From 715a204e4615e4a70a466fcb383a9a57cad5e6b8 Mon Sep 17 00:00:00 2001 From: markus <> Date: Thu, 5 Sep 2002 22:44:52 +0000 Subject: import openssl-0.9.7-beta3 --- src/lib/libcrypto/aes/aes_locl.h | 3 - src/lib/libcrypto/asn1/a_strex.c | 11 +- src/lib/libcrypto/asn1/asn1.h | 1 + src/lib/libcrypto/asn1/asn1_lib.c | 11 +- src/lib/libcrypto/asn1/n_pkey.c | 4 + src/lib/libcrypto/asn1/t_pkey.c | 88 ++++++++++----- src/lib/libcrypto/bio/b_sock.c | 4 + src/lib/libcrypto/bio/bio.h | 3 + src/lib/libcrypto/bio/bio_err.c | 1 + src/lib/libcrypto/bio/bss_file.c | 6 ++ src/lib/libcrypto/bn/bn_lib.c | 6 ++ src/lib/libcrypto/bn/bn_mul.c | 2 +- src/lib/libcrypto/conf/conf.h | 8 +- src/lib/libcrypto/conf/conf_def.c | 3 +- src/lib/libcrypto/conf/conf_lib.c | 5 +- src/lib/libcrypto/conf/conf_mod.c | 2 +- src/lib/libcrypto/cryptlib.c | 8 ++ src/lib/libcrypto/cryptlib.h | 8 ++ src/lib/libcrypto/doc/DH_get_ex_new_index.pod | 2 +- src/lib/libcrypto/doc/EVP_DigestInit.pod | 11 +- src/lib/libcrypto/doc/EVP_EncryptInit.pod | 5 + src/lib/libcrypto/doc/EVP_SignInit.pod | 4 +- src/lib/libcrypto/doc/EVP_VerifyInit.pod | 2 +- src/lib/libcrypto/doc/RSA_check_key.pod | 32 +++++- src/lib/libcrypto/doc/rsa.pod | 2 +- src/lib/libcrypto/engine/eng_cnf.c | 2 +- src/lib/libcrypto/engine/eng_dyn.c | 24 ++++- src/lib/libcrypto/engine/eng_fat.c | 2 +- src/lib/libcrypto/err/err.c | 1 + src/lib/libcrypto/err/err.h | 1 + src/lib/libcrypto/evp/c_all.c | 2 + src/lib/libcrypto/evp/evp.h | 56 ++++++++++ src/lib/libcrypto/evp/evp_pbe.c | 2 +- src/lib/libcrypto/evp/p5_crpt.c | 2 +- src/lib/libcrypto/evp/p5_crpt2.c | 2 +- src/lib/libcrypto/objects/obj_dat.c | 2 +- src/lib/libcrypto/objects/obj_mac.num | 138 ++++++++++++++++++++++++ src/lib/libcrypto/objects/objects.txt | 148 ++++++++++++++++++++++++++ src/lib/libcrypto/opensslv.h | 4 +- src/lib/libcrypto/pem/pem2.h | 2 + src/lib/libcrypto/pem/pem_pkey.c | 1 + src/lib/libcrypto/perlasm/x86asm.pl | 6 ++ src/lib/libcrypto/pkcs12/pkcs12.h | 4 +- src/lib/libcrypto/rand/rand.h | 5 + src/lib/libcrypto/rsa/rsa.h | 3 + src/lib/libcrypto/ui/ui_openssl.c | 2 +- src/lib/libcrypto/ui/ui_util.c | 7 +- src/lib/libcrypto/x509v3/ext_dat.h | 4 +- src/lib/libcrypto/x509v3/v3_info.c | 1 + src/lib/libssl/s23_clnt.c | 2 +- src/lib/libssl/s23_pkt.c | 2 +- src/lib/libssl/s23_srvr.c | 2 +- src/lib/libssl/s3_both.c | 2 +- src/lib/libssl/s3_clnt.c | 15 ++- src/lib/libssl/s3_lib.c | 8 +- src/lib/libssl/s3_pkt.c | 2 +- src/lib/libssl/s3_srvr.c | 20 +++- src/lib/libssl/ssl.h | 46 ++++++-- src/lib/libssl/ssl_asn1.c | 4 +- src/lib/libssl/ssl_ciph.c | 15 +-- src/lib/libssl/ssl_err.c | 4 +- src/lib/libssl/ssl_lib.c | 4 +- src/lib/libssl/ssl_locl.h | 15 +-- src/lib/libssl/ssl_rsa.c | 2 +- src/lib/libssl/ssl_sess.c | 2 + src/lib/libssl/t1_clnt.c | 2 +- src/lib/libssl/t1_enc.c | 27 +++-- src/lib/libssl/t1_srvr.c | 2 +- src/lib/libssl/test/tcrl | 6 +- src/lib/libssl/test/testca | 6 +- src/lib/libssl/test/testgen | 6 +- src/lib/libssl/test/tpkcs7 | 6 +- src/lib/libssl/test/tpkcs7d | 6 +- src/lib/libssl/test/treq | 6 +- src/lib/libssl/test/trsa | 6 +- src/lib/libssl/test/tsid | 6 +- src/lib/libssl/test/tx509 | 6 +- src/lib/libssl/tls1.h | 31 +++--- 78 files changed, 765 insertions(+), 149 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libcrypto/aes/aes_locl.h b/src/lib/libcrypto/aes/aes_locl.h index 541d1d6e84..18fc2d0747 100644 --- a/src/lib/libcrypto/aes/aes_locl.h +++ b/src/lib/libcrypto/aes/aes_locl.h @@ -60,10 +60,7 @@ #include #include - -#if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS) #include -#endif #ifdef _MSC_VER # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00) diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c index 128aa7e772..8dab29dca1 100644 --- a/src/lib/libcrypto/asn1/a_strex.c +++ b/src/lib/libcrypto/asn1/a_strex.c @@ -77,8 +77,8 @@ /* Three IO functions for sending data to memory, a BIO and * and a FILE pointer. */ - -int send_mem_chars(void *arg, const void *buf, int len) +#if 0 /* never used */ +static int send_mem_chars(void *arg, const void *buf, int len) { unsigned char **out = arg; if(!out) return 1; @@ -86,15 +86,16 @@ int send_mem_chars(void *arg, const void *buf, int len) *out += len; return 1; } +#endif -int send_bio_chars(void *arg, const void *buf, int len) +static int send_bio_chars(void *arg, const void *buf, int len) { if(!arg) return 1; if(BIO_write(arg, buf, len) != len) return 0; return 1; } -int send_fp_chars(void *arg, const void *buf, int len) +static int send_fp_chars(void *arg, const void *buf, int len) { if(!arg) return 1; if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0; @@ -240,7 +241,7 @@ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen * #01234 format. */ -int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str) +static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str) { /* Placing the ASN1_STRING in a temp ASN1_TYPE allows * the DER encoding to readily obtained diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h index 0d1713f8dd..dbb30f4f22 100644 --- a/src/lib/libcrypto/asn1/asn1.h +++ b/src/lib/libcrypto/asn1/asn1.h @@ -773,6 +773,7 @@ int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b); int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len); DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING) +DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING) DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING) DECLARE_ASN1_FUNCTIONS(ASN1_NULL) DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING) diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c index 830ff2af3c..422685a3b4 100644 --- a/src/lib/libcrypto/asn1/asn1_lib.c +++ b/src/lib/libcrypto/asn1/asn1_lib.c @@ -59,6 +59,7 @@ #include #include "cryptlib.h" #include +#include static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max); static void asn1_put_length(unsigned char **pp, int length); @@ -123,15 +124,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass, (int)(omax+ *pp)); #endif -#if 0 - if ((p+ *plength) > (omax+ *pp)) + if (*plength > (omax - (*pp - p))) { ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG); /* Set this so that even if things are not long enough * the values are set correctly */ ret|=0x80; } -#endif *pp=p; return(ret|inf); err: @@ -158,6 +157,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max) i= *p&0x7f; if (*(p++) & 0x80) { + if (i > sizeof(long)) + return 0; if (max-- == 0) return(0); while (i-- > 0) { @@ -169,6 +170,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max) else ret=i; } + if (ret < 0) + return 0; *pp=p; *rl=ret; return(1); @@ -406,7 +409,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b) void asn1_add_error(unsigned char *address, int offset) { - char buf1[16],buf2[16]; + char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1]; sprintf(buf1,"%lu",(unsigned long)address); sprintf(buf2,"%d",offset); diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c index 49f80fffd2..9146ee02c9 100644 --- a/src/lib/libcrypto/asn1/n_pkey.c +++ b/src/lib/libcrypto/asn1/n_pkey.c @@ -92,6 +92,8 @@ ASN1_BROKEN_SEQUENCE(NETSCAPE_ENCRYPTED_PKEY) = { ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, enckey, X509_SIG) } ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY) +DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY) +DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY,NETSCAPE_ENCRYPTED_PKEY) IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY) ASN1_SEQUENCE(NETSCAPE_PKEY) = { @@ -100,6 +102,8 @@ ASN1_SEQUENCE(NETSCAPE_PKEY) = { ASN1_SIMPLE(NETSCAPE_PKEY, private_key, ASN1_OCTET_STRING) } ASN1_SEQUENCE_END(NETSCAPE_PKEY) +DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_PKEY) +DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_PKEY,NETSCAPE_PKEY) IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_PKEY) static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os, diff --git a/src/lib/libcrypto/asn1/t_pkey.c b/src/lib/libcrypto/asn1/t_pkey.c index 8060115202..2d46914cb1 100644 --- a/src/lib/libcrypto/asn1/t_pkey.c +++ b/src/lib/libcrypto/asn1/t_pkey.c @@ -96,10 +96,34 @@ int RSA_print(BIO *bp, const RSA *x, int off) char str[128]; const char *s; unsigned char *m=NULL; - int i,ret=0; + int ret=0; + size_t buf_len=0, i; - i=RSA_size(x); - m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10); + if (x->n) + buf_len = (size_t)BN_num_bytes(x->n); + if (x->e) + if (buf_len < (i = (size_t)BN_num_bytes(x->e))) + buf_len = i; + if (x->d) + if (buf_len < (i = (size_t)BN_num_bytes(x->d))) + buf_len = i; + if (x->p) + if (buf_len < (i = (size_t)BN_num_bytes(x->p))) + buf_len = i; + if (x->q) + if (buf_len < (i = (size_t)BN_num_bytes(x->q))) + buf_len = i; + if (x->dmp1) + if (buf_len < (i = (size_t)BN_num_bytes(x->dmp1))) + buf_len = i; + if (x->dmq1) + if (buf_len < (i = (size_t)BN_num_bytes(x->dmq1))) + buf_len = i; + if (x->iqmp) + if (buf_len < (i = (size_t)BN_num_bytes(x->iqmp))) + buf_len = i; + + m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { RSAerr(RSA_F_RSA_PRINT,ERR_R_MALLOC_FAILURE); @@ -161,22 +185,25 @@ int DSA_print(BIO *bp, const DSA *x, int off) { char str[128]; unsigned char *m=NULL; - int i,ret=0; - BIGNUM *bn=NULL; + int ret=0; + size_t buf_len=0,i; - if (x->p != NULL) - bn=x->p; - else if (x->priv_key != NULL) - bn=x->priv_key; - else if (x->pub_key != NULL) - bn=x->pub_key; - - /* larger than needed but what the hell :-) */ - if (bn != NULL) - i=BN_num_bytes(bn)*2; - else - i=256; - m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10); + if (x->p) + buf_len = (size_t)BN_num_bytes(x->p); + if (x->q) + if (buf_len < (i = (size_t)BN_num_bytes(x->q))) + buf_len = i; + if (x->g) + if (buf_len < (i = (size_t)BN_num_bytes(x->g))) + buf_len = i; + if (x->priv_key) + if (buf_len < (i = (size_t)BN_num_bytes(x->priv_key))) + buf_len = i; + if (x->pub_key) + if (buf_len < (i = (size_t)BN_num_bytes(x->pub_key))) + buf_len = i; + + m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE); @@ -281,10 +308,15 @@ int DHparams_print_fp(FILE *fp, const DH *x) int DHparams_print(BIO *bp, const DH *x) { unsigned char *m=NULL; - int reason=ERR_R_BUF_LIB,i,ret=0; + int reason=ERR_R_BUF_LIB,ret=0; + size_t buf_len=0, i; - i=BN_num_bytes(x->p); - m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10); + if (x->p) + buf_len = (size_t)BN_num_bytes(x->p); + if (x->g) + if (buf_len < (i = (size_t)BN_num_bytes(x->g))) + buf_len = i; + m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { reason=ERR_R_MALLOC_FAILURE; @@ -334,10 +366,18 @@ int DSAparams_print_fp(FILE *fp, const DSA *x) int DSAparams_print(BIO *bp, const DSA *x) { unsigned char *m=NULL; - int reason=ERR_R_BUF_LIB,i,ret=0; + int reason=ERR_R_BUF_LIB,ret=0; + size_t buf_len=0,i; - i=BN_num_bytes(x->p); - m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10); + if (x->p) + buf_len = (size_t)BN_num_bytes(x->p); + if (x->q) + if (buf_len < (i = (size_t)BN_num_bytes(x->q))) + buf_len = i; + if (x->g) + if (buf_len < (i = (size_t)BN_num_bytes(x->g))) + buf_len = i; + m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { reason=ERR_R_MALLOC_FAILURE; diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c index dcaef68ea7..45bd7c47e8 100644 --- a/src/lib/libcrypto/bio/b_sock.c +++ b/src/lib/libcrypto/bio/b_sock.c @@ -484,7 +484,11 @@ int BIO_socket_ioctl(int fd, long type, unsigned long *arg) { int i; +#ifdef __DJGPP__ + i=ioctlsocket(fd,type,(char *)arg); +#else i=ioctlsocket(fd,type,arg); +#endif /* __DJGPP__ */ if (i < 0) SYSerr(SYS_F_IOCTLSOCKET,get_last_socket_error()); return(i); diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h index b122c7069d..c5caf253c9 100644 --- a/src/lib/libcrypto/bio/bio.h +++ b/src/lib/libcrypto/bio/bio.h @@ -554,7 +554,9 @@ BIO_METHOD *BIO_s_socket(void); BIO_METHOD *BIO_s_connect(void); BIO_METHOD *BIO_s_accept(void); BIO_METHOD *BIO_s_fd(void); +#ifndef OPENSSL_SYS_OS2 BIO_METHOD *BIO_s_log(void); +#endif BIO_METHOD *BIO_s_bio(void); BIO_METHOD *BIO_s_null(void); BIO_METHOD *BIO_f_null(void); @@ -647,6 +649,7 @@ void ERR_load_BIO_strings(void); #define BIO_F_CONN_CTRL 127 #define BIO_F_CONN_STATE 115 #define BIO_F_FILE_CTRL 116 +#define BIO_F_FILE_READ 130 #define BIO_F_LINEBUFFER_CTRL 129 #define BIO_F_MEM_READ 128 #define BIO_F_MEM_WRITE 117 diff --git a/src/lib/libcrypto/bio/bio_err.c b/src/lib/libcrypto/bio/bio_err.c index 99ca3cd0da..68a119d895 100644 --- a/src/lib/libcrypto/bio/bio_err.c +++ b/src/lib/libcrypto/bio/bio_err.c @@ -91,6 +91,7 @@ static ERR_STRING_DATA BIO_str_functs[]= {ERR_PACK(0,BIO_F_CONN_CTRL,0), "CONN_CTRL"}, {ERR_PACK(0,BIO_F_CONN_STATE,0), "CONN_STATE"}, {ERR_PACK(0,BIO_F_FILE_CTRL,0), "FILE_CTRL"}, +{ERR_PACK(0,BIO_F_FILE_READ,0), "FILE_READ"}, {ERR_PACK(0,BIO_F_LINEBUFFER_CTRL,0), "LINEBUFFER_CTRL"}, {ERR_PACK(0,BIO_F_MEM_READ,0), "MEM_READ"}, {ERR_PACK(0,BIO_F_MEM_WRITE,0), "MEM_WRITE"}, diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c index 8b3ff278d9..826b361fa2 100644 --- a/src/lib/libcrypto/bio/bss_file.c +++ b/src/lib/libcrypto/bio/bss_file.c @@ -162,6 +162,12 @@ static int MS_CALLBACK file_read(BIO *b, char *out, int outl) if (b->init && (out != NULL)) { ret=fread(out,1,(int)outl,(FILE *)b->ptr); + if(ret == 0 && ferror((FILE *)b->ptr)) + { + SYSerr(SYS_F_FREAD,get_last_sys_error()); + BIOerr(BIO_F_FILE_READ,ERR_R_SYS_LIB); + ret=-1; + } } return(ret); } diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c index a016cb7f53..8abe095af2 100644 --- a/src/lib/libcrypto/bn/bn_lib.c +++ b/src/lib/libcrypto/bn/bn_lib.c @@ -397,6 +397,12 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words) { BIGNUM *r = NULL; + /* This function does not work if + * words <= b->dmax && top < words + * because BN_dup() does not preserve 'dmax'! + * (But bn_dup_expand() is not used anywhere yet.) + */ + if (words > b->dmax) { BN_ULONG *a = bn_expand_internal(b, words); diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c index fd598b8b3d..b03458d002 100644 --- a/src/lib/libcrypto/bn/bn_mul.c +++ b/src/lib/libcrypto/bn/bn_mul.c @@ -66,7 +66,7 @@ #include "cryptlib.h" #include "bn_lcl.h" -#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__))/* Assembler implementation exists only for x86 */ +#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__)) || defined(__DJGPP__) /* Assembler implementation exists only for x86 */ /* Here follows specialised variants of bn_add_words() and bn_sub_words(). They have the property performing operations on arrays of different sizes. The sizes of those arrays is expressed through diff --git a/src/lib/libcrypto/conf/conf.h b/src/lib/libcrypto/conf/conf.h index 3c03fb19c0..f4671442ab 100644 --- a/src/lib/libcrypto/conf/conf.h +++ b/src/lib/libcrypto/conf/conf.h @@ -129,6 +129,7 @@ int CONF_dump_fp(LHASH *conf, FILE *out); int CONF_dump_bio(LHASH *conf, BIO *out); void OPENSSL_config(const char *config_name); +void OPENSSL_no_config(void); /* New conf code. The semantics are different from the functions above. If that wasn't the case, the above functions would have been replaced */ @@ -141,10 +142,10 @@ struct conf_st }; CONF *NCONF_new(CONF_METHOD *meth); -CONF_METHOD *NCONF_default(); -CONF_METHOD *NCONF_WIN32(); +CONF_METHOD *NCONF_default(void); +CONF_METHOD *NCONF_WIN32(void); #if 0 /* Just to give you an idea of what I have in mind */ -CONF_METHOD *NCONF_XML(); +CONF_METHOD *NCONF_XML(void); #endif void NCONF_free(CONF *conf); void NCONF_free_data(CONF *conf); @@ -176,6 +177,7 @@ int CONF_modules_load_file(const char *filename, const char *appname, unsigned long flags); void CONF_modules_unload(int all); void CONF_modules_finish(void); +void CONF_modules_free(void); int CONF_module_add(const char *name, conf_init_func *ifunc, conf_finish_func *ffunc); diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c index 31f2766246..5e194de60e 100644 --- a/src/lib/libcrypto/conf/conf_def.c +++ b/src/lib/libcrypto/conf/conf_def.c @@ -67,6 +67,7 @@ #include "conf_def.h" #include #include +#include "cryptlib.h" static char *eat_ws(CONF *conf, char *p); static char *eat_alpha_numeric(CONF *conf, char *p); @@ -208,12 +209,12 @@ static int def_load(CONF *conf, const char *name, long *line) static int def_load_bio(CONF *conf, BIO *in, long *line) { #define BUFSIZE 512 - char btmp[16]; int bufnum=0,i,ii; BUF_MEM *buff=NULL; char *s,*p,*end; int again,n; long eline=0; + char btmp[DECIMAL_SIZE(eline)+1]; CONF_VALUE *v=NULL,*tv; CONF_VALUE *sv=NULL; char *section=NULL,*buf; diff --git a/src/lib/libcrypto/conf/conf_lib.c b/src/lib/libcrypto/conf/conf_lib.c index 7998f34c7b..6a3cf109dd 100644 --- a/src/lib/libcrypto/conf/conf_lib.c +++ b/src/lib/libcrypto/conf/conf_lib.c @@ -382,8 +382,9 @@ int NCONF_dump_bio(const CONF *conf, BIO *out) return conf->meth->dump(conf, out); } + /* This function should be avoided */ -#undef NCONF_get_number +#if 0 long NCONF_get_number(CONF *conf,char *group,char *name) { int status; @@ -397,4 +398,4 @@ long NCONF_get_number(CONF *conf,char *group,char *name) } return ret; } - +#endif diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c index f92babc2e2..edcc08921c 100644 --- a/src/lib/libcrypto/conf/conf_mod.c +++ b/src/lib/libcrypto/conf/conf_mod.c @@ -230,7 +230,7 @@ static int module_run(const CONF *cnf, char *name, char *value, { if (!(flags & CONF_MFLAGS_SILENT)) { - char rcode[10]; + char rcode[DECIMAL_SIZE(ret)+1]; CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR); sprintf(rcode, "%-8d", ret); ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode); diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c index 612b3b93b4..d301b376f7 100644 --- a/src/lib/libcrypto/cryptlib.c +++ b/src/lib/libcrypto/cryptlib.c @@ -492,3 +492,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, #endif #endif + +void OpenSSLDie(const char *file,int line,const char *assertion) + { + fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n", + file,line,assertion); + abort(); + } + diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h index a0489e57fc..985a6d377c 100644 --- a/src/lib/libcrypto/cryptlib.h +++ b/src/lib/libcrypto/cryptlib.h @@ -89,6 +89,14 @@ extern "C" { #define X509_CERT_DIR_EVP "SSL_CERT_DIR" #define X509_CERT_FILE_EVP "SSL_CERT_FILE" +/* size of string represenations */ +#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1) +#define HEX_SIZE(type) ((sizeof(type)*2) + +/* die if we have to */ +void OpenSSLDie(const char *file,int line,const char *assertion); +#define die(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e)) + #ifdef __cplusplus } #endif diff --git a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod index 82e2548bcd..fa5eab2650 100644 --- a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod +++ b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod @@ -26,7 +26,7 @@ as described in L. =head1 SEE ALSO -L, L +L, L =head1 HISTORY diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod index b3a61f1c5d..5901c39526 100644 --- a/src/lib/libcrypto/doc/EVP_DigestInit.pod +++ b/src/lib/libcrypto/doc/EVP_DigestInit.pod @@ -238,14 +238,19 @@ even though they are identical digests. L, L, L, L, L, L, -L, L +L, L =head1 HISTORY EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are available in all versions of SSLeay and OpenSSL. -EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex() -were added in OpenSSL 0.9.7. +EVP_MD_CTX_init(), EVP_MD_CTX_create(), EVP_MD_CTX_copy_ex(), +EVP_MD_CTX_cleanup(), EVP_MD_CTX_destroy(), EVP_DigestInit_ex() +and EVP_DigestFinal_ex() were added in OpenSSL 0.9.7. + +EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), +EVP_dss(), EVP_dss1(), EVP_mdc2() and EVP_ripemd160() were +changed to return truely const EVP_MD * in OpenSSL 0.9.7. =cut diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod index 371b6a2287..75cceb1ca2 100644 --- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod +++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod @@ -501,4 +501,9 @@ L =head1 HISTORY +EVP_CIPHER_CTX_init(), EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(), +EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(), +EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in +OpenSSL 0.9.7. + =cut diff --git a/src/lib/libcrypto/doc/EVP_SignInit.pod b/src/lib/libcrypto/doc/EVP_SignInit.pod index 32e9d54809..b203c3a1c5 100644 --- a/src/lib/libcrypto/doc/EVP_SignInit.pod +++ b/src/lib/libcrypto/doc/EVP_SignInit.pod @@ -84,13 +84,13 @@ L, L, L, L, L, L, L, L, L, -L, L +L, L =head1 HISTORY EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal() are available in all versions of SSLeay and OpenSSL. -EVP_SignInit_ex() was added in OpenSSL 0.9.7 +EVP_SignInit_ex() was added in OpenSSL 0.9.7. =cut diff --git a/src/lib/libcrypto/doc/EVP_VerifyInit.pod b/src/lib/libcrypto/doc/EVP_VerifyInit.pod index 80c656fde8..b6afaedee5 100644 --- a/src/lib/libcrypto/doc/EVP_VerifyInit.pod +++ b/src/lib/libcrypto/doc/EVP_VerifyInit.pod @@ -74,7 +74,7 @@ L, L, L, L, L, L, L, L, L, -L, L +L, L =head1 HISTORY diff --git a/src/lib/libcrypto/doc/RSA_check_key.pod b/src/lib/libcrypto/doc/RSA_check_key.pod index 79fed753ad..3d824a07f5 100644 --- a/src/lib/libcrypto/doc/RSA_check_key.pod +++ b/src/lib/libcrypto/doc/RSA_check_key.pod @@ -18,7 +18,9 @@ in fact prime, and that B. It also checks that B, and that B, B and B are set correctly or are B. -The key's public components may not be B. +As such, this function can not be used with any arbitrary RSA key object, +even if it is otherwise fit for regular RSA operation. See B for more +information. =head1 RETURN VALUE @@ -28,12 +30,38 @@ RSA_check_key() returns 1 if B is a valid RSA key, and 0 otherwise. If the key is invalid or an error occurred, the reason code can be obtained using L. +=head1 NOTES + +This function does not work on RSA public keys that have only the modulus +and public exponent elements populated. It performs integrity checks on all +the RSA key material, so the RSA key structure must contain all the private +key data too. + +Unlike most other RSA functions, this function does B work +transparently with any underlying ENGINE implementation because it uses the +key data in the RSA structure directly. An ENGINE implementation can +override the way key data is stored and handled, and can even provide +support for HSM keys - in which case the RSA structure may contain B +key data at all! If the ENGINE in question is only being used for +acceleration or analysis purposes, then in all likelihood the RSA key data +is complete and untouched, but this can't be assumed in the general case. + +=head1 BUGS + +A method of verifying the RSA key using opaque RSA API functions might need +to be considered. Right now RSA_check_key() simply uses the RSA structure +elements directly, bypassing the RSA_METHOD table altogether (and +completely violating encapsulation and object-orientation in the process). +The best fix will probably be to introduce a "check_key()" handler to the +RSA_METHOD function table so that alternative implementations can also +provide their own verifiers. + =head1 SEE ALSO L, L =head1 HISTORY -RSA_check() appeared in OpenSSL 0.9.4. +RSA_check_key() appeared in OpenSSL 0.9.4. =cut diff --git a/src/lib/libcrypto/doc/rsa.pod b/src/lib/libcrypto/doc/rsa.pod index 09ad30cab1..2b93a12b65 100644 --- a/src/lib/libcrypto/doc/rsa.pod +++ b/src/lib/libcrypto/doc/rsa.pod @@ -110,7 +110,7 @@ L, L, L, L, L, -L, +L, L =cut diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c index 8c0ae8a1ad..cdf670901a 100644 --- a/src/lib/libcrypto/engine/eng_cnf.c +++ b/src/lib/libcrypto/engine/eng_cnf.c @@ -92,7 +92,7 @@ static int int_engine_init(ENGINE *e) } -int int_engine_configure(char *name, char *value, const CONF *cnf) +static int int_engine_configure(char *name, char *value, const CONF *cnf) { int i; int ret = 0; diff --git a/src/lib/libcrypto/engine/eng_dyn.c b/src/lib/libcrypto/engine/eng_dyn.c index 4fefcc0cae..4139a16e76 100644 --- a/src/lib/libcrypto/engine/eng_dyn.c +++ b/src/lib/libcrypto/engine/eng_dyn.c @@ -157,6 +157,10 @@ static void dynamic_data_ctx_free_func(void *parent, void *ptr, dynamic_data_ctx *ctx = (dynamic_data_ctx *)ptr; if(ctx->dynamic_dso) DSO_free(ctx->dynamic_dso); + if(ctx->DYNAMIC_LIBNAME) + OPENSSL_free((void*)ctx->DYNAMIC_LIBNAME); + if(ctx->engine_id) + OPENSSL_free((void*)ctx->engine_id); OPENSSL_free(ctx); } } @@ -169,7 +173,7 @@ static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx) { dynamic_data_ctx *c; c = OPENSSL_malloc(sizeof(dynamic_data_ctx)); - if(!ctx) + if(!c) { ENGINEerr(ENGINE_F_SET_DATA_CTX,ERR_R_MALLOC_FAILURE); return 0; @@ -310,8 +314,13 @@ static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) /* a NULL 'p' or a string of zero-length is the same thing */ if(p && (strlen((const char *)p) < 1)) p = NULL; - ctx->DYNAMIC_LIBNAME = (const char *)p; - return 1; + if(ctx->DYNAMIC_LIBNAME) + OPENSSL_free((void*)ctx->DYNAMIC_LIBNAME); + if(p) + ctx->DYNAMIC_LIBNAME = BUF_strdup(p); + else + ctx->DYNAMIC_LIBNAME = NULL; + return (ctx->DYNAMIC_LIBNAME ? 1 : 0); case DYNAMIC_CMD_NO_VCHECK: ctx->no_vcheck = ((i == 0) ? 0 : 1); return 1; @@ -319,8 +328,13 @@ static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) /* a NULL 'p' or a string of zero-length is the same thing */ if(p && (strlen((const char *)p) < 1)) p = NULL; - ctx->engine_id = (const char *)p; - return 1; + if(ctx->engine_id) + OPENSSL_free((void*)ctx->engine_id); + if(p) + ctx->engine_id = BUF_strdup(p); + else + ctx->engine_id = NULL; + return (ctx->engine_id ? 1 : 0); case DYNAMIC_CMD_LIST_ADD: if((i < 0) || (i > 2)) { diff --git a/src/lib/libcrypto/engine/eng_fat.c b/src/lib/libcrypto/engine/eng_fat.c index d49aa7ed40..f7edb5ad32 100644 --- a/src/lib/libcrypto/engine/eng_fat.c +++ b/src/lib/libcrypto/engine/eng_fat.c @@ -84,7 +84,7 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags) /* Set default algorithms using a string */ -int int_def_cb(const char *alg, int len, void *arg) +static int int_def_cb(const char *alg, int len, void *arg) { unsigned int *pflags = arg; if (!strncmp(alg, "ALL", len)) diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c index 04773d65a6..5abe44e6d5 100644 --- a/src/lib/libcrypto/err/err.c +++ b/src/lib/libcrypto/err/err.c @@ -166,6 +166,7 @@ static ERR_STRING_DATA ERR_str_functs[]= {ERR_PACK(0,SYS_F_WSASTARTUP,0), "WSAstartup"}, #endif {ERR_PACK(0,SYS_F_OPENDIR,0), "opendir"}, + {ERR_PACK(0,SYS_F_FREAD,0), "fread"}, {0,NULL}, }; diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h index cc9bb649ea..988ef81aa0 100644 --- a/src/lib/libcrypto/err/err.h +++ b/src/lib/libcrypto/err/err.h @@ -182,6 +182,7 @@ typedef struct err_state_st #define SYS_F_ACCEPT 8 #define SYS_F_WSASTARTUP 9 /* Winsock stuff */ #define SYS_F_OPENDIR 10 +#define SYS_F_FREAD 11 /* reasons */ diff --git a/src/lib/libcrypto/evp/c_all.c b/src/lib/libcrypto/evp/c_all.c index 5ffd352ea0..2d3e57c4fa 100644 --- a/src/lib/libcrypto/evp/c_all.c +++ b/src/lib/libcrypto/evp/c_all.c @@ -60,12 +60,14 @@ #include "cryptlib.h" #include +#if 0 #undef OpenSSL_add_all_algorithms void OpenSSL_add_all_algorithms(void) { OPENSSL_add_all_algorithms_noconf(); } +#endif void OPENSSL_add_all_algorithms_noconf(void) { diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h index fb16de6852..45a25f968d 100644 --- a/src/lib/libcrypto/evp/evp.h +++ b/src/lib/libcrypto/evp/evp.h @@ -74,6 +74,48 @@ #ifndef OPENSSL_NO_BIO #include #endif +#ifndef OPENSSL_NO_MD2 +#include +#endif +#ifndef OPENSSL_NO_MD4 +#include +#endif +#ifndef OPENSSL_NO_MD5 +#include +#endif +#ifndef OPENSSL_NO_SHA +#include +#endif +#ifndef OPENSSL_NO_RIPEMD +#include +#endif +#ifndef OPENSSL_NO_DES +#include +#endif +#ifndef OPENSSL_NO_RC4 +#include +#endif +#ifndef OPENSSL_NO_RC2 +#include +#endif +#ifndef OPENSSL_NO_RC5 +#include +#endif +#ifndef OPENSSL_NO_BF +#include +#endif +#ifndef OPENSSL_NO_CAST +#include +#endif +#ifndef OPENSSL_NO_IDEA +#include +#endif +#ifndef OPENSSL_NO_MDC2 +#include +#endif +#ifndef OPENSSL_NO_AES +#include +#endif /* #define EVP_RC2_KEY_SIZE 16 @@ -91,6 +133,18 @@ /* Default PKCS#5 iteration count */ #define PKCS5_DEFAULT_ITER 2048 +#ifndef OPENSSL_NO_RSA +#include +#endif + +#ifndef OPENSSL_NO_DSA +#include +#endif + +#ifndef OPENSSL_NO_DH +#include +#endif + #include #define EVP_PK_RSA 0x0001 @@ -582,6 +636,8 @@ const EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */ const EVP_CIPHER *EVP_des_ecb(void); const EVP_CIPHER *EVP_des_ede(void); const EVP_CIPHER *EVP_des_ede3(void); +const EVP_CIPHER *EVP_des_ede_ecb(void); +const EVP_CIPHER *EVP_des_ede3_ecb(void); const EVP_CIPHER *EVP_des_cfb(void); const EVP_CIPHER *EVP_des_ede_cfb(void); const EVP_CIPHER *EVP_des_ede3_cfb(void); diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c index 06afb9d152..bcd4d29f85 100644 --- a/src/lib/libcrypto/evp/evp_pbe.c +++ b/src/lib/libcrypto/evp/evp_pbe.c @@ -57,9 +57,9 @@ */ #include +#include "cryptlib.h" #include #include -#include "cryptlib.h" /* Password based encryption (PBE) functions */ diff --git a/src/lib/libcrypto/evp/p5_crpt.c b/src/lib/libcrypto/evp/p5_crpt.c index 113c60fedb..27a8286489 100644 --- a/src/lib/libcrypto/evp/p5_crpt.c +++ b/src/lib/libcrypto/evp/p5_crpt.c @@ -58,9 +58,9 @@ #include #include +#include "cryptlib.h" #include #include -#include "cryptlib.h" /* PKCS#5 v1.5 compatible PBE functions: see PKCS#5 v2.0 for more info. */ diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c index 7881860b53..7485d6a278 100644 --- a/src/lib/libcrypto/evp/p5_crpt2.c +++ b/src/lib/libcrypto/evp/p5_crpt2.c @@ -58,10 +58,10 @@ #if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA) #include #include +#include "cryptlib.h" #include #include #include -#include "cryptlib.h" /* set this to print out info about the keygen algorithm */ /* #define DEBUG_PKCS5V2 */ diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c index 3ff64bb8d1..02c3719f04 100644 --- a/src/lib/libcrypto/objects/obj_dat.c +++ b/src/lib/libcrypto/objects/obj_dat.c @@ -436,7 +436,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) unsigned long l; unsigned char *p; const char *s; - char tbuf[32]; + char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; if (buf_len <= 0) return(0); diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num index 02b39062fe..1486199661 100644 --- a/src/lib/libcrypto/objects/obj_mac.num +++ b/src/lib/libcrypto/objects/obj_mac.num @@ -507,3 +507,141 @@ mime_mhs_bodies 506 id_hex_partial_message 507 id_hex_multipart_message 508 generationQualifier 509 +pseudonym 510 +InternationalRA 511 +id_set 512 +set_ctype 513 +set_msgExt 514 +set_attr 515 +set_policy 516 +set_certExt 517 +set_brand 518 +setct_PANData 519 +setct_PANToken 520 +setct_PANOnly 521 +setct_OIData 522 +setct_PI 523 +setct_PIData 524 +setct_PIDataUnsigned 525 +setct_HODInput 526 +setct_AuthResBaggage 527 +setct_AuthRevReqBaggage 528 +setct_AuthRevResBaggage 529 +setct_CapTokenSeq 530 +setct_PInitResData 531 +setct_PI_TBS 532 +setct_PResData 533 +setct_AuthReqTBS 534 +setct_AuthResTBS 535 +setct_AuthResTBSX 536 +setct_AuthTokenTBS 537 +setct_CapTokenData 538 +setct_CapTokenTBS 539 +setct_AcqCardCodeMsg 540 +setct_AuthRevReqTBS 541 +setct_AuthRevResData 542 +setct_AuthRevResTBS 543 +setct_CapReqTBS 544 +setct_CapReqTBSX 545 +setct_CapResData 546 +setct_CapRevReqTBS 547 +setct_CapRevReqTBSX 548 +setct_CapRevResData 549 +setct_CredReqTBS 550 +setct_CredReqTBSX 551 +setct_CredResData 552 +setct_CredRevReqTBS 553 +setct_CredRevReqTBSX 554 +setct_CredRevResData 555 +setct_PCertReqData 556 +setct_PCertResTBS 557 +setct_BatchAdminReqData 558 +setct_BatchAdminResData 559 +setct_CardCInitResTBS 560 +setct_MeAqCInitResTBS 561 +setct_RegFormResTBS 562 +setct_CertReqData 563 +setct_CertReqTBS 564 +setct_CertResData 565 +setct_CertInqReqTBS 566 +setct_ErrorTBS 567 +setct_PIDualSignedTBE 568 +setct_PIUnsignedTBE 569 +setct_AuthReqTBE 570 +setct_AuthResTBE 571 +setct_AuthResTBEX 572 +setct_AuthTokenTBE 573 +setct_CapTokenTBE 574 +setct_CapTokenTBEX 575 +setct_AcqCardCodeMsgTBE 576 +setct_AuthRevReqTBE 577 +setct_AuthRevResTBE 578 +setct_AuthRevResTBEB 579 +setct_CapReqTBE 580 +setct_CapReqTBEX 581 +setct_CapResTBE 582 +setct_CapRevReqTBE 583 +setct_CapRevReqTBEX 584 +setct_CapRevResTBE 585 +setct_CredReqTBE 586 +setct_CredReqTBEX 587 +setct_CredResTBE 588 +setct_CredRevReqTBE 589 +setct_CredRevReqTBEX 590 +setct_CredRevResTBE 591 +setct_BatchAdminReqTBE 592 +setct_BatchAdminResTBE 593 +setct_RegFormReqTBE 594 +setct_CertReqTBE 595 +setct_CertReqTBEX 596 +setct_CertResTBE 597 +setct_CRLNotificationTBS 598 +setct_CRLNotificationResTBS 599 +setct_BCIDistributionTBS 600 +setext_genCrypt 601 +setext_miAuth 602 +setext_pinSecure 603 +setext_pinAny 604 +setext_track2 605 +setext_cv 606 +set_policy_root 607 +setCext_hashedRoot 608 +setCext_certType 609 +setCext_merchData 610 +setCext_cCertRequired 611 +setCext_tunneling 612 +setCext_setExt 613 +setCext_setQualf 614 +setCext_PGWYcapabilities 615 +setCext_TokenIdentifier 616 +setCext_Track2Data 617 +setCext_TokenType 618 +setCext_IssuerCapabilities 619 +setAttr_Cert 620 +setAttr_PGWYcap 621 +setAttr_TokenType 622 +setAttr_IssCap 623 +set_rootKeyThumb 624 +set_addPolicy 625 +setAttr_Token_EMV 626 +setAttr_Token_B0Prime 627 +setAttr_IssCap_CVM 628 +setAttr_IssCap_T2 629 +setAttr_IssCap_Sig 630 +setAttr_GenCryptgrm 631 +setAttr_T2Enc 632 +setAttr_T2cleartxt 633 +setAttr_TokICCsig 634 +setAttr_SecDevSig 635 +set_brand_IATA_ATA 636 +set_brand_Diners 637 +set_brand_AmericanExpress 638 +set_brand_JCB 639 +set_brand_Visa 640 +set_brand_MasterCard 641 +set_brand_Novus 642 +des_cdmf 643 +rsaOAEPEncryptionSET 644 +itu_t 645 +joint_iso_itu_t 646 +international_organizations 647 diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt index 65d0b15629..71a4908485 100644 --- a/src/lib/libcrypto/objects/objects.txt +++ b/src/lib/libcrypto/objects/objects.txt @@ -542,6 +542,7 @@ X509 43 : : initials X509 44 : : generationQualifier X509 45 : : x500UniqueIdentifier X509 46 : dnQualifier : dnQualifier +X509 65 : : pseudonym X509 72 : role : role X500 8 : X500algorithms : directory services - algorithms @@ -762,3 +763,150 @@ pilotAttributeType 53 : : personalSignature pilotAttributeType 54 : : dITRedirect pilotAttributeType 55 : audio pilotAttributeType 56 : : documentPublisher + +2 23 42 : id-set : Secure Electronic Transactions + +id-set 0 : set-ctype : content types +id-set 1 : set-msgExt : message extensions +id-set 3 : set-attr +id-set 5 : set-policy +id-set 7 : set-certExt : certificate extensions +id-set 8 : set-brand + +set-ctype 0 : setct-PANData +set-ctype 1 : setct-PANToken +set-ctype 2 : setct-PANOnly +set-ctype 3 : setct-OIData +set-ctype 4 : setct-PI +set-ctype 5 : setct-PIData +set-ctype 6 : setct-PIDataUnsigned +set-ctype 7 : setct-HODInput +set-ctype 8 : setct-AuthResBaggage +set-ctype 9 : setct-AuthRevReqBaggage +set-ctype 10 : setct-AuthRevResBaggage +set-ctype 11 : setct-CapTokenSeq +set-ctype 12 : setct-PInitResData +set-ctype 13 : setct-PI-TBS +set-ctype 14 : setct-PResData +set-ctype 16 : setct-AuthReqTBS +set-ctype 17 : setct-AuthResTBS +set-ctype 18 : setct-AuthResTBSX +set-ctype 19 : setct-AuthTokenTBS +set-ctype 20 : setct-CapTokenData +set-ctype 21 : setct-CapTokenTBS +set-ctype 22 : setct-AcqCardCodeMsg +set-ctype 23 : setct-AuthRevReqTBS +set-ctype 24 : setct-AuthRevResData +set-ctype 25 : setct-AuthRevResTBS +set-ctype 26 : setct-CapReqTBS +set-ctype 27 : setct-CapReqTBSX +set-ctype 28 : setct-CapResData +set-ctype 29 : setct-CapRevReqTBS +set-ctype 30 : setct-CapRevReqTBSX +set-ctype 31 : setct-CapRevResData +set-ctype 32 : setct-CredReqTBS +set-ctype 33 : setct-CredReqTBSX +set-ctype 34 : setct-CredResData +set-ctype 35 : setct-CredRevReqTBS +set-ctype 36 : setct-CredRevReqTBSX +set-ctype 37 : setct-CredRevResData +set-ctype 38 : setct-PCertReqData +set-ctype 39 : setct-PCertResTBS +set-ctype 40 : setct-BatchAdminReqData +set-ctype 41 : setct-BatchAdminResData +set-ctype 42 : setct-CardCInitResTBS +set-ctype 43 : setct-MeAqCInitResTBS +set-ctype 44 : setct-RegFormResTBS +set-ctype 45 : setct-CertReqData +set-ctype 46 : setct-CertReqTBS +set-ctype 47 : setct-CertResData +set-ctype 48 : setct-CertInqReqTBS +set-ctype 49 : setct-ErrorTBS +set-ctype 50 : setct-PIDualSignedTBE +set-ctype 51 : setct-PIUnsignedTBE +set-ctype 52 : setct-AuthReqTBE +set-ctype 53 : setct-AuthResTBE +set-ctype 54 : setct-AuthResTBEX +set-ctype 55 : setct-AuthTokenTBE +set-ctype 56 : setct-CapTokenTBE +set-ctype 57 : setct-CapTokenTBEX +set-ctype 58 : setct-AcqCardCodeMsgTBE +set-ctype 59 : setct-AuthRevReqTBE +set-ctype 60 : setct-AuthRevResTBE +set-ctype 61 : setct-AuthRevResTBEB +set-ctype 62 : setct-CapReqTBE +set-ctype 63 : setct-CapReqTBEX +set-ctype 64 : setct-CapResTBE +set-ctype 65 : setct-CapRevReqTBE +set-ctype 66 : setct-CapRevReqTBEX +set-ctype 67 : setct-CapRevResTBE +set-ctype 68 : setct-CredReqTBE +set-ctype 69 : setct-CredReqTBEX +set-ctype 70 : setct-CredResTBE +set-ctype 71 : setct-CredRevReqTBE +set-ctype 72 : setct-CredRevReqTBEX +set-ctype 73 : setct-CredRevResTBE +set-ctype 74 : setct-BatchAdminReqTBE +set-ctype 75 : setct-BatchAdminResTBE +set-ctype 76 : setct-RegFormReqTBE +set-ctype 77 : setct-CertReqTBE +set-ctype 78 : setct-CertReqTBEX +set-ctype 79 : setct-CertResTBE +set-ctype 80 : setct-CRLNotificationTBS +set-ctype 81 : setct-CRLNotificationResTBS +set-ctype 82 : setct-BCIDistributionTBS + +set-msgExt 1 : setext-genCrypt : generic cryptogram +set-msgExt 3 : setext-miAuth : merchant initiated auth +set-msgExt 4 : setext-pinSecure +set-msgExt 5 : setext-pinAny +set-msgExt 7 : setext-track2 +set-msgExt 8 : setext-cv : additional verification + +set-policy 0 : set-policy-root + +set-certExt 0 : setCext-hashedRoot +set-certExt 1 : setCext-certType +set-certExt 2 : setCext-merchData +set-certExt 3 : setCext-cCertRequired +set-certExt 4 : setCext-tunneling +set-certExt 5 : setCext-setExt +set-certExt 6 : setCext-setQualf +set-certExt 7 : setCext-PGWYcapabilities +set-certExt 8 : setCext-TokenIdentifier +set-certExt 9 : setCext-Track2Data +set-certExt 10 : setCext-TokenType +set-certExt 11 : setCext-IssuerCapabilities + +set-attr 0 : setAttr-Cert +set-attr 1 : setAttr-PGWYcap : payment gateway capabilities +set-attr 2 : setAttr-TokenType +set-attr 3 : setAttr-IssCap : issuer capabilities + +setAttr-Cert 0 : set-rootKeyThumb +setAttr-Cert 1 : set-addPolicy + +setAttr-TokenType 1 : setAttr-Token-EMV +setAttr-TokenType 2 : setAttr-Token-B0Prime + +setAttr-IssCap 3 : setAttr-IssCap-CVM +setAttr-IssCap 4 : setAttr-IssCap-T2 +setAttr-IssCap 5 : setAttr-IssCap-Sig + +setAttr-IssCap-CVM 1 : setAttr-GenCryptgrm : generate cryptogram +setAttr-IssCap-T2 1 : setAttr-T2Enc : encrypted track 2 +setAttr-IssCap-T2 2 : setAttr-T2cleartxt : cleartext track 2 + +setAttr-IssCap-Sig 1 : setAttr-TokICCsig : ICC or token signature +setAttr-IssCap-Sig 2 : setAttr-SecDevSig : secure device signature + +set-brand 1 : set-brand-IATA-ATA +set-brand 30 : set-brand-Diners +set-brand 34 : set-brand-AmericanExpress +set-brand 35 : set-brand-JCB +set-brand 4 : set-brand-Visa +set-brand 5 : set-brand-MasterCard +set-brand 6011 : set-brand-Novus + +rsadsi 3 10 : DES-CDMF : des-cdmf +rsadsi 1 1 6 : rsaOAEPEncryptionSET diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h index 0d23a02fb2..9689b49c5b 100644 --- a/src/lib/libcrypto/opensslv.h +++ b/src/lib/libcrypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x00907001L -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7-beta1 01 Jun 2002" +#define OPENSSL_VERSION_NUMBER 0x00907003L +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7-beta3 30 Jul 2002" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/src/lib/libcrypto/pem/pem2.h b/src/lib/libcrypto/pem/pem2.h index 4e484bcd82..f31790d69c 100644 --- a/src/lib/libcrypto/pem/pem2.h +++ b/src/lib/libcrypto/pem/pem2.h @@ -61,7 +61,9 @@ extern "C" { #endif +#ifndef HEADER_PEM_H void ERR_load_PEM_strings(void); +#endif #ifdef __cplusplus } diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c index 270892d72b..d96ecf6940 100644 --- a/src/lib/libcrypto/pem/pem_pkey.c +++ b/src/lib/libcrypto/pem/pem_pkey.c @@ -85,6 +85,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) { PKCS8_PRIV_KEY_INFO *p8inf; p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len); + if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); PKCS8_PRIV_KEY_INFO_free(p8inf); } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) { diff --git a/src/lib/libcrypto/perlasm/x86asm.pl b/src/lib/libcrypto/perlasm/x86asm.pl index 81c6e64e87..9a3d85b098 100644 --- a/src/lib/libcrypto/perlasm/x86asm.pl +++ b/src/lib/libcrypto/perlasm/x86asm.pl @@ -87,6 +87,12 @@ $tmp #ifdef OUT #define OK 1 #define ALIGN 4 +#if defined(__CYGWIN__) || defined(__DJGPP__) +#undef SIZE +#undef TYPE +#define SIZE(a,b) +#define TYPE(a,b) +#endif /* __CYGWIN || __DJGPP */ #endif #if defined(BSDI) && !defined(ELF) diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h index 1786b6d4f3..dd338f266c 100644 --- a/src/lib/libcrypto/pkcs12/pkcs12.h +++ b/src/lib/libcrypto/pkcs12/pkcs12.h @@ -156,8 +156,8 @@ union { #define M_PKCS12_decrypt_skey PKCS12_decrypt_skey #define M_PKCS8_decrypt PKCS8_decrypt -#define M_PKCS12_bag_type(bag) OBJ_obj2nid(bag->type) -#define M_PKCS12_cert_bag_type(bag) OBJ_obj2nid(bag->value.bag->type) +#define M_PKCS12_bag_type(bg) OBJ_obj2nid((bg)->type) +#define M_PKCS12_cert_bag_type(bg) OBJ_obj2nid((bg)->value.bag->type) #define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type #define PKCS12_get_attr(bag, attr_nid) \ diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h index e17aa7a9f7..66e39991ec 100644 --- a/src/lib/libcrypto/rand/rand.h +++ b/src/lib/libcrypto/rand/rand.h @@ -61,6 +61,11 @@ #include #include +#include + +#if defined(OPENSSL_SYS_WINDOWS) +#include +#endif #ifdef __cplusplus extern "C" { diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h index 030a6c88e5..98b3bd7cc5 100644 --- a/src/lib/libcrypto/rsa/rsa.h +++ b/src/lib/libcrypto/rsa/rsa.h @@ -276,6 +276,9 @@ int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int RSA_set_ex_data(RSA *r,int idx,void *arg); void *RSA_get_ex_data(const RSA *r, int idx); +RSA *RSAPublicKey_dup(RSA *rsa); +RSA *RSAPrivateKey_dup(RSA *rsa); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/src/lib/libcrypto/ui/ui_openssl.c b/src/lib/libcrypto/ui/ui_openssl.c index 4e12165410..2c2fbc0443 100644 --- a/src/lib/libcrypto/ui/ui_openssl.c +++ b/src/lib/libcrypto/ui/ui_openssl.c @@ -269,7 +269,7 @@ static long tty_orig[3], tty_new[3]; /* XXX Is there any guarantee that this w static long status; static unsigned short channel = 0; #else -#ifndef OPENSSL_SYS_MSDOS +#if !defined(OPENSSL_SYS_MSDOS) || defined(__DJGPP__) static TTY_STRUCT tty_orig,tty_new; #endif #endif diff --git a/src/lib/libcrypto/ui/ui_util.c b/src/lib/libcrypto/ui/ui_util.c index 7c6f7d3a73..f05573df33 100644 --- a/src/lib/libcrypto/ui/ui_util.c +++ b/src/lib/libcrypto/ui/ui_util.c @@ -71,12 +71,15 @@ int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify) int ok = 0; UI *ui; + if (size < 1) + return -1; + ui = UI_new(); if (ui) { - ok = UI_add_input_string(ui,prompt,0,buf,0,BUFSIZ-1); + ok = UI_add_input_string(ui,prompt,0,buf,0,size-1); if (ok == 0 && verify) - ok = UI_add_verify_string(ui,prompt,0,buff,0,BUFSIZ-1, + ok = UI_add_verify_string(ui,prompt,0,buff,0,size-1, buf); if (ok == 0) ok=UI_process(ui); diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h index 586f116db5..2fb97d8925 100644 --- a/src/lib/libcrypto/x509v3/ext_dat.h +++ b/src/lib/libcrypto/x509v3/ext_dat.h @@ -99,8 +99,8 @@ static X509V3_EXT_METHOD *standard_exts[] = { &v3_ocsp_nocheck, &v3_ocsp_acutoff, &v3_ocsp_serviceloc, -&v3_crl_hold, -&v3_sinfo +&v3_sinfo, +&v3_crl_hold }; /* Number of standard extensions */ diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c index 7f17f3231d..e1cf01a9b4 100644 --- a/src/lib/libcrypto/x509v3/v3_info.c +++ b/src/lib/libcrypto/x509v3/v3_info.c @@ -158,6 +158,7 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *metho objlen = ptmp - cnf->name; ctmp.name = ptmp + 1; ctmp.value = cnf->value; + GENERAL_NAME_free(acc->location); if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp))) goto err; if(!(objtmp = OPENSSL_malloc(objlen + 1))) { diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index b2be8340fb..019e9aecee 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -57,11 +57,11 @@ */ #include +#include "ssl_locl.h" #include #include #include #include -#include "ssl_locl.h" static SSL_METHOD *ssl23_get_client_method(int ver); static int ssl23_client_hello(SSL *s); diff --git a/src/lib/libssl/s23_pkt.c b/src/lib/libssl/s23_pkt.c index f45e1ce3d8..4ca6a1b258 100644 --- a/src/lib/libssl/s23_pkt.c +++ b/src/lib/libssl/s23_pkt.c @@ -59,9 +59,9 @@ #include #include #define USE_SOCKETS +#include "ssl_locl.h" #include #include -#include "ssl_locl.h" int ssl23_write_bytes(SSL *s) { diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index 9e89cc7f9a..8743b61cbb 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c @@ -110,11 +110,11 @@ */ #include +#include "ssl_locl.h" #include #include #include #include -#include "ssl_locl.h" static SSL_METHOD *ssl23_get_server_method(int ver); int ssl23_get_client_hello(SSL *s); diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c index 58a24cd883..8864366f59 100644 --- a/src/lib/libssl/s3_both.c +++ b/src/lib/libssl/s3_both.c @@ -112,12 +112,12 @@ #include #include #include +#include "ssl_locl.h" #include #include #include #include #include -#include "ssl_locl.h" /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ int ssl3_do_write(SSL *s, int type) diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index e5853ede95..2699b5863b 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -110,13 +110,14 @@ */ #include +#include "ssl_locl.h" +#include "kssl_lcl.h" #include #include #include #include -#include "ssl_locl.h" -#include "kssl_lcl.h" #include +#include "cryptlib.h" static SSL_METHOD *ssl3_get_client_method(int ver); static int ssl3_client_hello(SSL *s); @@ -545,6 +546,7 @@ static int ssl3_client_hello(SSL *s) *(p++)=i; if (i != 0) { + die(i <= sizeof s->session->session_id); memcpy(p,s->session->session_id,i); p+=i; } @@ -626,6 +628,14 @@ static int ssl3_get_server_hello(SSL *s) /* get the session-id */ j= *(p++); + if(j > sizeof s->session->session_id) + { + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, + SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto f_err; + } + if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) { /* SSLref returns 16 :-( */ @@ -1588,6 +1598,7 @@ static int ssl3_send_client_key_exchange(SSL *s) SSL_MAX_MASTER_KEY_LENGTH); EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); outl += padl; + die(outl <= sizeof epms); EVP_CIPHER_CTX_cleanup(&ciph_ctx); /* KerberosWrapper.EncryptedPreMasterSecret */ diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 686992406c..14b2f13ae2 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -129,7 +129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -490,7 +490,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_NULL_SHA, SSL3_CK_FZA_DMS_NULL_SHA, SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -504,7 +504,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_FZA_SHA, SSL3_CK_FZA_DMS_FZA_SHA, SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 43e8502b66..6ccea9aee5 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c @@ -112,9 +112,9 @@ #include #include #define USE_SOCKETS +#include "ssl_locl.h" #include #include -#include "ssl_locl.h" static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment); diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 99b6a86983..782b57f57a 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -114,15 +114,16 @@ #include +#include "ssl_locl.h" +#include "kssl_lcl.h" #include #include #include #include #include #include -#include "ssl_locl.h" -#include "kssl_lcl.h" #include +#include "cryptlib.h" static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); @@ -964,6 +965,7 @@ static int ssl3_send_server_hello(SSL *s) s->session->session_id_length=0; sl=s->session->session_id_length; + die(sl <= sizeof s->session->session_id); *(p++)=sl; memcpy(p,s->session->session_id,sl); p+=sl; @@ -1559,8 +1561,8 @@ static int ssl3_get_client_key_exchange(SSL *s) EVP_CIPHER *enc = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH - + EVP_MAX_IV_LENGTH + 1]; - int padl, outl = sizeof(pms); + + EVP_MAX_BLOCK_LENGTH]; + int padl, outl; krb5_timestamp authtime = 0; krb5_ticket_times ttimes; @@ -1583,6 +1585,16 @@ static int ssl3_get_client_key_exchange(SSL *s) enc_pms.data = (char *)p; p+=enc_pms.length; + /* Note that the length is checked again below, + ** after decryption + */ + if(enc.pms_length > sizeof pms) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + if (n != enc_ticket.length + authenticator.length + enc_pms.length + 6) { diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 833f761690..d9949e8eb2 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -253,7 +253,7 @@ extern "C" { #define SSL_TXT_RC4 "RC4" #define SSL_TXT_RC2 "RC2" #define SSL_TXT_IDEA "IDEA" -#define SSL_TXT_AES "AESdraft" /* AES ciphersuites are not yet official (thus excluded from 'ALL') */ +#define SSL_TXT_AES "AES" #define SSL_TXT_MD5 "MD5" #define SSL_TXT_SHA1 "SHA1" #define SSL_TXT_SHA "SHA" @@ -266,6 +266,23 @@ extern "C" { #define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_ALL "ALL" +/* + * COMPLEMENTOF* definitions. These identifiers are used to (de-select) + * ciphers normally not being used. + * Example: "RC4" will activate all ciphers using RC4 including ciphers + * without authentication, which would normally disabled by DEFAULT (due + * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" + * will make sure that it is also disabled in the specific selection. + * COMPLEMENTOF* identifiers are portable between version, as adjustments + * to the default cipher setup will also be included here. + * + * COMPLEMENTOFDEFAULT does not experience the same special treatment that + * DEFAULT gets, as only selection is being done and no sorting as needed + * for DEFAULT. + */ +#define SSL_TXT_CMPALL "COMPLEMENTOFALL" +#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" + /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ @@ -429,6 +446,7 @@ typedef struct ssl_session_st struct ssl_session_st *prev,*next; } SSL_SESSION; + #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L @@ -439,6 +457,19 @@ typedef struct ssl_session_st #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L +/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added + * in OpenSSL 0.9.6d. Usually (depending on the application protocol) + * the workaround is not needed. Unfortunately some broken SSL/TLS + * implementations cannot handle it at all, which is why we include + * it in SSL_OP_ALL. */ +#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */ + +/* SSL_OP_ALL: various bug workarounds that should be rather harmless. + * This used to be 0x000FFFFFL before 0.9.7. */ +#define SSL_OP_ALL 0x00000FFFL + +/* As server, disallow session resumption on renegotiation */ +#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L /* Set to always use the tmp_rsa key when doing RSA operations, @@ -452,8 +483,10 @@ typedef struct ssl_session_st * (version 3.1) was announced in the client hello. Normally this is * forbidden to prevent version rollback attacks. */ #define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L -/* As server, disallow session resumption on renegotiation */ -#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x01000000L + +#define SSL_OP_NO_SSLv2 0x01000000L +#define SSL_OP_NO_SSLv3 0x02000000L +#define SSL_OP_NO_TLSv1 0x04000000L /* The next flag deliberately changes the ciphertest, this is a check * for the PKCS#1 attack */ @@ -461,11 +494,7 @@ typedef struct ssl_session_st #define SSL_OP_PKCS1_CHECK_2 0x10000000L #define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L -#define SSL_OP_ALL 0x000FFFFFL -#define SSL_OP_NO_SSLv2 0x01000000L -#define SSL_OP_NO_SSLv3 0x02000000L -#define SSL_OP_NO_TLSv1 0x04000000L /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success * when just a single record has been written): */ @@ -479,6 +508,7 @@ typedef struct ssl_session_st * is blocking: */ #define SSL_MODE_AUTO_RETRY 0x00000004L + /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ @@ -1637,6 +1667,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_PURPOSE 278 #define SSL_R_INVALID_TRUST 279 +#define SSL_R_KEY_ARG_TOO_LONG 1112 #define SSL_R_KRB5 1104 #define SSL_R_KRB5_C_CC_PRINC 1094 #define SSL_R_KRB5_C_GET_CRED 1095 @@ -1716,6 +1747,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_SHORT_READ 219 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 +#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c index c5eeeb6bc5..1638c6b525 100644 --- a/src/lib/libssl/ssl_asn1.c +++ b/src/lib/libssl/ssl_asn1.c @@ -58,10 +58,11 @@ #include #include +#include "ssl_locl.h" #include #include #include -#include "ssl_locl.h" +#include "cryptlib.h" typedef struct ssl_session_asn1_st { @@ -296,6 +297,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, os.length=i; ret->session_id_length=os.length; + die(os.length <= sizeof ret->session_id); memcpy(ret->session_id,os.data,os.length); M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index cdd8dde128..37f58886a6 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c @@ -100,9 +100,10 @@ typedef struct cipher_order_st } CIPHER_ORDER; static const SSL_CIPHER cipher_aliases[]={ - /* Don't include eNULL unless specifically enabled. - * Similarly, don't include AES in ALL because these ciphers are not yet official. */ - {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_AES, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ + /* Don't include eNULL unless specifically enabled. */ + {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ + {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ + {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, @@ -999,10 +1000,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) case SSL_AES: switch(cipher->strength_bits) { - case 128: enc="AESdraft(128)"; break; - case 192: enc="AESdraft(192)"; break; - case 256: enc="AESdraft(256)"; break; - default: enc="AESdraft(?""?""?)"; break; + case 128: enc="AES(128)"; break; + case 192: enc="AES(192)"; break; + case 256: enc="AES(256)"; break; + default: enc="AES(?""?""?)"; break; } break; default: diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c index c32c4ef6e9..0cad32c855 100644 --- a/src/lib/libssl/ssl_err.c +++ b/src/lib/libssl/ssl_err.c @@ -1,6 +1,6 @@ /* ssl/ssl_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -275,6 +275,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_INVALID_COMMAND ,"invalid command"}, {SSL_R_INVALID_PURPOSE ,"invalid purpose"}, {SSL_R_INVALID_TRUST ,"invalid trust"}, +{SSL_R_KEY_ARG_TOO_LONG ,"key arg too long"}, {SSL_R_KRB5 ,"krb5"}, {SSL_R_KRB5_C_CC_PRINC ,"krb5 client cc principal (no tkt?)"}, {SSL_R_KRB5_C_GET_CRED ,"krb5 client get cred"}, @@ -354,6 +355,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_SHORT_READ ,"short read"}, {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"}, {SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"}, +{SSL_R_SSL3_SESSION_ID_TOO_LONG ,"ssl3 session id too long"}, {SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"}, {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"}, {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"}, diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index df307a80c5..ab172aeaec 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -116,11 +116,11 @@ # include #endif #include +#include "ssl_locl.h" +#include "kssl_lcl.h" #include #include #include -#include "ssl_locl.h" -#include "kssl_lcl.h" const char *SSL_version_str=OPENSSL_VERSION_TEXT; diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 17e9bef832..fe4ac839cf 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -293,16 +293,17 @@ #define SSL_NOT_EXP 0x00000001L #define SSL_EXPORT 0x00000002L -#define SSL_STRONG_MASK 0x0000007cL -#define SSL_EXP40 0x00000004L +#define SSL_STRONG_MASK 0x000000fcL +#define SSL_STRONG_NONE 0x00000004L +#define SSL_EXP40 0x00000008L #define SSL_MICRO (SSL_EXP40) -#define SSL_EXP56 0x00000008L +#define SSL_EXP56 0x00000010L #define SSL_MINI (SSL_EXP56) -#define SSL_LOW 0x00000010L -#define SSL_MEDIUM 0x00000020L -#define SSL_HIGH 0x00000040L +#define SSL_LOW 0x00000020L +#define SSL_MEDIUM 0x00000040L +#define SSL_HIGH 0x00000080L -/* we have used 0000007f - 25 bits left to go */ +/* we have used 000000ff - 24 bits left to go */ /* * Macros to check the export status and cipher strength for export ciphers. diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 1cf8e20934..03828b6632 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c @@ -57,12 +57,12 @@ */ #include +#include "ssl_locl.h" #include #include #include #include #include -#include "ssl_locl.h" static int ssl_set_cert(CERT *c, X509 *x509); static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 6424f775e2..8bfc382bb6 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -60,6 +60,7 @@ #include #include #include "ssl_locl.h" +#include "cryptlib.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); @@ -250,6 +251,7 @@ int ssl_get_new_session(SSL *s, int session) ss->session_id_length=0; } + die(s->sid_ctx_length <= sizeof ss->sid_ctx); memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length); ss->sid_ctx_length=s->sid_ctx_length; s->session=ss; diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c index 9745630a00..9ad518f9f4 100644 --- a/src/lib/libssl/t1_clnt.c +++ b/src/lib/libssl/t1_clnt.c @@ -57,11 +57,11 @@ */ #include +#include "ssl_locl.h" #include #include #include #include -#include "ssl_locl.h" static SSL_METHOD *tls1_get_client_method(int ver); static SSL_METHOD *tls1_get_client_method(int ver) diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index b80525f3ba..5290bf6665 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c @@ -110,10 +110,10 @@ */ #include +#include "ssl_locl.h" #include #include #include -#include "ssl_locl.h" #include static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, @@ -483,14 +483,25 @@ printf("\nkey block\n"); { int z; for (z=0; zs3->need_empty_fragments = 1; -#ifndef NO_RC4 - if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)) - s->s3->need_empty_fragments = 0; + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + { + /* enable vulnerability countermeasure for CBC ciphers with + * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) + */ + s->s3->need_empty_fragments = 1; + + if (s->session->cipher != NULL) + { + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) + s->s3->need_empty_fragments = 0; + +#ifndef OPENSSL_NO_RC4 + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) + s->s3->need_empty_fragments = 0; #endif - + } + } + return(1); err: SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c index 996b7ca8e2..6e765e587f 100644 --- a/src/lib/libssl/t1_srvr.c +++ b/src/lib/libssl/t1_srvr.c @@ -57,12 +57,12 @@ */ #include +#include "ssl_locl.h" #include #include #include #include #include -#include "ssl_locl.h" static SSL_METHOD *tls1_get_server_method(int ver); static SSL_METHOD *tls1_get_server_method(int ver) diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl index acaf8f3c47..f71ef7a863 100644 --- a/src/lib/libssl/test/tcrl +++ b/src/lib/libssl/test/tcrl @@ -1,6 +1,10 @@ #!/bin/sh -PATH=../apps:$PATH +if test "$OSTYPE" = msdosdjgpp; then + PATH=../apps\;$PATH +else + PATH=../apps:$PATH +fi export PATH cmd='../apps/openssl crl' diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca index 88c186b6ab..8215ebb5d1 100644 --- a/src/lib/libssl/test/testca +++ b/src/lib/libssl/test/testca @@ -1,7 +1,11 @@ #!/bin/sh SH="/bin/sh" -PATH=../apps:$PATH +if test "$OSTYPE" = msdosdjgpp; then + PATH=./apps\;../apps\;$PATH +else + PATH=../apps:$PATH +fi export SH PATH SSLEAY_CONFIG="-config CAss.cnf" diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen index 6a4b6b9221..55c496f4bc 100644 --- a/src/lib/libssl/test/testgen +++ b/src/lib/libssl/test/testgen @@ -6,7 +6,11 @@ CA=../certs/testca.pem /bin/rm -f $T.1 $T.2 $T.key -PATH=../apps:$PATH; +if test "$OSTYPE" = msdosdjgpp; then + PATH=../apps\;$PATH; +else + PATH=../apps:$PATH; +fi export PATH echo "generating certificate request" diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7 index 15bbba42c0..cf3bd9fadb 100644 --- a/src/lib/libssl/test/tpkcs7 +++ b/src/lib/libssl/test/tpkcs7 @@ -1,6 +1,10 @@ #!/bin/sh -PATH=../apps:$PATH +if test "$OSTYPE" = msdosdjgpp; then + PATH=../apps\;$PATH +else + PATH=../apps:$PATH +fi export PATH cmd='../apps/openssl pkcs7' diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d index 46e5aa2bd6..18f9311b06 100644 --- a/src/lib/libssl/test/tpkcs7d +++ b/src/lib/libssl/test/tpkcs7d @@ -1,6 +1,10 @@ #!/bin/sh -PATH=../apps:$PATH +if test "$OSTYPE" = msdosdjgpp; then + PATH=../apps\;$PATH +else + PATH=../apps:$PATH +fi export PATH cmd='../apps/openssl pkcs7' diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq index 9f5eb7eea5..47a8273cde 100644 --- a/src/lib/libssl/test/treq +++ b/src/lib/libssl/test/treq @@ -1,6 +1,10 @@ #!/bin/sh -PATH=../apps:$PATH +if test "$OSTYPE" = msdosdjgpp; then + PATH=../apps\;$PATH +else + PATH=../apps:$PATH +fi export PATH cmd='../apps/openssl req -config ../apps/openssl.cnf' diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa index bd6c07650a..413e2ec0a0 100644 --- a/src/lib/libssl/test/trsa +++ b/src/lib/libssl/test/trsa @@ -1,6 +1,10 @@ #!/bin/sh -PATH=../apps:$PATH +if test "$OSTYPE" = msdosdjgpp; then + PATH=../apps\;$PATH +else + PATH=../apps:$PATH +fi export PATH if ../apps/openssl no-rsa; then diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid index 9e0854516c..40a1dfa97c 100644 --- a/src/lib/libssl/test/tsid +++ b/src/lib/libssl/test/tsid @@ -1,6 +1,10 @@ #!/bin/sh -PATH=../apps:$PATH +if test "$OSTYPE" = msdosdjgpp; then + PATH=../apps\;$PATH +else + PATH=../apps:$PATH +fi export PATH cmd='../apps/openssl sess_id' diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509 index 35169f3a43..d380963abc 100644 --- a/src/lib/libssl/test/tx509 +++ b/src/lib/libssl/test/tx509 @@ -1,6 +1,10 @@ #!/bin/sh -PATH=../apps:$PATH +if test "$OSTYPE" = msdosdjgpp; then + PATH=../apps\;$PATH +else + PATH=../apps:$PATH +fi export PATH cmd='../apps/openssl x509' diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h index 88ec5fb527..38838ea9a5 100644 --- a/src/lib/libssl/tls1.h +++ b/src/lib/libssl/tls1.h @@ -96,7 +96,7 @@ extern "C" { #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065 #define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066 - /* AES ciphersuites from draft ietf-tls-ciphersuite-03.txt */ +/* AES ciphersuites from RFC3268 */ #define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F #define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030 @@ -126,20 +126,21 @@ extern "C" { #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA "EXP1024-RC4-SHA" #define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA" #define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA" - /* AES ciphersuites from draft-ietf-tls-ciphersuite-06.txt */ -#define TLS1_TXT_RSA_WITH_AES_128_SHA "AESdraft128-SHA" -#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AESdraft128-SHA" -#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AESdraft128-SHA" -#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA "DHE-DSS-AESdraft128-SHA" -#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA "DHE-RSA-AESdraft128-SHA" -#define TLS1_TXT_ADH_WITH_AES_128_SHA "ADH-AESdraft128-SHA" - -#define TLS1_TXT_RSA_WITH_AES_256_SHA "AESdraft256-SHA" -#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA "DH-DSS-AESdraft256-SHA" -#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA "DH-RSA-AESdraft256-SHA" -#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA "DHE-DSS-AESdraft256-SHA" -#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AESdraft256-SHA" -#define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AESdraft256-SHA" + +/* AES ciphersuites from RFC3268 */ +#define TLS1_TXT_RSA_WITH_AES_128_SHA "AES128-SHA" +#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AES128-SHA" +#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AES128-SHA" +#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA "DHE-DSS-AES128-SHA" +#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA "DHE-RSA-AES128-SHA" +#define TLS1_TXT_ADH_WITH_AES_128_SHA "ADH-AES128-SHA" + +#define TLS1_TXT_RSA_WITH_AES_256_SHA "AES256-SHA" +#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA "DH-DSS-AES256-SHA" +#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA "DH-RSA-AES256-SHA" +#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA "DHE-DSS-AES256-SHA" +#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AES256-SHA" +#define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AES256-SHA" #define TLS_CT_RSA_SIGN 1 -- cgit v1.2.3-55-g6feb