From 38b6ff9e5294811c57541ad47940f8f8f41dc114 Mon Sep 17 00:00:00 2001 From: beck <> Date: Fri, 22 Jun 2001 00:03:44 +0000 Subject: openssl-engine-0.9.6a merge --- src/lib/libcrypto/Attic/Makefile | 10 +- src/lib/libcrypto/Makefile.ssl | 10 +- src/lib/libcrypto/asn1/Makefile.ssl | 3 +- src/lib/libcrypto/asn1/a_strnid.c | 2 +- src/lib/libcrypto/asn1/asn1_lib.c | 2 +- src/lib/libcrypto/asn1/asn1_mac.h | 23 ++ src/lib/libcrypto/asn1/p7_lib.c | 2 + src/lib/libcrypto/asn1/x_crl.c | 10 +- src/lib/libcrypto/asn1/x_name.c | 6 +- src/lib/libcrypto/bf/Makefile.ssl | 3 +- src/lib/libcrypto/bio/Makefile.ssl | 17 +- src/lib/libcrypto/bio/b_print.c | 1 + src/lib/libcrypto/bio/b_sock.c | 14 +- src/lib/libcrypto/bn/Makefile.ssl | 3 +- src/lib/libcrypto/bn/asm/mips3.s | 8 +- src/lib/libcrypto/bn/asm/pa-risc2.s | 2 +- src/lib/libcrypto/bn/asm/pa-risc2W.s | 2 +- src/lib/libcrypto/bn/bn.h | 8 +- src/lib/libcrypto/bn/bn_div.c | 7 +- src/lib/libcrypto/bn/bn_err.c | 3 + src/lib/libcrypto/bn/bn_lib.c | 7 + src/lib/libcrypto/bn/bn_rand.c | 107 +++++- src/lib/libcrypto/bn/bn_shift.c | 5 + src/lib/libcrypto/bn/bntest.c | 64 ++-- src/lib/libcrypto/buffer/Makefile.ssl | 3 +- src/lib/libcrypto/cast/Makefile.ssl | 3 +- src/lib/libcrypto/comp/Makefile.ssl | 3 +- src/lib/libcrypto/conf/Makefile.ssl | 3 +- src/lib/libcrypto/conf/conf.h | 2 + src/lib/libcrypto/conf/conf_err.c | 2 + src/lib/libcrypto/conf/conf_lib.c | 84 +++-- src/lib/libcrypto/crypto-lib.com | 2 +- src/lib/libcrypto/crypto.h | 2 + src/lib/libcrypto/des/Makefile.ssl | 3 +- src/lib/libcrypto/des/asm/des-586.pl | 4 +- src/lib/libcrypto/des/asm/des686.pl | 2 +- src/lib/libcrypto/des/asm/readme | 2 +- src/lib/libcrypto/des/cbc_cksm.c | 2 +- src/lib/libcrypto/des/cfb64enc.c | 4 +- src/lib/libcrypto/des/cfb_enc.c | 4 +- src/lib/libcrypto/des/des.h | 8 +- src/lib/libcrypto/des/des_enc.c | 2 +- src/lib/libcrypto/des/des_opts.c | 48 +-- src/lib/libcrypto/des/dess.cpp | 18 +- src/lib/libcrypto/des/ecb_enc.c | 2 +- src/lib/libcrypto/des/ede_cbcm_enc.c | 16 +- src/lib/libcrypto/des/ncbc_enc.c | 8 +- src/lib/libcrypto/des/ofb64enc.c | 2 +- src/lib/libcrypto/des/ofb_enc.c | 2 +- src/lib/libcrypto/des/pcbc_enc.c | 4 +- src/lib/libcrypto/des/speed.c | 4 +- src/lib/libcrypto/des/xcbc_enc.c | 8 +- src/lib/libcrypto/dh/Makefile.ssl | 3 +- src/lib/libcrypto/dh/dh_key.c | 11 +- src/lib/libcrypto/dh/dh_lib.c | 8 +- src/lib/libcrypto/doc/RAND_load_file.pod | 2 +- src/lib/libcrypto/doc/bn.pod | 1 + src/lib/libcrypto/doc/evp.pod | 2 +- src/lib/libcrypto/dsa/Makefile.ssl | 3 +- src/lib/libcrypto/dso/Makefile.ssl | 3 +- src/lib/libcrypto/dso/dso_dl.c | 23 +- src/lib/libcrypto/dso/dso_vms.c | 4 +- src/lib/libcrypto/ebcdic.c | 2 +- src/lib/libcrypto/engine/engine_lib.c | 11 +- src/lib/libcrypto/err/Makefile.ssl | 3 +- src/lib/libcrypto/err/err.c | 20 +- src/lib/libcrypto/evp/Makefile.ssl | 3 +- src/lib/libcrypto/evp/evp.h | 36 +- src/lib/libcrypto/ex_data.c | 2 +- src/lib/libcrypto/hmac/Makefile.ssl | 3 +- src/lib/libcrypto/idea/Makefile.ssl | 3 +- src/lib/libcrypto/lhash/Makefile.ssl | 3 +- src/lib/libcrypto/md2/Makefile.ssl | 3 +- src/lib/libcrypto/md4/Makefile.ssl | 3 +- src/lib/libcrypto/md5/Makefile.ssl | 3 +- src/lib/libcrypto/mdc2/Makefile.ssl | 3 +- src/lib/libcrypto/mem_dbg.c | 98 +++-- src/lib/libcrypto/objects/Makefile.ssl | 3 +- src/lib/libcrypto/opensslv.h | 4 +- src/lib/libcrypto/pem/Makefile.ssl | 3 +- src/lib/libcrypto/pem/pem_info.c | 2 +- src/lib/libcrypto/pkcs12/Makefile.ssl | 3 +- src/lib/libcrypto/pkcs12/p12_attr.c | 2 +- src/lib/libcrypto/pkcs12/p12_key.c | 13 +- src/lib/libcrypto/pkcs12/p12_kiss.c | 1 + src/lib/libcrypto/pkcs12/p12_utl.c | 18 +- src/lib/libcrypto/pkcs12/pkcs12.h | 2 +- src/lib/libcrypto/pkcs7/Makefile.ssl | 3 +- src/lib/libcrypto/pkcs7/pk7_doit.c | 13 +- src/lib/libcrypto/pkcs7/pk7_mime.c | 6 +- src/lib/libcrypto/pkcs7/pk7_smime.c | 13 +- src/lib/libcrypto/rand/Makefile.ssl | 3 +- src/lib/libcrypto/rand/md_rand.c | 4 +- src/lib/libcrypto/rand/rand.h | 4 +- src/lib/libcrypto/rand/rand_egd.c | 7 + src/lib/libcrypto/rand/rand_win.c | 8 +- src/lib/libcrypto/rand/randfile.c | 10 +- src/lib/libcrypto/rc2/Makefile.ssl | 3 +- src/lib/libcrypto/rc4/Makefile.ssl | 3 +- src/lib/libcrypto/rc5/Makefile.ssl | 3 +- src/lib/libcrypto/ripemd/Makefile.ssl | 3 +- src/lib/libcrypto/rsa/Makefile.ssl | 3 +- src/lib/libcrypto/rsa/rsa_eay.c | 97 ++++- src/lib/libcrypto/rsa/rsa_lib.c | 10 +- src/lib/libcrypto/sha/Makefile.ssl | 3 +- src/lib/libcrypto/sha/asm/sha1-586.pl | 12 +- src/lib/libcrypto/stack/Makefile.ssl | 3 +- src/lib/libcrypto/txt_db/Makefile.ssl | 3 +- src/lib/libcrypto/uid.c | 88 +++++ src/lib/libcrypto/util/clean-depend.pl | 4 +- src/lib/libcrypto/util/libeay.num | 127 ++++--- src/lib/libcrypto/util/mkdef.pl | 26 +- src/lib/libcrypto/util/mklink.pl | 7 +- src/lib/libcrypto/util/pod2man.pl | 2 + src/lib/libcrypto/x509/Makefile.ssl | 3 +- src/lib/libcrypto/x509/by_dir.c | 2 +- src/lib/libcrypto/x509/x509_cmp.c | 18 +- src/lib/libcrypto/x509v3/Makefile.ssl | 3 +- src/lib/libcrypto/x509v3/v3_alt.c | 2 +- src/lib/libcrypto/x509v3/v3_prn.c | 26 +- src/lib/libcrypto/x509v3/v3_purp.c | 6 +- src/lib/libssl/LICENSE | 2 +- src/lib/libssl/crypto/Makefile | 2 +- src/lib/libssl/crypto/shlib_version | 4 +- src/lib/libssl/s23_lib.c | 38 +- src/lib/libssl/s3_both.c | 4 +- src/lib/libssl/s3_clnt.c | 1 + src/lib/libssl/s3_lib.c | 88 +++-- src/lib/libssl/s3_pkt.c | 24 +- src/lib/libssl/shlib_version | 4 +- src/lib/libssl/src/CHANGES | 285 ++++++++++++++ src/lib/libssl/src/Configure | 152 +++++--- src/lib/libssl/src/FAQ | 419 +++++++++++++-------- src/lib/libssl/src/LICENSE | 2 +- src/lib/libssl/src/Makefile.org | 173 ++++----- src/lib/libssl/src/NEWS | 25 ++ src/lib/libssl/src/README | 3 +- src/lib/libssl/src/apps/Makefile.ssl | 5 +- src/lib/libssl/src/apps/app_rand.c | 6 +- src/lib/libssl/src/apps/ca-cert.srl | 2 +- src/lib/libssl/src/apps/dsaparam.c | 2 +- src/lib/libssl/src/apps/md5.c | 127 +++++++ src/lib/libssl/src/apps/passwd.c | 3 +- src/lib/libssl/src/apps/pca-cert.srl | 2 +- src/lib/libssl/src/apps/req.c | 9 +- src/lib/libssl/src/apps/rmd160.c | 127 +++++++ src/lib/libssl/src/apps/rsautl.c | 4 + src/lib/libssl/src/apps/s_client.c | 18 +- src/lib/libssl/src/apps/s_server.c | 55 ++- src/lib/libssl/src/apps/server.pem | 16 +- src/lib/libssl/src/apps/speed.c | 4 +- src/lib/libssl/src/apps/x509.c | 2 + src/lib/libssl/src/certs/rsa-ssca.pem | 19 - src/lib/libssl/src/config | 50 ++- src/lib/libssl/src/crypto/Makefile | 10 +- src/lib/libssl/src/crypto/Makefile.ssl | 10 +- src/lib/libssl/src/crypto/asn1/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/asn1/a_strnid.c | 2 +- src/lib/libssl/src/crypto/asn1/asn1_lib.c | 2 +- src/lib/libssl/src/crypto/asn1/asn1_mac.h | 23 ++ src/lib/libssl/src/crypto/asn1/p7_lib.c | 2 + src/lib/libssl/src/crypto/asn1/x_crl.c | 10 +- src/lib/libssl/src/crypto/asn1/x_name.c | 6 +- src/lib/libssl/src/crypto/bf/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/bio/Makefile.ssl | 17 +- src/lib/libssl/src/crypto/bio/b_print.c | 1 + src/lib/libssl/src/crypto/bio/b_sock.c | 14 +- src/lib/libssl/src/crypto/bn/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/bn/asm/mips3.s | 8 +- src/lib/libssl/src/crypto/bn/asm/pa-risc2.s | 2 +- src/lib/libssl/src/crypto/bn/asm/pa-risc2W.s | 2 +- src/lib/libssl/src/crypto/bn/bn.h | 8 +- src/lib/libssl/src/crypto/bn/bn_div.c | 7 +- src/lib/libssl/src/crypto/bn/bn_err.c | 3 + src/lib/libssl/src/crypto/bn/bn_lib.c | 7 + src/lib/libssl/src/crypto/bn/bn_rand.c | 107 +++++- src/lib/libssl/src/crypto/bn/bn_shift.c | 5 + src/lib/libssl/src/crypto/bn/bntest.c | 64 ++-- src/lib/libssl/src/crypto/buffer/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/cast/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/comp/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/conf/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/conf/conf.h | 2 + src/lib/libssl/src/crypto/conf/conf_err.c | 2 + src/lib/libssl/src/crypto/conf/conf_lib.c | 84 +++-- src/lib/libssl/src/crypto/crypto-lib.com | 2 +- src/lib/libssl/src/crypto/crypto.h | 2 + src/lib/libssl/src/crypto/des/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/des/asm/des-586.pl | 4 +- src/lib/libssl/src/crypto/des/asm/des686.pl | 2 +- src/lib/libssl/src/crypto/des/asm/readme | 2 +- src/lib/libssl/src/crypto/des/cbc_cksm.c | 2 +- src/lib/libssl/src/crypto/des/cfb64enc.c | 4 +- src/lib/libssl/src/crypto/des/cfb_enc.c | 4 +- src/lib/libssl/src/crypto/des/des.h | 8 +- src/lib/libssl/src/crypto/des/des_enc.c | 2 +- src/lib/libssl/src/crypto/des/des_opts.c | 48 +-- src/lib/libssl/src/crypto/des/dess.cpp | 18 +- src/lib/libssl/src/crypto/des/ecb_enc.c | 2 +- src/lib/libssl/src/crypto/des/ede_cbcm_enc.c | 16 +- src/lib/libssl/src/crypto/des/ncbc_enc.c | 8 +- src/lib/libssl/src/crypto/des/ofb64enc.c | 2 +- src/lib/libssl/src/crypto/des/ofb_enc.c | 2 +- src/lib/libssl/src/crypto/des/pcbc_enc.c | 4 +- src/lib/libssl/src/crypto/des/speed.c | 4 +- src/lib/libssl/src/crypto/des/xcbc_enc.c | 8 +- src/lib/libssl/src/crypto/dh/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/dh/dh_key.c | 11 +- src/lib/libssl/src/crypto/dh/dh_lib.c | 8 +- src/lib/libssl/src/crypto/dsa/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/dso/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/dso/dso_dl.c | 23 +- src/lib/libssl/src/crypto/dso/dso_vms.c | 4 +- src/lib/libssl/src/crypto/ebcdic.c | 2 +- src/lib/libssl/src/crypto/engine/engine_lib.c | 11 +- src/lib/libssl/src/crypto/err/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/err/err.c | 20 +- src/lib/libssl/src/crypto/evp/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/evp/evp.h | 36 +- src/lib/libssl/src/crypto/ex_data.c | 2 +- src/lib/libssl/src/crypto/hmac/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/idea/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/lhash/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/md2/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/md4/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/md5/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/mdc2/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/mem_dbg.c | 98 +++-- src/lib/libssl/src/crypto/objects/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/opensslv.h | 4 +- src/lib/libssl/src/crypto/pem/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/pem/pem_info.c | 2 +- src/lib/libssl/src/crypto/pkcs12/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/pkcs12/p12_attr.c | 2 +- src/lib/libssl/src/crypto/pkcs12/p12_key.c | 13 +- src/lib/libssl/src/crypto/pkcs12/p12_kiss.c | 1 + src/lib/libssl/src/crypto/pkcs12/p12_utl.c | 18 +- src/lib/libssl/src/crypto/pkcs12/pkcs12.h | 2 +- src/lib/libssl/src/crypto/pkcs7/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/pkcs7/pk7_doit.c | 13 +- src/lib/libssl/src/crypto/pkcs7/pk7_mime.c | 6 +- src/lib/libssl/src/crypto/pkcs7/pk7_smime.c | 13 +- src/lib/libssl/src/crypto/rand/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/rand/md_rand.c | 4 +- src/lib/libssl/src/crypto/rand/rand.h | 4 +- src/lib/libssl/src/crypto/rand/rand_egd.c | 7 + src/lib/libssl/src/crypto/rand/rand_win.c | 8 +- src/lib/libssl/src/crypto/rand/randfile.c | 10 +- src/lib/libssl/src/crypto/rc2/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/rc4/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/rc5/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/ripemd/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/rsa/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/rsa/rsa_eay.c | 97 ++++- src/lib/libssl/src/crypto/rsa/rsa_lib.c | 10 +- src/lib/libssl/src/crypto/sha/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/sha/asm/sha1-586.pl | 12 +- src/lib/libssl/src/crypto/stack/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/txt_db/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/uid.c | 88 +++++ src/lib/libssl/src/crypto/x509/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/x509/by_dir.c | 2 +- src/lib/libssl/src/crypto/x509/x509_cmp.c | 18 +- src/lib/libssl/src/crypto/x509v3/Makefile.ssl | 3 +- src/lib/libssl/src/crypto/x509v3/v3_alt.c | 2 +- src/lib/libssl/src/crypto/x509v3/v3_prn.c | 26 +- src/lib/libssl/src/crypto/x509v3/v3_purp.c | 6 +- src/lib/libssl/src/doc/apps/pkcs12.pod | 20 + src/lib/libssl/src/doc/apps/s_client.pod | 9 + src/lib/libssl/src/doc/apps/s_server.pod | 11 +- src/lib/libssl/src/doc/crypto/BN_rand.pod | 22 +- src/lib/libssl/src/doc/crypto/RAND_egd.pod | 35 +- src/lib/libssl/src/doc/crypto/RAND_load_file.pod | 2 +- src/lib/libssl/src/doc/crypto/bn.pod | 1 + src/lib/libssl/src/doc/crypto/evp.pod | 2 +- src/lib/libssl/src/doc/crypto/rand.pod | 12 +- src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod | 67 +++- .../src/doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 38 ++ src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod | 65 ++++ .../libssl/src/doc/ssl/SSL_CTX_flush_sessions.pod | 49 +++ src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod | 2 +- .../src/doc/ssl/SSL_CTX_get_ex_new_index.pod | 53 +++ .../libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod | 50 +++ .../src/doc/ssl/SSL_CTX_load_verify_locations.pod | 124 ++++++ src/lib/libssl/src/doc/ssl/SSL_CTX_new.pod | 15 +- src/lib/libssl/src/doc/ssl/SSL_CTX_sess_number.pod | 76 ++++ .../src/doc/ssl/SSL_CTX_sess_set_cache_size.pod | 51 +++ .../libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod | 81 ++++ src/lib/libssl/src/doc/ssl/SSL_CTX_sessions.pod | 34 ++ .../libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod | 4 +- .../src/doc/ssl/SSL_CTX_set_client_CA_list.pod | 90 +++++ .../src/doc/ssl/SSL_CTX_set_default_passwd_cb.pod | 70 ++++ src/lib/libssl/src/doc/ssl/SSL_CTX_set_mode.pod | 78 ++++ src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod | 183 +++++++++ .../src/doc/ssl/SSL_CTX_set_session_cache_mode.pod | 107 ++++++ .../src/doc/ssl/SSL_CTX_set_session_id_context.pod | 82 ++++ .../libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod | 13 +- src/lib/libssl/src/doc/ssl/SSL_CTX_set_timeout.pod | 55 +++ src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod | 284 ++++++++++++++ .../libssl/src/doc/ssl/SSL_CTX_use_certificate.pod | 154 ++++++++ .../src/doc/ssl/SSL_SESSION_get_ex_new_index.pod | 61 +++ .../libssl/src/doc/ssl/SSL_SESSION_get_time.pod | 63 ++++ src/lib/libssl/src/doc/ssl/SSL_accept.pod | 11 +- src/lib/libssl/src/doc/ssl/SSL_clear.pod | 16 +- src/lib/libssl/src/doc/ssl/SSL_connect.pod | 11 +- src/lib/libssl/src/doc/ssl/SSL_free.pod | 13 +- .../libssl/src/doc/ssl/SSL_get_client_CA_list.pod | 52 +++ src/lib/libssl/src/doc/ssl/SSL_get_error.pod | 30 +- .../doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod | 61 +++ .../libssl/src/doc/ssl/SSL_get_ex_new_index.pod | 59 +++ .../libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod | 2 +- .../src/doc/ssl/SSL_get_peer_certificate.pod | 2 +- src/lib/libssl/src/doc/ssl/SSL_get_session.pod | 21 +- .../libssl/src/doc/ssl/SSL_get_verify_result.pod | 4 +- src/lib/libssl/src/doc/ssl/SSL_get_version.pod | 46 +++ .../libssl/src/doc/ssl/SSL_load_client_CA_file.pod | 62 +++ src/lib/libssl/src/doc/ssl/SSL_new.pod | 1 + src/lib/libssl/src/doc/ssl/SSL_pending.pod | 13 + src/lib/libssl/src/doc/ssl/SSL_read.pod | 25 +- .../libssl/src/doc/ssl/SSL_set_connect_state.pod | 47 +++ src/lib/libssl/src/doc/ssl/SSL_set_session.pod | 3 +- src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod | 68 ++++ src/lib/libssl/src/doc/ssl/SSL_shutdown.pod | 18 +- src/lib/libssl/src/doc/ssl/SSL_write.pod | 31 +- src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod | 56 +++ src/lib/libssl/src/doc/ssl/ssl.pod | 150 +++++--- src/lib/libssl/src/doc/ssleay.txt | 2 +- src/lib/libssl/src/e_os.h | 2 + src/lib/libssl/src/ms/16all.bat | 3 + src/lib/libssl/src/ms/32all.bat | 3 + src/lib/libssl/src/ms/test.bat | 2 +- src/lib/libssl/src/openssl.spec | 36 +- src/lib/libssl/src/rsaref/Makefile.ssl | 3 +- src/lib/libssl/src/ssl/Makefile.ssl | 3 +- src/lib/libssl/src/ssl/s23_lib.c | 38 +- src/lib/libssl/src/ssl/s23_meth.c | 2 +- src/lib/libssl/src/ssl/s2_clnt.c | 1 + src/lib/libssl/src/ssl/s2_lib.c | 10 +- src/lib/libssl/src/ssl/s2_pkt.c | 169 ++++++--- src/lib/libssl/src/ssl/s3_both.c | 4 +- src/lib/libssl/src/ssl/s3_clnt.c | 1 + src/lib/libssl/src/ssl/s3_enc.c | 5 +- src/lib/libssl/src/ssl/s3_lib.c | 88 +++-- src/lib/libssl/src/ssl/s3_pkt.c | 24 +- src/lib/libssl/src/ssl/ssl.h | 16 +- src/lib/libssl/src/ssl/ssl2.h | 6 +- src/lib/libssl/src/ssl/ssl_algs.c | 4 + src/lib/libssl/src/ssl/ssl_cert.c | 2 + src/lib/libssl/src/ssl/ssl_err.c | 4 + src/lib/libssl/src/ssl/ssl_lib.c | 19 +- src/lib/libssl/src/ssl/ssl_locl.h | 59 ++- src/lib/libssl/src/ssl/ssl_sess.c | 1 + src/lib/libssl/src/ssl/t1_enc.c | 5 +- src/lib/libssl/src/test/Makefile.ssl | 4 +- src/lib/libssl/src/tools/c_rehash.in | 14 +- src/lib/libssl/src/util/clean-depend.pl | 4 +- src/lib/libssl/src/util/libeay.num | 127 ++++--- src/lib/libssl/src/util/mkdef.pl | 26 +- src/lib/libssl/src/util/mklink.pl | 7 +- src/lib/libssl/src/util/pod2man.pl | 2 + src/lib/libssl/ssl.h | 16 +- src/lib/libssl/ssl/shlib_version | 4 +- src/lib/libssl/ssl2.h | 6 +- src/lib/libssl/ssl_algs.c | 4 + src/lib/libssl/ssl_cert.c | 2 + src/lib/libssl/ssl_err.c | 4 + src/lib/libssl/ssl_lib.c | 19 +- src/lib/libssl/ssl_locl.h | 59 ++- src/lib/libssl/ssl_sess.c | 1 + src/lib/libssl/t1_enc.c | 5 +- src/lib/libssl/test/Makefile.ssl | 4 +- 371 files changed, 6399 insertions(+), 1594 deletions(-) create mode 100644 src/lib/libcrypto/uid.c create mode 100644 src/lib/libssl/src/apps/md5.c create mode 100644 src/lib/libssl/src/apps/rmd160.c create mode 100644 src/lib/libssl/src/crypto/uid.c create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_add_extra_chain_cert.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_flush_sessions.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_sess_number.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_cache_size.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_sessions.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_set_default_passwd_cb.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_set_mode.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_set_timeout.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_get_version.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_load_client_CA_file.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_set_connect_state.pod create mode 100644 src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod create mode 100644 src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod (limited to 'src') diff --git a/src/lib/libcrypto/Attic/Makefile b/src/lib/libcrypto/Attic/Makefile index 05e3bb701e..6759b2e4d0 100644 --- a/src/lib/libcrypto/Attic/Makefile +++ b/src/lib/libcrypto/Attic/Makefile @@ -34,8 +34,8 @@ SDIRS= md2 md5 sha mdc2 hmac ripemd \ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a -LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c -LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o +LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c +LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o SRC= $(LIBSRC) @@ -90,7 +90,8 @@ links: lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib libs: @@ -197,3 +198,6 @@ tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h +uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h +uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h +uid.o: ../include/openssl/symhacks.h diff --git a/src/lib/libcrypto/Makefile.ssl b/src/lib/libcrypto/Makefile.ssl index 05e3bb701e..6759b2e4d0 100644 --- a/src/lib/libcrypto/Makefile.ssl +++ b/src/lib/libcrypto/Makefile.ssl @@ -34,8 +34,8 @@ SDIRS= md2 md5 sha mdc2 hmac ripemd \ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a -LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c -LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o +LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c +LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o SRC= $(LIBSRC) @@ -90,7 +90,8 @@ links: lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib libs: @@ -197,3 +198,6 @@ tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h +uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h +uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h +uid.o: ../include/openssl/symhacks.h diff --git a/src/lib/libcrypto/asn1/Makefile.ssl b/src/lib/libcrypto/asn1/Makefile.ssl index b8059ddffe..dace5be2bc 100644 --- a/src/lib/libcrypto/asn1/Makefile.ssl +++ b/src/lib/libcrypto/asn1/Makefile.ssl @@ -75,7 +75,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c index 6b10cff994..732e68fe46 100644 --- a/src/lib/libcrypto/asn1/a_strnid.c +++ b/src/lib/libcrypto/asn1/a_strnid.c @@ -133,7 +133,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, if(tbl) { mask = tbl->mask; if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask; - ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask, + ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask, tbl->minsize, tbl->maxsize); } else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask); if(ret <= 0) return NULL; diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c index 77447a5240..a8b651e54e 100644 --- a/src/lib/libcrypto/asn1/asn1_lib.c +++ b/src/lib/libcrypto/asn1/asn1_lib.c @@ -301,7 +301,7 @@ int asn1_GetSequence(ASN1_CTX *c, long *length) return(0); } if (c->inf == (1|V_ASN1_CONSTRUCTED)) - c->slen= *length+ *(c->pp)-c->p; + c->slen= *length; c->eos=0; return(1); } diff --git a/src/lib/libcrypto/asn1/asn1_mac.h b/src/lib/libcrypto/asn1/asn1_mac.h index 4512ba6cc6..af0e664b2d 100644 --- a/src/lib/libcrypto/asn1/asn1_mac.h +++ b/src/lib/libcrypto/asn1/asn1_mac.h @@ -196,6 +196,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_put_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_put_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_put_SEQUENCE_type(type,a,f); + #define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \ if ((c.slen != 0) && \ (M_ASN1_next == \ @@ -389,6 +392,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_len_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_len_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_len_SEQUENCE_type(type,a,f); + #define M_ASN1_I2D_len_IMP_SET(a,f,x) \ ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET); @@ -452,6 +458,15 @@ err:\ ret+=ASN1_object_size(1,v,mtag); \ } +#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a)\ + { \ + v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \ + V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + ret+=ASN1_object_size(1,v,mtag); \ + } + /* Put Macros */ #define M_ASN1_I2D_put(a,f) f(a,&p) @@ -536,6 +551,14 @@ err:\ IS_SEQUENCE); \ } +#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a) \ + { \ + ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \ + i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + } + #define M_ASN1_I2D_seq_total() \ r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \ if (pp == NULL) return(r); \ diff --git a/src/lib/libcrypto/asn1/p7_lib.c b/src/lib/libcrypto/asn1/p7_lib.c index b1196ef581..8a340b0119 100644 --- a/src/lib/libcrypto/asn1/p7_lib.c +++ b/src/lib/libcrypto/asn1/p7_lib.c @@ -307,12 +307,14 @@ PKCS7 *d2i_PKCS7(PKCS7 **a, unsigned char **pp, long length) } if (Tinf == (1|V_ASN1_CONSTRUCTED)) { + c.q=c.p; if (!ASN1_check_infinite_end(&c.p,c.slen)) { c.error=ERR_R_MISSING_ASN1_EOS; c.line=__LINE__; goto err; } + c.slen-=(c.p-c.q); } } else diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c index 1f302d0e01..51518cdf35 100644 --- a/src/lib/libcrypto/asn1/x_crl.c +++ b/src/lib/libcrypto/asn1/x_crl.c @@ -71,14 +71,14 @@ int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **pp) M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_len_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_seq_total(); M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_put_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_finish(); @@ -121,7 +121,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_len_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -138,7 +138,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -260,7 +260,7 @@ X509_CRL_INFO *X509_CRL_INFO_new(void) M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new); ret->nextUpdate=NULL; M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null); - M_ASN1_New(ret->extensions,sk_X509_EXTENSION_new_null); + ret->extensions = NULL; sk_X509_REVOKED_set_cmp_func(ret->revoked,X509_REVOKED_cmp); return(ret); M_ASN1_New_Error(ASN1_F_X509_CRL_INFO_NEW); diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c index b832deb928..1885d699ef 100644 --- a/src/lib/libcrypto/asn1/x_name.c +++ b/src/lib/libcrypto/asn1/x_name.c @@ -141,10 +141,12 @@ static int i2d_X509_NAME_entries(X509_NAME *a) } size+=i2d_X509_NAME_ENTRY(ne,NULL); } - - ret+=ASN1_object_size(1,size,V_ASN1_SET); if (fe != NULL) + { + /* SET OF needed only if entries is non empty */ + ret+=ASN1_object_size(1,size,V_ASN1_SET); fe->size=size; + } r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); diff --git a/src/lib/libcrypto/bf/Makefile.ssl b/src/lib/libcrypto/bf/Makefile.ssl index f4eb90f13f..9205ee7901 100644 --- a/src/lib/libcrypto/bf/Makefile.ssl +++ b/src/lib/libcrypto/bf/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libcrypto/bio/Makefile.ssl b/src/lib/libcrypto/bio/Makefile.ssl index 916d651d47..567d3fb870 100644 --- a/src/lib/libcrypto/bio/Makefile.ssl +++ b/src/lib/libcrypto/bio/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: @@ -95,13 +96,13 @@ b_dump.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h b_dump.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h b_dump.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h b_dump.o: ../cryptlib.h -b_print.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h -b_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h -b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -b_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h -b_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h -b_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -b_print.o: ../cryptlib.h +b_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +b_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +b_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h +b_print.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +b_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +b_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +b_print.o: ../../include/openssl/symhacks.h ../cryptlib.h b_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h b_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c index a62f551635..b4f7a85f2e 100644 --- a/src/lib/libcrypto/bio/b_print.c +++ b/src/lib/libcrypto/bio/b_print.c @@ -69,6 +69,7 @@ #ifndef NO_SYS_TYPES_H #include #endif +#include /* To get BN_LLONG properly defined */ #include #ifdef BN_LLONG diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c index 64310058b4..62cc3f1a0c 100644 --- a/src/lib/libcrypto/bio/b_sock.c +++ b/src/lib/libcrypto/bio/b_sock.c @@ -113,8 +113,8 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) /* At this point, we have something that is most probably correct in some way, so let's init the socket. */ - if (!BIO_sock_init()) - return(0); /* don't generate another error code here */ + if (BIO_sock_init() != 1) + return 0; /* don't generate another error code here */ /* If the string actually contained an IP address, we need not do anything more */ @@ -519,15 +519,15 @@ int BIO_get_accept_socket(char *host, int bind_mode) { int ret=0; struct sockaddr_in server,client; - int s= -1,cs; + int s=INVALID_SOCKET,cs; unsigned char ip[4]; unsigned short port; - char *str,*e; + char *str=NULL,*e; const char *h,*p; unsigned long l; int err_num; - if (!BIO_sock_init()) return(INVALID_SOCKET); + if (BIO_sock_init() != 1) return(INVALID_SOCKET); if ((str=BUF_strdup(host)) == NULL) return(INVALID_SOCKET); @@ -553,7 +553,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) h="*"; } - if (!BIO_get_port(p,&port)) return(INVALID_SOCKET); + if (!BIO_get_port(p,&port)) goto err; memset((char *)&server,0,sizeof(server)); server.sin_family=AF_INET; @@ -563,7 +563,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) server.sin_addr.s_addr=INADDR_ANY; else { - if (!BIO_get_host_ip(h,&(ip[0]))) return(INVALID_SOCKET); + if (!BIO_get_host_ip(h,&(ip[0]))) goto err; l=(unsigned long) ((unsigned long)ip[0]<<24L)| ((unsigned long)ip[1]<<16L)| diff --git a/src/lib/libcrypto/bn/Makefile.ssl b/src/lib/libcrypto/bn/Makefile.ssl index 17b72d577f..526d7adb5c 100644 --- a/src/lib/libcrypto/bn/Makefile.ssl +++ b/src/lib/libcrypto/bn/Makefile.ssl @@ -68,7 +68,8 @@ bnbug: bnbug.c ../../libcrypto.a top lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libcrypto/bn/asm/mips3.s b/src/lib/libcrypto/bn/asm/mips3.s index 2df4dcd4b0..45786c00a5 100644 --- a/src/lib/libcrypto/bn/asm/mips3.s +++ b/src/lib/libcrypto/bn/asm/mips3.s @@ -586,13 +586,13 @@ LEAF(bn_div_3_words) ld a0,(a3) move ta2,a1 ld a1,-8(a3) - move ta3,ra - move v1,zero + bne a0,a2,.L_bn_div_3_words_proceed li v0,-1 - beq a0,a2,.L_bn_div_3_words_skip_div + jr ra +.L_bn_div_3_words_proceed: + move ta3,ra bal bn_div_words move ra,ta3 -.L_bn_div_3_words_skip_div: dmultu ta2,v0 ld t2,-16(a3) move ta0,zero diff --git a/src/lib/libcrypto/bn/asm/pa-risc2.s b/src/lib/libcrypto/bn/asm/pa-risc2.s index 7239aa2c76..af9730d062 100644 --- a/src/lib/libcrypto/bn/asm/pa-risc2.s +++ b/src/lib/libcrypto/bn/asm/pa-risc2.s @@ -1611,7 +1611,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$7 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/src/lib/libcrypto/bn/asm/pa-risc2W.s b/src/lib/libcrypto/bn/asm/pa-risc2W.s index 54b6606252..a99545754d 100644 --- a/src/lib/libcrypto/bn/asm/pa-risc2W.s +++ b/src/lib/libcrypto/bn/asm/pa-risc2W.s @@ -1598,7 +1598,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$4 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h index 1eb8395b25..b232c2ceae 100644 --- a/src/lib/libcrypto/bn/bn.h +++ b/src/lib/libcrypto/bn/bn.h @@ -239,7 +239,7 @@ typedef struct bignum_st } BIGNUM; /* Used for temp variables */ -#define BN_CTX_NUM 12 +#define BN_CTX_NUM 16 #define BN_CTX_NUM_POS 12 typedef struct bignum_ctx { @@ -328,6 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx); void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); +int BN_rand_range(BIGNUM *rnd, BIGNUM *range); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); @@ -467,6 +468,8 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num); # define bn_dump(a,b) #endif +int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -493,16 +496,19 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num); #define BN_F_BN_MPI2BN 112 #define BN_F_BN_NEW 113 #define BN_F_BN_RAND 114 +#define BN_F_BN_RAND_RANGE 122 #define BN_F_BN_USUB 115 /* Reason codes. */ #define BN_R_ARG2_LT_ARG3 100 #define BN_R_BAD_RECIPROCAL 101 +#define BN_R_BIGNUM_TOO_LONG 114 #define BN_R_CALLED_WITH_EVEN_MODULUS 102 #define BN_R_DIV_BY_ZERO 103 #define BN_R_ENCODING_ERROR 104 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105 #define BN_R_INVALID_LENGTH 106 +#define BN_R_INVALID_RANGE 115 #define BN_R_NOT_INITIALIZED 107 #define BN_R_NO_INVERSE 108 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c index c3772c243b..c328b5b411 100644 --- a/src/lib/libcrypto/bn/bn_div.c +++ b/src/lib/libcrypto/bn/bn_div.c @@ -180,13 +180,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, BN_CTX_start(ctx); tmp=BN_CTX_get(ctx); - tmp->neg=0; snum=BN_CTX_get(ctx); sdiv=BN_CTX_get(ctx); if (dv == NULL) res=BN_CTX_get(ctx); else res=dv; - if (res == NULL) goto err; + if (sdiv==NULL || res == NULL) goto err; + tmp->neg=0; /* First we normalise the numbers */ norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2); @@ -237,7 +237,8 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, for (i=0; i +#include #include #include "cryptlib.h" #include "bn_lcl.h" @@ -319,6 +320,12 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) if (words > b->dmax) { + if (words > (INT_MAX/(4*BN_BITS2))) + { + BNerr(BN_F_BN_EXPAND2,BN_R_BIGNUM_TOO_LONG); + return NULL; + } + bn_check_top(b); if (BN_get_flags(b,BN_FLG_STATIC_DATA)) { diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c index 21ecbc04ed..acd0619921 100644 --- a/src/lib/libcrypto/bn/bn_rand.c +++ b/src/lib/libcrypto/bn/bn_rand.c @@ -76,7 +76,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) bytes=(bits+7)/8; bit=(bits-1)%8; - mask=0xff<= 128 && i > 0) + buf[i] = buf[i-1]; + else if (c < 42) + buf[i] = 0; + else if (c < 84) + buf[i] = 255; + } + } +#endif + + if (top != -1) + { + if (top) { - buf[0]=1; - buf[1]|=0x80; + if (bit == 0) + { + buf[0]=1; + buf[1]|=0x80; + } + else + { + buf[0]|=(3<<(bit-1)); + } } else { - buf[0]|=(3<<(bit-1)); - buf[0]&= ~(mask<<1); + buf[0]|=(1<neg || BN_is_zero(range)) + { + BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); + return 0; + } + + n = BN_num_bits(range); /* n > 0 */ + + if (n == 1) + { + if (!BN_zero(r)) return 0; + } + else if (BN_is_bit_set(range, n - 2)) + { + do + { + /* range = 11..._2, so each iteration succeeds with probability >= .75 */ + if (!BN_rand(r, n, -1, 0)) return 0; + } + while (BN_cmp(r, range) >= 0); + } + else + { + /* range = 10..._2, + * so 3*range (= 11..._2) is exactly one bit longer than range */ + do + { + if (!BN_rand(r, n + 1, -1, 0)) return 0; + /* If r < 3*range, use r := r MOD range + * (which is either r, r - range, or r - 2*range). + * Otherwise, iterate once more. + * Since 3*range = 11..._2, each iteration succeeds with + * probability >= .75. */ + if (BN_cmp(r ,range) >= 0) + { + if (!BN_sub(r, r, range)) return 0; + if (BN_cmp(r, range) >= 0) + if (!BN_sub(r, r, range)) return 0; + } + } + while (BN_cmp(r, range) >= 0); + } + + return 1; + } diff --git a/src/lib/libcrypto/bn/bn_shift.c b/src/lib/libcrypto/bn/bn_shift.c index 0883247384..c2608f9f4a 100644 --- a/src/lib/libcrypto/bn/bn_shift.c +++ b/src/lib/libcrypto/bn/bn_shift.c @@ -172,6 +172,11 @@ int BN_rshift(BIGNUM *r, BIGNUM *a, int n) r->neg=a->neg; if (bn_wexpand(r,a->top-nw+1) == NULL) return(0); } + else + { + if (n == 0) + return 1; /* or the copying loop will go berserk */ + } f= &(a->d[nw]); t=r->d; diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c index 0a97af69c5..af0c2629e8 100644 --- a/src/lib/libcrypto/bn/bntest.c +++ b/src/lib/libcrypto/bn/bntest.c @@ -107,11 +107,9 @@ static const char rnd_seed[] = "string to make the random number generator think static void message(BIO *out, char *m) { fprintf(stderr, "test %s\n", m); -#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */ BIO_puts(out, "print \"test "); BIO_puts(out, m); BIO_puts(out, "\\n\"\n"); -#endif } int main(int argc, char *argv[]) @@ -122,9 +120,7 @@ int main(int argc, char *argv[]) results = 0; - RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't - * even check its return value - * (which we should) */ + RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */ argc--; argv++; @@ -253,10 +249,10 @@ int test_add(BIO *bp) BN_init(&b); BN_init(&c); - BN_rand(&a,512,0,0); + BN_bntest_rand(&a,512,0,0); for (i=0; ineg=rand_neg(); b->neg=rand_neg(); if (bp == NULL) @@ -732,11 +728,11 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx) d=BN_new(); e=BN_new(); - BN_rand(c,1024,0,0); /**/ + BN_bntest_rand(c,1024,0,0); /**/ for (i=0; ineg=rand_neg(); b->neg=rand_neg(); /* if (bp == NULL) @@ -794,11 +790,11 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx) d=BN_new(); e=BN_new(); - BN_rand(c,30,0,1); /* must be odd for montgomery */ + BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */ for (i=0; ineg=rand_neg(); } for (i=0; ineg=rand_neg(); for (i=0; ineg=rand_neg(); for (i=0; ineg=rand_neg(); for (i=0; iinit(&ctmp); - ctmp.data = conf; - return NCONF_get_section(&ctmp, section); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_section(&ctmp, section); + } } char *CONF_get_string(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_string(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_string(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_string(&ctmp, group, name); + } } long CONF_get_number(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_number(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_number(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_number(&ctmp, group, name); + } } void CONF_free(LHASH *conf) @@ -299,27 +320,46 @@ STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section) return NULL; } + if (section == NULL) + { + CONFerr(CONF_F_NCONF_GET_SECTION,CONF_R_NO_SECTION); + return NULL; + } + return _CONF_get_section_values(conf, section); } char *NCONF_get_string(CONF *conf,char *group,char *name) { + char *s = _CONF_get_string(conf, group, name); + + /* Since we may get a value from an environment variable even + if conf is NULL, let's check the value first */ + if (s) return s; + if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_STRING,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_STRING, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return NULL; } - - return _CONF_get_string(conf, group, name); + return NULL; } long NCONF_get_number(CONF *conf,char *group,char *name) { +#if 0 /* As with _CONF_get_string(), we rely on the possibility of finding + an environment variable with a suitable name. Unfortunately, there's + no way with the current API to see if we found one or not... + The meaning of this is that if a number is not found anywhere, it + will always default to 0. */ if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_NUMBER,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_NUMBER, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return 0; } +#endif return _CONF_get_number(conf, group, name); } diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com index 21d56a4b50..482a136177 100644 --- a/src/lib/libcrypto/crypto-lib.com +++ b/src/lib/libcrypto/crypto-lib.com @@ -174,7 +174,7 @@ $! $ APPS_DES = "DES/DES,CBC3_ENC" $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE" $ -$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err" +$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid" $ LIB_MD2 = "md2_dgst,md2_one" $ LIB_MD4 = "md4_dgst,md4_one" $ LIB_MD5 = "md5_dgst,md5_one" diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h index 52ee97b71a..9257673279 100644 --- a/src/lib/libcrypto/crypto.h +++ b/src/lib/libcrypto/crypto.h @@ -278,6 +278,8 @@ int CRYPTO_is_mem_check_on(void); const char *SSLeay_version(int type); unsigned long SSLeay(void); +int OPENSSL_issetugid(void); + int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val); diff --git a/src/lib/libcrypto/des/Makefile.ssl b/src/lib/libcrypto/des/Makefile.ssl index 34a360b7ab..cc5379feb2 100644 --- a/src/lib/libcrypto/des/Makefile.ssl +++ b/src/lib/libcrypto/des/Makefile.ssl @@ -57,7 +57,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib des: des.o cbc3_enc.o lib diff --git a/src/lib/libcrypto/des/asm/des-586.pl b/src/lib/libcrypto/des/asm/des-586.pl index f054071077..c890766bc9 100644 --- a/src/lib/libcrypto/des/asm/des-586.pl +++ b/src/lib/libcrypto/des/asm/des-586.pl @@ -20,11 +20,11 @@ $L="edi"; $R="esi"; &external_label("des_SPtrans"); -&des_encrypt("des_encrypt",1); +&des_encrypt("des_encrypt1",1); &des_encrypt("des_encrypt2",0); &des_encrypt3("des_encrypt3",1); &des_encrypt3("des_decrypt3",0); -&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1); +&cbc("des_ncbc_encrypt","des_encrypt1","des_encrypt1",0,4,5,3,5,-1); &cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5); &asm_finish(); diff --git a/src/lib/libcrypto/des/asm/des686.pl b/src/lib/libcrypto/des/asm/des686.pl index 77dc5b51cd..84c3e85438 100644 --- a/src/lib/libcrypto/des/asm/des686.pl +++ b/src/lib/libcrypto/des/asm/des686.pl @@ -46,7 +46,7 @@ EOF $L="edi"; $R="esi"; -&des_encrypt("des_encrypt",1); +&des_encrypt("des_encrypt1",1); &des_encrypt("des_encrypt2",0); &des_encrypt3("des_encrypt3",1); diff --git a/src/lib/libcrypto/des/asm/readme b/src/lib/libcrypto/des/asm/readme index f8529d9307..1beafe253b 100644 --- a/src/lib/libcrypto/des/asm/readme +++ b/src/lib/libcrypto/des/asm/readme @@ -8,7 +8,7 @@ assembler for the inner DES routines in libdes :-). The file to implement in assembler is des_enc.c. Replace the following 4 functions -des_encrypt(DES_LONG data[2],des_key_schedule ks, int encrypt); +des_encrypt1(DES_LONG data[2],des_key_schedule ks, int encrypt); des_encrypt2(DES_LONG data[2],des_key_schedule ks, int encrypt); des_encrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3); des_decrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3); diff --git a/src/lib/libcrypto/des/cbc_cksm.c b/src/lib/libcrypto/des/cbc_cksm.c index 1e543cb2a1..b857df0985 100644 --- a/src/lib/libcrypto/des/cbc_cksm.c +++ b/src/lib/libcrypto/des/cbc_cksm.c @@ -82,7 +82,7 @@ DES_LONG des_cbc_cksum(const unsigned char *in, des_cblock *output, tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); /* fix 15/10/91 eay - thanks to keithr@sco.COM */ tout0=tin[0]; tout1=tin[1]; diff --git a/src/lib/libcrypto/des/cfb64enc.c b/src/lib/libcrypto/des/cfb64enc.c index 389a232cb3..105530dfa3 100644 --- a/src/lib/libcrypto/des/cfb64enc.c +++ b/src/lib/libcrypto/des/cfb64enc.c @@ -82,7 +82,7 @@ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out, { c2l(iv,v0); ti[0]=v0; c2l(iv,v1); ti[1]=v1; - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); iv = &(*ivec)[0]; v0=ti[0]; l2c(v0,iv); v0=ti[1]; l2c(v0,iv); @@ -102,7 +102,7 @@ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out, { c2l(iv,v0); ti[0]=v0; c2l(iv,v1); ti[1]=v1; - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); iv = &(*ivec)[0]; v0=ti[0]; l2c(v0,iv); v0=ti[1]; l2c(v0,iv); diff --git a/src/lib/libcrypto/des/cfb_enc.c b/src/lib/libcrypto/des/cfb_enc.c index cca34dd7c5..ec4fd4ea67 100644 --- a/src/lib/libcrypto/des/cfb_enc.c +++ b/src/lib/libcrypto/des/cfb_enc.c @@ -100,7 +100,7 @@ void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, l-=n; ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); c2ln(in,d0,d1,n); in+=n; d0=(d0^ti[0])&mask0; @@ -132,7 +132,7 @@ void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, l-=n; ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); c2ln(in,d0,d1,n); in+=n; /* 30-08-94 - eay - changed because l>>32 and diff --git a/src/lib/libcrypto/des/des.h b/src/lib/libcrypto/des/des.h index 2db9748cb4..6b8a7ee11b 100644 --- a/src/lib/libcrypto/des/des.h +++ b/src/lib/libcrypto/des/des.h @@ -147,14 +147,14 @@ void des_ecb_encrypt(const_des_cblock *input,des_cblock *output, Data is a pointer to 2 unsigned long's and ks is the des_key_schedule to use. enc, is non zero specifies encryption, zero if decryption. */ -void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc); +void des_encrypt1(DES_LONG *data,des_key_schedule ks, int enc); -/* This functions is the same as des_encrypt() except that the DES +/* This functions is the same as des_encrypt1() except that the DES initial permutation (IP) and final permutation (FP) have been left - out. As for des_encrypt(), you should not use this function. + out. As for des_encrypt1(), you should not use this function. It is used by the routines in the library that implement triple DES. IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same - as des_encrypt() des_encrypt() des_encrypt() except faster :-). */ + as des_encrypt1() des_encrypt1() des_encrypt1() except faster :-). */ void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc); void des_encrypt3(DES_LONG *data, des_key_schedule ks1, diff --git a/src/lib/libcrypto/des/des_enc.c b/src/lib/libcrypto/des/des_enc.c index 8311e10628..0bd9fa39bc 100644 --- a/src/lib/libcrypto/des/des_enc.c +++ b/src/lib/libcrypto/des/des_enc.c @@ -58,7 +58,7 @@ #include "des_locl.h" -void des_encrypt(DES_LONG *data, des_key_schedule ks, int enc) +void des_encrypt1(DES_LONG *data, des_key_schedule ks, int enc) { register DES_LONG l,r,t,u; #ifdef DES_PTR diff --git a/src/lib/libcrypto/des/des_opts.c b/src/lib/libcrypto/des/des_opts.c index b2ca7ac31d..138ee1c6b4 100644 --- a/src/lib/libcrypto/des/des_opts.c +++ b/src/lib/libcrypto/des/des_opts.c @@ -118,7 +118,7 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#define des_encrypt des_encrypt_u4_cisc_idx +#define des_encrypt1 des_encrypt_u4_cisc_idx #define des_encrypt2 des_encrypt2_u4_cisc_idx #define des_encrypt3 des_encrypt3_u4_cisc_idx #define des_decrypt3 des_decrypt3_u4_cisc_idx @@ -130,11 +130,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_idx +#define des_encrypt1 des_encrypt_u16_cisc_idx #define des_encrypt2 des_encrypt2_u16_cisc_idx #define des_encrypt3 des_encrypt3_u16_cisc_idx #define des_decrypt3 des_decrypt3_u16_cisc_idx @@ -146,11 +146,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_idx +#define des_encrypt1 des_encrypt_u4_risc1_idx #define des_encrypt2 des_encrypt2_u4_risc1_idx #define des_encrypt3 des_encrypt3_u4_risc1_idx #define des_decrypt3 des_decrypt3_u4_risc1_idx @@ -166,11 +166,11 @@ extern void exit(); #define DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_idx +#define des_encrypt1 des_encrypt_u4_risc2_idx #define des_encrypt2 des_encrypt2_u4_risc2_idx #define des_encrypt3 des_encrypt3_u4_risc2_idx #define des_decrypt3 des_decrypt3_u4_risc2_idx @@ -182,11 +182,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_idx +#define des_encrypt1 des_encrypt_u16_risc1_idx #define des_encrypt2 des_encrypt2_u16_risc1_idx #define des_encrypt3 des_encrypt3_u16_risc1_idx #define des_decrypt3 des_decrypt3_u16_risc1_idx @@ -198,11 +198,11 @@ extern void exit(); #define DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_idx +#define des_encrypt1 des_encrypt_u16_risc2_idx #define des_encrypt2 des_encrypt2_u16_risc2_idx #define des_encrypt3 des_encrypt3_u16_risc2_idx #define des_decrypt3 des_decrypt3_u16_risc2_idx @@ -218,11 +218,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_cisc_ptr +#define des_encrypt1 des_encrypt_u4_cisc_ptr #define des_encrypt2 des_encrypt2_u4_cisc_ptr #define des_encrypt3 des_encrypt3_u4_cisc_ptr #define des_decrypt3 des_decrypt3_u4_cisc_ptr @@ -234,11 +234,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_ptr +#define des_encrypt1 des_encrypt_u16_cisc_ptr #define des_encrypt2 des_encrypt2_u16_cisc_ptr #define des_encrypt3 des_encrypt3_u16_cisc_ptr #define des_decrypt3 des_decrypt3_u16_cisc_ptr @@ -250,11 +250,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_ptr +#define des_encrypt1 des_encrypt_u4_risc1_ptr #define des_encrypt2 des_encrypt2_u4_risc1_ptr #define des_encrypt3 des_encrypt3_u4_risc1_ptr #define des_decrypt3 des_decrypt3_u4_risc1_ptr @@ -270,11 +270,11 @@ extern void exit(); #define DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_ptr +#define des_encrypt1 des_encrypt_u4_risc2_ptr #define des_encrypt2 des_encrypt2_u4_risc2_ptr #define des_encrypt3 des_encrypt3_u4_risc2_ptr #define des_decrypt3 des_decrypt3_u4_risc2_ptr @@ -286,11 +286,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_ptr +#define des_encrypt1 des_encrypt_u16_risc1_ptr #define des_encrypt2 des_encrypt2_u16_risc1_ptr #define des_encrypt3 des_encrypt3_u16_risc1_ptr #define des_decrypt3 des_decrypt3_u16_risc1_ptr @@ -302,11 +302,11 @@ extern void exit(); #define DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_ptr +#define des_encrypt1 des_encrypt_u16_risc2_ptr #define des_encrypt2 des_encrypt2_u16_risc2_ptr #define des_encrypt3 des_encrypt3_u16_risc2_ptr #define des_decrypt3 des_decrypt3_u16_risc2_ptr @@ -453,7 +453,7 @@ int main(int argc, char **argv) count*=2; Time_F(START); for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); d=Time_F(STOP); } while (d < 3.0); ca=count; diff --git a/src/lib/libcrypto/des/dess.cpp b/src/lib/libcrypto/des/dess.cpp index 753e67ad9b..5549bab90a 100644 --- a/src/lib/libcrypto/des/dess.cpp +++ b/src/lib/libcrypto/des/dess.cpp @@ -45,19 +45,19 @@ void main(int argc,char *argv[]) { for (i=0; i<1000; i++) /**/ { - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(s1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(e1); GetTSC(s2); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(e2); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); } printf("des %d %d (%d)\n", diff --git a/src/lib/libcrypto/des/ecb_enc.c b/src/lib/libcrypto/des/ecb_enc.c index b261a8aad9..d481327ef3 100644 --- a/src/lib/libcrypto/des/ecb_enc.c +++ b/src/lib/libcrypto/des/ecb_enc.c @@ -114,7 +114,7 @@ void des_ecb_encrypt(const_des_cblock *input, des_cblock *output, c2l(in,l); ll[0]=l; c2l(in,l); ll[1]=l; - des_encrypt(ll,ks,enc); + des_encrypt1(ll,ks,enc); l=ll[0]; l2c(l,out); l=ll[1]; l2c(l,out); l=ll[0]=ll[1]=0; diff --git a/src/lib/libcrypto/des/ede_cbcm_enc.c b/src/lib/libcrypto/des/ede_cbcm_enc.c index c53062481d..b98f7e17af 100644 --- a/src/lib/libcrypto/des/ede_cbcm_enc.c +++ b/src/lib/libcrypto/des/ede_cbcm_enc.c @@ -95,7 +95,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, { tin[0]=m0; tin[1]=m1; - des_encrypt(tin,ks3,1); + des_encrypt1(tin,ks3,1); m0=tin[0]; m1=tin[1]; @@ -113,13 +113,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, tin[0]=tin0; tin[1]=tin1; - des_encrypt(tin,ks1,1); + des_encrypt1(tin,ks1,1); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks2,0); + des_encrypt1(tin,ks2,0); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks1,1); + des_encrypt1(tin,ks1,1); tout0=tin[0]; tout1=tin[1]; @@ -146,7 +146,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, { tin[0]=m0; tin[1]=m1; - des_encrypt(tin,ks3,1); + des_encrypt1(tin,ks3,1); m0=tin[0]; m1=tin[1]; @@ -158,13 +158,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, tin[0]=tin0; tin[1]=tin1; - des_encrypt(tin,ks1,0); + des_encrypt1(tin,ks1,0); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks2,1); + des_encrypt1(tin,ks2,1); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks1,0); + des_encrypt1(tin,ks1,0); tout0=tin[0]; tout1=tin[1]; diff --git a/src/lib/libcrypto/des/ncbc_enc.c b/src/lib/libcrypto/des/ncbc_enc.c index 3b681691a9..b8db07b199 100644 --- a/src/lib/libcrypto/des/ncbc_enc.c +++ b/src/lib/libcrypto/des/ncbc_enc.c @@ -89,7 +89,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, c2l(in,tin1); tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; l2c(tout0,out); tout1=tin[1]; l2c(tout1,out); } @@ -98,7 +98,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, c2ln(in,tin0,tin1,l+8); tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; l2c(tout0,out); tout1=tin[1]; l2c(tout1,out); } @@ -116,7 +116,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, { c2l(in,tin0); tin[0]=tin0; c2l(in,tin1); tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; l2c(tout0,out); @@ -128,7 +128,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, { c2l(in,tin0); tin[0]=tin0; c2l(in,tin1); tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; l2cn(tout0,tout1,out,l+8); diff --git a/src/lib/libcrypto/des/ofb64enc.c b/src/lib/libcrypto/des/ofb64enc.c index 64953959ca..1a1d1f1ac4 100644 --- a/src/lib/libcrypto/des/ofb64enc.c +++ b/src/lib/libcrypto/des/ofb64enc.c @@ -87,7 +87,7 @@ void des_ofb64_encrypt(register const unsigned char *in, { if (n == 0) { - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); dp=d; t=ti[0]; l2c(t,dp); t=ti[1]; l2c(t,dp); diff --git a/src/lib/libcrypto/des/ofb_enc.c b/src/lib/libcrypto/des/ofb_enc.c index a8f425a575..70493e632c 100644 --- a/src/lib/libcrypto/des/ofb_enc.c +++ b/src/lib/libcrypto/des/ofb_enc.c @@ -101,7 +101,7 @@ void des_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits, { ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); vv0=ti[0]; vv1=ti[1]; c2ln(in,d0,d1,n); diff --git a/src/lib/libcrypto/des/pcbc_enc.c b/src/lib/libcrypto/des/pcbc_enc.c index dd69a26d4a..5b987f074d 100644 --- a/src/lib/libcrypto/des/pcbc_enc.c +++ b/src/lib/libcrypto/des/pcbc_enc.c @@ -85,7 +85,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, c2ln(in,sin0,sin1,length); tin[0]=sin0^xor0; tin[1]=sin1^xor1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; tout1=tin[1]; xor0=sin0^tout0; @@ -103,7 +103,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, c2l(in,sin1); tin[0]=sin0; tin[1]=sin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; if (length >= 8) diff --git a/src/lib/libcrypto/des/speed.c b/src/lib/libcrypto/des/speed.c index 814b86f4ae..1223edf290 100644 --- a/src/lib/libcrypto/des/speed.c +++ b/src/lib/libcrypto/des/speed.c @@ -204,7 +204,7 @@ int main(int argc, char **argv) count*=2; Time_F(START); for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); d=Time_F(STOP); } while (d < 3.0); ca=count; @@ -241,7 +241,7 @@ int main(int argc, char **argv) { DES_LONG data[2]; - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); } d=Time_F(STOP); printf("%ld des_encrypt's in %.2f second\n",count,d); diff --git a/src/lib/libcrypto/des/xcbc_enc.c b/src/lib/libcrypto/des/xcbc_enc.c index 51e17e6b8a..ccfede13ac 100644 --- a/src/lib/libcrypto/des/xcbc_enc.c +++ b/src/lib/libcrypto/des/xcbc_enc.c @@ -138,7 +138,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, c2l(in,tin1); tin0^=tout0^inW0; tin[0]=tin0; tin1^=tout1^inW1; tin[1]=tin1; - des_encrypt(tin,schedule,DES_ENCRYPT); + des_encrypt1(tin,schedule,DES_ENCRYPT); tout0=tin[0]^outW0; l2c(tout0,out); tout1=tin[1]^outW1; l2c(tout1,out); } @@ -147,7 +147,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, c2ln(in,tin0,tin1,l+8); tin0^=tout0^inW0; tin[0]=tin0; tin1^=tout1^inW1; tin[1]=tin1; - des_encrypt(tin,schedule,DES_ENCRYPT); + des_encrypt1(tin,schedule,DES_ENCRYPT); tout0=tin[0]^outW0; l2c(tout0,out); tout1=tin[1]^outW1; l2c(tout1,out); } @@ -163,7 +163,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, { c2l(in,tin0); tin[0]=tin0^outW0; c2l(in,tin1); tin[1]=tin1^outW1; - des_encrypt(tin,schedule,DES_DECRYPT); + des_encrypt1(tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0^inW0; tout1=tin[1]^xor1^inW1; l2c(tout0,out); @@ -175,7 +175,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, { c2l(in,tin0); tin[0]=tin0^outW0; c2l(in,tin1); tin[1]=tin1^outW1; - des_encrypt(tin,schedule,DES_DECRYPT); + des_encrypt1(tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0^inW0; tout1=tin[1]^xor1^inW1; l2cn(tout0,tout1,out,l+8); diff --git a/src/lib/libcrypto/dh/Makefile.ssl b/src/lib/libcrypto/dh/Makefile.ssl index 88d0d1748b..bf4b47ca9a 100644 --- a/src/lib/libcrypto/dh/Makefile.ssl +++ b/src/lib/libcrypto/dh/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c index 6915d79dcc..22b087b778 100644 --- a/src/lib/libcrypto/dh/dh_key.c +++ b/src/lib/libcrypto/dh/dh_key.c @@ -100,7 +100,6 @@ DH_METHOD *DH_OpenSSL(void) static int generate_key(DH *dh) { int ok=0; - unsigned int i; BN_CTX ctx; BN_MONT_CTX *mont; BIGNUM *pub_key=NULL,*priv_key=NULL; @@ -109,15 +108,11 @@ static int generate_key(DH *dh) if (dh->priv_key == NULL) { - i=dh->length; - if (i == 0) - { - /* Make the number p-1 bits long */ - i=BN_num_bits(dh->p)-1; - } priv_key=BN_new(); if (priv_key == NULL) goto err; - if (!BN_rand(priv_key,i,0,0)) goto err; + do + if (!BN_rand_range(priv_key, dh->p)) goto err; + while (BN_is_zero(priv_key)); } else priv_key=dh->priv_key; diff --git a/src/lib/libcrypto/dh/dh_lib.c b/src/lib/libcrypto/dh/dh_lib.c index 66803b5565..96f118c153 100644 --- a/src/lib/libcrypto/dh/dh_lib.c +++ b/src/lib/libcrypto/dh/dh_lib.c @@ -168,13 +168,13 @@ DH *DH_new_method(ENGINE *engine) ret->method_mont_p=NULL; ret->references = 1; ret->flags=meth->flags; + CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data); if ((meth->init != NULL) && !meth->init(ret)) { + CRYPTO_free_ex_data(dh_meth,ret,&ret->ex_data); OPENSSL_free(ret); ret=NULL; } - else - CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data); return(ret); } @@ -196,12 +196,12 @@ void DH_free(DH *r) } #endif - CRYPTO_free_ex_data(dh_meth, r, &r->ex_data); - meth = ENGINE_get_DH(r->engine); if(meth->finish) meth->finish(r); ENGINE_finish(r->engine); + CRYPTO_free_ex_data(dh_meth, r, &r->ex_data); + if (r->p != NULL) BN_clear_free(r->p); if (r->g != NULL) BN_clear_free(r->g); if (r->q != NULL) BN_clear_free(r->q); diff --git a/src/lib/libcrypto/doc/RAND_load_file.pod b/src/lib/libcrypto/doc/RAND_load_file.pod index 8dd700ca3d..d8c134e621 100644 --- a/src/lib/libcrypto/doc/RAND_load_file.pod +++ b/src/lib/libcrypto/doc/RAND_load_file.pod @@ -8,7 +8,7 @@ RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file #include - const char *RAND_file_name(char *buf, int num); + const char *RAND_file_name(char *buf, size_t num); int RAND_load_file(const char *filename, long max_bytes); diff --git a/src/lib/libcrypto/doc/bn.pod b/src/lib/libcrypto/doc/bn.pod index 1504a1c92d..d183028d61 100644 --- a/src/lib/libcrypto/doc/bn.pod +++ b/src/lib/libcrypto/doc/bn.pod @@ -60,6 +60,7 @@ bn - multiprecision integer arithmetics int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *range); BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); diff --git a/src/lib/libcrypto/doc/evp.pod b/src/lib/libcrypto/doc/evp.pod index f089dd49a2..edf47dbde6 100644 --- a/src/lib/libcrypto/doc/evp.pod +++ b/src/lib/libcrypto/doc/evp.pod @@ -10,7 +10,7 @@ evp - high-level cryptographic functions =head1 DESCRIPTION -The EVP library provided a high-level interface to cryptographic +The EVP library provides a high-level interface to cryptographic functions. BI<...> and BI<...> provide public key encryption diff --git a/src/lib/libcrypto/dsa/Makefile.ssl b/src/lib/libcrypto/dsa/Makefile.ssl index dac582be00..d88f596364 100644 --- a/src/lib/libcrypto/dsa/Makefile.ssl +++ b/src/lib/libcrypto/dsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/dso/Makefile.ssl b/src/lib/libcrypto/dso/Makefile.ssl index a37f547482..48b36c8330 100644 --- a/src/lib/libcrypto/dso/Makefile.ssl +++ b/src/lib/libcrypto/dso/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/dso/dso_dl.c b/src/lib/libcrypto/dso/dso_dl.c index 69810fc3bb..455bd66ecf 100644 --- a/src/lib/libcrypto/dso/dso_dl.c +++ b/src/lib/libcrypto/dso/dso_dl.c @@ -82,7 +82,7 @@ static int dl_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr); static int dl_init(DSO *dso); static int dl_finish(DSO *dso); #endif -static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg); +static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg); static DSO_METHOD dso_meth_dl = { "OpenSSL 'dl' shared library method", @@ -111,6 +111,11 @@ DSO_METHOD *DSO_METHOD_dl(void) * type so the cast is safe. */ +#if defined(__hpux) +static const char extension[] = ".sl"; +#else +static const char extension[] = ".so"; +#endif static int dl_load(DSO *dso, const char *filename) { shl_t ptr; @@ -118,12 +123,12 @@ static int dl_load(DSO *dso, const char *filename) int len; /* The same comment as in dlfcn_load applies here. bleurgh. */ - len = strlen(filename); + len = strlen(filename) + strlen(extension); if((dso->flags & DSO_FLAG_NAME_TRANSLATION) && - (len + 6 < DSO_MAX_TRANSLATED_SIZE) && + (len + 3 < DSO_MAX_TRANSLATED_SIZE) && (strstr(filename, "/") == NULL)) { - sprintf(translated, "lib%s.so", filename); + sprintf(translated, "lib%s%s", filename, extension); ptr = shl_load(translated, BIND_IMMEDIATE, NULL); } else @@ -187,7 +192,7 @@ static void *dl_bind_var(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_VAR,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_VAR,DSO_R_SYM_FAILURE); return(NULL); @@ -216,7 +221,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_SYM_FAILURE); return(NULL); @@ -224,7 +229,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname) return((DSO_FUNC_TYPE)sym); } -static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg) +static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg) { if(dso == NULL) { @@ -236,10 +241,10 @@ static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg) case DSO_CTRL_GET_FLAGS: return dso->flags; case DSO_CTRL_SET_FLAGS: - dso->flags = (int)larg; + dso->flags = larg; return(0); case DSO_CTRL_OR_FLAGS: - dso->flags |= (int)larg; + dso->flags |= larg; return(0); default: break; diff --git a/src/lib/libcrypto/dso/dso_vms.c b/src/lib/libcrypto/dso/dso_vms.c index 8ff7090129..ab48b63eb7 100644 --- a/src/lib/libcrypto/dso/dso_vms.c +++ b/src/lib/libcrypto/dso/dso_vms.c @@ -62,7 +62,6 @@ #ifdef VMS #pragma message disable DOLLARID #include -#include #include #include #include @@ -260,7 +259,8 @@ void vms_bind_sym(DSO *dso, const char *symname, void **sym) { DSO_VMS_INTERNAL *ptr; int status; - int flags = LIB$M_FIS_MIXEDCASE; + int flags = (1<<4); /* LIB$M_FIS_MIXEDCASE, but this symbol isn't + defined in VMS older than 7.0 or so */ struct dsc$descriptor_s symname_dsc; *sym = NULL; diff --git a/src/lib/libcrypto/ebcdic.c b/src/lib/libcrypto/ebcdic.c index 31397b2add..91a7a8bcb4 100644 --- a/src/lib/libcrypto/ebcdic.c +++ b/src/lib/libcrypto/ebcdic.c @@ -211,7 +211,7 @@ ascii2ebcdic(void *dest, const void *srce, size_t count) } #else /*CHARSET_EBCDIC*/ -#ifdef PEDANTIC +#if defined(PEDANTIC) || defined(VMS) || defined(__VMS) static void *dummy=&dummy; #endif #endif diff --git a/src/lib/libcrypto/engine/engine_lib.c b/src/lib/libcrypto/engine/engine_lib.c index 1df07af03a..d6e9109f6e 100644 --- a/src/lib/libcrypto/engine/engine_lib.c +++ b/src/lib/libcrypto/engine/engine_lib.c @@ -230,17 +230,18 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if(e->funct_ref == 0) { + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY, ENGINE_R_NOT_INITIALISED); return 0; } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if (!e->load_privkey) { ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY, ENGINE_R_NO_LOAD_FUNCTION); return 0; } - CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); pkey = e->load_privkey(key_id, passphrase); if (!pkey) { @@ -265,17 +266,18 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if(e->funct_ref == 0) { + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY, ENGINE_R_NOT_INITIALISED); return 0; } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if (!e->load_pubkey) { ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY, ENGINE_R_NO_LOAD_FUNCTION); return 0; } - CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); pkey = e->load_pubkey(key_id, passphrase); if (!pkey) { @@ -286,8 +288,6 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, return pkey; } -/* Initialise a engine type for use (or up its functional reference count - * if it's already in use). */ int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) { if(e == NULL) @@ -298,15 +298,16 @@ int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if(e->struct_ref == 0) { + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_REFERENCE); return 0; } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if (!e->ctrl) { ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION); return 0; } - CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); return e->ctrl(cmd, i, p, f); } diff --git a/src/lib/libcrypto/err/Makefile.ssl b/src/lib/libcrypto/err/Makefile.ssl index cf94f406e4..58218d1cea 100644 --- a/src/lib/libcrypto/err/Makefile.ssl +++ b/src/lib/libcrypto/err/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c index 99272e437c..839f4ab81a 100644 --- a/src/lib/libcrypto/err/err.c +++ b/src/lib/libcrypto/err/err.c @@ -389,20 +389,18 @@ void ERR_put_error(int lib, int func, int reason, const char *file, void ERR_clear_error(void) { + int i; ERR_STATE *es; es=ERR_get_state(); -#if 0 - /* hmm... is this needed */ for (i=0; ierr_buffer[i]=0; + err_clear_data(es,i); es->err_file[i]=NULL; es->err_line[i]= -1; - err_clear_data(es,i); } -#endif es->top=es->bottom=0; } @@ -464,7 +462,14 @@ static unsigned long get_error_values(int inc, const char **file, int *line, } } - if (data != NULL) + if (data == NULL) + { + if (inc) + { + err_clear_data(es, i); + } + } + else { if (es->err_data[i] == NULL) { @@ -749,8 +754,9 @@ void ERR_set_error_data(char *data, int flags) if (i == 0) i=ERR_NUM_ERRORS-1; + err_clear_data(es,i); es->err_data[i]=data; - es->err_data_flags[es->top]=flags; + es->err_data_flags[i]=flags; } void ERR_add_error_data(int num, ...) @@ -759,7 +765,7 @@ void ERR_add_error_data(int num, ...) int i,n,s; char *str,*p,*a; - s=64; + s=80; str=OPENSSL_malloc(s+1); if (str == NULL) return; str[0]='\0'; diff --git a/src/lib/libcrypto/evp/Makefile.ssl b/src/lib/libcrypto/evp/Makefile.ssl index ad39fcc9e7..624168031d 100644 --- a/src/lib/libcrypto/evp/Makefile.ssl +++ b/src/lib/libcrypto/evp/Makefile.ssl @@ -58,7 +58,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h index 62350dfd69..76d417b44a 100644 --- a/src/lib/libcrypto/evp/evp.h +++ b/src/lib/libcrypto/evp/evp.h @@ -462,12 +462,20 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md, int en_de); +#ifndef NO_RSA #define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ (char *)(rsa)) +#endif + +#ifndef NO_DSA #define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ (char *)(dsa)) +#endif + +#ifndef NO_DH #define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\ (char *)(dh)) +#endif /* Add some extra combinations */ #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) @@ -611,17 +619,29 @@ void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k, #endif EVP_MD *EVP_md_null(void); +#ifndef NO_MD2 EVP_MD *EVP_md2(void); +#endif +#ifndef NO_MD4 EVP_MD *EVP_md4(void); +#endif +#ifndef NO_MD5 EVP_MD *EVP_md5(void); +#endif +#ifndef NO_SHA EVP_MD *EVP_sha(void); EVP_MD *EVP_sha1(void); EVP_MD *EVP_dss(void); EVP_MD *EVP_dss1(void); +#endif +#ifndef NO_MDC2 EVP_MD *EVP_mdc2(void); +#endif +#ifndef NO_RIPEMD EVP_MD *EVP_ripemd160(void); - +#endif EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */ +#ifndef NO_DES EVP_CIPHER *EVP_des_ecb(void); EVP_CIPHER *EVP_des_ede(void); EVP_CIPHER *EVP_des_ede3(void); @@ -635,31 +655,43 @@ EVP_CIPHER *EVP_des_cbc(void); EVP_CIPHER *EVP_des_ede_cbc(void); EVP_CIPHER *EVP_des_ede3_cbc(void); EVP_CIPHER *EVP_desx_cbc(void); +#endif +#ifndef NO_RC4 EVP_CIPHER *EVP_rc4(void); EVP_CIPHER *EVP_rc4_40(void); +#endif +#ifndef NO_IDEA EVP_CIPHER *EVP_idea_ecb(void); EVP_CIPHER *EVP_idea_cfb(void); EVP_CIPHER *EVP_idea_ofb(void); EVP_CIPHER *EVP_idea_cbc(void); +#endif +#ifndef NO_RC2 EVP_CIPHER *EVP_rc2_ecb(void); EVP_CIPHER *EVP_rc2_cbc(void); EVP_CIPHER *EVP_rc2_40_cbc(void); EVP_CIPHER *EVP_rc2_64_cbc(void); EVP_CIPHER *EVP_rc2_cfb(void); EVP_CIPHER *EVP_rc2_ofb(void); +#endif +#ifndef NO_BF EVP_CIPHER *EVP_bf_ecb(void); EVP_CIPHER *EVP_bf_cbc(void); EVP_CIPHER *EVP_bf_cfb(void); EVP_CIPHER *EVP_bf_ofb(void); +#endif +#ifndef NO_CAST EVP_CIPHER *EVP_cast5_ecb(void); EVP_CIPHER *EVP_cast5_cbc(void); EVP_CIPHER *EVP_cast5_cfb(void); EVP_CIPHER *EVP_cast5_ofb(void); +#endif +#ifndef NO_RC5 EVP_CIPHER *EVP_rc5_32_12_16_cbc(void); EVP_CIPHER *EVP_rc5_32_12_16_ecb(void); EVP_CIPHER *EVP_rc5_32_12_16_cfb(void); EVP_CIPHER *EVP_rc5_32_12_16_ofb(void); - +#endif void OpenSSL_add_all_algorithms(void); void OpenSSL_add_all_ciphers(void); void OpenSSL_add_all_digests(void); diff --git a/src/lib/libcrypto/ex_data.c b/src/lib/libcrypto/ex_data.c index 1ee88da2a8..739e543d78 100644 --- a/src/lib/libcrypto/ex_data.c +++ b/src/lib/libcrypto/ex_data.c @@ -101,7 +101,7 @@ int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long ret=idx; err: MemCheck_on(); - return(idx); + return(ret); } int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val) diff --git a/src/lib/libcrypto/hmac/Makefile.ssl b/src/lib/libcrypto/hmac/Makefile.ssl index cf57311973..326339a90d 100644 --- a/src/lib/libcrypto/hmac/Makefile.ssl +++ b/src/lib/libcrypto/hmac/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/idea/Makefile.ssl b/src/lib/libcrypto/idea/Makefile.ssl index 5b334ce921..30302e0b9f 100644 --- a/src/lib/libcrypto/idea/Makefile.ssl +++ b/src/lib/libcrypto/idea/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/lhash/Makefile.ssl b/src/lib/libcrypto/lhash/Makefile.ssl index 6c3d442e22..79849d7d6e 100644 --- a/src/lib/libcrypto/lhash/Makefile.ssl +++ b/src/lib/libcrypto/lhash/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/md2/Makefile.ssl b/src/lib/libcrypto/md2/Makefile.ssl index d46c73a9b9..269628d739 100644 --- a/src/lib/libcrypto/md2/Makefile.ssl +++ b/src/lib/libcrypto/md2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/md4/Makefile.ssl b/src/lib/libcrypto/md4/Makefile.ssl index 6ee3ca88ed..646607274e 100644 --- a/src/lib/libcrypto/md4/Makefile.ssl +++ b/src/lib/libcrypto/md4/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/md5/Makefile.ssl b/src/lib/libcrypto/md5/Makefile.ssl index e8d0cced7f..784215579b 100644 --- a/src/lib/libcrypto/md5/Makefile.ssl +++ b/src/lib/libcrypto/md5/Makefile.ssl @@ -50,7 +50,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libcrypto/mdc2/Makefile.ssl b/src/lib/libcrypto/mdc2/Makefile.ssl index da11c4edea..a9b06b02bd 100644 --- a/src/lib/libcrypto/mdc2/Makefile.ssl +++ b/src/lib/libcrypto/mdc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/mem_dbg.c b/src/lib/libcrypto/mem_dbg.c index 866c53e73a..ef19d8f844 100644 --- a/src/lib/libcrypto/mem_dbg.c +++ b/src/lib/libcrypto/mem_dbg.c @@ -81,7 +81,8 @@ static int mh_mode=CRYPTO_MEM_CHECK_OFF; */ static unsigned long order = 0; /* number of memory requests */ -static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */ +static LHASH *mh=NULL; /* hash-table of memory requests (address as key); + * access requires MALLOC2 lock */ typedef struct app_mem_info_st @@ -103,7 +104,8 @@ typedef struct app_mem_info_st static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's * that are at the top of their thread's stack - * (with `thread' as key) */ + * (with `thread' as key); + * access requires MALLOC2 lock */ typedef struct mem_st /* memory-block description */ @@ -128,7 +130,15 @@ static long options = /* extra information to be recorded */ 0; -static unsigned long disabling_thread = 0; +static unsigned int num_disable = 0; /* num_disable > 0 + * iff + * mh_mode == CRYPTO_MEM_CHECK_ON (w/o ..._ENABLE) + */ +static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0. + * CRYPTO_LOCK_MALLOC2 is locked + * exactly in this case (by the + * thread named in disabling_thread). + */ int CRYPTO_mem_ctrl(int mode) { @@ -137,22 +147,23 @@ int CRYPTO_mem_ctrl(int mode) CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); switch (mode) { - /* for applications: */ + /* for applications (not to be called while multiple threads + * use the library): */ case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */ mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE; - disabling_thread = 0; + num_disable = 0; break; case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */ mh_mode = 0; - disabling_thread = 0; + num_disable = 0; /* should be true *before* MemCheck_stop is used, + or there'll be a lot of confusion */ break; /* switch off temporarily (for library-internal use): */ case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { - mh_mode&= ~CRYPTO_MEM_CHECK_ENABLE; - if (disabling_thread != CRYPTO_thread_id()) /* otherwise we already have the MALLOC2 lock */ + if (!num_disable || (disabling_thread != CRYPTO_thread_id())) /* otherwise we already have the MALLOC2 lock */ { /* Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed while * we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock if @@ -169,18 +180,23 @@ int CRYPTO_mem_ctrl(int mode) * OpenSSL threads. */ CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2); CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + mh_mode &= ~CRYPTO_MEM_CHECK_ENABLE; disabling_thread=CRYPTO_thread_id(); } + num_disable++; } break; case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { - mh_mode|=CRYPTO_MEM_CHECK_ENABLE; - if (disabling_thread != 0) + if (num_disable) /* always true, or something is going wrong */ { - disabling_thread=0; - CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); + num_disable--; + if (num_disable == 0) + { + mh_mode|=CRYPTO_MEM_CHECK_ENABLE; + CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); + } } } break; @@ -198,12 +214,12 @@ int CRYPTO_is_mem_check_on(void) if (mh_mode & CRYPTO_MEM_CHECK_ON) { - CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + CRYPTO_r_lock(CRYPTO_LOCK_MALLOC); ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE) - && disabling_thread != CRYPTO_thread_id(); + || (disabling_thread != CRYPTO_thread_id()); - CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); + CRYPTO_r_unlock(CRYPTO_LOCK_MALLOC); } return(ret); } @@ -293,7 +309,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line) if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ if ((ami = (APP_INFO *)OPENSSL_malloc(sizeof(APP_INFO))) == NULL) { @@ -330,7 +346,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line) ami->next=amim; } err: - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); @@ -342,11 +358,11 @@ int CRYPTO_pop_info(void) if (is_MemCheck_on()) /* _must_ be true, or something went severely wrong */ { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ ret=(pop_info() != NULL); - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } @@ -357,12 +373,12 @@ int CRYPTO_remove_all_info(void) if (is_MemCheck_on()) /* _must_ be true */ { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ while(pop_info() != NULL) ret++; - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } @@ -385,11 +401,12 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* make sure we hold MALLOC2 lock */ if ((m=(MEM *)OPENSSL_malloc(sizeof(MEM))) == NULL) { OPENSSL_free(addr); - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ return; } if (mh == NULL) @@ -448,7 +465,8 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, OPENSSL_free(mm); } err: - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; } @@ -467,7 +485,7 @@ void CRYPTO_dbg_free(void *addr, int before_p) if (is_MemCheck_on() && (mh != NULL)) { - MemCheck_off(); + MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr; mp=(MEM *)lh_delete(mh,(char *)&m); @@ -484,7 +502,8 @@ void CRYPTO_dbg_free(void *addr, int before_p) OPENSSL_free(mp); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; case 1: @@ -518,7 +537,7 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr1; mp=(MEM *)lh_delete(mh,(char *)&m); @@ -535,7 +554,8 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, lh_insert(mh,(char *)mp); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; } @@ -642,10 +662,12 @@ void CRYPTO_mem_leaks(BIO *b) if (mh == NULL && amih == NULL) return; + + MemCheck_off(); /* obtain MALLOC2 lock */ + ml.bio=b; ml.bytes=0; ml.chunks=0; - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ if (mh != NULL) lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml); if (ml.chunks != 0) @@ -671,7 +693,15 @@ void CRYPTO_mem_leaks(BIO *b) * void_fn_to_char kludge in CRYPTO_mem_leaks_cb. * Otherwise the code police will come and get us.) */ + int old_mh_mode; + CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + + /* avoid deadlock when lh_free() uses CRYPTO_dbg_free(), + * which uses CRYPTO_is_mem_check_on */ + old_mh_mode = mh_mode; + mh_mode = CRYPTO_MEM_CHECK_OFF; + if (mh != NULL) { lh_free(mh); @@ -685,15 +715,11 @@ void CRYPTO_mem_leaks(BIO *b) amih = NULL; } } + + mh_mode = old_mh_mode; CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ - -#if 0 - lh_stats_bio(mh,b); - lh_node_stats_bio(mh,b); - lh_node_usage_stats_bio(mh,b); -#endif + MemCheck_on(); /* release MALLOC2 lock */ } #ifndef NO_FP_API diff --git a/src/lib/libcrypto/objects/Makefile.ssl b/src/lib/libcrypto/objects/Makefile.ssl index bdb7aa94dc..6746ad21e7 100644 --- a/src/lib/libcrypto/objects/Makefile.ssl +++ b/src/lib/libcrypto/objects/Makefile.ssl @@ -39,7 +39,8 @@ all: obj_dat.h lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h index 6b5aedeea6..dc50f6d7da 100644 --- a/src/lib/libcrypto/opensslv.h +++ b/src/lib/libcrypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090600fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6 [engine] 24 Sep 2000" +#define OPENSSL_VERSION_NUMBER 0x0090601fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a [engine] 5 Apr 2001" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/src/lib/libcrypto/pem/Makefile.ssl b/src/lib/libcrypto/pem/Makefile.ssl index 97af8255a3..31db6b65a1 100644 --- a/src/lib/libcrypto/pem/Makefile.ssl +++ b/src/lib/libcrypto/pem/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c index 1c5c6dea00..f1694f1125 100644 --- a/src/lib/libcrypto/pem/pem_info.c +++ b/src/lib/libcrypto/pem/pem_info.c @@ -305,7 +305,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, { if ( (xi->enc_data!=NULL) && (xi->enc_len>0) ) { - /* copy from wierdo names into more normal things */ + /* copy from weirdo names into more normal things */ iv=xi->enc_cipher.iv; data=(unsigned char *)xi->enc_data; i=xi->enc_len; diff --git a/src/lib/libcrypto/pkcs12/Makefile.ssl b/src/lib/libcrypto/pkcs12/Makefile.ssl index 67869f204f..d745c53621 100644 --- a/src/lib/libcrypto/pkcs12/Makefile.ssl +++ b/src/lib/libcrypto/pkcs12/Makefile.ssl @@ -45,7 +45,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/pkcs12/p12_attr.c b/src/lib/libcrypto/pkcs12/p12_attr.c index f1a210b5d2..a16a97d03d 100644 --- a/src/lib/libcrypto/pkcs12/p12_attr.c +++ b/src/lib/libcrypto/pkcs12/p12_attr.c @@ -151,7 +151,7 @@ int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name, { unsigned char *uniname; int ret, unilen; - if (!asc2uni(name, &uniname, &unilen)) { + if (!asc2uni(name, namelen, &uniname, &unilen)) { PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC, ERR_R_MALLOC_FAILURE); return 0; diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c index b042dcf05c..a4fd5b98ec 100644 --- a/src/lib/libcrypto/pkcs12/p12_key.c +++ b/src/lib/libcrypto/pkcs12/p12_key.c @@ -84,7 +84,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, if(!pass) { unipass = NULL; uniplen = 0; - } else if (!asc2uni(pass, &unipass, &uniplen)) { + } else if (!asc2uni(pass, passlen, &unipass, &uniplen)) { PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE); return 0; } @@ -102,7 +102,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, const EVP_MD *md_type) { unsigned char *B, *D, *I, *p, *Ai; - int Slen, Plen, Ilen; + int Slen, Plen, Ilen, Ijlen; int i, j, u, v; BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */ EVP_MD_CTX ctx; @@ -180,10 +180,17 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, BN_bin2bn (I + j, v, Ij); BN_add (Ij, Ij, Bpl1); BN_bn2bin (Ij, B); + Ijlen = BN_num_bytes (Ij); /* If more than 2^(v*8) - 1 cut off MSB */ - if (BN_num_bytes (Ij) > v) { + if (Ijlen > v) { BN_bn2bin (Ij, B); memcpy (I + j, B + 1, v); +#ifndef PKCS12_BROKEN_KEYGEN + /* If less than v bytes pad with zeroes */ + } else if (Ijlen < v) { + memset(I + j, 0, v - Ijlen); + BN_bn2bin(Ij, I + j + v - Ijlen); +#endif } else BN_bn2bin (Ij, I + j); } } diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c index 1fbbd6c99f..5d67f19b45 100644 --- a/src/lib/libcrypto/pkcs12/p12_kiss.c +++ b/src/lib/libcrypto/pkcs12/p12_kiss.c @@ -264,6 +264,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, if (lkey) { *keymatch |= MATCH_CERT; if (cert) *cert = x509; + else X509_free(x509); } else { if(ca) sk_X509_push (*ca, x509); else X509_free(x509); diff --git a/src/lib/libcrypto/pkcs12/p12_utl.c b/src/lib/libcrypto/pkcs12/p12_utl.c index 17f41b4549..2f1d1e534f 100644 --- a/src/lib/libcrypto/pkcs12/p12_utl.c +++ b/src/lib/libcrypto/pkcs12/p12_utl.c @@ -62,30 +62,34 @@ /* Cheap and nasty Unicode stuff */ -unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen) +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) { int ulen, i; unsigned char *unitmp; - ulen = strlen(asc)*2 + 2; - if (!(unitmp = OPENSSL_malloc (ulen))) return NULL; - for (i = 0; i < ulen; i+=2) { + if (asclen == -1) asclen = strlen(asc); + ulen = asclen*2 + 2; + if (!(unitmp = OPENSSL_malloc(ulen))) return NULL; + for (i = 0; i < ulen - 2; i+=2) { unitmp[i] = 0; unitmp[i + 1] = asc[i>>1]; } + /* Make result double null terminated */ + unitmp[ulen - 2] = 0; + unitmp[ulen - 1] = 0; if (unilen) *unilen = ulen; if (uni) *uni = unitmp; return unitmp; } -char *uni2asc (unsigned char *uni, int unilen) +char *uni2asc(unsigned char *uni, int unilen) { int asclen, i; char *asctmp; asclen = unilen / 2; /* If no terminating zero allow for one */ - if (uni[unilen - 1]) asclen++; + if (!unilen || uni[unilen - 1]) asclen++; uni++; - if (!(asctmp = OPENSSL_malloc (asclen))) return NULL; + if (!(asctmp = OPENSSL_malloc(asclen))) return NULL; for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i]; asctmp[asclen - 1] = 0; return asctmp; diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h index 502fceff95..e529154f26 100644 --- a/src/lib/libcrypto/pkcs12/pkcs12.h +++ b/src/lib/libcrypto/pkcs12/pkcs12.h @@ -247,7 +247,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, EVP_MD *md_type); int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, EVP_MD *md_type); -unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen); +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen); char *uni2asc(unsigned char *uni, int unilen); int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp); PKCS12_BAGS *PKCS12_BAGS_new(void); diff --git a/src/lib/libcrypto/pkcs7/Makefile.ssl b/src/lib/libcrypto/pkcs7/Makefile.ssl index 6cd18b671e..37b72f0890 100644 --- a/src/lib/libcrypto/pkcs7/Makefile.ssl +++ b/src/lib/libcrypto/pkcs7/Makefile.ssl @@ -58,7 +58,8 @@ verify: verify.o example.o lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c index 099e9651c1..bf43d030ad 100644 --- a/src/lib/libcrypto/pkcs7/pk7_doit.c +++ b/src/lib/libcrypto/pkcs7/pk7_doit.c @@ -370,7 +370,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) if (ri == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); - return(NULL); + goto err; } jj=EVP_PKEY_size(pkey); @@ -393,7 +393,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) BIO_get_cipher_ctx(etmp,&evp_ctx); EVP_CipherInit(evp_ctx,evp_cipher,NULL,NULL,0); if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) - return(NULL); + goto err; if (jj != EVP_CIPHER_CTX_key_length(evp_ctx)) { /* Some S/MIME clients don't use the same key @@ -588,8 +588,10 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) pp=NULL; } +#ifndef NO_DSA if (si->pkey->type == EVP_PKEY_DSA) ctx_tmp.digest=EVP_dss1(); +#endif if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data, (unsigned int *)&buf->length,si->pkey)) @@ -783,7 +785,14 @@ for (ii=0; iienc_digest; pkey = X509_get_pubkey(x509); + if (!pkey) + { + ret = -1; + goto err; + } +#ifndef NO_DSA if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1(); +#endif i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey); EVP_PKEY_free(pkey); diff --git a/src/lib/libcrypto/pkcs7/pk7_mime.c b/src/lib/libcrypto/pkcs7/pk7_mime.c index 994473c0bd..086d394270 100644 --- a/src/lib/libcrypto/pkcs7/pk7_mime.c +++ b/src/lib/libcrypto/pkcs7/pk7_mime.c @@ -165,9 +165,9 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) } bound[32] = 0; BIO_printf(bio, "MIME-Version: 1.0\n"); - BIO_printf(bio, "Content-Type: multipart/signed ; "); - BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; "); - BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound); + BIO_printf(bio, "Content-Type: multipart/signed;"); + BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";"); + BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound); BIO_printf(bio, "This is an S/MIME signed message\n\n"); /* Now write out the first part */ BIO_printf(bio, "------%s\n", bound); diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c index d716f9faeb..3d3214f5ee 100644 --- a/src/lib/libcrypto/pkcs7/pk7_smime.c +++ b/src/lib/libcrypto/pkcs7/pk7_smime.c @@ -153,7 +153,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, PKCS7_SIGNER_INFO *si; X509_STORE_CTX cert_ctx; char buf[4096]; - int i, j=0, k; + int i, j=0, k, ret = 0; BIO *p7bio; BIO *tmpout; @@ -258,18 +258,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, } } - sk_X509_free(signers); - if(indata) BIO_pop(p7bio); - BIO_free_all(p7bio); - - return 1; + ret = 1; err: + if(indata) BIO_pop(p7bio); + BIO_free_all(p7bio); sk_X509_free(signers); - BIO_free(p7bio); - return 0; + return ret; } STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) diff --git a/src/lib/libcrypto/rand/Makefile.ssl b/src/lib/libcrypto/rand/Makefile.ssl index 5f6199a35f..707eaac678 100644 --- a/src/lib/libcrypto/rand/Makefile.ssl +++ b/src/lib/libcrypto/rand/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c index d167dea77d..567838f6c3 100644 --- a/src/lib/libcrypto/rand/md_rand.c +++ b/src/lib/libcrypto/rand/md_rand.c @@ -482,12 +482,12 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) unpredictable */ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) { - int ret, err; + int ret; ret = RAND_bytes(buf, num); if (ret == 0) { - err = ERR_peek_error(); + long err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_RAND && ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED) (void)ERR_get_error(); diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h index eb9c8c034d..9c6052733e 100644 --- a/src/lib/libcrypto/rand/rand.h +++ b/src/lib/libcrypto/rand/rand.h @@ -59,6 +59,8 @@ #ifndef HEADER_RAND_H #define HEADER_RAND_H +#include + #ifdef __cplusplus extern "C" { #endif @@ -89,7 +91,7 @@ void RAND_seed(const void *buf,int num); void RAND_add(const void *buf,int num,double entropy); int RAND_load_file(const char *file,long max_bytes); int RAND_write_file(const char *file); -const char *RAND_file_name(char *file,int num); +const char *RAND_file_name(char *file,size_t num); int RAND_status(void); int RAND_egd(const char *path); int RAND_egd_bytes(const char *path,int bytes); diff --git a/src/lib/libcrypto/rand/rand_egd.c b/src/lib/libcrypto/rand/rand_egd.c index 02a0d86fa3..79b5e6fa57 100644 --- a/src/lib/libcrypto/rand/rand_egd.c +++ b/src/lib/libcrypto/rand/rand_egd.c @@ -74,7 +74,14 @@ int RAND_egd_bytes(const char *path,int bytes) #include OPENSSL_UNISTD #include #include +#ifndef NO_SYS_UN_H #include +#else +struct sockaddr_un { + short sun_family; /* AF_UNIX */ + char sun_path[108]; /* path name (gag) */ +}; +#endif /* NO_SYS_UN_H */ #include #ifndef offsetof diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c index 9f2dcff9a9..3d137badd0 100644 --- a/src/lib/libcrypto/rand/rand_win.c +++ b/src/lib/libcrypto/rand/rand_win.c @@ -570,14 +570,15 @@ static void readtimer(void) DWORD w; LARGE_INTEGER l; static int have_perfc = 1; -#ifndef __GNUC__ +#ifdef _MSC_VER static int have_tsc = 1; DWORD cyclecount; if (have_tsc) { __try { __asm { - rdtsc + _emit 0x0f + _emit 0x31 mov cyclecount, eax } RAND_add(&cyclecount, sizeof(cyclecount), 1); @@ -725,8 +726,9 @@ int RAND_poll(void) #ifdef DEVRANDOM return 1; -#endif +#else return 0; +#endif } #endif diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c index 663a36cb70..f4376cf8cc 100644 --- a/src/lib/libcrypto/rand/randfile.c +++ b/src/lib/libcrypto/rand/randfile.c @@ -73,7 +73,7 @@ # include #endif -#include +#include "openssl/e_os.h" #include #include @@ -83,6 +83,9 @@ /* #define RFILE ".rnd" - defined in ../../e_os.h */ +/* Note that these functions are intended for seed files only. + * Entropy devices and EGD sockets are handled in rand_unix.c */ + int RAND_load_file(const char *file, long bytes) { /* If bytes >= 0, read up to 'bytes' bytes. @@ -213,7 +216,7 @@ err: return (rand_err ? -1 : ret); } -const char *RAND_file_name(char *buf, int size) +const char *RAND_file_name(char *buf, size_t size) { char *s = NULL; char *ret=NULL; @@ -239,6 +242,8 @@ const char *RAND_file_name(char *buf, int size) strlcat(buf,RFILE,size); ret=buf; } + else + buf[0] = '\0'; /* no file name */ } #ifdef DEVRANDOM @@ -257,3 +262,4 @@ const char *RAND_file_name(char *buf, int size) #endif return(ret); } + diff --git a/src/lib/libcrypto/rc2/Makefile.ssl b/src/lib/libcrypto/rc2/Makefile.ssl index 9e94051cd7..39813d68be 100644 --- a/src/lib/libcrypto/rc2/Makefile.ssl +++ b/src/lib/libcrypto/rc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/rc4/Makefile.ssl b/src/lib/libcrypto/rc4/Makefile.ssl index 8d2a795c22..e75858d3b9 100644 --- a/src/lib/libcrypto/rc4/Makefile.ssl +++ b/src/lib/libcrypto/rc4/Makefile.ssl @@ -47,7 +47,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libcrypto/rc5/Makefile.ssl b/src/lib/libcrypto/rc5/Makefile.ssl index 5a54a162ba..c8ee124776 100644 --- a/src/lib/libcrypto/rc5/Makefile.ssl +++ b/src/lib/libcrypto/rc5/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libcrypto/ripemd/Makefile.ssl b/src/lib/libcrypto/ripemd/Makefile.ssl index de01a953ec..1550c32ca1 100644 --- a/src/lib/libcrypto/ripemd/Makefile.ssl +++ b/src/lib/libcrypto/ripemd/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libcrypto/rsa/Makefile.ssl b/src/lib/libcrypto/rsa/Makefile.ssl index c159eedafe..2bee181d4e 100644 --- a/src/lib/libcrypto/rsa/Makefile.ssl +++ b/src/lib/libcrypto/rsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index ccaa62b239..cde5ca27d5 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c @@ -141,9 +141,26 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from, if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, @@ -378,9 +395,26 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from, /* do the decrypt */ if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, @@ -433,20 +467,53 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) { if (rsa->_method_mod_p == NULL) { - if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_p == NULL) + { + rsa->_method_mod_p = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } + if (rsa->_method_mod_q == NULL) { - if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_q == NULL) + { + rsa->_method_mod_q = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } } - + if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, rsa->_method_mod_q)) goto err; diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c index 5e1e8fcdf3..94395cc22c 100644 --- a/src/lib/libcrypto/rsa/rsa_lib.c +++ b/src/lib/libcrypto/rsa/rsa_lib.c @@ -191,13 +191,13 @@ RSA *RSA_new_method(ENGINE *engine) ret->blinding=NULL; ret->bignum_data=NULL; ret->flags=meth->flags; + CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data); if ((meth->init != NULL) && !meth->init(ret)) { + CRYPTO_free_ex_data(rsa_meth,ret,&ret->ex_data); OPENSSL_free(ret); ret=NULL; } - else - CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data); return(ret); } @@ -221,13 +221,13 @@ void RSA_free(RSA *r) } #endif - CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data); - meth = ENGINE_get_RSA(r->engine); if (meth->finish != NULL) meth->finish(r); ENGINE_finish(r->engine); + CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data); + if (r->n != NULL) BN_clear_free(r->n); if (r->e != NULL) BN_clear_free(r->e); if (r->d != NULL) BN_clear_free(r->d); @@ -325,7 +325,7 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) BN_CTX_start(ctx); A = BN_CTX_get(ctx); - if (!BN_rand(A,BN_num_bits(rsa->n)-1,1,0)) goto err; + if (!BN_rand_range(A,rsa->n)) goto err; if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!ENGINE_get_RSA(rsa->engine)->bn_mod_exp(A,A, diff --git a/src/lib/libcrypto/sha/Makefile.ssl b/src/lib/libcrypto/sha/Makefile.ssl index 72acd8f046..790e572fa2 100644 --- a/src/lib/libcrypto/sha/Makefile.ssl +++ b/src/lib/libcrypto/sha/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl index 09df993ecd..fe51fd0794 100644 --- a/src/lib/libcrypto/sha/asm/sha1-586.pl +++ b/src/lib/libcrypto/sha/asm/sha1-586.pl @@ -317,7 +317,7 @@ sub BODY_60_79 sub sha1_block_host { - local($name)=@_; + local($name, $sclabel)=@_; &function_begin_B($name,""); @@ -352,7 +352,7 @@ sub sha1_block_host &mov(&swtmp($i+0),$A); &mov(&swtmp($i+1),$B); } - &jmp(&label("shortcut")); + &jmp($sclabel); &function_end_B($name); } @@ -529,10 +529,12 @@ sub sha1_block_data &pop("esi"); &ret(); - # it has to reside within sha1_block_asm_host_order body - # because it calls &jmp(&label("shortcut")); - &sha1_block_host("sha1_block_asm_host_order"); + # keep a note of shortcut label so it can be used outside + # block. + my $sclabel = &label("shortcut"); &function_end_B($name); + # Putting this here avoids problems with MASM in debugging mode + &sha1_block_host("sha1_block_asm_host_order", $sclabel); } diff --git a/src/lib/libcrypto/stack/Makefile.ssl b/src/lib/libcrypto/stack/Makefile.ssl index 86ed928750..c916fd5451 100644 --- a/src/lib/libcrypto/stack/Makefile.ssl +++ b/src/lib/libcrypto/stack/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/txt_db/Makefile.ssl b/src/lib/libcrypto/txt_db/Makefile.ssl index cb54d53323..ee054e91f2 100644 --- a/src/lib/libcrypto/txt_db/Makefile.ssl +++ b/src/lib/libcrypto/txt_db/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/uid.c b/src/lib/libcrypto/uid.c new file mode 100644 index 0000000000..b5b61b76d4 --- /dev/null +++ b/src/lib/libcrypto/uid.c @@ -0,0 +1,88 @@ +/* crypto/uid.c */ +/* ==================================================================== + * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include + +#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) + +#include + +int OPENSSL_issetugid(void) + { + return issetugid(); + } + +#elif defined(WIN32) + +int OPENSSL_issetugid(void) + { + return 0; + } + +#else + +#include +#include + +int OPENSSL_issetugid(void) + { + if (getuid() != geteuid()) return 1; + if (getgid() != getegid()) return 1; + return 0; + } +#endif + + + diff --git a/src/lib/libcrypto/util/clean-depend.pl b/src/lib/libcrypto/util/clean-depend.pl index af676af751..0193e726fe 100644 --- a/src/lib/libcrypto/util/clean-depend.pl +++ b/src/lib/libcrypto/util/clean-depend.pl @@ -15,8 +15,8 @@ while() { my ($file,$deps)=/^(.*): (.*)$/; next if !defined $deps; my @deps=split ' ',$deps; - @deps=grep(!/^\/usr\/include/,@deps); - @deps=grep(!/^\/usr\/lib\/gcc-lib/,@deps); + @deps=grep(!/^\//,@deps); + @deps=grep(!/^\\$/,@deps); push @{$files{$file}},@deps; } diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num index e8eebbf50c..84ae840804 100644 --- a/src/lib/libcrypto/util/libeay.num +++ b/src/lib/libcrypto/util/libeay.num @@ -301,8 +301,8 @@ EVP_des_ede_cfb 308 EXIST::FUNCTION:DES EVP_des_ede_ofb 309 EXIST::FUNCTION:DES EVP_des_ofb 310 EXIST::FUNCTION:DES EVP_desx_cbc 311 EXIST::FUNCTION:DES -EVP_dss 312 EXIST::FUNCTION:DSA -EVP_dss1 313 EXIST::FUNCTION:DSA +EVP_dss 312 EXIST::FUNCTION:DSA,SHA +EVP_dss1 313 EXIST::FUNCTION:DSA,SHA EVP_enc_null 314 EXIST::FUNCTION: EVP_get_cipherbyname 315 EXIST::FUNCTION: EVP_get_digestbyname 316 EXIST::FUNCTION: @@ -779,7 +779,7 @@ des_ede3_cfb64_encrypt 786 EXIST::FUNCTION:DES des_ede3_ofb64_encrypt 787 EXIST::FUNCTION:DES des_enc_read 788 EXIST::FUNCTION:DES des_enc_write 789 EXIST::FUNCTION:DES -des_encrypt 790 EXIST::FUNCTION:DES +des_encrypt1 790 EXIST::FUNCTION:DES des_encrypt2 791 EXIST::FUNCTION:DES des_encrypt3 792 EXIST::FUNCTION:DES des_fcrypt 793 EXIST::FUNCTION:DES @@ -926,7 +926,7 @@ PKCS7_add_signature 938 EXIST::FUNCTION: PKCS7_cert_from_signer_info 939 EXIST::FUNCTION: PKCS7_get_signer_info 940 EXIST::FUNCTION: EVP_delete_alias 941 NOEXIST::FUNCTION: -EVP_mdc2 942 EXIST::FUNCTION: +EVP_mdc2 942 EXIST::FUNCTION:MDC2 PEM_read_bio_RSAPublicKey 943 EXIST::FUNCTION:RSA PEM_write_bio_RSAPublicKey 944 EXIST::FUNCTION:RSA d2i_RSAPublicKey_bio 945 EXIST::FUNCTION:RSA @@ -1870,61 +1870,64 @@ X509_keyid_set1 2460 EXIST::FUNCTION: BIO_next 2461 EXIST::FUNCTION: DSO_METHOD_vms 2462 EXIST::FUNCTION: BIO_f_linebuffer 2463 EXIST:VMS:FUNCTION: -ERR_load_ENGINE_strings 2464 EXIST::FUNCTION: -ENGINE_set_DSA 2465 EXIST::FUNCTION: -ENGINE_get_finish_function 2466 EXIST::FUNCTION: -ENGINE_get_default_RSA 2467 EXIST::FUNCTION: -ENGINE_get_BN_mod_exp 2468 EXIST::FUNCTION: -DSA_get_default_openssl_method 2469 EXIST::FUNCTION:DSA -ENGINE_set_DH 2470 EXIST::FUNCTION: -ENGINE_set_default_BN_mod_exp_crt 2471 EXIST:!VMS:FUNCTION: -ENGINE_set_def_BN_mod_exp_crt 2471 EXIST:VMS:FUNCTION: -ENGINE_init 2472 EXIST::FUNCTION: -DH_get_default_openssl_method 2473 EXIST::FUNCTION:DH -RSA_set_default_openssl_method 2474 EXIST::FUNCTION:RSA -ENGINE_finish 2475 EXIST::FUNCTION: -ENGINE_load_public_key 2476 EXIST::FUNCTION: -ENGINE_get_DH 2477 EXIST::FUNCTION: -ENGINE_ctrl 2478 EXIST::FUNCTION: -ENGINE_get_init_function 2479 EXIST::FUNCTION: -ENGINE_set_init_function 2480 EXIST::FUNCTION: -ENGINE_set_default_DSA 2481 EXIST::FUNCTION: -ENGINE_get_name 2482 EXIST::FUNCTION: -ENGINE_get_last 2483 EXIST::FUNCTION: -ENGINE_get_prev 2484 EXIST::FUNCTION: -ENGINE_get_default_DH 2485 EXIST::FUNCTION: -ENGINE_get_RSA 2486 EXIST::FUNCTION: -ENGINE_set_default 2487 EXIST::FUNCTION: -ENGINE_get_RAND 2488 EXIST::FUNCTION: -ENGINE_get_first 2489 EXIST::FUNCTION: -ENGINE_by_id 2490 EXIST::FUNCTION: -ENGINE_set_finish_function 2491 EXIST::FUNCTION: -ENGINE_get_default_BN_mod_exp_crt 2492 EXIST:!VMS:FUNCTION: -ENGINE_get_def_BN_mod_exp_crt 2492 EXIST:VMS:FUNCTION: -RSA_get_default_openssl_method 2493 EXIST::FUNCTION:RSA -ENGINE_set_RSA 2494 EXIST::FUNCTION: -ENGINE_load_private_key 2495 EXIST::FUNCTION: -ENGINE_set_default_RAND 2496 EXIST::FUNCTION: -ENGINE_set_BN_mod_exp 2497 EXIST::FUNCTION: -ENGINE_remove 2498 EXIST::FUNCTION: -ENGINE_free 2499 EXIST::FUNCTION: -ENGINE_get_BN_mod_exp_crt 2500 EXIST::FUNCTION: -ENGINE_get_next 2501 EXIST::FUNCTION: -ENGINE_set_name 2502 EXIST::FUNCTION: -ENGINE_get_default_DSA 2503 EXIST::FUNCTION: -ENGINE_set_default_BN_mod_exp 2504 EXIST::FUNCTION: -ENGINE_set_default_RSA 2505 EXIST::FUNCTION: -ENGINE_get_default_RAND 2506 EXIST::FUNCTION: -ENGINE_get_default_BN_mod_exp 2507 EXIST::FUNCTION: -ENGINE_set_RAND 2508 EXIST::FUNCTION: -ENGINE_set_id 2509 EXIST::FUNCTION: -ENGINE_set_BN_mod_exp_crt 2510 EXIST::FUNCTION: -ENGINE_set_default_DH 2511 EXIST::FUNCTION: -ENGINE_new 2512 EXIST::FUNCTION: -ENGINE_get_id 2513 EXIST::FUNCTION: -DSA_set_default_openssl_method 2514 EXIST::FUNCTION:DSA -ENGINE_add 2515 EXIST::FUNCTION: -DH_set_default_openssl_method 2516 EXIST::FUNCTION:DH -ENGINE_get_DSA 2517 EXIST::FUNCTION: -ENGINE_get_ctrl_function 2518 EXIST::FUNCTION: -ENGINE_set_ctrl_function 2519 EXIST::FUNCTION: +BN_bntest_rand 2464 EXIST::FUNCTION: +OPENSSL_issetugid 2465 EXIST::FUNCTION: +BN_rand_range 2466 EXIST::FUNCTION: +ERR_load_ENGINE_strings 2467 EXIST::FUNCTION: +ENGINE_set_DSA 2468 EXIST::FUNCTION: +ENGINE_get_finish_function 2469 EXIST::FUNCTION: +ENGINE_get_default_RSA 2470 EXIST::FUNCTION: +ENGINE_get_BN_mod_exp 2471 EXIST::FUNCTION: +DSA_get_default_openssl_method 2472 EXIST::FUNCTION:DSA +ENGINE_set_DH 2473 EXIST::FUNCTION: +ENGINE_set_default_BN_mod_exp_crt 2474 EXIST:!VMS:FUNCTION: +ENGINE_set_def_BN_mod_exp_crt 2474 EXIST:VMS:FUNCTION: +ENGINE_init 2475 EXIST::FUNCTION: +DH_get_default_openssl_method 2476 EXIST::FUNCTION:DH +RSA_set_default_openssl_method 2477 EXIST::FUNCTION:RSA +ENGINE_finish 2478 EXIST::FUNCTION: +ENGINE_load_public_key 2479 EXIST::FUNCTION: +ENGINE_get_DH 2480 EXIST::FUNCTION: +ENGINE_ctrl 2481 EXIST::FUNCTION: +ENGINE_get_init_function 2482 EXIST::FUNCTION: +ENGINE_set_init_function 2483 EXIST::FUNCTION: +ENGINE_set_default_DSA 2484 EXIST::FUNCTION: +ENGINE_get_name 2485 EXIST::FUNCTION: +ENGINE_get_last 2486 EXIST::FUNCTION: +ENGINE_get_prev 2487 EXIST::FUNCTION: +ENGINE_get_default_DH 2488 EXIST::FUNCTION: +ENGINE_get_RSA 2489 EXIST::FUNCTION: +ENGINE_set_default 2490 EXIST::FUNCTION: +ENGINE_get_RAND 2491 EXIST::FUNCTION: +ENGINE_get_first 2492 EXIST::FUNCTION: +ENGINE_by_id 2493 EXIST::FUNCTION: +ENGINE_set_finish_function 2494 EXIST::FUNCTION: +ENGINE_get_default_BN_mod_exp_crt 2495 EXIST:!VMS:FUNCTION: +ENGINE_get_def_BN_mod_exp_crt 2495 EXIST:VMS:FUNCTION: +RSA_get_default_openssl_method 2496 EXIST::FUNCTION:RSA +ENGINE_set_RSA 2497 EXIST::FUNCTION: +ENGINE_load_private_key 2498 EXIST::FUNCTION: +ENGINE_set_default_RAND 2499 EXIST::FUNCTION: +ENGINE_set_BN_mod_exp 2500 EXIST::FUNCTION: +ENGINE_remove 2501 EXIST::FUNCTION: +ENGINE_free 2502 EXIST::FUNCTION: +ENGINE_get_BN_mod_exp_crt 2503 EXIST::FUNCTION: +ENGINE_get_next 2504 EXIST::FUNCTION: +ENGINE_set_name 2505 EXIST::FUNCTION: +ENGINE_get_default_DSA 2506 EXIST::FUNCTION: +ENGINE_set_default_BN_mod_exp 2507 EXIST::FUNCTION: +ENGINE_set_default_RSA 2508 EXIST::FUNCTION: +ENGINE_get_default_RAND 2509 EXIST::FUNCTION: +ENGINE_get_default_BN_mod_exp 2510 EXIST::FUNCTION: +ENGINE_set_RAND 2511 EXIST::FUNCTION: +ENGINE_set_id 2512 EXIST::FUNCTION: +ENGINE_set_BN_mod_exp_crt 2513 EXIST::FUNCTION: +ENGINE_set_default_DH 2514 EXIST::FUNCTION: +ENGINE_new 2515 EXIST::FUNCTION: +ENGINE_get_id 2516 EXIST::FUNCTION: +DSA_set_default_openssl_method 2517 EXIST::FUNCTION:DSA +ENGINE_add 2518 EXIST::FUNCTION: +DH_set_default_openssl_method 2519 EXIST::FUNCTION:DH +ENGINE_get_DSA 2520 EXIST::FUNCTION: +ENGINE_get_ctrl_function 2521 EXIST::FUNCTION: +ENGINE_set_ctrl_function 2522 EXIST::FUNCTION: diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl index cc41a1813e..ba453358cf 100644 --- a/src/lib/libcrypto/util/mkdef.pl +++ b/src/lib/libcrypto/util/mkdef.pl @@ -119,7 +119,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-rc4$/) { $no_rc4=1; } elsif (/^no-rc5$/) { $no_rc5=1; } elsif (/^no-idea$/) { $no_idea=1; } - elsif (/^no-des$/) { $no_des=1; } + elsif (/^no-des$/) { $no_des=1; $no_mdc2=1; } elsif (/^no-bf$/) { $no_bf=1; } elsif (/^no-cast$/) { $no_cast=1; } elsif (/^no-md2$/) { $no_md2=1; } @@ -705,7 +705,8 @@ EOF } else { (my $n, my $i) = split /\\/, $nums{$s}; my %pf = (); - my @p = split(/,/, ($i =~ /^.*?:(.*?):/,$1)); + my @p = split(/,/, ($i =~ /^[^:]*:([^:]*):/,$1)); + my @a = split(/,/, ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1)); # @p_purged must contain hardware platforms only my @p_purged = (); foreach $ptmp (@p) { @@ -727,7 +728,26 @@ EOF || (!$negatives && ($rsaref || !grep(/^RSAREF$/,@p))) || ($negatives - && (!$rsaref || !grep(/^!RSAREF$/,@p))))) { + && (!$rsaref || !grep(/^!RSAREF$/,@p)))) + && (!@a || (!$no_rc2 || !grep(/^RC2$/,@a))) + && (!@a || (!$no_rc4 || !grep(/^RC4$/,@a))) + && (!@a || (!$no_rc5 || !grep(/^RC5$/,@a))) + && (!@a || (!$no_idea || !grep(/^IDEA$/,@a))) + && (!@a || (!$no_des || !grep(/^DES$/,@a))) + && (!@a || (!$no_bf || !grep(/^BF$/,@a))) + && (!@a || (!$no_cast || !grep(/^CAST$/,@a))) + && (!@a || (!$no_md2 || !grep(/^MD2$/,@a))) + && (!@a || (!$no_md4 || !grep(/^MD4$/,@a))) + && (!@a || (!$no_md5 || !grep(/^MD5$/,@a))) + && (!@a || (!$no_sha || !grep(/^SHA$/,@a))) + && (!@a || (!$no_ripemd || !grep(/^RIPEMD$/,@a))) + && (!@a || (!$no_mdc2 || !grep(/^MDC2$/,@a))) + && (!@a || (!$no_rsa || !grep(/^RSA$/,@a))) + && (!@a || (!$no_dsa || !grep(/^DSA$/,@a))) + && (!@a || (!$no_dh || !grep(/^DH$/,@a))) + && (!@a || (!$no_hmac || !grep(/^HMAC$/,@a))) + && (!@a || (!$no_fp_api || !grep(/^FP_API$/,@a))) + ) { printf OUT " %s%-40s@%d\n",($W32)?"":"_",$s,$n; # } else { # print STDERR "DEBUG: \"$sym\" (@p):", diff --git a/src/lib/libcrypto/util/mklink.pl b/src/lib/libcrypto/util/mklink.pl index d7b997ada7..9e9c9a5146 100644 --- a/src/lib/libcrypto/util/mklink.pl +++ b/src/lib/libcrypto/util/mklink.pl @@ -48,8 +48,13 @@ foreach $dirname (@from_path) { my $to = join('/', @to_path); my $file; +$symlink_exists=eval {symlink("",""); 1}; foreach $file (@files) { my $err = ""; - symlink("$to/$file", "$from/$file") or $err = " [$!]"; + if ($symlink_exists) { + symlink("$to/$file", "$from/$file") or $err = " [$!]"; + } else { + system ("cp", "$file", "$from/$file") and $err = " [$!]"; + } print $file . " => $from/$file$err\n"; } diff --git a/src/lib/libcrypto/util/pod2man.pl b/src/lib/libcrypto/util/pod2man.pl index f5ec0767ed..c6b64add60 100644 --- a/src/lib/libcrypto/util/pod2man.pl +++ b/src/lib/libcrypto/util/pod2man.pl @@ -416,6 +416,8 @@ if ($name ne 'something') { warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n" } else { + $n[0] =~ s/\n/ /; + $n[1] =~ s/\n/ /; %namedesc = @n; } } diff --git a/src/lib/libcrypto/x509/Makefile.ssl b/src/lib/libcrypto/x509/Makefile.ssl index 4619693733..79f09d4f71 100644 --- a/src/lib/libcrypto/x509/Makefile.ssl +++ b/src/lib/libcrypto/x509/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c index cac64a6f40..448bd7e69c 100644 --- a/src/lib/libcrypto/x509/by_dir.c +++ b/src/lib/libcrypto/x509/by_dir.c @@ -327,7 +327,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, * it out again */ CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp); - if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i); + if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j); else tmp = NULL; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c index b147d573d2..3f9f9b3d47 100644 --- a/src/lib/libcrypto/x509/x509_cmp.c +++ b/src/lib/libcrypto/x509/x509_cmp.c @@ -199,19 +199,13 @@ unsigned long X509_NAME_hash(X509_NAME *x) { unsigned long ret=0; unsigned char md[16]; - unsigned char str[256],*p,*pp; - int i; - - i=i2d_X509_NAME(x,NULL); - if (i > sizeof(str)) - p=OPENSSL_malloc(i); - else - p=str; - pp=p; - i2d_X509_NAME(x,&pp); - MD5((unsigned char *)p,i,&(md[0])); - if (p != str) OPENSSL_free(p); + /* Ensure cached version is up to date */ + i2d_X509_NAME(x,NULL); + /* Use cached encoding directly rather than copying: this should + * keep libsafe happy. + */ + MD5((unsigned char *)x->bytes->data,x->bytes->length,&(md[0])); ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) diff --git a/src/lib/libcrypto/x509v3/Makefile.ssl b/src/lib/libcrypto/x509v3/Makefile.ssl index f7c3a6ca13..236e13af4e 100644 --- a/src/lib/libcrypto/x509v3/Makefile.ssl +++ b/src/lib/libcrypto/x509v3/Makefile.ssl @@ -43,7 +43,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c index 733919f250..94bebcd448 100644 --- a/src/lib/libcrypto/x509v3/v3_alt.c +++ b/src/lib/libcrypto/x509v3/v3_alt.c @@ -270,7 +270,7 @@ static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens) /* Now add any email address(es) to STACK */ i = -1; while((i = X509_NAME_get_index_by_NID(nm, - NID_pkcs9_emailAddress, i)) > 0) { + NID_pkcs9_emailAddress, i)) >= 0) { ne = X509_NAME_get_entry(nm, i); email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne)); if(!email || !(gen = GENERAL_NAME_new())) { diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c index dbc4fb1f16..14b804c4ad 100644 --- a/src/lib/libcrypto/x509v3/v3_prn.c +++ b/src/lib/libcrypto/x509v3/v3_prn.c @@ -85,9 +85,16 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) else BIO_printf(out, "%s:%s", nval->name, nval->value); #else else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1); - BIO_printf(out, "%s:%s", nval->name, tmp); + int len; + char *tmp; + len = strlen(nval->value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, nval->value, len); + BIO_printf(out, "%s:%s", nval->name, tmp); + OPENSSL_free(tmp); + } } #endif if(ml) BIO_puts(out, "\n"); @@ -115,9 +122,16 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent) BIO_printf(out, "%*s%s", indent, "", value); #else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, value, strlen(value)+1); - BIO_printf(out, "%*s%s", indent, "", tmp); + int len; + char *tmp; + len = strlen(value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, value, len); + BIO_printf(out, "%*s%s", indent, "", tmp); + OPENSSL_free(tmp); + } } #endif } else if(method->i2v) { diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c index 867699b26f..8aecd00e63 100644 --- a/src/lib/libcrypto/x509v3/v3_purp.c +++ b/src/lib/libcrypto/x509v3/v3_purp.c @@ -362,6 +362,8 @@ static int ca_check(const X509 *x) else return 0; } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; + /* If key usage present it must have certSign so tolerate it */ + else if (x->ex_flags & EXFLAG_KUSAGE) return 3; else return 2; } } @@ -380,7 +382,7 @@ static int check_ssl_ca(const X509 *x) if(ca_ret != 2) return ca_ret; else return 0; } - + static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) { @@ -446,7 +448,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c int ret; ret = purpose_smime(x, ca); if(!ret || ca) return ret; - if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0; + if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; return ret; } diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE index bdd5f7bdd0..3fd259ac32 100644 --- a/src/lib/libssl/LICENSE +++ b/src/lib/libssl/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/src/lib/libssl/crypto/Makefile b/src/lib/libssl/crypto/Makefile index a44392a9bd..a05ac78e0e 100644 --- a/src/lib/libssl/crypto/Makefile +++ b/src/lib/libssl/crypto/Makefile @@ -29,7 +29,7 @@ CFLAGS+= -DNO_RC5 CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST} CFLAGS+= -I${LCRYPTO_SRC} CFLAGS+= -I${LCRYPTO_INC} -SRCS+= cryptlib.c ex_data.c cpt_err.c mem.c mem_dbg.c tmdiff.c cversion.c +SRCS+= cryptlib.c ex_data.c cpt_err.c mem.c mem_dbg.c tmdiff.c cversion.c uid.c CFLAGS+= -I${LCRYPTO_SRC}/md2 SRCS+= md2_dgst.c md2_one.c CFLAGS+= -I${LCRYPTO_SRC}/md5 diff --git a/src/lib/libssl/crypto/shlib_version b/src/lib/libssl/crypto/shlib_version index 890c57389b..3066b9771e 100644 --- a/src/lib/libssl/crypto/shlib_version +++ b/src/lib/libssl/crypto/shlib_version @@ -1,2 +1,2 @@ -major=4 -minor=1 +major=5 +minor=0 diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c index dded7a19c5..ad2d8dadf7 100644 --- a/src/lib/libssl/s23_lib.c +++ b/src/lib/libssl/s23_lib.c @@ -63,6 +63,7 @@ static int ssl23_num_ciphers(void ); static SSL_CIPHER *ssl23_get_cipher(unsigned int u); static int ssl23_read(SSL *s, void *buf, int len); +static int ssl23_peek(SSL *s, void *buf, int len); static int ssl23_write(SSL *s, const void *buf, int len); static long ssl23_default_timeout(void ); static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); @@ -77,7 +78,7 @@ static SSL_METHOD SSLv23_data= { ssl_undefined_function, ssl_undefined_function, ssl23_read, - (int (*)(struct ssl_st *, char *, int))ssl_undefined_function, + ssl23_peek, ssl23_write, ssl_undefined_function, ssl_undefined_function, @@ -169,13 +170,6 @@ static int ssl23_read(SSL *s, void *buf, int len) { int n; -#if 0 - if (s->shutdown & SSL_RECEIVED_SHUTDOWN) - { - s->rwstate=SSL_NOTHING; - return(0); - } -#endif clear_sys_error(); if (SSL_in_init(s) && (!s->in_handshake)) { @@ -195,17 +189,33 @@ static int ssl23_read(SSL *s, void *buf, int len) } } -static int ssl23_write(SSL *s, const void *buf, int len) +static int ssl23_peek(SSL *s, void *buf, int len) { int n; -#if 0 - if (s->shutdown & SSL_SENT_SHUTDOWN) + clear_sys_error(); + if (SSL_in_init(s) && (!s->in_handshake)) + { + n=s->handshake_func(s); + if (n < 0) return(n); + if (n == 0) + { + SSLerr(SSL_F_SSL23_PEEK,SSL_R_SSL_HANDSHAKE_FAILURE); + return(-1); + } + return(SSL_peek(s,buf,len)); + } + else { - s->rwstate=SSL_NOTHING; - return(0); + ssl_undefined_function(s); + return(-1); } -#endif + } + +static int ssl23_write(SSL *s, const void *buf, int len) + { + int n; + clear_sys_error(); if (SSL_in_init(s) && (!s->in_handshake)) { diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c index d92c164b0f..10d8d3b15a 100644 --- a/src/lib/libssl/s3_both.c +++ b/src/lib/libssl/s3_both.c @@ -365,7 +365,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) while (s->init_num < 4) { i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num], - 4 - s->init_num); + 4 - s->init_num, 0); if (i <= 0) { s->rwstate=SSL_READING; @@ -434,7 +434,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) n=s->s3->tmp.message_size; while (n > 0) { - i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n); + i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0); if (i <= 0) { s->rwstate=SSL_READING; diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 62040f9f1d..eec45cfa48 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -815,6 +815,7 @@ static int ssl3_get_server_certificate(SSL *s) X509_free(s->session->peer); CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); s->session->peer=x; + s->session->verify_result = s->verify_result; x=NULL; ret=1; diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index cee2021b6b..c32c06de32 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include @@ -638,10 +691,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u) return(NULL); } -/* The problem is that it may not be the correct record type */ int ssl3_pending(SSL *s) { - return(s->s3->rrec.length); + return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; } int ssl3_new(SSL *s) @@ -1189,7 +1241,7 @@ int ssl3_shutdown(SSL *s) else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ - ssl3_read_bytes(s,0,NULL,0); + ssl3_read_bytes(s,0,NULL,0,0); } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && @@ -1252,14 +1304,14 @@ int ssl3_write(SSL *s, const void *buf, int len) return(ret); } -int ssl3_read(SSL *s, void *buf, int len) +static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) { int ret; clear_sys_error(); if (s->s3->renegotiate) ssl3_renegotiate_check(s); s->s3->in_read_app_data=1; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); if ((ret == -1) && (s->s3->in_read_app_data == 0)) { /* ssl3_read_bytes decided to call s->handshake_func, which @@ -1269,7 +1321,7 @@ int ssl3_read(SSL *s, void *buf, int len) * by resetting 'in_read_app_data', strangely); so disable * handshake processing and try to read application data again. */ s->in_handshake++; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); s->in_handshake--; } else @@ -1278,26 +1330,14 @@ int ssl3_read(SSL *s, void *buf, int len) return(ret); } -int ssl3_peek(SSL *s, char *buf, int len) +int ssl3_read(SSL *s, void *buf, int len) { - SSL3_RECORD *rr; - int n; - - rr= &(s->s3->rrec); - if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA)) - { - n=ssl3_read(s,buf,1); - if (n <= 0) return(n); - rr->length++; - rr->off--; - } + return ssl3_read_internal(s, buf, len, 0); + } - if ((unsigned int)len > rr->length) - n=rr->length; - else - n=len; - memcpy(buf,&(rr->data[rr->off]),(unsigned int)n); - return(n); +int ssl3_peek(SSL *s, void *buf, int len) + { + return ssl3_read_internal(s, buf, len, 1); } int ssl3_renegotiate(SSL *s) diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 1414079853..9ab76604a6 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c @@ -704,7 +704,7 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, * Application data protocol * none of our business */ -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { int al,i,j,ret; unsigned int n; @@ -715,7 +715,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) if (!ssl3_setup_buffers(s)) return(-1); - if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) + if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) || + (peek && (type != SSL3_RT_APPLICATION_DATA))) { SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR); return -1; @@ -728,6 +729,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) unsigned char *dst = buf; unsigned int k; + /* peek == 0 */ n = 0; while ((len > 0) && (s->s3->handshake_fragment_len > 0)) { @@ -763,7 +765,7 @@ start: * s->s3->rrec.length, - number of bytes. */ rr = &(s->s3->rrec); - /* get new packet */ + /* get new packet if necessary */ if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { ret=ssl3_get_record(s); @@ -781,7 +783,8 @@ start: goto err; } - /* If the other end has shutdown, throw anything we read away */ + /* If the other end has shut down, throw anything we read away + * (even in 'peek' mode) */ if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { rr->length=0; @@ -810,12 +813,15 @@ start: n = (unsigned int)len; memcpy(buf,&(rr->data[rr->off]),n); - rr->length-=n; - rr->off+=n; - if (rr->length == 0) + if (!peek) { - s->rstate=SSL_ST_READ_HEADER; - rr->off=0; + rr->length-=n; + rr->off+=n; + if (rr->length == 0) + { + s->rstate=SSL_ST_READ_HEADER; + rr->off=0; + } } return(n); } diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version index 890c57389b..3066b9771e 100644 --- a/src/lib/libssl/shlib_version +++ b/src/lib/libssl/shlib_version @@ -1,2 +1,2 @@ -major=4 -minor=1 +major=5 +minor=0 diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES index 87853c3b29..08ef8508d8 100644 --- a/src/lib/libssl/src/CHANGES +++ b/src/lib/libssl/src/CHANGES @@ -2,6 +2,291 @@ OpenSSL CHANGES _______________ + Changes between 0.9.6 and 0.9.6a [5 Apr 2001] + + *) Fix a couple of memory leaks in PKCS7_dataDecode() + [Steve Henson, reported by Heyun Zheng ] + + *) Change Configure and Makefiles to provide EXE_EXT, which will contain + the default extension for executables, if any. Also, make the perl + scripts that use symlink() to test if it really exists and use "cp" + if it doesn't. All this made OpenSSL compilable and installable in + CygWin. + [Richard Levitte] + + *) Fix for asn1_GetSequence() for indefinite length constructed data. + If SEQUENCE is length is indefinite just set c->slen to the total + amount of data available. + [Steve Henson, reported by shige@FreeBSD.org] + [This change does not apply to 0.9.7.] + + *) Change bctest to avoid here-documents inside command substitution + (workaround for FreeBSD /bin/sh bug). + For compatibility with Ultrix, avoid shell functions (introduced + in the bctest version that searches along $PATH). + [Bodo Moeller] + + *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes + with des_encrypt() defined on some operating systems, like Solaris + and UnixWare. + [Richard Levitte] + + *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton: + On the Importance of Eliminating Errors in Cryptographic + Computations, J. Cryptology 14 (2001) 2, 101-119, + http://theory.stanford.edu/~dabo/papers/faults.ps.gz). + [Ulf Moeller] + + *) MIPS assembler BIGNUM division bug fix. + [Andy Polyakov] + + *) Disabled incorrect Alpha assembler code. + [Richard Levitte] + + *) Fix PKCS#7 decode routines so they correctly update the length + after reading an EOC for the EXPLICIT tag. + [Steve Henson] + [This change does not apply to 0.9.7.] + + *) Fix bug in PKCS#12 key generation routines. This was triggered + if a 3DES key was generated with a 0 initial byte. Include + PKCS12_BROKEN_KEYGEN compilation option to retain the old + (but broken) behaviour. + [Steve Henson] + + *) Enhance bctest to search for a working bc along $PATH and print + it when found. + [Tim Rice via Richard Levitte] + + *) Fix memory leaks in err.c: free err_data string if necessary; + don't write to the wrong index in ERR_set_error_data. + [Bodo Moeller] + + *) Implement ssl23_peek (analogous to ssl23_read), which previously + did not exist. + [Bodo Moeller] + + *) Replace rdtsc with _emit statements for VC++ version 5. + [Jeremy Cooper ] + + *) Make it possible to reuse SSLv2 sessions. + [Richard Levitte] + + *) In copy_email() check for >= 0 as a return value for + X509_NAME_get_index_by_NID() since 0 is a valid index. + [Steve Henson reported by Massimiliano Pala ] + + *) Avoid coredump with unsupported or invalid public keys by checking if + X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when + PKCS7_verify() fails with non detached data. + [Steve Henson] + + *) Don't use getenv in library functions when run as setuid/setgid. + New function OPENSSL_issetugid(). + [Ulf Moeller] + + *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c) + due to incorrect handling of multi-threading: + + 1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl(). + + 2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on(). + + 3. Count how many times MemCheck_off() has been called so that + nested use can be treated correctly. This also avoids + inband-signalling in the previous code (which relied on the + assumption that thread ID 0 is impossible). + [Bodo Moeller] + + *) Add "-rand" option also to s_client and s_server. + [Lutz Jaenicke] + + *) Fix CPU detection on Irix 6.x. + [Kurt Hockenbury and + "Bruce W. Forsberg" ] + + *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME + was empty. + [Steve Henson] + [This change does not apply to 0.9.7.] + + *) Use the cached encoding of an X509_NAME structure rather than + copying it. This is apparently the reason for the libsafe "errors" + but the code is actually correct. + [Steve Henson] + + *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent + Bleichenbacher's DSA attack. + Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits + to be set and top=0 forces the highest bit to be set; top=-1 is new + and leaves the highest bit random. + [Ulf Moeller, Bodo Moeller] + + *) In the NCONF_...-based implementations for CONF_... queries + (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using + a temporary CONF structure with the data component set to NULL + (which gives segmentation faults in lh_retrieve). + Instead, use NULL for the CONF pointer in CONF_get_string and + CONF_get_number (which may use environment variables) and directly + return NULL from CONF_get_section. + [Bodo Moeller] + + *) Fix potential buffer overrun for EBCDIC. + [Ulf Moeller] + + *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign + keyUsage if basicConstraints absent for a CA. + [Steve Henson] + + *) Make SMIME_write_PKCS7() write mail header values with a format that + is more generally accepted (no spaces before the semicolon), since + some programs can't parse those values properly otherwise. Also make + sure BIO's that break lines after each write do not create invalid + headers. + [Richard Levitte] + + *) Make the CRL encoding routines work with empty SEQUENCE OF. The + macros previously used would not encode an empty SEQUENCE OF + and break the signature. + [Steve Henson] + [This change does not apply to 0.9.7.] + + *) Zero the premaster secret after deriving the master secret in + DH ciphersuites. + [Steve Henson] + + *) Add some EVP_add_digest_alias registrations (as found in + OpenSSL_add_all_digests()) to SSL_library_init() + aka OpenSSL_add_ssl_algorithms(). This provides improved + compatibility with peers using X.509 certificates + with unconventional AlgorithmIdentifier OIDs. + [Bodo Moeller] + + *) Fix for Irix with NO_ASM. + ["Bruce W. Forsberg" ] + + *) ./config script fixes. + [Ulf Moeller, Richard Levitte] + + *) Fix 'openssl passwd -1'. + [Bodo Moeller] + + *) Change PKCS12_key_gen_asc() so it can cope with non null + terminated strings whose length is passed in the passlen + parameter, for example from PEM callbacks. This was done + by adding an extra length parameter to asc2uni(). + [Steve Henson, reported by ] + + *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn + call failed, free the DSA structure. + [Bodo Moeller] + + *) Fix to uni2asc() to cope with zero length Unicode strings. + These are present in some PKCS#12 files. + [Steve Henson] + + *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). + Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits + when writing a 32767 byte record. + [Bodo Moeller; problem reported by Eric Day ] + + *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), + obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. + + (RSA objects have a reference count access to which is protected + by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], + so they are meant to be shared between threads.) + [Bodo Moeller, Geoff Thorpe; original patch submitted by + "Reddie, Steven" ] + + *) Fix a deadlock in CRYPTO_mem_leaks(). + [Bodo Moeller] + + *) Use better test patterns in bntest. + [Ulf Möller] + + *) rand_win.c fix for Borland C. + [Ulf Möller] + + *) BN_rshift bugfix for n == 0. + [Bodo Moeller] + + *) Add a 'bctest' script that checks for some known 'bc' bugs + so that 'make test' does not abort just because 'bc' is broken. + [Bodo Moeller] + + *) Store verify_result within SSL_SESSION also for client side to + avoid potential security hole. (Re-used sessions on the client side + always resulted in verify_result==X509_V_OK, not using the original + result of the server certificate verification.) + [Lutz Jaenicke] + + *) Fix ssl3_pending: If the record in s->s3->rrec is not of type + SSL3_RT_APPLICATION_DATA, return 0. + Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. + [Bodo Moeller] + + *) Fix SSL_peek: + Both ssl2_peek and ssl3_peek, which were totally broken in earlier + releases, have been re-implemented by renaming the previous + implementations of ssl2_read and ssl3_read to ssl2_read_internal + and ssl3_read_internal, respectively, and adding 'peek' parameters + to them. The new ssl[23]_{read,peek} functions are calls to + ssl[23]_read_internal with the 'peek' flag set appropriately. + A 'peek' parameter has also been added to ssl3_read_bytes, which + does the actual work for ssl3_read_internal. + [Bodo Moeller] + + *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling + the method-specific "init()" handler. Also clean up ex_data after + calling the method-specific "finish()" handler. Previously, this was + happening the other way round. + [Geoff Thorpe] + + *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. + The previous value, 12, was not always sufficient for BN_mod_exp(). + [Bodo Moeller] + + *) Make sure that shared libraries get the internal name engine with + the full version number and not just 0. This should mark the + shared libraries as not backward compatible. Of course, this should + be changed again when we can guarantee backward binary compatibility. + [Richard Levitte] + + *) Fix typo in get_cert_by_subject() in by_dir.c + [Jean-Marc Desperrier ] + + *) Rework the system to generate shared libraries: + + - Make note of the expected extension for the shared libraries and + if there is a need for symbolic links from for example libcrypto.so.0 + to libcrypto.so.0.9.7. There is extended info in Configure for + that. + + - Make as few rebuilds of the shared libraries as possible. + + - Still avoid linking the OpenSSL programs with the shared libraries. + + - When installing, install the shared libraries separately from the + static ones. + [Richard Levitte] + + *) Fix SSL_CTX_set_read_ahead macro to actually use its argument. + + Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new + and not in SSL_clear because the latter is also used by the + accept/connect functions; previously, the settings made by + SSL_set_read_ahead would be lost during the handshake. + [Bodo Moeller; problems reported by Anders Gertz ] + + *) Correct util/mkdef.pl to be selective about disabled algorithms. + Previously, it would create entries for disableed algorithms no + matter what. + [Richard Levitte] + + *) Added several new manual pages for SSL_* function. + [Lutz Jaenicke] + Changes between 0.9.5a and 0.9.6 [24 Sep 2000] *) In ssl23_get_client_hello, generate an error message when faced diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure index eed48cfd3c..98bc46bf87 100644 --- a/src/lib/libssl/src/Configure +++ b/src/lib/libssl/src/Configure @@ -98,6 +98,11 @@ my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o"; my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o"; +my $mips3_irix_asm="asm/mips3.o::::::::"; +# There seems to be boundary faults in asm/alpha.s. +#my $alpha_asm="asm/alpha.o::::::::"; +my $alpha_asm="::::::::"; + # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1. # So the md5_locl.h file has an undef B_ENDIAN if sun is defined @@ -136,32 +141,32 @@ my %table=( # surrounds it with #APP #NO_APP comment pair which (at least Solaris # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic" # error message. -"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC", +"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with GNU C setups -"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC", -"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC", -"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC", +"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8 # but keep the assembler modules. -"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC", +"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### -"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC", -"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC", +"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with Sun C setups # DO NOT use /xO[34] on sparc with SC3.0. It is broken, and will not pass the tests -"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC", +"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2. # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8 # SC5.0 note: Compiler common patch 107357-01 or later is required! -"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC", -"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC", -"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC", -"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC", +"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs", #### -"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC", -"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC", +"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Linux setups "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::", @@ -187,11 +192,11 @@ my %table=( # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke # './Configure irix-[g]cc' manually. # -mips4 flag is added by ./config when appropriate. -"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::", -"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::", +"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}", +"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}", # N64 ABI builds. -"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::", -"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::", +"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}", +"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}", #### Unified HP-UX ANSI C configs. # Special notes: @@ -271,10 +276,10 @@ my %table=( # Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with # the new compiler # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version -"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o:::::::::dlfcn:true64-shared", -"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", -"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", -"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::", +"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:tru64-shared::.so", +"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", +"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", +"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Alpha Linux with GNU C and Compaq C setups # Special notes: @@ -289,31 +294,32 @@ my %table=( # # # -"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::", -"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::", -"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", -"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", +"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", +"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", # assembler versions -- currently defunct: -##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:asm/alpha.o::", +##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}", # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the # bn86-elf.o file file since it is hand tweaked assembler. -"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC", +"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::", "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", +"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::", -"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:", -"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}", -"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "nextstep", "cc:-O -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", "nextstep3.3", "cc:-O3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # NCR MP-RAS UNIX ver 02.03.01 @@ -323,18 +329,27 @@ my %table=( "qnx4", "cc:-DL_ENDIAN -DTERMIO::(unknown)::${x86_gcc_des} ${x86_gcc_opts}:", # Linux on ARM -"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC", +"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + +# UnixWare 2.0x fails destest with -O +"unixware-2.0","cc:-DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", +"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", -# UnixWare 2.0 -"unixware-2.0","cc:-O -DFILIO_H::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::", -"unixware-2.0-pentium","cc:-O -DFILIO_H -Kpentium -Kthread::(unknown):-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +# UnixWare 2.1 +"unixware-2.1","cc:-O -DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", +"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", # UnixWare 7 -"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", # IBM's AIX. "aix-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::", "aix-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::", +"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", +"aix43-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", # # Cray T90 (SDSC) @@ -361,12 +376,16 @@ my %table=( # DGUX, 88100. "dgux-R3-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::RC4_INDEX DES_UNROLL:::", -"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX:RC4_INDEX DES_UNROLL:::", +"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX DES_UNROLL:::", "dgux-R4-x86-gcc", "gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +# SCO 3 - Tim Rice +"sco3-gcc", "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... + # SCO 5 - Ben Laurie says the -O breaks the # SCO cc. "sco5-cc", "cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? +"sco5-cc-pentium", "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? "sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... # Sinix/ReliantUNIX RM400 @@ -406,12 +425,12 @@ my %table=( ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown)::::::", # Some OpenBSD from Bob Beck -"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::", +"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-vax", "gcc:-DL_ENDIAN -DTERMIOS -O2 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn", +"OpenBSD-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-m68k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::RC2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::", +"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ##### MacOS X (a.k.a. Rhapsody) setup "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", @@ -426,6 +445,7 @@ my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32 my $prefix=""; my $openssldir=""; +my $exe_ext=""; my $install_prefix=""; my $no_threads=0; my $no_shared=1; @@ -453,10 +473,10 @@ my $md5_obj=""; my $sha1_obj=""; my $rmd160_obj=""; my $processor=""; -my $ranlib; +my $default_ranlib; my $perl; -$ranlib=&which("ranlib") or $ranlib="true"; +$default_ranlib= &which("ranlib") or $default_ranlib="true"; $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl") or $perl="perl"; @@ -642,6 +662,7 @@ print "Configuring for $target\n"; my $IsWindows=scalar grep /^$target$/,@WinTargets; +$exe_ext=".exe" if ($target eq "CygWin32"); $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq ""); $prefix=$openssldir if $prefix eq ""; @@ -655,8 +676,8 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//; print "IsWindows=$IsWindows\n"; (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj, - $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag)= - split(/\s*:\s*/,$table{$target} . ":" x 22 , -1); + $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,my $shared_extension,my $ranlib)= + split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); $cflags="$flags$cflags" if ($flags ne ""); # The DSO code currently always implements all functions so that no @@ -731,17 +752,27 @@ if ($threads) } # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org -my $shared_mark1 = ""; -my $shared_mark2 = ""; -if ($shared_cflag ne "") +my $shared_mark = ""; +if ($shared_target ne "") { - $cflags = "$shared_cflag $cflags"; + if ($shared_cflag ne "") + { + $cflags = "$shared_cflag $cflags"; + } if (!$no_shared) { - $shared_mark1 = ".shlib-clean."; - $shared_mark2 = ".shlib."; + #$shared_mark = "\$(SHARED_LIBS)"; } } +else + { + $no_shared = 1; + } + +if ($ranlib eq "") + { + $ranlib = $default_ranlib; + } #my ($bn1)=split(/\s+/,$bn_obj); #$bn1 = "" unless defined $bn1; @@ -823,6 +854,7 @@ while () s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/; s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/; s/^SHLIB_MINOR=.*/SHLIB_MINOR=$shlib_minor/; + s/^SHLIB_EXT=.*/SHLIB_EXT=$shared_extension/; s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/; s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/; s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/; @@ -833,6 +865,7 @@ while () s/^CFLAG=.*$/CFLAG= $cflags/; s/^DEPFLAG=.*$/DEPFLAG= $depflags/; s/^EX_LIBS=.*$/EX_LIBS= $lflags/; + s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/; s/^BN_ASM=.*$/BN_ASM= $bn_obj/; s/^DES_ENC=.*$/DES_ENC= $des_obj/; s/^BF_ENC=.*$/BF_ENC= $bf_obj/; @@ -846,9 +879,9 @@ while () s/^RANLIB=.*/RANLIB= $ranlib/; s/^PERL=.*/PERL= $perl/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; - s/^SHLIB_MARK1=.*/SHLIB_MARK1=$shared_mark1/; - s/^SHLIB_MARK2=.*/SHLIB_MARK2=$shared_mark2/; - s/^LIBS=.*/LIBS=libcrypto\.so\* libssl\.so\*/ if (!$no_shared); + s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; + s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.so.\$(SHLIB_MAJOR) .so/ if ($shared_extension ne "" && $shared_extension !~ /^\.s[ol]$/); print OUT $_."\n"; } close(IN); @@ -1135,8 +1168,9 @@ sub print_table_entry (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops, my $bn_obj,my $des_obj,my $bf_obj, my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj, - my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag)= - split(/\s*:\s*/,$table{$target} . ":" x 22 , -1); + my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag, + my $shared_extension,my $ranlib)= + split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); print < and I get errors why? -* I've called and it fails, why? -* I just get a load of numbers for the error output, what do they mean? -* Why do I get errors about unknown algorithms? * How do I create certificates or certificate requests? * Why can't I create certificate requests? * Why does fail with a certificate verify error? @@ -22,17 +24,38 @@ OpenSSL - Frequently Asked Questions * How can I create DSA certificates? * Why can't I make an SSL connection using a DSA certificate? * How can I remove the passphrase on a private key? -* Why can't the OpenSSH configure script detect OpenSSL? +* Why can't I use OpenSSL certificates with SSL client authentication? +* Why does my browser give a warning about a mismatched hostname? + +[BUILD] Questions about building and testing OpenSSL + +* Why does the linker complain about undefined symbols? * Why does the OpenSSL test fail with "bc: command not found"? * Why does the OpenSSL test fail with "bc: 1 no implemented"? * Why does the OpenSSL compilation fail on Alpha True64 Unix? * Why does the OpenSSL compilation fail with "ar: command not found"? +* Why does the OpenSSL compilation fail on Win32 with VC++? + +[PROG] Questions about programming with OpenSSL + +* Is OpenSSL thread-safe? +* I've compiled a program under Windows and it crashes: why? +* How do I read or write a DER encoded buffer using the ASN1 functions? +* I've tried using and I get errors why? +* I've called and it fails, why? +* I just get a load of numbers for the error output, what do they mean? +* Why do I get errors about unknown algorithms? +* Why can't the OpenSSH configure script detect OpenSSL? +* Can I use OpenSSL's SSL library with non-blocking I/O? + +=============================================================================== +[MISC] ======================================================================== * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.6 was released on September 24th, 2000. +OpenSSL 0.9.6a was released on April 5th, 2001. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . +* Where can I get a compiled version of OpenSSL? + +Some applications that use OpenSSL are distributed in binary form. +When using such an application, you don't need to install OpenSSL +yourself; the application will include the required parts (e.g. DLLs). + +If you want to install OpenSSL on a Windows system and you don't have +a C compiler, read the "Mingw32" section of INSTALL.W32 for information +on how to obtain and install the free GNU C compiler. + +A number of Linux and *BSD distributions include OpenSSL. + + +* Why aren't tools like 'autoconf' and 'libtool' used? + +autoconf will probably be used in future OpenSSL versions. If it was +less Unix-centric, it might have been used much earlier. + + +[LEGAL] ======================================================================= + * Do I need patent licenses to use OpenSSL? The patents section of the README file lists patents that may apply to @@ -89,18 +133,26 @@ You can configure OpenSSL so as not to use RC5 and IDEA by using ./config no-rc5 no-idea -* Is OpenSSL thread-safe? +* Can I use OpenSSL with GPL software? -Yes (with limitations: an SSL connection may not concurrently be used -by multiple threads). On Windows and many Unix systems, OpenSSL -automatically uses the multi-threaded versions of the standard -libraries. If your platform is not one of these, consult the INSTALL -file. +On many systems including the major Linux and BSD distributions, yes (the +GPL does not place restrictions on using libraries that are part of the +normal operating system distribution). -Multi-threaded applications must provide two callback functions to -OpenSSL. This is described in the threads(3) manpage. +On other systems, the situation is less clear. Some GPL software copyright +holders claim that you infringe on their rights if you use OpenSSL with +their software on operating systems that don't normally include OpenSSL. + +If you develop open source software that uses OpenSSL, you may find it +useful to choose an other license than the GPL, or state explicitely that +"This program is released under the GPL with the additional exemption that +compiling, linking, and/or using OpenSSL is allowed." If you are using +GPL software developed by others, you may want to ask the copyright holder +for permission to use their software with OpenSSL. +[USER] ======================================================================== + * Why do I get a "PRNG not seeded" error message? Cryptographic software needs a source of unpredictable data to work @@ -138,6 +190,101 @@ versions. However, be warned that /dev/random is usually a blocking device, which may have some effects on OpenSSL. +* How do I create certificates or certificate requests? + +Check out the CA.pl(1) manual page. This provides a simple wrapper round +the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check +out the manual pages for the individual utilities and the certificate +extensions documentation (currently in doc/openssl.txt). + + +* Why can't I create certificate requests? + +You typically get the error: + + unable to find 'distinguished_name' in config + problems making Certificate Request + +This is because it can't find the configuration file. Check out the +DIAGNOSTICS section of req(1) for more information. + + +* Why does fail with a certificate verify error? + +This problem is usually indicated by log messages saying something like +"unable to get local issuer certificate" or "self signed certificate". +When a certificate is verified its root CA must be "trusted" by OpenSSL +this typically means that the CA certificate must be placed in a directory +or file and the relevant program configured to read it. The OpenSSL program +'verify' behaves in a similar way and issues similar error messages: check +the verify(1) program manual page for more information. + + +* Why can I only use weak ciphers when I connect to a server using OpenSSL? + +This is almost certainly because you are using an old "export grade" browser +which only supports weak encryption. Upgrade your browser to support 128 bit +ciphers. + + +* How can I create DSA certificates? + +Check the CA.pl(1) manual page for a DSA certificate example. + + +* Why can't I make an SSL connection to a server using a DSA certificate? + +Typically you'll see a message saying there are no shared ciphers when +the same setup works fine with an RSA certificate. There are two possible +causes. The client may not support connections to DSA servers most web +browsers (including Netscape and MSIE) only support connections to servers +supporting RSA cipher suites. The other cause is that a set of DH parameters +has not been supplied to the server. DH parameters can be created with the +dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: +check the source to s_server in apps/s_server.c for an example. + + +* How can I remove the passphrase on a private key? + +Firstly you should be really *really* sure you want to do this. Leaving +a private key unencrypted is a major security risk. If you decide that +you do have to do this check the EXAMPLES sections of the rsa(1) and +dsa(1) manual pages. + + +* Why can't I use OpenSSL certificates with SSL client authentication? + +What will typically happen is that when a server requests authentication +it will either not include your certificate or tell you that you have +no client certificates (Netscape) or present you with an empty list box +(MSIE). The reason for this is that when a server requests a client +certificate it includes a list of CAs names which it will accept. Browsers +will only let you select certificates from the list on the grounds that +there is little point presenting a certificate which the server will +reject. + +The solution is to add the relevant CA certificate to your servers "trusted +CA list". How you do this depends on the server sofware in uses. You can +print out the servers list of acceptable CAs using the OpenSSL s_client tool: + +openssl s_client -connect www.some.host:443 -prexit + +If your server only requests certificates on certain URLs then you may need +to manually issue an HTTP GET command to get the list when s_client connects: + +GET /some/page/needing/a/certificate.html + +If your CA does not appear in the list then this confirms the problem. + + +* Why does my browser give a warning about a mismatched hostname? + +Browsers expect the server's hostname to match the value in the commonName +(CN) field of the certificate. If it does not then you get a warning. + + +[BUILD] ======================================================================= + * Why does the linker complain about undefined symbols? Maybe the compilation was interrupted, and make doesn't notice that @@ -162,17 +309,99 @@ If none of these helps, you may want to try using the current snapshot. If the problem persists, please submit a bug report. -* Where can I get a compiled version of OpenSSL? +* Why does the OpenSSL test fail with "bc: command not found"? -Some applications that use OpenSSL are distributed in binary form. -When using such an application, you don't need to install OpenSSL -yourself; the application will include the required parts (e.g. DLLs). +You didn't install "bc", the Unix calculator. If you want to run the +tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. -If you want to install OpenSSL on a Windows system and you don't have -a C compiler, read the "Mingw32" section of INSTALL.W32 for information -on how to obtain and install the free GNU C compiler. -A number of Linux and *BSD distributions include OpenSSL. +* Why does the OpenSSL test fail with "bc: 1 no implemented"? + +On some SCO installations or versions, bc has a bug that gets triggered +when you run the test suite (using "make test"). The message returned is +"bc: 1 not implemented". + +The best way to deal with this is to find another implementation of bc +and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +for download instructions) can be safely used, for example. + + +* Why does the OpenSSL compilation fail on Alpha True64 Unix? + +On some Alpha installations running True64 Unix and Compaq C, the compilation +of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual +memory to continue compilation.' As far as the tests have shown, this may be +a compiler bug. What happens is that it eats up a lot of resident memory +to build something, probably a table. The problem is clearly in the +optimization code, because if one eliminates optimization completely (-O0), +the compilation goes through (and the compiler consumes about 2MB of resident +memory instead of 240MB or whatever one's limit is currently). + +There are three options to solve this problem: + +1. set your current data segment size soft limit higher. Experience shows +that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do +this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of +kbytes to set the limit to. + +2. If you have a hard limit that is lower than what you need and you can't +get it changed, you can compile all of OpenSSL with -O0 as optimization +level. This is however not a very nice thing to do for those who expect to +get the best result from OpenSSL. A bit more complicated solution is the +following: + +----- snip:start ----- + make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ + sed -e 's/ -O[0-9] / -O0 /'`" + rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` + make +----- snip:end ----- + +This will only compile sha_dgst.c with -O0, the rest with the optimization +level chosen by the configuration process. When the above is done, do the +test and installation and you're set. + + +* Why does the OpenSSL compilation fail with "ar: command not found"? + +Getting this message is quite usual on Solaris 2, because Sun has hidden +away 'ar' and other development commands in directories that aren't in +$PATH by default. One of those directories is '/usr/ccs/bin'. The +quickest way to fix this is to do the following (it assumes you use sh +or any sh-compatible shell): + +----- snip:start ----- + PATH=${PATH}:/usr/ccs/bin; export PATH +----- snip:end ----- + +and then redo the compilation. What you should really do is make sure +'/usr/ccs/bin' is permanently in your $PATH, for example through your +'.profile' (again, assuming you use a sh-compatible shell). + + +* Why does the OpenSSL compilation fail on Win32 with VC++? + +Sometimes, you may get reports from VC++ command line (cl) that it +can't find standard include files like stdio.h and other weirdnesses. +One possible cause is that the environment isn't correctly set up. +To solve that problem, one should run VCVARS32.BAT which is found in +the 'bin' subdirectory of the VC++ installation directory (somewhere +under 'Program Files'). This needs to be done prior to running NMAKE, +and the changes are only valid for the current DOS session. + + +[PROG] ======================================================================== + +* Is OpenSSL thread-safe? + +Yes (with limitations: an SSL connection may not concurrently be used +by multiple threads). On Windows and many Unix systems, OpenSSL +automatically uses the multi-threaded versions of the standard +libraries. If your platform is not one of these, consult the INSTALL +file. + +Multi-threaded applications must provide two callback functions to +OpenSSL. This is described in the threads(3) manpage. * I've compiled a program under Windows and it crashes: why? @@ -259,68 +488,6 @@ is forgetting to load OpenSSL's table of algorithms with OpenSSL_add_all_algorithms(). See the manual page for more information. -* How do I create certificates or certificate requests? - -Check out the CA.pl(1) manual page. This provides a simple wrapper round -the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check -out the manual pages for the individual utilities and the certificate -extensions documentation (currently in doc/openssl.txt). - - -* Why can't I create certificate requests? - -You typically get the error: - - unable to find 'distinguished_name' in config - problems making Certificate Request - -This is because it can't find the configuration file. Check out the -DIAGNOSTICS section of req(1) for more information. - - -* Why does fail with a certificate verify error? - -This problem is usually indicated by log messages saying something like -"unable to get local issuer certificate" or "self signed certificate". -When a certificate is verified its root CA must be "trusted" by OpenSSL -this typically means that the CA certificate must be placed in a directory -or file and the relevant program configured to read it. The OpenSSL program -'verify' behaves in a similar way and issues similar error messages: check -the verify(1) program manual page for more information. - - -* Why can I only use weak ciphers when I connect to a server using OpenSSL? - -This is almost certainly because you are using an old "export grade" browser -which only supports weak encryption. Upgrade your browser to support 128 bit -ciphers. - - -* How can I create DSA certificates? - -Check the CA.pl(1) manual page for a DSA certificate example. - - -* Why can't I make an SSL connection to a server using a DSA certificate? - -Typically you'll see a message saying there are no shared ciphers when -the same setup works fine with an RSA certificate. There are two possible -causes. The client may not support connections to DSA servers most web -browsers (including Netscape and MSIE) only support connections to servers -supporting RSA cipher suites. The other cause is that a set of DH parameters -has not been supplied to the server. DH parameters can be created with the -dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: -check the source to s_server in apps/s_server.c for an example. - - -* How can I remove the passphrase on a private key? - -Firstly you should be really *really* sure you want to do this. Leaving -a private key unencrypted is a major security risk. If you decide that -you do have to do this check the EXAMPLES sections of the rsa(1) and -dsa(1) manual pages. - - * Why can't the OpenSSH configure script detect OpenSSL? There is a problem with OpenSSH 1.2.2p1, in that the configure script @@ -362,71 +529,19 @@ applied to the OpenSSH distribution: ----- snip:end ----- -* Why does the OpenSSL test fail with "bc: command not found"? +* Can I use OpenSSL's SSL library with non-blocking I/O? -You didn't install "bc", the Unix calculator. If you want to run the -tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. - - -* Why does the OpenSSL test fail with "bc: 1 no implemented"? +Yes; make sure to read the SSL_get_error(3) manual page! -On some SCO installations or versions, bc has a bug that gets triggered when -you run the test suite (using "make test"). The message returned is "bc: -1 not implemented". The best way to deal with this is to find another -implementation of bc and compile/install it. For example, GNU bc (see -http://www.gnu.org/software/software.html for download instructions) can -be safely used. +A pitfall to avoid: Don't assume that SSL_read() will just read from +the underlying transport or that SSL_write() will just write to it -- +it is also possible that SSL_write() cannot do any useful work until +there is data to read, or that SSL_read() cannot do anything until it +is possible to send data. One reason for this is that the peer may +request a new TLS/SSL handshake at any time during the protocol, +requiring a bi-directional message exchange; both SSL_read() and +SSL_write() will try to continue any pending handshake. -* Why does the OpenSSL compilation fail on Alpha True64 Unix? - -On some Alpha installations running True64 Unix and Compaq C, the compilation -of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual -memory to continue compilation.' As far as the tests have shown, this may be -a compiler bug. What happens is that it eats up a lot of resident memory -to build something, probably a table. The problem is clearly in the -optimization code, because if one eliminates optimization completely (-O0), -the compilation goes through (and the compiler consumes about 2MB of resident -memory instead of 240MB or whatever one's limit is currently). - -There are three options to solve this problem: - -1. set your current data segment size soft limit higher. Experience shows -that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do -this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of -kbytes to set the limit to. - -2. If you have a hard limit that is lower than what you need and you can't -get it changed, you can compile all of OpenSSL with -O0 as optimization -level. This is however not a very nice thing to do for those who expect to -get the best result from OpenSSL. A bit more complicated solution is the -following: - ------ snip:start ----- - make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ - sed -e 's/ -O[0-9] / -O0 /'`" - rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` - make ------ snip:end ----- - -This will only compile sha_dgst.c with -O0, the rest with the optimization -level chosen by the configuration process. When the above is done, do the -test and installation and you're set. - - -* Why does the OpenSSL compilation fail with "ar: command not found"? - -Getting this message is quite usual on Solaris 2, because Sun has hidden -away 'ar' and other development commands in directories that aren't in -$PATH by default. One of those directories is '/usr/ccs/bin'. The -quickest way to fix this is to do the following (it assumes you use sh -or any sh-compatible shell): - ------ snip:start ----- - PATH=${PATH}:/usr/ccs/bin; export PATH ------ snip:end ----- - -and then redo the compilation. What you should really do is make sure -'/usr/ccs/bin' is permanently in your $PATH, for example through your -'.profile' (again, assuming you use a sh-compatible shell). +=============================================================================== diff --git a/src/lib/libssl/src/LICENSE b/src/lib/libssl/src/LICENSE index bdd5f7bdd0..3fd259ac32 100644 --- a/src/lib/libssl/src/LICENSE +++ b/src/lib/libssl/src/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/src/lib/libssl/src/Makefile.org b/src/lib/libssl/src/Makefile.org index 0dd8a4e644..d24a0b5010 100644 --- a/src/lib/libssl/src/Makefile.org +++ b/src/lib/libssl/src/Makefile.org @@ -9,6 +9,7 @@ SHLIB_VERSION_NUMBER= SHLIB_VERSION_HISTORY= SHLIB_MAJOR= SHLIB_MINOR= +SHLIB_EXT= PLATFORM=dist OPTIONS= CONFIGURE_ARGS= @@ -58,8 +59,9 @@ CC= gcc #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM CFLAG= -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM DEPFLAG= -PEX_LIBS= -L. -L.. -L../.. -L../../.. +PEX_LIBS= EX_LIBS= +EXE_EXT= AR=ar r RANLIB= ranlib PERL= perl @@ -151,14 +153,11 @@ RMD160_ASM_OBJ= asm/rm86-out.o #RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD #RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi -# To do special treatment, use "directory names" starting with a period. # When we're prepared to use shared libraries in the programs we link here -# we might have SHLIB_MARK1 get the value ".shlib." and SHLIB_MARK2 be empty, -# or have that configurable. -SHLIB_MARK1=.shlib-clean. -SHLIB_MARK2=.shlib. +# we might set SHLIB_MARK to '$(SHARED_LIBS)'. +SHLIB_MARK= -DIRS= crypto ssl rsaref $(SHLIB_MARK1) apps test tools $(SHLIB_MARK2) +DIRS= crypto ssl rsaref $(SHLIB_MARK) apps test tools SHLIBDIRS= crypto ssl # dirs in crypto to build @@ -182,7 +181,10 @@ ONEDIRS=out tmp EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS WDIRS= windows LIBS= libcrypto.a libssl.a -SHARED_LIBS=libcrypto.so libssl.so +SHARED_CRYPTO=libcrypto$(SHLIB_EXT) +SHARED_SSL=libssl$(SHLIB_EXT) +SHARED_LIBS= +SHARED_LIBS_LINK_EXTS= GENERAL= Makefile BASENAME= openssl @@ -192,108 +194,93 @@ WTARFILE= $(NAME)-win.tar EXHEADER= e_os.h e_os2.h HEADER= e_os.h -all: Makefile.ssl - @need_shlib=true; \ - for i in $(DIRS) ;\ - do \ - if [ "$$i" = ".shlib-clean." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) clean-shared; \ - fi; \ - elif [ "$$i" = ".shlib." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi; \ - need_shlib=false; \ - else \ - (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ - fi; \ - done; \ - if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi +# When we're prepared to use shared libraries in the programs we link here +# we might remove 'clean-shared' from the targets to perform at this stage + +all: clean-shared Makefile.ssl sub_all sub_all: - @need_shlib=true; \ - for i in $(DIRS) ;\ + @for i in $(DIRS); \ do \ - if [ "$$i" = ".shlib-clean." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) clean-shared; \ - fi; \ - elif [ "$$i" = ".shlib." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi; \ - need_shlib=false; \ - else \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' all ) || exit 1; \ + else \ + $(MAKE) $$i; \ fi; \ done; \ - if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ + if echo "$(DIRS)" | \ + egrep '(^| )(crypto|ssl)( |$$)' > /dev/null 2>&1 && \ + [ -n "$(SHARED_LIBS)" ]; then \ $(MAKE) $(SHARED_LIBS); \ fi -libcrypto.so: libcrypto.a +libcrypto$(SHLIB_EXT): libcrypto.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=crypto $(SHLIB_TARGET); \ + $(MAKE) SHLIBDIRS=crypto build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi -libssl.so: libcrypto.so libssl.a +libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-L. -lcrypto' $(SHLIB_TARGET); \ + $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi clean-shared: - for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ + @for i in $(SHLIBDIRS); do \ + if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ + tmp="$(SHARED_LIBS_LINK_EXTS)"; \ + for j in $${tmp:-x}; do \ + ( set -x; rm -f lib$$i$$j ); \ + done; \ + fi; \ + ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \ done -linux-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ +link-shared: + @for i in $(SHLIBDIRS); do \ + prev=lib$$i$(SHLIB_EXT); \ + if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ + tmp="$(SHARED_LIBS_LINK_EXTS)"; \ + for j in $${tmp:-x}; do \ + ( set -x; ln -f -s $$prev lib$$i$$j ); \ + prev=lib$$i$$j; \ + done; \ + fi; \ + done + +build-shared: clean-shared do_$(SHLIB_TARGET) link-shared + +do_bsd-gcc-shared: do_gnu-shared +do_linux-shared: do_gnu-shared +do_gnu-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR} \ + -Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,--whole-archive lib$$i.a \ -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ - ( set -x; \ - ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - lib$$i.so.${SHLIB_MAJOR}; \ - ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so ); \ + libs="$$libs -l$$i"; \ done # This assumes that GNU utilities are *not* used -true64-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ +do_tru64-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} -shared -no_archive -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ + libs="$$libs -l$$i"; \ done # This assumes that GNU utilities are *not* used -solaris-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ - ( set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -h lib$$i.so.${SHLIB_MAJOR} \ +do_solaris-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ + set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ - ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - lib$$i.so.${SHLIB_MAJOR}; \ - ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so; \ + libs="$$libs -l$$i"; \ done Makefile.ssl: Makefile.org @@ -308,7 +295,7 @@ clean: rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making clean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \ rm -f $(LIBS); \ @@ -329,7 +316,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making 'files' in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \ fi; \ @@ -340,7 +327,7 @@ links: @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) @for i in $(DIRS); do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making links in $$i..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \ fi; \ @@ -350,7 +337,7 @@ dclean: rm -f *.bak @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making dclean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \ fi; \ @@ -365,7 +352,7 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' tests ); + $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' EXE_EXT='${EXE_EXT}' tests ); @apps/openssl version -a report: @@ -374,7 +361,7 @@ report: depend: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making dependencies $$i..." && \ $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \ fi; \ @@ -383,7 +370,7 @@ depend: lint: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making lint $$i..." && \ $(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \ fi; \ @@ -392,7 +379,7 @@ lint: tags: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making tags $$i..." && \ $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \ fi; \ @@ -454,9 +441,9 @@ install: all install_docs done; @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i; echo "installing $$i..."; \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \ + $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' install ); \ fi; \ done @for i in $(LIBS) ;\ @@ -468,6 +455,20 @@ install: all install_docs chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi \ done + @if [ -n "$(SHARED_LIBS)" ]; then \ + tmp="$(SHARED_LIBS)"; \ + for i in $${tmp:-x}; \ + do \ + if [ -f "$$i" ]; then \ + ( echo installing $$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + fi \ + done; \ + ( here="`pwd`"; \ + cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ + make -f $$here/Makefile link-shared ); \ + fi install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS index 7cf95cfb0b..b9ea61239f 100644 --- a/src/lib/libssl/src/NEWS +++ b/src/lib/libssl/src/NEWS @@ -5,6 +5,31 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: + + o Security fix: change behavior of OpenSSL to avoid using + environment variables when running as root. + o Security fix: check the result of RSA-CRT to reduce the + possibility of deducing the private key from an incorrectly + calculated signature. + o Security fix: prevent Bleichenbacher's DSA attack. + o Security fix: Zero the premaster secret after deriving the + master secret in DH ciphersuites. + o Reimplement SSL_peek(), which had various problems. + o Compatibility fix: the function des_encrypt() renamed to + des_encrypt1() to avoid clashes with some Unixen libc. + o Bug fixes for Win32, HP/UX and Irix. + o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and + memory checking routines. + o Bug fixes for RSA operations in threaded enviroments. + o Bug fixes in misc. openssl applications. + o Remove a few potential memory leaks. + o Add tighter checks of BIGNUM routines. + o Shared library support has been reworked for generality. + o More documentation. + o New function BN_rand_range(). + o Add "-rand" option to openssl s_client and s_server. + Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: o Some documentation for BIO and SSL libraries. diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README index e8f20f49a6..c500744c6b 100644 --- a/src/lib/libssl/src/README +++ b/src/lib/libssl/src/README @@ -1,5 +1,6 @@ - OpenSSL 0.9.5 28 Feb 2000 + OpenSSL 0.9.6a [engine] 5 Apr 2001 + Copyright (c) 1998-2000 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/src/lib/libssl/src/apps/Makefile.ssl b/src/lib/libssl/src/apps/Makefile.ssl index e8677cbb2d..75aeb56df3 100644 --- a/src/lib/libssl/src/apps/Makefile.ssl +++ b/src/lib/libssl/src/apps/Makefile.ssl @@ -18,6 +18,7 @@ RM= rm -f PEX_LIBS= EX_LIBS= +EXE_EXT= CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG) @@ -32,7 +33,7 @@ PROGRAM= openssl SCRIPTS=CA.sh CA.pl der_chop -EXE= $(PROGRAM) +EXE= $(PROGRAM)$(EXE_EXT) E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \ ca crl rsa rsautl dsa dsaparam \ @@ -77,7 +78,7 @@ top: all: exe -exe: $(EXE) +exe: $(PROGRAM) req: sreq.o $(A_OBJ) $(DLIBCRYPTO) $(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) diff --git a/src/lib/libssl/src/apps/app_rand.c b/src/lib/libssl/src/apps/app_rand.c index 1146f9f7f3..8a78e12eb7 100644 --- a/src/lib/libssl/src/apps/app_rand.c +++ b/src/lib/libssl/src/apps/app_rand.c @@ -177,8 +177,10 @@ long app_RAND_load_files(char *name) if (*n == '\0') break; egd=RAND_egd(n); - if (egd > 0) tot+=egd; - tot+=RAND_load_file(n,-1); + if (egd > 0) + tot+=egd; + else + tot+=RAND_load_file(n,-1); if (last) break; } if (tot > 512) diff --git a/src/lib/libssl/src/apps/ca-cert.srl b/src/lib/libssl/src/apps/ca-cert.srl index eeee65ec41..2c7456e3eb 100644 --- a/src/lib/libssl/src/apps/ca-cert.srl +++ b/src/lib/libssl/src/apps/ca-cert.srl @@ -1 +1 @@ -05 +07 diff --git a/src/lib/libssl/src/apps/dsaparam.c b/src/lib/libssl/src/apps/dsaparam.c index 67f054c645..34230b2cfb 100644 --- a/src/lib/libssl/src/apps/dsaparam.c +++ b/src/lib/libssl/src/apps/dsaparam.c @@ -313,7 +313,7 @@ bad: printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n", bits_p,bits_p); printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n"); - printf("\t\treturn(NULL);\n"); + printf("\t\t{ DSA_free(dsa); return(NULL); }\n"); printf("\treturn(dsa);\n\t}\n"); } diff --git a/src/lib/libssl/src/apps/md5.c b/src/lib/libssl/src/apps/md5.c new file mode 100644 index 0000000000..7ed0024ae1 --- /dev/null +++ b/src/lib/libssl/src/apps/md5.c @@ -0,0 +1,127 @@ +/* crypto/md5/md5.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include +#include +#include + +#define BUFSIZE 1024*16 + +void do_fp(FILE *f); +void pt(unsigned char *md); +#ifndef _OSD_POSIX +int read(int, void *, unsigned int); +#endif + +int main(int argc, char **argv) + { + int i,err=0; + FILE *IN; + + if (argc == 1) + { + do_fp(stdin); + } + else + { + for (i=1; itype == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif - if (pkey == NULL) { BIO_printf(bio_err,"you need to specify a private key\n"); goto end; } +#ifndef NO_DSA + if (pkey->type == EVP_PKEY_DSA) + digest=EVP_dss1(); +#endif if (req == NULL) { req=X509_REQ_new(); diff --git a/src/lib/libssl/src/apps/rmd160.c b/src/lib/libssl/src/apps/rmd160.c new file mode 100644 index 0000000000..4f8b88a18a --- /dev/null +++ b/src/lib/libssl/src/apps/rmd160.c @@ -0,0 +1,127 @@ +/* crypto/ripemd/rmd160.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include +#include +#include + +#define BUFSIZE 1024*16 + +void do_fp(FILE *f); +void pt(unsigned char *md); +#ifndef _OSD_POSIX +int read(int, void *, unsigned int); +#endif + +int main(int argc, char **argv) + { + int i,err=0; + FILE *IN; + + if (argc == 1) + { + do_fp(stdin); + } + else + { + for (i=1; i #include @@ -313,3 +316,4 @@ static void usage() BIO_printf(bio_err, "-hexdump hex dump output\n"); } +#endif diff --git a/src/lib/libssl/src/apps/s_client.c b/src/lib/libssl/src/apps/s_client.c index 45d627a60a..0e1a61b789 100644 --- a/src/lib/libssl/src/apps/s_client.c +++ b/src/lib/libssl/src/apps/s_client.c @@ -79,6 +79,7 @@ typedef unsigned int u_int; #include #include #include +#include #include #include "s_apps.h" @@ -153,8 +154,8 @@ static void sc_usage(void) BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); BIO_printf(bio_err," command to see what is available\n"); + BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); - } int MAIN(int, char **); @@ -181,6 +182,7 @@ int MAIN(int argc, char **argv) int prexit = 0; SSL_METHOD *meth=NULL; BIO *sbio; + char *inrand=NULL; char *engine_id=NULL; ENGINE *e=NULL; #ifdef WINDOWS @@ -320,6 +322,11 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-nbio") == 0) { c_nbio=1; } #endif + else if (strcmp(*argv,"-rand") == 0) + { + if (--argc < 1) goto bad; + inrand= *(++argv); + } else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; @@ -341,7 +348,14 @@ bad: goto end; } - app_RAND_load_file(NULL, bio_err, 0); + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL + && !RAND_status()) + { + BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err,"%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); if (bio_c_out == NULL) { diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c index 61a77dff11..a107b8c14a 100644 --- a/src/lib/libssl/src/apps/s_server.c +++ b/src/lib/libssl/src/apps/s_server.c @@ -83,6 +83,7 @@ typedef unsigned int u_int; #include #include #include +#include #include #include "s_apps.h" @@ -245,6 +246,7 @@ static void sv_usage(void) BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); BIO_printf(bio_err," -WWW - Respond to a 'GET / HTTP/1.0' with file ./\n"); + BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); } @@ -415,6 +417,8 @@ int MAIN(int argc, char *argv[]) int no_tmp_rsa=0,no_dhe=0,nocert=0; int state=0; SSL_METHOD *meth=NULL; + char *inrand=NULL; + char *engine_id=NULL; ENGINE *e=NULL; #ifndef NO_DH DH *dh=NULL; @@ -570,6 +574,11 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-tls1") == 0) { meth=TLSv1_server_method(); } #endif + else if (strcmp(*argv,"-rand") == 0) + { + if (--argc < 1) goto bad; + inrand= *(++argv); + } else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; @@ -591,7 +600,14 @@ bad: goto end; } - app_RAND_load_file(NULL, bio_err, 0); + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL + && !RAND_status()) + { + BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err,"%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); if (bio_s_out == NULL) { @@ -709,7 +725,8 @@ bad: #ifndef NO_RSA #if 1 - SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb); + if (!no_tmp_rsa) + SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb); #else if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) { @@ -1369,15 +1386,29 @@ static int www_body(char *hostname, int s, unsigned char *context) /* skip the '/' */ p= &(buf[5]); - dot=0; + + dot = 1; for (e=p; *e != '\0'; e++) { - if (e[0] == ' ') break; - if ( (e[0] == '.') && - (strncmp(&(e[-1]),"/../",4) == 0)) - dot=1; + if (e[0] == ' ') + break; + + switch (dot) + { + case 1: + dot = (e[0] == '.') ? 2 : 0; + break; + case 2: + dot = (e[0] == '.') ? 3 : 0; + break; + case 3: + dot = (e[0] == '/') ? -1 : 0; + break; + } + if (dot == 0) + dot = (e[0] == '/') ? 1 : 0; } - + dot = (dot == 3) || (dot == -1); /* filename contains ".." component */ if (*e == '\0') { @@ -1401,9 +1432,11 @@ static int www_body(char *hostname, int s, unsigned char *context) break; } +#if 0 /* append if a directory lookup */ if (e[-1] == '/') strcat(p,"index.html"); +#endif /* if a directory, do the index thang */ if (stat(p,&st_buf) < 0) @@ -1415,7 +1448,13 @@ static int www_body(char *hostname, int s, unsigned char *context) } if (S_ISDIR(st_buf.st_mode)) { +#if 0 /* must check buffer size */ strcat(p,"/index.html"); +#else + BIO_puts(io,text); + BIO_printf(io,"'%s' is a directory\r\n",p); + break; +#endif } if ((file=BIO_new_file(p,"r")) == NULL) diff --git a/src/lib/libssl/src/apps/server.pem b/src/lib/libssl/src/apps/server.pem index c57b32507d..56248e57a3 100644 --- a/src/lib/libssl/src/apps/server.pem +++ b/src/lib/libssl/src/apps/server.pem @@ -1,17 +1,17 @@ issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit) +subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit) -----BEGIN CERTIFICATE----- -MIIB6TCCAVICAQQwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV +MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD -VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTgwNjI5MjM1MjQwWhcNMDAwNjI4 -MjM1MjQwWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG +VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0 +MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2// -Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCVvvfkGSe2GHgDFfmOua4Isjb9 -JVhImWMASiOClkZlMESDJjsszg/6+d/W+8TrbObhazpl95FivXBVucbj9dudh7AO -IZu1h1MAPlyknc9Ud816vz3FejB4qqUoaXjnlkrIgEbr/un7jSS86WOe0hRhwHkJ -FUGcPZf9ND22Etc+AQ== +Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4 +GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM +k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz +itAE+OjGF+PFKbwX8Q== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD diff --git a/src/lib/libssl/src/apps/speed.c b/src/lib/libssl/src/apps/speed.c index ba41916371..3562ea277b 100644 --- a/src/lib/libssl/src/apps/speed.c +++ b/src/lib/libssl/src/apps/speed.c @@ -865,6 +865,7 @@ int MAIN(int argc, char **argv) } #endif +#ifndef NO_DSA dsa_c[R_DSA_512][0]=count/1000; dsa_c[R_DSA_512][1]=count/1000/2; for (i=1; itype == EVP_PKEY_DSA) digest=EVP_dss1(); +#endif rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); diff --git a/src/lib/libssl/src/certs/rsa-ssca.pem b/src/lib/libssl/src/certs/rsa-ssca.pem index c9403212d1..e69de29bb2 100644 --- a/src/lib/libssl/src/certs/rsa-ssca.pem +++ b/src/lib/libssl/src/certs/rsa-ssca.pem @@ -1,19 +0,0 @@ -subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority -issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority -notBefore=941109235417Z -notAfter =991231235417Z ------BEGIN X509 CERTIFICATE----- - -MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw -HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl -IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda -Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0 -YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB -roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12 -aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc -HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A -iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7 -suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h -cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk= ------END X509 CERTIFICATE----- diff --git a/src/lib/libssl/src/config b/src/lib/libssl/src/config index 458838d800..d22836f80f 100644 --- a/src/lib/libssl/src/config +++ b/src/lib/libssl/src/config @@ -49,10 +49,18 @@ if [ "x$XREL" != "x" ]; then echo "whatever-whatever-sco5"; exit 0 ;; 4.2MP) - if [ "x$VERSION" = "x2.1.1" ]; then + if [ "x$VERSION" = "x2.01" ]; then + echo "${MACHINE}-whatever-unixware201"; exit 0 + elif [ "x$VERSION" = "x2.02" ]; then + echo "${MACHINE}-whatever-unixware202"; exit 0 + elif [ "x$VERSION" = "x2.03" ]; then + echo "${MACHINE}-whatever-unixware203"; exit 0 + elif [ "x$VERSION" = "x2.1.1" ]; then echo "${MACHINE}-whatever-unixware211"; exit 0 elif [ "x$VERSION" = "x2.1.2" ]; then echo "${MACHINE}-whatever-unixware212"; exit 0 + elif [ "x$VERSION" = "x2.1.3" ]; then + echo "${MACHINE}-whatever-unixware213"; exit 0 else echo "${MACHINE}-whatever-unixware2"; exit 0 fi @@ -79,6 +87,14 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in echo "m68k-apple-aux3"; exit 0 ;; + AIX:[3456789]:4:*) + echo "${MACHINE}-ibm-aix43"; exit 0 + ;; + + AIX:*:[56789]:*) + echo "${MACHINE}-ibm-aix43"; exit 0 + ;; + AIX:*) echo "${MACHINE}-ibm-aix"; exit 0 ;; @@ -168,7 +184,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in ;; NetBSD:*:*:*386*) - echo "`/usr/sbin/sysctl -n hw.model | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 + echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 ;; NetBSD:*) @@ -393,10 +409,16 @@ case "$GUESSOS" in ;; mips4-sgi-irix64) echo "WARNING! If you wish to build 64-bit library, then you have to" - echo " invoke './Configre irix64-mips4-$CC' *manually*." - echo " Type Ctrl-C if you don't want to continue." + echo " invoke './Configure irix64-mips4-$CC' *manually*." + echo " Type return if you want to continue, Ctrl-C to abort." read waste < /dev/tty - options="$options -mips4" + CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=${CPU:-0} + if [ $CPU -ge 5000 ]; then + options="$options -mips4" + else + options="$options -mips3" + fi OUT="irix-mips3-$CC" ;; alpha-*-linux2) @@ -422,11 +444,11 @@ case "$GUESSOS" in #till 64-bit glibc for SPARC is operational:-( #echo "WARNING! If you wish to build 64-bit library, then you have to" #echo " invoke './Configure linux64-sparcv9' *manually*." - #echo " Type Ctrl-C if you don't want to continue." + #echo " Type return if you want to continue, Ctrl-C to abort." #read waste < /dev/tty OUT="linux-sparcv9" ;; sparc-*-linux2) - KARCH=`awk '/type/{print$3}' /proc/cpuinfo` + KARCH=`awk '/^type/{print$3}' /proc/cpuinfo` case ${KARCH:-sun4} in sun4u*) OUT="linux-sparcv9" ;; sun4m) OUT="linux-sparcv8" ;; @@ -434,6 +456,7 @@ case "$GUESSOS" in *) OUT="linux-sparcv7" ;; esac ;; arm*-*-linux2) OUT="linux-elf-arm" ;; + s390-*-linux2) OUT="linux-s390" ;; *-*-linux2) OUT="linux-elf" ;; *-*-linux1) OUT="linux-aout" ;; sun4u*-*-solaris2) @@ -441,7 +464,7 @@ case "$GUESSOS" in if [ "$ISA64" != "" -a "$CC" = "cc" -a $CCVER -ge 50 ]; then echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure solaris64-sparcv9-cc' *manually*." - echo " Type Ctrl-C if you don't want to continue." + echo " Type return if you want to continue, Ctrl-C to abort." read waste < /dev/tty fi OUT="solaris-sparcv9-$CC" ;; @@ -466,9 +489,12 @@ case "$GUESSOS" in *-*-unixware7) OUT="unixware-7" ;; *-*-UnixWare7) OUT="unixware-7" ;; *-*-Unixware7) OUT="unixware-7" ;; - *-*-unixware[1-2]*) OUT="unixware-2.0" ;; - *-*-UnixWare[1-2]*) OUT="unixware-2.0" ;; - *-*-Unixware[1-2]*) OUT="unixware-2.0" ;; + *-*-unixware20*) OUT="unixware-2.0" ;; + *-*-unixware21*) OUT="unixware-2.1" ;; + *-*-UnixWare20*) OUT="unixware-2.0" ;; + *-*-UnixWare21*) OUT="unixware-2.1" ;; + *-*-Unixware20*) OUT="unixware-2.0" ;; + *-*-Unixware21*) OUT="unixware-2.1" ;; BS2000-siemens-sysv4) OUT="BS2000-OSD" ;; RM*-siemens-sysv4) OUT="ReliantUNIX" ;; *-siemens-sysv4) OUT="SINIX" ;; @@ -563,7 +589,7 @@ OUT="$PREFIX$OUT" $PERL ./Configure LIST | grep "$OUT" > /dev/null if [ $? = "0" ]; then - #echo Configuring for $OUT + echo Configuring for $OUT if [ "$TEST" = "true" ]; then echo $PERL ./Configure $OUT $options diff --git a/src/lib/libssl/src/crypto/Makefile b/src/lib/libssl/src/crypto/Makefile index 05e3bb701e..6759b2e4d0 100644 --- a/src/lib/libssl/src/crypto/Makefile +++ b/src/lib/libssl/src/crypto/Makefile @@ -34,8 +34,8 @@ SDIRS= md2 md5 sha mdc2 hmac ripemd \ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a -LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c -LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o +LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c +LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o SRC= $(LIBSRC) @@ -90,7 +90,8 @@ links: lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib libs: @@ -197,3 +198,6 @@ tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h +uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h +uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h +uid.o: ../include/openssl/symhacks.h diff --git a/src/lib/libssl/src/crypto/Makefile.ssl b/src/lib/libssl/src/crypto/Makefile.ssl index 05e3bb701e..6759b2e4d0 100644 --- a/src/lib/libssl/src/crypto/Makefile.ssl +++ b/src/lib/libssl/src/crypto/Makefile.ssl @@ -34,8 +34,8 @@ SDIRS= md2 md5 sha mdc2 hmac ripemd \ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a -LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c -LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o +LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c +LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o SRC= $(LIBSRC) @@ -90,7 +90,8 @@ links: lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib libs: @@ -197,3 +198,6 @@ tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h +uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h +uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h +uid.o: ../include/openssl/symhacks.h diff --git a/src/lib/libssl/src/crypto/asn1/Makefile.ssl b/src/lib/libssl/src/crypto/asn1/Makefile.ssl index b8059ddffe..dace5be2bc 100644 --- a/src/lib/libssl/src/crypto/asn1/Makefile.ssl +++ b/src/lib/libssl/src/crypto/asn1/Makefile.ssl @@ -75,7 +75,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/asn1/a_strnid.c b/src/lib/libssl/src/crypto/asn1/a_strnid.c index 6b10cff994..732e68fe46 100644 --- a/src/lib/libssl/src/crypto/asn1/a_strnid.c +++ b/src/lib/libssl/src/crypto/asn1/a_strnid.c @@ -133,7 +133,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, if(tbl) { mask = tbl->mask; if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask; - ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask, + ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask, tbl->minsize, tbl->maxsize); } else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask); if(ret <= 0) return NULL; diff --git a/src/lib/libssl/src/crypto/asn1/asn1_lib.c b/src/lib/libssl/src/crypto/asn1/asn1_lib.c index 77447a5240..a8b651e54e 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1_lib.c +++ b/src/lib/libssl/src/crypto/asn1/asn1_lib.c @@ -301,7 +301,7 @@ int asn1_GetSequence(ASN1_CTX *c, long *length) return(0); } if (c->inf == (1|V_ASN1_CONSTRUCTED)) - c->slen= *length+ *(c->pp)-c->p; + c->slen= *length; c->eos=0; return(1); } diff --git a/src/lib/libssl/src/crypto/asn1/asn1_mac.h b/src/lib/libssl/src/crypto/asn1/asn1_mac.h index 4512ba6cc6..af0e664b2d 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1_mac.h +++ b/src/lib/libssl/src/crypto/asn1/asn1_mac.h @@ -196,6 +196,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_put_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_put_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_put_SEQUENCE_type(type,a,f); + #define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \ if ((c.slen != 0) && \ (M_ASN1_next == \ @@ -389,6 +392,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_len_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_len_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_len_SEQUENCE_type(type,a,f); + #define M_ASN1_I2D_len_IMP_SET(a,f,x) \ ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET); @@ -452,6 +458,15 @@ err:\ ret+=ASN1_object_size(1,v,mtag); \ } +#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a)\ + { \ + v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \ + V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + ret+=ASN1_object_size(1,v,mtag); \ + } + /* Put Macros */ #define M_ASN1_I2D_put(a,f) f(a,&p) @@ -536,6 +551,14 @@ err:\ IS_SEQUENCE); \ } +#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a) \ + { \ + ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \ + i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + } + #define M_ASN1_I2D_seq_total() \ r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \ if (pp == NULL) return(r); \ diff --git a/src/lib/libssl/src/crypto/asn1/p7_lib.c b/src/lib/libssl/src/crypto/asn1/p7_lib.c index b1196ef581..8a340b0119 100644 --- a/src/lib/libssl/src/crypto/asn1/p7_lib.c +++ b/src/lib/libssl/src/crypto/asn1/p7_lib.c @@ -307,12 +307,14 @@ PKCS7 *d2i_PKCS7(PKCS7 **a, unsigned char **pp, long length) } if (Tinf == (1|V_ASN1_CONSTRUCTED)) { + c.q=c.p; if (!ASN1_check_infinite_end(&c.p,c.slen)) { c.error=ERR_R_MISSING_ASN1_EOS; c.line=__LINE__; goto err; } + c.slen-=(c.p-c.q); } } else diff --git a/src/lib/libssl/src/crypto/asn1/x_crl.c b/src/lib/libssl/src/crypto/asn1/x_crl.c index 1f302d0e01..51518cdf35 100644 --- a/src/lib/libssl/src/crypto/asn1/x_crl.c +++ b/src/lib/libssl/src/crypto/asn1/x_crl.c @@ -71,14 +71,14 @@ int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **pp) M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_len_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_seq_total(); M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_put_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_finish(); @@ -121,7 +121,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_len_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -138,7 +138,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -260,7 +260,7 @@ X509_CRL_INFO *X509_CRL_INFO_new(void) M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new); ret->nextUpdate=NULL; M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null); - M_ASN1_New(ret->extensions,sk_X509_EXTENSION_new_null); + ret->extensions = NULL; sk_X509_REVOKED_set_cmp_func(ret->revoked,X509_REVOKED_cmp); return(ret); M_ASN1_New_Error(ASN1_F_X509_CRL_INFO_NEW); diff --git a/src/lib/libssl/src/crypto/asn1/x_name.c b/src/lib/libssl/src/crypto/asn1/x_name.c index b832deb928..1885d699ef 100644 --- a/src/lib/libssl/src/crypto/asn1/x_name.c +++ b/src/lib/libssl/src/crypto/asn1/x_name.c @@ -141,10 +141,12 @@ static int i2d_X509_NAME_entries(X509_NAME *a) } size+=i2d_X509_NAME_ENTRY(ne,NULL); } - - ret+=ASN1_object_size(1,size,V_ASN1_SET); if (fe != NULL) + { + /* SET OF needed only if entries is non empty */ + ret+=ASN1_object_size(1,size,V_ASN1_SET); fe->size=size; + } r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); diff --git a/src/lib/libssl/src/crypto/bf/Makefile.ssl b/src/lib/libssl/src/crypto/bf/Makefile.ssl index f4eb90f13f..9205ee7901 100644 --- a/src/lib/libssl/src/crypto/bf/Makefile.ssl +++ b/src/lib/libssl/src/crypto/bf/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libssl/src/crypto/bio/Makefile.ssl b/src/lib/libssl/src/crypto/bio/Makefile.ssl index 916d651d47..567d3fb870 100644 --- a/src/lib/libssl/src/crypto/bio/Makefile.ssl +++ b/src/lib/libssl/src/crypto/bio/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: @@ -95,13 +96,13 @@ b_dump.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h b_dump.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h b_dump.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h b_dump.o: ../cryptlib.h -b_print.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h -b_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h -b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -b_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h -b_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h -b_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -b_print.o: ../cryptlib.h +b_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +b_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +b_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h +b_print.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +b_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +b_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +b_print.o: ../../include/openssl/symhacks.h ../cryptlib.h b_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h b_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/src/lib/libssl/src/crypto/bio/b_print.c b/src/lib/libssl/src/crypto/bio/b_print.c index a62f551635..b4f7a85f2e 100644 --- a/src/lib/libssl/src/crypto/bio/b_print.c +++ b/src/lib/libssl/src/crypto/bio/b_print.c @@ -69,6 +69,7 @@ #ifndef NO_SYS_TYPES_H #include #endif +#include /* To get BN_LLONG properly defined */ #include #ifdef BN_LLONG diff --git a/src/lib/libssl/src/crypto/bio/b_sock.c b/src/lib/libssl/src/crypto/bio/b_sock.c index 64310058b4..62cc3f1a0c 100644 --- a/src/lib/libssl/src/crypto/bio/b_sock.c +++ b/src/lib/libssl/src/crypto/bio/b_sock.c @@ -113,8 +113,8 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) /* At this point, we have something that is most probably correct in some way, so let's init the socket. */ - if (!BIO_sock_init()) - return(0); /* don't generate another error code here */ + if (BIO_sock_init() != 1) + return 0; /* don't generate another error code here */ /* If the string actually contained an IP address, we need not do anything more */ @@ -519,15 +519,15 @@ int BIO_get_accept_socket(char *host, int bind_mode) { int ret=0; struct sockaddr_in server,client; - int s= -1,cs; + int s=INVALID_SOCKET,cs; unsigned char ip[4]; unsigned short port; - char *str,*e; + char *str=NULL,*e; const char *h,*p; unsigned long l; int err_num; - if (!BIO_sock_init()) return(INVALID_SOCKET); + if (BIO_sock_init() != 1) return(INVALID_SOCKET); if ((str=BUF_strdup(host)) == NULL) return(INVALID_SOCKET); @@ -553,7 +553,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) h="*"; } - if (!BIO_get_port(p,&port)) return(INVALID_SOCKET); + if (!BIO_get_port(p,&port)) goto err; memset((char *)&server,0,sizeof(server)); server.sin_family=AF_INET; @@ -563,7 +563,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) server.sin_addr.s_addr=INADDR_ANY; else { - if (!BIO_get_host_ip(h,&(ip[0]))) return(INVALID_SOCKET); + if (!BIO_get_host_ip(h,&(ip[0]))) goto err; l=(unsigned long) ((unsigned long)ip[0]<<24L)| ((unsigned long)ip[1]<<16L)| diff --git a/src/lib/libssl/src/crypto/bn/Makefile.ssl b/src/lib/libssl/src/crypto/bn/Makefile.ssl index 17b72d577f..526d7adb5c 100644 --- a/src/lib/libssl/src/crypto/bn/Makefile.ssl +++ b/src/lib/libssl/src/crypto/bn/Makefile.ssl @@ -68,7 +68,8 @@ bnbug: bnbug.c ../../libcrypto.a top lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libssl/src/crypto/bn/asm/mips3.s b/src/lib/libssl/src/crypto/bn/asm/mips3.s index 2df4dcd4b0..45786c00a5 100644 --- a/src/lib/libssl/src/crypto/bn/asm/mips3.s +++ b/src/lib/libssl/src/crypto/bn/asm/mips3.s @@ -586,13 +586,13 @@ LEAF(bn_div_3_words) ld a0,(a3) move ta2,a1 ld a1,-8(a3) - move ta3,ra - move v1,zero + bne a0,a2,.L_bn_div_3_words_proceed li v0,-1 - beq a0,a2,.L_bn_div_3_words_skip_div + jr ra +.L_bn_div_3_words_proceed: + move ta3,ra bal bn_div_words move ra,ta3 -.L_bn_div_3_words_skip_div: dmultu ta2,v0 ld t2,-16(a3) move ta0,zero diff --git a/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s b/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s index 7239aa2c76..af9730d062 100644 --- a/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s +++ b/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s @@ -1611,7 +1611,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$7 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/src/lib/libssl/src/crypto/bn/asm/pa-risc2W.s b/src/lib/libssl/src/crypto/bn/asm/pa-risc2W.s index 54b6606252..a99545754d 100644 --- a/src/lib/libssl/src/crypto/bn/asm/pa-risc2W.s +++ b/src/lib/libssl/src/crypto/bn/asm/pa-risc2W.s @@ -1598,7 +1598,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$4 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/src/lib/libssl/src/crypto/bn/bn.h b/src/lib/libssl/src/crypto/bn/bn.h index 1eb8395b25..b232c2ceae 100644 --- a/src/lib/libssl/src/crypto/bn/bn.h +++ b/src/lib/libssl/src/crypto/bn/bn.h @@ -239,7 +239,7 @@ typedef struct bignum_st } BIGNUM; /* Used for temp variables */ -#define BN_CTX_NUM 12 +#define BN_CTX_NUM 16 #define BN_CTX_NUM_POS 12 typedef struct bignum_ctx { @@ -328,6 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx); void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); +int BN_rand_range(BIGNUM *rnd, BIGNUM *range); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); @@ -467,6 +468,8 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num); # define bn_dump(a,b) #endif +int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -493,16 +496,19 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num); #define BN_F_BN_MPI2BN 112 #define BN_F_BN_NEW 113 #define BN_F_BN_RAND 114 +#define BN_F_BN_RAND_RANGE 122 #define BN_F_BN_USUB 115 /* Reason codes. */ #define BN_R_ARG2_LT_ARG3 100 #define BN_R_BAD_RECIPROCAL 101 +#define BN_R_BIGNUM_TOO_LONG 114 #define BN_R_CALLED_WITH_EVEN_MODULUS 102 #define BN_R_DIV_BY_ZERO 103 #define BN_R_ENCODING_ERROR 104 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105 #define BN_R_INVALID_LENGTH 106 +#define BN_R_INVALID_RANGE 115 #define BN_R_NOT_INITIALIZED 107 #define BN_R_NO_INVERSE 108 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 diff --git a/src/lib/libssl/src/crypto/bn/bn_div.c b/src/lib/libssl/src/crypto/bn/bn_div.c index c3772c243b..c328b5b411 100644 --- a/src/lib/libssl/src/crypto/bn/bn_div.c +++ b/src/lib/libssl/src/crypto/bn/bn_div.c @@ -180,13 +180,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, BN_CTX_start(ctx); tmp=BN_CTX_get(ctx); - tmp->neg=0; snum=BN_CTX_get(ctx); sdiv=BN_CTX_get(ctx); if (dv == NULL) res=BN_CTX_get(ctx); else res=dv; - if (res == NULL) goto err; + if (sdiv==NULL || res == NULL) goto err; + tmp->neg=0; /* First we normalise the numbers */ norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2); @@ -237,7 +237,8 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, for (i=0; i +#include #include #include "cryptlib.h" #include "bn_lcl.h" @@ -319,6 +320,12 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) if (words > b->dmax) { + if (words > (INT_MAX/(4*BN_BITS2))) + { + BNerr(BN_F_BN_EXPAND2,BN_R_BIGNUM_TOO_LONG); + return NULL; + } + bn_check_top(b); if (BN_get_flags(b,BN_FLG_STATIC_DATA)) { diff --git a/src/lib/libssl/src/crypto/bn/bn_rand.c b/src/lib/libssl/src/crypto/bn/bn_rand.c index 21ecbc04ed..acd0619921 100644 --- a/src/lib/libssl/src/crypto/bn/bn_rand.c +++ b/src/lib/libssl/src/crypto/bn/bn_rand.c @@ -76,7 +76,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) bytes=(bits+7)/8; bit=(bits-1)%8; - mask=0xff<= 128 && i > 0) + buf[i] = buf[i-1]; + else if (c < 42) + buf[i] = 0; + else if (c < 84) + buf[i] = 255; + } + } +#endif + + if (top != -1) + { + if (top) { - buf[0]=1; - buf[1]|=0x80; + if (bit == 0) + { + buf[0]=1; + buf[1]|=0x80; + } + else + { + buf[0]|=(3<<(bit-1)); + } } else { - buf[0]|=(3<<(bit-1)); - buf[0]&= ~(mask<<1); + buf[0]|=(1<neg || BN_is_zero(range)) + { + BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); + return 0; + } + + n = BN_num_bits(range); /* n > 0 */ + + if (n == 1) + { + if (!BN_zero(r)) return 0; + } + else if (BN_is_bit_set(range, n - 2)) + { + do + { + /* range = 11..._2, so each iteration succeeds with probability >= .75 */ + if (!BN_rand(r, n, -1, 0)) return 0; + } + while (BN_cmp(r, range) >= 0); + } + else + { + /* range = 10..._2, + * so 3*range (= 11..._2) is exactly one bit longer than range */ + do + { + if (!BN_rand(r, n + 1, -1, 0)) return 0; + /* If r < 3*range, use r := r MOD range + * (which is either r, r - range, or r - 2*range). + * Otherwise, iterate once more. + * Since 3*range = 11..._2, each iteration succeeds with + * probability >= .75. */ + if (BN_cmp(r ,range) >= 0) + { + if (!BN_sub(r, r, range)) return 0; + if (BN_cmp(r, range) >= 0) + if (!BN_sub(r, r, range)) return 0; + } + } + while (BN_cmp(r, range) >= 0); + } + + return 1; + } diff --git a/src/lib/libssl/src/crypto/bn/bn_shift.c b/src/lib/libssl/src/crypto/bn/bn_shift.c index 0883247384..c2608f9f4a 100644 --- a/src/lib/libssl/src/crypto/bn/bn_shift.c +++ b/src/lib/libssl/src/crypto/bn/bn_shift.c @@ -172,6 +172,11 @@ int BN_rshift(BIGNUM *r, BIGNUM *a, int n) r->neg=a->neg; if (bn_wexpand(r,a->top-nw+1) == NULL) return(0); } + else + { + if (n == 0) + return 1; /* or the copying loop will go berserk */ + } f= &(a->d[nw]); t=r->d; diff --git a/src/lib/libssl/src/crypto/bn/bntest.c b/src/lib/libssl/src/crypto/bn/bntest.c index 0a97af69c5..af0c2629e8 100644 --- a/src/lib/libssl/src/crypto/bn/bntest.c +++ b/src/lib/libssl/src/crypto/bn/bntest.c @@ -107,11 +107,9 @@ static const char rnd_seed[] = "string to make the random number generator think static void message(BIO *out, char *m) { fprintf(stderr, "test %s\n", m); -#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */ BIO_puts(out, "print \"test "); BIO_puts(out, m); BIO_puts(out, "\\n\"\n"); -#endif } int main(int argc, char *argv[]) @@ -122,9 +120,7 @@ int main(int argc, char *argv[]) results = 0; - RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't - * even check its return value - * (which we should) */ + RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */ argc--; argv++; @@ -253,10 +249,10 @@ int test_add(BIO *bp) BN_init(&b); BN_init(&c); - BN_rand(&a,512,0,0); + BN_bntest_rand(&a,512,0,0); for (i=0; ineg=rand_neg(); b->neg=rand_neg(); if (bp == NULL) @@ -732,11 +728,11 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx) d=BN_new(); e=BN_new(); - BN_rand(c,1024,0,0); /**/ + BN_bntest_rand(c,1024,0,0); /**/ for (i=0; ineg=rand_neg(); b->neg=rand_neg(); /* if (bp == NULL) @@ -794,11 +790,11 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx) d=BN_new(); e=BN_new(); - BN_rand(c,30,0,1); /* must be odd for montgomery */ + BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */ for (i=0; ineg=rand_neg(); } for (i=0; ineg=rand_neg(); for (i=0; ineg=rand_neg(); for (i=0; ineg=rand_neg(); for (i=0; iinit(&ctmp); - ctmp.data = conf; - return NCONF_get_section(&ctmp, section); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_section(&ctmp, section); + } } char *CONF_get_string(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_string(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_string(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_string(&ctmp, group, name); + } } long CONF_get_number(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_number(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_number(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_number(&ctmp, group, name); + } } void CONF_free(LHASH *conf) @@ -299,27 +320,46 @@ STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section) return NULL; } + if (section == NULL) + { + CONFerr(CONF_F_NCONF_GET_SECTION,CONF_R_NO_SECTION); + return NULL; + } + return _CONF_get_section_values(conf, section); } char *NCONF_get_string(CONF *conf,char *group,char *name) { + char *s = _CONF_get_string(conf, group, name); + + /* Since we may get a value from an environment variable even + if conf is NULL, let's check the value first */ + if (s) return s; + if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_STRING,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_STRING, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return NULL; } - - return _CONF_get_string(conf, group, name); + return NULL; } long NCONF_get_number(CONF *conf,char *group,char *name) { +#if 0 /* As with _CONF_get_string(), we rely on the possibility of finding + an environment variable with a suitable name. Unfortunately, there's + no way with the current API to see if we found one or not... + The meaning of this is that if a number is not found anywhere, it + will always default to 0. */ if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_NUMBER,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_NUMBER, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return 0; } +#endif return _CONF_get_number(conf, group, name); } diff --git a/src/lib/libssl/src/crypto/crypto-lib.com b/src/lib/libssl/src/crypto/crypto-lib.com index 21d56a4b50..482a136177 100644 --- a/src/lib/libssl/src/crypto/crypto-lib.com +++ b/src/lib/libssl/src/crypto/crypto-lib.com @@ -174,7 +174,7 @@ $! $ APPS_DES = "DES/DES,CBC3_ENC" $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE" $ -$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err" +$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid" $ LIB_MD2 = "md2_dgst,md2_one" $ LIB_MD4 = "md4_dgst,md4_one" $ LIB_MD5 = "md5_dgst,md5_one" diff --git a/src/lib/libssl/src/crypto/crypto.h b/src/lib/libssl/src/crypto/crypto.h index 52ee97b71a..9257673279 100644 --- a/src/lib/libssl/src/crypto/crypto.h +++ b/src/lib/libssl/src/crypto/crypto.h @@ -278,6 +278,8 @@ int CRYPTO_is_mem_check_on(void); const char *SSLeay_version(int type); unsigned long SSLeay(void); +int OPENSSL_issetugid(void); + int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val); diff --git a/src/lib/libssl/src/crypto/des/Makefile.ssl b/src/lib/libssl/src/crypto/des/Makefile.ssl index 34a360b7ab..cc5379feb2 100644 --- a/src/lib/libssl/src/crypto/des/Makefile.ssl +++ b/src/lib/libssl/src/crypto/des/Makefile.ssl @@ -57,7 +57,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib des: des.o cbc3_enc.o lib diff --git a/src/lib/libssl/src/crypto/des/asm/des-586.pl b/src/lib/libssl/src/crypto/des/asm/des-586.pl index f054071077..c890766bc9 100644 --- a/src/lib/libssl/src/crypto/des/asm/des-586.pl +++ b/src/lib/libssl/src/crypto/des/asm/des-586.pl @@ -20,11 +20,11 @@ $L="edi"; $R="esi"; &external_label("des_SPtrans"); -&des_encrypt("des_encrypt",1); +&des_encrypt("des_encrypt1",1); &des_encrypt("des_encrypt2",0); &des_encrypt3("des_encrypt3",1); &des_encrypt3("des_decrypt3",0); -&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1); +&cbc("des_ncbc_encrypt","des_encrypt1","des_encrypt1",0,4,5,3,5,-1); &cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5); &asm_finish(); diff --git a/src/lib/libssl/src/crypto/des/asm/des686.pl b/src/lib/libssl/src/crypto/des/asm/des686.pl index 77dc5b51cd..84c3e85438 100644 --- a/src/lib/libssl/src/crypto/des/asm/des686.pl +++ b/src/lib/libssl/src/crypto/des/asm/des686.pl @@ -46,7 +46,7 @@ EOF $L="edi"; $R="esi"; -&des_encrypt("des_encrypt",1); +&des_encrypt("des_encrypt1",1); &des_encrypt("des_encrypt2",0); &des_encrypt3("des_encrypt3",1); diff --git a/src/lib/libssl/src/crypto/des/asm/readme b/src/lib/libssl/src/crypto/des/asm/readme index f8529d9307..1beafe253b 100644 --- a/src/lib/libssl/src/crypto/des/asm/readme +++ b/src/lib/libssl/src/crypto/des/asm/readme @@ -8,7 +8,7 @@ assembler for the inner DES routines in libdes :-). The file to implement in assembler is des_enc.c. Replace the following 4 functions -des_encrypt(DES_LONG data[2],des_key_schedule ks, int encrypt); +des_encrypt1(DES_LONG data[2],des_key_schedule ks, int encrypt); des_encrypt2(DES_LONG data[2],des_key_schedule ks, int encrypt); des_encrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3); des_decrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3); diff --git a/src/lib/libssl/src/crypto/des/cbc_cksm.c b/src/lib/libssl/src/crypto/des/cbc_cksm.c index 1e543cb2a1..b857df0985 100644 --- a/src/lib/libssl/src/crypto/des/cbc_cksm.c +++ b/src/lib/libssl/src/crypto/des/cbc_cksm.c @@ -82,7 +82,7 @@ DES_LONG des_cbc_cksum(const unsigned char *in, des_cblock *output, tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); /* fix 15/10/91 eay - thanks to keithr@sco.COM */ tout0=tin[0]; tout1=tin[1]; diff --git a/src/lib/libssl/src/crypto/des/cfb64enc.c b/src/lib/libssl/src/crypto/des/cfb64enc.c index 389a232cb3..105530dfa3 100644 --- a/src/lib/libssl/src/crypto/des/cfb64enc.c +++ b/src/lib/libssl/src/crypto/des/cfb64enc.c @@ -82,7 +82,7 @@ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out, { c2l(iv,v0); ti[0]=v0; c2l(iv,v1); ti[1]=v1; - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); iv = &(*ivec)[0]; v0=ti[0]; l2c(v0,iv); v0=ti[1]; l2c(v0,iv); @@ -102,7 +102,7 @@ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out, { c2l(iv,v0); ti[0]=v0; c2l(iv,v1); ti[1]=v1; - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); iv = &(*ivec)[0]; v0=ti[0]; l2c(v0,iv); v0=ti[1]; l2c(v0,iv); diff --git a/src/lib/libssl/src/crypto/des/cfb_enc.c b/src/lib/libssl/src/crypto/des/cfb_enc.c index cca34dd7c5..ec4fd4ea67 100644 --- a/src/lib/libssl/src/crypto/des/cfb_enc.c +++ b/src/lib/libssl/src/crypto/des/cfb_enc.c @@ -100,7 +100,7 @@ void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, l-=n; ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); c2ln(in,d0,d1,n); in+=n; d0=(d0^ti[0])&mask0; @@ -132,7 +132,7 @@ void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, l-=n; ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); c2ln(in,d0,d1,n); in+=n; /* 30-08-94 - eay - changed because l>>32 and diff --git a/src/lib/libssl/src/crypto/des/des.h b/src/lib/libssl/src/crypto/des/des.h index 2db9748cb4..6b8a7ee11b 100644 --- a/src/lib/libssl/src/crypto/des/des.h +++ b/src/lib/libssl/src/crypto/des/des.h @@ -147,14 +147,14 @@ void des_ecb_encrypt(const_des_cblock *input,des_cblock *output, Data is a pointer to 2 unsigned long's and ks is the des_key_schedule to use. enc, is non zero specifies encryption, zero if decryption. */ -void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc); +void des_encrypt1(DES_LONG *data,des_key_schedule ks, int enc); -/* This functions is the same as des_encrypt() except that the DES +/* This functions is the same as des_encrypt1() except that the DES initial permutation (IP) and final permutation (FP) have been left - out. As for des_encrypt(), you should not use this function. + out. As for des_encrypt1(), you should not use this function. It is used by the routines in the library that implement triple DES. IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same - as des_encrypt() des_encrypt() des_encrypt() except faster :-). */ + as des_encrypt1() des_encrypt1() des_encrypt1() except faster :-). */ void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc); void des_encrypt3(DES_LONG *data, des_key_schedule ks1, diff --git a/src/lib/libssl/src/crypto/des/des_enc.c b/src/lib/libssl/src/crypto/des/des_enc.c index 8311e10628..0bd9fa39bc 100644 --- a/src/lib/libssl/src/crypto/des/des_enc.c +++ b/src/lib/libssl/src/crypto/des/des_enc.c @@ -58,7 +58,7 @@ #include "des_locl.h" -void des_encrypt(DES_LONG *data, des_key_schedule ks, int enc) +void des_encrypt1(DES_LONG *data, des_key_schedule ks, int enc) { register DES_LONG l,r,t,u; #ifdef DES_PTR diff --git a/src/lib/libssl/src/crypto/des/des_opts.c b/src/lib/libssl/src/crypto/des/des_opts.c index b2ca7ac31d..138ee1c6b4 100644 --- a/src/lib/libssl/src/crypto/des/des_opts.c +++ b/src/lib/libssl/src/crypto/des/des_opts.c @@ -118,7 +118,7 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#define des_encrypt des_encrypt_u4_cisc_idx +#define des_encrypt1 des_encrypt_u4_cisc_idx #define des_encrypt2 des_encrypt2_u4_cisc_idx #define des_encrypt3 des_encrypt3_u4_cisc_idx #define des_decrypt3 des_decrypt3_u4_cisc_idx @@ -130,11 +130,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_idx +#define des_encrypt1 des_encrypt_u16_cisc_idx #define des_encrypt2 des_encrypt2_u16_cisc_idx #define des_encrypt3 des_encrypt3_u16_cisc_idx #define des_decrypt3 des_decrypt3_u16_cisc_idx @@ -146,11 +146,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_idx +#define des_encrypt1 des_encrypt_u4_risc1_idx #define des_encrypt2 des_encrypt2_u4_risc1_idx #define des_encrypt3 des_encrypt3_u4_risc1_idx #define des_decrypt3 des_decrypt3_u4_risc1_idx @@ -166,11 +166,11 @@ extern void exit(); #define DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_idx +#define des_encrypt1 des_encrypt_u4_risc2_idx #define des_encrypt2 des_encrypt2_u4_risc2_idx #define des_encrypt3 des_encrypt3_u4_risc2_idx #define des_decrypt3 des_decrypt3_u4_risc2_idx @@ -182,11 +182,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_idx +#define des_encrypt1 des_encrypt_u16_risc1_idx #define des_encrypt2 des_encrypt2_u16_risc1_idx #define des_encrypt3 des_encrypt3_u16_risc1_idx #define des_decrypt3 des_decrypt3_u16_risc1_idx @@ -198,11 +198,11 @@ extern void exit(); #define DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_idx +#define des_encrypt1 des_encrypt_u16_risc2_idx #define des_encrypt2 des_encrypt2_u16_risc2_idx #define des_encrypt3 des_encrypt3_u16_risc2_idx #define des_decrypt3 des_decrypt3_u16_risc2_idx @@ -218,11 +218,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_cisc_ptr +#define des_encrypt1 des_encrypt_u4_cisc_ptr #define des_encrypt2 des_encrypt2_u4_cisc_ptr #define des_encrypt3 des_encrypt3_u4_cisc_ptr #define des_decrypt3 des_decrypt3_u4_cisc_ptr @@ -234,11 +234,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_ptr +#define des_encrypt1 des_encrypt_u16_cisc_ptr #define des_encrypt2 des_encrypt2_u16_cisc_ptr #define des_encrypt3 des_encrypt3_u16_cisc_ptr #define des_decrypt3 des_decrypt3_u16_cisc_ptr @@ -250,11 +250,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_ptr +#define des_encrypt1 des_encrypt_u4_risc1_ptr #define des_encrypt2 des_encrypt2_u4_risc1_ptr #define des_encrypt3 des_encrypt3_u4_risc1_ptr #define des_decrypt3 des_decrypt3_u4_risc1_ptr @@ -270,11 +270,11 @@ extern void exit(); #define DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_ptr +#define des_encrypt1 des_encrypt_u4_risc2_ptr #define des_encrypt2 des_encrypt2_u4_risc2_ptr #define des_encrypt3 des_encrypt3_u4_risc2_ptr #define des_decrypt3 des_decrypt3_u4_risc2_ptr @@ -286,11 +286,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_ptr +#define des_encrypt1 des_encrypt_u16_risc1_ptr #define des_encrypt2 des_encrypt2_u16_risc1_ptr #define des_encrypt3 des_encrypt3_u16_risc1_ptr #define des_decrypt3 des_decrypt3_u16_risc1_ptr @@ -302,11 +302,11 @@ extern void exit(); #define DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_ptr +#define des_encrypt1 des_encrypt_u16_risc2_ptr #define des_encrypt2 des_encrypt2_u16_risc2_ptr #define des_encrypt3 des_encrypt3_u16_risc2_ptr #define des_decrypt3 des_decrypt3_u16_risc2_ptr @@ -453,7 +453,7 @@ int main(int argc, char **argv) count*=2; Time_F(START); for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); d=Time_F(STOP); } while (d < 3.0); ca=count; diff --git a/src/lib/libssl/src/crypto/des/dess.cpp b/src/lib/libssl/src/crypto/des/dess.cpp index 753e67ad9b..5549bab90a 100644 --- a/src/lib/libssl/src/crypto/des/dess.cpp +++ b/src/lib/libssl/src/crypto/des/dess.cpp @@ -45,19 +45,19 @@ void main(int argc,char *argv[]) { for (i=0; i<1000; i++) /**/ { - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(s1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(e1); GetTSC(s2); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(e2); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); } printf("des %d %d (%d)\n", diff --git a/src/lib/libssl/src/crypto/des/ecb_enc.c b/src/lib/libssl/src/crypto/des/ecb_enc.c index b261a8aad9..d481327ef3 100644 --- a/src/lib/libssl/src/crypto/des/ecb_enc.c +++ b/src/lib/libssl/src/crypto/des/ecb_enc.c @@ -114,7 +114,7 @@ void des_ecb_encrypt(const_des_cblock *input, des_cblock *output, c2l(in,l); ll[0]=l; c2l(in,l); ll[1]=l; - des_encrypt(ll,ks,enc); + des_encrypt1(ll,ks,enc); l=ll[0]; l2c(l,out); l=ll[1]; l2c(l,out); l=ll[0]=ll[1]=0; diff --git a/src/lib/libssl/src/crypto/des/ede_cbcm_enc.c b/src/lib/libssl/src/crypto/des/ede_cbcm_enc.c index c53062481d..b98f7e17af 100644 --- a/src/lib/libssl/src/crypto/des/ede_cbcm_enc.c +++ b/src/lib/libssl/src/crypto/des/ede_cbcm_enc.c @@ -95,7 +95,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, { tin[0]=m0; tin[1]=m1; - des_encrypt(tin,ks3,1); + des_encrypt1(tin,ks3,1); m0=tin[0]; m1=tin[1]; @@ -113,13 +113,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, tin[0]=tin0; tin[1]=tin1; - des_encrypt(tin,ks1,1); + des_encrypt1(tin,ks1,1); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks2,0); + des_encrypt1(tin,ks2,0); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks1,1); + des_encrypt1(tin,ks1,1); tout0=tin[0]; tout1=tin[1]; @@ -146,7 +146,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, { tin[0]=m0; tin[1]=m1; - des_encrypt(tin,ks3,1); + des_encrypt1(tin,ks3,1); m0=tin[0]; m1=tin[1]; @@ -158,13 +158,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, tin[0]=tin0; tin[1]=tin1; - des_encrypt(tin,ks1,0); + des_encrypt1(tin,ks1,0); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks2,1); + des_encrypt1(tin,ks2,1); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks1,0); + des_encrypt1(tin,ks1,0); tout0=tin[0]; tout1=tin[1]; diff --git a/src/lib/libssl/src/crypto/des/ncbc_enc.c b/src/lib/libssl/src/crypto/des/ncbc_enc.c index 3b681691a9..b8db07b199 100644 --- a/src/lib/libssl/src/crypto/des/ncbc_enc.c +++ b/src/lib/libssl/src/crypto/des/ncbc_enc.c @@ -89,7 +89,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, c2l(in,tin1); tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; l2c(tout0,out); tout1=tin[1]; l2c(tout1,out); } @@ -98,7 +98,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, c2ln(in,tin0,tin1,l+8); tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; l2c(tout0,out); tout1=tin[1]; l2c(tout1,out); } @@ -116,7 +116,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, { c2l(in,tin0); tin[0]=tin0; c2l(in,tin1); tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; l2c(tout0,out); @@ -128,7 +128,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, { c2l(in,tin0); tin[0]=tin0; c2l(in,tin1); tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; l2cn(tout0,tout1,out,l+8); diff --git a/src/lib/libssl/src/crypto/des/ofb64enc.c b/src/lib/libssl/src/crypto/des/ofb64enc.c index 64953959ca..1a1d1f1ac4 100644 --- a/src/lib/libssl/src/crypto/des/ofb64enc.c +++ b/src/lib/libssl/src/crypto/des/ofb64enc.c @@ -87,7 +87,7 @@ void des_ofb64_encrypt(register const unsigned char *in, { if (n == 0) { - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); dp=d; t=ti[0]; l2c(t,dp); t=ti[1]; l2c(t,dp); diff --git a/src/lib/libssl/src/crypto/des/ofb_enc.c b/src/lib/libssl/src/crypto/des/ofb_enc.c index a8f425a575..70493e632c 100644 --- a/src/lib/libssl/src/crypto/des/ofb_enc.c +++ b/src/lib/libssl/src/crypto/des/ofb_enc.c @@ -101,7 +101,7 @@ void des_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits, { ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); vv0=ti[0]; vv1=ti[1]; c2ln(in,d0,d1,n); diff --git a/src/lib/libssl/src/crypto/des/pcbc_enc.c b/src/lib/libssl/src/crypto/des/pcbc_enc.c index dd69a26d4a..5b987f074d 100644 --- a/src/lib/libssl/src/crypto/des/pcbc_enc.c +++ b/src/lib/libssl/src/crypto/des/pcbc_enc.c @@ -85,7 +85,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, c2ln(in,sin0,sin1,length); tin[0]=sin0^xor0; tin[1]=sin1^xor1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; tout1=tin[1]; xor0=sin0^tout0; @@ -103,7 +103,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, c2l(in,sin1); tin[0]=sin0; tin[1]=sin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; if (length >= 8) diff --git a/src/lib/libssl/src/crypto/des/speed.c b/src/lib/libssl/src/crypto/des/speed.c index 814b86f4ae..1223edf290 100644 --- a/src/lib/libssl/src/crypto/des/speed.c +++ b/src/lib/libssl/src/crypto/des/speed.c @@ -204,7 +204,7 @@ int main(int argc, char **argv) count*=2; Time_F(START); for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); d=Time_F(STOP); } while (d < 3.0); ca=count; @@ -241,7 +241,7 @@ int main(int argc, char **argv) { DES_LONG data[2]; - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); } d=Time_F(STOP); printf("%ld des_encrypt's in %.2f second\n",count,d); diff --git a/src/lib/libssl/src/crypto/des/xcbc_enc.c b/src/lib/libssl/src/crypto/des/xcbc_enc.c index 51e17e6b8a..ccfede13ac 100644 --- a/src/lib/libssl/src/crypto/des/xcbc_enc.c +++ b/src/lib/libssl/src/crypto/des/xcbc_enc.c @@ -138,7 +138,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, c2l(in,tin1); tin0^=tout0^inW0; tin[0]=tin0; tin1^=tout1^inW1; tin[1]=tin1; - des_encrypt(tin,schedule,DES_ENCRYPT); + des_encrypt1(tin,schedule,DES_ENCRYPT); tout0=tin[0]^outW0; l2c(tout0,out); tout1=tin[1]^outW1; l2c(tout1,out); } @@ -147,7 +147,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, c2ln(in,tin0,tin1,l+8); tin0^=tout0^inW0; tin[0]=tin0; tin1^=tout1^inW1; tin[1]=tin1; - des_encrypt(tin,schedule,DES_ENCRYPT); + des_encrypt1(tin,schedule,DES_ENCRYPT); tout0=tin[0]^outW0; l2c(tout0,out); tout1=tin[1]^outW1; l2c(tout1,out); } @@ -163,7 +163,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, { c2l(in,tin0); tin[0]=tin0^outW0; c2l(in,tin1); tin[1]=tin1^outW1; - des_encrypt(tin,schedule,DES_DECRYPT); + des_encrypt1(tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0^inW0; tout1=tin[1]^xor1^inW1; l2c(tout0,out); @@ -175,7 +175,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, { c2l(in,tin0); tin[0]=tin0^outW0; c2l(in,tin1); tin[1]=tin1^outW1; - des_encrypt(tin,schedule,DES_DECRYPT); + des_encrypt1(tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0^inW0; tout1=tin[1]^xor1^inW1; l2cn(tout0,tout1,out,l+8); diff --git a/src/lib/libssl/src/crypto/dh/Makefile.ssl b/src/lib/libssl/src/crypto/dh/Makefile.ssl index 88d0d1748b..bf4b47ca9a 100644 --- a/src/lib/libssl/src/crypto/dh/Makefile.ssl +++ b/src/lib/libssl/src/crypto/dh/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/dh/dh_key.c b/src/lib/libssl/src/crypto/dh/dh_key.c index 6915d79dcc..22b087b778 100644 --- a/src/lib/libssl/src/crypto/dh/dh_key.c +++ b/src/lib/libssl/src/crypto/dh/dh_key.c @@ -100,7 +100,6 @@ DH_METHOD *DH_OpenSSL(void) static int generate_key(DH *dh) { int ok=0; - unsigned int i; BN_CTX ctx; BN_MONT_CTX *mont; BIGNUM *pub_key=NULL,*priv_key=NULL; @@ -109,15 +108,11 @@ static int generate_key(DH *dh) if (dh->priv_key == NULL) { - i=dh->length; - if (i == 0) - { - /* Make the number p-1 bits long */ - i=BN_num_bits(dh->p)-1; - } priv_key=BN_new(); if (priv_key == NULL) goto err; - if (!BN_rand(priv_key,i,0,0)) goto err; + do + if (!BN_rand_range(priv_key, dh->p)) goto err; + while (BN_is_zero(priv_key)); } else priv_key=dh->priv_key; diff --git a/src/lib/libssl/src/crypto/dh/dh_lib.c b/src/lib/libssl/src/crypto/dh/dh_lib.c index 66803b5565..96f118c153 100644 --- a/src/lib/libssl/src/crypto/dh/dh_lib.c +++ b/src/lib/libssl/src/crypto/dh/dh_lib.c @@ -168,13 +168,13 @@ DH *DH_new_method(ENGINE *engine) ret->method_mont_p=NULL; ret->references = 1; ret->flags=meth->flags; + CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data); if ((meth->init != NULL) && !meth->init(ret)) { + CRYPTO_free_ex_data(dh_meth,ret,&ret->ex_data); OPENSSL_free(ret); ret=NULL; } - else - CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data); return(ret); } @@ -196,12 +196,12 @@ void DH_free(DH *r) } #endif - CRYPTO_free_ex_data(dh_meth, r, &r->ex_data); - meth = ENGINE_get_DH(r->engine); if(meth->finish) meth->finish(r); ENGINE_finish(r->engine); + CRYPTO_free_ex_data(dh_meth, r, &r->ex_data); + if (r->p != NULL) BN_clear_free(r->p); if (r->g != NULL) BN_clear_free(r->g); if (r->q != NULL) BN_clear_free(r->q); diff --git a/src/lib/libssl/src/crypto/dsa/Makefile.ssl b/src/lib/libssl/src/crypto/dsa/Makefile.ssl index dac582be00..d88f596364 100644 --- a/src/lib/libssl/src/crypto/dsa/Makefile.ssl +++ b/src/lib/libssl/src/crypto/dsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/dso/Makefile.ssl b/src/lib/libssl/src/crypto/dso/Makefile.ssl index a37f547482..48b36c8330 100644 --- a/src/lib/libssl/src/crypto/dso/Makefile.ssl +++ b/src/lib/libssl/src/crypto/dso/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/dso/dso_dl.c b/src/lib/libssl/src/crypto/dso/dso_dl.c index 69810fc3bb..455bd66ecf 100644 --- a/src/lib/libssl/src/crypto/dso/dso_dl.c +++ b/src/lib/libssl/src/crypto/dso/dso_dl.c @@ -82,7 +82,7 @@ static int dl_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr); static int dl_init(DSO *dso); static int dl_finish(DSO *dso); #endif -static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg); +static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg); static DSO_METHOD dso_meth_dl = { "OpenSSL 'dl' shared library method", @@ -111,6 +111,11 @@ DSO_METHOD *DSO_METHOD_dl(void) * type so the cast is safe. */ +#if defined(__hpux) +static const char extension[] = ".sl"; +#else +static const char extension[] = ".so"; +#endif static int dl_load(DSO *dso, const char *filename) { shl_t ptr; @@ -118,12 +123,12 @@ static int dl_load(DSO *dso, const char *filename) int len; /* The same comment as in dlfcn_load applies here. bleurgh. */ - len = strlen(filename); + len = strlen(filename) + strlen(extension); if((dso->flags & DSO_FLAG_NAME_TRANSLATION) && - (len + 6 < DSO_MAX_TRANSLATED_SIZE) && + (len + 3 < DSO_MAX_TRANSLATED_SIZE) && (strstr(filename, "/") == NULL)) { - sprintf(translated, "lib%s.so", filename); + sprintf(translated, "lib%s%s", filename, extension); ptr = shl_load(translated, BIND_IMMEDIATE, NULL); } else @@ -187,7 +192,7 @@ static void *dl_bind_var(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_VAR,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_VAR,DSO_R_SYM_FAILURE); return(NULL); @@ -216,7 +221,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_SYM_FAILURE); return(NULL); @@ -224,7 +229,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname) return((DSO_FUNC_TYPE)sym); } -static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg) +static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg) { if(dso == NULL) { @@ -236,10 +241,10 @@ static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg) case DSO_CTRL_GET_FLAGS: return dso->flags; case DSO_CTRL_SET_FLAGS: - dso->flags = (int)larg; + dso->flags = larg; return(0); case DSO_CTRL_OR_FLAGS: - dso->flags |= (int)larg; + dso->flags |= larg; return(0); default: break; diff --git a/src/lib/libssl/src/crypto/dso/dso_vms.c b/src/lib/libssl/src/crypto/dso/dso_vms.c index 8ff7090129..ab48b63eb7 100644 --- a/src/lib/libssl/src/crypto/dso/dso_vms.c +++ b/src/lib/libssl/src/crypto/dso/dso_vms.c @@ -62,7 +62,6 @@ #ifdef VMS #pragma message disable DOLLARID #include -#include #include #include #include @@ -260,7 +259,8 @@ void vms_bind_sym(DSO *dso, const char *symname, void **sym) { DSO_VMS_INTERNAL *ptr; int status; - int flags = LIB$M_FIS_MIXEDCASE; + int flags = (1<<4); /* LIB$M_FIS_MIXEDCASE, but this symbol isn't + defined in VMS older than 7.0 or so */ struct dsc$descriptor_s symname_dsc; *sym = NULL; diff --git a/src/lib/libssl/src/crypto/ebcdic.c b/src/lib/libssl/src/crypto/ebcdic.c index 31397b2add..91a7a8bcb4 100644 --- a/src/lib/libssl/src/crypto/ebcdic.c +++ b/src/lib/libssl/src/crypto/ebcdic.c @@ -211,7 +211,7 @@ ascii2ebcdic(void *dest, const void *srce, size_t count) } #else /*CHARSET_EBCDIC*/ -#ifdef PEDANTIC +#if defined(PEDANTIC) || defined(VMS) || defined(__VMS) static void *dummy=&dummy; #endif #endif diff --git a/src/lib/libssl/src/crypto/engine/engine_lib.c b/src/lib/libssl/src/crypto/engine/engine_lib.c index 1df07af03a..d6e9109f6e 100644 --- a/src/lib/libssl/src/crypto/engine/engine_lib.c +++ b/src/lib/libssl/src/crypto/engine/engine_lib.c @@ -230,17 +230,18 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if(e->funct_ref == 0) { + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY, ENGINE_R_NOT_INITIALISED); return 0; } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if (!e->load_privkey) { ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY, ENGINE_R_NO_LOAD_FUNCTION); return 0; } - CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); pkey = e->load_privkey(key_id, passphrase); if (!pkey) { @@ -265,17 +266,18 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if(e->funct_ref == 0) { + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY, ENGINE_R_NOT_INITIALISED); return 0; } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if (!e->load_pubkey) { ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY, ENGINE_R_NO_LOAD_FUNCTION); return 0; } - CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); pkey = e->load_pubkey(key_id, passphrase); if (!pkey) { @@ -286,8 +288,6 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, return pkey; } -/* Initialise a engine type for use (or up its functional reference count - * if it's already in use). */ int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) { if(e == NULL) @@ -298,15 +298,16 @@ int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if(e->struct_ref == 0) { + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_REFERENCE); return 0; } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if (!e->ctrl) { ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION); return 0; } - CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); return e->ctrl(cmd, i, p, f); } diff --git a/src/lib/libssl/src/crypto/err/Makefile.ssl b/src/lib/libssl/src/crypto/err/Makefile.ssl index cf94f406e4..58218d1cea 100644 --- a/src/lib/libssl/src/crypto/err/Makefile.ssl +++ b/src/lib/libssl/src/crypto/err/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/err/err.c b/src/lib/libssl/src/crypto/err/err.c index 99272e437c..839f4ab81a 100644 --- a/src/lib/libssl/src/crypto/err/err.c +++ b/src/lib/libssl/src/crypto/err/err.c @@ -389,20 +389,18 @@ void ERR_put_error(int lib, int func, int reason, const char *file, void ERR_clear_error(void) { + int i; ERR_STATE *es; es=ERR_get_state(); -#if 0 - /* hmm... is this needed */ for (i=0; ierr_buffer[i]=0; + err_clear_data(es,i); es->err_file[i]=NULL; es->err_line[i]= -1; - err_clear_data(es,i); } -#endif es->top=es->bottom=0; } @@ -464,7 +462,14 @@ static unsigned long get_error_values(int inc, const char **file, int *line, } } - if (data != NULL) + if (data == NULL) + { + if (inc) + { + err_clear_data(es, i); + } + } + else { if (es->err_data[i] == NULL) { @@ -749,8 +754,9 @@ void ERR_set_error_data(char *data, int flags) if (i == 0) i=ERR_NUM_ERRORS-1; + err_clear_data(es,i); es->err_data[i]=data; - es->err_data_flags[es->top]=flags; + es->err_data_flags[i]=flags; } void ERR_add_error_data(int num, ...) @@ -759,7 +765,7 @@ void ERR_add_error_data(int num, ...) int i,n,s; char *str,*p,*a; - s=64; + s=80; str=OPENSSL_malloc(s+1); if (str == NULL) return; str[0]='\0'; diff --git a/src/lib/libssl/src/crypto/evp/Makefile.ssl b/src/lib/libssl/src/crypto/evp/Makefile.ssl index ad39fcc9e7..624168031d 100644 --- a/src/lib/libssl/src/crypto/evp/Makefile.ssl +++ b/src/lib/libssl/src/crypto/evp/Makefile.ssl @@ -58,7 +58,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/evp/evp.h b/src/lib/libssl/src/crypto/evp/evp.h index 62350dfd69..76d417b44a 100644 --- a/src/lib/libssl/src/crypto/evp/evp.h +++ b/src/lib/libssl/src/crypto/evp/evp.h @@ -462,12 +462,20 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md, int en_de); +#ifndef NO_RSA #define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ (char *)(rsa)) +#endif + +#ifndef NO_DSA #define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ (char *)(dsa)) +#endif + +#ifndef NO_DH #define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\ (char *)(dh)) +#endif /* Add some extra combinations */ #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) @@ -611,17 +619,29 @@ void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k, #endif EVP_MD *EVP_md_null(void); +#ifndef NO_MD2 EVP_MD *EVP_md2(void); +#endif +#ifndef NO_MD4 EVP_MD *EVP_md4(void); +#endif +#ifndef NO_MD5 EVP_MD *EVP_md5(void); +#endif +#ifndef NO_SHA EVP_MD *EVP_sha(void); EVP_MD *EVP_sha1(void); EVP_MD *EVP_dss(void); EVP_MD *EVP_dss1(void); +#endif +#ifndef NO_MDC2 EVP_MD *EVP_mdc2(void); +#endif +#ifndef NO_RIPEMD EVP_MD *EVP_ripemd160(void); - +#endif EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */ +#ifndef NO_DES EVP_CIPHER *EVP_des_ecb(void); EVP_CIPHER *EVP_des_ede(void); EVP_CIPHER *EVP_des_ede3(void); @@ -635,31 +655,43 @@ EVP_CIPHER *EVP_des_cbc(void); EVP_CIPHER *EVP_des_ede_cbc(void); EVP_CIPHER *EVP_des_ede3_cbc(void); EVP_CIPHER *EVP_desx_cbc(void); +#endif +#ifndef NO_RC4 EVP_CIPHER *EVP_rc4(void); EVP_CIPHER *EVP_rc4_40(void); +#endif +#ifndef NO_IDEA EVP_CIPHER *EVP_idea_ecb(void); EVP_CIPHER *EVP_idea_cfb(void); EVP_CIPHER *EVP_idea_ofb(void); EVP_CIPHER *EVP_idea_cbc(void); +#endif +#ifndef NO_RC2 EVP_CIPHER *EVP_rc2_ecb(void); EVP_CIPHER *EVP_rc2_cbc(void); EVP_CIPHER *EVP_rc2_40_cbc(void); EVP_CIPHER *EVP_rc2_64_cbc(void); EVP_CIPHER *EVP_rc2_cfb(void); EVP_CIPHER *EVP_rc2_ofb(void); +#endif +#ifndef NO_BF EVP_CIPHER *EVP_bf_ecb(void); EVP_CIPHER *EVP_bf_cbc(void); EVP_CIPHER *EVP_bf_cfb(void); EVP_CIPHER *EVP_bf_ofb(void); +#endif +#ifndef NO_CAST EVP_CIPHER *EVP_cast5_ecb(void); EVP_CIPHER *EVP_cast5_cbc(void); EVP_CIPHER *EVP_cast5_cfb(void); EVP_CIPHER *EVP_cast5_ofb(void); +#endif +#ifndef NO_RC5 EVP_CIPHER *EVP_rc5_32_12_16_cbc(void); EVP_CIPHER *EVP_rc5_32_12_16_ecb(void); EVP_CIPHER *EVP_rc5_32_12_16_cfb(void); EVP_CIPHER *EVP_rc5_32_12_16_ofb(void); - +#endif void OpenSSL_add_all_algorithms(void); void OpenSSL_add_all_ciphers(void); void OpenSSL_add_all_digests(void); diff --git a/src/lib/libssl/src/crypto/ex_data.c b/src/lib/libssl/src/crypto/ex_data.c index 1ee88da2a8..739e543d78 100644 --- a/src/lib/libssl/src/crypto/ex_data.c +++ b/src/lib/libssl/src/crypto/ex_data.c @@ -101,7 +101,7 @@ int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long ret=idx; err: MemCheck_on(); - return(idx); + return(ret); } int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val) diff --git a/src/lib/libssl/src/crypto/hmac/Makefile.ssl b/src/lib/libssl/src/crypto/hmac/Makefile.ssl index cf57311973..326339a90d 100644 --- a/src/lib/libssl/src/crypto/hmac/Makefile.ssl +++ b/src/lib/libssl/src/crypto/hmac/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/idea/Makefile.ssl b/src/lib/libssl/src/crypto/idea/Makefile.ssl index 5b334ce921..30302e0b9f 100644 --- a/src/lib/libssl/src/crypto/idea/Makefile.ssl +++ b/src/lib/libssl/src/crypto/idea/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/lhash/Makefile.ssl b/src/lib/libssl/src/crypto/lhash/Makefile.ssl index 6c3d442e22..79849d7d6e 100644 --- a/src/lib/libssl/src/crypto/lhash/Makefile.ssl +++ b/src/lib/libssl/src/crypto/lhash/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/md2/Makefile.ssl b/src/lib/libssl/src/crypto/md2/Makefile.ssl index d46c73a9b9..269628d739 100644 --- a/src/lib/libssl/src/crypto/md2/Makefile.ssl +++ b/src/lib/libssl/src/crypto/md2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/md4/Makefile.ssl b/src/lib/libssl/src/crypto/md4/Makefile.ssl index 6ee3ca88ed..646607274e 100644 --- a/src/lib/libssl/src/crypto/md4/Makefile.ssl +++ b/src/lib/libssl/src/crypto/md4/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/md5/Makefile.ssl b/src/lib/libssl/src/crypto/md5/Makefile.ssl index e8d0cced7f..784215579b 100644 --- a/src/lib/libssl/src/crypto/md5/Makefile.ssl +++ b/src/lib/libssl/src/crypto/md5/Makefile.ssl @@ -50,7 +50,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libssl/src/crypto/mdc2/Makefile.ssl b/src/lib/libssl/src/crypto/mdc2/Makefile.ssl index da11c4edea..a9b06b02bd 100644 --- a/src/lib/libssl/src/crypto/mdc2/Makefile.ssl +++ b/src/lib/libssl/src/crypto/mdc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/mem_dbg.c b/src/lib/libssl/src/crypto/mem_dbg.c index 866c53e73a..ef19d8f844 100644 --- a/src/lib/libssl/src/crypto/mem_dbg.c +++ b/src/lib/libssl/src/crypto/mem_dbg.c @@ -81,7 +81,8 @@ static int mh_mode=CRYPTO_MEM_CHECK_OFF; */ static unsigned long order = 0; /* number of memory requests */ -static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */ +static LHASH *mh=NULL; /* hash-table of memory requests (address as key); + * access requires MALLOC2 lock */ typedef struct app_mem_info_st @@ -103,7 +104,8 @@ typedef struct app_mem_info_st static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's * that are at the top of their thread's stack - * (with `thread' as key) */ + * (with `thread' as key); + * access requires MALLOC2 lock */ typedef struct mem_st /* memory-block description */ @@ -128,7 +130,15 @@ static long options = /* extra information to be recorded */ 0; -static unsigned long disabling_thread = 0; +static unsigned int num_disable = 0; /* num_disable > 0 + * iff + * mh_mode == CRYPTO_MEM_CHECK_ON (w/o ..._ENABLE) + */ +static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0. + * CRYPTO_LOCK_MALLOC2 is locked + * exactly in this case (by the + * thread named in disabling_thread). + */ int CRYPTO_mem_ctrl(int mode) { @@ -137,22 +147,23 @@ int CRYPTO_mem_ctrl(int mode) CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); switch (mode) { - /* for applications: */ + /* for applications (not to be called while multiple threads + * use the library): */ case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */ mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE; - disabling_thread = 0; + num_disable = 0; break; case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */ mh_mode = 0; - disabling_thread = 0; + num_disable = 0; /* should be true *before* MemCheck_stop is used, + or there'll be a lot of confusion */ break; /* switch off temporarily (for library-internal use): */ case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { - mh_mode&= ~CRYPTO_MEM_CHECK_ENABLE; - if (disabling_thread != CRYPTO_thread_id()) /* otherwise we already have the MALLOC2 lock */ + if (!num_disable || (disabling_thread != CRYPTO_thread_id())) /* otherwise we already have the MALLOC2 lock */ { /* Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed while * we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock if @@ -169,18 +180,23 @@ int CRYPTO_mem_ctrl(int mode) * OpenSSL threads. */ CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2); CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + mh_mode &= ~CRYPTO_MEM_CHECK_ENABLE; disabling_thread=CRYPTO_thread_id(); } + num_disable++; } break; case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { - mh_mode|=CRYPTO_MEM_CHECK_ENABLE; - if (disabling_thread != 0) + if (num_disable) /* always true, or something is going wrong */ { - disabling_thread=0; - CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); + num_disable--; + if (num_disable == 0) + { + mh_mode|=CRYPTO_MEM_CHECK_ENABLE; + CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); + } } } break; @@ -198,12 +214,12 @@ int CRYPTO_is_mem_check_on(void) if (mh_mode & CRYPTO_MEM_CHECK_ON) { - CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + CRYPTO_r_lock(CRYPTO_LOCK_MALLOC); ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE) - && disabling_thread != CRYPTO_thread_id(); + || (disabling_thread != CRYPTO_thread_id()); - CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); + CRYPTO_r_unlock(CRYPTO_LOCK_MALLOC); } return(ret); } @@ -293,7 +309,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line) if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ if ((ami = (APP_INFO *)OPENSSL_malloc(sizeof(APP_INFO))) == NULL) { @@ -330,7 +346,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line) ami->next=amim; } err: - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); @@ -342,11 +358,11 @@ int CRYPTO_pop_info(void) if (is_MemCheck_on()) /* _must_ be true, or something went severely wrong */ { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ ret=(pop_info() != NULL); - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } @@ -357,12 +373,12 @@ int CRYPTO_remove_all_info(void) if (is_MemCheck_on()) /* _must_ be true */ { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ while(pop_info() != NULL) ret++; - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } @@ -385,11 +401,12 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* make sure we hold MALLOC2 lock */ if ((m=(MEM *)OPENSSL_malloc(sizeof(MEM))) == NULL) { OPENSSL_free(addr); - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ return; } if (mh == NULL) @@ -448,7 +465,8 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, OPENSSL_free(mm); } err: - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; } @@ -467,7 +485,7 @@ void CRYPTO_dbg_free(void *addr, int before_p) if (is_MemCheck_on() && (mh != NULL)) { - MemCheck_off(); + MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr; mp=(MEM *)lh_delete(mh,(char *)&m); @@ -484,7 +502,8 @@ void CRYPTO_dbg_free(void *addr, int before_p) OPENSSL_free(mp); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; case 1: @@ -518,7 +537,7 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr1; mp=(MEM *)lh_delete(mh,(char *)&m); @@ -535,7 +554,8 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, lh_insert(mh,(char *)mp); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; } @@ -642,10 +662,12 @@ void CRYPTO_mem_leaks(BIO *b) if (mh == NULL && amih == NULL) return; + + MemCheck_off(); /* obtain MALLOC2 lock */ + ml.bio=b; ml.bytes=0; ml.chunks=0; - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ if (mh != NULL) lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml); if (ml.chunks != 0) @@ -671,7 +693,15 @@ void CRYPTO_mem_leaks(BIO *b) * void_fn_to_char kludge in CRYPTO_mem_leaks_cb. * Otherwise the code police will come and get us.) */ + int old_mh_mode; + CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + + /* avoid deadlock when lh_free() uses CRYPTO_dbg_free(), + * which uses CRYPTO_is_mem_check_on */ + old_mh_mode = mh_mode; + mh_mode = CRYPTO_MEM_CHECK_OFF; + if (mh != NULL) { lh_free(mh); @@ -685,15 +715,11 @@ void CRYPTO_mem_leaks(BIO *b) amih = NULL; } } + + mh_mode = old_mh_mode; CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ - -#if 0 - lh_stats_bio(mh,b); - lh_node_stats_bio(mh,b); - lh_node_usage_stats_bio(mh,b); -#endif + MemCheck_on(); /* release MALLOC2 lock */ } #ifndef NO_FP_API diff --git a/src/lib/libssl/src/crypto/objects/Makefile.ssl b/src/lib/libssl/src/crypto/objects/Makefile.ssl index bdb7aa94dc..6746ad21e7 100644 --- a/src/lib/libssl/src/crypto/objects/Makefile.ssl +++ b/src/lib/libssl/src/crypto/objects/Makefile.ssl @@ -39,7 +39,8 @@ all: obj_dat.h lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h index 6b5aedeea6..dc50f6d7da 100644 --- a/src/lib/libssl/src/crypto/opensslv.h +++ b/src/lib/libssl/src/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090600fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6 [engine] 24 Sep 2000" +#define OPENSSL_VERSION_NUMBER 0x0090601fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a [engine] 5 Apr 2001" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/src/lib/libssl/src/crypto/pem/Makefile.ssl b/src/lib/libssl/src/crypto/pem/Makefile.ssl index 97af8255a3..31db6b65a1 100644 --- a/src/lib/libssl/src/crypto/pem/Makefile.ssl +++ b/src/lib/libssl/src/crypto/pem/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/pem/pem_info.c b/src/lib/libssl/src/crypto/pem/pem_info.c index 1c5c6dea00..f1694f1125 100644 --- a/src/lib/libssl/src/crypto/pem/pem_info.c +++ b/src/lib/libssl/src/crypto/pem/pem_info.c @@ -305,7 +305,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, { if ( (xi->enc_data!=NULL) && (xi->enc_len>0) ) { - /* copy from wierdo names into more normal things */ + /* copy from weirdo names into more normal things */ iv=xi->enc_cipher.iv; data=(unsigned char *)xi->enc_data; i=xi->enc_len; diff --git a/src/lib/libssl/src/crypto/pkcs12/Makefile.ssl b/src/lib/libssl/src/crypto/pkcs12/Makefile.ssl index 67869f204f..d745c53621 100644 --- a/src/lib/libssl/src/crypto/pkcs12/Makefile.ssl +++ b/src/lib/libssl/src/crypto/pkcs12/Makefile.ssl @@ -45,7 +45,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_attr.c b/src/lib/libssl/src/crypto/pkcs12/p12_attr.c index f1a210b5d2..a16a97d03d 100644 --- a/src/lib/libssl/src/crypto/pkcs12/p12_attr.c +++ b/src/lib/libssl/src/crypto/pkcs12/p12_attr.c @@ -151,7 +151,7 @@ int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name, { unsigned char *uniname; int ret, unilen; - if (!asc2uni(name, &uniname, &unilen)) { + if (!asc2uni(name, namelen, &uniname, &unilen)) { PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC, ERR_R_MALLOC_FAILURE); return 0; diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_key.c b/src/lib/libssl/src/crypto/pkcs12/p12_key.c index b042dcf05c..a4fd5b98ec 100644 --- a/src/lib/libssl/src/crypto/pkcs12/p12_key.c +++ b/src/lib/libssl/src/crypto/pkcs12/p12_key.c @@ -84,7 +84,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, if(!pass) { unipass = NULL; uniplen = 0; - } else if (!asc2uni(pass, &unipass, &uniplen)) { + } else if (!asc2uni(pass, passlen, &unipass, &uniplen)) { PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE); return 0; } @@ -102,7 +102,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, const EVP_MD *md_type) { unsigned char *B, *D, *I, *p, *Ai; - int Slen, Plen, Ilen; + int Slen, Plen, Ilen, Ijlen; int i, j, u, v; BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */ EVP_MD_CTX ctx; @@ -180,10 +180,17 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, BN_bin2bn (I + j, v, Ij); BN_add (Ij, Ij, Bpl1); BN_bn2bin (Ij, B); + Ijlen = BN_num_bytes (Ij); /* If more than 2^(v*8) - 1 cut off MSB */ - if (BN_num_bytes (Ij) > v) { + if (Ijlen > v) { BN_bn2bin (Ij, B); memcpy (I + j, B + 1, v); +#ifndef PKCS12_BROKEN_KEYGEN + /* If less than v bytes pad with zeroes */ + } else if (Ijlen < v) { + memset(I + j, 0, v - Ijlen); + BN_bn2bin(Ij, I + j + v - Ijlen); +#endif } else BN_bn2bin (Ij, I + j); } } diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c b/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c index 1fbbd6c99f..5d67f19b45 100644 --- a/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c +++ b/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c @@ -264,6 +264,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, if (lkey) { *keymatch |= MATCH_CERT; if (cert) *cert = x509; + else X509_free(x509); } else { if(ca) sk_X509_push (*ca, x509); else X509_free(x509); diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_utl.c b/src/lib/libssl/src/crypto/pkcs12/p12_utl.c index 17f41b4549..2f1d1e534f 100644 --- a/src/lib/libssl/src/crypto/pkcs12/p12_utl.c +++ b/src/lib/libssl/src/crypto/pkcs12/p12_utl.c @@ -62,30 +62,34 @@ /* Cheap and nasty Unicode stuff */ -unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen) +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) { int ulen, i; unsigned char *unitmp; - ulen = strlen(asc)*2 + 2; - if (!(unitmp = OPENSSL_malloc (ulen))) return NULL; - for (i = 0; i < ulen; i+=2) { + if (asclen == -1) asclen = strlen(asc); + ulen = asclen*2 + 2; + if (!(unitmp = OPENSSL_malloc(ulen))) return NULL; + for (i = 0; i < ulen - 2; i+=2) { unitmp[i] = 0; unitmp[i + 1] = asc[i>>1]; } + /* Make result double null terminated */ + unitmp[ulen - 2] = 0; + unitmp[ulen - 1] = 0; if (unilen) *unilen = ulen; if (uni) *uni = unitmp; return unitmp; } -char *uni2asc (unsigned char *uni, int unilen) +char *uni2asc(unsigned char *uni, int unilen) { int asclen, i; char *asctmp; asclen = unilen / 2; /* If no terminating zero allow for one */ - if (uni[unilen - 1]) asclen++; + if (!unilen || uni[unilen - 1]) asclen++; uni++; - if (!(asctmp = OPENSSL_malloc (asclen))) return NULL; + if (!(asctmp = OPENSSL_malloc(asclen))) return NULL; for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i]; asctmp[asclen - 1] = 0; return asctmp; diff --git a/src/lib/libssl/src/crypto/pkcs12/pkcs12.h b/src/lib/libssl/src/crypto/pkcs12/pkcs12.h index 502fceff95..e529154f26 100644 --- a/src/lib/libssl/src/crypto/pkcs12/pkcs12.h +++ b/src/lib/libssl/src/crypto/pkcs12/pkcs12.h @@ -247,7 +247,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, EVP_MD *md_type); int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, EVP_MD *md_type); -unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen); +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen); char *uni2asc(unsigned char *uni, int unilen); int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp); PKCS12_BAGS *PKCS12_BAGS_new(void); diff --git a/src/lib/libssl/src/crypto/pkcs7/Makefile.ssl b/src/lib/libssl/src/crypto/pkcs7/Makefile.ssl index 6cd18b671e..37b72f0890 100644 --- a/src/lib/libssl/src/crypto/pkcs7/Makefile.ssl +++ b/src/lib/libssl/src/crypto/pkcs7/Makefile.ssl @@ -58,7 +58,8 @@ verify: verify.o example.o lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c index 099e9651c1..bf43d030ad 100644 --- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c +++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c @@ -370,7 +370,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) if (ri == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); - return(NULL); + goto err; } jj=EVP_PKEY_size(pkey); @@ -393,7 +393,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) BIO_get_cipher_ctx(etmp,&evp_ctx); EVP_CipherInit(evp_ctx,evp_cipher,NULL,NULL,0); if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) - return(NULL); + goto err; if (jj != EVP_CIPHER_CTX_key_length(evp_ctx)) { /* Some S/MIME clients don't use the same key @@ -588,8 +588,10 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) pp=NULL; } +#ifndef NO_DSA if (si->pkey->type == EVP_PKEY_DSA) ctx_tmp.digest=EVP_dss1(); +#endif if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data, (unsigned int *)&buf->length,si->pkey)) @@ -783,7 +785,14 @@ for (ii=0; iienc_digest; pkey = X509_get_pubkey(x509); + if (!pkey) + { + ret = -1; + goto err; + } +#ifndef NO_DSA if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1(); +#endif i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey); EVP_PKEY_free(pkey); diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c index 994473c0bd..086d394270 100644 --- a/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c +++ b/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c @@ -165,9 +165,9 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) } bound[32] = 0; BIO_printf(bio, "MIME-Version: 1.0\n"); - BIO_printf(bio, "Content-Type: multipart/signed ; "); - BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; "); - BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound); + BIO_printf(bio, "Content-Type: multipart/signed;"); + BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";"); + BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound); BIO_printf(bio, "This is an S/MIME signed message\n\n"); /* Now write out the first part */ BIO_printf(bio, "------%s\n", bound); diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c index d716f9faeb..3d3214f5ee 100644 --- a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c +++ b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c @@ -153,7 +153,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, PKCS7_SIGNER_INFO *si; X509_STORE_CTX cert_ctx; char buf[4096]; - int i, j=0, k; + int i, j=0, k, ret = 0; BIO *p7bio; BIO *tmpout; @@ -258,18 +258,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, } } - sk_X509_free(signers); - if(indata) BIO_pop(p7bio); - BIO_free_all(p7bio); - - return 1; + ret = 1; err: + if(indata) BIO_pop(p7bio); + BIO_free_all(p7bio); sk_X509_free(signers); - BIO_free(p7bio); - return 0; + return ret; } STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) diff --git a/src/lib/libssl/src/crypto/rand/Makefile.ssl b/src/lib/libssl/src/crypto/rand/Makefile.ssl index 5f6199a35f..707eaac678 100644 --- a/src/lib/libssl/src/crypto/rand/Makefile.ssl +++ b/src/lib/libssl/src/crypto/rand/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/rand/md_rand.c b/src/lib/libssl/src/crypto/rand/md_rand.c index d167dea77d..567838f6c3 100644 --- a/src/lib/libssl/src/crypto/rand/md_rand.c +++ b/src/lib/libssl/src/crypto/rand/md_rand.c @@ -482,12 +482,12 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) unpredictable */ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) { - int ret, err; + int ret; ret = RAND_bytes(buf, num); if (ret == 0) { - err = ERR_peek_error(); + long err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_RAND && ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED) (void)ERR_get_error(); diff --git a/src/lib/libssl/src/crypto/rand/rand.h b/src/lib/libssl/src/crypto/rand/rand.h index eb9c8c034d..9c6052733e 100644 --- a/src/lib/libssl/src/crypto/rand/rand.h +++ b/src/lib/libssl/src/crypto/rand/rand.h @@ -59,6 +59,8 @@ #ifndef HEADER_RAND_H #define HEADER_RAND_H +#include + #ifdef __cplusplus extern "C" { #endif @@ -89,7 +91,7 @@ void RAND_seed(const void *buf,int num); void RAND_add(const void *buf,int num,double entropy); int RAND_load_file(const char *file,long max_bytes); int RAND_write_file(const char *file); -const char *RAND_file_name(char *file,int num); +const char *RAND_file_name(char *file,size_t num); int RAND_status(void); int RAND_egd(const char *path); int RAND_egd_bytes(const char *path,int bytes); diff --git a/src/lib/libssl/src/crypto/rand/rand_egd.c b/src/lib/libssl/src/crypto/rand/rand_egd.c index 02a0d86fa3..79b5e6fa57 100644 --- a/src/lib/libssl/src/crypto/rand/rand_egd.c +++ b/src/lib/libssl/src/crypto/rand/rand_egd.c @@ -74,7 +74,14 @@ int RAND_egd_bytes(const char *path,int bytes) #include OPENSSL_UNISTD #include #include +#ifndef NO_SYS_UN_H #include +#else +struct sockaddr_un { + short sun_family; /* AF_UNIX */ + char sun_path[108]; /* path name (gag) */ +}; +#endif /* NO_SYS_UN_H */ #include #ifndef offsetof diff --git a/src/lib/libssl/src/crypto/rand/rand_win.c b/src/lib/libssl/src/crypto/rand/rand_win.c index 9f2dcff9a9..3d137badd0 100644 --- a/src/lib/libssl/src/crypto/rand/rand_win.c +++ b/src/lib/libssl/src/crypto/rand/rand_win.c @@ -570,14 +570,15 @@ static void readtimer(void) DWORD w; LARGE_INTEGER l; static int have_perfc = 1; -#ifndef __GNUC__ +#ifdef _MSC_VER static int have_tsc = 1; DWORD cyclecount; if (have_tsc) { __try { __asm { - rdtsc + _emit 0x0f + _emit 0x31 mov cyclecount, eax } RAND_add(&cyclecount, sizeof(cyclecount), 1); @@ -725,8 +726,9 @@ int RAND_poll(void) #ifdef DEVRANDOM return 1; -#endif +#else return 0; +#endif } #endif diff --git a/src/lib/libssl/src/crypto/rand/randfile.c b/src/lib/libssl/src/crypto/rand/randfile.c index 663a36cb70..f4376cf8cc 100644 --- a/src/lib/libssl/src/crypto/rand/randfile.c +++ b/src/lib/libssl/src/crypto/rand/randfile.c @@ -73,7 +73,7 @@ # include #endif -#include +#include "openssl/e_os.h" #include #include @@ -83,6 +83,9 @@ /* #define RFILE ".rnd" - defined in ../../e_os.h */ +/* Note that these functions are intended for seed files only. + * Entropy devices and EGD sockets are handled in rand_unix.c */ + int RAND_load_file(const char *file, long bytes) { /* If bytes >= 0, read up to 'bytes' bytes. @@ -213,7 +216,7 @@ err: return (rand_err ? -1 : ret); } -const char *RAND_file_name(char *buf, int size) +const char *RAND_file_name(char *buf, size_t size) { char *s = NULL; char *ret=NULL; @@ -239,6 +242,8 @@ const char *RAND_file_name(char *buf, int size) strlcat(buf,RFILE,size); ret=buf; } + else + buf[0] = '\0'; /* no file name */ } #ifdef DEVRANDOM @@ -257,3 +262,4 @@ const char *RAND_file_name(char *buf, int size) #endif return(ret); } + diff --git a/src/lib/libssl/src/crypto/rc2/Makefile.ssl b/src/lib/libssl/src/crypto/rc2/Makefile.ssl index 9e94051cd7..39813d68be 100644 --- a/src/lib/libssl/src/crypto/rc2/Makefile.ssl +++ b/src/lib/libssl/src/crypto/rc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/rc4/Makefile.ssl b/src/lib/libssl/src/crypto/rc4/Makefile.ssl index 8d2a795c22..e75858d3b9 100644 --- a/src/lib/libssl/src/crypto/rc4/Makefile.ssl +++ b/src/lib/libssl/src/crypto/rc4/Makefile.ssl @@ -47,7 +47,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libssl/src/crypto/rc5/Makefile.ssl b/src/lib/libssl/src/crypto/rc5/Makefile.ssl index 5a54a162ba..c8ee124776 100644 --- a/src/lib/libssl/src/crypto/rc5/Makefile.ssl +++ b/src/lib/libssl/src/crypto/rc5/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libssl/src/crypto/ripemd/Makefile.ssl b/src/lib/libssl/src/crypto/ripemd/Makefile.ssl index de01a953ec..1550c32ca1 100644 --- a/src/lib/libssl/src/crypto/ripemd/Makefile.ssl +++ b/src/lib/libssl/src/crypto/ripemd/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libssl/src/crypto/rsa/Makefile.ssl b/src/lib/libssl/src/crypto/rsa/Makefile.ssl index c159eedafe..2bee181d4e 100644 --- a/src/lib/libssl/src/crypto/rsa/Makefile.ssl +++ b/src/lib/libssl/src/crypto/rsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c index ccaa62b239..cde5ca27d5 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c +++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c @@ -141,9 +141,26 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from, if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, @@ -378,9 +395,26 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from, /* do the decrypt */ if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, @@ -433,20 +467,53 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) { if (rsa->_method_mod_p == NULL) { - if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_p == NULL) + { + rsa->_method_mod_p = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } + if (rsa->_method_mod_q == NULL) { - if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_q == NULL) + { + rsa->_method_mod_q = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } } - + if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, rsa->_method_mod_q)) goto err; diff --git a/src/lib/libssl/src/crypto/rsa/rsa_lib.c b/src/lib/libssl/src/crypto/rsa/rsa_lib.c index 5e1e8fcdf3..94395cc22c 100644 --- a/src/lib/libssl/src/crypto/rsa/rsa_lib.c +++ b/src/lib/libssl/src/crypto/rsa/rsa_lib.c @@ -191,13 +191,13 @@ RSA *RSA_new_method(ENGINE *engine) ret->blinding=NULL; ret->bignum_data=NULL; ret->flags=meth->flags; + CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data); if ((meth->init != NULL) && !meth->init(ret)) { + CRYPTO_free_ex_data(rsa_meth,ret,&ret->ex_data); OPENSSL_free(ret); ret=NULL; } - else - CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data); return(ret); } @@ -221,13 +221,13 @@ void RSA_free(RSA *r) } #endif - CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data); - meth = ENGINE_get_RSA(r->engine); if (meth->finish != NULL) meth->finish(r); ENGINE_finish(r->engine); + CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data); + if (r->n != NULL) BN_clear_free(r->n); if (r->e != NULL) BN_clear_free(r->e); if (r->d != NULL) BN_clear_free(r->d); @@ -325,7 +325,7 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) BN_CTX_start(ctx); A = BN_CTX_get(ctx); - if (!BN_rand(A,BN_num_bits(rsa->n)-1,1,0)) goto err; + if (!BN_rand_range(A,rsa->n)) goto err; if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!ENGINE_get_RSA(rsa->engine)->bn_mod_exp(A,A, diff --git a/src/lib/libssl/src/crypto/sha/Makefile.ssl b/src/lib/libssl/src/crypto/sha/Makefile.ssl index 72acd8f046..790e572fa2 100644 --- a/src/lib/libssl/src/crypto/sha/Makefile.ssl +++ b/src/lib/libssl/src/crypto/sha/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl b/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl index 09df993ecd..fe51fd0794 100644 --- a/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl +++ b/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl @@ -317,7 +317,7 @@ sub BODY_60_79 sub sha1_block_host { - local($name)=@_; + local($name, $sclabel)=@_; &function_begin_B($name,""); @@ -352,7 +352,7 @@ sub sha1_block_host &mov(&swtmp($i+0),$A); &mov(&swtmp($i+1),$B); } - &jmp(&label("shortcut")); + &jmp($sclabel); &function_end_B($name); } @@ -529,10 +529,12 @@ sub sha1_block_data &pop("esi"); &ret(); - # it has to reside within sha1_block_asm_host_order body - # because it calls &jmp(&label("shortcut")); - &sha1_block_host("sha1_block_asm_host_order"); + # keep a note of shortcut label so it can be used outside + # block. + my $sclabel = &label("shortcut"); &function_end_B($name); + # Putting this here avoids problems with MASM in debugging mode + &sha1_block_host("sha1_block_asm_host_order", $sclabel); } diff --git a/src/lib/libssl/src/crypto/stack/Makefile.ssl b/src/lib/libssl/src/crypto/stack/Makefile.ssl index 86ed928750..c916fd5451 100644 --- a/src/lib/libssl/src/crypto/stack/Makefile.ssl +++ b/src/lib/libssl/src/crypto/stack/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/txt_db/Makefile.ssl b/src/lib/libssl/src/crypto/txt_db/Makefile.ssl index cb54d53323..ee054e91f2 100644 --- a/src/lib/libssl/src/crypto/txt_db/Makefile.ssl +++ b/src/lib/libssl/src/crypto/txt_db/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/uid.c b/src/lib/libssl/src/crypto/uid.c new file mode 100644 index 0000000000..b5b61b76d4 --- /dev/null +++ b/src/lib/libssl/src/crypto/uid.c @@ -0,0 +1,88 @@ +/* crypto/uid.c */ +/* ==================================================================== + * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include + +#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) + +#include + +int OPENSSL_issetugid(void) + { + return issetugid(); + } + +#elif defined(WIN32) + +int OPENSSL_issetugid(void) + { + return 0; + } + +#else + +#include +#include + +int OPENSSL_issetugid(void) + { + if (getuid() != geteuid()) return 1; + if (getgid() != getegid()) return 1; + return 0; + } +#endif + + + diff --git a/src/lib/libssl/src/crypto/x509/Makefile.ssl b/src/lib/libssl/src/crypto/x509/Makefile.ssl index 4619693733..79f09d4f71 100644 --- a/src/lib/libssl/src/crypto/x509/Makefile.ssl +++ b/src/lib/libssl/src/crypto/x509/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/x509/by_dir.c b/src/lib/libssl/src/crypto/x509/by_dir.c index cac64a6f40..448bd7e69c 100644 --- a/src/lib/libssl/src/crypto/x509/by_dir.c +++ b/src/lib/libssl/src/crypto/x509/by_dir.c @@ -327,7 +327,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, * it out again */ CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp); - if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i); + if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j); else tmp = NULL; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); diff --git a/src/lib/libssl/src/crypto/x509/x509_cmp.c b/src/lib/libssl/src/crypto/x509/x509_cmp.c index b147d573d2..3f9f9b3d47 100644 --- a/src/lib/libssl/src/crypto/x509/x509_cmp.c +++ b/src/lib/libssl/src/crypto/x509/x509_cmp.c @@ -199,19 +199,13 @@ unsigned long X509_NAME_hash(X509_NAME *x) { unsigned long ret=0; unsigned char md[16]; - unsigned char str[256],*p,*pp; - int i; - - i=i2d_X509_NAME(x,NULL); - if (i > sizeof(str)) - p=OPENSSL_malloc(i); - else - p=str; - pp=p; - i2d_X509_NAME(x,&pp); - MD5((unsigned char *)p,i,&(md[0])); - if (p != str) OPENSSL_free(p); + /* Ensure cached version is up to date */ + i2d_X509_NAME(x,NULL); + /* Use cached encoding directly rather than copying: this should + * keep libsafe happy. + */ + MD5((unsigned char *)x->bytes->data,x->bytes->length,&(md[0])); ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) diff --git a/src/lib/libssl/src/crypto/x509v3/Makefile.ssl b/src/lib/libssl/src/crypto/x509v3/Makefile.ssl index f7c3a6ca13..236e13af4e 100644 --- a/src/lib/libssl/src/crypto/x509v3/Makefile.ssl +++ b/src/lib/libssl/src/crypto/x509v3/Makefile.ssl @@ -43,7 +43,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/crypto/x509v3/v3_alt.c b/src/lib/libssl/src/crypto/x509v3/v3_alt.c index 733919f250..94bebcd448 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_alt.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_alt.c @@ -270,7 +270,7 @@ static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens) /* Now add any email address(es) to STACK */ i = -1; while((i = X509_NAME_get_index_by_NID(nm, - NID_pkcs9_emailAddress, i)) > 0) { + NID_pkcs9_emailAddress, i)) >= 0) { ne = X509_NAME_get_entry(nm, i); email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne)); if(!email || !(gen = GENERAL_NAME_new())) { diff --git a/src/lib/libssl/src/crypto/x509v3/v3_prn.c b/src/lib/libssl/src/crypto/x509v3/v3_prn.c index dbc4fb1f16..14b804c4ad 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_prn.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_prn.c @@ -85,9 +85,16 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) else BIO_printf(out, "%s:%s", nval->name, nval->value); #else else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1); - BIO_printf(out, "%s:%s", nval->name, tmp); + int len; + char *tmp; + len = strlen(nval->value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, nval->value, len); + BIO_printf(out, "%s:%s", nval->name, tmp); + OPENSSL_free(tmp); + } } #endif if(ml) BIO_puts(out, "\n"); @@ -115,9 +122,16 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent) BIO_printf(out, "%*s%s", indent, "", value); #else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, value, strlen(value)+1); - BIO_printf(out, "%*s%s", indent, "", tmp); + int len; + char *tmp; + len = strlen(value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, value, len); + BIO_printf(out, "%*s%s", indent, "", tmp); + OPENSSL_free(tmp); + } } #endif } else if(method->i2v) { diff --git a/src/lib/libssl/src/crypto/x509v3/v3_purp.c b/src/lib/libssl/src/crypto/x509v3/v3_purp.c index 867699b26f..8aecd00e63 100644 --- a/src/lib/libssl/src/crypto/x509v3/v3_purp.c +++ b/src/lib/libssl/src/crypto/x509v3/v3_purp.c @@ -362,6 +362,8 @@ static int ca_check(const X509 *x) else return 0; } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; + /* If key usage present it must have certSign so tolerate it */ + else if (x->ex_flags & EXFLAG_KUSAGE) return 3; else return 2; } } @@ -380,7 +382,7 @@ static int check_ssl_ca(const X509 *x) if(ca_ret != 2) return ca_ret; else return 0; } - + static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) { @@ -446,7 +448,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c int ret; ret = purpose_smime(x, ca); if(!ret || ca) return ret; - if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0; + if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; return ret; } diff --git a/src/lib/libssl/src/doc/apps/pkcs12.pod b/src/lib/libssl/src/doc/apps/pkcs12.pod index c4009998b8..7e0307dda0 100644 --- a/src/lib/libssl/src/doc/apps/pkcs12.pod +++ b/src/lib/libssl/src/doc/apps/pkcs12.pod @@ -304,6 +304,26 @@ Include some extra certificates: Some would argue that the PKCS#12 standard is one big bug :-) +Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation +routines. Under rare circumstances this could produce a PKCS#12 file encrypted +with an invalid key. As a result some PKCS#12 files which triggered this bug +from other implementations (MSIE or Netscape) could not be decrypted +by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could +not be decrypted by other implementations. The chances of producing such +a file are relatively small: less than 1 in 256. + +A side effect of fixing this bug is that any old invalidly encrypted PKCS#12 +files cannot no longer be parsed by the fixed version. Under such circumstances +the B utility will report that the MAC is OK but fail with a decryption +error when extracting private keys. + +This problem can be resolved by extracting the private keys and certificates +from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 +file from the keys and certificates using a newer version of OpenSSL. For example: + + old-openssl -in bad.p12 -out keycerts.pem + openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 + =head1 SEE ALSO L diff --git a/src/lib/libssl/src/doc/apps/s_client.pod b/src/lib/libssl/src/doc/apps/s_client.pod index 9df1c07fb7..078ff086c3 100644 --- a/src/lib/libssl/src/doc/apps/s_client.pod +++ b/src/lib/libssl/src/doc/apps/s_client.pod @@ -32,6 +32,7 @@ B B [B<-no_tls1>] [B<-bugs>] [B<-cipher cipherlist>] +[B<-rand file(s)>] [B<-engine id>] =head1 DESCRIPTION @@ -157,6 +158,14 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B command for more information. +=item B<-rand file(s)> + +a file or files containing random data used to seed the random number +generator, or an EGD socket (see L). +Multiple files can be specified separated by a OS-dependent character. +The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for +all others. + =item B<-engine id> specifying an engine (by it's unique B string) will cause B diff --git a/src/lib/libssl/src/doc/apps/s_server.pod b/src/lib/libssl/src/doc/apps/s_server.pod index 3a5bf46e28..419383b55d 100644 --- a/src/lib/libssl/src/doc/apps/s_server.pod +++ b/src/lib/libssl/src/doc/apps/s_server.pod @@ -39,6 +39,7 @@ B B [B<-hack>] [B<-www>] [B<-WWW>] +[B<-rand file(s)>] [B<-engine id>] =head1 DESCRIPTION @@ -95,7 +96,7 @@ using a set of DH parameters. If not specified then an attempt is made to load the parameters from the server certificate file. If this fails then a static set of parameters hard coded into the s_server program will be used. -=item B<-nodhe> +=item B<-no_dhe> if this option is set then no DH parameters will be loaded effectively disabling the ephemeral DH cipher suites. @@ -187,6 +188,14 @@ emulates a simple web server. Pages will be resolved relative to the current directory, for example if the URL https://myhost/page.html is requested the file ./page.html will be loaded. +=item B<-rand file(s)> + +a file or files containing random data used to seed the random number +generator, or an EGD socket (see L). +Multiple files can be specified separated by a OS-dependent character. +The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for +all others. + =item B<-engine id> specifying an engine (by it's unique B string) will cause B diff --git a/src/lib/libssl/src/doc/crypto/BN_rand.pod b/src/lib/libssl/src/doc/crypto/BN_rand.pod index f234553853..5406552ba4 100644 --- a/src/lib/libssl/src/doc/crypto/BN_rand.pod +++ b/src/lib/libssl/src/doc/crypto/BN_rand.pod @@ -12,24 +12,31 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *range); + =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of -B bits in length and stores it in B. If B is true, the -two most significant bits of the number will be set to 1, so that the -product of two such random numbers will always have 2*B length. -If B is true, the number will be odd. +B bits in length and stores it in B. If B is -1, the +most significant bit of the random number can be zero. If B is 0, +it is set to 1, and if B is 1, the two most significant bits of +the number will be set to 1, so that the product of two such random +numbers will always have 2*B length. If B is true, the +number will be odd. BN_pseudo_rand() does the same, but pseudo-random numbers generated by this function are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc. -The PRNG must be seeded prior to calling BN_rand(). +BN_rand_range() generates a cryptographically strong pseudo-random +number B in the range 0 = B E B. + +The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). =head1 RETURN VALUES -BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error. +The functions return 1 on success, 0 on error. The error codes can be obtained by L. =head1 SEE ALSO @@ -40,6 +47,7 @@ L, L =head1 HISTORY BN_rand() is available in all versions of SSLeay and OpenSSL. -BN_pseudo_rand() was added in OpenSSL 0.9.5. +BN_pseudo_rand() was added in OpenSSL 0.9.5. The B == -1 case +and the function BN_rand_range() were added in OpenSSL 0.9.6a. =cut diff --git a/src/lib/libssl/src/doc/crypto/RAND_egd.pod b/src/lib/libssl/src/doc/crypto/RAND_egd.pod index 40241e2df8..71cab3ca04 100644 --- a/src/lib/libssl/src/doc/crypto/RAND_egd.pod +++ b/src/lib/libssl/src/doc/crypto/RAND_egd.pod @@ -9,10 +9,30 @@ RAND_egd - query entropy gathering daemon #include int RAND_egd(const char *path); + int RAND_egd_bytes(const char *path, int bytes); =head1 DESCRIPTION RAND_egd() queries the entropy gathering daemon EGD on socket B. +It queries 255 bytes and uses L to seed the +OpenSSL built-in PRNG. RAND_egd(path) is a wrapper for +RAND_egd_bytes(path, 255); + +RAND_egd_bytes() queries the entropy gathering daemon EGD on socket B. +It queries B bytes and uses L to seed the +OpenSSL built-in PRNG. +This function is more flexible than RAND_egd(). +When only one secret key must +be generated, it is not necessary to request the full amount 255 bytes from +the EGD socket. This can be advantageous, since the amount of entropy +that can be retrieved from EGD over time is limited. + +=head1 NOTES + +On systems without /dev/*random devices providing entropy from the kernel, +the EGD entropy gathering daemon can be used to collect entropy. It provides +a socket interface through which entropy can be gathered in chunks up to +255 bytes. Several chunks can be queried during one connection. EGD is available from http://www.lothar.com/tech/crypto/ (C to install). It is run as B @@ -21,22 +41,27 @@ RAND_egd() is called with that path as an argument, it tries to read random bytes that EGD has collected. The read is performed in non-blocking mode. -Alternatively, the EGD-compatible daemon PRNGD can be used. It is +Alternatively, the EGD-interface compatible daemon PRNGD can be used. It is available from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html . +PRNGD does employ an internal PRNG itself and can therefore never run +out of entropy. =head1 RETURN VALUE -RAND_egd() returns the number of bytes read from the daemon on -success, and -1 if the connection failed or the daemon did not return -enough data to fully seed the PRNG. +RAND_egd() and RAND_egd_bytes() return the number of bytes read from the +daemon on success, and -1 if the connection failed or the daemon did not +return enough data to fully seed the PRNG. =head1 SEE ALSO -L, L, L +L, L, +L =head1 HISTORY RAND_egd() is available since OpenSSL 0.9.5. +RAND_egd_bytes() is available since OpenSSL 0.9.6. + =cut diff --git a/src/lib/libssl/src/doc/crypto/RAND_load_file.pod b/src/lib/libssl/src/doc/crypto/RAND_load_file.pod index 8dd700ca3d..d8c134e621 100644 --- a/src/lib/libssl/src/doc/crypto/RAND_load_file.pod +++ b/src/lib/libssl/src/doc/crypto/RAND_load_file.pod @@ -8,7 +8,7 @@ RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file #include - const char *RAND_file_name(char *buf, int num); + const char *RAND_file_name(char *buf, size_t num); int RAND_load_file(const char *filename, long max_bytes); diff --git a/src/lib/libssl/src/doc/crypto/bn.pod b/src/lib/libssl/src/doc/crypto/bn.pod index 1504a1c92d..d183028d61 100644 --- a/src/lib/libssl/src/doc/crypto/bn.pod +++ b/src/lib/libssl/src/doc/crypto/bn.pod @@ -60,6 +60,7 @@ bn - multiprecision integer arithmetics int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *range); BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); diff --git a/src/lib/libssl/src/doc/crypto/evp.pod b/src/lib/libssl/src/doc/crypto/evp.pod index f089dd49a2..edf47dbde6 100644 --- a/src/lib/libssl/src/doc/crypto/evp.pod +++ b/src/lib/libssl/src/doc/crypto/evp.pod @@ -10,7 +10,7 @@ evp - high-level cryptographic functions =head1 DESCRIPTION -The EVP library provided a high-level interface to cryptographic +The EVP library provides a high-level interface to cryptographic functions. BI<...> and BI<...> provide public key encryption diff --git a/src/lib/libssl/src/doc/crypto/rand.pod b/src/lib/libssl/src/doc/crypto/rand.pod index 295b681050..9545f0e109 100644 --- a/src/lib/libssl/src/doc/crypto/rand.pod +++ b/src/lib/libssl/src/doc/crypto/rand.pod @@ -8,17 +8,17 @@ rand - pseudo-random number generator #include - int RAND_bytes(unsigned char *buf,int num); - int RAND_pseudo_bytes(unsigned char *buf,int num); + int RAND_bytes(unsigned char *buf, int num); + int RAND_pseudo_bytes(unsigned char *buf, int num); - void RAND_seed(const void *buf,int num); - void RAND_add(const void *buf,int num,int entropy); + void RAND_seed(const void *buf, int num); + void RAND_add(const void *buf, int num, int entropy); int RAND_status(void); void RAND_screen(void); - int RAND_load_file(const char *file,long max_bytes); + int RAND_load_file(const char *file, long max_bytes); int RAND_write_file(const char *file); - const char *RAND_file_name(char *file,int num); + const char *RAND_file_name(char *file, size_t num); int RAND_egd(const char *path); diff --git a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod index 7fea14ee68..4b91c63ba0 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod @@ -2,8 +2,7 @@ =head1 NAME -SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, -SSL_CIPHER_description - get SSL_CIPHER properties +SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description - get SSL_CIPHER properties =head1 SYNOPSIS @@ -29,9 +28,10 @@ SSL_CIPHER_get_version() returns the protocol version for B, currently SSL_CIPHER_description() returns a textual description of the cipher used into the buffer B of length B provided. B must be at least -128 bytes, otherwise the string "Buffer too small" is returned. If B -is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the -allocation fails, the string "OPENSSL_malloc Error" is returned. +128 bytes, otherwise a pointer to the the string "Buffer too small" is +returned. If B is NULL, a buffer of 128 bytes is allocated using +OPENSSL_malloc(). If the allocation fails, a pointer to the string +"OPENSSL_malloc Error" is returned. =head1 NOTES @@ -40,11 +40,66 @@ export cipher like e.g. EXP-RC4-MD5 has only 40 secret bits. The algorithm does use the full 128 bits (which would be returned for B), of which however 88bits are fixed. The search space is hence only 40 bits. +The string returned by SSL_CIPHER_description() in case of success consists +of cleartext information separated by one or more blanks in the following +sequence: + +=over 4 + +=item + +Textual representation of the cipher name. + +=item + +Protocol version: B, B. The TLSv1 ciphers are flagged with SSLv3. + +=item Kx= + +Key exchange method: B (for export ciphers as B or +B), B (for export ciphers as B or B), +B, B, B. + +=item Au= + +Authentication method: B, B, B, B. None is the +representation of anonymous ciphers. + +=item Enc= + +Encryption method with number of secret bits: B, B, +B<3DES(168)>, B, B, B, B, +B, B, B, B, B, B. + +=item Mac= + +Message digest: B, B. + +=item + +If the cipher is flagged exportable with respect to old US crypto +regulations, the word "B" is printed. + +=back + +=head1 EXAMPLES + +Some examples for the output of SSL_CIPHER_description(): + + EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 + EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 + RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 + EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export + =head1 BUGS If SSL_CIPHER_description() is called with B being NULL, the library crashes. +If SSL_CIPHER_description() cannot handle a built-in cipher, the according +description of the cipher property is B. This case should not +occur. + =head1 RETURN VALUES See DESCRIPTION @@ -52,6 +107,6 @@ See DESCRIPTION =head1 SEE ALSO L, L, -L +L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_extra_chain_cert.pod new file mode 100644 index 0000000000..21a9db0e2a --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_extra_chain_cert.pod @@ -0,0 +1,38 @@ +=pod + +=head1 NAME + +SSL_CTX_add_extra_chain_cert - add certificate to chain + +=head1 SYNOPSIS + + #include + + long SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 *x509) + +=head1 DESCRIPTION + +SSL_CTX_add_extra_chain_cert() adds the certificate B to the certificate +chain presented together with the certificate. Several certificates +can be added one after the other. + +=head1 NOTES + +When constructing the certificate chain, the chain will be formed from +these certificates explicitly specified. If no chain is specified, +the library will try to complete the chain from the available CA +certificates in the trusted CA storage, see +L. + +=head1 RETURN VALUES + +SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the +error stack to find out the reason for failure otherwise. + +=head1 SEE ALSO + +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod new file mode 100644 index 0000000000..af326c2f73 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod @@ -0,0 +1,65 @@ +=pod + +=head1 NAME + +SSL_CTX_add_session, SSL_add_session, SSL_CTX_remove_session, SSL_remove_session - manipulate session cache + +=head1 SYNOPSIS + + #include + + int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c); + int SSL_add_session(SSL_CTX *ctx, SSL_SESSION *c); + + int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c); + int SSL_remove_session(SSL_CTX *ctx, SSL_SESSION *c); + +=head1 DESCRIPTION + +SSL_CTX_add_session() adds the session B to the context B. The +reference count for session B is incremented by 1. If a session with +the same session id already exists, the old session is removed by calling +L. + +SSL_CTX_remove_session() removes the session B from the context B. +L is called once for B. + +SSL_add_session() and SSL_remove_session() are synonyms for their +SSL_CTX_*() counterparts. + +=head1 NOTES + +When adding a new session to the internal session cache, it is examined +whether a session with the same session id already exists. In this case +it is assumed that both sessions are identical. If the same session is +stored in a different SSL_SESSION object, The old session is +removed and replaced by the new session. If the session is actually +identical (the SSL_SESSION object is identical), SSL_CTX_add_session() +is a no-op, and the return value is 0. + + +=head1 RETURN VALUES + +The following values are returned by all functions: + +=over 4 + +=item 0 + + The operation failed. In case of the add operation, it was tried to add + the same (identical) session twice. In case of the remove operation, the + session was not found in the cache. + +=item 1 + + The operation succeeded. + +=back + +=head1 SEE ALSO + +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_flush_sessions.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_flush_sessions.pod new file mode 100644 index 0000000000..148c36c871 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_flush_sessions.pod @@ -0,0 +1,49 @@ +=pod + +=head1 NAME + +SSL_CTX_flush_sessions, SSL_flush_sessions - remove expired sessions + +=head1 SYNOPSIS + + #include + + void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm); + void SSL_flush_sessions(SSL_CTX *ctx, long tm); + +=head1 DESCRIPTION + +SSL_CTX_flush_sessions() causes a run through the session cache of +B to remove sessions expired at time B. + +SSL_flush_sessions() is a synonym for SSL_CTX_flush_sessions(). + +=head1 NOTES + +If enabled, the internal session cache will collect all sessions established +up to the specified maximum number (see SSL_CTX_sess_set_cache_size()). +As sessions will not be reused ones they are expired, they should be +removed from the cache to save resources. This can either be done + automatically whenever 255 new sessions were established (see +L) +or manually by calling SSL_CTX_flush_sessions(). + +The parameter B specifies the time which should be used for the +expiration test, in most cases the actual time given by time(0) +will be used. + +SSL_CTX_flush_sessions() will only check sessions stored in the internal +cache. When a session is found and removed, the remove_session_cb is however +called to synchronize with the external cache (see +L). + +=head1 RETURN VALUES + +=head1 SEE ALSO + +L, +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod index de69672422..c716cde164 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod @@ -17,7 +17,7 @@ SSL_CTX object pointed to by B and frees up the allocated memory if the the reference count has reached 0. It also calls the free()ing procedures for indirectly affected items, if -applicable: the session cacahe, the list of ciphers, the list of Client CAs, +applicable: the session cache, the list of ciphers, the list of Client CAs, the certificates and keys. =head1 RETURN VALUES diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod new file mode 100644 index 0000000000..15067438c8 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod @@ -0,0 +1,53 @@ +=pod + +=head1 NAME + +SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal application specific data functions + +=head1 SYNOPSIS + + #include + + int SSL_CTX_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg); + + void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx); + + typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); + +=head1 DESCRIPTION + +Several OpenSSL structures can have application specific data attached to them. +These functions are used internally by OpenSSL to manipulate application +specific data attached to a specific structure. + +SSL_CTX_get_ex_new_index() is used to register a new index for application +specific data. + +SSL_CTX_set_ex_data() is used to store application data at B for B +into the B object. + +SSL_CTX_get_ex_data() is used to retrieve the information for B from +B. + +A detailed description for the B<*_get_ex_new_index()> functionality +can be found in L. +The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in +L. + +=head1 SEE ALSO + +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod new file mode 100644 index 0000000000..7f10c6e945 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod @@ -0,0 +1,50 @@ +=pod + +=head1 NAME + +SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_verify_depth, SSL_get_verify_callback, SSL_CTX_get_verify_callback - get currently set verification parameters + +=head1 SYNOPSIS + + #include + + int SSL_CTX_get_verify_mode(SSL_CTX *ctx); + int SSL_get_verify_mode(SSL *ssl); + int SSL_CTX_get_verify_depth(SSL_CTX *ctx); + int SSL_get_verify_depth(SSL *ssl); + int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int, X509_STORE_CTX *); + int (*SSL_get_verify_callback(SSL *ssl))(int, X509_STORE_CTX *); + +=head1 DESCRIPTION + +SSL_CTX_get_verify_mode() returns the verification mode currently set in +B. + +SSL_get_verify_mode() returns the verification mode currently set in +B. + +SSL_CTX_get_verify_depth() returns the verification depth limit currently set +in B. If no limit has been explicitly set, -1 is returned and the +default value will be used. + +SSL_get_verify_depth() returns the verification depth limit currently set +in B. If no limit has been explicitly set, -1 is returned and the +default value will be used. + +SSL_CTX_get_verify_callback() returns a function pointer to the verification +callback currently set in B. If no callback was explicitly set, the +NULL pointer is returned and the default callback will be used. + +SSL_get_verify_callback() returns a function pointer to the verification +callback currently set in B. If no callback was explicitly set, the +NULL pointer is returned and the default callback will be used. + +=head1 RETURN VALUES + +See DESCRIPTION + +=head1 SEE ALSO + +L, L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod new file mode 100644 index 0000000000..88f18bd5ff --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod @@ -0,0 +1,124 @@ +=pod + +=head1 NAME + +SSL_CTX_load_verify_locations - set default locations for trusted CA +certificates + +=head1 SYNOPSIS + + #include + + int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, + const char *CApath); + +=head1 DESCRIPTION + +SSL_CTX_load_verify_locations() specifies the locations for B, at +which CA certificates for verification purposes are located. The certificates +available via B and B are trusted. + +=head1 NOTES + +If B is not NULL, it points to a file of CA certificates in PEM +format. The file can contain several CA certificates identified by + + -----BEGIN CERTIFICATE----- + ... (CA certificate in base64 encoding) ... + -----END CERTIFICATE----- + +sequences. Before, between, and after the certificates text is allowed +which can be used e.g. for descriptions of the certificates. + +The B is processed on execution of the SSL_CTX_load_verify_locations() +function. + +If on an TLS/SSL server no special setting is performed using *client_CA_list() +functions, the certificates contained in B are listed to the client +as available CAs during the TLS/SSL handshake. + +If B is not NULL, it points to a directory containing CA certificates +in PEM format. The files each contain one CA certificate. The files are +looked up by the CA subject name hash value, which must hence be available. +If more than one CA certificate with the same name hash value exist, the +extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search +is performed in the ordering of the extension number, regardless of other +properties of the certificates. +Use the B utility to create the necessary links. + +The certificates in B are only looked up when required, e.g. when +building the certificate chain or when actually performing the verification +of a peer certificate. + +On a server, the certificates in B are not listed as available +CA certificates to a client during a TLS/SSL handshake. + +When looking up CA certificates, the OpenSSL library will first search the +certificates in B, then those in B. Certificate matching +is done based on the subject name, the key identifier (if present), and the +serial number as taken from the certificate to be verified. If these data +do not match, the next certificate will be tried. If a first certificate +matching the parameters is found, the verification process will be performed; +no other certificates for the same parameters will be searched in case of +failure. + +When building its own certificate chain, an OpenSSL client/server will +try to fill in missing certificates from B/B, if the +certificate chain was not explicitly specified (see +L, +L. + +=head1 WARNINGS + +If several CA certificates matching the name, key identifier, and serial +number condition are available, only the first one will be examined. This +may lead to unexpected results if the same CA certificate is available +with different expiration dates. If a "certificate expired" verification +error occurs, no other certificate will be searched. Make sure to not +have expired certificates mixed with valid ones. + +=head1 EXAMPLES + +Generate a CA certificate file with descriptive text from the CA certificates +ca1.pem ca2.pem ca3.pem: + + #!/bin/sh + rm CAfile.pem + for i in ca1.pem ca2.pem ca3.pem ; do + openssl x509 -in $i -text >> CAfile.pem + done + +Prepare the directory /some/where/certs containing several CA certificates +for use as B: + + cd /some/where/certs + c_rehash . + +=head1 RETURN VALUES + +The following return values can occur: + +=over 4 + +=item 0 + +The operation failed because B and B are NULL or the +processing at one of the locations specified failed. Check the error +stack to find out the reason. + +=item 1 + +The operation succeeded. + +=back + +=head1 SEE ALSO + +L, +L, +L, +L, +L + + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_new.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_new.pod index e166c692c3..1dae8b0bdd 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_CTX_new.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_new.pod @@ -33,9 +33,9 @@ understand SSLv2 client hello messages. =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) A TLS/SSL connection established with these methods will only understand the -SSLv3 and TLSv1 protocol. A client will send out SSLv3 client hello messages -and will indicate that it also understands TLSv1. A server will only understand -SSLv3 and TLSv1 client hello messages. This especially means, that it will +SSLv3 protocol. A client will send out SSLv3 client hello messages +and will indicate that it only understands SSLv3. A server will only understand +SSLv3 client hello messages. This especially means, that it will not understand SSLv2 client hello messages which are widely used for compatibility reasons, see SSLv23_*_method(). @@ -46,7 +46,8 @@ TLSv1 protocol. A client will send out TLSv1 client hello messages and will indicate that it only understands TLSv1. A server will only understand TLSv1 client hello messages. This especially means, that it will not understand SSLv2 client hello messages which are widely used for -compatibility reasons, see SSLv23_*_method(). +compatibility reasons, see SSLv23_*_method(). It will also not understand +SSLv3 client hello messages. =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) @@ -58,6 +59,10 @@ choice when compatibility is a concern. =back +If a generic method is used, it is necessary to explicitly set client or +server mode with L +or SSL_set_accept_state(). + The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B or B functions. Using these options it is possible to choose @@ -88,6 +93,6 @@ The return value points to an allocated SSL_CTX object. =head1 SEE ALSO L, L, -L +L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_number.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_number.pod new file mode 100644 index 0000000000..19aa4e2902 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_number.pod @@ -0,0 +1,76 @@ +=pod + +=head1 NAME + +SSL_CTX_sess_number, SSL_CTX_sess_connect, SSL_CTX_sess_connect_good, SSL_CTX_sess_connect_renegotiate, SSL_CTX_sess_accept, SSL_CTX_sess_accept_good, SSL_CTX_sess_accept_renegotiate, SSL_CTX_sess_hits, SSL_CTX_sess_cb_hits, SSL_CTX_sess_misses, SSL_CTX_sess_timeouts, SSL_CTX_sess_cache_full - obtain session cache statistics + +=head1 SYNOPSIS + + #include + + long SSL_CTX_sess_number(SSL_CTX *ctx); + long SSL_CTX_sess_connect(SSL_CTX *ctx); + long SSL_CTX_sess_connect_good(SSL_CTX *ctx); + long SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx); + long SSL_CTX_sess_accept(SSL_CTX *ctx); + long SSL_CTX_sess_accept_good(SSL_CTX *ctx); + long SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx); + long SSL_CTX_sess_hits(SSL_CTX *ctx); + long SSL_CTX_sess_cb_hits(SSL_CTX *ctx); + long SSL_CTX_sess_misses(SSL_CTX *ctx); + long SSL_CTX_sess_timeouts(SSL_CTX *ctx); + long SSL_CTX_sess_cache_full(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_sess_number() returns the current number of sessions in the internal +session cache. + +SSL_CTX_sess_connect() returns the number of started SSL/TLS handshakes in +client mode. + +SSL_CTX_sess_connect_good() returns the number of successfully established +SSL/TLS sessions in client mode. + +SSL_CTX_sess_connect_renegotiate() returns the number of start renegotiations +in client mode. + +SSL_CTX_sess_accept() returns the number of started SSL/TLS handshakes in +server mode. + +SSL_CTX_sess_accept_good() returns the number of successfully established +SSL/TLS sessions in server mode. + +SSL_CTX_sess_accept_renegotiate() returns the number of start renegotiations +in server mode. + +SSL_CTX_sess_hits() returns the number of successfully reused sessions. +In client mode a session set with L +successfully reused is counted as a hit. In server mode a session successfully +retrieved from internal or external cache is counted as a hit. + +SSL_CTX_sess_cb_hits() returns the number of successfully retrieved sessions +from the external session cache in server mode. + +SSL_CTX_sess_misses() returns the number of sessions proposed by clients +that were not found in the internal session cache in server mode. + +SSL_CTX_sess_timeouts() returns the number of sessions proposed by clients +and either found in the internal or external session cache in server mode, + but that were invalid due to timeout. These sessions are not included in +the SSL_CTX_sess_hits() count. + +SSL_CTX_sess_cache_full() returns the number of sessions that were removed +because the maximum session cache size was exceeded. + +=head1 RETURN VALUES + +The functions return the values indicated in the DESCRIPTION section. + +=head1 SEE ALSO + +L, L, +L +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_cache_size.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_cache_size.pod new file mode 100644 index 0000000000..d59a7db636 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_cache_size.pod @@ -0,0 +1,51 @@ +=pod + +=head1 NAME + +SSL_CTX_sess_set_cache_size, SSL_CTX_sess_get_cache_size - manipulate session cache size + +=head1 SYNOPSIS + + #include + + long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, long t); + long SSL_CTX_sess_get_cache_size(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_sess_set_cache_size() sets the size of the internal session cache +of context B to B. + +SSL_CTX_sess_get_cache_size() returns the currently valid session cache size. + +=head1 NOTES + +The internal session cache size is SSL_SESSION_CACHE_MAX_SIZE_DEFAULT, +currently 1024*20, so that up to 20000 sessions can be held. This size +can be modified using the SSL_CTX_sess_set_cache_size() call. A special +case is the size 0, which is used for unlimited size. + +When the maximum number of sessions is reached, no more new sessions are +added to the cache. New space may be added by calling +L to remove +expired sessions. + +If the size of the session cache is reduced and more sessions are already +in the session cache, old session will be removed at the next time a +session shall be added. This removal is not synchronized with the +expiration of sessions. + +=head1 RETURN VALUES + +SSL_CTX_sess_set_cache_size() returns the previously valid size. + +SSL_CTX_sess_get_cache_size() returns the currently valid size. + +=head1 SEE ALSO + +L, +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod new file mode 100644 index 0000000000..b6f15b4404 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod @@ -0,0 +1,81 @@ +=pod + +=head1 NAME + +SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb - provide callback functions for server side external session caching + +=head1 SYNOPSIS + + #include + + void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, + int (*new_session_cb)(SSL *, SSL_SESSION *)); + void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, + void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); + void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, + SSL_SESSION (*get_session_cb)(SSL *, unsigned char *, int, int *)); + + int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); + void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); + SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *data, int len, int *copy); + + int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); + void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); + SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, + int len, int *copy); + +=head1 DESCRIPTION + +SSL_CTX_sess_set_new_cb() sets the callback function, which is automatically +called whenever a new session was negotiated. + +SSL_CTX_sess_set_remove_cb() sets the callback function, which is +automatically called whenever a session is removed by the SSL engine, +because it is considered faulty or the session has become obsolete because +of exceeding the timeout value. + +SSL_CTX_sess_set_get_cb() sets the callback function which is called, +whenever a SSL/TLS client proposed to resume a session but the session +could not be found in the internal session cache (see +L). +(SSL/TLS server only.) + +SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb(), and +SSL_CTX_sess_get_get_cb() allow to retrieve the function pointers of the +provided callback functions. If a callback function has not been set, +the NULL pointer is returned. + +=head1 NOTES + +In order to allow external session caching, synchronization with the internal +session cache is realized via callback functions. Inside these callback +functions, session can be saved to disk or put into a database using the +L interface. + +The new_session_cb() is called, whenever a new session has been negotiated +and session caching is enabled (see +L). +The new_session_cb() is passed the B connection and the ssl session +B. If the callback returns B<0>, the session will be immediately +removed again. + +The remove_session_cb() is called, whenever the SSL engine removes a session +from the internal cache. This happens if the session is removed because +it is expired or when a connection was not shutdown cleanly. The +remove_session_cb() is passed the B and the ssl session B. +It does not provide any feedback. + +The get_session_cb() is only called on SSL/TLS servers with the session id +proposed by the client. The get_session_cb() is always called, also when +session caching was disabled. The get_session_cb() is passed the +B connection, the session id of length B at the memory location +B. With the parameter B the callback can require the +SSL engine to increment the reference count of the SSL_SESSION object. + +=head1 SEE ALSO + +L, L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_sessions.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_sessions.pod new file mode 100644 index 0000000000..e05aab3c1b --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_sessions.pod @@ -0,0 +1,34 @@ +=pod + +=head1 NAME + +SSL_CTX_sessions - access internal session cache + +=head1 SYNOPSIS + + #include + + struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_sessions() returns a pointer to the lhash databases containing the +internal session cache for B. + +=head1 NOTES + +The sessions in the internal session cache are kept in an +L type database. It is possible to directly +access this database e.g. for searching. In parallel, the sessions +form a linked list which is maintained separately from the +L operations, so that the database must not be +modified directly but by using the +L family of functions. + +=head1 SEE ALSO + +L, L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod index 272d6b3de2..9a29eeeb95 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod @@ -2,8 +2,7 @@ =head1 NAME -SSL_CTX_set_cipher_list, SSL_set_cipher_list -- choose list of available SSL_CIPHERs +SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs =head1 SYNOPSIS @@ -47,6 +46,7 @@ could be selected and 0 on complete failure. =head1 SEE ALSO L, L, +L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod new file mode 100644 index 0000000000..81e312761e --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -0,0 +1,90 @@ +=pod + +=head1 NAME + +SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA, +SSL_add_client_CA - set list of CAs sent to the client when requesting a +client certificate + +=head1 SYNOPSIS + + #include + + void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); + void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); + int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); + int SSL_add_client_CA(SSL *ssl, X509 *cacert); + +=head1 DESCRIPTION + +SSL_CTX_set_client_CA_list() sets the B of CAs sent to the client when +requesting a client certificate for B. + +SSL_set_client_CA_list() sets the B of CAs sent to the client when +requesting a client certificate for the chosen B, overriding the +setting valid for B's SSL_CTX object. + +SSL_CTX_add_client_CA() adds the CA name extracted from B to the +list of CAs sent to the client when requesting a client certificate for +B. + +SSL_add_client_CA() adds the CA name extracted from B to the +list of CAs sent to the client when requesting a client certificate for +the chosen B, overriding the setting valid for B's SSL_CTX object. + +=head1 NOTES + +When a TLS/SSL server requests a client certificate (see +B), it sends a list of CAs, for which +it will accept certificates, to the client. If no special list is provided, +the CAs available using the B option in +L +are sent. + +This list can be explicitly set using the SSL_CTX_set_client_CA_list() for +B and SSL_set_client_CA_list() for the specific B. The list +specified overrides the previous setting. The CAs listed do not become +trusted (B only contains the names, not the complete certificates); use +L +to additionally load them for verification. + +SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional +items the list of client CAs. If no list was specified before using +SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client +CA list for B or B (as appropriate) is opened. The CAs implicitly +specified using +L +are no longer used automatically. + +These functions are only useful for TLS/SSL servers. + +=head1 RETURN VALUES + +SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return +diagnostic information. + +SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return +values: + +=over 4 + +=item 1 + +The operation succeeded. + +=item 0 + +A failure while manipulating the STACK_OF(X509_NAME) object occurred or +the X509_NAME could not be extracted from B. Check the error stack +to find out the reason. + +=back + +=head1 SEE ALSO + +L, +L, +L +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_default_passwd_cb.pod new file mode 100644 index 0000000000..a5343a1cf3 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_default_passwd_cb.pod @@ -0,0 +1,70 @@ +=pod + +=head1 NAME + +SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling + +=head1 SYNOPSIS + + #include + + void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); + void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); + + int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata); + +=head1 DESCRIPTION + +SSL_CTX_set_default_passwd_cb() sets the default password callback called +when loading/storing a PEM certificate with encryption. + +SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B which +will be provided to the password callback on invocation. + +The pem_passwd_cb(), which must be provided by the application, hands back the +password to be used during decryption. On invocation a pointer to B +is provided. The pem_passwd_cb must write the password into the provided buffer +B which is of size B. The actual length of the password must +be returned to the calling function. B indicates whether the +callback is used for reading/decryption (rwflag=0) or writing/encryption +(rwflag=1). + +=head1 NOTES + +When loading or storing private keys, a password might be supplied to +protect the private key. The way this password can be supplied may depend +on the application. If only one private key is handled, it can be practical +to have pem_passwd_cb() handle the password dialog interactively. If several +keys have to be handled, it can be practical to ask for the password once, +then keep it in memory and use it several times. In the last case, the +password could be stored into the B storage and the +pem_passwd_cb() only returns the password already stored. + +Other items in PEM formatting (certificates) can also be encrypted, it is +however not usual, as certificate information is considered public. + +=head1 RETURN VALUES + +SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata() +do not provide diagnostic information. + +=head1 EXAMPLES + +The following example returns the password provided as B to the +calling function. The password is considered to be a '\0' terminated +string. If the password does not fit into the buffer, the password is +truncated. + + int pem_passwd_cb(char *buf, int size, int rwflag, void *password) + { + strncpy(buf, (char *)(password), size); + buf[size - 1] = '\0'; + return(strlen(buf)); + } + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_mode.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_mode.pod new file mode 100644 index 0000000000..9a035bb4d1 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_mode.pod @@ -0,0 +1,78 @@ +=pod + +=head1 NAME + +SSL_CTX_set_mode, SSL_set_mode, SSL_CTX_get_mode, SSL_get_mode - manipulate SSL engine mode + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_mode(SSL_CTX *ctx, long mode); + long SSL_set_mode(SSL *ssl, long mode); + + long SSL_CTX_get_mode(SSL_CTX *ctx); + long SSL_get_mode(SSL *ssl); + +=head1 DESCRIPTION + +SSL_CTX_set_mode() adds the mode set via bitmask in B to B. +Options already set before are not cleared. + +SSL_set_mode() adds the mode set via bitmask in B to B. +Options already set before are not cleared. + +SSL_CTX_get_mode() returns the mode set for B. + +SSL_get_mode() returns the mode set for B. + +=head1 NOTES + +The following mode changes are available: + +=over 4 + +=item SSL_MODE_ENABLE_PARTIAL_WRITE + +Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success +when just a single record has been written). When not set (the default), +SSL_write() will only report success once the complete chunk was written. + +=item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER + +Make it possible to retry SSL_write() with changed buffer location +(the buffer contents must stay the same). This is not the default to avoid +the misconception that non-blocking SSL_write() behaves like +non-blocking write(). + +=item SSL_MODE_AUTO_RETRY + +Never bother the application with retries if the transport is blocking. +If a renegotiation take place during normal operation, a +L or L would return +with -1 and indicate the need to retry with SSL_ERROR_WANT_READ. +In a non-blocking environment applications must be prepared to handle +incomplete read/write operations. +In a blocking environment, applications are not always prepared to +deal with read/write operations returning without success report. The +flag SSL_MODE_AUTO_RETRY will cause read/write operations to only +return after the handshake and successful completion. + +=back + +=head1 RETURN VALUES + +SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask +after adding B. + +SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask. + +=head1 SEE ALSO + +L, L, L + +=head1 HISTORY + +SSL_MODE_AUTO_RETRY as been added in OpenSSL 0.9.6. + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod new file mode 100644 index 0000000000..3dc7cc74ad --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod @@ -0,0 +1,183 @@ +=pod + +=head1 NAME + +SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_options(SSL_CTX *ctx, long options); + long SSL_set_options(SSL *ssl, long options); + + long SSL_CTX_get_options(SSL_CTX *ctx); + long SSL_get_options(SSL *ssl); + +=head1 DESCRIPTION + +SSL_CTX_set_options() adds the options set via bitmask in B to B. +Options already set before are not cleared. + +SSL_set_options() adds the options set via bitmask in B to B. +Options already set before are not cleared. + +SSL_CTX_get_options() returns the options set for B. + +SSL_get_options() returns the options set for B. + +=head1 NOTES + +The behaviour of the SSL library can be changed by setting several options. +The options are coded as bitmasks and can be combined by a logical B +operation (|). Options can only be added but can never be reset. + +During a handshake, the option settings of the SSL object used. When +a new SSL object is created from a context using SSL_new(), the current +option setting is copied. Changes to B do not affect already created +SSL objects. SSL_clear() does not affect the settings. + +The following B options are available: + +=over 4 + +=item SSL_OP_MICROSOFT_SESS_ID_BUG + +www.microsoft.com - when talking SSLv2, if session-id reuse is +performed, the session-id passed back in the server-finished message +is different from the one decided upon. + +=item SSL_OP_NETSCAPE_CHALLENGE_BUG + +Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte +challenge but then appears to only use 16 bytes when generating the +encryption keys. Using 16 bytes is ok but it should be ok to use 32. +According to the SSLv3 spec, one should use 32 bytes for the challenge +when operating in SSLv2/v3 compatibility mode, but as mentioned above, +this breaks this server so 16 bytes is the way to go. + +=item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + +ssl3.netscape.com:443, first a connection is established with RC4-MD5. +If it is then resumed, we end up using DES-CBC3-SHA. It should be +RC4-MD5 according to 7.6.1.3, 'cipher_suite'. + +Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. +It only really shows up when connecting via SSLv2/v3 then reconnecting +via SSLv3. The cipher list changes.... + +NEW INFORMATION. Try connecting with a cipher list of just +DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses +RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when +doing a re-connect, always takes the first cipher in the cipher list. + +=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + +... + +=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + +... + +=item SSL_OP_MSIE_SSLV2_RSA_PADDING + +... + +=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG + +... + +=item SSL_OP_TLS_D5_BUG + +... + +=item SSL_OP_TLS_BLOCK_PADDING_BUG + +... + +=item SSL_OP_TLS_ROLLBACK_BUG + +Disable version rollback attack detection. + +During the client key exchange, the client must send the same information +about acceptable SSL/TLS protocol levels as during the first hello. Some +clients violate this rule by adapting to the server's answer. (Example: +the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server +only understands up to SSLv3. In this case the client must still use the +same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect +to the server's answer and violate the version rollback protection.) + +=item SSL_OP_ALL + +All of the above bug workarounds. + +=back + +It is save and recommended to use SSL_OP_ALL to enable the bug workaround +options. + +The following B options are available: + +=over 4 + +=item SSL_OP_SINGLE_DH_USE + +Always create a new key when using temporary DH parameters. + +=item SSL_OP_EPHEMERAL_RSA + +Also use the temporary RSA key when doing RSA operations. + +=item SSL_OP_PKCS1_CHECK_1 + +... + +=item SSL_OP_PKCS1_CHECK_2 + +... + +=item SSL_OP_NETSCAPE_CA_DN_BUG + +If we accept a netscape connection, demand a client cert, have a +non-self-sighed CA which does not have it's CA in netscape, and the +browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta + +=item SSL_OP_NON_EXPORT_FIRST + +On servers try to use non-export (stronger) ciphers first. This option does +not work under all circumstances (in the code it is declared "broken"). + +=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + +... + +=item SSL_OP_NO_SSLv2 + +Do not use the SSLv2 protocol. + +=item SSL_OP_NO_SSLv3 + +Do not use the SSLv3 protocol. + +=item SSL_OP_NO_TLSv1 + +Do not use the TLSv1 protocol. + +=back + +=head1 RETURN VALUES + +SSL_CTX_set_options() and SSL_set_options() return the new options bitmask +after adding B. + +SSL_CTX_get_options() and SSL_get_options() return the current bitmask. + +=head1 SEE ALSO + +L, L, L + +=head1 HISTORY + +SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod new file mode 100644 index 0000000000..083766f8d0 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod @@ -0,0 +1,107 @@ +=pod + +=head1 NAME + +SSL_CTX_set_session_cache_mode, SSL_CTX_get_session_cache_mode - enable/disable session caching + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_session_cache_mode(SSL_CTX ctx, long mode); + long SSL_CTX_get_session_cache_mode(SSL_CTX ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_session_cache_mode() enables/disables session caching +by setting the operational mode for B to . + +SSL_CTX_get_session_cache_mode() returns the currently used cache mode. + +=head1 NOTES + +The OpenSSL library can store/retrieve SSL/TLS sessions for later reuse. +The sessions can be held in memory for each B, if more than one +SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX +object. + +In order to reuse a session, a client must send the session's id to the +server. It can only send exactly one id. The server then decides whether it +agrees in reusing the session or starts the handshake for a new session. + +A server will lookup up the session in its internal session storage. If +the session is not found in internal storage or internal storage is +deactivated, the server will try the external storage if available. + +Since a client may try to reuse a session intended for use in a different +context, the session id context must be set by the server (see +L). + +The following session cache modes and modifiers are available: + +=over 4 + +=item SSL_SESS_CACHE_OFF + +No session caching for client or server takes place. + +=item SSL_SESS_CACHE_CLIENT + +Client sessions are added to the session cache. As there is no reliable way +for the OpenSSL library to know whether a session should be reused or which +session to choose (due to the abstract BIO layer the SSL engine does not +have details about the connection), the application must select the session +to be reused by using the L +function. This option is not activated by default. + +=item SSL_SESS_CACHE_SERVER + +Server sessions are added to the session cache. When a client proposes a +session to be reused, the session is looked up in the internal session cache. +If the session is found, the server will try to reuse the session. +This is the default. + +=item SSL_SESS_CACHE_BOTH + +Enable both SSL_SESS_CACHE_CLIENT and SSL_SESS_CACHE_SERVER at the same time. + +=item SSL_SESS_CACHE_NO_AUTO_CLEAR + +Normally the session cache is checked for expired sessions every +255 connections using the +L function. Since +this may lead to a delay which cannot be controlled, the automatic +flushing may be disabled and +L can be called +explicitly by the application. + +=item SSL_SESS_CACHE_NO_INTERNAL_LOOKUP + +By setting this flag sessions are cached in the internal storage but +they are not looked up automatically. If an external session cache +is enabled, sessions are looked up in the external cache. As automatic +lookup only applies for SSL/TLS servers, the flag has no effect on +clients. + +=back + +The default mode is SSL_SESS_CACHE_SERVER. + +=head1 RETURN VALUES + +SSL_CTX_set_session_cache_mode() returns the previously set cache mode. + +SSL_CTX_get_session_cache_mode() returns the currently set cache mode. + + +=head1 SEE ALSO + +L, L, +L, +L, +L, +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod new file mode 100644 index 0000000000..5949395159 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod @@ -0,0 +1,82 @@ +=pod + +=head1 NAME + +SSL_CTX_set_session_id_context, SSL_set_session_id_context - set context within which session can be reused (server side only) + +=head1 SYNOPSIS + + #include + + int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, + unsigned int sid_ctx_len); + int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, + unsigned int sid_ctx_len); + +=head1 DESCRIPTION + +SSL_CTX_set_session_id_context() sets the context B of length +B within which a session can be reused for the B object. + +SSL_set_session_id_context() sets the context B of length +B within which a session can be reused for the B object. + +=head1 NOTES + +Sessions are generated within a certain context. When exporting/importing +sessions with B/B it would be possible, +to re-import a session generated from another context (e.g. another +application), which might lead to malfunctions. Therefore each application +must set its own session id context B which is used to distinguish +the contexts and is stored in exported sessions. The B can be +any kind of binary data with a given length, it is therefore possible +to use e.g. the name of the application and/or the hostname and/or service +name ... + +The session id context becomes part of the session. The session id context +is set by the SSL/TLS server. The SSL_CTX_set_session_id_context() and +SSL_set_session_id_context() functions are therefore only useful on the +server side. + +OpenSSL clients will check the session id context returned by the server +when reusing a session. + +The maximum length of the B is limited to +B. + +=head1 WARNINGS + +If the session id context is not set on an SSL/TLS server, stored sessions +will not be reused but a fatal error will be flagged and the handshake +will fail. + +If a server returns a different session id context to an OpenSSL client +when reusing a session, an error will be flagged and the handshake will +fail. OpenSSL servers will always return the correct session id context, +as an OpenSSL server checks the session id context itself before reusing +a session as described above. + +=head1 RETURN VALUES + +SSL_CTX_set_session_id_context() and SSL_set_session_id_context() +return the following values: + +=over 4 + +=item 0 + +The length B of the session id context B exceeded +the maximum allowed length of B. The error +is logged to the error stack. + +=item 1 + +The operation succeeded. + +=back + +=head1 SEE ALSO + +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod index 3091bd6895..0020180965 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod @@ -17,8 +17,8 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method SSL_CTX_set_ssl_version() sets a new default TLS/SSL B for SSL objects newly created from this B. SSL objects already created with -L are not affected, except when SSL_clear() is -being called. +L are not affected, except when +L is being called. SSL_set_ssl_method() sets a new TLS/SSL B for a particular B object. It may be reset, when SSL_clear() is called. @@ -31,9 +31,9 @@ set in B. The available B choices are described in L. -When SSL_clear() is called and no session is connected to an SSL object, -the method of the SSL object is reset to the method currently set in -the corresponding SSL_CTX object. +When L is called and no session is connected to +an SSL object, the method of the SSL object is reset to the method currently +set in the corresponding SSL_CTX object. =head1 RETURN VALUES @@ -55,6 +55,7 @@ The operation succeeded. =head1 SEE ALSO L, L, -L, L +L, L, +L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_timeout.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_timeout.pod new file mode 100644 index 0000000000..21faed12d4 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_timeout.pod @@ -0,0 +1,55 @@ +=pod + +=head1 NAME + +SSL_CTX_set_timeout, SSL_CTX_get_timeout - manipulate timeout values for session caching + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_timeout(SSL_CTX *ctx, long t); + long SSL_CTX_get_timeout(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_timeout() sets the timeout for newly created sessions for +B to B. The timeout value B must be given in seconds. + +SSL_CTX_get_timeout() returns the currently set timeout value for B. + +=head1 NOTES + +Whenever a new session is created, it is assigned a maximum lifetime. This +lifetime is specified by storing the creation time of the session and the +timeout value valid at this time. If the actual time is later than creation +time plus timeout, the session is not reused. + +Due to this realization, all sessions behave according to the timeout value +valid at the time of the session negotiation. Changes of the timeout value +do not affect already established sessions. + +The expiration time of a single session can be modified using the +L family of functions. + +Expired sessions are removed from the internal session cache, whenever +L is called, either +directly by the application or automatically (see +L) + +The default value for session timeout is 300 seconds. + +=head1 RETURN VALUES + +SSL_CTX_set_timeout() returns the previously set timeout value. + +SSL_CTX_get_timeout() returns the currently set timeout value. + +=head1 SEE ALSO + +L, +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod new file mode 100644 index 0000000000..fc0b76118f --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod @@ -0,0 +1,284 @@ +=pod + +=head1 NAME + +SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth - set peer certificate verification parameters + +=head1 SYNOPSIS + + #include + + void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, + int (*verify_callback)(int, X509_STORE_CTX *)); + void SSL_set_verify(SSL *s, int mode, + int (*verify_callback)(int, X509_STORE_CTX *)); + void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); + void SSL_set_verify_depth(SSL *s, int depth); + + int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_verify() sets the verification flags for B to be B and +specifies the B function to be used. If no callback function +shall be specified, the NULL pointer can be used for B. + +SSL_set_verify() sets the verification flags for B to be B and +specifies the B function to be used. If no callback function +shall be specified, the NULL pointer can be used for B. In +this case last B set specifically for this B remains. If +no special B was set before, the default callback for the underlying +B is used, that was valid at the the time B was created with +L. + +SSL_CTX_set_verify_depth() sets the maximum B for the certificate chain +verification that shall be allowed for B. (See the BUGS section.) + +SSL_set_verify_depth() sets the maximum B for the certificate chain +verification that shall be allowed for B. (See the BUGS section.) + +=head1 NOTES + +The verification of certificates can be controlled by a set of logically +or'ed B flags: + +=over 4 + +=item SSL_VERIFY_NONE + +B the server will not send a client certificate request to the +client, so the client will not send a certificate. + +B if not using an anonymous cipher (by default disabled), the +server will send a certificate which will be checked. The result of the +certificate verification process can be checked after the TLS/SSL handshake +using the L function. +The handshake will be continued regardless of the verification result. + +=item SSL_VERIFY_PEER + +B the server sends a client certificate request to the client. +The certificate returned (if any) is checked. If the verification process +fails as indicated by B, the TLS/SSL handshake is +immediately terminated with an alert message containing the reason for +the verification failure. +The behaviour can be controlled by the additional +SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags. + +B the server certificate is verified. If the verification process +fails as indicated by B, the TLS/SSL handshake is +immediately terminated with an alert message containing the reason for +the verification failure. If no server certificate is sent, because an +anonymous cipher is used, SSL_VERIFY_PEER is ignored. + +=item SSL_VERIFY_FAIL_IF_NO_PEER_CERT + +B if the client did not return a certificate, the TLS/SSL +handshake is immediately terminated with a "handshake failure" alert. +This flag must be used together with SSL_VERIFY_PEER. + +B ignored + +=item SSL_VERIFY_CLIENT_ONCE + +B only request a client certificate on the initial TLS/SSL +handshake. Do not ask for a client certificate again in case of a +renegotiation. This flag must be used together with SSL_VERIFY_PEER. + +B ignored + +=back + +Exactly one of the B flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be +set at any time. + +SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up +to which depth certificates in a chain are used during the verification +procedure. If the certificate chain is longer than allowed, the certificates +above the limit are ignored. Error messages are generated as if these +certificates would not be present, most likely a +X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. +The depth count is "level 0:peer certificate", "level 1: CA certificate", +"level 2: higher level CA certificate", and so on. Setting the maximum +depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9, +allowing for the peer certificate and additional 9 CA certificates. + +The B function is used to control the behaviour when the +SSL_VERIFY_PEER flag is set. It must be supplied by the application and +receives two arguments: B indicates, whether the verification of +the certificate in question was passed (preverify_ok=1) or not +(preverify_ok=0). B is a pointer to the complete context used +for the certificate chain verification. + +The certificate chain is checked starting with the deepest nesting level +(the root CA certificate) and worked upward to the peer's certificate. +At each level signatures and issuer attributes are checked. Whenever +a verification error is found, the error number is stored in B +and B is called with B=0. By applying +X509_CTX_store_* functions B can locate the certificate +in question and perform additional steps (see EXAMPLES). If no error is +found for a certificate, B is called with B=1 +before advancing to the next level. + +The return value of B controls the strategy of the further +verification process. If B returns 0, the verification +process is immediately stopped with "verification failed" state. If +SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and +the TLS/SSL handshake is terminated. If B returns 1, +the verification process is continued. If B always returns +1, the TLS/SSL handshake will never be terminated because of this application +experiencing a verification failure. The calling process can however +retrieve the error code of the last verification error using +L or by maintaining its +own error storage managed by B. + +If no B is specified, the default callback will be used. +Its return value is identical to B, so that any verification +failure will lead to a termination of the TLS/SSL handshake with an +alert message, if SSL_VERIFY_PEER is set. + +=head1 BUGS + +In client mode, it is not checked whether the SSL_VERIFY_PEER flag +is set, but whether SSL_VERIFY_NONE is not set. This can lead to +unexpected behaviour, if the SSL_VERIFY_PEER and SSL_VERIFY_NONE are not +used as required (exactly one must be set at any time). + +The certificate verification depth set with SSL[_CTX]_verify_depth() +stops the verification at a certain depth. The error message produced +will be that of an incomplete certificate chain and not +X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected. + +=head1 RETURN VALUES + +The SSL*_set_verify*() functions do not provide diagnostic information. + +=head1 EXAMPLES + +The following code sequence realizes an example B function +that will always continue the TLS/SSL handshake regardless of verification +failure, if wished. The callback realizes a verification depth limit with +more informational output. + +All verification errors are printed, informations about the certificate chain +are printed on request. +The example is realized for a server that does allow but not require client +certificates. + +The example makes use of the ex_data technique to store application data +into/retrieve application data from the SSL structure +(see L, +L). + + ... + typedef struct { + int verbose_mode; + int verify_depth; + int always_continue; + } mydata_t; + int mydata_index; + ... + static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) + { + char buf[256]; + X509 *err_cert; + int err, depth; + SSL *ssl; + mydata_t *mydata; + + err_cert = X509_STORE_CTX_get_current_cert(ctx); + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); + + /* + * Retrieve the pointer to the SSL of the connection currently treated + * and the application specific data stored into the SSL object. + */ + ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); + mydata = SSL_get_ex_data(ssl, mydata_index); + + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); + + /* + * Catch a too long certificate chain. The depth limit set using + * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so + * that whenever the "depth>verify_depth" condition is met, we + * have violated the limit and want to log this error condition. + * We must do it here, because the CHAIN_TOO_LONG error would not + * be found explicitly; only errors introduced by cutting off the + * additional certificates would be logged. + */ + if (depth > mydata->verify_depth) { + preverify_ok = 0; + err = X509_V_ERR_CERT_CHAIN_TOO_LONG; + X509_STORE_CTX_set_error(ctx, err); + } + if (!preverify_ok) { + printf("verify error:num=%d:%s:depth=%d:%s\n", err, + X509_verify_cert_error_string(err), depth, buf); + } + else if (mydata->verbose_mode) + { + printf("depth=%d:%s\n", depth, buf); + } + + /* + * At this point, err contains the last verification error. We can use + * it for something special + */ + if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) + { + X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256); + printf("issuer= %s\n", buf); + } + + if (mydata->always_continue) + return 1; + else + return preverify_ok; + } + ... + + mydata_t mydata; + + ... + mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); + + ... + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, + verify_callback); + + /* + * Let the verify_callback catch the verify_depth error so that we get + * an appropriate error in the logfile. + */ + SSL_CTX_set_verify_depth(verify_depth + 1); + + /* + * Set up the SSL specific data into "mydata" and store it into th SSL + * structure. + */ + mydata.verify_depth = verify_depth; ... + SSL_set_ex_data(ssl, mydata_index, &mydata); + + ... + SSL_accept(ssl); /* check of success left out for clarity */ + if (peer = SSL_get_peer_certificate(ssl)) + { + if (SSL_get_verify_result(ssl) == X509_V_OK) + { + /* The client sent a certificate which verified OK */ + } + } + +=head1 SEE ALSO + +L, L, +L, +L, +L, +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod new file mode 100644 index 0000000000..3b2fe6fc50 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod @@ -0,0 +1,154 @@ +=pod + +=head1 NAME + +SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_file, SSL_use_certificate, SSL_use_certificate_ASN1, SSL_use_certificate_file, SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey, SSL_CTX_use_PrivateKey_ASN1, SSL_CTX_use_PrivateKey_file, SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1, SSL_CTX_use_RSAPrivateKey_file, SSL_use_PrivateKey_file, SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey, SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file, SSL_CTX_check_private_key, SSL_check_private_key - load certificate and key data + +=head1 SYNOPSIS + + #include + + int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x); + int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d); + int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); + int SSL_use_certificate(SSL *ssl, X509 *x); + int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len); + int SSL_use_certificate_file(SSL *ssl, const char *file, int type); + + int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); + + int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); + int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, + long len); + int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); + int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); + int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); + int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type); + int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); + int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len); + int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); + int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); + int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); + int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); + + int SSL_CTX_check_private_key(SSL_CTX *ctx); + int SSL_check_private_key(SSL *ssl); + +=head1 DESCRIPTION + +These functions load the certificates and private keys into the SSL_CTX +or SSL object, respectively. + +The SSL_CTX_* class of functions loads the certificates and keys into the +SSL_CTX object B. The information is passed to SSL objects B +created from B with L by copying, so that +changes applied to B do not propagate to already existing SSL objects. + +The SSL_* class of functions only loads certificates and keys into a +specific SSL object. The specific information is kept, when +L is called for this SSL object. + +SSL_CTX_use_certificate() loads the certificate B into B, +SSL_use_certificate() loads B into B. The rest of the +certificates needed to form the complete certificate chain can be +specified using the +L +function. + +SSL_CTX_use_certificate_ASN1() loads the ASN1 encoded certificate from +the memory location B (with length B) into B, +SSL_use_certificate_ASN1() loads the ASN1 encoded certificate into B. + +SSL_CTX_use_certificate_file() loads the first certificate stored in B +into B. The formatting B of the certificate must be specified +from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1. +SSL_use_certificate_file() loads the certificate from B into B. +See the NOTES section on why SSL_CTX_use_certificate_chain_file() +should be preferred. + +SSL_CTX_use_certificate_chain_file() loads a certificate chain from +B into B. The certificates must be in PEM format and must +be sorted starting with the certificate to the highest level (root CA). +There is no corresponding function working on a single SSL object. + +SSL_CTX_use_PrivateKey() adds B as private key to B. +SSL_CTX_use_RSAPrivateKey() adds the private key B of type RSA +to B. SSL_use_PrivateKey() adds B as private key to B; +SSL_use_RSAPrivateKey() adds B as private key of type RSA to B. + +SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B +stored at memory location B (length B) to B. +SSL_CTX_use_RSAPrivateKey_ASN1() adds the private key of type RSA +stored at memory location B (length B) to B. +SSL_use_PrivateKey_ASN1() and SSL_use_RSAPrivateKey_ASN1() add the private +key to B. + +SSL_CTX_use_PrivateKey_file() adds the first private key found in +B to B. The formatting B of the certificate must be specified +from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1. +SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found in +B to B. SSL_use_PrivateKey_file() adds the first private key found +in B to B; SSL_use_RSAPrivateKey_file() adds the first private +RSA key found to B. + +SSL_CTX_check_private_key() checks the consistency of a private key with +the corresponding certificate loaded into B. If more than one +key/certificate pair (RSA/DSA) is installed, the last item installed will +be checked. If e.g. the last item was a RSA certificate or key, the RSA +key/certificate pair will be checked. SSL_check_private_key() performs +the same check for B. If no key/certificate was explicitly added for +this B, the last item added into B will be checked. + +=head1 NOTES + +The internal certificate store of OpenSSL can hold two private key/certificate +pairs at a time: one key/certificate of type RSA and one key/certificate +of type DSA. The certificate used depends on the cipher select, see +also L. + +When reading certificates and private keys from file, files of type +SSL_FILETYPE_ASN1 (also known as B, binary encoding) can only contain +one certificate or private key, consequently +SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting. +Files of type SSL_FILETYPE_PEM can contain more than one item. + +SSL_CTX_use_certificate_chain_file() adds the first certificate found +in the file to the certificate store. The other certificates are added +to the store of chain certificates using +L. +There exists only one extra chain store, so that the same chain is appended +to both types of certificates, RSA and DSA! If it is not intended to use +both type of certificate at the same time, it is recommended to use the +SSL_CTX_use_certificate_chain_file() instead of the +SSL_CTX_use_certificate_file() function in order to allow the use of +complete certificate chains even when no trusted CA storage is used or +when the CA issuing the certificate shall not be added to the trusted +CA storage. + +If additional certificates are needed to complete the chain during the +TLS negotiation, CA certificates are additionally looked up in the +locations of trusted CA certificates, see +L. + +The private keys loaded from file can be encrypted. In order to successfully +load encrypted keys, a function returning the passphrase must have been +supplied, see +L. +(Certificate files might be encrypted as well from the technical point +of view, it however does not make sense as the data in the certificate +is considered public anyway.) + +=head1 RETURN VALUES + +On success, the functions return 1. +Otherwise check out the error stack to find out the reason. + +=head1 SEE ALSO + +L, L, L, +L, +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod new file mode 100644 index 0000000000..dd5cb4f04b --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod @@ -0,0 +1,61 @@ +=pod + +=head1 NAME + +SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data - internal application specific data functions + +=head1 SYNOPSIS + + #include + + int SSL_SESSION_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg); + + void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx); + + typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); + +=head1 DESCRIPTION + +Several OpenSSL structures can have application specific data attached to them. +These functions are used internally by OpenSSL to manipulate application +specific data attached to a specific structure. + +SSL_SESSION_get_ex_new_index() is used to register a new index for application +specific data. + +SSL_SESSION_set_ex_data() is used to store application data at B for B +into the B object. + +SSL_SESSION_get_ex_data() is used to retrieve the information for B from +B. + +A detailed description for the B<*_get_ex_new_index()> functionality +can be found in L. +The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in +L. + +=head1 WARNINGS + +The application data is only maintained for sessions held in memory. The +application data is not included when dumping the session with +i2d_SSL_SESSION() (and all functions indirectly calling the dump functions +like PEM_write_SSL_SESSION() and PEM_write_bio_SSL_SESSION()) and can +therefore not be restored. + +=head1 SEE ALSO + +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod new file mode 100644 index 0000000000..cd33b73aa3 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod @@ -0,0 +1,63 @@ +=pod + +=head1 NAME + +SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_get_timeout - retrieve and manipulate session time and timeout settings + +=head1 SYNOPSIS + + #include + + long SSL_SESSION_get_time(SSL_SESSION *s); + long SSL_SESSION_set_time(SSL_SESSION *s, long tm); + long SSL_SESSION_get_timeout(SSL_SESSION *s); + long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm); + + long SSL_get_time(SSL_SESSION *s); + long SSL_set_time(SSL_SESSION *s, long tm); + long SSL_get_timeout(SSL_SESSION *s); + long SSL_set_timeout(SSL_SESSION *s, long tm); + +=head1 DESCRIPTION + +SSL_SESSION_get_time() returns the time at which the session B was +established. The time is given in seconds since the Epoch and therefore +compatible to the time delivered by the time() call. + +SSL_SESSION_set_time() replaces the creation time of the session B with +the chosen value B. + +SSL_SESSION_get_timeout() returns the timeout value set for session B +in seconds. + +SSL_SESSION_set_timeout() sets the timeout value for session B in seconds +to B. + +The SSL_get_time(), SSL_set_time(), SSL_get_timeout(), and SSL_set_timeout() +functions are synonyms for the SSL_SESSION_*() counterparts. + +=head1 NOTES + +Sessions are expired by examining the creation time and the timeout value. +Both are set at creation time of the session to the actual time and the +default timeout value at creation, respectively, as set by +L. +Using these functions it is possible to extend or shorten the lifetime +of the session. + +=head1 RETURN VALUES + +SSL_SESSION_get_time() and SSL_SESSION_get_timeout() return the currently +valid values. + +SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success. + +If any of the function is passed the NULL pointer for the session B, +0 is returned. + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_accept.pod b/src/lib/libssl/src/doc/ssl/SSL_accept.pod index 0c79ac515e..86f980de41 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_accept.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_accept.pod @@ -37,6 +37,11 @@ nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. +When using a generic method (see L), it +is necessary to call SSL_set_accept_state() +before calling SSL_accept() to explicitly switch the B to server +mode. + =head1 RETURN VALUES The following return values can occur: @@ -54,7 +59,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B to find out the reason. -=item -1 +=item E0 The TLS/SSL handshake was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. The shutdown was @@ -67,6 +72,8 @@ to find out the reason. =head1 SEE ALSO L, L, -L, L, L +L, L, L, +L, +L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_clear.pod b/src/lib/libssl/src/doc/ssl/SSL_clear.pod index 862fd8291d..8b735d81dc 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_clear.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_clear.pod @@ -13,8 +13,17 @@ SSL_clear - reset SSL object to allow another connection =head1 DESCRIPTION Reset B to allow another connection. All settings (method, ciphers, -BIOs) are kept. A completely negotiated B is not freed but left -untouched for the underlying B. +BIOs) are kept. + +=head1 NOTES + +SSL_clear is used to prepare an SSL object for a new connection. While all +settings are kept, a side effect is the handling of the current SSL session. +If a session is still B, it is considered bad and will be removed +from the session cache, as required by RFC2246. A session is considered open, +if L was not called for the connection +or at least L was used to +set the SSL_SENT_SHUTDOWN state. =head1 RETURN VALUES @@ -34,6 +43,7 @@ The SSL_clear() operation was successful. =back L, L, -L +L, L, +L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_connect.pod b/src/lib/libssl/src/doc/ssl/SSL_connect.pod index debe41744f..bcc167745b 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_connect.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_connect.pod @@ -34,6 +34,11 @@ nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. +When using a generic method (see L), it +is necessary to call L +before calling SSL_connect() to explicitly switch the B to client +mode. + =head1 RETURN VALUES The following return values can occur: @@ -51,7 +56,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B to find out the reason. -=item -1 +=item E0 The TLS/SSL handshake was not successful, because a fatal error occurred either at the protocol level or a connection failure occurred. The shutdown was @@ -64,6 +69,8 @@ to find out the reason. =head1 SEE ALSO L, L, -L, L , L +L, L, L, +L, +L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_free.pod b/src/lib/libssl/src/doc/ssl/SSL_free.pod index f3f0c345f8..2d4f8b6168 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_free.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_free.pod @@ -16,18 +16,29 @@ SSL_free() decrements the reference count of B, and removes the SSL structure pointed to by B and frees up the allocated memory if the the reference count has reached 0. -It also calls the free()ing procedures for indirectly affected items, if +=head1 NOTES + +SSL_free() also calls the free()ing procedures for indirectly affected items, if applicable: the buffering BIO, the read and write BIOs, cipher lists specially created for this B, the B. Do not explicitly free these indirectly freed up items before or after calling SSL_free(), as trying to free things twice may lead to program failure. +The ssl session has reference counts from two users: the SSL object, for +which the reference count is removed by SSL_free() and the internal +session cache. If the session is considered bad, because +L was not called for the connection +and L was not used to set the +SSL_SENT_SHUTDOWN state, the session will also be removed +from the session cache as required by RFC2246. + =head1 RETURN VALUES SSL_free() does not provide diagnostic information. L, L, +L, L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod b/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod new file mode 100644 index 0000000000..40e01cf9c8 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod @@ -0,0 +1,52 @@ +=pod + +=head1 NAME + +SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs + +=head1 SYNOPSIS + + #include + + STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); + STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for +B using L. + +SSL_get_client_CA_list() returns the list of client CAs explicitly +set for B using SSL_set_client_CA_list() or B's SSL_CTX object with +L, when in +server mode. In client mode, SSL_get_client_CA_list returns the list of +client CAs sent from the server, if any. + +=head1 RETURN VALUES + +SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return +diagnostic information. + +SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return +values: + +=over 4 + +=item STACK_OF(X509_NAMES) + +List of CA names explicitly set (for B or in server mode) or send +by the server (client mode). + +=item NULL + +No client CA list was explicitly set (for B or in server mode) or +the server did not send a list of CAs (client mode). + +=back + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_error.pod b/src/lib/libssl/src/doc/ssl/SSL_get_error.pod index d85b564258..fefaf61936 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_get_error.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_get_error.pod @@ -14,8 +14,8 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation SSL_get_error() returns a result code (suitable for the C "switch" statement) for a preceding call to SSL_connect(), SSL_accept(), -SSL_read(), or SSL_write() on B. The value returned by that -TLS/SSL I/O function must be passed to SSL_get_error() in parameter +SSL_read(), SSL_peek(), or SSL_write() on B. The value returned by +that TLS/SSL I/O function must be passed to SSL_get_error() in parameter B. In addition to B and B, SSL_get_error() inspects the @@ -48,16 +48,26 @@ has been closed. =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE The operation did not complete; the same TLS/SSL I/O function should be -called again later. There will be protocol progress if, by then, the -underlying B has data available for reading (if the result code is -B) or allows writing data (B). -For socket Bs (e.g. when SSL_set_fd() was used) this means that -select() or poll() on the underlying socket can be used to find out -when the TLS/SSL I/O function should be retried. +called again later. If, by then, the underlying B has data +available for reading (if the result code is B) +or allows writing data (B), then some TLS/SSL +protocol progress will take place, i.e. at least part of an TLS/SSL +record will be read or written. Note that the retry may again lead to +a B or B condition. +There is no fixed upper limit for the number of iterations that +may be necessary until progress becomes visible at application +protocol level. + +For socket Bs (e.g. when SSL_set_fd() was used), select() or +poll() on the underlying socket can be used to find out when the +TLS/SSL I/O function should be retried. Caveat: Any TLS/SSL I/O function can lead to either of -B and B, i.e. SSL_read() -may want to write data and SSL_write() may want to read data. +B and B. In particular, +SSL_read() or SSL_peek() may want to write data and SSL_write() may want +to read data. This is mainly because TLS/SSL handshakes may occur at any +time during the protocol (initiated by either the client or the server); +SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes. =item SSL_ERROR_WANT_X509_LOOKUP diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod b/src/lib/libssl/src/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod new file mode 100644 index 0000000000..165c6a5b2c --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod @@ -0,0 +1,61 @@ +=pod + +=head1 NAME + +SSL_get_ex_data_X509_STORE_CTX_idx - get ex_data index to access SSL structure +from X509_STORE_CTX + +=head1 SYNOPSIS + + #include + + int SSL_get_ex_data_X509_STORE_CTX_idx(void); + +=head1 DESCRIPTION + +SSL_get_ex_data_X509_STORE_CTX_idx() returns the index number under which +the pointer to the SSL object is stored into the X509_STORE_CTX object. + +=head1 NOTES + +Whenever a X509_STORE_CTX object is created for the verification of the +peers certificate during a handshake, a pointer to the SSL object is +stored into the X509_STORE_CTX object to identify the connection affected. +To retrieve this pointer the X509_STORE_CTX_get_ex_data() function can +be used with the correct index. This index is globally the same for all +X509_STORE_CTX objects and can be retrieved using +SSL_get_ex_data_X509_STORE_CTX_idx(). The index value is set when +SSL_get_ex_data_X509_STORE_CTX_idx() is first called either by the application +program directly or indirectly during other SSL setup functions or during +the handshake. + +The value depends on other index values defined for X509_STORE_CTX objects +before the SSL index is created. + +=head1 RETURN VALUES + +=over 4 + +=item E=0 + +The index value to access the pointer. + +=item E0 + +An error occurred, check the error stack for a detailed error message. + +=back + +=head1 EXAMPLES + +The index returned from SSL_get_ex_data_X509_STORE_CTX_idx() allows to +access the SSL object for the connection to be accessed during the +verify_callback() when checking the peers certificate. Please check +the example in L, + +=head1 SEE ALSO + +L, L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod b/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod new file mode 100644 index 0000000000..2b69bb1050 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod @@ -0,0 +1,59 @@ +=pod + +=head1 NAME + +SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application specific data functions + +=head1 SYNOPSIS + + #include + + int SSL_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int SSL_set_ex_data(SSL *ssl, int idx, void *arg); + + void *SSL_get_ex_data(SSL *ssl, int idx); + + typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); + +=head1 DESCRIPTION + +Several OpenSSL structures can have application specific data attached to them. +These functions are used internally by OpenSSL to manipulate application +specific data attached to a specific structure. + +SSL_get_ex_new_index() is used to register a new index for application +specific data. + +SSL_set_ex_data() is used to store application data at B for B into +the B object. + +SSL_get_ex_data() is used to retrieve the information for B from +B. + +A detailed description for the B<*_get_ex_new_index()> functionality +can be found in L. +The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in +L. + +=head1 EXAMPLES + +An example on how to use the functionality is included in the example +verify_callback() in L. + +=head1 SEE ALSO + +L, +L, +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod b/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod index e93e8206fa..390ce0b41b 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod @@ -15,7 +15,7 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates forming the certificate chain of the peer. If called on the client side, the stack also contains the peer's certificate; if called on the server -side, the peer's certificate must be obtained seperately using +side, the peer's certificate must be obtained separately using L. If the peer did not present a certificate, NULL is returned. diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod b/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod index 79c089aa51..1102c7fba9 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod @@ -23,7 +23,7 @@ to check the verification state. The reference count of the X509 object is incremented by one, so that it will not be destroyed when the session containing the peer certificate is -freed. The X509 object must be explicitely freed using X509_free(). +freed. The X509 object must be explicitly freed using X509_free(). =head1 RETURN VALUES diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_session.pod b/src/lib/libssl/src/doc/ssl/SSL_get_session.pod index aff41fb9cf..a0266e2ac6 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_get_session.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_get_session.pod @@ -16,14 +16,30 @@ SSL_get_session - retrieve TLS/SSL session data SSL_get_session() returns a pointer to the B actually used in B. The reference count of the B is not incremented, so -that the pointer can become invalid when the B is freed and -SSL_SESSION_free() is implicitly called. +that the pointer can become invalid by other operations. SSL_get0_session() is the same as SSL_get_session(). SSL_get1_session() is the same as SSL_get_session(), but the reference count of the B is incremented by one. +=head1 NOTES + +The ssl session contains all information required to re-establish the +connection without a new handshake. + +SSL_get0_session() returns a pointer to the actual session. As the +reference counter is not incremented, the pointer is only valid while +the connection is in use. If L or +L is called, the session may be removed completely +(if considered bad), and the pointer obtained will become invalid. Even +if the session is valid, it can be removed at any time due to timeout +during L. + +If the data is to be kept, SSL_get1_session() will increment the reference +count and the session will stay in memory until explicitly freed with +L, regardless of its state. + =head1 RETURN VALUES The following return values can occur: @@ -43,6 +59,7 @@ The return value points to the data of an SSL session. =head1 SEE ALSO L, L, +L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod b/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod index 4d66236a05..e6bac9c35a 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod @@ -19,7 +19,7 @@ X509 certificate presented by the peer, if any. SSL_get_verify_result() can only return one error code while the verification of a certificate can fail because of many reasons at the same time. Only -the last verification error that occured during the processing is available +the last verification error that occurred during the processing is available from SSL_get_verify_result(). The verification result is part of the established session and is restored @@ -28,7 +28,7 @@ when a session is reused. =head1 BUGS If no peer certificate was presented, the returned result code is -X509_V_OK. This is because no verification error occured, it does however +X509_V_OK. This is because no verification error occurred, it does however not indicate success. SSL_get_verify_result() is only useful in connection with L. diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_version.pod b/src/lib/libssl/src/doc/ssl/SSL_get_version.pod new file mode 100644 index 0000000000..24d5291256 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_get_version.pod @@ -0,0 +1,46 @@ +=pod + +=head1 NAME + +SSL_get_version - get the protocol version of a connection. + +=head1 SYNOPSIS + + #include + + const char *SSL_get_version(SSL *ssl); + +=head1 DESCRIPTION + +SSL_get_cipher_version() returns the name of the protocol used for the +connection B. + +=head1 RETURN VALUES + +The following strings can occur: + +=over 4 + +=item SSLv2 + +The connection uses the SSLv2 protocol. + +=item SSLv3 + +The connection uses the SSLv3 protocol. + +=item TLSv1 + +The connection uses the TLSv1 protocol. + +=item unknown + +This indicates that no version has been set (no connection established). + +=back + +=head1 SEE ALSO + +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_load_client_CA_file.pod b/src/lib/libssl/src/doc/ssl/SSL_load_client_CA_file.pod new file mode 100644 index 0000000000..02527dc2ed --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_load_client_CA_file.pod @@ -0,0 +1,62 @@ +=pod + +=head1 NAME + +SSL_load_client_CA_file - load certificate names from file + +=head1 SYNOPSIS + + #include + + STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); + +=head1 DESCRIPTION + +SSL_load_client_CA_file() reads certificates from B and returns +a STACK_OF(X509_NAME) with the subject names found. + +=head1 NOTES + +SSL_load_client_CA_file() reads a file of PEM formatted certificates and +extracts the X509_NAMES of the certificates found. While the name suggests +the specific usage as support function for +L, +it is not limited to CA certificates. + +=head1 EXAMPLES + +Load names of CAs from file and use it as a client CA list: + + SSL_CTX *ctx; + STACK_OF(X509_NAME) *cert_names; + + ... + cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); + if (cert_names != NULL) + SSL_CTX_set_client_CA_list(ctx, cert_names); + else + error_handling(); + ... + +=head1 RETURN VALUES + +The following return values can occur: + +=over 4 + +=item NULL + +The operation failed, check out the error stack for the reason. + +=item Pointer to STACK_OF(X509_NAME) + +Pointer to the subject names of the successfully read certificates. + +=back + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_new.pod b/src/lib/libssl/src/doc/ssl/SSL_new.pod index 8e8638fa95..3b084e867d 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_new.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_new.pod @@ -37,6 +37,7 @@ The return value points to an allocated SSL structure. =head1 SEE ALSO L, L, +L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_pending.pod b/src/lib/libssl/src/doc/ssl/SSL_pending.pod index 744e1855e1..b4c48598b2 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_pending.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_pending.pod @@ -25,6 +25,19 @@ L. The number of bytes pending is returned. +=head1 BUGS + +SSL_pending() takes into account only bytes from the TLS/SSL record +that is currently being processed (if any). If the B object's +I flag is set, additional protocol bytes may have been +read containing more TLS/SSL records; these are ignored by +SSL_pending(). + +Up to OpenSSL 0.9.6, SSL_pending() does not check if the record type +of pending data is application data. + +=head1 SEE ALSO + L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_read.pod b/src/lib/libssl/src/doc/ssl/SSL_read.pod index 072dc26cf2..7db5ee0a22 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_read.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_read.pod @@ -8,7 +8,7 @@ SSL_read - read bytes from a TLS/SSL connection. #include - int SSL_read(SSL *ssl, char *buf, int num); + int SSL_read(SSL *ssl, void *buf, int num); =head1 DESCRIPTION @@ -18,17 +18,29 @@ buffer B. =head1 NOTES If necessary, SSL_read() will negotiate a TLS/SSL session, if -not already explicitly performed by SSL_connect() or SSL_accept(). If the +not already explicitly performed by L or +L. If the peer requests a re-negotiation, it will be performed transparently during the SSL_read() operation. The behaviour of SSL_read() depends on the underlying BIO. +For the transparent negotiation to succeed, the B must have been +initialized to client or server mode. This is not the case if a generic +method is being used (see L, so that +L or SSL_set_accept_state() +must be used before the first call to an SSL_read() or +L function. + If the underlying BIO is B, SSL_read() will only return, once the -read operation has been finished or an error occurred. +read operation has been finished or an error occurred, except when a +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the +L call. If the underlying BIO is B, SSL_read() will also return when the underlying BIO could not satisfy the needs of SSL_read() -to continue the operation. In this case a call to SSL_get_error() with the +to continue the operation. In this case a call to +L with the return value of SSL_read() will yield B or B. As at any time a re-negotiation is possible, a call to SSL_read() can also cause write operations! The calling process @@ -61,7 +73,7 @@ The read operation was not successful, probably because no data was available. Call SSL_get_error() with the return value B to find out, whether an error occurred. -=item -1 +=item E0 The read operation was not successful, because either an error occurred or action must be taken by the calling process. Call SSL_get_error() with the @@ -72,6 +84,9 @@ return value B to find out the reason. =head1 SEE ALSO L, L, +L, L, +L, L +L, L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_connect_state.pod b/src/lib/libssl/src/doc/ssl/SSL_set_connect_state.pod new file mode 100644 index 0000000000..a8c4463c64 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_set_connect_state.pod @@ -0,0 +1,47 @@ +=pod + +=head1 NAME + +SSL_set_connect_state, SSL_get_accept_state - prepare SSL object to work in client or server mode + +=head1 SYNOPSIS + + #include + + void SSL_set_connect_state(SSL *ssl); + + void SSL_set_accept_state(SSL *ssl); + +=head1 DESCRIPTION + +SSL_set_connect_state() B to work in client mode. + +SSL_set_accept_state() B to work in server mode. + +=head1 NOTES + +When the SSL_CTX object was created with L, +it was either assigned a dedicated client method, a dedicated server +method, or a generic method, that can be used for both client and +server connections. (The method might have been changed with +L or +SSL_set_ssl_method().) + +In order to successfully accomplish the handshake, the SSL routines need +to know whether they should act in server or client mode. If the generic +method was used, this is not clear from the method itself and must be set +with either SSL_set_connect_state() or SSL_set_accept_state(). If these +routines are not called, the default value set when L +is called is server mode. + +=head1 RETURN VALUES + +SSL_set_connect_state() and SSL_set_accept_state() do not return diagnostic +information. + +=head1 SEE ALSO + +L, L, L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_session.pod b/src/lib/libssl/src/doc/ssl/SSL_set_session.pod index 9f78d9e434..c4f7878579 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_set_session.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_set_session.pod @@ -40,6 +40,7 @@ The operation succeeded. =head1 SEE ALSO -L, L +L, L, +L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod b/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod new file mode 100644 index 0000000000..6b196c1f15 --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod @@ -0,0 +1,68 @@ +=pod + +=head1 NAME + +SSL_set_shutdown, SSL_get_shutdown - manipulate shutdown state of an SSL connection + +=head1 SYNOPSIS + + #include + + void SSL_set_shutdown(SSL *ssl, int mode); + + int SSL_get_shutdown(SSL *ssl); + +=head1 DESCRIPTION + +SSL_set_shutdown() sets the shutdown state of B to B. + +SSL_get_shutdown() returns the shutdown mode of B. + +=head1 NOTES + +The shutdown state of an ssl connection is a bitmask of: + +=over 4 + +=item 0 + +No shutdown setting, yet. + +=item SSL_SENT_SHUTDOWN + +A "close notify" shutdown alert was sent to the peer, the connection is being +considered closed and the session is closed and correct. + +=item SSL_RECEIVED_SHUTDOWN + +A shutdown alert was received form the peer, either a normal "close notify" +or a fatal error. + +=back + +SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN can be set at the same time. + +The shutdown state of the connection is used to determine the state of +the ssl session. If the session is still open, when +L or L is called, +it is considered bad and removed according to RFC2246. +The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN. +SSL_set_shutdown() can be used to set this state without sending a +close alert to the peer (see L). + +If a "close notify" was received, SSL_RECEIVED_SHUTDOWN will be set, +for setting SSL_SENT_SHUTDOWN the application must however still call +L or SSL_set_shutdown() itself. + +=head1 RETURN VALUES + +SSL_set_shutdown() does not return diagnostic information. + +SSL_get_shutdown() returns the current setting. + +=head1 SEE ALSO + +L, L, +L, L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod b/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod index 20e273bd4d..7988dd3c90 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod @@ -12,9 +12,17 @@ SSL_shutdown - shut down a TLS/SSL connection =head1 DESCRIPTION -SSL_shutdown() shuts down an active TLS/SSL connection. It sends the shutdown -alert to the peer. The behaviour of SSL_shutdown() depends on the underlying -BIO. +SSL_shutdown() shuts down an active TLS/SSL connection. It sends the +"close notify" shutdown alert to the peer. + +=head1 NOTES + +SSL_shutdown() tries to send the "close notify" shutdown alert to the peer. +Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and +a currently open session is considered closed and good and will be kept in the +session cache for further reuse. + +The behaviour of SSL_shutdown() depends on the underlying BIO. If the underlying BIO is B, SSL_shutdown() will only return once the handshake has been finished or an error occurred. @@ -57,6 +65,8 @@ Call SSL_get_error() with the return value B to find out the reason. =head1 SEE ALSO L, L, -L, L, L +L, L, +L, +L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/SSL_write.pod b/src/lib/libssl/src/doc/ssl/SSL_write.pod index db67c187e0..be1ad76d3b 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_write.pod +++ b/src/lib/libssl/src/doc/ssl/SSL_write.pod @@ -2,13 +2,13 @@ =head1 NAME -SSL_read - write bytes to a TLS/SSL connection. +SSL_write - write bytes to a TLS/SSL connection. =head1 SYNOPSIS #include - int SSL_write(SSL *ssl, char *buf, int num); + int SSL_write(SSL *ssl, const void *buf, int num); =head1 DESCRIPTION @@ -18,20 +18,32 @@ B connection. =head1 NOTES If necessary, SSL_write() will negotiate a TLS/SSL session, if -not already explicitly performed by SSL_connect() or SSL_accept(). If the +not already explicitly performed by L or +L. If the peer requests a re-negotiation, it will be performed transparently during the SSL_write() operation. The behaviour of SSL_write() depends on the underlying BIO. +For the transparent negotiation to succeed, the B must have been +initialized to client or server mode. This is not the case if a generic +method is being used (see L, so that +L or SSL_set_accept_state() +must be used before the first call to an L +or SSL_write() function. + If the underlying BIO is B, SSL_write() will only return, once the -write operation has been finished or an error occurred. +write operation has been finished or an error occurred, except when a +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the +L call. If the underlying BIO is B, SSL_write() will also return, when the underlying BIO could not satisfy the needs of SSL_write() -to continue the operation. In this case a call to SSL_get_error() with the +to continue the operation. In this case a call to +L with the return value of SSL_write() will yield B or B. As at any time a re-negotiation is possible, a -call to SSL_write() can also cause write operations! The calling process +call to SSL_write() can also cause read operations! The calling process then must repeat the call after taking appropriate action to satisfy the needs of SSL_write(). The action depends on the underlying BIO. When using a non-blocking socket, nothing is to be done, but select() can be used to check @@ -60,9 +72,9 @@ bytes actually written to the TLS/SSL connection. The write operation was not successful. Call SSL_get_error() with the return value B to find out, whether an error occurred. -=item -1 +=item E0 -The read operation was not successful, because either an error occurred +The write operation was not successful, because either an error occurred or action must be taken by the calling process. Call SSL_get_error() with the return value B to find out the reason. @@ -71,6 +83,9 @@ return value B to find out the reason. =head1 SEE ALSO L, L, +L, L, +L, L +L, L, L =cut diff --git a/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod b/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod new file mode 100644 index 0000000000..9a1ba6c47b --- /dev/null +++ b/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod @@ -0,0 +1,56 @@ +=pod + +=head1 NAME + +d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 representation + +=head1 SYNOPSIS + + #include + + SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length); + int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); + +=head1 DESCRIPTION + +d2i_SSL_SESSION() transforms the external ASN1 representation of an SSL/TLS +session, stored as binary data at location B with length B, into +an SSL_SESSION object. + +i2d_SSL_SESSION() transforms the SSL_SESSION object B into the ASN1 +representation and stores it into the memory location pointed to by B. +The length of the resulting ASN1 representation is returned. If B is +the NULL pointer, only the length is calculated and returned. + +=head1 NOTES + +The SSL_SESSION object is built from several malloc()ed parts, it can +therefore not be moved, copied or stored directly. In order to store +session data on disk or into a database, it must be transformed into +a binary ASN1 representation. + +When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically +allocated. + +When using i2d_SSL_SESSION(), the memory location pointed to by B must be +large enough to hold the binary representation of the session. There is no +known limit on the size of the created ASN1 representation, so the necessary +amount of space should be obtained by first calling i2d_SSL_SESSION() with +B, and obtain the size needed, then allocate the memory and +call i2d_SSL_SESSION() again. + +=head1 RETURN VALUES + +d2i_SSL_SESSION() returns a pointer to the newly allocated SSL_SESSION +object. In case of failure the NULL-pointer is returned and the error message +can be retrieved from the error stack. + +i2d_SSL_SESSION() returns the size of the ASN1 representation in bytes. +When the session is not valid, B<0> is returned and no operation is performed. + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/src/lib/libssl/src/doc/ssl/ssl.pod b/src/lib/libssl/src/doc/ssl/ssl.pod index 7787376f7b..16292a05f2 100644 --- a/src/lib/libssl/src/doc/ssl/ssl.pod +++ b/src/lib/libssl/src/doc/ssl/ssl.pod @@ -13,6 +13,69 @@ The OpenSSL B library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API which is documented here. +At first the library must be initialized; see +L. + +Then an B object is created as a framework to establish +TLS/SSL enabled connections (see L). +Various options regarding certificates, algorithms etc. can be set +in this object. + +When a network connection has been created, it can be assigned to an +B object. After the B object has been created using +L, L or +L can be used to associate the network +connection with the object. + +Then the TLS/SSL handshake is performed using +L or L +respectively. +L and L are used +to read and write data on the TLS/SSL connection. +L can be used to shut down the +TLS/SSL connection. + +=head1 DATA STRUCTURES + +Currently the OpenSSL B library functions deals with the following data +structures: + +=over 4 + +=item B (SSL Method) + +That's a dispatch structure describing the internal B library +methods/functions which implement the various protocol versions (SSLv1, SSLv2 +and TLSv1). It's needed to create an B. + +=item B (SSL Cipher) + +This structure holds the algorithm information for a particular cipher which +are a core part of the SSL/TLS protocol. The available ciphers are configured +on a B basis and the actually used ones are then part of the +B. + +=item B (SSL Context) + +That's the global context structure which is created by a server or client +once per program life-time and which holds mainly default values for the +B structures which are later created for the connections. + +=item B (SSL Session) + +This is a structure containing the current TLS/SSL session details for a +connection: Bs, client and server certificates, keys, etc. + +=item B (SSL Connection) + +That's the main SSL/TLS structure which is created by a server or client per +established connection. This actually is the core structure in the SSL API. +Under run-time the application usually deals with this structure which has +links to mostly all other structures. + +=back + + =head1 HEADER FILES Currently the OpenSSL B library provides the following C header files @@ -55,46 +118,6 @@ it's already included by ssl.h>. =back -=head1 DATA STRUCTURES - -Currently the OpenSSL B library functions deals with the following data -structures: - -=over 4 - -=item B (SSL Method) - -That's a dispatch structure describing the internal B library -methods/functions which implement the various protocol versions (SSLv1, SSLv2 -and TLSv1). It's needed to create an B. - -=item B (SSL Cipher) - -This structure holds the algorithm information for a particular cipher which -are a core part of the SSL/TLS protocol. The available ciphers are configured -on a B basis and the actually used ones are then part of the -B. - -=item B (SSL Context) - -That's the global context structure which is created by a server or client -once per program life-time and which holds mainly default values for the -B structures which are later created for the connections. - -=item B (SSL Session) - -This is a structure containing the current TLS/SSL session details for a -connection: Bs, client and server certificates, keys, etc. - -=item B (SSL Connection) - -That's the main SSL/TLS structure which is created by a server or client per -established connection. This actually is the core structure in the SSL API. -Under run-time the application usually deals with this structure which has -links to mostly all other structures. - -=back - =head1 API FUNCTIONS Currently the OpenSSL B library exports 214 API functions. @@ -521,11 +544,11 @@ connection defined in the B structure. =item long B(SSL *ssl); -=item int B(SSL *ssl, char *buf, int num); +=item int B(SSL *ssl, void *buf, int num); =item int B(SSL *ssl); -=item int B(SSL *ssl, char *buf, int num); +=item int B(SSL *ssl, void *buf, int num); =item int B(SSL *ssl); @@ -617,7 +640,7 @@ connection defined in the B structure. =item int B(s); -=item int B(SSL *ssl, char *buf, int num); +=item int B(SSL *ssl, const void *buf, int num); =back @@ -625,20 +648,53 @@ connection defined in the B structure. L, L, L, L, -L, L, +L, +L, +L, +L, +L, +L, +L, +L +L, +L, +L, +L, +L, +L, +L, +L, +L, +L, +L, L, +L, +L, +L, L, -L, L, +L, +L, +L, +L, +L, L, L, L, L, -L, L, +L, +L, +L, +L, L, L, +L, L, L, L, +L, L, L, -L +L, +L, +L, +L =head1 HISTORY diff --git a/src/lib/libssl/src/doc/ssleay.txt b/src/lib/libssl/src/doc/ssleay.txt index 3e964c2e9a..fab8d42c42 100644 --- a/src/lib/libssl/src/doc/ssleay.txt +++ b/src/lib/libssl/src/doc/ssleay.txt @@ -5743,7 +5743,7 @@ strucutre but also the private key and certificate associated with EXAMPLES. -So lets play at being a wierd SSL server. +So lets play at being a weird SSL server. /* setup a context */ ctx=SSL_CTX_new(); diff --git a/src/lib/libssl/src/e_os.h b/src/lib/libssl/src/e_os.h index 318e83edb5..fc61e0e00b 100644 --- a/src/lib/libssl/src/e_os.h +++ b/src/lib/libssl/src/e_os.h @@ -340,12 +340,14 @@ extern HINSTANCE _hInstance; # if defined(VMS) && !defined(__DECC) # include # include +# include # else # include # ifdef FILIO_H # include /* Added for FIONBIO under unixware */ # endif # include +# include # endif # if defined(NeXT) || defined(_NEXT_SOURCE) diff --git a/src/lib/libssl/src/ms/16all.bat b/src/lib/libssl/src/ms/16all.bat index e57e177177..62ccf78963 100644 --- a/src/lib/libssl/src/ms/16all.bat +++ b/src/lib/libssl/src/ms/16all.bat @@ -1,10 +1,13 @@ set OPTS=no_asm perl Configure VC-WIN16 +perl util\mkfiles.pl >MINFO perl util\mk1mf.pl %OPTS% debug VC-WIN16 >d16.mak perl util\mk1mf.pl %OPTS% VC-WIN16 >16.mak perl util\mk1mf.pl %OPTS% debug dll VC-WIN16 >d16dll.mak perl util\mk1mf.pl %OPTS% dll VC-WIN16 >16dll.mak +perl util\mkdef.pl 16 libeay > ms\libeay32.def +perl util\mkdef.pl 16 ssleay > ms\ssleay32.def nmake -f d16.mak nmake -f 16.mak diff --git a/src/lib/libssl/src/ms/32all.bat b/src/lib/libssl/src/ms/32all.bat index d1f014c4e0..09f47059ad 100644 --- a/src/lib/libssl/src/ms/32all.bat +++ b/src/lib/libssl/src/ms/32all.bat @@ -1,10 +1,13 @@ set OPTS=no-asm perl Configure VC-WIN32 +perl util\mkfiles.pl >MINFO perl util\mk1mf.pl %OPTS% debug VC-WIN32 >d32.mak perl util\mk1mf.pl %OPTS% VC-WIN32 >32.mak perl util\mk1mf.pl %OPTS% debug dll VC-WIN32 >d32dll.mak perl util\mk1mf.pl %OPTS% dll VC-WIN32 >32dll.mak +perl util\mkdef.pl 32 libeay > ms\libeay32.def +perl util\mkdef.pl 32 ssleay > ms\ssleay32.def nmake -f d32.mak nmake -f 32.mak diff --git a/src/lib/libssl/src/ms/test.bat b/src/lib/libssl/src/ms/test.bat index ef37beaa22..8f69194283 100644 --- a/src/lib/libssl/src/ms/test.bat +++ b/src/lib/libssl/src/ms/test.bat @@ -1,4 +1,4 @@ -@echo=off +@echo off set test=..\ms set opath=%PATH% diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec index 1c8f4e9d81..d00e461e37 100644 --- a/src/lib/libssl/src/openssl.spec +++ b/src/lib/libssl/src/openssl.spec @@ -1,15 +1,15 @@ %define libmaj 0 %define libmin 9 %define librel 6 -#%define librev +%define librev a Release: 1 %define openssldir /var/ssl Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl-engine -Version: %{libmaj}.%{libmin}.%{librel} -#Version: %{libmaj}.%{libmin}.%{librel}%{librev} +#Version: %{libmaj}.%{libmin}.%{librel} +Version: %{libmaj}.%{libmin}.%{librel}%{librev} Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz Copyright: Freely distributable Group: System Environment/Libraries @@ -105,7 +105,7 @@ LD_LIBRARY_PATH=`pwd` make test %install rm -rf $RPM_BUILD_ROOT -make install MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT" +make MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT" install # Rename manpages for x in $RPM_BUILD_ROOT/usr/man/man*/* @@ -119,19 +119,6 @@ install -m644 libRSAglue.a $RPM_BUILD_ROOT/usr/lib # Make backwards-compatibility symlink to ssleay ln -s /usr/bin/openssl $RPM_BUILD_ROOT/usr/bin/ssleay -# Install shared libs -install -m644 libcrypto.a $RPM_BUILD_ROOT/usr/lib -#!#install -m755 libcrypto.so.%{libmaj}.%{libmin}.%{librel} $RPM_BUILD_ROOT/usr/lib -install -m644 libssl.a $RPM_BUILD_ROOT/usr/lib -#!#install -m755 libssl.so.%{libmaj}.%{libmin}.%{librel} $RPM_BUILD_ROOT/usr/lib -( - cd $RPM_BUILD_ROOT/usr/lib - #!#ln -s libcrypto.so.%{libmaj}.%{libmin}.%{librel} libcrypto.so.%{libmaj} - #!#ln -s libcrypto.so.%{libmaj}.%{libmin}.%{librel} libcrypto.so - #!#ln -s libssl.so.%{libmaj}.%{libmin}.%{librel} libssl.so.%{libmaj} - #!#ln -s libssl.so.%{libmaj}.%{libmin}.%{librel} libssl.so -) - %clean rm -rf $RPM_BUILD_ROOT @@ -169,6 +156,21 @@ ldconfig ldconfig %changelog +* Thu Mar 22 2001 Richard Levitte +- Removed redundant subsection that re-installed libcrypto.a and libssl.a + as well. +* Thu Mar 15 2001 Jeremiah Johnson +- Removed redundant subsection that re-installed libcrypto.so.0.9.6 and + libssl.so.0.9.6. As well as the subsection that created symlinks for + these. make install handles all this. +* Sat Oct 21 2000 Horms +- Make sure symlinks are created by using -f flag to ln. + Otherwise some .so libraries are copied rather than + linked in the resulting binary RPM. This causes the package + to be larger than neccessary and makes ldconfig complain. +* Fri Oct 13 2000 Horms +- Make defattr is set for files in all packages so packages built as + non-root will still be installed with files owned by root. * Thu Sep 14 2000 Richard Levitte - Changed to adapt to the new (supported) way of making shared libraries - Installs all static libraries, not just libRSAglue.a diff --git a/src/lib/libssl/src/rsaref/Makefile.ssl b/src/lib/libssl/src/rsaref/Makefile.ssl index a17e38f9a5..861193d39c 100644 --- a/src/lib/libssl/src/rsaref/Makefile.ssl +++ b/src/lib/libssl/src/rsaref/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/ssl/Makefile.ssl b/src/lib/libssl/src/ssl/Makefile.ssl index ad8da5c4be..cfb627d29a 100644 --- a/src/lib/libssl/src/ssl/Makefile.ssl +++ b/src/lib/libssl/src/ssl/Makefile.ssl @@ -55,7 +55,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/src/lib/libssl/src/ssl/s23_lib.c b/src/lib/libssl/src/ssl/s23_lib.c index dded7a19c5..ad2d8dadf7 100644 --- a/src/lib/libssl/src/ssl/s23_lib.c +++ b/src/lib/libssl/src/ssl/s23_lib.c @@ -63,6 +63,7 @@ static int ssl23_num_ciphers(void ); static SSL_CIPHER *ssl23_get_cipher(unsigned int u); static int ssl23_read(SSL *s, void *buf, int len); +static int ssl23_peek(SSL *s, void *buf, int len); static int ssl23_write(SSL *s, const void *buf, int len); static long ssl23_default_timeout(void ); static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); @@ -77,7 +78,7 @@ static SSL_METHOD SSLv23_data= { ssl_undefined_function, ssl_undefined_function, ssl23_read, - (int (*)(struct ssl_st *, char *, int))ssl_undefined_function, + ssl23_peek, ssl23_write, ssl_undefined_function, ssl_undefined_function, @@ -169,13 +170,6 @@ static int ssl23_read(SSL *s, void *buf, int len) { int n; -#if 0 - if (s->shutdown & SSL_RECEIVED_SHUTDOWN) - { - s->rwstate=SSL_NOTHING; - return(0); - } -#endif clear_sys_error(); if (SSL_in_init(s) && (!s->in_handshake)) { @@ -195,17 +189,33 @@ static int ssl23_read(SSL *s, void *buf, int len) } } -static int ssl23_write(SSL *s, const void *buf, int len) +static int ssl23_peek(SSL *s, void *buf, int len) { int n; -#if 0 - if (s->shutdown & SSL_SENT_SHUTDOWN) + clear_sys_error(); + if (SSL_in_init(s) && (!s->in_handshake)) + { + n=s->handshake_func(s); + if (n < 0) return(n); + if (n == 0) + { + SSLerr(SSL_F_SSL23_PEEK,SSL_R_SSL_HANDSHAKE_FAILURE); + return(-1); + } + return(SSL_peek(s,buf,len)); + } + else { - s->rwstate=SSL_NOTHING; - return(0); + ssl_undefined_function(s); + return(-1); } -#endif + } + +static int ssl23_write(SSL *s, const void *buf, int len) + { + int n; + clear_sys_error(); if (SSL_in_init(s) && (!s->in_handshake)) { diff --git a/src/lib/libssl/src/ssl/s23_meth.c b/src/lib/libssl/src/ssl/s23_meth.c index b52ca1d58b..40684311db 100644 --- a/src/lib/libssl/src/ssl/s23_meth.c +++ b/src/lib/libssl/src/ssl/s23_meth.c @@ -64,7 +64,7 @@ static SSL_METHOD *ssl23_get_method(int ver); static SSL_METHOD *ssl23_get_method(int ver) { if (ver == SSL2_VERSION) - return(SSLv23_method()); + return(SSLv2_method()); else if (ver == SSL3_VERSION) return(SSLv3_method()); else if (ver == TLS1_VERSION) diff --git a/src/lib/libssl/src/ssl/s2_clnt.c b/src/lib/libssl/src/ssl/s2_clnt.c index 47dd09c286..28d6d65296 100644 --- a/src/lib/libssl/src/ssl/s2_clnt.c +++ b/src/lib/libssl/src/ssl/s2_clnt.c @@ -921,6 +921,7 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data) goto err; } ERR_clear_error(); /* but we keep s->verify_result */ + s->session->verify_result = s->verify_result; /* server's cert for this session */ sc=ssl_sess_cert_new(); diff --git a/src/lib/libssl/src/ssl/s2_lib.c b/src/lib/libssl/src/ssl/s2_lib.c index 129ed89d97..a590dbfa5c 100644 --- a/src/lib/libssl/src/ssl/s2_lib.c +++ b/src/lib/libssl/src/ssl/s2_lib.c @@ -260,7 +260,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u) int ssl2_pending(SSL *s) { - return(s->s2->ract_data_length); + return SSL_in_init(s) ? 0 : s->s2->ract_data_length; } int ssl2_new(SSL *s) @@ -270,10 +270,16 @@ int ssl2_new(SSL *s) if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err; memset(s2,0,sizeof *s2); +#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2 +# error "assertion failed" +#endif + if ((s2->rbuf=OPENSSL_malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; + /* wbuf needs one byte more because when using two-byte headers, + * we leave the first byte unused in do_ssl_write (s2_pkt.c) */ if ((s2->wbuf=OPENSSL_malloc( - SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; + SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err; s->s2=s2; ssl2_clear(s); diff --git a/src/lib/libssl/src/ssl/s2_pkt.c b/src/lib/libssl/src/ssl/s2_pkt.c index 56662f29fa..f2f46ff377 100644 --- a/src/lib/libssl/src/ssl/s2_pkt.c +++ b/src/lib/libssl/src/ssl/s2_pkt.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include "ssl_locl.h" #ifndef NO_SSL2 @@ -66,23 +119,12 @@ static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend); static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len); static int write_pending(SSL *s, const unsigned char *buf, unsigned int len); static int ssl_mt_error(int n); -int ssl2_peek(SSL *s, char *buf, int len) - { - int ret; - ret=ssl2_read(s,buf,len); - if (ret > 0) - { - s->s2->ract_data_length+=ret; - s->s2->ract_data-=ret; - } - return(ret); - } -/* SSL_read - +/* SSL 2.0 imlementation for SSL_read/SSL_peek - * This routine will return 0 to len bytes, decrypted etc if required. */ -int ssl2_read(SSL *s, void *buf, int len) +static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) { int n; unsigned char mac[MAX_MAC_SIZE]; @@ -90,14 +132,14 @@ int ssl2_read(SSL *s, void *buf, int len) int i; unsigned int mac_size=0; -ssl2_read_again: + ssl2_read_again: if (SSL_in_init(s) && !s->in_handshake) { n=s->handshake_func(s); if (n < 0) return(n); if (n == 0) { - SSLerr(SSL_F_SSL2_READ,SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE); return(-1); } } @@ -114,13 +156,22 @@ ssl2_read_again: n=len; memcpy(buf,s->s2->ract_data,(unsigned int)n); - s->s2->ract_data_length-=n; - s->s2->ract_data+=n; - if (s->s2->ract_data_length == 0) - s->rstate=SSL_ST_READ_HEADER; + if (!peek) + { + s->s2->ract_data_length-=n; + s->s2->ract_data+=n; + if (s->s2->ract_data_length == 0) + s->rstate=SSL_ST_READ_HEADER; + } + return(n); } + /* s->s2->ract_data_length == 0 + * + * Fill the buffer, then goto ssl2_read_again. + */ + if (s->rstate == SSL_ST_READ_HEADER) { if (s->first_packet) @@ -133,7 +184,7 @@ ssl2_read_again: (p[2] == SSL2_MT_CLIENT_HELLO) || (p[2] == SSL2_MT_SERVER_HELLO)))) { - SSLerr(SSL_F_SSL2_READ,SSL_R_NON_SSLV2_INITIAL_PACKET); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET); return(-1); } } @@ -211,48 +262,49 @@ ssl2_read_again: (unsigned int)mac_size) != 0) || (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) { - SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_MAC_DECODE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); return(-1); } } INC32(s->s2->read_sequence); /* expect next number */ /* s->s2->ract_data is now available for processing */ -#if 1 - /* How should we react when a packet containing 0 - * bytes is received? (Note that SSLeay/OpenSSL itself - * never sends such packets; see ssl2_write.) - * Returning 0 would be interpreted by the caller as - * indicating EOF, so it's not a good idea. - * Instead, we just continue reading. Note that using - * select() for blocking sockets *never* guarantees + /* Possibly the packet that we just read had 0 actual data bytes. + * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.) + * In this case, returning 0 would be interpreted by the caller + * as indicating EOF, so it's not a good idea. Instead, we just + * continue reading; thus ssl2_read_internal may have to process + * multiple packets before it can return. + * + * [Note that using select() for blocking sockets *never* guarantees * that the next SSL_read will not block -- the available - * data may contain incomplete packets, and except for SSL 2 - * renegotiation can confuse things even more. */ + * data may contain incomplete packets, and except for SSL 2, + * renegotiation can confuse things even more.] */ goto ssl2_read_again; /* This should really be - * "return ssl2_read(s,buf,len)", - * but that would allow for - * denial-of-service attacks if a - * C compiler is used that does not - * recognize end-recursion. */ -#else - /* If a 0 byte packet was sent, return 0, otherwise - * we play havoc with people using select with - * blocking sockets. Let them handle a packet at a time, - * they should really be using non-blocking sockets. */ - if (s->s2->ract_data_length == 0) - return(0); - return(ssl2_read(s,buf,len)); -#endif + * "return ssl2_read(s,buf,len)", + * but that would allow for + * denial-of-service attacks if a + * C compiler is used that does not + * recognize end-recursion. */ } else { - SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_STATE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE); return(-1); } } +int ssl2_read(SSL *s, void *buf, int len) + { + return ssl2_read_internal(s, buf, len, 0); + } + +int ssl2_peek(SSL *s, void *buf, int len) + { + return ssl2_read_internal(s, buf, len, 1); + } + static int read_n(SSL *s, unsigned int n, unsigned int max, unsigned int extend) { @@ -483,6 +535,9 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) { bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx); j=len+mac_size; + /* Two-byte headers allow for a larger record length than + * three-byte headers, but we can't use them if we need + * padding or if we have to set the escape bit. */ if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) && (!s->s2->escape)) { @@ -498,25 +553,39 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) } else if ((bs <= 1) && (!s->s2->escape)) { - /* len=len; */ + /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus + * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */ s->s2->three_byte_header=0; p=0; } - else /* 3 byte header */ + else /* we may have to use a 3 byte header */ { - /*len=len; */ + /* If s->s2->escape is not set, then + * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus + * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */ p=(j%bs); p=(p == 0)?0:(bs-p); if (s->s2->escape) + { s->s2->three_byte_header=1; + if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) + j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER; + } else s->s2->three_byte_header=(p == 0)?0:1; } } + + /* Now + * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + * holds, and if s->s2->three_byte_header is set, then even + * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER. + */ + /* mac_size is the number of MAC bytes * len is the number of data bytes we are going to send * p is the number of padding bytes - * if p == 0, it is a 2 byte header */ + * (if it is a two-byte header, then p == 0) */ s->s2->wlength=len; s->s2->padding=p; diff --git a/src/lib/libssl/src/ssl/s3_both.c b/src/lib/libssl/src/ssl/s3_both.c index d92c164b0f..10d8d3b15a 100644 --- a/src/lib/libssl/src/ssl/s3_both.c +++ b/src/lib/libssl/src/ssl/s3_both.c @@ -365,7 +365,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) while (s->init_num < 4) { i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num], - 4 - s->init_num); + 4 - s->init_num, 0); if (i <= 0) { s->rwstate=SSL_READING; @@ -434,7 +434,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) n=s->s3->tmp.message_size; while (n > 0) { - i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n); + i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0); if (i <= 0) { s->rwstate=SSL_READING; diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 62040f9f1d..eec45cfa48 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c @@ -815,6 +815,7 @@ static int ssl3_get_server_certificate(SSL *s) X509_free(s->session->peer); CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); s->session->peer=x; + s->session->verify_result = s->verify_result; x=NULL; ret=1; diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c index 012a4b8740..9f52c39ca9 100644 --- a/src/lib/libssl/src/ssl/s3_enc.c +++ b/src/lib/libssl/src/ssl/s3_enc.c @@ -504,7 +504,10 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send) EVP_DigestFinal( &md_ctx,md,&md_size); for (i=7; i>=0; i--) - if (++seq[i]) break; + { + ++seq[i]; + if (seq[i] != 0) break; + } return(md_size); } diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index cee2021b6b..c32c06de32 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include @@ -638,10 +691,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u) return(NULL); } -/* The problem is that it may not be the correct record type */ int ssl3_pending(SSL *s) { - return(s->s3->rrec.length); + return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; } int ssl3_new(SSL *s) @@ -1189,7 +1241,7 @@ int ssl3_shutdown(SSL *s) else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ - ssl3_read_bytes(s,0,NULL,0); + ssl3_read_bytes(s,0,NULL,0,0); } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && @@ -1252,14 +1304,14 @@ int ssl3_write(SSL *s, const void *buf, int len) return(ret); } -int ssl3_read(SSL *s, void *buf, int len) +static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) { int ret; clear_sys_error(); if (s->s3->renegotiate) ssl3_renegotiate_check(s); s->s3->in_read_app_data=1; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); if ((ret == -1) && (s->s3->in_read_app_data == 0)) { /* ssl3_read_bytes decided to call s->handshake_func, which @@ -1269,7 +1321,7 @@ int ssl3_read(SSL *s, void *buf, int len) * by resetting 'in_read_app_data', strangely); so disable * handshake processing and try to read application data again. */ s->in_handshake++; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); s->in_handshake--; } else @@ -1278,26 +1330,14 @@ int ssl3_read(SSL *s, void *buf, int len) return(ret); } -int ssl3_peek(SSL *s, char *buf, int len) +int ssl3_read(SSL *s, void *buf, int len) { - SSL3_RECORD *rr; - int n; - - rr= &(s->s3->rrec); - if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA)) - { - n=ssl3_read(s,buf,1); - if (n <= 0) return(n); - rr->length++; - rr->off--; - } + return ssl3_read_internal(s, buf, len, 0); + } - if ((unsigned int)len > rr->length) - n=rr->length; - else - n=len; - memcpy(buf,&(rr->data[rr->off]),(unsigned int)n); - return(n); +int ssl3_peek(SSL *s, void *buf, int len) + { + return ssl3_read_internal(s, buf, len, 1); } int ssl3_renegotiate(SSL *s) diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c index 1414079853..9ab76604a6 100644 --- a/src/lib/libssl/src/ssl/s3_pkt.c +++ b/src/lib/libssl/src/ssl/s3_pkt.c @@ -704,7 +704,7 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, * Application data protocol * none of our business */ -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { int al,i,j,ret; unsigned int n; @@ -715,7 +715,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) if (!ssl3_setup_buffers(s)) return(-1); - if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) + if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) || + (peek && (type != SSL3_RT_APPLICATION_DATA))) { SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR); return -1; @@ -728,6 +729,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) unsigned char *dst = buf; unsigned int k; + /* peek == 0 */ n = 0; while ((len > 0) && (s->s3->handshake_fragment_len > 0)) { @@ -763,7 +765,7 @@ start: * s->s3->rrec.length, - number of bytes. */ rr = &(s->s3->rrec); - /* get new packet */ + /* get new packet if necessary */ if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { ret=ssl3_get_record(s); @@ -781,7 +783,8 @@ start: goto err; } - /* If the other end has shutdown, throw anything we read away */ + /* If the other end has shut down, throw anything we read away + * (even in 'peek' mode) */ if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { rr->length=0; @@ -810,12 +813,15 @@ start: n = (unsigned int)len; memcpy(buf,&(rr->data[rr->off]),n); - rr->length-=n; - rr->off+=n; - if (rr->length == 0) + if (!peek) { - s->rstate=SSL_ST_READ_HEADER; - rr->off=0; + rr->length-=n; + rr->off+=n; + if (rr->length == 0) + { + s->rstate=SSL_ST_READ_HEADER; + rr->off=0; + } } return(n); } diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index fdbdc70ba7..9de9e611ab 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h @@ -206,7 +206,7 @@ typedef struct ssl_method_st int (*ssl_accept)(SSL *s); int (*ssl_connect)(SSL *s); int (*ssl_read)(SSL *s,void *buf,int len); - int (*ssl_peek)(SSL *s,char *buf,int len); + int (*ssl_peek)(SSL *s,void *buf,int len); int (*ssl_write)(SSL *s,const void *buf,int len); int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); @@ -1061,9 +1061,9 @@ int SSL_set_trust(SSL *s, int trust); void SSL_free(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); -int SSL_read(SSL *ssl,char *buf,int num); -int SSL_peek(SSL *ssl,char *buf,int num); -int SSL_write(SSL *ssl,const char *buf,int num); +int SSL_read(SSL *ssl,void *buf,int num); +int SSL_peek(SSL *ssl,void *buf,int num); +int SSL_write(SSL *ssl,const void *buf,int num); long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg); long SSL_callback_ctrl(SSL *, int, void (*)()); long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg); @@ -1178,7 +1178,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void ); #define SSL_CTX_get_read_ahead(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) #define SSL_CTX_set_read_ahead(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL) + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL) /* NB: the keylength is only applicable when is_export is true */ #ifndef NO_RSA @@ -1209,6 +1209,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ +void ERR_load_SSL_strings(void); /* Error codes for the SSL functions. */ @@ -1233,12 +1234,15 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL23_CONNECT 117 #define SSL_F_SSL23_GET_CLIENT_HELLO 118 #define SSL_F_SSL23_GET_SERVER_HELLO 119 +#define SSL_F_SSL23_PEEK 237 #define SSL_F_SSL23_READ 120 #define SSL_F_SSL23_WRITE 121 #define SSL_F_SSL2_ACCEPT 122 #define SSL_F_SSL2_CONNECT 123 #define SSL_F_SSL2_ENC_INIT 124 +#define SSL_F_SSL2_PEEK 234 #define SSL_F_SSL2_READ 125 +#define SSL_F_SSL2_READ_INTERNAL 236 #define SSL_F_SSL2_SET_CERTIFICATE 126 #define SSL_F_SSL2_WRITE 127 #define SSL_F_SSL3_ACCEPT 128 @@ -1263,6 +1267,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL3_GET_SERVER_DONE 145 #define SSL_F_SSL3_GET_SERVER_HELLO 146 #define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147 +#define SSL_F_SSL3_PEEK 235 #define SSL_F_SSL3_READ_BYTES 148 #define SSL_F_SSL3_READ_N 149 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 @@ -1559,4 +1564,3 @@ int SSL_COMP_add_compression_method(int id,char *cm); } #endif #endif - diff --git a/src/lib/libssl/src/ssl/ssl2.h b/src/lib/libssl/src/ssl/ssl2.h index df7d03c18f..f8b56afb6b 100644 --- a/src/lib/libssl/src/ssl/ssl2.h +++ b/src/lib/libssl/src/ssl/ssl2.h @@ -134,11 +134,11 @@ extern "C" { /* Upper/Lower Bounds */ #define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 #ifdef MPE -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u #else -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */ #endif -#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/ +#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */ #define SSL2_CHALLENGE_LENGTH 16 /*#define SSL2_CHALLENGE_LENGTH 32 */ diff --git a/src/lib/libssl/src/ssl/ssl_algs.c b/src/lib/libssl/src/ssl/ssl_algs.c index a91ee6d22e..dde8918fe0 100644 --- a/src/lib/libssl/src/ssl/ssl_algs.c +++ b/src/lib/libssl/src/ssl/ssl_algs.c @@ -88,9 +88,13 @@ int SSL_library_init(void) #ifndef NO_SHA EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif #if !defined(NO_SHA) && !defined(NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); #endif /* If you want support for phased out ciphers, add the following */ diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c index c26df62c20..27e7fcc60a 100644 --- a/src/lib/libssl/src/ssl/ssl_cert.c +++ b/src/lib/libssl/src/ssl/ssl_cert.c @@ -271,7 +271,9 @@ CERT *ssl_cert_dup(CERT *cert) return(ret); +#ifndef NO_DH /* avoid 'unreferenced label' warning if NO_DH is defined */ err: +#endif #ifndef NO_RSA if (ret->rsa_tmp != NULL) RSA_free(ret->rsa_tmp); diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c index 17b4caf528..1ae3333407 100644 --- a/src/lib/libssl/src/ssl/ssl_err.c +++ b/src/lib/libssl/src/ssl/ssl_err.c @@ -86,12 +86,15 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL23_CONNECT,0), "SSL23_CONNECT"}, {ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0), "SSL23_GET_CLIENT_HELLO"}, {ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0), "SSL23_GET_SERVER_HELLO"}, +{ERR_PACK(0,SSL_F_SSL23_PEEK,0), "SSL23_PEEK"}, {ERR_PACK(0,SSL_F_SSL23_READ,0), "SSL23_READ"}, {ERR_PACK(0,SSL_F_SSL23_WRITE,0), "SSL23_WRITE"}, {ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"}, {ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"}, {ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"}, +{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"}, {ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"}, +{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"}, {ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"}, {ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"}, {ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"}, @@ -116,6 +119,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"}, {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"}, {ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"}, +{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"}, {ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"}, {ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"}, {ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"}, diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 635b25062e..1fe85b6cb7 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c @@ -119,7 +119,9 @@ int SSL_clear(SSL *s) s->client_version=s->version; s->rwstate=SSL_NOTHING; s->rstate=SSL_ST_READ_HEADER; +#if 0 s->read_ahead=s->ctx->read_ahead; +#endif if (s->init_buf != NULL) { @@ -229,6 +231,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; s->options=ctx->options; s->mode=ctx->mode; + s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */ SSL_clear(s); CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data); @@ -705,7 +708,7 @@ long SSL_get_default_timeout(SSL *s) return(s->method->get_timeout()); } -int SSL_read(SSL *s,char *buf,int num) +int SSL_read(SSL *s,void *buf,int num) { if (s->handshake_func == 0) { @@ -721,8 +724,14 @@ int SSL_read(SSL *s,char *buf,int num) return(s->method->ssl_read(s,buf,num)); } -int SSL_peek(SSL *s,char *buf,int num) +int SSL_peek(SSL *s,void *buf,int num) { + if (s->handshake_func == 0) + { + SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); + return -1; + } + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { return(0); @@ -730,7 +739,7 @@ int SSL_peek(SSL *s,char *buf,int num) return(s->method->ssl_peek(s,buf,num)); } -int SSL_write(SSL *s,const char *buf,int num) +int SSL_write(SSL *s,const void *buf,int num) { if (s->handshake_func == 0) { @@ -1676,6 +1685,10 @@ SSL *SSL_dup(SSL *s) if (s->cert != NULL) { + if (ret->cert != NULL) + { + ssl_cert_free(ret->cert); + } ret->cert = ssl_cert_dup(s->cert); if (ret->cert == NULL) goto err; diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index d70fff4627..516d3cc5ae 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #ifndef HEADER_SSL_LOCL_H #define HEADER_SSL_LOCL_H @@ -463,7 +516,7 @@ void ssl2_free(SSL *s); int ssl2_accept(SSL *s); int ssl2_connect(SSL *s); int ssl2_read(SSL *s, void *buf, int len); -int ssl2_peek(SSL *s, char *buf, int len); +int ssl2_peek(SSL *s, void *buf, int len); int ssl2_write(SSL *s, const void *buf, int len); int ssl2_shutdown(SSL *s); void ssl2_clear(SSL *s); @@ -494,7 +547,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u); int ssl3_renegotiate(SSL *ssl); int ssl3_renegotiate_check(SSL *ssl); int ssl3_dispatch_alert(SSL *s); -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len); +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); int ssl3_write_bytes(SSL *s, int type, const void *buf, int len); int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2, const char *sender, int slen,unsigned char *p); @@ -511,7 +564,7 @@ void ssl3_free(SSL *s); int ssl3_accept(SSL *s); int ssl3_connect(SSL *s); int ssl3_read(SSL *s, void *buf, int len); -int ssl3_peek(SSL *s,char *buf, int len); +int ssl3_peek(SSL *s, void *buf, int len); int ssl3_write(SSL *s, const void *buf, int len); int ssl3_shutdown(SSL *s); void ssl3_clear(SSL *s); diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c index 416def8908..7064262def 100644 --- a/src/lib/libssl/src/ssl/ssl_sess.c +++ b/src/lib/libssl/src/ssl/ssl_sess.c @@ -508,6 +508,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) if (s->session != NULL) SSL_SESSION_free(s->session); s->session=session; + s->verify_result = s->session->verify_result; /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ ret=1; } diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c index 0d34357eb4..d10a23af8e 100644 --- a/src/lib/libssl/src/ssl/t1_enc.c +++ b/src/lib/libssl/src/ssl/t1_enc.c @@ -572,7 +572,10 @@ printf("rec="); #endif for (i=7; i>=0; i--) - if (++seq[i]) break; + { + ++seq[i]; + if (seq[i] != 0) break; + } #ifdef TLS_DEBUG {unsigned int z; for (z=0; ztmp.bntest @echo quit >>tmp.bntest @echo "running bc" - @bc tmp.bntest 2>&1 | $(PERL) -e 'while () {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"' + @) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' @echo 'test a^b%c implementations' ./$(EXPTEST) @@ -241,7 +241,7 @@ dclean: mv -f Makefile.new $(MAKEFILE) clean: - rm -f .rnd tmp.bntest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log + rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log $(DLIBSSL): (cd ../ssl; $(MAKE)) diff --git a/src/lib/libssl/src/tools/c_rehash.in b/src/lib/libssl/src/tools/c_rehash.in index baec7c14ff..26db8999d8 100644 --- a/src/lib/libssl/src/tools/c_rehash.in +++ b/src/lib/libssl/src/tools/c_rehash.in @@ -117,7 +117,12 @@ sub link_hash_cert { } $hash .= ".$suffix"; print "$fname => $hash\n"; - symlink $fname, $hash; + $symlink_exists=eval {symlink("",""); 1}; + if ($symlink_exists) { + symlink $fname, $hash; + } else { + system ("cp", $fname, $hash); + } $hashlist{$hash} = $fprint; } @@ -142,7 +147,12 @@ sub link_hash_crl { } $hash .= ".r$suffix"; print "$fname => $hash\n"; - symlink $fname, $hash; + $symlink_exists=eval {symlink("",""); 1}; + if ($symlink_exists) { + symlink $fname, $hash; + } else { + system ("cp", $fname, $hash); + } $hashlist{$hash} = $fprint; } diff --git a/src/lib/libssl/src/util/clean-depend.pl b/src/lib/libssl/src/util/clean-depend.pl index af676af751..0193e726fe 100644 --- a/src/lib/libssl/src/util/clean-depend.pl +++ b/src/lib/libssl/src/util/clean-depend.pl @@ -15,8 +15,8 @@ while() { my ($file,$deps)=/^(.*): (.*)$/; next if !defined $deps; my @deps=split ' ',$deps; - @deps=grep(!/^\/usr\/include/,@deps); - @deps=grep(!/^\/usr\/lib\/gcc-lib/,@deps); + @deps=grep(!/^\//,@deps); + @deps=grep(!/^\\$/,@deps); push @{$files{$file}},@deps; } diff --git a/src/lib/libssl/src/util/libeay.num b/src/lib/libssl/src/util/libeay.num index e8eebbf50c..84ae840804 100644 --- a/src/lib/libssl/src/util/libeay.num +++ b/src/lib/libssl/src/util/libeay.num @@ -301,8 +301,8 @@ EVP_des_ede_cfb 308 EXIST::FUNCTION:DES EVP_des_ede_ofb 309 EXIST::FUNCTION:DES EVP_des_ofb 310 EXIST::FUNCTION:DES EVP_desx_cbc 311 EXIST::FUNCTION:DES -EVP_dss 312 EXIST::FUNCTION:DSA -EVP_dss1 313 EXIST::FUNCTION:DSA +EVP_dss 312 EXIST::FUNCTION:DSA,SHA +EVP_dss1 313 EXIST::FUNCTION:DSA,SHA EVP_enc_null 314 EXIST::FUNCTION: EVP_get_cipherbyname 315 EXIST::FUNCTION: EVP_get_digestbyname 316 EXIST::FUNCTION: @@ -779,7 +779,7 @@ des_ede3_cfb64_encrypt 786 EXIST::FUNCTION:DES des_ede3_ofb64_encrypt 787 EXIST::FUNCTION:DES des_enc_read 788 EXIST::FUNCTION:DES des_enc_write 789 EXIST::FUNCTION:DES -des_encrypt 790 EXIST::FUNCTION:DES +des_encrypt1 790 EXIST::FUNCTION:DES des_encrypt2 791 EXIST::FUNCTION:DES des_encrypt3 792 EXIST::FUNCTION:DES des_fcrypt 793 EXIST::FUNCTION:DES @@ -926,7 +926,7 @@ PKCS7_add_signature 938 EXIST::FUNCTION: PKCS7_cert_from_signer_info 939 EXIST::FUNCTION: PKCS7_get_signer_info 940 EXIST::FUNCTION: EVP_delete_alias 941 NOEXIST::FUNCTION: -EVP_mdc2 942 EXIST::FUNCTION: +EVP_mdc2 942 EXIST::FUNCTION:MDC2 PEM_read_bio_RSAPublicKey 943 EXIST::FUNCTION:RSA PEM_write_bio_RSAPublicKey 944 EXIST::FUNCTION:RSA d2i_RSAPublicKey_bio 945 EXIST::FUNCTION:RSA @@ -1870,61 +1870,64 @@ X509_keyid_set1 2460 EXIST::FUNCTION: BIO_next 2461 EXIST::FUNCTION: DSO_METHOD_vms 2462 EXIST::FUNCTION: BIO_f_linebuffer 2463 EXIST:VMS:FUNCTION: -ERR_load_ENGINE_strings 2464 EXIST::FUNCTION: -ENGINE_set_DSA 2465 EXIST::FUNCTION: -ENGINE_get_finish_function 2466 EXIST::FUNCTION: -ENGINE_get_default_RSA 2467 EXIST::FUNCTION: -ENGINE_get_BN_mod_exp 2468 EXIST::FUNCTION: -DSA_get_default_openssl_method 2469 EXIST::FUNCTION:DSA -ENGINE_set_DH 2470 EXIST::FUNCTION: -ENGINE_set_default_BN_mod_exp_crt 2471 EXIST:!VMS:FUNCTION: -ENGINE_set_def_BN_mod_exp_crt 2471 EXIST:VMS:FUNCTION: -ENGINE_init 2472 EXIST::FUNCTION: -DH_get_default_openssl_method 2473 EXIST::FUNCTION:DH -RSA_set_default_openssl_method 2474 EXIST::FUNCTION:RSA -ENGINE_finish 2475 EXIST::FUNCTION: -ENGINE_load_public_key 2476 EXIST::FUNCTION: -ENGINE_get_DH 2477 EXIST::FUNCTION: -ENGINE_ctrl 2478 EXIST::FUNCTION: -ENGINE_get_init_function 2479 EXIST::FUNCTION: -ENGINE_set_init_function 2480 EXIST::FUNCTION: -ENGINE_set_default_DSA 2481 EXIST::FUNCTION: -ENGINE_get_name 2482 EXIST::FUNCTION: -ENGINE_get_last 2483 EXIST::FUNCTION: -ENGINE_get_prev 2484 EXIST::FUNCTION: -ENGINE_get_default_DH 2485 EXIST::FUNCTION: -ENGINE_get_RSA 2486 EXIST::FUNCTION: -ENGINE_set_default 2487 EXIST::FUNCTION: -ENGINE_get_RAND 2488 EXIST::FUNCTION: -ENGINE_get_first 2489 EXIST::FUNCTION: -ENGINE_by_id 2490 EXIST::FUNCTION: -ENGINE_set_finish_function 2491 EXIST::FUNCTION: -ENGINE_get_default_BN_mod_exp_crt 2492 EXIST:!VMS:FUNCTION: -ENGINE_get_def_BN_mod_exp_crt 2492 EXIST:VMS:FUNCTION: -RSA_get_default_openssl_method 2493 EXIST::FUNCTION:RSA -ENGINE_set_RSA 2494 EXIST::FUNCTION: -ENGINE_load_private_key 2495 EXIST::FUNCTION: -ENGINE_set_default_RAND 2496 EXIST::FUNCTION: -ENGINE_set_BN_mod_exp 2497 EXIST::FUNCTION: -ENGINE_remove 2498 EXIST::FUNCTION: -ENGINE_free 2499 EXIST::FUNCTION: -ENGINE_get_BN_mod_exp_crt 2500 EXIST::FUNCTION: -ENGINE_get_next 2501 EXIST::FUNCTION: -ENGINE_set_name 2502 EXIST::FUNCTION: -ENGINE_get_default_DSA 2503 EXIST::FUNCTION: -ENGINE_set_default_BN_mod_exp 2504 EXIST::FUNCTION: -ENGINE_set_default_RSA 2505 EXIST::FUNCTION: -ENGINE_get_default_RAND 2506 EXIST::FUNCTION: -ENGINE_get_default_BN_mod_exp 2507 EXIST::FUNCTION: -ENGINE_set_RAND 2508 EXIST::FUNCTION: -ENGINE_set_id 2509 EXIST::FUNCTION: -ENGINE_set_BN_mod_exp_crt 2510 EXIST::FUNCTION: -ENGINE_set_default_DH 2511 EXIST::FUNCTION: -ENGINE_new 2512 EXIST::FUNCTION: -ENGINE_get_id 2513 EXIST::FUNCTION: -DSA_set_default_openssl_method 2514 EXIST::FUNCTION:DSA -ENGINE_add 2515 EXIST::FUNCTION: -DH_set_default_openssl_method 2516 EXIST::FUNCTION:DH -ENGINE_get_DSA 2517 EXIST::FUNCTION: -ENGINE_get_ctrl_function 2518 EXIST::FUNCTION: -ENGINE_set_ctrl_function 2519 EXIST::FUNCTION: +BN_bntest_rand 2464 EXIST::FUNCTION: +OPENSSL_issetugid 2465 EXIST::FUNCTION: +BN_rand_range 2466 EXIST::FUNCTION: +ERR_load_ENGINE_strings 2467 EXIST::FUNCTION: +ENGINE_set_DSA 2468 EXIST::FUNCTION: +ENGINE_get_finish_function 2469 EXIST::FUNCTION: +ENGINE_get_default_RSA 2470 EXIST::FUNCTION: +ENGINE_get_BN_mod_exp 2471 EXIST::FUNCTION: +DSA_get_default_openssl_method 2472 EXIST::FUNCTION:DSA +ENGINE_set_DH 2473 EXIST::FUNCTION: +ENGINE_set_default_BN_mod_exp_crt 2474 EXIST:!VMS:FUNCTION: +ENGINE_set_def_BN_mod_exp_crt 2474 EXIST:VMS:FUNCTION: +ENGINE_init 2475 EXIST::FUNCTION: +DH_get_default_openssl_method 2476 EXIST::FUNCTION:DH +RSA_set_default_openssl_method 2477 EXIST::FUNCTION:RSA +ENGINE_finish 2478 EXIST::FUNCTION: +ENGINE_load_public_key 2479 EXIST::FUNCTION: +ENGINE_get_DH 2480 EXIST::FUNCTION: +ENGINE_ctrl 2481 EXIST::FUNCTION: +ENGINE_get_init_function 2482 EXIST::FUNCTION: +ENGINE_set_init_function 2483 EXIST::FUNCTION: +ENGINE_set_default_DSA 2484 EXIST::FUNCTION: +ENGINE_get_name 2485 EXIST::FUNCTION: +ENGINE_get_last 2486 EXIST::FUNCTION: +ENGINE_get_prev 2487 EXIST::FUNCTION: +ENGINE_get_default_DH 2488 EXIST::FUNCTION: +ENGINE_get_RSA 2489 EXIST::FUNCTION: +ENGINE_set_default 2490 EXIST::FUNCTION: +ENGINE_get_RAND 2491 EXIST::FUNCTION: +ENGINE_get_first 2492 EXIST::FUNCTION: +ENGINE_by_id 2493 EXIST::FUNCTION: +ENGINE_set_finish_function 2494 EXIST::FUNCTION: +ENGINE_get_default_BN_mod_exp_crt 2495 EXIST:!VMS:FUNCTION: +ENGINE_get_def_BN_mod_exp_crt 2495 EXIST:VMS:FUNCTION: +RSA_get_default_openssl_method 2496 EXIST::FUNCTION:RSA +ENGINE_set_RSA 2497 EXIST::FUNCTION: +ENGINE_load_private_key 2498 EXIST::FUNCTION: +ENGINE_set_default_RAND 2499 EXIST::FUNCTION: +ENGINE_set_BN_mod_exp 2500 EXIST::FUNCTION: +ENGINE_remove 2501 EXIST::FUNCTION: +ENGINE_free 2502 EXIST::FUNCTION: +ENGINE_get_BN_mod_exp_crt 2503 EXIST::FUNCTION: +ENGINE_get_next 2504 EXIST::FUNCTION: +ENGINE_set_name 2505 EXIST::FUNCTION: +ENGINE_get_default_DSA 2506 EXIST::FUNCTION: +ENGINE_set_default_BN_mod_exp 2507 EXIST::FUNCTION: +ENGINE_set_default_RSA 2508 EXIST::FUNCTION: +ENGINE_get_default_RAND 2509 EXIST::FUNCTION: +ENGINE_get_default_BN_mod_exp 2510 EXIST::FUNCTION: +ENGINE_set_RAND 2511 EXIST::FUNCTION: +ENGINE_set_id 2512 EXIST::FUNCTION: +ENGINE_set_BN_mod_exp_crt 2513 EXIST::FUNCTION: +ENGINE_set_default_DH 2514 EXIST::FUNCTION: +ENGINE_new 2515 EXIST::FUNCTION: +ENGINE_get_id 2516 EXIST::FUNCTION: +DSA_set_default_openssl_method 2517 EXIST::FUNCTION:DSA +ENGINE_add 2518 EXIST::FUNCTION: +DH_set_default_openssl_method 2519 EXIST::FUNCTION:DH +ENGINE_get_DSA 2520 EXIST::FUNCTION: +ENGINE_get_ctrl_function 2521 EXIST::FUNCTION: +ENGINE_set_ctrl_function 2522 EXIST::FUNCTION: diff --git a/src/lib/libssl/src/util/mkdef.pl b/src/lib/libssl/src/util/mkdef.pl index cc41a1813e..ba453358cf 100644 --- a/src/lib/libssl/src/util/mkdef.pl +++ b/src/lib/libssl/src/util/mkdef.pl @@ -119,7 +119,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-rc4$/) { $no_rc4=1; } elsif (/^no-rc5$/) { $no_rc5=1; } elsif (/^no-idea$/) { $no_idea=1; } - elsif (/^no-des$/) { $no_des=1; } + elsif (/^no-des$/) { $no_des=1; $no_mdc2=1; } elsif (/^no-bf$/) { $no_bf=1; } elsif (/^no-cast$/) { $no_cast=1; } elsif (/^no-md2$/) { $no_md2=1; } @@ -705,7 +705,8 @@ EOF } else { (my $n, my $i) = split /\\/, $nums{$s}; my %pf = (); - my @p = split(/,/, ($i =~ /^.*?:(.*?):/,$1)); + my @p = split(/,/, ($i =~ /^[^:]*:([^:]*):/,$1)); + my @a = split(/,/, ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1)); # @p_purged must contain hardware platforms only my @p_purged = (); foreach $ptmp (@p) { @@ -727,7 +728,26 @@ EOF || (!$negatives && ($rsaref || !grep(/^RSAREF$/,@p))) || ($negatives - && (!$rsaref || !grep(/^!RSAREF$/,@p))))) { + && (!$rsaref || !grep(/^!RSAREF$/,@p)))) + && (!@a || (!$no_rc2 || !grep(/^RC2$/,@a))) + && (!@a || (!$no_rc4 || !grep(/^RC4$/,@a))) + && (!@a || (!$no_rc5 || !grep(/^RC5$/,@a))) + && (!@a || (!$no_idea || !grep(/^IDEA$/,@a))) + && (!@a || (!$no_des || !grep(/^DES$/,@a))) + && (!@a || (!$no_bf || !grep(/^BF$/,@a))) + && (!@a || (!$no_cast || !grep(/^CAST$/,@a))) + && (!@a || (!$no_md2 || !grep(/^MD2$/,@a))) + && (!@a || (!$no_md4 || !grep(/^MD4$/,@a))) + && (!@a || (!$no_md5 || !grep(/^MD5$/,@a))) + && (!@a || (!$no_sha || !grep(/^SHA$/,@a))) + && (!@a || (!$no_ripemd || !grep(/^RIPEMD$/,@a))) + && (!@a || (!$no_mdc2 || !grep(/^MDC2$/,@a))) + && (!@a || (!$no_rsa || !grep(/^RSA$/,@a))) + && (!@a || (!$no_dsa || !grep(/^DSA$/,@a))) + && (!@a || (!$no_dh || !grep(/^DH$/,@a))) + && (!@a || (!$no_hmac || !grep(/^HMAC$/,@a))) + && (!@a || (!$no_fp_api || !grep(/^FP_API$/,@a))) + ) { printf OUT " %s%-40s@%d\n",($W32)?"":"_",$s,$n; # } else { # print STDERR "DEBUG: \"$sym\" (@p):", diff --git a/src/lib/libssl/src/util/mklink.pl b/src/lib/libssl/src/util/mklink.pl index d7b997ada7..9e9c9a5146 100644 --- a/src/lib/libssl/src/util/mklink.pl +++ b/src/lib/libssl/src/util/mklink.pl @@ -48,8 +48,13 @@ foreach $dirname (@from_path) { my $to = join('/', @to_path); my $file; +$symlink_exists=eval {symlink("",""); 1}; foreach $file (@files) { my $err = ""; - symlink("$to/$file", "$from/$file") or $err = " [$!]"; + if ($symlink_exists) { + symlink("$to/$file", "$from/$file") or $err = " [$!]"; + } else { + system ("cp", "$file", "$from/$file") and $err = " [$!]"; + } print $file . " => $from/$file$err\n"; } diff --git a/src/lib/libssl/src/util/pod2man.pl b/src/lib/libssl/src/util/pod2man.pl index f5ec0767ed..c6b64add60 100644 --- a/src/lib/libssl/src/util/pod2man.pl +++ b/src/lib/libssl/src/util/pod2man.pl @@ -416,6 +416,8 @@ if ($name ne 'something') { warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n" } else { + $n[0] =~ s/\n/ /; + $n[1] =~ s/\n/ /; %namedesc = @n; } } diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index fdbdc70ba7..9de9e611ab 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -206,7 +206,7 @@ typedef struct ssl_method_st int (*ssl_accept)(SSL *s); int (*ssl_connect)(SSL *s); int (*ssl_read)(SSL *s,void *buf,int len); - int (*ssl_peek)(SSL *s,char *buf,int len); + int (*ssl_peek)(SSL *s,void *buf,int len); int (*ssl_write)(SSL *s,const void *buf,int len); int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); @@ -1061,9 +1061,9 @@ int SSL_set_trust(SSL *s, int trust); void SSL_free(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); -int SSL_read(SSL *ssl,char *buf,int num); -int SSL_peek(SSL *ssl,char *buf,int num); -int SSL_write(SSL *ssl,const char *buf,int num); +int SSL_read(SSL *ssl,void *buf,int num); +int SSL_peek(SSL *ssl,void *buf,int num); +int SSL_write(SSL *ssl,const void *buf,int num); long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg); long SSL_callback_ctrl(SSL *, int, void (*)()); long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg); @@ -1178,7 +1178,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void ); #define SSL_CTX_get_read_ahead(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) #define SSL_CTX_set_read_ahead(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL) + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL) /* NB: the keylength is only applicable when is_export is true */ #ifndef NO_RSA @@ -1209,6 +1209,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ +void ERR_load_SSL_strings(void); /* Error codes for the SSL functions. */ @@ -1233,12 +1234,15 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL23_CONNECT 117 #define SSL_F_SSL23_GET_CLIENT_HELLO 118 #define SSL_F_SSL23_GET_SERVER_HELLO 119 +#define SSL_F_SSL23_PEEK 237 #define SSL_F_SSL23_READ 120 #define SSL_F_SSL23_WRITE 121 #define SSL_F_SSL2_ACCEPT 122 #define SSL_F_SSL2_CONNECT 123 #define SSL_F_SSL2_ENC_INIT 124 +#define SSL_F_SSL2_PEEK 234 #define SSL_F_SSL2_READ 125 +#define SSL_F_SSL2_READ_INTERNAL 236 #define SSL_F_SSL2_SET_CERTIFICATE 126 #define SSL_F_SSL2_WRITE 127 #define SSL_F_SSL3_ACCEPT 128 @@ -1263,6 +1267,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL3_GET_SERVER_DONE 145 #define SSL_F_SSL3_GET_SERVER_HELLO 146 #define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147 +#define SSL_F_SSL3_PEEK 235 #define SSL_F_SSL3_READ_BYTES 148 #define SSL_F_SSL3_READ_N 149 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 @@ -1559,4 +1564,3 @@ int SSL_COMP_add_compression_method(int id,char *cm); } #endif #endif - diff --git a/src/lib/libssl/ssl/shlib_version b/src/lib/libssl/ssl/shlib_version index 890c57389b..3066b9771e 100644 --- a/src/lib/libssl/ssl/shlib_version +++ b/src/lib/libssl/ssl/shlib_version @@ -1,2 +1,2 @@ -major=4 -minor=1 +major=5 +minor=0 diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h index df7d03c18f..f8b56afb6b 100644 --- a/src/lib/libssl/ssl2.h +++ b/src/lib/libssl/ssl2.h @@ -134,11 +134,11 @@ extern "C" { /* Upper/Lower Bounds */ #define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 #ifdef MPE -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u #else -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */ #endif -#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/ +#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */ #define SSL2_CHALLENGE_LENGTH 16 /*#define SSL2_CHALLENGE_LENGTH 32 */ diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c index a91ee6d22e..dde8918fe0 100644 --- a/src/lib/libssl/ssl_algs.c +++ b/src/lib/libssl/ssl_algs.c @@ -88,9 +88,13 @@ int SSL_library_init(void) #ifndef NO_SHA EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif #if !defined(NO_SHA) && !defined(NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); #endif /* If you want support for phased out ciphers, add the following */ diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index c26df62c20..27e7fcc60a 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c @@ -271,7 +271,9 @@ CERT *ssl_cert_dup(CERT *cert) return(ret); +#ifndef NO_DH /* avoid 'unreferenced label' warning if NO_DH is defined */ err: +#endif #ifndef NO_RSA if (ret->rsa_tmp != NULL) RSA_free(ret->rsa_tmp); diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c index 17b4caf528..1ae3333407 100644 --- a/src/lib/libssl/ssl_err.c +++ b/src/lib/libssl/ssl_err.c @@ -86,12 +86,15 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL23_CONNECT,0), "SSL23_CONNECT"}, {ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0), "SSL23_GET_CLIENT_HELLO"}, {ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0), "SSL23_GET_SERVER_HELLO"}, +{ERR_PACK(0,SSL_F_SSL23_PEEK,0), "SSL23_PEEK"}, {ERR_PACK(0,SSL_F_SSL23_READ,0), "SSL23_READ"}, {ERR_PACK(0,SSL_F_SSL23_WRITE,0), "SSL23_WRITE"}, {ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"}, {ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"}, {ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"}, +{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"}, {ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"}, +{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"}, {ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"}, {ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"}, {ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"}, @@ -116,6 +119,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"}, {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"}, {ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"}, +{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"}, {ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"}, {ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"}, {ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"}, diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 635b25062e..1fe85b6cb7 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -119,7 +119,9 @@ int SSL_clear(SSL *s) s->client_version=s->version; s->rwstate=SSL_NOTHING; s->rstate=SSL_ST_READ_HEADER; +#if 0 s->read_ahead=s->ctx->read_ahead; +#endif if (s->init_buf != NULL) { @@ -229,6 +231,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; s->options=ctx->options; s->mode=ctx->mode; + s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */ SSL_clear(s); CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data); @@ -705,7 +708,7 @@ long SSL_get_default_timeout(SSL *s) return(s->method->get_timeout()); } -int SSL_read(SSL *s,char *buf,int num) +int SSL_read(SSL *s,void *buf,int num) { if (s->handshake_func == 0) { @@ -721,8 +724,14 @@ int SSL_read(SSL *s,char *buf,int num) return(s->method->ssl_read(s,buf,num)); } -int SSL_peek(SSL *s,char *buf,int num) +int SSL_peek(SSL *s,void *buf,int num) { + if (s->handshake_func == 0) + { + SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); + return -1; + } + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { return(0); @@ -730,7 +739,7 @@ int SSL_peek(SSL *s,char *buf,int num) return(s->method->ssl_peek(s,buf,num)); } -int SSL_write(SSL *s,const char *buf,int num) +int SSL_write(SSL *s,const void *buf,int num) { if (s->handshake_func == 0) { @@ -1676,6 +1685,10 @@ SSL *SSL_dup(SSL *s) if (s->cert != NULL) { + if (ret->cert != NULL) + { + ssl_cert_free(ret->cert); + } ret->cert = ssl_cert_dup(s->cert); if (ret->cert == NULL) goto err; diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index d70fff4627..516d3cc5ae 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #ifndef HEADER_SSL_LOCL_H #define HEADER_SSL_LOCL_H @@ -463,7 +516,7 @@ void ssl2_free(SSL *s); int ssl2_accept(SSL *s); int ssl2_connect(SSL *s); int ssl2_read(SSL *s, void *buf, int len); -int ssl2_peek(SSL *s, char *buf, int len); +int ssl2_peek(SSL *s, void *buf, int len); int ssl2_write(SSL *s, const void *buf, int len); int ssl2_shutdown(SSL *s); void ssl2_clear(SSL *s); @@ -494,7 +547,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u); int ssl3_renegotiate(SSL *ssl); int ssl3_renegotiate_check(SSL *ssl); int ssl3_dispatch_alert(SSL *s); -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len); +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); int ssl3_write_bytes(SSL *s, int type, const void *buf, int len); int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2, const char *sender, int slen,unsigned char *p); @@ -511,7 +564,7 @@ void ssl3_free(SSL *s); int ssl3_accept(SSL *s); int ssl3_connect(SSL *s); int ssl3_read(SSL *s, void *buf, int len); -int ssl3_peek(SSL *s,char *buf, int len); +int ssl3_peek(SSL *s, void *buf, int len); int ssl3_write(SSL *s, const void *buf, int len); int ssl3_shutdown(SSL *s); void ssl3_clear(SSL *s); diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 416def8908..7064262def 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -508,6 +508,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) if (s->session != NULL) SSL_SESSION_free(s->session); s->session=session; + s->verify_result = s->session->verify_result; /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ ret=1; } diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 0d34357eb4..d10a23af8e 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c @@ -572,7 +572,10 @@ printf("rec="); #endif for (i=7; i>=0; i--) - if (++seq[i]) break; + { + ++seq[i]; + if (seq[i] != 0) break; + } #ifdef TLS_DEBUG {unsigned int z; for (z=0; ztmp.bntest @echo quit >>tmp.bntest @echo "running bc" - @bc tmp.bntest 2>&1 | $(PERL) -e 'while () {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"' + @) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' @echo 'test a^b%c implementations' ./$(EXPTEST) @@ -241,7 +241,7 @@ dclean: mv -f Makefile.new $(MAKEFILE) clean: - rm -f .rnd tmp.bntest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log + rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log $(DLIBSSL): (cd ../ssl; $(MAKE)) -- cgit v1.2.3-55-g6feb