From 58c08aa241f168c84ce7cc3052454ea59a44eada Mon Sep 17 00:00:00 2001
From: markus <>
Date: Wed, 7 Apr 2004 20:42:07 +0000
Subject: import openssl-0.9.7d
---
src/lib/libcrypto/aes/aes_cbc.c | 2 +-
src/lib/libcrypto/asn1/a_mbstr.c | 4 +-
src/lib/libcrypto/asn1/a_strex.c | 2 +-
src/lib/libcrypto/asn1/a_time.c | 9 +-
src/lib/libcrypto/asn1/asn1_lib.c | 4 +-
src/lib/libcrypto/asn1/asn1_par.c | 6 +-
src/lib/libcrypto/asn1/asn_moid.c | 9 +-
src/lib/libcrypto/asn1/t_pkey.c | 4 +-
src/lib/libcrypto/asn1/x_long.c | 10 +-
src/lib/libcrypto/bio/b_dump.c | 32 ++-
src/lib/libcrypto/bio/b_print.c | 12 +-
src/lib/libcrypto/bio/b_sock.c | 12 +-
src/lib/libcrypto/bio/bio_cb.c | 36 +--
src/lib/libcrypto/bio/bss_conn.c | 6 +-
src/lib/libcrypto/bio/bss_file.c | 10 +-
src/lib/libcrypto/bn/asm/bn-586.pl | 2 +-
src/lib/libcrypto/bn/asm/x86_64-gcc.c | 2 +-
src/lib/libcrypto/bn/bn_lcl.h | 17 +-
src/lib/libcrypto/bn/bn_lib.c | 8 +-
src/lib/libcrypto/bn/bn_print.c | 5 +-
src/lib/libcrypto/conf/conf_def.c | 6 +-
src/lib/libcrypto/conf/conf_mod.c | 12 +-
src/lib/libcrypto/cversion.c | 8 +-
src/lib/libcrypto/des/cfb_enc.c | 21 +-
src/lib/libcrypto/des/ecb_enc.c | 4 +-
src/lib/libcrypto/doc/EVP_BytesToKey.pod | 2 +-
src/lib/libcrypto/doc/EVP_DigestInit.pod | 2 +-
src/lib/libcrypto/doc/OPENSSL_config.pod | 82 ++++++
.../libcrypto/doc/OPENSSL_load_builtin_modules.pod | 51 ++++
.../libcrypto/doc/OpenSSL_add_all_algorithms.pod | 2 +-
src/lib/libcrypto/doc/RSA_print.pod | 2 +-
src/lib/libcrypto/doc/d2i_DSAPublicKey.pod | 5 +-
src/lib/libcrypto/doc/d2i_RSAPublicKey.pod | 5 +-
src/lib/libcrypto/dso/dso_lib.c | 4 +-
src/lib/libcrypto/ec/ecp_smpl.c | 2 +-
src/lib/libcrypto/engine/eng_ctrl.c | 10 +-
src/lib/libcrypto/engine/eng_fat.c | 6 +-
src/lib/libcrypto/engine/engine.h | 27 +-
src/lib/libcrypto/err/err.c | 2 +-
src/lib/libcrypto/evp/digest.c | 15 +-
src/lib/libcrypto/evp/evp.h | 2 +
src/lib/libcrypto/evp/evp_enc.c | 14 +-
src/lib/libcrypto/evp/evp_pbe.c | 2 +-
src/lib/libcrypto/evp/evp_pkey.c | 2 +-
src/lib/libcrypto/mem_dbg.c | 17 +-
src/lib/libcrypto/objects/obj_dat.c | 4 +-
src/lib/libcrypto/objects/obj_dat.pl | 4 +
src/lib/libcrypto/ocsp/ocsp_ext.c | 24 +-
src/lib/libcrypto/ocsp/ocsp_lib.c | 1 +
src/lib/libcrypto/ocsp/ocsp_vfy.c | 6 +-
src/lib/libcrypto/opensslv.h | 4 +-
src/lib/libcrypto/pem/pem_lib.c | 21 +-
src/lib/libcrypto/pem/pem_pkey.c | 4 +
src/lib/libcrypto/pkcs7/pk7_doit.c | 58 ++--
src/lib/libcrypto/rand/randfile.c | 71 ++++-
src/lib/libcrypto/sha/asm/sha1-586.pl | 291 +++++++--------------
src/lib/libcrypto/ui/ui_lib.c | 13 +-
src/lib/libcrypto/x509/by_dir.c | 34 ++-
src/lib/libcrypto/x509/x509.h | 4 -
src/lib/libcrypto/x509/x509_txt.c | 8 +-
src/lib/libcrypto/x509/x509_vfy.c | 55 +++-
src/lib/libcrypto/x509/x509_vfy.h | 19 +-
src/lib/libcrypto/x509/x509type.c | 2 +-
src/lib/libcrypto/x509v3/v3_alt.c | 3 +-
src/lib/libcrypto/x509v3/v3_crld.c | 2 +-
src/lib/libcrypto/x509v3/v3_info.c | 11 +-
src/lib/libcrypto/x509v3/v3_purp.c | 5 +-
src/lib/libssl/LICENSE | 2 +-
src/lib/libssl/doc/openssl.cnf | 5 +
src/lib/libssl/s3_clnt.c | 5 +-
src/lib/libssl/s3_lib.c | 2 +
src/lib/libssl/s3_pkt.c | 8 +
src/lib/libssl/s3_srvr.c | 19 +-
src/lib/libssl/ssl.h | 4 +-
src/lib/libssl/ssl_asn1.c | 1 -
src/lib/libssl/ssl_cert.c | 12 +-
src/lib/libssl/ssl_ciph.c | 85 +++---
src/lib/libssl/ssl_lib.c | 1 -
src/lib/libssl/ssl_sess.c | 1 -
79 files changed, 777 insertions(+), 509 deletions(-)
create mode 100644 src/lib/libcrypto/doc/OPENSSL_config.pod
create mode 100644 src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod
(limited to 'src')
diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c
index 86b27b10d6..1222a21002 100644
--- a/src/lib/libcrypto/aes/aes_cbc.c
+++ b/src/lib/libcrypto/aes/aes_cbc.c
@@ -104,7 +104,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
memcpy(tmp, in, AES_BLOCK_SIZE);
AES_decrypt(tmp, tmp, key);
for(n=0; n < len; ++n)
- out[n] ^= ivec[n];
+ out[n] = tmp[n] ^ ivec[n];
memcpy(ivec, tmp, AES_BLOCK_SIZE);
}
}
diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c
index e8a26af521..208b3ec395 100644
--- a/src/lib/libcrypto/asn1/a_mbstr.c
+++ b/src/lib/libcrypto/asn1/a_mbstr.c
@@ -145,14 +145,14 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
if((minsize > 0) && (nchar < minsize)) {
ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT);
- sprintf(strbuf, "%ld", minsize);
+ BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize);
ERR_add_error_data(2, "minsize=", strbuf);
return -1;
}
if((maxsize > 0) && (nchar > maxsize)) {
ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG);
- sprintf(strbuf, "%ld", maxsize);
+ BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize);
ERR_add_error_data(2, "maxsize=", strbuf);
return -1;
}
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 8abfdfe598..bde666a6ff 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -285,7 +285,7 @@ const static signed char tag2nbyte[] = {
-1, -1, 0, -1, /* 10-13 */
-1, -1, -1, -1, /* 15-17 */
-1, 1, 1, /* 18-20 */
- -1, 1, -1,-1, /* 21-24 */
+ -1, 1, 1, 1, /* 21-24 */
-1, 1, -1, /* 25-27 */
4, -1, 2 /* 28-30 */
};
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
index 7348da9457..159681fbcb 100644
--- a/src/lib/libcrypto/asn1/a_time.c
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -128,6 +128,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
{
ASN1_GENERALIZEDTIME *ret;
char *str;
+ int newlen;
if (!ASN1_TIME_check(t)) return NULL;
@@ -150,12 +151,14 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
/* grow the string */
if (!ASN1_STRING_set(ret, NULL, t->length + 2))
return NULL;
+ /* ASN1_STRING_set() allocated 'len + 1' bytes. */
+ newlen = t->length + 2 + 1;
str = (char *)ret->data;
/* Work out the century and prepend */
- if (t->data[0] >= '5') strcpy(str, "19");
- else strcpy(str, "20");
+ if (t->data[0] >= '5') BUF_strlcpy(str, "19", newlen);
+ else BUF_strlcpy(str, "20", newlen);
- BUF_strlcat(str, (char *)t->data, t->length+3); /* Include space for a '\0' */
+ BUF_strlcat(str, (char *)t->data, newlen);
return ret;
}
diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c
index e30d5dd303..a74f1368d3 100644
--- a/src/lib/libcrypto/asn1/asn1_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_lib.c
@@ -414,8 +414,8 @@ void asn1_add_error(unsigned char *address, int offset)
{
char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
- sprintf(buf1,"%lu",(unsigned long)address);
- sprintf(buf2,"%d",offset);
+ BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address);
+ BIO_snprintf(buf2,sizeof buf2,"%d",offset);
ERR_add_error_data(4,"address=",buf1," offset=",buf2);
}
diff --git a/src/lib/libcrypto/asn1/asn1_par.c b/src/lib/libcrypto/asn1/asn1_par.c
index e48532a24d..676d434f03 100644
--- a/src/lib/libcrypto/asn1/asn1_par.c
+++ b/src/lib/libcrypto/asn1/asn1_par.c
@@ -83,11 +83,11 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
p=str;
if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
- sprintf(str,"priv [ %d ] ",tag);
+ BIO_snprintf(str,sizeof str,"priv [ %d ] ",tag);
else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
- sprintf(str,"cont [ %d ]",tag);
+ BIO_snprintf(str,sizeof str,"cont [ %d ]",tag);
else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
- sprintf(str,"appl [ %d ]",tag);
+ BIO_snprintf(str,sizeof str,"appl [ %d ]",tag);
else p = ASN1_tag2str(tag);
if (p2 != NULL)
diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c
index be20db4bad..edb44c988f 100644
--- a/src/lib/libcrypto/asn1/asn_moid.c
+++ b/src/lib/libcrypto/asn1/asn_moid.c
@@ -87,9 +87,14 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
}
}
return 1;
-}
+ }
+
+static void oid_module_finish(CONF_IMODULE *md)
+ {
+ OBJ_cleanup();
+ }
void ASN1_add_oid_module(void)
{
- CONF_module_add("oid_section", oid_module_init, 0);
+ CONF_module_add("oid_section", oid_module_init, oid_module_finish);
}
diff --git a/src/lib/libcrypto/asn1/t_pkey.c b/src/lib/libcrypto/asn1/t_pkey.c
index 4e09c9e44e..d15006e654 100644
--- a/src/lib/libcrypto/asn1/t_pkey.c
+++ b/src/lib/libcrypto/asn1/t_pkey.c
@@ -139,9 +139,9 @@ int RSA_print(BIO *bp, const RSA *x, int off)
}
if (x->d == NULL)
- sprintf(str,"Modulus (%d bit):",BN_num_bits(x->n));
+ BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n));
else
- strcpy(str,"modulus:");
+ BUF_strlcpy(str,"modulus:",sizeof str);
if (!print(bp,str,x->n,m,off)) goto err;
s=(x->d == NULL)?"Exponent:":"publicExponent:";
if (!print(bp,s,x->e,m,off)) goto err;
diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c
index c04b192794..c5f25956cb 100644
--- a/src/lib/libcrypto/asn1/x_long.c
+++ b/src/lib/libcrypto/asn1/x_long.c
@@ -104,7 +104,12 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const A
long ltmp;
unsigned long utmp;
int clen, pad, i;
- ltmp = *(long *)pval;
+ /* this exists to bypass broken gcc optimization */
+ char *cp = (char *)pval;
+
+ /* use memcpy, because we may not be long aligned */
+ memcpy(<mp, cp, sizeof(long));
+
if(ltmp == it->size) return -1;
/* Convert the long to positive: we subtract one if negative so
* we can cleanly handle the padding if only the MSB of the leading
@@ -136,6 +141,7 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype,
int neg, i;
long ltmp;
unsigned long utmp = 0;
+ char *cp = (char *)pval;
if(len > sizeof(long)) {
ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
return 0;
@@ -158,6 +164,6 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype,
ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
return 0;
}
- *(long *)pval = ltmp;
+ memcpy(cp, <mp, sizeof(long));
return 1;
}
diff --git a/src/lib/libcrypto/bio/b_dump.c b/src/lib/libcrypto/bio/b_dump.c
index 8397cfab6a..f671e722fa 100644
--- a/src/lib/libcrypto/bio/b_dump.c
+++ b/src/lib/libcrypto/bio/b_dump.c
@@ -104,38 +104,41 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
for(i=0;i<rows;i++)
{
buf[0]='\0'; /* start with empty string */
- strcpy(buf,str);
- sprintf(tmp,"%04x - ",i*dump_width);
- strcat(buf,tmp);
+ BUF_strlcpy(buf,str,sizeof buf);
+ BIO_snprintf(tmp,sizeof tmp,"%04x - ",i*dump_width);
+ BUF_strlcat(buf,tmp,sizeof buf);
for(j=0;j<dump_width;j++)
{
if (((i*dump_width)+j)>=len)
{
- strcat(buf," ");
+ BUF_strlcat(buf," ",sizeof buf);
}
else
{
ch=((unsigned char)*(s+i*dump_width+j)) & 0xff;
- sprintf(tmp,"%02x%c",ch,j==7?'-':' ');
- strcat(buf,tmp);
+ BIO_snprintf(tmp,sizeof tmp,"%02x%c",ch,
+ j==7?'-':' ');
+ BUF_strlcat(buf,tmp,sizeof buf);
}
}
- strcat(buf," ");
+ BUF_strlcat(buf," ",sizeof buf);
for(j=0;j<dump_width;j++)
{
if (((i*dump_width)+j)>=len)
break;
ch=((unsigned char)*(s+i*dump_width+j)) & 0xff;
#ifndef CHARSET_EBCDIC
- sprintf(tmp,"%c",((ch>=' ')&&(ch<='~'))?ch:'.');
+ BIO_snprintf(tmp,sizeof tmp,"%c",
+ ((ch>=' ')&&(ch<='~'))?ch:'.');
#else
- sprintf(tmp,"%c",((ch>=os_toascii[' '])&&(ch<=os_toascii['~']))
- ? os_toebcdic[ch]
- : '.');
+ BIO_snprintf(tmp,sizeof tmp,"%c",
+ ((ch>=os_toascii[' '])&&(ch<=os_toascii['~']))
+ ? os_toebcdic[ch]
+ : '.');
#endif
- strcat(buf,tmp);
+ BUF_strlcat(buf,tmp,sizeof buf);
}
- strcat(buf,"\n");
+ BUF_strlcat(buf,"\n",sizeof buf);
/* if this is the last call then update the ddt_dump thing so that
* we will move the selection point in the debug window
*/
@@ -144,7 +147,8 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
#ifdef TRUNCATE
if (trunc > 0)
{
- sprintf(buf,"%s%04x - <SPACES/NULS>\n",str,len+trunc);
+ BIO_snprintf(buf,sizeof buf,"%s%04x - <SPACES/NULS>\n",str,
+ len+trunc);
ret+=BIO_write(bio,(char *)buf,strlen(buf));
}
#endif
diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c
index 2cfc689dd6..fbff331796 100644
--- a/src/lib/libcrypto/bio/b_print.c
+++ b/src/lib/libcrypto/bio/b_print.c
@@ -576,12 +576,12 @@ abs_val(LDOUBLE value)
}
static LDOUBLE
-pow10(int exp)
+pow10(int in_exp)
{
LDOUBLE result = 1;
- while (exp) {
+ while (in_exp) {
result *= 10;
- exp--;
+ in_exp--;
}
return result;
}
@@ -652,8 +652,8 @@ fmtfp(
(caps ? "0123456789ABCDEF"
: "0123456789abcdef")[intpart % 10];
intpart = (intpart / 10);
- } while (intpart && (iplace < sizeof iplace));
- if (iplace == sizeof iplace)
+ } while (intpart && (iplace < sizeof iconvert));
+ if (iplace == sizeof iconvert)
iplace--;
iconvert[iplace] = 0;
@@ -664,7 +664,7 @@ fmtfp(
: "0123456789abcdef")[fracpart % 10];
fracpart = (fracpart / 10);
} while (fplace < max);
- if (fplace == sizeof fplace)
+ if (fplace == sizeof fconvert)
fplace--;
fconvert[fplace] = 0;
diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c
index 601a14f37c..c851298d1e 100644
--- a/src/lib/libcrypto/bio/b_sock.c
+++ b/src/lib/libcrypto/bio/b_sock.c
@@ -709,12 +709,12 @@ int BIO_accept(int sock, char **addr)
}
*addr=p;
}
- sprintf(*addr,"%d.%d.%d.%d:%d",
- (unsigned char)(l>>24L)&0xff,
- (unsigned char)(l>>16L)&0xff,
- (unsigned char)(l>> 8L)&0xff,
- (unsigned char)(l )&0xff,
- port);
+ BIO_snprintf(*addr,24,"%d.%d.%d.%d:%d",
+ (unsigned char)(l>>24L)&0xff,
+ (unsigned char)(l>>16L)&0xff,
+ (unsigned char)(l>> 8L)&0xff,
+ (unsigned char)(l )&0xff,
+ port);
end:
return(ret);
}
diff --git a/src/lib/libcrypto/bio/bio_cb.c b/src/lib/libcrypto/bio/bio_cb.c
index 0ffa4d2136..6f4254a114 100644
--- a/src/lib/libcrypto/bio/bio_cb.c
+++ b/src/lib/libcrypto/bio/bio_cb.c
@@ -70,55 +70,61 @@ long MS_CALLBACK BIO_debug_callback(BIO *bio, int cmd, const char *argp,
MS_STATIC char buf[256];
char *p;
long r=1;
+ size_t p_maxlen;
if (BIO_CB_RETURN & cmd)
r=ret;
- sprintf(buf,"BIO[%08lX]:",(unsigned long)bio);
+ BIO_snprintf(buf,sizeof buf,"BIO[%08lX]:",(unsigned long)bio);
p= &(buf[14]);
+ p_maxlen = sizeof buf - 14;
switch (cmd)
{
case BIO_CB_FREE:
- sprintf(p,"Free - %s\n",bio->method->name);
+ BIO_snprintf(p,p_maxlen,"Free - %s\n",bio->method->name);
break;
case BIO_CB_READ:
if (bio->method->type & BIO_TYPE_DESCRIPTOR)
- sprintf(p,"read(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num);
+ BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s fd=%d\n",
+ bio->num,argi,bio->method->name,bio->num);
else
- sprintf(p,"read(%d,%d) - %s\n",bio->num,argi,bio->method->name);
+ BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s\n",
+ bio->num,argi,bio->method->name);
break;
case BIO_CB_WRITE:
if (bio->method->type & BIO_TYPE_DESCRIPTOR)
- sprintf(p,"write(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num);
+ BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s fd=%d\n",
+ bio->num,argi,bio->method->name,bio->num);
else
- sprintf(p,"write(%d,%d) - %s\n",bio->num,argi,bio->method->name);
+ BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s\n",
+ bio->num,argi,bio->method->name);
break;
case BIO_CB_PUTS:
- sprintf(p,"puts() - %s\n",bio->method->name);
+ BIO_snprintf(p,p_maxlen,"puts() - %s\n",bio->method->name);
break;
case BIO_CB_GETS:
- sprintf(p,"gets(%d) - %s\n",argi,bio->method->name);
+ BIO_snprintf(p,p_maxlen,"gets(%d) - %s\n",argi,bio->method->name);
break;
case BIO_CB_CTRL:
- sprintf(p,"ctrl(%d) - %s\n",argi,bio->method->name);
+ BIO_snprintf(p,p_maxlen,"ctrl(%d) - %s\n",argi,bio->method->name);
break;
case BIO_CB_RETURN|BIO_CB_READ:
- sprintf(p,"read return %ld\n",ret);
+ BIO_snprintf(p,p_maxlen,"read return %ld\n",ret);
break;
case BIO_CB_RETURN|BIO_CB_WRITE:
- sprintf(p,"write return %ld\n",ret);
+ BIO_snprintf(p,p_maxlen,"write return %ld\n",ret);
break;
case BIO_CB_RETURN|BIO_CB_GETS:
- sprintf(p,"gets return %ld\n",ret);
+ BIO_snprintf(p,p_maxlen,"gets return %ld\n",ret);
break;
case BIO_CB_RETURN|BIO_CB_PUTS:
- sprintf(p,"puts return %ld\n",ret);
+ BIO_snprintf(p,p_maxlen,"puts return %ld\n",ret);
break;
case BIO_CB_RETURN|BIO_CB_CTRL:
- sprintf(p,"ctrl return %ld\n",ret);
+ BIO_snprintf(p,p_maxlen,"ctrl return %ld\n",ret);
break;
default:
- sprintf(p,"bio callback - unknown type (%d)\n",cmd);
+ BIO_snprintf(p,p_maxlen,"bio callback - unknown type (%d)\n",cmd);
break;
}
diff --git a/src/lib/libcrypto/bio/bss_conn.c b/src/lib/libcrypto/bio/bss_conn.c
index 743db6ff94..f5d0e759e2 100644
--- a/src/lib/libcrypto/bio/bss_conn.c
+++ b/src/lib/libcrypto/bio/bss_conn.c
@@ -521,8 +521,8 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
char buf[16];
unsigned char *p = ptr;
- sprintf(buf,"%d.%d.%d.%d",
- p[0],p[1],p[2],p[3]);
+ BIO_snprintf(buf,sizeof buf,"%d.%d.%d.%d",
+ p[0],p[1],p[2],p[3]);
if (data->param_hostname != NULL)
OPENSSL_free(data->param_hostname);
data->param_hostname=BUF_strdup(buf);
@@ -532,7 +532,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
{
char buf[DECIMAL_SIZE(int)+1];
- sprintf(buf,"%d",*(int *)ptr);
+ BIO_snprintf(buf,sizeof buf,"%d",*(int *)ptr);
if (data->param_port != NULL)
OPENSSL_free(data->param_port);
data->param_port=BUF_strdup(buf);
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 6904b5c081..9cdf159f82 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -249,15 +249,15 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
if (num & BIO_FP_APPEND)
{
if (num & BIO_FP_READ)
- strcpy(p,"a+");
- else strcpy(p,"a");
+ BUF_strlcpy(p,"a+",sizeof p);
+ else BUF_strlcpy(p,"a",sizeof p);
}
else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE))
- strcpy(p,"r+");
+ BUF_strlcpy(p,"r+",sizeof p);
else if (num & BIO_FP_WRITE)
- strcpy(p,"w");
+ BUF_strlcpy(p,"w",sizeof p);
else if (num & BIO_FP_READ)
- strcpy(p,"r");
+ BUF_strlcpy(p,"r",sizeof p);
else
{
BIOerr(BIO_F_FILE_CTRL,BIO_R_BAD_FOPEN_MODE);
diff --git a/src/lib/libcrypto/bn/asm/bn-586.pl b/src/lib/libcrypto/bn/asm/bn-586.pl
index 33f6125920..c4de4a2bee 100644
--- a/src/lib/libcrypto/bn/asm/bn-586.pl
+++ b/src/lib/libcrypto/bn/asm/bn-586.pl
@@ -11,7 +11,7 @@ require "x86asm.pl";
&bn_div_words("bn_div_words");
&bn_add_words("bn_add_words");
&bn_sub_words("bn_sub_words");
-&bn_sub_part_words("bn_sub_part_words");
+#&bn_sub_part_words("bn_sub_part_words");
&asm_finish();
diff --git a/src/lib/libcrypto/bn/asm/x86_64-gcc.c b/src/lib/libcrypto/bn/asm/x86_64-gcc.c
index b97b394661..450e8e4322 100644
--- a/src/lib/libcrypto/bn/asm/x86_64-gcc.c
+++ b/src/lib/libcrypto/bn/asm/x86_64-gcc.c
@@ -142,7 +142,7 @@ void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
{ BN_ULONG ret,waste;
- asm ("divq %3"
+ asm ("divq %4"
: "=a"(ret),"=d"(waste)
: "a"(l),"d"(h),"g"(d)
: "cc");
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index 5614bc6164..253e195e23 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -433,19 +433,18 @@ void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a);
int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n);
int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
int cl, int dl);
-#if 0
-/* bn_mul.c rollback <appro> */
-void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
- int dna,int dnb,BN_ULONG *t);
-void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,
- int n,int tna,int tnb,BN_ULONG *t);
-#endif
-void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
-void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
+#ifdef BN_RECURSION
+void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+ BN_ULONG *t);
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
+ int n, BN_ULONG *t);
void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
BN_ULONG *t);
void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
BN_ULONG *t);
+void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
+#endif
+void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
#ifdef __cplusplus
}
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index fa0ff485ad..e1660450bc 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -145,11 +145,11 @@ char *BN_options(void)
{
init++;
#ifdef BN_LLONG
- sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULLONG)*8,
- (int)sizeof(BN_ULONG)*8);
+ BIO_snprintf(data,sizeof data,"bn(%d,%d)",
+ (int)sizeof(BN_ULLONG)*8,(int)sizeof(BN_ULONG)*8);
#else
- sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULONG)*8,
- (int)sizeof(BN_ULONG)*8);
+ BIO_snprintf(data,sizeof data,"bn(%d,%d)",
+ (int)sizeof(BN_ULONG)*8,(int)sizeof(BN_ULONG)*8);
#endif
}
return(data);
diff --git a/src/lib/libcrypto/bn/bn_print.c b/src/lib/libcrypto/bn/bn_print.c
index 5f46b1826c..0d942603b1 100644
--- a/src/lib/libcrypto/bn/bn_print.c
+++ b/src/lib/libcrypto/bn/bn_print.c
@@ -119,6 +119,7 @@ char *BN_bn2dec(const BIGNUM *a)
}
if ((t=BN_dup(a)) == NULL) goto err;
+#define BUF_REMAIN (num+3 - (size_t)(p - buf))
p=buf;
lp=bn_data;
if (t->neg) *(p++)='-';
@@ -139,12 +140,12 @@ char *BN_bn2dec(const BIGNUM *a)
/* We now have a series of blocks, BN_DEC_NUM chars
* in length, where the last one needs truncation.
* The blocks need to be reversed in order. */
- sprintf(p,BN_DEC_FMT1,*lp);
+ BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT1,*lp);
while (*p) p++;
while (lp != bn_data)
{
lp--;
- sprintf(p,BN_DEC_FMT2,*lp);
+ BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT2,*lp);
while (*p) p++;
}
}
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 57d2739ae0..2e9f52f1fd 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -235,7 +235,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
goto err;
}
- strcpy(section,"default");
+ BUF_strlcpy(section,"default",10);
if (_CONF_new_data(conf) == 0)
{
@@ -392,7 +392,7 @@ again:
ERR_R_MALLOC_FAILURE);
goto err;
}
- strcpy(v->name,pname);
+ BUF_strlcpy(v->name,pname,strlen(pname)+1);
if (!str_copy(conf,psection,&(v->value),start)) goto err;
if (strcmp(psection,section) != 0)
@@ -447,7 +447,7 @@ err:
if (buff != NULL) BUF_MEM_free(buff);
if (section != NULL) OPENSSL_free(section);
if (line != NULL) *line=eline;
- sprintf(btmp,"%ld",eline);
+ BIO_snprintf(btmp,sizeof btmp,"%ld",eline);
ERR_add_error_data(2,"line ",btmp);
if ((h != conf->data) && (conf->data != NULL))
{
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
index edcc08921c..d45adea851 100644
--- a/src/lib/libcrypto/conf/conf_mod.c
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -232,7 +232,7 @@ static int module_run(const CONF *cnf, char *name, char *value,
{
char rcode[DECIMAL_SIZE(ret)+1];
CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
- sprintf(rcode, "%-8d", ret);
+ BIO_snprintf(rcode, sizeof rcode, "%-8d", ret);
ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
}
}
@@ -561,11 +561,11 @@ char *CONF_get1_default_config_file(void)
if (!file)
return NULL;
- strcpy(file,X509_get_default_cert_area());
+ BUF_strlcpy(file,X509_get_default_cert_area(),len + 1);
#ifndef OPENSSL_SYS_VMS
- strcat(file,"/");
+ BUF_strlcat(file,"/",len + 1);
#endif
- strcat(file,OPENSSL_CONF);
+ BUF_strlcat(file,OPENSSL_CONF,len + 1);
return file;
}
@@ -576,12 +576,12 @@ char *CONF_get1_default_config_file(void)
* be used to parse comma separated lists for example.
*/
-int CONF_parse_list(const char *list, int sep, int nospc,
+int CONF_parse_list(const char *list_, int sep, int nospc,
int (*list_cb)(const char *elem, int len, void *usr), void *arg)
{
int ret;
const char *lstart, *tmpend, *p;
- lstart = list;
+ lstart = list_;
for(;;)
{
diff --git a/src/lib/libcrypto/cversion.c b/src/lib/libcrypto/cversion.c
index 8ecfba7b16..beeeb14013 100644
--- a/src/lib/libcrypto/cversion.c
+++ b/src/lib/libcrypto/cversion.c
@@ -61,7 +61,9 @@
#include "cryptlib.h"
#include <openssl/crypto.h>
+#ifndef NO_WINDOWS_BRAINDEATH
#include "buildinf.h"
+#endif
const char *SSLeay_version(int t)
{
@@ -72,7 +74,7 @@ const char *SSLeay_version(int t)
#ifdef DATE
static char buf[sizeof(DATE)+11];
- sprintf(buf,"built on: %s",DATE);
+ BIO_snprintf(buf,sizeof buf,"built on: %s",DATE);
return(buf);
#else
return("built on: date not available");
@@ -83,7 +85,7 @@ const char *SSLeay_version(int t)
#ifdef CFLAGS
static char buf[sizeof(CFLAGS)+11];
- sprintf(buf,"compiler: %s",CFLAGS);
+ BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS);
return(buf);
#else
return("compiler: information not available");
@@ -94,7 +96,7 @@ const char *SSLeay_version(int t)
#ifdef PLATFORM
static char buf[sizeof(PLATFORM)+11];
- sprintf(buf,"platform: %s", PLATFORM);
+ BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM);
return(buf);
#else
return("platform: information not available");
diff --git a/src/lib/libcrypto/des/cfb_enc.c b/src/lib/libcrypto/des/cfb_enc.c
index 2600bdfc93..03cabb223c 100644
--- a/src/lib/libcrypto/des/cfb_enc.c
+++ b/src/lib/libcrypto/des/cfb_enc.c
@@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
*/
+#include "e_os.h"
#include "des_locl.h"
/* The input and output are loaded in multiples of 8 bits.
@@ -64,17 +65,15 @@
* the second. The second 12 bits will come from the 3rd and half the 4th
* byte.
*/
-/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of
- * length */
/* Until Aug 1 2003 this function did not correctly implement CFB-r, so it
* will not be compatible with any encryption prior to that date. Ben. */
void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
long length, DES_key_schedule *schedule, DES_cblock *ivec,
int enc)
{
- register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
- register unsigned long l=length;
- register int num=numbits;
+ register DES_LONG d0,d1,v0,v1;
+ register unsigned long l=length,n=(numbits+7)/8;
+ register int num=numbits,i;
DES_LONG ti[2];
unsigned char *iv;
unsigned char ovec[16];
@@ -114,10 +113,10 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
/* now the remaining bits */
if(num%8 != 0)
- for(n=0 ; n < 8 ; ++n)
+ for(i=0 ; i < 8 ; ++i)
{
- ovec[n]<<=num%8;
- ovec[n]|=ovec[n+1]>>(8-num%8);
+ ovec[i]<<=num%8;
+ ovec[i]|=ovec[i+1]>>(8-num%8);
}
iv=&ovec[0];
c2l(iv,v0);
@@ -152,10 +151,10 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
/* now the remaining bits */
if(num%8 != 0)
- for(n=0 ; n < 8 ; ++n)
+ for(i=0 ; i < 8 ; ++i)
{
- ovec[n]<<=num%8;
- ovec[n]|=ovec[n+1]>>(8-num%8);
+ ovec[i]<<=num%8;
+ ovec[i]|=ovec[i+1]>>(8-num%8);
}
iv=&ovec[0];
c2l(iv,v0);
diff --git a/src/lib/libcrypto/des/ecb_enc.c b/src/lib/libcrypto/des/ecb_enc.c
index 1b70f68806..784aa5ba23 100644
--- a/src/lib/libcrypto/des/ecb_enc.c
+++ b/src/lib/libcrypto/des/ecb_enc.c
@@ -60,6 +60,7 @@
#include "des_ver.h"
#include "spr.h"
#include <openssl/opensslv.h>
+#include <openssl/bio.h>
OPENSSL_GLOBAL const char *libdes_version="libdes" OPENSSL_VERSION_PTEXT;
OPENSSL_GLOBAL const char *DES_version="DES" OPENSSL_VERSION_PTEXT;
@@ -97,7 +98,8 @@ const char *DES_options(void)
size="int";
else
size="long";
- sprintf(buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,size);
+ BIO_snprintf(buf,sizeof buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,
+ size);
init=0;
}
return(buf);
diff --git a/src/lib/libcrypto/doc/EVP_BytesToKey.pod b/src/lib/libcrypto/doc/EVP_BytesToKey.pod
index 5ce4add082..016381f3e9 100644
--- a/src/lib/libcrypto/doc/EVP_BytesToKey.pod
+++ b/src/lib/libcrypto/doc/EVP_BytesToKey.pod
@@ -2,7 +2,7 @@
=head1 NAME
- EVP_BytesToKey - password based encryption routine
+EVP_BytesToKey - password based encryption routine
=head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod
index 5901c39526..1cb315e739 100644
--- a/src/lib/libcrypto/doc/EVP_DigestInit.pod
+++ b/src/lib/libcrypto/doc/EVP_DigestInit.pod
@@ -4,7 +4,7 @@
EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
-EVP_MD_CTX_copy_ex EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
+EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
diff --git a/src/lib/libcrypto/doc/OPENSSL_config.pod b/src/lib/libcrypto/doc/OPENSSL_config.pod
new file mode 100644
index 0000000000..16600620cc
--- /dev/null
+++ b/src/lib/libcrypto/doc/OPENSSL_config.pod
@@ -0,0 +1,82 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/conf.h>
+
+ void OPENSSL_config(const char *config_name);
+ void OPENSSL_no_config(void);
+
+=head1 DESCRIPTION
+
+OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf>
+configuration file name using B<config_name>. If B<config_name> is NULL then
+the default name B<openssl_conf> will be used. Any errors are ignored. Further
+calls to OPENSSL_config() will have no effect. The configuration file format
+is documented in the L<conf(5)|conf(5)> manual page.
+
+OPENSSL_no_config() disables configuration. If called before OPENSSL_config()
+no configuration takes place.
+
+=head1 NOTES
+
+It is B<strongly> recommended that B<all> new applications call OPENSSL_config()
+or the more sophisticated functions such as CONF_modules_load() during
+initialization (that is before starting any threads). By doing this
+an application does not need to keep track of all configuration options
+and some new functionality can be supported automatically.
+
+It is also possible to automatically call OPENSSL_config() when an application
+calls OPENSSL_add_all_algorithms() by compiling an application with the
+preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration
+can be added without source changes.
+
+The environment variable B<OPENSSL_CONFIG> can be set to specify the location
+of the configuration file.
+
+Currently ASN1 OBJECTs and ENGINE configuration can be performed future
+versions of OpenSSL will add new configuration options.
+
+There are several reasons why calling the OpenSSL configuration routines is
+advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7.
+In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be
+used (among other things) to load dynamic ENGINEs from shared libraries (DSOs).
+However very few applications currently support the control interface and so
+very few can load and use dynamic ENGINEs. Equally in future more sophisticated
+ENGINEs will require certain control operations to customize them. If an
+application calls OPENSSL_config() it doesn't need to know or care about
+ENGINE control operations because they can be performed by editing a
+configuration file.
+
+Applications should free up configuration at application closedown by calling
+CONF_modules_free().
+
+=head1 RESTRICTIONS
+
+The OPENSSL_config() function is designed to be a very simple "call it and
+forget it" function. As a result its behaviour is somewhat limited. It ignores
+all errors silently and it can only load from the standard configuration file
+location for example.
+
+It is however B<much> better than nothing. Applications which need finer
+control over their configuration functionality should use the configuration
+functions such as CONF_load_modules() directly.
+
+=head1 RETURN VALUES
+
+Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
+
+=head1 SEE ALSO
+
+L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>,
+L<CONF_modules_free(3),CONF_modules_free(3)>
+
+=head1 HISTORY
+
+OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7
+
+=cut
diff --git a/src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod b/src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod
new file mode 100644
index 0000000000..f14dfaf005
--- /dev/null
+++ b/src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_load_builtin_modules - add standard configuration modules
+
+=head1 SYNOPSIS
+
+ #include <openssl/conf.h>
+
+ void OPENSSL_load_builtin_modules(void);
+ void ASN1_add_oid_module(void);
+ ENGINE_add_conf_module();
+
+=head1 DESCRIPTION
+
+The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL
+configuration modules to the internal list. They can then be used by the
+OpenSSL configuration code.
+
+ASN1_add_oid_module() adds just the ASN1 OBJECT module.
+
+ENGINE_add_conf_module() adds just the ENGINE configuration module.
+
+=head1 NOTES
+
+If the simple configuration function OPENSSL_config() is called then
+OPENSSL_load_builtin_modules() is called automatically.
+
+Applications which use the configuration functions directly will need to
+call OPENSSL_load_builtin_modules() themselves I<before> any other
+configuration code.
+
+Applications should call OPENSSL_load_builtin_modules() to load all
+configuration modules instead of adding modules selectively: otherwise
+functionality may be missing from the application if an when new
+modules are added.
+
+=head1 RETURN VALUE
+
+None of the functions return a value.
+
+=head1 SEE ALSO
+
+L<conf(3)|conf(3)>, L<OPENSSL_config(3)|OPENSSL_config(3)>
+
+=head1 HISTORY
+
+These functions first appeared in OpenSSL 0.9.7.
+
+=cut
diff --git a/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod b/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
index 486c903430..e63411b5bb 100644
--- a/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
+++ b/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
@@ -36,7 +36,7 @@ None of the functions return a value.
=head1 NOTES
-A typical application will will call OpenSSL_add_all_algorithms() initially and
+A typical application will call OpenSSL_add_all_algorithms() initially and
EVP_cleanup() before exiting.
An application does not need to add algorithms to use them explicitly, for example
diff --git a/src/lib/libcrypto/doc/RSA_print.pod b/src/lib/libcrypto/doc/RSA_print.pod
index e28d107d1c..c971e91f4d 100644
--- a/src/lib/libcrypto/doc/RSA_print.pod
+++ b/src/lib/libcrypto/doc/RSA_print.pod
@@ -44,6 +44,6 @@ L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(),
DH_print_fp() are available in all versions of SSLeay and OpenSSL.
-DSAparams_print() and DSAparams_print_pf() were added in SSLeay 0.8.
+DSAparams_print() and DSAparams_print_fp() were added in SSLeay 0.8.
=cut
diff --git a/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod b/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod
index 6ebd30427b..22c1b50f22 100644
--- a/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod
+++ b/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod
@@ -9,6 +9,7 @@ and parsing functions.
=head1 SYNOPSIS
#include <openssl/dsa.h>
+ #include <openssl/x509.h>
DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length);
@@ -35,8 +36,8 @@ and parsing functions.
d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key
components structure.
-d2i_DSA_PUKEY() and i2d_DSA_PUKEY() decode and encode an DSA public key using a
-SubjectPublicKeyInfo (certificate public key) structure.
+d2i_DSA_PUBKEY() and i2d_DSA_PUBKEY() decode and encode an DSA public key using
+a SubjectPublicKeyInfo (certificate public key) structure.
d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key
components.
diff --git a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
index 7c71bcbf3d..279b29c873 100644
--- a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
+++ b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
@@ -9,6 +9,7 @@ d2i_Netscape_RSA - RSA public and private key encoding functions.
=head1 SYNOPSIS
#include <openssl/rsa.h>
+ #include <openssl/x509.h>
RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
@@ -31,8 +32,8 @@ d2i_Netscape_RSA - RSA public and private key encoding functions.
d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey
structure.
-d2i_RSA_PUKEY() and i2d_RSA_PUKEY() decode and encode an RSA public key using a
-SubjectPublicKeyInfo (certificate public key) structure.
+d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY() decode and encode an RSA public key using
+a SubjectPublicKeyInfo (certificate public key) structure.
d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey
structure.
diff --git a/src/lib/libcrypto/dso/dso_lib.c b/src/lib/libcrypto/dso/dso_lib.c
index 556069b9b8..48d9fdb25e 100644
--- a/src/lib/libcrypto/dso/dso_lib.c
+++ b/src/lib/libcrypto/dso/dso_lib.c
@@ -383,7 +383,7 @@ int DSO_set_filename(DSO *dso, const char *filename)
DSOerr(DSO_F_DSO_SET_FILENAME,ERR_R_MALLOC_FAILURE);
return(0);
}
- strcpy(copied, filename);
+ BUF_strlcpy(copied, filename, strlen(filename) + 1);
if(dso->filename)
OPENSSL_free(dso->filename);
dso->filename = copied;
@@ -422,7 +422,7 @@ char *DSO_convert_filename(DSO *dso, const char *filename)
ERR_R_MALLOC_FAILURE);
return(NULL);
}
- strcpy(result, filename);
+ BUF_strlcpy(result, filename, strlen(filename) + 1);
}
return(result);
}
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index 4666a052bf..e9a51fb87a 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -896,7 +896,7 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
}
form = buf[0];
y_bit = form & 1;
- form = form & ~1;
+ form = form & ~1U;
if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
&& (form != POINT_CONVERSION_UNCOMPRESSED)
&& (form != POINT_CONVERSION_HYBRID))
diff --git a/src/lib/libcrypto/engine/eng_ctrl.c b/src/lib/libcrypto/engine/eng_ctrl.c
index ad3858395b..412c73fb0f 100644
--- a/src/lib/libcrypto/engine/eng_ctrl.c
+++ b/src/lib/libcrypto/engine/eng_ctrl.c
@@ -160,15 +160,19 @@ static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)())
case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD:
return strlen(e->cmd_defns[idx].cmd_name);
case ENGINE_CTRL_GET_NAME_FROM_CMD:
- return sprintf(s, "%s", e->cmd_defns[idx].cmd_name);
+ return BIO_snprintf(s,strlen(e->cmd_defns[idx].cmd_name) + 1,
+ "%s", e->cmd_defns[idx].cmd_name);
case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD:
if(e->cmd_defns[idx].cmd_desc)
return strlen(e->cmd_defns[idx].cmd_desc);
return strlen(int_no_description);
case ENGINE_CTRL_GET_DESC_FROM_CMD:
if(e->cmd_defns[idx].cmd_desc)
- return sprintf(s, "%s", e->cmd_defns[idx].cmd_desc);
- return sprintf(s, "%s", int_no_description);
+ return BIO_snprintf(s,
+ strlen(e->cmd_defns[idx].cmd_desc) + 1,
+ "%s", e->cmd_defns[idx].cmd_desc);
+ return BIO_snprintf(s, strlen(int_no_description) + 1,"%s",
+ int_no_description);
case ENGINE_CTRL_GET_CMD_FLAGS:
return e->cmd_defns[idx].cmd_flags;
}
diff --git a/src/lib/libcrypto/engine/eng_fat.c b/src/lib/libcrypto/engine/eng_fat.c
index 0d7dae00b2..7ccf7022ee 100644
--- a/src/lib/libcrypto/engine/eng_fat.c
+++ b/src/lib/libcrypto/engine/eng_fat.c
@@ -107,14 +107,14 @@ static int int_def_cb(const char *alg, int len, void *arg)
}
-int ENGINE_set_default_string(ENGINE *e, const char *list)
+int ENGINE_set_default_string(ENGINE *e, const char *def_list)
{
unsigned int flags = 0;
- if (!CONF_parse_list(list, ',', 1, int_def_cb, &flags))
+ if (!CONF_parse_list(def_list, ',', 1, int_def_cb, &flags))
{
ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_STRING,
ENGINE_R_INVALID_STRING);
- ERR_add_error_data(2, "str=",list);
+ ERR_add_error_data(2, "str=",def_list);
return 0;
}
return ENGINE_set_default(e, flags);
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
index 9c3ab182d3..900f75ce8d 100644
--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -513,7 +513,7 @@ ENGINE *ENGINE_get_digest_engine(int nid);
* structure will have had its reference count up'd so the caller
* should still free their own reference 'e'. */
int ENGINE_set_default_RSA(ENGINE *e);
-int ENGINE_set_default_string(ENGINE *e, const char *list);
+int ENGINE_set_default_string(ENGINE *e, const char *def_list);
/* Same for the other "methods" */
int ENGINE_set_default_DSA(ENGINE *e);
int ENGINE_set_default_DH(ENGINE *e);
@@ -616,17 +616,20 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
const dynamic_fns *fns);
#define IMPLEMENT_DYNAMIC_BIND_FN(fn) \
int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \
- if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \
- fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \
- return 0; \
- CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \
- CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \
- CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \
- CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \
- CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \
- if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \
- return 0; \
- if(!ERR_set_implementation(fns->err_fns)) return 0; \
+ if (ERR_get_implementation() != fns->err_fns) \
+ { \
+ if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \
+ fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \
+ return 0; \
+ CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \
+ CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \
+ CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \
+ CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \
+ CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \
+ if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \
+ return 0; \
+ if(!ERR_set_implementation(fns->err_fns)) return 0; \
+ } \
if(!fn(e,id)) return 0; \
return 1; }
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 633a1addfe..792f329600 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -1065,7 +1065,7 @@ void ERR_add_error_data(int num, ...)
else
str=p;
}
- strcat(str,a);
+ BUF_strlcat(str,a,s+1);
}
}
ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index b22eed4421..0623ddf1f0 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -248,6 +248,7 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
{
+ unsigned char *tmp_buf;
if ((in == NULL) || (in->digest == NULL))
{
EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);
@@ -262,15 +263,22 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
}
#endif
+ if (out->digest == in->digest)
+ {
+ tmp_buf = out->md_data;
+ EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE);
+ }
+ else tmp_buf = NULL;
EVP_MD_CTX_cleanup(out);
memcpy(out,in,sizeof *out);
if (out->digest->ctx_size)
{
- out->md_data=OPENSSL_malloc(out->digest->ctx_size);
+ if (tmp_buf) out->md_data = tmp_buf;
+ else out->md_data=OPENSSL_malloc(out->digest->ctx_size);
memcpy(out->md_data,in->md_data,out->digest->ctx_size);
}
-
+
if (out->digest->copy)
return out->digest->copy(out,in);
@@ -308,7 +316,8 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
if (ctx->digest && ctx->digest->cleanup
&& !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED))
ctx->digest->cleanup(ctx);
- if (ctx->digest && ctx->digest->ctx_size && ctx->md_data)
+ if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
+ && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE))
{
OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
OPENSSL_free(ctx->md_data);
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index 45a25f968d..4801d8eaa3 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -329,6 +329,8 @@ struct env_md_ctx_st
* once only */
#define EVP_MD_CTX_FLAG_CLEANED 0x0002 /* context has already been
* cleaned */
+#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
+ * in EVP_MD_CTX_cleanup */
struct evp_cipher_st
{
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index be0758a879..8ea5aa935d 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -148,7 +148,19 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
#endif
ctx->cipher=cipher;
- ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size);
+ if (ctx->cipher->ctx_size)
+ {
+ ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size);
+ if (!ctx->cipher_data)
+ {
+ EVPerr(EVP_F_EVP_CIPHERINIT, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ }
+ else
+ {
+ ctx->cipher_data = NULL;
+ }
ctx->key_len = cipher->key_len;
ctx->flags = 0;
if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT)
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index 0da88fdcff..91e545a141 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -87,7 +87,7 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
if (i == -1) {
char obj_tmp[80];
EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM);
- if (!pbe_obj) strcpy (obj_tmp, "NULL");
+ if (!pbe_obj) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp);
else i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, pbe_obj);
ERR_add_error_data(2, "TYPE=", obj_tmp);
return 0;
diff --git a/src/lib/libcrypto/evp/evp_pkey.c b/src/lib/libcrypto/evp/evp_pkey.c
index 34b5b1d21c..eb481ec661 100644
--- a/src/lib/libcrypto/evp/evp_pkey.c
+++ b/src/lib/libcrypto/evp/evp_pkey.c
@@ -210,7 +210,7 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
#endif
default:
EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
- if (!a->algorithm) strcpy (obj_tmp, "NULL");
+ if (!a->algorithm) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp);
else i2t_ASN1_OBJECT(obj_tmp, 80, a->algorithm);
ERR_add_error_data(2, "TYPE=", obj_tmp);
EVP_PKEY_free (pkey);
diff --git a/src/lib/libcrypto/mem_dbg.c b/src/lib/libcrypto/mem_dbg.c
index 57bd08f65d..e212de27e4 100644
--- a/src/lib/libcrypto/mem_dbg.c
+++ b/src/lib/libcrypto/mem_dbg.c
@@ -597,6 +597,8 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
struct tm *lcl = NULL;
unsigned long ti;
+#define BUF_REMAIN (sizeof buf - (size_t)(bufp - buf))
+
if(m->addr == (char *)l->bio)
return;
@@ -604,22 +606,22 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
{
lcl = localtime(&m->time);
- sprintf(bufp, "[%02d:%02d:%02d] ",
+ BIO_snprintf(bufp, BUF_REMAIN, "[%02d:%02d:%02d] ",
lcl->tm_hour,lcl->tm_min,lcl->tm_sec);
bufp += strlen(bufp);
}
- sprintf(bufp, "%5lu file=%s, line=%d, ",
+ BIO_snprintf(bufp, BUF_REMAIN, "%5lu file=%s, line=%d, ",
m->order,m->file,m->line);
bufp += strlen(bufp);
if (options & V_CRYPTO_MDEBUG_THREAD)
{
- sprintf(bufp, "thread=%lu, ", m->thread);
+ BIO_snprintf(bufp, BUF_REMAIN, "thread=%lu, ", m->thread);
bufp += strlen(bufp);
}
- sprintf(bufp, "number=%d, address=%08lX\n",
+ BIO_snprintf(bufp, BUF_REMAIN, "number=%d, address=%08lX\n",
m->num,(unsigned long)m->addr);
bufp += strlen(bufp);
@@ -641,7 +643,7 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
ami_cnt++;
memset(buf,'>',ami_cnt);
- sprintf(buf + ami_cnt,
+ BIO_snprintf(buf + ami_cnt, sizeof buf - ami_cnt,
" thread=%lu, file=%s, line=%d, info=\"",
amip->thread, amip->file, amip->line);
buf_len=strlen(buf);
@@ -653,10 +655,11 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
}
else
{
- strcpy(buf + buf_len, amip->info);
+ BUF_strlcpy(buf + buf_len, amip->info,
+ sizeof buf - buf_len);
buf_len = strlen(buf);
}
- sprintf(buf + buf_len, "\"\n");
+ BIO_snprintf(buf + buf_len, sizeof buf - buf_len, "\"\n");
BIO_puts(l->bio,buf);
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 5d983e3ed4..4534dc0985 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -462,7 +462,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
if (i > 2) i=2;
l-=(long)(i*40);
- sprintf(tbuf,"%d.%lu",i,l);
+ BIO_snprintf(tbuf,sizeof tbuf,"%d.%lu",i,l);
i=strlen(tbuf);
BUF_strlcpy(buf,tbuf,buf_len);
buf_len-=i;
@@ -473,7 +473,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
for (; idx<len; idx++) {
l|=p[idx]&0x7f;
if (!(p[idx] & 0x80)) {
- sprintf(tbuf,".%lu",l);
+ BIO_snprintf(tbuf,sizeof tbuf,".%lu",l);
i=strlen(tbuf);
if (buf_len > 0)
BUF_strlcpy(buf,tbuf,buf_len);
diff --git a/src/lib/libcrypto/objects/obj_dat.pl b/src/lib/libcrypto/objects/obj_dat.pl
index 5dfb84ea00..d0371661f9 100644
--- a/src/lib/libcrypto/objects/obj_dat.pl
+++ b/src/lib/libcrypto/objects/obj_dat.pl
@@ -1,5 +1,9 @@
#!/usr/local/bin/perl
+# fixes bug in floating point emulation on sparc64 when
+# this script produces off-by-one output on sparc64
+use integer;
+
sub obj_cmp
{
local(@a,@b,$_,$r);
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
index d6c8899f58..57399433fc 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ext.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ext.c
@@ -305,6 +305,8 @@ err:
/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
* a random nonce will be generated.
+ * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the
+ * nonce, previous versions used the raw nonce.
*/
static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
@@ -313,20 +315,28 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val,
ASN1_OCTET_STRING os;
int ret = 0;
if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
- if (val) tmpval = val;
+ /* Create the OCTET STRING manually by writing out the header and
+ * appending the content octets. This avoids an extra memory allocation
+ * operation in some cases. Applications should *NOT* do this because
+ * it relies on library internals.
+ */
+ os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
+ os.data = OPENSSL_malloc(os.length);
+ if (os.data == NULL)
+ goto err;
+ tmpval = os.data;
+ ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
+ if (val)
+ memcpy(tmpval, val, len);
else
- {
- if (!(tmpval = OPENSSL_malloc(len))) goto err;
RAND_pseudo_bytes(tmpval, len);
- }
- os.data = tmpval;
- os.length = len;
if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
&os, 0, X509V3_ADD_REPLACE))
goto err;
ret = 1;
err:
- if(!val) OPENSSL_free(tmpval);
+ if (os.data)
+ OPENSSL_free(os.data);
return ret;
}
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
index 3875af165c..9e87fc7895 100644
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -253,6 +253,7 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
err:
+ if (buf) OPENSSL_free(buf);
if (*ppath) OPENSSL_free(*ppath);
if (*pport) OPENSSL_free(*pport);
if (*phost) OPENSSL_free(*phost);
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index 1f5fda7ca3..3d58dfb06c 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -3,7 +3,7 @@
* project 2000.
*/
/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -272,7 +272,7 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
for (i = 1; i < idcount; i++)
{
- tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+ tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
/* Check to see if IDs match */
if (OCSP_id_issuer_cmp(cid, tmpid))
{
@@ -330,7 +330,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
OCSP_CERTID *tmpid;
for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
{
- tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+ tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
ret = ocsp_match_issuerid(cert, tmpid, NULL);
if (ret <= 0) return ret;
}
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index e226d9de79..02f1710fb3 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,8 +25,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x0090703fL
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7c 30 Sep 2003"
+#define OPENSSL_VERSION_NUMBER 0x0090704fL
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004"
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 70b5446797..7785039b99 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -131,9 +131,9 @@ void PEM_proc_type(char *buf, int type)
else
str="BAD-TYPE";
- strcat(buf,"Proc-Type: 4,");
- strcat(buf,str);
- strcat(buf,"\n");
+ BUF_strlcat(buf,"Proc-Type: 4,",PEM_BUFSIZE);
+ BUF_strlcat(buf,str,PEM_BUFSIZE);
+ BUF_strlcat(buf,"\n",PEM_BUFSIZE);
}
void PEM_dek_info(char *buf, const char *type, int len, char *str)
@@ -142,10 +142,12 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str)
long i;
int j;
- strcat(buf,"DEK-Info: ");
- strcat(buf,type);
- strcat(buf,",");
+ BUF_strlcat(buf,"DEK-Info: ",PEM_BUFSIZE);
+ BUF_strlcat(buf,type,PEM_BUFSIZE);
+ BUF_strlcat(buf,",",PEM_BUFSIZE);
j=strlen(buf);
+ if (j + (len * 2) + 1 > PEM_BUFSIZE)
+ return;
for (i=0; i<len; i++)
{
buf[j+i*2] =map[(str[i]>>4)&0x0f];
@@ -533,7 +535,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
long len)
{
int nlen,n,i,j,outl;
- unsigned char *buf;
+ unsigned char *buf = NULL;
EVP_ENCODE_CTX ctx;
int reason=ERR_R_BUF_LIB;
@@ -553,7 +555,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
goto err;
}
- buf=(unsigned char *)OPENSSL_malloc(PEM_BUFSIZE*8);
+ buf = OPENSSL_malloc(PEM_BUFSIZE*8);
if (buf == NULL)
{
reason=ERR_R_MALLOC_FAILURE;
@@ -574,12 +576,15 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
EVP_EncodeFinal(&ctx,buf,&outl);
if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err;
OPENSSL_free(buf);
+ buf = NULL;
if ( (BIO_write(bp,"-----END ",9) != 9) ||
(BIO_write(bp,name,nlen) != nlen) ||
(BIO_write(bp,"-----\n",6) != 6))
goto err;
return(i+outl);
err:
+ if (buf)
+ OPENSSL_free(buf);
PEMerr(PEM_F_PEM_WRITE_BIO,reason);
return(0);
}
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index d96ecf6940..f77c949e87 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -87,6 +87,10 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
if(!p8inf) goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
+ if(x) {
+ if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
+ *x = ret;
+ }
PKCS8_PRIV_KEY_INFO_free(p8inf);
} else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
PKCS8_PRIV_KEY_INFO *p8inf;
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 190ca0e9bf..35c7dcd0b3 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -91,17 +91,19 @@ static int PKCS7_type_is_other(PKCS7* p7)
}
-static int PKCS7_type_is_octet_string(PKCS7* p7)
+static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7)
{
- if ( 0==PKCS7_type_is_other(p7) )
- return 0;
-
- return (V_ASN1_OCTET_STRING==p7->d.other->type) ? 1 : 0;
+ if ( PKCS7_type_is_data(p7))
+ return p7->d.data;
+ if ( PKCS7_type_is_other(p7) && p7->d.other
+ && (p7->d.other->type == V_ASN1_OCTET_STRING))
+ return p7->d.other->value.octet_string;
+ return NULL;
}
BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
{
- int i,j;
+ int i;
BIO *out=NULL,*btmp=NULL;
X509_ALGOR *xa;
const EVP_MD *evp_md;
@@ -159,8 +161,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
goto err;
}
- j=OBJ_obj2nid(xa->algorithm);
- evp_md=EVP_get_digestbyname(OBJ_nid2sn(j));
+ evp_md=EVP_get_digestbyobj(xa->algorithm);
if (evp_md == NULL)
{
PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNKNOWN_DIGEST_TYPE);
@@ -250,29 +251,22 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
btmp=NULL;
}
- if (bio == NULL) {
+ if (bio == NULL)
+ {
if (PKCS7_is_detached(p7))
bio=BIO_new(BIO_s_null());
- else {
- if (PKCS7_type_is_signed(p7) ) {
- if ( PKCS7_type_is_data(p7->d.sign->contents)) {
- ASN1_OCTET_STRING *os;
- os=p7->d.sign->contents->d.data;
- if (os->length > 0)
- bio = BIO_new_mem_buf(os->data, os->length);
- }
- else if ( PKCS7_type_is_octet_string(p7->d.sign->contents) ) {
- ASN1_OCTET_STRING *os;
- os=p7->d.sign->contents->d.other->value.octet_string;
- if (os->length > 0)
- bio = BIO_new_mem_buf(os->data, os->length);
- }
- }
- if(bio == NULL) {
+ else
+ {
+ ASN1_OCTET_STRING *os;
+ os = PKCS7_get_octet_string(p7->d.sign->contents);
+ if (os && os->length > 0)
+ bio = BIO_new_mem_buf(os->data, os->length);
+ if(bio == NULL)
+ {
bio=BIO_new(BIO_s_mem());
BIO_set_mem_eof_return(bio,0);
+ }
}
- }
}
BIO_push(out,bio);
bio=NULL;
@@ -311,7 +305,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
switch (i)
{
case NID_pkcs7_signed:
- data_body=p7->d.sign->contents->d.data;
+ data_body=PKCS7_get_octet_string(p7->d.sign->contents);
md_sk=p7->d.sign->md_algs;
break;
case NID_pkcs7_signedAndEnveloped:
@@ -319,7 +313,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
md_sk=p7->d.signed_and_enveloped->md_algs;
data_body=p7->d.signed_and_enveloped->enc_data->enc_data;
enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm;
- evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm)));
+ evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
if (evp_cipher == NULL)
{
PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
@@ -331,7 +325,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
rsk=p7->d.enveloped->recipientinfo;
enc_alg=p7->d.enveloped->enc_data->algorithm;
data_body=p7->d.enveloped->enc_data->enc_data;
- evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm)));
+ evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
if (evp_cipher == NULL)
{
PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
@@ -357,7 +351,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
}
j=OBJ_obj2nid(xa->algorithm);
- evp_md=EVP_get_digestbyname(OBJ_nid2sn(j));
+ evp_md=EVP_get_digestbynid(j);
if (evp_md == NULL)
{
PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNKNOWN_DIGEST_TYPE);
@@ -531,9 +525,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
break;
case NID_pkcs7_signed:
si_sk=p7->d.sign->signer_info;
- os=p7->d.sign->contents->d.data;
+ os=PKCS7_get_octet_string(p7->d.sign->contents);
/* If detached data then the content is excluded */
- if(p7->detached) {
+ if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
M_ASN1_OCTET_STRING_free(os);
p7->d.sign->contents->d.data = NULL;
}
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index 41574768ab..f5d0843d13 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -56,6 +56,9 @@
* [including the GNU Public Licence.]
*/
+/* We need to define this to get macros like S_IFBLK and S_IFCHR */
+#define _XOPEN_SOURCE 1
+
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
@@ -64,6 +67,7 @@
#include "e_os.h"
#include <openssl/crypto.h>
#include <openssl/rand.h>
+#include <openssl/buffer.h>
#ifdef OPENSSL_SYS_VMS
#include <unixio.h>
@@ -106,6 +110,16 @@ int RAND_load_file(const char *file, long bytes)
in=fopen(file,"rb");
if (in == NULL) goto err;
+#if defined(S_IFBLK) && defined(S_IFCHR)
+ if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
+ /* this file is a device. we don't want read an infinite number
+ * of bytes from a random device, nor do we want to use buffered
+ * I/O because we will waste system entropy.
+ */
+ bytes = (bytes == -1) ? 2048 : bytes; /* ok, is 2048 enough? */
+ setvbuf(in, NULL, _IONBF, 0); /* don't do buffered reads */
+ }
+#endif
for (;;)
{
if (bytes > 0)
@@ -135,7 +149,22 @@ int RAND_write_file(const char *file)
int i,ret=0,rand_err=0;
FILE *out = NULL;
int n;
+ struct stat sb;
+ i=stat(file,&sb);
+ if (i != -1) {
+#if defined(S_IFBLK) && defined(S_IFCHR)
+ if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
+ /* this file is a device. we don't write back to it.
+ * we "succeed" on the assumption this is some sort
+ * of random device. Otherwise attempting to write to
+ * and chmod the device causes problems.
+ */
+ return(1);
+ }
+#endif
+ }
+
#if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32)
/* For some reason Win32 can't write to files created this way */
@@ -197,16 +226,17 @@ err:
const char *RAND_file_name(char *buf, size_t size)
{
char *s=NULL;
- char *ret=NULL;
+ int ok = 0;
+#ifdef __OpenBSD__
+ struct stat sb;
+#endif
if (OPENSSL_issetugid() == 0)
s=getenv("RANDFILE");
- if (s != NULL)
+ if (s != NULL && *s && strlen(s) + 1 < size)
{
- if(strlen(s) >= size)
+ if (BUF_strlcpy(buf,s,size) >= size)
return NULL;
- strcpy(buf,s);
- ret=buf;
}
else
{
@@ -218,17 +248,36 @@ const char *RAND_file_name(char *buf, size_t size)
s = DEFAULT_HOME;
}
#endif
- if (s != NULL && (strlen(s)+strlen(RFILE)+2 < size))
+ if (s && *s && strlen(s)+strlen(RFILE)+2 < size)
{
- strcpy(buf,s);
+ BUF_strlcpy(buf,s,size);
#ifndef OPENSSL_SYS_VMS
- strcat(buf,"/");
+ BUF_strlcat(buf,"/",size);
#endif
- strcat(buf,RFILE);
- ret=buf;
+ BUF_strlcat(buf,RFILE,size);
+ ok = 1;
}
else
buf[0] = '\0'; /* no file name */
}
- return(ret);
+
+#ifdef __OpenBSD__
+ /* given that all random loads just fail if the file can't be
+ * seen on a stat, we stat the file we're returning, if it
+ * fails, use /dev/arandom instead. this allows the user to
+ * use their own source for good random data, but defaults
+ * to something hopefully decent if that isn't available.
+ */
+
+ if (!ok)
+ if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) {
+ return(NULL);
+ }
+ if (stat(buf,&sb) == -1)
+ if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) {
+ return(NULL);
+ }
+
+#endif
+ return(buf);
}
diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl
index fe51fd0794..e00f709553 100644
--- a/src/lib/libcrypto/sha/asm/sha1-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-586.pl
@@ -1,5 +1,30 @@
#!/usr/local/bin/perl
+# It was noted that Intel IA-32 C compiler generates code which
+# performs ~30% *faster* on P4 CPU than original *hand-coded*
+# SHA1 assembler implementation. To address this problem (and
+# prove that humans are still better than machines:-), the
+# original code was overhauled, which resulted in following
+# performance changes:
+#
+# compared with original compared with Intel cc
+# assembler impl. generated code
+# Pentium -25% +37%
+# PIII/AMD +8% +16%
+# P4 +85%(!) +45%
+#
+# As you can see Pentium came out as looser:-( Yet I reckoned that
+# improvement on P4 outweights the loss and incorporate this
+# re-tuned code to 0.9.7 and later.
+# ----------------------------------------------------------------
+# Those who for any particular reason absolutely must score on
+# Pentium can replace this module with one from 0.9.6 distribution.
+# This "offer" shall be revoked the moment programming interface to
+# this module is changed, in which case this paragraph should be
+# removed.
+# ----------------------------------------------------------------
+# <appro@fy.chalmers.se>
+
$normal=0;
push(@INC,"perlasm","../../perlasm");
@@ -77,54 +102,21 @@ sub BODY_00_15
{
local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_;
-return if $n & 1;
&comment("00_15 $n");
- &mov($f,$c);
-
- &mov($tmp1,$a);
- &xor($f,$d); # F2
-
- &rotl($tmp1,5); # A2
-
- &and($f,$b); # F3
- &add($tmp1,$e);
-
- &rotr($b,1); # B1 <- F
- &mov($e,&swtmp($n)); # G1
-
- &rotr($b,1); # B1 <- F
- &xor($f,$d); # F4
-
- &lea($tmp1,&DWP($K,$tmp1,$e,1));
-
-############################
-# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T);
-# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E);
-$n++;
- local($n0,$n1,$n2,$n3,$np)=&Na($n);
- ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f);
-
- &mov($f,$c);
-
- &add($a,$tmp1); # MOVED DOWN
- &xor($f,$d); # F2
-
&mov($tmp1,$a);
- &and($f,$b); # F3
-
- &rotl($tmp1,5); # A2
-
- &add($tmp1,$e);
- &mov($e,&swtmp($n)); # G1
-
- &rotr($b,1); # B1 <- F
- &xor($f,$d); # F4
-
- &rotr($b,1); # B1 <- F
- &lea($tmp1,&DWP($K,$tmp1,$e,1));
-
- &add($f,$tmp1);
+ &mov($f,$c); # f to hold F_00_19(b,c,d)
+ &rotl($tmp1,5); # tmp1=ROTATE(a,5)
+ &xor($f,$d);
+ &and($f,$b);
+ &rotr($b,2); # b=ROTATE(b,30)
+ &add($tmp1,$e); # tmp1+=e;
+ &mov($e,&swtmp($n)); # e becomes volatile and
+ # is loaded with xi
+ &xor($f,$d); # f holds F_00_19(b,c,d)
+ &lea($tmp1,&DWP($K,$tmp1,$e,1));# tmp1+=K_00_19+xi
+
+ &add($f,$tmp1); # f+=tmp1
}
sub BODY_16_19
@@ -132,66 +124,24 @@ sub BODY_16_19
local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_;
local($n0,$n1,$n2,$n3,$np)=&Na($n);
-return if $n & 1;
&comment("16_19 $n");
- &nop() if ($pos < 0);
-&mov($tmp1,&swtmp($n0)); # X1
- &mov($f,&swtmp($n1)); # X2
-&xor($f,$tmp1); # X3
- &mov($tmp1,&swtmp($n2)); # X4
-&xor($f,$tmp1); # X5
- &mov($tmp1,&swtmp($n3)); # X6
-&xor($f,$tmp1); # X7 - slot
- &mov($tmp1,$c); # F1
-&rotl($f,1); # X8 - slot
- &xor($tmp1,$d); # F2
-&mov(&swtmp($n0),$f); # X9 - anytime
- &and($tmp1,$b); # F3
-&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e
- &xor($tmp1,$d); # F4
-&mov($e,$a); # A1
- &add($f,$tmp1); # tot+=F();
-
-&rotl($e,5); # A2
-
-&rotr($b,1); # B1 <- F
- &add($f,$e); # tot+=a
-
-############################
-# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T);
-# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E);
-$n++;
- local($n0,$n1,$n2,$n3,$np)=&Na($n);
- ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f);
-
-
-&mov($f,&swtmp($n0)); # X1
- &mov($tmp1,&swtmp($n1)); # X2
-&xor($f,$tmp1); # X3
- &mov($tmp1,&swtmp($n2)); # X4
-&xor($f,$tmp1); # X5
- &mov($tmp1,&swtmp($n3)); # X6
-&rotr($c,1); #&rotr($b,1); # B1 <- F # MOVED DOWN
- &xor($f,$tmp1); # X7 - slot
-&rotl($f,1); # X8 - slot
- &mov($tmp1,$c); # F1
-&xor($tmp1,$d); # F2
- &mov(&swtmp($n0),$f); # X9 - anytime
-&and($tmp1,$b); # F3
- &lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e
-
-&xor($tmp1,$d); # F4
- &mov($e,$a); # A1
-
-&rotl($e,5); # A2
-
-&rotr($b,1); # B1 <- F
- &add($f,$e); # tot+=a
-
-&rotr($b,1); # B1 <- F
- &add($f,$tmp1); # tot+=F();
-
+ &mov($f,&swtmp($n1)); # f to hold Xupdate(xi,xa,xb,xc,xd)
+ &mov($tmp1,$c); # tmp1 to hold F_00_19(b,c,d)
+ &xor($f,&swtmp($n0));
+ &xor($tmp1,$d);
+ &xor($f,&swtmp($n2));
+ &and($tmp1,$b); # tmp1 holds F_00_19(b,c,d)
+ &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd
+ &rotr($b,2); # b=ROTATE(b,30)
+ &xor($tmp1,$d); # tmp1=F_00_19(b,c,d)
+ &rotl($f,1); # f=ROATE(f,1)
+ &mov(&swtmp($n0),$f); # xi=f
+ &lea($f,&DWP($K,$f,$e,1)); # f+=K_00_19+e
+ &mov($e,$a); # e becomes volatile
+ &add($f,$tmp1); # f+=F_00_19(b,c,d)
+ &rotl($e,5); # e=ROTATE(a,5)
+ &add($f,$e); # f+=ROTATE(a,5)
}
sub BODY_20_39
@@ -201,42 +151,21 @@ sub BODY_20_39
&comment("20_39 $n");
local($n0,$n1,$n2,$n3,$np)=&Na($n);
-&mov($f,&swtmp($n0)); # X1
- &mov($tmp1,&swtmp($n1)); # X2
-&xor($f,$tmp1); # X3
- &mov($tmp1,&swtmp($n2)); # X4
-&xor($f,$tmp1); # X5
- &mov($tmp1,&swtmp($n3)); # X6
-&xor($f,$tmp1); # X7 - slot
- &mov($tmp1,$b); # F1
-&rotl($f,1); # X8 - slot
- &xor($tmp1,$c); # F2
-&mov(&swtmp($n0),$f); # X9 - anytime
- &xor($tmp1,$d); # F3
-
-&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e
- &mov($e,$a); # A1
-
-&rotl($e,5); # A2
-
-if ($n != 79) # last loop
- {
- &rotr($b,1); # B1 <- F
- &add($e,$tmp1); # tmp1=F()+a
-
- &rotr($b,1); # B2 <- F
- &add($f,$e); # tot+=tmp1;
- }
-else
- {
- &add($e,$tmp1); # tmp1=F()+a
- &mov($tmp1,&wparam(0));
-
- &rotr($b,1); # B1 <- F
- &add($f,$e); # tot+=tmp1;
-
- &rotr($b,1); # B2 <- F
- }
+ &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd)
+ &mov($tmp1,$b); # tmp1 to hold F_20_39(b,c,d)
+ &xor($f,&swtmp($n1));
+ &rotr($b,2); # b=ROTATE(b,30)
+ &xor($f,&swtmp($n2));
+ &xor($tmp1,$c);
+ &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd
+ &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d)
+ &rotl($f,1); # f=ROTATE(f,1)
+ &mov(&swtmp($n0),$f); # xi=f
+ &lea($f,&DWP($K,$f,$e,1)); # f+=K_20_39+e
+ &mov($e,$a); # e becomes volatile
+ &rotl($e,5); # e=ROTATE(a,5)
+ &add($f,$tmp1); # f+=F_20_39(b,c,d)
+ &add($f,$e); # f+=ROTATE(a,5)
}
sub BODY_40_59
@@ -244,70 +173,27 @@ sub BODY_40_59
local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_;
&comment("40_59 $n");
- return if $n & 1;
local($n0,$n1,$n2,$n3,$np)=&Na($n);
-&mov($f,&swtmp($n0)); # X1
- &mov($tmp1,&swtmp($n1)); # X2
-&xor($f,$tmp1); # X3
- &mov($tmp1,&swtmp($n2)); # X4
-&xor($f,$tmp1); # X5
- &mov($tmp1,&swtmp($n3)); # X6
-&xor($f,$tmp1); # X7 - slot
- &mov($tmp1,$b); # F1
-&rotl($f,1); # X8 - slot
- &or($tmp1,$c); # F2
-&mov(&swtmp($n0),$f); # X9 - anytime
- &and($tmp1,$d); # F3
-
-&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e
- &mov($e,$b); # F4
-
-&rotr($b,1); # B1 <- F
- &and($e,$c); # F5
-
-&or($tmp1,$e); # F6
- &mov($e,$a); # A1
-
-&rotl($e,5); # A2
-
-&add($tmp1,$e); # tmp1=F()+a
-
-############################
-# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T);
-# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E);
-$n++;
- local($n0,$n1,$n2,$n3,$np)=&Na($n);
- ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f);
-
- &mov($f,&swtmp($n0)); # X1
-&add($a,$tmp1); # tot+=tmp1; # moved was add f,tmp1
- &mov($tmp1,&swtmp($n1)); # X2
-&xor($f,$tmp1); # X3
- &mov($tmp1,&swtmp($n2)); # X4
-&xor($f,$tmp1); # X5
- &mov($tmp1,&swtmp($n3)); # X6
-&rotr($c,1); # B2 <- F # moved was rotr b,1
- &xor($f,$tmp1); # X7 - slot
-&rotl($f,1); # X8 - slot
- &mov($tmp1,$b); # F1
-&mov(&swtmp($n0),$f); # X9 - anytime
- &or($tmp1,$c); # F2
-&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e
- &mov($e,$b); # F4
-&and($tmp1,$d); # F3
- &and($e,$c); # F5
-
-&or($tmp1,$e); # F6
- &mov($e,$a); # A1
-
-&rotl($e,5); # A2
-
-&rotr($b,1); # B1 <- F
- &add($tmp1,$e); # tmp1=F()+a
-
-&rotr($b,1); # B2 <- F
- &add($f,$tmp1); # tot+=tmp1;
+ &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd)
+ &mov($tmp1,$b); # tmp1 to hold F_40_59(b,c,d)
+ &xor($f,&swtmp($n1));
+ &or($tmp1,$c);
+ &xor($f,&swtmp($n2));
+ &and($tmp1,$d);
+ &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd
+ &rotl($f,1); # f=ROTATE(f,1)
+ &mov(&swtmp($n0),$f); # xi=f
+ &lea($f,&DWP($K,$f,$e,1)); # f+=K_40_59+e
+ &mov($e,$b); # e becomes volatile and is used
+ # to calculate F_40_59(b,c,d)
+ &rotr($b,2); # b=ROTATE(b,30)
+ &and($e,$c);
+ &or($tmp1,$e); # tmp1 holds F_40_59(b,c,d)
+ &mov($e,$a);
+ &rotl($e,5); # e=ROTATE(a,5)
+ &add($tmp1,$e); # tmp1+=ROTATE(a,5)
+ &add($f,$tmp1); # f+=tmp1;
}
sub BODY_60_79
@@ -495,8 +381,7 @@ sub sha1_block_data
# C -> E
# D -> T
- # The last 2 have been moved into the last loop
- # &mov($tmp1,&wparam(0));
+ &mov($tmp1,&wparam(0));
&mov($D, &DWP(12,$tmp1,"",0));
&add($D,$B);
diff --git a/src/lib/libcrypto/ui/ui_lib.c b/src/lib/libcrypto/ui/ui_lib.c
index 13e5f20dcb..dbc9711a2d 100644
--- a/src/lib/libcrypto/ui/ui_lib.c
+++ b/src/lib/libcrypto/ui/ui_lib.c
@@ -430,14 +430,14 @@ char *UI_construct_prompt(UI *ui, const char *object_desc,
len += sizeof(prompt3) - 1;
prompt = (char *)OPENSSL_malloc(len + 1);
- strcpy(prompt, prompt1);
- strcat(prompt, object_desc);
+ BUF_strlcpy(prompt, prompt1, len + 1);
+ BUF_strlcat(prompt, object_desc, len + 1);
if (object_name)
{
- strcat(prompt, prompt2);
- strcat(prompt, object_name);
+ BUF_strlcat(prompt, prompt2, len + 1);
+ BUF_strlcat(prompt, object_name, len + 1);
}
- strcat(prompt, prompt3);
+ BUF_strlcat(prompt, prompt3, len + 1);
}
return prompt;
}
@@ -865,7 +865,8 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result)
return -1;
}
- strcpy(uis->result_buf, result);
+ BUF_strlcpy(uis->result_buf, result,
+ uis->_.string_data.result_maxsize + 1);
break;
case UIT_BOOLEAN:
{
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 448bd7e69c..6207340472 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -302,8 +302,38 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
k=0;
for (;;)
{
- sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h,
- postfix,k);
+ char c = '/';
+#ifdef OPENSSL_SYS_VMS
+ c = ctx->dirs[i][strlen(ctx->dirs[i])-1];
+ if (c != ':' && c != '>' && c != ']')
+ {
+ /* If no separator is present, we assume the
+ directory specifier is a logical name, and
+ add a colon. We really should use better
+ VMS routines for merging things like this,
+ but this will do for now...
+ -- Richard Levitte */
+ c = ':';
+ }
+ else
+ {
+ c = '\0';
+ }
+#endif
+ if (c == '\0')
+ {
+ /* This is special. When c == '\0', no
+ directory separator should be added. */
+ BIO_snprintf(b->data,b->max,
+ "%s%08lx.%s%d",ctx->dirs[i],h,
+ postfix,k);
+ }
+ else
+ {
+ BIO_snprintf(b->data,b->max,
+ "%s%c%08lx.%s%d",ctx->dirs[i],c,h,
+ postfix,k);
+ }
k++;
if (stat(b->data,&st) < 0)
break;
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index eaad5685a8..8d0c7e2e17 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -810,10 +810,6 @@ X509_REQ *X509_REQ_dup(X509_REQ *req);
X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
X509_NAME *X509_NAME_dup(X509_NAME *xn);
X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
-#ifndef OPENSSL_NO_RSA
-RSA *RSAPublicKey_dup(RSA *rsa);
-RSA *RSAPrivateKey_dup(RSA *rsa);
-#endif
#endif /* !SSLEAY_MACROS */
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index 4f83db8ba2..e31ebc6741 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -147,8 +147,14 @@ const char *X509_verify_cert_error_string(long n)
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
return("unhandled critical extension");
+ case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
+ return("key usage does not include CRL signing");
+
+ case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
+ return("unhandled critical CRL extension");
+
default:
- sprintf(buf,"error number %ld",n);
+ BIO_snprintf(buf,sizeof buf,"error number %ld",n);
return(buf);
}
}
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 2bb21b443e..2e4d0b823a 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
/* Check all untrusted certificates */
for (i = 0; i < ctx->last_untrusted; i++)
{
+ int ret;
x = sk_X509_value(ctx->chain, i);
if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
&& (x->ex_flags & EXFLAG_CRITICAL))
@@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
ok=cb(0,ctx);
if (!ok) goto end;
}
- if (!X509_check_purpose(x, ctx->purpose, i))
+ ret = X509_check_purpose(x, ctx->purpose, i);
+ if ((ret == 0)
+ || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+ && (ret != 1)))
{
if (i)
ctx->error = X509_V_ERR_INVALID_CA;
@@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if(issuer)
{
+ /* Check for cRLSign bit if keyUsage present */
+ if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
+ !(issuer->ex_kusage & KU_CRL_SIGN))
+ {
+ ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
+ ok = ctx->verify_cb(0, ctx);
+ if(!ok) goto err;
+ }
/* Attempt to get issuer certificate public key */
ikey = X509_get_pubkey(issuer);
@@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
int idx, ok;
X509_REVOKED rtmp;
+ STACK_OF(X509_EXTENSION) *exts;
+ X509_EXTENSION *ext;
/* Look for serial number of certificate in CRL */
rtmp.serialNumber = X509_get_serialNumber(x);
idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
- /* Not found: OK */
- if(idx == -1) return 1;
- /* Otherwise revoked: want something cleverer than
+ /* If found assume revoked: want something cleverer than
* this to handle entry extensions in V2 CRLs.
*/
- ctx->error = X509_V_ERR_CERT_REVOKED;
- ok = ctx->verify_cb(0, ctx);
- return ok;
+ if(idx >= 0)
+ {
+ ctx->error = X509_V_ERR_CERT_REVOKED;
+ ok = ctx->verify_cb(0, ctx);
+ if (!ok) return 0;
+ }
+
+ if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+ return 1;
+
+ /* See if we have any critical CRL extensions: since we
+ * currently don't handle any CRL extensions the CRL must be
+ * rejected.
+ * This code accesses the X509_CRL structure directly: applications
+ * shouldn't do this.
+ */
+
+ exts = crl->crl->extensions;
+
+ for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
+ {
+ ext = sk_X509_EXTENSION_value(exts, idx);
+ if (ext->critical > 0)
+ {
+ ctx->error =
+ X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
+ ok = ctx->verify_cb(0, ctx);
+ if(!ok) return 0;
+ break;
+ }
+ }
+ return 1;
}
static int internal_verify(X509_STORE_CTX *ctx)
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index f0be21f452..198495884c 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -304,17 +304,26 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
+#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
+#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
/* Certificate verify flags */
-#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 /* Send issuer+subject checks to verify_cb */
-#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */
-#define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */
-#define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */
-#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */
+/* Send issuer+subject checks to verify_cb */
+#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
+/* Use check time instead of current time */
+#define X509_V_FLAG_USE_CHECK_TIME 0x2
+/* Lookup CRLs */
+#define X509_V_FLAG_CRL_CHECK 0x4
+/* Lookup CRLs for whole chain */
+#define X509_V_FLAG_CRL_CHECK_ALL 0x8
+/* Ignore unhandled critical extensions */
+#define X509_V_FLAG_IGNORE_CRITICAL 0x10
+/* Disable workarounds for broken certificates */
+#define X509_V_FLAG_X509_STRICT 0x20
int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name);
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
index f78c2a6b43..c25959a742 100644
--- a/src/lib/libcrypto/x509/x509type.c
+++ b/src/lib/libcrypto/x509/x509type.c
@@ -106,7 +106,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
break;
}
- if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look
+ if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
for, not bytes */
ret|=EVP_PKT_EXP;
if(pkey==NULL) EVP_PKEY_free(pk);
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
index 0e9e7dcb4f..58b935a3b6 100644
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -137,7 +137,8 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
X509V3_add_value("IP Address","<invalid>", &ret);
break;
}
- sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+ BIO_snprintf(oline, sizeof oline,
+ "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
X509V3_add_value("IP Address",oline, &ret);
break;
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
index 894a8b94d8..f90829c574 100644
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -156,7 +156,7 @@ ASN1_SEQUENCE(DIST_POINT) = {
IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, DIST_POINT, DIST_POINT)
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT)
ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
index e269df1373..53e3f48859 100644
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -105,7 +105,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
STACK_OF(CONF_VALUE) *ret)
{
ACCESS_DESCRIPTION *desc;
- int i;
+ int i,nlen;
char objtmp[80], *ntmp;
CONF_VALUE *vtmp;
for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
@@ -114,15 +114,16 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
if(!ret) break;
vtmp = sk_CONF_VALUE_value(ret, i);
i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
- ntmp = OPENSSL_malloc(strlen(objtmp) + strlen(vtmp->name) + 5);
+ nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
+ ntmp = OPENSSL_malloc(nlen);
if(!ntmp) {
X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
ERR_R_MALLOC_FAILURE);
return NULL;
}
- strcpy(ntmp, objtmp);
- strcat(ntmp, " - ");
- strcat(ntmp, vtmp->name);
+ BUF_strlcpy(ntmp, objtmp, nlen);
+ BUF_strlcat(ntmp, " - ", nlen);
+ BUF_strlcat(ntmp, vtmp->name, nlen);
OPENSSL_free(vtmp->name);
vtmp->name = ntmp;
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index 4d145f71fd..b3d1ae5d1c 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -3,7 +3,7 @@
* project 2001.
*/
/* ====================================================================
- * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -415,6 +415,7 @@ static void x509v3_cache_extensions(X509 *x)
* 1 is a CA
* 2 basicConstraints absent so "maybe" a CA
* 3 basicConstraints absent but self signed V1.
+ * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
*/
#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
@@ -436,7 +437,7 @@ static int ca_check(const X509 *x)
} else {
if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
/* If key usage present it must have certSign so tolerate it */
- else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
+ else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
else return 2;
}
}
diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE
index dddb07842b..40277883a5 100644
--- a/src/lib/libssl/LICENSE
+++ b/src/lib/libssl/LICENSE
@@ -12,7 +12,7 @@
---------------
/* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
index eca51c3322..854d1f164e 100644
--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -38,10 +38,14 @@ dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
+#crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
@@ -58,6 +62,7 @@ cert_opt = ca_default # Certificate field options
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index eb7daebfdf..26ce0cb963 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -117,7 +117,6 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
-#include "cryptlib.h"
static SSL_METHOD *ssl3_get_client_method(int ver);
static int ssl3_client_hello(SSL *s);
@@ -1947,7 +1946,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
if (algs & SSL_kRSA)
{
if (rsa == NULL
- || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
+ || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
goto f_err;
@@ -1959,7 +1958,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
if (dh == NULL
- || DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
+ || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
goto f_err;
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 896b12fc4f..d04096016c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -271,6 +271,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
/* Cipher 07 */
+#ifndef OPENSSL_NO_IDEA
{
1,
SSL3_TXT_RSA_IDEA_128_SHA,
@@ -283,6 +284,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
+#endif
/* Cipher 08 */
{
1,
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 3f88429e79..9f3e5139ad 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1085,6 +1085,14 @@ start:
goto err;
}
+ /* Check we have a cipher to change to */
+ if (s->s3->tmp.new_cipher == NULL)
+ {
+ i=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
+ goto err;
+ }
+
rr->length=0;
if (s->msg_callback)
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 881f68b998..deb3cffabe 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -121,9 +121,10 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#ifndef OPENSSL_NO_KRB5
#include <openssl/krb5_asn.h>
+#endif
#include <openssl/md5.h>
-#include "cryptlib.h"
static SSL_METHOD *ssl3_get_server_method(int ver);
static int ssl3_get_client_hello(SSL *s);
@@ -1587,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
n2s(p,i);
enc_ticket.length = i;
+
+ if (n < enc_ticket.length + 6)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+
enc_ticket.data = (char *)p;
p+=enc_ticket.length;
n2s(p,i);
authenticator.length = i;
+
+ if (n < enc_ticket.length + authenticator.length + 6)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+
authenticator.data = (char *)p;
p+=authenticator.length;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 4ae8458259..913bd40eea 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1357,8 +1357,8 @@ const char *SSL_alert_type_string(int value);
const char *SSL_alert_desc_string_long(int value);
const char *SSL_alert_desc_string(int value);
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
int SSL_add_client_CA(SSL *ssl,X509 *x);
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index 16bc11b559..d8ff8fc4a3 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -62,7 +62,6 @@
#include <openssl/asn1_mac.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
-#include "cryptlib.h"
typedef struct ssl_session_asn1_st
{
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index da90078a37..2cfb615878 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -505,12 +505,12 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
return(i);
}
-static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *list)
+static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
{
if (*ca_list != NULL)
sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
- *ca_list=list;
+ *ca_list=name_list;
}
STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
@@ -532,14 +532,14 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
return(ret);
}
-void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *list)
+void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
{
- set_client_CA_list(&(s->client_CA),list);
+ set_client_CA_list(&(s->client_CA),name_list);
}
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *list)
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
{
- set_client_CA_list(&(ctx->client_CA),list);
+ set_client_CA_list(&(ctx->client_CA),name_list);
}
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 888b667fa1..44c503eb04 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -125,7 +125,9 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0},
+#ifndef OPENSSL_NO_IDEA
{0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0},
+#endif
{0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0},
@@ -166,8 +168,12 @@ static void load_ciphers(void)
EVP_get_cipherbyname(SN_rc4);
ssl_cipher_methods[SSL_ENC_RC2_IDX]=
EVP_get_cipherbyname(SN_rc2_cbc);
+#ifndef OPENSSL_NO_IDEA
ssl_cipher_methods[SSL_ENC_IDEA_IDX]=
EVP_get_cipherbyname(SN_idea_cbc);
+#else
+ ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL;
+#endif
ssl_cipher_methods[SSL_ENC_AES128_IDX]=
EVP_get_cipherbyname(SN_aes_128_cbc);
ssl_cipher_methods[SSL_ENC_AES256_IDX]=
@@ -334,10 +340,10 @@ static unsigned long ssl_cipher_get_disabled(void)
}
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
- int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list,
+ int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
{
- int i, list_num;
+ int i, co_list_num;
SSL_CIPHER *c;
/*
@@ -348,18 +354,18 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
*/
/* Get the initial list of ciphers */
- list_num = 0; /* actual count of ciphers */
+ co_list_num = 0; /* actual count of ciphers */
for (i = 0; i < num_of_ciphers; i++)
{
c = ssl_method->get_cipher(i);
/* drop those that use any of that is not available */
if ((c != NULL) && c->valid && !(c->algorithms & mask))
{
- list[list_num].cipher = c;
- list[list_num].next = NULL;
- list[list_num].prev = NULL;
- list[list_num].active = 0;
- list_num++;
+ co_list[co_list_num].cipher = c;
+ co_list[co_list_num].next = NULL;
+ co_list[co_list_num].prev = NULL;
+ co_list[co_list_num].active = 0;
+ co_list_num++;
#ifdef KSSL_DEBUG
printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms);
#endif /* KSSL_DEBUG */
@@ -372,18 +378,18 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
/*
* Prepare linked list from list entries
*/
- for (i = 1; i < list_num - 1; i++)
+ for (i = 1; i < co_list_num - 1; i++)
{
- list[i].prev = &(list[i-1]);
- list[i].next = &(list[i+1]);
+ co_list[i].prev = &(co_list[i-1]);
+ co_list[i].next = &(co_list[i+1]);
}
- if (list_num > 0)
+ if (co_list_num > 0)
{
- (*head_p) = &(list[0]);
+ (*head_p) = &(co_list[0]);
(*head_p)->prev = NULL;
- (*head_p)->next = &(list[1]);
- (*tail_p) = &(list[list_num - 1]);
- (*tail_p)->prev = &(list[list_num - 2]);
+ (*head_p)->next = &(co_list[1]);
+ (*tail_p) = &(co_list[co_list_num - 1]);
+ (*tail_p)->prev = &(co_list[co_list_num - 2]);
(*tail_p)->next = NULL;
}
}
@@ -429,7 +435,7 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
unsigned long algo_strength, unsigned long mask_strength,
- int rule, int strength_bits, CIPHER_ORDER *list,
+ int rule, int strength_bits, CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
{
CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
@@ -524,8 +530,9 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
*tail_p = tail;
}
-static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p,
- CIPHER_ORDER **tail_p)
+static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
+ CIPHER_ORDER **head_p,
+ CIPHER_ORDER **tail_p)
{
int max_strength_bits, i, *number_uses;
CIPHER_ORDER *curr;
@@ -570,14 +577,14 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p,
for (i = max_strength_bits; i >= 0; i--)
if (number_uses[i] > 0)
ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
- list, head_p, tail_p);
+ co_list, head_p, tail_p);
OPENSSL_free(number_uses);
return(1);
}
static int ssl_cipher_process_rulestr(const char *rule_str,
- CIPHER_ORDER *list, CIPHER_ORDER **head_p,
+ CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
{
unsigned long algorithms, mask, algo_strength, mask_strength;
@@ -702,7 +709,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
ok = 0;
if ((buflen == 8) &&
!strncmp(buf, "STRENGTH", 8))
- ok = ssl_cipher_strength_sort(list,
+ ok = ssl_cipher_strength_sort(co_list,
head_p, tail_p);
else
SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
@@ -722,7 +729,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
{
ssl_cipher_apply_rule(algorithms, mask,
algo_strength, mask_strength, rule, -1,
- list, head_p, tail_p);
+ co_list, head_p, tail_p);
}
else
{
@@ -744,7 +751,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
unsigned long disabled_mask;
STACK_OF(SSL_CIPHER) *cipherstack;
const char *rule_p;
- CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr;
+ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
SSL_CIPHER **ca_list = NULL;
/*
@@ -774,15 +781,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
#ifdef KSSL_DEBUG
printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
#endif /* KSSL_DEBUG */
- list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
- if (list == NULL)
+ co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
+ if (co_list == NULL)
{
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
return(NULL); /* Failure */
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
- list, &head, &tail);
+ co_list, &head, &tail);
/*
* We also need cipher aliases for selecting based on the rule_str.
@@ -798,7 +805,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
(SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
if (ca_list == NULL)
{
- OPENSSL_free(list);
+ OPENSSL_free(co_list);
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
return(NULL); /* Failure */
}
@@ -814,21 +821,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if (strncmp(rule_str,"DEFAULT",7) == 0)
{
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
- list, &head, &tail, ca_list);
+ co_list, &head, &tail, ca_list);
rule_p += 7;
if (*rule_p == ':')
rule_p++;
}
if (ok && (strlen(rule_p) > 0))
- ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail,
+ ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail,
ca_list);
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok)
{ /* Rule processing failure */
- OPENSSL_free(list);
+ OPENSSL_free(co_list);
return(NULL);
}
/*
@@ -837,7 +844,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
{
- OPENSSL_free(list);
+ OPENSSL_free(co_list);
return(NULL);
}
@@ -855,7 +862,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
#endif
}
}
- OPENSSL_free(list); /* Not needed any longer */
+ OPENSSL_free(co_list); /* Not needed any longer */
/*
* The following passage is a little bit odd. If pointer variables
@@ -905,7 +912,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
{
int is_export,pkl,kl;
- char *ver,*exp;
+ char *ver,*exp_str;
char *kx,*au,*enc,*mac;
unsigned long alg,alg2,alg_s;
#ifdef KSSL_DEBUG
@@ -921,7 +928,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
is_export=SSL_C_IS_EXPORT(cipher);
pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
kl=SSL_C_EXPORT_KEYLENGTH(cipher);
- exp=is_export?" export":"";
+ exp_str=is_export?" export":"";
if (alg & SSL_SSLV2)
ver="SSLv2";
@@ -1040,9 +1047,9 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
return("Buffer too small");
#ifdef KSSL_DEBUG
- BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp,alg);
+ BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg);
#else
- BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp);
+ BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
#endif /* KSSL_DEBUG */
return(buf);
}
@@ -1129,11 +1136,11 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
{
MemCheck_on();
SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
- return(0);
+ return(1);
}
else
{
MemCheck_on();
- return(1);
+ return(0);
}
}
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 6d69890688..ee9a82d586 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -121,7 +121,6 @@
#include <openssl/objects.h>
#include <openssl/lhash.h>
#include <openssl/x509v3.h>
-#include "cryptlib.h"
const char *SSL_version_str=OPENSSL_VERSION_TEXT;
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index fabcdefa6e..7016c87d3b 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -60,7 +60,6 @@
#include <openssl/lhash.h>
#include <openssl/rand.h>
#include "ssl_locl.h"
-#include "cryptlib.h"
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
--
cgit v1.2.3-55-g6feb