $! $ CRYPTO_LIB := 'EXE_DIR'LIBCRYPTO.OLB $! -$! Define The RSAREF-LIB We Are To Use. -$! -$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB -$! $! Check To See If We Already Have A "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library... $! $ IF (F$SEARCH(LIB_NAME).EQS."") @@ -175,7 +158,7 @@ $! $ APPS_DES = "DES/DES,CBC3_ENC" $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE" $ -$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time" +$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time" $ LIB_MD2 = "md2_dgst,md2_one" $ LIB_MD4 = "md4_dgst,md4_one" $ LIB_MD5 = "md5_dgst,md5_one" @@ -216,7 +199,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ - "tb_rsa,tb_dsa,tb_dh,tb_rand,tb_cipher,tb_digest,"+ - "eng_openssl,eng_dyn,eng_cnf,"+ - "hw_atalla,hw_cswift,hw_ncipher,hw_nuron,hw_ubsec,"+ - - "hw_openbsd_dev_crypto,hw_aep,hw_sureware,hw_4758_cca" + "hw_cryptodev,hw_aep,hw_sureware,hw_4758_cca" $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,aes_ctr" $ LIB_BUFFER = "buffer,buf_err" $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ - @@ -287,86 +270,6 @@ $ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time," $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + - "sha_dgst,sha1dgst,rmd_dgst,bf_enc," $! -$! Check To See If We Are Going To Use RSAREF. -$! -$ IF (RSAREF.EQS."TRUE" .AND. ENCRYPT_TYPES - "RSA".NES.ENCRYPT_TYPES - - .AND. (BUILDALL .EQS. "TRUE" .OR. BUILDALL .EQS. "LIBRARY")) -$ THEN -$! -$! Check To See If The File [-.RSAREF]RSAREF.C Is Actually There. -$! -$ IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAREF.C").EQS."") -$ THEN -$! -$! Tell The User That The File Doesn't Exist. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Doesn't Exist." -$ WRITE SYS$OUTPUT "" -$! -$! Exit The Build. -$! -$ GOTO EXIT -$! -$! End The [-.RSAREF]RSAREF.C Check. -$! -$ ENDIF -$! -$! Tell The User We Are Compiling The [-.RSAREF]RSAREF File. -$! -$ WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAREF File." -$! -$! Compile [-.RSAREF]RSAREF.C -$! -$ CC/OBJECT='OBJ_DIR'RSAREF.OBJ SYS$DISK:[-.RSAREF]RSAREF.C -$! -$! Add It To The Library. -$! -$ LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAREF.OBJ -$! -$! Delete The Object File. -$! -$ DELETE 'OBJ_DIR'RSAREF.OBJ;* -$! -$! Check To See If The File [-.RSAREF]RSAR_ERR.C Is Actually There. -$! -$ IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAR_ERR.C").EQS."") -$ THEN -$! -$! Tell The User That The File Doesn't Exist. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Doesn't Exist." -$ WRITE SYS$OUTPUT "" -$! -$! Exit The Build. -$! -$ GOTO EXIT -$! -$! End The [-.RSAREF]RSAR_ERR.C File Check. -$! -$ ENDIF -$! -$! Tell The User We Are Compiling The [-.RSAREF]RSAR_ERR File. -$! -$ WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAR_ERR File." -$! -$! Compile [-.RSAREF]RSAR_ERR.C -$! -$ CC/OBJECT='OBJ_DIR'RSAR_ERR.OBJ SYS$DISK:[-.RSAREF]RSAR_ERR.C -$! -$! Add It To The Library. -$! -$ LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAR_ERR.OBJ -$! -$! Delete The Object File. -$! -$ DELETE 'OBJ_DIR'RSAR_ERR.OBJ;* -$! -$! End The RSAREF Check. -$! -$ ENDIF -$! $! Figure Out What Other Modules We Are To Build. $! $ BUILD_SET: @@ -639,74 +542,34 @@ $! Tell the user what happens $! $ WRITE SYS$OUTPUT " ",APPLICATION,".exe" $! -$! Link The Program, Check To See If We Need To Link With RSAREF Or Not. +$! Link The Program. $! $ ON ERROR THEN GOTO NEXT_APPLICATION -$ IF (RSAREF.EQS."TRUE") -$ THEN $! -$! Check To See If We Are To Link With A Specific TCP/IP Library. +$! Check To See If We Are To Link With A Specific TCP/IP Library. $! -$ IF (TCPIP_LIB.NES."") -$ THEN -$! -$! Link With The RSAREF Library And A Specific TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - - 'OBJ_DIR''APPLICATION_OBJECTS', - - 'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, - - 'TCPIP_LIB','OPT_FILE'/OPTION -$! -$! Else... -$! -$ ELSE -$! -$! Link With The RSAREF Library And NO TCP/IP Library. +$ IF (TCPIP_LIB.NES."") +$ THEN $! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - - 'OBJ_DIR''APPLICATION_OBJECTS', - - 'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, - - 'OPT_FILE'/OPTION +$! Link With A TCP/IP Library. $! -$! End The TCP/IP Library Check. +$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - + 'OBJ_DIR''APPLICATION_OBJECTS', - + 'CRYPTO_LIB'/LIBRARY, - + 'TCPIP_LIB','OPT_FILE'/OPTION $! -$ ENDIF -$! -$! Else... +$! Else... $! $ ELSE $! -$! Don't Link With The RSAREF Routines. -$! -$! -$! Check To See If We Are To Link With A Specific TCP/IP Library. -$! -$ IF (TCPIP_LIB.NES."") -$ THEN -$! -$! Don't Link With The RSAREF Routines And TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - - 'OBJ_DIR''APPLICATION_OBJECTS', - - 'CRYPTO_LIB'/LIBRARY, - - 'TCPIP_LIB','OPT_FILE'/OPTION -$! -$! Else... -$! -$ ELSE -$! -$! Don't Link With The RSAREF Routines And Link With A TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - - 'OBJ_DIR''APPLICATION_OBJECTS',- - 'CRYPTO_LIB'/LIBRARY, - - 'OPT_FILE'/OPTION +$! Don't Link With A TCP/IP Library. $! -$! End The TCP/IP Library Check. +$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - + 'OBJ_DIR''APPLICATION_OBJECTS',- + 'CRYPTO_LIB'/LIBRARY, - + 'OPT_FILE'/OPTION $! -$ ENDIF -$! -$! End The RSAREF Link Check. +$! End The TCP/IP Library Check. $! $ ENDIF $ GOTO NEXT_APPLICATION @@ -912,75 +775,10 @@ $ ENDIF $! $! Check To See If P2 Is Blank. $! -$ P2 = "NORSAREF" -$ IF (P2.EQS."NORSAREF") +$ IF (P2.EQS."NODEBUG") $ THEN $! -$! P2 Is NORSAREF, So Compile With The Regular RSA Libraries. -$! -$ RSAREF = "FALSE" -$ ELSE -$! -$! Check To See If We Are To Use The RSAREF Library. -$! -$ IF (P2.EQS."RSAREF") -$ THEN -$! -$! Check To Make Sure We Have The RSAREF Source Code Directory. -$! -$ IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."") -$ THEN -$! -$! We Don't Have The RSAREF Souce Code Directory, So Tell The -$! User This. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code." -$ WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'. You have to" -$ WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file doesn't have the" -$ WRITE SYS$OUTPUT "directory structure stored. You have to extract the file" -$ WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory" -$ WRITE SYS$OUTPUT "as that is where the scripts will look for the files." -$ WRITE SYS$OUTPUT "" -$! -$! Time To Exit. -$! -$ EXIT -$! -$! Else, Compile Using The RSAREF Library. -$! -$ ELSE -$ RSAREF = "TRUE" -$ ENDIF -$ ELSE -$! -$! They Entered An Invalid Option.. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P2," Is Invalid. The Valid Options Are:" -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT " RSAREF : Compile With The RSAREF Library." -$ WRITE SYS$OUTPUT " NORSAREF : Compile With The Regular RSA Library." -$ WRITE SYS$OUTPUT "" -$! -$! Time To EXIT. -$! -$ EXIT -$! -$! End The Valid Arguement Check. -$! -$ ENDIF -$! -$! End The P2 Check. -$! -$ ENDIF -$! -$! Check To See If P3 Is Blank. -$! -$ IF (P3.EQS."NODEBUG") -$ THEN -$! -$! P3 Is NODEBUG, So Compile Without The Debugger Information. +$! P2 Is NODEBUG, So Compile Without The Debugger Information. $! $ DEBUGGER = "NODEBUG" $ TRACEBACK = "NOTRACEBACK" @@ -993,7 +791,7 @@ $ ELSE $! $! Check To See If We Are To Compile With Debugger Information. $! -$ IF (P3.EQS."DEBUG") +$ IF (P2.EQS."DEBUG") $ THEN $! $! Compile With Debugger Information. @@ -1010,7 +808,7 @@ $! $! They Entered An Invalid Option.. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P3," Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "The Option ",P2," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " DEBUG : Compile With The Debugger Information." $ WRITE SYS$OUTPUT " NODEBUG : Compile Without The Debugger Information." @@ -1024,7 +822,7 @@ $! End The Valid Arguement Check. $! $ ENDIF $! -$! End The P3 Check. +$! End The P2 Check. $! $ ENDIF $! @@ -1034,9 +832,9 @@ $! Written By: Richard Levitte $! richard@levitte.org $! $! -$! Check To See If We Have A Option For P6. +$! Check To See If We Have A Option For P5. $! -$ IF (P6.EQS."") +$ IF (P5.EQS."") $ THEN $! $! Get The Version Of VMS We Are Using. @@ -1058,13 +856,13 @@ $! End The VMS Version Check. $! $ ENDIF $! -$! End The P6 Check. +$! End The P5 Check. $! $ ENDIF $! -$! Check To See If P4 Is Blank. +$! Check To See If P3 Is Blank. $! -$ IF (P4.EQS."") +$ IF (P3.EQS."") $ THEN $! $! O.K., The User Didn't Specify A Compiler, Let's Try To @@ -1077,7 +875,7 @@ $ THEN $! $! Looks Like GNUC, Set To Use GNUC. $! -$ P4 = "GNUC" +$ P3 = "GNUC" $! $! Else... $! @@ -1090,7 +888,7 @@ $ THEN $! $! Looks Like DECC, Set To Use DECC. $! -$ P4 = "DECC" +$ P3 = "DECC" $! $! Else... $! @@ -1098,7 +896,7 @@ $ ELSE $! $! Looks Like VAXC, Set To Use VAXC. $! -$ P4 = "VAXC" +$ P3 = "VAXC" $! $! End The VAXC Compiler Check. $! @@ -1112,9 +910,9 @@ $! End The Compiler Check. $! $ ENDIF $! -$! Check To See If We Have A Option For P5. +$! Check To See If We Have A Option For P4. $! -$ IF (P5.EQS."") +$ IF (P4.EQS."") $ THEN $! $! Find out what socket library we have available @@ -1124,7 +922,7 @@ $ THEN $! $! We have SOCKETSHR, and it is my opinion that it's the best to use. $! -$ P5 = "SOCKETSHR" +$ P4 = "SOCKETSHR" $! $! Tell the user $! @@ -1144,7 +942,7 @@ $ THEN $! $! Last resort: a UCX or UCX-compatible library $! -$ P5 = "UCX" +$ P4 = "UCX" $! $! Tell the user $! @@ -1158,7 +956,7 @@ $ ENDIF $! $! Set Up Initial CC Definitions, Possibly With User Ones $! -$ CCDEFS = "TCPIP_TYPE_''P5',DSO_VMS" +$ CCDEFS = "TCPIP_TYPE_''P4',DSO_VMS" $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS $ CCEXTRAFLAGS = "" $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS @@ -1168,12 +966,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN - $! $! Check To See If The User Entered A Valid Paramter. $! -$ IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC") +$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC") $ THEN $! $! Check To See If The User Wanted DECC. $! -$ IF (P4.EQS."DECC") +$ IF (P3.EQS."DECC") $ THEN $! $! Looks Like DECC, Set To Use DECC. @@ -1204,7 +1002,7 @@ $ ENDIF $! $! Check To See If We Are To Use VAXC. $! -$ IF (P4.EQS."VAXC") +$ IF (P3.EQS."VAXC") $ THEN $! $! Looks Like VAXC, Set To Use VAXC. @@ -1243,7 +1041,7 @@ $ ENDIF $! $! Check To See If We Are To Use GNU C. $! -$ IF (P4.EQS."GNUC") +$ IF (P3.EQS."GNUC") $ THEN $! $! Looks Like GNUC, Set To Use GNUC. @@ -1272,31 +1070,6 @@ $! Set up default defines $! $ CCDEFS = """FLAT_INC=1""," + CCDEFS $! -$! Check To See If We Are To Compile With RSAREF Routines. -$! -$ IF (RSAREF.EQS."TRUE") -$ THEN -$! -$! Compile With RSAREF. -$! -$ CCDEFS = CCDEFS + ",""RSAref=1""" -$! -$! Tell The User This. -$! -$ WRITE SYS$OUTPUT "Compiling With RSAREF Routines." -$! -$! Else, We Don't Care. Compile Without The RSAREF Library. -$! -$ ELSE -$! -$! Tell The User We Are Compile Without The RSAREF Routines. -$! -$ WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines. -$! -$! End The RSAREF Check. -$! -$ ENDIF -$! $! Finish up the definition of CC. $! $ IF COMPILER .EQS. "DECC" @@ -1315,7 +1088,7 @@ $ CC4DISABLEWARNINGS = "" $ ENDIF $ CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS $ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS -$ IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P3 .NES. "DEBUG" +$ IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P2 .NES. "DEBUG" $ THEN $ CC5 = CC + "/OPTIMIZE=NODISJOINT" $ ELSE @@ -1334,7 +1107,7 @@ $! $! Tell The User We Don't Know What They Want. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P4," Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "The Option ",P3," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " VAXC : To Compile With VAX C." $ WRITE SYS$OUTPUT " DECC : To Compile With DEC C." @@ -1360,13 +1133,13 @@ $ WRITE/SYMBOL SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO $! $! Time to check the contents, and to make sure we get the correct library. $! -$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX" - - .OR. P5.EQS."TCPIP" .OR. P5.EQS."NONE" +$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" - + .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE" $ THEN $! $! Check to see if SOCKETSHR was chosen $! -$ IF P5.EQS."SOCKETSHR" +$ IF P4.EQS."SOCKETSHR" $ THEN $! $! Set the library to use SOCKETSHR @@ -1379,12 +1152,12 @@ $ ENDIF $! $! Check to see if MULTINET was chosen $! -$ IF P5.EQS."MULTINET" +$ IF P4.EQS."MULTINET" $ THEN $! $! Set the library to use UCX emulation. $! -$ P5 = "UCX" +$ P4 = "UCX" $! $! Done with MULTINET $! @@ -1392,7 +1165,7 @@ $ ENDIF $! $! Check to see if UCX was chosen $! -$ IF P5.EQS."UCX" +$ IF P4.EQS."UCX" $ THEN $! $! Set the library to use UCX. @@ -1412,7 +1185,7 @@ $ ENDIF $! $! Check to see if TCPIP was chosen $! -$ IF P5.EQS."TCPIP" +$ IF P4.EQS."TCPIP" $ THEN $! $! Set the library to use TCPIP (post UCX). @@ -1425,7 +1198,7 @@ $ ENDIF $! $! Check to see if NONE was chosen $! -$ IF P5.EQS."NONE" +$ IF P4.EQS."NONE" $ THEN $! $! Do not use a TCPIP library. @@ -1447,7 +1220,7 @@ $! $! Tell The User We Don't Know What They Want. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P5," Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "The Option ",P4," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " SOCKETSHR : To link with SOCKETSHR TCP/IP library." $ WRITE SYS$OUTPUT " UCX : To link with UCX TCP/IP library." @@ -1465,10 +1238,9 @@ $! $! Check if the user wanted to compile just a subset of all the encryption $! methods. $! -$ IF P7 .NES. "" +$ IF P6 .NES. "" $ THEN -$ ENCRYPT_TYPES = P7 -$! NYI: ENCRYPT_PROGRAMS = P7 +$ ENCRYPT_TYPES = P6 $ ENDIF $! $! Time To RETURN... diff --git a/src/lib/libcrypto/des/FILES0 b/src/lib/libcrypto/des/FILES0 new file mode 100644 index 0000000000..4c7ea2de7a --- /dev/null +++ b/src/lib/libcrypto/des/FILES0 @@ -0,0 +1,96 @@ +/* General stuff */ +COPYRIGHT - Copyright info. +MODES.DES - A description of the features of the different modes of DES. +FILES - This file. +INSTALL - How to make things compile. +Imakefile - For use with kerberos. +README - What this package is. +VERSION - Which version this is and what was changed. +KERBEROS - Kerberos version 4 notes. +Makefile.PL - An old makefile to build with perl5, not current. +Makefile.ssl - The SSLeay makefile +Makefile.uni - The normal unix makefile. +GNUmakefile - The makefile for use with glibc. +makefile.bc - A Borland C makefile +times - Some outputs from 'speed' on some machines. +vms.com - For use when compiling under VMS + +/* My SunOS des(1) replacement */ +des.c - des(1) source code. +des.man - des(1) manual. + +/* Testing and timing programs. */ +destest.c - Source for libdes.a test program. +speed.c - Source for libdes.a timing program. +rpw.c - Source for libdes.a testing password reading routines. + +/* libdes.a source code */ +des_crypt.man - libdes.a manual page. +des.h - Public libdes.a header file. +ecb_enc.c - des_ecb_encrypt() source, this contains the basic DES code. +ecb3_enc.c - des_ecb3_encrypt() source. +cbc_ckm.c - des_cbc_cksum() source. +cbc_enc.c - des_cbc_encrypt() source. +ncbc_enc.c - des_cbc_encrypt() that is 'normal' in that it copies + the new iv values back in the passed iv vector. +ede_enc.c - des_ede3_cbc_encrypt() cbc mode des using triple DES. +cbc3_enc.c - des_3cbc_encrypt() source, don't use this function. +cfb_enc.c - des_cfb_encrypt() source. +cfb64enc.c - des_cfb64_encrypt() cfb in 64 bit mode but setup to be + used as a stream cipher. +cfb64ede.c - des_ede3_cfb64_encrypt() cfb in 64 bit mode but setup to be + used as a stream cipher and using triple DES. +ofb_enc.c - des_cfb_encrypt() source. +ofb64_enc.c - des_ofb_encrypt() ofb in 64 bit mode but setup to be + used as a stream cipher. +ofb64ede.c - des_ede3_ofb64_encrypt() ofb in 64 bit mode but setup to be + used as a stream cipher and using triple DES. +enc_read.c - des_enc_read() source. +enc_writ.c - des_enc_write() source. +pcbc_enc.c - des_pcbc_encrypt() source. +qud_cksm.c - quad_cksum() source. +rand_key.c - des_random_key() source. +read_pwd.c - Source for des_read_password() plus related functions. +set_key.c - Source for des_set_key(). +str2key.c - Covert a string of any length into a key. +fcrypt.c - A small, fast version of crypt(3). +des_locl.h - Internal libdes.a header file. +podd.h - Odd parity tables - used in des_set_key(). +sk.h - Lookup tables used in des_set_key(). +spr.h - What is left of the S tables - used in ecb_encrypt(). +des_ver.h - header file for the external definition of the + version string. +des.doc - SSLeay documentation for the library. + +/* The perl scripts - you can ignore these files they are only + * included for the curious */ +des.pl - des in perl anyone? des_set_key and des_ecb_encrypt + both done in a perl library. +testdes.pl - Testing program for des.pl +doIP - Perl script used to develop IP xor/shift code. +doPC1 - Perl script used to develop PC1 xor/shift code. +doPC2 - Generates sk.h. +PC1 - Output of doPC1 should be the same as output from PC1. +PC2 - used in development of doPC2. +shifts.pl - Perl library used by my perl scripts. + +/* I started making a perl5 dynamic library for libdes + * but did not fully finish, these files are part of that effort. */ +DES.pm +DES.pod +DES.xs +t +typemap + +/* The following are for use with sun RPC implementaions. */ +rpc_des.h +rpc_enc.c + +/* The following are contibuted by Mark Murray . They + * are not normally built into libdes due to machine specific routines + * contained in them. They are for use in the most recent incarnation of + * export kerberos v 4 (eBones). */ +supp.c +new_rkey.c + + diff --git a/src/lib/libcrypto/des/des.c b/src/lib/libcrypto/des/des.c index d8c846b23d..343135ff9e 100644 --- a/src/lib/libcrypto/des/des.c +++ b/src/lib/libcrypto/des/des.c @@ -427,7 +427,7 @@ void doencryption(void) k2[i-8]=k; } DES_set_key_unchecked(&k2,&ks2); - memset(k2,0,sizeof(k2)); + OPENSSL_cleanse(k2,sizeof(k2)); } else if (longk || flag3) { @@ -435,7 +435,7 @@ void doencryption(void) { DES_string_to_2keys(key,&kk,&k2); DES_set_key_unchecked(&k2,&ks2); - memset(k2,0,sizeof(k2)); + OPENSSL_cleanse(k2,sizeof(k2)); } else DES_string_to_key(key,&kk); @@ -457,8 +457,8 @@ void doencryption(void) } DES_set_key_unchecked(&kk,&ks); - memset(key,0,sizeof(key)); - memset(kk,0,sizeof(kk)); + OPENSSL_cleanse(key,sizeof(key)); + OPENSSL_cleanse(kk,sizeof(kk)); /* woops - A bug that does not showup under unix :-( */ memset(iv,0,sizeof(iv)); memset(iv2,0,sizeof(iv2)); @@ -666,18 +666,18 @@ void doencryption(void) if (l) fclose(CKSUM_OUT); } problems: - memset(buf,0,sizeof(buf)); - memset(obuf,0,sizeof(obuf)); - memset(&ks,0,sizeof(ks)); - memset(&ks2,0,sizeof(ks2)); - memset(iv,0,sizeof(iv)); - memset(iv2,0,sizeof(iv2)); - memset(kk,0,sizeof(kk)); - memset(k2,0,sizeof(k2)); - memset(uubuf,0,sizeof(uubuf)); - memset(b,0,sizeof(b)); - memset(bb,0,sizeof(bb)); - memset(cksum,0,sizeof(cksum)); + OPENSSL_cleanse(buf,sizeof(buf)); + OPENSSL_cleanse(obuf,sizeof(obuf)); + OPENSSL_cleanse(&ks,sizeof(ks)); + OPENSSL_cleanse(&ks2,sizeof(ks2)); + OPENSSL_cleanse(iv,sizeof(iv)); + OPENSSL_cleanse(iv2,sizeof(iv2)); + OPENSSL_cleanse(kk,sizeof(kk)); + OPENSSL_cleanse(k2,sizeof(k2)); + OPENSSL_cleanse(uubuf,sizeof(uubuf)); + OPENSSL_cleanse(b,sizeof(b)); + OPENSSL_cleanse(bb,sizeof(bb)); + OPENSSL_cleanse(cksum,sizeof(cksum)); if (Exit) EXIT(Exit); } diff --git a/src/lib/libcrypto/des/des_old.h b/src/lib/libcrypto/des/des_old.h index 51b987422a..1d840b474a 100644 --- a/src/lib/libcrypto/des/des_old.h +++ b/src/lib/libcrypto/des/des_old.h @@ -88,14 +88,14 @@ * */ -#ifndef HEADER_DES_OLD_H -#define HEADER_DES_OLD_H +#ifndef HEADER_DES_H +#define HEADER_DES_H #ifdef OPENSSL_NO_DES #error DES is disabled. #endif -#ifndef HEADER_DES_H +#ifndef HEADER_NEW_DES_H #error You must include des.h, not des_old.h directly. #endif @@ -173,10 +173,12 @@ typedef struct _ossl_old_des_ks_struct DES_fcrypt((b),(s),(r)) #define des_crypt(b,s)\ DES_crypt((b),(s)) +#if 0 #if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__) #define crypt(b,s)\ DES_crypt((b),(s)) #endif +#endif #define des_ofb_encrypt(i,o,n,l,k,iv)\ DES_ofb_encrypt((i),(o),(n),(l),&(k),(iv)) #define des_pcbc_encrypt(i,o,l,k,iv,e)\ @@ -274,8 +276,10 @@ typedef struct _ossl_old_des_ks_struct _ossl_old_des_fcrypt((b),(s),(r)) #define des_crypt(b,s)\ _ossl_old_des_crypt((b),(s)) +#if 0 #define crypt(b,s)\ _ossl_old_crypt((b),(s)) +#endif #define des_ofb_encrypt(i,o,n,l,k,iv)\ _ossl_old_des_ofb_encrypt((i),(o),(n),(l),(k),(iv)) #define des_pcbc_encrypt(i,o,l,k,iv,e)\ diff --git a/src/lib/libcrypto/des/destest.c b/src/lib/libcrypto/des/destest.c index 58e8c35dcb..687c00c792 100644 --- a/src/lib/libcrypto/des/destest.c +++ b/src/lib/libcrypto/des/destest.c @@ -84,9 +84,7 @@ int main(int argc, char *argv[]) #else #include -#if defined(PERL5) || defined(__FreeBSD__) || defined(NeXT) #define crypt(c,s) (des_crypt((c),(s))) -#endif /* tisk tisk - the test keys don't all have odd parity :-( */ /* test data */ @@ -322,7 +320,11 @@ static unsigned char ofb_cipher[24]= 0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3 }; +#if 0 static DES_LONG cbc_cksum_ret=0xB462FEF7L; +#else +static DES_LONG cbc_cksum_ret=0xF7FE62B4L; +#endif static unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4}; static char *pt(unsigned char *p); diff --git a/src/lib/libcrypto/des/read2pwd.c b/src/lib/libcrypto/des/read2pwd.c index b4720c3a98..3a63c4016c 100644 --- a/src/lib/libcrypto/des/read2pwd.c +++ b/src/lib/libcrypto/des/read2pwd.c @@ -120,8 +120,8 @@ int DES_read_password(DES_cblock *key, const char *prompt, int verify) if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0) DES_string_to_key(buf,key); - memset(buf,0,BUFSIZ); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buf,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ok); } @@ -133,7 +133,7 @@ int DES_read_2passwords(DES_cblock *key1, DES_cblock *key2, const char *prompt, if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0) DES_string_to_2keys(buf,key1,key2); - memset(buf,0,BUFSIZ); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buf,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ok); } diff --git a/src/lib/libcrypto/des/read_pwd.c b/src/lib/libcrypto/des/read_pwd.c index 9061935f21..ce5fa00a37 100644 --- a/src/lib/libcrypto/des/read_pwd.c +++ b/src/lib/libcrypto/des/read_pwd.c @@ -101,8 +101,10 @@ #ifdef WIN_CONSOLE_BUG #include +#ifndef OPENSSL_SYS_WINCE #include #endif +#endif /* There are 5 types of terminal interface supported, @@ -133,7 +135,7 @@ #define SGTTY #endif -#if defined(OPENSSL_SYS_VSWORKS) +#if defined(OPENSSL_SYS_VXWORKS) #undef TERMIOS #undef TERMIO #undef SGTTY @@ -167,7 +169,7 @@ #include #endif -#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__) +#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__) && !defined(OPENSSL_SYS_WINCE) #include #define fgets(a,b,c) noecho_fgets(a,b,c) #endif @@ -218,11 +220,29 @@ int des_read_pw_string(char *buf, int length, const char *prompt, int ret; ret=des_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ret); } -#ifndef OPENSSL_SYS_WIN16 +#ifdef OPENSSL_SYS_WINCE + +int des_read_pw(char *buf, char *buff, int size, const char *prompt, int verify) + { + memset(buf,0,size); + memset(buff,0,size); + return(0); + } + +#elif defined(OPENSSL_SYS_WIN16) + +int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify) + { + memset(buf,0,size); + memset(buff,0,size); + return(0); + } + +#else /* !OPENSSL_SYS_WINCE && !OPENSSL_SYS_WIN16 */ static void read_till_nl(FILE *in) { @@ -274,7 +294,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt, #ifdef OPENSSL_SYS_MSDOS if ((tty=fopen("con","r")) == NULL) tty=stdin; -#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VSWORKS) +#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VXWORKS) tty=stdin; #else #ifndef OPENSSL_SYS_MPE @@ -393,17 +413,6 @@ error: return(!ok); } -#else /* OPENSSL_SYS_WIN16 */ - -int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify) - { - memset(buf,0,size); - memset(buff,0,size); - return(0); - } - -#endif - static void pushsig(void) { int i; @@ -466,7 +475,7 @@ static void recsig(int i) #endif } -#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16) +#ifdef OPENSSL_SYS_MSDOS static int noecho_fgets(char *buf, int size, FILE *tty) { int i; @@ -509,3 +518,4 @@ static int noecho_fgets(char *buf, int size, FILE *tty) return(strlen(buf)); } #endif +#endif /* !OPENSSL_SYS_WINCE && !WIN16 */ diff --git a/src/lib/libcrypto/dh/dhtest.c b/src/lib/libcrypto/dh/dhtest.c index 34894ced73..d75077f9fa 100644 --- a/src/lib/libcrypto/dh/dhtest.c +++ b/src/lib/libcrypto/dh/dhtest.c @@ -59,9 +59,9 @@ #include #include #include -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif + +#include "../e_os.h" + #include #include #include @@ -84,10 +84,6 @@ int main(int argc, char *argv[]) #endif static void MS_CALLBACK cb(int p, int n, void *arg); -#ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 -#include "bss_file.c" -#endif static const char rnd_seed[] = "string to make the random number generator think it has entropy"; @@ -111,7 +107,7 @@ int main(int argc, char *argv[]) RAND_seed(rnd_seed, sizeof rnd_seed); out=BIO_new(BIO_s_file()); - if (out == NULL) exit(1); + if (out == NULL) EXIT(1); BIO_set_fp(out,stdout,BIO_NOCLOSE); a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out); @@ -195,7 +191,7 @@ err: CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); CRYPTO_mem_leaks_fp(stderr); - exit(ret); + EXIT(ret); return(ret); } diff --git a/src/lib/libcrypto/dsa/dsagen.c b/src/lib/libcrypto/dsa/dsagen.c index a0b0976640..1b6a1cca0f 100644 --- a/src/lib/libcrypto/dsa/dsagen.c +++ b/src/lib/libcrypto/dsa/dsagen.c @@ -103,7 +103,7 @@ main() bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); memcpy(seed_buf,seed,20); - dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb); + dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb,bio_err); if (dsa == NULL) DSA_print(bio_err,dsa,0); diff --git a/src/lib/libcrypto/dsa/dsatest.c b/src/lib/libcrypto/dsa/dsatest.c index 12da64f9f4..4734ce4af8 100644 --- a/src/lib/libcrypto/dsa/dsatest.c +++ b/src/lib/libcrypto/dsa/dsatest.c @@ -61,14 +61,13 @@ #include #include #include + +#include "../e_os.h" + #include #include #include #include -#include -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #ifdef OPENSSL_NO_DSA int main(int argc, char *argv[]) @@ -212,10 +211,16 @@ end: BIO_free(bio_err); bio_err = NULL; } - exit(!ret); + EXIT(!ret); return(0); } +static int cb_exit(int ec) + { + EXIT(ec); + return(0); /* To keep some compilers quiet */ + } + static void MS_CALLBACK dsa_cb(int p, int n, void *arg) { char c='*'; @@ -231,7 +236,7 @@ static void MS_CALLBACK dsa_cb(int p, int n, void *arg) if (!ok && (p == 0) && (num > 1)) { BIO_printf((BIO *)arg,"error in dsatest\n"); - exit(1); + cb_exit(1); } } #endif diff --git a/src/lib/libcrypto/dso/dso_dl.c b/src/lib/libcrypto/dso/dso_dl.c index 195717e993..79d2cb4d8c 100644 --- a/src/lib/libcrypto/dso/dso_dl.c +++ b/src/lib/libcrypto/dso/dso_dl.c @@ -126,7 +126,7 @@ static int dl_load(DSO *dso) DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME); goto err; } - ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, NULL); + ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, 0L); if(ptr == NULL) { DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED); diff --git a/src/lib/libcrypto/dso/dso_win32.c b/src/lib/libcrypto/dso/dso_win32.c index af8586d754..6c30deb250 100644 --- a/src/lib/libcrypto/dso/dso_win32.c +++ b/src/lib/libcrypto/dso/dso_win32.c @@ -61,7 +61,7 @@ #include "cryptlib.h" #include -#ifndef OPENSSL_SYS_WIN32 +#if !defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE) DSO_METHOD *DSO_METHOD_win32(void) { return NULL; diff --git a/src/lib/libcrypto/ec/ectest.c b/src/lib/libcrypto/ec/ectest.c index eab46cc080..345d3e4289 100644 --- a/src/lib/libcrypto/ec/ectest.c +++ b/src/lib/libcrypto/ec/ectest.c @@ -55,6 +55,11 @@ #include #include +#ifdef FLAT_INC +#include "e_os.h" +#else +#include "../e_os.h" +#endif #include #include @@ -65,14 +70,16 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur #include +#ifndef OPENSSL_NO_ENGINE #include +#endif #include #define ABORT do { \ fflush(stdout); \ fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \ ERR_print_errors_fp(stderr); \ - exit(1); \ + EXIT(1); \ } while (0) #if 0 @@ -623,7 +630,9 @@ int main(int argc, char *argv[]) if (P_384) EC_GROUP_free(P_384); if (P_521) EC_GROUP_free(P_521); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); diff --git a/src/lib/libcrypto/engine/enginetest.c b/src/lib/libcrypto/engine/enginetest.c index 87fa8c57b7..c2d0297392 100644 --- a/src/lib/libcrypto/engine/enginetest.c +++ b/src/lib/libcrypto/engine/enginetest.c @@ -56,9 +56,17 @@ * */ -#include #include #include + +#ifdef OPENSSL_NO_ENGINE +int main(int argc, char *argv[]) +{ + printf("No ENGINE support\n"); + return(0); +} +#else +#include #include #include #include @@ -272,3 +280,4 @@ end: CRYPTO_mem_leaks_fp(stderr); return to_return; } +#endif diff --git a/src/lib/libcrypto/engine/hw_4758_cca.c b/src/lib/libcrypto/engine/hw_4758_cca.c index bfb80968e2..4f5ae8a46d 100644 --- a/src/lib/libcrypto/engine/hw_4758_cca.c +++ b/src/lib/libcrypto/engine/hw_4758_cca.c @@ -223,6 +223,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_4758_cca(void) { ENGINE *ret = ENGINE_new(); @@ -244,6 +245,7 @@ void ENGINE_load_4758cca(void) ENGINE_free(e_4758); ERR_clear_error(); } +#endif static int ibm_4758_cca_destroy(ENGINE *e) { @@ -715,7 +717,7 @@ static int cca_rsa_verify(int type, const unsigned char *m, unsigned int m_len, if (type == NID_sha1 || type == NID_md5) { - memset(hashBuffer, keyLength+1, 0); + OPENSSL_cleanse(hashBuffer, keyLength+1); OPENSSL_free(hashBuffer); } @@ -838,7 +840,7 @@ static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len, if (type == NID_sha1 || type == NID_md5) { - memset(hashBuffer, keyLength+1, 0); + OPENSSL_cleanse(hashBuffer, keyLength+1); OPENSSL_free(hashBuffer); } diff --git a/src/lib/libcrypto/engine/hw_atalla.c b/src/lib/libcrypto/engine/hw_atalla.c index 6151c46902..e9eff9fad1 100644 --- a/src/lib/libcrypto/engine/hw_atalla.c +++ b/src/lib/libcrypto/engine/hw_atalla.c @@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_atalla(void) { ENGINE *ret = ENGINE_new(); @@ -264,6 +265,7 @@ void ENGINE_load_atalla(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This is a process-global DSO handle used for loading and unloading * the Atalla library. NB: This is only set (or unset) during an diff --git a/src/lib/libcrypto/engine/hw_cryptodev.c b/src/lib/libcrypto/engine/hw_cryptodev.c index 7c3728f395..40af97ac24 100644 --- a/src/lib/libcrypto/engine/hw_cryptodev.c +++ b/src/lib/libcrypto/engine/hw_cryptodev.c @@ -1,6 +1,7 @@ /* * Copyright (c) 2002 Bob Beck * Copyright (c) 2002 Theo de Raadt + * Copyright (c) 2002 Markus Friedl * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -28,33 +29,85 @@ * */ -#include +#include +#include +#include + +#if (defined(__unix__) || defined(unix)) && !defined(USG) #include +# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) +# define HAVE_CRYPTODEV +# endif +# if (OpenBSD >= 200110) +# define HAVE_SYSLOG_R +# endif +#endif + +#ifndef HAVE_CRYPTODEV + +void +ENGINE_load_cryptodev(void) +{ + /* This is a NOP on platforms without /dev/crypto */ + return; +} + +#else + +#include #include #include #include #include #include #include -#include #include -#include -#include -#include +#include +#include +#include -static int cryptodev_fd = -1; -static int cryptodev_sessions = 0; -static u_int32_t cryptodev_symfeat = 0; +struct dev_crypto_state { + struct session_op d_sess; + int d_fd; +}; +static u_int32_t cryptodev_asymfeat = 0; + +static int get_asym_dev_crypto(void); +static int open_dev_crypto(void); +static int get_dev_crypto(void); +static int cryptodev_max_iv(int cipher); +static int cryptodev_key_length_valid(int cipher, int len); +static int cipher_nid_to_cryptodev(int nid); +static int get_cryptodev_ciphers(const int **cnids); +static int get_cryptodev_digests(const int **cnids); +static int cryptodev_usable_ciphers(const int **nids); +static int cryptodev_usable_digests(const int **nids); +static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl); +static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc); +static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx); +static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + const int **nids, int nid); +static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, + const int **nids, int nid); static int bn2crparam(const BIGNUM *a, struct crparam *crp); static int crparam2bn(struct crparam *crp, BIGNUM *a); static void zapparams(struct crypt_kop *kop); +static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, + int slen, BIGNUM *s); -static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, + RSA *rsa); +static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, + BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, + BN_CTX *ctx, BN_MONT_CTX *mont); static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len, @@ -64,6 +117,9 @@ static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *m_ctx); static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); +static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, + void (*f)()); +void ENGINE_load_cryptodev(void); static const ENGINE_CMD_DEFN cryptodev_defns[] = { { 0, NULL, NULL, 0 } @@ -77,11 +133,10 @@ static struct { } ciphers[] = { { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, }, { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, }, - { CRYPTO_AES_CBC, NID_undef, 8, 24, }, + { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, }, { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, }, - { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 8, }, + { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, }, { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, }, - { CRYPTO_ARC4, NID_rc4, 8, 16, }, { 0, NID_undef, 0, 0, }, }; @@ -99,33 +154,53 @@ static struct { }; /* - * Return 1 if /dev/crypto seems usable, 0 otherwise , also - * does most of the work of initting the device, if not already - * done.. This should leave is with global fd initialized with CRIOGET. + * Return a fd if /dev/crypto seems usable, 0 otherwise. */ static int -check_dev_crypto() +open_dev_crypto(void) { - int fd; + static int fd = -1; - if (cryptodev_fd == -1) { + if (fd == -1) { if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1) - return (0); - if (ioctl(fd, CRIOGET, &cryptodev_fd) == -1) { - close(fd); - return (0); - } - close(fd); + return (-1); /* close on exec */ - if (fcntl(cryptodev_fd, F_SETFD, 1) == -1) { - close(cryptodev_fd); - cryptodev_fd = -1; - return (0); + if (fcntl(fd, F_SETFD, 1) == -1) { + close(fd); + fd = -1; + return (-1); } } - ioctl(cryptodev_fd, CIOCSYMFEAT, &cryptodev_symfeat); + return (fd); +} - return (1); +static int +get_dev_crypto(void) +{ + int fd, retfd; + + if ((fd = open_dev_crypto()) == -1) + return (-1); + if (ioctl(fd, CRIOGET, &retfd) == -1) + return (-1); + + /* close on exec */ + if (fcntl(retfd, F_SETFD, 1) == -1) { + close(retfd); + return (-1); + } + return (retfd); +} + +/* Caching version for asym operations */ +static int +get_asym_dev_crypto(void) +{ + static int fd = -1; + + if (fd == -1) + fd = get_dev_crypto(); + return fd; } /* @@ -183,8 +258,12 @@ get_cryptodev_ciphers(const int **cnids) { static int nids[CRYPTO_ALGORITHM_MAX]; struct session_op sess; - int i, count = 0; + int fd, i, count = 0; + if ((fd = get_dev_crypto()) < 0) { + *nids = NULL; + return (0); + } memset(&sess, 0, sizeof(sess)); sess.key = (caddr_t)"123456781234567812345678"; @@ -194,10 +273,12 @@ get_cryptodev_ciphers(const int **cnids) sess.cipher = ciphers[i].id; sess.keylen = ciphers[i].keylen; sess.mac = 0; - if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 && - ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1) + if (ioctl(fd, CIOCGSESSION, &sess) != -1 && + ioctl(fd, CIOCFSESSION, &sess.ses) != -1) nids[count++] = ciphers[i].nid; } + close(fd); + if (count > 0) *cnids = nids; else @@ -216,18 +297,24 @@ get_cryptodev_digests(const int **cnids) { static int nids[CRYPTO_ALGORITHM_MAX]; struct session_op sess; - int i, count = 0; + int fd, i, count = 0; + if ((fd = get_dev_crypto()) < 0) { + *nids = NULL; + return (0); + } memset(&sess, 0, sizeof(sess)); for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { if (digests[i].nid == NID_undef) continue; sess.mac = digests[i].id; sess.cipher = 0; - if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 && - ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1) + if (ioctl(fd, CIOCGSESSION, &sess) != -1 && + ioctl(fd, CIOCFSESSION, &sess.ses) != -1) nids[count++] = digests[i].nid; } + close(fd); + if (count > 0) *cnids = nids; else @@ -256,25 +343,15 @@ get_cryptodev_digests(const int **cnids) * want most of the decisions made about what we actually want * to use from /dev/crypto. */ -int +static int cryptodev_usable_ciphers(const int **nids) { - if (!check_dev_crypto()) { - *nids = NULL; - return (0); - } - - /* find what the device can do. Unfortunately, we don't - * necessarily want all of these yet, because we aren't - * yet set up to do them - */ return (get_cryptodev_ciphers(nids)); } -int +static int cryptodev_usable_digests(const int **nids) { -#if 1 /* * XXXX just disable all digests for now, because it sucks. * we need a better way to decide this - i.e. I may not @@ -289,29 +366,19 @@ cryptodev_usable_digests(const int **nids) */ *nids = NULL; return (0); -#endif - - if (!check_dev_crypto()) { - *nids = NULL; - return (0); - } - return (get_cryptodev_digests(nids)); } - -int +static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { struct crypt_op cryp; - struct session_op *sess = ctx->cipher_data; + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; void *iiv; unsigned char save_iv[EVP_MAX_IV_LENGTH]; - struct syslog_data sd = SYSLOG_DATA_INIT; - if (cryptodev_fd == -1) - return (0); - if (sess == NULL) + if (state->d_fd < 0) return (0); if (!inl) return (1); @@ -338,11 +405,10 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } else cryp.iv = NULL; - if (ioctl(cryptodev_fd, CIOCCRYPT, &cryp) == -1) { + if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) { /* XXX need better errror handling * this can fail for a number of different reasons. */ - syslog_r(LOG_ERR, &sd, "CIOCCRYPT failed (%m)"); return (0); } @@ -356,20 +422,17 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return (1); } -int +static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { - struct session_op *sess = ctx->cipher_data; - struct syslog_data sd = SYSLOG_DATA_INIT; + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; int cipher; if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef) return (0); - if (!check_dev_crypto()) - return (0); - if (ctx->cipher->iv_len > cryptodev_max_iv(cipher)) return (0); @@ -378,15 +441,18 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, memset(sess, 0, sizeof(struct session_op)); + if ((state->d_fd = get_dev_crypto()) < 0) + return (0); + sess->key = (unsigned char *)key; sess->keylen = ctx->key_len; sess->cipher = cipher; - if (ioctl(cryptodev_fd, CIOCGSESSION, sess) == -1) { - syslog_r(LOG_ERR, &sd, "CIOCGSESSION failed (%m)"); + if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { + close(state->d_fd); + state->d_fd = -1; return (0); } - cryptodev_sessions++; return (1); } @@ -394,14 +460,14 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, * free anything we allocated earlier when initting a * session, and close the session. */ -int +static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx) { int ret = 0; - struct session_op *sess = ctx->cipher_data; - struct syslog_data sd = SYSLOG_DATA_INIT; + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; - if (sess == NULL) + if (state->d_fd < 0) return (0); /* XXX if this ioctl fails, someting's wrong. the invoker @@ -415,17 +481,14 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx) * print messages to users of the library. hmm.. */ - if (ioctl(cryptodev_fd, CIOCFSESSION, &sess->ses) == -1) { - syslog_r(LOG_ERR, &sd, "CIOCFSESSION failed (%m)"); + if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) { ret = 0; } else { - cryptodev_sessions--; ret = 1; } - if (cryptodev_sessions == 0 && cryptodev_fd != -1 ) { - close(cryptodev_fd); /* XXX should this be closed? */ - cryptodev_fd = -1; - } + close(state->d_fd); + state->d_fd = -1; + return (ret); } @@ -434,20 +497,6 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx) * gets called when libcrypto requests a cipher NID. */ -/* ARC4 (16 byte key) */ -const EVP_CIPHER cryptodev_arc4_cipher = { - NID_rc4, - 1, 16, 0, - EVP_CIPH_VARIABLE_LENGTH, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct session_op), - NULL, - NULL, - NULL -}; - /* DES CBC EVP */ const EVP_CIPHER cryptodev_des_cbc = { NID_des_cbc, @@ -456,7 +505,7 @@ const EVP_CIPHER cryptodev_des_cbc = { cryptodev_init_key, cryptodev_cipher, cryptodev_cleanup, - sizeof(struct session_op), + sizeof(struct dev_crypto_state), EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL @@ -470,19 +519,57 @@ const EVP_CIPHER cryptodev_3des_cbc = { cryptodev_init_key, cryptodev_cipher, cryptodev_cleanup, - sizeof(struct session_op), + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; + +const EVP_CIPHER cryptodev_bf_cbc = { + NID_bf_cbc, + 8, 16, 8, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; + +const EVP_CIPHER cryptodev_cast_cbc = { + NID_cast5_cbc, + 8, 16, 8, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL }; +const EVP_CIPHER cryptodev_aes_cbc = { + NID_aes_128_cbc, + 16, 16, 16, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; /* * Registered by the ENGINE when used to find out how to deal with * a particular NID in the ENGINE. this says what we'll do at the * top level - note, that list is restricted by what we answer with */ -int +static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid) { @@ -490,15 +577,21 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, return (cryptodev_usable_ciphers(nids)); switch (nid) { - case NID_rc4: - *cipher = &cryptodev_arc4_cipher; - break; case NID_des_ede3_cbc: *cipher = &cryptodev_3des_cbc; break; case NID_des_cbc: *cipher = &cryptodev_des_cbc; break; + case NID_bf_cbc: + *cipher = &cryptodev_bf_cbc; + break; + case NID_cast5_cbc: + *cipher = &cryptodev_cast_cbc; + break; + case NID_aes_128_cbc: + *cipher = &cryptodev_aes_cbc; + break; default: *cipher = NULL; break; @@ -506,7 +599,7 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, return (*cipher != NULL); } -int +static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, const int **nids, int nid) { @@ -524,7 +617,6 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, return (*digest != NULL); } - /* * Convert a BIGNUM to the representation that /dev/crypto needs. * Upon completion of use, the caller is responsible for freeing @@ -533,7 +625,7 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, static int bn2crparam(const BIGNUM *a, struct crparam *crp) { - int i, j, n; + int i, j, k; ssize_t words, bytes, bits; u_char *b; @@ -550,17 +642,13 @@ bn2crparam(const BIGNUM *a, struct crparam *crp) crp->crp_p = b; crp->crp_nbits = bits; - words = (bits + BN_BITS2 - 1) / BN_BITS2; - - n = 0; - for (i = 0; i < words && n < bytes; i++) { - BN_ULONG word; - - word = a->d[i]; - for (j = 0 ; j < BN_BYTES && n < bytes; j++, n++) { - *b++ = (word & 0xff); - word >>= 8; + for (i = 0, j = 0; i < a->top; i++) { + for (k = 0; k < BN_BITS2 / 8; k++) { + if ((j + k) >= bytes) + return (0); + b[j + k] = a->d[i] >> (k * 8); } + j += BN_BITS2 / 8; } return (0); } @@ -569,15 +657,22 @@ bn2crparam(const BIGNUM *a, struct crparam *crp) static int crparam2bn(struct crparam *crp, BIGNUM *a) { + u_int8_t *pd; int i, bytes; - bytes = (crp->crp_nbits + 7)/8; + bytes = (crp->crp_nbits + 7) / 8; - BN_zero(a); - for (i = bytes - 1; i >= 0; i--) { - BN_lshift(a, a, 8); - BN_add_word(a, (u_char)crp->crp_p[i]); - } + if (bytes == 0) + return (-1); + + if ((pd = (u_int8_t *) malloc(bytes)) == NULL) + return (-1); + + for (i = 0; i < bytes; i++) + pd[i] = crp->crp_p[bytes - i - 1]; + + BN_bin2bn(pd, bytes, a); + free(pd); return (0); } @@ -596,25 +691,32 @@ zapparams(struct crypt_kop *kop) } static int -cryptodev_sym(struct crypt_kop *kop, BIGNUM *r, BIGNUM *s) +cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s) { - int ret = -1; + int fd, ret = -1; + + if ((fd = get_asym_dev_crypto()) < 0) + return (ret); if (r) { - kop->crk_param[kop->crk_iparams].crp_p = malloc(256); - kop->crk_param[kop->crk_iparams].crp_nbits = 256 * 8; + kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char)); + kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8; kop->crk_oparams++; } if (s) { - kop->crk_param[kop->crk_iparams+1].crp_p = malloc(256); - kop->crk_param[kop->crk_iparams+1].crp_nbits = 256 * 8; + kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char)); + kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8; kop->crk_oparams++; } - if (ioctl(cryptodev_fd, CIOCKEY, &kop) == 0) { - crparam2bn(&kop->crk_param[3], r); + if (ioctl(fd, CIOCKEY, kop) == 0) { + if (r) + crparam2bn(&kop->crk_param[kop->crk_iparams], r); + if (s) + crparam2bn(&kop->crk_param[kop->crk_iparams+1], s); ret = 0; } + return (ret); } @@ -623,38 +725,58 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { struct crypt_kop kop; - int ret = 0; + int ret = 1; + + /* Currently, we know we can do mod exp iff we can do any + * asymmetric operations at all. + */ + if (cryptodev_asymfeat == 0) { + ret = BN_mod_exp(r, a, p, m, ctx); + return (ret); + } memset(&kop, 0, sizeof kop); kop.crk_op = CRK_MOD_EXP; - /* inputs: a m p */ + /* inputs: a^p % m */ if (bn2crparam(a, &kop.crk_param[0])) goto err; - if (bn2crparam(m, &kop.crk_param[1])) + if (bn2crparam(p, &kop.crk_param[1])) goto err; - if (bn2crparam(p, &kop.crk_param[2])) + if (bn2crparam(m, &kop.crk_param[2])) goto err; kop.crk_iparams = 3; - if (cryptodev_sym(&kop, r, NULL) == -1) { - ret = BN_mod_exp(r, a, p, m, ctx); + if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) { + const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); + ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont); } err: zapparams(&kop); return (ret); } +static int +cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +{ + int r; + BN_CTX *ctx; + + ctx = BN_CTX_new(); + r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL); + BN_CTX_free(ctx); + return (r); +} static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) { struct crypt_kop kop; - int ret = 0; + int ret = 1; if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) { /* XXX 0 means failure?? */ - goto err; + return (0); } memset(&kop, 0, sizeof kop); @@ -674,9 +796,8 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) goto err; kop.crk_iparams = 6; - if (cryptodev_sym(&kop, r0, NULL) == -1) { + if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) { const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); - ret = (*meth->rsa_mod_exp)(r0, I, rsa); } err: @@ -690,8 +811,8 @@ static RSA_METHOD cryptodev_rsa = { NULL, /* rsa_pub_dec */ NULL, /* rsa_priv_enc */ NULL, /* rsa_priv_dec */ - cryptodev_rsa_mod_exp, /* rsa_mod_exp */ - cryptodev_bn_mod_exp, /* bn_mod_exp */ + NULL, + NULL, NULL, /* init */ NULL, /* finish */ 0, /* flags */ @@ -707,6 +828,38 @@ cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx)); } +static int +cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, + BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, + BN_CTX *ctx, BN_MONT_CTX *mont) +{ + BIGNUM t2; + int ret = 0; + + BN_init(&t2); + + /* v = ( g^u1 * y^u2 mod p ) mod q */ + /* let t1 = g ^ u1 mod p */ + ret = 0; + + if (!dsa->meth->bn_mod_exp(dsa,t1,dsa->g,u1,dsa->p,ctx,mont)) + goto err; + + /* let t2 = y ^ u2 mod p */ + if (!dsa->meth->bn_mod_exp(dsa,&t2,dsa->pub_key,u2,dsa->p,ctx,mont)) + goto err; + /* let u1 = t1 * t2 mod p */ + if (!BN_mod_mul(u1,t1,&t2,dsa->p,ctx)) + goto err; + + BN_copy(t1,u1); + + ret = 1; +err: + BN_free(&t2); + return(ret); +} + static DSA_SIG * cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { @@ -721,6 +874,7 @@ cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) goto err; } + printf("bar\n"); memset(&kop, 0, sizeof kop); kop.crk_op = CRK_DSA_SIGN; @@ -737,13 +891,13 @@ cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) goto err; kop.crk_iparams = 5; - if (cryptodev_sym(&kop, r, s) == 0) { + if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r, + BN_num_bytes(dsa->q), s) == 0) { dsaret = DSA_SIG_new(); dsaret->r = r; dsaret->s = s; } else { const DSA_METHOD *meth = DSA_OpenSSL(); - BN_free(r); BN_free(s); dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa); @@ -759,7 +913,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen, DSA_SIG *sig, DSA *dsa) { struct crypt_kop kop; - int dsaret = 0; + int dsaret = 1; memset(&kop, 0, sizeof kop); kop.crk_op = CRK_DSA_VERIFY; @@ -781,7 +935,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen, goto err; kop.crk_iparams = 7; - if (cryptodev_sym(&kop, NULL, NULL) == 0) { + if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) { dsaret = kop.crk_status; } else { const DSA_METHOD *meth = DSA_OpenSSL(); @@ -796,11 +950,11 @@ err: static DSA_METHOD cryptodev_dsa = { "cryptodev DSA method", - cryptodev_dsa_do_sign, + NULL, NULL, /* dsa_sign_setup */ - cryptodev_dsa_verify, + NULL, NULL, /* dsa_mod_exp */ - cryptodev_dsa_bn_mod_exp, /* bn_mod_exp */ + NULL, NULL, /* init */ NULL, /* finish */ 0, /* flags */ @@ -819,8 +973,14 @@ static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { struct crypt_kop kop; - int dhret = 0; - int keylen; + int dhret = 1; + int fd, keylen; + + if ((fd = get_asym_dev_crypto()) < 0) { + const DH_METHOD *meth = DH_OpenSSL(); + + return ((meth->compute_key)(key, pub_key, dh)); + } keylen = BN_num_bits(dh->p); @@ -840,7 +1000,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) kop.crk_param[3].crp_nbits = keylen * 8; kop.crk_oparams = 1; - if (ioctl(cryptodev_fd, CIOCKEY, &kop) == -1) { + if (ioctl(fd, CIOCKEY, &kop) == -1) { const DH_METHOD *meth = DH_OpenSSL(); dhret = (meth->compute_key)(key, pub_key, dh); @@ -854,8 +1014,8 @@ err: static DH_METHOD cryptodev_dh = { "cryptodev DH method", NULL, /* cryptodev_dh_generate_key */ - cryptodev_dh_compute_key, - cryptodev_mod_exp_dh, + NULL, + NULL, NULL, NULL, 0, /* flags */ @@ -869,12 +1029,18 @@ static DH_METHOD cryptodev_dh = { static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) { +#ifdef HAVE_SYSLOG_R struct syslog_data sd = SYSLOG_DATA_INIT; +#endif switch (cmd) { default: +#ifdef HAVE_SYSLOG_R syslog_r(LOG_ERR, &sd, "cryptodev_ctrl: unknown command %d", cmd); +#else + syslog(LOG_ERR, "cryptodev_ctrl: unknown command %d", cmd); +#endif break; } return (1); @@ -884,14 +1050,24 @@ void ENGINE_load_cryptodev(void) { ENGINE *engine = ENGINE_new(); - const RSA_METHOD *rsa_meth; - const DH_METHOD *dh_meth; + int fd; if (engine == NULL) return; + if ((fd = get_dev_crypto()) < 0) + return; + + /* + * find out what asymmetric crypto algorithms we support + */ + if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) { + close(fd); + return; + } + close(fd); if (!ENGINE_set_id(engine, "cryptodev") || - !ENGINE_set_name(engine, "OpenBSD cryptodev engine") || + !ENGINE_set_name(engine, "BSD cryptodev engine") || !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || !ENGINE_set_digests(engine, cryptodev_engine_digests) || !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) || @@ -900,27 +1076,57 @@ ENGINE_load_cryptodev(void) return; } - if ((cryptodev_symfeat & CRSFEAT_RSA) && - ENGINE_set_RSA(engine, &cryptodev_rsa)) { - rsa_meth = RSA_PKCS1_SSLeay(); + if (ENGINE_set_RSA(engine, &cryptodev_rsa)) { + const RSA_METHOD *rsa_meth = RSA_PKCS1_SSLeay(); + + cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp; + cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp; cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc; cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec; - cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_dec; + cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc; cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec; + if (cryptodev_asymfeat & CRF_MOD_EXP) { + cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp; + if (cryptodev_asymfeat & CRF_MOD_EXP_CRT) + cryptodev_rsa.rsa_mod_exp = + cryptodev_rsa_mod_exp; + else + cryptodev_rsa.rsa_mod_exp = + cryptodev_rsa_nocrt_mod_exp; + } } - if ((cryptodev_symfeat & CRSFEAT_DSA) && - ENGINE_set_DSA(engine, &cryptodev_dsa)) { + if (ENGINE_set_DSA(engine, &cryptodev_dsa)) { + const DSA_METHOD *meth = DSA_OpenSSL(); + + memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD)); + if (cryptodev_asymfeat & CRF_DSA_SIGN) + cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign; + if (cryptodev_asymfeat & CRF_MOD_EXP) { + cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp; + cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp; + } + if (cryptodev_asymfeat & CRF_DSA_VERIFY) + cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify; } - if ((cryptodev_symfeat & CRSFEAT_DH) && - ENGINE_set_DH(engine, &cryptodev_dh)) { - dh_meth = DH_OpenSSL(); + if (ENGINE_set_DH(engine, &cryptodev_dh)){ + const DH_METHOD *dh_meth = DH_OpenSSL(); + cryptodev_dh.generate_key = dh_meth->generate_key; cryptodev_dh.compute_key = dh_meth->compute_key; + cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp; + if (cryptodev_asymfeat & CRF_MOD_EXP) { + cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh; + if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY) + cryptodev_dh.compute_key = + cryptodev_dh_compute_key; + } } ENGINE_add(engine); ENGINE_free(engine); ERR_clear_error(); } + +#endif /* HAVE_CRYPTODEV */ diff --git a/src/lib/libcrypto/engine/hw_cswift.c b/src/lib/libcrypto/engine/hw_cswift.c index f5c897bdbb..f128ee5a68 100644 --- a/src/lib/libcrypto/engine/hw_cswift.c +++ b/src/lib/libcrypto/engine/hw_cswift.c @@ -121,6 +121,10 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); #endif +/* RAND stuff */ +static int cswift_rand_bytes(unsigned char *buf, int num); +static int cswift_rand_status(void); + /* The definitions for control commands specific to this engine */ #define CSWIFT_CMD_SO_PATH ENGINE_CMD_BASE static const ENGINE_CMD_DEFN cswift_cmd_defns[] = { @@ -183,6 +187,18 @@ static DH_METHOD cswift_dh = }; #endif +static RAND_METHOD cswift_random = + { + /* "CryptoSwift RAND method", */ + NULL, + cswift_rand_bytes, + NULL, + NULL, + cswift_rand_bytes, + cswift_rand_status, + }; + + /* Constants used when creating the ENGINE */ static const char *engine_cswift_id = "cswift"; static const char *engine_cswift_name = "CryptoSwift hardware engine support"; @@ -208,6 +224,7 @@ static int bind_helper(ENGINE *e) #ifndef OPENSSL_NO_DH !ENGINE_set_DH(e, &cswift_dh) || #endif + !ENGINE_set_RAND(e, &cswift_random) || !ENGINE_set_destroy_function(e, cswift_destroy) || !ENGINE_set_init_function(e, cswift_init) || !ENGINE_set_finish_function(e, cswift_finish) || @@ -242,6 +259,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_cswift(void) { ENGINE *ret = ENGINE_new(); @@ -264,6 +282,7 @@ void ENGINE_load_cswift(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This is a process-global DSO handle used for loading and unloading * the CryptoSwift library. NB: This is only set (or unset) during an @@ -905,6 +924,60 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r, } #endif +/* Random bytes are good */ +static int cswift_rand_bytes(unsigned char *buf, int num) +{ + SW_CONTEXT_HANDLE hac; + SW_STATUS swrc; + SW_LARGENUMBER largenum; + size_t nbytes = 0; + int acquired = 0; + int to_return = 0; /* assume failure */ + + if (!get_context(&hac)) + { + CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_UNIT_FAILURE); + goto err; + } + acquired = 1; + + while (nbytes < (size_t)num) + { + /* tell CryptoSwift how many bytes we want and where we want it. + * Note: - CryptoSwift cannot do more than 4096 bytes at a time. + * - CryptoSwift can only do multiple of 32-bits. */ + largenum.value = (SW_BYTE *) buf + nbytes; + if (4096 > num - nbytes) + largenum.nbytes = num - nbytes; + else + largenum.nbytes = 4096; + + swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1); + if (swrc != SW_OK) + { + char tmpbuf[20]; + CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_REQUEST_FAILED); + sprintf(tmpbuf, "%ld", swrc); + ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf); + goto err; + } + + nbytes += largenum.nbytes; + } + to_return = 1; /* success */ + +err: + if (acquired) + release_context(hac); + return to_return; +} + +static int cswift_rand_status(void) +{ + return 1; +} + + /* This stuff is needed if this ENGINE is being compiled into a self-contained * shared-library. */ #ifdef ENGINE_DYNAMIC_SUPPORT diff --git a/src/lib/libcrypto/engine/hw_ncipher.c b/src/lib/libcrypto/engine/hw_ncipher.c index a43d4360f2..0d1c6b8df0 100644 --- a/src/lib/libcrypto/engine/hw_ncipher.c +++ b/src/lib/libcrypto/engine/hw_ncipher.c @@ -91,11 +91,19 @@ static int hwcrhk_init(ENGINE *e); static int hwcrhk_finish(ENGINE *e); static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); -/* Functions to handle mutexes */ +/* Functions to handle mutexes if have dynamic locks */ static int hwcrhk_mutex_init(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext*); static int hwcrhk_mutex_lock(HWCryptoHook_Mutex*); static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex*); static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*); +#if 1 /* This is a HACK which will disappear in 0.9.8 */ +/* Functions to handle mutexes if only have static locks */ +static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m, + HWCryptoHook_CallerContext *c); +static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m); +static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m); +static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m); +#endif /* BIGNUM stuff */ static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, @@ -373,6 +381,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_ncipher(void) { ENGINE *ret = ENGINE_new(); @@ -395,6 +404,7 @@ void ENGINE_load_chil(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This is a process-global DSO handle used for loading and unloading * the HWCryptoHook library. NB: This is only set (or unset) during an @@ -558,15 +568,31 @@ static int hwcrhk_init(ENGINE *e) /* Check if the application decided to support dynamic locks, and if it does, use them. */ - if (disable_mutex_callbacks == 0 && - CRYPTO_get_dynlock_create_callback() != NULL && - CRYPTO_get_dynlock_lock_callback() != NULL && - CRYPTO_get_dynlock_destroy_callback() != NULL) + if (disable_mutex_callbacks == 0) { - hwcrhk_globals.mutex_init = hwcrhk_mutex_init; - hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock; - hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock; - hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy; + if (CRYPTO_get_dynlock_create_callback() != NULL && + CRYPTO_get_dynlock_lock_callback() != NULL && + CRYPTO_get_dynlock_destroy_callback() != NULL) + { + hwcrhk_globals.mutex_init = hwcrhk_mutex_init; + hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock; + hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock; + hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy; + } + else if (CRYPTO_get_locking_callback() != NULL) + { + HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DYNAMIC_LOCKING_MISSING); + ERR_add_error_data(1,"You HAVE to add dynamic locking callbacks via CRYPTO_set_dynlock_{create,lock,destroy}_callback()"); +#if 1 /* This is a HACK which will disappear in 0.9.8 */ + hwcrhk_globals.maxmutexes = 1; /* Only have one lock */ + hwcrhk_globals.mutex_init = hwcrhk_static_mutex_init; + hwcrhk_globals.mutex_acquire = hwcrhk_static_mutex_lock; + hwcrhk_globals.mutex_release = hwcrhk_static_mutex_unlock; + hwcrhk_globals.mutex_destroy = hwcrhk_static_mutex_destroy; +#else + goto err; +#endif + } } /* Try and get a context - if not, we may have a DSO but no @@ -1020,7 +1046,7 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa) /* Perform the operation */ ret = p_hwcrhk_ModExpCRT(hwcrhk_context, m_a, m_p, m_q, - m_dmp1, m_dmq1, m_iqmp, &m_r, NULL); + m_dmp1, m_dmq1, m_iqmp, &m_r, &rmsg); /* Convert the response */ r->top = m_r.size / sizeof(BN_ULONG); @@ -1171,6 +1197,26 @@ static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex *mt) CRYPTO_destroy_dynlockid(mt->lockid); } +/* Mutex upcalls to use if the application does not support dynamic locks */ + +static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m, + HWCryptoHook_CallerContext *c) + { + return 0; + } +static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m) + { + CRYPTO_w_lock(CRYPTO_LOCK_HWCRHK); + return 0; + } +static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m) + { + CRYPTO_w_unlock(CRYPTO_LOCK_HWCRHK); + } +static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m) + { + } + static int hwcrhk_get_pass(const char *prompt_info, int *len_io, char *buf, HWCryptoHook_PassphraseContext *ppctx, @@ -1318,7 +1364,7 @@ static void hwcrhk_log_message(void *logstr, const char *message) lstream=*(BIO **)logstr; if (lstream) { - BIO_write(lstream, message, strlen(message)); + BIO_printf(lstream, "%s\n", message); } CRYPTO_w_unlock(CRYPTO_LOCK_BIO); } diff --git a/src/lib/libcrypto/engine/hw_ncipher_err.c b/src/lib/libcrypto/engine/hw_ncipher_err.c index 24024cfc6f..5bc94581b7 100644 --- a/src/lib/libcrypto/engine/hw_ncipher_err.c +++ b/src/lib/libcrypto/engine/hw_ncipher_err.c @@ -1,6 +1,6 @@ /* hw_ncipher_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -86,6 +86,7 @@ static ERR_STRING_DATA HWCRHK_str_reasons[]= {HWCRHK_R_CHIL_ERROR ,"chil error"}, {HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED ,"ctrl command not implemented"}, {HWCRHK_R_DSO_FAILURE ,"dso failure"}, +{HWCRHK_R_DYNAMIC_LOCKING_MISSING ,"dynamic locking missing"}, {HWCRHK_R_MISSING_KEY_COMPONENTS ,"missing key components"}, {HWCRHK_R_NOT_INITIALISED ,"not initialised"}, {HWCRHK_R_NOT_LOADED ,"not loaded"}, diff --git a/src/lib/libcrypto/engine/hw_ncipher_err.h b/src/lib/libcrypto/engine/hw_ncipher_err.h index 4d65b1d470..d232d02319 100644 --- a/src/lib/libcrypto/engine/hw_ncipher_err.h +++ b/src/lib/libcrypto/engine/hw_ncipher_err.h @@ -84,6 +84,7 @@ static void ERR_HWCRHK_error(int function, int reason, char *file, int line); #define HWCRHK_R_CHIL_ERROR 102 #define HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 #define HWCRHK_R_DSO_FAILURE 104 +#define HWCRHK_R_DYNAMIC_LOCKING_MISSING 114 #define HWCRHK_R_MISSING_KEY_COMPONENTS 105 #define HWCRHK_R_NOT_INITIALISED 106 #define HWCRHK_R_NOT_LOADED 107 diff --git a/src/lib/libcrypto/engine/hw_nuron.c b/src/lib/libcrypto/engine/hw_nuron.c index 130b6d8b40..fb9188bfe5 100644 --- a/src/lib/libcrypto/engine/hw_nuron.c +++ b/src/lib/libcrypto/engine/hw_nuron.c @@ -374,6 +374,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_nuron(void) { ENGINE *ret = ENGINE_new(); @@ -396,6 +397,7 @@ void ENGINE_load_nuron(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This stuff is needed if this ENGINE is being compiled into a self-contained * shared-library. */ diff --git a/src/lib/libcrypto/engine/hw_sureware.c b/src/lib/libcrypto/engine/hw_sureware.c new file mode 100644 index 0000000000..fca467e690 --- /dev/null +++ b/src/lib/libcrypto/engine/hw_sureware.c @@ -0,0 +1,1039 @@ +/* Written by Corinne Dive-Reclus(cdive@baltimore.com) +* +* +* Redistribution and use in source and binary forms, with or without +* modification, are permitted provided that the following conditions +* are met: +* +* 1. Redistributions of source code must retain the above copyright +* notice, this list of conditions and the following disclaimer. +* +* 2. Redistributions in binary form must reproduce the above copyright +* notice, this list of conditions and the following disclaimer in +* the documentation and/or other materials provided with the +* distribution. +* +* 3. All advertising materials mentioning features or use of this +* software must display the following acknowledgment: +* "This product includes software developed by the OpenSSL Project +* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" +* +* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +* endorse or promote products derived from this software without +* prior written permission. For written permission, please contact +* licensing@OpenSSL.org. +* +* 5. Products derived from this software may not be called "OpenSSL" +* nor may "OpenSSL" appear in their names without prior written +* permission of the OpenSSL Project. +* +* 6. Redistributions of any form whatsoever must retain the following +* acknowledgment: +* "This product includes software developed by the OpenSSL Project +* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" +* +* Written by Corinne Dive-Reclus(cdive@baltimore.com) +* +* Copyright@2001 Baltimore Technologies Ltd. +* All right Reserved. +* * +* THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND * +* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * +* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * +* ARE DISCLAIMED. IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE * +* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * +* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * +* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * +* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * +* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * +* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * +* SUCH DAMAGE. * +====================================================================*/ + +#include +#include "cryptlib.h" +#include +#include +#include +#include "eng_int.h" +#include "engine.h" +#include + +#ifndef OPENSSL_NO_HW +#ifndef OPENSSL_NO_HW_SUREWARE + +#ifdef FLAT_INC +#include "sureware.h" +#else +#include "vendor_defns/sureware.h" +#endif + +#define SUREWARE_LIB_NAME "sureware engine" +#include "hw_sureware_err.c" + +static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); +static int surewarehk_destroy(ENGINE *e); +static int surewarehk_init(ENGINE *e); +static int surewarehk_finish(ENGINE *e); +static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx); + +/* RSA stuff */ +static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to, + RSA *rsa,int padding); +static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to, + RSA *rsa,int padding); + +/* RAND stuff */ +static int surewarehk_rand_bytes(unsigned char *buf, int num); +static void surewarehk_rand_seed(const void *buf, int num); +static void surewarehk_rand_add(const void *buf, int num, double entropy); + +/* KM stuff */ +static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id, + UI_METHOD *ui_method, void *callback_data); +static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id, + UI_METHOD *ui_method, void *callback_data); +static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, + int idx,long argl, void *argp); +#if 0 +static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, + int idx,long argl, void *argp); +#endif + +#ifndef OPENSSL_NO_RSA +/* This function is aliased to mod_exp (with the mont stuff dropped). */ +static int surewarehk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) +{ + return surewarehk_modexp(r, a, p, m, ctx); +} + +/* Our internal RSA_METHOD that we provide pointers to */ +static RSA_METHOD surewarehk_rsa = + { + "SureWare RSA method", + NULL, /* pub_enc*/ + NULL, /* pub_dec*/ + surewarehk_rsa_sign, /* our rsa_sign is OpenSSL priv_enc*/ + surewarehk_rsa_priv_dec, /* priv_dec*/ + NULL, /*mod_exp*/ + surewarehk_mod_exp_mont, /*mod_exp_mongomery*/ + NULL, /* init*/ + NULL, /* finish*/ + 0, /* RSA flag*/ + NULL, + NULL, /* OpenSSL sign*/ + NULL /* OpenSSL verify*/ + }; +#endif + +#ifndef OPENSSL_NO_DH +/* Our internal DH_METHOD that we provide pointers to */ +/* This function is aliased to mod_exp (with the dh and mont dropped). */ +static int surewarehk_modexp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) +{ + return surewarehk_modexp(r, a, p, m, ctx); +} + +static DH_METHOD surewarehk_dh = + { + "SureWare DH method", + NULL,/*gen_key*/ + NULL,/*agree,*/ + surewarehk_modexp_dh, /*dh mod exp*/ + NULL, /* init*/ + NULL, /* finish*/ + 0, /* flags*/ + NULL + }; +#endif + +static RAND_METHOD surewarehk_rand = + { + /* "SureWare RAND method", */ + surewarehk_rand_seed, + surewarehk_rand_bytes, + NULL,/*cleanup*/ + surewarehk_rand_add, + surewarehk_rand_bytes, + NULL,/*rand_status*/ + }; + +#ifndef OPENSSL_NO_DSA +/* DSA stuff */ +static DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); +static int surewarehk_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, + BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +{ + BIGNUM t; + int to_return = 0; + BN_init(&t); + /* let rr = a1 ^ p1 mod m */ + if (!surewarehk_modexp(rr,a1,p1,m,ctx)) goto end; + /* let t = a2 ^ p2 mod m */ + if (!surewarehk_modexp(&t,a2,p2,m,ctx)) goto end; + /* let rr = rr * t mod m */ + if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end; + to_return = 1; +end: + BN_free(&t); + return to_return; +} + +static DSA_METHOD surewarehk_dsa = + { + "SureWare DSA method", + surewarehk_dsa_do_sign, + NULL,/*sign setup*/ + NULL,/*verify,*/ + surewarehk_dsa_mod_exp,/*mod exp*/ + NULL,/*bn mod exp*/ + NULL, /*init*/ + NULL,/*finish*/ + 0, + NULL, + }; +#endif + +static const char *engine_sureware_id = "sureware"; +static const char *engine_sureware_name = "SureWare hardware engine support"; + +/* Now, to our own code */ + +/* As this is only ever called once, there's no need for locking + * (indeed - the lock will already be held by our caller!!!) */ +static int bind_sureware(ENGINE *e) +{ +#ifndef OPENSSL_NO_RSA + const RSA_METHOD *meth1; +#endif +#ifndef OPENSSL_NO_DSA + const DSA_METHOD *meth2; +#endif +#ifndef OPENSSL_NO_DH + const DH_METHOD *meth3; +#endif + + if(!ENGINE_set_id(e, engine_sureware_id) || + !ENGINE_set_name(e, engine_sureware_name) || +#ifndef OPENSSL_NO_RSA + !ENGINE_set_RSA(e, &surewarehk_rsa) || +#endif +#ifndef OPENSSL_NO_DSA + !ENGINE_set_DSA(e, &surewarehk_dsa) || +#endif +#ifndef OPENSSL_NO_DH + !ENGINE_set_DH(e, &surewarehk_dh) || +#endif + !ENGINE_set_RAND(e, &surewarehk_rand) || + !ENGINE_set_destroy_function(e, surewarehk_destroy) || + !ENGINE_set_init_function(e, surewarehk_init) || + !ENGINE_set_finish_function(e, surewarehk_finish) || + !ENGINE_set_ctrl_function(e, surewarehk_ctrl) || + !ENGINE_set_load_privkey_function(e, surewarehk_load_privkey) || + !ENGINE_set_load_pubkey_function(e, surewarehk_load_pubkey)) + return 0; + +#ifndef OPENSSL_NO_RSA + /* We know that the "PKCS1_SSLeay()" functions hook properly + * to the cswift-specific mod_exp and mod_exp_crt so we use + * those functions. NB: We don't use ENGINE_openssl() or + * anything "more generic" because something like the RSAref + * code may not hook properly, and if you own one of these + * cards then you have the right to do RSA operations on it + * anyway! */ + meth1 = RSA_PKCS1_SSLeay(); + if (meth1) + { + surewarehk_rsa.rsa_pub_enc = meth1->rsa_pub_enc; + surewarehk_rsa.rsa_pub_dec = meth1->rsa_pub_dec; + } +#endif + +#ifndef OPENSSL_NO_DSA + /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish + * bits. */ + meth2 = DSA_OpenSSL(); + if (meth2) + { + surewarehk_dsa.dsa_do_verify = meth2->dsa_do_verify; + } +#endif + +#ifndef OPENSSL_NO_DH + /* Much the same for Diffie-Hellman */ + meth3 = DH_OpenSSL(); + if (meth3) + { + surewarehk_dh.generate_key = meth3->generate_key; + surewarehk_dh.compute_key = meth3->compute_key; + } +#endif + + /* Ensure the sureware error handling is set up */ + ERR_load_SUREWARE_strings(); + return 1; +} + +#ifdef ENGINE_DYNAMIC_SUPPORT +static int bind_helper(ENGINE *e, const char *id) + { + if(id && (strcmp(id, engine_sureware_id) != 0)) + return 0; + if(!bind_sureware(e)) + return 0; + return 1; + } +IMPLEMENT_DYNAMIC_CHECK_FN() +IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) +#else +static ENGINE *engine_sureware(void) + { + ENGINE *ret = ENGINE_new(); + if(!ret) + return NULL; + if(!bind_sureware(ret)) + { + ENGINE_free(ret); + return NULL; + } + return ret; + } + +void ENGINE_load_sureware(void) + { + /* Copied from eng_[openssl|dyn].c */ + ENGINE *toadd = engine_sureware(); + if(!toadd) return; + ENGINE_add(toadd); + ENGINE_free(toadd); + ERR_clear_error(); + } +#endif + +/* This is a process-global DSO handle used for loading and unloading + * the SureWareHook library. NB: This is only set (or unset) during an + * init() or finish() call (reference counts permitting) and they're + * operating with global locks, so this should be thread-safe + * implicitly. */ +static DSO *surewarehk_dso = NULL; +#ifndef OPENSSL_NO_RSA +static int rsaHndidx = -1; /* Index for KM handle. Not really used yet. */ +#endif +#ifndef OPENSSL_NO_DSA +static int dsaHndidx = -1; /* Index for KM handle. Not really used yet. */ +#endif + +/* These are the function pointers that are (un)set when the library has + * successfully (un)loaded. */ +static SureWareHook_Init_t *p_surewarehk_Init = NULL; +static SureWareHook_Finish_t *p_surewarehk_Finish = NULL; +static SureWareHook_Rand_Bytes_t *p_surewarehk_Rand_Bytes = NULL; +static SureWareHook_Rand_Seed_t *p_surewarehk_Rand_Seed = NULL; +static SureWareHook_Load_Privkey_t *p_surewarehk_Load_Privkey = NULL; +static SureWareHook_Info_Pubkey_t *p_surewarehk_Info_Pubkey = NULL; +static SureWareHook_Load_Rsa_Pubkey_t *p_surewarehk_Load_Rsa_Pubkey = NULL; +static SureWareHook_Load_Dsa_Pubkey_t *p_surewarehk_Load_Dsa_Pubkey = NULL; +static SureWareHook_Free_t *p_surewarehk_Free=NULL; +static SureWareHook_Rsa_Priv_Dec_t *p_surewarehk_Rsa_Priv_Dec=NULL; +static SureWareHook_Rsa_Sign_t *p_surewarehk_Rsa_Sign=NULL; +static SureWareHook_Dsa_Sign_t *p_surewarehk_Dsa_Sign=NULL; +static SureWareHook_Mod_Exp_t *p_surewarehk_Mod_Exp=NULL; + +/* Used in the DSO operations. */ +static const char *surewarehk_LIBNAME = "SureWareHook"; +static const char *n_surewarehk_Init = "SureWareHook_Init"; +static const char *n_surewarehk_Finish = "SureWareHook_Finish"; +static const char *n_surewarehk_Rand_Bytes="SureWareHook_Rand_Bytes"; +static const char *n_surewarehk_Rand_Seed="SureWareHook_Rand_Seed"; +static const char *n_surewarehk_Load_Privkey="SureWareHook_Load_Privkey"; +static const char *n_surewarehk_Info_Pubkey="SureWareHook_Info_Pubkey"; +static const char *n_surewarehk_Load_Rsa_Pubkey="SureWareHook_Load_Rsa_Pubkey"; +static const char *n_surewarehk_Load_Dsa_Pubkey="SureWareHook_Load_Dsa_Pubkey"; +static const char *n_surewarehk_Free="SureWareHook_Free"; +static const char *n_surewarehk_Rsa_Priv_Dec="SureWareHook_Rsa_Priv_Dec"; +static const char *n_surewarehk_Rsa_Sign="SureWareHook_Rsa_Sign"; +static const char *n_surewarehk_Dsa_Sign="SureWareHook_Dsa_Sign"; +static const char *n_surewarehk_Mod_Exp="SureWareHook_Mod_Exp"; +static BIO *logstream = NULL; + +/* SureWareHook library functions and mechanics - these are used by the + * higher-level functions further down. NB: As and where there's no + * error checking, take a look lower down where these functions are + * called, the checking and error handling is probably down there. +*/ +static int threadsafe=1; +static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) +{ + int to_return = 1; + + switch(cmd) + { + case ENGINE_CTRL_SET_LOGSTREAM: + { + BIO *bio = (BIO *)p; + CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); + if (logstream) + { + BIO_free(logstream); + logstream = NULL; + } + if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1) + logstream = bio; + else + SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL,SUREWARE_R_BIO_WAS_FREED); + } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); + break; + /* This will prevent the initialisation function from "installing" + * the mutex-handling callbacks, even if they are available from + * within the library (or were provided to the library from the + * calling application). This is to remove any baggage for + * applications not using multithreading. */ + case ENGINE_CTRL_CHIL_NO_LOCKING: + CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); + threadsafe = 0; + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); + break; + + /* The command isn't understood by this engine */ + default: + SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL, + ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED); + to_return = 0; + break; + } + + return to_return; +} + +/* Destructor (complements the "ENGINE_surewarehk()" constructor) */ +static int surewarehk_destroy(ENGINE *e) +{ + ERR_unload_SUREWARE_strings(); + return 1; +} + +/* (de)initialisation functions. */ +static int surewarehk_init(ENGINE *e) +{ + char msg[64]="ENGINE_init"; + SureWareHook_Init_t *p1=NULL; + SureWareHook_Finish_t *p2=NULL; + SureWareHook_Rand_Bytes_t *p3=NULL; + SureWareHook_Rand_Seed_t *p4=NULL; + SureWareHook_Load_Privkey_t *p5=NULL; + SureWareHook_Load_Rsa_Pubkey_t *p6=NULL; + SureWareHook_Free_t *p7=NULL; + SureWareHook_Rsa_Priv_Dec_t *p8=NULL; + SureWareHook_Rsa_Sign_t *p9=NULL; + SureWareHook_Dsa_Sign_t *p12=NULL; + SureWareHook_Info_Pubkey_t *p13=NULL; + SureWareHook_Load_Dsa_Pubkey_t *p14=NULL; + SureWareHook_Mod_Exp_t *p15=NULL; + + if(surewarehk_dso != NULL) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_ALREADY_LOADED); + goto err; + } + /* Attempt to load libsurewarehk.so/surewarehk.dll/whatever. */ + surewarehk_dso = DSO_load(NULL, surewarehk_LIBNAME, NULL, 0); + if(surewarehk_dso == NULL) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE); + goto err; + } + if(!(p1=(SureWareHook_Init_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Init)) || + !(p2=(SureWareHook_Finish_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Finish)) || + !(p3=(SureWareHook_Rand_Bytes_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Bytes)) || + !(p4=(SureWareHook_Rand_Seed_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Seed)) || + !(p5=(SureWareHook_Load_Privkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Privkey)) || + !(p6=(SureWareHook_Load_Rsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Rsa_Pubkey)) || + !(p7=(SureWareHook_Free_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Free)) || + !(p8=(SureWareHook_Rsa_Priv_Dec_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Priv_Dec)) || + !(p9=(SureWareHook_Rsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Sign)) || + !(p12=(SureWareHook_Dsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Dsa_Sign)) || + !(p13=(SureWareHook_Info_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Info_Pubkey)) || + !(p14=(SureWareHook_Load_Dsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Dsa_Pubkey)) || + !(p15=(SureWareHook_Mod_Exp_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Mod_Exp))) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE); + goto err; + } + /* Copy the pointers */ + p_surewarehk_Init = p1; + p_surewarehk_Finish = p2; + p_surewarehk_Rand_Bytes = p3; + p_surewarehk_Rand_Seed = p4; + p_surewarehk_Load_Privkey = p5; + p_surewarehk_Load_Rsa_Pubkey = p6; + p_surewarehk_Free = p7; + p_surewarehk_Rsa_Priv_Dec = p8; + p_surewarehk_Rsa_Sign = p9; + p_surewarehk_Dsa_Sign = p12; + p_surewarehk_Info_Pubkey = p13; + p_surewarehk_Load_Dsa_Pubkey = p14; + p_surewarehk_Mod_Exp = p15; + /* Contact the hardware and initialises it. */ + if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE); + goto err; + } + if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE); + goto err; + } + /* try to load the default private key, if failed does not return a failure but + wait for an explicit ENGINE_load_privakey */ + surewarehk_load_privkey(e,NULL,NULL,NULL); + + /* Everything's fine. */ +#ifndef OPENSSL_NO_RSA + if (rsaHndidx == -1) + rsaHndidx = RSA_get_ex_new_index(0, + "SureWareHook RSA key handle", + NULL, NULL, surewarehk_ex_free); +#endif +#ifndef OPENSSL_NO_DSA + if (dsaHndidx == -1) + dsaHndidx = DSA_get_ex_new_index(0, + "SureWareHook DSA key handle", + NULL, NULL, surewarehk_ex_free); +#endif + + return 1; +err: + if(surewarehk_dso) + DSO_free(surewarehk_dso); + surewarehk_dso = NULL; + p_surewarehk_Init = NULL; + p_surewarehk_Finish = NULL; + p_surewarehk_Rand_Bytes = NULL; + p_surewarehk_Rand_Seed = NULL; + p_surewarehk_Load_Privkey = NULL; + p_surewarehk_Load_Rsa_Pubkey = NULL; + p_surewarehk_Free = NULL; + p_surewarehk_Rsa_Priv_Dec = NULL; + p_surewarehk_Rsa_Sign = NULL; + p_surewarehk_Dsa_Sign = NULL; + p_surewarehk_Info_Pubkey = NULL; + p_surewarehk_Load_Dsa_Pubkey = NULL; + p_surewarehk_Mod_Exp = NULL; + return 0; +} + +static int surewarehk_finish(ENGINE *e) +{ + int to_return = 1; + if(surewarehk_dso == NULL) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_NOT_LOADED); + to_return = 0; + goto err; + } + p_surewarehk_Finish(); + if(!DSO_free(surewarehk_dso)) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_DSO_FAILURE); + to_return = 0; + goto err; + } + err: + if (logstream) + BIO_free(logstream); + surewarehk_dso = NULL; + p_surewarehk_Init = NULL; + p_surewarehk_Finish = NULL; + p_surewarehk_Rand_Bytes = NULL; + p_surewarehk_Rand_Seed = NULL; + p_surewarehk_Load_Privkey = NULL; + p_surewarehk_Load_Rsa_Pubkey = NULL; + p_surewarehk_Free = NULL; + p_surewarehk_Rsa_Priv_Dec = NULL; + p_surewarehk_Rsa_Sign = NULL; + p_surewarehk_Dsa_Sign = NULL; + p_surewarehk_Info_Pubkey = NULL; + p_surewarehk_Load_Dsa_Pubkey = NULL; + p_surewarehk_Mod_Exp = NULL; + return to_return; +} + +static void surewarehk_error_handling(char *const msg,int func,int ret) +{ + switch (ret) + { + case SUREWAREHOOK_ERROR_UNIT_FAILURE: + ENGINEerr(func,SUREWARE_R_UNIT_FAILURE); + break; + case SUREWAREHOOK_ERROR_FALLBACK: + ENGINEerr(func,SUREWARE_R_REQUEST_FALLBACK); + break; + case SUREWAREHOOK_ERROR_DATA_SIZE: + ENGINEerr(func,SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL); + break; + case SUREWAREHOOK_ERROR_INVALID_PAD: + ENGINEerr(func,RSA_R_PADDING_CHECK_FAILED); + break; + default: + ENGINEerr(func,SUREWARE_R_REQUEST_FAILED); + break; + case 1:/*nothing*/ + msg[0]='\0'; + } + if (*msg) + { + ERR_add_error_data(1,msg); + if (logstream) + { + CRYPTO_w_lock(CRYPTO_LOCK_BIO); + BIO_write(logstream, msg, strlen(msg)); + CRYPTO_w_unlock(CRYPTO_LOCK_BIO); + } + } +} + +static int surewarehk_rand_bytes(unsigned char *buf, int num) +{ + int ret=0; + char msg[64]="ENGINE_rand_bytes"; + if(!p_surewarehk_Rand_Bytes) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_BYTES,ENGINE_R_NOT_INITIALISED); + } + else + { + ret = p_surewarehk_Rand_Bytes(msg,buf, num); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_BYTES,ret); + } + return ret==1 ? 1 : 0; +} + +static void surewarehk_rand_seed(const void *buf, int num) +{ + int ret=0; + char msg[64]="ENGINE_rand_seed"; + if(!p_surewarehk_Rand_Seed) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_SEED,ENGINE_R_NOT_INITIALISED); + } + else + { + ret = p_surewarehk_Rand_Seed(msg,buf, num); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_SEED,ret); + } +} + +static void surewarehk_rand_add(const void *buf, int num, double entropy) +{ + surewarehk_rand_seed(buf,num); +} + +static EVP_PKEY* sureware_load_public(ENGINE *e,const char *key_id,char *hptr,unsigned long el,char keytype) +{ + EVP_PKEY *res = NULL; +#ifndef OPENSSL_NO_RSA + RSA *rsatmp = NULL; +#endif +#ifndef OPENSSL_NO_DSA + DSA *dsatmp=NULL; +#endif + char msg[64]="sureware_load_public"; + int ret=0; + if(!p_surewarehk_Load_Rsa_Pubkey || !p_surewarehk_Load_Dsa_Pubkey) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED); + goto err; + } + switch (keytype) + { +#ifndef OPENSSL_NO_RSA + case 1: /*RSA*/ + /* set private external reference */ + rsatmp = RSA_new_method(e); + RSA_set_ex_data(rsatmp,rsaHndidx,hptr); + rsatmp->flags |= RSA_FLAG_EXT_PKEY; + + /* set public big nums*/ + rsatmp->e = BN_new(); + rsatmp->n = BN_new(); + bn_expand2(rsatmp->e, el/sizeof(BN_ULONG)); + bn_expand2(rsatmp->n, el/sizeof(BN_ULONG)); + if (!rsatmp->e || rsatmp->e->dmax!=(int)(el/sizeof(BN_ULONG))|| + !rsatmp->n || rsatmp->n->dmax!=(int)(el/sizeof(BN_ULONG))) + goto err; + ret=p_surewarehk_Load_Rsa_Pubkey(msg,key_id,el, + (unsigned long *)rsatmp->n->d, + (unsigned long *)rsatmp->e->d); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret); + if (ret!=1) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); + goto err; + } + /* normalise pub e and pub n */ + rsatmp->e->top=el/sizeof(BN_ULONG); + bn_fix_top(rsatmp->e); + rsatmp->n->top=el/sizeof(BN_ULONG); + bn_fix_top(rsatmp->n); + /* create an EVP object: engine + rsa key */ + res = EVP_PKEY_new(); + EVP_PKEY_assign_RSA(res, rsatmp); + break; +#endif + +#ifndef OPENSSL_NO_DSA + case 2:/*DSA*/ + /* set private/public external reference */ + dsatmp = DSA_new_method(e); + DSA_set_ex_data(dsatmp,dsaHndidx,hptr); + /*dsatmp->flags |= DSA_FLAG_EXT_PKEY;*/ + + /* set public key*/ + dsatmp->pub_key = BN_new(); + dsatmp->p = BN_new(); + dsatmp->q = BN_new(); + dsatmp->g = BN_new(); + bn_expand2(dsatmp->pub_key, el/sizeof(BN_ULONG)); + bn_expand2(dsatmp->p, el/sizeof(BN_ULONG)); + bn_expand2(dsatmp->q, 20/sizeof(BN_ULONG)); + bn_expand2(dsatmp->g, el/sizeof(BN_ULONG)); + if (!dsatmp->pub_key || dsatmp->pub_key->dmax!=(int)(el/sizeof(BN_ULONG))|| + !dsatmp->p || dsatmp->p->dmax!=(int)(el/sizeof(BN_ULONG)) || + !dsatmp->q || dsatmp->q->dmax!=20/sizeof(BN_ULONG) || + !dsatmp->g || dsatmp->g->dmax!=(int)(el/sizeof(BN_ULONG))) + goto err; + + ret=p_surewarehk_Load_Dsa_Pubkey(msg,key_id,el, + (unsigned long *)dsatmp->pub_key->d, + (unsigned long *)dsatmp->p->d, + (unsigned long *)dsatmp->q->d, + (unsigned long *)dsatmp->g->d); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret); + if (ret!=1) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); + goto err; + } + /* set parameters */ + /* normalise pubkey and parameters in case of */ + dsatmp->pub_key->top=el/sizeof(BN_ULONG); + bn_fix_top(dsatmp->pub_key); + dsatmp->p->top=el/sizeof(BN_ULONG); + bn_fix_top(dsatmp->p); + dsatmp->q->top=20/sizeof(BN_ULONG); + bn_fix_top(dsatmp->q); + dsatmp->g->top=el/sizeof(BN_ULONG); + bn_fix_top(dsatmp->g); + + /* create an EVP object: engine + rsa key */ + res = EVP_PKEY_new(); + EVP_PKEY_assign_DSA(res, dsatmp); + break; +#endif + + default: + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY); + goto err; + } + return res; + err: + if (res) + EVP_PKEY_free(res); +#ifndef OPENSSL_NO_RSA + if (rsatmp) + RSA_free(rsatmp); +#endif +#ifndef OPENSSL_NO_DSA + if (dsatmp) + DSA_free(dsatmp); +#endif + return NULL; +} + +static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id, + UI_METHOD *ui_method, void *callback_data) +{ + EVP_PKEY *res = NULL; + int ret=0; + unsigned long el=0; + char *hptr=NULL; + char keytype=0; + char msg[64]="ENGINE_load_privkey"; + + if(!p_surewarehk_Load_Privkey) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_NOT_INITIALISED); + } + else + { + ret=p_surewarehk_Load_Privkey(msg,key_id,&hptr,&el,&keytype); + if (ret!=1) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY); + ERR_add_error_data(1,msg); + } + else + res=sureware_load_public(e,key_id,hptr,el,keytype); + } + return res; +} + +static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id, + UI_METHOD *ui_method, void *callback_data) +{ + EVP_PKEY *res = NULL; + int ret=0; + unsigned long el=0; + char *hptr=NULL; + char keytype=0; + char msg[64]="ENGINE_load_pubkey"; + + if(!p_surewarehk_Info_Pubkey) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED); + } + else + { + /* call once to identify if DSA or RSA */ + ret=p_surewarehk_Info_Pubkey(msg,key_id,&el,&keytype); + if (ret!=1) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); + ERR_add_error_data(1,msg); + } + else + res=sureware_load_public(e,key_id,hptr,el,keytype); + } + return res; +} + +/* This cleans up an RSA/DSA KM key(do not destroy the key into the hardware) +, called when ex_data is freed */ +static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, + int idx,long argl, void *argp) +{ + if(!p_surewarehk_Free) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED); + } + else + p_surewarehk_Free((char *)item,0); +} + +#if 0 +/* This cleans up an DH KM key (destroys the key into hardware), +called when ex_data is freed */ +static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, + int idx,long argl, void *argp) +{ + if(!p_surewarehk_Free) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED); + } + else + p_surewarehk_Free((char *)item,1); +} +#endif + +/* +* return number of decrypted bytes +*/ +#ifndef OPENSSL_NO_RSA +static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to, + RSA *rsa,int padding) +{ + int ret=0,tlen; + char *buf=NULL,*hptr=NULL; + char msg[64]="ENGINE_rsa_priv_dec"; + if (!p_surewarehk_Rsa_Priv_Dec) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ENGINE_R_NOT_INITIALISED); + } + /* extract ref to private key */ + else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx))) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,SUREWARE_R_MISSING_KEY_COMPONENTS); + goto err; + } + /* analyse what padding we can do into the hardware */ + if (padding==RSA_PKCS1_PADDING) + { + /* do it one shot */ + ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret); + if (ret!=1) + goto err; + ret=tlen; + } + else /* do with no padding into hardware */ + { + ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_NO_PAD); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret); + if (ret!=1) + goto err; + /* intermediate buffer for padding */ + if ((buf=OPENSSL_malloc(tlen)) == NULL) + { + RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ERR_R_MALLOC_FAILURE); + goto err; + } + memcpy(buf,to,tlen);/* transfert to into buf */ + switch (padding) /* check padding in software */ + { +#ifndef OPENSSL_NO_SHA + case RSA_PKCS1_OAEP_PADDING: + ret=RSA_padding_check_PKCS1_OAEP(to,tlen,(unsigned char *)buf,tlen,tlen,NULL,0); + break; +#endif + case RSA_SSLV23_PADDING: + ret=RSA_padding_check_SSLv23(to,tlen,(unsigned char *)buf,flen,tlen); + break; + case RSA_NO_PADDING: + ret=RSA_padding_check_none(to,tlen,(unsigned char *)buf,flen,tlen); + break; + default: + RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_UNKNOWN_PADDING_TYPE); + goto err; + } + if (ret < 0) + RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_PADDING_CHECK_FAILED); + } +err: + if (buf) + { + OPENSSL_cleanse(buf,tlen); + OPENSSL_free(buf); + } + return ret; +} + +/* +* Does what OpenSSL rsa_priv_enc does. +*/ +static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to, + RSA *rsa,int padding) +{ + int ret=0,tlen; + char *hptr=NULL; + char msg[64]="ENGINE_rsa_sign"; + if (!p_surewarehk_Rsa_Sign) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,ENGINE_R_NOT_INITIALISED); + } + /* extract ref to private key */ + else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx))) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,SUREWARE_R_MISSING_KEY_COMPONENTS); + } + else + { + switch (padding) + { + case RSA_PKCS1_PADDING: /* do it in one shot */ + ret=p_surewarehk_Rsa_Sign(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,ret); + break; + case RSA_NO_PADDING: + default: + RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,RSA_R_UNKNOWN_PADDING_TYPE); + } + } + return ret==1 ? tlen : ret; +} + +#endif + +#ifndef OPENSSL_NO_DSA +/* DSA sign and verify */ +static DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *from, int flen, DSA *dsa) +{ + int ret=0; + char *hptr=NULL; + DSA_SIG *psign=NULL; + char msg[64]="ENGINE_dsa_do_sign"; + if (!p_surewarehk_Dsa_Sign) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ENGINE_R_NOT_INITIALISED); + } + /* extract ref to private key */ + else if (!(hptr=DSA_get_ex_data(dsa, dsaHndidx))) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,SUREWARE_R_MISSING_KEY_COMPONENTS); + } + else + { + if((psign = DSA_SIG_new()) == NULL) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ERR_R_MALLOC_FAILURE); + goto err; + } + psign->r=BN_new(); + psign->s=BN_new(); + bn_expand2(psign->r, 20/sizeof(BN_ULONG)); + bn_expand2(psign->s, 20/sizeof(BN_ULONG)); + if (!psign->r || psign->r->dmax!=20/sizeof(BN_ULONG) || + !psign->s || psign->s->dmax!=20/sizeof(BN_ULONG)) + goto err; + ret=p_surewarehk_Dsa_Sign(msg,flen,from, + (unsigned long *)psign->r->d, + (unsigned long *)psign->s->d, + hptr); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ret); + } + psign->r->top=20/sizeof(BN_ULONG); + bn_fix_top(psign->r); + psign->s->top=20/sizeof(BN_ULONG); + bn_fix_top(psign->s); + +err: + if (psign) + { + DSA_SIG_free(psign); + psign=NULL; + } + return psign; +} +#endif + +static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx) +{ + int ret=0; + char msg[64]="ENGINE_modexp"; + if (!p_surewarehk_Mod_Exp) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_MOD_EXP,ENGINE_R_NOT_INITIALISED); + } + else + { + bn_expand2(r,m->top); + if (r && r->dmax==m->top) + { + /* do it*/ + ret=p_surewarehk_Mod_Exp(msg, + m->top*sizeof(BN_ULONG), + (unsigned long *)m->d, + p->top*sizeof(BN_ULONG), + (unsigned long *)p->d, + a->top*sizeof(BN_ULONG), + (unsigned long *)a->d, + (unsigned long *)r->d); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_MOD_EXP,ret); + if (ret==1) + { + /* normalise result */ + r->top=m->top; + bn_fix_top(r); + } + } + } + return ret; +} +#endif /* !OPENSSL_NO_HW_SureWare */ +#endif /* !OPENSSL_NO_HW */ diff --git a/src/lib/libcrypto/engine/hw_ubsec.c b/src/lib/libcrypto/engine/hw_ubsec.c index ed8401ec16..6286dd851c 100644 --- a/src/lib/libcrypto/engine/hw_ubsec.c +++ b/src/lib/libcrypto/engine/hw_ubsec.c @@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_ubsec(void) { ENGINE *ret = ENGINE_new(); @@ -264,6 +265,7 @@ void ENGINE_load_ubsec(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This is a process-global DSO handle used for loading and unloading * the UBSEC library. NB: This is only set (or unset) during an diff --git a/src/lib/libcrypto/engine/vendor_defns/hw_ubsec.h b/src/lib/libcrypto/engine/vendor_defns/hw_ubsec.h new file mode 100644 index 0000000000..b6619d40f2 --- /dev/null +++ b/src/lib/libcrypto/engine/vendor_defns/hw_ubsec.h @@ -0,0 +1,100 @@ +/****************************************************************************** + * + * Copyright 2000 + * Broadcom Corporation + * 16215 Alton Parkway + * PO Box 57013 + * Irvine CA 92619-7013 + * + *****************************************************************************/ +/* + * Broadcom Corporation uBSec SDK + */ +/* + * Character device header file. + */ +/* + * Revision History: + * + * October 2000 JTT Created. + */ + +#define MAX_PUBLIC_KEY_BITS (1024) +#define MAX_PUBLIC_KEY_BYTES (1024/8) +#define SHA_BIT_SIZE (160) +#define MAX_CRYPTO_KEY_LENGTH 24 +#define MAX_MAC_KEY_LENGTH 64 +#define UBSEC_CRYPTO_DEVICE_NAME ((unsigned char *)"/dev/ubscrypt") +#define UBSEC_KEY_DEVICE_NAME ((unsigned char *)"/dev/ubskey") + +/* Math command types. */ +#define UBSEC_MATH_MODADD 0x0001 +#define UBSEC_MATH_MODSUB 0x0002 +#define UBSEC_MATH_MODMUL 0x0004 +#define UBSEC_MATH_MODEXP 0x0008 +#define UBSEC_MATH_MODREM 0x0010 +#define UBSEC_MATH_MODINV 0x0020 + +typedef long ubsec_MathCommand_t; +typedef long ubsec_RNGCommand_t; + +typedef struct ubsec_crypto_context_s { + unsigned int flags; + unsigned char crypto[MAX_CRYPTO_KEY_LENGTH]; + unsigned char auth[MAX_MAC_KEY_LENGTH]; +} ubsec_crypto_context_t, *ubsec_crypto_context_p; + +/* + * Predeclare the function pointer types that we dynamically load from the DSO. + */ + +typedef int t_UBSEC_ubsec_bytes_to_bits(unsigned char *n, int bytes); + +typedef int t_UBSEC_ubsec_bits_to_bytes(int bits); + +typedef int t_UBSEC_ubsec_open(unsigned char *device); + +typedef int t_UBSEC_ubsec_close(int fd); + +typedef int t_UBSEC_diffie_hellman_generate_ioctl (int fd, + unsigned char *x, int *x_len, unsigned char *y, int *y_len, + unsigned char *g, int g_len, unsigned char *m, int m_len, + unsigned char *userX, int userX_len, int random_bits); + +typedef int t_UBSEC_diffie_hellman_agree_ioctl (int fd, + unsigned char *x, int x_len, unsigned char *y, int y_len, + unsigned char *m, int m_len, unsigned char *k, int *k_len); + +typedef int t_UBSEC_rsa_mod_exp_ioctl (int fd, + unsigned char *x, int x_len, unsigned char *m, int m_len, + unsigned char *e, int e_len, unsigned char *y, int *y_len); + +typedef int t_UBSEC_rsa_mod_exp_crt_ioctl (int fd, + unsigned char *x, int x_len, unsigned char *qinv, int qinv_len, + unsigned char *edq, int edq_len, unsigned char *q, int q_len, + unsigned char *edp, int edp_len, unsigned char *p, int p_len, + unsigned char *y, int *y_len); + +typedef int t_UBSEC_dsa_sign_ioctl (int fd, + int hash, unsigned char *data, int data_len, + unsigned char *rndom, int random_len, + unsigned char *p, int p_len, unsigned char *q, int q_len, + unsigned char *g, int g_len, unsigned char *key, int key_len, + unsigned char *r, int *r_len, unsigned char *s, int *s_len); + +typedef int t_UBSEC_dsa_verify_ioctl (int fd, + int hash, unsigned char *data, int data_len, + unsigned char *p, int p_len, unsigned char *q, int q_len, + unsigned char *g, int g_len, unsigned char *key, int key_len, + unsigned char *r, int r_len, unsigned char *s, int s_len, + unsigned char *v, int *v_len); + +typedef int t_UBSEC_math_accelerate_ioctl(int fd, ubsec_MathCommand_t command, + unsigned char *ModN, int *ModN_len, unsigned char *ExpE, int *ExpE_len, + unsigned char *ParamA, int *ParamA_len, unsigned char *ParamB, int *ParamB_len, + unsigned char *Result, int *Result_len); + +typedef int t_UBSEC_rng_ioctl(int fd, ubsec_RNGCommand_t command, + unsigned char *Result, int *Result_len); + +typedef int t_UBSEC_max_key_len_ioctl(int fd, int *max_key_len); diff --git a/src/lib/libcrypto/engine/vendor_defns/hwcryptohook.h b/src/lib/libcrypto/engine/vendor_defns/hwcryptohook.h new file mode 100644 index 0000000000..aaa4d4575e --- /dev/null +++ b/src/lib/libcrypto/engine/vendor_defns/hwcryptohook.h @@ -0,0 +1,486 @@ +/* + * ModExp / RSA (with/without KM) plugin API + * + * The application will load a dynamic library which + * exports entrypoint(s) defined in this file. + * + * This set of entrypoints provides only a multithreaded, + * synchronous-within-each-thread, facility. + * + * + * This file is Copyright 1998-2000 nCipher Corporation Limited. + * + * Redistribution and use in source and binary forms, with opr without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the copyright notice, + * this list of conditions, and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions, and the following + * disclaimer, in the documentation and/or other materials provided + * with the distribution + * + * IN NO EVENT SHALL NCIPHER CORPORATION LIMITED (`NCIPHER') AND/OR + * ANY OTHER AUTHORS OR DISTRIBUTORS OF THIS FILE BE LIABLE for any + * damages arising directly or indirectly from this file, its use or + * this licence. Without prejudice to the generality of the + * foregoing: all liability shall be excluded for direct, indirect, + * special, incidental, consequential or other damages or any loss of + * profits, business, revenue goodwill or anticipated savings; + * liability shall be excluded even if nCipher or anyone else has been + * advised of the possibility of damage. In any event, if the + * exclusion of liability is not effective, the liability of nCipher + * or any author or distributor shall be limited to the lesser of the + * price paid and 1,000 pounds sterling. This licence only fails to + * exclude or limit liability for death or personal injury arising out + * of negligence, and only to the extent that such an exclusion or + * limitation is not effective. + * + * NCIPHER AND THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ALL + * AND ANY WARRANTIES (WHETHER EXPRESS OR IMPLIED), including, but not + * limited to, any implied warranties of merchantability, fitness for + * a particular purpose, satisfactory quality, and/or non-infringement + * of any third party rights. + * + * US Government use: This software and documentation is Commercial + * Computer Software and Computer Software Documentation, as defined in + * sub-paragraphs (a)(1) and (a)(5) of DFAR 252.227-7014, "Rights in + * Noncommercial Computer Software and Noncommercial Computer Software + * Documentation." Use, duplication or disclosure by the Government is + * subject to the terms and conditions specified here. + * + * By using or distributing this file you will be accepting these + * terms and conditions, including the limitation of liability and + * lack of warranty. If you do not wish to accept these terms and + * conditions, DO NOT USE THE FILE. + * + * + * The actual dynamically loadable plugin, and the library files for + * static linking, which are also provided in some distributions, are + * not covered by the licence described above. You should have + * received a separate licence with terms and conditions for these + * library files; if you received the library files without a licence, + * please contact nCipher. + * + * + * $Id: hwcryptohook.h,v 1.1.1.1 2003/05/11 21:35:16 markus Exp $ + */ + +#ifndef HWCRYPTOHOOK_H +#define HWCRYPTOHOOK_H + +#include +#include + +#ifndef HWCRYPTOHOOK_DECLARE_APPTYPES +#define HWCRYPTOHOOK_DECLARE_APPTYPES 1 +#endif + +#define HWCRYPTOHOOK_ERROR_FAILED -1 +#define HWCRYPTOHOOK_ERROR_FALLBACK -2 +#define HWCRYPTOHOOK_ERROR_MPISIZE -3 + +#if HWCRYPTOHOOK_DECLARE_APPTYPES + +/* These structs are defined by the application and opaque to the + * crypto plugin. The application may define these as it sees fit. + * Default declarations are provided here, but the application may + * #define HWCRYPTOHOOK_DECLARE_APPTYPES 0 + * to prevent these declarations, and instead provide its own + * declarations of these types. (Pointers to them must still be + * ordinary pointers to structs or unions, or the resulting combined + * program will have a type inconsistency.) + */ +typedef struct HWCryptoHook_MutexValue HWCryptoHook_Mutex; +typedef struct HWCryptoHook_CondVarValue HWCryptoHook_CondVar; +typedef struct HWCryptoHook_PassphraseContextValue HWCryptoHook_PassphraseContext; +typedef struct HWCryptoHook_CallerContextValue HWCryptoHook_CallerContext; + +#endif /* HWCRYPTOHOOK_DECLARE_APPTYPES */ + +/* These next two structs are opaque to the application. The crypto + * plugin will return pointers to them; the caller simply manipulates + * the pointers. + */ +typedef struct HWCryptoHook_Context *HWCryptoHook_ContextHandle; +typedef struct HWCryptoHook_RSAKey *HWCryptoHook_RSAKeyHandle; + +typedef struct { + char *buf; + size_t size; +} HWCryptoHook_ErrMsgBuf; +/* Used for error reporting. When a HWCryptoHook function fails it + * will return a sentinel value (0 for pointer-valued functions, or a + * negative number, usually HWCRYPTOHOOK_ERROR_FAILED, for + * integer-valued ones). It will, if an ErrMsgBuf is passed, also put + * an error message there. + * + * size is the size of the buffer, and will not be modified. If you + * pass 0 for size you must pass 0 for buf, and nothing will be + * recorded (just as if you passed 0 for the struct pointer). + * Messages written to the buffer will always be null-terminated, even + * when truncated to fit within size bytes. + * + * The contents of the buffer are not defined if there is no error. + */ + +typedef struct HWCryptoHook_MPIStruct { + unsigned char *buf; + size_t size; +} HWCryptoHook_MPI; +/* When one of these is returned, a pointer is passed to the function. + * At call, size is the space available. Afterwards it is updated to + * be set to the actual length (which may be more than the space available, + * if there was not enough room and the result was truncated). + * buf (the pointer) is not updated. + * + * size is in bytes and may be zero at call or return, but must be a + * multiple of the limb size. Zero limbs at the MS end are not + * permitted. + */ + +#define HWCryptoHook_InitFlags_FallbackModExp 0x0002UL +#define HWCryptoHook_InitFlags_FallbackRSAImmed 0x0004UL +/* Enable requesting fallback to software in case of problems with the + * hardware support. This indicates to the crypto provider that the + * application is prepared to fall back to software operation if the + * ModExp* or RSAImmed* functions return HWCRYPTOHOOK_ERROR_FALLBACK. + * Without this flag those calls will never return + * HWCRYPTOHOOK_ERROR_FALLBACK. The flag will also cause the crypto + * provider to avoid repeatedly attempting to contact dead hardware + * within a short interval, if appropriate. + */ + +#define HWCryptoHook_InitFlags_SimpleForkCheck 0x0010UL +/* Without _SimpleForkCheck the library is allowed to assume that the + * application will not fork and call the library in the child(ren). + * + * When it is specified, this is allowed. However, after a fork + * neither parent nor child may unload any loaded keys or call + * _Finish. Instead, they should call exit (or die with a signal) + * without calling _Finish. After all the children have died the + * parent may unload keys or call _Finish. + * + * This flag only has any effect on UN*X platforms. + */ + +typedef struct { + unsigned long flags; + void *logstream; /* usually a FILE*. See below. */ + + size_t limbsize; /* bignum format - size of radix type, must be power of 2 */ + int mslimbfirst; /* 0 or 1 */ + int msbytefirst; /* 0 or 1; -1 = native */ + + /* All the callback functions should return 0 on success, or a + * nonzero integer (whose value will be visible in the error message + * put in the buffer passed to the call). + * + * If a callback is not available pass a null function pointer. + * + * The callbacks may not call down again into the crypto plugin. + */ + + /* For thread-safety. Set everything to 0 if you promise only to be + * singlethreaded. maxsimultaneous is the number of calls to + * ModExp[Crt]/RSAImmed{Priv,Pub}/RSA. If you don't know what to + * put there then say 0 and the hook library will use a default. + * + * maxmutexes is a small limit on the number of simultaneous mutexes + * which will be requested by the library. If there is no small + * limit, set it to 0. If the crypto plugin cannot create the + * advertised number of mutexes the calls to its functions may fail. + * If a low number of mutexes is advertised the plugin will try to + * do the best it can. Making larger numbers of mutexes available + * may improve performance and parallelism by reducing contention + * over critical sections. Unavailability of any mutexes, implying + * single-threaded operation, should be indicated by the setting + * mutex_init et al to 0. + */ + int maxmutexes; + int maxsimultaneous; + size_t mutexsize; + int (*mutex_init)(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext *cactx); + int (*mutex_acquire)(HWCryptoHook_Mutex*); + void (*mutex_release)(HWCryptoHook_Mutex*); + void (*mutex_destroy)(HWCryptoHook_Mutex*); + + /* For greater efficiency, can use condition vars internally for + * synchronisation. In this case maxsimultaneous is ignored, but + * the other mutex stuff must be available. In singlethreaded + * programs, set everything to 0. + */ + size_t condvarsize; + int (*condvar_init)(HWCryptoHook_CondVar*, HWCryptoHook_CallerContext *cactx); + int (*condvar_wait)(HWCryptoHook_CondVar*, HWCryptoHook_Mutex*); + void (*condvar_signal)(HWCryptoHook_CondVar*); + void (*condvar_broadcast)(HWCryptoHook_CondVar*); + void (*condvar_destroy)(HWCryptoHook_CondVar*); + + /* The semantics of acquiring and releasing mutexes and broadcasting + * and waiting on condition variables are expected to be those from + * POSIX threads (pthreads). The mutexes may be (in pthread-speak) + * fast mutexes, recursive mutexes, or nonrecursive ones. + * + * The _release/_signal/_broadcast and _destroy functions must + * always succeed when given a valid argument; if they are given an + * invalid argument then the program (crypto plugin + application) + * has an internal error, and they should abort the program. + */ + + int (*getpassphrase)(const char *prompt_info, + int *len_io, char *buf, + HWCryptoHook_PassphraseContext *ppctx, + HWCryptoHook_CallerContext *cactx); + /* Passphrases and the prompt_info, if they contain high-bit-set + * characters, are UTF-8. The prompt_info may be a null pointer if + * no prompt information is available (it should not be an empty + * string). It will not contain text like `enter passphrase'; + * instead it might say something like `Operator Card for John + * Smith' or `SmartCard in nFast Module #1, Slot #1'. + * + * buf points to a buffer in which to return the passphrase; on + * entry *len_io is the length of the buffer. It should be updated + * by the callback. The returned passphrase should not be + * null-terminated by the callback. + */ + + int (*getphystoken)(const char *prompt_info, + const char *wrong_info, + HWCryptoHook_PassphraseContext *ppctx, + HWCryptoHook_CallerContext *cactx); + /* Requests that the human user physically insert a different + * smartcard, DataKey, etc. The plugin should check whether the + * currently inserted token(s) are appropriate, and if they are it + * should not make this call. + * + * prompt_info is as before. wrong_info is a description of the + * currently inserted token(s) so that the user is told what + * something is. wrong_info, like prompt_info, may be null, but + * should not be an empty string. Its contents should be + * syntactically similar to that of prompt_info. + */ + + /* Note that a single LoadKey operation might cause several calls to + * getpassphrase and/or requestphystoken. If requestphystoken is + * not provided (ie, a null pointer is passed) then the plugin may + * not support loading keys for which authorisation by several cards + * is required. If getpassphrase is not provided then cards with + * passphrases may not be supported. + * + * getpassphrase and getphystoken do not need to check that the + * passphrase has been entered correctly or the correct token + * inserted; the crypto plugin will do that. If this is not the + * case then the crypto plugin is responsible for calling these + * routines again as appropriate until the correct token(s) and + * passphrase(s) are supplied as required, or until any retry limits + * implemented by the crypto plugin are reached. + * + * In either case, the application must allow the user to say `no' + * or `cancel' to indicate that they do not know the passphrase or + * have the appropriate token; this should cause the callback to + * return nonzero indicating error. + */ + + void (*logmessage)(void *logstream, const char *message); + /* A log message will be generated at least every time something goes + * wrong and an ErrMsgBuf is filled in (or would be if one was + * provided). Other diagnostic information may be written there too, + * including more detailed reasons for errors which are reported in an + * ErrMsgBuf. + * + * When a log message is generated, this callback is called. It + * should write a message to the relevant logging arrangements. + * + * The message string passed will be null-terminated and may be of arbitrary + * length. It will not be prefixed by the time and date, nor by the + * name of the library that is generating it - if this is required, + * the logmessage callback must do it. The message will not have a + * trailing newline (though it may contain internal newlines). + * + * If a null pointer is passed for logmessage a default function is + * used. The default function treats logstream as a FILE* which has + * been converted to a void*. If logstream is 0 it does nothing. + * Otherwise it prepends the date and time and library name and + * writes the message to logstream. Each line will be prefixed by a + * descriptive string containing the date, time and identity of the + * crypto plugin. Errors on the logstream are not reported + * anywhere, and the default function doesn't flush the stream, so + * the application must set the buffering how it wants it. + * + * The crypto plugin may also provide a facility to have copies of + * log messages sent elsewhere, and or for adjusting the verbosity + * of the log messages; any such facilities will be configured by + * external means. + */ + +} HWCryptoHook_InitInfo; + +typedef +HWCryptoHook_ContextHandle HWCryptoHook_Init_t(const HWCryptoHook_InitInfo *initinfo, + size_t initinfosize, + const HWCryptoHook_ErrMsgBuf *errors, + HWCryptoHook_CallerContext *cactx); +extern HWCryptoHook_Init_t HWCryptoHook_Init; + +/* Caller should set initinfosize to the size of the HWCryptoHook struct, + * so it can be extended later. + * + * On success, a message for display or logging by the server, + * including the name and version number of the plugin, will be filled + * in into *errors; on failure *errors is used for error handling, as + * usual. + */ + +/* All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED + * on most failures. HWCRYPTOHOOK_ERROR_MPISIZE means at least one of + * the output MPI buffer(s) was too small; the sizes of all have been + * set to the desired size (and for those where the buffer was large + * enough, the value may have been copied in), and no error message + * has been recorded. + * + * You may pass 0 for the errors struct. In any case, unless you set + * _NoStderr at init time then messages may be reported to stderr. + */ + +/* The RSAImmed* functions (and key managed RSA) only work with + * modules which have an RSA patent licence - currently that means KM + * units; the ModExp* ones work with all modules, so you need a patent + * licence in the software in the US. They are otherwise identical. + */ + +typedef +void HWCryptoHook_Finish_t(HWCryptoHook_ContextHandle hwctx); +extern HWCryptoHook_Finish_t HWCryptoHook_Finish; +/* You must not have any calls going or keys loaded when you call this. */ + +typedef +int HWCryptoHook_RandomBytes_t(HWCryptoHook_ContextHandle hwctx, + unsigned char *buf, size_t len, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RandomBytes_t HWCryptoHook_RandomBytes; + +typedef +int HWCryptoHook_ModExp_t(HWCryptoHook_ContextHandle hwctx, + HWCryptoHook_MPI a, + HWCryptoHook_MPI p, + HWCryptoHook_MPI n, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_ModExp_t HWCryptoHook_ModExp; + +typedef +int HWCryptoHook_RSAImmedPub_t(HWCryptoHook_ContextHandle hwctx, + HWCryptoHook_MPI m, + HWCryptoHook_MPI e, + HWCryptoHook_MPI n, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSAImmedPub_t HWCryptoHook_RSAImmedPub; + +typedef +int HWCryptoHook_ModExpCRT_t(HWCryptoHook_ContextHandle hwctx, + HWCryptoHook_MPI a, + HWCryptoHook_MPI p, + HWCryptoHook_MPI q, + HWCryptoHook_MPI dmp1, + HWCryptoHook_MPI dmq1, + HWCryptoHook_MPI iqmp, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_ModExpCRT_t HWCryptoHook_ModExpCRT; + +typedef +int HWCryptoHook_RSAImmedPriv_t(HWCryptoHook_ContextHandle hwctx, + HWCryptoHook_MPI m, + HWCryptoHook_MPI p, + HWCryptoHook_MPI q, + HWCryptoHook_MPI dmp1, + HWCryptoHook_MPI dmq1, + HWCryptoHook_MPI iqmp, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSAImmedPriv_t HWCryptoHook_RSAImmedPriv; + +/* The RSAImmed* and ModExp* functions may return E_FAILED or + * E_FALLBACK for failure. + * + * E_FAILED means the failure is permanent and definite and there + * should be no attempt to fall back to software. (Eg, for some + * applications, which support only the acceleration-only + * functions, the `key material' may actually be an encoded key + * identifier, and doing the operation in software would give wrong + * answers.) + * + * E_FALLBACK means that doing the computation in software would seem + * reasonable. If an application pays attention to this and is + * able to fall back, it should also set the Fallback init flags. + */ + +typedef +int HWCryptoHook_RSALoadKey_t(HWCryptoHook_ContextHandle hwctx, + const char *key_ident, + HWCryptoHook_RSAKeyHandle *keyhandle_r, + const HWCryptoHook_ErrMsgBuf *errors, + HWCryptoHook_PassphraseContext *ppctx); +extern HWCryptoHook_RSALoadKey_t HWCryptoHook_RSALoadKey; +/* The key_ident is a null-terminated string configured by the + * user via the application's usual configuration mechanisms. + * It is provided to the user by the crypto provider's key management + * system. The user must be able to enter at least any string of between + * 1 and 1023 characters inclusive, consisting of printable 7-bit + * ASCII characters. The provider should avoid using + * any characters except alphanumerics and the punctuation + * characters _ - + . / @ ~ (the user is expected to be able + * to enter these without quoting). The string may be case-sensitive. + * The application may allow the user to enter other NULL-terminated strings, + * and the provider must cope (returning an error if the string is not + * valid). + * + * If the key does not exist, no error is recorded and 0 is returned; + * keyhandle_r will be set to 0 instead of to a key handle. + */ + +typedef +int HWCryptoHook_RSAGetPublicKey_t(HWCryptoHook_RSAKeyHandle k, + HWCryptoHook_MPI *n, + HWCryptoHook_MPI *e, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSAGetPublicKey_t HWCryptoHook_RSAGetPublicKey; +/* The crypto plugin will not store certificates. + * + * Although this function for acquiring the public key value is + * provided, it is not the purpose of this API to deal fully with the + * handling of the public key. + * + * It is expected that the crypto supplier's key generation program + * will provide general facilities for producing X.509 + * self-certificates and certificate requests in PEM format. These + * will be given to the user so that they can configure them in the + * application, send them to CAs, or whatever. + * + * In case this kind of certificate handling is not appropriate, the + * crypto supplier's key generation program should be able to be + * configured not to generate such a self-certificate or certificate + * request. Then the application will need to do all of this, and + * will need to store and handle the public key and certificates + * itself. + */ + +typedef +int HWCryptoHook_RSAUnloadKey_t(HWCryptoHook_RSAKeyHandle k, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSAUnloadKey_t HWCryptoHook_RSAUnloadKey; +/* Might fail due to locking problems, or other serious internal problems. */ + +typedef +int HWCryptoHook_RSA_t(HWCryptoHook_MPI m, + HWCryptoHook_RSAKeyHandle k, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSA_t HWCryptoHook_RSA; +/* RSA private key operation (sign or decrypt) - raw, unpadded. */ + +#endif /*HWCRYPTOHOOK_H*/ diff --git a/src/lib/libcrypto/engine/vendor_defns/sureware.h b/src/lib/libcrypto/engine/vendor_defns/sureware.h new file mode 100644 index 0000000000..1d3789219d --- /dev/null +++ b/src/lib/libcrypto/engine/vendor_defns/sureware.h @@ -0,0 +1,239 @@ +/* +* Written by Corinne Dive-Reclus(cdive@baltimore.com) +* +* Copyright@2001 Baltimore Technologies Ltd. +* * +* THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND * +* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * +* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * +* ARE DISCLAIMED. IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE * +* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * +* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * +* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * +* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * +* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * +* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * +* SUCH DAMAGE. * +* +* +*/ +#ifdef WIN32 +#define SW_EXPORT __declspec ( dllexport ) +#else +#define SW_EXPORT +#endif + +/* +* List of exposed SureWare errors +*/ +#define SUREWAREHOOK_ERROR_FAILED -1 +#define SUREWAREHOOK_ERROR_FALLBACK -2 +#define SUREWAREHOOK_ERROR_UNIT_FAILURE -3 +#define SUREWAREHOOK_ERROR_DATA_SIZE -4 +#define SUREWAREHOOK_ERROR_INVALID_PAD -5 +/* +* -----------------WARNING----------------------------------- +* In all the following functions: +* msg is a string with at least 24 bytes free. +* A 24 bytes string will be concatenated to the existing content of msg. +*/ +/* +* SureWare Initialisation function +* in param threadsafe, if !=0, thread safe enabled +* return SureWareHOOK_ERROR_UNIT_FAILURE if failure, 1 if success +*/ +typedef int SureWareHook_Init_t(char*const msg,int threadsafe); +extern SW_EXPORT SureWareHook_Init_t SureWareHook_Init; +/* +* SureWare Finish function +*/ +typedef void SureWareHook_Finish_t(); +extern SW_EXPORT SureWareHook_Finish_t SureWareHook_Finish; +/* +* PRE_CONDITION: +* DO NOT CALL ANY OF THE FOLLOWING FUNCTIONS IN CASE OF INIT FAILURE +*/ +/* +* SureWare RAND Bytes function +* In case of failure, the content of buf is unpredictable. +* return 1 if success +* SureWareHOOK_ERROR_FALLBACK if function not available in hardware +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in/out param buf : a num bytes long buffer where random bytes will be put +* in param num : the number of bytes into buf +*/ +typedef int SureWareHook_Rand_Bytes_t(char*const msg,unsigned char *buf, int num); +extern SW_EXPORT SureWareHook_Rand_Bytes_t SureWareHook_Rand_Bytes; + +/* +* SureWare RAND Seed function +* Adds some seed to the Hardware Random Number Generator +* return 1 if success +* SureWareHOOK_ERROR_FALLBACK if function not available in hardware +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in param buf : the seed to add into the HRNG +* in param num : the number of bytes into buf +*/ +typedef int SureWareHook_Rand_Seed_t(char*const msg,const void *buf, int num); +extern SW_EXPORT SureWareHook_Rand_Seed_t SureWareHook_Rand_Seed; + +/* +* SureWare Load Private Key function +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* No hardware is contact for this function. +* +* in param key_id :the name of the private protected key file without the extension + ".sws" +* out param hptr : a pointer to a buffer allocated by SureWare_Hook +* out param num: the effective key length in bytes +* out param keytype: 1 if RSA 2 if DSA +*/ +typedef int SureWareHook_Load_Privkey_t(char*const msg,const char *key_id,char **hptr,unsigned long *num,char *keytype); +extern SW_EXPORT SureWareHook_Load_Privkey_t SureWareHook_Load_Privkey; + +/* +* SureWare Info Public Key function +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* No hardware is contact for this function. +* +* in param key_id :the name of the private protected key file without the extension + ".swp" +* out param hptr : a pointer to a buffer allocated by SureWare_Hook +* out param num: the effective key length in bytes +* out param keytype: 1 if RSA 2 if DSA +*/ +typedef int SureWareHook_Info_Pubkey_t(char*const msg,const char *key_id,unsigned long *num, + char *keytype); +extern SW_EXPORT SureWareHook_Info_Pubkey_t SureWareHook_Info_Pubkey; + +/* +* SureWare Load Public Key function +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* No hardware is contact for this function. +* +* in param key_id :the name of the public protected key file without the extension + ".swp" +* in param num : the bytes size of n and e +* out param n: where to write modulus in bn format +* out param e: where to write exponent in bn format +*/ +typedef int SureWareHook_Load_Rsa_Pubkey_t(char*const msg,const char *key_id,unsigned long num, + unsigned long *n, unsigned long *e); +extern SW_EXPORT SureWareHook_Load_Rsa_Pubkey_t SureWareHook_Load_Rsa_Pubkey; + +/* +* SureWare Load DSA Public Key function +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* No hardware is contact for this function. +* +* in param key_id :the name of the public protected key file without the extension + ".swp" +* in param num : the bytes size of n and e +* out param pub: where to write pub key in bn format +* out param p: where to write prime in bn format +* out param q: where to write sunprime (length 20 bytes) in bn format +* out param g: where to write base in bn format +*/ +typedef int SureWareHook_Load_Dsa_Pubkey_t(char*const msg,const char *key_id,unsigned long num, + unsigned long *pub, unsigned long *p,unsigned long*q, + unsigned long *g); +extern SW_EXPORT SureWareHook_Load_Dsa_Pubkey_t SureWareHook_Load_Dsa_Pubkey; + +/* +* SureWare Free function +* Destroy the key into the hardware if destroy==1 +*/ +typedef void SureWareHook_Free_t(char *p,int destroy); +extern SW_EXPORT SureWareHook_Free_t SureWareHook_Free; + +#define SUREWARE_PKCS1_PAD 1 +#define SUREWARE_ISO9796_PAD 2 +#define SUREWARE_NO_PAD 0 +/* +* SureWare RSA Private Decryption +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in param flen : byte size of from and to +* in param from : encrypted data buffer, should be a not-null valid pointer +* out param tlen: byte size of decrypted data, if error, unexpected value +* out param to : decrypted data buffer, should be a not-null valid pointer +* in param prsa: a protected key pointer, should be a not-null valid pointer +* int padding: padding id as follow +* SUREWARE_PKCS1_PAD +* SUREWARE_NO_PAD +* +*/ +typedef int SureWareHook_Rsa_Priv_Dec_t(char*const msg,int flen,unsigned char *from, + int *tlen,unsigned char *to, + char *prsa,int padding); +extern SW_EXPORT SureWareHook_Rsa_Priv_Dec_t SureWareHook_Rsa_Priv_Dec; +/* +* SureWare RSA Signature +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in param flen : byte size of from and to +* in param from : encrypted data buffer, should be a not-null valid pointer +* out param tlen: byte size of decrypted data, if error, unexpected value +* out param to : decrypted data buffer, should be a not-null valid pointer +* in param prsa: a protected key pointer, should be a not-null valid pointer +* int padding: padding id as follow +* SUREWARE_PKCS1_PAD +* SUREWARE_ISO9796_PAD +* +*/ +typedef int SureWareHook_Rsa_Sign_t(char*const msg,int flen,unsigned char *from, + int *tlen,unsigned char *to, + char *prsa,int padding); +extern SW_EXPORT SureWareHook_Rsa_Sign_t SureWareHook_Rsa_Sign; +/* +* SureWare DSA Signature +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in param flen : byte size of from and to +* in param from : encrypted data buffer, should be a not-null valid pointer +* out param to : decrypted data buffer, should be a 40bytes valid pointer +* in param pdsa: a protected key pointer, should be a not-null valid pointer +* +*/ +typedef int SureWareHook_Dsa_Sign_t(char*const msg,int flen,const unsigned char *from, + unsigned long *r,unsigned long *s,char *pdsa); +extern SW_EXPORT SureWareHook_Dsa_Sign_t SureWareHook_Dsa_Sign; + + +/* +* SureWare Mod Exp +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* mod and res are mlen bytes long. +* exp is elen bytes long +* data is dlen bytes long +* mlen,elen and dlen are all multiple of sizeof(unsigned long) +*/ +typedef int SureWareHook_Mod_Exp_t(char*const msg,int mlen,const unsigned long *mod, + int elen,const unsigned long *exp, + int dlen,unsigned long *data, + unsigned long *res); +extern SW_EXPORT SureWareHook_Mod_Exp_t SureWareHook_Mod_Exp; + diff --git a/src/lib/libcrypto/evp/bio_ok.c b/src/lib/libcrypto/evp/bio_ok.c index 3cbc6e7848..530ab937ce 100644 --- a/src/lib/libcrypto/evp/bio_ok.c +++ b/src/lib/libcrypto/evp/bio_ok.c @@ -211,7 +211,7 @@ static int ok_free(BIO *a) { if (a == NULL) return(0); EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md); - memset(a->ptr,0,sizeof(BIO_OK_CTX)); + OPENSSL_cleanse(a->ptr,sizeof(BIO_OK_CTX)); OPENSSL_free(a->ptr); a->ptr=NULL; a->init=0; diff --git a/src/lib/libcrypto/evp/evp_acnf.c b/src/lib/libcrypto/evp/evp_acnf.c index a68b979bdb..ff3e311cc5 100644 --- a/src/lib/libcrypto/evp/evp_acnf.c +++ b/src/lib/libcrypto/evp/evp_acnf.c @@ -59,7 +59,6 @@ #include "cryptlib.h" #include #include -#include /* Load all algorithms and configure OpenSSL. diff --git a/src/lib/libcrypto/evp/evp_test.c b/src/lib/libcrypto/evp/evp_test.c index 90294ef686..28460173f7 100644 --- a/src/lib/libcrypto/evp/evp_test.c +++ b/src/lib/libcrypto/evp/evp_test.c @@ -49,8 +49,14 @@ #include #include + +#include "../e_os.h" + #include +#ifndef OPENSSL_NO_ENGINE #include +#endif +#include #include static void hexdump(FILE *f,const char *title,const unsigned char *s,int l) @@ -78,7 +84,7 @@ static int convert(unsigned char *s) if(!s[1]) { fprintf(stderr,"Odd number of hex digits!"); - exit(4); + EXIT(4); } sscanf((char *)s,"%2x",&n); *d=(unsigned char)n; @@ -120,6 +126,12 @@ static char *sstrsep(char **string, const char *delim) static unsigned char *ustrsep(char **p,const char *sep) { return (unsigned char *)sstrsep(p,sep); } +static int test1_exit(int ec) + { + EXIT(ec); + return(0); /* To keep some compilers quiet */ + } + static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, const unsigned char *iv,int in, const unsigned char *plaintext,int pn, @@ -142,7 +154,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, { fprintf(stderr,"Key length doesn't match, got %d expected %d\n",kn, c->key_len); - exit(5); + test1_exit(5); } EVP_CIPHER_CTX_init(&ctx); if (encdec != 0) @@ -150,26 +162,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv)) { fprintf(stderr,"EncryptInit failed\n"); - exit(10); + test1_exit(10); } EVP_CIPHER_CTX_set_padding(&ctx,0); if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn)) { fprintf(stderr,"Encrypt failed\n"); - exit(6); + test1_exit(6); } if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2)) { fprintf(stderr,"EncryptFinal failed\n"); - exit(7); + test1_exit(7); } if(outl+outl2 != cn) { fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n", outl+outl2,cn); - exit(8); + test1_exit(8); } if(memcmp(out,ciphertext,cn)) @@ -177,7 +189,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, fprintf(stderr,"Ciphertext mismatch\n"); hexdump(stderr,"Got",out,cn); hexdump(stderr,"Expected",ciphertext,cn); - exit(9); + test1_exit(9); } } @@ -186,26 +198,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv)) { fprintf(stderr,"DecryptInit failed\n"); - exit(11); + test1_exit(11); } EVP_CIPHER_CTX_set_padding(&ctx,0); if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn)) { fprintf(stderr,"Decrypt failed\n"); - exit(6); + test1_exit(6); } if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2)) { fprintf(stderr,"DecryptFinal failed\n"); - exit(7); + test1_exit(7); } if(outl+outl2 != cn) { fprintf(stderr,"Plaintext length mismatch got %d expected %d\n", outl+outl2,cn); - exit(8); + test1_exit(8); } if(memcmp(out,plaintext,cn)) @@ -213,7 +225,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, fprintf(stderr,"Plaintext mismatch\n"); hexdump(stderr,"Got",out,cn); hexdump(stderr,"Expected",plaintext,cn); - exit(9); + test1_exit(9); } } @@ -260,24 +272,24 @@ static int test_digest(const char *digest, if(!EVP_DigestInit_ex(&ctx,d, NULL)) { fprintf(stderr,"DigestInit failed\n"); - exit(100); + EXIT(100); } if(!EVP_DigestUpdate(&ctx,plaintext,pn)) { fprintf(stderr,"DigestUpdate failed\n"); - exit(101); + EXIT(101); } if(!EVP_DigestFinal_ex(&ctx,md,&mdn)) { fprintf(stderr,"DigestFinal failed\n"); - exit(101); + EXIT(101); } EVP_MD_CTX_cleanup(&ctx); if(mdn != cn) { fprintf(stderr,"Digest length mismatch, got %d expected %d\n",mdn,cn); - exit(102); + EXIT(102); } if(memcmp(md,ciphertext,cn)) @@ -285,7 +297,7 @@ static int test_digest(const char *digest, fprintf(stderr,"Digest mismatch\n"); hexdump(stderr,"Got",md,cn); hexdump(stderr,"Expected",ciphertext,cn); - exit(103); + EXIT(103); } printf("\n"); @@ -303,7 +315,7 @@ int main(int argc,char **argv) if(argc != 2) { fprintf(stderr,"%s \n",argv[0]); - exit(1); + EXIT(1); } CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); @@ -315,17 +327,20 @@ int main(int argc,char **argv) if(!f) { perror(szTestFile); - exit(2); + EXIT(2); } /* Load up the software EVP_CIPHER and EVP_MD definitions */ OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); +#ifndef OPENSSL_NO_ENGINE /* Load all compiled-in ENGINEs */ ENGINE_load_builtin_engines(); +#endif #if 0 OPENSSL_config(); #endif +#ifndef OPENSSL_NO_ENGINE /* Register all available ENGINE implementations of ciphers and digests. * This could perhaps be changed to "ENGINE_register_all_complete()"? */ ENGINE_register_all_ciphers(); @@ -334,6 +349,7 @@ int main(int argc,char **argv) * It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if * they weren't already initialised. */ /* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */ +#endif for( ; ; ) { @@ -371,11 +387,13 @@ int main(int argc,char **argv) && !test_digest(cipher,plaintext,pn,ciphertext,cn)) { fprintf(stderr,"Can't find %s\n",cipher); - exit(3); + EXIT(3); } } +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); diff --git a/src/lib/libcrypto/hmac/hmactest.c b/src/lib/libcrypto/hmac/hmactest.c index 96d3beb8e6..1b906b81af 100644 --- a/src/lib/libcrypto/hmac/hmactest.c +++ b/src/lib/libcrypto/hmac/hmactest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_HMAC int main(int argc, char *argv[]) { @@ -68,12 +70,15 @@ int main(int argc, char *argv[]) } #else #include +#ifndef OPENSSL_NO_MD5 #include +#endif #ifdef CHARSET_EBCDIC #include #endif +#ifndef OPENSSL_NO_MD5 static struct test_st { unsigned char key[16]; @@ -113,13 +118,20 @@ static struct test_st (unsigned char *)"56be34521d144c88dbb8c733f0e8b3f6", }, }; - +#endif static char *pt(unsigned char *md); int main(int argc, char *argv[]) { - int i,err=0; +#ifndef OPENSSL_NO_MD5 + int i; char *p; +#endif + int err=0; + +#ifdef OPENSSL_NO_MD5 + printf("test skipped: MD5 disabled\n"); +#else #ifdef CHARSET_EBCDIC ebcdic2ascii(test[0].data, test[0].data, test[0].data_len); @@ -144,10 +156,12 @@ int main(int argc, char *argv[]) else printf("test %d ok\n",i); } - exit(err); +#endif /* OPENSSL_NO_MD5 */ + EXIT(err); return(0); } +#ifndef OPENSSL_NO_MD5 static char *pt(unsigned char *md) { int i; @@ -158,3 +172,4 @@ static char *pt(unsigned char *md) return(buf); } #endif +#endif diff --git a/src/lib/libcrypto/idea/version b/src/lib/libcrypto/idea/version new file mode 100644 index 0000000000..3f22293795 --- /dev/null +++ b/src/lib/libcrypto/idea/version @@ -0,0 +1,12 @@ +1.1 07/12/95 - eay + Many thanks to Rhys Weatherley + for pointing out that I was assuming little endian byte + order for all quantities what idea actually used + bigendian. No where in the spec does it mention + this, it is all in terms of 16 bit numbers and even the example + does not use byte streams for the input example :-(. + If you byte swap each pair of input, keys and iv, the functions + would produce the output as the old version :-(. + +1.0 ??/??/95 - eay + First version. diff --git a/src/lib/libcrypto/md2/md2_dgst.c b/src/lib/libcrypto/md2/md2_dgst.c index e25dd00e02..ecb64f0ec4 100644 --- a/src/lib/libcrypto/md2/md2_dgst.c +++ b/src/lib/libcrypto/md2/md2_dgst.c @@ -61,6 +61,7 @@ #include #include #include +#include const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT; @@ -118,9 +119,9 @@ const char *MD2_options(void) int MD2_Init(MD2_CTX *c) { c->num=0; - memset(c->state,0,MD2_BLOCK*sizeof(MD2_INT)); - memset(c->cksm,0,MD2_BLOCK*sizeof(MD2_INT)); - memset(c->data,0,MD2_BLOCK); + memset(c->state,0,sizeof c->state); + memset(c->cksm,0,sizeof c->cksm); + memset(c->data,0,sizeof c->data); return 1; } @@ -196,7 +197,7 @@ static void md2_block(MD2_CTX *c, const unsigned char *d) t=(t+i)&0xff; } memcpy(sp1,state,16*sizeof(MD2_INT)); - memset(state,0,48*sizeof(MD2_INT)); + OPENSSL_cleanse(state,48*sizeof(MD2_INT)); } int MD2_Final(unsigned char *md, MD2_CTX *c) diff --git a/src/lib/libcrypto/md2/md2_one.c b/src/lib/libcrypto/md2/md2_one.c index b12c37ce4d..835160ef56 100644 --- a/src/lib/libcrypto/md2/md2_one.c +++ b/src/lib/libcrypto/md2/md2_one.c @@ -88,6 +88,6 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md) } #endif MD2_Final(md,&c); - memset(&c,0,sizeof(c)); /* Security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* Security consideration */ return(md); } diff --git a/src/lib/libcrypto/md2/md2test.c b/src/lib/libcrypto/md2/md2test.c index 7d3664faf5..901d0a7d8e 100644 --- a/src/lib/libcrypto/md2/md2test.c +++ b/src/lib/libcrypto/md2/md2test.c @@ -61,6 +61,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_MD2 int main(int argc, char *argv[]) { @@ -122,8 +124,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); - return(0); + EXIT(err); } static char *pt(unsigned char *md) diff --git a/src/lib/libcrypto/md4/md4.c b/src/lib/libcrypto/md4/md4.c index e4b0aac011..141415ad4d 100644 --- a/src/lib/libcrypto/md4/md4.c +++ b/src/lib/libcrypto/md4/md4.c @@ -64,7 +64,7 @@ void do_fp(FILE *f); void pt(unsigned char *md); -#ifndef _OSD_POSIX +#if !defined(_OSD_POSIX) && !defined(__DJGPP__) int read(int, void *, unsigned int); #endif @@ -108,7 +108,7 @@ void do_fp(FILE *f) MD4_Init(&c); for (;;) { - i=read(fd,buf,BUFSIZE); + i=read(fd,buf,sizeof buf); if (i <= 0) break; MD4_Update(&c,buf,(unsigned long)i); } diff --git a/src/lib/libcrypto/md4/md4test.c b/src/lib/libcrypto/md4/md4test.c index e0fdc42282..21a77d96f7 100644 --- a/src/lib/libcrypto/md4/md4test.c +++ b/src/lib/libcrypto/md4/md4test.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_MD4 int main(int argc, char *argv[]) { @@ -118,7 +120,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/src/lib/libcrypto/md5/md5.c b/src/lib/libcrypto/md5/md5.c index 7ed0024ae1..563733abc5 100644 --- a/src/lib/libcrypto/md5/md5.c +++ b/src/lib/libcrypto/md5/md5.c @@ -64,7 +64,7 @@ void do_fp(FILE *f); void pt(unsigned char *md); -#ifndef _OSD_POSIX +#if !defined(_OSD_POSIX) && !defined(__DJGPP__) int read(int, void *, unsigned int); #endif diff --git a/src/lib/libcrypto/md5/md5test.c b/src/lib/libcrypto/md5/md5test.c index 862b89658a..bfd62629ed 100644 --- a/src/lib/libcrypto/md5/md5test.c +++ b/src/lib/libcrypto/md5/md5test.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_MD5 int main(int argc, char *argv[]) { @@ -118,7 +120,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/src/lib/libcrypto/mdc2/mdc2test.c b/src/lib/libcrypto/mdc2/mdc2test.c new file mode 100644 index 0000000000..c9abe99d92 --- /dev/null +++ b/src/lib/libcrypto/mdc2/mdc2test.c @@ -0,0 +1,146 @@ +/* crypto/mdc2/mdc2test.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include +#include +#include + +#include "../e_os.h" + +#if defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_MDC2) +#define OPENSSL_NO_MDC2 +#endif + +#ifdef OPENSSL_NO_MDC2 +int main(int argc, char *argv[]) +{ + printf("No MDC2 support\n"); + return(0); +} +#else +#include +#include + +#ifdef CHARSET_EBCDIC +#include +#endif + +static unsigned char pad1[16]={ + 0x42,0xE5,0x0C,0xD2,0x24,0xBA,0xCE,0xBA, + 0x76,0x0B,0xDD,0x2B,0xD4,0x09,0x28,0x1A + }; + +static unsigned char pad2[16]={ + 0x2E,0x46,0x79,0xB5,0xAD,0xD9,0xCA,0x75, + 0x35,0xD8,0x7A,0xFE,0xAB,0x33,0xBE,0xE2 + }; + +int main(int argc, char *argv[]) + { + int ret=0; + unsigned char md[MDC2_DIGEST_LENGTH]; + int i; + EVP_MD_CTX c; + static char *text="Now is the time for all "; + +#ifdef CHARSET_EBCDIC + ebcdic2ascii(text,text,strlen(text)); +#endif + + EVP_MD_CTX_init(&c); + EVP_DigestInit_ex(&c,EVP_mdc2(), NULL); + EVP_DigestUpdate(&c,(unsigned char *)text,strlen(text)); + EVP_DigestFinal_ex(&c,&(md[0]),NULL); + + if (memcmp(md,pad1,MDC2_DIGEST_LENGTH) != 0) + { + for (i=0; ipad_type=2; + EVP_DigestUpdate(&c,(unsigned char *)text,strlen(text)); + EVP_DigestFinal_ex(&c,&(md[0]),NULL); + + if (memcmp(md,pad2,MDC2_DIGEST_LENGTH) != 0) + { + for (i=0; i2Kb so the overhead doesn't bother us. */ + if(ret && (num > 2048)) + ((unsigned char *)ret)[0] = cleanse_ctr; + return ret; } @@ -282,6 +291,9 @@ void CRYPTO_free_locked(void *str) void *CRYPTO_malloc(int num, const char *file, int line) { void *ret = NULL; + extern unsigned char cleanse_ctr; + + if (num < 0) return NULL; allow_customize = 0; if (malloc_debug_func != NULL) @@ -296,6 +308,12 @@ void *CRYPTO_malloc(int num, const char *file, int line) if (malloc_debug_func != NULL) malloc_debug_func(ret, num, file, line, 1); + /* Create a dependency on the value of 'cleanse_ctr' so our memory + * sanitisation function can't be optimised out. NB: We only do + * this for >2Kb so the overhead doesn't bother us. */ + if(ret && (num > 2048)) + ((unsigned char *)ret)[0] = cleanse_ctr; + return ret; } @@ -306,6 +324,8 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line) if (str == NULL) return CRYPTO_malloc(num, file, line); + if (num < 0) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret = realloc_ex_func(str,num,file,line); @@ -318,6 +338,32 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line) return ret; } +void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, + int line) + { + void *ret = NULL; + + if (str == NULL) + return CRYPTO_malloc(num, file, line); + + if (num < 0) return NULL; + + if (realloc_debug_func != NULL) + realloc_debug_func(str, NULL, num, file, line, 0); + ret=malloc_ex_func(num,file,line); + if(ret) + memcpy(ret,str,old_len); + OPENSSL_cleanse(str,old_len); + free_func(str); +#ifdef LEVITTE_DEBUG_MEM + fprintf(stderr, "LEVITTE_DEBUG_MEM: | 0x%p -> 0x%p (%d)\n", str, ret, num); +#endif + if (realloc_debug_func != NULL) + realloc_debug_func(str, ret, num, file, line, 1); + + return ret; + } + void CRYPTO_free(void *str) { if (free_debug_func != NULL) @@ -337,7 +383,6 @@ void *CRYPTO_remalloc(void *a, int num, const char *file, int line) return(a); } - void CRYPTO_set_mem_debug_options(long bits) { if (set_debug_options_func != NULL) diff --git a/src/lib/libcrypto/objects/obj_dat.h b/src/lib/libcrypto/objects/obj_dat.h index 30812c8aa6..969b18a341 100644 --- a/src/lib/libcrypto/objects/obj_dat.h +++ b/src/lib/libcrypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 645 -#define NUM_SN 641 -#define NUM_LN 641 -#define NUM_OBJ 615 +#define NUM_NID 650 +#define NUM_SN 643 +#define NUM_LN 643 +#define NUM_OBJ 617 -static unsigned char lvalues[4435]={ +static unsigned char lvalues[4455]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -683,6 +683,8 @@ static unsigned char lvalues[4435]={ 0x67,0x2A,0x08,0xAE,0x7B, /* [4412] OBJ_set_brand_Novus */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x0A, /* [4417] OBJ_des_cdmf */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06,/* [4425] OBJ_rsaOAEPEncryptionSET */ +0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [4434] OBJ_ms_smartcard_login */ +0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4444] OBJ_ms_upn */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ @@ -824,7 +826,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ {"RSA-MDC2","mdc2WithRSA",NID_mdc2WithRSA,4,&(lvalues[531]),0}, {"RC4-40","rc4-40",NID_rc4_40,0,NULL}, {"RC2-40-CBC","rc2-40-cbc",NID_rc2_40_cbc,0,NULL}, -{"gn","givenName",NID_givenName,3,&(lvalues[535]),0}, +{"GN","givenName",NID_givenName,3,&(lvalues[535]),0}, {"SN","surname",NID_surname,3,&(lvalues[538]),0}, {"initials","initials",NID_initials,3,&(lvalues[541]),0}, {NULL,NULL,NID_undef,0,NULL}, @@ -1719,6 +1721,13 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ {"DES-CDMF","des-cdmf",NID_des_cdmf,8,&(lvalues[4417]),0}, {"rsaOAEPEncryptionSET","rsaOAEPEncryptionSET", NID_rsaOAEPEncryptionSET,9,&(lvalues[4425]),0}, +{NULL,NULL,NID_undef,0,NULL}, +{NULL,NULL,NID_undef,0,NULL}, +{NULL,NULL,NID_undef,0,NULL}, +{"msSmartcardLogin","Microsoft Smartcardlogin",NID_ms_smartcard_login, + 10,&(lvalues[4434]),0}, +{"msUPN","Microsoft Universal Principal Name",NID_ms_upn,10, + &(lvalues[4444]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -1771,6 +1780,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[70]),/* "DSA-SHA1-old" */ &(nid_objs[67]),/* "DSA-old" */ &(nid_objs[297]),/* "DVCS" */ +&(nid_objs[99]),/* "GN" */ &(nid_objs[381]),/* "IANA" */ &(nid_objs[34]),/* "IDEA-CBC" */ &(nid_objs[35]),/* "IDEA-CFB" */ @@ -1917,7 +1927,6 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[490]),/* "friendlyCountryName" */ &(nid_objs[156]),/* "friendlyName" */ &(nid_objs[509]),/* "generationQualifier" */ -&(nid_objs[99]),/* "gn" */ &(nid_objs[163]),/* "hmacWithSHA1" */ &(nid_objs[432]),/* "holdInstructionCallIssuer" */ &(nid_objs[430]),/* "holdInstructionCode" */ @@ -2127,6 +2136,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[138]),/* "msEFS" */ &(nid_objs[171]),/* "msExtReq" */ &(nid_objs[137]),/* "msSGC" */ +&(nid_objs[648]),/* "msSmartcardLogin" */ +&(nid_objs[649]),/* "msUPN" */ &(nid_objs[481]),/* "nSRecord" */ &(nid_objs[173]),/* "name" */ &(nid_objs[369]),/* "noCheck" */ @@ -2401,7 +2412,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[171]),/* "Microsoft Extension Request" */ &(nid_objs[134]),/* "Microsoft Individual Code Signing" */ &(nid_objs[137]),/* "Microsoft Server Gated Crypto" */ +&(nid_objs[648]),/* "Microsoft Smartcardlogin" */ &(nid_objs[136]),/* "Microsoft Trust List Signing" */ +&(nid_objs[649]),/* "Microsoft Universal Principal Name" */ &(nid_objs[72]),/* "Netscape Base Url" */ &(nid_objs[76]),/* "Netscape CA Policy Url" */ &(nid_objs[74]),/* "Netscape CA Revocation Url" */ @@ -3557,6 +3570,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[136]),/* OBJ_ms_ctl_sign 1 3 6 1 4 1 311 10 3 1 */ &(nid_objs[137]),/* OBJ_ms_sgc 1 3 6 1 4 1 311 10 3 3 */ &(nid_objs[138]),/* OBJ_ms_efs 1 3 6 1 4 1 311 10 3 4 */ +&(nid_objs[648]),/* OBJ_ms_smartcard_login 1 3 6 1 4 1 311 20 2 2 */ +&(nid_objs[649]),/* OBJ_ms_upn 1 3 6 1 4 1 311 20 2 3 */ &(nid_objs[196]),/* OBJ_id_smime_mod_cms 1 2 840 113549 1 9 16 0 1 */ &(nid_objs[197]),/* OBJ_id_smime_mod_ess 1 2 840 113549 1 9 16 0 2 */ &(nid_objs[198]),/* OBJ_id_smime_mod_oid 1 2 840 113549 1 9 16 0 3 */ diff --git a/src/lib/libcrypto/objects/obj_mac.h b/src/lib/libcrypto/objects/obj_mac.h index 899db8325c..7645012298 100644 --- a/src/lib/libcrypto/objects/obj_mac.h +++ b/src/lib/libcrypto/objects/obj_mac.h @@ -850,6 +850,16 @@ #define NID_ms_efs 138 #define OBJ_ms_efs 1L,3L,6L,1L,4L,1L,311L,10L,3L,4L +#define SN_ms_smartcard_login "msSmartcardLogin" +#define LN_ms_smartcard_login "Microsoft Smartcardlogin" +#define NID_ms_smartcard_login 648 +#define OBJ_ms_smartcard_login 1L,3L,6L,1L,4L,1L,311L,20L,2L,2L + +#define SN_ms_upn "msUPN" +#define LN_ms_upn "Microsoft Universal Principal Name" +#define NID_ms_upn 649 +#define OBJ_ms_upn 1L,3L,6L,1L,4L,1L,311L,20L,2L,3L + #define SN_idea_cbc "IDEA-CBC" #define LN_idea_cbc "idea-cbc" #define NID_idea_cbc 34 @@ -1632,7 +1642,7 @@ #define NID_name 173 #define OBJ_name OBJ_X509,41L -#define SN_givenName "gn" +#define SN_givenName "GN" #define LN_givenName "givenName" #define NID_givenName 99 #define OBJ_givenName OBJ_X509,42L diff --git a/src/lib/libcrypto/opensslconf.h b/src/lib/libcrypto/opensslconf.h index c9756e47a3..492041bc7c 100644 --- a/src/lib/libcrypto/opensslconf.h +++ b/src/lib/libcrypto/opensslconf.h @@ -69,7 +69,7 @@ #endif #endif -#if (defined(HEADER_DES_H) || defined(HEADER_DES_OLD_H)) && !defined(DES_LONG) +#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a * %20 speed up (longs are 8 bytes, int's are 4). */ #ifndef DES_LONG diff --git a/src/lib/libcrypto/opensslconf.h.in b/src/lib/libcrypto/opensslconf.h.in index 9082a16c46..685e83b7a3 100644 --- a/src/lib/libcrypto/opensslconf.h.in +++ b/src/lib/libcrypto/opensslconf.h.in @@ -47,7 +47,7 @@ #endif #endif -#if (defined(HEADER_DES_H) || defined(HEADER_DES_OLD_H)) && !defined(DES_LONG) +#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a * %20 speed up (longs are 8 bytes, int's are 4). */ #ifndef DES_LONG diff --git a/src/lib/libcrypto/perlasm/x86ms.pl b/src/lib/libcrypto/perlasm/x86ms.pl index 206452341d..35f1a4ddb9 100644 --- a/src/lib/libcrypto/perlasm/x86ms.pl +++ b/src/lib/libcrypto/perlasm/x86ms.pl @@ -92,6 +92,8 @@ sub get_mem $addr="_$addr"; } + if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; } + $reg1="$regs{$reg1}" if defined($regs{$reg1}); $reg2="$regs{$reg2}" if defined($regs{$reg2}); if (($addr ne "") && ($addr ne 0)) @@ -111,6 +113,7 @@ sub get_mem { $ret.="[$reg1$post]" } + $ret =~ s/\[\]//; # in case $addr was the only argument return($ret); } @@ -151,7 +154,7 @@ sub main'push { &out1("push",@_); $stack+=4; } sub main'pop { &out1("pop",@_); $stack-=4; } sub main'bswap { &out1("bswap",@_); &using486(); } sub main'not { &out1("not",@_); } -sub main'call { &out1("call",'_'.$_[0]); } +sub main'call { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); } sub main'ret { &out0("ret"); } sub main'nop { &out0("nop"); } @@ -338,7 +341,7 @@ sub main'set_label { if (!defined($label{$_[0]})) { - $label{$_[0]}="${label}${_[0]}"; + $label{$_[0]}="\$${label}${_[0]}"; $label++; } if((defined $_[2]) && ($_[2] == 1)) @@ -363,3 +366,11 @@ sub out1p push(@out,"\t$name\t ".&conv($p1)."\n"); } + +sub main'picmeup + { + local($dst,$sym)=@_; + &main'lea($dst,&main'DWP($sym)); + } + +sub main'blindpop { &out1("pop",@_); } diff --git a/src/lib/libcrypto/perlasm/x86nasm.pl b/src/lib/libcrypto/perlasm/x86nasm.pl index 519d8a5867..f30b7466d4 100644 --- a/src/lib/libcrypto/perlasm/x86nasm.pl +++ b/src/lib/libcrypto/perlasm/x86nasm.pl @@ -98,6 +98,8 @@ sub get_mem $addr="_$addr"; } + if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; } + $reg1="$regs{$reg1}" if defined($regs{$reg1}); $reg2="$regs{$reg2}" if defined($regs{$reg2}); if (($addr ne "") && ($addr ne 0)) @@ -117,6 +119,7 @@ sub get_mem { $ret.="$reg1$post]" } + $ret =~ s/\+\]/]/; # in case $addr was the only argument return($ret); } @@ -160,7 +163,7 @@ sub main'push { &out1("push",@_); $stack+=4; } sub main'pop { &out1("pop",@_); $stack-=4; } sub main'bswap { &out1("bswap",@_); &using486(); } sub main'not { &out1("not",@_); } -sub main'call { &out1("call",'_'.$_[0]); } +sub main'call { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); } sub main'ret { &out0("ret"); } sub main'nop { &out0("nop"); } @@ -322,7 +325,7 @@ sub main'set_label { if (!defined($label{$_[0]})) { - $label{$_[0]}="${label}${_[0]}"; + $label{$_[0]}="\$${label}${_[0]}"; $label++; } push(@out,"$label{$_[0]}:\n"); @@ -340,3 +343,11 @@ sub out1p push(@out,"\t$name\t ".&conv($p1)."\n"); } + +sub main'picmeup + { + local($dst,$sym)=@_; + &main'lea($dst,&main'DWP($sym)); + } + +sub main'blindpop { &out1("pop",@_); } diff --git a/src/lib/libcrypto/perlasm/x86unix.pl b/src/lib/libcrypto/perlasm/x86unix.pl index 9ceabf0705..72bde061c5 100644 --- a/src/lib/libcrypto/perlasm/x86unix.pl +++ b/src/lib/libcrypto/perlasm/x86unix.pl @@ -87,12 +87,12 @@ sub main'DWP $ret.=$addr if ($addr ne "") && ($addr ne 0); if ($reg2 ne "") { - if($idx ne "") + if($idx ne "" && $idx != 0) { $ret.="($reg1,$reg2,$idx)"; } else { $ret.="($reg1,$reg2)"; } } - else + elsif ($reg1 ne "") { $ret.="($reg1)" } return($ret); } @@ -167,7 +167,7 @@ sub main'pop { &out1("popl",@_); $stack-=4; } sub main'pushf { &out0("pushf"); $stack+=4; } sub main'popf { &out0("popf"); $stack-=4; } sub main'not { &out1("notl",@_); } -sub main'call { &out1("call",$under.$_[0]); } +sub main'call { &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); } sub main'ret { &out0("ret"); } sub main'nop { &out0("nop"); } @@ -345,15 +345,15 @@ sub main'function_end popl %ebx popl %ebp ret -.${func}_end: +.L_${func}_end: EOF push(@out,$tmp); if ($main'cpp) - { push(@out,"\tSIZE($func,.${func}_end-$func)\n"); } + { push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); } elsif ($main'gaswin) { $tmp=push(@out,"\t.align 4\n"); } - else { push(@out,"\t.size\t$func,.${func}_end-$func\n"); } + else { push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); } push(@out,".ident \"$func\"\n"); $stack=0; %label=(); @@ -426,6 +426,11 @@ sub main'swtmp sub main'comment { + if ($main'elf) # GNU and SVR4 as'es use different comment delimiters, + { # so we just skip comments... + push(@out,"\n"); + return; + } foreach (@_) { if (/^\s*$/) @@ -542,3 +547,39 @@ sub popvars &main'pop("edx"); &main'popf(); } + +sub main'picmeup + { + local($dst,$sym)=@_; + if ($main'cpp) + { + local($tmp)=<<___; +#if (defined(ELF) || defined(SOL)) && defined(PIC) + .align 8 + call 1f +1: popl $regs{$dst} + addl \$_GLOBAL_OFFSET_TABLE_+[.-1b],$regs{$dst} + movl $sym\@GOT($regs{$dst}),$regs{$dst} +#else + leal $sym,$regs{$dst} +#endif +___ + push(@out,$tmp); + } + elsif ($main'pic && ($main'elf || $main'aout)) + { + push(@out,"\t.align\t8\n"); + &main'call(&main'label("PIC_me_up")); + &main'set_label("PIC_me_up"); + &main'blindpop($dst); + &main'add($dst,"\$$under"."_GLOBAL_OFFSET_TABLE_+[.-". + &main'label("PIC_me_up") . "]"); + &main'mov($dst,&main'DWP($sym."\@GOT",$dst)); + } + else + { + &main'lea($dst,&main'DWP($sym)); + } + } + +sub main'blindpop { &out1("popl",@_); } diff --git a/src/lib/libcrypto/pkcs7/bio_ber.c b/src/lib/libcrypto/pkcs7/bio_ber.c index 42331f7ab0..895a91177b 100644 --- a/src/lib/libcrypto/pkcs7/bio_ber.c +++ b/src/lib/libcrypto/pkcs7/bio_ber.c @@ -145,7 +145,7 @@ static int ber_free(BIO *a) if (a == NULL) return(0); b=(BIO_BER_CTX *)a->ptr; - memset(a->ptr,0,sizeof(BIO_BER_CTX)); + OPENSSL_cleanse(a->ptr,sizeof(BIO_BER_CTX)); OPENSSL_free(a->ptr); a->ptr=NULL; a->init=0; diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c index a00ed70718..eeffc0df4c 100644 --- a/src/lib/libcrypto/rand/md_rand.c +++ b/src/lib/libcrypto/rand/md_rand.c @@ -177,10 +177,10 @@ RAND_METHOD *RAND_SSLeay(void) static void ssleay_rand_cleanup(void) { - memset(state,0,sizeof(state)); + OPENSSL_cleanse(state,sizeof(state)); state_num=0; state_index=0; - memset(md,0,MD_DIGEST_LENGTH); + OPENSSL_cleanse(md,MD_DIGEST_LENGTH); md_count[0]=0; md_count[1]=0; entropy=0; diff --git a/src/lib/libcrypto/rand/rand_egd.c b/src/lib/libcrypto/rand/rand_egd.c index abc3ac27d5..1f168221e3 100644 --- a/src/lib/libcrypto/rand/rand_egd.c +++ b/src/lib/libcrypto/rand/rand_egd.c @@ -94,7 +94,7 @@ * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. */ -#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(__DJGPP__) +#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) { return(-1); @@ -114,7 +114,7 @@ int RAND_egd_bytes(const char *path,int bytes) #include #include #ifndef NO_SYS_UN_H -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS # include # else # include @@ -143,7 +143,7 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - if (strlen(path) > sizeof(addr.sun_path)) + if (strlen(path) >= sizeof(addr.sun_path)) return (-1); strcpy(addr.sun_path,path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); diff --git a/src/lib/libcrypto/rand/rand_unix.c b/src/lib/libcrypto/rand/rand_unix.c index ec09d74603..a776e52243 100644 --- a/src/lib/libcrypto/rand/rand_unix.c +++ b/src/lib/libcrypto/rand/rand_unix.c @@ -115,7 +115,7 @@ #include #include "rand_lcl.h" -#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2)) +#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS)) #include #include @@ -215,7 +215,7 @@ int RAND_poll(void) if (n > 0) { RAND_add(tmpbuf,sizeof tmpbuf,n); - memset(tmpbuf,0,n); + OPENSSL_cleanse(tmpbuf,n); } #endif @@ -236,3 +236,10 @@ int RAND_poll(void) } #endif + +#if defined(OPENSSL_SYS_VXWORKS) +int RAND_poll(void) +{ + return 0; +} +#endif diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c index c1b955b06f..113b58678f 100644 --- a/src/lib/libcrypto/rand/rand_win.c +++ b/src/lib/libcrypto/rand/rand_win.c @@ -125,7 +125,7 @@ * http://developer.intel.com/design/security/rng/redist_license.htm */ #define PROV_INTEL_SEC 22 -#define INTEL_DEF_PROV "Intel Hardware Cryptographic Service Provider" +#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider") static void readtimer(void); static void readscreen(void); @@ -170,7 +170,9 @@ typedef BOOL (WINAPI *THREAD32)(HANDLE, LPTHREADENTRY32); typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32); #include +#ifndef OPENSSL_SYS_WINCE #include +#endif #if 1 /* The NET API is Unicode only. It requires the use of the UNICODE * macro. When UNICODE is defined LPTSTR becomes LPWSTR. LMSTR was * was added to the Platform SDK to allow the NET API to be used in @@ -209,20 +211,32 @@ int RAND_poll(void) osverinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ; GetVersionEx( &osverinfo ) ; +#if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO + /* poll the CryptoAPI PRNG */ + /* The CryptoAPI returns sizeof(buf) bytes of randomness */ + if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) + { + if (CryptGenRandom(hProvider, sizeof(buf), buf)) + RAND_add(buf, sizeof(buf), sizeof(buf)); + CryptReleaseContext(hProvider, 0); + } +#endif + /* load functions dynamically - not available on all systems */ - advapi = LoadLibrary("ADVAPI32.DLL"); - kernel = LoadLibrary("KERNEL32.DLL"); - user = LoadLibrary("USER32.DLL"); - netapi = LoadLibrary("NETAPI32.DLL"); + advapi = LoadLibrary(TEXT("ADVAPI32.DLL")); + kernel = LoadLibrary(TEXT("KERNEL32.DLL")); + user = LoadLibrary(TEXT("USER32.DLL")); + netapi = LoadLibrary(TEXT("NETAPI32.DLL")); +#ifndef OPENSSL_SYS_WINCE #if 1 /* There was previously a problem with NETSTATGET. Currently, this * section is still experimental, but if all goes well, this conditional * will be removed */ if (netapi) { - netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet"); - netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree"); + netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet")); + netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree")); } if (netstatget && netfree) @@ -249,7 +263,9 @@ int RAND_poll(void) if (netapi) FreeLibrary(netapi); #endif /* 1 */ +#endif /* !OPENSSL_SYS_WINCE */ +#ifndef OPENSSL_SYS_WINCE /* It appears like this can cause an exception deep within ADVAPI32.DLL * at random times on Windows 2000. Reported by Jeffrey Altman. * Only use it on NT. @@ -280,30 +296,40 @@ int RAND_poll(void) bufsz += 8192; length = bufsz; - rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, "Global", + rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, TEXT("Global"), NULL, NULL, buf, &length); } if (rc == ERROR_SUCCESS) { /* For entropy count assume only least significant * byte of each DWORD is random. - */ + */ RAND_add(&length, sizeof(length), 0); RAND_add(buf, length, length / 4.0); + + /* Close the Registry Key to allow Windows to cleanup/close + * the open handle + * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened + * when the RegQueryValueEx above is done. However, if + * it is not explicitly closed, it can cause disk + * partition manipulation problems. + */ + RegCloseKey(HKEY_PERFORMANCE_DATA); } if (buf) free(buf); } #endif +#endif /* !OPENSSL_SYS_WINCE */ if (advapi) { acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi, - "CryptAcquireContextA"); + TEXT("CryptAcquireContextA")); gen = (CRYPTGENRANDOM) GetProcAddress(advapi, - "CryptGenRandom"); + TEXT("CryptGenRandom")); release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi, - "CryptReleaseContext"); + TEXT("CryptReleaseContext")); } if (acquire && gen && release) @@ -357,9 +383,9 @@ int RAND_poll(void) GETFOREGROUNDWINDOW win; GETQUEUESTATUS queue; - win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow"); - cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo"); - queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus"); + win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow")); + cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo")); + queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus")); if (win) { @@ -430,17 +456,17 @@ int RAND_poll(void) MODULEENTRY32 m; snap = (CREATETOOLHELP32SNAPSHOT) - GetProcAddress(kernel, "CreateToolhelp32Snapshot"); - heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First"); - heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next"); - heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst"); - heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext"); - process_first = (PROCESS32) GetProcAddress(kernel, "Process32First"); - process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next"); - thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First"); - thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next"); - module_first = (MODULE32) GetProcAddress(kernel, "Module32First"); - module_next = (MODULE32) GetProcAddress(kernel, "Module32Next"); + GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot")); + heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First")); + heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next")); + heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst")); + heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext")); + process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First")); + process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next")); + thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First")); + thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next")); + module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First")); + module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next")); if (snap && heap_first && heap_next && heaplist_first && heaplist_next && process_first && process_next && @@ -575,7 +601,7 @@ static void readtimer(void) DWORD w; LARGE_INTEGER l; static int have_perfc = 1; -#ifdef _MSC_VER +#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE) static int have_tsc = 1; DWORD cyclecount; @@ -628,6 +654,7 @@ static void readtimer(void) static void readscreen(void) { +#ifndef OPENSSL_SYS_WINCE HDC hScrDC; /* screen DC */ HDC hMemDC; /* memory DC */ HBITMAP hBitmap; /* handle for our bitmap */ @@ -641,7 +668,7 @@ static void readscreen(void) int n = 16; /* number of screen lines to grab at a time */ /* Create a screen DC and a memory DC compatible to screen DC */ - hScrDC = CreateDC("DISPLAY", NULL, NULL, NULL); + hScrDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL); hMemDC = CreateCompatibleDC(hScrDC); /* Get screen resolution */ @@ -688,6 +715,7 @@ static void readscreen(void) DeleteObject(hBitmap); DeleteDC(hMemDC); DeleteDC(hScrDC); +#endif /* !OPENSSL_SYS_WINCE */ } #endif diff --git a/src/lib/libcrypto/rand/randtest.c b/src/lib/libcrypto/rand/randtest.c index b64de616db..701932e6ee 100644 --- a/src/lib/libcrypto/rand/randtest.c +++ b/src/lib/libcrypto/rand/randtest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + /* some FIPS 140-1 random number test */ /* some simple tests */ @@ -209,6 +211,6 @@ int main() printf("test 4 done\n"); err: err=((err)?1:0); - exit(err); + EXIT(err); return(err); } diff --git a/src/lib/libcrypto/rc2/rc2test.c b/src/lib/libcrypto/rc2/rc2test.c index d9a2a0a1cb..b67bafb49f 100644 --- a/src/lib/libcrypto/rc2/rc2test.c +++ b/src/lib/libcrypto/rc2/rc2test.c @@ -63,6 +63,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_RC2 int main(int argc, char *argv[]) { @@ -203,7 +205,7 @@ int main(int argc, char *argv[]) printf("ok\n"); #endif - exit(err); + EXIT(err); return(err); } diff --git a/src/lib/libcrypto/rc4/rc4.c b/src/lib/libcrypto/rc4/rc4.c index c2165b0b75..b39c070292 100644 --- a/src/lib/libcrypto/rc4/rc4.c +++ b/src/lib/libcrypto/rc4/rc4.c @@ -155,7 +155,7 @@ bad: i=EVP_read_pw_string(buf,BUFSIZ,"Enter RC4 password:",0); if (i != 0) { - memset(buf,0,BUFSIZ); + OPENSSL_cleanse(buf,BUFSIZ); fprintf(stderr,"bad password read\n"); exit(1); } @@ -163,7 +163,7 @@ bad: } EVP_Digest((unsigned char *)keystr,(unsigned long)strlen(keystr),md,NULL,EVP_md5()); - memset(keystr,0,strlen(keystr)); + OPENSSL_cleanse(keystr,strlen(keystr)); RC4_set_key(&key,MD5_DIGEST_LENGTH,md); for(;;) diff --git a/src/lib/libcrypto/rc4/rc4test.c b/src/lib/libcrypto/rc4/rc4test.c index a28d457c8d..b9d8f20975 100644 --- a/src/lib/libcrypto/rc4/rc4test.c +++ b/src/lib/libcrypto/rc4/rc4test.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_RC4 int main(int argc, char *argv[]) { @@ -195,7 +197,7 @@ int main(int argc, char *argv[]) } } printf("done\n"); - exit(err); + EXIT(err); return(0); } #endif diff --git a/src/lib/libcrypto/rc5/rc5s.cpp b/src/lib/libcrypto/rc5/rc5s.cpp new file mode 100644 index 0000000000..1c5518bc80 --- /dev/null +++ b/src/lib/libcrypto/rc5/rc5s.cpp @@ -0,0 +1,70 @@ +// +// gettsc.inl +// +// gives access to the Pentium's (secret) cycle counter +// +// This software was written by Leonard Janke (janke@unixg.ubc.ca) +// in 1996-7 and is entered, by him, into the public domain. + +#if defined(__WATCOMC__) +void GetTSC(unsigned long&); +#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax]; +#elif defined(__GNUC__) +inline +void GetTSC(unsigned long& tsc) +{ + asm volatile(".byte 15, 49\n\t" + : "=eax" (tsc) + : + : "%edx", "%eax"); +} +#elif defined(_MSC_VER) +inline +void GetTSC(unsigned long& tsc) +{ + unsigned long a; + __asm _emit 0fh + __asm _emit 31h + __asm mov a, eax; + tsc=a; +} +#endif + +#include +#include +#include + +void main(int argc,char *argv[]) + { + RC5_32_KEY key; + unsigned long s1,s2,e1,e2; + unsigned long data[2]; + int i,j; + static unsigned char d[16]={0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}; + + RC5_32_set_key(&key, 16,d,12); + + for (j=0; j<6; j++) + { + for (i=0; i<1000; i++) /**/ + { + RC5_32_encrypt(&data[0],&key); + GetTSC(s1); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + GetTSC(e1); + GetTSC(s2); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + GetTSC(e2); + RC5_32_encrypt(&data[0],&key); + } + + printf("cast %d %d (%d)\n", + e1-s1,e2-s2,((e2-s2)-(e1-s1))); + } + } + diff --git a/src/lib/libcrypto/ripemd/rmd160.c b/src/lib/libcrypto/ripemd/rmd160.c index 4f8b88a18a..b0ec574498 100644 --- a/src/lib/libcrypto/ripemd/rmd160.c +++ b/src/lib/libcrypto/ripemd/rmd160.c @@ -64,7 +64,7 @@ void do_fp(FILE *f); void pt(unsigned char *md); -#ifndef _OSD_POSIX +#if !defined(_OSD_POSIX) && !defined(__DJGPP__) int read(int, void *, unsigned int); #endif diff --git a/src/lib/libcrypto/ripemd/rmdtest.c b/src/lib/libcrypto/ripemd/rmdtest.c index be1fb8b1f6..d4c709e646 100644 --- a/src/lib/libcrypto/ripemd/rmdtest.c +++ b/src/lib/libcrypto/ripemd/rmdtest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_RIPEMD int main(int argc, char *argv[]) { @@ -127,7 +129,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/src/lib/libcrypto/rsa/rsa_test.c b/src/lib/libcrypto/rsa/rsa_test.c index b8b462d33b..924e9ad1f6 100644 --- a/src/lib/libcrypto/rsa/rsa_test.c +++ b/src/lib/libcrypto/rsa/rsa_test.c @@ -16,7 +16,6 @@ int main(int argc, char *argv[]) } #else #include -#include #define SetKey \ key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \ diff --git a/src/lib/libcrypto/sha/sha1test.c b/src/lib/libcrypto/sha/sha1test.c index 499a1cf5af..4f2e4ada2d 100644 --- a/src/lib/libcrypto/sha/sha1test.c +++ b/src/lib/libcrypto/sha/sha1test.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_SHA int main(int argc, char *argv[]) { @@ -155,7 +157,7 @@ int main(int argc, char *argv[]) } else printf("test 3 ok\n"); - exit(err); + EXIT(err); EVP_MD_CTX_cleanup(&c); return(0); } diff --git a/src/lib/libcrypto/sha/sha_one.c b/src/lib/libcrypto/sha/sha_one.c index 5426faae4a..e61c63f3e9 100644 --- a/src/lib/libcrypto/sha/sha_one.c +++ b/src/lib/libcrypto/sha/sha_one.c @@ -59,6 +59,7 @@ #include #include #include +#include #ifndef OPENSSL_NO_SHA0 unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md) @@ -70,7 +71,7 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md) SHA_Init(&c); SHA_Update(&c,d,n); SHA_Final(md,&c); - memset(&c,0,sizeof(c)); + OPENSSL_cleanse(&c,sizeof(c)); return(md); } #endif diff --git a/src/lib/libcrypto/sha/shatest.c b/src/lib/libcrypto/sha/shatest.c index 331294a74f..5d2b1d3b1a 100644 --- a/src/lib/libcrypto/sha/shatest.c +++ b/src/lib/libcrypto/sha/shatest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_SHA int main(int argc, char *argv[]) { @@ -156,7 +158,7 @@ int main(int argc, char *argv[]) else printf("test 3 ok\n"); EVP_MD_CTX_cleanup(&c); - exit(err); + EXIT(err); return(0); } diff --git a/src/lib/libcrypto/threads/mttest.c b/src/lib/libcrypto/threads/mttest.c index 7142e4edc7..54d598565d 100644 --- a/src/lib/libcrypto/threads/mttest.c +++ b/src/lib/libcrypto/threads/mttest.c @@ -86,11 +86,6 @@ #include #include -#ifdef OPENSSL_NO_FP_API -#define APPS_WIN16 -#include "../buffer/bss_file.c" -#endif - #define TEST_SERVER_CERT "../../apps/server.pem" #define TEST_CLIENT_CERT "../../apps/client.pem" diff --git a/src/lib/libcrypto/tmdiff.c b/src/lib/libcrypto/tmdiff.c index 7ebf2b202a..307523ebba 100644 --- a/src/lib/libcrypto/tmdiff.c +++ b/src/lib/libcrypto/tmdiff.c @@ -59,13 +59,16 @@ #include #include "cryptlib.h" #include +#if !defined(OPENSSL_SYS_MSDOS) +#include OPENSSL_UNISTD +#endif #ifdef TIMEB #undef OPENSSL_SYS_WIN32 #undef TIMES #endif -#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) || defined(__DECC) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_VXWORKS) +#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !(defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX_RHAPSODY) && !defined(OPENSSL_SYS_VXWORKS) # define TIMES #endif @@ -101,14 +104,19 @@ /* The following if from times(3) man page. It may need to be changed */ #ifndef HZ -# ifndef CLK_TCK -# ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ -# define HZ 100.0 -# else /* _BSD_CLK_TCK_ */ -# define HZ ((double)_BSD_CLK_TCK_) +# if defined(_SC_CLK_TCK) \ + && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000) +# define HZ ((double)sysconf(_SC_CLK_TCK)) +# else +# ifndef CLK_TCK +# ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ +# define HZ 100.0 +# else /* _BSD_CLK_TCK_ */ +# define HZ ((double)_BSD_CLK_TCK_) +# endif +# else /* CLK_TCK */ +# define HZ ((double)CLK_TCK) # endif -# else /* CLK_TCK */ -# define HZ ((double)CLK_TCK) # endif #endif @@ -121,7 +129,7 @@ typedef struct ms_tm HANDLE thread_id; FILETIME ms_win32; # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS unsigned long ticks; # else struct timeb ms_timeb; @@ -163,7 +171,7 @@ void ms_time_get(char *a) # ifdef OPENSSL_SYS_WIN32 GetThreadTimes(tm->thread_id,&tmpa,&tmpb,&tmpc,&(tm->ms_win32)); # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS tm->ticks = tickGet(); # else ftime(&tm->ms_timeb); @@ -197,7 +205,7 @@ double ms_time_diff(char *ap, char *bp) ret=((double)(lb-la))/1e7; } # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS ret = (double)(b->ticks - a->ticks) / (double)sysClkRateGet(); # else ret= (double)(b->ms_timeb.time-a->ms_timeb.time)+ @@ -222,7 +230,7 @@ int ms_time_cmp(char *ap, char *bp) d =(b->ms_win32.dwHighDateTime&0x000fffff)*10+b->ms_win32.dwLowDateTime/1e7; d-=(a->ms_win32.dwHighDateTime&0x000fffff)*10+a->ms_win32.dwLowDateTime/1e7; # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS d = (b->ticks - a->ticks); # else d= (double)(b->ms_timeb.time-a->ms_timeb.time)+ diff --git a/src/lib/libcrypto/uid.c b/src/lib/libcrypto/uid.c index d3d249c36f..73205a4baa 100644 --- a/src/lib/libcrypto/uid.c +++ b/src/lib/libcrypto/uid.c @@ -65,7 +65,7 @@ int OPENSSL_issetugid(void) return issetugid(); } -#elif defined(OPENSSL_SYS_WIN32) +#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) int OPENSSL_issetugid(void) { diff --git a/src/lib/libcrypto/util/bat.sh b/src/lib/libcrypto/util/bat.sh index c6f48e8a7b..4d9a8287d0 100644 --- a/src/lib/libcrypto/util/bat.sh +++ b/src/lib/libcrypto/util/bat.sh @@ -62,6 +62,7 @@ sub var_add local($dir,$val)=@_; local(@a,$_,$ret); + return("") if $no_engine && $dir =~ /\/engine/; return("") if $no_idea && $dir =~ /\/idea/; return("") if $no_rc2 && $dir =~ /\/rc2/; return("") if $no_rc4 && $dir =~ /\/rc4/; @@ -116,6 +117,7 @@ sub var_add @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1; @a=grep(!/_mdc2$/,@a) if $no_mdc2; + @a=grep(!/^engine$/,@a) if $no_engine; @a=grep(!/(^rsa$)|(^genrsa$)|(^req$)|(^ca$)/,@a) if $no_rsa; @a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa; @a=grep(!/^gendsa$/,@a) if $no_sha1; diff --git a/src/lib/libcrypto/util/cygwin.sh b/src/lib/libcrypto/util/cygwin.sh index b607399b02..930f766b4f 100644 --- a/src/lib/libcrypto/util/cygwin.sh +++ b/src/lib/libcrypto/util/cygwin.sh @@ -96,6 +96,8 @@ fi get_openssl_version +make depend || exit 1 + make || exit 1 base_install diff --git a/src/lib/libcrypto/util/domd b/src/lib/libcrypto/util/domd index 8cbe383c16..49310bbdd1 100644 --- a/src/lib/libcrypto/util/domd +++ b/src/lib/libcrypto/util/domd @@ -15,9 +15,14 @@ cp Makefile.ssl Makefile.save # fake the presence of Kerberos touch $TOP/krb5.h if [ "$MAKEDEPEND" = "gcc" ]; then + args="" + while [ $# -gt 0 ]; do + if [ "$1" != "--" ]; then args="$args $1"; fi + shift + done sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp - gcc -D OPENSSL_DOING_MAKEDEPEND -M $@ >> Makefile.tmp + gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new rm -f Makefile.tmp else diff --git a/src/lib/libcrypto/util/extract-names.pl b/src/lib/libcrypto/util/extract-names.pl new file mode 100644 index 0000000000..d413a045cc --- /dev/null +++ b/src/lib/libcrypto/util/extract-names.pl @@ -0,0 +1,22 @@ +#!/usr/bin/perl + +$/ = ""; # Eat a paragraph at once. +while() { + chop; + s/\n/ /gm; + if (/^=head1 /) { + $name = 0; + } elsif ($name) { + if (/ - /) { + s/ - .*//; + s/[ \t,]+/ /g; + push @words, split ' '; + } + } + if (/^=head1 *NAME *$/) { + $name = 1; + } +} + +print join("\n", @words),"\n"; + diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num index 7e5728495f..f5c8c0be8a 100644 --- a/src/lib/libcrypto/util/libeay.num +++ b/src/lib/libcrypto/util/libeay.num @@ -980,7 +980,7 @@ BN_mul_word 999 EXIST::FUNCTION: BN_sub_word 1000 EXIST::FUNCTION: BN_dec2bn 1001 EXIST::FUNCTION: BN_bn2dec 1002 EXIST::FUNCTION: -BIO_ghbn_ctrl 1003 EXIST::FUNCTION: +BIO_ghbn_ctrl 1003 NOEXIST::FUNCTION: CRYPTO_free_ex_data 1004 EXIST::FUNCTION: CRYPTO_get_ex_data 1005 EXIST::FUNCTION: CRYPTO_set_ex_data 1007 EXIST::FUNCTION: @@ -1881,72 +1881,72 @@ BIO_f_linebuffer 2463 EXIST:VMS:FUNCTION: BN_bntest_rand 2464 EXIST::FUNCTION: OPENSSL_issetugid 2465 EXIST::FUNCTION: BN_rand_range 2466 EXIST::FUNCTION: -ERR_load_ENGINE_strings 2467 EXIST::FUNCTION: -ENGINE_set_DSA 2468 EXIST::FUNCTION: -ENGINE_get_finish_function 2469 EXIST::FUNCTION: -ENGINE_get_default_RSA 2470 EXIST::FUNCTION: +ERR_load_ENGINE_strings 2467 EXIST::FUNCTION:ENGINE +ENGINE_set_DSA 2468 EXIST::FUNCTION:ENGINE +ENGINE_get_finish_function 2469 EXIST::FUNCTION:ENGINE +ENGINE_get_default_RSA 2470 EXIST::FUNCTION:ENGINE ENGINE_get_BN_mod_exp 2471 NOEXIST::FUNCTION: DSA_get_default_openssl_method 2472 NOEXIST::FUNCTION: -ENGINE_set_DH 2473 EXIST::FUNCTION: +ENGINE_set_DH 2473 EXIST::FUNCTION:ENGINE ENGINE_set_def_BN_mod_exp_crt 2474 NOEXIST::FUNCTION: ENGINE_set_default_BN_mod_exp_crt 2474 NOEXIST::FUNCTION: -ENGINE_init 2475 EXIST::FUNCTION: +ENGINE_init 2475 EXIST::FUNCTION:ENGINE DH_get_default_openssl_method 2476 NOEXIST::FUNCTION: RSA_set_default_openssl_method 2477 NOEXIST::FUNCTION: -ENGINE_finish 2478 EXIST::FUNCTION: -ENGINE_load_public_key 2479 EXIST::FUNCTION: -ENGINE_get_DH 2480 EXIST::FUNCTION: -ENGINE_ctrl 2481 EXIST::FUNCTION: -ENGINE_get_init_function 2482 EXIST::FUNCTION: -ENGINE_set_init_function 2483 EXIST::FUNCTION: -ENGINE_set_default_DSA 2484 EXIST::FUNCTION: -ENGINE_get_name 2485 EXIST::FUNCTION: -ENGINE_get_last 2486 EXIST::FUNCTION: -ENGINE_get_prev 2487 EXIST::FUNCTION: -ENGINE_get_default_DH 2488 EXIST::FUNCTION: -ENGINE_get_RSA 2489 EXIST::FUNCTION: -ENGINE_set_default 2490 EXIST::FUNCTION: -ENGINE_get_RAND 2491 EXIST::FUNCTION: -ENGINE_get_first 2492 EXIST::FUNCTION: -ENGINE_by_id 2493 EXIST::FUNCTION: -ENGINE_set_finish_function 2494 EXIST::FUNCTION: +ENGINE_finish 2478 EXIST::FUNCTION:ENGINE +ENGINE_load_public_key 2479 EXIST::FUNCTION:ENGINE +ENGINE_get_DH 2480 EXIST::FUNCTION:ENGINE +ENGINE_ctrl 2481 EXIST::FUNCTION:ENGINE +ENGINE_get_init_function 2482 EXIST::FUNCTION:ENGINE +ENGINE_set_init_function 2483 EXIST::FUNCTION:ENGINE +ENGINE_set_default_DSA 2484 EXIST::FUNCTION:ENGINE +ENGINE_get_name 2485 EXIST::FUNCTION:ENGINE +ENGINE_get_last 2486 EXIST::FUNCTION:ENGINE +ENGINE_get_prev 2487 EXIST::FUNCTION:ENGINE +ENGINE_get_default_DH 2488 EXIST::FUNCTION:ENGINE +ENGINE_get_RSA 2489 EXIST::FUNCTION:ENGINE +ENGINE_set_default 2490 EXIST::FUNCTION:ENGINE +ENGINE_get_RAND 2491 EXIST::FUNCTION:ENGINE +ENGINE_get_first 2492 EXIST::FUNCTION:ENGINE +ENGINE_by_id 2493 EXIST::FUNCTION:ENGINE +ENGINE_set_finish_function 2494 EXIST::FUNCTION:ENGINE ENGINE_get_def_BN_mod_exp_crt 2495 NOEXIST::FUNCTION: ENGINE_get_default_BN_mod_exp_crt 2495 NOEXIST::FUNCTION: RSA_get_default_openssl_method 2496 NOEXIST::FUNCTION: -ENGINE_set_RSA 2497 EXIST::FUNCTION: -ENGINE_load_private_key 2498 EXIST::FUNCTION: -ENGINE_set_default_RAND 2499 EXIST::FUNCTION: +ENGINE_set_RSA 2497 EXIST::FUNCTION:ENGINE +ENGINE_load_private_key 2498 EXIST::FUNCTION:ENGINE +ENGINE_set_default_RAND 2499 EXIST::FUNCTION:ENGINE ENGINE_set_BN_mod_exp 2500 NOEXIST::FUNCTION: -ENGINE_remove 2501 EXIST::FUNCTION: -ENGINE_free 2502 EXIST::FUNCTION: +ENGINE_remove 2501 EXIST::FUNCTION:ENGINE +ENGINE_free 2502 EXIST::FUNCTION:ENGINE ENGINE_get_BN_mod_exp_crt 2503 NOEXIST::FUNCTION: -ENGINE_get_next 2504 EXIST::FUNCTION: -ENGINE_set_name 2505 EXIST::FUNCTION: -ENGINE_get_default_DSA 2506 EXIST::FUNCTION: +ENGINE_get_next 2504 EXIST::FUNCTION:ENGINE +ENGINE_set_name 2505 EXIST::FUNCTION:ENGINE +ENGINE_get_default_DSA 2506 EXIST::FUNCTION:ENGINE ENGINE_set_default_BN_mod_exp 2507 NOEXIST::FUNCTION: -ENGINE_set_default_RSA 2508 EXIST::FUNCTION: -ENGINE_get_default_RAND 2509 EXIST::FUNCTION: +ENGINE_set_default_RSA 2508 EXIST::FUNCTION:ENGINE +ENGINE_get_default_RAND 2509 EXIST::FUNCTION:ENGINE ENGINE_get_default_BN_mod_exp 2510 NOEXIST::FUNCTION: -ENGINE_set_RAND 2511 EXIST::FUNCTION: -ENGINE_set_id 2512 EXIST::FUNCTION: +ENGINE_set_RAND 2511 EXIST::FUNCTION:ENGINE +ENGINE_set_id 2512 EXIST::FUNCTION:ENGINE ENGINE_set_BN_mod_exp_crt 2513 NOEXIST::FUNCTION: -ENGINE_set_default_DH 2514 EXIST::FUNCTION: -ENGINE_new 2515 EXIST::FUNCTION: -ENGINE_get_id 2516 EXIST::FUNCTION: +ENGINE_set_default_DH 2514 EXIST::FUNCTION:ENGINE +ENGINE_new 2515 EXIST::FUNCTION:ENGINE +ENGINE_get_id 2516 EXIST::FUNCTION:ENGINE DSA_set_default_openssl_method 2517 NOEXIST::FUNCTION: -ENGINE_add 2518 EXIST::FUNCTION: +ENGINE_add 2518 EXIST::FUNCTION:ENGINE DH_set_default_openssl_method 2519 NOEXIST::FUNCTION: -ENGINE_get_DSA 2520 EXIST::FUNCTION: -ENGINE_get_ctrl_function 2521 EXIST::FUNCTION: -ENGINE_set_ctrl_function 2522 EXIST::FUNCTION: +ENGINE_get_DSA 2520 EXIST::FUNCTION:ENGINE +ENGINE_get_ctrl_function 2521 EXIST::FUNCTION:ENGINE +ENGINE_set_ctrl_function 2522 EXIST::FUNCTION:ENGINE BN_pseudo_rand_range 2523 EXIST::FUNCTION: X509_STORE_CTX_set_verify_cb 2524 EXIST::FUNCTION: ERR_load_COMP_strings 2525 EXIST::FUNCTION: PKCS12_item_decrypt_d2i 2526 EXIST::FUNCTION: ASN1_UTF8STRING_it 2527 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_UTF8STRING_it 2527 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_unregister_ciphers 2528 EXIST::FUNCTION: -ENGINE_get_ciphers 2529 EXIST::FUNCTION: +ENGINE_unregister_ciphers 2528 EXIST::FUNCTION:ENGINE +ENGINE_get_ciphers 2529 EXIST::FUNCTION:ENGINE d2i_OCSP_BASICRESP 2530 EXIST::FUNCTION: KRB5_CHECKSUM_it 2531 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: KRB5_CHECKSUM_it 2531 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -1959,15 +1959,15 @@ X509V3_add1_i2d 2536 EXIST::FUNCTION: PKCS7_ENVELOPE_it 2537 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKCS7_ENVELOPE_it 2537 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: UI_add_input_boolean 2538 EXIST::FUNCTION: -ENGINE_unregister_RSA 2539 EXIST::FUNCTION: +ENGINE_unregister_RSA 2539 EXIST::FUNCTION:ENGINE X509V3_EXT_nconf 2540 EXIST::FUNCTION: ASN1_GENERALSTRING_free 2541 EXIST::FUNCTION: d2i_OCSP_CERTSTATUS 2542 EXIST::FUNCTION: X509_REVOKED_set_serialNumber 2543 EXIST::FUNCTION: X509_print_ex 2544 EXIST::FUNCTION:BIO OCSP_ONEREQ_get1_ext_d2i 2545 EXIST::FUNCTION: -ENGINE_register_all_RAND 2546 EXIST::FUNCTION: -ENGINE_load_dynamic 2547 EXIST::FUNCTION: +ENGINE_register_all_RAND 2546 EXIST::FUNCTION:ENGINE +ENGINE_load_dynamic 2547 EXIST::FUNCTION:ENGINE PBKDF2PARAM_it 2548 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PBKDF2PARAM_it 2548 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: EXTENDED_KEY_USAGE_new 2549 EXIST::FUNCTION: @@ -1987,7 +1987,7 @@ X509_STORE_set_purpose 2559 EXIST::FUNCTION: i2d_ASN1_GENERALSTRING 2560 EXIST::FUNCTION: OCSP_response_status 2561 EXIST::FUNCTION: i2d_OCSP_SERVICELOC 2562 EXIST::FUNCTION: -ENGINE_get_digest_engine 2563 EXIST::FUNCTION: +ENGINE_get_digest_engine 2563 EXIST::FUNCTION:ENGINE EC_GROUP_set_curve_GFp 2564 EXIST::FUNCTION:EC OCSP_REQUEST_get_ext_by_OBJ 2565 EXIST::FUNCTION: _ossl_old_des_random_key 2566 EXIST::FUNCTION:DES @@ -2011,7 +2011,7 @@ _shadow_DES_rw_mode 2581 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA _shadow_DES_rw_mode 2581 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DES asn1_do_adb 2582 EXIST::FUNCTION: ASN1_template_i2d 2583 EXIST::FUNCTION: -ENGINE_register_DH 2584 EXIST::FUNCTION: +ENGINE_register_DH 2584 EXIST::FUNCTION:ENGINE UI_construct_prompt 2585 EXIST::FUNCTION: X509_STORE_set_trust 2586 EXIST::FUNCTION: UI_dup_input_string 2587 EXIST::FUNCTION: @@ -2039,7 +2039,7 @@ OCSP_resp_find 2605 EXIST::FUNCTION: BN_nnmod 2606 EXIST::FUNCTION: X509_CRL_sort 2607 EXIST::FUNCTION: X509_REVOKED_set_revocationDate 2608 EXIST::FUNCTION: -ENGINE_register_RAND 2609 EXIST::FUNCTION: +ENGINE_register_RAND 2609 EXIST::FUNCTION:ENGINE OCSP_SERVICELOC_new 2610 EXIST::FUNCTION: EC_POINT_set_affine_coordinates_GFp 2611 EXIST:!VMS:FUNCTION:EC EC_POINT_set_affine_coords_GFp 2611 EXIST:VMS:FUNCTION:EC @@ -2049,11 +2049,11 @@ SXNET_it 2613 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI UI_dup_input_boolean 2614 EXIST::FUNCTION: PKCS12_add_CSPName_asc 2615 EXIST::FUNCTION: EC_POINT_is_at_infinity 2616 EXIST::FUNCTION:EC -ENGINE_load_openbsd_dev_crypto 2617 EXIST::FUNCTION: +ENGINE_load_cryptodev 2617 EXIST::FUNCTION:ENGINE DSO_convert_filename 2618 EXIST::FUNCTION: POLICYQUALINFO_it 2619 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: POLICYQUALINFO_it 2619 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_register_ciphers 2620 EXIST::FUNCTION: +ENGINE_register_ciphers 2620 EXIST::FUNCTION:ENGINE BN_mod_lshift_quick 2621 EXIST::FUNCTION: DSO_set_filename 2622 EXIST::FUNCTION: ASN1_item_free 2623 EXIST::FUNCTION: @@ -2062,7 +2062,7 @@ AUTHORITY_KEYID_it 2625 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA AUTHORITY_KEYID_it 2625 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: KRB5_APREQBODY_new 2626 EXIST::FUNCTION: X509V3_EXT_REQ_add_nconf 2627 EXIST::FUNCTION: -ENGINE_ctrl_cmd_string 2628 EXIST::FUNCTION: +ENGINE_ctrl_cmd_string 2628 EXIST::FUNCTION:ENGINE i2d_OCSP_RESPDATA 2629 EXIST::FUNCTION: EVP_MD_CTX_init 2630 EXIST::FUNCTION: EXTENDED_KEY_USAGE_free 2631 EXIST::FUNCTION: @@ -2071,8 +2071,8 @@ PKCS7_ATTR_SIGN_it 2632 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI UI_add_error_string 2633 EXIST::FUNCTION: KRB5_CHECKSUM_free 2634 EXIST::FUNCTION: OCSP_REQUEST_get_ext 2635 EXIST::FUNCTION: -ENGINE_load_ubsec 2636 EXIST::FUNCTION: -ENGINE_register_all_digests 2637 EXIST::FUNCTION: +ENGINE_load_ubsec 2636 EXIST::FUNCTION:ENGINE +ENGINE_register_all_digests 2637 EXIST::FUNCTION:ENGINE PKEY_USAGE_PERIOD_it 2638 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKEY_USAGE_PERIOD_it 2638 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: PKCS12_unpack_authsafes 2639 EXIST::FUNCTION: @@ -2098,16 +2098,16 @@ OCSP_CERTSTATUS_free 2653 EXIST::FUNCTION: _ossl_old_des_crypt 2654 EXIST::FUNCTION:DES ASN1_item_i2d 2655 EXIST::FUNCTION: EVP_DecryptFinal_ex 2656 EXIST::FUNCTION: -ENGINE_load_openssl 2657 EXIST::FUNCTION: -ENGINE_get_cmd_defns 2658 EXIST::FUNCTION: -ENGINE_set_load_privkey_function 2659 EXIST:!VMS:FUNCTION: -ENGINE_set_load_privkey_fn 2659 EXIST:VMS:FUNCTION: +ENGINE_load_openssl 2657 EXIST::FUNCTION:ENGINE +ENGINE_get_cmd_defns 2658 EXIST::FUNCTION:ENGINE +ENGINE_set_load_privkey_function 2659 EXIST:!VMS:FUNCTION:ENGINE +ENGINE_set_load_privkey_fn 2659 EXIST:VMS:FUNCTION:ENGINE EVP_EncryptFinal_ex 2660 EXIST::FUNCTION: -ENGINE_set_default_digests 2661 EXIST::FUNCTION: +ENGINE_set_default_digests 2661 EXIST::FUNCTION:ENGINE X509_get0_pubkey_bitstr 2662 EXIST::FUNCTION: asn1_ex_i2c 2663 EXIST::FUNCTION: -ENGINE_register_RSA 2664 EXIST::FUNCTION: -ENGINE_unregister_DSA 2665 EXIST::FUNCTION: +ENGINE_register_RSA 2664 EXIST::FUNCTION:ENGINE +ENGINE_unregister_DSA 2665 EXIST::FUNCTION:ENGINE _ossl_old_des_key_sched 2666 EXIST::FUNCTION:DES X509_EXTENSION_it 2667 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_EXTENSION_it 2667 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2120,7 +2120,7 @@ PKCS12_certbag2x509 2672 EXIST::FUNCTION: _ossl_old_des_ofb64_encrypt 2673 EXIST::FUNCTION:DES d2i_EXTENDED_KEY_USAGE 2674 EXIST::FUNCTION: ERR_print_errors_cb 2675 EXIST::FUNCTION: -ENGINE_set_ciphers 2676 EXIST::FUNCTION: +ENGINE_set_ciphers 2676 EXIST::FUNCTION:ENGINE d2i_KRB5_APREQBODY 2677 EXIST::FUNCTION: UI_method_get_flusher 2678 EXIST::FUNCTION: X509_PUBKEY_it 2679 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2156,7 +2156,7 @@ NCONF_get_number_e 2704 EXIST::FUNCTION: _ossl_old_des_decrypt3 2705 EXIST::FUNCTION:DES X509_signature_print 2706 EXIST::FUNCTION:EVP OCSP_SINGLERESP_free 2707 EXIST::FUNCTION: -ENGINE_load_builtin_engines 2708 EXIST::FUNCTION: +ENGINE_load_builtin_engines 2708 EXIST::FUNCTION:ENGINE i2d_OCSP_ONEREQ 2709 EXIST::FUNCTION: OCSP_REQUEST_add_ext 2710 EXIST::FUNCTION: OCSP_RESPBYTES_new 2711 EXIST::FUNCTION: @@ -2184,7 +2184,7 @@ X509_CERT_AUX_it 2727 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI CERTIFICATEPOLICIES_it 2728 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: CERTIFICATEPOLICIES_it 2728 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: _ossl_old_des_ede3_cbc_encrypt 2729 EXIST::FUNCTION:DES -RAND_set_rand_engine 2730 EXIST::FUNCTION: +RAND_set_rand_engine 2730 EXIST::FUNCTION:ENGINE DSO_get_loaded_filename 2731 EXIST::FUNCTION: X509_ATTRIBUTE_it 2732 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_ATTRIBUTE_it 2732 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2206,7 +2206,7 @@ i2d_OCSP_BASICRESP 2744 EXIST::FUNCTION: i2d_OCSP_RESPBYTES 2745 EXIST::FUNCTION: PKCS12_unpack_p7encdata 2746 EXIST::FUNCTION: HMAC_CTX_init 2747 EXIST::FUNCTION:HMAC -ENGINE_get_digest 2748 EXIST::FUNCTION: +ENGINE_get_digest 2748 EXIST::FUNCTION:ENGINE OCSP_RESPONSE_print 2749 EXIST::FUNCTION: KRB5_TKTBODY_it 2750 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: KRB5_TKTBODY_it 2750 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2219,16 +2219,16 @@ PBE2PARAM_it 2753 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI PKCS12_certbag2x509crl 2754 EXIST::FUNCTION: PKCS7_SIGNED_it 2755 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKCS7_SIGNED_it 2755 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_get_cipher 2756 EXIST::FUNCTION: +ENGINE_get_cipher 2756 EXIST::FUNCTION:ENGINE i2d_OCSP_CRLID 2757 EXIST::FUNCTION: OCSP_SINGLERESP_new 2758 EXIST::FUNCTION: -ENGINE_cmd_is_executable 2759 EXIST::FUNCTION: +ENGINE_cmd_is_executable 2759 EXIST::FUNCTION:ENGINE RSA_up_ref 2760 EXIST::FUNCTION:RSA ASN1_GENERALSTRING_it 2761 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_GENERALSTRING_it 2761 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_register_DSA 2762 EXIST::FUNCTION: +ENGINE_register_DSA 2762 EXIST::FUNCTION:ENGINE X509V3_EXT_add_nconf_sk 2763 EXIST::FUNCTION: -ENGINE_set_load_pubkey_function 2764 EXIST::FUNCTION: +ENGINE_set_load_pubkey_function 2764 EXIST::FUNCTION:ENGINE PKCS8_decrypt 2765 EXIST::FUNCTION: PEM_bytes_read_bio 2766 EXIST::FUNCTION:BIO DIRECTORYSTRING_it 2767 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2265,7 +2265,7 @@ UI_method_set_flusher 2789 EXIST::FUNCTION: X509_ocspid_print 2790 EXIST::FUNCTION:BIO KRB5_ENCDATA_it 2791 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: KRB5_ENCDATA_it 2791 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_get_load_pubkey_function 2792 EXIST::FUNCTION: +ENGINE_get_load_pubkey_function 2792 EXIST::FUNCTION:ENGINE UI_add_user_data 2793 EXIST::FUNCTION: OCSP_REQUEST_delete_ext 2794 EXIST::FUNCTION: UI_get_method 2795 EXIST::FUNCTION: @@ -2289,16 +2289,16 @@ ASN1_FBOOLEAN_it 2806 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA ASN1_FBOOLEAN_it 2806 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: UI_set_ex_data 2807 EXIST::FUNCTION: _ossl_old_des_string_to_key 2808 EXIST::FUNCTION:DES -ENGINE_register_all_RSA 2809 EXIST::FUNCTION: +ENGINE_register_all_RSA 2809 EXIST::FUNCTION:ENGINE d2i_KRB5_PRINCNAME 2810 EXIST::FUNCTION: OCSP_RESPBYTES_it 2811 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: OCSP_RESPBYTES_it 2811 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: X509_CINF_it 2812 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_CINF_it 2812 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_unregister_digests 2813 EXIST::FUNCTION: +ENGINE_unregister_digests 2813 EXIST::FUNCTION:ENGINE d2i_EDIPARTYNAME 2814 EXIST::FUNCTION: d2i_OCSP_SERVICELOC 2815 EXIST::FUNCTION: -ENGINE_get_digests 2816 EXIST::FUNCTION: +ENGINE_get_digests 2816 EXIST::FUNCTION:ENGINE _ossl_old_des_set_odd_parity 2817 EXIST::FUNCTION:DES OCSP_RESPDATA_free 2818 EXIST::FUNCTION: d2i_KRB5_TICKET 2819 EXIST::FUNCTION: @@ -2309,7 +2309,7 @@ d2i_ASN1_GENERALSTRING 2822 EXIST::FUNCTION: X509_CRL_set_version 2823 EXIST::FUNCTION: BN_mod_sub 2824 EXIST::FUNCTION: OCSP_SINGLERESP_get_ext_by_NID 2825 EXIST::FUNCTION: -ENGINE_get_ex_new_index 2826 EXIST::FUNCTION: +ENGINE_get_ex_new_index 2826 EXIST::FUNCTION:ENGINE OCSP_REQUEST_free 2827 EXIST::FUNCTION: OCSP_REQUEST_add1_ext_i2d 2828 EXIST::FUNCTION: X509_VAL_it 2829 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2343,7 +2343,7 @@ EC_POINT_method_of 2852 EXIST::FUNCTION:EC i2d_KRB5_APREQBODY 2853 EXIST::FUNCTION: _ossl_old_des_ecb3_encrypt 2854 EXIST::FUNCTION:DES CRYPTO_get_mem_ex_functions 2855 EXIST::FUNCTION: -ENGINE_get_ex_data 2856 EXIST::FUNCTION: +ENGINE_get_ex_data 2856 EXIST::FUNCTION:ENGINE UI_destroy_method 2857 EXIST::FUNCTION: ASN1_item_i2d_bio 2858 EXIST::FUNCTION:BIO OCSP_ONEREQ_get_ext_by_OBJ 2859 EXIST::FUNCTION: @@ -2367,7 +2367,7 @@ PKCS12_SAFEBAGS_it 2872 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA PKCS12_SAFEBAGS_it 2872 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: d2i_OCSP_SIGNATURE 2873 EXIST::FUNCTION: OCSP_request_add1_nonce 2874 EXIST::FUNCTION: -ENGINE_set_cmd_defns 2875 EXIST::FUNCTION: +ENGINE_set_cmd_defns 2875 EXIST::FUNCTION:ENGINE OCSP_SERVICELOC_free 2876 EXIST::FUNCTION: EC_GROUP_free 2877 EXIST::FUNCTION:EC ASN1_BIT_STRING_it 2878 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2384,7 +2384,7 @@ EC_GROUP_new_curve_GFp 2885 EXIST::FUNCTION:EC OCSP_REQUEST_get1_ext_d2i 2886 EXIST::FUNCTION: PKCS12_item_pack_safebag 2887 EXIST::FUNCTION: asn1_ex_c2i 2888 EXIST::FUNCTION: -ENGINE_register_digests 2889 EXIST::FUNCTION: +ENGINE_register_digests 2889 EXIST::FUNCTION:ENGINE i2d_OCSP_REVOKEDINFO 2890 EXIST::FUNCTION: asn1_enc_restore 2891 EXIST::FUNCTION: UI_free 2892 EXIST::FUNCTION: @@ -2395,7 +2395,7 @@ EC_POINT_invert 2896 EXIST::FUNCTION:EC OCSP_basic_sign 2897 EXIST::FUNCTION: i2d_OCSP_RESPID 2898 EXIST::FUNCTION: OCSP_check_nonce 2899 EXIST::FUNCTION: -ENGINE_ctrl_cmd 2900 EXIST::FUNCTION: +ENGINE_ctrl_cmd 2900 EXIST::FUNCTION:ENGINE d2i_KRB5_ENCKEY 2901 EXIST::FUNCTION: OCSP_parse_url 2902 EXIST::FUNCTION: OCSP_SINGLERESP_get_ext 2903 EXIST::FUNCTION: @@ -2403,12 +2403,12 @@ OCSP_CRLID_free 2904 EXIST::FUNCTION: OCSP_BASICRESP_get1_ext_d2i 2905 EXIST::FUNCTION: RSAPrivateKey_it 2906 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA RSAPrivateKey_it 2906 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA -ENGINE_register_all_DH 2907 EXIST::FUNCTION: +ENGINE_register_all_DH 2907 EXIST::FUNCTION:ENGINE i2d_EDIPARTYNAME 2908 EXIST::FUNCTION: EC_POINT_get_affine_coordinates_GFp 2909 EXIST:!VMS:FUNCTION:EC EC_POINT_get_affine_coords_GFp 2909 EXIST:VMS:FUNCTION:EC OCSP_CRLID_new 2910 EXIST::FUNCTION: -ENGINE_get_flags 2911 EXIST::FUNCTION: +ENGINE_get_flags 2911 EXIST::FUNCTION:ENGINE OCSP_ONEREQ_it 2912 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: OCSP_ONEREQ_it 2912 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: UI_process 2913 EXIST::FUNCTION: @@ -2416,8 +2416,8 @@ ASN1_INTEGER_it 2914 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA ASN1_INTEGER_it 2914 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: EVP_CipherInit_ex 2915 EXIST::FUNCTION: UI_get_string_type 2916 EXIST::FUNCTION: -ENGINE_unregister_DH 2917 EXIST::FUNCTION: -ENGINE_register_all_DSA 2918 EXIST::FUNCTION: +ENGINE_unregister_DH 2917 EXIST::FUNCTION:ENGINE +ENGINE_register_all_DSA 2918 EXIST::FUNCTION:ENGINE OCSP_ONEREQ_get_ext_by_critical 2919 EXIST::FUNCTION: bn_dup_expand 2920 EXIST::FUNCTION: OCSP_cert_id_new 2921 EXIST::FUNCTION: @@ -2438,11 +2438,11 @@ BN_mod_sub_quick 2933 EXIST::FUNCTION: OCSP_ONEREQ_add_ext 2934 EXIST::FUNCTION: OCSP_request_sign 2935 EXIST::FUNCTION: EVP_DigestFinal_ex 2936 EXIST::FUNCTION: -ENGINE_set_digests 2937 EXIST::FUNCTION: +ENGINE_set_digests 2937 EXIST::FUNCTION:ENGINE OCSP_id_issuer_cmp 2938 EXIST::FUNCTION: OBJ_NAME_do_all 2939 EXIST::FUNCTION: EC_POINTs_mul 2940 EXIST::FUNCTION:EC -ENGINE_register_complete 2941 EXIST::FUNCTION: +ENGINE_register_complete 2941 EXIST::FUNCTION:ENGINE X509V3_EXT_nconf_nid 2942 EXIST::FUNCTION: ASN1_SEQUENCE_it 2943 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_SEQUENCE_it 2943 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2451,7 +2451,7 @@ RAND_query_egd_bytes 2945 EXIST::FUNCTION: UI_method_get_writer 2946 EXIST::FUNCTION: UI_OpenSSL 2947 EXIST::FUNCTION: PEM_def_callback 2948 EXIST::FUNCTION: -ENGINE_cleanup 2949 EXIST::FUNCTION: +ENGINE_cleanup 2949 EXIST::FUNCTION:ENGINE DIST_POINT_it 2950 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: DIST_POINT_it 2950 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: OCSP_SINGLERESP_it 2951 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2475,7 +2475,7 @@ OCSP_RESPID_new 2967 EXIST::FUNCTION: OCSP_RESPDATA_it 2968 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: OCSP_RESPDATA_it 2968 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: d2i_OCSP_RESPDATA 2969 EXIST::FUNCTION: -ENGINE_register_all_complete 2970 EXIST::FUNCTION: +ENGINE_register_all_complete 2970 EXIST::FUNCTION:ENGINE OCSP_check_validity 2971 EXIST::FUNCTION: PKCS12_BAGS_it 2972 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKCS12_BAGS_it 2972 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2487,7 +2487,7 @@ KRB5_AUTHENTBODY_it 2976 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI X509_supported_extension 2977 EXIST::FUNCTION: i2d_KRB5_AUTHDATA 2978 EXIST::FUNCTION: UI_method_get_opener 2979 EXIST::FUNCTION: -ENGINE_set_ex_data 2980 EXIST::FUNCTION: +ENGINE_set_ex_data 2980 EXIST::FUNCTION:ENGINE OCSP_REQUEST_print 2981 EXIST::FUNCTION: CBIGNUM_it 2982 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: CBIGNUM_it 2982 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2501,7 +2501,7 @@ OCSP_single_get0_status 2989 EXIST::FUNCTION: BN_swap 2990 EXIST::FUNCTION: POLICYINFO_it 2991 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: POLICYINFO_it 2991 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_set_destroy_function 2992 EXIST::FUNCTION: +ENGINE_set_destroy_function 2992 EXIST::FUNCTION:ENGINE asn1_enc_free 2993 EXIST::FUNCTION: OCSP_RESPID_it 2994 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: OCSP_RESPID_it 2994 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2523,8 +2523,8 @@ EDIPARTYNAME_it 3005 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI NETSCAPE_SPKI_it 3006 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: NETSCAPE_SPKI_it 3006 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: UI_get0_test_string 3007 EXIST::FUNCTION: -ENGINE_get_cipher_engine 3008 EXIST::FUNCTION: -ENGINE_register_all_ciphers 3009 EXIST::FUNCTION: +ENGINE_get_cipher_engine 3008 EXIST::FUNCTION:ENGINE +ENGINE_register_all_ciphers 3009 EXIST::FUNCTION:ENGINE EC_POINT_copy 3010 EXIST::FUNCTION:EC BN_kronecker 3011 EXIST::FUNCTION: _ossl_old_des_ede3_ofb64_encrypt 3012 EXIST:!VMS:FUNCTION:DES @@ -2545,9 +2545,9 @@ OCSP_RESPONSE_new 3023 EXIST::FUNCTION: AES_set_encrypt_key 3024 EXIST::FUNCTION:AES OCSP_resp_count 3025 EXIST::FUNCTION: KRB5_CHECKSUM_new 3026 EXIST::FUNCTION: -ENGINE_load_cswift 3027 EXIST::FUNCTION: +ENGINE_load_cswift 3027 EXIST::FUNCTION:ENGINE OCSP_onereq_get0_id 3028 EXIST::FUNCTION: -ENGINE_set_default_ciphers 3029 EXIST::FUNCTION: +ENGINE_set_default_ciphers 3029 EXIST::FUNCTION:ENGINE NOTICEREF_it 3030 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: NOTICEREF_it 3030 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: X509V3_EXT_CRL_add_nconf 3031 EXIST::FUNCTION: @@ -2565,7 +2565,7 @@ AES_decrypt 3040 EXIST::FUNCTION:AES asn1_enc_init 3041 EXIST::FUNCTION: UI_get_result_maxsize 3042 EXIST::FUNCTION: OCSP_CERTID_new 3043 EXIST::FUNCTION: -ENGINE_unregister_RAND 3044 EXIST::FUNCTION: +ENGINE_unregister_RAND 3044 EXIST::FUNCTION:ENGINE UI_method_get_closer 3045 EXIST::FUNCTION: d2i_KRB5_ENCDATA 3046 EXIST::FUNCTION: OCSP_request_onereq_count 3047 EXIST::FUNCTION: @@ -2576,7 +2576,7 @@ ASN1_primitive_free 3051 EXIST::FUNCTION: i2d_EXTENDED_KEY_USAGE 3052 EXIST::FUNCTION: i2d_OCSP_SIGNATURE 3053 EXIST::FUNCTION: asn1_enc_save 3054 EXIST::FUNCTION: -ENGINE_load_nuron 3055 EXIST::FUNCTION: +ENGINE_load_nuron 3055 EXIST::FUNCTION:ENGINE _ossl_old_des_pcbc_encrypt 3056 EXIST::FUNCTION:DES PKCS12_MAC_DATA_it 3057 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKCS12_MAC_DATA_it 3057 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2598,15 +2598,15 @@ ASN1_item_d2i_bio 3069 EXIST::FUNCTION:BIO EC_POINT_dbl 3070 EXIST::FUNCTION:EC asn1_get_choice_selector 3071 EXIST::FUNCTION: i2d_KRB5_CHECKSUM 3072 EXIST::FUNCTION: -ENGINE_set_table_flags 3073 EXIST::FUNCTION: +ENGINE_set_table_flags 3073 EXIST::FUNCTION:ENGINE AES_options 3074 EXIST::FUNCTION:AES -ENGINE_load_chil 3075 EXIST::FUNCTION: +ENGINE_load_chil 3075 EXIST::FUNCTION:ENGINE OCSP_id_cmp 3076 EXIST::FUNCTION: OCSP_BASICRESP_new 3077 EXIST::FUNCTION: OCSP_REQUEST_get_ext_by_NID 3078 EXIST::FUNCTION: KRB5_APREQ_it 3079 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: KRB5_APREQ_it 3079 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_get_destroy_function 3080 EXIST::FUNCTION: +ENGINE_get_destroy_function 3080 EXIST::FUNCTION:ENGINE CONF_set_nconf 3081 EXIST::FUNCTION: ASN1_PRINTABLE_free 3082 EXIST::FUNCTION: OCSP_BASICRESP_get_ext_by_NID 3083 EXIST::FUNCTION: @@ -2667,7 +2667,7 @@ OCSP_CRLID_it 3127 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA OCSP_CRLID_it 3127 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: i2d_KRB5_AUTHENTBODY 3128 EXIST::FUNCTION: OCSP_REQUEST_get_ext_count 3129 EXIST::FUNCTION: -ENGINE_load_atalla 3130 EXIST::FUNCTION: +ENGINE_load_atalla 3130 EXIST::FUNCTION:ENGINE X509_NAME_it 3131 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_NAME_it 3131 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: USERNOTICE_it 3132 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2685,7 +2685,7 @@ UI_method_set_opener 3140 EXIST::FUNCTION: ASN1_item_ex_free 3141 EXIST::FUNCTION: ASN1_BOOLEAN_it 3142 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_BOOLEAN_it 3142 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_get_table_flags 3143 EXIST::FUNCTION: +ENGINE_get_table_flags 3143 EXIST::FUNCTION:ENGINE UI_create_method 3144 EXIST::FUNCTION: OCSP_ONEREQ_add1_ext_i2d 3145 EXIST::FUNCTION: _shadow_DES_check_key 3146 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DES @@ -2709,7 +2709,7 @@ PKCS7_it 3160 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA PKCS7_it 3160 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: OCSP_REQUEST_get_ext_by_critical 3161 EXIST:!VMS:FUNCTION: OCSP_REQUEST_get_ext_by_crit 3161 EXIST:VMS:FUNCTION: -ENGINE_set_flags 3162 EXIST::FUNCTION: +ENGINE_set_flags 3162 EXIST::FUNCTION:ENGINE _ossl_old_des_ecb_encrypt 3163 EXIST::FUNCTION:DES OCSP_response_get1_basic 3164 EXIST::FUNCTION: EVP_Digest 3165 EXIST::FUNCTION: @@ -2721,8 +2721,8 @@ ASN1_TIME_to_generalizedtime 3169 EXIST::FUNCTION: BIGNUM_it 3170 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: BIGNUM_it 3170 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: AES_cbc_encrypt 3171 EXIST::FUNCTION:AES -ENGINE_get_load_privkey_function 3172 EXIST:!VMS:FUNCTION: -ENGINE_get_load_privkey_fn 3172 EXIST:VMS:FUNCTION: +ENGINE_get_load_privkey_function 3172 EXIST:!VMS:FUNCTION:ENGINE +ENGINE_get_load_privkey_fn 3172 EXIST:VMS:FUNCTION:ENGINE OCSP_RESPONSE_free 3173 EXIST::FUNCTION: UI_method_set_reader 3174 EXIST::FUNCTION: i2d_ASN1_T61STRING 3175 EXIST::FUNCTION: @@ -2736,7 +2736,7 @@ OCSP_crlID_new 3181 EXIST:!OS2,!VMS,!WIN16:FUNCTION: OCSP_crlID2_new 3181 EXIST:OS2,VMS,WIN16:FUNCTION: CONF_modules_load_file 3182 EXIST::FUNCTION: CONF_imodule_set_usr_data 3183 EXIST::FUNCTION: -ENGINE_set_default_string 3184 EXIST::FUNCTION: +ENGINE_set_default_string 3184 EXIST::FUNCTION:ENGINE CONF_module_get_usr_data 3185 EXIST::FUNCTION: ASN1_add_oid_module 3186 EXIST::FUNCTION: CONF_modules_finish 3187 EXIST::FUNCTION: @@ -2754,7 +2754,7 @@ CONF_imodule_get_name 3198 EXIST::FUNCTION: ERR_peek_top_error 3199 NOEXIST::FUNCTION: CONF_imodule_get_usr_data 3200 EXIST::FUNCTION: CONF_imodule_set_flags 3201 EXIST::FUNCTION: -ENGINE_add_conf_module 3202 EXIST::FUNCTION: +ENGINE_add_conf_module 3202 EXIST::FUNCTION:ENGINE ERR_peek_last_error_line 3203 EXIST::FUNCTION: ERR_peek_last_error_line_data 3204 EXIST::FUNCTION: ERR_peek_last_error 3205 EXIST::FUNCTION: @@ -2762,8 +2762,8 @@ DES_read_2passwords 3206 EXIST::FUNCTION:DES DES_read_password 3207 EXIST::FUNCTION:DES UI_UTIL_read_pw 3208 EXIST::FUNCTION: UI_UTIL_read_pw_string 3209 EXIST::FUNCTION: -ENGINE_load_aep 3210 EXIST::FUNCTION: -ENGINE_load_sureware 3211 EXIST::FUNCTION: +ENGINE_load_aep 3210 EXIST::FUNCTION:ENGINE +ENGINE_load_sureware 3211 EXIST::FUNCTION:ENGINE OPENSSL_add_all_algorithms_noconf 3212 EXIST:!VMS:FUNCTION: OPENSSL_add_all_algo_noconf 3212 EXIST:VMS:FUNCTION: OPENSSL_add_all_algorithms_conf 3213 EXIST:!VMS:FUNCTION: @@ -2772,7 +2772,7 @@ OPENSSL_load_builtin_modules 3214 EXIST::FUNCTION: AES_ofb128_encrypt 3215 EXIST::FUNCTION:AES AES_ctr128_encrypt 3216 EXIST::FUNCTION:AES AES_cfb128_encrypt 3217 EXIST::FUNCTION:AES -ENGINE_load_4758cca 3218 EXIST::FUNCTION: +ENGINE_load_4758cca 3218 EXIST::FUNCTION:ENGINE _ossl_096_des_random_seed 3219 EXIST::FUNCTION:DES EVP_aes_256_ofb 3220 EXIST::FUNCTION:AES EVP_aes_192_ofb 3221 EXIST::FUNCTION:AES @@ -2793,3 +2793,11 @@ ASN1_UNIVERSALSTRING_it 3234 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI d2i_ASN1_UNIVERSALSTRING 3235 EXIST::FUNCTION: EVP_des_ede3_ecb 3236 EXIST::FUNCTION:DES X509_REQ_print_ex 3237 EXIST::FUNCTION:BIO +ENGINE_up_ref 3238 EXIST::FUNCTION:ENGINE +BUF_MEM_grow_clean 3239 EXIST::FUNCTION: +CRYPTO_realloc_clean 3240 EXIST::FUNCTION: +BUF_strlcat 3241 EXIST::FUNCTION: +BIO_indent 3242 EXIST::FUNCTION: +BUF_strlcpy 3243 EXIST::FUNCTION: +OpenSSLDie 3244 EXIST::FUNCTION: +OPENSSL_cleanse 3245 EXIST::FUNCTION: diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl index c9271bbffe..c538f9dffb 100644 --- a/src/lib/libcrypto/util/mk1mf.pl +++ b/src/lib/libcrypto/util/mk1mf.pl @@ -24,6 +24,7 @@ $infile="MINFO"; %ops=( "VC-WIN32", "Microsoft Visual C++ [4-6] - Windows NT or 9X", + "VC-CE", "Microsoft eMbedded Visual C++ 3.0 - Windows CE ONLY", "VC-NT", "Microsoft Visual C++ [4-6] - Windows NT ONLY", "VC-W31-16", "Microsoft Visual C++ 1.52 - Windows 3.1 - 286", "VC-WIN16", "Alias for VC-W31-32", @@ -63,6 +64,8 @@ and [options] can be one of no-asm - No x86 asm no-krb5 - No KRB5 no-ec - No EC + no-engine - No engine + no-hw - No hw nasm - Use NASM for x86 asm gaswin - Use GNU as with Mingw32 no-socks - No socket code @@ -137,6 +140,10 @@ elsif (($platform eq "VC-WIN32") || ($platform eq "VC-NT")) $NT = 1 if $platform eq "VC-NT"; require 'VC-32.pl'; } +elsif ($platform eq "VC-CE") + { + require 'VC-CE.pl'; + } elsif ($platform eq "Mingw32") { require 'Mingw32.pl'; @@ -213,7 +220,7 @@ $cflags.=" -DOPENSSL_NO_MD4" if $no_md4; $cflags.=" -DOPENSSL_NO_MD5" if $no_md5; $cflags.=" -DOPENSSL_NO_SHA" if $no_sha; $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1; -$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_rmd160; +$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd; $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2; $cflags.=" -DOPENSSL_NO_BF" if $no_bf; $cflags.=" -DOPENSSL_NO_CAST" if $no_cast; @@ -227,6 +234,8 @@ $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3; $cflags.=" -DOPENSSL_NO_ERR" if $no_err; $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5; $cflags.=" -DOPENSSL_NO_EC" if $no_ec; +$cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine; +$cflags.=" -DOPENSSL_NO_HW" if $no_hw; #$cflags.=" -DRSAref" if $rsaref ne ""; ## if ($unix) @@ -266,6 +275,17 @@ $defs= <<"EOF"; # The one monster makefile better suits building in non-unix # environments. +EOF + +if ($platform eq "VC-CE") + { + $defs.= <<"EOF"; +!INCLUDE <\$(WCECOMPAT)/wcedefs.mak> + +EOF + } + +$defs.= <<"EOF"; INSTALLTOP=$INSTALLTOP # Set your compiler options @@ -632,6 +652,8 @@ sub var_add local($dir,$val)=@_; local(@a,$_,$ret); + return("") if $no_engine && $dir =~ /\/engine/; + return("") if $no_hw && $dir =~ /\/hw/; return("") if $no_idea && $dir =~ /\/idea/; return("") if $no_aes && $dir =~ /\/aes/; return("") if $no_rc2 && $dir =~ /\/rc2/; @@ -641,6 +663,7 @@ sub var_add return("") if $no_rsa && $dir =~ /^rsaref/; return("") if $no_dsa && $dir =~ /\/dsa/; return("") if $no_dh && $dir =~ /\/dh/; + return("") if $no_ec && $dir =~ /\/ec/; if ($no_des && $dir =~ /\/des/) { if ($val =~ /read_pwd/) @@ -675,7 +698,7 @@ sub var_add @a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2; @a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4; @a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5; - @a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160; + @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd; @a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa; @a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa; @@ -692,6 +715,8 @@ sub var_add @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1; @a=grep(!/_mdc2$/,@a) if $no_mdc2; + @a=grep(!/^engine$/,@a) if $no_engine; + @a=grep(!/^hw$/,@a) if $no_hw; @a=grep(!/(^rsa$)|(^genrsa$)/,@a) if $no_rsa; @a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa; @a=grep(!/^gendsa$/,@a) if $no_sha1; @@ -885,10 +910,12 @@ sub read_options elsif (/^no-sock$/) { $no_sock=1; } elsif (/^no-krb5$/) { $no_krb5=1; } elsif (/^no-ec$/) { $no_ec=1; } + elsif (/^no-engine$/) { $no_engine=1; } + elsif (/^no-hw$/) { $no_hw=1; } elsif (/^just-ssl$/) { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1; $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1; - $no_ssl2=$no_err=$no_rmd160=$no_rc5=1; + $no_ssl2=$no_err=$no_ripemd=$no_rc5=1; $no_aes=1; } elsif (/^rsaref$/) { } diff --git a/src/lib/libcrypto/util/mkcerts.sh b/src/lib/libcrypto/util/mkcerts.sh index 5f8a1dae73..0184fcb70e 100644 --- a/src/lib/libcrypto/util/mkcerts.sh +++ b/src/lib/libcrypto/util/mkcerts.sh @@ -1,4 +1,4 @@ -#!bin/sh +#!/bin/sh # This script will re-make all the required certs. # cd apps @@ -12,8 +12,8 @@ # CAbits=1024 -SSLEAY="../apps/ssleay" -CONF="-config ../apps/ssleay.cnf" +SSLEAY="../apps/openssl" +CONF="-config ../apps/openssl.cnf" # create pca request. echo creating $CAbits bit PCA cert request diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl index adfd447dd3..cdd2164c4e 100644 --- a/src/lib/libcrypto/util/mkdef.pl +++ b/src/lib/libcrypto/util/mkdef.pl @@ -91,7 +91,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "BIO", "COMP", "BUFFER", "LHASH", "STACK", "ERR", "LOCKING", # External "algorithms" - "FP_API", "STDIO", "SOCK", "KRB5" ); + "FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" ); my $options=""; open(IN,"object))); if(ext->critical) printf(",critical:\n"); else printf(":\n"); - X509V3_EXT_print_fp(stdout, ext, 0); + X509V3_EXT_print_fp(stdout, ext, 0, 0); printf("\n"); } diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES index 03b697cd7e..1e85275800 100644 --- a/src/lib/libssl/src/CHANGES +++ b/src/lib/libssl/src/CHANGES @@ -2,7 +2,266 @@ OpenSSL CHANGES _______________ - Changes between 0.9.6h and 0.9.7 [XX xxx 2002] + Changes between 0.9.7a and 0.9.7b [10 Apr 2003] + + *) Countermeasure against the Klima-Pokorny-Rosa extension of + Bleichbacher's attack on PKCS #1 v1.5 padding: treat + a protocol version number mismatch like a decryption error + in ssl3_get_client_key_exchange (ssl/s3_srvr.c). + [Bodo Moeller] + + *) Turn on RSA blinding by default in the default implementation + to avoid a timing attack. Applications that don't want it can call + RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. + They would be ill-advised to do so in most cases. + [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] + + *) Change RSA blinding code so that it works when the PRNG is not + seeded (in this case, the secret RSA exponent is abused as + an unpredictable seed -- if it is not unpredictable, there + is no point in blinding anyway). Make RSA blinding thread-safe + by remembering the creator's thread ID in rsa->blinding and + having all other threads use local one-time blinding factors + (this requires more computation than sharing rsa->blinding, but + avoids excessive locking; and if an RSA object is not shared + between threads, blinding will still be very fast). + [Bodo Moeller] + + *) Fixed a typo bug that would cause ENGINE_set_default() to set an + ENGINE as defaults for all supported algorithms irrespective of + the 'flags' parameter. 'flags' is now honoured, so applications + should make sure they are passing it correctly. + [Geoff Thorpe] + + *) Target "mingw" now allows native Windows code to be generated in + the Cygwin environment as well as with the MinGW compiler. + [Ulf Moeller] + + Changes between 0.9.7 and 0.9.7a [19 Feb 2003] + + *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked + via timing by performing a MAC computation even if incorrrect + block cipher padding has been found. This is a countermeasure + against active attacks where the attacker has to distinguish + between bad padding and a MAC verification error. (CAN-2003-0078) + + [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), + Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and + Martin Vuagnoux (EPFL, Ilion)] + + *) Make the no-err option work as intended. The intention with no-err + is not to have the whole error stack handling routines removed from + libcrypto, it's only intended to remove all the function name and + reason texts, thereby removing some of the footprint that may not + be interesting if those errors aren't displayed anyway. + + NOTE: it's still possible for any application or module to have it's + own set of error texts inserted. The routines are there, just not + used by default when no-err is given. + [Richard Levitte] + + *) Add support for FreeBSD on IA64. + [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454] + + *) Adjust DES_cbc_cksum() so it returns the same value as the MIT + Kerberos function mit_des_cbc_cksum(). Before this change, + the value returned by DES_cbc_cksum() was like the one from + mit_des_cbc_cksum(), except the bytes were swapped. + [Kevin Greaney and Richard Levitte] + + *) Allow an application to disable the automatic SSL chain building. + Before this a rather primitive chain build was always performed in + ssl3_output_cert_chain(): an application had no way to send the + correct chain if the automatic operation produced an incorrect result. + + Now the chain builder is disabled if either: + + 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). + + 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. + + The reasoning behind this is that an application would not want the + auto chain building to take place if extra chain certificates are + present and it might also want a means of sending no additional + certificates (for example the chain has two certificates and the + root is omitted). + [Steve Henson] + + *) Add the possibility to build without the ENGINE framework. + [Steven Reddie via Richard Levitte] + + *) Under Win32 gmtime() can return NULL: check return value in + OPENSSL_gmtime(). Add error code for case where gmtime() fails. + [Steve Henson] + + *) DSA routines: under certain error conditions uninitialized BN objects + could be freed. Solution: make sure initialization is performed early + enough. (Reported and fix supplied by Ivan D Nestlerode , + Nils Larsch via PR#459) + [Lutz Jaenicke] + + *) Another fix for SSLv2 session ID handling: the session ID was incorrectly + checked on reconnect on the client side, therefore session resumption + could still fail with a "ssl session id is different" error. This + behaviour is masked when SSL_OP_ALL is used due to + SSL_OP_MICROSOFT_SESS_ID_BUG being set. + Behaviour observed by Crispin Flowerday as + followup to PR #377. + [Lutz Jaenicke] + + *) IA-32 assembler support enhancements: unified ELF targets, support + for SCO/Caldera platforms, fix for Cygwin shared build. + [Andy Polyakov] + + *) Add support for FreeBSD on sparc64. As a consequence, support for + FreeBSD on non-x86 processors is separate from x86 processors on + the config script, much like the NetBSD support. + [Richard Levitte & Kris Kennaway ] + + Changes between 0.9.6h and 0.9.7 [31 Dec 2002] + + *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED + code (06) was taken as the first octet of the session ID and the last + octet was ignored consequently. As a result SSLv2 client side session + caching could not have worked due to the session ID mismatch between + client and server. + Behaviour observed by Crispin Flowerday as + PR #377. + [Lutz Jaenicke] + + *) Change the declaration of needed Kerberos libraries to use EX_LIBS + instead of the special (and badly supported) LIBKRB5. LIBKRB5 is + removed entirely. + [Richard Levitte] + + *) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it + seems that in spite of existing for more than a year, many application + author have done nothing to provide the necessary callbacks, which + means that this particular engine will not work properly anywhere. + This is a very unfortunate situation which forces us, in the name + of usability, to give the hw_ncipher.c a static lock, which is part + of libcrypto. + NOTE: This is for the 0.9.7 series ONLY. This hack will never + appear in 0.9.8 or later. We EXPECT application authors to have + dealt properly with this when 0.9.8 is released (unless we actually + make such changes in the libcrypto locking code that changes will + have to be made anyway). + [Richard Levitte] + + *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content + octets have been read, EOF or an error occurs. Without this change + some truncated ASN1 structures will not produce an error. + [Steve Henson] + + *) Disable Heimdal support, since it hasn't been fully implemented. + Still give the possibility to force the use of Heimdal, but with + warnings and a request that patches get sent to openssl-dev. + [Richard Levitte] + + *) Add the VC-CE target, introduce the WINCE sysname, and add + INSTALL.WCE and appropriate conditionals to make it build. + [Steven Reddie via Richard Levitte] + + *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and + cygssl-x.y.z.dll, where x, y and z are the major, minor and + edit numbers of the version. + [Corinna Vinschen and Richard Levitte] + + *) Introduce safe string copy and catenation functions + (BUF_strlcpy() and BUF_strlcat()). + [Ben Laurie (CHATS) and Richard Levitte] + + *) Avoid using fixed-size buffers for one-line DNs. + [Ben Laurie (CHATS)] + + *) Add BUF_MEM_grow_clean() to avoid information leakage when + resizing buffers containing secrets, and use where appropriate. + [Ben Laurie (CHATS)] + + *) Avoid using fixed size buffers for configuration file location. + [Ben Laurie (CHATS)] + + *) Avoid filename truncation for various CA files. + [Ben Laurie (CHATS)] + + *) Use sizeof in preference to magic numbers. + [Ben Laurie (CHATS)] + + *) Avoid filename truncation in cert requests. + [Ben Laurie (CHATS)] + + *) Add assertions to check for (supposedly impossible) buffer + overflows. + [Ben Laurie (CHATS)] + + *) Don't cache truncated DNS entries in the local cache (this could + potentially lead to a spoofing attack). + [Ben Laurie (CHATS)] + + *) Fix various buffers to be large enough for hex/decimal + representations in a platform independent manner. + [Ben Laurie (CHATS)] + + *) Add CRYPTO_realloc_clean() to avoid information leakage when + resizing buffers containing secrets, and use where appropriate. + [Ben Laurie (CHATS)] + + *) Add BIO_indent() to avoid much slightly worrying code to do + indents. + [Ben Laurie (CHATS)] + + *) Convert sprintf()/BIO_puts() to BIO_printf(). + [Ben Laurie (CHATS)] + + *) buffer_gets() could terminate with the buffer only half + full. Fixed. + [Ben Laurie (CHATS)] + + *) Add assertions to prevent user-supplied crypto functions from + overflowing internal buffers by having large block sizes, etc. + [Ben Laurie (CHATS)] + + *) New OPENSSL_assert() macro (similar to assert(), but enabled + unconditionally). + [Ben Laurie (CHATS)] + + *) Eliminate unused copy of key in RC4. + [Ben Laurie (CHATS)] + + *) Eliminate unused and incorrectly sized buffers for IV in pem.h. + [Ben Laurie (CHATS)] + + *) Fix off-by-one error in EGD path. + [Ben Laurie (CHATS)] + + *) If RANDFILE path is too long, ignore instead of truncating. + [Ben Laurie (CHATS)] + + *) Eliminate unused and incorrectly sized X.509 structure + CBCParameter. + [Ben Laurie (CHATS)] + + *) Eliminate unused and dangerous function knumber(). + [Ben Laurie (CHATS)] + + *) Eliminate unused and dangerous structure, KSSL_ERR. + [Ben Laurie (CHATS)] + + *) Protect against overlong session ID context length in an encoded + session object. Since these are local, this does not appear to be + exploitable. + [Ben Laurie (CHATS)] + + *) Change from security patch (see 0.9.6e below) that did not affect + the 0.9.6 release series: + + Remote buffer overflow in SSL3 protocol - an attacker could + supply an oversized master key in Kerberos-enabled versions. + (CAN-2002-0657) + [Ben Laurie (CHATS)] + + *) Change the SSL kerb5 codes to match RFC 2712. + [Richard Levitte] *) Make -nameopt work fully for req and add -reqopt switch. [Michael Bell , Steve Henson] @@ -34,7 +293,7 @@ # is assumed to contain the absolute OpenSSL source directory. mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" cd objtree/"`uname -s`-`uname -r`-`uname -m`" - (cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do + (cd $OPENSSL_SOURCE; find . -type f) | while read F; do mkdir -p `dirname $F` ln -s $OPENSSL_SOURCE/$F $F done @@ -1534,6 +1793,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k be reduced modulo m. [Lenka Fibikova , Bodo Moeller] +#if 0 + The following entry accidentily appeared in the CHANGES file + distributed with OpenSSL 0.9.7. The modifications described in + it do *not* apply to OpenSSL 0.9.7. + *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there was actually never needed) and in BN_mul(). The removal in BN_mul() required a small change in bn_mul_part_recursive() and the addition @@ -1542,6 +1806,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k bn_sub_words() and bn_add_words() except they take arrays with differing sizes. [Richard Levitte] +#endif *) In 'openssl passwd', verify passwords read from the terminal unless the '-salt' option is used (which usually means that @@ -1673,7 +1938,76 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] - Changes between 0.9.6g and 0.9.6h [xx XXX xxxx] + Changes between 0.9.6h and 0.9.6i [19 Feb 2003] + + *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked + via timing by performing a MAC computation even if incorrrect + block cipher padding has been found. This is a countermeasure + against active attacks where the attacker has to distinguish + between bad padding and a MAC verification error. (CAN-2003-0078) + + [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), + Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and + Martin Vuagnoux (EPFL, Ilion)] + + Changes between 0.9.6g and 0.9.6h [5 Dec 2002] + + *) New function OPENSSL_cleanse(), which is used to cleanse a section of + memory from it's contents. This is done with a counter that will + place alternating values in each byte. This can be used to solve + two issues: 1) the removal of calls to memset() by highly optimizing + compilers, and 2) cleansing with other values than 0, since those can + be read through on certain media, for example a swap space on disk. + [Geoff Thorpe] + + *) Bugfix: client side session caching did not work with external caching, + because the session->cipher setting was not restored when reloading + from the external cache. This problem was masked, when + SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. + (Found by Steve Haslam .) + [Lutz Jaenicke] + + *) Fix client_certificate (ssl/s2_clnt.c): The permissible total + length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. + [Zeev Lieber ] + + *) Undo an undocumented change introduced in 0.9.6e which caused + repeated calls to OpenSSL_add_all_ciphers() and + OpenSSL_add_all_digests() to be ignored, even after calling + EVP_cleanup(). + [Richard Levitte] + + *) Change the default configuration reader to deal with last line not + being properly terminated. + [Richard Levitte] + + *) Change X509_NAME_cmp() so it applies the special rules on handling + DN values that are of type PrintableString, as well as RDNs of type + emailAddress where the value has the type ia5String. + [stefank@valicert.com via Richard Levitte] + + *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half + the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently + doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be + the bitwise-OR of the two for use by the majority of applications + wanting this behaviour, and update the docs. The documented + behaviour and actual behaviour were inconsistent and had been + changing anyway, so this is more a bug-fix than a behavioural + change. + [Geoff Thorpe, diagnosed by Nadav Har'El] + + *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c + (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). + [Bodo Moeller] + + *) Fix initialization code race conditions in + SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), + SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), + SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), + TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), + ssl2_get_cipher_by_char(), + ssl3_get_cipher_by_char(). + [Patrick McCormick , Bodo Moeller] *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after the cached sessions are flushed, as the remove_cb() might use ex_data @@ -1703,7 +2037,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k overflow checks added in 0.9.6e. This prevents DoS (the assertions could call abort()). [Arne Ansper , Bodo Moeller] - + Changes between 0.9.6d and 0.9.6e [30 Jul 2002] *) Add various sanity checks to asn1_get_length() to reject @@ -1754,11 +2088,6 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k too small for 64 bit platforms. (CAN-2002-0655) [Matthew Byng-Maddick and Ben Laurie (CHATS)> - *) Remote buffer overflow in SSL3 protocol - an attacker could - supply an oversized master key in Kerberos-enabled versions. - (CAN-2002-0657) - [Ben Laurie (CHATS)] - *) Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized session ID to a client. (CAN-2002-0656) [Ben Laurie (CHATS)] @@ -1767,7 +2096,6 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k supply an oversized client master key. (CAN-2002-0656) [Ben Laurie (CHATS)] - Changes between 0.9.6c and 0.9.6d [9 May 2002] *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not @@ -1854,13 +2182,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k value is 0. [Richard Levitte] - *) Add the configuration target linux-s390x. - [Neale Ferguson via Richard Levitte] - *) [In 0.9.6d-engine release:] Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). [Toomas Kiisk via Richard Levitte] + *) Add the configuration target linux-s390x. + [Neale Ferguson via Richard Levitte] + *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag variable as an indication that a ClientHello message has been diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure index 292ca877c6..7763dc4138 100644 --- a/src/lib/libssl/src/Configure +++ b/src/lib/libssl/src/Configure @@ -10,7 +10,7 @@ use strict; # see INSTALL for instructions. -my $usage="Usage: Configure [no- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; +my $usage="Usage: Configure [no- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; # Options: # @@ -38,6 +38,7 @@ my $usage="Usage: Configure [no- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [- # --test-sanity Make a number of sanity checks on the data in this file. # This is a debugging tool for OpenSSL developers. # +# no-engine do not compile in any engine code. # no-hw-xxx do not compile support for specific crypto hardware. # Generic OpenSSL-style methods relating to this support # are always compiled but return NULL if the hardware @@ -107,7 +108,6 @@ my $tlib="-lnsl -lsocket"; my $bits1="THIRTY_TWO_BIT "; my $bits2="SIXTY_FOUR_BIT "; -my $x86_sol_asm="asm/bn86-sol.o asm/co86-sol.o:asm/dx86-sol.o asm/yx86-sol.o:asm/bx86-sol.o:asm/mx86-sol.o:asm/sx86-sol.o:asm/cx86-sol.o:asm/rx86-sol.o:asm/rm86-sol.o:asm/r586-sol.o"; my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm/bx86-elf.o:asm/mx86-elf.o:asm/sx86-elf.o:asm/cx86-elf.o:asm/rx86-elf.o:asm/rm86-elf.o:asm/r586-elf.o"; my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o"; my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o"; @@ -145,8 +145,10 @@ my %table=( "debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn", -"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "dist", "cc:-O::(unknown)::::::", # Basic configs that should work on any (32 and less bit) box @@ -159,25 +161,25 @@ my %table=( # surrounds it with #APP #NO_APP comment pair which (at least Solaris # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic" # error message. -"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Solaris x86 with Sun C setups "solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with GNU C setups -"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc -"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8 # but keep the assembler modules. -"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### -"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with Sun C setups # DO NOT use /xO[34] on sparc with SC3.0. It is broken, and will not pass the tests @@ -201,13 +203,12 @@ my %table=( # it's a real mess with -mcpu=ultrasparc option under Linux, but # -Wa,-Av8plus should do the trick no matter what. "linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -# !!!Folowing can't be even tested yet!!! -# We have to wait till 64-bit glibc for SPARC is operational!!! -#"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:", +# GCC 3.1 is a requirement +"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # Sunos configs, assuming sparc for the gcc one. -##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):::DES_UNROLL:::", -"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::", +##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:::", +"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::", #### IRIX 5.x configs # -mips2 flag is added by ./config when appropriate. @@ -218,7 +219,7 @@ my %table=( # './Configure irix-[g]cc' manually. # -mips4 flag is added by ./config when appropriate. "irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # N64 ABI builds. "irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -261,22 +262,21 @@ my %table=( "hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # IA-64 targets -# I have no idea if this one actually works, feedback needed. -"hpux-ia64-cc","cc:-Ae +DD32 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # Frank Geurts has patiently assisted with # with debugging of the following config. -"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # More attempts at unified 10.X and 11.X targets for HP C compiler. # # Chris Ruemmler # Kevin Steves -"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # Isn't the line below meaningless? HP-UX cc optimizes for host by default. # hpux-parisc1_0-cc with +DAportable flag would make more sense. -"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # HPUX 9.X config. # Don't use the bundled cc. It is broken. Use HP ANSI C if possible, or @@ -383,17 +383,21 @@ my %table=( "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", -"linux-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::", -"linux-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::", +"linux-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::", "linux-s390", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-ia64-ecc", "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"FreeBSD-sparc64","gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"FreeBSD-ia64","gcc:-DL_ENDIAN -DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64-cpp.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown):::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}", "bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -401,7 +405,7 @@ my %table=( "nextstep3.3", "cc:-O3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # NCR MP-RAS UNIX ver 02.03.01 -"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::", +"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl -lc89:${x86_gcc_des} ${x86_gcc_opts}:::", # QNX 4 "qnx4", "cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:", @@ -412,33 +416,36 @@ my %table=( # Linux on ARM "linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +# SCO/Caldera targets. +# +# Originally we had like unixware-*, unixware-*-pentium, unixware-*-p6, etc. +# Now we only have blended unixware-* as it's the only one used by ./config. +# If you want to optimize for particular microarchitecture, bypass ./config +# and './Configure unixware-7 -Kpentium_pro' or whatever appropriate. +# Note that not all targets include assembler support. Mostly because of +# lack of motivation to support out-of-date platforms with out-of-date +# compiler drivers and assemblers. Tim Rice has +# patiently assisted to debug most of it. +# # UnixWare 2.0x fails destest with -O "unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::", -"unixware-2.0-pentium","cc:-DFILIO_H -DNO_STRINGS_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", - -# UnixWare 2.1 "unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::", -"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", -"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", - -# UnixWare 7 -"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"sco3-gcc", "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... +# SCO 5 - Ben Laurie says the -O breaks the SCO cc. +"sco5-cc", "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -# OpenUNIX 8 -"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # IBM's AIX. "aix-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::", "aix-gcc", "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::", -"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:", -"aix43-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:", -"aix64-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn::::::-X 64", +"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::", +"aix43-gcc", "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:", +"aix64-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64", # # Cray T90 and similar (SDSC) @@ -471,15 +478,6 @@ my %table=( "dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lnsl -lsocket:RC4_INDEX DES_UNROLL:::", "dgux-R4-x86-gcc", "gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown)::-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -# SCO 3 - Tim Rice -"sco3-gcc", "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... - -# SCO 5 - Ben Laurie says the -O breaks the -# SCO cc. -"sco5-cc", "cc:-belf::(unknown)::-lsocket -lresolv -lnsl:${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-Kpic", # des options? -"sco5-cc-pentium", "cc:-Kpentium::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? -"sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC", # the SCO assembler doesn't seem to like our assembler files ... - # Sinix/ReliantUNIX RM400 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g */ "ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -498,6 +496,7 @@ my %table=( # Windows NT, Microsoft Visual C++ 4.0 "VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32", +"VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32", "VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32", "VC-WIN16","cl:::(unknown):WIN16::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", "VC-W31-16","cl:::(unknown):WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", @@ -505,26 +504,24 @@ my %table=( "VC-MSDOS","cl:::(unknown):MSDOS::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", # Borland C++ 4.5 -"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX::::::::::win32", +"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN::::::::::win32", "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::", -# Mingw32 -# (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl -# and its library files in util/pl/*) -"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", +# MinGW +"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll", # UWIN "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", # Cygwin "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", -"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll", +"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll", # DJGPP -"DJGPP", "gcc:-I/dev/env/DJDIR/watt32/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/DJDIR/watt32/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::", +"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::", # Ultrix from Bernhard Simon -"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown):::::::", +"ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::", "ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::::::", # K&R C is no longer supported; you need gcc on old Ultrix installations ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::", @@ -543,10 +540,13 @@ my %table=( "OpenBSD-hppa", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ##### MacOS X (a.k.a. Rhapsody or Darwin) setup -"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", +"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", "darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", "darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", +##### A/UX +"aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", + ##### Sony NEWS-OS 4.x "newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::", @@ -558,11 +558,16 @@ my %table=( ##### VxWorks for various targets "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::", +"vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::", +"vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::", + +##### Compaq Non-Stop Kernel (Tandem) +"tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::", ); -my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32 - BC-16 Mingw32 OS2-EMX); +my @WinTargets=qw(VC-NT VC-CE VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS + BC-32 BC-16 Mingw32 OS2-EMX); my $idx = 0; my $idx_cc = $idx++; @@ -645,6 +650,7 @@ my $openssl_thread_defines; my $openssl_sys_defines=""; my $openssl_other_defines; my $libs; +my $libkrb5=""; my $target; my $options; my $symlink; @@ -685,6 +691,11 @@ PROCESS_ARGS: $flags .= "-DOPENSSL_NO_ASM "; $openssl_other_defines .= "#define OPENSSL_NO_ASM\n"; } + elsif (/^no-err$/) + { + $flags .= "-DOPENSSL_NO_ERR "; + $openssl_other_defines .= "#define OPENSSL_NO_ERR\n"; + } elsif (/^no-hw-(.+)$/) { my $hw=$1; @@ -707,7 +718,7 @@ PROCESS_ARGS: { $threads=1; } elsif (/^no-shared$/) { $no_shared=1; } - elsif (/^shared$/) + elsif (/^shared$/ || /^-shared$/ || /^--shared$/) { $no_shared=0; } elsif (/^no-zlib$/) { $zlib=0; } @@ -735,6 +746,7 @@ PROCESS_ARGS: $openssl_algorithm_defines .= "#define OPENSSL_NO_$algo\n"; if ($algo eq "RIJNDAEL") { + push @skip, "aes"; $flags .= "-DOPENSSL_NO_AES "; $depflags .= "-DOPENSSL_NO_AES "; $openssl_algorithm_defines .= "#define OPENSSL_NO_AES\n"; @@ -944,6 +956,8 @@ my $shared_extension = $fields[$idx_shared_extension]; my $ranlib = $fields[$idx_ranlib]; my $arflags = $fields[$idx_arflags]; +my $no_shared_warn=0; + $cflags="$flags$cflags" if ($flags ne ""); # Kerberos settings. The flavor must be provided from outside, either through @@ -961,6 +975,17 @@ else my ($lresolv, $lpath, $lext); if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/) { + die "Sorry, Heimdal is currently not supported\n"; + } + ##### HACK to force use of Heimdal. + ##### WARNING: Since we don't really have adequate support for Heimdal, + ##### using this will break the build. You'll have to make + ##### changes to the source, and if you do, please send + ##### patches to openssl-dev@openssl.org + if ($withargs{"krb5-flavor"} =~ /^force-[Hh]eimdal$/) + { + warn "Heimdal isn't really supported. Your build WILL break\n"; + warn "If you fix the problems, please send a patch to openssl-dev\@openssl.org\n"; $withargs{"krb5-dir"} = "/usr/heimdal" if $withargs{"krb5-dir"} eq ""; $withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}. @@ -993,7 +1018,7 @@ else } } $withargs{"krb5-lib"} .= " -lresolv" - if ("$lresolv"); + if ("$lresolv" ne ""); $withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include" if $withargs{"krb5-include"} eq "" && $withargs{"krb5-dir"} ne ""; @@ -1052,7 +1077,7 @@ else # } } -$lflags="$libs$lflags"if ($libs ne ""); +$lflags="$libs$lflags" if ($libs ne ""); if ($no_asm) { @@ -1060,6 +1085,11 @@ if ($no_asm) $sha1_obj=$md5_obj=$rmd160_obj=""; } +if (!$no_shared) + { + $cast_obj=""; # CAST assembler is not PIC + } + if ($threads) { $cflags=$thread_cflags; @@ -1075,20 +1105,17 @@ if ($zlib) # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org my $shared_mark = ""; -if ($shared_target ne "") +if ($shared_target eq "") + { + $no_shared_warn = 1 if !$no_shared; + $no_shared = 1; + } +if (!$no_shared) { if ($shared_cflag ne "") { $cflags = "$shared_cflag $cflags"; } - if (!$no_shared) - { - #$shared_mark = "\$(SHARED_LIBS)"; - } - } -else - { - $no_shared = 1; } if ($sys_id ne "") @@ -1262,8 +1289,6 @@ print "ARFLAGS =$arflags\n"; print "PERL =$perl\n"; print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n" if $withargs{"krb5-include"} ne ""; -print "LIBKRB5 =",$withargs{"krb5-lib"},"\n" - if $withargs{"krb5-lib"} ne ""; my $des_ptr=0; my $des_risc1=0; @@ -1490,6 +1515,16 @@ applications as the compiler options required on this system are not known. See file INSTALL for details if you need multi-threading. EOF +print <<\EOF if ($no_shared_warn); + +You gave the option 'shared'. Normally, that would give you shared libraries. +Unfortunately, the OpenSSL configuration doesn't include shared library support +for this platform yet, so it will pretend you gave the option 'no-shared'. If +you can inform the developpers (openssl-dev\@openssl.org) how to support shared +libraries on this platform, they will at least look at it and try their best +(but please first make sure you have tried with a current version of OpenSSL). +EOF + exit(0); sub usage diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ index 28027fdcac..7812ae88cb 100644 --- a/src/lib/libssl/src/FAQ +++ b/src/lib/libssl/src/FAQ @@ -9,6 +9,7 @@ OpenSSL - Frequently Asked Questions * Where can I get a compiled version of OpenSSL? * Why aren't tools like 'autoconf' and 'libtool' used? * What is an 'engine' version? +* How do I check the authenticity of the OpenSSL distribution? [LEGAL] Legal questions @@ -43,6 +44,8 @@ OpenSSL - Frequently Asked Questions * What is special about OpenSSL on Redhat? * Why does the OpenSSL compilation fail on MacOS X? * Why does the OpenSSL test suite fail on MacOS X? +* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]? +* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"? [PROG] Questions about programming with OpenSSL @@ -65,7 +68,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.6g was released on August 9, 2002. +OpenSSL 0.9.7b was released on April 10, 2003. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at +(Solaris 9 includes these devices by default). For /dev/random support +for earlier Solaris versions, see Sun's statement at + +(the SUNWski package is available in patch 105710). On systems without /dev/urandom and /dev/random, it is a good idea to use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for @@ -217,16 +245,6 @@ OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source, please check out the documentation coming the with application. -For Solaris 2.6, Tim Nibbe and others have suggested -installing the SUNski package from Sun patch 105710-01 (Sparc) which -adds a /dev/random device and make sure it gets used, usually through -$RANDFILE. There are probably similar patches for the other Solaris -versions. An official statement from Sun with respect to /dev/random -support can be found at - http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski -However, be warned that /dev/random is usually a blocking device, which -may have some effects on OpenSSL. - * Why do I get an "unable to write 'random state'" error message? @@ -472,10 +490,13 @@ and then redo the compilation. What you should really do is make sure Sometimes, you may get reports from VC++ command line (cl) that it can't find standard include files like stdio.h and other weirdnesses. One possible cause is that the environment isn't correctly set up. -To solve that problem, one should run VCVARS32.BAT which is found in -the 'bin' subdirectory of the VC++ installation directory (somewhere -under 'Program Files'). This needs to be done prior to running NMAKE, -and the changes are only valid for the current DOS session. +To solve that problem for VC++ versions up to 6, one should run +VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++ +installation directory (somewhere under 'Program Files'). For VC++ +version 7 (and up?), which is also called VS.NET, the file is called +VSVARS32.BAT instead. +This needs to be done prior to running NMAKE, and the changes are only +valid for the current DOS session. * What is special about OpenSSL on Redhat? @@ -536,6 +557,37 @@ libraries you just built. Look in the file PROBLEMS for a more detailed explanation and for possible solutions. +* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]? + +Failure in BN_sqr test is most likely caused by a failure to configure the +toolkit for current platform or lack of support for the platform in question. +Run './config -t' and './apps/openssl version -p'. Do these platform +identifiers match? If they don't, then you most likely failed to run +./config and you're hereby advised to do so before filing a bug report. +If ./config itself fails to run, then it's most likely problem with your +local environment and you should turn to your system administrator (or +similar). If identifiers match (and/or no alternative identifier is +suggested by ./config script), then the platform is unsupported. There might +or might not be a workaround. Most notably on SPARC64 platforms with GNU +C compiler you should be able to produce a working build by running +'./config -m32'. I understand that -m32 might not be what you want/need, +but the build should be operational. For further details turn to +. + +* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"? + +As of 0.9.7 assembler routines were overhauled for position independence +of the machine code, which is essential for shared library support. For +some reason OpenBSD is equipped with an out-of-date GNU assembler which +finds the new code offensive. To work around the problem, configure with +no-asm (and sacrifice a great deal of performance) or patch your assembler +according to . +For your convenience a pre-compiled replacement binary is provided at +. +Reportedly elder *BSD a.out platforms also suffer from this problem and +remedy should be same. Provided binary is statically linked and should be +working across wider range of *BSD branches, not just OpenBSD. + [PROG] ======================================================================== * Is OpenSSL thread-safe? @@ -680,6 +732,7 @@ The general answer is to check the config.log file generated when running the OpenSSH configure script. It should contain the detailed information on why the OpenSSL library was not detected or considered incompatible. + * Can I use OpenSSL's SSL library with non-blocking I/O? Yes; make sure to read the SSL_get_error(3) manual page! diff --git a/src/lib/libssl/src/INSTALL b/src/lib/libssl/src/INSTALL index af86485e00..1c3f3c3fe9 100644 --- a/src/lib/libssl/src/INSTALL +++ b/src/lib/libssl/src/INSTALL @@ -140,8 +140,8 @@ standard headers). If it is a problem with OpenSSL itself, please report the problem to (note that your message will be recorded in the request tracker publicly readable - via http://www.openssl.org/rt2.html and will be forwarded to a public - mailing list). Include the output of "make report" in your message. + via http://www.openssl.org/support/rt2.html and will be forwarded to a + public mailing list). Include the output of "make report" in your message. Please check out the request tracker. Maybe the bug was already reported or has already been fixed. @@ -158,11 +158,11 @@ If a test fails, look at the output. There may be reasons for the failure that isn't a problem in OpenSSL itself (like a missing or malfunctioning bc). If it is a problem with OpenSSL itself, - try removing any compiler optimization flags from the CFLAGS line + try removing any compiler optimization flags from the CFLAG line in Makefile.ssl and run "make clean; make". Please send a bug report to , including the output of "make report" in order to be added to the request tracker at - http://www.openssl.org/rt2.html. + http://www.openssl.org/support/rt2.html. 4. If everything tests ok, install OpenSSL with @@ -296,3 +296,37 @@ targets for shared library creation, like linux-shared. Those targets can currently be used on their own just as well, but this is expected to change in future versions of OpenSSL. + + Note on random number generation + -------------------------------- + + Availability of cryptographically secure random numbers is required for + secret key generation. OpenSSL provides several options to seed the + internal PRNG. If not properly seeded, the internal PRNG will refuse + to deliver random bytes and a "PRNG not seeded error" will occur. + On systems without /dev/urandom (or similar) device, it may be necessary + to install additional support software to obtain random seed. + Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(), + and the FAQ for more information. + + Note on support for multiple builds + ----------------------------------- + + OpenSSL is usually built in it's source tree. Unfortunately, this doesn't + support building for multiple platforms from the same source tree very well. + It is however possible to build in a separate tree through the use of lots + of symbolic links, which should be prepared like this: + + mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" + cd objtree/"`uname -s`-`uname -r`-`uname -m`" + (cd $OPENSSL_SOURCE; find . -type f) | while read F; do + mkdir -p `dirname $F` + rm -f $F; ln -s $OPENSSL_SOURCE/$F $F + echo $F '->' $OPENSSL_SOURCE/$F + done + make -f Makefile.org clean + + OPENSSL_SOURCE is an environment variable that contains the absolute (this + is important!) path to the OpenSSL source tree. + + Also, operations like 'make update' should still be made in the source tree. diff --git a/src/lib/libssl/src/INSTALL.DJGPP b/src/lib/libssl/src/INSTALL.DJGPP index 0120b946b5..cdeac222b2 100644 --- a/src/lib/libssl/src/INSTALL.DJGPP +++ b/src/lib/libssl/src/INSTALL.DJGPP @@ -12,12 +12,14 @@ latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package requires that PERL and BC also be installed. - All of these can be obtained from the usual DJGPP mirror sites, such as - "ftp://ftp.simtel.net/pub/simtelnet/gnu/djgpp". You also need to have - the WATT-32 networking package installed before you try to compile - openssl. This can be obtained from "http://www.bgnett.no/~giva/". The - Makefile assumes that the WATT-32 code is in directory "watt32" under - /dev/env/DJDIR. + All of these can be obtained from the usual DJGPP mirror sites, such + as "ftp://ftp.simtel.net/pub/simtelnet/gnu/djgpp". You also need to + have the WATT-32 networking package installed before you try to compile + openssl. This can be obtained from "http://www.bgnett.no/~giva/". + The Makefile assumes that the WATT-32 code is in the directory + specified by the environment variable WATT_ROOT. If you have watt-32 + in directory "watt32" under your main DJGPP directory, specify + WATT_ROOT="/dev/env/DJDIR/watt32". To compile openssl, start your BASH shell. Then configure for DOS by running "./Configure" with appropriate arguments. The basic syntax for diff --git a/src/lib/libssl/src/INSTALL.W32 b/src/lib/libssl/src/INSTALL.W32 index 3de6544fc5..78d289e16a 100644 --- a/src/lib/libssl/src/INSTALL.W32 +++ b/src/lib/libssl/src/INSTALL.W32 @@ -2,19 +2,28 @@ INSTALLATION ON THE WIN32 PLATFORM ---------------------------------- + [Instructions for building for Windows CE can be found in INSTALL.WCE] + Heres a few comments about building OpenSSL in Windows environments. Most of this is tested on Win32 but it may also work in Win 3.1 with some modification. You need Perl for Win32. Unless you will build on Cygwin, you will need ActiveState Perl, available from http://www.activestate.com/ActivePerl. - For Cygwin users, there's more info in the Cygwin section. and one of the following C compilers: * Visual C++ * Borland C - * GNU C (Mingw32 or Cygwin) + * GNU C (Cygwin or MinGW) + + If you are compiling from a tarball or a CVS snapshot then the Win32 files + may well be not up to date. This may mean that some "tweaking" is required to + get it all to work. See the trouble shooting section later on for if (when?) + it goes wrong. + + Visual C++ + ---------- If you want to compile in the assembly language routines with Visual C++ then you will need an assembler. This is worth doing because it will result in @@ -24,26 +33,19 @@ * Microsoft MASM (aka "ml") * Free Netwide Assembler NASM. - MASM was at one point distributed with VC++. It is now distributed with some - Microsoft DDKs, for example the Windows NT 4.0 DDK and the Windows 98 DDK. If - you do not have either of these DDKs then you can just download the binaries - for the Windows 98 DDK and extract and rename the two files XXXXXml.exe and - XXXXXml.err, to ml.exe and ml.err and install somewhere on your PATH. Both - DDKs can be downloaded from the Microsoft developers site www.msdn.com. + MASM is distributed with most versions of VC++. For the versions where it is + not included in VC++, it is also distributed with some Microsoft DDKs, for + example the Windows NT 4.0 DDK and the Windows 98 DDK. If you do not have + either of these DDKs then you can just download the binaries for the Windows + 98 DDK and extract and rename the two files XXXXXml.exe and XXXXXml.err, to + ml.exe and ml.err and install somewhere on your PATH. Both DDKs can be + downloaded from the Microsoft developers site www.msdn.com. NASM is freely available. Version 0.98 was used during testing: other versions may also work. It is available from many places, see for example: http://www.kernel.org/pub/software/devel/nasm/binaries/win32/ The NASM binary nasmw.exe needs to be installed anywhere on your PATH. - If you are compiling from a tarball or a CVS snapshot then the Win32 files - may well be not up to date. This may mean that some "tweaking" is required to - get it all to work. See the trouble shooting section later on for if (when?) - it goes wrong. - - Visual C++ - ---------- - Firstly you should run Configure: > perl Configure VC-WIN32 @@ -82,7 +84,8 @@ There are various changes you can make to the Win32 compile environment. By default the library is not compiled with debugging symbols. If you add 'debug' to the mk1mf.pl lines in the do_* batch file then debugging symbols will be - compiled in. + compiled in. Note that mk1mf.pl expects the platform to be the last argument + on the command line, so 'debug' must appear before that, as all other options. The default Win32 environment is to leave out any Windows NT specific features. @@ -116,62 +119,35 @@ * Run make: > make -f bcb.mak - GNU C (Mingw32) - --------------- - - To build OpenSSL, you need the Mingw32 package and GNU make. - - * Compiler installation: - - Mingw32 is available from . Extract it - to a directory such as C:\gcc-2.95.2 and add c:\gcc-2.95.2\bin to - the PATH environment variable in "System Properties"; or edit and - run C:\gcc-2.95.2\mingw32.bat to set the PATH. - - * Compile OpenSSL: - - > ms\mingw32 - - This will create the library and binaries in out. In case any problems - occur, try - > ms\mingw32 no-asm - instead. - - libcrypto.a and libssl.a are the static libraries. To use the DLLs, - link with libeay32.a and libssl32.a instead. - - See troubleshooting if you get error messages about functions not having - a number assigned. - - * You can now try the tests: - - > cd out - > ..\ms\test - GNU C (Cygwin) -------------- Cygwin provides a bash shell and GNU tools environment running on NT 4.0, Windows 9x, Windows ME, Windows 2000, and Windows XP. Consequently, a make of OpenSSL with Cygwin is closer to a GNU - bash environment such as Linux than to other W32 makes which are - based on a single makefile approach. Cygwin implements Posix/Unix - calls through cygwin1.dll, and is contrasted to Mingw32 which links - dynamically to msvcrt.dll or crtdll.dll. + bash environment such as Linux than to other the other Win32 + makes. + + Cygwin implements a Posix/Unix runtime system (cygwin1.dll). + It is also possible to create Win32 binaries that only use the + Microsoft C runtime system (msvcrt.dll or crtdll.dll) using + MinGW. MinGW can be used in the Cygwin development environment + or in a standalone setup as described in the following section. To build OpenSSL using Cygwin: * Install Cygwin (see http://cygwin.com/) - * Install Perl and ensure it is in the path (recent Cygwin perl - (version 5.6.1-2 of the latter has been reported to work) or - ActivePerl) + * Install Perl and ensure it is in the path. Both Cygwin perl + (5.6.1-2 or newer) and ActivePerl work. * Run the Cygwin bash shell * $ tar zxvf openssl-x.x.x.tar.gz $ cd openssl-x.x.x + + To build the Cygwin version of OpenSSL: + $ ./config [...] $ make @@ -179,7 +155,16 @@ $ make test $ make install - This will create a default install in /usr/local/ssl. + This will create a default install in /usr/local/ssl. + + To build the MinGW version (native Windows) in Cygwin: + + $ ./Configure mingw + [...] + $ make + [...] + $ make test + $ make install Cygwin Notes: @@ -192,6 +177,35 @@ non-fatal error in "make test" but is otherwise harmless. If desired and needed, GNU bc can be built with Cygwin without change. + GNU C (MinGW) + ------------- + + * Compiler installation: + + MinGW is available from http://www.mingw.org. Run the installer and + set the MinGW bin directory to the PATH in "System Properties" or + autoexec.bat. + + * Compile OpenSSL: + + > ms\mingw32 + + This will create the library and binaries in out. In case any problems + occur, try + > ms\mingw32 no-asm + instead. + + libcrypto.a and libssl.a are the static libraries. To use the DLLs, + link with libeay32.a and libssl32.a instead. + + See troubleshooting if you get error messages about functions not having + a number assigned. + + * You can now try the tests: + + > cd out + > ..\ms\test + Installation ------------ diff --git a/src/lib/libssl/src/INSTALL.WCE b/src/lib/libssl/src/INSTALL.WCE new file mode 100644 index 0000000000..ac587d6bd2 --- /dev/null +++ b/src/lib/libssl/src/INSTALL.WCE @@ -0,0 +1,71 @@ + + INSTALLATION FOR THE WINDOWS CE PLATFORM + ---------------------------------------- + + Building OpenSSL for Windows CE requires the following external tools: + + * Microsoft eMbedded Visual C++ 3.0 + * wcecompat compatibility library (www.essemer.com.au) + * Optionally ceutils for running automated tests (www.essemer.com.au) + + You also need Perl for Win32. You will need ActiveState Perl, available + from http://www.activestate.com/ActivePerl. + + Windows CE support in OpenSSL relies on wcecompat. All Windows CE specific + issues should be directed to www.essemer.com.au. + + The C Runtime Library implementation for Windows CE that is included with + Microsoft eMbedded Visual C++ 3.0 is incomplete and in some places + incorrect. wcecompat plugs the holes and tries to bring the Windows CE + CRT to a level that is more compatible with ANSI C. wcecompat goes further + and provides low-level IO and stream IO support for stdin/stdout/stderr + (which Windows CE does not provide). This IO functionality is not needed + by the OpenSSL library itself but is used for the tests and openssl.exe. + More information is available at www.essemer.com.au. + + Building + -------- + + Setup the eMbedded Visual C++ environment. There are batch files for doing + this installed with eVC++. For an ARM processor, for example, execute: + + > "C:\Program Files\Microsoft eMbedded Tools\EVC\WCE300\BIN\WCEARM.BAT" + + Next indicate where wcecompat is located: + + > set WCECOMPAT=C:\wcecompat + + Next you should run Configure: + + > perl Configure VC-CE + + Next you need to build the Makefiles: + + > ms\do_ms + + If you get errors about things not having numbers assigned then check the + troubleshooting section in INSTALL.W32: you probably won't be able to compile + it as it stands. + + Then from the VC++ environment at a prompt do: + + - to build static libraries: + + > nmake -f ms\ce.mak + + - or to build DLLs: + + > nmake -f ms\cedll.mak + + If all is well it should compile and you will have some static libraries and + executables in out32, or some DLLs and executables in out32dll. If you want + to try the tests then make sure the ceutils are in the path and do: + + > cd out32 + > ..\ms\testce + + This will copy each of the test programs to the Windows CE device and execute + them, displaying the output of the tests on this computer. The output should + look similar to the output produced by running the tests for a regular Windows + build. + diff --git a/src/lib/libssl/src/LICENSE b/src/lib/libssl/src/LICENSE index 7b93e0dbce..dddb07842b 100644 --- a/src/lib/libssl/src/LICENSE +++ b/src/lib/libssl/src/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp index 2726136347..c95d804d5d 100644 --- a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp +++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp @@ -1287,7 +1287,7 @@ EXITPOINT: // Send some bytes -int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength) +int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength) { OSErr errCode = noErr; int bytesSent = 0; @@ -1604,4 +1604,4 @@ EPInfo* epi = (EPInfo*) context; } } } -*/ \ No newline at end of file +*/ diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h index 6e90a5bb44..ad59dc9e4f 100644 --- a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h +++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h @@ -62,7 +62,7 @@ int MacSocket_recv(const int inSocketNum,void *outBuff,int outBuffLength,const B // Call this to send data on a socket -int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength); +int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength); // If zero bytes were read in a call to MacSocket_recv(), it may be that the remote end has done a half-close diff --git a/src/lib/libssl/src/Makefile.org b/src/lib/libssl/src/Makefile.org index d7af0815f3..4d0627bfdd 100644 --- a/src/lib/libssl/src/Makefile.org +++ b/src/lib/libssl/src/Makefile.org @@ -15,6 +15,11 @@ OPTIONS= CONFIGURE_ARGS= SHLIB_TARGET= +# HERE indicates where this Makefile lives. This can be used to indicate +# where sub-Makefiles are expected to be. Currently has very limited usage, +# and should probably not be bothered with at all. +HERE=. + # INSTALL_PREFIX is for package builders so that they can configure # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/. # Normally it is left empty. @@ -67,6 +72,14 @@ TAR= tar TARFLAGS= --no-recursion MAKEDEPPROG=makedepend +# We let the C compiler driver to take care of .s files. This is done in +# order to be excused from maintaining a separate set of architecture +# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC +# gcc, then the driver will automatically translate it to -xarch=v8plus +# and pass it down to assembler. +AS=$(CC) -c +ASFLAGS=$(CFLAG) + # Set BN_ASM to bn_asm.o if you want to use the C version BN_ASM= bn_asm.o #BN_ASM= bn_asm.o @@ -205,14 +218,14 @@ HEADER= e_os.h # When we're prepared to use shared libraries in the programs we link here # we might remove 'clean-shared' from the targets to perform at this stage -all: Makefile.ssl sub_all +all: Makefile.ssl sub_all openssl.pc sub_all: @for i in $(DIRS); \ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAGS='${ASFLAGS}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ else \ $(MAKE) $$i; \ fi; \ @@ -242,7 +255,7 @@ clean-shared: fi; \ ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \ if [ "$(PLATFORM)" = "Cygwin" ]; then \ - ( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \ + ( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \ fi; \ done @@ -265,39 +278,45 @@ do_bsd-gcc-shared: do_gnu-shared do_linux-shared: do_gnu-shared do_gnu-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-Bsymbolic \ -Wl,--whole-archive lib$$i.a \ -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done -DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \ - my_ld=`gcc -print-prog-name=ld 2>&1` && \ - [ -n "$$my_ld" ] && \ - $$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1 +DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null # For Darwin AKA Mac OS/X (dyld) do_darwin-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - ( set -x ; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ + ( set -x; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \ lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \ -compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \ -install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \ - libs="$$libs -l`basename $$i${SHLIB_EXT} .dylib`"; \ + libs="-l`basename $$i${SHLIB_EXT} .dylib` $$libs"; \ echo "" ; \ done do_cygwin-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - ( set -x; ${CC} -shared -o cyg$$i.dll \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ + ( set -x; ${CC} -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \ -Wl,-Bsymbolic \ -Wl,--whole-archive lib$$i.a \ -Wl,--out-implib,lib$$i.dll.a \ -Wl,--no-whole-archive $$libs ) || exit 1; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done # This assumes that GNU utilities are *not* used @@ -306,11 +325,14 @@ do_alpha-osf1-shared: $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done; \ fi @@ -322,11 +344,14 @@ do_tru64-shared: $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -msym -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done; \ fi @@ -338,12 +363,15 @@ do_tru64-shared-rpath: $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -msym -o lib$$i.so \ -rpath ${INSTALLTOP}/lib \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done; \ fi @@ -354,12 +382,18 @@ do_solaris-shared: $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ - set -x; ${CC} ${SHARED_LDFLAGS} \ - -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + MINUSZ='-z '; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \ + set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \ + -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -l$$i"; \ + $${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \ + $$libs ${EX_LIBS} -lc ) || exit 1; \ + libs="-l$$i $$libs"; \ done; \ fi @@ -369,16 +403,20 @@ do_svr3-shared: $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ OBJS="$${OBJS} `grep $$obj allobjs`" ; \ done ; \ - set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + set -x; ${CC} ${SHARED_LDFLAGS} \ + -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done; \ fi @@ -388,17 +426,23 @@ do_svr5-shared: $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ + SHARE_FLAG='-G'; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \ find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ OBJS="$${OBJS} `grep $$obj allobjs`" ; \ done ; \ - set -x; ${CC} ${SHARED_LDFLAGS} \ - -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \ + ${CC} ${SHARED_LDFLAGS} \ + $${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done; \ fi @@ -408,11 +452,14 @@ do_irix-shared: $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done; \ fi @@ -429,6 +476,9 @@ do_irix-shared: # do_hpux-shared: for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \ +vnocompatwarnings \ -b -z +s \ @@ -449,6 +499,9 @@ do_hpux-shared: # do_hpux64-shared: for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \ -b -z \ -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ @@ -491,17 +544,24 @@ SHAREDFLAGS=${SHARED_LDFLAGS} -G -bE:lib$$i.exp -bM:SRE SHAREDCMD=$(CC) do_aix-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ ( set -x; \ - ld -r -o $$i.o $(ALLSYMSFLAG) lib$$i.a && \ + ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \ ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \ - $(SHAREDCMD) $(SHAREDFLAG) -o lib$$i.so lib$$i.o \ + $(SHAREDCMD) $(SHAREDFLAGS) \ + -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} lib$$i.o \ $$libs ${EX_LIBS} ) ) \ || exit 1; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done do_reliantunix-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ tmpdir=/tmp/openssl.$$$$ ; rm -rf $$tmpdir ; \ ( set -x; \ ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \ @@ -511,19 +571,32 @@ do_reliantunix-shared: cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \ ) || exit 1; \ rm -rf $$tmpdir ; \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done +openssl.pc: Makefile.ssl + @ ( echo 'prefix=$(INSTALLTOP)'; \ + echo 'exec_prefix=$${prefix}'; \ + echo 'libdir=$${exec_prefix}/lib'; \ + echo 'includedir=$${prefix}/include'; \ + echo ''; \ + echo 'Name: OpenSSL'; \ + echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ + echo 'Version: '$(VERSION); \ + echo 'Requires: '; \ + echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \ + echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc + Makefile.ssl: Makefile.org @echo "Makefile.ssl is older than Makefile.org." @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please." @false libclean: - rm -f *.a */lib */*/lib + rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib -clean: - rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c +clean: libclean + rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ @@ -532,7 +605,8 @@ clean: rm -f $(LIBS); \ fi; \ done; - rm -f *.a *.o speed.* *.map *.so .pure core + rm -f openssl.pc + rm -f speed.* .pure rm -f $(TARFILE) @for i in $(ONEDIRS) ;\ do \ @@ -582,8 +656,12 @@ rehash: rehash.time rehash.time: certs @(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \ export OPENSSL OPENSSL_DEBUG_MEMORY; \ - LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \ - export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \ + LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ + if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ + export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ $(PERL) tools/c_rehash certs) touch rehash.time @@ -592,9 +670,13 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests ); - @LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \ - export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \ - apps/openssl version -a + @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ + if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ + export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ + apps/openssl version -a report: @$(PERL) util/selftest.pl @@ -656,6 +738,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_ # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. tar: + find . -type d -print | xargs chmod 755 + find . -type f -print | xargs chmod a+r + find . -type f -perm -0100 -print | xargs chmod a+x find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \ $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ tardy --user_number=0 --user_name=openssl \ @@ -685,6 +770,7 @@ dist_pem_h: install: all install_docs @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib \ + $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ @@ -706,9 +792,10 @@ install: all install_docs do \ if [ -f "$$i" ]; then \ ( echo installing $$i; \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi; \ done; @if [ -n "$(SHARED_LIBS)" ]; then \ @@ -718,14 +805,17 @@ install: all install_docs if [ -f "$$i" -o -f "$$i.a" ]; then \ ( echo installing $$i; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ else \ - c=`echo $$i | sed 's/^lib/cyg/'`; \ - cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ - chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ - cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ + c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \ + cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ + cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ fi ); \ fi; \ done; \ @@ -733,7 +823,14 @@ install: all install_docs cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ set $(MAKE); \ $$1 -f $$here/Makefile link-shared ); \ + if [ "$(INSTALLTOP)" != "/usr" ]; then \ + echo 'OpenSSL shared libraries have been installed in:'; \ + echo ' $(INSTALLTOP)'; \ + echo ''; \ + sed -e '1,/^$$/d' doc/openssl-shared.txt; \ + fi; \ fi + cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ @@ -742,25 +839,42 @@ install_docs: $(INSTALL_PREFIX)$(MANDIR)/man5 \ $(INSTALL_PREFIX)$(MANDIR)/man7 @pod2man="`cd util; ./pod2mantest $(PERL)`"; \ + here="`pwd`"; \ + filecase=; \ + if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \ + filecase=-i; \ + fi; \ for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ - echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ + echo "installing man$$sec/$$fn.$$sec"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \ + $(PERL) util/extract-names.pl < $$i | \ + grep -v $$filecase "^$$fn\$$" | \ + (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ + while read n; do \ + $$here/util/point.sh $$fn.$$sec $$n.$$sec; \ + done); \ done; \ for i in doc/crypto/*.pod doc/ssl/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ - echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ + echo "installing man$$sec/$$fn.$$sec"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \ + $(PERL) util/extract-names.pl < $$i | \ + grep -v $$filecase "^$$fn\$$" | \ + (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ + while read n; do \ + $$here/util/point.sh $$fn.$$sec $$n.$$sec; \ + done); \ done # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS index 418b3b0505..dce63f0549 100644 --- a/src/lib/libssl/src/NEWS +++ b/src/lib/libssl/src/NEWS @@ -5,6 +5,28 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b: + + o Security: counter the Klima-Pokorny-Rosa extension of + Bleichbacher's attack + o Security: make RSA blinding default. + o Configuration: Irix fixes, AIX fixes, better mingw support. + o Support for new platforms: linux-ia64-ecc. + o Build: shared library support fixes. + o ASN.1: treat domainComponent correctly. + o Documentation: fixes and additions. + + Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a: + + o Security: Important security related bugfixes. + o Enhanced compatibility with MIT Kerberos. + o Can be built without the ENGINE framework. + o IA32 assembler enhancements. + o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. + o Configuration: the no-err option now works properly. + o SSL/TLS: now handles manual certificate chain building. + o SSL/TLS: certain session ID malfunctions corrected. + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7: o New library section OCSP. @@ -17,6 +39,15 @@ a separate distribution. o New elliptic curve library section. o New AES (Rijndael) library section. + o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, + Linux x86_64, Linux 64-bit on Sparc v9 + o Extended support for some platforms: VxWorks + o Enhanced support for shared libraries. + o Now only builds PIC code when shared library support is requested. + o Support for pkg-config. + o Lots of new manuals. + o Makes symbolic links to or copies of manuals to cover all described + functions. o Change DES API to clean up the namespace (some applications link also against libdes providing similar functions having the same name). Provide macros for backward compatibility (will be removed in the @@ -30,16 +61,43 @@ o Reworked parts of the BIGNUM code. o Support for new engines: Broadcom ubsec, Accelerated Encryption Processing, IBM 4758. + o A few new engines added in the demos area. o Extended and corrected OID (object identifier) table. o PRNG: query at more locations for a random device, automatic query for EGD style random sources at several locations. o SSL/TLS: allow optional cipher choice according to server's preference. o SSL/TLS: allow server to explicitly set new session ids. o SSL/TLS: support Kerberos cipher suites (RFC2712). + Only supports MIT Kerberos for now. o SSL/TLS: allow more precise control of renegotiations and sessions. o SSL/TLS: add callback to retrieve SSL/TLS messages. o SSL/TLS: support AES cipher suites (RFC3268). + Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j: + + o Security: counter the Klima-Pokorny-Rosa extension of + Bleichbacher's attack + o Security: make RSA blinding default. + o Build: shared library support fixes. + + Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: + + o Important security related bugfixes. + + Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h: + + o New configuration targets for Tandem OSS and A/UX. + o New OIDs for Microsoft attributes. + o Better handling of SSL session caching. + o Better comparison of distinguished names. + o Better handling of shared libraries in a mixed GNU/non-GNU environment. + o Support assembler code with Borland C. + o Fixes for length problems. + o Fixes for uninitialised variables. + o Fixes for memory leaks, some unusual crashes and some race conditions. + o Fixes for smaller building problems. + o Updates of manuals, FAQ and other instructive documents. + Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g: o Important building fixes on Unix. diff --git a/src/lib/libssl/src/PROBLEMS b/src/lib/libssl/src/PROBLEMS index bf532d112b..85e96a5ebe 100644 --- a/src/lib/libssl/src/PROBLEMS +++ b/src/lib/libssl/src/PROBLEMS @@ -46,3 +46,86 @@ scripts use the same name for output and input files, which means different will interfere with each other and lead to test failure. The solution is simple for now: don't run parallell make when testing. + + +* Bugs in gcc 3.0 triggered + +According to a problem report, there are bugs in gcc 3.0 that are +triggered by some of the code in OpenSSL, more specifically in +PEM_get_EVP_CIPHER_INFO(). The triggering code is the following: + + header+=11; + if (*header != '4') return(0); header++; + if (*header != ',') return(0); header++; + +What happens is that gcc might optimize a little too agressively, and +you end up with an extra incrementation when *header != '4'. + +We recommend that you upgrade gcc to as high a 3.x version as you can. + +* solaris64-sparcv9-cc SHA-1 performance with WorkShop 6 compiler. + +As subject suggests SHA-1 might perform poorly (4 times slower) +if compiled with WorkShop 6 compiler and -xarch=v9. The cause for +this seems to be the fact that compiler emits multiplication to +perform shift operations:-( To work the problem around configure +with './Configure solaris64-sparcv9-cc -DMD32_REG_T=int'. + +* Problems with hp-parisc2-cc target when used with "no-asm" flag + +When using the hp-parisc2-cc target, wrong bignum code is generated. +This is due to the SIXTY_FOUR_BIT build being compiled with the +O3 +aggressive optimization. +The problem manifests itself by the BN_kronecker test hanging in an +endless loop. Reason: the BN_kronecker test calls BN_generate_prime() +which itself hangs. The reason could be tracked down to the bn_mul_comba8() +function in bn_asm.c. At some occasions the higher 32bit value of r[7] +is off by 1 (meaning: calculated=shouldbe+1). Further analysis failed, +as no debugger support possible at +O3 and additional fprintf()'s +introduced fixed the bug, therefore it is most likely a bug in the +optimizer. +The bug was found in the BN_kronecker test but may also lead to +failures in other parts of the code. +(See Ticket #426.) + +Workaround: modify the target to +O2 when building with no-asm. + +* Poor support for AIX shared builds. + +do_aix-shared rule is not flexible enough to parameterize through a +config-line. './Configure aix43-cc shared' is working, but not +'./Configure aix64-gcc shared'. In latter case make fails to create shared +libraries. It's possible to build 64-bit shared libraries by running +'env OBJECT_MODE=64 make', but we need more elegant solution. Preferably one +supporting even gcc shared builds. See RT#463 for background information. + +* Problems building shared libraries on SCO OpenServer Release 5.0.6 + with gcc 2.95.3 + +The symptoms appear when running the test suite, more specifically +test/ectest, with the following result: + +OSSL_LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$OSSL_LIBPATH:$LD_LIBRARY_PATH"; DYLD_LIBRARY_PATH="$OSSL_LIBPATH:$DYLD_LIBRARY_PATH"; SHLIB_PATH="$OSSL_LIBPATH:$SHLIB_PATH"; LIBPATH="$OSSL_LIBPATH:$LIBPATH"; if [ "debug-sco5-gcc" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./ectest +ectest.c:186: ABORT + +The cause of the problem seems to be that isxdigit(), called from +BN_hex2bn(), returns 0 on a perfectly legitimate hex digit. Further +investigation shows that any of the isxxx() macros return 0 on any +input. A direct look in the information array that the isxxx() use, +called __ctype, shows that it contains all zeroes... + +Taking a look at the newly created libcrypto.so with nm, one can see +that the variable __ctype is defined in libcrypto's .bss (which +explains why it is filled with zeroes): + +$ nm -Pg libcrypto.so | grep __ctype +__ctype B 0011659c +__ctype2 U + +Curiously, __ctype2 is undefined, in spite of being declared in +/usr/include/ctype.h in exactly the same way as __ctype. + +Any information helping to solve this issue would be deeply +appreciated. + +NOTE: building non-shared doesn't come with this problem. diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README index 4228e145f9..3af69bfdb5 100644 --- a/src/lib/libssl/src/README +++ b/src/lib/libssl/src/README @@ -1,7 +1,7 @@ - OpenSSL 0.9.7-beta3 30 Jul 2002 + OpenSSL 0.9.7b 10 Apr 2003 - Copyright (c) 1998-2002 The OpenSSL Project + Copyright (c) 1998-2003 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/src/lib/libssl/src/apps/CA.pl b/src/lib/libssl/src/apps/CA.pl index 915fa5beca..8b2ce7ea42 100644 --- a/src/lib/libssl/src/apps/CA.pl +++ b/src/lib/libssl/src/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl5 +#!/usr/local/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff --git a/src/lib/libssl/src/apps/apps.c b/src/lib/libssl/src/apps/apps.c index 1a24b1c596..007e3e06c3 100644 --- a/src/lib/libssl/src/apps/apps.c +++ b/src/lib/libssl/src/apps/apps.c @@ -114,9 +114,7 @@ #include #include #include -#define NON_MAIN -#include "apps.h" -#undef NON_MAIN +#include #include #include #include @@ -124,7 +122,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif #ifdef OPENSSL_SYS_WINDOWS #define strcasecmp _stricmp @@ -136,9 +136,9 @@ # endif /* NO_STRINGS_H */ #endif -#ifdef OPENSSL_SYS_WINDOWS -# include "bss_file.c" -#endif +#define NON_MAIN +#include "apps.h" +#undef NON_MAIN typedef struct { char *name; @@ -335,8 +335,7 @@ void program_name(char *in, char *out, int size) p++; else p=in; - strncpy(out,p,size-1); - out[size-1]='\0'; + BUF_strlcpy(out,p,size); } #endif #endif @@ -344,6 +343,7 @@ void program_name(char *in, char *out, int size) #ifdef OPENSSL_SYS_WIN32 int WIN32_rename(char *from, char *to) { +#ifndef OPENSSL_SYS_WINCE /* Windows rename gives an error if 'to' exists, so delete it * first and ignore file not found errror */ @@ -351,6 +351,46 @@ int WIN32_rename(char *from, char *to) return -1; #undef rename return rename(from, to); +#else + /* convert strings to UNICODE */ + { + BOOL result = FALSE; + WCHAR* wfrom; + WCHAR* wto; + int i; + wfrom = malloc((strlen(from)+1)*2); + wto = malloc((strlen(to)+1)*2); + if (wfrom != NULL && wto != NULL) + { + for (i=0; i<(int)strlen(from)+1; i++) + wfrom[i] = (short)from[i]; + for (i=0; i<(int)strlen(to)+1; i++) + wto[i] = (short)to[i]; + result = MoveFile(wfrom, wto); + } + if (wfrom != NULL) + free(wfrom); + if (wto != NULL) + free(wto); + return result; + } +#endif + } +#endif + +#ifdef OPENSSL_SYS_VMS +int VMS_strcasecmp(const char *str1, const char *str2) + { + while (*str1 && *str2) + { + int res = toupper(*str1) - toupper(*str2); + if (res) return res < 0 ? -1 : 1; + } + if (*str1) + return 1; + if (*str2) + return -1; + return 0; } #endif @@ -429,16 +469,20 @@ int app_init(long mesgwin) int dump_cert_text (BIO *out, X509 *x) { - char buf[256]; - X509_NAME_oneline(X509_get_subject_name(x),buf,256); + char *p; + + p=X509_NAME_oneline(X509_get_subject_name(x),NULL,0); BIO_puts(out,"subject="); - BIO_puts(out,buf); + BIO_puts(out,p); + OPENSSL_free(p); - X509_NAME_oneline(X509_get_issuer_name(x),buf,256); - BIO_puts(out,"\nissuer= "); - BIO_puts(out,buf); + p=X509_NAME_oneline(X509_get_issuer_name(x),NULL,0); + BIO_puts(out,"\nissuer="); + BIO_puts(out,p); BIO_puts(out,"\n"); - return 0; + OPENSSL_free(p); + + return 0; } static int ui_open(UI *ui) @@ -569,7 +613,7 @@ int password_callback(char *buf, int bufsiz, int verify, if (buff) { - memset(buff,0,(unsigned int)bufsiz); + OPENSSL_cleanse(buff,(unsigned int)bufsiz); OPENSSL_free(buff); } @@ -579,13 +623,13 @@ int password_callback(char *buf, int bufsiz, int verify, { BIO_printf(bio_err, "User interface error\n"); ERR_print_errors(bio_err); - memset(buf,0,(unsigned int)bufsiz); + OPENSSL_cleanse(buf,(unsigned int)bufsiz); res = 0; } if (ok == -2) { BIO_printf(bio_err,"aborted!\n"); - memset(buf,0,(unsigned int)bufsiz); + OPENSSL_cleanse(buf,(unsigned int)bufsiz); res = 0; } UI_free(ui); @@ -813,6 +857,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, BIO_printf(err,"no keyfile specified\n"); goto end; } +#ifndef OPENSSL_NO_ENGINE if (format == FORMAT_ENGINE) { if (!e) @@ -822,6 +867,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, ui_method, &cb_data); goto end; } +#endif key=BIO_new(BIO_s_file()); if (key == NULL) { @@ -889,6 +935,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, BIO_printf(err,"no keyfile specified\n"); goto end; } +#ifndef OPENSSL_NO_ENGINE if (format == FORMAT_ENGINE) { if (!e) @@ -898,6 +945,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, ui_method, &cb_data); goto end; } +#endif key=BIO_new(BIO_s_file()); if (key == NULL) { @@ -960,7 +1008,7 @@ load_netscape_key(BIO *err, BIO *key, const char *file, goto error; for (;;) { - if (!BUF_MEM_grow(buf,size+1024*10)) + if (!BUF_MEM_grow_clean(buf,size+1024*10)) goto error; i = BIO_read(key, &(buf->data[size]), 1024*10); size += i; @@ -1235,6 +1283,7 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags) char *buf; char mline = 0; int indent = 0; + if(title) BIO_puts(out, title); if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mline = 1; @@ -1282,6 +1331,7 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath) return NULL; } +#ifndef OPENSSL_NO_ENGINE /* Try to load an engine in a shareable library */ static ENGINE *try_load_engine(BIO *err, const char *engine, int debug) { @@ -1338,6 +1388,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug) } return e; } +#endif int load_config(BIO *err, CONF *cnf) { @@ -1356,3 +1407,18 @@ int load_config(BIO *err, CONF *cnf) } return 1; } + +char *make_config_name() + { + const char *t=X509_get_default_cert_area(); + char *p; + + p=OPENSSL_malloc(strlen(t)+strlen(OPENSSL_CONF)+2); + strcpy(p,t); +#ifndef OPENSSL_SYS_VMS + strcat(p,"/"); +#endif + strcat(p,OPENSSL_CONF); + + return p; + } diff --git a/src/lib/libssl/src/apps/apps.h b/src/lib/libssl/src/apps/apps.h index 32a79605ee..c36b9d2566 100644 --- a/src/lib/libssl/src/apps/apps.h +++ b/src/lib/libssl/src/apps/apps.h @@ -121,7 +121,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif #include int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn); @@ -139,13 +141,21 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read, int WIN32_rename(char *oldname,char *newname); #endif +/* VMS below version 7.0 doesn't have strcasecmp() */ +#ifdef OPENSSL_SYS_VMS +#define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2)) +int VMS_strcasecmp(const char *str1, const char *str2); +#endif + #ifndef MONOLITH #define MAIN(a,v) main(a,v) #ifndef NON_MAIN +CONF *config=NULL; BIO *bio_err=NULL; #else +extern CONF *config; extern BIO *bio_err; #endif @@ -171,30 +181,57 @@ extern BIO *bio_err; do_pipe_sig() # define apps_shutdown() #else -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ - defined(OPENSSL_SYS_WIN32) -# ifdef _O_BINARY -# define apps_startup() \ - do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) +# ifndef OPENSSL_NO_ENGINE +# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ + defined(OPENSSL_SYS_WIN32) +# ifdef _O_BINARY +# define apps_startup() \ + do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ + ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ + ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) +# else +# define apps_startup() \ + do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ + ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ + ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) +# endif # else # define apps_startup() \ - do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) + do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ + ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \ + setup_ui_method(); } while(0) # endif +# define apps_shutdown() \ + do { CONF_modules_unload(1); destroy_ui_method(); \ + EVP_cleanup(); ENGINE_cleanup(); \ + CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ + ERR_free_strings(); } while(0) # else -# define apps_startup() \ - do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ - ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \ - setup_ui_method(); } while(0) +# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ + defined(OPENSSL_SYS_WIN32) +# ifdef _O_BINARY +# define apps_startup() \ + do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ + ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ + setup_ui_method(); } while(0) +# else +# define apps_startup() \ + do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ + ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ + setup_ui_method(); } while(0) +# endif +# else +# define apps_startup() \ + do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ + ERR_load_crypto_strings(); \ + setup_ui_method(); } while(0) +# endif +# define apps_shutdown() \ + do { CONF_modules_unload(1); destroy_ui_method(); \ + EVP_cleanup(); \ + CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ + ERR_free_strings(); } while(0) # endif -# define apps_shutdown() \ - do { CONF_modules_unload(1); destroy_ui_method(); \ - EVP_cleanup(); ENGINE_cleanup(); \ - CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ - ERR_free_strings(); } while(0) #endif typedef struct args_st @@ -240,9 +277,12 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip); X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); +#ifndef OPENSSL_NO_ENGINE ENGINE *setup_engine(BIO *err, const char *engine, int debug); +#endif int load_config(BIO *err, CONF *cnf); +char *make_config_name(void); /* Functions defined in ca.c and also used in ocsp.c */ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, diff --git a/src/lib/libssl/src/apps/asn1pars.c b/src/lib/libssl/src/apps/asn1pars.c index 8f178db851..8367415405 100644 --- a/src/lib/libssl/src/apps/asn1pars.c +++ b/src/lib/libssl/src/apps/asn1pars.c @@ -332,6 +332,6 @@ end: if (osk != NULL) sk_free(osk); OBJ_cleanup(); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/src/lib/libssl/src/apps/ca.c b/src/lib/libssl/src/apps/ca.c index 492b64f04f..7ed60c7a9a 100644 --- a/src/lib/libssl/src/apps/ca.c +++ b/src/lib/libssl/src/apps/ca.c @@ -64,7 +64,6 @@ #include #include #include -#include "apps.h" #include #include #include @@ -94,11 +93,13 @@ # else # include # endif -# elif !defined(OPENSSL_SYS_VXWORKS) +# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) # include # endif #endif +#include "apps.h" + #ifndef W_OK # define F_OK 0 # define X_OK 1 @@ -195,7 +196,9 @@ static char *ca_usage[]={ " -extensions .. - Extension section (override value in config file)\n", " -extfile file - Configuration file with X509v3 extentions to add\n", " -crlexts .. - CRL extension section (override value in config file)\n", +#ifndef OPENSSL_NO_ENGINE " -engine e - use engine e, possibly a hardware device.\n", +#endif " -status serial - Shows certificate status given the serial number\n", " -updatedb - Updates db for expired certificates\n", NULL @@ -332,7 +335,10 @@ int MAIN(int argc, char **argv) #define BSIZE 256 MS_STATIC char buf[3][BSIZE]; char *randfile=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine = NULL; +#endif + char *tofree=NULL; #ifdef EFENCE EF_PROTECT_FREE=1; @@ -535,11 +541,13 @@ EF_ALIGNMENT=0; rev_arg = *(++argv); rev_type = REV_CA_COMPROMISE; } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else { bad: @@ -560,25 +568,28 @@ bad: ERR_load_crypto_strings(); - e = setup_engine(bio_err, engine, 0); +#ifndef OPENSSL_NO_ENGINE + e = setup_engine(bio_err, engine, 0); +#endif /*****************************************************************/ + tofree=NULL; if (configfile == NULL) configfile = getenv("OPENSSL_CONF"); if (configfile == NULL) configfile = getenv("SSLEAY_CONF"); if (configfile == NULL) { - /* We will just use 'buf[0]' as a temporary buffer. */ + const char *s=X509_get_default_cert_area(); + #ifdef OPENSSL_SYS_VMS - strncpy(buf[0],X509_get_default_cert_area(), - sizeof(buf[0])-1-sizeof(CONFIG_FILE)); + tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)); + strcpy(tofree,s); #else - strncpy(buf[0],X509_get_default_cert_area(), - sizeof(buf[0])-2-sizeof(CONFIG_FILE)); - buf[0][sizeof(buf[0])-2-sizeof(CONFIG_FILE)]='\0'; - strcat(buf[0],"/"); + tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1); + strcpy(tofree,s); + strcat(tofree,"/"); #endif - strcat(buf[0],CONFIG_FILE); - configfile=buf[0]; + strcat(tofree,CONFIG_FILE); + configfile=tofree; } BIO_printf(bio_err,"Using configuration from %s\n",configfile); @@ -593,6 +604,11 @@ bad: ,errorline,configfile); goto err; } + if(tofree) + { + OPENSSL_free(tofree); + tofree = NULL; + } if (!load_config(bio_err, conf)) goto err; @@ -701,7 +717,7 @@ bad: } pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key"); - if (key) memset(key,0,strlen(key)); + if (key) OPENSSL_cleanse(key,strlen(key)); if (pkey == NULL) { /* load_key() has already printed an appropriate message */ @@ -1016,7 +1032,7 @@ bad: } if (verbose) - BIO_printf(bio_err, "Succesfully loaded extensions file %s\n", extfile); + BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile); /* We can have sections in the ext file */ if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions"))) @@ -1158,9 +1174,14 @@ bad: } if (verbose) { - if ((f=BN_bn2hex(serial)) == NULL) goto err; - BIO_printf(bio_err,"next serial number is %s\n",f); - OPENSSL_free(f); + if (BN_is_zero(serial)) + BIO_printf(bio_err,"next serial number is 00\n"); + else + { + if ((f=BN_bn2hex(serial)) == NULL) goto err; + BIO_printf(bio_err,"next serial number is %s\n",f); + OPENSSL_free(f); + } } if ((attribs=NCONF_get_section(conf,policy)) == NULL) @@ -1280,8 +1301,13 @@ bad: BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk)); - strncpy(buf[0],serialfile,BSIZE-4); - buf[0][BSIZE-4]='\0'; + if(strlen(serialfile) > BSIZE-5 || strlen(dbfile) > BSIZE-5) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + + strcpy(buf[0],serialfile); #ifdef OPENSSL_SYS_VMS strcat(buf[0],"-new"); @@ -1291,8 +1317,7 @@ bad: if (!save_serial(buf[0],serial)) goto err; - strncpy(buf[1],dbfile,BSIZE-4); - buf[1][BSIZE-4]='\0'; + strcpy(buf[1],dbfile); #ifdef OPENSSL_SYS_VMS strcat(buf[1],"-new"); @@ -1322,8 +1347,13 @@ bad: j=x->cert_info->serialNumber->length; p=(char *)x->cert_info->serialNumber->data; - strncpy(buf[2],outdir,BSIZE-(j*2)-6); - buf[2][BSIZE-(j*2)-6]='\0'; + if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8)) + { + BIO_printf(bio_err,"certificate file name too long\n"); + goto err; + } + + strcpy(buf[2],outdir); #ifndef OPENSSL_SYS_VMS strcat(buf[2],"/"); @@ -1557,8 +1587,13 @@ bad: if (j <= 0) goto err; X509_free(revcert); - strncpy(buf[0],dbfile,BSIZE-4); - buf[0][BSIZE-4]='\0'; + if(strlen(dbfile) > BSIZE-5) + { + BIO_printf(bio_err,"filename too long\n"); + goto err; + } + + strcpy(buf[0],dbfile); #ifndef OPENSSL_SYS_VMS strcat(buf[0],".new"); #else @@ -1602,16 +1637,19 @@ bad: /*****************************************************************/ ret=0; err: + if(tofree) + OPENSSL_free(tofree); BIO_free_all(Cout); BIO_free_all(Sout); BIO_free_all(out); BIO_free_all(in); - sk_X509_pop_free(cert_sk,X509_free); + if (cert_sk) + sk_X509_pop_free(cert_sk,X509_free); if (ret) ERR_print_errors(bio_err); app_RAND_write_file(randfile, bio_err); - if (free_key) + if (free_key && key) OPENSSL_free(key); BN_free(serial); TXT_DB_free(db); @@ -1621,7 +1659,7 @@ err: NCONF_free(conf); OBJ_cleanup(); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } static void lookup_fail(char *name, char *tag) @@ -1686,7 +1724,7 @@ static BIGNUM *load_serial(char *serialfile) ret=ASN1_INTEGER_to_BN(ai,NULL); if (ret == NULL) { - BIO_printf(bio_err,"error converting number from bin to BIGNUM"); + BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); goto err; } err: @@ -2089,7 +2127,10 @@ again2: } } - row[DB_serial]=BN_bn2hex(serial); + if (BN_is_zero(serial)) + row[DB_serial]=BUF_strdup("00"); + else + row[DB_serial]=BN_bn2hex(serial); if (row[DB_serial] == NULL) { BIO_printf(bio_err,"Memory allocation failure\n"); @@ -2152,7 +2193,7 @@ again2: #ifdef X509_V3 /* Make it an X509 v3 certificate. */ - if (!X509_set_version(x509,2)) goto err; + if (!X509_set_version(ret,2)) goto err; #endif if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL) @@ -2573,7 +2614,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) row[i]=NULL; row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0); bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL); - row[DB_serial]=BN_bn2hex(bn); + if (BN_is_zero(bn)) + row[DB_serial]=BUF_strdup("00"); + else + row[DB_serial]=BN_bn2hex(bn); BN_free(bn); if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { @@ -3042,55 +3086,59 @@ X509_NAME *do_subject(char *subject, long chtype) sp++; /* skip leading / */ while (*sp) - { + { /* collect type */ ne_types[ne_num] = bp; while (*sp) - { + { if (*sp == '\\') /* is there anything to escape in the type...? */ + { if (*++sp) *bp++ = *sp++; else - { + { BIO_printf(bio_err, "escape character at end of string\n"); goto error; + } } else if (*sp == '=') - { + { sp++; *bp++ = '\0'; break; - } + } else *bp++ = *sp++; - } + } if (!*sp) - { + { BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num); goto error; - } + } ne_values[ne_num] = bp; while (*sp) - { + { if (*sp == '\\') + { if (*++sp) *bp++ = *sp++; else - { + { BIO_printf(bio_err, "escape character at end of string\n"); goto error; + } } else if (*sp == '/') - { + { sp++; break; - } + } else *bp++ = *sp++; - } + } *bp++ = '\0'; ne_num++; - } + } if (!(n = X509_NAME_new())) goto error; diff --git a/src/lib/libssl/src/apps/ciphers.c b/src/lib/libssl/src/apps/ciphers.c index 2d6e104790..7c62fc5dc3 100644 --- a/src/lib/libssl/src/apps/ciphers.c +++ b/src/lib/libssl/src/apps/ciphers.c @@ -187,7 +187,7 @@ int MAIN(int argc, char **argv) { BIO_puts(STDout,SSL_CIPHER_description( sk_SSL_CIPHER_value(sk,i), - buf,512)); + buf,sizeof buf)); } } @@ -203,6 +203,6 @@ end: if (ssl != NULL) SSL_free(ssl); if (STDout != NULL) BIO_free_all(STDout); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/src/lib/libssl/src/apps/crl.c b/src/lib/libssl/src/apps/crl.c index 00946b4d20..81d66587c1 100644 --- a/src/lib/libssl/src/apps/crl.c +++ b/src/lib/libssl/src/apps/crl.c @@ -81,6 +81,7 @@ static char *crl_usage[]={ " -in arg - input file - default stdin\n", " -out arg - output file - default stdout\n", " -hash - print hash value\n", +" -fingerprint - print the crl fingerprint\n", " -issuer - print issuer DN\n", " -lastupdate - lastUpdate field\n", " -nextupdate - nextUpdate field\n", @@ -377,7 +378,7 @@ end: X509_STORE_free(store); } apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } static X509_CRL *load_crl(char *infile, int format) diff --git a/src/lib/libssl/src/apps/crl2p7.c b/src/lib/libssl/src/apps/crl2p7.c index 8729068462..b2f2d121d5 100644 --- a/src/lib/libssl/src/apps/crl2p7.c +++ b/src/lib/libssl/src/apps/crl2p7.c @@ -280,7 +280,7 @@ end: if (crl != NULL) X509_CRL_free(crl); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } /* diff --git a/src/lib/libssl/src/apps/dgst.c b/src/lib/libssl/src/apps/dgst.c index 32e40c1f53..47d1309b14 100644 --- a/src/lib/libssl/src/apps/dgst.c +++ b/src/lib/libssl/src/apps/dgst.c @@ -100,7 +100,9 @@ int MAIN(int argc, char **argv) EVP_PKEY *sigkey = NULL; unsigned char *sigbuf = NULL; int siglen = 0; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -117,7 +119,7 @@ int MAIN(int argc, char **argv) goto end; /* first check the program name */ - program_name(argv[0],pname,PROG_NAME_SIZE); + program_name(argv[0],pname,sizeof pname); md=EVP_get_digestbyname(pname); @@ -166,11 +168,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) break; keyform=str2fmt(*(++argv)); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) break; engine= *(++argv); } +#endif else if (strcmp(*argv,"-hex") == 0) out_bin = 0; else if (strcmp(*argv,"-binary") == 0) @@ -208,7 +212,9 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n"); BIO_printf(bio_err,"-signature file signature to verify\n"); BIO_printf(bio_err,"-binary output in binary form\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n", LN_md5,LN_md5); @@ -228,7 +234,9 @@ int MAIN(int argc, char **argv) goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif in=BIO_new(BIO_s_file()); bmd=BIO_new(BIO_f_md()); @@ -356,7 +364,7 @@ int MAIN(int argc, char **argv) end: if (buf != NULL) { - memset(buf,0,BUFSIZE); + OPENSSL_cleanse(buf,BUFSIZE); OPENSSL_free(buf); } if (in != NULL) BIO_free(in); @@ -365,7 +373,7 @@ end: if(sigbuf) OPENSSL_free(sigbuf); if (bmd != NULL) BIO_free(bmd); apps_shutdown(); - EXIT(err); + OPENSSL_EXIT(err); } int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, diff --git a/src/lib/libssl/src/apps/dh.c b/src/lib/libssl/src/apps/dh.c index 27c3dc8df2..cd01fed139 100644 --- a/src/lib/libssl/src/apps/dh.c +++ b/src/lib/libssl/src/apps/dh.c @@ -87,12 +87,17 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DH *dh=NULL; int i,badops=0,text=0; BIO *in=NULL,*out=NULL; int informat,outformat,check=0,noout=0,C=0,ret=1; - char *infile,*outfile,*prog,*engine; + char *infile,*outfile,*prog; +#ifndef OPENSSL_NO_ENGINE + char *engine; +#endif apps_startup(); @@ -103,7 +108,9 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; +#ifndef OPENSSL_NO_ENGINE engine=NULL; +#endif infile=NULL; outfile=NULL; informat=FORMAT_PEM; @@ -134,11 +141,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outfile= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-check") == 0) check=1; else if (strcmp(*argv,"-text") == 0) @@ -170,13 +179,17 @@ bad: BIO_printf(bio_err," -text print a text form of the DH parameters\n"); BIO_printf(bio_err," -C Output C code\n"); BIO_printf(bio_err," -noout no output\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif goto end; } ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); @@ -333,6 +346,6 @@ end: if (out != NULL) BIO_free_all(out); if (dh != NULL) DH_free(dh); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } #endif diff --git a/src/lib/libssl/src/apps/dhparam.c b/src/lib/libssl/src/apps/dhparam.c index ea15ef3236..dc00355b95 100644 --- a/src/lib/libssl/src/apps/dhparam.c +++ b/src/lib/libssl/src/apps/dhparam.c @@ -148,7 +148,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DH *dh=NULL; int i,badops=0,text=0; #ifndef OPENSSL_NO_DSA @@ -157,7 +159,10 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*out=NULL; int informat,outformat,check=0,noout=0,C=0,ret=1; char *infile,*outfile,*prog; - char *inrand=NULL,*engine=NULL; + char *inrand=NULL; +#ifndef OPENSSL_NO_ENGINE + char *engine=NULL; +#endif int num = 0, g = 0; apps_startup(); @@ -199,11 +204,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outfile= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-check") == 0) check=1; else if (strcmp(*argv,"-text") == 0) @@ -249,7 +256,9 @@ bad: BIO_printf(bio_err," -2 generate parameters using 2 as the generator value\n"); BIO_printf(bio_err," -5 generate parameters using 5 as the generator value\n"); BIO_printf(bio_err," numbits number of bits in to generate (default 512)\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," - load the file (or the files in the directory) into\n"); BIO_printf(bio_err," the random number generator\n"); @@ -259,7 +268,9 @@ bad: ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (g && !num) num = DEFBITS; @@ -519,7 +530,7 @@ end: if (out != NULL) BIO_free_all(out); if (dh != NULL) DH_free(dh); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } /* dh_cb is identical to dsa_cb in apps/dsaparam.c */ diff --git a/src/lib/libssl/src/apps/dsa.c b/src/lib/libssl/src/apps/dsa.c index 9da1a41645..e9de3a3bdf 100644 --- a/src/lib/libssl/src/apps/dsa.c +++ b/src/lib/libssl/src/apps/dsa.c @@ -90,7 +90,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif int ret=1; DSA *dsa=NULL; int i,badops=0; @@ -98,7 +100,10 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*out=NULL; int informat,outformat,text=0,noout=0; int pubin = 0, pubout = 0; - char *infile,*outfile,*prog,*engine; + char *infile,*outfile,*prog; +#ifndef OPENSSL_NO_ENGINE + char *engine; +#endif char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; int modulus=0; @@ -112,7 +117,9 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; +#ifndef OPENSSL_NO_ENGINE engine=NULL; +#endif infile=NULL; outfile=NULL; informat=FORMAT_PEM; @@ -153,11 +160,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passargout= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-text") == 0) @@ -189,7 +198,9 @@ bad: BIO_printf(bio_err," -passin arg input file pass phrase source\n"); BIO_printf(bio_err," -out arg output file\n"); BIO_printf(bio_err," -passout arg output file pass phrase source\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -des encrypt PEM output with cbc des\n"); BIO_printf(bio_err," -des3 encrypt PEM output with ede cbc des using 168 bit key\n"); #ifndef OPENSSL_NO_IDEA @@ -207,7 +218,9 @@ bad: ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); @@ -314,6 +327,6 @@ end: if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } #endif diff --git a/src/lib/libssl/src/apps/dsaparam.c b/src/lib/libssl/src/apps/dsaparam.c index 2f436803e3..04861e8986 100644 --- a/src/lib/libssl/src/apps/dsaparam.c +++ b/src/lib/libssl/src/apps/dsaparam.c @@ -90,7 +90,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DSA *dsa=NULL; int i,badops=0,text=0; BIO *in=NULL,*out=NULL; @@ -98,7 +100,9 @@ int MAIN(int argc, char **argv) char *infile,*outfile,*prog,*inrand=NULL; int numbits= -1,num,genkey=0; int need_rand=0; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -139,11 +143,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outfile= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if(strcmp(*argv, "-engine") == 0) { if (--argc < 1) goto bad; engine = *(++argv); } +#endif else if (strcmp(*argv,"-text") == 0) text=1; else if (strcmp(*argv,"-C") == 0) @@ -191,7 +197,9 @@ bad: BIO_printf(bio_err," -noout no output\n"); BIO_printf(bio_err," -genkey generate a DSA key\n"); BIO_printf(bio_err," -rand files to use for random number input\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," number number of bits to use for generating private key\n"); goto end; } @@ -235,7 +243,9 @@ bad: } } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (need_rand) { @@ -372,7 +382,7 @@ end: if (out != NULL) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } static void MS_CALLBACK dsa_cb(int p, int n, void *arg) diff --git a/src/lib/libssl/src/apps/enc.c b/src/lib/libssl/src/apps/enc.c index 1ba2ea2f68..0a9f7310bf 100644 --- a/src/lib/libssl/src/apps/enc.c +++ b/src/lib/libssl/src/apps/enc.c @@ -100,9 +100,11 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif static const char magic[]="Salted__"; - char mbuf[8]; /* should be 1 smaller than magic */ + char mbuf[sizeof magic-1]; char *strbuf=NULL; unsigned char *buff=NULL,*bufsize=NULL; int bsize=BSIZE,verbose=0; @@ -119,7 +121,9 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; +#ifndef OPENSSL_NO_ENGINE char *engine = NULL; +#endif apps_startup(); @@ -131,7 +135,7 @@ int MAIN(int argc, char **argv) goto end; /* first check the program name */ - program_name(argv[0],pname,PROG_NAME_SIZE); + program_name(argv[0],pname,sizeof pname); if (strcmp(pname,"base64") == 0) base64=1; @@ -163,11 +167,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passarg= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-d") == 0) enc=0; else if (strcmp(*argv,"-p") == 0) @@ -216,7 +222,7 @@ int MAIN(int argc, char **argv) goto bad; } buf[0]='\0'; - fgets(buf,128,infile); + fgets(buf,sizeof buf,infile); fclose(infile); i=strlen(buf); if ((i > 0) && @@ -270,7 +276,9 @@ bad: BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv"); BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]"); BIO_printf(bio_err,"%-14s buffer size\n","-bufsize "); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e"); +#endif BIO_printf(bio_err,"Cipher Types\n"); OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, @@ -284,7 +292,9 @@ bad: argv++; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (bufsize != NULL) { @@ -442,12 +452,12 @@ bad: else { if(enc) { if(hsalt) { - if(!set_hex(hsalt,salt,PKCS5_SALT_LEN)) { + if(!set_hex(hsalt,salt,sizeof salt)) { BIO_printf(bio_err, "invalid hex salt value\n"); goto end; } - } else if (RAND_pseudo_bytes(salt, PKCS5_SALT_LEN) < 0) + } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0) goto end; /* If -P option then don't bother writing */ if((printkey != 2) @@ -455,14 +465,14 @@ bad: sizeof magic-1) != sizeof magic-1 || BIO_write(wbio, (char *)salt, - PKCS5_SALT_LEN) != PKCS5_SALT_LEN)) { + sizeof salt) != sizeof salt)) { BIO_printf(bio_err,"error writing output file\n"); goto end; } } else if(BIO_read(rbio,mbuf,sizeof mbuf) != sizeof mbuf || BIO_read(rbio, (unsigned char *)salt, - PKCS5_SALT_LEN) != PKCS5_SALT_LEN) { + sizeof salt) != sizeof salt) { BIO_printf(bio_err,"error reading input file\n"); goto end; } else if(memcmp(mbuf,magic,sizeof magic-1)) { @@ -481,9 +491,9 @@ bad: * bug picked up by * Larry J. Hughes Jr. */ if (str == strbuf) - memset(str,0,SIZE); + OPENSSL_cleanse(str,SIZE); else - memset(str,0,strlen(str)); + OPENSSL_cleanse(str,strlen(str)); } if ((hiv != NULL) && !set_hex(hiv,iv,sizeof iv)) { @@ -524,7 +534,7 @@ bad: if (!nosalt) { printf("salt="); - for (i=0; i #include #include @@ -516,5 +518,12 @@ end: sk_pop_free(post_cmds, identity); if (bio_out != NULL) BIO_free_all(bio_out); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } +#else + +# if PEDANTIC +static void *dummy=&dummy; +# endif + +#endif diff --git a/src/lib/libssl/src/apps/errstr.c b/src/lib/libssl/src/apps/errstr.c index fedb568d68..19489b0df3 100644 --- a/src/lib/libssl/src/apps/errstr.c +++ b/src/lib/libssl/src/apps/errstr.c @@ -122,5 +122,5 @@ int MAIN(int argc, char **argv) } } apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/src/lib/libssl/src/apps/gendh.c b/src/lib/libssl/src/apps/gendh.c index f2542960bf..a34a862caf 100644 --- a/src/lib/libssl/src/apps/gendh.c +++ b/src/lib/libssl/src/apps/gendh.c @@ -81,13 +81,17 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DH *dh=NULL; int ret=1,num=DEFBITS; int g=2; char *outfile=NULL; char *inrand=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif BIO *out=NULL; apps_startup(); @@ -115,11 +119,13 @@ int MAIN(int argc, char **argv) g=3; */ else if (strcmp(*argv,"-5") == 0) g=5; +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -138,14 +144,18 @@ bad: BIO_printf(bio_err," -2 - use 2 as the generator value\n"); /* BIO_printf(bio_err," -3 - use 3 as the generator value\n"); */ BIO_printf(bio_err," -5 - use 5 as the generator value\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," - load the file (or the files in the directory) into\n"); BIO_printf(bio_err," the random number generator\n"); goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif out=BIO_new(BIO_s_file()); if (out == NULL) @@ -198,7 +208,7 @@ end: if (out != NULL) BIO_free_all(out); if (dh != NULL) DH_free(dh); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } static void MS_CALLBACK dh_cb(int p, int n, void *arg) diff --git a/src/lib/libssl/src/apps/gendsa.c b/src/lib/libssl/src/apps/gendsa.c index 1e1e9f3e4c..6d2ed06c81 100644 --- a/src/lib/libssl/src/apps/gendsa.c +++ b/src/lib/libssl/src/apps/gendsa.c @@ -77,7 +77,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DSA *dsa=NULL; int ret=1; char *outfile=NULL; @@ -85,7 +87,9 @@ int MAIN(int argc, char **argv) char *passargout = NULL, *passout = NULL; BIO *out=NULL,*in=NULL; const EVP_CIPHER *enc=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -111,11 +115,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passargout= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -167,7 +173,9 @@ bad: BIO_printf(bio_err," -aes128, -aes192, -aes256\n"); BIO_printf(bio_err," encrypt PEM output with cbc aes\n"); #endif +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," - load the file (or the files in the directory) into\n"); BIO_printf(bio_err," the random number generator\n"); @@ -176,7 +184,9 @@ bad: goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) { BIO_printf(bio_err, "Error getting password\n"); @@ -246,6 +256,6 @@ end: if (dsa != NULL) DSA_free(dsa); if(passout) OPENSSL_free(passout); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } #endif diff --git a/src/lib/libssl/src/apps/genrsa.c b/src/lib/libssl/src/apps/genrsa.c index 515bd7c901..63be873b7b 100644 --- a/src/lib/libssl/src/apps/genrsa.c +++ b/src/lib/libssl/src/apps/genrsa.c @@ -81,7 +81,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif int ret=1; RSA *rsa=NULL; int i,num=DEFBITS; @@ -90,7 +92,9 @@ int MAIN(int argc, char **argv) unsigned long f4=RSA_F4; char *outfile=NULL; char *passargout = NULL, *passout = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif char *inrand=NULL; BIO *out=NULL; @@ -122,11 +126,13 @@ int MAIN(int argc, char **argv) f4=3; else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0) f4=RSA_F4; +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -177,7 +183,9 @@ bad: BIO_printf(bio_err," -passout arg output file pass phrase source\n"); BIO_printf(bio_err," -f4 use F4 (0x10001) for the E value\n"); BIO_printf(bio_err," -3 use 3 for the E value\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," load the file (or the files in the directory) into\n"); BIO_printf(bio_err," the random number generator\n"); @@ -191,7 +199,9 @@ bad: goto err; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (outfile == NULL) { @@ -258,7 +268,7 @@ err: if (ret != 0) ERR_print_errors(bio_err); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } static void MS_CALLBACK genrsa_cb(int p, int n, void *arg) diff --git a/src/lib/libssl/src/apps/makeapps.com b/src/lib/libssl/src/apps/makeapps.com index 148246facc..0197c8a171 100644 --- a/src/lib/libssl/src/apps/makeapps.com +++ b/src/lib/libssl/src/apps/makeapps.com @@ -15,22 +15,10 @@ $! $! It was written so it would try to determine what "C" compiler to $! use or you can specify which "C" compiler to use. $! -$! Specify RSAREF as P1 to compile with the RSAREF library instead of -$! the regular one. If you specify NORSAREF it will compile with the -$! regular RSAREF routines. (Note: If you are in the United States -$! you MUST compile with RSAREF unless you have a license from RSA). -$! -$! Note: The RSAREF libraries are NOT INCLUDED and you have to -$! download it from "ftp://ftp.rsa.com/rsaref". You have to -$! get the ".tar-Z" file as the ".zip" file dosen't have the -$! directory structure stored. You have to extract the file -$! into the [.RSAREF] directory under the root directory as that -$! is where the scripts will look for the files. -$! -$! Specify DEBUG or NODEBUG as P2 to compile with or without debugger +$! Specify DEBUG or NODEBUG as P1 to compile with or without debugger $! information. $! -$! Specify which compiler at P3 to try to compile under. +$! Specify which compiler at P2 to try to compile under. $! $! VAXC For VAX C. $! DECC For DEC C. @@ -39,16 +27,16 @@ $! $! If you don't speficy a compiler, it will try to determine which $! "C" compiler to use. $! -$! P4, if defined, sets a TCP/IP library to use, through one of the following +$! P3, if defined, sets a TCP/IP library to use, through one of the following $! keywords: $! $! UCX for UCX $! SOCKETSHR for SOCKETSHR+NETLIB $! TCPIP for TCPIP (post UCX) $! -$! P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up) +$! P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up) $! -$! P6, if defined, sets a choice of programs to compile. +$! P5, if defined, sets a choice of programs to compile. $! $! $! Define A TCP/IP Library That We Will Need To Link To. @@ -101,10 +89,6 @@ $! Define The CRYPTO Library. $! $ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB $! -$! Define The RSAREF Library. -$! -$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB -$! $! Define The SSL Library. $! $ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB @@ -182,7 +166,7 @@ $! TCPIP_PROGRAMS = ",S_SERVER,S_CLIENT,SESS_ID,CIPHERS,S_TIME," $! $! Setup exceptional compilations $! -$ COMPILEWITH_CC2 = ",S_SOCKET,S_SERVER,S_CLIENT," +$ COMPILEWITH_CC2 = ",S_SERVER,S_CLIENT," $! $ PHASE := LIB $! @@ -293,73 +277,31 @@ $ WRITE SYS$OUTPUT FILE_NAME," needs a TCP/IP library. Can't link. Skipping. $ GOTO NEXT_FILE $ ENDIF $! -$! Link The Program, Check To See If We Need To Link With RSAREF Or Not. +$! Link The Program. +$! Check To See If We Are To Link With A Specific TCP/IP Library. $! -$ IF (RSAREF.EQS."TRUE") +$ IF (TCPIP_LIB.NES."") $ THEN $! -$! Check To See If We Are To Link With A Specific TCP/IP Library. -$! -$ IF (TCPIP_LIB.NES."") -$ THEN -$! -$! Link With The RSAREF Library And A Specific TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - - 'OBJECT_FILE''EXTRA_OBJ', - - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, - - 'TCPIP_LIB','OPT_FILE'/OPTION +$! Don't Link With The RSAREF Routines And TCP/IP Library. $! -$! Else... -$! -$ ELSE -$! -$! Link With The RSAREF Library And NO TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - - 'OBJECT_FILE''EXTRA_OBJ', - - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, - - 'OPT_FILE'/OPTION -$! -$! End The TCP/IP Library Check. -$! -$ ENDIF +$ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - + 'OBJECT_FILE''EXTRA_OBJ', - + 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - + 'TCPIP_LIB','OPT_FILE'/OPTION $! $! Else... $! $ ELSE $! -$! Don't Link With The RSAREF Routines. -$! +$! Don't Link With The RSAREF Routines And Link With A TCP/IP Library. $! -$! Check To See If We Are To Link With A Specific TCP/IP Library. +$ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - + 'OBJECT_FILE''EXTRA_OBJ', - + 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - + 'OPT_FILE'/OPTION $! -$ IF (TCPIP_LIB.NES."") -$ THEN -$! -$! Don't Link With The RSAREF Routines And TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - - 'OBJECT_FILE''EXTRA_OBJ', - - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - - 'TCPIP_LIB','OPT_FILE'/OPTION -$! -$! Else... -$! -$ ELSE -$! -$! Don't Link With The RSAREF Routines And Link With A TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' - - 'OBJECT_FILE''EXTRA_OBJ', - - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - - 'OPT_FILE'/OPTION -$! -$! End The TCP/IP Library Check. -$! -$ ENDIF -$! -$! End The RSAREF Link Check. +$! End The TCP/IP Library Check. $! $ ENDIF $! @@ -526,32 +468,6 @@ $! End The Crypto Library Check. $! $ ENDIF $! -$! See If We Need The RSAREF Library. -$! -$ IF (RSAREF.EQS."TRUE") -$ THEN -$! -$! Look For The Library LIBRSAGLUE.OLB. -$! -$ IF (F$SEARCH(RSAREF_LIB).EQS."") -$ THEN -$! -$! Tell The User We Can't Find The LIBRSAGLUE.OLB Library. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"." -$ WRITE SYS$OUTPUT "We Can't Link Without It." -$ WRITE SYS$OUTPUT "" -$! -$! Since We Can't Link Without It, Exit. -$! -$ EXIT -$ ENDIF -$! -$! End The RSAREF Library Check. -$! -$ ENDIF -$! $! Look For The Library LIBSSL.OLB. $! $ IF (F$SEARCH(SSL_LIB).EQS."") @@ -582,87 +498,10 @@ $ CHECK_OPTIONS: $! $! Check To See If P1 Is Blank. $! -$ P1 = "NORSAREF" -$ IF (P1.EQS."NORSAREF") +$ IF (P1.EQS."NODEBUG") $ THEN $! -$! P1 Is NORSAREF, So Compile With The Regular RSA Libraries. -$! -$ RSAREF = "FALSE" -$! -$! Else... -$! -$ ELSE -$! -$! Check To See If We Are To Use The RSAREF Library. -$! -$ IF (P1.EQS."RSAREF") -$ THEN -$! -$! Check To Make Sure We Have The RSAREF Source Code Directory. -$! -$ IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."") -$ THEN -$! -$! We Don't Have The RSAREF Souce Code Directory, So Tell The -$! User This. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code." -$ WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'. You have to" -$ WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the" -$ WRITE SYS$OUTPUT "directory structure stored. You have to extract the file" -$ WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory" -$ WRITE SYS$OUTPUT "as that is where the scripts will look for the files." -$ WRITE SYS$OUTPUT "" -$! -$! Time To Exit. -$! -$ EXIT -$! -$! Else... -$! -$ ELSE -$! -$! Compile Using The RSAREF Library. -$! -$ RSAREF = "TRUE" -$! -$! End The RSAREF Soure Directory Check. -$! -$ ENDIF -$! -$! Else... -$! -$ ELSE -$! -$! They Entered An Invalid Option.. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P1," Is Invalid. The Valid Options Are:" -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT " RSAREF : Compile With The RSAREF Library." -$ WRITE SYS$OUTPUT " NORSAREF : Compile With The Regular RSA Library." -$ WRITE SYS$OUTPUT "" -$! -$! Time To EXIT. -$! -$ EXIT -$! -$! End The Valid Arguement Check. -$! -$ ENDIF -$! -$! End P1 Check. -$! -$ ENDIF -$! -$! Check To See If P2 Is Blank. -$! -$ IF (P2.EQS."NODEBUG") -$ THEN -$! -$! P2 Is NODEBUG, So Compile Without Debugger Information. +$! P1 Is NODEBUG, So Compile Without Debugger Information. $! $ DEBUGGER = "NODEBUG" $ TRACEBACK = "NOTRACEBACK" @@ -677,7 +516,7 @@ $ ELSE $! $! Check To See If We Are To Compile With Debugger Information. $! -$ IF (P2.EQS."DEBUG") +$ IF (P1.EQS."DEBUG") $ THEN $! $! Compile With Debugger Information. @@ -693,7 +532,7 @@ $! $! Tell The User Entered An Invalid Option.. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P2," Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "The Option ",P1," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " DEBUG : Compile With The Debugger Information." $ WRITE SYS$OUTPUT " NODEBUG : Compile Without The Debugger Information." @@ -707,13 +546,13 @@ $! End The Valid Arguement Check. $! $ ENDIF $! -$! End The P2 Check. +$! End The P1 Check. $! $ ENDIF $! -$! Check To See If P3 Is Blank. +$! Check To See If P2 Is Blank. $! -$ IF (P3.EQS."") +$ IF (P2.EQS."") $ THEN $! $! O.K., The User Didn't Specify A Compiler, Let's Try To @@ -726,7 +565,7 @@ $ THEN $! $! Looks Like GNUC, Set To Use GNUC. $! -$ P3 = "GNUC" +$ P2 = "GNUC" $! $! Else... $! @@ -739,7 +578,7 @@ $ THEN $! $! Looks Like DECC, Set To Use DECC. $! -$ P3 = "DECC" +$ P2 = "DECC" $! $! Else... $! @@ -747,7 +586,7 @@ $ ELSE $! $! Looks Like VAXC, Set To Use VAXC. $! -$ P3 = "VAXC" +$ P2 = "VAXC" $! $! End The VAXC Compiler Check. $! @@ -761,9 +600,9 @@ $! End The Compiler Check. $! $ ENDIF $! -$! Check To See If We Have A Option For P4. +$! Check To See If We Have A Option For P3. $! -$ IF (P4.EQS."") +$ IF (P3.EQS."") $ THEN $! $! Find out what socket library we have available @@ -773,7 +612,7 @@ $ THEN $! $! We have SOCKETSHR, and it is my opinion that it's the best to use. $! -$ P4 = "SOCKETSHR" +$ P3 = "SOCKETSHR" $! $! Tell the user $! @@ -793,7 +632,7 @@ $ THEN $! $! Last resort: a UCX or UCX-compatible library $! -$ P4 = "UCX" +$ P3 = "UCX" $! $! Tell the user $! @@ -817,12 +656,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN - $! $! Check To See If The User Entered A Valid Paramter. $! -$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC") +$ IF (P2.EQS."VAXC").OR.(P2.EQS."DECC").OR.(P2.EQS."GNUC") $ THEN $! $! Check To See If The User Wanted DECC. $! -$ IF (P3.EQS."DECC") +$ IF (P2.EQS."DECC") $ THEN $! $! Looks Like DECC, Set To Use DECC. @@ -852,7 +691,7 @@ $ ENDIF $! $! Check To See If We Are To Use VAXC. $! -$ IF (P3.EQS."VAXC") +$ IF (P2.EQS."VAXC") $ THEN $! $! Looks Like VAXC, Set To Use VAXC. @@ -889,7 +728,7 @@ $ ENDIF $! $! Check To See If We Are To Use GNU C. $! -$ IF (P3.EQS."GNUC") +$ IF (P2.EQS."GNUC") $ THEN $! $! Looks Like GNUC, Set To Use GNUC. @@ -918,31 +757,6 @@ $! Set up default defines $! $ CCDEFS = """FLAT_INC=1""," + CCDEFS $! -$! Check To See If We Are To Compile With RSAREF Routines. -$! -$ IF (RSAREF.EQS."TRUE") -$ THEN -$! -$! Compile With RSAREF. -$! -$ CCDEFS = CCDEFS + ",""RSAref=1""" -$! -$! Tell The User This. -$! -$ WRITE SYS$OUTPUT "Compiling With RSAREF Routines." -$! -$! Else, We Don't Care. Compile Without The RSAREF Library. -$! -$ ELSE -$! -$! Tell The User We Are Compile Without The RSAREF Routines. -$! -$ WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines. -$! -$! End The RSAREF Check. -$! -$ ENDIF -$! $! Else The User Entered An Invalid Arguement. $! $ ELSE @@ -950,7 +764,7 @@ $! $! Tell The User We Don't Know What They Want. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P3," Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "The Option ",P2," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " VAXC : To Compile With VAX C." $ WRITE SYS$OUTPUT " DECC : To Compile With DEC C." @@ -964,13 +778,13 @@ $ ENDIF $! $! Time to check the contents, and to make sure we get the correct library. $! -$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" - - .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE" +$ IF P3.EQS."SOCKETSHR" .OR. P3.EQS."MULTINET" .OR. P3.EQS."UCX" - + .OR. P3.EQS."TCPIP" .OR. P3.EQS."NONE" $ THEN $! $! Check to see if SOCKETSHR was chosen $! -$ IF P4.EQS."SOCKETSHR" +$ IF P3.EQS."SOCKETSHR" $ THEN $! $! Set the library to use SOCKETSHR @@ -983,12 +797,12 @@ $ ENDIF $! $! Check to see if MULTINET was chosen $! -$ IF P4.EQS."MULTINET" +$ IF P3.EQS."MULTINET" $ THEN $! $! Set the library to use UCX emulation. $! -$ P4 = "UCX" +$ P3 = "UCX" $! $! Done with MULTINET $! @@ -996,7 +810,7 @@ $ ENDIF $! $! Check to see if UCX was chosen $! -$ IF P4.EQS."UCX" +$ IF P3.EQS."UCX" $ THEN $! $! Set the library to use UCX. @@ -1016,7 +830,7 @@ $ ENDIF $! $! Check to see if TCPIP (post UCX) was chosen $! -$ IF P4.EQS."TCPIP" +$ IF P3.EQS."TCPIP" $ THEN $! $! Set the library to use TCPIP. @@ -1029,7 +843,7 @@ $ ENDIF $! $! Check to see if NONE was chosen $! -$ IF P4.EQS."NONE" +$ IF P3.EQS."NONE" $ THEN $! $! Do not use TCPIP. @@ -1042,7 +856,7 @@ $ ENDIF $! $! Add TCP/IP type to CC definitions. $! -$ CCDEFS = CCDEFS + ",TCPIP_TYPE_''P4'" +$ CCDEFS = CCDEFS + ",TCPIP_TYPE_''P3'" $! $! Print info $! @@ -1055,7 +869,7 @@ $! $! Tell The User We Don't Know What They Want. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P4," Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "The Option ",P3," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " SOCKETSHR : To link with SOCKETSHR TCP/IP library." $ WRITE SYS$OUTPUT " UCX : To link with UCX TCP/IP library." @@ -1094,9 +908,9 @@ $! Written By: Richard Levitte $! richard@levitte.org $! $! -$! Check To See If We Have A Option For P5. +$! Check To See If We Have A Option For P4. $! -$ IF (P5.EQS."") +$ IF (P4.EQS."") $ THEN $! $! Get The Version Of VMS We Are Using. @@ -1118,15 +932,15 @@ $! End The VMS Version Check. $! $ ENDIF $! -$! End The P5 Check. +$! End The P4 Check. $! $ ENDIF $! $! Check if the user wanted to compile just a subset of all the programs. $! -$ IF P6 .NES. "" +$ IF P5 .NES. "" $ THEN -$ PROGRAMS = P6 +$ PROGRAMS = P5 $ ENDIF $! $! Time To RETURN... diff --git a/src/lib/libssl/src/apps/nseq.c b/src/lib/libssl/src/apps/nseq.c index c26f62cb61..dc71d45012 100644 --- a/src/lib/libssl/src/apps/nseq.c +++ b/src/lib/libssl/src/apps/nseq.c @@ -102,7 +102,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-in file input file\n"); BIO_printf (bio_err, "-out file output file\n"); BIO_printf (bio_err, "-toseq output NS Sequence file\n"); - EXIT(1); + OPENSSL_EXIT(1); } if (infile) { @@ -162,6 +162,6 @@ end: BIO_free_all(out); NETSCAPE_CERT_SEQUENCE_free(seq); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/src/lib/libssl/src/apps/ocsp.c b/src/lib/libssl/src/apps/ocsp.c index 59b97a634b..17e84366d9 100644 --- a/src/lib/libssl/src/apps/ocsp.c +++ b/src/lib/libssl/src/apps/ocsp.c @@ -55,6 +55,7 @@ * Hudson (tjh@cryptsoft.com). * */ +#ifndef OPENSSL_NO_OCSP #include #include @@ -523,7 +524,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-serial n serial number to check\n"); BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n"); BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n"); - BIO_printf (bio_err, "-sign_certs file additional certificates to include in signed request\n"); + BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n"); BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n"); BIO_printf (bio_err, "-req_text print text form of request\n"); BIO_printf (bio_err, "-resp_text print text form of response\n"); @@ -543,10 +544,10 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); BIO_printf (bio_err, "-noverify don't verify response at all\n"); - BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n"); + BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n"); BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n"); - BIO_printf (bio_err, "-no_sig_verify don't check signature on response\n"); + BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n"); BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n"); BIO_printf (bio_err, "-no_chain don't chain verify response\n"); BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); @@ -722,7 +723,12 @@ int MAIN(int argc, char **argv) } else if (host) { +#ifndef OPENSSL_NO_SOCK cbio = BIO_new_connect(host); +#else + BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n"); + goto end; +#endif if (!cbio) { BIO_printf(bio_err, "Error creating connect BIO\n"); @@ -732,7 +738,16 @@ int MAIN(int argc, char **argv) if (use_ssl == 1) { BIO *sbio; +#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) ctx = SSL_CTX_new(SSLv23_client_method()); +#elif !defined(OPENSSL_NO_SSL3) + ctx = SSL_CTX_new(SSLv3_client_method()); +#elif !defined(OPENSSL_NO_SSL2) + ctx = SSL_CTX_new(SSLv2_client_method()); +#else + BIO_printf(bio_err, "SSL is disabled\n"); + goto end; +#endif SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); @@ -899,7 +914,7 @@ end: SSL_CTX_free(ctx); } - EXIT(ret); + OPENSSL_EXIT(ret); } static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, @@ -1120,7 +1135,10 @@ static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser) char *itmp, *row[DB_NUMBER],**rrow; for (i = 0; i < DB_NUMBER; i++) row[i] = NULL; bn = ASN1_INTEGER_to_BN(ser,NULL); - itmp = BN_bn2hex(bn); + if (BN_is_zero(bn)) + itmp = BUF_strdup("00"); + else + itmp = BN_bn2hex(bn); row[DB_serial] = itmp; BN_free(bn); rrow=TXT_DB_get_by_index(db,DB_serial,row); @@ -1136,7 +1154,11 @@ static BIO *init_responder(char *port) bufbio = BIO_new(BIO_f_buffer()); if (!bufbio) goto err; +#ifndef OPENSSL_NO_SOCK acbio = BIO_new_accept(port); +#else + BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n"); +#endif if (!acbio) goto err; BIO_set_accept_bios(acbio, bufbio); @@ -1176,7 +1198,7 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port for(;;) { - len = BIO_gets(cbio, inbuf, 1024); + len = BIO_gets(cbio, inbuf, sizeof inbuf); if (len <= 0) return 1; /* Look for "POST" signalling start of query */ @@ -1223,3 +1245,4 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) return 1; } +#endif diff --git a/src/lib/libssl/src/apps/openssl.c b/src/lib/libssl/src/apps/openssl.c index 1c4a4291aa..45af2ba7f9 100644 --- a/src/lib/libssl/src/apps/openssl.c +++ b/src/lib/libssl/src/apps/openssl.c @@ -122,7 +122,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */ #include "progs.h" #include "s_apps.h" @@ -139,11 +141,11 @@ static unsigned long MS_CALLBACK hash(const void *a_void); static int MS_CALLBACK cmp(const void *a_void,const void *b_void); static LHASH *prog_init(void ); static int do_cmd(LHASH *prog,int argc,char *argv[]); -CONF *config=NULL; char *default_config_file=NULL; /* Make sure there is only one when MONOLITH is defined */ #ifdef MONOLITH +CONF *config=NULL; BIO *bio_err=NULL; #endif @@ -218,7 +220,8 @@ int main(int Argc, char *Argv[]) #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; FUNCTION f,*fp; - MS_STATIC char *prompt,buf[1024],config_name[256]; + MS_STATIC char *prompt,buf[1024]; + char *to_free=NULL; int n,i,ret=0; int argc; char **argv,*p; @@ -228,6 +231,10 @@ int main(int Argc, char *Argv[]) arg.data=NULL; arg.count=0; + if (bio_err == NULL) + if ((bio_err=BIO_new(BIO_s_file())) != NULL) + BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); + if (getenv("OPENSSL_DEBUG_MEMORY") != NULL) /* if not defined, use compiled-in library defaults */ { if (!(0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))) @@ -252,23 +259,12 @@ int main(int Argc, char *Argv[]) apps_startup(); - if (bio_err == NULL) - if ((bio_err=BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); - /* Lets load up our environment a little */ p=getenv("OPENSSL_CONF"); if (p == NULL) p=getenv("SSLEAY_CONF"); if (p == NULL) - { - strcpy(config_name,X509_get_default_cert_area()); -#ifndef OPENSSL_SYS_VMS - strcat(config_name,"/"); -#endif - strcat(config_name,OPENSSL_CONF); - p=config_name; - } + p=to_free=make_config_name(); default_config_file=p; @@ -284,7 +280,7 @@ int main(int Argc, char *Argv[]) prog=prog_init(); /* first check the program name */ - program_name(Argv[0],pname,PROG_NAME_SIZE); + program_name(Argv[0],pname,sizeof pname); f.name=pname; fp=(FUNCTION *)lh_retrieve(prog,&f); @@ -312,7 +308,7 @@ int main(int Argc, char *Argv[]) { ret=0; p=buf; - n=1024; + n=sizeof buf; i=0; for (;;) { @@ -346,6 +342,8 @@ int main(int Argc, char *Argv[]) BIO_printf(bio_err,"bad exit\n"); ret=1; end: + if (to_free) + OPENSSL_free(to_free); if (config != NULL) { NCONF_free(config); @@ -362,7 +360,7 @@ end: BIO_free(bio_err); bio_err=NULL; } - EXIT(ret); + OPENSSL_EXIT(ret); } #define LIST_STANDARD_COMMANDS "list-standard-commands" diff --git a/src/lib/libssl/src/apps/passwd.c b/src/lib/libssl/src/apps/passwd.c index ad8e7b0349..3ad91d89d6 100644 --- a/src/lib/libssl/src/apps/passwd.c +++ b/src/lib/libssl/src/apps/passwd.c @@ -19,7 +19,6 @@ # include #endif #ifndef NO_MD5CRYPT_1 -# include # include #endif @@ -293,7 +292,7 @@ err: if (out) BIO_free_all(out); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } @@ -506,6 +505,6 @@ err: int MAIN(int argc, char **argv) { fputs("Program not available.\n", stderr) - EXIT(1); + OPENSSL_EXIT(1); } #endif diff --git a/src/lib/libssl/src/apps/pkcs12.c b/src/lib/libssl/src/apps/pkcs12.c index 1697f6157f..5136acdc57 100644 --- a/src/lib/libssl/src/apps/pkcs12.c +++ b/src/lib/libssl/src/apps/pkcs12.c @@ -120,7 +120,9 @@ int MAIN(int argc, char **argv) char *passin = NULL, *passout = NULL; char *inrand = NULL; char *CApath = NULL, *CAfile = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -252,11 +254,13 @@ int MAIN(int argc, char **argv) args++; CAfile = *args; } else badarg = 1; +#ifndef OPENSSL_NO_ENGINE } else if (!strcmp(*args,"-engine")) { if (args[1]) { args++; engine = *args; } else badarg = 1; +#endif } else badarg = 1; } else badarg = 1; @@ -304,14 +308,18 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-password p set import/export password source\n"); BIO_printf (bio_err, "-passin p input file pass phrase source\n"); BIO_printf (bio_err, "-passout p output file pass phrase source\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); BIO_printf(bio_err, " the random number generator\n"); goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(passarg) { if(export_cert) passargout = passarg; @@ -399,7 +407,7 @@ int MAIN(int argc, char **argv) #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read MAC password"); #endif - if(EVP_read_pw_string (macpass, 50, "Enter MAC Password:", export_cert)) + if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) { BIO_printf (bio_err, "Can't read Password\n"); goto end; @@ -545,7 +553,7 @@ int MAIN(int argc, char **argv) #endif if(!noprompt && - EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) { + EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) { BIO_printf (bio_err, "Can't read Password\n"); goto export_end; } @@ -642,7 +650,7 @@ int MAIN(int argc, char **argv) #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read import password"); #endif - if(!noprompt && EVP_read_pw_string(pass, 50, "Enter Import Password:", 0)) { + if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) { BIO_printf (bio_err, "Can't read Password\n"); goto end; } @@ -696,7 +704,7 @@ int MAIN(int argc, char **argv) if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass, diff --git a/src/lib/libssl/src/apps/pkcs7.c b/src/lib/libssl/src/apps/pkcs7.c index 0cced40f0f..6c58c67eb2 100644 --- a/src/lib/libssl/src/apps/pkcs7.c +++ b/src/lib/libssl/src/apps/pkcs7.c @@ -82,7 +82,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif PKCS7 *p7=NULL; int i,badops=0; BIO *in=NULL,*out=NULL; @@ -90,7 +92,9 @@ int MAIN(int argc, char **argv) char *infile,*outfile,*prog; int print_certs=0,text=0,noout=0; int ret=1; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -134,11 +138,13 @@ int MAIN(int argc, char **argv) text=1; else if (strcmp(*argv,"-print_certs") == 0) print_certs=1; +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -161,14 +167,18 @@ bad: BIO_printf(bio_err," -print_certs print any certs or crl in the input\n"); BIO_printf(bio_err," -text print full details of certificates\n"); BIO_printf(bio_err," -noout don't output encoded data\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif ret = 1; goto end; } ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); @@ -301,5 +311,5 @@ end: if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/src/lib/libssl/src/apps/pkcs8.c b/src/lib/libssl/src/apps/pkcs8.c index 912e32006b..6be27e7f44 100644 --- a/src/lib/libssl/src/apps/pkcs8.c +++ b/src/lib/libssl/src/apps/pkcs8.c @@ -63,7 +63,6 @@ #include #include -#include "apps.h" #define PROG pkcs8_main int MAIN(int, char **); @@ -86,7 +85,9 @@ int MAIN(int argc, char **argv) EVP_PKEY *pkey=NULL; char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; int badarg = 0; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); @@ -146,11 +147,13 @@ int MAIN(int argc, char **argv) if (!args[1]) goto bad; passargout= *(++args); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*args,"-engine") == 0) { if (!args[1]) goto bad; engine= *(++args); } +#endif else if (!strcmp (*args, "-in")) { if (args[1]) { args++; @@ -183,11 +186,15 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n"); BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n"); BIO_printf(bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif return (1); } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); @@ -245,7 +252,8 @@ int MAIN(int argc, char **argv) if(passout) p8pass = passout; else { p8pass = pass; - EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1); + if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1)) + return (1); } app_RAND_load_file(NULL, bio_err, 0); if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, @@ -302,7 +310,7 @@ int MAIN(int argc, char **argv) if(passin) p8pass = passin; else { p8pass = pass; - EVP_read_pw_string(pass, 50, "Enter Password:", 0); + EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0); } p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass)); X509_SIG_free(p8); diff --git a/src/lib/libssl/src/apps/progs.h b/src/lib/libssl/src/apps/progs.h index 752385d3a7..70e4dbac07 100644 --- a/src/lib/libssl/src/apps/progs.h +++ b/src/lib/libssl/src/apps/progs.h @@ -35,7 +35,9 @@ extern int pkcs8_main(int argc,char *argv[]); extern int spkac_main(int argc,char *argv[]); extern int smime_main(int argc,char *argv[]); extern int rand_main(int argc,char *argv[]); +#ifndef OPENSSL_NO_ENGINE extern int engine_main(int argc,char *argv[]); +#endif extern int ocsp_main(int argc,char *argv[]); #define FUNC_TYPE_GENERAL 1 @@ -92,7 +94,9 @@ FUNCTION functions[] = { #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3)) {FUNC_TYPE_GENERAL,"s_client",s_client_main}, #endif +#ifndef OPENSSL_NO_SPEED {FUNC_TYPE_GENERAL,"speed",speed_main}, +#endif #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3)) {FUNC_TYPE_GENERAL,"s_time",s_time_main}, #endif @@ -111,7 +115,9 @@ FUNCTION functions[] = { {FUNC_TYPE_GENERAL,"spkac",spkac_main}, {FUNC_TYPE_GENERAL,"smime",smime_main}, {FUNC_TYPE_GENERAL,"rand",rand_main}, +#ifndef OPENSSL_NO_ENGINE {FUNC_TYPE_GENERAL,"engine",engine_main}, +#endif {FUNC_TYPE_GENERAL,"ocsp",ocsp_main}, #ifndef OPENSSL_NO_MD2 {FUNC_TYPE_MD,"md2",dgst_main}, diff --git a/src/lib/libssl/src/apps/rand.c b/src/lib/libssl/src/apps/rand.c index f51f5bec35..63724bc730 100644 --- a/src/lib/libssl/src/apps/rand.c +++ b/src/lib/libssl/src/apps/rand.c @@ -76,7 +76,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif int i, r, ret = 1; int badopt; char *outfile = NULL; @@ -84,7 +86,9 @@ int MAIN(int argc, char **argv) int base64 = 0; BIO *out = NULL; int num = -1; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -106,6 +110,7 @@ int MAIN(int argc, char **argv) else badopt = 1; } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(argv[i], "-engine") == 0) { if ((argv[i+1] != NULL) && (engine == NULL)) @@ -113,6 +118,7 @@ int MAIN(int argc, char **argv) else badopt = 1; } +#endif else if (strcmp(argv[i], "-rand") == 0) { if ((argv[i+1] != NULL) && (inrand == NULL)) @@ -150,13 +156,17 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "Usage: rand [options] num\n"); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, "-out file - write to file\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, "-engine e - use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, "-base64 - encode output\n"); goto err; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif app_RAND_load_file(NULL, bio_err, (inrand != NULL)); if (inrand != NULL) @@ -213,5 +223,5 @@ err: if (out) BIO_free_all(out); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/src/lib/libssl/src/apps/req.c b/src/lib/libssl/src/apps/req.c index a3c1e0b4c4..5f6ec3d339 100644 --- a/src/lib/libssl/src/apps/req.c +++ b/src/lib/libssl/src/apps/req.c @@ -73,6 +73,7 @@ #include #include #include +#include "../crypto/cryptlib.h" #define SECTION "req" @@ -134,7 +135,6 @@ static int req_check_len(int len,int n_min,int n_max); static int check_end(char *str, char *end); #ifndef MONOLITH static char *default_config_file=NULL; -static CONF *config=NULL; #endif static CONF *req_conf=NULL; static int batch=0; @@ -162,7 +162,9 @@ int MAIN(int argc, char **argv) int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0; char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif char *extensions = NULL; char *req_exts = NULL; const EVP_CIPHER *cipher=NULL; @@ -176,7 +178,7 @@ int MAIN(int argc, char **argv) const EVP_MD *md_alg=NULL,*digest=EVP_md5(); unsigned long chtype = MBSTRING_ASC; #ifndef MONOLITH - MS_STATIC char config_name[256]; + char *to_free; long errline; #endif @@ -210,11 +212,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outformat=str2fmt(*(++argv)); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; @@ -428,7 +432,9 @@ bad: BIO_printf(bio_err," -verify verify signature on REQ\n"); BIO_printf(bio_err," -modulus RSA modulus\n"); BIO_printf(bio_err," -nodes don't encrypt the output key\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device\n"); +#endif BIO_printf(bio_err," -subject output the request's subject\n"); BIO_printf(bio_err," -passin private key password source\n"); BIO_printf(bio_err," -key file use the private key contained in file\n"); @@ -453,7 +459,7 @@ bad: BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n"); BIO_printf(bio_err," -reqexts .. specify request extension section (override value in config file)\n"); BIO_printf(bio_err," -utf8 input characters are UTF8 (default ASCII)\n"); - BIO_printf(bio_err," -nameopt arg - various certificate name options\n"); + BIO_printf(bio_err," -nameopt arg - various certificate name options\n"); BIO_printf(bio_err," -reqopt arg - various request text options\n\n"); goto end; } @@ -470,14 +476,7 @@ bad: if (p == NULL) p=getenv("SSLEAY_CONF"); if (p == NULL) - { - strcpy(config_name,X509_get_default_cert_area()); -#ifndef OPENSSL_SYS_VMS - strcat(config_name,"/"); -#endif - strcat(config_name,OPENSSL_CONF); - p=config_name; - } + p=to_free=make_config_name(); default_config_file=p; config=NCONF_new(NULL); i=NCONF_load(config, p, &errline); @@ -485,7 +484,7 @@ bad: if (template != NULL) { - long errline; + long errline = -1; if( verbose ) BIO_printf(bio_err,"Using configuration from %s\n",template); @@ -624,7 +623,9 @@ bad: if ((in == NULL) || (out == NULL)) goto end; +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (keyfile != NULL) { @@ -1059,6 +1060,10 @@ loop: } ex=0; end: +#ifndef MONOLITH + if(to_free) + OPENSSL_free(to_free); +#endif if (ex) { ERR_print_errors(bio_err); @@ -1077,7 +1082,7 @@ end: if (dsa_params != NULL) DSA_free(dsa_params); #endif apps_shutdown(); - EXIT(ex); + OPENSSL_EXIT(ex); } static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs, @@ -1218,13 +1223,19 @@ start: for (;;) } /* If OBJ not recognised ignore it */ if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start; + + if(strlen(v->name) > sizeof buf-9) + { + BIO_printf(bio_err,"Name '%s' too long\n",v->name); + return 0; + } + sprintf(buf,"%s_default",v->name); if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) { ERR_clear_error(); def=""; } - sprintf(buf,"%s_value",v->name); if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) { @@ -1234,11 +1245,17 @@ start: for (;;) sprintf(buf,"%s_min",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min)) + { + ERR_clear_error(); n_min = -1; + } sprintf(buf,"%s_max",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max)) + { + ERR_clear_error(); n_max = -1; + } if (!add_DN_object(subj,v->value,def,value,nid, n_min,n_max, chtype)) @@ -1271,6 +1288,12 @@ start2: for (;;) if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start2; + if(strlen(v->name) > sizeof buf-9) + { + BIO_printf(bio_err,"Name '%s' too long\n",v->name); + return 0; + } + sprintf(buf,"%s_default",type); if ((def=NCONF_get_string(req_conf,attr_sect,buf)) == NULL) @@ -1374,6 +1397,7 @@ start: (void)BIO_flush(bio_err); if(value != NULL) { + OPENSSL_assert(strlen(value) < sizeof buf-2); strcpy(buf,value); strcat(buf,"\n"); BIO_printf(bio_err,"%s\n",value); @@ -1383,7 +1407,7 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,1024,stdin); + fgets(buf,sizeof buf,stdin); } else { @@ -1432,6 +1456,7 @@ start: (void)BIO_flush(bio_err); if (value != NULL) { + OPENSSL_assert(strlen(value) < sizeof buf-2); strcpy(buf,value); strcat(buf,"\n"); BIO_printf(bio_err,"%s\n",value); @@ -1441,7 +1466,7 @@ start: buf[0]='\0'; if (!batch) { - fgets(buf,1024,stdin); + fgets(buf,sizeof buf,stdin); } else { diff --git a/src/lib/libssl/src/apps/rsa.c b/src/lib/libssl/src/apps/rsa.c index 4e19bc16fb..0acdb08b24 100644 --- a/src/lib/libssl/src/apps/rsa.c +++ b/src/lib/libssl/src/apps/rsa.c @@ -104,7 +104,9 @@ int MAIN(int argc, char **argv) char *infile,*outfile,*prog; char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif int modulus=0; apps_startup(); @@ -156,11 +158,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passargout= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-sgckey") == 0) sgckey=1; else if (strcmp(*argv,"-pubin") == 0) @@ -212,13 +216,17 @@ bad: BIO_printf(bio_err," -check verify key consistency\n"); BIO_printf(bio_err," -pubin expect a public key in input file\n"); BIO_printf(bio_err," -pubout output a public key\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif goto end; } ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); @@ -369,7 +377,7 @@ end: if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } #else /* !OPENSSL_NO_RSA */ diff --git a/src/lib/libssl/src/apps/rsautl.c b/src/lib/libssl/src/apps/rsautl.c index 36957e5b84..5a6fd115f4 100644 --- a/src/lib/libssl/src/apps/rsautl.c +++ b/src/lib/libssl/src/apps/rsautl.c @@ -85,7 +85,9 @@ int MAIN(int argc, char **argv) ENGINE *e = NULL; BIO *in = NULL, *out = NULL; char *infile = NULL, *outfile = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine = NULL; +#endif char *keyfile = NULL; char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY; int keyform = FORMAT_PEM; @@ -125,9 +127,11 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) badarg = 1; keyform=str2fmt(*(++argv)); +#ifndef OPENSSL_NO_ENGINE } else if(!strcmp(*argv, "-engine")) { if (--argc < 1) badarg = 1; engine = *(++argv); +#endif } else if(!strcmp(*argv, "-pubin")) { key_type = KEY_PUBKEY; } else if(!strcmp(*argv, "-certin")) { @@ -162,7 +166,9 @@ int MAIN(int argc, char **argv) goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif /* FIXME: seed PRNG only if needed */ app_RAND_load_file(NULL, bio_err, 0); @@ -305,7 +311,9 @@ static void usage() BIO_printf(bio_err, "-encrypt encrypt with public key\n"); BIO_printf(bio_err, "-decrypt decrypt with private key\n"); BIO_printf(bio_err, "-hexdump hex dump output\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif } diff --git a/src/lib/libssl/src/apps/s_cb.c b/src/lib/libssl/src/apps/s_cb.c index ca5b24548c..675527df1f 100644 --- a/src/lib/libssl/src/apps/s_cb.c +++ b/src/lib/libssl/src/apps/s_cb.c @@ -134,7 +134,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) err= X509_STORE_CTX_get_error(ctx); depth= X509_STORE_CTX_get_error_depth(ctx); - X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256); + X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf); BIO_printf(bio_err,"depth=%d %s\n",depth,buf); if (!ok) { @@ -154,7 +154,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) switch (ctx->error) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256); + X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf); BIO_printf(bio_err,"issuer= %s\n",buf); break; case X509_V_ERR_CERT_NOT_YET_VALID: diff --git a/src/lib/libssl/src/apps/s_client.c b/src/lib/libssl/src/apps/s_client.c index 658a79d390..2e73f34676 100644 --- a/src/lib/libssl/src/apps/s_client.c +++ b/src/lib/libssl/src/apps/s_client.c @@ -140,6 +140,14 @@ typedef unsigned int u_int; #include #endif +#ifdef OPENSSL_SYS_WINCE +/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ +#ifdef fileno +#undef fileno +#endif +#define fileno(a) (int)_fileno(a) +#endif + #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ @@ -214,7 +222,9 @@ static void sc_usage(void) BIO_printf(bio_err," for those protocols that support it, where\n"); BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); BIO_printf(bio_err," only \"smtp\" is supported.\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); } @@ -246,8 +256,10 @@ int MAIN(int argc, char **argv) SSL_METHOD *meth=NULL; BIO *sbio; char *inrand=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; ENGINE *e=NULL; +#endif #ifdef OPENSSL_SYS_WINDOWS struct timeval tv; #endif @@ -407,11 +419,13 @@ int MAIN(int argc, char **argv) else goto bad; } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine_id = *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -436,7 +450,9 @@ bad: OpenSSL_add_ssl_algorithms(); SSL_load_error_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine_id, 1); +#endif if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL && !RAND_status()) @@ -662,7 +678,11 @@ re_start: tv.tv_usec = 0; i=select(width,(void *)&readfds,(void *)&writefds, NULL,&tv); +#ifdef OPENSSL_SYS_WINCE + if(!i && (!_kbhit() || !read_tty) ) continue; +#else if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; +#endif } else i=select(width,(void *)&readfds,(void *)&writefds, NULL,NULL); } @@ -746,8 +766,8 @@ re_start: goto shut; } } -#ifdef OPENSSL_SYS_WINDOWS - /* Assume Windows can always write */ +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) + /* Assume Windows/DOS can always write */ else if (!ssl_pending && write_tty) #else else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds)) @@ -828,7 +848,11 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 } #ifdef OPENSSL_SYS_WINDOWS +#ifdef OPENSSL_SYS_WINCE + else if (_kbhit()) +#else else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) +#endif #else else if (FD_ISSET(fileno(stdin),&readfds)) #endif @@ -892,16 +916,16 @@ end: if (con != NULL) SSL_free(con); if (con2 != NULL) SSL_free(con2); if (ctx != NULL) SSL_CTX_free(ctx); - if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); } - if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); } - if (mbuf != NULL) { memset(mbuf,0,BUFSIZZ); OPENSSL_free(mbuf); } + if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } + if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } + if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } if (bio_c_out != NULL) { BIO_free(bio_c_out); bio_c_out=NULL; } apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } @@ -930,10 +954,10 @@ static void print_stuff(BIO *bio, SSL *s, int full) for (i=0; i #endif +#ifdef OPENSSL_SYS_WINCE +/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ +#ifdef fileno +#undef fileno +#endif +#define fileno(a) (int)_fileno(a) +#endif + #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ #undef FIONBIO @@ -234,7 +242,9 @@ static int s_msg=0; static int s_quiet=0; static int hack=0; +#ifndef OPENSSL_NO_ENGINE static char *engine_id=NULL; +#endif static const char *session_id_prefix=NULL; #ifdef MONOLITH @@ -259,7 +269,9 @@ static void s_server_init(void) s_msg=0; s_quiet=0; hack=0; +#ifndef OPENSSL_NO_ENGINE engine_id=NULL; +#endif } #endif @@ -308,7 +320,9 @@ static void sv_usage(void) BIO_printf(bio_err," -WWW - Respond to a 'GET / HTTP/1.0' with file ./\n"); BIO_printf(bio_err," -HTTP - Respond to a 'GET / HTTP/1.0' with file ./\n"); BIO_printf(bio_err," with the assumption it contains a complete HTTP response.\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); +#endif BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); } @@ -482,7 +496,9 @@ int MAIN(int argc, char *argv[]) int no_tmp_rsa=0,no_dhe=0,nocert=0; int state=0; SSL_METHOD *meth=NULL; +#ifndef OPENSSL_NO_ENGINE ENGINE *e=NULL; +#endif char *inrand=NULL; #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) @@ -657,11 +673,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; session_id_prefix = *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine_id= *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -686,7 +704,9 @@ bad: SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine_id, 1); +#endif if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL && !RAND_status()) @@ -860,7 +880,7 @@ end: bio_s_out=NULL; } apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) @@ -1176,7 +1196,7 @@ err: BIO_printf(bio_s_out,"CONNECTION CLOSED\n"); if (buf != NULL) { - memset(buf,0,bufsize); + OPENSSL_cleanse(buf,bufsize); OPENSSL_free(buf); } if (ret >= 0) @@ -1228,14 +1248,14 @@ static int init_ssl_connection(SSL *con) { BIO_printf(bio_s_out,"Client certificate\n"); PEM_write_bio_X509(bio_s_out,peer); - X509_NAME_oneline(X509_get_subject_name(peer),buf,BUFSIZ); + X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf); BIO_printf(bio_s_out,"subject=%s\n",buf); - X509_NAME_oneline(X509_get_issuer_name(peer),buf,BUFSIZ); + X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf); BIO_printf(bio_s_out,"issuer=%s\n",buf); X509_free(peer); } - if (SSL_get_shared_ciphers(con,buf,BUFSIZ) != NULL) + if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); @@ -1395,7 +1415,7 @@ static int www_body(char *hostname, int s, unsigned char *context) else { BIO_printf(bio_s_out,"read R BLOCK\n"); -#ifndef OPENSSL_SYS_MSDOS +#if !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__) sleep(1); #endif continue; diff --git a/src/lib/libssl/src/apps/s_socket.c b/src/lib/libssl/src/apps/s_socket.c index bd499d020c..a88de6c8c8 100644 --- a/src/lib/libssl/src/apps/s_socket.c +++ b/src/lib/libssl/src/apps/s_socket.c @@ -83,9 +83,9 @@ typedef unsigned int u_int; static struct hostent *GetHostByName(char *name); #ifdef OPENSSL_SYS_WINDOWS -static void sock_cleanup(void); +static void ssl_sock_cleanup(void); #endif -static int sock_init(void); +static int ssl_sock_init(void); static int init_client_ip(int *sock,unsigned char ip[4], int port); static int init_server(int *sock, int port); static int init_server_long(int *sock, int port,char *ip); @@ -118,7 +118,7 @@ static LONG FAR PASCAL topHookProc(HWND hwnd, UINT message, WPARAM wParam, case WM_DESTROY: case WM_CLOSE: SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopWndProc); - sock_cleanup(); + ssl_sock_cleanup(); break; } } @@ -135,26 +135,34 @@ static BOOL CALLBACK enumproc(HWND hwnd,LPARAM lParam) #endif /* OPENSSL_SYS_WINDOWS */ #ifdef OPENSSL_SYS_WINDOWS -static void sock_cleanup(void) +static void ssl_sock_cleanup(void) { if (wsa_init_done) { wsa_init_done=0; +#ifndef OPENSSL_SYS_WINCE WSACancelBlockingCall(); +#endif WSACleanup(); } } #endif -static int sock_init(void) +static int ssl_sock_init(void) { -#ifdef OPENSSL_SYS_WINDOWS +#ifdef WATT32 + extern int _watt_do_exit; + _watt_do_exit = 0; + dbug_init(); + if (sock_init()) + return (0); +#elif defined(OPENSSL_SYS_WINDOWS) if (!wsa_init_done) { int err; #ifdef SIGINT - signal(SIGINT,(void (*)(int))sock_cleanup); + signal(SIGINT,(void (*)(int))ssl_sock_cleanup); #endif wsa_init_done=1; memset(&wsa_state,0,sizeof(wsa_state)); @@ -196,7 +204,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port) struct sockaddr_in them; int s,i; - if (!sock_init()) return(0); + if (!ssl_sock_init()) return(0); memset((char *)&them,0,sizeof(them)); them.sin_family=AF_INET; @@ -261,7 +269,7 @@ static int init_server_long(int *sock, int port, char *ip) struct sockaddr_in server; int s= -1,i; - if (!sock_init()) return(0); + if (!ssl_sock_init()) return(0); memset((char *)&server,0,sizeof(server)); server.sin_family=AF_INET; @@ -318,7 +326,7 @@ static int do_accept(int acc_sock, int *sock, char **host) int len; /* struct linger ling; */ - if (!sock_init()) return(0); + if (!ssl_sock_init()) return(0); #ifndef OPENSSL_SYS_WINDOWS redoit: @@ -448,7 +456,7 @@ static int host_ip(char *str, unsigned char ip[4]) { /* do a gethostbyname */ struct hostent *he; - if (!sock_init()) return(0); + if (!ssl_sock_init()) return(0); he=GetHostByName(str); if (he == NULL) @@ -529,9 +537,12 @@ static struct hostent *GetHostByName(char *name) ret=gethostbyname(name); if (ret == NULL) return(NULL); /* else add to cache */ - strncpy(ghbn_cache[lowi].name,name,128); - memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent)); - ghbn_cache[lowi].order=ghbn_miss+ghbn_hits; + if(strlen(name) < sizeof ghbn_cache[0].name) + { + strcpy(ghbn_cache[lowi].name,name); + memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent)); + ghbn_cache[lowi].order=ghbn_miss+ghbn_hits; + } return(ret); } else diff --git a/src/lib/libssl/src/apps/s_time.c b/src/lib/libssl/src/apps/s_time.c index 752158460a..1ad16cd607 100644 --- a/src/lib/libssl/src/apps/s_time.c +++ b/src/lib/libssl/src/apps/s_time.c @@ -146,6 +146,8 @@ #undef BUFSIZZ #define BUFSIZZ 1024*10 +#define MYBUFSIZ 1024*8 + #undef min #undef max #define min(a,b) (((a) < (b)) ? (a) : (b)) @@ -320,6 +322,11 @@ static int parseArgs(int argc, char **argv) { if (--argc < 1) goto bad; s_www_path= *(++argv); + if(strlen(s_www_path) > MYBUFSIZ-100) + { + BIO_printf(bio_err,"-www option too long\n"); + badop=1; + } } else if(strcmp(*argv,"-bugs") == 0) st_bugs=1; @@ -480,7 +487,7 @@ int MAIN(int argc, char **argv) tm_Time_F(START); for (;;) { - if (finishtime < time(NULL)) break; + if (finishtime < (long)time(NULL)) break; #ifdef WIN32_STUFF if( flushWinMsgs(0) == -1 ) @@ -531,9 +538,9 @@ int MAIN(int argc, char **argv) } totalTime += tm_Time_F(STOP); /* Add the time for this iteration */ - i=(int)(time(NULL)-finishtime+maxTime); + i=(int)((long)time(NULL)-finishtime+maxTime); printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read); - printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn); + printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn); /* Now loop and time connections using the same session id over and over */ @@ -565,7 +572,7 @@ next: nConn = 0; totalTime = 0.0; - finishtime=time(NULL)+maxTime; + finishtime=(long)time(NULL)+maxTime; printf( "starting\n" ); bytes_read=0; @@ -573,7 +580,7 @@ next: for (;;) { - if (finishtime < time(NULL)) break; + if (finishtime < (long)time(NULL)) break; #ifdef WIN32_STUFF if( flushWinMsgs(0) == -1 ) @@ -623,7 +630,7 @@ next: printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read); - printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn); + printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn); ret=0; end: @@ -635,7 +642,7 @@ end: tm_ctx=NULL; } apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } /*********************************************************************** diff --git a/src/lib/libssl/src/apps/sess_id.c b/src/lib/libssl/src/apps/sess_id.c index 41c3b3f4a3..d91d84d220 100644 --- a/src/lib/libssl/src/apps/sess_id.c +++ b/src/lib/libssl/src/apps/sess_id.c @@ -273,7 +273,7 @@ end: if (out != NULL) BIO_free_all(out); if (x != NULL) SSL_SESSION_free(x); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } static SSL_SESSION *load_sess_id(char *infile, int format) diff --git a/src/lib/libssl/src/apps/smime.c b/src/lib/libssl/src/apps/smime.c index ef0e477464..cc248d377b 100644 --- a/src/lib/libssl/src/apps/smime.c +++ b/src/lib/libssl/src/apps/smime.c @@ -104,7 +104,9 @@ int MAIN(int argc, char **argv) int need_rand = 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; int keyform = FORMAT_PEM; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif args = argv + 1; ret = 1; @@ -176,11 +178,13 @@ int MAIN(int argc, char **argv) inrand = *args; } else badarg = 1; need_rand = 1; +#ifndef OPENSSL_NO_ENGINE } else if (!strcmp(*args,"-engine")) { if (args[1]) { args++; engine = *args; } else badarg = 1; +#endif } else if (!strcmp(*args,"-passin")) { if (args[1]) { args++; @@ -330,7 +334,9 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf (bio_err, "-passin arg input file pass phrase source\n"); BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); @@ -339,7 +345,9 @@ int MAIN(int argc, char **argv) goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); diff --git a/src/lib/libssl/src/apps/speed.c b/src/lib/libssl/src/apps/speed.c index fea0ffe2cf..ec55b4188c 100644 --- a/src/lib/libssl/src/apps/speed.c +++ b/src/lib/libssl/src/apps/speed.c @@ -58,6 +58,8 @@ /* most of this code has been pilfered from my libdes speed.c program */ +#ifndef OPENSSL_NO_SPEED + #undef SECONDS #define SECONDS 3 #define RSA_SECONDS 10 @@ -187,7 +189,8 @@ /* The following if from times(3) man page. It may need to be changed */ #ifndef HZ -# ifdef _SC_CLK_TCK +# if defined(_SC_CLK_TCK) \ + && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000) # define HZ ((double)sysconf(_SC_CLK_TCK)) # else # ifndef CLK_TCK @@ -369,7 +372,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif unsigned char *buf=NULL,*buf2=NULL; int mret=1; long count=0,save_count=0; @@ -589,6 +594,7 @@ int MAIN(int argc, char **argv) j--; /* Otherwise, -elapsed gets confused with an algorithm. */ } +#ifndef OPENSSL_NO_ENGINE else if ((argc > 0) && (strcmp(*argv,"-engine") == 0)) { argc--; @@ -605,6 +611,7 @@ int MAIN(int argc, char **argv) means all of them should be run) */ j--; } +#endif #ifdef HAVE_FORK else if ((argc > 0) && (strcmp(*argv,"-multi") == 0)) { @@ -861,10 +868,12 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"\n"); BIO_printf(bio_err,"Available options:\n"); -#ifdef TIMES +#if defined(TIMES) || defined(USE_TOD) BIO_printf(bio_err,"-elapsed measure time in real time instead of CPU user time.\n"); #endif +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err,"-evp e use EVP e.\n"); BIO_printf(bio_err,"-decrypt time decryption instead of encryption (only EVP).\n"); BIO_printf(bio_err,"-mr produce machine readable output.\n"); @@ -1392,6 +1401,7 @@ int MAIN(int argc, char **argv) else EVP_EncryptFinal_ex(&ctx,buf,&outl); d=Time_F(STOP); + EVP_CIPHER_CTX_cleanup(&ctx); } if (evp_md) { @@ -1728,7 +1738,7 @@ end: DSA_free(dsa_key[i]); #endif apps_shutdown(); - EXIT(mret); + OPENSSL_EXIT(mret); } static void print_message(const char *s, long num, int length) @@ -1781,7 +1791,7 @@ static char *sstrsep(char **string, const char *delim) if (**string == 0) return NULL; - memset(isdelim, 0, 256); + memset(isdelim, 0, sizeof isdelim); isdelim[0] = 1; while (*delim) @@ -1938,3 +1948,4 @@ static int do_multi(int multi) return 1; } #endif +#endif diff --git a/src/lib/libssl/src/apps/spkac.c b/src/lib/libssl/src/apps/spkac.c index 4ce53e36c9..47ee53f1ee 100644 --- a/src/lib/libssl/src/apps/spkac.c +++ b/src/lib/libssl/src/apps/spkac.c @@ -92,7 +92,9 @@ int MAIN(int argc, char **argv) CONF *conf = NULL; NETSCAPE_SPKI *spki = NULL; EVP_PKEY *pkey = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -141,11 +143,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; spksect= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-pubkey") == 0) @@ -171,7 +175,9 @@ bad: BIO_printf(bio_err," -noout don't print SPKAC\n"); BIO_printf(bio_err," -pubkey output public key\n"); BIO_printf(bio_err," -verify verify SPKAC signature\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif goto end; } @@ -181,7 +187,9 @@ bad: goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(keyfile) { pkey = load_key(bio_err, @@ -295,5 +303,5 @@ end: EVP_PKEY_free(pkey); if(passin) OPENSSL_free(passin); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/src/lib/libssl/src/apps/verify.c b/src/lib/libssl/src/apps/verify.c index 215ef84fc7..6a93c018b8 100644 --- a/src/lib/libssl/src/apps/verify.c +++ b/src/lib/libssl/src/apps/verify.c @@ -86,7 +86,9 @@ int MAIN(int argc, char **argv) STACK_OF(X509) *untrusted = NULL, *trusted = NULL; X509_STORE *cert_ctx=NULL; X509_LOOKUP *lookup=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif cert_ctx=X509_STORE_new(); if (cert_ctx == NULL) goto end; @@ -142,11 +144,13 @@ int MAIN(int argc, char **argv) if (argc-- < 1) goto end; trustfile= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto end; engine= *(++argv); } +#endif else if (strcmp(*argv,"-help") == 0) goto end; else if (strcmp(*argv,"-ignore_critical") == 0) @@ -170,7 +174,9 @@ int MAIN(int argc, char **argv) break; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file()); if (lookup == NULL) abort(); @@ -219,7 +225,11 @@ int MAIN(int argc, char **argv) ret=0; end: if (ret == 1) { - BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...\n"); + BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); +#ifndef OPENSSL_NO_ENGINE + BIO_printf(bio_err," [-engine e]"); +#endif + BIO_printf(bio_err," cert1 cert2 ...\n"); BIO_printf(bio_err,"recognized usages:\n"); for(i = 0; i < X509_PURPOSE_get_count(); i++) { X509_PURPOSE *ptmp; @@ -232,7 +242,7 @@ end: sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e) @@ -330,7 +340,8 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) if (!ok) { X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert),buf,256); + X509_get_subject_name(ctx->current_cert),buf, + sizeof buf); printf("%s\n",buf); printf("error %d at %d depth lookup:%s\n",ctx->error, ctx->error_depth, diff --git a/src/lib/libssl/src/apps/version.c b/src/lib/libssl/src/apps/version.c index 0cbcb47f88..0843b67565 100644 --- a/src/lib/libssl/src/apps/version.c +++ b/src/lib/libssl/src/apps/version.c @@ -200,5 +200,5 @@ int MAIN(int argc, char **argv) if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR)); end: apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/src/lib/libssl/src/apps/winrand.c b/src/lib/libssl/src/apps/winrand.c index d042258b50..59bede3d70 100644 --- a/src/lib/libssl/src/apps/winrand.c +++ b/src/lib/libssl/src/apps/winrand.c @@ -118,7 +118,6 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam) HDC hdc; PAINTSTRUCT ps; RECT rect; - char buffer[200]; static int seeded = 0; switch (iMsg) diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c index 5a41c389ee..66f0074f45 100644 --- a/src/lib/libssl/src/apps/x509.c +++ b/src/lib/libssl/src/apps/x509.c @@ -122,7 +122,7 @@ static char *x509_usage[]={ " -CAkey arg - set the CA key, must be PEM format\n", " missing, it is assumed to be in the CA file.\n", " -CAcreateserial - create serial number file if it does not exist\n", -" -CAserial - serial file\n", +" -CAserial arg - serial file\n", " -set_serial - serial number to use\n", " -text - print the certificate in text form\n", " -C - print out C code forms\n", @@ -131,7 +131,9 @@ static char *x509_usage[]={ " -extensions - section from config file with X509V3 extensions to add\n", " -clrext - delete extensions before signing and input certificate\n", " -nameopt arg - various certificate name options\n", +#ifndef OPENSSL_NO_ENGINE " -engine e - use engine e, possibly a hardware device.\n", +#endif " -certopt arg - various certificate text options\n", NULL }; @@ -183,7 +185,9 @@ int MAIN(int argc, char **argv) int need_rand = 0; int checkend=0,checkoffset=0; unsigned long nmflag = 0, certflag = 0; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif reqfile=0; @@ -354,17 +358,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; if (!set_name_ex(&nmflag, *(++argv))) goto bad; } - else if (strcmp(*argv,"-setalias") == 0) - { - if (--argc < 1) goto bad; - alias= *(++argv); - trustout = 1; - } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-C") == 0) C= ++num; else if (strcmp(*argv,"-email") == 0) @@ -450,7 +450,9 @@ bad: goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (need_rand) app_RAND_load_file(NULL, bio_err, 0); @@ -479,7 +481,7 @@ bad: if (extfile) { - long errorline; + long errorline = -1; X509V3_CTX ctx2; extconf = NCONF_new(NULL); if (!NCONF_load(extconf, extfile,&errorline)) @@ -770,10 +772,11 @@ bad: int y,z; X509_NAME_oneline(X509_get_subject_name(x), - buf,256); + buf,sizeof buf); BIO_printf(STDout,"/* subject:%s */\n",buf); m=X509_NAME_oneline( - X509_get_issuer_name(x),buf,256); + X509_get_issuer_name(x),buf, + sizeof buf); BIO_printf(STDout,"/* issuer :%s */\n",buf); z=i2d_X509(x,NULL); @@ -1016,7 +1019,7 @@ end: sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); if (passin) OPENSSL_free(passin); apps_shutdown(); - EXIT(ret); + OPENSSL_EXIT(ret); } static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create) @@ -1074,7 +1077,7 @@ static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create) } else { - if (!a2i_ASN1_INTEGER(io,bs,buf2,1024)) + if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2)) { BIO_printf(bio_err,"unable to load serial number from %s\n",buf); ERR_print_errors(bio_err); diff --git a/src/lib/libssl/src/config b/src/lib/libssl/src/config index 3e9af7680a..b3bd96bbfc 100644 --- a/src/lib/libssl/src/config +++ b/src/lib/libssl/src/config @@ -74,34 +74,27 @@ if [ "x$XREL" != "x" ]; then echo "whatever-whatever-sco5"; exit 0 ;; 4.2MP) - if [ "x$VERSION" = "x2.01" ]; then - echo "${MACHINE}-whatever-unixware201"; exit 0 - elif [ "x$VERSION" = "x2.02" ]; then - echo "${MACHINE}-whatever-unixware202"; exit 0 - elif [ "x$VERSION" = "x2.03" ]; then - echo "${MACHINE}-whatever-unixware203"; exit 0 - elif [ "x$VERSION" = "x2.1.1" ]; then - echo "${MACHINE}-whatever-unixware211"; exit 0 - elif [ "x$VERSION" = "x2.1.2" ]; then - echo "${MACHINE}-whatever-unixware212"; exit 0 - elif [ "x$VERSION" = "x2.1.3" ]; then - echo "${MACHINE}-whatever-unixware213"; exit 0 - else - echo "${MACHINE}-whatever-unixware2"; exit 0 - fi + case "x${VERSION}" in + x2.0*) echo "whatever-whatever-unixware20"; exit 0 ;; + x2.1*) echo "whatever-whatever-unixware21"; exit 0 ;; + x2*) echo "whatever-whatever-unixware2"; exit 0 ;; + esac ;; 4.2) - echo "whatever-whatever-unixware1"; exit 0 - ;; - OpenUNIX) - if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x8" ]; then - echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0 - fi + echo "i386-whatever-unixware1"; exit 0 ;; 5) - if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x7" ]; then - echo "${MACHINE}-sco-unixware7"; exit 0 - fi + case "x${VERSION}" in + # We hardcode i586 in place of ${MACHINE} for the + # following reason. The catch is that even though Pentium + # is minimum requirement for platforms in question, + # ${MACHINE} gets always assigned to i386. Now, problem + # with i386 is that it makes ./config pass 386 to + # ./Configure, which in turn makes make generate + # inefficient SHA-1 (for this moment) code. + x7*) echo "i586-sco-unixware7"; exit 0 ;; + x8*) echo "i586-unkn-OpenUNIX${VERSION}"; exit 0 ;; + esac ;; esac fi @@ -196,7 +189,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in echo "${MACHINE}-whatever-bsdi"; exit 0 ;; - FreeBSD:*) + FreeBSD:*:*:*386*) VERS=`echo ${RELEASE} | sed -e 's/[-(].*//'` MACH=`sysctl -n hw.model` ARCH='whatever' @@ -205,7 +198,6 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in *486* ) MACH="i486" ;; Pentium\ II*) MACH="i686" ;; Pentium* ) MACH="i586" ;; - Alpha* ) MACH="alpha" ;; * ) MACH="$MACHINE" ;; esac case ${MACH} in @@ -214,6 +206,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in echo "${MACH}-${ARCH}-freebsd${VERS}"; exit 0 ;; + FreeBSD:*) + echo "${MACHINE}-whatever-freebsd"; exit 0 + ;; + NetBSD:*:*:*386*) echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 ;; @@ -351,6 +347,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in *CRAY*) echo "j90-cray-unicos"; exit 0; ;; + + NONSTOP_KERNEL*) + echo "nsr-tandem-nsk"; exit 0; + ;; esac # @@ -457,6 +457,10 @@ if [ "${SYSTEM}-${MACHINE}" = "Linux-alpha" ]; then fi fi +if [ "${SYSTEM}" = "AIX" ]; then # favor vendor cc over gcc + (cc) 2>&1 | grep -iv "not found" > /dev/null && CC=cc +fi + CCVER=${CCVER:-0} # read the output of the embedded GuessOS @@ -469,7 +473,7 @@ echo Operating system: $GUESSOS # more time that I want to waste at the moment case "$GUESSOS" in mips2-sgi-irix) - CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 4000 ]; then options="$options -mips2" @@ -477,7 +481,7 @@ case "$GUESSOS" in OUT="irix-$CC" ;; mips3-sgi-irix) - CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then options="$options -mips4" @@ -493,7 +497,7 @@ case "$GUESSOS" in echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi - CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then options="$options -mips4" @@ -543,12 +547,13 @@ EOF ppc-apple-darwin*) OUT="darwin-ppc-cc" ;; i386-apple-darwin*) OUT="darwin-i386-cc" ;; sparc64-*-linux2) - #Before we can uncomment following lines we have to wait at least - #till 64-bit glibc for SPARC is operational:-( - #echo "WARNING! If you wish to build 64-bit library, then you have to" - #echo " invoke './Configure linux64-sparcv9' *manually*." - #echo " Type return if you want to continue, Ctrl-C to abort." - #read waste < /dev/tty + echo "WARNING! If you *know* that your GNU C supports 64-bit/V9 ABI" + echo " and wish to build 64-bit library, then you have to" + echo " invoke './Configure linux64-sparcv9' *manually*." + if [ "$TEST" = "false" ]; then + echo " You have about 5 seconds to press Ctrl-C to abort." + (stty -icanon min 0 time 50; read waste) < /dev/tty + fi OUT="linux-sparcv9" ;; sparc-*-linux2) KARCH=`awk '/^type/{print$3}' /proc/cpuinfo` @@ -581,6 +586,7 @@ EOF arm*-*-linux2) OUT="linux-elf-arm" ;; s390-*-linux2) OUT="linux-s390" ;; s390x-*-linux?) OUT="linux-s390x" ;; + x86_64-*-linux?) OUT="linux-x86_64" ;; *-*-linux2) OUT="linux-elf" if [ "$GCCVER" -gt 28 ]; then if grep '^model.*Pentium' /proc/cpuinfo >/dev/null ; then @@ -634,6 +640,8 @@ EOF *86*-*-solaris2) OUT="solaris-x86-$CC" ;; *-*-sunos4) OUT="sunos-$CC" ;; alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;; + sparc64-*-freebsd*) OUT="FreeBSD-sparc64" ;; + ia64-*-freebsd*) OUT="FreeBSD-ia64" ;; *-freebsd[3-9]*) OUT="FreeBSD-elf" ;; *-freebsd[1-2]*) OUT="FreeBSD" ;; *86*-*-netbsd) OUT="NetBSD-x86" ;; @@ -690,9 +698,11 @@ EOF CPU_VERSION=${CPU_VERSION:-0} # See for further info on CPU_VERSION. if [ $CPU_VERSION -ge 768 ]; then # IA-64 CPU - echo "NOTICE! 64-bit is the only ABI currently operational on HP-UXi." - echo " Post request to openssl-dev@openssl.org for 32-bit support." + echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi." + echo " If you wish to build 32-bit library, the you have to" + echo " invoke './Configure hpux-ia32-cc' *manually*." if [ "$TEST" = "false" ]; then + echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi OUT="hpux64-ia64-cc" @@ -725,6 +735,7 @@ EOF *-*-cygwin) OUT="Cygwin" ;; t3e-cray-unicosmk) OUT="cray-t3e" ;; j90-cray-unicos) OUT="cray-j90" ;; + nsr-tandem-nsk) OUT="tandem-c89" ;; *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;; esac @@ -759,7 +770,7 @@ case "$GUESSOS" in i386-*) options="$options 386" ;; esac -for i in bf cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 rijndael ripemd rsa sha +for i in bf cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 aes ripemd rsa sha do if [ ! -d crypto/$i ] then diff --git a/src/lib/libssl/src/crypto/aes/aes.h b/src/lib/libssl/src/crypto/aes/aes.h index e8da921ec5..8294a41a3a 100644 --- a/src/lib/libssl/src/crypto/aes/aes.h +++ b/src/lib/libssl/src/crypto/aes/aes.h @@ -56,8 +56,9 @@ #error AES is disabled. #endif -static const int AES_DECRYPT = 0; -static const int AES_ENCRYPT = 1; +#define AES_ENCRYPT 1 +#define AES_DECRYPT 0 + /* Because array size can't be a const in C, the following two are macros. Both sizes are in bytes. */ #define AES_MAXNR 14 @@ -99,7 +100,9 @@ void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, unsigned char *ivec, int *num); void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, - unsigned char *counter, unsigned int *num); + unsigned char counter[AES_BLOCK_SIZE], + unsigned char ecount_buf[AES_BLOCK_SIZE], + unsigned int *num); #ifdef __cplusplus diff --git a/src/lib/libssl/src/crypto/aes/aes_cbc.c b/src/lib/libssl/src/crypto/aes/aes_cbc.c index 3dfd7aba2a..de438306b1 100644 --- a/src/lib/libssl/src/crypto/aes/aes_cbc.c +++ b/src/lib/libssl/src/crypto/aes/aes_cbc.c @@ -49,7 +49,13 @@ * */ +#ifndef AES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif #include + #include #include "aes_locl.h" @@ -57,33 +63,49 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, unsigned char *ivec, const int enc) { - int n; + unsigned long n; unsigned long len = length; - unsigned char tmp[16]; + unsigned char tmp[AES_BLOCK_SIZE]; assert(in && out && key && ivec); - assert(length % AES_BLOCK_SIZE == 0); assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc)); - if (AES_ENCRYPT == enc) - while (len > 0) { - for(n=0; n < 16; ++n) + if (AES_ENCRYPT == enc) { + while (len >= AES_BLOCK_SIZE) { + for(n=0; n < sizeof tmp; ++n) tmp[n] = in[n] ^ ivec[n]; AES_encrypt(tmp, out, key); - memcpy(ivec, out, 16); - len -= 16; - in += 16; - out += 16; + memcpy(ivec, out, AES_BLOCK_SIZE); + len -= AES_BLOCK_SIZE; + in += AES_BLOCK_SIZE; + out += AES_BLOCK_SIZE; } - else - while (len > 0) { - memcpy(tmp, in, 16); + if (len) { + for(n=0; n < len; ++n) + tmp[n] = in[n] ^ ivec[n]; + for(n=len; n < AES_BLOCK_SIZE; ++n) + tmp[n] = ivec[n]; + AES_encrypt(tmp, tmp, key); + memcpy(out, tmp, len); + memcpy(ivec, tmp, sizeof tmp); + } + } else { + while (len >= AES_BLOCK_SIZE) { + memcpy(tmp, in, sizeof tmp); AES_decrypt(in, out, key); - for(n=0; n < 16; ++n) + for(n=0; n < AES_BLOCK_SIZE; ++n) out[n] ^= ivec[n]; - memcpy(ivec, tmp, 16); - len -= 16; - in += 16; - out += 16; + memcpy(ivec, tmp, AES_BLOCK_SIZE); + len -= AES_BLOCK_SIZE; + in += AES_BLOCK_SIZE; + out += AES_BLOCK_SIZE; } + if (len) { + memcpy(tmp, in, sizeof tmp); + AES_decrypt(tmp, tmp, key); + for(n=0; n < len; ++n) + out[n] ^= ivec[n]; + memcpy(ivec, tmp, sizeof tmp); + } + } } diff --git a/src/lib/libssl/src/crypto/aes/aes_cfb.c b/src/lib/libssl/src/crypto/aes/aes_cfb.c index 41c2a5ec3d..9b569dda90 100644 --- a/src/lib/libssl/src/crypto/aes/aes_cfb.c +++ b/src/lib/libssl/src/crypto/aes/aes_cfb.c @@ -105,7 +105,13 @@ * [including the GNU Public Licence.] */ +#ifndef AES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif #include + #include #include "aes_locl.h" diff --git a/src/lib/libssl/src/crypto/aes/aes_core.c b/src/lib/libssl/src/crypto/aes/aes_core.c index 937988dd8c..2f41a825f8 100644 --- a/src/lib/libssl/src/crypto/aes/aes_core.c +++ b/src/lib/libssl/src/crypto/aes/aes_core.c @@ -28,7 +28,13 @@ /* Note: rewritten a little bit to provide error control and an OpenSSL- compatible API */ +#ifndef AES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif #include + #include #include #include "aes_locl.h" @@ -744,7 +750,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits, rk[2] = GETU32(userKey + 8); rk[3] = GETU32(userKey + 12); if (bits == 128) { - for (;;) { + while (1) { temp = rk[3]; rk[4] = rk[0] ^ (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ @@ -764,7 +770,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits, rk[4] = GETU32(userKey + 16); rk[5] = GETU32(userKey + 20); if (bits == 192) { - for (;;) { + while (1) { temp = rk[ 5]; rk[ 6] = rk[ 0] ^ (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ @@ -786,7 +792,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits, rk[6] = GETU32(userKey + 24); rk[7] = GETU32(userKey + 28); if (bits == 256) { - for (;;) { + while (1) { temp = rk[ 7]; rk[ 8] = rk[ 0] ^ (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ diff --git a/src/lib/libssl/src/crypto/aes/aes_ctr.c b/src/lib/libssl/src/crypto/aes/aes_ctr.c index aea3db2092..59088499a0 100644 --- a/src/lib/libssl/src/crypto/aes/aes_ctr.c +++ b/src/lib/libssl/src/crypto/aes/aes_ctr.c @@ -49,7 +49,13 @@ * */ +#ifndef AES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif #include + #include #include "aes_locl.h" @@ -90,26 +96,31 @@ static void AES_ctr128_inc(unsigned char *counter) { /* The input encrypted as though 128bit counter mode is being * used. The extra state information to record how much of the - * 128bit block we have used is contained in *num; + * 128bit block we have used is contained in *num, and the + * encrypted counter is kept in ecount_buf. Both *num and + * ecount_buf must be initialised with zeros before the first + * call to AES_ctr128_encrypt(). */ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, - unsigned char *counter, unsigned int *num) { + unsigned char counter[AES_BLOCK_SIZE], + unsigned char ecount_buf[AES_BLOCK_SIZE], + unsigned int *num) { unsigned int n; unsigned long l=length; - unsigned char tmp[AES_BLOCK_SIZE]; assert(in && out && key && counter && num); + assert(*num < AES_BLOCK_SIZE); n = *num; while (l--) { if (n == 0) { - AES_encrypt(counter, tmp, key); + AES_encrypt(counter, ecount_buf, key); AES_ctr128_inc(counter); } - *(out++) = *(in++) ^ tmp[n]; + *(out++) = *(in++) ^ ecount_buf[n]; n = (n+1) % AES_BLOCK_SIZE; } diff --git a/src/lib/libssl/src/crypto/aes/aes_ecb.c b/src/lib/libssl/src/crypto/aes/aes_ecb.c index 1cb2e07d3d..28aa561c2d 100644 --- a/src/lib/libssl/src/crypto/aes/aes_ecb.c +++ b/src/lib/libssl/src/crypto/aes/aes_ecb.c @@ -49,7 +49,13 @@ * */ +#ifndef AES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif #include + #include #include "aes_locl.h" diff --git a/src/lib/libssl/src/crypto/aes/aes_locl.h b/src/lib/libssl/src/crypto/aes/aes_locl.h index 18fc2d0747..f290946058 100644 --- a/src/lib/libssl/src/crypto/aes/aes_locl.h +++ b/src/lib/libssl/src/crypto/aes/aes_locl.h @@ -62,7 +62,7 @@ #include #include -#ifdef _MSC_VER +#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE) # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00) # define GETU32(p) SWAP(*((u32 *)(p))) # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); } diff --git a/src/lib/libssl/src/crypto/aes/aes_ofb.c b/src/lib/libssl/src/crypto/aes/aes_ofb.c index e33bdaea28..f358bb39e2 100644 --- a/src/lib/libssl/src/crypto/aes/aes_ofb.c +++ b/src/lib/libssl/src/crypto/aes/aes_ofb.c @@ -105,7 +105,13 @@ * [including the GNU Public Licence.] */ +#ifndef AES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif #include + #include #include "aes_locl.h" diff --git a/src/lib/libssl/src/crypto/asn1/a_bitstr.c b/src/lib/libssl/src/crypto/asn1/a_bitstr.c index e0265f69d2..f4ea96cd54 100644 --- a/src/lib/libssl/src/crypto/asn1/a_bitstr.c +++ b/src/lib/libssl/src/crypto/asn1/a_bitstr.c @@ -191,7 +191,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) if (a->data == NULL) c=(unsigned char *)OPENSSL_malloc(w+1); else - c=(unsigned char *)OPENSSL_realloc(a->data,w+1); + c=(unsigned char *)OPENSSL_realloc_clean(a->data, + a->length, + w+1); if (c == NULL) return(0); if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length); a->data=c; diff --git a/src/lib/libssl/src/crypto/asn1/a_bytes.c b/src/lib/libssl/src/crypto/asn1/a_bytes.c index bb88660f58..afd27b80e1 100644 --- a/src/lib/libssl/src/crypto/asn1/a_bytes.c +++ b/src/lib/libssl/src/crypto/asn1/a_bytes.c @@ -285,7 +285,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c) goto err; } - if (!BUF_MEM_grow(&b,num+os->length)) + if (!BUF_MEM_grow_clean(&b,num+os->length)) { c->error=ERR_R_BUF_LIB; goto err; diff --git a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c index a80fbe9ff7..b67b75e7c2 100644 --- a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c +++ b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c @@ -149,7 +149,12 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) ASN1_CTX c; int want=HEADER_SIZE; int eos=0; +#if defined(__GNUC__) && defined(__ia64) + /* pathetic compiler bug in all known versions as of Nov. 2002 */ + long off=0; +#else int off=0; +#endif int len=0; b=BUF_MEM_new(); @@ -166,7 +171,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) { want-=(len-off); - if (!BUF_MEM_grow(b,len+want)) + if (!BUF_MEM_grow_clean(b,len+want)) { ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE); goto err; @@ -221,18 +226,23 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) if (want > (len-off)) { want-=(len-off); - if (!BUF_MEM_grow(b,len+want)) + if (!BUF_MEM_grow_clean(b,len+want)) { ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE); goto err; } - i=BIO_read(in,&(b->data[len]),want); - if (i <= 0) + while (want > 0) { - ASN1err(ASN1_F_ASN1_D2I_BIO,ASN1_R_NOT_ENOUGH_DATA); - goto err; + i=BIO_read(in,&(b->data[len]),want); + if (i <= 0) + { + ASN1err(ASN1_F_ASN1_D2I_BIO, + ASN1_R_NOT_ENOUGH_DATA); + goto err; + } + len+=i; + want -= i; } - len+=i; } off+=(int)c.slen; if (eos <= 0) diff --git a/src/lib/libssl/src/crypto/asn1/a_object.c b/src/lib/libssl/src/crypto/asn1/a_object.c index 71ce7c3896..0a8e6c287c 100644 --- a/src/lib/libssl/src/crypto/asn1/a_object.c +++ b/src/lib/libssl/src/crypto/asn1/a_object.c @@ -183,8 +183,8 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a) if ((a == NULL) || (a->data == NULL)) return(BIO_write(bp,"NULL",4)); - i=i2t_ASN1_OBJECT(buf,80,a); - if (i > 80) i=80; + i=i2t_ASN1_OBJECT(buf,sizeof buf,a); + if (i > sizeof buf) i=sizeof buf; BIO_write(bp,buf,i); return(i); } diff --git a/src/lib/libssl/src/crypto/asn1/a_sign.c b/src/lib/libssl/src/crypto/asn1/a_sign.c index de53b44144..52ce7e3974 100644 --- a/src/lib/libssl/src/crypto/asn1/a_sign.c +++ b/src/lib/libssl/src/crypto/asn1/a_sign.c @@ -204,9 +204,9 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2, err: EVP_MD_CTX_cleanup(&ctx); if (buf_in != NULL) - { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); } + { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); } if (buf_out != NULL) - { memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); } + { OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); } return(outl); } @@ -287,8 +287,8 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, err: EVP_MD_CTX_cleanup(&ctx); if (buf_in != NULL) - { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); } + { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); } if (buf_out != NULL) - { memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); } + { OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); } return(outl); } diff --git a/src/lib/libssl/src/crypto/asn1/a_strex.c b/src/lib/libssl/src/crypto/asn1/a_strex.c index 7ddb7662f1..1def6c6549 100644 --- a/src/lib/libssl/src/crypto/asn1/a_strex.c +++ b/src/lib/libssl/src/crypto/asn1/a_strex.c @@ -63,6 +63,7 @@ #include #include "charmap.h" +#include "cryptlib.h" /* ASN1_STRING_print_ex() and X509_NAME_print_ex(). * Enhanced string and name printing routines handling @@ -114,14 +115,17 @@ typedef int char_io(void *arg, const void *buf, int len); static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg) { unsigned char chflgs, chtmp; - char tmphex[11]; + char tmphex[HEX_SIZE(long)+3]; + + if(c > 0xffffffffL) + return -1; if(c > 0xffff) { - BIO_snprintf(tmphex, 11, "\\W%08lX", c); + BIO_snprintf(tmphex, sizeof tmphex, "\\W%08lX", c); if(!io_ch(arg, tmphex, 10)) return -1; return 10; } if(c > 0xff) { - BIO_snprintf(tmphex, 11, "\\U%04lX", c); + BIO_snprintf(tmphex, sizeof tmphex, "\\U%04lX", c); if(!io_ch(arg, tmphex, 6)) return -1; return 6; } @@ -195,7 +199,7 @@ static int do_buf(unsigned char *buf, int buflen, if(type & BUF_TYPE_CONVUTF8) { unsigned char utfbuf[6]; int utflen; - utflen = UTF8_putc(utfbuf, 6, c); + utflen = UTF8_putc(utfbuf, sizeof utfbuf, c); for(i = 0; i < utflen; i++) { /* We don't need to worry about setting orflags correctly * because if utflen==1 its value will be correct anyway @@ -461,7 +465,7 @@ static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n, if(fn_opt != XN_FLAG_FN_NONE) { int objlen, fld_len; if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) { - OBJ_obj2txt(objtmp, 80, fn, 1); + OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1); fld_len = 0; /* XXX: what should this be? */ objbuf = objtmp; } else { diff --git a/src/lib/libssl/src/crypto/asn1/a_strnid.c b/src/lib/libssl/src/crypto/asn1/a_strnid.c index 04789d1c63..aa49e9d7d0 100644 --- a/src/lib/libssl/src/crypto/asn1/a_strnid.c +++ b/src/lib/libssl/src/crypto/asn1/a_strnid.c @@ -173,6 +173,7 @@ static ASN1_STRING_TABLE tbl_standard[] = { {NID_friendlyName, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}, {NID_name, 1, ub_name, DIRSTRING_TYPE, 0}, {NID_dnQualifier, -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}, +{NID_domainComponent, 1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK}, {NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK} }; @@ -249,4 +250,38 @@ static void st_free(ASN1_STRING_TABLE *tbl) if(tbl->flags & STABLE_FLAGS_MALLOC) OPENSSL_free(tbl); } + IMPLEMENT_STACK_OF(ASN1_STRING_TABLE) + +#ifdef STRING_TABLE_TEST + +main() +{ + ASN1_STRING_TABLE *tmp; + int i, last_nid = -1; + + for (tmp = tbl_standard, i = 0; + i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++) + { + if (tmp->nid < last_nid) + { + last_nid = 0; + break; + } + last_nid = tmp->nid; + } + + if (last_nid != 0) + { + printf("Table order OK\n"); + exit(0); + } + + for (tmp = tbl_standard, i = 0; + i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++) + printf("Index %d, NID %d, Name=%s\n", i, tmp->nid, + OBJ_nid2ln(tmp->nid)); + +} + +#endif diff --git a/src/lib/libssl/src/crypto/asn1/a_time.c b/src/lib/libssl/src/crypto/asn1/a_time.c index 27ddd30899..7348da9457 100644 --- a/src/lib/libssl/src/crypto/asn1/a_time.c +++ b/src/lib/libssl/src/crypto/asn1/a_time.c @@ -105,7 +105,10 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t) ts=OPENSSL_gmtime(&t,&data); if (ts == NULL) + { + ASN1err(ASN1_F_ASN1_TIME_SET, ASN1_R_ERROR_GETTING_TIME); return NULL; + } if((ts->tm_year >= 50) && (ts->tm_year < 150)) return ASN1_UTCTIME_set(s, t); return ASN1_GENERALIZEDTIME_set(s,t); @@ -152,7 +155,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE if (t->data[0] >= '5') strcpy(str, "19"); else strcpy(str, "20"); - strcat(str, (char *)t->data); + BUF_strlcat(str, (char *)t->data, t->length+3); /* Include space for a '\0' */ return ret; } diff --git a/src/lib/libssl/src/crypto/asn1/a_type.c b/src/lib/libssl/src/crypto/asn1/a_type.c index 96e111cf23..fe3fcd40b0 100644 --- a/src/lib/libssl/src/crypto/asn1/a_type.c +++ b/src/lib/libssl/src/crypto/asn1/a_type.c @@ -62,7 +62,7 @@ int ASN1_TYPE_get(ASN1_TYPE *a) { - if (a->value.ptr != NULL) + if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL)) return(a->type); else return(0); diff --git a/src/lib/libssl/src/crypto/asn1/a_verify.c b/src/lib/libssl/src/crypto/asn1/a_verify.c index bf41de5146..da2a0a6d69 100644 --- a/src/lib/libssl/src/crypto/asn1/a_verify.c +++ b/src/lib/libssl/src/crypto/asn1/a_verify.c @@ -103,7 +103,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature, EVP_VerifyInit_ex(&ctx,type, NULL); EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl); - memset(buf_in,0,(unsigned int)inl); + OPENSSL_cleanse(buf_in,(unsigned int)inl); OPENSSL_free(buf_in); if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data, @@ -153,7 +153,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat EVP_VerifyInit_ex(&ctx,type, NULL); EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl); - memset(buf_in,0,(unsigned int)inl); + OPENSSL_cleanse(buf_in,(unsigned int)inl); OPENSSL_free(buf_in); if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data, diff --git a/src/lib/libssl/src/crypto/asn1/asn1.h b/src/lib/libssl/src/crypto/asn1/asn1.h index dbb30f4f22..3414509f1b 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1.h +++ b/src/lib/libssl/src/crypto/asn1/asn1.h @@ -70,7 +70,6 @@ #include -#include #include #ifdef OPENSSL_BUILD_SHLIBCRYPTO @@ -133,7 +132,7 @@ extern "C" { #define B_ASN1_NUMERICSTRING 0x0001 #define B_ASN1_PRINTABLESTRING 0x0002 #define B_ASN1_T61STRING 0x0004 -#define B_ASN1_TELETEXSTRING 0x0008 +#define B_ASN1_TELETEXSTRING 0x0004 #define B_ASN1_VIDEOTEXSTRING 0x0008 #define B_ASN1_IA5STRING 0x0010 #define B_ASN1_GRAPHICSTRING 0x0020 @@ -981,6 +980,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_ASN1_TEMPLATE_D2I 131 #define ASN1_F_ASN1_TEMPLATE_EX_D2I 132 #define ASN1_F_ASN1_TEMPLATE_NEW 133 +#define ASN1_F_ASN1_TIME_SET 175 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING 134 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING 135 #define ASN1_F_ASN1_UNPACK_STRING 136 @@ -1038,6 +1038,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_DECODE_ERROR 110 #define ASN1_R_DECODING_ERROR 111 #define ASN1_R_ENCODE_ERROR 112 +#define ASN1_R_ERROR_GETTING_TIME 173 #define ASN1_R_ERROR_LOADING_SECTION 172 #define ASN1_R_ERROR_PARSING_SET_ELEMENT 113 #define ASN1_R_ERROR_SETTING_CIPHER_PARAMS 114 diff --git a/src/lib/libssl/src/crypto/asn1/asn1_err.c b/src/lib/libssl/src/crypto/asn1/asn1_err.c index c4c3d2a91d..094ec06fda 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1_err.c +++ b/src/lib/libssl/src/crypto/asn1/asn1_err.c @@ -1,6 +1,6 @@ /* crypto/asn1/asn1_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -100,6 +100,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0), "ASN1_TEMPLATE_D2I"}, {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0), "ASN1_TEMPLATE_EX_D2I"}, {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0), "ASN1_TEMPLATE_NEW"}, +{ERR_PACK(0,ASN1_F_ASN1_TIME_SET,0), "ASN1_TIME_set"}, {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0), "ASN1_TYPE_get_int_octetstring"}, {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0), "ASN1_TYPE_get_octetstring"}, {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0), "ASN1_unpack_string"}, @@ -160,6 +161,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ASN1_R_DECODE_ERROR ,"decode error"}, {ASN1_R_DECODING_ERROR ,"decoding error"}, {ASN1_R_ENCODE_ERROR ,"encode error"}, +{ASN1_R_ERROR_GETTING_TIME ,"error getting time"}, {ASN1_R_ERROR_LOADING_SECTION ,"error loading section"}, {ASN1_R_ERROR_PARSING_SET_ELEMENT ,"error parsing set element"}, {ASN1_R_ERROR_SETTING_CIPHER_PARAMS ,"error setting cipher params"}, diff --git a/src/lib/libssl/src/crypto/asn1/asn1_par.c b/src/lib/libssl/src/crypto/asn1/asn1_par.c index facfdd27fc..e48532a24d 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1_par.c +++ b/src/lib/libssl/src/crypto/asn1/asn1_par.c @@ -79,12 +79,7 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed, else p="prim: "; if (BIO_write(bp,p,6) < 6) goto err; - if (indent) - { - if (indent > 128) indent=128; - memset(str,' ',indent); - if (BIO_write(bp,str,indent) < indent) goto err; - } + BIO_indent(bp,indent,128); p=str; if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE) diff --git a/src/lib/libssl/src/crypto/asn1/f_int.c b/src/lib/libssl/src/crypto/asn1/f_int.c index 48cc3bfb90..9494e597ab 100644 --- a/src/lib/libssl/src/crypto/asn1/f_int.c +++ b/src/lib/libssl/src/crypto/asn1/f_int.c @@ -169,8 +169,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size) sp=(unsigned char *)OPENSSL_malloc( (unsigned int)num+i*2); else - sp=(unsigned char *)OPENSSL_realloc(s, - (unsigned int)num+i*2); + sp=OPENSSL_realloc_clean(s,slen,num+i*2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_INTEGER,ERR_R_MALLOC_FAILURE); diff --git a/src/lib/libssl/src/crypto/asn1/n_pkey.c b/src/lib/libssl/src/crypto/asn1/n_pkey.c index 9146ee02c9..766b51c538 100644 --- a/src/lib/libssl/src/crypto/asn1/n_pkey.c +++ b/src/lib/libssl/src/crypto/asn1/n_pkey.c @@ -187,7 +187,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey) i2d_NETSCAPE_PKEY(pkey,&zz); /* Wipe the private key encoding */ - memset(pkey->private_key->data, 0, rsalen); + OPENSSL_cleanse(pkey->private_key->data, rsalen); if (cb == NULL) cb=EVP_read_pw_string; @@ -206,7 +206,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey) } EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL); - memset(buf,0,256); + OPENSSL_cleanse(buf,256); /* Encrypt private key in place */ zz = enckey->enckey->digest->data; @@ -294,7 +294,7 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os, } EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL); - memset(buf,0,256); + OPENSSL_cleanse(buf,256); EVP_CIPHER_CTX_init(&ctx); EVP_DecryptInit_ex(&ctx,EVP_rc4(),NULL, key,NULL); diff --git a/src/lib/libssl/src/crypto/asn1/p8_pkey.c b/src/lib/libssl/src/crypto/asn1/p8_pkey.c index b634d5bc85..24b409132f 100644 --- a/src/lib/libssl/src/crypto/asn1/p8_pkey.c +++ b/src/lib/libssl/src/crypto/asn1/p8_pkey.c @@ -68,8 +68,8 @@ static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) if(operation == ASN1_OP_FREE_PRE) { PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval; if (key->pkey->value.octet_string) - memset(key->pkey->value.octet_string->data, - 0, key->pkey->value.octet_string->length); + OPENSSL_cleanse(key->pkey->value.octet_string->data, + key->pkey->value.octet_string->length); } return 1; } diff --git a/src/lib/libssl/src/crypto/asn1/t_crl.c b/src/lib/libssl/src/crypto/asn1/t_crl.c index 60db305756..757c148df8 100644 --- a/src/lib/libssl/src/crypto/asn1/t_crl.c +++ b/src/lib/libssl/src/crypto/asn1/t_crl.c @@ -84,11 +84,11 @@ int X509_CRL_print_fp(FILE *fp, X509_CRL *x) int X509_CRL_print(BIO *out, X509_CRL *x) { - char buf[256]; STACK_OF(X509_REVOKED) *rev; X509_REVOKED *r; long l; int i, n; + char *p; BIO_printf(out, "Certificate Revocation List (CRL):\n"); l = X509_CRL_get_version(x); @@ -96,8 +96,9 @@ int X509_CRL_print(BIO *out, X509_CRL *x) i = OBJ_obj2nid(x->sig_alg->algorithm); BIO_printf(out, "%8sSignature Algorithm: %s\n", "", (i == NID_undef) ? "NONE" : OBJ_nid2ln(i)); - X509_NAME_oneline(X509_CRL_get_issuer(x),buf,256); - BIO_printf(out,"%8sIssuer: %s\n","",buf); + p=X509_NAME_oneline(X509_CRL_get_issuer(x),NULL,0); + BIO_printf(out,"%8sIssuer: %s\n","",p); + OPENSSL_free(p); BIO_printf(out,"%8sLast Update: ",""); ASN1_TIME_print(out,X509_CRL_get_lastUpdate(x)); BIO_printf(out,"\n%8sNext Update: ",""); diff --git a/src/lib/libssl/src/crypto/asn1/t_pkey.c b/src/lib/libssl/src/crypto/asn1/t_pkey.c index 2d46914cb1..4e09c9e44e 100644 --- a/src/lib/libssl/src/crypto/asn1/t_pkey.c +++ b/src/lib/libssl/src/crypto/asn1/t_pkey.c @@ -130,14 +130,10 @@ int RSA_print(BIO *bp, const RSA *x, int off) goto err; } - if (off) - { - if (off > 128) off=128; - memset(str,' ',off); - } if (x->d != NULL) { - if (off && (BIO_write(bp,str,off) <= 0)) goto err; + if(!BIO_indent(bp,off,128)) + goto err; if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->n)) <= 0) goto err; } @@ -183,7 +179,6 @@ int DSA_print_fp(FILE *fp, const DSA *x, int off) int DSA_print(BIO *bp, const DSA *x, int off) { - char str[128]; unsigned char *m=NULL; int ret=0; size_t buf_len=0,i; @@ -210,14 +205,10 @@ int DSA_print(BIO *bp, const DSA *x, int off) goto err; } - if (off) - { - if (off > 128) off=128; - memset(str,' ',off); - } if (x->priv_key != NULL) { - if (off && (BIO_write(bp,str,off) <= 0)) goto err; + if(!BIO_indent(bp,off,128)) + goto err; if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->p)) <= 0) goto err; } @@ -240,17 +231,12 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf, int off) { int n,i; - char str[128]; const char *neg; if (num == NULL) return(1); neg=(num->neg)?"-":""; - if (off) - { - if (off > 128) off=128; - memset(str,' ',off); - if (BIO_write(bp,str,off) <= 0) return(0); - } + if(!BIO_indent(bp,off,128)) + return 0; if (BN_num_bytes(num) <= BN_BYTES) { @@ -274,9 +260,9 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf, { if ((i%15) == 0) { - str[0]='\n'; - memset(&(str[1]),' ',off+4); - if (BIO_write(bp,str,off+1+4) <= 0) return(0); + if(BIO_puts(bp,"\n") <= 0 + || !BIO_indent(bp,off+4,128)) + return 0; } if (BIO_printf(bp,"%02x%s",buf[i],((i+1) == n)?"":":") <= 0) return(0); diff --git a/src/lib/libssl/src/crypto/asn1/t_req.c b/src/lib/libssl/src/crypto/asn1/t_req.c index 739f272ecf..740cee80c0 100644 --- a/src/lib/libssl/src/crypto/asn1/t_req.c +++ b/src/lib/libssl/src/crypto/asn1/t_req.c @@ -91,7 +91,6 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long EVP_PKEY *pkey; STACK_OF(X509_ATTRIBUTE) *sk; STACK_OF(X509_EXTENSION) *exts; - char str[128]; char mlch = ' '; int nmindent = 0; @@ -116,8 +115,9 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long l=0; for (i=0; iversion->length; i++) { l<<=8; l+=ri->version->data[i]; } - sprintf(str,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,l); - if (BIO_puts(bp,str) <= 0) goto err; + if(BIO_printf(bp,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg, + l) <= 0) + goto err; } if(!(cflag & X509_FLAG_NO_SUBJECT)) { @@ -168,14 +168,14 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long if(!(cflag & X509_FLAG_NO_ATTRIBUTES)) { /* may not be */ - sprintf(str,"%8sAttributes:\n",""); - if (BIO_puts(bp,str) <= 0) goto err; + if(BIO_printf(bp,"%8sAttributes:\n","") <= 0) + goto err; sk=x->req_info->attributes; if (sk_X509_ATTRIBUTE_num(sk) == 0) { - sprintf(str,"%12sa0:00\n",""); - if (BIO_puts(bp,str) <= 0) goto err; + if(BIO_printf(bp,"%12sa0:00\n","") <= 0) + goto err; } else { @@ -190,8 +190,8 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long a=sk_X509_ATTRIBUTE_value(sk,i); if(X509_REQ_extension_nid(OBJ_obj2nid(a->object))) continue; - sprintf(str,"%12s",""); - if (BIO_puts(bp,str) <= 0) goto err; + if(BIO_printf(bp,"%12s","") <= 0) + goto err; if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0) { if (a->single) diff --git a/src/lib/libssl/src/crypto/asn1/t_x509.c b/src/lib/libssl/src/crypto/asn1/t_x509.c index 5de4833ed0..d1034c47f8 100644 --- a/src/lib/libssl/src/crypto/asn1/t_x509.c +++ b/src/lib/libssl/src/crypto/asn1/t_x509.c @@ -433,15 +433,17 @@ err: int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) { - char *s,*c; + char *s,*c,*b; int ret=0,l,ll,i,first=1; - char buf[256]; ll=80-2-obase; - s=X509_NAME_oneline(name,buf,256); + b=s=X509_NAME_oneline(name,NULL,0); if (!*s) + { + OPENSSL_free(b); return 1; + } s++; /* skip the first slash */ l=ll; @@ -497,6 +499,7 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) err: X509err(X509_F_X509_NAME_PRINT,ERR_R_BUF_LIB); } + OPENSSL_free(b); return(ret); } diff --git a/src/lib/libssl/src/crypto/asn1/t_x509a.c b/src/lib/libssl/src/crypto/asn1/t_x509a.c index 7d4a6e6084..ffbbfb51f4 100644 --- a/src/lib/libssl/src/crypto/asn1/t_x509a.c +++ b/src/lib/libssl/src/crypto/asn1/t_x509a.c @@ -77,7 +77,7 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) for(i = 0; i < sk_ASN1_OBJECT_num(aux->trust); i++) { if(!first) BIO_puts(out, ", "); else first = 0; - OBJ_obj2txt(oidstr, 80, + OBJ_obj2txt(oidstr, sizeof oidstr, sk_ASN1_OBJECT_value(aux->trust, i), 0); BIO_puts(out, oidstr); } @@ -90,7 +90,7 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) for(i = 0; i < sk_ASN1_OBJECT_num(aux->reject); i++) { if(!first) BIO_puts(out, ", "); else first = 0; - OBJ_obj2txt(oidstr, 80, + OBJ_obj2txt(oidstr, sizeof oidstr, sk_ASN1_OBJECT_value(aux->reject, i), 0); BIO_puts(out, oidstr); } diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c index f87c08793a..76fc023230 100644 --- a/src/lib/libssl/src/crypto/asn1/tasn_dec.c +++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c @@ -664,7 +664,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl if(!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) goto err; len = buf.length; /* Append a final null to string */ - if(!BUF_MEM_grow(&buf, len + 1)) { + if(!BUF_MEM_grow_clean(&buf, len + 1)) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE); return 0; } @@ -857,7 +857,7 @@ static int collect_data(BUF_MEM *buf, unsigned char **p, long plen) int len; if(buf) { len = buf->length; - if(!BUF_MEM_grow(buf, len + plen)) { + if(!BUF_MEM_grow_clean(buf, len + plen)) { ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE); return 0; } diff --git a/src/lib/libssl/src/crypto/asn1/tasn_fre.c b/src/lib/libssl/src/crypto/asn1/tasn_fre.c index c7610776f2..2dd844159e 100644 --- a/src/lib/libssl/src/crypto/asn1/tasn_fre.c +++ b/src/lib/libssl/src/crypto/asn1/tasn_fre.c @@ -206,7 +206,10 @@ void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it) break; case V_ASN1_BOOLEAN: - *(ASN1_BOOLEAN *)pval = it->size; + if (it) + *(ASN1_BOOLEAN *)pval = it->size; + else + *(ASN1_BOOLEAN *)pval = -1; return; case V_ASN1_NULL: diff --git a/src/lib/libssl/src/crypto/asn1/tasn_new.c b/src/lib/libssl/src/crypto/asn1/tasn_new.c index e33861f864..a0e3db574f 100644 --- a/src/lib/libssl/src/crypto/asn1/tasn_new.c +++ b/src/lib/libssl/src/crypto/asn1/tasn_new.c @@ -305,7 +305,10 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it) return 1; case V_ASN1_BOOLEAN: - *(ASN1_BOOLEAN *)pval = it->size; + if (it) + *(ASN1_BOOLEAN *)pval = it->size; + else + *(ASN1_BOOLEAN *)pval = -1; return 1; case V_ASN1_NULL: diff --git a/src/lib/libssl/src/crypto/asn1/tasn_prn.c b/src/lib/libssl/src/crypto/asn1/tasn_prn.c index fab67ae5ac..719639b511 100644 --- a/src/lib/libssl/src/crypto/asn1/tasn_prn.c +++ b/src/lib/libssl/src/crypto/asn1/tasn_prn.c @@ -186,7 +186,7 @@ if(*bool == -1) printf("BOOL MISSING\n"); char objbuf[80], *ln; ln = OBJ_nid2ln(OBJ_obj2nid(fld)); if(!ln) ln = ""; - OBJ_obj2txt(objbuf, 80, fld, 1); + OBJ_obj2txt(objbuf, sizeof objbuf, fld, 1); BIO_printf(out, "%*s%s:%s (%s)", indent, "", "OBJECT", ln, objbuf); } else { BIO_printf(out, "%*s%s:", indent, "", name); diff --git a/src/lib/libssl/src/crypto/bf/bftest.c b/src/lib/libssl/src/crypto/bf/bftest.c index 09895f2542..24d526b14b 100644 --- a/src/lib/libssl/src/crypto/bf/bftest.c +++ b/src/lib/libssl/src/crypto/bf/bftest.c @@ -63,6 +63,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_BF int main(int argc, char *argv[]) { @@ -275,7 +277,7 @@ int main(int argc, char *argv[]) else ret=test(); - exit(ret); + EXIT(ret); return(0); } @@ -454,9 +456,9 @@ static int test(void) len=strlen(cbc_data)+1; BF_set_key(&key,16,cbc_key); - memset(cbc_in,0,40); - memset(cbc_out,0,40); - memcpy(iv,cbc_iv,8); + memset(cbc_in,0,sizeof cbc_in); + memset(cbc_out,0,sizeof cbc_out); + memcpy(iv,cbc_iv,sizeof iv); BF_cbc_encrypt((unsigned char *)cbc_data,cbc_out,len, &key,iv,BF_ENCRYPT); if (memcmp(cbc_out,cbc_ok,32) != 0) diff --git a/src/lib/libssl/src/crypto/bio/b_print.c b/src/lib/libssl/src/crypto/bio/b_print.c index 80c9cb69db..a9e552f245 100644 --- a/src/lib/libssl/src/crypto/bio/b_print.c +++ b/src/lib/libssl/src/crypto/bio/b_print.c @@ -378,7 +378,7 @@ _dopr( case 'p': value = (long)va_arg(args, void *); fmtint(sbuffer, buffer, &currlen, maxlen, - value, 16, min, max, flags); + value, 16, min, max, flags|DP_F_NUM); break; case 'n': /* XXX */ if (cflags == DP_C_SHORT) { @@ -482,8 +482,9 @@ fmtint( int flags) { int signvalue = 0; + char *prefix = ""; unsigned LLONG uvalue; - char convert[20]; + char convert[DECIMAL_SIZE(value)+3]; int place = 0; int spadlen = 0; int zpadlen = 0; @@ -501,6 +502,10 @@ fmtint( else if (flags & DP_F_SPACE) signvalue = ' '; } + if (flags & DP_F_NUM) { + if (base == 8) prefix = "0"; + if (base == 16) prefix = "0x"; + } if (flags & DP_F_UP) caps = 1; do { @@ -508,13 +513,13 @@ fmtint( (caps ? "0123456789ABCDEF" : "0123456789abcdef") [uvalue % (unsigned) base]; uvalue = (uvalue / (unsigned) base); - } while (uvalue && (place < 20)); - if (place == 20) + } while (uvalue && (place < sizeof convert)); + if (place == sizeof convert) place--; convert[place] = 0; zpadlen = max - place; - spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0); + spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix); if (zpadlen < 0) zpadlen = 0; if (spadlen < 0) @@ -536,6 +541,12 @@ fmtint( if (signvalue) doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); + /* prefix */ + while (*prefix) { + doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix); + prefix++; + } + /* zeros */ if (zpadlen > 0) { while (zpadlen > 0) { @@ -641,8 +652,8 @@ fmtfp( (caps ? "0123456789ABCDEF" : "0123456789abcdef")[intpart % 10]; intpart = (intpart / 10); - } while (intpart && (iplace < 20)); - if (iplace == 20) + } while (intpart && (iplace < sizeof iplace)); + if (iplace == sizeof iplace) iplace--; iconvert[iplace] = 0; @@ -653,7 +664,7 @@ fmtfp( : "0123456789abcdef")[fracpart % 10]; fracpart = (fracpart / 10); } while (fplace < max); - if (fplace == 20) + if (fplace == sizeof fplace) fplace--; fconvert[fplace] = 0; @@ -692,7 +703,7 @@ fmtfp( * Decimal point. This should probably use locale to find the correct * char to print out. */ - if (max > 0) { + if (max > 0 || (flags & DP_F_NUM)) { doapr_outch(sbuffer, buffer, currlen, maxlen, '.'); while (fplace > 0) diff --git a/src/lib/libssl/src/crypto/bio/b_sock.c b/src/lib/libssl/src/crypto/bio/b_sock.c index 45bd7c47e8..601a14f37c 100644 --- a/src/lib/libssl/src/crypto/bio/b_sock.c +++ b/src/lib/libssl/src/crypto/bio/b_sock.c @@ -83,6 +83,7 @@ static int wsa_init_done=0; #endif +#if 0 static unsigned long BIO_ghbn_hits=0L; static unsigned long BIO_ghbn_miss=0L; @@ -93,6 +94,7 @@ static struct ghbn_cache_st struct hostent *ent; unsigned long order; } ghbn_cache[GHBN_NUM]; +#endif static int get_ip(const char *str,unsigned char *ip); #if 0 @@ -230,6 +232,7 @@ int BIO_sock_error(int sock) return(j); } +#if 0 long BIO_ghbn_ctrl(int cmd, int iarg, char *parg) { int i; @@ -267,6 +270,7 @@ long BIO_ghbn_ctrl(int cmd, int iarg, char *parg) } return(1); } +#endif #if 0 static struct hostent *ghbn_dup(struct hostent *a) @@ -463,6 +467,12 @@ int BIO_sock_init(void) } } #endif /* OPENSSL_SYS_WINDOWS */ +#ifdef WATT32 + extern int _watt_do_exit; + _watt_do_exit = 0; /* don't make sock_init() call exit() */ + if (sock_init()) + return (-1); +#endif return(1); } @@ -472,7 +482,9 @@ void BIO_sock_cleanup(void) if (wsa_init_done) { wsa_init_done=0; +#ifndef OPENSSL_SYS_WINCE WSACancelBlockingCall(); +#endif WSACleanup(); } #endif @@ -480,7 +492,7 @@ void BIO_sock_cleanup(void) #if !defined(OPENSSL_SYS_VMS) || __VMS_VER >= 70000000 -int BIO_socket_ioctl(int fd, long type, unsigned long *arg) +int BIO_socket_ioctl(int fd, long type, void *arg) { int i; @@ -730,7 +742,7 @@ int BIO_set_tcp_ndelay(int s, int on) int BIO_socket_nbio(int s, int mode) { int ret= -1; - unsigned long l; + int l; l=mode; #ifdef FIONBIO diff --git a/src/lib/libssl/src/crypto/bio/bf_buff.c b/src/lib/libssl/src/crypto/bio/bf_buff.c index 6ccda06596..1cecd70579 100644 --- a/src/lib/libssl/src/crypto/bio/bf_buff.c +++ b/src/lib/libssl/src/crypto/bio/bf_buff.c @@ -482,7 +482,7 @@ static int buffer_gets(BIO *b, char *buf, int size) size-=i; ctx->ibuf_len-=i; ctx->ibuf_off+=i; - if ((flag) || (i == size)) + if (flag || size == 0) { *buf='\0'; return(num); diff --git a/src/lib/libssl/src/crypto/bio/bio.h b/src/lib/libssl/src/crypto/bio/bio.h index c5caf253c9..fbbc16d00c 100644 --- a/src/lib/libssl/src/crypto/bio/bio.h +++ b/src/lib/libssl/src/crypto/bio/bio.h @@ -244,7 +244,7 @@ typedef struct bio_method_st long (_far *ctrl)(); int (_far *create)(); int (_far *destroy)(); - long (_fat *callback_ctrl)(); + long (_far *callback_ctrl)(); } BIO_METHOD; #endif @@ -522,6 +522,7 @@ int BIO_read(BIO *b, void *data, int len); int BIO_gets(BIO *bp,char *buf, int size); int BIO_write(BIO *b, const void *data, int len); int BIO_puts(BIO *bp,const char *buf); +int BIO_indent(BIO *b,int indent,int max); long BIO_ctrl(BIO *bp,int cmd,long larg,void *parg); long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long)); char * BIO_ptr_ctrl(BIO *bp,int cmd,long larg); @@ -584,7 +585,7 @@ struct hostent *BIO_gethostbyname(const char *name); * and an appropriate error code is set). */ int BIO_sock_error(int sock); -int BIO_socket_ioctl(int fd, long type, unsigned long *arg); +int BIO_socket_ioctl(int fd, long type, void *arg); int BIO_socket_nbio(int fd,int mode); int BIO_get_port(const char *str, unsigned short *port_ptr); int BIO_get_host_ip(const char *str, unsigned char *ip); @@ -608,7 +609,7 @@ int BIO_new_bio_pair(BIO **bio1, size_t writebuf1, void BIO_copy_next_retry(BIO *b); -long BIO_ghbn_ctrl(int cmd,int iarg,char *parg); +/*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/ int BIO_printf(BIO *bio, const char *format, ...); int BIO_vprintf(BIO *bio, const char *format, va_list args); diff --git a/src/lib/libssl/src/crypto/bio/bio_lib.c b/src/lib/libssl/src/crypto/bio/bio_lib.c index 50df2238fa..692c8fb5c6 100644 --- a/src/lib/libssl/src/crypto/bio/bio_lib.c +++ b/src/lib/libssl/src/crypto/bio/bio_lib.c @@ -272,6 +272,18 @@ int BIO_gets(BIO *b, char *in, int inl) return(i); } +int BIO_indent(BIO *b,int indent,int max) + { + if(indent < 0) + indent=0; + if(indent > max) + indent=max; + while(indent--) + if(BIO_puts(b," ") != 1) + return 0; + return 1; + } + long BIO_int_ctrl(BIO *b, int cmd, long larg, int iarg) { int i; @@ -383,6 +395,8 @@ BIO *BIO_pop(BIO *b) if (b == NULL) return(NULL); ret=b->next_bio; + BIO_ctrl(b,BIO_CTRL_POP,0,NULL); + if (b->prev_bio != NULL) b->prev_bio->next_bio=b->next_bio; if (b->next_bio != NULL) @@ -390,7 +404,6 @@ BIO *BIO_pop(BIO *b) b->next_bio=NULL; b->prev_bio=NULL; - BIO_ctrl(b,BIO_CTRL_POP,0,NULL); return(ret); } diff --git a/src/lib/libssl/src/crypto/bio/bss_bio.c b/src/lib/libssl/src/crypto/bio/bss_bio.c index 1c485a4479..aa58dab046 100644 --- a/src/lib/libssl/src/crypto/bio/bss_bio.c +++ b/src/lib/libssl/src/crypto/bio/bss_bio.c @@ -28,13 +28,12 @@ #include #include -#include #include #include "e_os.h" /* VxWorks defines SSIZE_MAX with an empty value causing compile errors */ -#if defined(OPENSSL_SYS_VSWORKS) +#if defined(OPENSSL_SYS_VXWORKS) # undef SSIZE_MAX #endif #ifndef SSIZE_MAX diff --git a/src/lib/libssl/src/crypto/bio/bss_conn.c b/src/lib/libssl/src/crypto/bio/bss_conn.c index f91ae4c8c6..743db6ff94 100644 --- a/src/lib/libssl/src/crypto/bio/bss_conn.c +++ b/src/lib/libssl/src/crypto/bio/bss_conn.c @@ -519,7 +519,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) else if (num == 2) { char buf[16]; - char *p = ptr; + unsigned char *p = ptr; sprintf(buf,"%d.%d.%d.%d", p[0],p[1],p[2],p[3]); @@ -530,7 +530,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) } else if (num == 3) { - char buf[16]; + char buf[DECIMAL_SIZE(int)+1]; sprintf(buf,"%d",*(int *)ptr); if (data->param_port != NULL) diff --git a/src/lib/libssl/src/crypto/bio/bss_file.c b/src/lib/libssl/src/crypto/bio/bss_file.c index 826b361fa2..a66600c1a3 100644 --- a/src/lib/libssl/src/crypto/bio/bss_file.c +++ b/src/lib/libssl/src/crypto/bio/bss_file.c @@ -247,7 +247,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) ret=0; break; } -#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) +#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) if (!(num & BIO_FP_TEXT)) strcat(p,"b"); else diff --git a/src/lib/libssl/src/crypto/bio/bss_log.c b/src/lib/libssl/src/crypto/bio/bss_log.c index a39d95297c..1eb678cac0 100644 --- a/src/lib/libssl/src/crypto/bio/bss_log.c +++ b/src/lib/libssl/src/crypto/bio/bss_log.c @@ -68,7 +68,8 @@ #include "cryptlib.h" -#if defined(OPENSSL_SYS_WIN32) +#if defined(OPENSSL_SYS_WINCE) +#elif defined(OPENSSL_SYS_WIN32) # include #elif defined(OPENSSL_SYS_VMS) # include @@ -77,7 +78,7 @@ # include #elif defined(__ultrix) # include -#elif !defined(MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && !defined(NO_SYSLOG) /* Unix */ +#elif (!defined(MSDOS) || defined(WATT32)) && !defined(OPENSSL_SYS_VXWORKS) && !defined(NO_SYSLOG) # include #endif @@ -274,7 +275,7 @@ static void xsyslog(BIO *bp, int priority, const char *string) LPCSTR lpszStrings[2]; WORD evtype= EVENTLOG_ERROR_TYPE; int pid = _getpid(); - char pidbuf[20]; + char pidbuf[DECIMAL_SIZE(pid)+4]; switch (priority) { @@ -373,11 +374,15 @@ static void xcloselog(BIO* bp) { } -#else /* Unix */ +#else /* Unix/Watt32 */ static void xopenlog(BIO* bp, char* name, int level) { +#ifdef WATT32 /* djgpp/DOS */ + openlog(name, LOG_PID|LOG_CONS|LOG_NDELAY, level); +#else openlog(name, LOG_PID|LOG_CONS, level); +#endif } static void xsyslog(BIO *bp, int priority, const char *string) diff --git a/src/lib/libssl/src/crypto/bio/bss_mem.c b/src/lib/libssl/src/crypto/bio/bss_mem.c index 28ff7582bf..a4edb711ae 100644 --- a/src/lib/libssl/src/crypto/bio/bss_mem.c +++ b/src/lib/libssl/src/crypto/bio/bss_mem.c @@ -190,7 +190,7 @@ static int mem_write(BIO *b, const char *in, int inl) BIO_clear_retry_flags(b); blen=bm->length; - if (BUF_MEM_grow(bm,blen+inl) != (blen+inl)) + if (BUF_MEM_grow_clean(bm,blen+inl) != (blen+inl)) goto end; memcpy(&(bm->data[blen]),in,inl); ret=inl; @@ -284,7 +284,11 @@ static int mem_gets(BIO *bp, char *buf, int size) BIO_clear_retry_flags(bp); j=bm->length; - if (j <= 0) return(0); + if (j <= 0) + { + *buf='\0'; + return 0; + } p=bm->data; for (i=0; i +#ifdef WATT32 +#define sock_write SockWrite /* Watt-32 uses same names */ +#define sock_read SockRead +#define sock_puts SockPuts +#endif + static int sock_write(BIO *h, const char *buf, int num); static int sock_read(BIO *h, char *buf, int size); static int sock_puts(BIO *h, const char *str); diff --git a/src/lib/libssl/src/crypto/bn/asm/ia64.S b/src/lib/libssl/src/crypto/bn/asm/ia64.S index ae56066310..7dfda85566 100644 --- a/src/lib/libssl/src/crypto/bn/asm/ia64.S +++ b/src/lib/libssl/src/crypto/bn/asm/ia64.S @@ -1,6 +1,6 @@ .explicit .text -.ident "ia64.S, Version 1.1" +.ident "ia64.S, Version 2.0" .ident "IA-64 ISA artwork by Andy Polyakov " // @@ -13,6 +13,35 @@ // disclaimed. // ==================================================================== // +// Version 2.x is Itanium2 re-tune. Few words about how Itanum2 is +// different from Itanium to this module viewpoint. Most notably, is it +// "wider" than Itanium? Can you experience loop scalability as +// discussed in commentary sections? Not really:-( Itanium2 has 6 +// integer ALU ports, i.e. it's 2 ports wider, but it's not enough to +// spin twice as fast, as I need 8 IALU ports. Amount of floating point +// ports is the same, i.e. 2, while I need 4. In other words, to this +// module Itanium2 remains effectively as "wide" as Itanium. Yet it's +// essentially different in respect to this module, and a re-tune was +// required. Well, because some intruction latencies has changed. Most +// noticeably those intensively used: +// +// Itanium Itanium2 +// ldf8 9 6 L2 hit +// ld8 2 1 L1 hit +// getf 2 5 +// xma[->getf] 7[+1] 4[+0] +// add[->st8] 1[+1] 1[+0] +// +// What does it mean? You might ratiocinate that the original code +// should run just faster... Because sum of latencies is smaller... +// Wrong! Note that getf latency increased. This means that if a loop is +// scheduled for lower latency (and they are), then it will suffer from +// stall condition and the code will therefore turn anti-scalable, e.g. +// original bn_mul_words spun at 5*n or 2.5 times slower than expected +// on Itanium2! What to do? Reschedule loops for Itanium2? But then +// Itanium would exhibit anti-scalability. So I've chosen to reschedule +// for worst latency for every instruction aiming for best *all-round* +// performance. // Q. How much faster does it get? // A. Here is the output from 'openssl speed rsa dsa' for vanilla @@ -149,12 +178,27 @@ bn_add_words: brp.loop.imp .L_bn_add_words_ctop,.L_bn_add_words_cend-16 } .body -{ .mib; mov r14=r32 // rp +{ .mib; +#if defined(_HPUX_SOURCE) && defined(_ILP32) + addp4 r14=0,r32 // rp +#else + mov r14=r32 // rp +#endif mov r9=pr };; -{ .mii; mov r15=r33 // ap +{ .mii; +#if defined(_HPUX_SOURCE) && defined(_ILP32) + addp4 r15=0,r33 // ap +#else + mov r15=r33 // ap +#endif mov ar.lc=r10 mov ar.ec=6 } -{ .mib; mov r16=r34 // bp +{ .mib; +#if defined(_HPUX_SOURCE) && defined(_ILP32) + addp4 r16=0,r34 // bp +#else + mov r16=r34 // bp +#endif mov pr.rot=1<<16 };; .L_bn_add_words_ctop: @@ -174,7 +218,7 @@ bn_add_words: { .mii; (p59) add r8=1,r8 // return value - mov pr=r9,-1 + mov pr=r9,0x1ffff mov ar.lc=r3 } { .mbb; nop.b 0x0 br.ret.sptk.many b0 };; @@ -202,12 +246,27 @@ bn_sub_words: brp.loop.imp .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16 } .body -{ .mib; mov r14=r32 // rp +{ .mib; +#if defined(_HPUX_SOURCE) && defined(_ILP32) + addp4 r14=0,r32 // rp +#else + mov r14=r32 // rp +#endif mov r9=pr };; -{ .mii; mov r15=r33 // ap +{ .mii; +#if defined(_HPUX_SOURCE) && defined(_ILP32) + addp4 r15=0,r33 // ap +#else + mov r15=r33 // ap +#endif mov ar.lc=r10 mov ar.ec=6 } -{ .mib; mov r16=r34 // bp +{ .mib; +#if defined(_HPUX_SOURCE) && defined(_ILP32) + addp4 r16=0,r34 // bp +#else + mov r16=r34 // bp +#endif mov pr.rot=1<<16 };; .L_bn_sub_words_ctop: @@ -227,7 +286,7 @@ bn_sub_words: { .mii; (p59) add r8=1,r8 // return value - mov pr=r9,-1 + mov pr=r9,0x1ffff mov ar.lc=r3 } { .mbb; nop.b 0x0 br.ret.sptk.many b0 };; @@ -253,7 +312,7 @@ bn_mul_words: #ifdef XMA_TEMPTATION { .mfi; alloc r2=ar.pfs,4,0,0,0 };; #else -{ .mfi; alloc r2=ar.pfs,4,4,0,8 };; +{ .mfi; alloc r2=ar.pfs,4,12,0,16 };; #endif { .mib; mov r8=r0 // return value cmp4.le p6,p0=r34,r0 @@ -266,24 +325,30 @@ bn_mul_words: .body { .mib; setf.sig f8=r35 // w - mov pr.rot=0x400001<<16 - // ------^----- serves as (p48) at first (p26) + mov pr.rot=0x800001<<16 + // ------^----- serves as (p50) at first (p27) brp.loop.imp .L_bn_mul_words_ctop,.L_bn_mul_words_cend-16 } #ifndef XMA_TEMPTATION -{ .mii; mov r14=r32 // rp - mov r15=r33 // ap +{ .mii; +#if defined(_HPUX_SOURCE) && defined(_ILP32) + addp4 r14=0,r32 // rp + addp4 r15=0,r33 // ap +#else + mov r14=r32 // rp + mov r15=r33 // ap +#endif mov ar.lc=r10 } -{ .mii; mov r39=0 // serves as r33 at first (p26) - mov ar.ec=12 };; +{ .mii; mov r40=0 // serves as r35 at first (p27) + mov ar.ec=13 };; -// This loop spins in 2*(n+11) ticks. It's scheduled for data in L2 -// cache (i.e. 9 ticks away) as floating point load/store instructions +// This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium +// L2 cache (i.e. 9 ticks away) as floating point load/store instructions // bypass L1 cache and L2 latency is actually best-case scenario for -// ldf8. The loop is not scalable and shall run in 2*(n+11) even on -// "wider" IA-64 implementations. It's a trade-off here. n+22 loop +// ldf8. The loop is not scalable and shall run in 2*(n+12) even on +// "wider" IA-64 implementations. It's a trade-off here. n+24 loop // would give us ~5% in *overall* performance improvement on "wider" // IA-64, but would hurt Itanium for about same because of longer // epilogue. As it's a matter of few percents in either case I've @@ -291,25 +356,25 @@ bn_mul_words: // this very instruction sequence in bn_mul_add_words loop which in // turn is scalable). .L_bn_mul_words_ctop: -{ .mfi; (p25) getf.sig r36=f49 // low - (p21) xmpy.lu f45=f37,f8 - (p27) cmp.ltu p52,p48=r39,r38 } +{ .mfi; (p25) getf.sig r36=f52 // low + (p21) xmpy.lu f48=f37,f8 + (p28) cmp.ltu p54,p50=r41,r39 } { .mfi; (p16) ldf8 f32=[r15],8 - (p21) xmpy.hu f38=f37,f8 + (p21) xmpy.hu f40=f37,f8 (p0) nop.i 0x0 };; -{ .mii; (p26) getf.sig r32=f43 // high - .pred.rel "mutex",p48,p52 - (p48) add r38=r37,r33 // (p26) - (p52) add r38=r37,r33,1 } // (p26) -{ .mfb; (p27) st8 [r14]=r39,8 +{ .mii; (p25) getf.sig r32=f44 // high + .pred.rel "mutex",p50,p54 + (p50) add r40=r38,r35 // (p27) + (p54) add r40=r38,r35,1 } // (p27) +{ .mfb; (p28) st8 [r14]=r41,8 (p0) nop.f 0x0 br.ctop.sptk .L_bn_mul_words_ctop };; .L_bn_mul_words_cend: { .mii; nop.m 0x0 -.pred.rel "mutex",p49,p53 -(p49) add r8=r34,r0 -(p53) add r8=r34,r0,1 } +.pred.rel "mutex",p51,p55 +(p51) add r8=r36,r0 +(p55) add r8=r36,r0,1 } { .mfb; nop.m 0x0 nop.f 0x0 nop.b 0x0 } @@ -344,7 +409,7 @@ bn_mul_words: #endif // XMA_TEMPTATION { .mii; nop.m 0x0 - mov pr=r9,-1 + mov pr=r9,0x1ffff mov ar.lc=r3 } { .mfb; rum 1<<5 // clear um.mfh nop.f 0x0 @@ -376,59 +441,69 @@ bn_mul_add_words: .body { .mib; setf.sig f8=r35 // w - mov pr.rot=0x400001<<16 - // ------^----- serves as (p48) at first (p26) + mov pr.rot=0x800001<<16 + // ------^----- serves as (p50) at first (p27) brp.loop.imp .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16 } -{ .mii; mov r14=r32 // rp - mov r15=r33 // ap +{ .mii; +#if defined(_HPUX_SOURCE) && defined(_ILP32) + addp4 r14=0,r32 // rp + addp4 r15=0,r33 // ap +#else + mov r14=r32 // rp + mov r15=r33 // ap +#endif mov ar.lc=r10 } -{ .mii; mov r39=0 // serves as r33 at first (p26) - mov r18=r32 // rp copy - mov ar.ec=14 };; +{ .mii; mov r40=0 // serves as r35 at first (p27) +#if defined(_HPUX_SOURCE) && defined(_ILP32) + addp4 r18=0,r32 // rp copy +#else + mov r18=r32 // rp copy +#endif + mov ar.ec=15 };; -// This loop spins in 3*(n+13) ticks on Itanium and should spin in -// 2*(n+13) on "wider" IA-64 implementations (to be verified with new +// This loop spins in 3*(n+14) ticks on Itanium and should spin in +// 2*(n+14) on "wider" IA-64 implementations (to be verified with new // µ-architecture manuals as they become available). As usual it's // possible to compress the epilogue, down to 10 in this case, at the // cost of scalability. Compressed (and therefore non-scalable) loop -// running at 3*(n+10) would buy you ~10% on Itanium but take ~35% +// running at 3*(n+11) would buy you ~10% on Itanium but take ~35% // from "wider" IA-64 so let it be scalable! Special attention was // paid for having the loop body split at 64-byte boundary. ld8 is // scheduled for L1 cache as the data is more than likely there. // Indeed, bn_mul_words has put it there a moment ago:-) .L_bn_mul_add_words_ctop: -{ .mfi; (p25) getf.sig r36=f49 // low - (p21) xmpy.lu f45=f37,f8 - (p27) cmp.ltu p52,p48=r39,r38 } +{ .mfi; (p25) getf.sig r36=f52 // low + (p21) xmpy.lu f48=f37,f8 + (p28) cmp.ltu p54,p50=r41,r39 } { .mfi; (p16) ldf8 f32=[r15],8 - (p21) xmpy.hu f38=f37,f8 - (p27) add r43=r43,r39 };; -{ .mii; (p26) getf.sig r32=f43 // high - .pred.rel "mutex",p48,p52 - (p48) add r38=r37,r33 // (p26) - (p52) add r38=r37,r33,1 } // (p26) -{ .mfb; (p27) cmp.ltu.unc p56,p0=r43,r39 + (p21) xmpy.hu f40=f37,f8 + (p28) add r45=r45,r41 };; +{ .mii; (p25) getf.sig r32=f44 // high + .pred.rel "mutex",p50,p54 + (p50) add r40=r38,r35 // (p27) + (p54) add r40=r38,r35,1 } // (p27) +{ .mfb; (p28) cmp.ltu.unc p60,p0=r45,r41 (p0) nop.f 0x0 (p0) nop.b 0x0 } -{ .mii; (p26) ld8 r42=[r18],8 - (p58) cmp.eq.or p57,p0=-1,r44 - (p58) add r44=1,r44 } -{ .mfb; (p29) st8 [r14]=r45,8 +{ .mii; (p27) ld8 r44=[r18],8 + (p62) cmp.eq.or p61,p0=-1,r46 + (p62) add r46=1,r46 } +{ .mfb; (p30) st8 [r14]=r47,8 (p0) nop.f 0x0 br.ctop.sptk .L_bn_mul_add_words_ctop};; .L_bn_mul_add_words_cend: { .mii; nop.m 0x0 -.pred.rel "mutex",p51,p55 -(p51) add r8=r36,r0 -(p55) add r8=r36,r0,1 } +.pred.rel "mutex",p53,p57 +(p53) add r8=r38,r0 +(p57) add r8=r38,r0,1 } { .mfb; nop.m 0x0 nop.f 0x0 nop.b 0x0 };; { .mii; -(p59) add r8=1,r8 - mov pr=r9,-1 +(p63) add r8=1,r8 + mov pr=r9,0x1ffff mov ar.lc=r3 } { .mfb; rum 1<<5 // clear um.mfh nop.f 0x0 @@ -461,6 +536,10 @@ bn_sqr_words: mov r9=pr };; .body +#if defined(_HPUX_SOURCE) && defined(_ILP32) +{ .mii; addp4 r32=0,r32 + addp4 r33=0,r33 };; +#endif { .mib; mov pr.rot=1<<16 brp.loop.imp .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16 @@ -492,7 +571,7 @@ bn_sqr_words: .L_bn_sqr_words_cend: { .mii; nop.m 0x0 - mov pr=r9,-1 + mov pr=r9,0x1ffff mov ar.lc=r3 } { .mfb; rum 1<<5 // clear um.mfh nop.f 0x0 @@ -526,7 +605,14 @@ bn_sqr_comba8: .prologue .fframe 0 .save ar.pfs,r2 +#if defined(_HPUX_SOURCE) && defined(_ILP32) { .mii; alloc r2=ar.pfs,2,1,0,0 + addp4 r33=0,r33 + addp4 r32=0,r32 };; +{ .mii; +#else +{ .mii; alloc r2=ar.pfs,2,1,0,0 +#endif mov r34=r33 add r14=8,r33 };; .body @@ -587,7 +673,14 @@ bn_mul_comba8: .prologue .fframe 0 .save ar.pfs,r2 +#if defined(_HPUX_SOURCE) && defined(_ILP32) { .mii; alloc r2=ar.pfs,3,0,0,0 + addp4 r33=0,r33 + addp4 r34=0,r34 };; +{ .mii; addp4 r32=0,r32 +#else +{ .mii; alloc r2=ar.pfs,3,0,0,0 +#endif add r14=8,r33 add r17=8,r34 } .body @@ -1138,7 +1231,14 @@ bn_sqr_comba4: .prologue .fframe 0 .save ar.pfs,r2 +#if defined(_HPUX_SOURCE) && defined(_ILP32) +{ .mii; alloc r2=ar.pfs,2,1,0,0 + addp4 r32=0,r32 + addp4 r33=0,r33 };; +{ .mii; +#else { .mii; alloc r2=ar.pfs,2,1,0,0 +#endif mov r34=r33 add r14=8,r33 };; .body @@ -1164,7 +1264,14 @@ bn_mul_comba4: .prologue .fframe 0 .save ar.pfs,r2 +#if defined(_HPUX_SOURCE) && defined(_ILP32) +{ .mii; alloc r2=ar.pfs,3,0,0,0 + addp4 r33=0,r33 + addp4 r34=0,r34 };; +{ .mii; addp4 r32=0,r32 +#else { .mii; alloc r2=ar.pfs,3,0,0,0 +#endif add r14=8,r33 add r17=8,r34 } .body @@ -1464,7 +1571,7 @@ bn_div_words: or r8=r8,r33 mov ar.pfs=r2 };; { .mii; shr.u r9=H,I // remainder if anybody wants it - mov pr=r10,-1 } + mov pr=r10,0x1ffff } { .mfb; br.ret.sptk.many b0 };; // Unsigned 64 by 32 (well, by 64 for the moment) bit integer division diff --git a/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s b/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s index af9730d062..f3b16290eb 100644 --- a/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s +++ b/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s @@ -747,8 +747,8 @@ bn_div_words .PROC .EXPORT bn_div_words,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,RTNVAL=GR,LONG_RETURN .IMPORT BN_num_bits_word,CODE - .IMPORT __iob,DATA - .IMPORT fprintf,CODE + ;--- not PIC .IMPORT __iob,DATA + ;--- not PIC .IMPORT fprintf,CODE .IMPORT abort,CODE .IMPORT $$div2U,MILLICODE .CALLINFO CALLER,FRAME=144,ENTRY_GR=%r9,SAVE_RP,ARGS_SAVED,ORDERING_AWARE @@ -844,12 +844,12 @@ $0006001A MOVIB,TR 2,%r8,$0006001C ;offset 0xa18 EXTRD,U %r3,63,32,%r7 ;offset 0xa1c $D2 - ADDIL LR'__iob-$global$,%r27,%r1 ;offset 0xa20 - LDIL LR'C$7,%r21 ;offset 0xa24 - LDO RR'__iob-$global$+32(%r1),%r26 ;offset 0xa28 - .CALL ARGW0=GR,ARGW1=GR,ARGW2=GR,RTNVAL=GR ;in=24,25,26;out=28; - B,L fprintf,%r2 ;offset 0xa2c - LDO RR'C$7(%r21),%r25 ;offset 0xa30 + ;--- not PIC ADDIL LR'__iob-$global$,%r27,%r1 ;offset 0xa20 + ;--- not PIC LDIL LR'C$7,%r21 ;offset 0xa24 + ;--- not PIC LDO RR'__iob-$global$+32(%r1),%r26 ;offset 0xa28 + ;--- not PIC .CALL ARGW0=GR,ARGW1=GR,ARGW2=GR,RTNVAL=GR ;in=24,25,26;out=28; + ;--- not PIC B,L fprintf,%r2 ;offset 0xa2c + ;--- not PIC LDO RR'C$7(%r21),%r25 ;offset 0xa30 .CALL ; B,L abort,%r2 ;offset 0xa34 NOP ;offset 0xa38 @@ -1605,14 +1605,14 @@ bn_mul_comba4 .PROCEND - .SPACE $TEXT$ - .SUBSPA $CODE$ - .SPACE $PRIVATE$,SORT=16 - .IMPORT $global$,DATA - .SPACE $TEXT$ - .SUBSPA $CODE$ - .SUBSPA $LIT$,ACCESS=0x2c -C$7 - .ALIGN 8 - .STRINGZ "Division would overflow (%d)\n" +;--- not PIC .SPACE $TEXT$ +;--- not PIC .SUBSPA $CODE$ +;--- not PIC .SPACE $PRIVATE$,SORT=16 +;--- not PIC .IMPORT $global$,DATA +;--- not PIC .SPACE $TEXT$ +;--- not PIC .SUBSPA $CODE$ +;--- not PIC .SUBSPA $LIT$,ACCESS=0x2c +;--- not PIC C$7 +;--- not PIC .ALIGN 8 +;--- not PIC .STRINGZ "Division would overflow (%d)\n" .END diff --git a/src/lib/libssl/src/crypto/bn/asm/vms.mar b/src/lib/libssl/src/crypto/bn/asm/vms.mar index 465f2774b6..aefab15cdb 100644 --- a/src/lib/libssl/src/crypto/bn/asm/vms.mar +++ b/src/lib/libssl/src/crypto/bn/asm/vms.mar @@ -1,4 +1,4 @@ - .title vax_bn_mul_add_word unsigned multiply & add, 32*32+32+32=>64 + .title vax_bn_mul_add_words unsigned multiply & add, 32*32+32+32=>64 ; ; w.j.m. 15-jan-1999 ; @@ -59,7 +59,7 @@ w=16 ;(AP) w by value (input) movl r6,r0 ; return c ret - .title vax_bn_mul_word unsigned multiply & add, 32*32+32=>64 + .title vax_bn_mul_words unsigned multiply & add, 32*32+32=>64 ; ; w.j.m. 15-jan-1999 ; @@ -172,147 +172,175 @@ n=12 ;(AP) n by value (input) ; } ; ; Using EDIV would be very easy, if it didn't do signed calculations. -; Therefore, som extra things have to happen around it. The way to -; handle that is to shift all operands right one step (basically dividing -; them by 2) and handle the different cases depending on what the lowest -; bit of each operand was. +; Any time any of the input numbers are signed, there are problems, +; usually with integer overflow, at which point it returns useless +; data (the quotient gets the value of l, and the remainder becomes 0). ; -; To start with, let's define the following: +; If it was just for the dividend, it would be very easy, just divide +; it by 2 (unsigned), do the division, multiply the resulting quotient +; and remainder by 2, add the bit that was dropped when dividing by 2 +; to the remainder, and do some adjustment so the remainder doesn't +; end up larger than the divisor. For some cases when the divisor is +; negative (from EDIV's point of view, i.e. when the highest bit is set), +; dividing the dividend by 2 isn't enough, and since some operations +; might generate integer overflows even when the dividend is divided by +; 4 (when the high part of the shifted down dividend ends up being exactly +; half of the divisor, the result is the quotient 0x80000000, which is +; negative...) it needs to be divided by 8. Furthermore, the divisor needs +; to be divided by 2 (unsigned) as well, to avoid more problems with the sign. +; In this case, a little extra fiddling with the remainder is required. ; -; a' = l & 1 -; a2 = >> 1 # UNSIGNED shift! -; b' = d & 1 -; b2 = d >> 1 # UNSIGNED shift! +; So, the simplest way to handle this is always to divide the dividend +; by 8, and to divide the divisor by 2 if it's highest bit is set. +; After EDIV has been used, the quotient gets multiplied by 8 if the +; original divisor was positive, otherwise 4. The remainder, oddly +; enough, is *always* multiplied by 8. +; NOTE: in the case mentioned above, where the high part of the shifted +; down dividend ends up being exactly half the shifted down divisor, we +; end up with a 33 bit quotient. That's no problem however, it usually +; means we have ended up with a too large remainder as well, and the +; problem is fixed by the last part of the algorithm (next paragraph). ; -; Now, use EDIV to calculate a quotient and a remainder: +; The routine ends with comparing the resulting remainder with the +; original divisor and if the remainder is larger, subtract the +; original divisor from it, and increase the quotient by 1. This is +; done until the remainder is smaller than the divisor. ; -; q'' = a2/b2 -; r'' = a2 - q''*b2 +; The complete algorithm looks like this: ; -; If b' is 0, the quotient is already correct, we just need to adjust the -; remainder: +; d' = d +; l' = l & 7 +; [h,l] = [h,l] >> 3 +; [q,r] = floor([h,l] / d) # This is the EDIV operation +; if (q < 0) q = -q # I doubt this is necessary any more ; -; if (b' == 0) -; { -; r = 2*r'' + a' -; q = q'' -; } -; -; If b' is 1, we need to do other adjustements. The first thought is the -; following (note that r' will not always have the right value, but an -; adjustement follows further down): -; -; if (b' == 1) -; { -; q' = q'' -; r' = a - q'*b -; -; However, one can note the folowing relationship: -; -; r'' = a2 - q''*b2 -; => 2*r'' = 2*a2 - 2*q''*b2 -; = { a = 2*a2 + a', b = 2*b2 + b' = 2*b2 + 1, -; q' = q'' } -; = a - a' - q'*(b - 1) -; = a - q'*b - a' + q' -; = r' - a' + q' -; => r' = 2*r'' - q' + a' +; r' = r >> 29 +; if (d' >= 0) +; q' = q >> 29 +; q = q << 3 +; else +; q' = q >> 30 +; q = q << 2 +; r = (r << 3) + l' ; -; This enables us to use r'' instead of discarding and calculating another -; modulo: -; -; if (b' == 1) +; if (d' < 0) ; { -; q' = q'' -; r' = (r'' << 1) - q' + a' -; -; Now, all we have to do is adjust r', because it might be < 0: -; -; while (r' < 0) +; [r',r] = [r',r] - q +; while ([r',r] < 0) ; { -; r' = r' + b -; q' = q' - 1 +; [r',r] = [r',r] + d +; [q',q] = [q',q] - 1 ; } ; } ; -; return q' +; while ([r',r] >= d') +; { +; [r',r] = [r',r] - d' +; [q',q] = [q',q] + 1 +; } +; +; return q h=4 ;(AP) h by value (input) l=8 ;(AP) l by value (input) d=12 ;(AP) d by value (input) -;aprim=r5 -;a2=r6 -;a20=r6 -;a21=r7 -;bprim=r8 -;b2=r9 -;qprim=r10 ; initially used as q'' -;rprim=r11 ; initially used as r'' - +;r2 = l, q +;r3 = h, r +;r4 = d +;r5 = l' +;r6 = r' +;r7 = d' +;r8 = q' .psect code,nowrt -.entry bn_div_words,^m +.entry bn_div_words,^m movl l(ap),r2 movl h(ap),r3 movl d(ap),r4 - movl #0,r5 - movl #0,r8 - movl #0,r0 -; movl #0,r1 + bicl3 #^XFFFFFFF8,r2,r5 ; l' = l & 7 + bicl3 #^X00000007,r2,r2 - rotl #-1,r2,r6 ; a20 = l >> 1 (almost) - rotl #-1,r3,r7 ; a21 = h >> 1 (almost) - rotl #-1,r4,r9 ; b2 = d >> 1 (almost) + bicl3 #^XFFFFFFF8,r3,r6 + bicl3 #^X00000007,r3,r3 + + addl r6,r2 - tstl r6 - bgeq 1$ - xorl2 #^X80000000,r6 ; fixup a20 so highest bit is 0 - incl r5 ; a' = 1 -1$: - tstl r7 - bgeq 2$ - xorl2 #^X80000000,r6 ; fixup a20 so highest bit is 1, - ; since that's what was lowest in a21 - xorl2 #^X80000000,r7 ; fixup a21 so highest bit is 1 -2$: - tstl r9 + rotl #-3,r2,r2 ; l = l >> 3 + rotl #-3,r3,r3 ; h = h >> 3 + + movl r4,r7 ; d' = d + + movl #0,r6 ; r' = 0 + movl #0,r8 ; q' = 0 + + tstl r4 beql 666$ ; Uh-oh, the divisor is 0... - bgtr 3$ - xorl2 #^X80000000,r9 ; fixup b2 so highest bit is 0 - incl r8 ; b' = 1 -3$: - tstl r9 - bneq 4$ ; if b2 is 0, we know that b' is 1 - tstl r3 - bneq 666$ ; if higher half isn't 0, we overflow - movl r2,r10 ; otherwise, we have our result - brb 42$ ; This is a success, really. -4$: - ediv r9,r6,r10,r11 - - tstl r8 - bneq 5$ ; If b' != 0, go to the other part -; addl3 r11,r11,r1 -; addl2 r5,r1 - brb 42$ -5$: - ashl #1,r11,r11 - subl2 r10,r11 - addl2 r5,r11 - bgeq 7$ -6$: - decl r10 - addl2 r4,r11 - blss 6$ -7$: -; movl r11,r1 + bgtr 1$ + rotl #-1,r4,r4 ; If d is negative, shift it right. + bicl2 #^X80000000,r4 ; Since d is then a large number, the + ; lowest bit is insignificant + ; (contradict that, and I'll fix the problem!) +1$: + ediv r4,r2,r2,r3 ; Do the actual division + + tstl r2 + bgeq 3$ + mnegl r2,r2 ; if q < 0, negate it +3$: + tstl r7 + blss 4$ + rotl #3,r2,r2 ; q = q << 3 + bicl3 #^XFFFFFFF8,r2,r8 ; q' gets the high bits from q + bicl3 #^X00000007,r2,r2 + bsb 41$ +4$: ; else + rotl #2,r2,r2 ; q = q << 2 + bicl3 #^XFFFFFFFC,r2,r8 ; q' gets the high bits from q + bicl3 #^X00000003,r2,r2 +41$: + rotl #3,r3,r3 ; r = r << 3 + bicl3 #^XFFFFFFF8,r3,r6 ; r' gets the high bits from r + bicl3 #^X00000007,r3,r3 + addl r5,r3 ; r = r + l' + + tstl r7 + bgeq 5$ + bitl #1,r7 + beql 5$ ; if d' < 0 && d' & 1 + subl r2,r3 ; [r',r] = [r',r] - [q',q] + sbwc r8,r6 +45$: + bgeq 5$ ; while r < 0 + decl r2 ; [q',q] = [q',q] - 1 + sbwc #0,r8 + addl r7,r3 ; [r',r] = [r',r] + d' + adwc #0,r6 + brb 45$ + +; The return points are placed in the middle to keep a short distance from +; all the branch points 42$: - movl r10,r0 +; movl r3,r1 + movl r2,r0 + ret 666$: + movl #^XFFFFFFFF,r0 ret + +5$: + tstl r6 + bneq 6$ + cmpl r3,r7 + blssu 42$ ; while [r',r] >= d' +6$: + subl r7,r3 ; [r',r] = [r',r] - d' + sbwc #0,r6 + incl r2 ; [q',q] = [q',q] + 1 + adwc #0,r8 + brb 5$ .title vax_bn_add_words unsigned add of two arrays ; diff --git a/src/lib/libssl/src/crypto/bn/asm/x86_64-gcc.c b/src/lib/libssl/src/crypto/bn/asm/x86_64-gcc.c new file mode 100644 index 0000000000..b97b394661 --- /dev/null +++ b/src/lib/libssl/src/crypto/bn/asm/x86_64-gcc.c @@ -0,0 +1,575 @@ +/* + * x86_64 BIGNUM accelerator version 0.1, December 2002. + * + * Implemented by Andy Polyakov for the OpenSSL + * project. + * + * Rights for redistribution and usage in source and binary forms are + * granted according to the OpenSSL license. Warranty of any kind is + * disclaimed. + * + * Q. Version 0.1? It doesn't sound like Andy, he used to assign real + * versions, like 1.0... + * A. Well, that's because this code is basically a quick-n-dirty + * proof-of-concept hack. As you can see it's implemented with + * inline assembler, which means that you're bound to GCC and that + * there must be a room for fine-tuning. + * + * Q. Why inline assembler? + * A. x86_64 features own ABI I'm not familiar with. Which is why + * I decided to let the compiler take care of subroutine + * prologue/epilogue as well as register allocation. + * + * Q. How much faster does it get? + * A. Unfortunately people sitting on x86_64 hardware are prohibited + * to disclose the performance numbers, so they (SuSE labs to be + * specific) wouldn't tell me. However! Very similar coding technique + * (reaching out for 128-bit result from 64x64-bit multiplication) + * results in >3 times performance improvement on MIPS and I see no + * reason why gain on x86_64 would be so much different:-) + */ + +#define BN_ULONG unsigned long + +/* + * "m"(a), "+m"(r) is the way to favor DirectPath µ-code; + * "g"(0) let the compiler to decide where does it + * want to keep the value of zero; + */ +#define mul_add(r,a,word,carry) do { \ + register BN_ULONG high,low; \ + asm ("mulq %3" \ + : "=a"(low),"=d"(high) \ + : "a"(word),"m"(a) \ + : "cc"); \ + asm ("addq %2,%0; adcq %3,%1" \ + : "+r"(carry),"+d"(high)\ + : "a"(low),"g"(0) \ + : "cc"); \ + asm ("addq %2,%0; adcq %3,%1" \ + : "+m"(r),"+d"(high) \ + : "r"(carry),"g"(0) \ + : "cc"); \ + carry=high; \ + } while (0) + +#define mul(r,a,word,carry) do { \ + register BN_ULONG high,low; \ + asm ("mulq %3" \ + : "=a"(low),"=d"(high) \ + : "a"(word),"g"(a) \ + : "cc"); \ + asm ("addq %2,%0; adcq %3,%1" \ + : "+r"(carry),"+d"(high)\ + : "a"(low),"g"(0) \ + : "cc"); \ + (r)=carry, carry=high; \ + } while (0) + +#define sqr(r0,r1,a) \ + asm ("mulq %2" \ + : "=a"(r0),"=d"(r1) \ + : "a"(a) \ + : "cc"); + +BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w) + { + BN_ULONG c1=0; + + if (num <= 0) return(c1); + + while (num&~3) + { + mul_add(rp[0],ap[0],w,c1); + mul_add(rp[1],ap[1],w,c1); + mul_add(rp[2],ap[2],w,c1); + mul_add(rp[3],ap[3],w,c1); + ap+=4; rp+=4; num-=4; + } + if (num) + { + mul_add(rp[0],ap[0],w,c1); if (--num==0) return c1; + mul_add(rp[1],ap[1],w,c1); if (--num==0) return c1; + mul_add(rp[2],ap[2],w,c1); return c1; + } + + return(c1); + } + +BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w) + { + BN_ULONG c1=0; + + if (num <= 0) return(c1); + + while (num&~3) + { + mul(rp[0],ap[0],w,c1); + mul(rp[1],ap[1],w,c1); + mul(rp[2],ap[2],w,c1); + mul(rp[3],ap[3],w,c1); + ap+=4; rp+=4; num-=4; + } + if (num) + { + mul(rp[0],ap[0],w,c1); if (--num == 0) return c1; + mul(rp[1],ap[1],w,c1); if (--num == 0) return c1; + mul(rp[2],ap[2],w,c1); + } + return(c1); + } + +void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n) + { + if (n <= 0) return; + + while (n&~3) + { + sqr(r[0],r[1],a[0]); + sqr(r[2],r[3],a[1]); + sqr(r[4],r[5],a[2]); + sqr(r[6],r[7],a[3]); + a+=4; r+=8; n-=4; + } + if (n) + { + sqr(r[0],r[1],a[0]); if (--n == 0) return; + sqr(r[2],r[3],a[1]); if (--n == 0) return; + sqr(r[4],r[5],a[2]); + } + } + +BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) +{ BN_ULONG ret,waste; + + asm ("divq %3" + : "=a"(ret),"=d"(waste) + : "a"(l),"d"(h),"g"(d) + : "cc"); + + return ret; +} + +BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n) +{ BN_ULONG ret,i; + + if (n <= 0) return 0; + + asm ( + " subq %2,%2 \n" + ".align 16 \n" + "1: movq (%4,%2,8),%0 \n" + " adcq (%5,%2,8),%0 \n" + " movq %0,(%3,%2,8) \n" + " leaq 1(%2),%2 \n" + " loop 1b \n" + " sbbq %0,%0 \n" + : "+a"(ret),"+c"(n),"+r"(i) + : "r"(rp),"r"(ap),"r"(bp) + : "cc" + ); + + return ret&1; +} + +#ifndef SIMICS +BN_ULONG bn_sub_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n) +{ BN_ULONG ret,i; + + if (n <= 0) return 0; + + asm ( + " subq %2,%2 \n" + ".align 16 \n" + "1: movq (%4,%2,8),%0 \n" + " sbbq (%5,%2,8),%0 \n" + " movq %0,(%3,%2,8) \n" + " leaq 1(%2),%2 \n" + " loop 1b \n" + " sbbq %0,%0 \n" + : "+a"(ret),"+c"(n),"+r"(i) + : "r"(rp),"r"(ap),"r"(bp) + : "cc" + ); + + return ret&1; +} +#else +/* Simics 1.4<7 has buggy sbbq:-( */ +#define BN_MASK2 0xffffffffffffffffL +BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) + { + BN_ULONG t1,t2; + int c=0; + + if (n <= 0) return((BN_ULONG)0); + + for (;;) + { + t1=a[0]; t2=b[0]; + r[0]=(t1-t2-c)&BN_MASK2; + if (t1 != t2) c=(t1 < t2); + if (--n <= 0) break; + + t1=a[1]; t2=b[1]; + r[1]=(t1-t2-c)&BN_MASK2; + if (t1 != t2) c=(t1 < t2); + if (--n <= 0) break; + + t1=a[2]; t2=b[2]; + r[2]=(t1-t2-c)&BN_MASK2; + if (t1 != t2) c=(t1 < t2); + if (--n <= 0) break; + + t1=a[3]; t2=b[3]; + r[3]=(t1-t2-c)&BN_MASK2; + if (t1 != t2) c=(t1 < t2); + if (--n <= 0) break; + + a+=4; + b+=4; + r+=4; + } + return(c); + } +#endif + +/* mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) */ +/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */ +/* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */ +/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */ + +#if 0 +/* original macros are kept for reference purposes */ +#define mul_add_c(a,b,c0,c1,c2) { \ + BN_ULONG ta=(a),tb=(b); \ + t1 = ta * tb; \ + t2 = BN_UMULT_HIGH(ta,tb); \ + c0 += t1; t2 += (c0 + */ +# define bn_div_words(n0,n1,d0) \ + ({ asm volatile ( \ + "divq %4" \ + : "=a"(q), "=d"(rem) \ + : "a"(n1), "d"(n0), "g"(d0) \ + : "cc"); \ + q; \ + }) +# define REMAINDER_IS_ALREADY_CALCULATED # endif /* __ */ # endif /* __GNUC__ */ #endif /* OPENSSL_NO_ASM */ @@ -268,6 +282,11 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, q=(BN_ULONG)(((((BN_ULLONG)n0)< 0x%08X\n", + n0, n1, d0, q); +#endif #endif #ifndef REMAINDER_IS_ALREADY_CALCULATED @@ -292,11 +311,18 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, BN_ULONG t2l,t2h,ql,qh; q=bn_div_words(n0,n1,d0); +#ifdef BN_DEBUG_LEVITTE + fprintf(stderr,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\ +X) -> 0x%08X\n", + n0, n1, d0, q); +#endif #ifndef REMAINDER_IS_ALREADY_CALCULATED rem=(n1-q*d0)&BN_MASK2; #endif -#ifdef BN_UMULT_HIGH +#if defined(BN_UMULT_LOHI) + BN_UMULT_LOHI(t2l,t2h,d1,q); +#elif defined(BN_UMULT_HIGH) t2l = d1 * q; t2h = BN_UMULT_HIGH(d1,q); #else diff --git a/src/lib/libssl/src/crypto/bn/bn_lcl.h b/src/lib/libssl/src/crypto/bn/bn_lcl.h index 8a4dba375a..5614bc6164 100644 --- a/src/lib/libssl/src/crypto/bn/bn_lcl.h +++ b/src/lib/libssl/src/crypto/bn/bn_lcl.h @@ -230,6 +230,21 @@ struct bignum_ctx : "r"(a), "r"(b)); \ ret; }) # endif /* compiler */ +# elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG) +# if defined(__GNUC__) +# define BN_UMULT_HIGH(a,b) ({ \ + register BN_ULONG ret,discard; \ + asm ("mulq %3" \ + : "=a"(discard),"=d"(ret) \ + : "a"(a), "g"(b) \ + : "cc"); \ + ret; }) +# define BN_UMULT_LOHI(low,high,a,b) \ + asm ("mulq %3" \ + : "=a"(low),"=d"(high) \ + : "a"(a),"g"(b) \ + : "cc"); +# endif # endif /* cpu */ #endif /* OPENSSL_NO_ASM */ @@ -337,7 +352,7 @@ struct bignum_ctx #define LBITS(a) ((a)&BN_MASK2l) #define HBITS(a) (((a)>>BN_BITS4)&BN_MASK2l) -#define L2HBITS(a) ((BN_ULONG)((a)&BN_MASK2l)<>BN_BITS2)&BN_MASKl) @@ -353,7 +368,7 @@ struct bignum_ctx lt=(bl)*(lt); \ m1=(bl)*(ht); \ ht =(bh)*(ht); \ - m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS(1L); \ + m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \ ht+=HBITS(m); \ m1=L2HBITS(m); \ lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \ @@ -418,20 +433,19 @@ void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a); int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n); int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl); +#if 0 +/* bn_mul.c rollback */ void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2, int dna,int dnb,BN_ULONG *t); void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n,int tna,int tnb,BN_ULONG *t); +#endif void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t); void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n); void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2, BN_ULONG *t); void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2, BN_ULONG *t); -BN_ULONG bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, - int cl, int dl); -BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, - int cl, int dl); #ifdef __cplusplus } diff --git a/src/lib/libssl/src/crypto/bn/bn_lib.c b/src/lib/libssl/src/crypto/bn/bn_lib.c index 8abe095af2..fa0ff485ad 100644 --- a/src/lib/libssl/src/crypto/bn/bn_lib.c +++ b/src/lib/libssl/src/crypto/bn/bn_lib.c @@ -263,12 +263,12 @@ void BN_clear_free(BIGNUM *a) if (a == NULL) return; if (a->d != NULL) { - memset(a->d,0,a->dmax*sizeof(a->d[0])); + OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0])); if (!(BN_get_flags(a,BN_FLG_STATIC_DATA))) OPENSSL_free(a->d); } i=BN_get_flags(a,BN_FLG_MALLOCED); - memset(a,0,sizeof(BIGNUM)); + OPENSSL_cleanse(a,sizeof(BIGNUM)); if (i) OPENSSL_free(a); } diff --git a/src/lib/libssl/src/crypto/bn/bn_mul.c b/src/lib/libssl/src/crypto/bn/bn_mul.c index b03458d002..cb93ac3356 100644 --- a/src/lib/libssl/src/crypto/bn/bn_mul.c +++ b/src/lib/libssl/src/crypto/bn/bn_mul.c @@ -56,325 +56,10 @@ * [including the GNU Public Licence.] */ -#ifndef BN_DEBUG -# undef NDEBUG /* avoid conflicting definitions */ -# define NDEBUG -#endif - #include -#include #include "cryptlib.h" #include "bn_lcl.h" -#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__)) || defined(__DJGPP__) /* Assembler implementation exists only for x86 */ -/* Here follows specialised variants of bn_add_words() and - bn_sub_words(). They have the property performing operations on - arrays of different sizes. The sizes of those arrays is expressed through - cl, which is the common length ( basicall, min(len(a),len(b)) ), and dl, - which is the delta between the two lengths, calculated as len(a)-len(b). - All lengths are the number of BN_ULONGs... For the operations that require - a result array as parameter, it must have the length cl+abs(dl). - These functions should probably end up in bn_asm.c as soon as there are - assembler counterparts for the systems that use assembler files. */ - -BN_ULONG bn_sub_part_words(BN_ULONG *r, - const BN_ULONG *a, const BN_ULONG *b, - int cl, int dl) - { - BN_ULONG c, t; - - assert(cl >= 0); - c = bn_sub_words(r, a, b, cl); - - if (dl == 0) - return c; - - r += cl; - a += cl; - b += cl; - - if (dl < 0) - { -#ifdef BN_COUNT - fprintf(stderr, " bn_sub_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c); -#endif - for (;;) - { - t = b[0]; - r[0] = (0-t-c)&BN_MASK2; - if (t != 0) c=1; - if (++dl >= 0) break; - - t = b[1]; - r[1] = (0-t-c)&BN_MASK2; - if (t != 0) c=1; - if (++dl >= 0) break; - - t = b[2]; - r[2] = (0-t-c)&BN_MASK2; - if (t != 0) c=1; - if (++dl >= 0) break; - - t = b[3]; - r[3] = (0-t-c)&BN_MASK2; - if (t != 0) c=1; - if (++dl >= 0) break; - - b += 4; - r += 4; - } - } - else - { - int save_dl = dl; -#ifdef BN_COUNT - fprintf(stderr, " bn_sub_part_words %d + %d (dl > 0, c = %d)\n", cl, dl, c); -#endif - while(c) - { - t = a[0]; - r[0] = (t-c)&BN_MASK2; - if (t != 0) c=0; - if (--dl <= 0) break; - - t = a[1]; - r[1] = (t-c)&BN_MASK2; - if (t != 0) c=0; - if (--dl <= 0) break; - - t = a[2]; - r[2] = (t-c)&BN_MASK2; - if (t != 0) c=0; - if (--dl <= 0) break; - - t = a[3]; - r[3] = (t-c)&BN_MASK2; - if (t != 0) c=0; - if (--dl <= 0) break; - - save_dl = dl; - a += 4; - r += 4; - } - if (dl > 0) - { -#ifdef BN_COUNT - fprintf(stderr, " bn_sub_part_words %d + %d (dl > 0, c == 0)\n", cl, dl); -#endif - if (save_dl > dl) - { - switch (save_dl - dl) - { - case 1: - r[1] = a[1]; - if (--dl <= 0) break; - case 2: - r[2] = a[2]; - if (--dl <= 0) break; - case 3: - r[3] = a[3]; - if (--dl <= 0) break; - } - a += 4; - r += 4; - } - } - if (dl > 0) - { -#ifdef BN_COUNT - fprintf(stderr, " bn_sub_part_words %d + %d (dl > 0, copy)\n", cl, dl); -#endif - for(;;) - { - r[0] = a[0]; - if (--dl <= 0) break; - r[1] = a[1]; - if (--dl <= 0) break; - r[2] = a[2]; - if (--dl <= 0) break; - r[3] = a[3]; - if (--dl <= 0) break; - - a += 4; - r += 4; - } - } - } - return c; - } -#endif - -BN_ULONG bn_add_part_words(BN_ULONG *r, - const BN_ULONG *a, const BN_ULONG *b, - int cl, int dl) - { - BN_ULONG c, l, t; - - assert(cl >= 0); - c = bn_add_words(r, a, b, cl); - - if (dl == 0) - return c; - - r += cl; - a += cl; - b += cl; - - if (dl < 0) - { - int save_dl = dl; -#ifdef BN_COUNT - fprintf(stderr, " bn_add_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c); -#endif - while (c) - { - l=(c+b[0])&BN_MASK2; - c=(l < c); - r[0]=l; - if (++dl >= 0) break; - - l=(c+b[1])&BN_MASK2; - c=(l < c); - r[1]=l; - if (++dl >= 0) break; - - l=(c+b[2])&BN_MASK2; - c=(l < c); - r[2]=l; - if (++dl >= 0) break; - - l=(c+b[3])&BN_MASK2; - c=(l < c); - r[3]=l; - if (++dl >= 0) break; - - save_dl = dl; - b+=4; - r+=4; - } - if (dl < 0) - { -#ifdef BN_COUNT - fprintf(stderr, " bn_add_part_words %d + %d (dl < 0, c == 0)\n", cl, dl); -#endif - if (save_dl < dl) - { - switch (dl - save_dl) - { - case 1: - r[1] = b[1]; - if (++dl >= 0) break; - case 2: - r[2] = b[2]; - if (++dl >= 0) break; - case 3: - r[3] = b[3]; - if (++dl >= 0) break; - } - b += 4; - r += 4; - } - } - if (dl < 0) - { -#ifdef BN_COUNT - fprintf(stderr, " bn_add_part_words %d + %d (dl < 0, copy)\n", cl, dl); -#endif - for(;;) - { - r[0] = b[0]; - if (++dl >= 0) break; - r[1] = b[1]; - if (++dl >= 0) break; - r[2] = b[2]; - if (++dl >= 0) break; - r[3] = b[3]; - if (++dl >= 0) break; - - b += 4; - r += 4; - } - } - } - else - { - int save_dl = dl; -#ifdef BN_COUNT - fprintf(stderr, " bn_add_part_words %d + %d (dl > 0)\n", cl, dl); -#endif - while (c) - { - t=(a[0]+c)&BN_MASK2; - c=(t < c); - r[0]=t; - if (--dl <= 0) break; - - t=(a[1]+c)&BN_MASK2; - c=(t < c); - r[1]=t; - if (--dl <= 0) break; - - t=(a[2]+c)&BN_MASK2; - c=(t < c); - r[2]=t; - if (--dl <= 0) break; - - t=(a[3]+c)&BN_MASK2; - c=(t < c); - r[3]=t; - if (--dl <= 0) break; - - save_dl = dl; - a+=4; - r+=4; - } -#ifdef BN_COUNT - fprintf(stderr, " bn_add_part_words %d + %d (dl > 0, c == 0)\n", cl, dl); -#endif - if (dl > 0) - { - if (save_dl > dl) - { - switch (save_dl - dl) - { - case 1: - r[1] = a[1]; - if (--dl <= 0) break; - case 2: - r[2] = a[2]; - if (--dl <= 0) break; - case 3: - r[3] = a[3]; - if (--dl <= 0) break; - } - a += 4; - r += 4; - } - } - if (dl > 0) - { -#ifdef BN_COUNT - fprintf(stderr, " bn_add_part_words %d + %d (dl > 0, copy)\n", cl, dl); -#endif - for(;;) - { - r[0] = a[0]; - if (--dl <= 0) break; - r[1] = a[1]; - if (--dl <= 0) break; - r[2] = a[2]; - if (--dl <= 0) break; - r[3] = a[3]; - if (--dl <= 0) break; - - a += 4; - r += 4; - } - } - } - return c; - } - #ifdef BN_RECURSION /* Karatsuba recursive multiplication algorithm * (cf. Knuth, The Art of Computer Programming, Vol. 2) */ @@ -390,15 +75,14 @@ BN_ULONG bn_add_part_words(BN_ULONG *r, * a[1]*b[1] */ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, - int dna, int dnb, BN_ULONG *t) + BN_ULONG *t) { int n=n2/2,c1,c2; - int tna=n+dna, tnb=n+dnb; unsigned int neg,zero; BN_ULONG ln,lo,*p; # ifdef BN_COUNT - fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2); + printf(" bn_mul_recursive %d * %d\n",n2,n2); # endif # ifdef BN_MUL_COMBA # if 0 @@ -408,40 +92,34 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, return; } # endif - /* Only call bn_mul_comba 8 if n2 == 8 and the - * two arrays are complete [steve] - */ - if (n2 == 8 && dna == 0 && dnb == 0) + if (n2 == 8) { bn_mul_comba8(r,a,b); return; } # endif /* BN_MUL_COMBA */ - /* Else do normal multiply */ if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) { - bn_mul_normal(r,a,n2+dna,b,n2+dnb); - if ((dna + dnb) < 0) - memset(&r[2*n2 + dna + dnb], 0, - sizeof(BN_ULONG) * -(dna + dnb)); + /* This should not happen */ + bn_mul_normal(r,a,n2,b,n2); return; } /* r=(a[0]-a[1])*(b[1]-b[0]) */ - c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna); - c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n); + c1=bn_cmp_words(a,&(a[n]),n); + c2=bn_cmp_words(&(b[n]),b,n); zero=neg=0; switch (c1*3+c2) { case -4: - bn_sub_part_words(t, &(a[n]),a, tna,tna-n); /* - */ - bn_sub_part_words(&(t[n]),b, &(b[n]),tnb,n-tnb); /* - */ + bn_sub_words(t, &(a[n]),a, n); /* - */ + bn_sub_words(&(t[n]),b, &(b[n]),n); /* - */ break; case -3: zero=1; break; case -2: - bn_sub_part_words(t, &(a[n]),a, tna,tna-n); /* - */ - bn_sub_part_words(&(t[n]),&(b[n]),b, tnb,tnb-n); /* + */ + bn_sub_words(t, &(a[n]),a, n); /* - */ + bn_sub_words(&(t[n]),&(b[n]),b, n); /* + */ neg=1; break; case -1: @@ -450,22 +128,21 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, zero=1; break; case 2: - bn_sub_part_words(t, a, &(a[n]),tna,n-tna); /* + */ - bn_sub_part_words(&(t[n]),b, &(b[n]),tnb,n-tnb); /* - */ + bn_sub_words(t, a, &(a[n]),n); /* + */ + bn_sub_words(&(t[n]),b, &(b[n]),n); /* - */ neg=1; break; case 3: zero=1; break; case 4: - bn_sub_part_words(t, a, &(a[n]),tna,n-tna); - bn_sub_part_words(&(t[n]),&(b[n]),b, tnb,tnb-n); + bn_sub_words(t, a, &(a[n]),n); + bn_sub_words(&(t[n]),&(b[n]),b, n); break; } # ifdef BN_MUL_COMBA - if (n == 4 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba4 could take - extra args to do this well */ + if (n == 4) { if (!zero) bn_mul_comba4(&(t[n2]),t,&(t[n])); @@ -475,9 +152,7 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, bn_mul_comba4(r,a,b); bn_mul_comba4(&(r[n2]),&(a[n]),&(b[n])); } - else if (n == 8 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba8 could - take extra args to do this - well */ + else if (n == 8) { if (!zero) bn_mul_comba8(&(t[n2]),t,&(t[n])); @@ -492,11 +167,11 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, { p= &(t[n2*2]); if (!zero) - bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p); + bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p); else memset(&(t[n2]),0,n2*sizeof(BN_ULONG)); - bn_mul_recursive(r,a,b,n,0,0,p); - bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,dna,dnb,p); + bn_mul_recursive(r,a,b,n,p); + bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,p); } /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign @@ -545,39 +220,39 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, /* n+tn is the word length * t needs to be n*4 is size, as does r */ -void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, - int tna, int tnb, BN_ULONG *t) +void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn, + int n, BN_ULONG *t) { int i,j,n2=n*2; unsigned int c1,c2,neg,zero; BN_ULONG ln,lo,*p; # ifdef BN_COUNT - fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n", - tna, n, tnb, n); + printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n); # endif if (n < 8) { - bn_mul_normal(r,a,n+tna,b,n+tnb); + i=tn+n; + bn_mul_normal(r,a,i,b,i); return; } /* r=(a[0]-a[1])*(b[1]-b[0]) */ - c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna); - c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n); + c1=bn_cmp_words(a,&(a[n]),n); + c2=bn_cmp_words(&(b[n]),b,n); zero=neg=0; switch (c1*3+c2) { case -4: - bn_sub_part_words(t, &(a[n]),a, tna,tna-n); /* - */ - bn_sub_part_words(&(t[n]),b, &(b[n]),tnb,n-tnb); /* - */ + bn_sub_words(t, &(a[n]),a, n); /* - */ + bn_sub_words(&(t[n]),b, &(b[n]),n); /* - */ break; case -3: zero=1; /* break; */ case -2: - bn_sub_part_words(t, &(a[n]),a, tna,tna-n); /* - */ - bn_sub_part_words(&(t[n]),&(b[n]),b, tnb,tnb-n); /* + */ + bn_sub_words(t, &(a[n]),a, n); /* - */ + bn_sub_words(&(t[n]),&(b[n]),b, n); /* + */ neg=1; break; case -1: @@ -586,16 +261,16 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, zero=1; /* break; */ case 2: - bn_sub_part_words(t, a, &(a[n]),tna,n-tna); /* + */ - bn_sub_part_words(&(t[n]),b, &(b[n]),tnb,n-tnb); /* - */ + bn_sub_words(t, a, &(a[n]),n); /* + */ + bn_sub_words(&(t[n]),b, &(b[n]),n); /* - */ neg=1; break; case 3: zero=1; /* break; */ case 4: - bn_sub_part_words(t, a, &(a[n]),tna,n-tna); - bn_sub_part_words(&(t[n]),&(b[n]),b, tnb,tnb-n); + bn_sub_words(t, a, &(a[n]),n); + bn_sub_words(&(t[n]),&(b[n]),b, n); break; } /* The zero case isn't yet implemented here. The speedup @@ -614,59 +289,54 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, { bn_mul_comba8(&(t[n2]),t,&(t[n])); bn_mul_comba8(r,a,b); - bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb); - memset(&(r[n2+tna+tnb]),0,sizeof(BN_ULONG)*(n2-tna-tnb)); + bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn); + memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2)); } else { p= &(t[n2*2]); - bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p); - bn_mul_recursive(r,a,b,n,0,0,p); + bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p); + bn_mul_recursive(r,a,b,n,p); i=n/2; /* If there is only a bottom half to the number, * just do it */ - if (tna > tnb) - j = tna - i; - else - j = tnb - i; + j=tn-i; if (j == 0) { - bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]), - i,tna-i,tnb-i,p); + bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),i,p); memset(&(r[n2+i*2]),0,sizeof(BN_ULONG)*(n2-i*2)); } else if (j > 0) /* eg, n == 16, i == 8 and tn == 11 */ { bn_mul_part_recursive(&(r[n2]),&(a[n]),&(b[n]), - i,tna-i,tnb-i,p); - memset(&(r[n2+tna+tnb]),0, - sizeof(BN_ULONG)*(n2-tna-tnb)); + j,i,p); + memset(&(r[n2+tn*2]),0, + sizeof(BN_ULONG)*(n2-tn*2)); } else /* (j < 0) eg, n == 16, i == 8 and tn == 5 */ { memset(&(r[n2]),0,sizeof(BN_ULONG)*n2); - if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL - && tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) + if (tn < BN_MUL_RECURSIVE_SIZE_NORMAL) { - bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb); + bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn); } else { for (;;) { i/=2; - if (i < tna && i < tnb) + if (i < tn) { bn_mul_part_recursive(&(r[n2]), &(a[n]),&(b[n]), - i,tna-i,tnb-i,p); + tn-i,i,p); break; } - else if (i <= tna && i <= tnb) + else if (i == tn) { bn_mul_recursive(&(r[n2]), &(a[n]),&(b[n]), - i,tna-i,tnb-i,p); + i,p); break; } } @@ -727,10 +397,10 @@ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, int n=n2/2; # ifdef BN_COUNT - fprintf(stderr," bn_mul_low_recursive %d * %d\n",n2,n2); + printf(" bn_mul_low_recursive %d * %d\n",n2,n2); # endif - bn_mul_recursive(r,a,b,n,0,0,&(t[0])); + bn_mul_recursive(r,a,b,n,&(t[0])); if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL) { bn_mul_low_recursive(&(t[0]),&(a[0]),&(b[n]),n,&(t[n2])); @@ -761,7 +431,7 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2, BN_ULONG ll,lc,*lp,*mp; # ifdef BN_COUNT - fprintf(stderr," bn_mul_high %d * %d\n",n2,n2); + printf(" bn_mul_high %d * %d\n",n2,n2); # endif n=n2/2; @@ -814,8 +484,8 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2, else # endif { - bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,0,0,&(t[n2])); - bn_mul_recursive(r,&(a[n]),&(b[n]),n,0,0,&(t[n2])); + bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,&(t[n2])); + bn_mul_recursive(r,&(a[n]),&(b[n]),n,&(t[n2])); } /* s0 == low(al*bl) @@ -940,19 +610,19 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2, int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { - int ret=0; int top,al,bl; BIGNUM *rr; + int ret = 0; #if defined(BN_MUL_COMBA) || defined(BN_RECURSION) int i; #endif #ifdef BN_RECURSION - BIGNUM *t=NULL; - int j=0,k; + BIGNUM *t; + int j,k; #endif #ifdef BN_COUNT - fprintf(stderr,"BN_mul %d * %d\n",a->top,b->top); + printf("BN_mul %d * %d\n",a->top,b->top); #endif bn_check_top(a); @@ -1005,55 +675,21 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) #ifdef BN_RECURSION if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL)) { - if (i >= -1 && i <= 1) + if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA) && bldmax) { - int sav_j =0; - /* Find out the power of two lower or equal - to the longest of the two numbers */ - if (i >= 0) - { - j = BN_num_bits_word((BN_ULONG)al); - } - if (i == -1) - { - j = BN_num_bits_word((BN_ULONG)bl); - } - sav_j = j; - j = 1<<(j-1); - assert(j <= al || j <= bl); - k = j+j; - t = BN_CTX_get(ctx); - if (al > j || bl > j) - { - bn_wexpand(t,k*4); - bn_wexpand(rr,k*4); - bn_mul_part_recursive(rr->d,a->d,b->d, - j,al-j,bl-j,t->d); - } - else /* al <= j || bl <= j */ - { - bn_wexpand(t,k*2); - bn_wexpand(rr,k*2); - bn_mul_recursive(rr->d,a->d,b->d, - j,al-j,bl-j,t->d); - } - rr->top=top; - goto end; - } -#if 0 - if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA)) - { - BIGNUM *tmp_bn = (BIGNUM *)b; - if (bn_wexpand(tmp_bn,al) == NULL) goto err; - tmp_bn->d[bl]=0; +#if 0 /* tribute to const-ification, bldmax above covers for this */ + if (bn_wexpand(b,al) == NULL) goto err; +#endif + b->d[bl]=0; bl++; i--; } - else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA)) + else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA) && aldmax) { - BIGNUM *tmp_bn = (BIGNUM *)a; - if (bn_wexpand(tmp_bn,bl) == NULL) goto err; - tmp_bn->d[al]=0; +#if 0 /* tribute to const-ification, aldmax above covers for this */ + if (bn_wexpand(a,bl) == NULL) goto err; +#endif + a->d[al]=0; al++; i++; } @@ -1070,17 +706,26 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) if (bn_wexpand(t,k*2) == NULL) goto err; if (bn_wexpand(rr,k*2) == NULL) goto err; bn_mul_recursive(rr->d,a->d,b->d,al,t->d); + rr->top=top; + goto end; } +#if 0 /* tribute to const-ification, rsa/dsa performance is not affected */ else { - if (bn_wexpand(t,k*4) == NULL) goto err; - if (bn_wexpand(rr,k*4) == NULL) goto err; + if (bn_wexpand(a,k) == NULL ) goto err; + if (bn_wexpand(b,k) == NULL ) goto err; + if (bn_wexpand(t,k*4) == NULL ) goto err; + if (bn_wexpand(rr,k*4) == NULL ) goto err; + for (i=a->top; id[i]=0; + for (i=b->top; id[i]=0; bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d); } rr->top=top; goto end; - } #endif + } } #endif /* BN_RECURSION */ if (bn_wexpand(rr,top) == NULL) goto err; @@ -1103,7 +748,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb) BN_ULONG *rr; #ifdef BN_COUNT - fprintf(stderr," bn_mul_normal %d * %d\n",na,nb); + printf(" bn_mul_normal %d * %d\n",na,nb); #endif if (na < nb) @@ -1116,13 +761,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb) } rr= &(r[na]); - if (nb <= 0) - { - (void)bn_mul_words(r,a,na,0); - return; - } - else - rr[0]=bn_mul_words(r,a,na,b[0]); + rr[0]=bn_mul_words(r,a,na,b[0]); for (;;) { @@ -1143,7 +782,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb) void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) { #ifdef BN_COUNT - fprintf(stderr," bn_mul_low_normal %d * %d\n",n,n); + printf(" bn_mul_low_normal %d * %d\n",n,n); #endif bn_mul_words(r,a,n,b[0]); diff --git a/src/lib/libssl/src/crypto/bn/bn_prime.c b/src/lib/libssl/src/crypto/bn/bn_prime.c index 918b9237c6..e072d9255c 100644 --- a/src/lib/libssl/src/crypto/bn/bn_prime.c +++ b/src/lib/libssl/src/crypto/bn/bn_prime.c @@ -140,6 +140,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BN_CTX *ctx; int checks = BN_prime_checks_for_size(bits); + BN_init(&t); ctx=BN_CTX_new(); if (ctx == NULL) goto err; if (ret == NULL) @@ -148,7 +149,6 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, } else rnd=ret; - BN_init(&t); loop: /* make a random number and set the top and bottom bits */ if (add == NULL) diff --git a/src/lib/libssl/src/crypto/bn/bn_rand.c b/src/lib/libssl/src/crypto/bn/bn_rand.c index 9e08ccd22e..893c9d2af9 100644 --- a/src/lib/libssl/src/crypto/bn/bn_rand.c +++ b/src/lib/libssl/src/crypto/bn/bn_rand.c @@ -201,7 +201,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) err: if (buf != NULL) { - memset(buf,0,bytes); + OPENSSL_cleanse(buf,bytes); OPENSSL_free(buf); } return(ret); diff --git a/src/lib/libssl/src/crypto/bn/bn_word.c b/src/lib/libssl/src/crypto/bn/bn_word.c index cd59baa2c4..988e0ca7b3 100644 --- a/src/lib/libssl/src/crypto/bn/bn_word.c +++ b/src/lib/libssl/src/crypto/bn/bn_word.c @@ -123,7 +123,10 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) i=0; for (;;) { - l=(a->d[i]+(BN_ULONG)w)&BN_MASK2; + if (i >= a->top) + l=w; + else + l=(a->d[i]+(BN_ULONG)w)&BN_MASK2; a->d[i]=l; if (w > l) w=1; diff --git a/src/lib/libssl/src/crypto/bn/bntest.c b/src/lib/libssl/src/crypto/bn/bntest.c index 8158a67374..3c8c540387 100644 --- a/src/lib/libssl/src/crypto/bn/bntest.c +++ b/src/lib/libssl/src/crypto/bn/bntest.c @@ -68,10 +68,6 @@ #include #include -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif - const int num0 = 100; /* number of tests */ const int num1 = 50; /* additional tests for some functions */ const int num2 = 5; /* number of tests for slow functions */ @@ -96,11 +92,6 @@ int test_sqrt(BIO *bp,BN_CTX *ctx); int rand_neg(void); static int results=0; -#ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 -#include "bss_file.c" -#endif - static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9" "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0"; @@ -141,10 +132,10 @@ int main(int argc, char *argv[]) ctx=BN_CTX_new(); - if (ctx == NULL) exit(1); + if (ctx == NULL) EXIT(1); out=BIO_new(BIO_s_file()); - if (out == NULL) exit(1); + if (out == NULL) EXIT(1); if (outfile == NULL) { BIO_set_fp(out,stdout,BIO_NOCLOSE); @@ -154,7 +145,7 @@ int main(int argc, char *argv[]) if (!BIO_write_filename(out,outfile)) { perror(outfile); - exit(1); + EXIT(1); } } @@ -238,14 +229,14 @@ int main(int argc, char *argv[]) BIO_free(out); /**/ - exit(0); + EXIT(0); err: BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices * the failure, see test_bn in test/Makefile.ssl*/ BIO_flush(out); ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); - exit(1); + EXIT(1); return(1); } @@ -488,7 +479,7 @@ int test_mul(BIO *bp) BN_CTX *ctx; ctx = BN_CTX_new(); - if (ctx == NULL) exit(1); + if (ctx == NULL) EXIT(1); BN_init(&a); BN_init(&b); @@ -726,7 +717,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx) while ((l=ERR_get_error())) fprintf(stderr,"ERROR:%s\n", ERR_error_string(l,NULL)); - exit(1); + EXIT(1); } if (bp != NULL) { diff --git a/src/lib/libssl/src/crypto/bn/divtest.c b/src/lib/libssl/src/crypto/bn/divtest.c index 13ba86e3c4..d3fc688f33 100644 --- a/src/lib/libssl/src/crypto/bn/divtest.c +++ b/src/lib/libssl/src/crypto/bn/divtest.c @@ -1,7 +1,7 @@ #include #include -static int rand(n) +static int Rand(n) { unsigned char x[2]; RAND_pseudo_bytes(x,2); @@ -26,8 +26,8 @@ main() BN_CTX *ctx=BN_CTX_new(); for(;;) { - BN_pseudo_rand(a,rand(),0,0); - BN_pseudo_rand(b,rand(),0,0); + BN_pseudo_rand(a,Rand(),0,0); + BN_pseudo_rand(b,Rand(),0,0); if (BN_is_zero(b)) continue; BN_RECP_CTX_set(recp,b,ctx); diff --git a/src/lib/libssl/src/crypto/bn/exptest.c b/src/lib/libssl/src/crypto/bn/exptest.c index 5ca570d1a8..b09cf88705 100644 --- a/src/lib/libssl/src/crypto/bn/exptest.c +++ b/src/lib/libssl/src/crypto/bn/exptest.c @@ -59,13 +59,13 @@ #include #include #include + +#include "../e_os.h" + #include #include #include #include -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #define NUM_BITS (BN_BITS*2) @@ -86,7 +86,7 @@ int main(int argc, char *argv[]) ERR_load_BN_strings(); ctx=BN_CTX_new(); - if (ctx == NULL) exit(1); + if (ctx == NULL) EXIT(1); r_mont=BN_new(); r_recp=BN_new(); r_simple=BN_new(); @@ -99,7 +99,7 @@ int main(int argc, char *argv[]) out=BIO_new(BIO_s_file()); - if (out == NULL) exit(1); + if (out == NULL) EXIT(1); BIO_set_fp(out,stdout,BIO_NOCLOSE); for (i=0; i<200; i++) @@ -124,7 +124,7 @@ int main(int argc, char *argv[]) { printf("BN_mod_exp_mont() problems\n"); ERR_print_errors(out); - exit(1); + EXIT(1); } ret=BN_mod_exp_recp(r_recp,a,b,m,ctx); @@ -132,7 +132,7 @@ int main(int argc, char *argv[]) { printf("BN_mod_exp_recp() problems\n"); ERR_print_errors(out); - exit(1); + EXIT(1); } ret=BN_mod_exp_simple(r_simple,a,b,m,ctx); @@ -140,7 +140,7 @@ int main(int argc, char *argv[]) { printf("BN_mod_exp_simple() problems\n"); ERR_print_errors(out); - exit(1); + EXIT(1); } if (BN_cmp(r_simple, r_mont) == 0 @@ -163,7 +163,7 @@ int main(int argc, char *argv[]) printf("\nrecp ="); BN_print(out,r_recp); printf("\nmont ="); BN_print(out,r_mont); printf("\n"); - exit(1); + EXIT(1); } } BN_free(r_mont); @@ -177,11 +177,11 @@ int main(int argc, char *argv[]) CRYPTO_mem_leaks(out); BIO_free(out); printf(" done\n"); - exit(0); + EXIT(0); err: ERR_load_crypto_strings(); ERR_print_errors(out); - exit(1); + EXIT(1); return(1); } diff --git a/src/lib/libssl/src/crypto/buffer/buffer.c b/src/lib/libssl/src/crypto/buffer/buffer.c index 9299baba9e..d96487e7db 100644 --- a/src/lib/libssl/src/crypto/buffer/buffer.c +++ b/src/lib/libssl/src/crypto/buffer/buffer.c @@ -125,6 +125,43 @@ int BUF_MEM_grow(BUF_MEM *str, int len) return(len); } +int BUF_MEM_grow_clean(BUF_MEM *str, int len) + { + char *ret; + unsigned int n; + + if (str->length >= len) + { + memset(&str->data[len],0,str->length-len); + str->length=len; + return(len); + } + if (str->max >= len) + { + memset(&str->data[str->length],0,len-str->length); + str->length=len; + return(len); + } + n=(len+3)/3*4; + if (str->data == NULL) + ret=OPENSSL_malloc(n); + else + ret=OPENSSL_realloc_clean(str->data,str->max,n); + if (ret == NULL) + { + BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); + len=0; + } + else + { + str->data=ret; + str->max=n; + memset(&str->data[str->length],0,len-str->length); + str->length=len; + } + return(len); + } + char *BUF_strdup(const char *str) { char *ret; @@ -143,3 +180,23 @@ char *BUF_strdup(const char *str) return(ret); } +size_t BUF_strlcpy(char *dst, const char *src, size_t size) + { + size_t l = 0; + for(; size > 1 && *src; size--) + { + *dst++ = *src++; + l++; + } + if (size) + *dst = '\0'; + return l + strlen(src); + } + +size_t BUF_strlcat(char *dst, const char *src, size_t size) + { + size_t l = 0; + for(; size > 0 && *dst; size--, dst++) + l++; + return l + BUF_strlcpy(dst, src, size); + } diff --git a/src/lib/libssl/src/crypto/buffer/buffer.h b/src/lib/libssl/src/crypto/buffer/buffer.h index 11e2d0359a..465dc34f3f 100644 --- a/src/lib/libssl/src/crypto/buffer/buffer.h +++ b/src/lib/libssl/src/crypto/buffer/buffer.h @@ -63,6 +63,9 @@ extern "C" { #endif +#include +#include + typedef struct buf_mem_st { int length; /* current number of bytes */ @@ -73,8 +76,14 @@ typedef struct buf_mem_st BUF_MEM *BUF_MEM_new(void); void BUF_MEM_free(BUF_MEM *a); int BUF_MEM_grow(BUF_MEM *str, int len); +int BUF_MEM_grow_clean(BUF_MEM *str, int len); char * BUF_strdup(const char *str); +/* safe string functions */ +size_t BUF_strlcpy(char *dst,const char *src,size_t siz); +size_t BUF_strlcat(char *dst,const char *src,size_t siz); + + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/src/lib/libssl/src/crypto/cast/casttest.c b/src/lib/libssl/src/crypto/cast/casttest.c index 099e790886..83e5a16c73 100644 --- a/src/lib/libssl/src/crypto/cast/casttest.c +++ b/src/lib/libssl/src/crypto/cast/casttest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_CAST int main(int argc, char *argv[]) { @@ -224,7 +226,7 @@ int main(int argc, char *argv[]) } #endif - exit(err); + EXIT(err); return(err); } #endif diff --git a/src/lib/libssl/src/crypto/comp/c_zlib.c b/src/lib/libssl/src/crypto/comp/c_zlib.c index cd2f8a491b..8c0876151a 100644 --- a/src/lib/libssl/src/crypto/comp/c_zlib.c +++ b/src/lib/libssl/src/crypto/comp/c_zlib.c @@ -208,11 +208,11 @@ COMP_METHOD *COMP_zlib(void) = (inflateInit__ft) DSO_bind_func(zlib_dso, "inflateInit_"); zlib_loaded++; - meth = &zlib_method; } } -#elif defined(ZLIB) +#endif +#if defined(ZLIB) || defined(ZLIB_SHARED) meth = &zlib_method; #endif diff --git a/src/lib/libssl/src/crypto/conf/conf_def.c b/src/lib/libssl/src/crypto/conf/conf_def.c index 5e194de60e..57d2739ae0 100644 --- a/src/lib/libssl/src/crypto/conf/conf_def.c +++ b/src/lib/libssl/src/crypto/conf/conf_def.c @@ -208,7 +208,8 @@ static int def_load(CONF *conf, const char *name, long *line) static int def_load_bio(CONF *conf, BIO *in, long *line) { -#define BUFSIZE 512 +/* The macro BUFSIZE conflicts with a system macro in VxWorks */ +#define CONFBUFSIZE 512 int bufnum=0,i,ii; BUF_MEM *buff=NULL; char *s,*p,*end; @@ -252,20 +253,21 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) section_sk=(STACK_OF(CONF_VALUE) *)sv->value; bufnum=0; + again=0; for (;;) { - again=0; - if (!BUF_MEM_grow(buff,bufnum+BUFSIZE)) + if (!BUF_MEM_grow(buff,bufnum+CONFBUFSIZE)) { CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB); goto err; } p= &(buff->data[bufnum]); *p='\0'; - BIO_gets(in, p, BUFSIZE-1); - p[BUFSIZE-1]='\0'; + BIO_gets(in, p, CONFBUFSIZE-1); + p[CONFBUFSIZE-1]='\0'; ii=i=strlen(p); - if (i == 0) break; + if (i == 0 && !again) break; + again=0; while (i > 0) { if ((p[i-1] != '\r') && (p[i-1] != '\n')) @@ -275,7 +277,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) } /* we removed some trailing stuff so there is a new * line on the end. */ - if (i == ii) + if (ii && i == ii) again=1; /* long line */ else { @@ -627,7 +629,7 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE); goto err; } - BUF_MEM_grow(buf,(strlen(p)+len-(e-from))); + BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from))); while (*p) buf->data[to++]= *(p++); from=e; diff --git a/src/lib/libssl/src/crypto/conf/conf_mall.c b/src/lib/libssl/src/crypto/conf/conf_mall.c index d702af689b..4ba40cf44c 100644 --- a/src/lib/libssl/src/crypto/conf/conf_mall.c +++ b/src/lib/libssl/src/crypto/conf/conf_mall.c @@ -63,7 +63,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif /* Load all OpenSSL builtin modules */ @@ -71,6 +73,8 @@ void OPENSSL_load_builtin_modules(void) { /* Add builtin modules here */ ASN1_add_oid_module(); +#ifndef OPENSSL_NO_ENGINE ENGINE_add_conf_module(); +#endif } diff --git a/src/lib/libssl/src/crypto/conf/conf_sap.c b/src/lib/libssl/src/crypto/conf/conf_sap.c index 97fb174303..e15c2e5546 100644 --- a/src/lib/libssl/src/crypto/conf/conf_sap.c +++ b/src/lib/libssl/src/crypto/conf/conf_sap.c @@ -63,7 +63,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif /* This is the automatic configuration loader: it is called automatically by * OpenSSL when any of a number of standard initialisation functions are called, @@ -78,8 +80,10 @@ void OPENSSL_config(const char *config_name) return; OPENSSL_load_builtin_modules(); +#ifndef OPENSSL_NO_ENGINE /* Need to load ENGINEs */ ENGINE_load_builtin_engines(); +#endif /* Add others here? */ diff --git a/src/lib/libssl/src/crypto/cryptlib.c b/src/lib/libssl/src/crypto/cryptlib.c index 612b3b93b4..2924def2bb 100644 --- a/src/lib/libssl/src/crypto/cryptlib.c +++ b/src/lib/libssl/src/crypto/cryptlib.c @@ -89,6 +89,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] = "ssl_session", "ssl_sess_cert", "ssl", + "ssl_method", "rand", "rand2", "debug_malloc", @@ -103,7 +104,8 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] = "dynlock", "engine", "ui", -#if CRYPTO_NUM_LOCKS != 31 + "hwcrhk", /* This is a HACK which will disappear in 0.9.8 */ +#if CRYPTO_NUM_LOCKS != 33 # error "Inconsistency between crypto.h and cryptlib.c" #endif }; @@ -206,10 +208,18 @@ int CRYPTO_get_new_dynlockid(void) i=sk_CRYPTO_dynlock_find(dyn_locks,NULL); /* If there was none, push, thereby creating a new one */ if (i == -1) - i=sk_CRYPTO_dynlock_push(dyn_locks,pointer); + /* Since sk_push() returns the number of items on the + stack, not the location of the pushed item, we need + to transform the returned number into a position, + by decreasing it. */ + i=sk_CRYPTO_dynlock_push(dyn_locks,pointer) - 1; + else + /* If we found a place with a NULL pointer, put our pointer + in it. */ + sk_CRYPTO_dynlock_set(dyn_locks,i,pointer); CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK); - if (!i) + if (i == -1) { dynlock_destroy_callback(pointer->data,__FILE__,__LINE__); OPENSSL_free(pointer); @@ -401,15 +411,17 @@ void CRYPTO_lock(int mode, int type, const char *file, int line) #endif if (type < 0) { - struct CRYPTO_dynlock_value *pointer - = CRYPTO_get_dynlock_value(type); - - if (pointer && dynlock_lock_callback) + if (dynlock_lock_callback != NULL) { + struct CRYPTO_dynlock_value *pointer + = CRYPTO_get_dynlock_value(type); + + OPENSSL_assert(pointer != NULL); + dynlock_lock_callback(mode, pointer, file, line); - } - CRYPTO_destroy_dynlockid(type); + CRYPTO_destroy_dynlockid(type); + } } else if (locking_callback != NULL) @@ -460,7 +472,7 @@ const char *CRYPTO_get_lock_name(int type) return("dynamic"); else if (type < CRYPTO_NUM_LOCKS) return(lock_names[type]); - else if (type-CRYPTO_NUM_LOCKS >= sk_num(app_locks)) + else if (type-CRYPTO_NUM_LOCKS > sk_num(app_locks)) return("ERROR"); else return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS)); @@ -492,3 +504,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, #endif #endif + +void OpenSSLDie(const char *file,int line,const char *assertion) + { + fprintf(stderr, + "%s(%d): OpenSSL internal error, assertion failed: %s\n", + file,line,assertion); + abort(); + } diff --git a/src/lib/libssl/src/crypto/cryptlib.h b/src/lib/libssl/src/crypto/cryptlib.h index 88e4ae509f..0d6b9d59f0 100644 --- a/src/lib/libssl/src/crypto/cryptlib.h +++ b/src/lib/libssl/src/crypto/cryptlib.h @@ -89,9 +89,9 @@ extern "C" { #define X509_CERT_DIR_EVP "SSL_CERT_DIR" #define X509_CERT_FILE_EVP "SSL_CERT_FILE" -/* size of string represenations */ -#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1) -#define HEX_SIZE(type) ((sizeof(type)*2) +/* size of string representations */ +#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1) +#define HEX_SIZE(type) (sizeof(type)*2) #ifdef __cplusplus } diff --git a/src/lib/libssl/src/crypto/crypto-lib.com b/src/lib/libssl/src/crypto/crypto-lib.com index dfcff11860..39e78c69e5 100644 --- a/src/lib/libssl/src/crypto/crypto-lib.com +++ b/src/lib/libssl/src/crypto/crypto-lib.com @@ -21,22 +21,10 @@ $! LIBRARY To just compile the [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library. $! APPS To just compile the [.xxx.EXE.CRYPTO]*.EXE $! ALL To do both LIBRARY and APPS $! -$! Specify RSAREF as P2 to compile with the RSAREF library instead of -$! the regular one. If you specify NORSAREF it will compile with the -$! regular RSAREF routines. (Note: If you are in the United States -$! you MUST compile with RSAREF unless you have a license from RSA). -$! -$! Note: The RSAREF libraries are NOT INCLUDED and you have to -$! download it from "ftp://ftp.rsa.com/rsaref". You have to -$! get the ".tar-Z" file as the ".zip" file dosen't have the -$! directory structure stored. You have to extract the file -$! into the [.RSAREF] directory under the root directory as that -$! is where the scripts will look for the files. -$! -$! Specify DEBUG or NODEBUG as P3 to compile with or without debugger +$! Specify DEBUG or NODEBUG as P2 to compile with or without debugger $! information. $! -$! Specify which compiler at P4 to try to compile under. +$! Specify which compiler at P3 to try to compile under. $! $! VAXC For VAX C. $! DECC For DEC C. @@ -45,16 +33,16 @@ $! $! If you don't speficy a compiler, it will try to determine which $! "C" compiler to use. $! -$! P5, if defined, sets a TCP/IP library to use, through one of the following +$! P4, if defined, sets a TCP/IP library to use, through one of the following $! keywords: $! $! UCX for UCX $! TCPIP for TCPIP (post UCX) $! SOCKETSHR for SOCKETSHR+NETLIB $! -$! P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up) +$! P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up) $! -$! P7, if defined, sets a choice of crypto methods to compile. +$! P6, if defined, sets a choice of crypto methods to compile. $! WARNING: this should only be done to recompile some part of an already $! fully compiled library. $! @@ -93,7 +81,6 @@ $ ENCRYPT_TYPES = "Basic,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,"+ - "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ - "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ - "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5" -$ ENCRYPT_PROGRAMS = "DES,PKCS7" $! $! Check To Make Sure We Have Valid Command Line Parameters. $! @@ -149,10 +136,6 @@ $! Define The CRYPTO-LIB We Are To Use. $! $ CRYPTO_LIB := 'EXE_DIR'LIBCRYPTO.OLB $! -$! Define The RSAREF-LIB We Are To Use. -$! -$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB -$! $! Check To See If We Already Have A "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library... $! $ IF (F$SEARCH(LIB_NAME).EQS."") @@ -175,7 +158,7 @@ $! $ APPS_DES = "DES/DES,CBC3_ENC" $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE" $ -$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time" +$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time" $ LIB_MD2 = "md2_dgst,md2_one" $ LIB_MD4 = "md4_dgst,md4_one" $ LIB_MD5 = "md5_dgst,md5_one" @@ -216,7 +199,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ - "tb_rsa,tb_dsa,tb_dh,tb_rand,tb_cipher,tb_digest,"+ - "eng_openssl,eng_dyn,eng_cnf,"+ - "hw_atalla,hw_cswift,hw_ncipher,hw_nuron,hw_ubsec,"+ - - "hw_openbsd_dev_crypto,hw_aep,hw_sureware,hw_4758_cca" + "hw_cryptodev,hw_aep,hw_sureware,hw_4758_cca" $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,aes_ctr" $ LIB_BUFFER = "buffer,buf_err" $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ - @@ -287,86 +270,6 @@ $ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time," $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + - "sha_dgst,sha1dgst,rmd_dgst,bf_enc," $! -$! Check To See If We Are Going To Use RSAREF. -$! -$ IF (RSAREF.EQS."TRUE" .AND. ENCRYPT_TYPES - "RSA".NES.ENCRYPT_TYPES - - .AND. (BUILDALL .EQS. "TRUE" .OR. BUILDALL .EQS. "LIBRARY")) -$ THEN -$! -$! Check To See If The File [-.RSAREF]RSAREF.C Is Actually There. -$! -$ IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAREF.C").EQS."") -$ THEN -$! -$! Tell The User That The File Doesn't Exist. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Doesn't Exist." -$ WRITE SYS$OUTPUT "" -$! -$! Exit The Build. -$! -$ GOTO EXIT -$! -$! End The [-.RSAREF]RSAREF.C Check. -$! -$ ENDIF -$! -$! Tell The User We Are Compiling The [-.RSAREF]RSAREF File. -$! -$ WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAREF File." -$! -$! Compile [-.RSAREF]RSAREF.C -$! -$ CC/OBJECT='OBJ_DIR'RSAREF.OBJ SYS$DISK:[-.RSAREF]RSAREF.C -$! -$! Add It To The Library. -$! -$ LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAREF.OBJ -$! -$! Delete The Object File. -$! -$ DELETE 'OBJ_DIR'RSAREF.OBJ;* -$! -$! Check To See If The File [-.RSAREF]RSAR_ERR.C Is Actually There. -$! -$ IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAR_ERR.C").EQS."") -$ THEN -$! -$! Tell The User That The File Doesn't Exist. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Doesn't Exist." -$ WRITE SYS$OUTPUT "" -$! -$! Exit The Build. -$! -$ GOTO EXIT -$! -$! End The [-.RSAREF]RSAR_ERR.C File Check. -$! -$ ENDIF -$! -$! Tell The User We Are Compiling The [-.RSAREF]RSAR_ERR File. -$! -$ WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAR_ERR File." -$! -$! Compile [-.RSAREF]RSAR_ERR.C -$! -$ CC/OBJECT='OBJ_DIR'RSAR_ERR.OBJ SYS$DISK:[-.RSAREF]RSAR_ERR.C -$! -$! Add It To The Library. -$! -$ LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAR_ERR.OBJ -$! -$! Delete The Object File. -$! -$ DELETE 'OBJ_DIR'RSAR_ERR.OBJ;* -$! -$! End The RSAREF Check. -$! -$ ENDIF -$! $! Figure Out What Other Modules We Are To Build. $! $ BUILD_SET: @@ -639,74 +542,34 @@ $! Tell the user what happens $! $ WRITE SYS$OUTPUT " ",APPLICATION,".exe" $! -$! Link The Program, Check To See If We Need To Link With RSAREF Or Not. +$! Link The Program. $! $ ON ERROR THEN GOTO NEXT_APPLICATION -$ IF (RSAREF.EQS."TRUE") -$ THEN $! -$! Check To See If We Are To Link With A Specific TCP/IP Library. +$! Check To See If We Are To Link With A Specific TCP/IP Library. $! -$ IF (TCPIP_LIB.NES."") -$ THEN -$! -$! Link With The RSAREF Library And A Specific TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - - 'OBJ_DIR''APPLICATION_OBJECTS', - - 'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, - - 'TCPIP_LIB','OPT_FILE'/OPTION -$! -$! Else... -$! -$ ELSE -$! -$! Link With The RSAREF Library And NO TCP/IP Library. +$ IF (TCPIP_LIB.NES."") +$ THEN $! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - - 'OBJ_DIR''APPLICATION_OBJECTS', - - 'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, - - 'OPT_FILE'/OPTION +$! Link With A TCP/IP Library. $! -$! End The TCP/IP Library Check. +$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - + 'OBJ_DIR''APPLICATION_OBJECTS', - + 'CRYPTO_LIB'/LIBRARY, - + 'TCPIP_LIB','OPT_FILE'/OPTION $! -$ ENDIF -$! -$! Else... +$! Else... $! $ ELSE $! -$! Don't Link With The RSAREF Routines. -$! -$! -$! Check To See If We Are To Link With A Specific TCP/IP Library. -$! -$ IF (TCPIP_LIB.NES."") -$ THEN -$! -$! Don't Link With The RSAREF Routines And TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - - 'OBJ_DIR''APPLICATION_OBJECTS', - - 'CRYPTO_LIB'/LIBRARY, - - 'TCPIP_LIB','OPT_FILE'/OPTION -$! -$! Else... -$! -$ ELSE -$! -$! Don't Link With The RSAREF Routines And Link With A TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - - 'OBJ_DIR''APPLICATION_OBJECTS',- - 'CRYPTO_LIB'/LIBRARY, - - 'OPT_FILE'/OPTION +$! Don't Link With A TCP/IP Library. $! -$! End The TCP/IP Library Check. +$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE - + 'OBJ_DIR''APPLICATION_OBJECTS',- + 'CRYPTO_LIB'/LIBRARY, - + 'OPT_FILE'/OPTION $! -$ ENDIF -$! -$! End The RSAREF Link Check. +$! End The TCP/IP Library Check. $! $ ENDIF $ GOTO NEXT_APPLICATION @@ -912,75 +775,10 @@ $ ENDIF $! $! Check To See If P2 Is Blank. $! -$ P2 = "NORSAREF" -$ IF (P2.EQS."NORSAREF") +$ IF (P2.EQS."NODEBUG") $ THEN $! -$! P2 Is NORSAREF, So Compile With The Regular RSA Libraries. -$! -$ RSAREF = "FALSE" -$ ELSE -$! -$! Check To See If We Are To Use The RSAREF Library. -$! -$ IF (P2.EQS."RSAREF") -$ THEN -$! -$! Check To Make Sure We Have The RSAREF Source Code Directory. -$! -$ IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."") -$ THEN -$! -$! We Don't Have The RSAREF Souce Code Directory, So Tell The -$! User This. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code." -$ WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'. You have to" -$ WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file doesn't have the" -$ WRITE SYS$OUTPUT "directory structure stored. You have to extract the file" -$ WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory" -$ WRITE SYS$OUTPUT "as that is where the scripts will look for the files." -$ WRITE SYS$OUTPUT "" -$! -$! Time To Exit. -$! -$ EXIT -$! -$! Else, Compile Using The RSAREF Library. -$! -$ ELSE -$ RSAREF = "TRUE" -$ ENDIF -$ ELSE -$! -$! They Entered An Invalid Option.. -$! -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P2," Is Invalid. The Valid Options Are:" -$ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT " RSAREF : Compile With The RSAREF Library." -$ WRITE SYS$OUTPUT " NORSAREF : Compile With The Regular RSA Library." -$ WRITE SYS$OUTPUT "" -$! -$! Time To EXIT. -$! -$ EXIT -$! -$! End The Valid Arguement Check. -$! -$ ENDIF -$! -$! End The P2 Check. -$! -$ ENDIF -$! -$! Check To See If P3 Is Blank. -$! -$ IF (P3.EQS."NODEBUG") -$ THEN -$! -$! P3 Is NODEBUG, So Compile Without The Debugger Information. +$! P2 Is NODEBUG, So Compile Without The Debugger Information. $! $ DEBUGGER = "NODEBUG" $ TRACEBACK = "NOTRACEBACK" @@ -993,7 +791,7 @@ $ ELSE $! $! Check To See If We Are To Compile With Debugger Information. $! -$ IF (P3.EQS."DEBUG") +$ IF (P2.EQS."DEBUG") $ THEN $! $! Compile With Debugger Information. @@ -1010,7 +808,7 @@ $! $! They Entered An Invalid Option.. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P3," Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "The Option ",P2," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " DEBUG : Compile With The Debugger Information." $ WRITE SYS$OUTPUT " NODEBUG : Compile Without The Debugger Information." @@ -1024,7 +822,7 @@ $! End The Valid Arguement Check. $! $ ENDIF $! -$! End The P3 Check. +$! End The P2 Check. $! $ ENDIF $! @@ -1034,9 +832,9 @@ $! Written By: Richard Levitte $! richard@levitte.org $! $! -$! Check To See If We Have A Option For P6. +$! Check To See If We Have A Option For P5. $! -$ IF (P6.EQS."") +$ IF (P5.EQS."") $ THEN $! $! Get The Version Of VMS We Are Using. @@ -1058,13 +856,13 @@ $! End The VMS Version Check. $! $ ENDIF $! -$! End The P6 Check. +$! End The P5 Check. $! $ ENDIF $! -$! Check To See If P4 Is Blank. +$! Check To See If P3 Is Blank. $! -$ IF (P4.EQS."") +$ IF (P3.EQS."") $ THEN $! $! O.K., The User Didn't Specify A Compiler, Let's Try To @@ -1077,7 +875,7 @@ $ THEN $! $! Looks Like GNUC, Set To Use GNUC. $! -$ P4 = "GNUC" +$ P3 = "GNUC" $! $! Else... $! @@ -1090,7 +888,7 @@ $ THEN $! $! Looks Like DECC, Set To Use DECC. $! -$ P4 = "DECC" +$ P3 = "DECC" $! $! Else... $! @@ -1098,7 +896,7 @@ $ ELSE $! $! Looks Like VAXC, Set To Use VAXC. $! -$ P4 = "VAXC" +$ P3 = "VAXC" $! $! End The VAXC Compiler Check. $! @@ -1112,9 +910,9 @@ $! End The Compiler Check. $! $ ENDIF $! -$! Check To See If We Have A Option For P5. +$! Check To See If We Have A Option For P4. $! -$ IF (P5.EQS."") +$ IF (P4.EQS."") $ THEN $! $! Find out what socket library we have available @@ -1124,7 +922,7 @@ $ THEN $! $! We have SOCKETSHR, and it is my opinion that it's the best to use. $! -$ P5 = "SOCKETSHR" +$ P4 = "SOCKETSHR" $! $! Tell the user $! @@ -1144,7 +942,7 @@ $ THEN $! $! Last resort: a UCX or UCX-compatible library $! -$ P5 = "UCX" +$ P4 = "UCX" $! $! Tell the user $! @@ -1158,7 +956,7 @@ $ ENDIF $! $! Set Up Initial CC Definitions, Possibly With User Ones $! -$ CCDEFS = "TCPIP_TYPE_''P5',DSO_VMS" +$ CCDEFS = "TCPIP_TYPE_''P4',DSO_VMS" $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS $ CCEXTRAFLAGS = "" $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS @@ -1168,12 +966,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN - $! $! Check To See If The User Entered A Valid Paramter. $! -$ IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC") +$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC") $ THEN $! $! Check To See If The User Wanted DECC. $! -$ IF (P4.EQS."DECC") +$ IF (P3.EQS."DECC") $ THEN $! $! Looks Like DECC, Set To Use DECC. @@ -1204,7 +1002,7 @@ $ ENDIF $! $! Check To See If We Are To Use VAXC. $! -$ IF (P4.EQS."VAXC") +$ IF (P3.EQS."VAXC") $ THEN $! $! Looks Like VAXC, Set To Use VAXC. @@ -1243,7 +1041,7 @@ $ ENDIF $! $! Check To See If We Are To Use GNU C. $! -$ IF (P4.EQS."GNUC") +$ IF (P3.EQS."GNUC") $ THEN $! $! Looks Like GNUC, Set To Use GNUC. @@ -1272,31 +1070,6 @@ $! Set up default defines $! $ CCDEFS = """FLAT_INC=1""," + CCDEFS $! -$! Check To See If We Are To Compile With RSAREF Routines. -$! -$ IF (RSAREF.EQS."TRUE") -$ THEN -$! -$! Compile With RSAREF. -$! -$ CCDEFS = CCDEFS + ",""RSAref=1""" -$! -$! Tell The User This. -$! -$ WRITE SYS$OUTPUT "Compiling With RSAREF Routines." -$! -$! Else, We Don't Care. Compile Without The RSAREF Library. -$! -$ ELSE -$! -$! Tell The User We Are Compile Without The RSAREF Routines. -$! -$ WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines. -$! -$! End The RSAREF Check. -$! -$ ENDIF -$! $! Finish up the definition of CC. $! $ IF COMPILER .EQS. "DECC" @@ -1315,7 +1088,7 @@ $ CC4DISABLEWARNINGS = "" $ ENDIF $ CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS $ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS -$ IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P3 .NES. "DEBUG" +$ IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P2 .NES. "DEBUG" $ THEN $ CC5 = CC + "/OPTIMIZE=NODISJOINT" $ ELSE @@ -1334,7 +1107,7 @@ $! $! Tell The User We Don't Know What They Want. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P4," Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "The Option ",P3," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " VAXC : To Compile With VAX C." $ WRITE SYS$OUTPUT " DECC : To Compile With DEC C." @@ -1360,13 +1133,13 @@ $ WRITE/SYMBOL SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO $! $! Time to check the contents, and to make sure we get the correct library. $! -$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX" - - .OR. P5.EQS."TCPIP" .OR. P5.EQS."NONE" +$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" - + .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE" $ THEN $! $! Check to see if SOCKETSHR was chosen $! -$ IF P5.EQS."SOCKETSHR" +$ IF P4.EQS."SOCKETSHR" $ THEN $! $! Set the library to use SOCKETSHR @@ -1379,12 +1152,12 @@ $ ENDIF $! $! Check to see if MULTINET was chosen $! -$ IF P5.EQS."MULTINET" +$ IF P4.EQS."MULTINET" $ THEN $! $! Set the library to use UCX emulation. $! -$ P5 = "UCX" +$ P4 = "UCX" $! $! Done with MULTINET $! @@ -1392,7 +1165,7 @@ $ ENDIF $! $! Check to see if UCX was chosen $! -$ IF P5.EQS."UCX" +$ IF P4.EQS."UCX" $ THEN $! $! Set the library to use UCX. @@ -1412,7 +1185,7 @@ $ ENDIF $! $! Check to see if TCPIP was chosen $! -$ IF P5.EQS."TCPIP" +$ IF P4.EQS."TCPIP" $ THEN $! $! Set the library to use TCPIP (post UCX). @@ -1425,7 +1198,7 @@ $ ENDIF $! $! Check to see if NONE was chosen $! -$ IF P5.EQS."NONE" +$ IF P4.EQS."NONE" $ THEN $! $! Do not use a TCPIP library. @@ -1447,7 +1220,7 @@ $! $! Tell The User We Don't Know What They Want. $! $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT "The Option ",P5," Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "The Option ",P4," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " SOCKETSHR : To link with SOCKETSHR TCP/IP library." $ WRITE SYS$OUTPUT " UCX : To link with UCX TCP/IP library." @@ -1465,10 +1238,9 @@ $! $! Check if the user wanted to compile just a subset of all the encryption $! methods. $! -$ IF P7 .NES. "" +$ IF P6 .NES. "" $ THEN -$ ENCRYPT_TYPES = P7 -$! NYI: ENCRYPT_PROGRAMS = P7 +$ ENCRYPT_TYPES = P6 $ ENDIF $! $! Time To RETURN... diff --git a/src/lib/libssl/src/crypto/crypto.h b/src/lib/libssl/src/crypto/crypto.h index fc6ff860af..273bc5e3f8 100644 --- a/src/lib/libssl/src/crypto/crypto.h +++ b/src/lib/libssl/src/crypto/crypto.h @@ -96,37 +96,39 @@ extern "C" { * names in cryptlib.c */ -#define CRYPTO_LOCK_ERR 1 -#define CRYPTO_LOCK_EX_DATA 2 -#define CRYPTO_LOCK_X509 3 -#define CRYPTO_LOCK_X509_INFO 4 -#define CRYPTO_LOCK_X509_PKEY 5 +#define CRYPTO_LOCK_ERR 1 +#define CRYPTO_LOCK_EX_DATA 2 +#define CRYPTO_LOCK_X509 3 +#define CRYPTO_LOCK_X509_INFO 4 +#define CRYPTO_LOCK_X509_PKEY 5 #define CRYPTO_LOCK_X509_CRL 6 #define CRYPTO_LOCK_X509_REQ 7 #define CRYPTO_LOCK_DSA 8 #define CRYPTO_LOCK_RSA 9 #define CRYPTO_LOCK_EVP_PKEY 10 -#define CRYPTO_LOCK_X509_STORE 11 -#define CRYPTO_LOCK_SSL_CTX 12 -#define CRYPTO_LOCK_SSL_CERT 13 -#define CRYPTO_LOCK_SSL_SESSION 14 -#define CRYPTO_LOCK_SSL_SESS_CERT 15 -#define CRYPTO_LOCK_SSL 16 -#define CRYPTO_LOCK_RAND 17 -#define CRYPTO_LOCK_RAND2 18 -#define CRYPTO_LOCK_MALLOC 19 -#define CRYPTO_LOCK_BIO 20 -#define CRYPTO_LOCK_GETHOSTBYNAME 21 -#define CRYPTO_LOCK_GETSERVBYNAME 22 -#define CRYPTO_LOCK_READDIR 23 -#define CRYPTO_LOCK_RSA_BLINDING 24 -#define CRYPTO_LOCK_DH 25 -#define CRYPTO_LOCK_MALLOC2 26 -#define CRYPTO_LOCK_DSO 27 -#define CRYPTO_LOCK_DYNLOCK 28 -#define CRYPTO_LOCK_ENGINE 29 -#define CRYPTO_LOCK_UI 30 -#define CRYPTO_NUM_LOCKS 31 +#define CRYPTO_LOCK_X509_STORE 11 +#define CRYPTO_LOCK_SSL_CTX 12 +#define CRYPTO_LOCK_SSL_CERT 13 +#define CRYPTO_LOCK_SSL_SESSION 14 +#define CRYPTO_LOCK_SSL_SESS_CERT 15 +#define CRYPTO_LOCK_SSL 16 +#define CRYPTO_LOCK_SSL_METHOD 17 +#define CRYPTO_LOCK_RAND 18 +#define CRYPTO_LOCK_RAND2 19 +#define CRYPTO_LOCK_MALLOC 20 +#define CRYPTO_LOCK_BIO 21 +#define CRYPTO_LOCK_GETHOSTBYNAME 22 +#define CRYPTO_LOCK_GETSERVBYNAME 23 +#define CRYPTO_LOCK_READDIR 24 +#define CRYPTO_LOCK_RSA_BLINDING 25 +#define CRYPTO_LOCK_DH 26 +#define CRYPTO_LOCK_MALLOC2 27 +#define CRYPTO_LOCK_DSO 28 +#define CRYPTO_LOCK_DYNLOCK 29 +#define CRYPTO_LOCK_ENGINE 30 +#define CRYPTO_LOCK_UI 31 +#define CRYPTO_LOCK_HWCRHK 32 /* This is a HACK which will disappear in 0.9.8 */ +#define CRYPTO_NUM_LOCKS 33 #define CRYPTO_LOCK 1 #define CRYPTO_UNLOCK 2 @@ -148,7 +150,7 @@ extern "C" { #endif #else #define CRYPTO_w_lock(a) -#define CRYPTO_w_unlock(a) +#define CRYPTO_w_unlock(a) #define CRYPTO_r_lock(a) #define CRYPTO_r_unlock(a) #define CRYPTO_add(a,b,c) ((*(a))+=(b)) @@ -278,6 +280,8 @@ int CRYPTO_is_mem_check_on(void); #define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__) #define OPENSSL_realloc(addr,num) \ CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__) +#define OPENSSL_realloc_clean(addr,old_num,num) \ + CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__) #define OPENSSL_remalloc(addr,num) \ CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__) #define OPENSSL_freeFunc CRYPTO_free @@ -380,8 +384,12 @@ void CRYPTO_free_locked(void *); void *CRYPTO_malloc(int num, const char *file, int line); void CRYPTO_free(void *); void *CRYPTO_realloc(void *addr,int num, const char *file, int line); +void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, + int line); void *CRYPTO_remalloc(void *addr,int num, const char *file, int line); +void OPENSSL_cleanse(void *ptr, size_t len); + void CRYPTO_set_mem_debug_options(long bits); long CRYPTO_get_mem_debug_options(void); @@ -422,6 +430,9 @@ void CRYPTO_mem_leaks(struct bio_st *bio); typedef void *CRYPTO_MEM_LEAK_CB(unsigned long, const char *, int, int, void *); void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb); +/* die if we have to */ +void OpenSSLDie(const char *file,int line,const char *assertion); +#define OPENSSL_assert(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e)) /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/src/lib/libssl/src/crypto/des/FILES0 b/src/lib/libssl/src/crypto/des/FILES0 new file mode 100644 index 0000000000..4c7ea2de7a --- /dev/null +++ b/src/lib/libssl/src/crypto/des/FILES0 @@ -0,0 +1,96 @@ +/* General stuff */ +COPYRIGHT - Copyright info. +MODES.DES - A description of the features of the different modes of DES. +FILES - This file. +INSTALL - How to make things compile. +Imakefile - For use with kerberos. +README - What this package is. +VERSION - Which version this is and what was changed. +KERBEROS - Kerberos version 4 notes. +Makefile.PL - An old makefile to build with perl5, not current. +Makefile.ssl - The SSLeay makefile +Makefile.uni - The normal unix makefile. +GNUmakefile - The makefile for use with glibc. +makefile.bc - A Borland C makefile +times - Some outputs from 'speed' on some machines. +vms.com - For use when compiling under VMS + +/* My SunOS des(1) replacement */ +des.c - des(1) source code. +des.man - des(1) manual. + +/* Testing and timing programs. */ +destest.c - Source for libdes.a test program. +speed.c - Source for libdes.a timing program. +rpw.c - Source for libdes.a testing password reading routines. + +/* libdes.a source code */ +des_crypt.man - libdes.a manual page. +des.h - Public libdes.a header file. +ecb_enc.c - des_ecb_encrypt() source, this contains the basic DES code. +ecb3_enc.c - des_ecb3_encrypt() source. +cbc_ckm.c - des_cbc_cksum() source. +cbc_enc.c - des_cbc_encrypt() source. +ncbc_enc.c - des_cbc_encrypt() that is 'normal' in that it copies + the new iv values back in the passed iv vector. +ede_enc.c - des_ede3_cbc_encrypt() cbc mode des using triple DES. +cbc3_enc.c - des_3cbc_encrypt() source, don't use this function. +cfb_enc.c - des_cfb_encrypt() source. +cfb64enc.c - des_cfb64_encrypt() cfb in 64 bit mode but setup to be + used as a stream cipher. +cfb64ede.c - des_ede3_cfb64_encrypt() cfb in 64 bit mode but setup to be + used as a stream cipher and using triple DES. +ofb_enc.c - des_cfb_encrypt() source. +ofb64_enc.c - des_ofb_encrypt() ofb in 64 bit mode but setup to be + used as a stream cipher. +ofb64ede.c - des_ede3_ofb64_encrypt() ofb in 64 bit mode but setup to be + used as a stream cipher and using triple DES. +enc_read.c - des_enc_read() source. +enc_writ.c - des_enc_write() source. +pcbc_enc.c - des_pcbc_encrypt() source. +qud_cksm.c - quad_cksum() source. +rand_key.c - des_random_key() source. +read_pwd.c - Source for des_read_password() plus related functions. +set_key.c - Source for des_set_key(). +str2key.c - Covert a string of any length into a key. +fcrypt.c - A small, fast version of crypt(3). +des_locl.h - Internal libdes.a header file. +podd.h - Odd parity tables - used in des_set_key(). +sk.h - Lookup tables used in des_set_key(). +spr.h - What is left of the S tables - used in ecb_encrypt(). +des_ver.h - header file for the external definition of the + version string. +des.doc - SSLeay documentation for the library. + +/* The perl scripts - you can ignore these files they are only + * included for the curious */ +des.pl - des in perl anyone? des_set_key and des_ecb_encrypt + both done in a perl library. +testdes.pl - Testing program for des.pl +doIP - Perl script used to develop IP xor/shift code. +doPC1 - Perl script used to develop PC1 xor/shift code. +doPC2 - Generates sk.h. +PC1 - Output of doPC1 should be the same as output from PC1. +PC2 - used in development of doPC2. +shifts.pl - Perl library used by my perl scripts. + +/* I started making a perl5 dynamic library for libdes + * but did not fully finish, these files are part of that effort. */ +DES.pm +DES.pod +DES.xs +t +typemap + +/* The following are for use with sun RPC implementaions. */ +rpc_des.h +rpc_enc.c + +/* The following are contibuted by Mark Murray . They + * are not normally built into libdes due to machine specific routines + * contained in them. They are for use in the most recent incarnation of + * export kerberos v 4 (eBones). */ +supp.c +new_rkey.c + + diff --git a/src/lib/libssl/src/crypto/des/asm/crypt586.pl b/src/lib/libssl/src/crypto/des/asm/crypt586.pl index 3d41d82f69..1d04ed6def 100644 --- a/src/lib/libssl/src/crypto/des/asm/crypt586.pl +++ b/src/lib/libssl/src/crypto/des/asm/crypt586.pl @@ -26,11 +26,18 @@ sub fcrypt_body &comment(""); &comment("Load the 2 words"); - $ks="ebp"; + $trans="ebp"; &xor( $L, $L); &xor( $R, $R); - &mov($ks,&wparam(1)); + + # PIC-ification:-) + &picmeup("edx","DES_SPtrans"); + #if ($cpp) { &picmeup("edx","DES_SPtrans"); } + #else { &lea("edx",&DWP("DES_SPtrans")); } + &push("edx"); # becomes &swtmp(1) + # + &mov($trans,&wparam(1)); # reloaded with DES_SPtrans in D_ENCRYPT &push(&DWC(25)); # add a variable @@ -39,11 +46,11 @@ sub fcrypt_body { &comment(""); &comment("Round $i"); - &D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx"); + &D_ENCRYPT($i,$L,$R,$i*2,$trans,"eax","ebx","ecx","edx"); &comment(""); &comment("Round ".sprintf("%d",$i+1)); - &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx"); + &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$trans,"eax","ebx","ecx","edx"); } &mov("ebx", &swtmp(0)); &mov("eax", $L); @@ -61,14 +68,14 @@ sub fcrypt_body &mov(&DWP(0,"edx","",0),"eax"); &mov(&DWP(4,"edx","",0),$L); - &pop("ecx"); # remove variable + &add("esp",8); # remove variables &function_end($name); } sub D_ENCRYPT { - local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_; + local($r,$L,$R,$S,$trans,$u,$tmp1,$tmp2,$t)=@_; &mov( $u, &wparam(2)); # 2 &mov( $t, $R); @@ -85,9 +92,9 @@ sub D_ENCRYPT &shl( $tmp2, 16); # 1 &xor( $u, $tmp1); # 2 &xor( $t, $tmp2); # 2 - &mov( $tmp1, &DWP(&n2a($S*4),$ks,"",0)); # 2 + &mov( $tmp1, &DWP(&n2a($S*4),$trans,"",0)); # 2 &xor( $u, $tmp1); - &mov( $tmp2, &DWP(&n2a(($S+1)*4),$ks,"",0)); # 2 + &mov( $tmp2, &DWP(&n2a(($S+1)*4),$trans,"",0)); # 2 &xor( $u, $R); &xor( $t, $R); &xor( $t, $tmp2); @@ -99,31 +106,28 @@ sub D_ENCRYPT &movb( &LB($tmp1), &LB($u) ); &movb( &LB($tmp2), &HB($u) ); &rotr( $t, 4 ); - &mov( $ks, &DWP(" $desSP",$tmp1,"",0)); + &mov( $trans, &swtmp(1)); + &xor( $L, &DWP(" ",$trans,$tmp1,0)); &movb( &LB($tmp1), &LB($t) ); - &xor( $L, $ks); - &mov( $ks, &DWP("0x200+$desSP",$tmp2,"",0)); - &xor( $L, $ks); + &xor( $L, &DWP("0x200",$trans,$tmp2,0)); &movb( &LB($tmp2), &HB($t) ); &shr( $u, 16); - &mov( $ks, &DWP("0x100+$desSP",$tmp1,"",0)); - &xor( $L, $ks); + &xor( $L, &DWP("0x100",$trans,$tmp1,0)); &movb( &LB($tmp1), &HB($u) ); &shr( $t, 16); - &mov( $ks, &DWP("0x300+$desSP",$tmp2,"",0)); - &xor( $L, $ks); - &mov( $ks, &wparam(1)); + &xor( $L, &DWP("0x300",$trans,$tmp2,0)); &movb( &LB($tmp2), &HB($t) ); &and( $u, "0xff" ); &and( $t, "0xff" ); - &mov( $tmp1, &DWP("0x600+$desSP",$tmp1,"",0)); + &mov( $tmp1, &DWP("0x600",$trans,$tmp1,0)); &xor( $L, $tmp1); - &mov( $tmp1, &DWP("0x700+$desSP",$tmp2,"",0)); + &mov( $tmp1, &DWP("0x700",$trans,$tmp2,0)); &xor( $L, $tmp1); - &mov( $tmp1, &DWP("0x400+$desSP",$u,"",0)); + &mov( $tmp1, &DWP("0x400",$trans,$u,0)); &xor( $L, $tmp1); - &mov( $tmp1, &DWP("0x500+$desSP",$t,"",0)); + &mov( $tmp1, &DWP("0x500",$trans,$t,0)); &xor( $L, $tmp1); + &mov( $trans, &wparam(1)); } sub n2a diff --git a/src/lib/libssl/src/crypto/des/asm/des-586.pl b/src/lib/libssl/src/crypto/des/asm/des-586.pl index 0d08e8a3a9..b75d3c6b3a 100644 --- a/src/lib/libssl/src/crypto/des/asm/des-586.pl +++ b/src/lib/libssl/src/crypto/des/asm/des-586.pl @@ -40,7 +40,7 @@ sub DES_encrypt &comment(""); &comment("Load the 2 words"); - $ks="ebp"; + $trans="ebp"; if ($do_ip) { @@ -72,7 +72,12 @@ sub DES_encrypt &rotl($L,3); } - &mov( $ks, &wparam(1) ); + # PIC-ification:-) + &picmeup($trans,"DES_SPtrans"); + #if ($cpp) { &picmeup($trans,"DES_SPtrans"); } + #else { &lea($trans,&DWP("DES_SPtrans")); } + + &mov( "ecx", &wparam(1) ); &cmp("ebx","0"); &je(&label("start_decrypt")); @@ -80,11 +85,11 @@ sub DES_encrypt { &comment(""); &comment("Round $i"); - &D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx"); + &D_ENCRYPT($i,$L,$R,$i*2,$trans,"eax","ebx","ecx","edx"); &comment(""); &comment("Round ".sprintf("%d",$i+1)); - &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx"); + &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$trans,"eax","ebx","ecx","edx"); } &jmp(&label("end")); @@ -94,10 +99,10 @@ sub DES_encrypt { &comment(""); &comment("Round $i"); - &D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx"); + &D_ENCRYPT(15-$i,$L,$R,$i*2,$trans,"eax","ebx","ecx","edx"); &comment(""); &comment("Round ".sprintf("%d",$i-1)); - &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx"); + &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$trans,"eax","ebx","ecx","edx"); } &set_label("end"); @@ -134,43 +139,36 @@ sub DES_encrypt sub D_ENCRYPT { - local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_; + local($r,$L,$R,$S,$trans,$u,$tmp1,$tmp2,$t)=@_; - &mov( $u, &DWP(&n2a($S*4),$ks,"",0)); + &mov( $u, &DWP(&n2a($S*4),$tmp2,"",0)); &xor( $tmp1, $tmp1); - &mov( $t, &DWP(&n2a(($S+1)*4),$ks,"",0)); + &mov( $t, &DWP(&n2a(($S+1)*4),$tmp2,"",0)); &xor( $u, $R); + &xor( $tmp2, $tmp2); &xor( $t, $R); &and( $u, "0xfcfcfcfc" ); &and( $t, "0xcfcfcfcf" ); &movb( &LB($tmp1), &LB($u) ); &movb( &LB($tmp2), &HB($u) ); &rotr( $t, 4 ); - &mov( $ks, &DWP(" $desSP",$tmp1,"",0)); + &xor( $L, &DWP(" ",$trans,$tmp1,0)); &movb( &LB($tmp1), &LB($t) ); - &xor( $L, $ks); - &mov( $ks, &DWP("0x200+$desSP",$tmp2,"",0)); - &xor( $L, $ks); ###### + &xor( $L, &DWP("0x200",$trans,$tmp2,0)); &movb( &LB($tmp2), &HB($t) ); &shr( $u, 16); - &mov( $ks, &DWP("0x100+$desSP",$tmp1,"",0)); - &xor( $L, $ks); ###### + &xor( $L, &DWP("0x100",$trans,$tmp1,0)); &movb( &LB($tmp1), &HB($u) ); &shr( $t, 16); - &mov( $ks, &DWP("0x300+$desSP",$tmp2,"",0)); - &xor( $L, $ks); - &mov( $ks, &wparam(1) ); + &xor( $L, &DWP("0x300",$trans,$tmp2,0)); &movb( &LB($tmp2), &HB($t) ); &and( $u, "0xff" ); &and( $t, "0xff" ); - &mov( $tmp1, &DWP("0x600+$desSP",$tmp1,"",0)); - &xor( $L, $tmp1); - &mov( $tmp1, &DWP("0x700+$desSP",$tmp2,"",0)); - &xor( $L, $tmp1); - &mov( $tmp1, &DWP("0x400+$desSP",$u,"",0)); - &xor( $L, $tmp1); - &mov( $tmp1, &DWP("0x500+$desSP",$t,"",0)); - &xor( $L, $tmp1); + &xor( $L, &DWP("0x600",$trans,$tmp1,0)); + &xor( $L, &DWP("0x700",$trans,$tmp2,0)); + &mov( $tmp2, &wparam(1) ); + &xor( $L, &DWP("0x400",$trans,$u,0)); + &xor( $L, &DWP("0x500",$trans,$t,0)); } sub n2a diff --git a/src/lib/libssl/src/crypto/des/cbc_cksm.c b/src/lib/libssl/src/crypto/des/cbc_cksm.c index 6c5305b99d..09a7ba56aa 100644 --- a/src/lib/libssl/src/crypto/des/cbc_cksm.c +++ b/src/lib/libssl/src/crypto/des/cbc_cksm.c @@ -93,5 +93,14 @@ DES_LONG DES_cbc_cksum(const unsigned char *in, DES_cblock *output, l2c(tout1,out); } tout0=tin0=tin1=tin[0]=tin[1]=0; + /* + Transform the data in tout1 so that it will + match the return value that the MIT Kerberos + mit_des_cbc_cksum API returns. + */ + tout1 = ((tout1 >> 24L) & 0x000000FF) + | ((tout1 >> 8L) & 0x0000FF00) + | ((tout1 << 8L) & 0x00FF0000) + | ((tout1 << 24L) & 0xFF000000); return(tout1); } diff --git a/src/lib/libssl/src/crypto/des/des.c b/src/lib/libssl/src/crypto/des/des.c index d8c846b23d..343135ff9e 100644 --- a/src/lib/libssl/src/crypto/des/des.c +++ b/src/lib/libssl/src/crypto/des/des.c @@ -427,7 +427,7 @@ void doencryption(void) k2[i-8]=k; } DES_set_key_unchecked(&k2,&ks2); - memset(k2,0,sizeof(k2)); + OPENSSL_cleanse(k2,sizeof(k2)); } else if (longk || flag3) { @@ -435,7 +435,7 @@ void doencryption(void) { DES_string_to_2keys(key,&kk,&k2); DES_set_key_unchecked(&k2,&ks2); - memset(k2,0,sizeof(k2)); + OPENSSL_cleanse(k2,sizeof(k2)); } else DES_string_to_key(key,&kk); @@ -457,8 +457,8 @@ void doencryption(void) } DES_set_key_unchecked(&kk,&ks); - memset(key,0,sizeof(key)); - memset(kk,0,sizeof(kk)); + OPENSSL_cleanse(key,sizeof(key)); + OPENSSL_cleanse(kk,sizeof(kk)); /* woops - A bug that does not showup under unix :-( */ memset(iv,0,sizeof(iv)); memset(iv2,0,sizeof(iv2)); @@ -666,18 +666,18 @@ void doencryption(void) if (l) fclose(CKSUM_OUT); } problems: - memset(buf,0,sizeof(buf)); - memset(obuf,0,sizeof(obuf)); - memset(&ks,0,sizeof(ks)); - memset(&ks2,0,sizeof(ks2)); - memset(iv,0,sizeof(iv)); - memset(iv2,0,sizeof(iv2)); - memset(kk,0,sizeof(kk)); - memset(k2,0,sizeof(k2)); - memset(uubuf,0,sizeof(uubuf)); - memset(b,0,sizeof(b)); - memset(bb,0,sizeof(bb)); - memset(cksum,0,sizeof(cksum)); + OPENSSL_cleanse(buf,sizeof(buf)); + OPENSSL_cleanse(obuf,sizeof(obuf)); + OPENSSL_cleanse(&ks,sizeof(ks)); + OPENSSL_cleanse(&ks2,sizeof(ks2)); + OPENSSL_cleanse(iv,sizeof(iv)); + OPENSSL_cleanse(iv2,sizeof(iv2)); + OPENSSL_cleanse(kk,sizeof(kk)); + OPENSSL_cleanse(k2,sizeof(k2)); + OPENSSL_cleanse(uubuf,sizeof(uubuf)); + OPENSSL_cleanse(b,sizeof(b)); + OPENSSL_cleanse(bb,sizeof(bb)); + OPENSSL_cleanse(cksum,sizeof(cksum)); if (Exit) EXIT(Exit); } diff --git a/src/lib/libssl/src/crypto/des/des.h b/src/lib/libssl/src/crypto/des/des.h index 4cb9d84fdf..daaf239dbe 100644 --- a/src/lib/libssl/src/crypto/des/des.h +++ b/src/lib/libssl/src/crypto/des/des.h @@ -56,8 +56,8 @@ * [including the GNU Public Licence.] */ -#ifndef HEADER_DES_H -#define HEADER_DES_H +#ifndef HEADER_NEW_DES_H +#define HEADER_NEW_DES_H #ifdef OPENSSL_NO_DES #error DES is disabled. diff --git a/src/lib/libssl/src/crypto/des/des_locl.h b/src/lib/libssl/src/crypto/des/des_locl.h index 70e833be3f..e44e8e98b2 100644 --- a/src/lib/libssl/src/crypto/des/des_locl.h +++ b/src/lib/libssl/src/crypto/des/des_locl.h @@ -162,7 +162,18 @@ #if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER) #define ROTATE(a,n) (_lrotr(a,n)) -#else +#elif defined(__GNUC__) && __GNUC__>=2 && !defined(__STRICT_ANSI__) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC) +# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__) +# define ROTATE(a,n) ({ register unsigned int ret; \ + asm ("rorl %1,%0" \ + : "=r"(ret) \ + : "I"(n),"0"(a) \ + : "cc"); \ + ret; \ + }) +# endif +#endif +#ifndef ROTATE #define ROTATE(a,n) (((a)>>(n))+((a)<<(32-(n)))) #endif diff --git a/src/lib/libssl/src/crypto/des/des_old.h b/src/lib/libssl/src/crypto/des/des_old.h index 51b987422a..1d840b474a 100644 --- a/src/lib/libssl/src/crypto/des/des_old.h +++ b/src/lib/libssl/src/crypto/des/des_old.h @@ -88,14 +88,14 @@ * */ -#ifndef HEADER_DES_OLD_H -#define HEADER_DES_OLD_H +#ifndef HEADER_DES_H +#define HEADER_DES_H #ifdef OPENSSL_NO_DES #error DES is disabled. #endif -#ifndef HEADER_DES_H +#ifndef HEADER_NEW_DES_H #error You must include des.h, not des_old.h directly. #endif @@ -173,10 +173,12 @@ typedef struct _ossl_old_des_ks_struct DES_fcrypt((b),(s),(r)) #define des_crypt(b,s)\ DES_crypt((b),(s)) +#if 0 #if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__) #define crypt(b,s)\ DES_crypt((b),(s)) #endif +#endif #define des_ofb_encrypt(i,o,n,l,k,iv)\ DES_ofb_encrypt((i),(o),(n),(l),&(k),(iv)) #define des_pcbc_encrypt(i,o,l,k,iv,e)\ @@ -274,8 +276,10 @@ typedef struct _ossl_old_des_ks_struct _ossl_old_des_fcrypt((b),(s),(r)) #define des_crypt(b,s)\ _ossl_old_des_crypt((b),(s)) +#if 0 #define crypt(b,s)\ _ossl_old_crypt((b),(s)) +#endif #define des_ofb_encrypt(i,o,n,l,k,iv)\ _ossl_old_des_ofb_encrypt((i),(o),(n),(l),(k),(iv)) #define des_pcbc_encrypt(i,o,l,k,iv,e)\ diff --git a/src/lib/libssl/src/crypto/des/destest.c b/src/lib/libssl/src/crypto/des/destest.c index 58e8c35dcb..687c00c792 100644 --- a/src/lib/libssl/src/crypto/des/destest.c +++ b/src/lib/libssl/src/crypto/des/destest.c @@ -84,9 +84,7 @@ int main(int argc, char *argv[]) #else #include -#if defined(PERL5) || defined(__FreeBSD__) || defined(NeXT) #define crypt(c,s) (des_crypt((c),(s))) -#endif /* tisk tisk - the test keys don't all have odd parity :-( */ /* test data */ @@ -322,7 +320,11 @@ static unsigned char ofb_cipher[24]= 0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3 }; +#if 0 static DES_LONG cbc_cksum_ret=0xB462FEF7L; +#else +static DES_LONG cbc_cksum_ret=0xF7FE62B4L; +#endif static unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4}; static char *pt(unsigned char *p); diff --git a/src/lib/libssl/src/crypto/des/read2pwd.c b/src/lib/libssl/src/crypto/des/read2pwd.c index b4720c3a98..3a63c4016c 100644 --- a/src/lib/libssl/src/crypto/des/read2pwd.c +++ b/src/lib/libssl/src/crypto/des/read2pwd.c @@ -120,8 +120,8 @@ int DES_read_password(DES_cblock *key, const char *prompt, int verify) if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0) DES_string_to_key(buf,key); - memset(buf,0,BUFSIZ); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buf,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ok); } @@ -133,7 +133,7 @@ int DES_read_2passwords(DES_cblock *key1, DES_cblock *key2, const char *prompt, if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0) DES_string_to_2keys(buf,key1,key2); - memset(buf,0,BUFSIZ); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buf,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ok); } diff --git a/src/lib/libssl/src/crypto/des/read_pwd.c b/src/lib/libssl/src/crypto/des/read_pwd.c index 9061935f21..ce5fa00a37 100644 --- a/src/lib/libssl/src/crypto/des/read_pwd.c +++ b/src/lib/libssl/src/crypto/des/read_pwd.c @@ -101,8 +101,10 @@ #ifdef WIN_CONSOLE_BUG #include +#ifndef OPENSSL_SYS_WINCE #include #endif +#endif /* There are 5 types of terminal interface supported, @@ -133,7 +135,7 @@ #define SGTTY #endif -#if defined(OPENSSL_SYS_VSWORKS) +#if defined(OPENSSL_SYS_VXWORKS) #undef TERMIOS #undef TERMIO #undef SGTTY @@ -167,7 +169,7 @@ #include #endif -#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__) +#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__) && !defined(OPENSSL_SYS_WINCE) #include #define fgets(a,b,c) noecho_fgets(a,b,c) #endif @@ -218,11 +220,29 @@ int des_read_pw_string(char *buf, int length, const char *prompt, int ret; ret=des_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ret); } -#ifndef OPENSSL_SYS_WIN16 +#ifdef OPENSSL_SYS_WINCE + +int des_read_pw(char *buf, char *buff, int size, const char *prompt, int verify) + { + memset(buf,0,size); + memset(buff,0,size); + return(0); + } + +#elif defined(OPENSSL_SYS_WIN16) + +int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify) + { + memset(buf,0,size); + memset(buff,0,size); + return(0); + } + +#else /* !OPENSSL_SYS_WINCE && !OPENSSL_SYS_WIN16 */ static void read_till_nl(FILE *in) { @@ -274,7 +294,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt, #ifdef OPENSSL_SYS_MSDOS if ((tty=fopen("con","r")) == NULL) tty=stdin; -#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VSWORKS) +#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VXWORKS) tty=stdin; #else #ifndef OPENSSL_SYS_MPE @@ -393,17 +413,6 @@ error: return(!ok); } -#else /* OPENSSL_SYS_WIN16 */ - -int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify) - { - memset(buf,0,size); - memset(buff,0,size); - return(0); - } - -#endif - static void pushsig(void) { int i; @@ -466,7 +475,7 @@ static void recsig(int i) #endif } -#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16) +#ifdef OPENSSL_SYS_MSDOS static int noecho_fgets(char *buf, int size, FILE *tty) { int i; @@ -509,3 +518,4 @@ static int noecho_fgets(char *buf, int size, FILE *tty) return(strlen(buf)); } #endif +#endif /* !OPENSSL_SYS_WINCE && !WIN16 */ diff --git a/src/lib/libssl/src/crypto/des/str2key.c b/src/lib/libssl/src/crypto/des/str2key.c index 36c3f81d99..0373db469c 100644 --- a/src/lib/libssl/src/crypto/des/str2key.c +++ b/src/lib/libssl/src/crypto/des/str2key.c @@ -94,7 +94,7 @@ void DES_string_to_key(const char *str, DES_cblock *key) DES_set_key_unchecked(key,&ks); #endif DES_cbc_cksum((const unsigned char*)str,key,length,&ks,key); - memset(&ks,0,sizeof(ks)); + OPENSSL_cleanse(&ks,sizeof(ks)); DES_set_odd_parity(key); } @@ -167,7 +167,7 @@ void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2) DES_set_key_unchecked(key2,&ks); #endif DES_cbc_cksum((const unsigned char*)str,key2,length,&ks,key2); - memset(&ks,0,sizeof(ks)); + OPENSSL_cleanse(&ks,sizeof(ks)); DES_set_odd_parity(key1); DES_set_odd_parity(key2); } diff --git a/src/lib/libssl/src/crypto/dh/dh_key.c b/src/lib/libssl/src/crypto/dh/dh_key.c index 1a0efca2c4..77f2f50b51 100644 --- a/src/lib/libssl/src/crypto/dh/dh_key.c +++ b/src/lib/libssl/src/crypto/dh/dh_key.c @@ -61,7 +61,6 @@ #include #include #include -#include static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); diff --git a/src/lib/libssl/src/crypto/dh/dh_lib.c b/src/lib/libssl/src/crypto/dh/dh_lib.c index ba5fd41057..09965ee2ea 100644 --- a/src/lib/libssl/src/crypto/dh/dh_lib.c +++ b/src/lib/libssl/src/crypto/dh/dh_lib.c @@ -60,7 +60,9 @@ #include "cryptlib.h" #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT; @@ -85,11 +87,13 @@ int DH_set_method(DH *dh, const DH_METHOD *meth) const DH_METHOD *mtmp; mtmp = dh->meth; if (mtmp->finish) mtmp->finish(dh); +#ifndef OPENSSL_NO_ENGINE if (dh->engine) { ENGINE_finish(dh->engine); dh->engine = NULL; } +#endif dh->meth = meth; if (meth->init) meth->init(dh); return 1; @@ -112,6 +116,7 @@ DH *DH_new_method(ENGINE *engine) } ret->meth = DH_get_default_method(); +#ifndef OPENSSL_NO_ENGINE if (engine) { if (!ENGINE_init(engine)) @@ -135,6 +140,7 @@ DH *DH_new_method(ENGINE *engine) return NULL; } } +#endif ret->pad=0; ret->version=0; @@ -154,8 +160,10 @@ DH *DH_new_method(ENGINE *engine) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { +#ifndef OPENSSL_NO_ENGINE if (ret->engine) ENGINE_finish(ret->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data); OPENSSL_free(ret); ret=NULL; @@ -182,8 +190,10 @@ void DH_free(DH *r) if (r->meth->finish) r->meth->finish(r); +#ifndef OPENSSL_NO_ENGINE if (r->engine) ENGINE_finish(r->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data); diff --git a/src/lib/libssl/src/crypto/dh/dhtest.c b/src/lib/libssl/src/crypto/dh/dhtest.c index 34894ced73..d75077f9fa 100644 --- a/src/lib/libssl/src/crypto/dh/dhtest.c +++ b/src/lib/libssl/src/crypto/dh/dhtest.c @@ -59,9 +59,9 @@ #include #include #include -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif + +#include "../e_os.h" + #include #include #include @@ -84,10 +84,6 @@ int main(int argc, char *argv[]) #endif static void MS_CALLBACK cb(int p, int n, void *arg); -#ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 -#include "bss_file.c" -#endif static const char rnd_seed[] = "string to make the random number generator think it has entropy"; @@ -111,7 +107,7 @@ int main(int argc, char *argv[]) RAND_seed(rnd_seed, sizeof rnd_seed); out=BIO_new(BIO_s_file()); - if (out == NULL) exit(1); + if (out == NULL) EXIT(1); BIO_set_fp(out,stdout,BIO_NOCLOSE); a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out); @@ -195,7 +191,7 @@ err: CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); CRYPTO_mem_leaks_fp(stderr); - exit(ret); + EXIT(ret); return(ret); } diff --git a/src/lib/libssl/src/crypto/dsa/dsa_lib.c b/src/lib/libssl/src/crypto/dsa/dsa_lib.c index da2cdfa3d6..4171af24c6 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa_lib.c +++ b/src/lib/libssl/src/crypto/dsa/dsa_lib.c @@ -63,7 +63,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT; @@ -93,11 +95,13 @@ int DSA_set_method(DSA *dsa, const DSA_METHOD *meth) const DSA_METHOD *mtmp; mtmp = dsa->meth; if (mtmp->finish) mtmp->finish(dsa); +#ifndef OPENSSL_NO_ENGINE if (dsa->engine) { ENGINE_finish(dsa->engine); dsa->engine = NULL; } +#endif dsa->meth = meth; if (meth->init) meth->init(dsa); return 1; @@ -114,6 +118,7 @@ DSA *DSA_new_method(ENGINE *engine) return(NULL); } ret->meth = DSA_get_default_method(); +#ifndef OPENSSL_NO_ENGINE if (engine) { if (!ENGINE_init(engine)) @@ -138,6 +143,7 @@ DSA *DSA_new_method(ENGINE *engine) return NULL; } } +#endif ret->pad=0; ret->version=0; @@ -158,8 +164,10 @@ DSA *DSA_new_method(ENGINE *engine) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { +#ifndef OPENSSL_NO_ENGINE if (ret->engine) ENGINE_finish(ret->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); OPENSSL_free(ret); ret=NULL; @@ -189,8 +197,10 @@ void DSA_free(DSA *r) if(r->meth->finish) r->meth->finish(r); +#ifndef OPENSSL_NO_ENGINE if(r->engine) ENGINE_finish(r->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data); @@ -224,7 +234,10 @@ int DSA_size(const DSA *r) { int ret,i; ASN1_INTEGER bs; - unsigned char buf[4]; + unsigned char buf[4]; /* 4 bytes looks really small. + However, i2d_ASN1_INTEGER() will not look + beyond the first byte, as long as the second + parameter is NULL. */ i=BN_num_bits(r->q); bs.length=(i+7)/8; diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c index 37dd5fc994..b9e7f3ea5c 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c +++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c @@ -64,7 +64,6 @@ #include #include #include -#include static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); @@ -106,13 +105,15 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) int i,reason=ERR_R_BN_LIB; DSA_SIG *ret=NULL; + BN_init(&m); + BN_init(&xr); + if (!dsa->p || !dsa->q || !dsa->g) { reason=DSA_R_MISSING_PARAMETERS; goto err; } - BN_init(&m); - BN_init(&xr); + s=BN_new(); if (s == NULL) goto err; @@ -178,6 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS); return 0; } + + BN_init(&k); + if (ctx_in == NULL) { if ((ctx=BN_CTX_new()) == NULL) goto err; @@ -185,7 +189,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) else ctx=ctx_in; - BN_init(&k); if ((r=BN_new()) == NULL) goto err; kinv=NULL; @@ -241,11 +244,12 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, return -1; } - if ((ctx=BN_CTX_new()) == NULL) goto err; BN_init(&u1); BN_init(&u2); BN_init(&t1); + if ((ctx=BN_CTX_new()) == NULL) goto err; + if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0) { ret = 0; diff --git a/src/lib/libssl/src/crypto/dsa/dsa_sign.c b/src/lib/libssl/src/crypto/dsa/dsa_sign.c index e9469ca62f..89205026f0 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa_sign.c +++ b/src/lib/libssl/src/crypto/dsa/dsa_sign.c @@ -64,7 +64,6 @@ #include #include #include -#include DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { diff --git a/src/lib/libssl/src/crypto/dsa/dsa_vrf.c b/src/lib/libssl/src/crypto/dsa/dsa_vrf.c index 066c6b5b28..c4aeddd056 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa_vrf.c +++ b/src/lib/libssl/src/crypto/dsa/dsa_vrf.c @@ -65,7 +65,6 @@ #include #include #include -#include int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) diff --git a/src/lib/libssl/src/crypto/dsa/dsagen.c b/src/lib/libssl/src/crypto/dsa/dsagen.c index a0b0976640..1b6a1cca0f 100644 --- a/src/lib/libssl/src/crypto/dsa/dsagen.c +++ b/src/lib/libssl/src/crypto/dsa/dsagen.c @@ -103,7 +103,7 @@ main() bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); memcpy(seed_buf,seed,20); - dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb); + dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb,bio_err); if (dsa == NULL) DSA_print(bio_err,dsa,0); diff --git a/src/lib/libssl/src/crypto/dsa/dsatest.c b/src/lib/libssl/src/crypto/dsa/dsatest.c index 12da64f9f4..4734ce4af8 100644 --- a/src/lib/libssl/src/crypto/dsa/dsatest.c +++ b/src/lib/libssl/src/crypto/dsa/dsatest.c @@ -61,14 +61,13 @@ #include #include #include + +#include "../e_os.h" + #include #include #include #include -#include -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #ifdef OPENSSL_NO_DSA int main(int argc, char *argv[]) @@ -212,10 +211,16 @@ end: BIO_free(bio_err); bio_err = NULL; } - exit(!ret); + EXIT(!ret); return(0); } +static int cb_exit(int ec) + { + EXIT(ec); + return(0); /* To keep some compilers quiet */ + } + static void MS_CALLBACK dsa_cb(int p, int n, void *arg) { char c='*'; @@ -231,7 +236,7 @@ static void MS_CALLBACK dsa_cb(int p, int n, void *arg) if (!ok && (p == 0) && (num > 1)) { BIO_printf((BIO *)arg,"error in dsatest\n"); - exit(1); + cb_exit(1); } } #endif diff --git a/src/lib/libssl/src/crypto/dso/dso_dl.c b/src/lib/libssl/src/crypto/dso/dso_dl.c index 195717e993..79d2cb4d8c 100644 --- a/src/lib/libssl/src/crypto/dso/dso_dl.c +++ b/src/lib/libssl/src/crypto/dso/dso_dl.c @@ -126,7 +126,7 @@ static int dl_load(DSO *dso) DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME); goto err; } - ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, NULL); + ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, 0L); if(ptr == NULL) { DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED); diff --git a/src/lib/libssl/src/crypto/dso/dso_win32.c b/src/lib/libssl/src/crypto/dso/dso_win32.c index af8586d754..6c30deb250 100644 --- a/src/lib/libssl/src/crypto/dso/dso_win32.c +++ b/src/lib/libssl/src/crypto/dso/dso_win32.c @@ -61,7 +61,7 @@ #include "cryptlib.h" #include -#ifndef OPENSSL_SYS_WIN32 +#if !defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE) DSO_METHOD *DSO_METHOD_win32(void) { return NULL; diff --git a/src/lib/libssl/src/crypto/ec/ec.h b/src/lib/libssl/src/crypto/ec/ec.h index a52d4edf14..6d6a9b7127 100644 --- a/src/lib/libssl/src/crypto/ec/ec.h +++ b/src/lib/libssl/src/crypto/ec/ec.h @@ -195,7 +195,6 @@ void ERR_load_EC_strings(void); #define EC_F_EC_GROUP_GET0_GENERATOR 139 #define EC_F_EC_GROUP_GET_COFACTOR 140 #define EC_F_EC_GROUP_GET_CURVE_GFP 130 -#define EC_F_EC_GROUP_GET_EXTRA_DATA 107 #define EC_F_EC_GROUP_GET_ORDER 141 #define EC_F_EC_GROUP_NEW 108 #define EC_F_EC_GROUP_PRECOMPUTE_MULT 142 @@ -232,7 +231,6 @@ void ERR_load_EC_strings(void); #define EC_R_INVALID_FIELD 103 #define EC_R_INVALID_FORM 104 #define EC_R_NOT_INITIALIZED 111 -#define EC_R_NO_SUCH_EXTRA_DATA 105 #define EC_R_POINT_AT_INFINITY 106 #define EC_R_POINT_IS_NOT_ON_CURVE 107 #define EC_R_SLOT_FULL 108 diff --git a/src/lib/libssl/src/crypto/ec/ec_err.c b/src/lib/libssl/src/crypto/ec/ec_err.c index 394cdc021f..d37b6aba87 100644 --- a/src/lib/libssl/src/crypto/ec/ec_err.c +++ b/src/lib/libssl/src/crypto/ec/ec_err.c @@ -84,7 +84,6 @@ static ERR_STRING_DATA EC_str_functs[]= {ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0), "EC_GROUP_get0_generator"}, {ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0), "EC_GROUP_get_cofactor"}, {ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0), "EC_GROUP_get_curve_GFp"}, -{ERR_PACK(0,EC_F_EC_GROUP_GET_EXTRA_DATA,0), "EC_GROUP_get_extra_data"}, {ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0), "EC_GROUP_get_order"}, {ERR_PACK(0,EC_F_EC_GROUP_NEW,0), "EC_GROUP_new"}, {ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0), "EC_GROUP_precompute_mult"}, @@ -124,7 +123,6 @@ static ERR_STRING_DATA EC_str_reasons[]= {EC_R_INVALID_FIELD ,"invalid field"}, {EC_R_INVALID_FORM ,"invalid form"}, {EC_R_NOT_INITIALIZED ,"not initialized"}, -{EC_R_NO_SUCH_EXTRA_DATA ,"no such extra data"}, {EC_R_POINT_AT_INFINITY ,"point at infinity"}, {EC_R_POINT_IS_NOT_ON_CURVE ,"point is not on curve"}, {EC_R_SLOT_FULL ,"slot full"}, diff --git a/src/lib/libssl/src/crypto/ec/ec_lib.c b/src/lib/libssl/src/crypto/ec/ec_lib.c index 0cf485de60..deb522060f 100644 --- a/src/lib/libssl/src/crypto/ec/ec_lib.c +++ b/src/lib/libssl/src/crypto/ec/ec_lib.c @@ -128,7 +128,7 @@ void EC_GROUP_clear_free(EC_GROUP *group) EC_GROUP_clear_free_extra_data(group); - memset(group, 0, sizeof *group); + OPENSSL_cleanse(group, sizeof *group); OPENSSL_free(group); } @@ -268,7 +268,9 @@ void *EC_GROUP_get_extra_data(const EC_GROUP *group, void *(*extra_data_dup_func || (group->extra_data_free_func != extra_data_free_func) || (group->extra_data_clear_free_func != extra_data_clear_free_func)) { - ECerr(EC_F_EC_GROUP_GET_EXTRA_DATA, EC_R_NO_SUCH_EXTRA_DATA); +#if 0 /* this was an error in 0.9.7, but that does not make a lot of sense */ + ECerr(..._F_EC_GROUP_GET_EXTRA_DATA, ..._R_NO_SUCH_EXTRA_DATA); +#endif return NULL; } @@ -357,7 +359,7 @@ void EC_POINT_clear_free(EC_POINT *point) point->meth->point_clear_finish(point); else if (point->meth != NULL && point->meth->point_finish != 0) point->meth->point_finish(point); - memset(point, 0, sizeof *point); + OPENSSL_cleanse(point, sizeof *point); OPENSSL_free(point); } diff --git a/src/lib/libssl/src/crypto/ec/ec_mult.c b/src/lib/libssl/src/crypto/ec/ec_mult.c index 603ba31b81..4dbc931120 100644 --- a/src/lib/libssl/src/crypto/ec/ec_mult.c +++ b/src/lib/libssl/src/crypto/ec/ec_mult.c @@ -209,6 +209,17 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */ int ret = 0; + if (group->meth != r->meth) + { + ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); + return 0; + } + + if ((scalar == NULL) && (num == 0)) + { + return EC_POINT_set_to_infinity(group, r); + } + if (scalar != NULL) { generator = EC_GROUP_get0_generator(group); diff --git a/src/lib/libssl/src/crypto/ec/ectest.c b/src/lib/libssl/src/crypto/ec/ectest.c index eab46cc080..345d3e4289 100644 --- a/src/lib/libssl/src/crypto/ec/ectest.c +++ b/src/lib/libssl/src/crypto/ec/ectest.c @@ -55,6 +55,11 @@ #include #include +#ifdef FLAT_INC +#include "e_os.h" +#else +#include "../e_os.h" +#endif #include #include @@ -65,14 +70,16 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur #include +#ifndef OPENSSL_NO_ENGINE #include +#endif #include #define ABORT do { \ fflush(stdout); \ fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \ ERR_print_errors_fp(stderr); \ - exit(1); \ + EXIT(1); \ } while (0) #if 0 @@ -623,7 +630,9 @@ int main(int argc, char *argv[]) if (P_384) EC_GROUP_free(P_384); if (P_521) EC_GROUP_free(P_521); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); diff --git a/src/lib/libssl/src/crypto/engine/eng_all.c b/src/lib/libssl/src/crypto/engine/eng_all.c index b3030fe505..0f6992a40d 100644 --- a/src/lib/libssl/src/crypto/engine/eng_all.c +++ b/src/lib/libssl/src/crypto/engine/eng_all.c @@ -95,8 +95,19 @@ void ENGINE_load_builtin_engines(void) #ifndef OPENSSL_NO_HW_4758_CCA ENGINE_load_4758cca(); #endif -#ifdef OPENSSL_OPENBSD_DEV_CRYPTO - ENGINE_load_openbsd_dev_crypto(); +#if defined(__OpenBSD__) || defined(__FreeBSD__) + ENGINE_load_cryptodev(); #endif #endif } + +#if defined(__OpenBSD__) || defined(__FreeBSD__) +void ENGINE_setup_bsd_cryptodev(void) { + static int bsd_cryptodev_default_loaded = 0; + if (!bsd_cryptodev_default_loaded) { + ENGINE_load_cryptodev(); + ENGINE_register_all_complete(); + } + bsd_cryptodev_default_loaded=1; +} +#endif diff --git a/src/lib/libssl/src/crypto/engine/eng_err.c b/src/lib/libssl/src/crypto/engine/eng_err.c index f6c5630395..814d95ee32 100644 --- a/src/lib/libssl/src/crypto/engine/eng_err.c +++ b/src/lib/libssl/src/crypto/engine/eng_err.c @@ -1,6 +1,6 @@ /* crypto/engine/eng_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -96,6 +96,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]= {ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0), "ENGINE_set_name"}, {ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0), "ENGINE_TABLE_REGISTER"}, {ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0), "ENGINE_UNLOAD_KEY"}, +{ERR_PACK(0,ENGINE_F_ENGINE_UP_REF,0), "ENGINE_up_ref"}, {ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0), "INT_CTRL_HELPER"}, {ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0), "INT_ENGINE_CONFIGURE"}, {ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0), "LOG_MESSAGE"}, diff --git a/src/lib/libssl/src/crypto/engine/eng_fat.c b/src/lib/libssl/src/crypto/engine/eng_fat.c index f7edb5ad32..0d7dae00b2 100644 --- a/src/lib/libssl/src/crypto/engine/eng_fat.c +++ b/src/lib/libssl/src/crypto/engine/eng_fat.c @@ -66,18 +66,18 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags) if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e)) return 0; #ifndef OPENSSL_NO_RSA - if((flags & ENGINE_METHOD_RSA) & !ENGINE_set_default_RSA(e)) + if((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e)) return 0; #endif #ifndef OPENSSL_NO_DSA - if((flags & ENGINE_METHOD_DSA) & !ENGINE_set_default_DSA(e)) + if((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e)) return 0; #endif #ifndef OPENSSL_NO_DH - if((flags & ENGINE_METHOD_DH) & !ENGINE_set_default_DH(e)) + if((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e)) return 0; #endif - if((flags & ENGINE_METHOD_RAND) & !ENGINE_set_default_RAND(e)) + if((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e)) return 0; return 1; } diff --git a/src/lib/libssl/src/crypto/engine/eng_init.c b/src/lib/libssl/src/crypto/engine/eng_init.c index 98caa21e32..170c1791b3 100644 --- a/src/lib/libssl/src/crypto/engine/eng_init.c +++ b/src/lib/libssl/src/crypto/engine/eng_init.c @@ -93,7 +93,7 @@ int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers) * there's a chance that both threads will together take the count from * 2 to 0 without either calling finish(). */ e->funct_ref--; - engine_ref_debug(e, 1, -1) + engine_ref_debug(e, 1, -1); if((e->funct_ref == 0) && e->finish) { if(unlock_for_handlers) diff --git a/src/lib/libssl/src/crypto/engine/eng_list.c b/src/lib/libssl/src/crypto/engine/eng_list.c index 0c220558e7..1cc3217f4c 100644 --- a/src/lib/libssl/src/crypto/engine/eng_list.c +++ b/src/lib/libssl/src/crypto/engine/eng_list.c @@ -191,14 +191,14 @@ ENGINE *ENGINE_get_first(void) { ENGINE *ret; - CRYPTO_r_lock(CRYPTO_LOCK_ENGINE); + CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); ret = engine_list_head; if(ret) { ret->struct_ref++; engine_ref_debug(ret, 0, 1) } - CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE); + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); return ret; } @@ -206,14 +206,14 @@ ENGINE *ENGINE_get_last(void) { ENGINE *ret; - CRYPTO_r_lock(CRYPTO_LOCK_ENGINE); - ret = engine_list_tail; + CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); + ret = engine_list_tail; if(ret) { ret->struct_ref++; engine_ref_debug(ret, 0, 1) } - CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE); + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); return ret; } @@ -227,7 +227,7 @@ ENGINE *ENGINE_get_next(ENGINE *e) ERR_R_PASSED_NULL_PARAMETER); return 0; } - CRYPTO_r_lock(CRYPTO_LOCK_ENGINE); + CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); ret = e->next; if(ret) { @@ -235,7 +235,7 @@ ENGINE *ENGINE_get_next(ENGINE *e) ret->struct_ref++; engine_ref_debug(ret, 0, 1) } - CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE); + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); /* Release the structural reference to the previous ENGINE */ ENGINE_free(e); return ret; @@ -250,7 +250,7 @@ ENGINE *ENGINE_get_prev(ENGINE *e) ERR_R_PASSED_NULL_PARAMETER); return 0; } - CRYPTO_r_lock(CRYPTO_LOCK_ENGINE); + CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); ret = e->prev; if(ret) { @@ -258,7 +258,7 @@ ENGINE *ENGINE_get_prev(ENGINE *e) ret->struct_ref++; engine_ref_debug(ret, 0, 1) } - CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE); + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); /* Release the structural reference to the previous ENGINE */ ENGINE_free(e); return ret; @@ -346,7 +346,7 @@ ENGINE *ENGINE_by_id(const char *id) ERR_R_PASSED_NULL_PARAMETER); return NULL; } - CRYPTO_r_lock(CRYPTO_LOCK_ENGINE); + CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); iterator = engine_list_head; while(iterator && (strcmp(id, iterator->id) != 0)) iterator = iterator->next; @@ -372,7 +372,7 @@ ENGINE *ENGINE_by_id(const char *id) engine_ref_debug(iterator, 0, 1) } } - CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE); + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if(iterator == NULL) { ENGINEerr(ENGINE_F_ENGINE_BY_ID, @@ -381,3 +381,14 @@ ENGINE *ENGINE_by_id(const char *id) } return iterator; } + +int ENGINE_up_ref(ENGINE *e) + { + if (e == NULL) + { + ENGINEerr(ENGINE_F_ENGINE_UP_REF,ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + CRYPTO_add(&e->struct_ref,1,CRYPTO_LOCK_ENGINE); + return 1; + } diff --git a/src/lib/libssl/src/crypto/engine/eng_openssl.c b/src/lib/libssl/src/crypto/engine/eng_openssl.c index e9d976f46b..54579eea2e 100644 --- a/src/lib/libssl/src/crypto/engine/eng_openssl.c +++ b/src/lib/libssl/src/crypto/engine/eng_openssl.c @@ -63,6 +63,7 @@ #include #include #include +#include /* This testing gunk is implemented (and explained) lower down. It also assumes * the application explicitly calls "ENGINE_load_openssl()" because this is no @@ -78,6 +79,21 @@ /* #define TEST_ENG_OPENSSL_SHA_P_UPDATE */ /* #define TEST_ENG_OPENSSL_SHA_P_FINAL */ +/* Now check what of those algorithms are actually enabled */ +#ifdef OPENSSL_NO_RC4 +#undef TEST_ENG_OPENSSL_RC4 +#undef TEST_ENG_OPENSSL_RC4_OTHERS +#undef TEST_ENG_OPENSSL_RC4_P_INIT +#undef TEST_ENG_OPENSSL_RC4_P_CIPHER +#endif +#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA0) || defined(OPENSSL_NO_SHA1) +#undef TEST_ENG_OPENSSL_SHA +#undef TEST_ENG_OPENSSL_SHA_OTHERS +#undef TEST_ENG_OPENSSL_SHA_P_INIT +#undef TEST_ENG_OPENSSL_SHA_P_UPDATE +#undef TEST_ENG_OPENSSL_SHA_P_FINAL +#endif + #ifdef TEST_ENG_OPENSSL_RC4 static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid); @@ -180,7 +196,6 @@ IMPLEMENT_DYNAMIC_BIND_FN(bind_fn) * the "init_key" handler is called. * TEST_ENG_OPENSSL_RC4_P_CIPHER - ditto for the "cipher" handler. */ -#include #include #define TEST_RC4_KEY_SIZE 16 static int test_cipher_nids[] = {NID_rc4,NID_rc4_40}; @@ -265,7 +280,6 @@ static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher, #ifdef TEST_ENG_OPENSSL_SHA /* Much the same sort of comment as for TEST_ENG_OPENSSL_RC4 */ -#include #include static int test_digest_nids[] = {NID_sha1}; static int test_digest_nids_number = 1; diff --git a/src/lib/libssl/src/crypto/engine/engine.h b/src/lib/libssl/src/crypto/engine/engine.h index cf06618286..8686879e1a 100644 --- a/src/lib/libssl/src/crypto/engine/engine.h +++ b/src/lib/libssl/src/crypto/engine/engine.h @@ -59,6 +59,12 @@ #ifndef HEADER_ENGINE_H #define HEADER_ENGINE_H +#include + +#ifdef OPENSSL_NO_ENGINE +#error ENGINE is disabled. +#endif + #include #include #ifndef OPENSSL_NO_RSA @@ -307,7 +313,7 @@ void ENGINE_load_ubsec(void); void ENGINE_load_aep(void); void ENGINE_load_sureware(void); void ENGINE_load_4758cca(void); -void ENGINE_load_openbsd_dev_crypto(void); +void ENGINE_load_cryptodev(void); void ENGINE_load_builtin_engines(void); /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation @@ -406,6 +412,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg, * compatibility! */ ENGINE *ENGINE_new(void); int ENGINE_free(ENGINE *e); +int ENGINE_up_ref(ENGINE *e); int ENGINE_set_id(ENGINE *e, const char *id); int ENGINE_set_name(ENGINE *e, const char *name); int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth); @@ -662,6 +669,7 @@ void ERR_load_ENGINE_strings(void); #define ENGINE_F_ENGINE_SET_NAME 130 #define ENGINE_F_ENGINE_TABLE_REGISTER 184 #define ENGINE_F_ENGINE_UNLOAD_KEY 152 +#define ENGINE_F_ENGINE_UP_REF 190 #define ENGINE_F_INT_CTRL_HELPER 172 #define ENGINE_F_INT_ENGINE_CONFIGURE 188 #define ENGINE_F_LOG_MESSAGE 141 diff --git a/src/lib/libssl/src/crypto/engine/enginetest.c b/src/lib/libssl/src/crypto/engine/enginetest.c index 87fa8c57b7..c2d0297392 100644 --- a/src/lib/libssl/src/crypto/engine/enginetest.c +++ b/src/lib/libssl/src/crypto/engine/enginetest.c @@ -56,9 +56,17 @@ * */ -#include #include #include + +#ifdef OPENSSL_NO_ENGINE +int main(int argc, char *argv[]) +{ + printf("No ENGINE support\n"); + return(0); +} +#else +#include #include #include #include @@ -272,3 +280,4 @@ end: CRYPTO_mem_leaks_fp(stderr); return to_return; } +#endif diff --git a/src/lib/libssl/src/crypto/engine/hw_4758_cca.c b/src/lib/libssl/src/crypto/engine/hw_4758_cca.c index bfb80968e2..4f5ae8a46d 100644 --- a/src/lib/libssl/src/crypto/engine/hw_4758_cca.c +++ b/src/lib/libssl/src/crypto/engine/hw_4758_cca.c @@ -223,6 +223,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_4758_cca(void) { ENGINE *ret = ENGINE_new(); @@ -244,6 +245,7 @@ void ENGINE_load_4758cca(void) ENGINE_free(e_4758); ERR_clear_error(); } +#endif static int ibm_4758_cca_destroy(ENGINE *e) { @@ -715,7 +717,7 @@ static int cca_rsa_verify(int type, const unsigned char *m, unsigned int m_len, if (type == NID_sha1 || type == NID_md5) { - memset(hashBuffer, keyLength+1, 0); + OPENSSL_cleanse(hashBuffer, keyLength+1); OPENSSL_free(hashBuffer); } @@ -838,7 +840,7 @@ static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len, if (type == NID_sha1 || type == NID_md5) { - memset(hashBuffer, keyLength+1, 0); + OPENSSL_cleanse(hashBuffer, keyLength+1); OPENSSL_free(hashBuffer); } diff --git a/src/lib/libssl/src/crypto/engine/hw_atalla.c b/src/lib/libssl/src/crypto/engine/hw_atalla.c index 6151c46902..e9eff9fad1 100644 --- a/src/lib/libssl/src/crypto/engine/hw_atalla.c +++ b/src/lib/libssl/src/crypto/engine/hw_atalla.c @@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_atalla(void) { ENGINE *ret = ENGINE_new(); @@ -264,6 +265,7 @@ void ENGINE_load_atalla(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This is a process-global DSO handle used for loading and unloading * the Atalla library. NB: This is only set (or unset) during an diff --git a/src/lib/libssl/src/crypto/engine/hw_cryptodev.c b/src/lib/libssl/src/crypto/engine/hw_cryptodev.c index 7c3728f395..40af97ac24 100644 --- a/src/lib/libssl/src/crypto/engine/hw_cryptodev.c +++ b/src/lib/libssl/src/crypto/engine/hw_cryptodev.c @@ -1,6 +1,7 @@ /* * Copyright (c) 2002 Bob Beck * Copyright (c) 2002 Theo de Raadt + * Copyright (c) 2002 Markus Friedl * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -28,33 +29,85 @@ * */ -#include +#include +#include +#include + +#if (defined(__unix__) || defined(unix)) && !defined(USG) #include +# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) +# define HAVE_CRYPTODEV +# endif +# if (OpenBSD >= 200110) +# define HAVE_SYSLOG_R +# endif +#endif + +#ifndef HAVE_CRYPTODEV + +void +ENGINE_load_cryptodev(void) +{ + /* This is a NOP on platforms without /dev/crypto */ + return; +} + +#else + +#include #include #include #include #include #include #include -#include #include -#include -#include -#include +#include +#include +#include -static int cryptodev_fd = -1; -static int cryptodev_sessions = 0; -static u_int32_t cryptodev_symfeat = 0; +struct dev_crypto_state { + struct session_op d_sess; + int d_fd; +}; +static u_int32_t cryptodev_asymfeat = 0; + +static int get_asym_dev_crypto(void); +static int open_dev_crypto(void); +static int get_dev_crypto(void); +static int cryptodev_max_iv(int cipher); +static int cryptodev_key_length_valid(int cipher, int len); +static int cipher_nid_to_cryptodev(int nid); +static int get_cryptodev_ciphers(const int **cnids); +static int get_cryptodev_digests(const int **cnids); +static int cryptodev_usable_ciphers(const int **nids); +static int cryptodev_usable_digests(const int **nids); +static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl); +static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc); +static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx); +static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + const int **nids, int nid); +static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, + const int **nids, int nid); static int bn2crparam(const BIGNUM *a, struct crparam *crp); static int crparam2bn(struct crparam *crp, BIGNUM *a); static void zapparams(struct crypt_kop *kop); +static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, + int slen, BIGNUM *s); -static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, + RSA *rsa); +static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, + BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, + BN_CTX *ctx, BN_MONT_CTX *mont); static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len, @@ -64,6 +117,9 @@ static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *m_ctx); static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); +static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, + void (*f)()); +void ENGINE_load_cryptodev(void); static const ENGINE_CMD_DEFN cryptodev_defns[] = { { 0, NULL, NULL, 0 } @@ -77,11 +133,10 @@ static struct { } ciphers[] = { { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, }, { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, }, - { CRYPTO_AES_CBC, NID_undef, 8, 24, }, + { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, }, { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, }, - { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 8, }, + { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, }, { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, }, - { CRYPTO_ARC4, NID_rc4, 8, 16, }, { 0, NID_undef, 0, 0, }, }; @@ -99,33 +154,53 @@ static struct { }; /* - * Return 1 if /dev/crypto seems usable, 0 otherwise , also - * does most of the work of initting the device, if not already - * done.. This should leave is with global fd initialized with CRIOGET. + * Return a fd if /dev/crypto seems usable, 0 otherwise. */ static int -check_dev_crypto() +open_dev_crypto(void) { - int fd; + static int fd = -1; - if (cryptodev_fd == -1) { + if (fd == -1) { if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1) - return (0); - if (ioctl(fd, CRIOGET, &cryptodev_fd) == -1) { - close(fd); - return (0); - } - close(fd); + return (-1); /* close on exec */ - if (fcntl(cryptodev_fd, F_SETFD, 1) == -1) { - close(cryptodev_fd); - cryptodev_fd = -1; - return (0); + if (fcntl(fd, F_SETFD, 1) == -1) { + close(fd); + fd = -1; + return (-1); } } - ioctl(cryptodev_fd, CIOCSYMFEAT, &cryptodev_symfeat); + return (fd); +} - return (1); +static int +get_dev_crypto(void) +{ + int fd, retfd; + + if ((fd = open_dev_crypto()) == -1) + return (-1); + if (ioctl(fd, CRIOGET, &retfd) == -1) + return (-1); + + /* close on exec */ + if (fcntl(retfd, F_SETFD, 1) == -1) { + close(retfd); + return (-1); + } + return (retfd); +} + +/* Caching version for asym operations */ +static int +get_asym_dev_crypto(void) +{ + static int fd = -1; + + if (fd == -1) + fd = get_dev_crypto(); + return fd; } /* @@ -183,8 +258,12 @@ get_cryptodev_ciphers(const int **cnids) { static int nids[CRYPTO_ALGORITHM_MAX]; struct session_op sess; - int i, count = 0; + int fd, i, count = 0; + if ((fd = get_dev_crypto()) < 0) { + *nids = NULL; + return (0); + } memset(&sess, 0, sizeof(sess)); sess.key = (caddr_t)"123456781234567812345678"; @@ -194,10 +273,12 @@ get_cryptodev_ciphers(const int **cnids) sess.cipher = ciphers[i].id; sess.keylen = ciphers[i].keylen; sess.mac = 0; - if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 && - ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1) + if (ioctl(fd, CIOCGSESSION, &sess) != -1 && + ioctl(fd, CIOCFSESSION, &sess.ses) != -1) nids[count++] = ciphers[i].nid; } + close(fd); + if (count > 0) *cnids = nids; else @@ -216,18 +297,24 @@ get_cryptodev_digests(const int **cnids) { static int nids[CRYPTO_ALGORITHM_MAX]; struct session_op sess; - int i, count = 0; + int fd, i, count = 0; + if ((fd = get_dev_crypto()) < 0) { + *nids = NULL; + return (0); + } memset(&sess, 0, sizeof(sess)); for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { if (digests[i].nid == NID_undef) continue; sess.mac = digests[i].id; sess.cipher = 0; - if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 && - ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1) + if (ioctl(fd, CIOCGSESSION, &sess) != -1 && + ioctl(fd, CIOCFSESSION, &sess.ses) != -1) nids[count++] = digests[i].nid; } + close(fd); + if (count > 0) *cnids = nids; else @@ -256,25 +343,15 @@ get_cryptodev_digests(const int **cnids) * want most of the decisions made about what we actually want * to use from /dev/crypto. */ -int +static int cryptodev_usable_ciphers(const int **nids) { - if (!check_dev_crypto()) { - *nids = NULL; - return (0); - } - - /* find what the device can do. Unfortunately, we don't - * necessarily want all of these yet, because we aren't - * yet set up to do them - */ return (get_cryptodev_ciphers(nids)); } -int +static int cryptodev_usable_digests(const int **nids) { -#if 1 /* * XXXX just disable all digests for now, because it sucks. * we need a better way to decide this - i.e. I may not @@ -289,29 +366,19 @@ cryptodev_usable_digests(const int **nids) */ *nids = NULL; return (0); -#endif - - if (!check_dev_crypto()) { - *nids = NULL; - return (0); - } - return (get_cryptodev_digests(nids)); } - -int +static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { struct crypt_op cryp; - struct session_op *sess = ctx->cipher_data; + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; void *iiv; unsigned char save_iv[EVP_MAX_IV_LENGTH]; - struct syslog_data sd = SYSLOG_DATA_INIT; - if (cryptodev_fd == -1) - return (0); - if (sess == NULL) + if (state->d_fd < 0) return (0); if (!inl) return (1); @@ -338,11 +405,10 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } else cryp.iv = NULL; - if (ioctl(cryptodev_fd, CIOCCRYPT, &cryp) == -1) { + if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) { /* XXX need better errror handling * this can fail for a number of different reasons. */ - syslog_r(LOG_ERR, &sd, "CIOCCRYPT failed (%m)"); return (0); } @@ -356,20 +422,17 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return (1); } -int +static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { - struct session_op *sess = ctx->cipher_data; - struct syslog_data sd = SYSLOG_DATA_INIT; + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; int cipher; if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef) return (0); - if (!check_dev_crypto()) - return (0); - if (ctx->cipher->iv_len > cryptodev_max_iv(cipher)) return (0); @@ -378,15 +441,18 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, memset(sess, 0, sizeof(struct session_op)); + if ((state->d_fd = get_dev_crypto()) < 0) + return (0); + sess->key = (unsigned char *)key; sess->keylen = ctx->key_len; sess->cipher = cipher; - if (ioctl(cryptodev_fd, CIOCGSESSION, sess) == -1) { - syslog_r(LOG_ERR, &sd, "CIOCGSESSION failed (%m)"); + if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { + close(state->d_fd); + state->d_fd = -1; return (0); } - cryptodev_sessions++; return (1); } @@ -394,14 +460,14 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, * free anything we allocated earlier when initting a * session, and close the session. */ -int +static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx) { int ret = 0; - struct session_op *sess = ctx->cipher_data; - struct syslog_data sd = SYSLOG_DATA_INIT; + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; - if (sess == NULL) + if (state->d_fd < 0) return (0); /* XXX if this ioctl fails, someting's wrong. the invoker @@ -415,17 +481,14 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx) * print messages to users of the library. hmm.. */ - if (ioctl(cryptodev_fd, CIOCFSESSION, &sess->ses) == -1) { - syslog_r(LOG_ERR, &sd, "CIOCFSESSION failed (%m)"); + if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) { ret = 0; } else { - cryptodev_sessions--; ret = 1; } - if (cryptodev_sessions == 0 && cryptodev_fd != -1 ) { - close(cryptodev_fd); /* XXX should this be closed? */ - cryptodev_fd = -1; - } + close(state->d_fd); + state->d_fd = -1; + return (ret); } @@ -434,20 +497,6 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx) * gets called when libcrypto requests a cipher NID. */ -/* ARC4 (16 byte key) */ -const EVP_CIPHER cryptodev_arc4_cipher = { - NID_rc4, - 1, 16, 0, - EVP_CIPH_VARIABLE_LENGTH, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct session_op), - NULL, - NULL, - NULL -}; - /* DES CBC EVP */ const EVP_CIPHER cryptodev_des_cbc = { NID_des_cbc, @@ -456,7 +505,7 @@ const EVP_CIPHER cryptodev_des_cbc = { cryptodev_init_key, cryptodev_cipher, cryptodev_cleanup, - sizeof(struct session_op), + sizeof(struct dev_crypto_state), EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL @@ -470,19 +519,57 @@ const EVP_CIPHER cryptodev_3des_cbc = { cryptodev_init_key, cryptodev_cipher, cryptodev_cleanup, - sizeof(struct session_op), + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; + +const EVP_CIPHER cryptodev_bf_cbc = { + NID_bf_cbc, + 8, 16, 8, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; + +const EVP_CIPHER cryptodev_cast_cbc = { + NID_cast5_cbc, + 8, 16, 8, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL }; +const EVP_CIPHER cryptodev_aes_cbc = { + NID_aes_128_cbc, + 16, 16, 16, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; /* * Registered by the ENGINE when used to find out how to deal with * a particular NID in the ENGINE. this says what we'll do at the * top level - note, that list is restricted by what we answer with */ -int +static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid) { @@ -490,15 +577,21 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, return (cryptodev_usable_ciphers(nids)); switch (nid) { - case NID_rc4: - *cipher = &cryptodev_arc4_cipher; - break; case NID_des_ede3_cbc: *cipher = &cryptodev_3des_cbc; break; case NID_des_cbc: *cipher = &cryptodev_des_cbc; break; + case NID_bf_cbc: + *cipher = &cryptodev_bf_cbc; + break; + case NID_cast5_cbc: + *cipher = &cryptodev_cast_cbc; + break; + case NID_aes_128_cbc: + *cipher = &cryptodev_aes_cbc; + break; default: *cipher = NULL; break; @@ -506,7 +599,7 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, return (*cipher != NULL); } -int +static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, const int **nids, int nid) { @@ -524,7 +617,6 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, return (*digest != NULL); } - /* * Convert a BIGNUM to the representation that /dev/crypto needs. * Upon completion of use, the caller is responsible for freeing @@ -533,7 +625,7 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, static int bn2crparam(const BIGNUM *a, struct crparam *crp) { - int i, j, n; + int i, j, k; ssize_t words, bytes, bits; u_char *b; @@ -550,17 +642,13 @@ bn2crparam(const BIGNUM *a, struct crparam *crp) crp->crp_p = b; crp->crp_nbits = bits; - words = (bits + BN_BITS2 - 1) / BN_BITS2; - - n = 0; - for (i = 0; i < words && n < bytes; i++) { - BN_ULONG word; - - word = a->d[i]; - for (j = 0 ; j < BN_BYTES && n < bytes; j++, n++) { - *b++ = (word & 0xff); - word >>= 8; + for (i = 0, j = 0; i < a->top; i++) { + for (k = 0; k < BN_BITS2 / 8; k++) { + if ((j + k) >= bytes) + return (0); + b[j + k] = a->d[i] >> (k * 8); } + j += BN_BITS2 / 8; } return (0); } @@ -569,15 +657,22 @@ bn2crparam(const BIGNUM *a, struct crparam *crp) static int crparam2bn(struct crparam *crp, BIGNUM *a) { + u_int8_t *pd; int i, bytes; - bytes = (crp->crp_nbits + 7)/8; + bytes = (crp->crp_nbits + 7) / 8; - BN_zero(a); - for (i = bytes - 1; i >= 0; i--) { - BN_lshift(a, a, 8); - BN_add_word(a, (u_char)crp->crp_p[i]); - } + if (bytes == 0) + return (-1); + + if ((pd = (u_int8_t *) malloc(bytes)) == NULL) + return (-1); + + for (i = 0; i < bytes; i++) + pd[i] = crp->crp_p[bytes - i - 1]; + + BN_bin2bn(pd, bytes, a); + free(pd); return (0); } @@ -596,25 +691,32 @@ zapparams(struct crypt_kop *kop) } static int -cryptodev_sym(struct crypt_kop *kop, BIGNUM *r, BIGNUM *s) +cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s) { - int ret = -1; + int fd, ret = -1; + + if ((fd = get_asym_dev_crypto()) < 0) + return (ret); if (r) { - kop->crk_param[kop->crk_iparams].crp_p = malloc(256); - kop->crk_param[kop->crk_iparams].crp_nbits = 256 * 8; + kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char)); + kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8; kop->crk_oparams++; } if (s) { - kop->crk_param[kop->crk_iparams+1].crp_p = malloc(256); - kop->crk_param[kop->crk_iparams+1].crp_nbits = 256 * 8; + kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char)); + kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8; kop->crk_oparams++; } - if (ioctl(cryptodev_fd, CIOCKEY, &kop) == 0) { - crparam2bn(&kop->crk_param[3], r); + if (ioctl(fd, CIOCKEY, kop) == 0) { + if (r) + crparam2bn(&kop->crk_param[kop->crk_iparams], r); + if (s) + crparam2bn(&kop->crk_param[kop->crk_iparams+1], s); ret = 0; } + return (ret); } @@ -623,38 +725,58 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { struct crypt_kop kop; - int ret = 0; + int ret = 1; + + /* Currently, we know we can do mod exp iff we can do any + * asymmetric operations at all. + */ + if (cryptodev_asymfeat == 0) { + ret = BN_mod_exp(r, a, p, m, ctx); + return (ret); + } memset(&kop, 0, sizeof kop); kop.crk_op = CRK_MOD_EXP; - /* inputs: a m p */ + /* inputs: a^p % m */ if (bn2crparam(a, &kop.crk_param[0])) goto err; - if (bn2crparam(m, &kop.crk_param[1])) + if (bn2crparam(p, &kop.crk_param[1])) goto err; - if (bn2crparam(p, &kop.crk_param[2])) + if (bn2crparam(m, &kop.crk_param[2])) goto err; kop.crk_iparams = 3; - if (cryptodev_sym(&kop, r, NULL) == -1) { - ret = BN_mod_exp(r, a, p, m, ctx); + if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) { + const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); + ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont); } err: zapparams(&kop); return (ret); } +static int +cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +{ + int r; + BN_CTX *ctx; + + ctx = BN_CTX_new(); + r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL); + BN_CTX_free(ctx); + return (r); +} static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) { struct crypt_kop kop; - int ret = 0; + int ret = 1; if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) { /* XXX 0 means failure?? */ - goto err; + return (0); } memset(&kop, 0, sizeof kop); @@ -674,9 +796,8 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) goto err; kop.crk_iparams = 6; - if (cryptodev_sym(&kop, r0, NULL) == -1) { + if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) { const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); - ret = (*meth->rsa_mod_exp)(r0, I, rsa); } err: @@ -690,8 +811,8 @@ static RSA_METHOD cryptodev_rsa = { NULL, /* rsa_pub_dec */ NULL, /* rsa_priv_enc */ NULL, /* rsa_priv_dec */ - cryptodev_rsa_mod_exp, /* rsa_mod_exp */ - cryptodev_bn_mod_exp, /* bn_mod_exp */ + NULL, + NULL, NULL, /* init */ NULL, /* finish */ 0, /* flags */ @@ -707,6 +828,38 @@ cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx)); } +static int +cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, + BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, + BN_CTX *ctx, BN_MONT_CTX *mont) +{ + BIGNUM t2; + int ret = 0; + + BN_init(&t2); + + /* v = ( g^u1 * y^u2 mod p ) mod q */ + /* let t1 = g ^ u1 mod p */ + ret = 0; + + if (!dsa->meth->bn_mod_exp(dsa,t1,dsa->g,u1,dsa->p,ctx,mont)) + goto err; + + /* let t2 = y ^ u2 mod p */ + if (!dsa->meth->bn_mod_exp(dsa,&t2,dsa->pub_key,u2,dsa->p,ctx,mont)) + goto err; + /* let u1 = t1 * t2 mod p */ + if (!BN_mod_mul(u1,t1,&t2,dsa->p,ctx)) + goto err; + + BN_copy(t1,u1); + + ret = 1; +err: + BN_free(&t2); + return(ret); +} + static DSA_SIG * cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { @@ -721,6 +874,7 @@ cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) goto err; } + printf("bar\n"); memset(&kop, 0, sizeof kop); kop.crk_op = CRK_DSA_SIGN; @@ -737,13 +891,13 @@ cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) goto err; kop.crk_iparams = 5; - if (cryptodev_sym(&kop, r, s) == 0) { + if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r, + BN_num_bytes(dsa->q), s) == 0) { dsaret = DSA_SIG_new(); dsaret->r = r; dsaret->s = s; } else { const DSA_METHOD *meth = DSA_OpenSSL(); - BN_free(r); BN_free(s); dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa); @@ -759,7 +913,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen, DSA_SIG *sig, DSA *dsa) { struct crypt_kop kop; - int dsaret = 0; + int dsaret = 1; memset(&kop, 0, sizeof kop); kop.crk_op = CRK_DSA_VERIFY; @@ -781,7 +935,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen, goto err; kop.crk_iparams = 7; - if (cryptodev_sym(&kop, NULL, NULL) == 0) { + if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) { dsaret = kop.crk_status; } else { const DSA_METHOD *meth = DSA_OpenSSL(); @@ -796,11 +950,11 @@ err: static DSA_METHOD cryptodev_dsa = { "cryptodev DSA method", - cryptodev_dsa_do_sign, + NULL, NULL, /* dsa_sign_setup */ - cryptodev_dsa_verify, + NULL, NULL, /* dsa_mod_exp */ - cryptodev_dsa_bn_mod_exp, /* bn_mod_exp */ + NULL, NULL, /* init */ NULL, /* finish */ 0, /* flags */ @@ -819,8 +973,14 @@ static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { struct crypt_kop kop; - int dhret = 0; - int keylen; + int dhret = 1; + int fd, keylen; + + if ((fd = get_asym_dev_crypto()) < 0) { + const DH_METHOD *meth = DH_OpenSSL(); + + return ((meth->compute_key)(key, pub_key, dh)); + } keylen = BN_num_bits(dh->p); @@ -840,7 +1000,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) kop.crk_param[3].crp_nbits = keylen * 8; kop.crk_oparams = 1; - if (ioctl(cryptodev_fd, CIOCKEY, &kop) == -1) { + if (ioctl(fd, CIOCKEY, &kop) == -1) { const DH_METHOD *meth = DH_OpenSSL(); dhret = (meth->compute_key)(key, pub_key, dh); @@ -854,8 +1014,8 @@ err: static DH_METHOD cryptodev_dh = { "cryptodev DH method", NULL, /* cryptodev_dh_generate_key */ - cryptodev_dh_compute_key, - cryptodev_mod_exp_dh, + NULL, + NULL, NULL, NULL, 0, /* flags */ @@ -869,12 +1029,18 @@ static DH_METHOD cryptodev_dh = { static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) { +#ifdef HAVE_SYSLOG_R struct syslog_data sd = SYSLOG_DATA_INIT; +#endif switch (cmd) { default: +#ifdef HAVE_SYSLOG_R syslog_r(LOG_ERR, &sd, "cryptodev_ctrl: unknown command %d", cmd); +#else + syslog(LOG_ERR, "cryptodev_ctrl: unknown command %d", cmd); +#endif break; } return (1); @@ -884,14 +1050,24 @@ void ENGINE_load_cryptodev(void) { ENGINE *engine = ENGINE_new(); - const RSA_METHOD *rsa_meth; - const DH_METHOD *dh_meth; + int fd; if (engine == NULL) return; + if ((fd = get_dev_crypto()) < 0) + return; + + /* + * find out what asymmetric crypto algorithms we support + */ + if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) { + close(fd); + return; + } + close(fd); if (!ENGINE_set_id(engine, "cryptodev") || - !ENGINE_set_name(engine, "OpenBSD cryptodev engine") || + !ENGINE_set_name(engine, "BSD cryptodev engine") || !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || !ENGINE_set_digests(engine, cryptodev_engine_digests) || !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) || @@ -900,27 +1076,57 @@ ENGINE_load_cryptodev(void) return; } - if ((cryptodev_symfeat & CRSFEAT_RSA) && - ENGINE_set_RSA(engine, &cryptodev_rsa)) { - rsa_meth = RSA_PKCS1_SSLeay(); + if (ENGINE_set_RSA(engine, &cryptodev_rsa)) { + const RSA_METHOD *rsa_meth = RSA_PKCS1_SSLeay(); + + cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp; + cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp; cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc; cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec; - cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_dec; + cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc; cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec; + if (cryptodev_asymfeat & CRF_MOD_EXP) { + cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp; + if (cryptodev_asymfeat & CRF_MOD_EXP_CRT) + cryptodev_rsa.rsa_mod_exp = + cryptodev_rsa_mod_exp; + else + cryptodev_rsa.rsa_mod_exp = + cryptodev_rsa_nocrt_mod_exp; + } } - if ((cryptodev_symfeat & CRSFEAT_DSA) && - ENGINE_set_DSA(engine, &cryptodev_dsa)) { + if (ENGINE_set_DSA(engine, &cryptodev_dsa)) { + const DSA_METHOD *meth = DSA_OpenSSL(); + + memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD)); + if (cryptodev_asymfeat & CRF_DSA_SIGN) + cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign; + if (cryptodev_asymfeat & CRF_MOD_EXP) { + cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp; + cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp; + } + if (cryptodev_asymfeat & CRF_DSA_VERIFY) + cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify; } - if ((cryptodev_symfeat & CRSFEAT_DH) && - ENGINE_set_DH(engine, &cryptodev_dh)) { - dh_meth = DH_OpenSSL(); + if (ENGINE_set_DH(engine, &cryptodev_dh)){ + const DH_METHOD *dh_meth = DH_OpenSSL(); + cryptodev_dh.generate_key = dh_meth->generate_key; cryptodev_dh.compute_key = dh_meth->compute_key; + cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp; + if (cryptodev_asymfeat & CRF_MOD_EXP) { + cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh; + if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY) + cryptodev_dh.compute_key = + cryptodev_dh_compute_key; + } } ENGINE_add(engine); ENGINE_free(engine); ERR_clear_error(); } + +#endif /* HAVE_CRYPTODEV */ diff --git a/src/lib/libssl/src/crypto/engine/hw_cswift.c b/src/lib/libssl/src/crypto/engine/hw_cswift.c index f5c897bdbb..f128ee5a68 100644 --- a/src/lib/libssl/src/crypto/engine/hw_cswift.c +++ b/src/lib/libssl/src/crypto/engine/hw_cswift.c @@ -121,6 +121,10 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); #endif +/* RAND stuff */ +static int cswift_rand_bytes(unsigned char *buf, int num); +static int cswift_rand_status(void); + /* The definitions for control commands specific to this engine */ #define CSWIFT_CMD_SO_PATH ENGINE_CMD_BASE static const ENGINE_CMD_DEFN cswift_cmd_defns[] = { @@ -183,6 +187,18 @@ static DH_METHOD cswift_dh = }; #endif +static RAND_METHOD cswift_random = + { + /* "CryptoSwift RAND method", */ + NULL, + cswift_rand_bytes, + NULL, + NULL, + cswift_rand_bytes, + cswift_rand_status, + }; + + /* Constants used when creating the ENGINE */ static const char *engine_cswift_id = "cswift"; static const char *engine_cswift_name = "CryptoSwift hardware engine support"; @@ -208,6 +224,7 @@ static int bind_helper(ENGINE *e) #ifndef OPENSSL_NO_DH !ENGINE_set_DH(e, &cswift_dh) || #endif + !ENGINE_set_RAND(e, &cswift_random) || !ENGINE_set_destroy_function(e, cswift_destroy) || !ENGINE_set_init_function(e, cswift_init) || !ENGINE_set_finish_function(e, cswift_finish) || @@ -242,6 +259,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_cswift(void) { ENGINE *ret = ENGINE_new(); @@ -264,6 +282,7 @@ void ENGINE_load_cswift(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This is a process-global DSO handle used for loading and unloading * the CryptoSwift library. NB: This is only set (or unset) during an @@ -905,6 +924,60 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r, } #endif +/* Random bytes are good */ +static int cswift_rand_bytes(unsigned char *buf, int num) +{ + SW_CONTEXT_HANDLE hac; + SW_STATUS swrc; + SW_LARGENUMBER largenum; + size_t nbytes = 0; + int acquired = 0; + int to_return = 0; /* assume failure */ + + if (!get_context(&hac)) + { + CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_UNIT_FAILURE); + goto err; + } + acquired = 1; + + while (nbytes < (size_t)num) + { + /* tell CryptoSwift how many bytes we want and where we want it. + * Note: - CryptoSwift cannot do more than 4096 bytes at a time. + * - CryptoSwift can only do multiple of 32-bits. */ + largenum.value = (SW_BYTE *) buf + nbytes; + if (4096 > num - nbytes) + largenum.nbytes = num - nbytes; + else + largenum.nbytes = 4096; + + swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1); + if (swrc != SW_OK) + { + char tmpbuf[20]; + CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_REQUEST_FAILED); + sprintf(tmpbuf, "%ld", swrc); + ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf); + goto err; + } + + nbytes += largenum.nbytes; + } + to_return = 1; /* success */ + +err: + if (acquired) + release_context(hac); + return to_return; +} + +static int cswift_rand_status(void) +{ + return 1; +} + + /* This stuff is needed if this ENGINE is being compiled into a self-contained * shared-library. */ #ifdef ENGINE_DYNAMIC_SUPPORT diff --git a/src/lib/libssl/src/crypto/engine/hw_ncipher.c b/src/lib/libssl/src/crypto/engine/hw_ncipher.c index a43d4360f2..0d1c6b8df0 100644 --- a/src/lib/libssl/src/crypto/engine/hw_ncipher.c +++ b/src/lib/libssl/src/crypto/engine/hw_ncipher.c @@ -91,11 +91,19 @@ static int hwcrhk_init(ENGINE *e); static int hwcrhk_finish(ENGINE *e); static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); -/* Functions to handle mutexes */ +/* Functions to handle mutexes if have dynamic locks */ static int hwcrhk_mutex_init(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext*); static int hwcrhk_mutex_lock(HWCryptoHook_Mutex*); static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex*); static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*); +#if 1 /* This is a HACK which will disappear in 0.9.8 */ +/* Functions to handle mutexes if only have static locks */ +static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m, + HWCryptoHook_CallerContext *c); +static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m); +static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m); +static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m); +#endif /* BIGNUM stuff */ static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, @@ -373,6 +381,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_ncipher(void) { ENGINE *ret = ENGINE_new(); @@ -395,6 +404,7 @@ void ENGINE_load_chil(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This is a process-global DSO handle used for loading and unloading * the HWCryptoHook library. NB: This is only set (or unset) during an @@ -558,15 +568,31 @@ static int hwcrhk_init(ENGINE *e) /* Check if the application decided to support dynamic locks, and if it does, use them. */ - if (disable_mutex_callbacks == 0 && - CRYPTO_get_dynlock_create_callback() != NULL && - CRYPTO_get_dynlock_lock_callback() != NULL && - CRYPTO_get_dynlock_destroy_callback() != NULL) + if (disable_mutex_callbacks == 0) { - hwcrhk_globals.mutex_init = hwcrhk_mutex_init; - hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock; - hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock; - hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy; + if (CRYPTO_get_dynlock_create_callback() != NULL && + CRYPTO_get_dynlock_lock_callback() != NULL && + CRYPTO_get_dynlock_destroy_callback() != NULL) + { + hwcrhk_globals.mutex_init = hwcrhk_mutex_init; + hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock; + hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock; + hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy; + } + else if (CRYPTO_get_locking_callback() != NULL) + { + HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DYNAMIC_LOCKING_MISSING); + ERR_add_error_data(1,"You HAVE to add dynamic locking callbacks via CRYPTO_set_dynlock_{create,lock,destroy}_callback()"); +#if 1 /* This is a HACK which will disappear in 0.9.8 */ + hwcrhk_globals.maxmutexes = 1; /* Only have one lock */ + hwcrhk_globals.mutex_init = hwcrhk_static_mutex_init; + hwcrhk_globals.mutex_acquire = hwcrhk_static_mutex_lock; + hwcrhk_globals.mutex_release = hwcrhk_static_mutex_unlock; + hwcrhk_globals.mutex_destroy = hwcrhk_static_mutex_destroy; +#else + goto err; +#endif + } } /* Try and get a context - if not, we may have a DSO but no @@ -1020,7 +1046,7 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa) /* Perform the operation */ ret = p_hwcrhk_ModExpCRT(hwcrhk_context, m_a, m_p, m_q, - m_dmp1, m_dmq1, m_iqmp, &m_r, NULL); + m_dmp1, m_dmq1, m_iqmp, &m_r, &rmsg); /* Convert the response */ r->top = m_r.size / sizeof(BN_ULONG); @@ -1171,6 +1197,26 @@ static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex *mt) CRYPTO_destroy_dynlockid(mt->lockid); } +/* Mutex upcalls to use if the application does not support dynamic locks */ + +static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m, + HWCryptoHook_CallerContext *c) + { + return 0; + } +static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m) + { + CRYPTO_w_lock(CRYPTO_LOCK_HWCRHK); + return 0; + } +static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m) + { + CRYPTO_w_unlock(CRYPTO_LOCK_HWCRHK); + } +static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m) + { + } + static int hwcrhk_get_pass(const char *prompt_info, int *len_io, char *buf, HWCryptoHook_PassphraseContext *ppctx, @@ -1318,7 +1364,7 @@ static void hwcrhk_log_message(void *logstr, const char *message) lstream=*(BIO **)logstr; if (lstream) { - BIO_write(lstream, message, strlen(message)); + BIO_printf(lstream, "%s\n", message); } CRYPTO_w_unlock(CRYPTO_LOCK_BIO); } diff --git a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c index 24024cfc6f..5bc94581b7 100644 --- a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c +++ b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c @@ -1,6 +1,6 @@ /* hw_ncipher_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -86,6 +86,7 @@ static ERR_STRING_DATA HWCRHK_str_reasons[]= {HWCRHK_R_CHIL_ERROR ,"chil error"}, {HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED ,"ctrl command not implemented"}, {HWCRHK_R_DSO_FAILURE ,"dso failure"}, +{HWCRHK_R_DYNAMIC_LOCKING_MISSING ,"dynamic locking missing"}, {HWCRHK_R_MISSING_KEY_COMPONENTS ,"missing key components"}, {HWCRHK_R_NOT_INITIALISED ,"not initialised"}, {HWCRHK_R_NOT_LOADED ,"not loaded"}, diff --git a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h index 4d65b1d470..d232d02319 100644 --- a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h +++ b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h @@ -84,6 +84,7 @@ static void ERR_HWCRHK_error(int function, int reason, char *file, int line); #define HWCRHK_R_CHIL_ERROR 102 #define HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 #define HWCRHK_R_DSO_FAILURE 104 +#define HWCRHK_R_DYNAMIC_LOCKING_MISSING 114 #define HWCRHK_R_MISSING_KEY_COMPONENTS 105 #define HWCRHK_R_NOT_INITIALISED 106 #define HWCRHK_R_NOT_LOADED 107 diff --git a/src/lib/libssl/src/crypto/engine/hw_nuron.c b/src/lib/libssl/src/crypto/engine/hw_nuron.c index 130b6d8b40..fb9188bfe5 100644 --- a/src/lib/libssl/src/crypto/engine/hw_nuron.c +++ b/src/lib/libssl/src/crypto/engine/hw_nuron.c @@ -374,6 +374,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_nuron(void) { ENGINE *ret = ENGINE_new(); @@ -396,6 +397,7 @@ void ENGINE_load_nuron(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This stuff is needed if this ENGINE is being compiled into a self-contained * shared-library. */ diff --git a/src/lib/libssl/src/crypto/engine/hw_sureware.c b/src/lib/libssl/src/crypto/engine/hw_sureware.c new file mode 100644 index 0000000000..fca467e690 --- /dev/null +++ b/src/lib/libssl/src/crypto/engine/hw_sureware.c @@ -0,0 +1,1039 @@ +/* Written by Corinne Dive-Reclus(cdive@baltimore.com) +* +* +* Redistribution and use in source and binary forms, with or without +* modification, are permitted provided that the following conditions +* are met: +* +* 1. Redistributions of source code must retain the above copyright +* notice, this list of conditions and the following disclaimer. +* +* 2. Redistributions in binary form must reproduce the above copyright +* notice, this list of conditions and the following disclaimer in +* the documentation and/or other materials provided with the +* distribution. +* +* 3. All advertising materials mentioning features or use of this +* software must display the following acknowledgment: +* "This product includes software developed by the OpenSSL Project +* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" +* +* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +* endorse or promote products derived from this software without +* prior written permission. For written permission, please contact +* licensing@OpenSSL.org. +* +* 5. Products derived from this software may not be called "OpenSSL" +* nor may "OpenSSL" appear in their names without prior written +* permission of the OpenSSL Project. +* +* 6. Redistributions of any form whatsoever must retain the following +* acknowledgment: +* "This product includes software developed by the OpenSSL Project +* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" +* +* Written by Corinne Dive-Reclus(cdive@baltimore.com) +* +* Copyright@2001 Baltimore Technologies Ltd. +* All right Reserved. +* * +* THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND * +* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * +* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * +* ARE DISCLAIMED. IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE * +* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * +* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * +* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * +* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * +* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * +* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * +* SUCH DAMAGE. * +====================================================================*/ + +#include +#include "cryptlib.h" +#include +#include +#include +#include "eng_int.h" +#include "engine.h" +#include + +#ifndef OPENSSL_NO_HW +#ifndef OPENSSL_NO_HW_SUREWARE + +#ifdef FLAT_INC +#include "sureware.h" +#else +#include "vendor_defns/sureware.h" +#endif + +#define SUREWARE_LIB_NAME "sureware engine" +#include "hw_sureware_err.c" + +static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); +static int surewarehk_destroy(ENGINE *e); +static int surewarehk_init(ENGINE *e); +static int surewarehk_finish(ENGINE *e); +static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx); + +/* RSA stuff */ +static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to, + RSA *rsa,int padding); +static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to, + RSA *rsa,int padding); + +/* RAND stuff */ +static int surewarehk_rand_bytes(unsigned char *buf, int num); +static void surewarehk_rand_seed(const void *buf, int num); +static void surewarehk_rand_add(const void *buf, int num, double entropy); + +/* KM stuff */ +static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id, + UI_METHOD *ui_method, void *callback_data); +static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id, + UI_METHOD *ui_method, void *callback_data); +static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, + int idx,long argl, void *argp); +#if 0 +static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, + int idx,long argl, void *argp); +#endif + +#ifndef OPENSSL_NO_RSA +/* This function is aliased to mod_exp (with the mont stuff dropped). */ +static int surewarehk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) +{ + return surewarehk_modexp(r, a, p, m, ctx); +} + +/* Our internal RSA_METHOD that we provide pointers to */ +static RSA_METHOD surewarehk_rsa = + { + "SureWare RSA method", + NULL, /* pub_enc*/ + NULL, /* pub_dec*/ + surewarehk_rsa_sign, /* our rsa_sign is OpenSSL priv_enc*/ + surewarehk_rsa_priv_dec, /* priv_dec*/ + NULL, /*mod_exp*/ + surewarehk_mod_exp_mont, /*mod_exp_mongomery*/ + NULL, /* init*/ + NULL, /* finish*/ + 0, /* RSA flag*/ + NULL, + NULL, /* OpenSSL sign*/ + NULL /* OpenSSL verify*/ + }; +#endif + +#ifndef OPENSSL_NO_DH +/* Our internal DH_METHOD that we provide pointers to */ +/* This function is aliased to mod_exp (with the dh and mont dropped). */ +static int surewarehk_modexp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) +{ + return surewarehk_modexp(r, a, p, m, ctx); +} + +static DH_METHOD surewarehk_dh = + { + "SureWare DH method", + NULL,/*gen_key*/ + NULL,/*agree,*/ + surewarehk_modexp_dh, /*dh mod exp*/ + NULL, /* init*/ + NULL, /* finish*/ + 0, /* flags*/ + NULL + }; +#endif + +static RAND_METHOD surewarehk_rand = + { + /* "SureWare RAND method", */ + surewarehk_rand_seed, + surewarehk_rand_bytes, + NULL,/*cleanup*/ + surewarehk_rand_add, + surewarehk_rand_bytes, + NULL,/*rand_status*/ + }; + +#ifndef OPENSSL_NO_DSA +/* DSA stuff */ +static DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); +static int surewarehk_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, + BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +{ + BIGNUM t; + int to_return = 0; + BN_init(&t); + /* let rr = a1 ^ p1 mod m */ + if (!surewarehk_modexp(rr,a1,p1,m,ctx)) goto end; + /* let t = a2 ^ p2 mod m */ + if (!surewarehk_modexp(&t,a2,p2,m,ctx)) goto end; + /* let rr = rr * t mod m */ + if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end; + to_return = 1; +end: + BN_free(&t); + return to_return; +} + +static DSA_METHOD surewarehk_dsa = + { + "SureWare DSA method", + surewarehk_dsa_do_sign, + NULL,/*sign setup*/ + NULL,/*verify,*/ + surewarehk_dsa_mod_exp,/*mod exp*/ + NULL,/*bn mod exp*/ + NULL, /*init*/ + NULL,/*finish*/ + 0, + NULL, + }; +#endif + +static const char *engine_sureware_id = "sureware"; +static const char *engine_sureware_name = "SureWare hardware engine support"; + +/* Now, to our own code */ + +/* As this is only ever called once, there's no need for locking + * (indeed - the lock will already be held by our caller!!!) */ +static int bind_sureware(ENGINE *e) +{ +#ifndef OPENSSL_NO_RSA + const RSA_METHOD *meth1; +#endif +#ifndef OPENSSL_NO_DSA + const DSA_METHOD *meth2; +#endif +#ifndef OPENSSL_NO_DH + const DH_METHOD *meth3; +#endif + + if(!ENGINE_set_id(e, engine_sureware_id) || + !ENGINE_set_name(e, engine_sureware_name) || +#ifndef OPENSSL_NO_RSA + !ENGINE_set_RSA(e, &surewarehk_rsa) || +#endif +#ifndef OPENSSL_NO_DSA + !ENGINE_set_DSA(e, &surewarehk_dsa) || +#endif +#ifndef OPENSSL_NO_DH + !ENGINE_set_DH(e, &surewarehk_dh) || +#endif + !ENGINE_set_RAND(e, &surewarehk_rand) || + !ENGINE_set_destroy_function(e, surewarehk_destroy) || + !ENGINE_set_init_function(e, surewarehk_init) || + !ENGINE_set_finish_function(e, surewarehk_finish) || + !ENGINE_set_ctrl_function(e, surewarehk_ctrl) || + !ENGINE_set_load_privkey_function(e, surewarehk_load_privkey) || + !ENGINE_set_load_pubkey_function(e, surewarehk_load_pubkey)) + return 0; + +#ifndef OPENSSL_NO_RSA + /* We know that the "PKCS1_SSLeay()" functions hook properly + * to the cswift-specific mod_exp and mod_exp_crt so we use + * those functions. NB: We don't use ENGINE_openssl() or + * anything "more generic" because something like the RSAref + * code may not hook properly, and if you own one of these + * cards then you have the right to do RSA operations on it + * anyway! */ + meth1 = RSA_PKCS1_SSLeay(); + if (meth1) + { + surewarehk_rsa.rsa_pub_enc = meth1->rsa_pub_enc; + surewarehk_rsa.rsa_pub_dec = meth1->rsa_pub_dec; + } +#endif + +#ifndef OPENSSL_NO_DSA + /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish + * bits. */ + meth2 = DSA_OpenSSL(); + if (meth2) + { + surewarehk_dsa.dsa_do_verify = meth2->dsa_do_verify; + } +#endif + +#ifndef OPENSSL_NO_DH + /* Much the same for Diffie-Hellman */ + meth3 = DH_OpenSSL(); + if (meth3) + { + surewarehk_dh.generate_key = meth3->generate_key; + surewarehk_dh.compute_key = meth3->compute_key; + } +#endif + + /* Ensure the sureware error handling is set up */ + ERR_load_SUREWARE_strings(); + return 1; +} + +#ifdef ENGINE_DYNAMIC_SUPPORT +static int bind_helper(ENGINE *e, const char *id) + { + if(id && (strcmp(id, engine_sureware_id) != 0)) + return 0; + if(!bind_sureware(e)) + return 0; + return 1; + } +IMPLEMENT_DYNAMIC_CHECK_FN() +IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) +#else +static ENGINE *engine_sureware(void) + { + ENGINE *ret = ENGINE_new(); + if(!ret) + return NULL; + if(!bind_sureware(ret)) + { + ENGINE_free(ret); + return NULL; + } + return ret; + } + +void ENGINE_load_sureware(void) + { + /* Copied from eng_[openssl|dyn].c */ + ENGINE *toadd = engine_sureware(); + if(!toadd) return; + ENGINE_add(toadd); + ENGINE_free(toadd); + ERR_clear_error(); + } +#endif + +/* This is a process-global DSO handle used for loading and unloading + * the SureWareHook library. NB: This is only set (or unset) during an + * init() or finish() call (reference counts permitting) and they're + * operating with global locks, so this should be thread-safe + * implicitly. */ +static DSO *surewarehk_dso = NULL; +#ifndef OPENSSL_NO_RSA +static int rsaHndidx = -1; /* Index for KM handle. Not really used yet. */ +#endif +#ifndef OPENSSL_NO_DSA +static int dsaHndidx = -1; /* Index for KM handle. Not really used yet. */ +#endif + +/* These are the function pointers that are (un)set when the library has + * successfully (un)loaded. */ +static SureWareHook_Init_t *p_surewarehk_Init = NULL; +static SureWareHook_Finish_t *p_surewarehk_Finish = NULL; +static SureWareHook_Rand_Bytes_t *p_surewarehk_Rand_Bytes = NULL; +static SureWareHook_Rand_Seed_t *p_surewarehk_Rand_Seed = NULL; +static SureWareHook_Load_Privkey_t *p_surewarehk_Load_Privkey = NULL; +static SureWareHook_Info_Pubkey_t *p_surewarehk_Info_Pubkey = NULL; +static SureWareHook_Load_Rsa_Pubkey_t *p_surewarehk_Load_Rsa_Pubkey = NULL; +static SureWareHook_Load_Dsa_Pubkey_t *p_surewarehk_Load_Dsa_Pubkey = NULL; +static SureWareHook_Free_t *p_surewarehk_Free=NULL; +static SureWareHook_Rsa_Priv_Dec_t *p_surewarehk_Rsa_Priv_Dec=NULL; +static SureWareHook_Rsa_Sign_t *p_surewarehk_Rsa_Sign=NULL; +static SureWareHook_Dsa_Sign_t *p_surewarehk_Dsa_Sign=NULL; +static SureWareHook_Mod_Exp_t *p_surewarehk_Mod_Exp=NULL; + +/* Used in the DSO operations. */ +static const char *surewarehk_LIBNAME = "SureWareHook"; +static const char *n_surewarehk_Init = "SureWareHook_Init"; +static const char *n_surewarehk_Finish = "SureWareHook_Finish"; +static const char *n_surewarehk_Rand_Bytes="SureWareHook_Rand_Bytes"; +static const char *n_surewarehk_Rand_Seed="SureWareHook_Rand_Seed"; +static const char *n_surewarehk_Load_Privkey="SureWareHook_Load_Privkey"; +static const char *n_surewarehk_Info_Pubkey="SureWareHook_Info_Pubkey"; +static const char *n_surewarehk_Load_Rsa_Pubkey="SureWareHook_Load_Rsa_Pubkey"; +static const char *n_surewarehk_Load_Dsa_Pubkey="SureWareHook_Load_Dsa_Pubkey"; +static const char *n_surewarehk_Free="SureWareHook_Free"; +static const char *n_surewarehk_Rsa_Priv_Dec="SureWareHook_Rsa_Priv_Dec"; +static const char *n_surewarehk_Rsa_Sign="SureWareHook_Rsa_Sign"; +static const char *n_surewarehk_Dsa_Sign="SureWareHook_Dsa_Sign"; +static const char *n_surewarehk_Mod_Exp="SureWareHook_Mod_Exp"; +static BIO *logstream = NULL; + +/* SureWareHook library functions and mechanics - these are used by the + * higher-level functions further down. NB: As and where there's no + * error checking, take a look lower down where these functions are + * called, the checking and error handling is probably down there. +*/ +static int threadsafe=1; +static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) +{ + int to_return = 1; + + switch(cmd) + { + case ENGINE_CTRL_SET_LOGSTREAM: + { + BIO *bio = (BIO *)p; + CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); + if (logstream) + { + BIO_free(logstream); + logstream = NULL; + } + if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1) + logstream = bio; + else + SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL,SUREWARE_R_BIO_WAS_FREED); + } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); + break; + /* This will prevent the initialisation function from "installing" + * the mutex-handling callbacks, even if they are available from + * within the library (or were provided to the library from the + * calling application). This is to remove any baggage for + * applications not using multithreading. */ + case ENGINE_CTRL_CHIL_NO_LOCKING: + CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); + threadsafe = 0; + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); + break; + + /* The command isn't understood by this engine */ + default: + SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL, + ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED); + to_return = 0; + break; + } + + return to_return; +} + +/* Destructor (complements the "ENGINE_surewarehk()" constructor) */ +static int surewarehk_destroy(ENGINE *e) +{ + ERR_unload_SUREWARE_strings(); + return 1; +} + +/* (de)initialisation functions. */ +static int surewarehk_init(ENGINE *e) +{ + char msg[64]="ENGINE_init"; + SureWareHook_Init_t *p1=NULL; + SureWareHook_Finish_t *p2=NULL; + SureWareHook_Rand_Bytes_t *p3=NULL; + SureWareHook_Rand_Seed_t *p4=NULL; + SureWareHook_Load_Privkey_t *p5=NULL; + SureWareHook_Load_Rsa_Pubkey_t *p6=NULL; + SureWareHook_Free_t *p7=NULL; + SureWareHook_Rsa_Priv_Dec_t *p8=NULL; + SureWareHook_Rsa_Sign_t *p9=NULL; + SureWareHook_Dsa_Sign_t *p12=NULL; + SureWareHook_Info_Pubkey_t *p13=NULL; + SureWareHook_Load_Dsa_Pubkey_t *p14=NULL; + SureWareHook_Mod_Exp_t *p15=NULL; + + if(surewarehk_dso != NULL) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_ALREADY_LOADED); + goto err; + } + /* Attempt to load libsurewarehk.so/surewarehk.dll/whatever. */ + surewarehk_dso = DSO_load(NULL, surewarehk_LIBNAME, NULL, 0); + if(surewarehk_dso == NULL) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE); + goto err; + } + if(!(p1=(SureWareHook_Init_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Init)) || + !(p2=(SureWareHook_Finish_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Finish)) || + !(p3=(SureWareHook_Rand_Bytes_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Bytes)) || + !(p4=(SureWareHook_Rand_Seed_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Seed)) || + !(p5=(SureWareHook_Load_Privkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Privkey)) || + !(p6=(SureWareHook_Load_Rsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Rsa_Pubkey)) || + !(p7=(SureWareHook_Free_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Free)) || + !(p8=(SureWareHook_Rsa_Priv_Dec_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Priv_Dec)) || + !(p9=(SureWareHook_Rsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Sign)) || + !(p12=(SureWareHook_Dsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Dsa_Sign)) || + !(p13=(SureWareHook_Info_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Info_Pubkey)) || + !(p14=(SureWareHook_Load_Dsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Dsa_Pubkey)) || + !(p15=(SureWareHook_Mod_Exp_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Mod_Exp))) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE); + goto err; + } + /* Copy the pointers */ + p_surewarehk_Init = p1; + p_surewarehk_Finish = p2; + p_surewarehk_Rand_Bytes = p3; + p_surewarehk_Rand_Seed = p4; + p_surewarehk_Load_Privkey = p5; + p_surewarehk_Load_Rsa_Pubkey = p6; + p_surewarehk_Free = p7; + p_surewarehk_Rsa_Priv_Dec = p8; + p_surewarehk_Rsa_Sign = p9; + p_surewarehk_Dsa_Sign = p12; + p_surewarehk_Info_Pubkey = p13; + p_surewarehk_Load_Dsa_Pubkey = p14; + p_surewarehk_Mod_Exp = p15; + /* Contact the hardware and initialises it. */ + if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE); + goto err; + } + if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE); + goto err; + } + /* try to load the default private key, if failed does not return a failure but + wait for an explicit ENGINE_load_privakey */ + surewarehk_load_privkey(e,NULL,NULL,NULL); + + /* Everything's fine. */ +#ifndef OPENSSL_NO_RSA + if (rsaHndidx == -1) + rsaHndidx = RSA_get_ex_new_index(0, + "SureWareHook RSA key handle", + NULL, NULL, surewarehk_ex_free); +#endif +#ifndef OPENSSL_NO_DSA + if (dsaHndidx == -1) + dsaHndidx = DSA_get_ex_new_index(0, + "SureWareHook DSA key handle", + NULL, NULL, surewarehk_ex_free); +#endif + + return 1; +err: + if(surewarehk_dso) + DSO_free(surewarehk_dso); + surewarehk_dso = NULL; + p_surewarehk_Init = NULL; + p_surewarehk_Finish = NULL; + p_surewarehk_Rand_Bytes = NULL; + p_surewarehk_Rand_Seed = NULL; + p_surewarehk_Load_Privkey = NULL; + p_surewarehk_Load_Rsa_Pubkey = NULL; + p_surewarehk_Free = NULL; + p_surewarehk_Rsa_Priv_Dec = NULL; + p_surewarehk_Rsa_Sign = NULL; + p_surewarehk_Dsa_Sign = NULL; + p_surewarehk_Info_Pubkey = NULL; + p_surewarehk_Load_Dsa_Pubkey = NULL; + p_surewarehk_Mod_Exp = NULL; + return 0; +} + +static int surewarehk_finish(ENGINE *e) +{ + int to_return = 1; + if(surewarehk_dso == NULL) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_NOT_LOADED); + to_return = 0; + goto err; + } + p_surewarehk_Finish(); + if(!DSO_free(surewarehk_dso)) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_DSO_FAILURE); + to_return = 0; + goto err; + } + err: + if (logstream) + BIO_free(logstream); + surewarehk_dso = NULL; + p_surewarehk_Init = NULL; + p_surewarehk_Finish = NULL; + p_surewarehk_Rand_Bytes = NULL; + p_surewarehk_Rand_Seed = NULL; + p_surewarehk_Load_Privkey = NULL; + p_surewarehk_Load_Rsa_Pubkey = NULL; + p_surewarehk_Free = NULL; + p_surewarehk_Rsa_Priv_Dec = NULL; + p_surewarehk_Rsa_Sign = NULL; + p_surewarehk_Dsa_Sign = NULL; + p_surewarehk_Info_Pubkey = NULL; + p_surewarehk_Load_Dsa_Pubkey = NULL; + p_surewarehk_Mod_Exp = NULL; + return to_return; +} + +static void surewarehk_error_handling(char *const msg,int func,int ret) +{ + switch (ret) + { + case SUREWAREHOOK_ERROR_UNIT_FAILURE: + ENGINEerr(func,SUREWARE_R_UNIT_FAILURE); + break; + case SUREWAREHOOK_ERROR_FALLBACK: + ENGINEerr(func,SUREWARE_R_REQUEST_FALLBACK); + break; + case SUREWAREHOOK_ERROR_DATA_SIZE: + ENGINEerr(func,SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL); + break; + case SUREWAREHOOK_ERROR_INVALID_PAD: + ENGINEerr(func,RSA_R_PADDING_CHECK_FAILED); + break; + default: + ENGINEerr(func,SUREWARE_R_REQUEST_FAILED); + break; + case 1:/*nothing*/ + msg[0]='\0'; + } + if (*msg) + { + ERR_add_error_data(1,msg); + if (logstream) + { + CRYPTO_w_lock(CRYPTO_LOCK_BIO); + BIO_write(logstream, msg, strlen(msg)); + CRYPTO_w_unlock(CRYPTO_LOCK_BIO); + } + } +} + +static int surewarehk_rand_bytes(unsigned char *buf, int num) +{ + int ret=0; + char msg[64]="ENGINE_rand_bytes"; + if(!p_surewarehk_Rand_Bytes) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_BYTES,ENGINE_R_NOT_INITIALISED); + } + else + { + ret = p_surewarehk_Rand_Bytes(msg,buf, num); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_BYTES,ret); + } + return ret==1 ? 1 : 0; +} + +static void surewarehk_rand_seed(const void *buf, int num) +{ + int ret=0; + char msg[64]="ENGINE_rand_seed"; + if(!p_surewarehk_Rand_Seed) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_SEED,ENGINE_R_NOT_INITIALISED); + } + else + { + ret = p_surewarehk_Rand_Seed(msg,buf, num); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_SEED,ret); + } +} + +static void surewarehk_rand_add(const void *buf, int num, double entropy) +{ + surewarehk_rand_seed(buf,num); +} + +static EVP_PKEY* sureware_load_public(ENGINE *e,const char *key_id,char *hptr,unsigned long el,char keytype) +{ + EVP_PKEY *res = NULL; +#ifndef OPENSSL_NO_RSA + RSA *rsatmp = NULL; +#endif +#ifndef OPENSSL_NO_DSA + DSA *dsatmp=NULL; +#endif + char msg[64]="sureware_load_public"; + int ret=0; + if(!p_surewarehk_Load_Rsa_Pubkey || !p_surewarehk_Load_Dsa_Pubkey) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED); + goto err; + } + switch (keytype) + { +#ifndef OPENSSL_NO_RSA + case 1: /*RSA*/ + /* set private external reference */ + rsatmp = RSA_new_method(e); + RSA_set_ex_data(rsatmp,rsaHndidx,hptr); + rsatmp->flags |= RSA_FLAG_EXT_PKEY; + + /* set public big nums*/ + rsatmp->e = BN_new(); + rsatmp->n = BN_new(); + bn_expand2(rsatmp->e, el/sizeof(BN_ULONG)); + bn_expand2(rsatmp->n, el/sizeof(BN_ULONG)); + if (!rsatmp->e || rsatmp->e->dmax!=(int)(el/sizeof(BN_ULONG))|| + !rsatmp->n || rsatmp->n->dmax!=(int)(el/sizeof(BN_ULONG))) + goto err; + ret=p_surewarehk_Load_Rsa_Pubkey(msg,key_id,el, + (unsigned long *)rsatmp->n->d, + (unsigned long *)rsatmp->e->d); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret); + if (ret!=1) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); + goto err; + } + /* normalise pub e and pub n */ + rsatmp->e->top=el/sizeof(BN_ULONG); + bn_fix_top(rsatmp->e); + rsatmp->n->top=el/sizeof(BN_ULONG); + bn_fix_top(rsatmp->n); + /* create an EVP object: engine + rsa key */ + res = EVP_PKEY_new(); + EVP_PKEY_assign_RSA(res, rsatmp); + break; +#endif + +#ifndef OPENSSL_NO_DSA + case 2:/*DSA*/ + /* set private/public external reference */ + dsatmp = DSA_new_method(e); + DSA_set_ex_data(dsatmp,dsaHndidx,hptr); + /*dsatmp->flags |= DSA_FLAG_EXT_PKEY;*/ + + /* set public key*/ + dsatmp->pub_key = BN_new(); + dsatmp->p = BN_new(); + dsatmp->q = BN_new(); + dsatmp->g = BN_new(); + bn_expand2(dsatmp->pub_key, el/sizeof(BN_ULONG)); + bn_expand2(dsatmp->p, el/sizeof(BN_ULONG)); + bn_expand2(dsatmp->q, 20/sizeof(BN_ULONG)); + bn_expand2(dsatmp->g, el/sizeof(BN_ULONG)); + if (!dsatmp->pub_key || dsatmp->pub_key->dmax!=(int)(el/sizeof(BN_ULONG))|| + !dsatmp->p || dsatmp->p->dmax!=(int)(el/sizeof(BN_ULONG)) || + !dsatmp->q || dsatmp->q->dmax!=20/sizeof(BN_ULONG) || + !dsatmp->g || dsatmp->g->dmax!=(int)(el/sizeof(BN_ULONG))) + goto err; + + ret=p_surewarehk_Load_Dsa_Pubkey(msg,key_id,el, + (unsigned long *)dsatmp->pub_key->d, + (unsigned long *)dsatmp->p->d, + (unsigned long *)dsatmp->q->d, + (unsigned long *)dsatmp->g->d); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret); + if (ret!=1) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); + goto err; + } + /* set parameters */ + /* normalise pubkey and parameters in case of */ + dsatmp->pub_key->top=el/sizeof(BN_ULONG); + bn_fix_top(dsatmp->pub_key); + dsatmp->p->top=el/sizeof(BN_ULONG); + bn_fix_top(dsatmp->p); + dsatmp->q->top=20/sizeof(BN_ULONG); + bn_fix_top(dsatmp->q); + dsatmp->g->top=el/sizeof(BN_ULONG); + bn_fix_top(dsatmp->g); + + /* create an EVP object: engine + rsa key */ + res = EVP_PKEY_new(); + EVP_PKEY_assign_DSA(res, dsatmp); + break; +#endif + + default: + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY); + goto err; + } + return res; + err: + if (res) + EVP_PKEY_free(res); +#ifndef OPENSSL_NO_RSA + if (rsatmp) + RSA_free(rsatmp); +#endif +#ifndef OPENSSL_NO_DSA + if (dsatmp) + DSA_free(dsatmp); +#endif + return NULL; +} + +static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id, + UI_METHOD *ui_method, void *callback_data) +{ + EVP_PKEY *res = NULL; + int ret=0; + unsigned long el=0; + char *hptr=NULL; + char keytype=0; + char msg[64]="ENGINE_load_privkey"; + + if(!p_surewarehk_Load_Privkey) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_NOT_INITIALISED); + } + else + { + ret=p_surewarehk_Load_Privkey(msg,key_id,&hptr,&el,&keytype); + if (ret!=1) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY); + ERR_add_error_data(1,msg); + } + else + res=sureware_load_public(e,key_id,hptr,el,keytype); + } + return res; +} + +static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id, + UI_METHOD *ui_method, void *callback_data) +{ + EVP_PKEY *res = NULL; + int ret=0; + unsigned long el=0; + char *hptr=NULL; + char keytype=0; + char msg[64]="ENGINE_load_pubkey"; + + if(!p_surewarehk_Info_Pubkey) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED); + } + else + { + /* call once to identify if DSA or RSA */ + ret=p_surewarehk_Info_Pubkey(msg,key_id,&el,&keytype); + if (ret!=1) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); + ERR_add_error_data(1,msg); + } + else + res=sureware_load_public(e,key_id,hptr,el,keytype); + } + return res; +} + +/* This cleans up an RSA/DSA KM key(do not destroy the key into the hardware) +, called when ex_data is freed */ +static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, + int idx,long argl, void *argp) +{ + if(!p_surewarehk_Free) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED); + } + else + p_surewarehk_Free((char *)item,0); +} + +#if 0 +/* This cleans up an DH KM key (destroys the key into hardware), +called when ex_data is freed */ +static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, + int idx,long argl, void *argp) +{ + if(!p_surewarehk_Free) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED); + } + else + p_surewarehk_Free((char *)item,1); +} +#endif + +/* +* return number of decrypted bytes +*/ +#ifndef OPENSSL_NO_RSA +static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to, + RSA *rsa,int padding) +{ + int ret=0,tlen; + char *buf=NULL,*hptr=NULL; + char msg[64]="ENGINE_rsa_priv_dec"; + if (!p_surewarehk_Rsa_Priv_Dec) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ENGINE_R_NOT_INITIALISED); + } + /* extract ref to private key */ + else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx))) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,SUREWARE_R_MISSING_KEY_COMPONENTS); + goto err; + } + /* analyse what padding we can do into the hardware */ + if (padding==RSA_PKCS1_PADDING) + { + /* do it one shot */ + ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret); + if (ret!=1) + goto err; + ret=tlen; + } + else /* do with no padding into hardware */ + { + ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_NO_PAD); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret); + if (ret!=1) + goto err; + /* intermediate buffer for padding */ + if ((buf=OPENSSL_malloc(tlen)) == NULL) + { + RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ERR_R_MALLOC_FAILURE); + goto err; + } + memcpy(buf,to,tlen);/* transfert to into buf */ + switch (padding) /* check padding in software */ + { +#ifndef OPENSSL_NO_SHA + case RSA_PKCS1_OAEP_PADDING: + ret=RSA_padding_check_PKCS1_OAEP(to,tlen,(unsigned char *)buf,tlen,tlen,NULL,0); + break; +#endif + case RSA_SSLV23_PADDING: + ret=RSA_padding_check_SSLv23(to,tlen,(unsigned char *)buf,flen,tlen); + break; + case RSA_NO_PADDING: + ret=RSA_padding_check_none(to,tlen,(unsigned char *)buf,flen,tlen); + break; + default: + RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_UNKNOWN_PADDING_TYPE); + goto err; + } + if (ret < 0) + RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_PADDING_CHECK_FAILED); + } +err: + if (buf) + { + OPENSSL_cleanse(buf,tlen); + OPENSSL_free(buf); + } + return ret; +} + +/* +* Does what OpenSSL rsa_priv_enc does. +*/ +static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to, + RSA *rsa,int padding) +{ + int ret=0,tlen; + char *hptr=NULL; + char msg[64]="ENGINE_rsa_sign"; + if (!p_surewarehk_Rsa_Sign) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,ENGINE_R_NOT_INITIALISED); + } + /* extract ref to private key */ + else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx))) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,SUREWARE_R_MISSING_KEY_COMPONENTS); + } + else + { + switch (padding) + { + case RSA_PKCS1_PADDING: /* do it in one shot */ + ret=p_surewarehk_Rsa_Sign(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,ret); + break; + case RSA_NO_PADDING: + default: + RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,RSA_R_UNKNOWN_PADDING_TYPE); + } + } + return ret==1 ? tlen : ret; +} + +#endif + +#ifndef OPENSSL_NO_DSA +/* DSA sign and verify */ +static DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *from, int flen, DSA *dsa) +{ + int ret=0; + char *hptr=NULL; + DSA_SIG *psign=NULL; + char msg[64]="ENGINE_dsa_do_sign"; + if (!p_surewarehk_Dsa_Sign) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ENGINE_R_NOT_INITIALISED); + } + /* extract ref to private key */ + else if (!(hptr=DSA_get_ex_data(dsa, dsaHndidx))) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,SUREWARE_R_MISSING_KEY_COMPONENTS); + } + else + { + if((psign = DSA_SIG_new()) == NULL) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ERR_R_MALLOC_FAILURE); + goto err; + } + psign->r=BN_new(); + psign->s=BN_new(); + bn_expand2(psign->r, 20/sizeof(BN_ULONG)); + bn_expand2(psign->s, 20/sizeof(BN_ULONG)); + if (!psign->r || psign->r->dmax!=20/sizeof(BN_ULONG) || + !psign->s || psign->s->dmax!=20/sizeof(BN_ULONG)) + goto err; + ret=p_surewarehk_Dsa_Sign(msg,flen,from, + (unsigned long *)psign->r->d, + (unsigned long *)psign->s->d, + hptr); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ret); + } + psign->r->top=20/sizeof(BN_ULONG); + bn_fix_top(psign->r); + psign->s->top=20/sizeof(BN_ULONG); + bn_fix_top(psign->s); + +err: + if (psign) + { + DSA_SIG_free(psign); + psign=NULL; + } + return psign; +} +#endif + +static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx) +{ + int ret=0; + char msg[64]="ENGINE_modexp"; + if (!p_surewarehk_Mod_Exp) + { + SUREWAREerr(SUREWARE_F_SUREWAREHK_MOD_EXP,ENGINE_R_NOT_INITIALISED); + } + else + { + bn_expand2(r,m->top); + if (r && r->dmax==m->top) + { + /* do it*/ + ret=p_surewarehk_Mod_Exp(msg, + m->top*sizeof(BN_ULONG), + (unsigned long *)m->d, + p->top*sizeof(BN_ULONG), + (unsigned long *)p->d, + a->top*sizeof(BN_ULONG), + (unsigned long *)a->d, + (unsigned long *)r->d); + surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_MOD_EXP,ret); + if (ret==1) + { + /* normalise result */ + r->top=m->top; + bn_fix_top(r); + } + } + } + return ret; +} +#endif /* !OPENSSL_NO_HW_SureWare */ +#endif /* !OPENSSL_NO_HW */ diff --git a/src/lib/libssl/src/crypto/engine/hw_ubsec.c b/src/lib/libssl/src/crypto/engine/hw_ubsec.c index ed8401ec16..6286dd851c 100644 --- a/src/lib/libssl/src/crypto/engine/hw_ubsec.c +++ b/src/lib/libssl/src/crypto/engine/hw_ubsec.c @@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e) return 1; } +#ifndef ENGINE_DYNAMIC_SUPPORT static ENGINE *engine_ubsec(void) { ENGINE *ret = ENGINE_new(); @@ -264,6 +265,7 @@ void ENGINE_load_ubsec(void) ENGINE_free(toadd); ERR_clear_error(); } +#endif /* This is a process-global DSO handle used for loading and unloading * the UBSEC library. NB: This is only set (or unset) during an diff --git a/src/lib/libssl/src/crypto/engine/tb_cipher.c b/src/lib/libssl/src/crypto/engine/tb_cipher.c index c5a50fc910..50b3cec1fa 100644 --- a/src/lib/libssl/src/crypto/engine/tb_cipher.c +++ b/src/lib/libssl/src/crypto/engine/tb_cipher.c @@ -81,7 +81,7 @@ int ENGINE_register_ciphers(ENGINE *e) int num_nids = e->ciphers(e, NULL, &nids, 0); if(num_nids > 0) return engine_table_register(&cipher_table, - &engine_unregister_all_ciphers, e, nids, + engine_unregister_all_ciphers, e, nids, num_nids, 0); } return 1; @@ -103,7 +103,7 @@ int ENGINE_set_default_ciphers(ENGINE *e) int num_nids = e->ciphers(e, NULL, &nids, 0); if(num_nids > 0) return engine_table_register(&cipher_table, - &engine_unregister_all_ciphers, e, nids, + engine_unregister_all_ciphers, e, nids, num_nids, 1); } return 1; diff --git a/src/lib/libssl/src/crypto/engine/tb_dh.c b/src/lib/libssl/src/crypto/engine/tb_dh.c index c9347235ea..e290e1702b 100644 --- a/src/lib/libssl/src/crypto/engine/tb_dh.c +++ b/src/lib/libssl/src/crypto/engine/tb_dh.c @@ -78,7 +78,7 @@ int ENGINE_register_DH(ENGINE *e) { if(e->dh_meth) return engine_table_register(&dh_table, - &engine_unregister_all_DH, e, &dummy_nid, 1, 0); + engine_unregister_all_DH, e, &dummy_nid, 1, 0); return 1; } @@ -94,7 +94,7 @@ int ENGINE_set_default_DH(ENGINE *e) { if(e->dh_meth) return engine_table_register(&dh_table, - &engine_unregister_all_DH, e, &dummy_nid, 1, 1); + engine_unregister_all_DH, e, &dummy_nid, 1, 1); return 1; } diff --git a/src/lib/libssl/src/crypto/engine/tb_digest.c b/src/lib/libssl/src/crypto/engine/tb_digest.c index 2c4dd6f796..e82d2a17c9 100644 --- a/src/lib/libssl/src/crypto/engine/tb_digest.c +++ b/src/lib/libssl/src/crypto/engine/tb_digest.c @@ -81,7 +81,7 @@ int ENGINE_register_digests(ENGINE *e) int num_nids = e->digests(e, NULL, &nids, 0); if(num_nids > 0) return engine_table_register(&digest_table, - &engine_unregister_all_digests, e, nids, + engine_unregister_all_digests, e, nids, num_nids, 0); } return 1; @@ -103,7 +103,7 @@ int ENGINE_set_default_digests(ENGINE *e) int num_nids = e->digests(e, NULL, &nids, 0); if(num_nids > 0) return engine_table_register(&digest_table, - &engine_unregister_all_digests, e, nids, + engine_unregister_all_digests, e, nids, num_nids, 1); } return 1; diff --git a/src/lib/libssl/src/crypto/engine/tb_dsa.c b/src/lib/libssl/src/crypto/engine/tb_dsa.c index e9209476b8..80170591f2 100644 --- a/src/lib/libssl/src/crypto/engine/tb_dsa.c +++ b/src/lib/libssl/src/crypto/engine/tb_dsa.c @@ -78,7 +78,7 @@ int ENGINE_register_DSA(ENGINE *e) { if(e->dsa_meth) return engine_table_register(&dsa_table, - &engine_unregister_all_DSA, e, &dummy_nid, 1, 0); + engine_unregister_all_DSA, e, &dummy_nid, 1, 0); return 1; } @@ -94,7 +94,7 @@ int ENGINE_set_default_DSA(ENGINE *e) { if(e->dsa_meth) return engine_table_register(&dsa_table, - &engine_unregister_all_DSA, e, &dummy_nid, 1, 0); + engine_unregister_all_DSA, e, &dummy_nid, 1, 0); return 1; } diff --git a/src/lib/libssl/src/crypto/engine/tb_rand.c b/src/lib/libssl/src/crypto/engine/tb_rand.c index 0b1d031f1e..69b67111bc 100644 --- a/src/lib/libssl/src/crypto/engine/tb_rand.c +++ b/src/lib/libssl/src/crypto/engine/tb_rand.c @@ -78,7 +78,7 @@ int ENGINE_register_RAND(ENGINE *e) { if(e->rand_meth) return engine_table_register(&rand_table, - &engine_unregister_all_RAND, e, &dummy_nid, 1, 0); + engine_unregister_all_RAND, e, &dummy_nid, 1, 0); return 1; } @@ -94,7 +94,7 @@ int ENGINE_set_default_RAND(ENGINE *e) { if(e->rand_meth) return engine_table_register(&rand_table, - &engine_unregister_all_RAND, e, &dummy_nid, 1, 1); + engine_unregister_all_RAND, e, &dummy_nid, 1, 1); return 1; } diff --git a/src/lib/libssl/src/crypto/engine/tb_rsa.c b/src/lib/libssl/src/crypto/engine/tb_rsa.c index f84fea3968..fee4867f52 100644 --- a/src/lib/libssl/src/crypto/engine/tb_rsa.c +++ b/src/lib/libssl/src/crypto/engine/tb_rsa.c @@ -78,7 +78,7 @@ int ENGINE_register_RSA(ENGINE *e) { if(e->rsa_meth) return engine_table_register(&rsa_table, - &engine_unregister_all_RSA, e, &dummy_nid, 1, 0); + engine_unregister_all_RSA, e, &dummy_nid, 1, 0); return 1; } @@ -94,7 +94,7 @@ int ENGINE_set_default_RSA(ENGINE *e) { if(e->rsa_meth) return engine_table_register(&rsa_table, - &engine_unregister_all_RSA, e, &dummy_nid, 1, 1); + engine_unregister_all_RSA, e, &dummy_nid, 1, 1); return 1; } diff --git a/src/lib/libssl/src/crypto/engine/vendor_defns/hw_ubsec.h b/src/lib/libssl/src/crypto/engine/vendor_defns/hw_ubsec.h new file mode 100644 index 0000000000..b6619d40f2 --- /dev/null +++ b/src/lib/libssl/src/crypto/engine/vendor_defns/hw_ubsec.h @@ -0,0 +1,100 @@ +/****************************************************************************** + * + * Copyright 2000 + * Broadcom Corporation + * 16215 Alton Parkway + * PO Box 57013 + * Irvine CA 92619-7013 + * + *****************************************************************************/ +/* + * Broadcom Corporation uBSec SDK + */ +/* + * Character device header file. + */ +/* + * Revision History: + * + * October 2000 JTT Created. + */ + +#define MAX_PUBLIC_KEY_BITS (1024) +#define MAX_PUBLIC_KEY_BYTES (1024/8) +#define SHA_BIT_SIZE (160) +#define MAX_CRYPTO_KEY_LENGTH 24 +#define MAX_MAC_KEY_LENGTH 64 +#define UBSEC_CRYPTO_DEVICE_NAME ((unsigned char *)"/dev/ubscrypt") +#define UBSEC_KEY_DEVICE_NAME ((unsigned char *)"/dev/ubskey") + +/* Math command types. */ +#define UBSEC_MATH_MODADD 0x0001 +#define UBSEC_MATH_MODSUB 0x0002 +#define UBSEC_MATH_MODMUL 0x0004 +#define UBSEC_MATH_MODEXP 0x0008 +#define UBSEC_MATH_MODREM 0x0010 +#define UBSEC_MATH_MODINV 0x0020 + +typedef long ubsec_MathCommand_t; +typedef long ubsec_RNGCommand_t; + +typedef struct ubsec_crypto_context_s { + unsigned int flags; + unsigned char crypto[MAX_CRYPTO_KEY_LENGTH]; + unsigned char auth[MAX_MAC_KEY_LENGTH]; +} ubsec_crypto_context_t, *ubsec_crypto_context_p; + +/* + * Predeclare the function pointer types that we dynamically load from the DSO. + */ + +typedef int t_UBSEC_ubsec_bytes_to_bits(unsigned char *n, int bytes); + +typedef int t_UBSEC_ubsec_bits_to_bytes(int bits); + +typedef int t_UBSEC_ubsec_open(unsigned char *device); + +typedef int t_UBSEC_ubsec_close(int fd); + +typedef int t_UBSEC_diffie_hellman_generate_ioctl (int fd, + unsigned char *x, int *x_len, unsigned char *y, int *y_len, + unsigned char *g, int g_len, unsigned char *m, int m_len, + unsigned char *userX, int userX_len, int random_bits); + +typedef int t_UBSEC_diffie_hellman_agree_ioctl (int fd, + unsigned char *x, int x_len, unsigned char *y, int y_len, + unsigned char *m, int m_len, unsigned char *k, int *k_len); + +typedef int t_UBSEC_rsa_mod_exp_ioctl (int fd, + unsigned char *x, int x_len, unsigned char *m, int m_len, + unsigned char *e, int e_len, unsigned char *y, int *y_len); + +typedef int t_UBSEC_rsa_mod_exp_crt_ioctl (int fd, + unsigned char *x, int x_len, unsigned char *qinv, int qinv_len, + unsigned char *edq, int edq_len, unsigned char *q, int q_len, + unsigned char *edp, int edp_len, unsigned char *p, int p_len, + unsigned char *y, int *y_len); + +typedef int t_UBSEC_dsa_sign_ioctl (int fd, + int hash, unsigned char *data, int data_len, + unsigned char *rndom, int random_len, + unsigned char *p, int p_len, unsigned char *q, int q_len, + unsigned char *g, int g_len, unsigned char *key, int key_len, + unsigned char *r, int *r_len, unsigned char *s, int *s_len); + +typedef int t_UBSEC_dsa_verify_ioctl (int fd, + int hash, unsigned char *data, int data_len, + unsigned char *p, int p_len, unsigned char *q, int q_len, + unsigned char *g, int g_len, unsigned char *key, int key_len, + unsigned char *r, int r_len, unsigned char *s, int s_len, + unsigned char *v, int *v_len); + +typedef int t_UBSEC_math_accelerate_ioctl(int fd, ubsec_MathCommand_t command, + unsigned char *ModN, int *ModN_len, unsigned char *ExpE, int *ExpE_len, + unsigned char *ParamA, int *ParamA_len, unsigned char *ParamB, int *ParamB_len, + unsigned char *Result, int *Result_len); + +typedef int t_UBSEC_rng_ioctl(int fd, ubsec_RNGCommand_t command, + unsigned char *Result, int *Result_len); + +typedef int t_UBSEC_max_key_len_ioctl(int fd, int *max_key_len); diff --git a/src/lib/libssl/src/crypto/engine/vendor_defns/hwcryptohook.h b/src/lib/libssl/src/crypto/engine/vendor_defns/hwcryptohook.h new file mode 100644 index 0000000000..aaa4d4575e --- /dev/null +++ b/src/lib/libssl/src/crypto/engine/vendor_defns/hwcryptohook.h @@ -0,0 +1,486 @@ +/* + * ModExp / RSA (with/without KM) plugin API + * + * The application will load a dynamic library which + * exports entrypoint(s) defined in this file. + * + * This set of entrypoints provides only a multithreaded, + * synchronous-within-each-thread, facility. + * + * + * This file is Copyright 1998-2000 nCipher Corporation Limited. + * + * Redistribution and use in source and binary forms, with opr without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the copyright notice, + * this list of conditions, and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions, and the following + * disclaimer, in the documentation and/or other materials provided + * with the distribution + * + * IN NO EVENT SHALL NCIPHER CORPORATION LIMITED (`NCIPHER') AND/OR + * ANY OTHER AUTHORS OR DISTRIBUTORS OF THIS FILE BE LIABLE for any + * damages arising directly or indirectly from this file, its use or + * this licence. Without prejudice to the generality of the + * foregoing: all liability shall be excluded for direct, indirect, + * special, incidental, consequential or other damages or any loss of + * profits, business, revenue goodwill or anticipated savings; + * liability shall be excluded even if nCipher or anyone else has been + * advised of the possibility of damage. In any event, if the + * exclusion of liability is not effective, the liability of nCipher + * or any author or distributor shall be limited to the lesser of the + * price paid and 1,000 pounds sterling. This licence only fails to + * exclude or limit liability for death or personal injury arising out + * of negligence, and only to the extent that such an exclusion or + * limitation is not effective. + * + * NCIPHER AND THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ALL + * AND ANY WARRANTIES (WHETHER EXPRESS OR IMPLIED), including, but not + * limited to, any implied warranties of merchantability, fitness for + * a particular purpose, satisfactory quality, and/or non-infringement + * of any third party rights. + * + * US Government use: This software and documentation is Commercial + * Computer Software and Computer Software Documentation, as defined in + * sub-paragraphs (a)(1) and (a)(5) of DFAR 252.227-7014, "Rights in + * Noncommercial Computer Software and Noncommercial Computer Software + * Documentation." Use, duplication or disclosure by the Government is + * subject to the terms and conditions specified here. + * + * By using or distributing this file you will be accepting these + * terms and conditions, including the limitation of liability and + * lack of warranty. If you do not wish to accept these terms and + * conditions, DO NOT USE THE FILE. + * + * + * The actual dynamically loadable plugin, and the library files for + * static linking, which are also provided in some distributions, are + * not covered by the licence described above. You should have + * received a separate licence with terms and conditions for these + * library files; if you received the library files without a licence, + * please contact nCipher. + * + * + * $Id: hwcryptohook.h,v 1.1.1.1 2003/05/11 21:35:16 markus Exp $ + */ + +#ifndef HWCRYPTOHOOK_H +#define HWCRYPTOHOOK_H + +#include +#include + +#ifndef HWCRYPTOHOOK_DECLARE_APPTYPES +#define HWCRYPTOHOOK_DECLARE_APPTYPES 1 +#endif + +#define HWCRYPTOHOOK_ERROR_FAILED -1 +#define HWCRYPTOHOOK_ERROR_FALLBACK -2 +#define HWCRYPTOHOOK_ERROR_MPISIZE -3 + +#if HWCRYPTOHOOK_DECLARE_APPTYPES + +/* These structs are defined by the application and opaque to the + * crypto plugin. The application may define these as it sees fit. + * Default declarations are provided here, but the application may + * #define HWCRYPTOHOOK_DECLARE_APPTYPES 0 + * to prevent these declarations, and instead provide its own + * declarations of these types. (Pointers to them must still be + * ordinary pointers to structs or unions, or the resulting combined + * program will have a type inconsistency.) + */ +typedef struct HWCryptoHook_MutexValue HWCryptoHook_Mutex; +typedef struct HWCryptoHook_CondVarValue HWCryptoHook_CondVar; +typedef struct HWCryptoHook_PassphraseContextValue HWCryptoHook_PassphraseContext; +typedef struct HWCryptoHook_CallerContextValue HWCryptoHook_CallerContext; + +#endif /* HWCRYPTOHOOK_DECLARE_APPTYPES */ + +/* These next two structs are opaque to the application. The crypto + * plugin will return pointers to them; the caller simply manipulates + * the pointers. + */ +typedef struct HWCryptoHook_Context *HWCryptoHook_ContextHandle; +typedef struct HWCryptoHook_RSAKey *HWCryptoHook_RSAKeyHandle; + +typedef struct { + char *buf; + size_t size; +} HWCryptoHook_ErrMsgBuf; +/* Used for error reporting. When a HWCryptoHook function fails it + * will return a sentinel value (0 for pointer-valued functions, or a + * negative number, usually HWCRYPTOHOOK_ERROR_FAILED, for + * integer-valued ones). It will, if an ErrMsgBuf is passed, also put + * an error message there. + * + * size is the size of the buffer, and will not be modified. If you + * pass 0 for size you must pass 0 for buf, and nothing will be + * recorded (just as if you passed 0 for the struct pointer). + * Messages written to the buffer will always be null-terminated, even + * when truncated to fit within size bytes. + * + * The contents of the buffer are not defined if there is no error. + */ + +typedef struct HWCryptoHook_MPIStruct { + unsigned char *buf; + size_t size; +} HWCryptoHook_MPI; +/* When one of these is returned, a pointer is passed to the function. + * At call, size is the space available. Afterwards it is updated to + * be set to the actual length (which may be more than the space available, + * if there was not enough room and the result was truncated). + * buf (the pointer) is not updated. + * + * size is in bytes and may be zero at call or return, but must be a + * multiple of the limb size. Zero limbs at the MS end are not + * permitted. + */ + +#define HWCryptoHook_InitFlags_FallbackModExp 0x0002UL +#define HWCryptoHook_InitFlags_FallbackRSAImmed 0x0004UL +/* Enable requesting fallback to software in case of problems with the + * hardware support. This indicates to the crypto provider that the + * application is prepared to fall back to software operation if the + * ModExp* or RSAImmed* functions return HWCRYPTOHOOK_ERROR_FALLBACK. + * Without this flag those calls will never return + * HWCRYPTOHOOK_ERROR_FALLBACK. The flag will also cause the crypto + * provider to avoid repeatedly attempting to contact dead hardware + * within a short interval, if appropriate. + */ + +#define HWCryptoHook_InitFlags_SimpleForkCheck 0x0010UL +/* Without _SimpleForkCheck the library is allowed to assume that the + * application will not fork and call the library in the child(ren). + * + * When it is specified, this is allowed. However, after a fork + * neither parent nor child may unload any loaded keys or call + * _Finish. Instead, they should call exit (or die with a signal) + * without calling _Finish. After all the children have died the + * parent may unload keys or call _Finish. + * + * This flag only has any effect on UN*X platforms. + */ + +typedef struct { + unsigned long flags; + void *logstream; /* usually a FILE*. See below. */ + + size_t limbsize; /* bignum format - size of radix type, must be power of 2 */ + int mslimbfirst; /* 0 or 1 */ + int msbytefirst; /* 0 or 1; -1 = native */ + + /* All the callback functions should return 0 on success, or a + * nonzero integer (whose value will be visible in the error message + * put in the buffer passed to the call). + * + * If a callback is not available pass a null function pointer. + * + * The callbacks may not call down again into the crypto plugin. + */ + + /* For thread-safety. Set everything to 0 if you promise only to be + * singlethreaded. maxsimultaneous is the number of calls to + * ModExp[Crt]/RSAImmed{Priv,Pub}/RSA. If you don't know what to + * put there then say 0 and the hook library will use a default. + * + * maxmutexes is a small limit on the number of simultaneous mutexes + * which will be requested by the library. If there is no small + * limit, set it to 0. If the crypto plugin cannot create the + * advertised number of mutexes the calls to its functions may fail. + * If a low number of mutexes is advertised the plugin will try to + * do the best it can. Making larger numbers of mutexes available + * may improve performance and parallelism by reducing contention + * over critical sections. Unavailability of any mutexes, implying + * single-threaded operation, should be indicated by the setting + * mutex_init et al to 0. + */ + int maxmutexes; + int maxsimultaneous; + size_t mutexsize; + int (*mutex_init)(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext *cactx); + int (*mutex_acquire)(HWCryptoHook_Mutex*); + void (*mutex_release)(HWCryptoHook_Mutex*); + void (*mutex_destroy)(HWCryptoHook_Mutex*); + + /* For greater efficiency, can use condition vars internally for + * synchronisation. In this case maxsimultaneous is ignored, but + * the other mutex stuff must be available. In singlethreaded + * programs, set everything to 0. + */ + size_t condvarsize; + int (*condvar_init)(HWCryptoHook_CondVar*, HWCryptoHook_CallerContext *cactx); + int (*condvar_wait)(HWCryptoHook_CondVar*, HWCryptoHook_Mutex*); + void (*condvar_signal)(HWCryptoHook_CondVar*); + void (*condvar_broadcast)(HWCryptoHook_CondVar*); + void (*condvar_destroy)(HWCryptoHook_CondVar*); + + /* The semantics of acquiring and releasing mutexes and broadcasting + * and waiting on condition variables are expected to be those from + * POSIX threads (pthreads). The mutexes may be (in pthread-speak) + * fast mutexes, recursive mutexes, or nonrecursive ones. + * + * The _release/_signal/_broadcast and _destroy functions must + * always succeed when given a valid argument; if they are given an + * invalid argument then the program (crypto plugin + application) + * has an internal error, and they should abort the program. + */ + + int (*getpassphrase)(const char *prompt_info, + int *len_io, char *buf, + HWCryptoHook_PassphraseContext *ppctx, + HWCryptoHook_CallerContext *cactx); + /* Passphrases and the prompt_info, if they contain high-bit-set + * characters, are UTF-8. The prompt_info may be a null pointer if + * no prompt information is available (it should not be an empty + * string). It will not contain text like `enter passphrase'; + * instead it might say something like `Operator Card for John + * Smith' or `SmartCard in nFast Module #1, Slot #1'. + * + * buf points to a buffer in which to return the passphrase; on + * entry *len_io is the length of the buffer. It should be updated + * by the callback. The returned passphrase should not be + * null-terminated by the callback. + */ + + int (*getphystoken)(const char *prompt_info, + const char *wrong_info, + HWCryptoHook_PassphraseContext *ppctx, + HWCryptoHook_CallerContext *cactx); + /* Requests that the human user physically insert a different + * smartcard, DataKey, etc. The plugin should check whether the + * currently inserted token(s) are appropriate, and if they are it + * should not make this call. + * + * prompt_info is as before. wrong_info is a description of the + * currently inserted token(s) so that the user is told what + * something is. wrong_info, like prompt_info, may be null, but + * should not be an empty string. Its contents should be + * syntactically similar to that of prompt_info. + */ + + /* Note that a single LoadKey operation might cause several calls to + * getpassphrase and/or requestphystoken. If requestphystoken is + * not provided (ie, a null pointer is passed) then the plugin may + * not support loading keys for which authorisation by several cards + * is required. If getpassphrase is not provided then cards with + * passphrases may not be supported. + * + * getpassphrase and getphystoken do not need to check that the + * passphrase has been entered correctly or the correct token + * inserted; the crypto plugin will do that. If this is not the + * case then the crypto plugin is responsible for calling these + * routines again as appropriate until the correct token(s) and + * passphrase(s) are supplied as required, or until any retry limits + * implemented by the crypto plugin are reached. + * + * In either case, the application must allow the user to say `no' + * or `cancel' to indicate that they do not know the passphrase or + * have the appropriate token; this should cause the callback to + * return nonzero indicating error. + */ + + void (*logmessage)(void *logstream, const char *message); + /* A log message will be generated at least every time something goes + * wrong and an ErrMsgBuf is filled in (or would be if one was + * provided). Other diagnostic information may be written there too, + * including more detailed reasons for errors which are reported in an + * ErrMsgBuf. + * + * When a log message is generated, this callback is called. It + * should write a message to the relevant logging arrangements. + * + * The message string passed will be null-terminated and may be of arbitrary + * length. It will not be prefixed by the time and date, nor by the + * name of the library that is generating it - if this is required, + * the logmessage callback must do it. The message will not have a + * trailing newline (though it may contain internal newlines). + * + * If a null pointer is passed for logmessage a default function is + * used. The default function treats logstream as a FILE* which has + * been converted to a void*. If logstream is 0 it does nothing. + * Otherwise it prepends the date and time and library name and + * writes the message to logstream. Each line will be prefixed by a + * descriptive string containing the date, time and identity of the + * crypto plugin. Errors on the logstream are not reported + * anywhere, and the default function doesn't flush the stream, so + * the application must set the buffering how it wants it. + * + * The crypto plugin may also provide a facility to have copies of + * log messages sent elsewhere, and or for adjusting the verbosity + * of the log messages; any such facilities will be configured by + * external means. + */ + +} HWCryptoHook_InitInfo; + +typedef +HWCryptoHook_ContextHandle HWCryptoHook_Init_t(const HWCryptoHook_InitInfo *initinfo, + size_t initinfosize, + const HWCryptoHook_ErrMsgBuf *errors, + HWCryptoHook_CallerContext *cactx); +extern HWCryptoHook_Init_t HWCryptoHook_Init; + +/* Caller should set initinfosize to the size of the HWCryptoHook struct, + * so it can be extended later. + * + * On success, a message for display or logging by the server, + * including the name and version number of the plugin, will be filled + * in into *errors; on failure *errors is used for error handling, as + * usual. + */ + +/* All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED + * on most failures. HWCRYPTOHOOK_ERROR_MPISIZE means at least one of + * the output MPI buffer(s) was too small; the sizes of all have been + * set to the desired size (and for those where the buffer was large + * enough, the value may have been copied in), and no error message + * has been recorded. + * + * You may pass 0 for the errors struct. In any case, unless you set + * _NoStderr at init time then messages may be reported to stderr. + */ + +/* The RSAImmed* functions (and key managed RSA) only work with + * modules which have an RSA patent licence - currently that means KM + * units; the ModExp* ones work with all modules, so you need a patent + * licence in the software in the US. They are otherwise identical. + */ + +typedef +void HWCryptoHook_Finish_t(HWCryptoHook_ContextHandle hwctx); +extern HWCryptoHook_Finish_t HWCryptoHook_Finish; +/* You must not have any calls going or keys loaded when you call this. */ + +typedef +int HWCryptoHook_RandomBytes_t(HWCryptoHook_ContextHandle hwctx, + unsigned char *buf, size_t len, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RandomBytes_t HWCryptoHook_RandomBytes; + +typedef +int HWCryptoHook_ModExp_t(HWCryptoHook_ContextHandle hwctx, + HWCryptoHook_MPI a, + HWCryptoHook_MPI p, + HWCryptoHook_MPI n, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_ModExp_t HWCryptoHook_ModExp; + +typedef +int HWCryptoHook_RSAImmedPub_t(HWCryptoHook_ContextHandle hwctx, + HWCryptoHook_MPI m, + HWCryptoHook_MPI e, + HWCryptoHook_MPI n, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSAImmedPub_t HWCryptoHook_RSAImmedPub; + +typedef +int HWCryptoHook_ModExpCRT_t(HWCryptoHook_ContextHandle hwctx, + HWCryptoHook_MPI a, + HWCryptoHook_MPI p, + HWCryptoHook_MPI q, + HWCryptoHook_MPI dmp1, + HWCryptoHook_MPI dmq1, + HWCryptoHook_MPI iqmp, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_ModExpCRT_t HWCryptoHook_ModExpCRT; + +typedef +int HWCryptoHook_RSAImmedPriv_t(HWCryptoHook_ContextHandle hwctx, + HWCryptoHook_MPI m, + HWCryptoHook_MPI p, + HWCryptoHook_MPI q, + HWCryptoHook_MPI dmp1, + HWCryptoHook_MPI dmq1, + HWCryptoHook_MPI iqmp, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSAImmedPriv_t HWCryptoHook_RSAImmedPriv; + +/* The RSAImmed* and ModExp* functions may return E_FAILED or + * E_FALLBACK for failure. + * + * E_FAILED means the failure is permanent and definite and there + * should be no attempt to fall back to software. (Eg, for some + * applications, which support only the acceleration-only + * functions, the `key material' may actually be an encoded key + * identifier, and doing the operation in software would give wrong + * answers.) + * + * E_FALLBACK means that doing the computation in software would seem + * reasonable. If an application pays attention to this and is + * able to fall back, it should also set the Fallback init flags. + */ + +typedef +int HWCryptoHook_RSALoadKey_t(HWCryptoHook_ContextHandle hwctx, + const char *key_ident, + HWCryptoHook_RSAKeyHandle *keyhandle_r, + const HWCryptoHook_ErrMsgBuf *errors, + HWCryptoHook_PassphraseContext *ppctx); +extern HWCryptoHook_RSALoadKey_t HWCryptoHook_RSALoadKey; +/* The key_ident is a null-terminated string configured by the + * user via the application's usual configuration mechanisms. + * It is provided to the user by the crypto provider's key management + * system. The user must be able to enter at least any string of between + * 1 and 1023 characters inclusive, consisting of printable 7-bit + * ASCII characters. The provider should avoid using + * any characters except alphanumerics and the punctuation + * characters _ - + . / @ ~ (the user is expected to be able + * to enter these without quoting). The string may be case-sensitive. + * The application may allow the user to enter other NULL-terminated strings, + * and the provider must cope (returning an error if the string is not + * valid). + * + * If the key does not exist, no error is recorded and 0 is returned; + * keyhandle_r will be set to 0 instead of to a key handle. + */ + +typedef +int HWCryptoHook_RSAGetPublicKey_t(HWCryptoHook_RSAKeyHandle k, + HWCryptoHook_MPI *n, + HWCryptoHook_MPI *e, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSAGetPublicKey_t HWCryptoHook_RSAGetPublicKey; +/* The crypto plugin will not store certificates. + * + * Although this function for acquiring the public key value is + * provided, it is not the purpose of this API to deal fully with the + * handling of the public key. + * + * It is expected that the crypto supplier's key generation program + * will provide general facilities for producing X.509 + * self-certificates and certificate requests in PEM format. These + * will be given to the user so that they can configure them in the + * application, send them to CAs, or whatever. + * + * In case this kind of certificate handling is not appropriate, the + * crypto supplier's key generation program should be able to be + * configured not to generate such a self-certificate or certificate + * request. Then the application will need to do all of this, and + * will need to store and handle the public key and certificates + * itself. + */ + +typedef +int HWCryptoHook_RSAUnloadKey_t(HWCryptoHook_RSAKeyHandle k, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSAUnloadKey_t HWCryptoHook_RSAUnloadKey; +/* Might fail due to locking problems, or other serious internal problems. */ + +typedef +int HWCryptoHook_RSA_t(HWCryptoHook_MPI m, + HWCryptoHook_RSAKeyHandle k, + HWCryptoHook_MPI *r, + const HWCryptoHook_ErrMsgBuf *errors); +extern HWCryptoHook_RSA_t HWCryptoHook_RSA; +/* RSA private key operation (sign or decrypt) - raw, unpadded. */ + +#endif /*HWCRYPTOHOOK_H*/ diff --git a/src/lib/libssl/src/crypto/engine/vendor_defns/sureware.h b/src/lib/libssl/src/crypto/engine/vendor_defns/sureware.h new file mode 100644 index 0000000000..1d3789219d --- /dev/null +++ b/src/lib/libssl/src/crypto/engine/vendor_defns/sureware.h @@ -0,0 +1,239 @@ +/* +* Written by Corinne Dive-Reclus(cdive@baltimore.com) +* +* Copyright@2001 Baltimore Technologies Ltd. +* * +* THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND * +* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * +* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * +* ARE DISCLAIMED. IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE * +* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * +* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * +* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * +* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * +* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * +* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * +* SUCH DAMAGE. * +* +* +*/ +#ifdef WIN32 +#define SW_EXPORT __declspec ( dllexport ) +#else +#define SW_EXPORT +#endif + +/* +* List of exposed SureWare errors +*/ +#define SUREWAREHOOK_ERROR_FAILED -1 +#define SUREWAREHOOK_ERROR_FALLBACK -2 +#define SUREWAREHOOK_ERROR_UNIT_FAILURE -3 +#define SUREWAREHOOK_ERROR_DATA_SIZE -4 +#define SUREWAREHOOK_ERROR_INVALID_PAD -5 +/* +* -----------------WARNING----------------------------------- +* In all the following functions: +* msg is a string with at least 24 bytes free. +* A 24 bytes string will be concatenated to the existing content of msg. +*/ +/* +* SureWare Initialisation function +* in param threadsafe, if !=0, thread safe enabled +* return SureWareHOOK_ERROR_UNIT_FAILURE if failure, 1 if success +*/ +typedef int SureWareHook_Init_t(char*const msg,int threadsafe); +extern SW_EXPORT SureWareHook_Init_t SureWareHook_Init; +/* +* SureWare Finish function +*/ +typedef void SureWareHook_Finish_t(); +extern SW_EXPORT SureWareHook_Finish_t SureWareHook_Finish; +/* +* PRE_CONDITION: +* DO NOT CALL ANY OF THE FOLLOWING FUNCTIONS IN CASE OF INIT FAILURE +*/ +/* +* SureWare RAND Bytes function +* In case of failure, the content of buf is unpredictable. +* return 1 if success +* SureWareHOOK_ERROR_FALLBACK if function not available in hardware +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in/out param buf : a num bytes long buffer where random bytes will be put +* in param num : the number of bytes into buf +*/ +typedef int SureWareHook_Rand_Bytes_t(char*const msg,unsigned char *buf, int num); +extern SW_EXPORT SureWareHook_Rand_Bytes_t SureWareHook_Rand_Bytes; + +/* +* SureWare RAND Seed function +* Adds some seed to the Hardware Random Number Generator +* return 1 if success +* SureWareHOOK_ERROR_FALLBACK if function not available in hardware +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in param buf : the seed to add into the HRNG +* in param num : the number of bytes into buf +*/ +typedef int SureWareHook_Rand_Seed_t(char*const msg,const void *buf, int num); +extern SW_EXPORT SureWareHook_Rand_Seed_t SureWareHook_Rand_Seed; + +/* +* SureWare Load Private Key function +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* No hardware is contact for this function. +* +* in param key_id :the name of the private protected key file without the extension + ".sws" +* out param hptr : a pointer to a buffer allocated by SureWare_Hook +* out param num: the effective key length in bytes +* out param keytype: 1 if RSA 2 if DSA +*/ +typedef int SureWareHook_Load_Privkey_t(char*const msg,const char *key_id,char **hptr,unsigned long *num,char *keytype); +extern SW_EXPORT SureWareHook_Load_Privkey_t SureWareHook_Load_Privkey; + +/* +* SureWare Info Public Key function +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* No hardware is contact for this function. +* +* in param key_id :the name of the private protected key file without the extension + ".swp" +* out param hptr : a pointer to a buffer allocated by SureWare_Hook +* out param num: the effective key length in bytes +* out param keytype: 1 if RSA 2 if DSA +*/ +typedef int SureWareHook_Info_Pubkey_t(char*const msg,const char *key_id,unsigned long *num, + char *keytype); +extern SW_EXPORT SureWareHook_Info_Pubkey_t SureWareHook_Info_Pubkey; + +/* +* SureWare Load Public Key function +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* No hardware is contact for this function. +* +* in param key_id :the name of the public protected key file without the extension + ".swp" +* in param num : the bytes size of n and e +* out param n: where to write modulus in bn format +* out param e: where to write exponent in bn format +*/ +typedef int SureWareHook_Load_Rsa_Pubkey_t(char*const msg,const char *key_id,unsigned long num, + unsigned long *n, unsigned long *e); +extern SW_EXPORT SureWareHook_Load_Rsa_Pubkey_t SureWareHook_Load_Rsa_Pubkey; + +/* +* SureWare Load DSA Public Key function +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* No hardware is contact for this function. +* +* in param key_id :the name of the public protected key file without the extension + ".swp" +* in param num : the bytes size of n and e +* out param pub: where to write pub key in bn format +* out param p: where to write prime in bn format +* out param q: where to write sunprime (length 20 bytes) in bn format +* out param g: where to write base in bn format +*/ +typedef int SureWareHook_Load_Dsa_Pubkey_t(char*const msg,const char *key_id,unsigned long num, + unsigned long *pub, unsigned long *p,unsigned long*q, + unsigned long *g); +extern SW_EXPORT SureWareHook_Load_Dsa_Pubkey_t SureWareHook_Load_Dsa_Pubkey; + +/* +* SureWare Free function +* Destroy the key into the hardware if destroy==1 +*/ +typedef void SureWareHook_Free_t(char *p,int destroy); +extern SW_EXPORT SureWareHook_Free_t SureWareHook_Free; + +#define SUREWARE_PKCS1_PAD 1 +#define SUREWARE_ISO9796_PAD 2 +#define SUREWARE_NO_PAD 0 +/* +* SureWare RSA Private Decryption +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in param flen : byte size of from and to +* in param from : encrypted data buffer, should be a not-null valid pointer +* out param tlen: byte size of decrypted data, if error, unexpected value +* out param to : decrypted data buffer, should be a not-null valid pointer +* in param prsa: a protected key pointer, should be a not-null valid pointer +* int padding: padding id as follow +* SUREWARE_PKCS1_PAD +* SUREWARE_NO_PAD +* +*/ +typedef int SureWareHook_Rsa_Priv_Dec_t(char*const msg,int flen,unsigned char *from, + int *tlen,unsigned char *to, + char *prsa,int padding); +extern SW_EXPORT SureWareHook_Rsa_Priv_Dec_t SureWareHook_Rsa_Priv_Dec; +/* +* SureWare RSA Signature +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in param flen : byte size of from and to +* in param from : encrypted data buffer, should be a not-null valid pointer +* out param tlen: byte size of decrypted data, if error, unexpected value +* out param to : decrypted data buffer, should be a not-null valid pointer +* in param prsa: a protected key pointer, should be a not-null valid pointer +* int padding: padding id as follow +* SUREWARE_PKCS1_PAD +* SUREWARE_ISO9796_PAD +* +*/ +typedef int SureWareHook_Rsa_Sign_t(char*const msg,int flen,unsigned char *from, + int *tlen,unsigned char *to, + char *prsa,int padding); +extern SW_EXPORT SureWareHook_Rsa_Sign_t SureWareHook_Rsa_Sign; +/* +* SureWare DSA Signature +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* in param flen : byte size of from and to +* in param from : encrypted data buffer, should be a not-null valid pointer +* out param to : decrypted data buffer, should be a 40bytes valid pointer +* in param pdsa: a protected key pointer, should be a not-null valid pointer +* +*/ +typedef int SureWareHook_Dsa_Sign_t(char*const msg,int flen,const unsigned char *from, + unsigned long *r,unsigned long *s,char *pdsa); +extern SW_EXPORT SureWareHook_Dsa_Sign_t SureWareHook_Dsa_Sign; + + +/* +* SureWare Mod Exp +* return 1 if success +* SureWareHOOK_ERROR_FAILED if error while processing +* SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure +* SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf +* +* mod and res are mlen bytes long. +* exp is elen bytes long +* data is dlen bytes long +* mlen,elen and dlen are all multiple of sizeof(unsigned long) +*/ +typedef int SureWareHook_Mod_Exp_t(char*const msg,int mlen,const unsigned long *mod, + int elen,const unsigned long *exp, + int dlen,unsigned long *data, + unsigned long *res); +extern SW_EXPORT SureWareHook_Mod_Exp_t SureWareHook_Mod_Exp; + diff --git a/src/lib/libssl/src/crypto/err/err.c b/src/lib/libssl/src/crypto/err/err.c index 5abe44e6d5..b873270c04 100644 --- a/src/lib/libssl/src/crypto/err/err.c +++ b/src/lib/libssl/src/crypto/err/err.c @@ -211,6 +211,7 @@ static ERR_STRING_DATA ERR_str_reasons[]= {0,NULL}, }; +#endif /* Define the predeclared (but externally opaque) "ERR_FNS" type */ @@ -491,6 +492,7 @@ static int int_err_get_next_lib(void) } +#ifndef OPENSSL_NO_ERR #define NUM_SYS_STR_REASONS 127 #define LEN_SYS_STR_REASON 32 diff --git a/src/lib/libssl/src/crypto/err/err_all.c b/src/lib/libssl/src/crypto/err/err_all.c index 90029fd159..dc505d9d9d 100644 --- a/src/lib/libssl/src/crypto/err/err_all.c +++ b/src/lib/libssl/src/crypto/err/err_all.c @@ -82,7 +82,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif #include #include @@ -122,7 +124,9 @@ void ERR_load_crypto_strings(void) ERR_load_PKCS12_strings(); ERR_load_RAND_strings(); ERR_load_DSO_strings(); +#ifndef OPENSSL_NO_ENGINE ERR_load_ENGINE_strings(); +#endif ERR_load_OCSP_strings(); ERR_load_UI_strings(); #endif diff --git a/src/lib/libssl/src/crypto/err/err_prn.c b/src/lib/libssl/src/crypto/err/err_prn.c index c156663f0e..81e34bd6ce 100644 --- a/src/lib/libssl/src/crypto/err/err_prn.c +++ b/src/lib/libssl/src/crypto/err/err_prn.c @@ -62,7 +62,6 @@ #include "cryptlib.h" #include #include -#include void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u), void *u) diff --git a/src/lib/libssl/src/crypto/evp/bio_b64.c b/src/lib/libssl/src/crypto/evp/bio_b64.c index f12eac1b55..6e550f6a43 100644 --- a/src/lib/libssl/src/crypto/evp/bio_b64.c +++ b/src/lib/libssl/src/crypto/evp/bio_b64.c @@ -165,6 +165,7 @@ static int b64_read(BIO *b, char *out, int outl) { i=ctx->buf_len-ctx->buf_off; if (i > outl) i=outl; + OPENSSL_assert(ctx->buf_off+i < sizeof ctx->buf); memcpy(out,&(ctx->buf[ctx->buf_off]),i); ret=i; out+=i; diff --git a/src/lib/libssl/src/crypto/evp/bio_enc.c b/src/lib/libssl/src/crypto/evp/bio_enc.c index 64fb2353af..ab81851503 100644 --- a/src/lib/libssl/src/crypto/evp/bio_enc.c +++ b/src/lib/libssl/src/crypto/evp/bio_enc.c @@ -132,7 +132,7 @@ static int enc_free(BIO *a) if (a == NULL) return(0); b=(BIO_ENC_CTX *)a->ptr; EVP_CIPHER_CTX_cleanup(&(b->cipher)); - memset(a->ptr,0,sizeof(BIO_ENC_CTX)); + OPENSSL_cleanse(a->ptr,sizeof(BIO_ENC_CTX)); OPENSSL_free(a->ptr); a->ptr=NULL; a->init=0; @@ -271,7 +271,7 @@ static int enc_write(BIO *b, const char *in, int inl) if (i <= 0) { BIO_copy_next_retry(b); - return(i); + return (ret == inl) ? i : ret - inl; } n-=i; ctx->buf_off+=i; @@ -325,10 +325,7 @@ again: { i=enc_write(b,NULL,0); if (i < 0) - { - ret=i; - break; - } + return i; } if (!ctx->finished) diff --git a/src/lib/libssl/src/crypto/evp/bio_ok.c b/src/lib/libssl/src/crypto/evp/bio_ok.c index 3cbc6e7848..530ab937ce 100644 --- a/src/lib/libssl/src/crypto/evp/bio_ok.c +++ b/src/lib/libssl/src/crypto/evp/bio_ok.c @@ -211,7 +211,7 @@ static int ok_free(BIO *a) { if (a == NULL) return(0); EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md); - memset(a->ptr,0,sizeof(BIO_OK_CTX)); + OPENSSL_cleanse(a->ptr,sizeof(BIO_OK_CTX)); OPENSSL_free(a->ptr); a->ptr=NULL; a->init=0; diff --git a/src/lib/libssl/src/crypto/evp/c_all.c b/src/lib/libssl/src/crypto/evp/c_all.c index 2d3e57c4fa..1b31a14e37 100644 --- a/src/lib/libssl/src/crypto/evp/c_all.c +++ b/src/lib/libssl/src/crypto/evp/c_all.c @@ -73,4 +73,9 @@ void OPENSSL_add_all_algorithms_noconf(void) { OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); +#ifndef OPENSSL_NO_ENGINE +# if defined(__OpenBSD__) || defined(__FreeBSD__) + ENGINE_setup_bsd_cryptodev(); +# endif +#endif } diff --git a/src/lib/libssl/src/crypto/evp/digest.c b/src/lib/libssl/src/crypto/evp/digest.c index a969ac69ed..b22eed4421 100644 --- a/src/lib/libssl/src/crypto/evp/digest.c +++ b/src/lib/libssl/src/crypto/evp/digest.c @@ -113,7 +113,9 @@ #include "cryptlib.h" #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif void EVP_MD_CTX_init(EVP_MD_CTX *ctx) { @@ -138,6 +140,7 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); +#ifndef OPENSSL_NO_ENGINE /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts * so this context may already have an ENGINE! Try to avoid releasing * the previous handle, re-querying for an ENGINE, and having a @@ -183,11 +186,13 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) else ctx->engine = NULL; } - else if(!ctx->digest) + else + if(!ctx->digest) { EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_NO_DIGEST_SET); return 0; } +#endif if (ctx->digest != type) { if (ctx->digest && ctx->digest->ctx_size) @@ -196,7 +201,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) if (type->ctx_size) ctx->md_data=OPENSSL_malloc(type->ctx_size); } +#ifndef OPENSSL_NO_ENGINE skip_to_init: +#endif return ctx->digest->init(ctx); } @@ -219,6 +226,8 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { int ret; + + OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); if (size != NULL) *size=ctx->digest->md_size; @@ -244,12 +253,14 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED); return 0; } +#ifndef OPENSSL_NO_ENGINE /* Make sure it's safe to copy a digest context using an ENGINE */ if (in->engine && !ENGINE_init(in->engine)) { EVPerr(EVP_F_EVP_MD_CTX_COPY,ERR_R_ENGINE_LIB); return 0; } +#endif EVP_MD_CTX_cleanup(out); memcpy(out,in,sizeof *out); @@ -299,13 +310,15 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) ctx->digest->cleanup(ctx); if (ctx->digest && ctx->digest->ctx_size && ctx->md_data) { - memset(ctx->md_data,0,ctx->digest->ctx_size); + OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } +#ifndef OPENSSL_NO_ENGINE if(ctx->engine) /* The EVP_MD we used belongs to an ENGINE, release the * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); +#endif memset(ctx,'\0',sizeof *ctx); return 1; diff --git a/src/lib/libssl/src/crypto/evp/e_aes.c b/src/lib/libssl/src/crypto/evp/e_aes.c index c323fa2892..fe8bcda631 100644 --- a/src/lib/libssl/src/crypto/evp/e_aes.c +++ b/src/lib/libssl/src/crypto/evp/e_aes.c @@ -52,7 +52,6 @@ #include #include #include -#include #include #include "evp_locl.h" diff --git a/src/lib/libssl/src/crypto/evp/e_idea.c b/src/lib/libssl/src/crypto/evp/e_idea.c index ed838d3e62..b9efa75ae7 100644 --- a/src/lib/libssl/src/crypto/evp/e_idea.c +++ b/src/lib/libssl/src/crypto/evp/e_idea.c @@ -109,7 +109,7 @@ static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, idea_set_encrypt_key(key,&tmp); idea_set_decrypt_key(&tmp,ctx->cipher_data); - memset((unsigned char *)&tmp,0, + OPENSSL_cleanse((unsigned char *)&tmp, sizeof(IDEA_KEY_SCHEDULE)); } return 1; diff --git a/src/lib/libssl/src/crypto/evp/e_rc2.c b/src/lib/libssl/src/crypto/evp/e_rc2.c index 4685198e2e..d42cbfd17e 100644 --- a/src/lib/libssl/src/crypto/evp/e_rc2.c +++ b/src/lib/libssl/src/crypto/evp/e_rc2.c @@ -174,6 +174,7 @@ static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type) if (type != NULL) { l=EVP_CIPHER_CTX_iv_length(c); + OPENSSL_assert(l <= sizeof iv); i=ASN1_TYPE_get_int_octetstring(type,&num,iv,l); if (i != l) return(-1); diff --git a/src/lib/libssl/src/crypto/evp/e_rc4.c b/src/lib/libssl/src/crypto/evp/e_rc4.c index 4064cc5fa0..d58f507837 100644 --- a/src/lib/libssl/src/crypto/evp/e_rc4.c +++ b/src/lib/libssl/src/crypto/evp/e_rc4.c @@ -69,8 +69,6 @@ typedef struct { - /* FIXME: what is the key for? */ - unsigned char key[EVP_RC4_KEY_SIZE]; RC4_KEY ks; /* working key */ } EVP_RC4_KEY; @@ -121,9 +119,8 @@ const EVP_CIPHER *EVP_rc4_40(void) static int rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { - memcpy(&data(ctx)->key[0],key,EVP_CIPHER_CTX_key_length(ctx)); RC4_set_key(&data(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx), - data(ctx)->key); + key); return 1; } diff --git a/src/lib/libssl/src/crypto/evp/encode.c b/src/lib/libssl/src/crypto/evp/encode.c index 12c6379df1..08209357ce 100644 --- a/src/lib/libssl/src/crypto/evp/encode.c +++ b/src/lib/libssl/src/crypto/evp/encode.c @@ -136,6 +136,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, *outl=0; if (inl == 0) return; + OPENSSL_assert(ctx->length <= sizeof ctx->enc_data); if ((ctx->num+inl) < ctx->length) { memcpy(&(ctx->enc_data[ctx->num]),in,inl); @@ -258,6 +259,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, /* only save the good data :-) */ if (!B64_NOT_BASE64(v)) { + OPENSSL_assert(n < sizeof ctx->enc_data); d[n++]=tmp; ln++; } diff --git a/src/lib/libssl/src/crypto/evp/evp_acnf.c b/src/lib/libssl/src/crypto/evp/evp_acnf.c index a68b979bdb..ff3e311cc5 100644 --- a/src/lib/libssl/src/crypto/evp/evp_acnf.c +++ b/src/lib/libssl/src/crypto/evp/evp_acnf.c @@ -59,7 +59,6 @@ #include "cryptlib.h" #include #include -#include /* Load all algorithms and configure OpenSSL. diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c index 32a1c7a2e9..be0758a879 100644 --- a/src/lib/libssl/src/crypto/evp/evp_enc.c +++ b/src/lib/libssl/src/crypto/evp/evp_enc.c @@ -60,11 +60,11 @@ #include "cryptlib.h" #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif #include "evp_locl.h" -#include - const char *EVP_version="EVP" OPENSSL_VERSION_PTEXT; void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) @@ -93,6 +93,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp enc = 1; ctx->encrypt = enc; } +#ifndef OPENSSL_NO_ENGINE /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts * so this context may already have an ENGINE! Try to avoid releasing * the previous handle, re-querying for an ENGINE, and having a @@ -100,6 +101,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp if (ctx->engine && ctx->cipher && (!cipher || (cipher && (cipher->nid == ctx->cipher->nid)))) goto skip_to_init; +#endif if (cipher) { /* Ensure a context left lying around from last time is cleared @@ -109,6 +111,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp /* Restore encrypt field: it is zeroed by cleanup */ ctx->encrypt = enc; +#ifndef OPENSSL_NO_ENGINE if(impl) { if (!ENGINE_init(impl)) @@ -142,6 +145,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp } else ctx->engine = NULL; +#endif ctx->cipher=cipher; ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size); @@ -161,11 +165,13 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_NO_CIPHER_SET); return 0; } +#ifndef OPENSSL_NO_ENGINE skip_to_init: +#endif /* we assume block size is a power of 2 in *cryptUpdate */ - assert(ctx->cipher->block_size == 1 - || ctx->cipher->block_size == 8 - || ctx->cipher->block_size == 16); + OPENSSL_assert(ctx->cipher->block_size == 1 + || ctx->cipher->block_size == 8 + || ctx->cipher->block_size == 16); if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) { switch(EVP_CIPHER_CTX_mode(ctx)) { @@ -181,6 +187,7 @@ skip_to_init: case EVP_CIPH_CBC_MODE: + OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof ctx->iv); if(iv) memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx)); memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx)); break; @@ -237,7 +244,7 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *imp int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv) { - return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0); + return EVP_CipherInit(ctx, cipher, key, iv, 0); } int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, @@ -251,6 +258,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, { int i,j,bl; + OPENSSL_assert(inl > 0); if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0) { if(ctx->cipher->do_cipher(ctx,out,in,inl)) @@ -266,6 +274,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } i=ctx->buf_len; bl=ctx->cipher->block_size; + OPENSSL_assert(bl <= sizeof ctx->buf); if (i != 0) { if (i+inl < bl) @@ -314,6 +323,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int i,n,b,bl,ret; b=ctx->cipher->block_size; + OPENSSL_assert(b <= sizeof ctx->buf); if (b == 1) { *outl=0; @@ -358,6 +368,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return EVP_EncryptUpdate(ctx, out, outl, in, inl); b=ctx->cipher->block_size; + OPENSSL_assert(b <= sizeof ctx->final); if(ctx->final_used) { @@ -420,6 +431,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_WRONG_FINAL_BLOCK_LENGTH); return(0); } + OPENSSL_assert(b <= sizeof ctx->final); n=ctx->final[b-1]; if (n > b) { @@ -450,16 +462,18 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) { if(c->cipher->cleanup && !c->cipher->cleanup(c)) return 0; - /* Zero cipher context data */ + /* Cleanse cipher context data */ if (c->cipher_data) - memset(c->cipher_data, 0, c->cipher->ctx_size); + OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size); } if (c->cipher_data) OPENSSL_free(c->cipher_data); +#ifndef OPENSSL_NO_ENGINE if (c->engine) /* The EVP_CIPHER we used belongs to an ENGINE, release the * functional reference we held for this reason. */ ENGINE_finish(c->engine); +#endif memset(c,0,sizeof(EVP_CIPHER_CTX)); return 1; } diff --git a/src/lib/libssl/src/crypto/evp/evp_key.c b/src/lib/libssl/src/crypto/evp/evp_key.c index 4271393069..5f387a94d3 100644 --- a/src/lib/libssl/src/crypto/evp/evp_key.c +++ b/src/lib/libssl/src/crypto/evp/evp_key.c @@ -103,7 +103,7 @@ int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify) buff,0,(len>=BUFSIZ)?BUFSIZ-1:len,buf); ret = UI_process(ui); UI_free(ui); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return ret; } @@ -118,6 +118,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, nkey=type->key_len; niv=type->iv_len; + OPENSSL_assert(nkey <= EVP_MAX_KEY_LENGTH); + OPENSSL_assert(niv <= EVP_MAX_IV_LENGTH); if (data == NULL) return(nkey); @@ -166,7 +168,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, if ((nkey == 0) && (niv == 0)) break; } EVP_MD_CTX_cleanup(&c); - memset(&(md_buf[0]),0,EVP_MAX_MD_SIZE); + OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE); return(type->key_len); } diff --git a/src/lib/libssl/src/crypto/evp/evp_lib.c b/src/lib/libssl/src/crypto/evp/evp_lib.c index a431945ef5..52a3b287be 100644 --- a/src/lib/libssl/src/crypto/evp/evp_lib.c +++ b/src/lib/libssl/src/crypto/evp/evp_lib.c @@ -90,6 +90,7 @@ int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type) if (type != NULL) { l=EVP_CIPHER_CTX_iv_length(c); + OPENSSL_assert(l <= sizeof c->iv); i=ASN1_TYPE_get_octetstring(type,c->oiv,l); if (i != l) return(-1); @@ -106,6 +107,7 @@ int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type) if (type != NULL) { j=EVP_CIPHER_CTX_iv_length(c); + OPENSSL_assert(j <= sizeof c->iv); i=ASN1_TYPE_set_octetstring(type,c->oiv,j); } return(i); diff --git a/src/lib/libssl/src/crypto/evp/evp_pbe.c b/src/lib/libssl/src/crypto/evp/evp_pbe.c index bcd4d29f85..0da88fdcff 100644 --- a/src/lib/libssl/src/crypto/evp/evp_pbe.c +++ b/src/lib/libssl/src/crypto/evp/evp_pbe.c @@ -88,7 +88,7 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen, char obj_tmp[80]; EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM); if (!pbe_obj) strcpy (obj_tmp, "NULL"); - else i2t_ASN1_OBJECT(obj_tmp, 80, pbe_obj); + else i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, pbe_obj); ERR_add_error_data(2, "TYPE=", obj_tmp); return 0; } diff --git a/src/lib/libssl/src/crypto/evp/evp_test.c b/src/lib/libssl/src/crypto/evp/evp_test.c index 90294ef686..28460173f7 100644 --- a/src/lib/libssl/src/crypto/evp/evp_test.c +++ b/src/lib/libssl/src/crypto/evp/evp_test.c @@ -49,8 +49,14 @@ #include #include + +#include "../e_os.h" + #include +#ifndef OPENSSL_NO_ENGINE #include +#endif +#include #include static void hexdump(FILE *f,const char *title,const unsigned char *s,int l) @@ -78,7 +84,7 @@ static int convert(unsigned char *s) if(!s[1]) { fprintf(stderr,"Odd number of hex digits!"); - exit(4); + EXIT(4); } sscanf((char *)s,"%2x",&n); *d=(unsigned char)n; @@ -120,6 +126,12 @@ static char *sstrsep(char **string, const char *delim) static unsigned char *ustrsep(char **p,const char *sep) { return (unsigned char *)sstrsep(p,sep); } +static int test1_exit(int ec) + { + EXIT(ec); + return(0); /* To keep some compilers quiet */ + } + static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, const unsigned char *iv,int in, const unsigned char *plaintext,int pn, @@ -142,7 +154,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, { fprintf(stderr,"Key length doesn't match, got %d expected %d\n",kn, c->key_len); - exit(5); + test1_exit(5); } EVP_CIPHER_CTX_init(&ctx); if (encdec != 0) @@ -150,26 +162,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv)) { fprintf(stderr,"EncryptInit failed\n"); - exit(10); + test1_exit(10); } EVP_CIPHER_CTX_set_padding(&ctx,0); if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn)) { fprintf(stderr,"Encrypt failed\n"); - exit(6); + test1_exit(6); } if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2)) { fprintf(stderr,"EncryptFinal failed\n"); - exit(7); + test1_exit(7); } if(outl+outl2 != cn) { fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n", outl+outl2,cn); - exit(8); + test1_exit(8); } if(memcmp(out,ciphertext,cn)) @@ -177,7 +189,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, fprintf(stderr,"Ciphertext mismatch\n"); hexdump(stderr,"Got",out,cn); hexdump(stderr,"Expected",ciphertext,cn); - exit(9); + test1_exit(9); } } @@ -186,26 +198,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv)) { fprintf(stderr,"DecryptInit failed\n"); - exit(11); + test1_exit(11); } EVP_CIPHER_CTX_set_padding(&ctx,0); if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn)) { fprintf(stderr,"Decrypt failed\n"); - exit(6); + test1_exit(6); } if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2)) { fprintf(stderr,"DecryptFinal failed\n"); - exit(7); + test1_exit(7); } if(outl+outl2 != cn) { fprintf(stderr,"Plaintext length mismatch got %d expected %d\n", outl+outl2,cn); - exit(8); + test1_exit(8); } if(memcmp(out,plaintext,cn)) @@ -213,7 +225,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, fprintf(stderr,"Plaintext mismatch\n"); hexdump(stderr,"Got",out,cn); hexdump(stderr,"Expected",plaintext,cn); - exit(9); + test1_exit(9); } } @@ -260,24 +272,24 @@ static int test_digest(const char *digest, if(!EVP_DigestInit_ex(&ctx,d, NULL)) { fprintf(stderr,"DigestInit failed\n"); - exit(100); + EXIT(100); } if(!EVP_DigestUpdate(&ctx,plaintext,pn)) { fprintf(stderr,"DigestUpdate failed\n"); - exit(101); + EXIT(101); } if(!EVP_DigestFinal_ex(&ctx,md,&mdn)) { fprintf(stderr,"DigestFinal failed\n"); - exit(101); + EXIT(101); } EVP_MD_CTX_cleanup(&ctx); if(mdn != cn) { fprintf(stderr,"Digest length mismatch, got %d expected %d\n",mdn,cn); - exit(102); + EXIT(102); } if(memcmp(md,ciphertext,cn)) @@ -285,7 +297,7 @@ static int test_digest(const char *digest, fprintf(stderr,"Digest mismatch\n"); hexdump(stderr,"Got",md,cn); hexdump(stderr,"Expected",ciphertext,cn); - exit(103); + EXIT(103); } printf("\n"); @@ -303,7 +315,7 @@ int main(int argc,char **argv) if(argc != 2) { fprintf(stderr,"%s \n",argv[0]); - exit(1); + EXIT(1); } CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); @@ -315,17 +327,20 @@ int main(int argc,char **argv) if(!f) { perror(szTestFile); - exit(2); + EXIT(2); } /* Load up the software EVP_CIPHER and EVP_MD definitions */ OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); +#ifndef OPENSSL_NO_ENGINE /* Load all compiled-in ENGINEs */ ENGINE_load_builtin_engines(); +#endif #if 0 OPENSSL_config(); #endif +#ifndef OPENSSL_NO_ENGINE /* Register all available ENGINE implementations of ciphers and digests. * This could perhaps be changed to "ENGINE_register_all_complete()"? */ ENGINE_register_all_ciphers(); @@ -334,6 +349,7 @@ int main(int argc,char **argv) * It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if * they weren't already initialised. */ /* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */ +#endif for( ; ; ) { @@ -371,11 +387,13 @@ int main(int argc,char **argv) && !test_digest(cipher,plaintext,pn,ciphertext,cn)) { fprintf(stderr,"Can't find %s\n",cipher); - exit(3); + EXIT(3); } } +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); diff --git a/src/lib/libssl/src/crypto/evp/p5_crpt.c b/src/lib/libssl/src/crypto/evp/p5_crpt.c index 27a8286489..a1874e83b2 100644 --- a/src/lib/libssl/src/crypto/evp/p5_crpt.c +++ b/src/lib/libssl/src/crypto/evp/p5_crpt.c @@ -140,12 +140,14 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, EVP_DigestFinal_ex (&ctx, md_tmp, NULL); } EVP_MD_CTX_cleanup(&ctx); + OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= sizeof md_tmp); memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher)); + OPENSSL_assert(EVP_CIPHER_iv_length(cipher) <= 16); memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)), EVP_CIPHER_iv_length(cipher)); EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de); - memset(md_tmp, 0, EVP_MAX_MD_SIZE); - memset(key, 0, EVP_MAX_KEY_LENGTH); - memset(iv, 0, EVP_MAX_IV_LENGTH); + OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE); + OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); + OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); return 1; } diff --git a/src/lib/libssl/src/crypto/evp/p5_crpt2.c b/src/lib/libssl/src/crypto/evp/p5_crpt2.c index 7485d6a278..1f94e1ef88 100644 --- a/src/lib/libssl/src/crypto/evp/p5_crpt2.c +++ b/src/lib/libssl/src/crypto/evp/p5_crpt2.c @@ -190,6 +190,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, goto err; } keylen = EVP_CIPHER_CTX_key_length(ctx); + OPENSSL_assert(keylen <= sizeof key); /* Now decode key derivation function */ @@ -230,7 +231,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, iter = ASN1_INTEGER_get(kdf->iter); PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key); EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de); - memset(key, 0, keylen); + OPENSSL_cleanse(key, keylen); PBKDF2PARAM_free(kdf); return 1; diff --git a/src/lib/libssl/src/crypto/evp/p_open.c b/src/lib/libssl/src/crypto/evp/p_open.c index 6976f2a867..5a933d1cda 100644 --- a/src/lib/libssl/src/crypto/evp/p_open.c +++ b/src/lib/libssl/src/crypto/evp/p_open.c @@ -101,7 +101,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char *ek, ret=1; err: - if (key != NULL) memset(key,0,size); + if (key != NULL) OPENSSL_cleanse(key,size); OPENSSL_free(key); return(ret); } diff --git a/src/lib/libssl/src/crypto/hmac/hmac.c b/src/lib/libssl/src/crypto/hmac/hmac.c index da363b7950..4c91f919d5 100644 --- a/src/lib/libssl/src/crypto/hmac/hmac.c +++ b/src/lib/libssl/src/crypto/hmac/hmac.c @@ -59,6 +59,7 @@ #include #include #include +#include "cryptlib.h" void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md, ENGINE *impl) @@ -78,6 +79,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, { reset=1; j=EVP_MD_block_size(md); + OPENSSL_assert(j <= sizeof ctx->key); if (j < len) { EVP_DigestInit_ex(&ctx->md_ctx,md, impl); @@ -87,6 +89,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, } else { + OPENSSL_assert(len <= sizeof ctx->key); memcpy(ctx->key,key,len); ctx->key_length=len; } diff --git a/src/lib/libssl/src/crypto/hmac/hmactest.c b/src/lib/libssl/src/crypto/hmac/hmactest.c index 96d3beb8e6..1b906b81af 100644 --- a/src/lib/libssl/src/crypto/hmac/hmactest.c +++ b/src/lib/libssl/src/crypto/hmac/hmactest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_HMAC int main(int argc, char *argv[]) { @@ -68,12 +70,15 @@ int main(int argc, char *argv[]) } #else #include +#ifndef OPENSSL_NO_MD5 #include +#endif #ifdef CHARSET_EBCDIC #include #endif +#ifndef OPENSSL_NO_MD5 static struct test_st { unsigned char key[16]; @@ -113,13 +118,20 @@ static struct test_st (unsigned char *)"56be34521d144c88dbb8c733f0e8b3f6", }, }; - +#endif static char *pt(unsigned char *md); int main(int argc, char *argv[]) { - int i,err=0; +#ifndef OPENSSL_NO_MD5 + int i; char *p; +#endif + int err=0; + +#ifdef OPENSSL_NO_MD5 + printf("test skipped: MD5 disabled\n"); +#else #ifdef CHARSET_EBCDIC ebcdic2ascii(test[0].data, test[0].data, test[0].data_len); @@ -144,10 +156,12 @@ int main(int argc, char *argv[]) else printf("test %d ok\n",i); } - exit(err); +#endif /* OPENSSL_NO_MD5 */ + EXIT(err); return(0); } +#ifndef OPENSSL_NO_MD5 static char *pt(unsigned char *md) { int i; @@ -158,3 +172,4 @@ static char *pt(unsigned char *md) return(buf); } #endif +#endif diff --git a/src/lib/libssl/src/crypto/idea/version b/src/lib/libssl/src/crypto/idea/version new file mode 100644 index 0000000000..3f22293795 --- /dev/null +++ b/src/lib/libssl/src/crypto/idea/version @@ -0,0 +1,12 @@ +1.1 07/12/95 - eay + Many thanks to Rhys Weatherley + for pointing out that I was assuming little endian byte + order for all quantities what idea actually used + bigendian. No where in the spec does it mention + this, it is all in terms of 16 bit numbers and even the example + does not use byte streams for the input example :-(. + If you byte swap each pair of input, keys and iv, the functions + would produce the output as the old version :-(. + +1.0 ??/??/95 - eay + First version. diff --git a/src/lib/libssl/src/crypto/lhash/lh_stats.c b/src/lib/libssl/src/crypto/lhash/lh_stats.c index 39ea2885f4..5aa7766aa6 100644 --- a/src/lib/libssl/src/crypto/lhash/lh_stats.c +++ b/src/lib/libssl/src/crypto/lhash/lh_stats.c @@ -179,49 +179,29 @@ end:; void lh_stats_bio(const LHASH *lh, BIO *out) { - char buf[128]; - - sprintf(buf,"num_items = %lu\n",lh->num_items); - BIO_puts(out,buf); - sprintf(buf,"num_nodes = %u\n",lh->num_nodes); - BIO_puts(out,buf); - sprintf(buf,"num_alloc_nodes = %u\n",lh->num_alloc_nodes); - BIO_puts(out,buf); - sprintf(buf,"num_expands = %lu\n",lh->num_expands); - BIO_puts(out,buf); - sprintf(buf,"num_expand_reallocs = %lu\n",lh->num_expand_reallocs); - BIO_puts(out,buf); - sprintf(buf,"num_contracts = %lu\n",lh->num_contracts); - BIO_puts(out,buf); - sprintf(buf,"num_contract_reallocs = %lu\n",lh->num_contract_reallocs); - BIO_puts(out,buf); - sprintf(buf,"num_hash_calls = %lu\n",lh->num_hash_calls); - BIO_puts(out,buf); - sprintf(buf,"num_comp_calls = %lu\n",lh->num_comp_calls); - BIO_puts(out,buf); - sprintf(buf,"num_insert = %lu\n",lh->num_insert); - BIO_puts(out,buf); - sprintf(buf,"num_replace = %lu\n",lh->num_replace); - BIO_puts(out,buf); - sprintf(buf,"num_delete = %lu\n",lh->num_delete); - BIO_puts(out,buf); - sprintf(buf,"num_no_delete = %lu\n",lh->num_no_delete); - BIO_puts(out,buf); - sprintf(buf,"num_retrieve = %lu\n",lh->num_retrieve); - BIO_puts(out,buf); - sprintf(buf,"num_retrieve_miss = %lu\n",lh->num_retrieve_miss); - BIO_puts(out,buf); - sprintf(buf,"num_hash_comps = %lu\n",lh->num_hash_comps); - BIO_puts(out,buf); + BIO_printf(out,"num_items = %lu\n",lh->num_items); + BIO_printf(out,"num_nodes = %u\n",lh->num_nodes); + BIO_printf(out,"num_alloc_nodes = %u\n",lh->num_alloc_nodes); + BIO_printf(out,"num_expands = %lu\n",lh->num_expands); + BIO_printf(out,"num_expand_reallocs = %lu\n", + lh->num_expand_reallocs); + BIO_printf(out,"num_contracts = %lu\n",lh->num_contracts); + BIO_printf(out,"num_contract_reallocs = %lu\n", + lh->num_contract_reallocs); + BIO_printf(out,"num_hash_calls = %lu\n",lh->num_hash_calls); + BIO_printf(out,"num_comp_calls = %lu\n",lh->num_comp_calls); + BIO_printf(out,"num_insert = %lu\n",lh->num_insert); + BIO_printf(out,"num_replace = %lu\n",lh->num_replace); + BIO_printf(out,"num_delete = %lu\n",lh->num_delete); + BIO_printf(out,"num_no_delete = %lu\n",lh->num_no_delete); + BIO_printf(out,"num_retrieve = %lu\n",lh->num_retrieve); + BIO_printf(out,"num_retrieve_miss = %lu\n",lh->num_retrieve_miss); + BIO_printf(out,"num_hash_comps = %lu\n",lh->num_hash_comps); #if 0 - sprintf(buf,"p = %u\n",lh->p); - BIO_puts(out,buf); - sprintf(buf,"pmax = %u\n",lh->pmax); - BIO_puts(out,buf); - sprintf(buf,"up_load = %lu\n",lh->up_load); - BIO_puts(out,buf); - sprintf(buf,"down_load = %lu\n",lh->down_load); - BIO_puts(out,buf); + BIO_printf(out,"p = %u\n",lh->p); + BIO_printf(out,"pmax = %u\n",lh->pmax); + BIO_printf(out,"up_load = %lu\n",lh->up_load); + BIO_printf(out,"down_load = %lu\n",lh->down_load); #endif } @@ -229,14 +209,12 @@ void lh_node_stats_bio(const LHASH *lh, BIO *out) { LHASH_NODE *n; unsigned int i,num; - char buf[128]; for (i=0; inum_nodes; i++) { for (n=lh->b[i],num=0; n != NULL; n=n->next) num++; - sprintf(buf,"node %6u -> %3u\n",i,num); - BIO_puts(out,buf); + BIO_printf(out,"node %6u -> %3u\n",i,num); } } @@ -246,7 +224,6 @@ void lh_node_usage_stats_bio(const LHASH *lh, BIO *out) unsigned long num; unsigned int i; unsigned long total=0,n_used=0; - char buf[128]; for (i=0; inum_nodes; i++) { @@ -258,17 +235,14 @@ void lh_node_usage_stats_bio(const LHASH *lh, BIO *out) total+=num; } } - sprintf(buf,"%lu nodes used out of %u\n",n_used,lh->num_nodes); - BIO_puts(out,buf); - sprintf(buf,"%lu items\n",total); - BIO_puts(out,buf); + BIO_printf(out,"%lu nodes used out of %u\n",n_used,lh->num_nodes); + BIO_printf(out,"%lu items\n",total); if (n_used == 0) return; - sprintf(buf,"load %d.%02d actual load %d.%02d\n", - (int)(total/lh->num_nodes), - (int)((total%lh->num_nodes)*100/lh->num_nodes), - (int)(total/n_used), - (int)((total%n_used)*100/n_used)); - BIO_puts(out,buf); + BIO_printf(out,"load %d.%02d actual load %d.%02d\n", + (int)(total/lh->num_nodes), + (int)((total%lh->num_nodes)*100/lh->num_nodes), + (int)(total/n_used), + (int)((total%n_used)*100/n_used)); } #endif diff --git a/src/lib/libssl/src/crypto/md2/md2_dgst.c b/src/lib/libssl/src/crypto/md2/md2_dgst.c index e25dd00e02..ecb64f0ec4 100644 --- a/src/lib/libssl/src/crypto/md2/md2_dgst.c +++ b/src/lib/libssl/src/crypto/md2/md2_dgst.c @@ -61,6 +61,7 @@ #include #include #include +#include const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT; @@ -118,9 +119,9 @@ const char *MD2_options(void) int MD2_Init(MD2_CTX *c) { c->num=0; - memset(c->state,0,MD2_BLOCK*sizeof(MD2_INT)); - memset(c->cksm,0,MD2_BLOCK*sizeof(MD2_INT)); - memset(c->data,0,MD2_BLOCK); + memset(c->state,0,sizeof c->state); + memset(c->cksm,0,sizeof c->cksm); + memset(c->data,0,sizeof c->data); return 1; } @@ -196,7 +197,7 @@ static void md2_block(MD2_CTX *c, const unsigned char *d) t=(t+i)&0xff; } memcpy(sp1,state,16*sizeof(MD2_INT)); - memset(state,0,48*sizeof(MD2_INT)); + OPENSSL_cleanse(state,48*sizeof(MD2_INT)); } int MD2_Final(unsigned char *md, MD2_CTX *c) diff --git a/src/lib/libssl/src/crypto/md2/md2_one.c b/src/lib/libssl/src/crypto/md2/md2_one.c index b12c37ce4d..835160ef56 100644 --- a/src/lib/libssl/src/crypto/md2/md2_one.c +++ b/src/lib/libssl/src/crypto/md2/md2_one.c @@ -88,6 +88,6 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md) } #endif MD2_Final(md,&c); - memset(&c,0,sizeof(c)); /* Security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* Security consideration */ return(md); } diff --git a/src/lib/libssl/src/crypto/md2/md2test.c b/src/lib/libssl/src/crypto/md2/md2test.c index 7d3664faf5..901d0a7d8e 100644 --- a/src/lib/libssl/src/crypto/md2/md2test.c +++ b/src/lib/libssl/src/crypto/md2/md2test.c @@ -61,6 +61,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_MD2 int main(int argc, char *argv[]) { @@ -122,8 +124,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); - return(0); + EXIT(err); } static char *pt(unsigned char *md) diff --git a/src/lib/libssl/src/crypto/md32_common.h b/src/lib/libssl/src/crypto/md32_common.h index 353d2b96ad..573850b122 100644 --- a/src/lib/libssl/src/crypto/md32_common.h +++ b/src/lib/libssl/src/crypto/md32_common.h @@ -1,6 +1,6 @@ /* crypto/md32_common.h */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -198,7 +198,7 @@ * * */ -# if defined(__i386) || defined(__i386__) +# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__) # define ROTATE(a,n) ({ register unsigned int ret; \ asm ( \ "roll %1,%0" \ @@ -224,7 +224,7 @@ */ # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) /* some GNU C inline assembler templates by */ -# if (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY) +# if (defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)) && !defined(I386_ONLY) # define BE_FETCH32(a) ({ register unsigned int l=(a);\ asm ( \ "bswapl %0" \ @@ -456,7 +456,10 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len) { ew=(c->num>>2); ec=(c->num&0x03); - l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l; + if (sc) + l=p[sw]; + HOST_p_c2l(data,l,sc); + p[sw++]=l; for (; sw < ew; sw++) { HOST_c2l(data,l); p[sw]=l; @@ -603,7 +606,32 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c) c->num=0; /* clear stuff, HASH_BLOCK may be leaving some stuff on the stack * but I'm not worried :-) - memset((void *)c,0,sizeof(HASH_CTX)); + OPENSSL_cleanse((void *)c,sizeof(HASH_CTX)); */ return 1; } + +#ifndef MD32_REG_T +#define MD32_REG_T long +/* + * This comment was originaly written for MD5, which is why it + * discusses A-D. But it basically applies to all 32-bit digests, + * which is why it was moved to common header file. + * + * In case you wonder why A-D are declared as long and not + * as MD5_LONG. Doing so results in slight performance + * boost on LP64 architectures. The catch is we don't + * really care if 32 MSBs of a 64-bit register get polluted + * with eventual overflows as we *save* only 32 LSBs in + * *either* case. Now declaring 'em long excuses the compiler + * from keeping 32 MSBs zeroed resulting in 13% performance + * improvement under SPARC Solaris7/64 and 5% under AlphaLinux. + * Well, to be honest it should say that this *prevents* + * performance degradation. + * + * Apparently there're LP64 compilers that generate better + * code if A-D are declared int. Most notably GCC-x86_64 + * generates better code. + * + */ +#endif diff --git a/src/lib/libssl/src/crypto/md4/md4.c b/src/lib/libssl/src/crypto/md4/md4.c index e4b0aac011..141415ad4d 100644 --- a/src/lib/libssl/src/crypto/md4/md4.c +++ b/src/lib/libssl/src/crypto/md4/md4.c @@ -64,7 +64,7 @@ void do_fp(FILE *f); void pt(unsigned char *md); -#ifndef _OSD_POSIX +#if !defined(_OSD_POSIX) && !defined(__DJGPP__) int read(int, void *, unsigned int); #endif @@ -108,7 +108,7 @@ void do_fp(FILE *f) MD4_Init(&c); for (;;) { - i=read(fd,buf,BUFSIZE); + i=read(fd,buf,sizeof buf); if (i <= 0) break; MD4_Update(&c,buf,(unsigned long)i); } diff --git a/src/lib/libssl/src/crypto/md4/md4_dgst.c b/src/lib/libssl/src/crypto/md4/md4_dgst.c index 6446f5f5e7..7afb7185b6 100644 --- a/src/lib/libssl/src/crypto/md4/md4_dgst.c +++ b/src/lib/libssl/src/crypto/md4/md4_dgst.c @@ -86,21 +86,7 @@ int MD4_Init(MD4_CTX *c) void md4_block_host_order (MD4_CTX *c, const void *data, int num) { const MD4_LONG *X=data; - register unsigned long A,B,C,D; - /* - * In case you wonder why A-D are declared as long and not - * as MD4_LONG. Doing so results in slight performance - * boost on LP64 architectures. The catch is we don't - * really care if 32 MSBs of a 64-bit register get polluted - * with eventual overflows as we *save* only 32 LSBs in - * *either* case. Now declaring 'em long excuses the compiler - * from keeping 32 MSBs zeroed resulting in 13% performance - * improvement under SPARC Solaris7/64 and 5% under AlphaLinux. - * Well, to be honest it should say that this *prevents* - * performance degradation. - * - * - */ + register unsigned MD32_REG_T A,B,C,D; A=c->A; B=c->B; @@ -176,25 +162,11 @@ void md4_block_host_order (MD4_CTX *c, const void *data, int num) void md4_block_data_order (MD4_CTX *c, const void *data_, int num) { const unsigned char *data=data_; - register unsigned long A,B,C,D,l; - /* - * In case you wonder why A-D are declared as long and not - * as MD4_LONG. Doing so results in slight performance - * boost on LP64 architectures. The catch is we don't - * really care if 32 MSBs of a 64-bit register get polluted - * with eventual overflows as we *save* only 32 LSBs in - * *either* case. Now declaring 'em long excuses the compiler - * from keeping 32 MSBs zeroed resulting in 13% performance - * improvement under SPARC Solaris7/64 and 5% under AlphaLinux. - * Well, to be honest it should say that this *prevents* - * performance degradation. - * - * - */ + register unsigned MD32_REG_T A,B,C,D,l; #ifndef MD32_XARRAY /* See comment in crypto/sha/sha_locl.h for details. */ - unsigned long XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, - XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; + unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, + XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; # define X(i) XX##i #else MD4_LONG XX[MD4_LBLOCK]; diff --git a/src/lib/libssl/src/crypto/md4/md4_one.c b/src/lib/libssl/src/crypto/md4/md4_one.c index 87a995d38d..00565507e4 100644 --- a/src/lib/libssl/src/crypto/md4/md4_one.c +++ b/src/lib/libssl/src/crypto/md4/md4_one.c @@ -59,6 +59,7 @@ #include #include #include +#include #ifdef CHARSET_EBCDIC #include @@ -89,7 +90,7 @@ unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md) } #endif MD4_Final(md,&c); - memset(&c,0,sizeof(c)); /* security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */ return(md); } diff --git a/src/lib/libssl/src/crypto/md4/md4test.c b/src/lib/libssl/src/crypto/md4/md4test.c index e0fdc42282..21a77d96f7 100644 --- a/src/lib/libssl/src/crypto/md4/md4test.c +++ b/src/lib/libssl/src/crypto/md4/md4test.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_MD4 int main(int argc, char *argv[]) { @@ -118,7 +120,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/src/lib/libssl/src/crypto/md5/md5.c b/src/lib/libssl/src/crypto/md5/md5.c index 7ed0024ae1..563733abc5 100644 --- a/src/lib/libssl/src/crypto/md5/md5.c +++ b/src/lib/libssl/src/crypto/md5/md5.c @@ -64,7 +64,7 @@ void do_fp(FILE *f); void pt(unsigned char *md); -#ifndef _OSD_POSIX +#if !defined(_OSD_POSIX) && !defined(__DJGPP__) int read(int, void *, unsigned int); #endif diff --git a/src/lib/libssl/src/crypto/md5/md5.h b/src/lib/libssl/src/crypto/md5/md5.h index 52cb753e6a..a252e02115 100644 --- a/src/lib/libssl/src/crypto/md5/md5.h +++ b/src/lib/libssl/src/crypto/md5/md5.h @@ -59,6 +59,8 @@ #ifndef HEADER_MD5_H #define HEADER_MD5_H +#include + #ifdef __cplusplus extern "C" { #endif @@ -76,7 +78,7 @@ extern "C" { #if defined(OPENSSL_SYS_WIN16) || defined(__LP32__) #define MD5_LONG unsigned long -#elif defined(OENSSL_SYS_CRAY) || defined(__ILP64__) +#elif defined(OPENSSL_SYS_CRAY) || defined(__ILP64__) #define MD5_LONG unsigned long #define MD5_LONG_LOG2 3 /* diff --git a/src/lib/libssl/src/crypto/md5/md5_dgst.c b/src/lib/libssl/src/crypto/md5/md5_dgst.c index c38a3f021e..9c7abc3697 100644 --- a/src/lib/libssl/src/crypto/md5/md5_dgst.c +++ b/src/lib/libssl/src/crypto/md5/md5_dgst.c @@ -86,21 +86,7 @@ int MD5_Init(MD5_CTX *c) void md5_block_host_order (MD5_CTX *c, const void *data, int num) { const MD5_LONG *X=data; - register unsigned long A,B,C,D; - /* - * In case you wonder why A-D are declared as long and not - * as MD5_LONG. Doing so results in slight performance - * boost on LP64 architectures. The catch is we don't - * really care if 32 MSBs of a 64-bit register get polluted - * with eventual overflows as we *save* only 32 LSBs in - * *either* case. Now declaring 'em long excuses the compiler - * from keeping 32 MSBs zeroed resulting in 13% performance - * improvement under SPARC Solaris7/64 and 5% under AlphaLinux. - * Well, to be honest it should say that this *prevents* - * performance degradation. - * - * - */ + register unsigned MD32_REG_T A,B,C,D; A=c->A; B=c->B; @@ -193,25 +179,11 @@ void md5_block_host_order (MD5_CTX *c, const void *data, int num) void md5_block_data_order (MD5_CTX *c, const void *data_, int num) { const unsigned char *data=data_; - register unsigned long A,B,C,D,l; - /* - * In case you wonder why A-D are declared as long and not - * as MD5_LONG. Doing so results in slight performance - * boost on LP64 architectures. The catch is we don't - * really care if 32 MSBs of a 64-bit register get polluted - * with eventual overflows as we *save* only 32 LSBs in - * *either* case. Now declaring 'em long excuses the compiler - * from keeping 32 MSBs zeroed resulting in 13% performance - * improvement under SPARC Solaris7/64 and 5% under AlphaLinux. - * Well, to be honest it should say that this *prevents* - * performance degradation. - * - * - */ + register unsigned MD32_REG_T A,B,C,D,l; #ifndef MD32_XARRAY /* See comment in crypto/sha/sha_locl.h for details. */ - unsigned long XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, - XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; + unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, + XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; # define X(i) XX##i #else MD5_LONG XX[MD5_LBLOCK]; diff --git a/src/lib/libssl/src/crypto/md5/md5_locl.h b/src/lib/libssl/src/crypto/md5/md5_locl.h index 34c5257306..9e360da732 100644 --- a/src/lib/libssl/src/crypto/md5/md5_locl.h +++ b/src/lib/libssl/src/crypto/md5/md5_locl.h @@ -58,7 +58,7 @@ #include #include -#include +#include #include #ifndef MD5_LONG_LOG2 diff --git a/src/lib/libssl/src/crypto/md5/md5_one.c b/src/lib/libssl/src/crypto/md5/md5_one.c index b89dec850d..c5dd2d81db 100644 --- a/src/lib/libssl/src/crypto/md5/md5_one.c +++ b/src/lib/libssl/src/crypto/md5/md5_one.c @@ -59,6 +59,7 @@ #include #include #include +#include #ifdef CHARSET_EBCDIC #include @@ -89,7 +90,7 @@ unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md) } #endif MD5_Final(md,&c); - memset(&c,0,sizeof(c)); /* security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */ return(md); } diff --git a/src/lib/libssl/src/crypto/md5/md5test.c b/src/lib/libssl/src/crypto/md5/md5test.c index 862b89658a..bfd62629ed 100644 --- a/src/lib/libssl/src/crypto/md5/md5test.c +++ b/src/lib/libssl/src/crypto/md5/md5test.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_MD5 int main(int argc, char *argv[]) { @@ -118,7 +120,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/src/lib/libssl/src/crypto/mdc2/mdc2test.c b/src/lib/libssl/src/crypto/mdc2/mdc2test.c new file mode 100644 index 0000000000..c9abe99d92 --- /dev/null +++ b/src/lib/libssl/src/crypto/mdc2/mdc2test.c @@ -0,0 +1,146 @@ +/* crypto/mdc2/mdc2test.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include +#include +#include + +#include "../e_os.h" + +#if defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_MDC2) +#define OPENSSL_NO_MDC2 +#endif + +#ifdef OPENSSL_NO_MDC2 +int main(int argc, char *argv[]) +{ + printf("No MDC2 support\n"); + return(0); +} +#else +#include +#include + +#ifdef CHARSET_EBCDIC +#include +#endif + +static unsigned char pad1[16]={ + 0x42,0xE5,0x0C,0xD2,0x24,0xBA,0xCE,0xBA, + 0x76,0x0B,0xDD,0x2B,0xD4,0x09,0x28,0x1A + }; + +static unsigned char pad2[16]={ + 0x2E,0x46,0x79,0xB5,0xAD,0xD9,0xCA,0x75, + 0x35,0xD8,0x7A,0xFE,0xAB,0x33,0xBE,0xE2 + }; + +int main(int argc, char *argv[]) + { + int ret=0; + unsigned char md[MDC2_DIGEST_LENGTH]; + int i; + EVP_MD_CTX c; + static char *text="Now is the time for all "; + +#ifdef CHARSET_EBCDIC + ebcdic2ascii(text,text,strlen(text)); +#endif + + EVP_MD_CTX_init(&c); + EVP_DigestInit_ex(&c,EVP_mdc2(), NULL); + EVP_DigestUpdate(&c,(unsigned char *)text,strlen(text)); + EVP_DigestFinal_ex(&c,&(md[0]),NULL); + + if (memcmp(md,pad1,MDC2_DIGEST_LENGTH) != 0) + { + for (i=0; ipad_type=2; + EVP_DigestUpdate(&c,(unsigned char *)text,strlen(text)); + EVP_DigestFinal_ex(&c,&(md[0]),NULL); + + if (memcmp(md,pad2,MDC2_DIGEST_LENGTH) != 0) + { + for (i=0; i2Kb so the overhead doesn't bother us. */ + if(ret && (num > 2048)) + ((unsigned char *)ret)[0] = cleanse_ctr; + return ret; } @@ -282,6 +291,9 @@ void CRYPTO_free_locked(void *str) void *CRYPTO_malloc(int num, const char *file, int line) { void *ret = NULL; + extern unsigned char cleanse_ctr; + + if (num < 0) return NULL; allow_customize = 0; if (malloc_debug_func != NULL) @@ -296,6 +308,12 @@ void *CRYPTO_malloc(int num, const char *file, int line) if (malloc_debug_func != NULL) malloc_debug_func(ret, num, file, line, 1); + /* Create a dependency on the value of 'cleanse_ctr' so our memory + * sanitisation function can't be optimised out. NB: We only do + * this for >2Kb so the overhead doesn't bother us. */ + if(ret && (num > 2048)) + ((unsigned char *)ret)[0] = cleanse_ctr; + return ret; } @@ -306,6 +324,8 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line) if (str == NULL) return CRYPTO_malloc(num, file, line); + if (num < 0) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret = realloc_ex_func(str,num,file,line); @@ -318,6 +338,32 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line) return ret; } +void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, + int line) + { + void *ret = NULL; + + if (str == NULL) + return CRYPTO_malloc(num, file, line); + + if (num < 0) return NULL; + + if (realloc_debug_func != NULL) + realloc_debug_func(str, NULL, num, file, line, 0); + ret=malloc_ex_func(num,file,line); + if(ret) + memcpy(ret,str,old_len); + OPENSSL_cleanse(str,old_len); + free_func(str); +#ifdef LEVITTE_DEBUG_MEM + fprintf(stderr, "LEVITTE_DEBUG_MEM: | 0x%p -> 0x%p (%d)\n", str, ret, num); +#endif + if (realloc_debug_func != NULL) + realloc_debug_func(str, ret, num, file, line, 1); + + return ret; + } + void CRYPTO_free(void *str) { if (free_debug_func != NULL) @@ -337,7 +383,6 @@ void *CRYPTO_remalloc(void *a, int num, const char *file, int line) return(a); } - void CRYPTO_set_mem_debug_options(long bits) { if (set_debug_options_func != NULL) diff --git a/src/lib/libssl/src/crypto/mem_clr.c b/src/lib/libssl/src/crypto/mem_clr.c new file mode 100644 index 0000000000..e4b7f540b0 --- /dev/null +++ b/src/lib/libssl/src/crypto/mem_clr.c @@ -0,0 +1,75 @@ +/* crypto/mem_clr.c -*- mode:C; c-file-style: "eay" -*- */ +/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL + * project 2002. + */ +/* ==================================================================== + * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include + +unsigned char cleanse_ctr = 0; + +void OPENSSL_cleanse(void *ptr, size_t len) + { + unsigned char *p = ptr; + size_t loop = len; + while(loop--) + { + *(p++) = cleanse_ctr; + cleanse_ctr += (17 + (unsigned char)((int)p & 0xF)); + } + if(memchr(ptr, cleanse_ctr, len)) + cleanse_ctr += 63; + } diff --git a/src/lib/libssl/src/crypto/mem_dbg.c b/src/lib/libssl/src/crypto/mem_dbg.c index 1c4e04f51f..57bd08f65d 100644 --- a/src/lib/libssl/src/crypto/mem_dbg.c +++ b/src/lib/libssl/src/crypto/mem_dbg.c @@ -102,6 +102,8 @@ typedef struct app_mem_info_st int references; } APP_INFO; +static void app_info_free(APP_INFO *); + static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's * that are at the top of their thread's stack * (with `thread' as key); @@ -140,6 +142,18 @@ static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0. * thread named in disabling_thread). */ +static void app_info_free(APP_INFO *inf) + { + if (--(inf->references) <= 0) + { + if (inf->next != NULL) + { + app_info_free(inf->next); + } + OPENSSL_free(inf); + } + } + int CRYPTO_mem_ctrl(int mode) { int ret=mh_mode; @@ -502,9 +516,7 @@ void CRYPTO_dbg_free(void *addr, int before_p) mp->order, mp->addr, mp->num); #endif if (mp->app_info != NULL) - { - mp->app_info->references--; - } + app_info_free(mp->app_info); OPENSSL_free(mp); } @@ -666,7 +678,6 @@ static IMPLEMENT_LHASH_DOALL_ARG_FN(print_leak, const MEM *, MEM_LEAK *) void CRYPTO_mem_leaks(BIO *b) { MEM_LEAK ml; - char buf[80]; if (mh == NULL && amih == NULL) return; @@ -681,9 +692,8 @@ void CRYPTO_mem_leaks(BIO *b) (char *)&ml); if (ml.chunks != 0) { - sprintf(buf,"%ld bytes leaked in %d chunks\n", - ml.bytes,ml.chunks); - BIO_puts(b,buf); + BIO_printf(b,"%ld bytes leaked in %d chunks\n", + ml.bytes,ml.chunks); } else { diff --git a/src/lib/libssl/src/crypto/o_time.c b/src/lib/libssl/src/crypto/o_time.c index 1bc0297b36..723eb1b5af 100644 --- a/src/lib/libssl/src/crypto/o_time.c +++ b/src/lib/libssl/src/crypto/o_time.c @@ -80,6 +80,9 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result) ts = result; #elif !defined(OPENSSL_SYS_VMS) ts = gmtime(timer); + if (ts == NULL) + return NULL; + memcpy(result, ts, sizeof(struct tm)); ts = result; #endif diff --git a/src/lib/libssl/src/crypto/objects/obj_dat.c b/src/lib/libssl/src/crypto/objects/obj_dat.c index ce779dc1b5..5d983e3ed4 100644 --- a/src/lib/libssl/src/crypto/objects/obj_dat.c +++ b/src/lib/libssl/src/crypto/objects/obj_dat.c @@ -464,7 +464,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) sprintf(tbuf,"%d.%lu",i,l); i=strlen(tbuf); - strncpy(buf,tbuf,buf_len); + BUF_strlcpy(buf,tbuf,buf_len); buf_len-=i; buf+=i; n+=i; @@ -476,7 +476,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) sprintf(tbuf,".%lu",l); i=strlen(tbuf); if (buf_len > 0) - strncpy(buf,tbuf,buf_len); + BUF_strlcpy(buf,tbuf,buf_len); buf_len-=i; buf+=i; n+=i; @@ -488,10 +488,9 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) s=OBJ_nid2ln(nid); if (s == NULL) s=OBJ_nid2sn(nid); - strncpy(buf,s,buf_len); + BUF_strlcpy(buf,s,buf_len); n=strlen(s); } - buf[buf_len-1]='\0'; return(n); } diff --git a/src/lib/libssl/src/crypto/objects/obj_dat.h b/src/lib/libssl/src/crypto/objects/obj_dat.h index 30812c8aa6..969b18a341 100644 --- a/src/lib/libssl/src/crypto/objects/obj_dat.h +++ b/src/lib/libssl/src/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 645 -#define NUM_SN 641 -#define NUM_LN 641 -#define NUM_OBJ 615 +#define NUM_NID 650 +#define NUM_SN 643 +#define NUM_LN 643 +#define NUM_OBJ 617 -static unsigned char lvalues[4435]={ +static unsigned char lvalues[4455]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -683,6 +683,8 @@ static unsigned char lvalues[4435]={ 0x67,0x2A,0x08,0xAE,0x7B, /* [4412] OBJ_set_brand_Novus */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x0A, /* [4417] OBJ_des_cdmf */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06,/* [4425] OBJ_rsaOAEPEncryptionSET */ +0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [4434] OBJ_ms_smartcard_login */ +0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4444] OBJ_ms_upn */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ @@ -824,7 +826,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ {"RSA-MDC2","mdc2WithRSA",NID_mdc2WithRSA,4,&(lvalues[531]),0}, {"RC4-40","rc4-40",NID_rc4_40,0,NULL}, {"RC2-40-CBC","rc2-40-cbc",NID_rc2_40_cbc,0,NULL}, -{"gn","givenName",NID_givenName,3,&(lvalues[535]),0}, +{"GN","givenName",NID_givenName,3,&(lvalues[535]),0}, {"SN","surname",NID_surname,3,&(lvalues[538]),0}, {"initials","initials",NID_initials,3,&(lvalues[541]),0}, {NULL,NULL,NID_undef,0,NULL}, @@ -1719,6 +1721,13 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ {"DES-CDMF","des-cdmf",NID_des_cdmf,8,&(lvalues[4417]),0}, {"rsaOAEPEncryptionSET","rsaOAEPEncryptionSET", NID_rsaOAEPEncryptionSET,9,&(lvalues[4425]),0}, +{NULL,NULL,NID_undef,0,NULL}, +{NULL,NULL,NID_undef,0,NULL}, +{NULL,NULL,NID_undef,0,NULL}, +{"msSmartcardLogin","Microsoft Smartcardlogin",NID_ms_smartcard_login, + 10,&(lvalues[4434]),0}, +{"msUPN","Microsoft Universal Principal Name",NID_ms_upn,10, + &(lvalues[4444]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -1771,6 +1780,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[70]),/* "DSA-SHA1-old" */ &(nid_objs[67]),/* "DSA-old" */ &(nid_objs[297]),/* "DVCS" */ +&(nid_objs[99]),/* "GN" */ &(nid_objs[381]),/* "IANA" */ &(nid_objs[34]),/* "IDEA-CBC" */ &(nid_objs[35]),/* "IDEA-CFB" */ @@ -1917,7 +1927,6 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[490]),/* "friendlyCountryName" */ &(nid_objs[156]),/* "friendlyName" */ &(nid_objs[509]),/* "generationQualifier" */ -&(nid_objs[99]),/* "gn" */ &(nid_objs[163]),/* "hmacWithSHA1" */ &(nid_objs[432]),/* "holdInstructionCallIssuer" */ &(nid_objs[430]),/* "holdInstructionCode" */ @@ -2127,6 +2136,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[138]),/* "msEFS" */ &(nid_objs[171]),/* "msExtReq" */ &(nid_objs[137]),/* "msSGC" */ +&(nid_objs[648]),/* "msSmartcardLogin" */ +&(nid_objs[649]),/* "msUPN" */ &(nid_objs[481]),/* "nSRecord" */ &(nid_objs[173]),/* "name" */ &(nid_objs[369]),/* "noCheck" */ @@ -2401,7 +2412,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[171]),/* "Microsoft Extension Request" */ &(nid_objs[134]),/* "Microsoft Individual Code Signing" */ &(nid_objs[137]),/* "Microsoft Server Gated Crypto" */ +&(nid_objs[648]),/* "Microsoft Smartcardlogin" */ &(nid_objs[136]),/* "Microsoft Trust List Signing" */ +&(nid_objs[649]),/* "Microsoft Universal Principal Name" */ &(nid_objs[72]),/* "Netscape Base Url" */ &(nid_objs[76]),/* "Netscape CA Policy Url" */ &(nid_objs[74]),/* "Netscape CA Revocation Url" */ @@ -3557,6 +3570,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[136]),/* OBJ_ms_ctl_sign 1 3 6 1 4 1 311 10 3 1 */ &(nid_objs[137]),/* OBJ_ms_sgc 1 3 6 1 4 1 311 10 3 3 */ &(nid_objs[138]),/* OBJ_ms_efs 1 3 6 1 4 1 311 10 3 4 */ +&(nid_objs[648]),/* OBJ_ms_smartcard_login 1 3 6 1 4 1 311 20 2 2 */ +&(nid_objs[649]),/* OBJ_ms_upn 1 3 6 1 4 1 311 20 2 3 */ &(nid_objs[196]),/* OBJ_id_smime_mod_cms 1 2 840 113549 1 9 16 0 1 */ &(nid_objs[197]),/* OBJ_id_smime_mod_ess 1 2 840 113549 1 9 16 0 2 */ &(nid_objs[198]),/* OBJ_id_smime_mod_oid 1 2 840 113549 1 9 16 0 3 */ diff --git a/src/lib/libssl/src/crypto/objects/obj_mac.h b/src/lib/libssl/src/crypto/objects/obj_mac.h index 899db8325c..7645012298 100644 --- a/src/lib/libssl/src/crypto/objects/obj_mac.h +++ b/src/lib/libssl/src/crypto/objects/obj_mac.h @@ -850,6 +850,16 @@ #define NID_ms_efs 138 #define OBJ_ms_efs 1L,3L,6L,1L,4L,1L,311L,10L,3L,4L +#define SN_ms_smartcard_login "msSmartcardLogin" +#define LN_ms_smartcard_login "Microsoft Smartcardlogin" +#define NID_ms_smartcard_login 648 +#define OBJ_ms_smartcard_login 1L,3L,6L,1L,4L,1L,311L,20L,2L,2L + +#define SN_ms_upn "msUPN" +#define LN_ms_upn "Microsoft Universal Principal Name" +#define NID_ms_upn 649 +#define OBJ_ms_upn 1L,3L,6L,1L,4L,1L,311L,20L,2L,3L + #define SN_idea_cbc "IDEA-CBC" #define LN_idea_cbc "idea-cbc" #define NID_idea_cbc 34 @@ -1632,7 +1642,7 @@ #define NID_name 173 #define OBJ_name OBJ_X509,41L -#define SN_givenName "gn" +#define SN_givenName "GN" #define LN_givenName "givenName" #define NID_givenName 99 #define OBJ_givenName OBJ_X509,42L diff --git a/src/lib/libssl/src/crypto/objects/obj_mac.num b/src/lib/libssl/src/crypto/objects/obj_mac.num index 1486199661..9838072b65 100644 --- a/src/lib/libssl/src/crypto/objects/obj_mac.num +++ b/src/lib/libssl/src/crypto/objects/obj_mac.num @@ -645,3 +645,5 @@ rsaOAEPEncryptionSET 644 itu_t 645 joint_iso_itu_t 646 international_organizations 647 +ms_smartcard_login 648 +ms_upn 649 diff --git a/src/lib/libssl/src/crypto/objects/objects.txt b/src/lib/libssl/src/crypto/objects/objects.txt index 71a4908485..3ba11f65cc 100644 --- a/src/lib/libssl/src/crypto/objects/objects.txt +++ b/src/lib/libssl/src/crypto/objects/objects.txt @@ -276,6 +276,10 @@ rsadsi 3 8 : RC5-CBC : rc5-cbc 1 3 6 1 4 1 311 10 3 3 : msSGC : Microsoft Server Gated Crypto !Cname ms-efs 1 3 6 1 4 1 311 10 3 4 : msEFS : Microsoft Encrypted File System +!Cname ms-smartcard-login +1 3 6 1 4 1 311 20 2 2 : msSmartcardLogin : Microsoft Smartcardlogin +!Cname ms-upn +1 3 6 1 4 1 311 20 2 3 : msUPN : Microsoft Universal Principal Name 1 3 6 1 4 1 188 7 1 1 2 : IDEA-CBC : idea-cbc : IDEA-ECB : idea-ecb @@ -537,7 +541,7 @@ X509 11 : OU : organizationalUnitName X509 12 : : title X509 13 : : description X509 41 : name : name -X509 42 : gn : givenName +X509 42 : GN : givenName X509 43 : : initials X509 44 : : generationQualifier X509 45 : : x500UniqueIdentifier diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c b/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c index 8c148cda6a..6a3a360d54 100644 --- a/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c +++ b/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c @@ -117,7 +117,7 @@ IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPONSE) ASN1_CHOICE(OCSP_RESPID) = { ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1), - ASN1_IMP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2) + ASN1_EXP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2) } ASN1_CHOICE_END(OCSP_RESPID) IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPID) diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c index b78cd37092..9213e58ae4 100644 --- a/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c +++ b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c @@ -64,6 +64,9 @@ #include #include #include +#ifdef OPENSSL_SYS_SUNOS +#define strtoul (unsigned long)strtol +#endif /* OPENSSL_SYS_SUNOS */ /* Quick and dirty HTTP OCSP request handler. * Could make this a bit cleverer by adding @@ -94,7 +97,7 @@ Content-Length: %d\r\n\r\n"; } if(!(mem = BIO_new(BIO_s_mem()))) goto err; /* Copy response to a memory BIO: socket bios can't do gets! */ - while ((len = BIO_read(b, tmpbuf, 1024))) { + while ((len = BIO_read(b, tmpbuf, sizeof tmpbuf))) { if(len < 0) { OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_READ_ERROR); goto err; @@ -107,7 +110,7 @@ Content-Length: %d\r\n\r\n"; } /* Parse the HTTP response. This will look like this: * "HTTP/1.0 200 OK". We need to obtain the numeric code and - * informational message. + * (optional) informational message. */ /* Skip to first white space (passed protocol info) */ @@ -135,13 +138,19 @@ Content-Length: %d\r\n\r\n"; if(*r) goto err; /* Skip over any leading white space in message */ while(*q && isspace((unsigned char)*q)) q++; - if(!*q) goto err; + if(*q) { /* Finally zap any trailing white space in message (include CRLF) */ /* We know q has a non white space character so this is OK */ - for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0; + for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0; + } if(retcode != 200) { OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR); - ERR_add_error_data(4, "Code=", p, ",Reason=", q); + if(!*q) { + ERR_add_error_data(2, "Code=", p); + } + else { + ERR_add_error_data(4, "Code=", p, ",Reason=", q); + } goto err; } /* Find blank line marking beginning of content */ diff --git a/src/lib/libssl/src/crypto/opensslconf.h b/src/lib/libssl/src/crypto/opensslconf.h index c9756e47a3..492041bc7c 100644 --- a/src/lib/libssl/src/crypto/opensslconf.h +++ b/src/lib/libssl/src/crypto/opensslconf.h @@ -69,7 +69,7 @@ #endif #endif -#if (defined(HEADER_DES_H) || defined(HEADER_DES_OLD_H)) && !defined(DES_LONG) +#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a * %20 speed up (longs are 8 bytes, int's are 4). */ #ifndef DES_LONG diff --git a/src/lib/libssl/src/crypto/opensslconf.h.in b/src/lib/libssl/src/crypto/opensslconf.h.in index 9082a16c46..685e83b7a3 100644 --- a/src/lib/libssl/src/crypto/opensslconf.h.in +++ b/src/lib/libssl/src/crypto/opensslconf.h.in @@ -47,7 +47,7 @@ #endif #endif -#if (defined(HEADER_DES_H) || defined(HEADER_DES_OLD_H)) && !defined(DES_LONG) +#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a * %20 speed up (longs are 8 bytes, int's are 4). */ #ifndef DES_LONG diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h index 9689b49c5b..08cb1d5018 100644 --- a/src/lib/libssl/src/crypto/opensslv.h +++ b/src/lib/libssl/src/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x00907003L -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7-beta3 30 Jul 2002" +#define OPENSSL_VERSION_NUMBER 0x0090702fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7b 10 Apr 2003" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/src/lib/libssl/src/crypto/ossl_typ.h b/src/lib/libssl/src/crypto/ossl_typ.h index 6bd42aee4d..285fd0b1d9 100644 --- a/src/lib/libssl/src/crypto/ossl_typ.h +++ b/src/lib/libssl/src/crypto/ossl_typ.h @@ -55,6 +55,8 @@ #ifndef HEADER_OPENSSL_TYPES_H #define HEADER_OPENSSL_TYPES_H +#include + #ifdef NO_ASN1_TYPEDEFS #define ASN1_INTEGER ASN1_STRING #define ASN1_ENUMERATED ASN1_STRING diff --git a/src/lib/libssl/src/crypto/pem/pem.h b/src/lib/libssl/src/crypto/pem/pem.h index 3785fca77d..d330cbf9a3 100644 --- a/src/lib/libssl/src/crypto/pem/pem.h +++ b/src/lib/libssl/src/crypto/pem/pem.h @@ -149,7 +149,7 @@ typedef struct pem_recip_st int cipher; int key_enc; - char iv[8]; + /* char iv[8]; unused and wrong size */ } PEM_USER; typedef struct pem_ctx_st @@ -165,7 +165,8 @@ typedef struct pem_ctx_st struct { int cipher; - unsigned char iv[8]; + /* unused, and wrong size + unsigned char iv[8]; */ } DEK_info; PEM_USER *originator; @@ -187,7 +188,8 @@ typedef struct pem_ctx_st EVP_CIPHER *dec; /* date encryption cipher */ int key_len; /* key length */ unsigned char *key; /* key */ - unsigned char iv[8]; /* the iv */ + /* unused, and wrong size + unsigned char iv[8]; */ int data_enc; /* is the data encrypted */ diff --git a/src/lib/libssl/src/crypto/pem/pem_info.c b/src/lib/libssl/src/crypto/pem/pem_info.c index 9a6dffb45c..9e4af29c95 100644 --- a/src/lib/libssl/src/crypto/pem/pem_info.c +++ b/src/lib/libssl/src/crypto/pem/pem_info.c @@ -324,6 +324,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, } /* create the right magic header stuff */ + OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf); buf[0]='\0'; PEM_proc_type(buf,PEM_TYPE_ENCRYPTED); PEM_dek_info(buf,objstr,enc->iv_len,(char *)iv); @@ -358,7 +359,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, ret=1; err: - memset((char *)&ctx,0,sizeof(ctx)); - memset(buf,0,PEM_BUFSIZE); + OPENSSL_cleanse((char *)&ctx,sizeof(ctx)); + OPENSSL_cleanse(buf,PEM_BUFSIZE); return(ret); } diff --git a/src/lib/libssl/src/crypto/pem/pem_lib.c b/src/lib/libssl/src/crypto/pem/pem_lib.c index a8db6ffbf5..70b5446797 100644 --- a/src/lib/libssl/src/crypto/pem/pem_lib.c +++ b/src/lib/libssl/src/crypto/pem/pem_lib.c @@ -138,7 +138,7 @@ void PEM_proc_type(char *buf, int type) void PEM_dek_info(char *buf, const char *type, int len, char *str) { - static unsigned char map[17]="0123456789ABCDEF"; + static const unsigned char map[17]="0123456789ABCDEF"; long i; int j; @@ -249,7 +249,7 @@ int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, const char ret = 1; err: - if (!pnm) OPENSSL_free(nm); + if (!ret || !pnm) OPENSSL_free(nm); OPENSSL_free(header); if (!ret) OPENSSL_free(data); return ret; @@ -304,6 +304,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x, goto err; } /* dzise + 8 bytes are needed */ + /* actually it needs the cipher block size extra... */ data=(unsigned char *)OPENSSL_malloc((unsigned int)dsize+20); if (data == NULL) { @@ -333,13 +334,16 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x, kstr=(unsigned char *)buf; } RAND_add(data,i,0);/* put in the RSA key. */ + OPENSSL_assert(enc->iv_len <= sizeof iv); if (RAND_pseudo_bytes(iv,enc->iv_len) < 0) /* Generate a salt */ goto err; /* The 'iv' is used as the iv and as a salt. It is * NOT taken from the BytesToKey function */ EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL); - if (kstr == (unsigned char *)buf) memset(buf,0,PEM_BUFSIZE); + if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE); + + OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf); buf[0]='\0'; PEM_proc_type(buf,PEM_TYPE_ENCRYPTED); @@ -362,13 +366,13 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x, i=PEM_write_bio(bp,name,buf,data,i); if (i <= 0) ret=0; err: - memset(key,0,sizeof(key)); - memset(iv,0,sizeof(iv)); - memset((char *)&ctx,0,sizeof(ctx)); - memset(buf,0,PEM_BUFSIZE); + OPENSSL_cleanse(key,sizeof(key)); + OPENSSL_cleanse(iv,sizeof(iv)); + OPENSSL_cleanse((char *)&ctx,sizeof(ctx)); + OPENSSL_cleanse(buf,PEM_BUFSIZE); if (data != NULL) { - memset(data,0,(unsigned int)dsize); + OPENSSL_cleanse(data,(unsigned int)dsize); OPENSSL_free(data); } return(ret); @@ -409,8 +413,8 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, EVP_DecryptUpdate(&ctx,data,&i,data,j); o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j); EVP_CIPHER_CTX_cleanup(&ctx); - memset((char *)buf,0,sizeof(buf)); - memset((char *)key,0,sizeof(key)); + OPENSSL_cleanse((char *)buf,sizeof(buf)); + OPENSSL_cleanse((char *)key,sizeof(key)); j+=i; if (!o) { @@ -691,7 +695,7 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data, if (strncmp(buf,"-----END ",9) == 0) break; if (i > 65) break; - if (!BUF_MEM_grow(dataB,i+bl+9)) + if (!BUF_MEM_grow_clean(dataB,i+bl+9)) { PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; diff --git a/src/lib/libssl/src/crypto/pem/pem_pk8.c b/src/lib/libssl/src/crypto/pem/pem_pk8.c index f44182ffb5..db38a2a79d 100644 --- a/src/lib/libssl/src/crypto/pem/pem_pk8.c +++ b/src/lib/libssl/src/crypto/pem/pem_pk8.c @@ -136,7 +136,7 @@ static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER kstr = buf; } p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf); - if(kstr == buf) memset(buf, 0, klen); + if(kstr == buf) OPENSSL_cleanse(buf, klen); PKCS8_PRIV_KEY_INFO_free(p8inf); if(isder) ret = i2d_PKCS8_bio(bp, p8); else ret = PEM_write_bio_PKCS8(bp, p8); diff --git a/src/lib/libssl/src/crypto/pem/pem_seal.c b/src/lib/libssl/src/crypto/pem/pem_seal.c index ae463a301d..56e08abd70 100644 --- a/src/lib/libssl/src/crypto/pem/pem_seal.c +++ b/src/lib/libssl/src/crypto/pem/pem_seal.c @@ -112,7 +112,7 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type, ret=npubk; err: if (s != NULL) OPENSSL_free(s); - memset(key,0,EVP_MAX_KEY_LENGTH); + OPENSSL_cleanse(key,EVP_MAX_KEY_LENGTH); return(ret); } diff --git a/src/lib/libssl/src/crypto/perlasm/cbc.pl b/src/lib/libssl/src/crypto/perlasm/cbc.pl index 0145c4f0cc..22149c680e 100644 --- a/src/lib/libssl/src/crypto/perlasm/cbc.pl +++ b/src/lib/libssl/src/crypto/perlasm/cbc.pl @@ -146,9 +146,15 @@ sub cbc &mov($count, &wparam(2)); # length &and($count, 7); &jz(&label("finish")); + &call(&label("PIC_point")); +&set_label("PIC_point"); + &blindpop("edx"); + &lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx")); + &mov($count,&DWP(0,"ecx",$count,4)) + &add($count,"edx"); &xor("ecx","ecx"); &xor("edx","edx"); - &mov($count,&DWP(&label("cbc_enc_jmp_table"),"",$count,4)); + #&mov($count,&DWP(&label("cbc_enc_jmp_table"),"",$count,4)); &jmp_ptr($count); &set_label("ej7"); @@ -318,22 +324,23 @@ sub cbc &set_label("cbc_enc_jmp_table",1); &data_word("0"); - &data_word(&label("ej1")); - &data_word(&label("ej2")); - &data_word(&label("ej3")); - &data_word(&label("ej4")); - &data_word(&label("ej5")); - &data_word(&label("ej6")); - &data_word(&label("ej7")); - &set_label("cbc_dec_jmp_table",1); - &data_word("0"); - &data_word(&label("dj1")); - &data_word(&label("dj2")); - &data_word(&label("dj3")); - &data_word(&label("dj4")); - &data_word(&label("dj5")); - &data_word(&label("dj6")); - &data_word(&label("dj7")); + &data_word(&label("ej1")."-".&label("PIC_point")); + &data_word(&label("ej2")."-".&label("PIC_point")); + &data_word(&label("ej3")."-".&label("PIC_point")); + &data_word(&label("ej4")."-".&label("PIC_point")); + &data_word(&label("ej5")."-".&label("PIC_point")); + &data_word(&label("ej6")."-".&label("PIC_point")); + &data_word(&label("ej7")."-".&label("PIC_point")); + # not used + #&set_label("cbc_dec_jmp_table",1); + #&data_word("0"); + #&data_word(&label("dj1")."-".&label("PIC_point")); + #&data_word(&label("dj2")."-".&label("PIC_point")); + #&data_word(&label("dj3")."-".&label("PIC_point")); + #&data_word(&label("dj4")."-".&label("PIC_point")); + #&data_word(&label("dj5")."-".&label("PIC_point")); + #&data_word(&label("dj6")."-".&label("PIC_point")); + #&data_word(&label("dj7")."-".&label("PIC_point")); &function_end_B($name); diff --git a/src/lib/libssl/src/crypto/perlasm/x86asm.pl b/src/lib/libssl/src/crypto/perlasm/x86asm.pl index 9a3d85b098..1cb96e914a 100644 --- a/src/lib/libssl/src/crypto/perlasm/x86asm.pl +++ b/src/lib/libssl/src/crypto/perlasm/x86asm.pl @@ -18,9 +18,9 @@ sub main'asm_init ($type,$fn,$i386)=@_; $filename=$fn; - $cpp=$sol=$aout=$win32=$gaswin=0; + $elf=$cpp=$sol=$aout=$win32=$gaswin=0; if ( ($type eq "elf")) - { require "x86unix.pl"; } + { $elf=1; require "x86unix.pl"; } elsif ( ($type eq "a.out")) { $aout=1; require "x86unix.pl"; } elsif ( ($type eq "gaswin")) @@ -47,6 +47,9 @@ EOF exit(1); } + $pic=0; + for (@ARGV) { $pic=1 if (/\-[fK]PIC/i); } + &asm_init_output(); &comment("Don't even think of reading this code"); @@ -91,7 +94,7 @@ $tmp #undef SIZE #undef TYPE #define SIZE(a,b) -#define TYPE(a,b) +#define TYPE(a,b) .def a; .scl 2; .type 32; .endef #endif /* __CYGWIN || __DJGPP */ #endif diff --git a/src/lib/libssl/src/crypto/perlasm/x86ms.pl b/src/lib/libssl/src/crypto/perlasm/x86ms.pl index 206452341d..35f1a4ddb9 100644 --- a/src/lib/libssl/src/crypto/perlasm/x86ms.pl +++ b/src/lib/libssl/src/crypto/perlasm/x86ms.pl @@ -92,6 +92,8 @@ sub get_mem $addr="_$addr"; } + if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; } + $reg1="$regs{$reg1}" if defined($regs{$reg1}); $reg2="$regs{$reg2}" if defined($regs{$reg2}); if (($addr ne "") && ($addr ne 0)) @@ -111,6 +113,7 @@ sub get_mem { $ret.="[$reg1$post]" } + $ret =~ s/\[\]//; # in case $addr was the only argument return($ret); } @@ -151,7 +154,7 @@ sub main'push { &out1("push",@_); $stack+=4; } sub main'pop { &out1("pop",@_); $stack-=4; } sub main'bswap { &out1("bswap",@_); &using486(); } sub main'not { &out1("not",@_); } -sub main'call { &out1("call",'_'.$_[0]); } +sub main'call { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); } sub main'ret { &out0("ret"); } sub main'nop { &out0("nop"); } @@ -338,7 +341,7 @@ sub main'set_label { if (!defined($label{$_[0]})) { - $label{$_[0]}="${label}${_[0]}"; + $label{$_[0]}="\$${label}${_[0]}"; $label++; } if((defined $_[2]) && ($_[2] == 1)) @@ -363,3 +366,11 @@ sub out1p push(@out,"\t$name\t ".&conv($p1)."\n"); } + +sub main'picmeup + { + local($dst,$sym)=@_; + &main'lea($dst,&main'DWP($sym)); + } + +sub main'blindpop { &out1("pop",@_); } diff --git a/src/lib/libssl/src/crypto/perlasm/x86nasm.pl b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl index 519d8a5867..f30b7466d4 100644 --- a/src/lib/libssl/src/crypto/perlasm/x86nasm.pl +++ b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl @@ -98,6 +98,8 @@ sub get_mem $addr="_$addr"; } + if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; } + $reg1="$regs{$reg1}" if defined($regs{$reg1}); $reg2="$regs{$reg2}" if defined($regs{$reg2}); if (($addr ne "") && ($addr ne 0)) @@ -117,6 +119,7 @@ sub get_mem { $ret.="$reg1$post]" } + $ret =~ s/\+\]/]/; # in case $addr was the only argument return($ret); } @@ -160,7 +163,7 @@ sub main'push { &out1("push",@_); $stack+=4; } sub main'pop { &out1("pop",@_); $stack-=4; } sub main'bswap { &out1("bswap",@_); &using486(); } sub main'not { &out1("not",@_); } -sub main'call { &out1("call",'_'.$_[0]); } +sub main'call { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); } sub main'ret { &out0("ret"); } sub main'nop { &out0("nop"); } @@ -322,7 +325,7 @@ sub main'set_label { if (!defined($label{$_[0]})) { - $label{$_[0]}="${label}${_[0]}"; + $label{$_[0]}="\$${label}${_[0]}"; $label++; } push(@out,"$label{$_[0]}:\n"); @@ -340,3 +343,11 @@ sub out1p push(@out,"\t$name\t ".&conv($p1)."\n"); } + +sub main'picmeup + { + local($dst,$sym)=@_; + &main'lea($dst,&main'DWP($sym)); + } + +sub main'blindpop { &out1("pop",@_); } diff --git a/src/lib/libssl/src/crypto/perlasm/x86unix.pl b/src/lib/libssl/src/crypto/perlasm/x86unix.pl index 9ceabf0705..72bde061c5 100644 --- a/src/lib/libssl/src/crypto/perlasm/x86unix.pl +++ b/src/lib/libssl/src/crypto/perlasm/x86unix.pl @@ -87,12 +87,12 @@ sub main'DWP $ret.=$addr if ($addr ne "") && ($addr ne 0); if ($reg2 ne "") { - if($idx ne "") + if($idx ne "" && $idx != 0) { $ret.="($reg1,$reg2,$idx)"; } else { $ret.="($reg1,$reg2)"; } } - else + elsif ($reg1 ne "") { $ret.="($reg1)" } return($ret); } @@ -167,7 +167,7 @@ sub main'pop { &out1("popl",@_); $stack-=4; } sub main'pushf { &out0("pushf"); $stack+=4; } sub main'popf { &out0("popf"); $stack-=4; } sub main'not { &out1("notl",@_); } -sub main'call { &out1("call",$under.$_[0]); } +sub main'call { &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); } sub main'ret { &out0("ret"); } sub main'nop { &out0("nop"); } @@ -345,15 +345,15 @@ sub main'function_end popl %ebx popl %ebp ret -.${func}_end: +.L_${func}_end: EOF push(@out,$tmp); if ($main'cpp) - { push(@out,"\tSIZE($func,.${func}_end-$func)\n"); } + { push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); } elsif ($main'gaswin) { $tmp=push(@out,"\t.align 4\n"); } - else { push(@out,"\t.size\t$func,.${func}_end-$func\n"); } + else { push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); } push(@out,".ident \"$func\"\n"); $stack=0; %label=(); @@ -426,6 +426,11 @@ sub main'swtmp sub main'comment { + if ($main'elf) # GNU and SVR4 as'es use different comment delimiters, + { # so we just skip comments... + push(@out,"\n"); + return; + } foreach (@_) { if (/^\s*$/) @@ -542,3 +547,39 @@ sub popvars &main'pop("edx"); &main'popf(); } + +sub main'picmeup + { + local($dst,$sym)=@_; + if ($main'cpp) + { + local($tmp)=<<___; +#if (defined(ELF) || defined(SOL)) && defined(PIC) + .align 8 + call 1f +1: popl $regs{$dst} + addl \$_GLOBAL_OFFSET_TABLE_+[.-1b],$regs{$dst} + movl $sym\@GOT($regs{$dst}),$regs{$dst} +#else + leal $sym,$regs{$dst} +#endif +___ + push(@out,$tmp); + } + elsif ($main'pic && ($main'elf || $main'aout)) + { + push(@out,"\t.align\t8\n"); + &main'call(&main'label("PIC_me_up")); + &main'set_label("PIC_me_up"); + &main'blindpop($dst); + &main'add($dst,"\$$under"."_GLOBAL_OFFSET_TABLE_+[.-". + &main'label("PIC_me_up") . "]"); + &main'mov($dst,&main'DWP($sym."\@GOT",$dst)); + } + else + { + &main'lea($dst,&main'DWP($sym)); + } + } + +sub main'blindpop { &out1("popl",@_); } diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c index 97be6a5fb5..5e8958612b 100644 --- a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c +++ b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c @@ -118,7 +118,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen, } PBEPARAM_free(pbe); EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de); - memset(key, 0, EVP_MAX_KEY_LENGTH); - memset(iv, 0, EVP_MAX_IV_LENGTH); + OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); + OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); return 1; } diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_decr.c b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c index 394af368f4..b5684a83ba 100644 --- a/src/lib/libssl/src/crypto/pkcs12/p12_decr.c +++ b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c @@ -136,7 +136,7 @@ void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, } #endif ret = ASN1_item_d2i(NULL, &p, outlen, it); - if (zbuf) memset(out, 0, outlen); + if (zbuf) OPENSSL_cleanse(out, outlen); if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR); OPENSSL_free(out); return ret; @@ -168,7 +168,7 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *i OPENSSL_free(in); return NULL; } - if (zbuf) memset(in, 0, inlen); + if (zbuf) OPENSSL_cleanse(in, inlen); OPENSSL_free(in); return oct; } diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_key.c b/src/lib/libssl/src/crypto/pkcs12/p12_key.c index 0d39ebde8c..9196a34b4a 100644 --- a/src/lib/libssl/src/crypto/pkcs12/p12_key.c +++ b/src/lib/libssl/src/crypto/pkcs12/p12_key.c @@ -91,7 +91,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen, id, iter, n, out, md_type); if(unipass) { - memset(unipass, 0, uniplen); /* Clear password from memory */ + OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */ OPENSSL_free(unipass); } return ret; diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_npas.c b/src/lib/libssl/src/crypto/pkcs12/p12_npas.c index a549433eeb..af708a2743 100644 --- a/src/lib/libssl/src/crypto/pkcs12/p12_npas.c +++ b/src/lib/libssl/src/crypto/pkcs12/p12_npas.c @@ -107,7 +107,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) { STACK_OF(PKCS7) *asafes, *newsafes; STACK_OF(PKCS12_SAFEBAG) *bags; - int i, bagnid, pbe_nid, pbe_iter, pbe_saltlen; + int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0; PKCS7 *p7, *p7new; ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL; unsigned char mac[EVP_MAX_MD_SIZE]; diff --git a/src/lib/libssl/src/crypto/pkcs7/bio_ber.c b/src/lib/libssl/src/crypto/pkcs7/bio_ber.c index 42331f7ab0..895a91177b 100644 --- a/src/lib/libssl/src/crypto/pkcs7/bio_ber.c +++ b/src/lib/libssl/src/crypto/pkcs7/bio_ber.c @@ -145,7 +145,7 @@ static int ber_free(BIO *a) if (a == NULL) return(0); b=(BIO_BER_CTX *)a->ptr; - memset(a->ptr,0,sizeof(BIO_BER_CTX)); + OPENSSL_cleanse(a->ptr,sizeof(BIO_BER_CTX)); OPENSSL_free(a->ptr); a->ptr=NULL; a->init=0; diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c index 4a4ff340ce..0060a2ea3d 100644 --- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c +++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c @@ -241,7 +241,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj); } OPENSSL_free(tmp); - memset(key, 0, keylen); + OPENSSL_cleanse(key, keylen); if (out == NULL) out=btmp; @@ -448,7 +448,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) } EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0); - memset(tmp,0,jj); + OPENSSL_cleanse(tmp,jj); if (out == NULL) out=etmp; @@ -578,7 +578,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) /* We now have the EVP_MD_CTX, lets do the * signing. */ EVP_MD_CTX_copy_ex(&ctx_tmp,mdc); - if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey))) + if (!BUF_MEM_grow_clean(buf,EVP_PKEY_size(si->pkey))) { PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB); goto err; diff --git a/src/lib/libssl/src/crypto/rand/md_rand.c b/src/lib/libssl/src/crypto/rand/md_rand.c index a00ed70718..eeffc0df4c 100644 --- a/src/lib/libssl/src/crypto/rand/md_rand.c +++ b/src/lib/libssl/src/crypto/rand/md_rand.c @@ -177,10 +177,10 @@ RAND_METHOD *RAND_SSLeay(void) static void ssleay_rand_cleanup(void) { - memset(state,0,sizeof(state)); + OPENSSL_cleanse(state,sizeof(state)); state_num=0; state_index=0; - memset(md,0,MD_DIGEST_LENGTH); + OPENSSL_cleanse(md,MD_DIGEST_LENGTH); md_count[0]=0; md_count[1]=0; entropy=0; diff --git a/src/lib/libssl/src/crypto/rand/rand.h b/src/lib/libssl/src/crypto/rand/rand.h index 66e39991ec..606382dd21 100644 --- a/src/lib/libssl/src/crypto/rand/rand.h +++ b/src/lib/libssl/src/crypto/rand/rand.h @@ -87,7 +87,9 @@ extern int rand_predictable; int RAND_set_rand_method(const RAND_METHOD *meth); const RAND_METHOD *RAND_get_rand_method(void); +#ifndef OPENSSL_NO_ENGINE int RAND_set_rand_engine(ENGINE *engine); +#endif RAND_METHOD *RAND_SSLeay(void); void RAND_cleanup(void ); int RAND_bytes(unsigned char *buf,int num); diff --git a/src/lib/libssl/src/crypto/rand/rand_egd.c b/src/lib/libssl/src/crypto/rand/rand_egd.c index abc3ac27d5..1f168221e3 100644 --- a/src/lib/libssl/src/crypto/rand/rand_egd.c +++ b/src/lib/libssl/src/crypto/rand/rand_egd.c @@ -94,7 +94,7 @@ * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. */ -#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(__DJGPP__) +#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) { return(-1); @@ -114,7 +114,7 @@ int RAND_egd_bytes(const char *path,int bytes) #include #include #ifndef NO_SYS_UN_H -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS # include # else # include @@ -143,7 +143,7 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - if (strlen(path) > sizeof(addr.sun_path)) + if (strlen(path) >= sizeof(addr.sun_path)) return (-1); strcpy(addr.sun_path,path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); diff --git a/src/lib/libssl/src/crypto/rand/rand_lib.c b/src/lib/libssl/src/crypto/rand/rand_lib.c index 5cf5dc1188..513e338985 100644 --- a/src/lib/libssl/src/crypto/rand/rand_lib.c +++ b/src/lib/libssl/src/crypto/rand/rand_lib.c @@ -60,19 +60,25 @@ #include #include "cryptlib.h" #include +#ifndef OPENSSL_NO_ENGINE #include +#endif +#ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ static ENGINE *funct_ref =NULL; +#endif static const RAND_METHOD *default_RAND_meth = NULL; int RAND_set_rand_method(const RAND_METHOD *meth) { +#ifndef OPENSSL_NO_ENGINE if(funct_ref) { ENGINE_finish(funct_ref); funct_ref = NULL; } +#endif default_RAND_meth = meth; return 1; } @@ -81,6 +87,7 @@ const RAND_METHOD *RAND_get_rand_method(void) { if (!default_RAND_meth) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = ENGINE_get_default_RAND(); if(e) { @@ -94,11 +101,13 @@ const RAND_METHOD *RAND_get_rand_method(void) if(e) funct_ref = e; else +#endif default_RAND_meth = RAND_SSLeay(); } return default_RAND_meth; } +#ifndef OPENSSL_NO_ENGINE int RAND_set_rand_engine(ENGINE *engine) { const RAND_METHOD *tmp_meth = NULL; @@ -118,6 +127,7 @@ int RAND_set_rand_engine(ENGINE *engine) funct_ref = engine; return 1; } +#endif void RAND_cleanup(void) { diff --git a/src/lib/libssl/src/crypto/rand/rand_unix.c b/src/lib/libssl/src/crypto/rand/rand_unix.c index ec09d74603..a776e52243 100644 --- a/src/lib/libssl/src/crypto/rand/rand_unix.c +++ b/src/lib/libssl/src/crypto/rand/rand_unix.c @@ -115,7 +115,7 @@ #include #include "rand_lcl.h" -#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2)) +#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS)) #include #include @@ -215,7 +215,7 @@ int RAND_poll(void) if (n > 0) { RAND_add(tmpbuf,sizeof tmpbuf,n); - memset(tmpbuf,0,n); + OPENSSL_cleanse(tmpbuf,n); } #endif @@ -236,3 +236,10 @@ int RAND_poll(void) } #endif + +#if defined(OPENSSL_SYS_VXWORKS) +int RAND_poll(void) +{ + return 0; +} +#endif diff --git a/src/lib/libssl/src/crypto/rand/rand_win.c b/src/lib/libssl/src/crypto/rand/rand_win.c index c1b955b06f..113b58678f 100644 --- a/src/lib/libssl/src/crypto/rand/rand_win.c +++ b/src/lib/libssl/src/crypto/rand/rand_win.c @@ -125,7 +125,7 @@ * http://developer.intel.com/design/security/rng/redist_license.htm */ #define PROV_INTEL_SEC 22 -#define INTEL_DEF_PROV "Intel Hardware Cryptographic Service Provider" +#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider") static void readtimer(void); static void readscreen(void); @@ -170,7 +170,9 @@ typedef BOOL (WINAPI *THREAD32)(HANDLE, LPTHREADENTRY32); typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32); #include +#ifndef OPENSSL_SYS_WINCE #include +#endif #if 1 /* The NET API is Unicode only. It requires the use of the UNICODE * macro. When UNICODE is defined LPTSTR becomes LPWSTR. LMSTR was * was added to the Platform SDK to allow the NET API to be used in @@ -209,20 +211,32 @@ int RAND_poll(void) osverinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ; GetVersionEx( &osverinfo ) ; +#if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO + /* poll the CryptoAPI PRNG */ + /* The CryptoAPI returns sizeof(buf) bytes of randomness */ + if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) + { + if (CryptGenRandom(hProvider, sizeof(buf), buf)) + RAND_add(buf, sizeof(buf), sizeof(buf)); + CryptReleaseContext(hProvider, 0); + } +#endif + /* load functions dynamically - not available on all systems */ - advapi = LoadLibrary("ADVAPI32.DLL"); - kernel = LoadLibrary("KERNEL32.DLL"); - user = LoadLibrary("USER32.DLL"); - netapi = LoadLibrary("NETAPI32.DLL"); + advapi = LoadLibrary(TEXT("ADVAPI32.DLL")); + kernel = LoadLibrary(TEXT("KERNEL32.DLL")); + user = LoadLibrary(TEXT("USER32.DLL")); + netapi = LoadLibrary(TEXT("NETAPI32.DLL")); +#ifndef OPENSSL_SYS_WINCE #if 1 /* There was previously a problem with NETSTATGET. Currently, this * section is still experimental, but if all goes well, this conditional * will be removed */ if (netapi) { - netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet"); - netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree"); + netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet")); + netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree")); } if (netstatget && netfree) @@ -249,7 +263,9 @@ int RAND_poll(void) if (netapi) FreeLibrary(netapi); #endif /* 1 */ +#endif /* !OPENSSL_SYS_WINCE */ +#ifndef OPENSSL_SYS_WINCE /* It appears like this can cause an exception deep within ADVAPI32.DLL * at random times on Windows 2000. Reported by Jeffrey Altman. * Only use it on NT. @@ -280,30 +296,40 @@ int RAND_poll(void) bufsz += 8192; length = bufsz; - rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, "Global", + rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, TEXT("Global"), NULL, NULL, buf, &length); } if (rc == ERROR_SUCCESS) { /* For entropy count assume only least significant * byte of each DWORD is random. - */ + */ RAND_add(&length, sizeof(length), 0); RAND_add(buf, length, length / 4.0); + + /* Close the Registry Key to allow Windows to cleanup/close + * the open handle + * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened + * when the RegQueryValueEx above is done. However, if + * it is not explicitly closed, it can cause disk + * partition manipulation problems. + */ + RegCloseKey(HKEY_PERFORMANCE_DATA); } if (buf) free(buf); } #endif +#endif /* !OPENSSL_SYS_WINCE */ if (advapi) { acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi, - "CryptAcquireContextA"); + TEXT("CryptAcquireContextA")); gen = (CRYPTGENRANDOM) GetProcAddress(advapi, - "CryptGenRandom"); + TEXT("CryptGenRandom")); release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi, - "CryptReleaseContext"); + TEXT("CryptReleaseContext")); } if (acquire && gen && release) @@ -357,9 +383,9 @@ int RAND_poll(void) GETFOREGROUNDWINDOW win; GETQUEUESTATUS queue; - win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow"); - cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo"); - queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus"); + win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow")); + cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo")); + queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus")); if (win) { @@ -430,17 +456,17 @@ int RAND_poll(void) MODULEENTRY32 m; snap = (CREATETOOLHELP32SNAPSHOT) - GetProcAddress(kernel, "CreateToolhelp32Snapshot"); - heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First"); - heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next"); - heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst"); - heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext"); - process_first = (PROCESS32) GetProcAddress(kernel, "Process32First"); - process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next"); - thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First"); - thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next"); - module_first = (MODULE32) GetProcAddress(kernel, "Module32First"); - module_next = (MODULE32) GetProcAddress(kernel, "Module32Next"); + GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot")); + heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First")); + heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next")); + heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst")); + heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext")); + process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First")); + process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next")); + thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First")); + thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next")); + module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First")); + module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next")); if (snap && heap_first && heap_next && heaplist_first && heaplist_next && process_first && process_next && @@ -575,7 +601,7 @@ static void readtimer(void) DWORD w; LARGE_INTEGER l; static int have_perfc = 1; -#ifdef _MSC_VER +#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE) static int have_tsc = 1; DWORD cyclecount; @@ -628,6 +654,7 @@ static void readtimer(void) static void readscreen(void) { +#ifndef OPENSSL_SYS_WINCE HDC hScrDC; /* screen DC */ HDC hMemDC; /* memory DC */ HBITMAP hBitmap; /* handle for our bitmap */ @@ -641,7 +668,7 @@ static void readscreen(void) int n = 16; /* number of screen lines to grab at a time */ /* Create a screen DC and a memory DC compatible to screen DC */ - hScrDC = CreateDC("DISPLAY", NULL, NULL, NULL); + hScrDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL); hMemDC = CreateCompatibleDC(hScrDC); /* Get screen resolution */ @@ -688,6 +715,7 @@ static void readscreen(void) DeleteObject(hBitmap); DeleteDC(hMemDC); DeleteDC(hScrDC); +#endif /* !OPENSSL_SYS_WINCE */ } #endif diff --git a/src/lib/libssl/src/crypto/rand/randfile.c b/src/lib/libssl/src/crypto/rand/randfile.c index 982074c465..41574768ab 100644 --- a/src/lib/libssl/src/crypto/rand/randfile.c +++ b/src/lib/libssl/src/crypto/rand/randfile.c @@ -124,7 +124,7 @@ int RAND_load_file(const char *file, long bytes) } } fclose(in); - memset(buf,0,BUFSIZE); + OPENSSL_cleanse(buf,BUFSIZE); err: return(ret); } @@ -189,7 +189,7 @@ int RAND_write_file(const char *file) #endif /* OPENSSL_SYS_VMS */ fclose(out); - memset(buf,0,BUFSIZE); + OPENSSL_cleanse(buf,BUFSIZE); err: return (rand_err ? -1 : ret); } @@ -203,8 +203,9 @@ const char *RAND_file_name(char *buf, size_t size) s=getenv("RANDFILE"); if (s != NULL) { - strncpy(buf,s,size-1); - buf[size-1]='\0'; + if(strlen(s) >= size) + return NULL; + strcpy(buf,s); ret=buf; } else diff --git a/src/lib/libssl/src/crypto/rand/randtest.c b/src/lib/libssl/src/crypto/rand/randtest.c index b64de616db..701932e6ee 100644 --- a/src/lib/libssl/src/crypto/rand/randtest.c +++ b/src/lib/libssl/src/crypto/rand/randtest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + /* some FIPS 140-1 random number test */ /* some simple tests */ @@ -209,6 +211,6 @@ int main() printf("test 4 done\n"); err: err=((err)?1:0); - exit(err); + EXIT(err); return(err); } diff --git a/src/lib/libssl/src/crypto/rc2/rc2test.c b/src/lib/libssl/src/crypto/rc2/rc2test.c index d9a2a0a1cb..b67bafb49f 100644 --- a/src/lib/libssl/src/crypto/rc2/rc2test.c +++ b/src/lib/libssl/src/crypto/rc2/rc2test.c @@ -63,6 +63,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_RC2 int main(int argc, char *argv[]) { @@ -203,7 +205,7 @@ int main(int argc, char *argv[]) printf("ok\n"); #endif - exit(err); + EXIT(err); return(err); } diff --git a/src/lib/libssl/src/crypto/rc4/rc4.c b/src/lib/libssl/src/crypto/rc4/rc4.c index c2165b0b75..b39c070292 100644 --- a/src/lib/libssl/src/crypto/rc4/rc4.c +++ b/src/lib/libssl/src/crypto/rc4/rc4.c @@ -155,7 +155,7 @@ bad: i=EVP_read_pw_string(buf,BUFSIZ,"Enter RC4 password:",0); if (i != 0) { - memset(buf,0,BUFSIZ); + OPENSSL_cleanse(buf,BUFSIZ); fprintf(stderr,"bad password read\n"); exit(1); } @@ -163,7 +163,7 @@ bad: } EVP_Digest((unsigned char *)keystr,(unsigned long)strlen(keystr),md,NULL,EVP_md5()); - memset(keystr,0,strlen(keystr)); + OPENSSL_cleanse(keystr,strlen(keystr)); RC4_set_key(&key,MD5_DIGEST_LENGTH,md); for(;;) diff --git a/src/lib/libssl/src/crypto/rc4/rc4test.c b/src/lib/libssl/src/crypto/rc4/rc4test.c index a28d457c8d..b9d8f20975 100644 --- a/src/lib/libssl/src/crypto/rc4/rc4test.c +++ b/src/lib/libssl/src/crypto/rc4/rc4test.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_RC4 int main(int argc, char *argv[]) { @@ -195,7 +197,7 @@ int main(int argc, char *argv[]) } } printf("done\n"); - exit(err); + EXIT(err); return(0); } #endif diff --git a/src/lib/libssl/src/crypto/rc5/rc5s.cpp b/src/lib/libssl/src/crypto/rc5/rc5s.cpp new file mode 100644 index 0000000000..1c5518bc80 --- /dev/null +++ b/src/lib/libssl/src/crypto/rc5/rc5s.cpp @@ -0,0 +1,70 @@ +// +// gettsc.inl +// +// gives access to the Pentium's (secret) cycle counter +// +// This software was written by Leonard Janke (janke@unixg.ubc.ca) +// in 1996-7 and is entered, by him, into the public domain. + +#if defined(__WATCOMC__) +void GetTSC(unsigned long&); +#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax]; +#elif defined(__GNUC__) +inline +void GetTSC(unsigned long& tsc) +{ + asm volatile(".byte 15, 49\n\t" + : "=eax" (tsc) + : + : "%edx", "%eax"); +} +#elif defined(_MSC_VER) +inline +void GetTSC(unsigned long& tsc) +{ + unsigned long a; + __asm _emit 0fh + __asm _emit 31h + __asm mov a, eax; + tsc=a; +} +#endif + +#include +#include +#include + +void main(int argc,char *argv[]) + { + RC5_32_KEY key; + unsigned long s1,s2,e1,e2; + unsigned long data[2]; + int i,j; + static unsigned char d[16]={0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}; + + RC5_32_set_key(&key, 16,d,12); + + for (j=0; j<6; j++) + { + for (i=0; i<1000; i++) /**/ + { + RC5_32_encrypt(&data[0],&key); + GetTSC(s1); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + GetTSC(e1); + GetTSC(s2); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + RC5_32_encrypt(&data[0],&key); + GetTSC(e2); + RC5_32_encrypt(&data[0],&key); + } + + printf("cast %d %d (%d)\n", + e1-s1,e2-s2,((e2-s2)-(e1-s1))); + } + } + diff --git a/src/lib/libssl/src/crypto/ripemd/rmd160.c b/src/lib/libssl/src/crypto/ripemd/rmd160.c index 4f8b88a18a..b0ec574498 100644 --- a/src/lib/libssl/src/crypto/ripemd/rmd160.c +++ b/src/lib/libssl/src/crypto/ripemd/rmd160.c @@ -64,7 +64,7 @@ void do_fp(FILE *f); void pt(unsigned char *md); -#ifndef _OSD_POSIX +#if !defined(_OSD_POSIX) && !defined(__DJGPP__) int read(int, void *, unsigned int); #endif diff --git a/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c b/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c index a3170f7c8a..f351f00eea 100644 --- a/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c +++ b/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c @@ -90,8 +90,8 @@ int RIPEMD160_Init(RIPEMD160_CTX *c) void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num) { const RIPEMD160_LONG *XX=p; - register unsigned long A,B,C,D,E; - register unsigned long a,b,c,d,e; + register unsigned MD32_REG_T A,B,C,D,E; + register unsigned MD32_REG_T a,b,c,d,e; for (;num--;XX+=HASH_LBLOCK) { @@ -290,12 +290,12 @@ void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num) void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, int num) { const unsigned char *data=p; - register unsigned long A,B,C,D,E; - unsigned long a,b,c,d,e,l; + register unsigned MD32_REG_T A,B,C,D,E; + unsigned MD32_REG_T a,b,c,d,e,l; #ifndef MD32_XARRAY /* See comment in crypto/sha/sha_locl.h for details. */ - unsigned long XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, - XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; + unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, + XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; # define X(i) XX##i #else RIPEMD160_LONG XX[16]; diff --git a/src/lib/libssl/src/crypto/ripemd/rmd_one.c b/src/lib/libssl/src/crypto/ripemd/rmd_one.c index efdf2dd6ef..f8b580c33a 100644 --- a/src/lib/libssl/src/crypto/ripemd/rmd_one.c +++ b/src/lib/libssl/src/crypto/ripemd/rmd_one.c @@ -59,6 +59,7 @@ #include #include #include +#include unsigned char *RIPEMD160(const unsigned char *d, unsigned long n, unsigned char *md) @@ -70,7 +71,7 @@ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n, RIPEMD160_Init(&c); RIPEMD160_Update(&c,d,n); RIPEMD160_Final(md,&c); - memset(&c,0,sizeof(c)); /* security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */ return(md); } diff --git a/src/lib/libssl/src/crypto/ripemd/rmdtest.c b/src/lib/libssl/src/crypto/ripemd/rmdtest.c index be1fb8b1f6..d4c709e646 100644 --- a/src/lib/libssl/src/crypto/ripemd/rmdtest.c +++ b/src/lib/libssl/src/crypto/ripemd/rmdtest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_RIPEMD int main(int argc, char *argv[]) { @@ -127,7 +129,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/src/lib/libssl/src/crypto/rsa/rsa.h b/src/lib/libssl/src/crypto/rsa/rsa.h index 98b3bd7cc5..e26a68b482 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa.h +++ b/src/lib/libssl/src/crypto/rsa/rsa.h @@ -158,6 +158,11 @@ struct rsa_st #define RSA_FLAG_CACHE_PUBLIC 0x02 #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 +#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in + * RSA implementation now uses blinding by + * default (ignoring RSA_FLAG_BLINDING), + * but other engines might not need it + */ #define RSA_FLAG_THREAD_SAFE 0x10 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: @@ -170,11 +175,15 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x40 +#define RSA_FLAG_NO_BLINDING 0x80 + #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 #define RSA_PKCS1_OAEP_PADDING 4 +#define RSA_PKCS1_PADDING_SIZE 11 + #define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) #define RSA_get_app_data(s) RSA_get_ex_data(s,0) diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c index 0eda816081..027b4dc754 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c +++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c @@ -61,7 +61,6 @@ #include #include #include -#include #ifndef RSA_NULL @@ -187,12 +186,65 @@ err: BN_clear_free(&ret); if (buf != NULL) { - memset(buf,0,num); + OPENSSL_cleanse(buf,num); OPENSSL_free(buf); } return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa->blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ + ((rsa)->blinding == NULL) && \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + +static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) + { + BIGNUM *A, *Ai; + BN_BLINDING *ret = NULL; + + /* added in OpenSSL 0.9.6j and 0.9.7b */ + + /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); + * this should be placed in a new function of its own, but for reasons + * of binary compatibility can't */ + + BN_CTX_start(ctx); + A = BN_CTX_get(ctx); + if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) + { + /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + if (!BN_pseudo_rand_range(A,rsa->n)) goto err; + } + else + { + if (!BN_rand_range(A,rsa->n)) goto err; + } + if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; + + if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) + goto err; + ret = BN_BLINDING_new(A,Ai,rsa->n); + BN_free(Ai); +err: + BN_CTX_end(ctx); + return ret; + } + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -201,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, int i,j,k,num=0,r= -1; unsigned char *buf=NULL; BN_CTX *ctx=NULL; + int local_blinding = 0; + BN_BLINDING *blinding = NULL; BN_init(&f); BN_init(&ret); @@ -237,10 +291,39 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; + BLINDING_HELPER(rsa, ctx, goto err;); + blinding = rsa->blinding; + + /* Now unless blinding is disabled, 'blinding' is non-NULL. + * But the BN_BLINDING object may be owned by some other thread + * (we don't want to keep it constant and we don't want to use + * lots of locking to avoid race conditions, so only a single + * thread can use it; other threads have to use local blinding + * factors) */ + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) + { + if (blinding == NULL) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); + goto err; + } + } + + if (blinding != NULL) + { + if (blinding->thread_id != CRYPTO_thread_id()) + { + /* we need a local one-time blinding factor */ + + blinding = setup_blinding(rsa, ctx); + if (blinding == NULL) + goto err; + local_blinding = 1; + } + } + + if (blinding) + if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || ((rsa->p != NULL) && @@ -254,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; + if (blinding) + if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; /* put in leading 0 bytes if the number is less than the * length of the modulus */ @@ -269,9 +352,11 @@ err: if (ctx != NULL) BN_CTX_free(ctx); BN_clear_free(&ret); BN_clear_free(&f); + if (local_blinding) + BN_BLINDING_free(blinding); if (buf != NULL) { - memset(buf,0,num); + OPENSSL_cleanse(buf,num); OPENSSL_free(buf); } return(r); @@ -285,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *p; unsigned char *buf=NULL; BN_CTX *ctx=NULL; + int local_blinding = 0; + BN_BLINDING *blinding = NULL; BN_init(&f); BN_init(&ret); @@ -316,10 +403,39 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; + BLINDING_HELPER(rsa, ctx, goto err;); + blinding = rsa->blinding; + + /* Now unless blinding is disabled, 'blinding' is non-NULL. + * But the BN_BLINDING object may be owned by some other thread + * (we don't want to keep it constant and we don't want to use + * lots of locking to avoid race conditions, so only a single + * thread can use it; other threads have to use local blinding + * factors) */ + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) + { + if (blinding == NULL) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); + goto err; + } + } + + if (blinding != NULL) + { + if (blinding->thread_id != CRYPTO_thread_id()) + { + /* we need a local one-time blinding factor */ + + blinding = setup_blinding(rsa, ctx); + if (blinding == NULL) + goto err; + local_blinding = 1; + } + } + + if (blinding) + if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; /* do the decrypt */ if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || @@ -335,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; + if (blinding) + if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; p=buf; j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ @@ -370,7 +486,7 @@ err: BN_clear_free(&ret); if (buf != NULL) { - memset(buf,0,num); + OPENSSL_cleanse(buf,num); OPENSSL_free(buf); } return(r); @@ -467,7 +583,7 @@ err: BN_clear_free(&ret); if (buf != NULL) { - memset(buf,0,num); + OPENSSL_cleanse(buf,num); OPENSSL_free(buf); } return(r); diff --git a/src/lib/libssl/src/crypto/rsa/rsa_lib.c b/src/lib/libssl/src/crypto/rsa/rsa_lib.c index 93235744f7..53c5092014 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa_lib.c +++ b/src/lib/libssl/src/crypto/rsa/rsa_lib.c @@ -62,7 +62,10 @@ #include #include #include +#include +#ifndef OPENSSL_NO_ENGINE #include +#endif const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT; @@ -70,7 +73,9 @@ static const RSA_METHOD *default_RSA_meth=NULL; RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + + return r; } void RSA_set_default_method(const RSA_METHOD *meth) @@ -108,11 +113,13 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) const RSA_METHOD *mtmp; mtmp = rsa->meth; if (mtmp->finish) mtmp->finish(rsa); +#ifndef OPENSSL_NO_ENGINE if (rsa->engine) { ENGINE_finish(rsa->engine); rsa->engine = NULL; } +#endif rsa->meth = meth; if (meth->init) meth->init(rsa); return 1; @@ -130,6 +137,7 @@ RSA *RSA_new_method(ENGINE *engine) } ret->meth = RSA_get_default_method(); +#ifndef OPENSSL_NO_ENGINE if (engine) { if (!ENGINE_init(engine)) @@ -154,6 +162,7 @@ RSA *RSA_new_method(ENGINE *engine) return NULL; } } +#endif ret->pad=0; ret->version=0; @@ -175,8 +184,10 @@ RSA *RSA_new_method(ENGINE *engine) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { +#ifndef OPENSSL_NO_ENGINE if (ret->engine) ENGINE_finish(ret->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); OPENSSL_free(ret); ret=NULL; @@ -205,8 +216,10 @@ void RSA_free(RSA *r) if (r->meth->finish) r->meth->finish(r); +#ifndef OPENSSL_NO_ENGINE if (r->engine) ENGINE_finish(r->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); @@ -297,7 +310,8 @@ void RSA_blinding_off(RSA *rsa) BN_BLINDING_free(rsa->blinding); rsa->blinding=NULL; } - rsa->flags&= ~RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_BLINDING; + rsa->flags |= RSA_FLAG_NO_BLINDING; } int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) @@ -316,15 +330,32 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) if (rsa->blinding != NULL) BN_BLINDING_free(rsa->blinding); + /* NB: similar code appears in setup_blinding (rsa_eay.c); + * this should be placed in a new function of its own, but for reasons + * of binary compatibility can't */ + BN_CTX_start(ctx); A = BN_CTX_get(ctx); - if (!BN_rand_range(A,rsa->n)) goto err; + if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) + { + /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + if (!BN_pseudo_rand_range(A,rsa->n)) goto err; + } + else + { + if (!BN_rand_range(A,rsa->n)) goto err; + } if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) - goto err; - rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n); - rsa->flags|=RSA_FLAG_BLINDING; + goto err; + if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err; + /* to make things thread-safe without excessive locking, + * rsa->blinding will be used just by the current thread: */ + rsa->blinding->thread_id = CRYPTO_thread_id(); + rsa->flags |= RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_NO_BLINDING; BN_free(Ai); ret=1; err: diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c index c1edd6764f..8560755f1d 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c +++ b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c @@ -68,7 +68,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, int j; unsigned char *p; - if (flen > (tlen-11)) + if (flen > (tlen-RSA_PKCS1_PADDING_SIZE)) { RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); return(0); diff --git a/src/lib/libssl/src/crypto/rsa/rsa_saos.c b/src/lib/libssl/src/crypto/rsa/rsa_saos.c index 85adacc08f..f462716a57 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa_saos.c +++ b/src/lib/libssl/src/crypto/rsa/rsa_saos.c @@ -77,7 +77,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, i=i2d_ASN1_OCTET_STRING(&sig,NULL); j=RSA_size(rsa); - if ((i-RSA_PKCS1_PADDING) > j) + if (i > (j-RSA_PKCS1_PADDING_SIZE)) { RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); return(0); @@ -96,7 +96,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, else *siglen=i; - memset(s,0,(unsigned int)j+1); + OPENSSL_cleanse(s,(unsigned int)j+1); OPENSSL_free(s); return(ret); } @@ -139,7 +139,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, ret=1; err: if (sig != NULL) M_ASN1_OCTET_STRING_free(sig); - memset(s,0,(unsigned int)siglen); + OPENSSL_cleanse(s,(unsigned int)siglen); OPENSSL_free(s); return(ret); } diff --git a/src/lib/libssl/src/crypto/rsa/rsa_sign.c b/src/lib/libssl/src/crypto/rsa/rsa_sign.c index 2a440901de..8a1e642183 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa_sign.c +++ b/src/lib/libssl/src/crypto/rsa/rsa_sign.c @@ -62,7 +62,6 @@ #include #include #include -#include /* Size of an SSL signature: MD5+SHA1 */ #define SSL_SIG_LENGTH 36 @@ -77,10 +76,11 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, const unsigned char *s = NULL; X509_ALGOR algor; ASN1_OCTET_STRING digest; - if((rsa->flags & RSA_FLAG_SIGN_VER) - && ENGINE_get_RSA(rsa->engine)->rsa_sign) - return ENGINE_get_RSA(rsa->engine)->rsa_sign(type, - m, m_len, sigret, siglen, rsa); + if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) + { + return rsa->meth->rsa_sign(type, m, m_len, + sigret, siglen, rsa); + } /* Special case: SSL signature, just check the length */ if(type == NID_md5_sha1) { if(m_len != SSL_SIG_LENGTH) { @@ -113,7 +113,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, i=i2d_X509_SIG(&sig,NULL); } j=RSA_size(rsa); - if ((i-RSA_PKCS1_PADDING) > j) + if (i > (j-RSA_PKCS1_PADDING_SIZE)) { RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); return(0); @@ -136,7 +136,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, *siglen=i; if(type != NID_md5_sha1) { - memset(tmps,0,(unsigned int)j+1); + OPENSSL_cleanse(tmps,(unsigned int)j+1); OPENSSL_free(tmps); } return(ret); @@ -155,10 +155,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, return(0); } - if((rsa->flags & RSA_FLAG_SIGN_VER) - && ENGINE_get_RSA(rsa->engine)->rsa_verify) - return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype, - m, m_len, sigbuf, siglen, rsa); + if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) + { + return rsa->meth->rsa_verify(dtype, m, m_len, + sigbuf, siglen, rsa); + } s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen); if (s == NULL) @@ -221,7 +222,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, } err: if (sig != NULL) X509_SIG_free(sig); - memset(s,0,(unsigned int)siglen); + OPENSSL_cleanse(s,(unsigned int)siglen); OPENSSL_free(s); return(ret); } diff --git a/src/lib/libssl/src/crypto/rsa/rsa_test.c b/src/lib/libssl/src/crypto/rsa/rsa_test.c index b8b462d33b..924e9ad1f6 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa_test.c +++ b/src/lib/libssl/src/crypto/rsa/rsa_test.c @@ -16,7 +16,6 @@ int main(int argc, char *argv[]) } #else #include -#include #define SetKey \ key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \ diff --git a/src/lib/libssl/src/crypto/sha/sha1_one.c b/src/lib/libssl/src/crypto/sha/sha1_one.c index e6a24888ed..20e660c71d 100644 --- a/src/lib/libssl/src/crypto/sha/sha1_one.c +++ b/src/lib/libssl/src/crypto/sha/sha1_one.c @@ -59,6 +59,7 @@ #include #include #include +#include #ifndef OPENSSL_NO_SHA1 unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md) @@ -70,7 +71,7 @@ unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md) SHA1_Init(&c); SHA1_Update(&c,d,n); SHA1_Final(md,&c); - memset(&c,0,sizeof(c)); + OPENSSL_cleanse(&c,sizeof(c)); return(md); } #endif diff --git a/src/lib/libssl/src/crypto/sha/sha1test.c b/src/lib/libssl/src/crypto/sha/sha1test.c index 499a1cf5af..4f2e4ada2d 100644 --- a/src/lib/libssl/src/crypto/sha/sha1test.c +++ b/src/lib/libssl/src/crypto/sha/sha1test.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_SHA int main(int argc, char *argv[]) { @@ -155,7 +157,7 @@ int main(int argc, char *argv[]) } else printf("test 3 ok\n"); - exit(err); + EXIT(err); EVP_MD_CTX_cleanup(&c); return(0); } diff --git a/src/lib/libssl/src/crypto/sha/sha_locl.h b/src/lib/libssl/src/crypto/sha/sha_locl.h index 471dfb9f8f..2dd63a62a6 100644 --- a/src/lib/libssl/src/crypto/sha/sha_locl.h +++ b/src/lib/libssl/src/crypto/sha/sha_locl.h @@ -224,10 +224,10 @@ int HASH_INIT (SHA_CTX *c) void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num) { const SHA_LONG *W=d; - register unsigned long A,B,C,D,E,T; + register unsigned MD32_REG_T A,B,C,D,E,T; #ifndef MD32_XARRAY - unsigned long XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, - XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; + unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, + XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; #else SHA_LONG XX[16]; #endif @@ -349,10 +349,10 @@ void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num) void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num) { const unsigned char *data=p; - register unsigned long A,B,C,D,E,T,l; + register unsigned MD32_REG_T A,B,C,D,E,T,l; #ifndef MD32_XARRAY - unsigned long XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, - XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; + unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, + XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; #else SHA_LONG XX[16]; #endif diff --git a/src/lib/libssl/src/crypto/sha/sha_one.c b/src/lib/libssl/src/crypto/sha/sha_one.c index 5426faae4a..e61c63f3e9 100644 --- a/src/lib/libssl/src/crypto/sha/sha_one.c +++ b/src/lib/libssl/src/crypto/sha/sha_one.c @@ -59,6 +59,7 @@ #include #include #include +#include #ifndef OPENSSL_NO_SHA0 unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md) @@ -70,7 +71,7 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md) SHA_Init(&c); SHA_Update(&c,d,n); SHA_Final(md,&c); - memset(&c,0,sizeof(c)); + OPENSSL_cleanse(&c,sizeof(c)); return(md); } #endif diff --git a/src/lib/libssl/src/crypto/sha/shatest.c b/src/lib/libssl/src/crypto/sha/shatest.c index 331294a74f..5d2b1d3b1a 100644 --- a/src/lib/libssl/src/crypto/sha/shatest.c +++ b/src/lib/libssl/src/crypto/sha/shatest.c @@ -60,6 +60,8 @@ #include #include +#include "../e_os.h" + #ifdef OPENSSL_NO_SHA int main(int argc, char *argv[]) { @@ -156,7 +158,7 @@ int main(int argc, char *argv[]) else printf("test 3 ok\n"); EVP_MD_CTX_cleanup(&c); - exit(err); + EXIT(err); return(0); } diff --git a/src/lib/libssl/src/crypto/threads/mttest.c b/src/lib/libssl/src/crypto/threads/mttest.c index 7142e4edc7..54d598565d 100644 --- a/src/lib/libssl/src/crypto/threads/mttest.c +++ b/src/lib/libssl/src/crypto/threads/mttest.c @@ -86,11 +86,6 @@ #include #include -#ifdef OPENSSL_NO_FP_API -#define APPS_WIN16 -#include "../buffer/bss_file.c" -#endif - #define TEST_SERVER_CERT "../../apps/server.pem" #define TEST_CLIENT_CERT "../../apps/client.pem" diff --git a/src/lib/libssl/src/crypto/tmdiff.c b/src/lib/libssl/src/crypto/tmdiff.c index 7ebf2b202a..307523ebba 100644 --- a/src/lib/libssl/src/crypto/tmdiff.c +++ b/src/lib/libssl/src/crypto/tmdiff.c @@ -59,13 +59,16 @@ #include #include "cryptlib.h" #include +#if !defined(OPENSSL_SYS_MSDOS) +#include OPENSSL_UNISTD +#endif #ifdef TIMEB #undef OPENSSL_SYS_WIN32 #undef TIMES #endif -#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) || defined(__DECC) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_VXWORKS) +#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !(defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX_RHAPSODY) && !defined(OPENSSL_SYS_VXWORKS) # define TIMES #endif @@ -101,14 +104,19 @@ /* The following if from times(3) man page. It may need to be changed */ #ifndef HZ -# ifndef CLK_TCK -# ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ -# define HZ 100.0 -# else /* _BSD_CLK_TCK_ */ -# define HZ ((double)_BSD_CLK_TCK_) +# if defined(_SC_CLK_TCK) \ + && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000) +# define HZ ((double)sysconf(_SC_CLK_TCK)) +# else +# ifndef CLK_TCK +# ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ +# define HZ 100.0 +# else /* _BSD_CLK_TCK_ */ +# define HZ ((double)_BSD_CLK_TCK_) +# endif +# else /* CLK_TCK */ +# define HZ ((double)CLK_TCK) # endif -# else /* CLK_TCK */ -# define HZ ((double)CLK_TCK) # endif #endif @@ -121,7 +129,7 @@ typedef struct ms_tm HANDLE thread_id; FILETIME ms_win32; # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS unsigned long ticks; # else struct timeb ms_timeb; @@ -163,7 +171,7 @@ void ms_time_get(char *a) # ifdef OPENSSL_SYS_WIN32 GetThreadTimes(tm->thread_id,&tmpa,&tmpb,&tmpc,&(tm->ms_win32)); # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS tm->ticks = tickGet(); # else ftime(&tm->ms_timeb); @@ -197,7 +205,7 @@ double ms_time_diff(char *ap, char *bp) ret=((double)(lb-la))/1e7; } # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS ret = (double)(b->ticks - a->ticks) / (double)sysClkRateGet(); # else ret= (double)(b->ms_timeb.time-a->ms_timeb.time)+ @@ -222,7 +230,7 @@ int ms_time_cmp(char *ap, char *bp) d =(b->ms_win32.dwHighDateTime&0x000fffff)*10+b->ms_win32.dwLowDateTime/1e7; d-=(a->ms_win32.dwHighDateTime&0x000fffff)*10+a->ms_win32.dwLowDateTime/1e7; # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS d = (b->ticks - a->ticks); # else d= (double)(b->ms_timeb.time-a->ms_timeb.time)+ diff --git a/src/lib/libssl/src/crypto/txt_db/txt_db.c b/src/lib/libssl/src/crypto/txt_db/txt_db.c index 9b186f2da5..58b300b00b 100644 --- a/src/lib/libssl/src/crypto/txt_db/txt_db.c +++ b/src/lib/libssl/src/crypto/txt_db/txt_db.c @@ -108,7 +108,7 @@ TXT_DB *TXT_DB_read(BIO *in, int num) if (offset != 0) { size+=BUFSIZE; - if (!BUF_MEM_grow(buf,size)) goto err; + if (!BUF_MEM_grow_clean(buf,size)) goto err; } buf->data[offset]='\0'; BIO_gets(in,&(buf->data[offset]),size-offset); @@ -268,7 +268,7 @@ long TXT_DB_write(BIO *out, TXT_DB *db) if (pp[j] != NULL) l+=strlen(pp[j]); } - if (!BUF_MEM_grow(buf,(int)(l*2+nn))) goto err; + if (!BUF_MEM_grow_clean(buf,(int)(l*2+nn))) goto err; p=buf->data; for (j=0; j #include #include "ui_locl.h" +#include "cryptlib.h" IMPLEMENT_STACK_OF(UI_STRING_ST) @@ -144,7 +145,8 @@ static UI_STRING *general_allocate_prompt(UI *ui, const char *prompt, { UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,ERR_R_PASSED_NULL_PARAMETER); } - else if (result_buf == NULL) + else if ((type == UIT_PROMPT || type == UIT_VERIFY + || type == UIT_BOOLEAN) && result_buf == NULL) { UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,UI_R_NO_RESULT_BUFFER); } @@ -235,7 +237,7 @@ static int general_allocate_boolean(UI *ui, return ret; } -/* Returns the index to the place in the stack or 0 for error. Uses a +/* Returns the index to the place in the stack or -1 for error. Uses a direct reference to the prompt. */ int UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize) @@ -831,8 +833,8 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result) case UIT_PROMPT: case UIT_VERIFY: { - char number1[20]; - char number2[20]; + char number1[DECIMAL_SIZE(uis->_.string_data.result_minsize)+1]; + char number2[DECIMAL_SIZE(uis->_.string_data.result_maxsize)+1]; BIO_snprintf(number1, sizeof(number1), "%d", uis->_.string_data.result_minsize); diff --git a/src/lib/libssl/src/crypto/ui/ui_openssl.c b/src/lib/libssl/src/crypto/ui/ui_openssl.c index 2c2fbc0443..75318d48a1 100644 --- a/src/lib/libssl/src/crypto/ui/ui_openssl.c +++ b/src/lib/libssl/src/crypto/ui/ui_openssl.c @@ -159,8 +159,10 @@ #ifdef WIN_CONSOLE_BUG # include +#ifndef OPENSSL_SYS_WINCE # include #endif +#endif /* There are 5 types of terminal interface supported, @@ -191,7 +193,7 @@ # define SGTTY #endif -#if defined(OPENSSL_SYS_VSWORKS) +#if defined(OPENSSL_SYS_VXWORKS) #undef TERMIOS #undef TERMIO #undef SGTTY @@ -221,7 +223,7 @@ # define TTY_set(tty,data) ioctl(tty,TIOCSETP,data) #endif -#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) +#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_SUNOS) # include #endif @@ -241,6 +243,10 @@ struct IOSB { }; #endif +#ifdef OPENSSL_SYS_SUNOS + typedef int sig_atomic_t; +#endif + #if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(MAC_OS_GUSI_SOURCE) /* * This one needs work. As a matter of fact the code is unoperational @@ -277,10 +283,12 @@ static FILE *tty_in, *tty_out; static int is_a_tty; /* Declare static functions */ +#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE) static void read_till_nl(FILE *); static void recsig(int); static void pushsig(void); static void popsig(void); +#endif #if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16) static int noecho_fgets(char *buf, int size, FILE *tty); #endif @@ -367,6 +375,7 @@ static int read_string(UI *ui, UI_STRING *uis) } +#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE) /* Internal functions to read a string without echoing */ static void read_till_nl(FILE *in) { @@ -378,7 +387,8 @@ static void read_till_nl(FILE *in) } while (strchr(buf,'\n') == NULL); } -static sig_atomic_t intr_signal; +static volatile sig_atomic_t intr_signal; +#endif static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl) { @@ -386,9 +396,9 @@ static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl) int ok; char result[BUFSIZ]; int maxsize = BUFSIZ-1; +#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE) char *p; -#ifndef OPENSSL_SYS_WIN16 intr_signal=0; ok=0; ps=0; @@ -439,7 +449,7 @@ error: ok=1; #endif - memset(result,0,BUFSIZ); + OPENSSL_cleanse(result,BUFSIZ); return ok; } @@ -450,7 +460,7 @@ static int open_console(UI *ui) CRYPTO_w_lock(CRYPTO_LOCK_UI); is_a_tty = 1; -#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VSWORKS) +#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VXWORKS) tty_in=stdin; tty_out=stderr; #else @@ -540,7 +550,7 @@ static int echo_console(UI *ui) static int close_console(UI *ui) { - if (tty_in != stderr) fclose(tty_in); + if (tty_in != stdin) fclose(tty_in); if (tty_out != stderr) fclose(tty_out); #ifdef OPENSSL_SYS_VMS status = sys$dassgn(channel); @@ -551,6 +561,7 @@ static int close_console(UI *ui) } +#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE) /* Internal functions to handle signals and act on them */ static void pushsig(void) { @@ -614,9 +625,10 @@ static void recsig(int i) { intr_signal=i; } +#endif /* Internal functions specific for Windows */ -#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16) +#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE) static int noecho_fgets(char *buf, int size, FILE *tty) { int i; diff --git a/src/lib/libssl/src/crypto/ui/ui_util.c b/src/lib/libssl/src/crypto/ui/ui_util.c index f05573df33..46bc8c1a9a 100644 --- a/src/lib/libssl/src/crypto/ui/ui_util.c +++ b/src/lib/libssl/src/crypto/ui/ui_util.c @@ -62,7 +62,7 @@ int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify) int ret; ret=UI_UTIL_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ret); } @@ -78,12 +78,14 @@ int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify) if (ui) { ok = UI_add_input_string(ui,prompt,0,buf,0,size-1); - if (ok == 0 && verify) + if (ok >= 0 && verify) ok = UI_add_verify_string(ui,prompt,0,buff,0,size-1, buf); - if (ok == 0) + if (ok >= 0) ok=UI_process(ui); UI_free(ui); } + if (ok > 0) + ok = 0; return(ok); } diff --git a/src/lib/libssl/src/crypto/uid.c b/src/lib/libssl/src/crypto/uid.c index d3d249c36f..73205a4baa 100644 --- a/src/lib/libssl/src/crypto/uid.c +++ b/src/lib/libssl/src/crypto/uid.c @@ -65,7 +65,7 @@ int OPENSSL_issetugid(void) return issetugid(); } -#elif defined(OPENSSL_SYS_WIN32) +#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) int OPENSSL_issetugid(void) { diff --git a/src/lib/libssl/src/crypto/x509/by_file.c b/src/lib/libssl/src/crypto/x509/by_file.c index 92e00d2d73..b4b04183d0 100644 --- a/src/lib/libssl/src/crypto/x509/by_file.c +++ b/src/lib/libssl/src/crypto/x509/by_file.c @@ -100,18 +100,19 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, case X509_L_FILE_LOAD: if (argl == X509_FILETYPE_DEFAULT) { - ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(), - X509_FILETYPE_PEM) != 0); + file = (char *)Getenv(X509_get_default_cert_file_env()); + if (file) + ok = (X509_load_cert_crl_file(ctx,file, + X509_FILETYPE_PEM) != 0); + + else + ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(), + X509_FILETYPE_PEM) != 0); + if (!ok) { X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS); } - else - { - file=(char *)Getenv(X509_get_default_cert_file_env()); - ok = (X509_load_cert_crl_file(ctx,file, - X509_FILETYPE_PEM) != 0); - } } else { @@ -284,7 +285,8 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) if(itmp->x509) { X509_STORE_add_cert(ctx->store_ctx, itmp->x509); count++; - } else if(itmp->crl) { + } + if(itmp->crl) { X509_STORE_add_crl(ctx->store_ctx, itmp->crl); count++; } diff --git a/src/lib/libssl/src/crypto/x509/x509.h b/src/lib/libssl/src/crypto/x509/x509.h index 7095440d36..eaad5685a8 100644 --- a/src/lib/libssl/src/crypto/x509/x509.h +++ b/src/lib/libssl/src/crypto/x509/x509.h @@ -87,7 +87,6 @@ #ifndef OPENSSL_NO_SHA #include #endif -#include #include #include @@ -487,10 +486,12 @@ typedef struct Netscape_certificate_sequence STACK_OF(X509) *certs; } NETSCAPE_CERT_SEQUENCE; +/* Unused (and iv length is wrong) typedef struct CBCParameter_st { unsigned char iv[8]; } CBC_PARAM; +*/ /* Password based encryption structure */ diff --git a/src/lib/libssl/src/crypto/x509/x509_cmp.c b/src/lib/libssl/src/crypto/x509/x509_cmp.c index cd20b6d66f..f460102f49 100644 --- a/src/lib/libssl/src/crypto/x509/x509_cmp.c +++ b/src/lib/libssl/src/crypto/x509/x509_cmp.c @@ -57,6 +57,7 @@ */ #include +#include #include "cryptlib.h" #include #include @@ -81,13 +82,14 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) unsigned long ret=0; EVP_MD_CTX ctx; unsigned char md[16]; - char str[256]; + char *f; EVP_MD_CTX_init(&ctx); - X509_NAME_oneline(a->cert_info->issuer,str,256); - ret=strlen(str); + f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); + ret=strlen(f); EVP_DigestInit_ex(&ctx, EVP_md5(), NULL); - EVP_DigestUpdate(&ctx,(unsigned char *)str,ret); + EVP_DigestUpdate(&ctx,(unsigned char *)f,ret); + OPENSSL_free(f); EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data, (unsigned long)a->cert_info->serialNumber->length); EVP_DigestFinal_ex(&ctx,&(md[0]),NULL); @@ -159,6 +161,99 @@ int X509_cmp(const X509 *a, const X509 *b) } #endif + +/* Case insensitive string comparision */ +static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b) +{ + int i; + + if (a->length != b->length) + return (a->length - b->length); + + for (i=0; ilength; i++) + { + int ca, cb; + + ca = tolower(a->data[i]); + cb = tolower(b->data[i]); + + if (ca != cb) + return(ca-cb); + } + return 0; +} + +/* Case insensitive string comparision with space normalization + * Space normalization - ignore leading, trailing spaces, + * multiple spaces between characters are replaced by single space + */ +static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b) +{ + unsigned char *pa = NULL, *pb = NULL; + int la, lb; + + la = a->length; + lb = b->length; + pa = a->data; + pb = b->data; + + /* skip leading spaces */ + while (la > 0 && isspace(*pa)) + { + la--; + pa++; + } + while (lb > 0 && isspace(*pb)) + { + lb--; + pb++; + } + + /* skip trailing spaces */ + while (la > 0 && isspace(pa[la-1])) + la--; + while (lb > 0 && isspace(pb[lb-1])) + lb--; + + /* compare strings with space normalization */ + while (la > 0 && lb > 0) + { + int ca, cb; + + /* compare character */ + ca = tolower(*pa); + cb = tolower(*pb); + if (ca != cb) + return (ca - cb); + + pa++; pb++; + la--; lb--; + + if (la <= 0 || lb <= 0) + break; + + /* is white space next character ? */ + if (isspace(*pa) && isspace(*pb)) + { + /* skip remaining white spaces */ + while (la > 0 && isspace(*pa)) + { + la--; + pa++; + } + while (lb > 0 && isspace(*pb)) + { + lb--; + pb++; + } + } + } + if (la > 0 || lb > 0) + return la - lb; + + return 0; +} + int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { int i,j; @@ -172,10 +267,20 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { na=sk_X509_NAME_ENTRY_value(a->entries,i); nb=sk_X509_NAME_ENTRY_value(b->entries,i); - j=na->value->length-nb->value->length; + j=na->value->type-nb->value->type; if (j) return(j); - j=memcmp(na->value->data,nb->value->data, - na->value->length); + if (na->value->type == V_ASN1_PRINTABLESTRING) + j=nocase_spacenorm_cmp(na->value, nb->value); + else if (na->value->type == V_ASN1_IA5STRING + && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress) + j=nocase_cmp(na->value, nb->value); + else + { + j=na->value->length-nb->value->length; + if (j) return(j); + j=memcmp(na->value->data,nb->value->data, + na->value->length); + } if (j) return(j); j=na->set-nb->set; if (j) return(j); diff --git a/src/lib/libssl/src/crypto/x509/x509_v3.c b/src/lib/libssl/src/crypto/x509/x509_v3.c index b5f7daa2e5..67b1796a92 100644 --- a/src/lib/libssl/src/crypto/x509/x509_v3.c +++ b/src/lib/libssl/src/crypto/x509/x509_v3.c @@ -116,7 +116,7 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, { ex=sk_X509_EXTENSION_value(sk,lastpos); if ( ((ex->critical > 0) && crit) || - (!(ex->critical <= 0) && !crit)) + ((ex->critical <= 0) && !crit)) return(lastpos); } return(-1); diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c index db12f7bd35..552d1e7251 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c @@ -756,7 +756,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time) { char *str; ASN1_TIME atm; - time_t offset; + long offset; char buff1[24],buff2[24],*p; int i,j; diff --git a/src/lib/libssl/src/crypto/x509v3/ext_dat.h b/src/lib/libssl/src/crypto/x509v3/ext_dat.h index 2fb97d8925..5442480595 100644 --- a/src/lib/libssl/src/crypto/x509v3/ext_dat.h +++ b/src/lib/libssl/src/crypto/x509v3/ext_dat.h @@ -90,17 +90,23 @@ static X509V3_EXT_METHOD *standard_exts[] = { &v3_crld, &v3_ext_ku, &v3_crl_reason, +#ifndef OPENSSL_NO_OCSP &v3_crl_invdate, +#endif &v3_sxnet, &v3_info, +#ifndef OPENSSL_NO_OCSP &v3_ocsp_nonce, &v3_ocsp_crlid, &v3_ocsp_accresp, &v3_ocsp_nocheck, &v3_ocsp_acutoff, &v3_ocsp_serviceloc, +#endif &v3_sinfo, +#ifndef OPENSSL_NO_OCSP &v3_crl_hold +#endif }; /* Number of standard extensions */ diff --git a/src/lib/libssl/src/crypto/x509v3/v3_info.c b/src/lib/libssl/src/crypto/x509v3/v3_info.c index e1cf01a9b4..e269df1373 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_info.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_info.c @@ -113,7 +113,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method ret = i2v_GENERAL_NAME(method, desc->location, ret); if(!ret) break; vtmp = sk_CONF_VALUE_value(ret, i); - i2t_ASN1_OBJECT(objtmp, 80, desc->method); + i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method); ntmp = OPENSSL_malloc(strlen(objtmp) + strlen(vtmp->name) + 5); if(!ntmp) { X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS, diff --git a/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c b/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c index 083112314e..21badc13f9 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c @@ -56,6 +56,8 @@ * */ +#ifndef OPENSSL_NO_OCSP + #include #include "cryptlib.h" #include @@ -270,3 +272,4 @@ static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int err: return 0; } +#endif diff --git a/src/lib/libssl/src/crypto/x509v3/v3_prn.c b/src/lib/libssl/src/crypto/x509v3/v3_prn.c index aeaf6170fe..754808b625 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_prn.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_prn.c @@ -178,7 +178,7 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts ASN1_OBJECT *obj; X509_EXTENSION *ex; ex=sk_X509_EXTENSION_value(exts, i); - if (BIO_printf(bp,"%*s",indent, "") <= 0) return 0; + if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0; obj=X509_EXTENSION_get_object(ex); i2a_ASN1_OBJECT(bp,obj); j=X509_EXTENSION_get_critical(ex); diff --git a/src/lib/libssl/src/crypto/x509v3/v3_purp.c b/src/lib/libssl/src/crypto/x509v3/v3_purp.c index b739e4fd83..4d145f71fd 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_purp.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_purp.c @@ -378,6 +378,10 @@ static void x509v3_cache_extensions(X509 *x) case NID_time_stamp: x->ex_xkusage |= XKU_TIMESTAMP; break; + + case NID_dvcs: + x->ex_xkusage |= XKU_DVCS; + break; } } sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); diff --git a/src/lib/libssl/src/crypto/x509v3/v3_utl.c b/src/lib/libssl/src/crypto/x509v3/v3_utl.c index 283e943e46..34ac2998de 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_utl.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_utl.c @@ -491,7 +491,7 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens) i = -1; /* First supplied X509_NAME */ while((i = X509_NAME_get_index_by_NID(name, - NID_pkcs9_emailAddress, i)) > 0) { + NID_pkcs9_emailAddress, i)) >= 0) { ne = X509_NAME_get_entry(name, i); email = X509_NAME_ENTRY_get_data(ne); if(!append_ia5(&ret, email)) return NULL; diff --git a/src/lib/libssl/src/crypto/x509v3/v3conf.c b/src/lib/libssl/src/crypto/x509v3/v3conf.c index 67ee14f334..00cf5b4a5b 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3conf.c +++ b/src/lib/libssl/src/crypto/x509v3/v3conf.c @@ -118,7 +118,7 @@ int main(int argc, char **argv) printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object))); if(ext->critical) printf(",critical:\n"); else printf(":\n"); - X509V3_EXT_print_fp(stdout, ext, 0); + X509V3_EXT_print_fp(stdout, ext, 0, 0); printf("\n"); } diff --git a/src/lib/libssl/src/crypto/x509v3/x509v3.h b/src/lib/libssl/src/crypto/x509v3/x509v3.h index daecc55271..fb07a19016 100644 --- a/src/lib/libssl/src/crypto/x509v3/x509v3.h +++ b/src/lib/libssl/src/crypto/x509v3/x509v3.h @@ -352,6 +352,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO) #define XKU_SGC 0x10 #define XKU_OCSP_SIGN 0x20 #define XKU_TIMESTAMP 0x40 +#define XKU_DVCS 0x80 #define X509_PURPOSE_DYNAMIC 0x1 #define X509_PURPOSE_DYNAMIC_NAME 0x2 diff --git a/src/lib/libssl/src/demos/b64.c b/src/lib/libssl/src/demos/b64.c index 113da89baf..efdd44457d 100644 --- a/src/lib/libssl/src/demos/b64.c +++ b/src/lib/libssl/src/demos/b64.c @@ -83,7 +83,6 @@ char **argv; unsigned char *buff=NULL,*bufsize=NULL; int bsize=BSIZE,verbose=0; int ret=1,inl; - unsigned char key[24],iv[MD5_DIGEST_LENGTH]; char *str=NULL; char *hkey=NULL,*hiv=NULL; int enc=1,printkey=0,i,base64=0; @@ -92,7 +91,6 @@ char **argv; char *inf=NULL,*outf=NULL; BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL; #define PROG_NAME_SIZE 39 - char pname[PROG_NAME_SIZE+1]; apps_startup(); diff --git a/src/lib/libssl/src/demos/bio/saccept.c b/src/lib/libssl/src/demos/bio/saccept.c index 933d6699ee..40cd4daad2 100644 --- a/src/lib/libssl/src/demos/bio/saccept.c +++ b/src/lib/libssl/src/demos/bio/saccept.c @@ -45,6 +45,11 @@ char *argv[]; SSL_load_error_strings(); +#ifdef WATT32 + dbug_init(); + sock_init(); +#endif + /* Add ciphers and message digests */ OpenSSL_add_ssl_algorithms(); diff --git a/src/lib/libssl/src/demos/bio/sconnect.c b/src/lib/libssl/src/demos/bio/sconnect.c index 87b380b258..880344eb78 100644 --- a/src/lib/libssl/src/demos/bio/sconnect.c +++ b/src/lib/libssl/src/demos/bio/sconnect.c @@ -32,6 +32,11 @@ char *argv[]; else host=argv[1]; +#ifdef WATT32 + dbug_init(); + sock_init(); +#endif + /* Lets get nice error messages */ SSL_load_error_strings(); diff --git a/src/lib/libssl/src/demos/engines/cluster_labs/hw_cluster_labs.c b/src/lib/libssl/src/demos/engines/cluster_labs/hw_cluster_labs.c index 00c14f2755..036f48bafa 100644 --- a/src/lib/libssl/src/demos/engines/cluster_labs/hw_cluster_labs.c +++ b/src/lib/libssl/src/demos/engines/cluster_labs/hw_cluster_labs.c @@ -103,7 +103,7 @@ static int cluster_labs_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); /* DSA stuff */ #ifndef OPENSSL_NO_DSA -DSA_SIG *cluster_labs_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa); +static DSA_SIG *cluster_labs_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int cluster_labs_dsa_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int cluster_labs_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, @@ -245,6 +245,9 @@ static ENGINE *engine_cluster_labs(void) return ret; } +#ifdef ENGINE_DYNAMIC_SUPPORT +static +#endif void ENGINE_load_cluster_labs(void) { @@ -504,7 +507,7 @@ static int cluster_labs_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) } -DSA_SIG *cluster_labs_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa) +static DSA_SIG *cluster_labs_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa) { if(cluster_labs_dso == NULL) diff --git a/src/lib/libssl/src/demos/engines/ibmca/hw_ibmca.c b/src/lib/libssl/src/demos/engines/ibmca/hw_ibmca.c index 881b16a7cb..0c2c39b8a7 100644 --- a/src/lib/libssl/src/demos/engines/ibmca/hw_ibmca.c +++ b/src/lib/libssl/src/demos/engines/ibmca/hw_ibmca.c @@ -288,6 +288,9 @@ static ENGINE *engine_ibmca(void) return ret; } +#ifdef ENGINE_DYNAMIC_SUPPORT +static +#endif void ENGINE_load_ibmca(void) { /* Copied from eng_[openssl|dyn].c */ diff --git a/src/lib/libssl/src/demos/engines/rsaref/Makefile b/src/lib/libssl/src/demos/engines/rsaref/Makefile index 003e35df2e..63b8c79d27 100644 --- a/src/lib/libssl/src/demos/engines/rsaref/Makefile +++ b/src/lib/libssl/src/demos/engines/rsaref/Makefile @@ -34,13 +34,17 @@ update: FORCE.update perl ../../../util/mkerr.pl -conf rsaref.ec \ -nostatic -staticloader -write rsaref.c +darwin: install $(SHLIB).darwin +cygwin: install $(SHLIB).cygwin gnu: install $(SHLIB).gnu +alpha-osf1: install $(SHLIB).alpha-osf1 tru64: install $(SHLIB).tru64 solaris: install $(SHLIB).solaris irix: install $(SHLIB).irix hpux32: install $(SHLIB).hpux32 hpux64: install $(SHLIB).hpux64 aix: install $(SHLIB).aix +reliantunix: install $(SHLIB).reliantunix $(LIB): $(OBJ) $(AR) $(LIB) $(OBJ) @@ -51,6 +55,18 @@ LINK_SO= \ (nm -Pg $(LIBNAME).o | grep ' [BDT] ' | cut -f1 -d' ' > $(LIBNAME).exp; \ $$SHAREDCMD $$SHAREDFLAGS -o $(SHLIB) $(LIBNAME).o -L ../../.. -lcrypto -lc) +$(SHLIB).darwin: $(LIB) install/librsaref.a + ALLSYMSFLAGS='-all_load' \ + SHAREDFLAGS='-dynamiclib -install_name $(SHLIB)' \ + SHAREDCMD='$(CC)'; \ + $(LINK_SO) + touch $(SHLIB).darwin +$(SHLIB).cygwin: $(LIB) install/librsaref.a + ALLSYMSFLAGS='--whole-archive' \ + SHAREDFLAGS='-shared -Wl,-Bsymbolic -Wl,--out-implib,$(LIBNAME).dll.a' \ + SHAREDCMD='$(CC)'; \ + $(LINK_SO) + touch $(SHLIB).cygwin $(SHLIB).gnu: $(LIB) install/librsaref.a ALLSYMSFLAGS='--whole-archive' \ SHAREDFLAGS='-shared -Wl,-soname=$(SHLIB)' \ diff --git a/src/lib/libssl/src/demos/engines/rsaref/rsaref.c b/src/lib/libssl/src/demos/engines/rsaref/rsaref.c index f092acbf3f..872811b8f7 100644 --- a/src/lib/libssl/src/demos/engines/rsaref/rsaref.c +++ b/src/lib/libssl/src/demos/engines/rsaref/rsaref.c @@ -3,11 +3,14 @@ be found a little here and there. */ #include +#include #include "./source/global.h" #include "./source/rsaref.h" #include "./source/rsa.h" #include "./source/des.h" #include +#define OPENSSL_NO_MD2 +#define OPENSSL_NO_MD5 #include #include #include @@ -93,21 +96,21 @@ static int rsaref_digest_nids[] = /***************************************************************************** * DES functions **/ -int cipher_des_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +static int cipher_des_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); -int cipher_des_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, +static int cipher_des_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl); -int cipher_des_cbc_clean(EVP_CIPHER_CTX *); -int cipher_des_ede3_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +static int cipher_des_cbc_clean(EVP_CIPHER_CTX *); +static int cipher_des_ede3_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); -int cipher_des_ede3_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, +static int cipher_des_ede3_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl); -int cipher_des_ede3_cbc_clean(EVP_CIPHER_CTX *); -int cipher_desx_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +static int cipher_des_ede3_cbc_clean(EVP_CIPHER_CTX *); +static int cipher_desx_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); -int cipher_desx_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, +static int cipher_desx_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl); -int cipher_desx_cbc_clean(EVP_CIPHER_CTX *); +static int cipher_desx_cbc_clean(EVP_CIPHER_CTX *); /***************************************************************************** * Our DES ciphers @@ -400,7 +403,7 @@ static int rsaref_private_decrypt(int len, const unsigned char *from, unsigned c if (!RSAref_Private_eay2ref(rsa,&RSAkey)) goto err; - if ((i=RSAPrivateDecrypt(to,&outlen,(unsigned char *)from,len,&RSAkey)) != 0) + if ((i=RSAPrivateDecrypt(to,(unsigned int *)&outlen,(unsigned char *)from,len,&RSAkey)) != 0) { RSAREFerr(RSAREF_F_RSAREF_PRIVATE_DECRYPT,i); outlen= -1; @@ -423,7 +426,7 @@ static int rsaref_private_encrypt(int len, const unsigned char *from, unsigned c } if (!RSAref_Private_eay2ref(rsa,&RSAkey)) goto err; - if ((i=RSAPrivateEncrypt(to,&outlen,(unsigned char *)from,len,&RSAkey)) != 0) + if ((i=RSAPrivateEncrypt(to,(unsigned int)&outlen,(unsigned char *)from,len,&RSAkey)) != 0) { RSAREFerr(RSAREF_F_RSAREF_PRIVATE_ENCRYPT,i); outlen= -1; @@ -441,7 +444,7 @@ static int rsaref_public_decrypt(int len, const unsigned char *from, unsigned ch if (!RSAref_Public_eay2ref(rsa,&RSAkey)) goto err; - if ((i=RSAPublicDecrypt(to,&outlen,(unsigned char *)from,len,&RSAkey)) != 0) + if ((i=RSAPublicDecrypt(to,(unsigned int)&outlen,(unsigned char *)from,len,&RSAkey)) != 0) { RSAREFerr(RSAREF_F_RSAREF_PUBLIC_DECRYPT,i); outlen= -1; @@ -478,7 +481,7 @@ static int rsaref_public_encrypt(int len, const unsigned char *from, unsigned ch if (!RSAref_Public_eay2ref(rsa,&RSAkey)) goto err; - if ((i=RSAPublicEncrypt(to,&outlen,(unsigned char *)from,len,&RSAkey,&rnd)) != 0) + if ((i=RSAPublicEncrypt(to,(unsigned int)&outlen,(unsigned char *)from,len,&RSAkey,&rnd)) != 0) { RSAREFerr(RSAREF_F_RSAREF_PUBLIC_ENCRYPT,i); outlen= -1; @@ -550,13 +553,13 @@ static int rsaref_digests(ENGINE *e, const EVP_MD **digest, **/ #undef data #define data(ctx) ((DES_CBC_CTX *)(ctx)->cipher_data) -int cipher_des_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +static int cipher_des_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { DES_CBCInit(data(ctx), (unsigned char *)key, (unsigned char *)iv, enc); return 1; } -int cipher_des_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, +static int cipher_des_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { int ret = DES_CBCUpdate(data(ctx), out, (unsigned char *)in, inl); @@ -572,7 +575,7 @@ int cipher_des_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, } return !ret; } -int cipher_des_cbc_clean(EVP_CIPHER_CTX *ctx) +static int cipher_des_cbc_clean(EVP_CIPHER_CTX *ctx) { memset(data(ctx), 0, ctx->cipher->ctx_size); return 1; @@ -580,14 +583,14 @@ int cipher_des_cbc_clean(EVP_CIPHER_CTX *ctx) #undef data #define data(ctx) ((DES3_CBC_CTX *)(ctx)->cipher_data) -int cipher_des_ede3_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +static int cipher_des_ede3_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { DES3_CBCInit(data(ctx), (unsigned char *)key, (unsigned char *)iv, enc); return 1; } -int cipher_des_ede3_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, +static int cipher_des_ede3_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { int ret = DES3_CBCUpdate(data(ctx), out, (unsigned char *)in, inl); @@ -603,7 +606,7 @@ int cipher_des_ede3_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, } return !ret; } -int cipher_des_ede3_cbc_clean(EVP_CIPHER_CTX *ctx) +static int cipher_des_ede3_cbc_clean(EVP_CIPHER_CTX *ctx) { memset(data(ctx), 0, ctx->cipher->ctx_size); return 1; @@ -611,14 +614,14 @@ int cipher_des_ede3_cbc_clean(EVP_CIPHER_CTX *ctx) #undef data #define data(ctx) ((DESX_CBC_CTX *)(ctx)->cipher_data) -int cipher_desx_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +static int cipher_desx_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { DESX_CBCInit(data(ctx), (unsigned char *)key, (unsigned char *)iv, enc); return 1; } -int cipher_desx_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, +static int cipher_desx_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { int ret = DESX_CBCUpdate(data(ctx), out, (unsigned char *)in, inl); @@ -634,7 +637,7 @@ int cipher_desx_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out, } return !ret; } -int cipher_desx_cbc_clean(EVP_CIPHER_CTX *ctx) +static int cipher_desx_cbc_clean(EVP_CIPHER_CTX *ctx) { memset(data(ctx), 0, ctx->cipher->ctx_size); return 1; diff --git a/src/lib/libssl/src/demos/engines/zencod/hw_zencod.c b/src/lib/libssl/src/demos/engines/zencod/hw_zencod.c index 308e18710f..29206b4a29 100644 --- a/src/lib/libssl/src/demos/engines/zencod/hw_zencod.c +++ b/src/lib/libssl/src/demos/engines/zencod/hw_zencod.c @@ -366,7 +366,7 @@ static int bind_helper ( ENGINE *e ) /* As this is only ever called once, there's no need for locking * (indeed - the lock will already be held by our caller!!!) */ -ENGINE *ENGINE_zencod ( void ) +static ENGINE *ENGINE_zencod ( void ) { ENGINE *eng = ENGINE_new () ; @@ -383,6 +383,9 @@ ENGINE *ENGINE_zencod ( void ) } +#ifdef ENGINE_DYNAMIC_SUPPORT +static +#endif void ENGINE_load_zencod ( void ) { /* Copied from eng_[openssl|dyn].c */ diff --git a/src/lib/libssl/src/demos/spkigen.c b/src/lib/libssl/src/demos/spkigen.c index d87881197c..2cd5dfea97 100644 --- a/src/lib/libssl/src/demos/spkigen.c +++ b/src/lib/libssl/src/demos/spkigen.c @@ -65,7 +65,8 @@ char *argv[]; fprintf(stderr,"please enter challenge string:"); fflush(stderr); - fgets(buf,120,stdin); + buf[0]='\0'; + fgets(buf,sizeof buf,stdin); i=strlen(buf); if (i > 0) buf[--i]='\0'; if (!ASN1_STRING_set((ASN1_STRING *)spki->spkac->challenge, diff --git a/src/lib/libssl/src/demos/x509/mkcert.c b/src/lib/libssl/src/demos/x509/mkcert.c index 4709e18e7c..c5e67b8e28 100644 --- a/src/lib/libssl/src/demos/x509/mkcert.c +++ b/src/lib/libssl/src/demos/x509/mkcert.c @@ -9,7 +9,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days); int add_ext(X509 *cert, int nid, char *value); @@ -35,7 +37,9 @@ int main(int argc, char **argv) X509_free(x509); EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif CRYPTO_cleanup_all_ex_data(); CRYPTO_mem_leaks(bio_err); @@ -88,7 +92,7 @@ int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days) } rsa=NULL; - X509_set_version(x,3); + X509_set_version(x,2); ASN1_INTEGER_set(X509_get_serialNumber(x),serial); X509_gmtime_adj(X509_get_notBefore(x),0); X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days); diff --git a/src/lib/libssl/src/demos/x509/mkreq.c b/src/lib/libssl/src/demos/x509/mkreq.c index d69dcc392b..3dfc65f164 100644 --- a/src/lib/libssl/src/demos/x509/mkreq.c +++ b/src/lib/libssl/src/demos/x509/mkreq.c @@ -8,7 +8,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif int mkreq(X509_REQ **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days); int add_ext(STACK_OF(X509_REQUEST) *sk, int nid, char *value); @@ -33,7 +35,9 @@ int main(int argc, char **argv) X509_REQ_free(req); EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif CRYPTO_cleanup_all_ex_data(); CRYPTO_mem_leaks(bio_err); diff --git a/src/lib/libssl/src/doc/HOWTO/certificates.txt b/src/lib/libssl/src/doc/HOWTO/certificates.txt index 88048645db..d3a62545ad 100644 --- a/src/lib/libssl/src/doc/HOWTO/certificates.txt +++ b/src/lib/libssl/src/doc/HOWTO/certificates.txt @@ -1,6 +1,8 @@ HOWTO certificates +1. Introduction + How you handle certificates depend a great deal on what your role is. Your role can be one or several of: @@ -13,12 +15,14 @@ Certificate authorities should read ca.txt. In all the cases shown below, the standard configuration file, as compiled into openssl, will be used. You may find it in /etc/, -/usr/local/ssr/ or somewhere else. The name is openssl.cnf, and +/usr/local/ssl/ or somewhere else. The name is openssl.cnf, and is better described in another HOWTO . If you want to use a different configuration file, use the argument '-config {file}' with the command shown below. +2. Relationship with keys + Certificates are related to public key cryptography by containing a public key. To be useful, there must be a corresponding private key somewhere. With OpenSSL, public keys are easily derived from private @@ -26,22 +30,25 @@ keys, so before you create a certificate or a certificate request, you need to create a private key. Private keys are generated with 'openssl genrsa' if you want a RSA -private key, or 'openssl gendsa' if you want a DSA private key. More -info on how to handle these commands are found in the manual pages for -those commands or by running them with the argument '-h'. For the -sake of the description in this file, let's assume that the private -key ended up in the file privkey.pem (which is the default in some -cases). - - -Let's start with the most normal way of getting a certificate. Most -often, you want or need to get a certificate from a certificate -authority. To handle that, the certificate authority needs a -certificate request (or, as some certificate authorities like to put +private key, or 'openssl gendsa' if you want a DSA private key. +Further information on how to create private keys can be found in +another HOWTO . The rest of this text assumes you have +a private key in the file privkey.pem. + + +3. Creating a certificate request + +To create a certificate, you need to start with a certificate +request (or, as some certificate authorities like to put it, "certificate signing request", since that's exactly what they do, they sign it and give you the result back, thus making it authentic -according to their policies) from you. To generate a request, use the -command 'openssl req' like this: +according to their policies). A certificate request can then be sent +to a certificate authority to get it signed into a certificate, or if +you have your own certificate authority, you may sign it yourself, or +if you need a self-signed certificate (because you just want a test +certificate or because you are setting up your own CA). + +The certificate request is created like this: openssl req -new -key privkey.pem -out cert.csr @@ -55,9 +62,23 @@ When the certificate authority has then done the checks the need to do (and probably gotten payment from you), they will hand over your new certificate to you. +Section 5 will tell you more on how to handle the certificate you +received. + + +4. Creating a self-signed certificate + +If you don't want to deal with another certificate authority, or just +want to create a test certificate for yourself, or are setting up a +certificate authority of your own, you may want to make the requested +certificate a self-signed one. This is similar to creating a +certificate request, but creates a certificate instead of a +certificate request (1095 is 3 years): + + openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 -[fill in on how to create a self-signed certificate] +5. What to do with the certificate If you created everything yourself, or if the certificate authority was kind enough, your certificate is a raw DER thing in PEM format. diff --git a/src/lib/libssl/src/doc/HOWTO/keys.txt b/src/lib/libssl/src/doc/HOWTO/keys.txt new file mode 100644 index 0000000000..45f42eaaf1 --- /dev/null +++ b/src/lib/libssl/src/doc/HOWTO/keys.txt @@ -0,0 +1,73 @@ + + HOWTO keys + +1. Introduction + +Keys are the basis of public key algorithms and PKI. Keys usually +come in pairs, with one half being the public key and the other half +being the private key. With OpenSSL, the private key contains the +public key information as well, so a public key doesn't need to be +generated separately. + +Public keys come in several flavors, using different cryptographic +algorithms. The most popular ones associated with certificates are +RSA and DSA, and this HOWTO will show how to generate each of them. + + +2. To generate a RSA key + +A RSA key can be used both for encryption and for signing. + +Generating a key for the RSA algorithm is quite easy, all you have to +do is the following: + + openssl genrsa -des3 -out privkey.pem 2048 + +With this variant, you will be prompted for a protecting password. If +you don't want your key to be protected by a password, remove the flag +'-des3' from the command line above. + + NOTE: if you intend to use the key together with a server + certificate, it may be a good thing to avoid protecting it + with a password, since that would mean someone would have to + type in the password every time the server needs to access + the key. + +The number 2048 is the size of the key, in bits. Today, 2048 or +higher is recommended for RSA keys, as fewer amount of bits is +consider insecure or to be insecure pretty soon. + + +3. To generate a DSA key + +A DSA key can be used both for signing only. This is important to +keep in mind to know what kind of purposes a certificate request with +a DSA key can really be used for. + +Generating a key for the DSA algorithm is a two-step process. First, +you have to generate parameters from which to generate the key: + + openssl dsaparam -out dsaparam.pem 2048 + +The number 2048 is the size of the key, in bits. Today, 2048 or +higher is recommended for DSA keys, as fewer amount of bits is +consider insecure or to be insecure pretty soon. + +When that is done, you can generate a key using the parameters in +question (actually, several keys can be generated from the same +parameters): + + openssl gendsa -des3 -out privkey.pem dsaparam.pem + +With this variant, you will be prompted for a protecting password. If +you don't want your key to be protected by a password, remove the flag +'-des3' from the command line above. + + NOTE: if you intend to use the key together with a server + certificate, it may be a good thing to avoid protecting it + with a password, since that would mean someone would have to + type in the password every time the server needs to access + the key. + +-- +Richard Levitte diff --git a/src/lib/libssl/src/doc/apps/ca.pod b/src/lib/libssl/src/doc/apps/ca.pod index c2ca8f2400..de66c534b5 100644 --- a/src/lib/libssl/src/doc/apps/ca.pod +++ b/src/lib/libssl/src/doc/apps/ca.pod @@ -13,6 +13,10 @@ B B [B<-name section>] [B<-gencrl>] [B<-revoke file>] +[B<-crl_reason reason>] +[B<-crl_hold instruction>] +[B<-crl_compromise time>] +[B<-crl_CA_compromise time>] [B<-subj arg>] [B<-crldays days>] [B<-crlhours hours>] @@ -39,6 +43,7 @@ B B [B<-msie_hack>] [B<-extensions section>] [B<-extfile section>] +[B<-engine id>] =head1 DESCRIPTION @@ -74,7 +79,7 @@ a single self signed certificate to be signed by the CA. =item B<-spkac filename> a file containing a single Netscape signed public key and challenge -and additional field values to be signed by the CA. See the B +and additional field values to be signed by the CA. See the B section for information on the required format. =item B<-infiles> @@ -191,6 +196,13 @@ an additional configuration file to read certificate extensions from (using the default section unless the B<-extensions> option is also used). +=item B<-engine id> + +specifying an engine (by it's unique B string) will cause B +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 CRL OPTIONS @@ -214,6 +226,33 @@ the number of hours before the next CRL is due. a filename containing a certificate to revoke. +=item B<-crl_reason reason> + +revocation reason, where B is one of: B, B, +B, B, B, B, +B or B. The matching of B is case +insensitive. Setting any revocation reason will make the CRL v2. + +In practive B is not particularly useful because it is only used +in delta CRLs which are not currently implemented. + +=item B<-crl_hold instruction> + +This sets the CRL revocation reason code to B and the hold +instruction to B which must be an OID. Although any OID can be +used only B (the use of which is discouraged by RFC2459) +B or B will normally be used. + +=item B<-crl_compromise time> + +This sets the revocation reason to B and the compromise time to +B