author | nectar <nectar@FreeBSD.org> | 2003-10-01 12:32:41 +0000 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2003-10-01 12:32:41 +0000 |
commit | ee25ce74b3f6742c1079590363995e56ff51b014 (patch) | |
tree | 69b3ffc611270d72c473248fe700c2942eb5e6b5 /crypto/openssl | |
parent | 5d79b842c13e718f85a9f2e1676e361b6fc55367 (diff) | |
Vendor import of OpenSSL 0.9.7c
Diffstat (limited to 'crypto/openssl')
137 files changed, 1616 insertions, 589 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 0ef0122..b863079 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES 
@@ -2,6 +2,92 @@ OpenSSL CHANGES _______________ + Changes between 0.9.7b and 0.9.7c [30 Sep 2003] + + *) Fix various bugs revealed by running the NISCC test suite: + + Stop out of bounds reads in the ASN1 code when presented with + invalid tags (CAN-2003-0543 and CAN-2003-0544). + + Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545). + + If verify callback ignores invalid public key errors don't try to check + certificate signature with the NULL public key. + + [Steve Henson] + + *) New -ignore_err option in ocsp application to stop the server + exiting on the first error in a request. + [Steve Henson] + + *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate + if the server requested one: as stated in TLS 1.0 and SSL 3.0 + specifications. + [Steve Henson] + + *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional + extra data after the compression methods not only for TLS 1.0 + but also for SSL 3.0 (as required by the specification). + [Bodo Moeller; problem pointed out by Matthias Loepfe] + + *) Change X509_certificate_type() to mark the key as exported/exportable + when it's 512 *bits* long, not 512 bytes. + [Richard Levitte] + + *) Change AES_cbc_encrypt() so it outputs exact multiple of + blocks during encryption. + [Richard Levitte] + + *) Various fixes to base64 BIO and non blocking I/O. On write + flushes were not handled properly if the BIO retried. On read + data was not being buffered properly and had various logic bugs. + This also affects blocking I/O when the data being decoded is a + certain size. + [Steve Henson] + + *) Various S/MIME bugfixes and compatibility changes: + output correct application/pkcs7 MIME type if + PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. + Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening + of files as .eml work). Correctly handle very long lines in MIME + parser. 
+ [Steve Henson] + + Changes between 0.9.7a and 0.9.7b [10 Apr 2003] + + *) Countermeasure against the Klima-Pokorny-Rosa extension of + Bleichbacher's attack on PKCS #1 v1.5 padding: treat + a protocol version number mismatch like a decryption error + in ssl3_get_client_key_exchange (ssl/s3_srvr.c). + [Bodo Moeller] + + *) Turn on RSA blinding by default in the default implementation + to avoid a timing attack. Applications that don't want it can call + RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. + They would be ill-advised to do so in most cases. + [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] + + *) Change RSA blinding code so that it works when the PRNG is not + seeded (in this case, the secret RSA exponent is abused as + an unpredictable seed -- if it is not unpredictable, there + is no point in blinding anyway). Make RSA blinding thread-safe + by remembering the creator's thread ID in rsa->blinding and + having all other threads use local one-time blinding factors + (this requires more computation than sharing rsa->blinding, but + avoids excessive locking; and if an RSA object is not shared + between threads, blinding will still be very fast). + [Bodo Moeller] + + *) Fixed a typo bug that would cause ENGINE_set_default() to set an + ENGINE as defaults for all supported algorithms irrespective of + the 'flags' parameter. 'flags' is now honoured, so applications + should make sure they are passing it correctly. + [Geoff Thorpe] + + *) Target "mingw" now allows native Windows code to be generated in + the Cygwin environment as well as with the MinGW compiler. + [Ulf Moeller] + Changes between 0.9.7 and 0.9.7a [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked 
@@ -85,6 +171,9 @@ Changes between 0.9.6h and 0.9.7 [31 Dec 2002] + [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after + OpenSSL 0.9.7.] + *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED code (06) was taken as the first octet of the session ID and the last octet was ignored consequently. As a result SSLv2 client side session 
@@ -1903,6 +1992,57 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] + Changes between 0.9.6j and 0.9.6k [30 Sep 2003] + + *) Fix various bugs revealed by running the NISCC test suite: + + Stop out of bounds reads in the ASN1 code when presented with + invalid tags (CAN-2003-0543 and CAN-2003-0544). + + If verify callback ignores invalid public key errors don't try to check + certificate signature with the NULL public key. + + [Steve Henson] + + *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate + if the server requested one: as stated in TLS 1.0 and SSL 3.0 + specifications. + [Steve Henson] + + *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional + extra data after the compression methods not only for TLS 1.0 + but also for SSL 3.0 (as required by the specification). + [Bodo Moeller; problem pointed out by Matthias Loepfe] + + *) Change X509_certificate_type() to mark the key as exported/exportable + when it's 512 *bits* long, not 512 bytes. + [Richard Levitte] + + Changes between 0.9.6i and 0.9.6j [10 Apr 2003] + + *) Countermeasure against the Klima-Pokorny-Rosa extension of + Bleichbacher's attack on PKCS #1 v1.5 padding: treat + a protocol version number mismatch like a decryption error + in ssl3_get_client_key_exchange (ssl/s3_srvr.c). + [Bodo Moeller] + + *) Turn on RSA blinding by default in the default implementation + to avoid a timing attack. Applications that don't want it can call + RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. + They would be ill-advised to do so in most cases. + [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] + + *) Change RSA blinding code so that it works when the PRNG is not + seeded (in this case, the secret RSA exponent is abused as + an unpredictable seed -- if it is not unpredictable, there + is no point in blinding anyway). 
Make RSA blinding thread-safe + by remembering the creator's thread ID in rsa->blinding and + having all other threads use local one-time blinding factors + (this requires more computation than sharing rsa->blinding, but + avoids excessive locking; and if an RSA object is not shared + between threads, blinding will still be very fast). + [Bodo Moeller] + Changes between 0.9.6h and 0.9.6i [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 768651f..61331db 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure 
@@ -219,7 +219,7 @@ my %table=( # './Configure irix-[g]cc' manually. # -mips4 flag is added by ./config when appropriate. "irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # N64 ABI builds. "irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
@@ -390,6 +390,7 @@ my %table=( "linux-s390", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-ia64-ecc", "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
@@ -506,10 +507,8 @@ my %table=( "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN::::::::::win32", "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::", -# Mingw32 -# (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl -# and its library files in util/pl/*) -"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", +# MinGW +"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll", # UWIN "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", @@ -561,6 +560,8 @@ my %table=( "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::", "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::", "vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::", +"vxworks-ppc860","ccppc:-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::", +"vxworks-mipsle","ccmips:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r::::::::::::::::ranlibmips:", ##### Compaq Non-Stop Kernel (Tandem) "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::", 
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index 389d786..ca5683d 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -68,7 +68,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.7a was released on February 19, 2003. +OpenSSL 0.9.7c was released on September 30, 2003. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -732,6 +732,7 @@ The general answer is to check the config.log file generated when running the OpenSSH configure script. It should contain the detailed information on why the OpenSSL library was not detected or considered incompatible. + * Can I use OpenSSL's SSL library with non-blocking I/O? Yes; make sure to read the SSL_get_error(3) manual page! diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE index 7b93e0d..dddb078 100644 --- a/crypto/openssl/LICENSE +++ b/crypto/openssl/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org index 8609019..e80b22a 100644 --- a/crypto/openssl/Makefile.org +++ b/crypto/openssl/Makefile.org @@ -78,7 +78,7 @@ MAKEDEPPROG=makedepend # gcc, then the driver will automatically translate it to -xarch=v8plus # and pass it down to assembler. AS=$(CC) -c -ASFLAGS=$(CFLAG) +ASFLAG=$(CFLAG) # Set BN_ASM to bn_asm.o if you want to use the C version BN_ASM= bn_asm.o @@ -194,6 +194,7 @@ MAKE= make -f Makefile.ssl MANDIR=$(OPENSSLDIR)/man MAN1=1 MAN3=3 +MANSUFFIX= SHELL=/bin/sh TOP= . 
@@ -225,7 +226,7 @@ sub_all: do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAGS='${ASFLAGS}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ else \ $(MAKE) $$i; \ fi; \ @@ -410,9 +411,10 @@ do_svr3-shared: find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ - OBJS="$${OBJS} `grep $$obj allobjs`" ; \ + OBJS="$${OBJS} `grep /$$obj allobjs`" ; \ done ; \ - set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + set -x; ${CC} ${SHARED_LDFLAGS} \ + -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ 
@@ -429,13 +431,16 @@ do_svr5-shared: libs="$(LIBKRB5) $$libs"; \ fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ + SHARE_FLAG='-G'; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \ find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ - OBJS="$${OBJS} `grep $$obj allobjs`" ; \ + OBJS="$${OBJS} `grep /$$obj allobjs`" ; \ done ; \ - set -x; ${CC} ${SHARED_LDFLAGS} \ - -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \ + ${CC} ${SHARED_LDFLAGS} \ + $${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ @@ -589,10 +594,10 @@ Makefile.ssl: Makefile.org @false libclean: - rm -f *.a */lib */*/lib + rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib -clean: - rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c +clean: libclean + rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ @@ -602,7 +607,7 @@ clean: fi; \ done; rm -f openssl.pc - rm -f *.a *.o speed.* *.map *.so .pure core + rm -f speed.* .pure rm -f $(TARFILE) @for i in $(ONEDIRS) ;\ do \ @@ -652,7 +657,10 @@ rehash: rehash.time rehash.time: certs @(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \ export OPENSSL OPENSSL_DEBUG_MEMORY; \ - LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \ + LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ $(PERL) tools/c_rehash certs) 
@@ -663,10 +671,13 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests ); - @LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \ - if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ - export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ - apps/openssl version -a + @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ + if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ + export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ + apps/openssl version -a report: @$(PERL) util/selftest.pl @@ -821,6 +832,7 @@ install: all install_docs fi; \ fi cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ 
@@ -837,33 +849,33 @@ install_docs: for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ - echo "installing man$$sec/$$fn.$$sec"; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ - $$here/util/point.sh $$fn.$$sec $$n.$$sec; \ + $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ done); \ done; \ for i in doc/crypto/*.pod doc/ssl/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ - echo "installing man$$sec/$$fn.$$sec"; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ - $$here/util/point.sh $$fn.$$sec $$n.$$sec; \ + $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ done); \ done diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl index 04de989..2a74a3d 100644 --- a/crypto/openssl/Makefile.ssl +++ b/crypto/openssl/Makefile.ssl @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.7a +VERSION=0.9.7c MAJOR=0 MINOR=9.7 SHLIB_VERSION_NUMBER=0.9.7 
@@ -12,9 +12,9 @@ SHLIB_VERSION_HISTORY= SHLIB_MAJOR=0 SHLIB_MINOR=9.7 SHLIB_EXT= -PLATFORM=dist +PLATFORM=VC-WIN16 OPTIONS= no-krb5 -CONFIGURE_ARGS=dist +CONFIGURE_ARGS=VC-WIN16 SHLIB_TARGET= # HERE indicates where this Makefile lives. This can be used to indicate @@ -59,9 +59,9 @@ OPENSSLDIR=/usr/local/ssl # equal 4. # PKCS1_CHECK - pkcs1 tests. -CC= cc +CC= cl #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -CFLAG= -DOPENSSL_NO_KRB5 -O +CFLAG= -DOPENSSL_SYSNAME_WIN16 -DOPENSSL_NO_KRB5 DEPFLAG= PEX_LIBS= EX_LIBS= @@ -69,7 +69,7 @@ EXE_EXT= ARFLAGS= AR=ar $(ARFLAGS) r RANLIB= /usr/bin/ranlib -PERL= /usr/local/bin/perl +PERL= /usr/local/bin/perl5 TAR= tar TARFLAGS= --no-recursion MAKEDEPPROG=makedepend @@ -80,7 +80,7 @@ MAKEDEPPROG=makedepend # gcc, then the driver will automatically translate it to -xarch=v8plus # and pass it down to assembler. AS=$(CC) -c -ASFLAGS=$(CFLAG) +ASFLAG=$(CFLAG) # Set BN_ASM to bn_asm.o if you want to use the C version BN_ASM= bn_asm.o @@ -196,6 +196,7 @@ MAKE= make -f Makefile.ssl MANDIR=$(OPENSSLDIR)/man MAN1=1 MAN3=3 +MANSUFFIX= SHELL=/bin/sh TOP= . 
@@ -227,7 +228,7 @@ sub_all: do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAGS='${ASFLAGS}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ else \ $(MAKE) $$i; \ fi; \ @@ -412,9 +413,10 @@ do_svr3-shared: find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ - OBJS="$${OBJS} `grep $$obj allobjs`" ; \ + OBJS="$${OBJS} `grep /$$obj allobjs`" ; \ done ; \ - set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + set -x; ${CC} ${SHARED_LDFLAGS} \ + -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ 
@@ -431,13 +433,16 @@ do_svr5-shared: libs="$(LIBKRB5) $$libs"; \ fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ + SHARE_FLAG='-G'; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \ find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ - OBJS="$${OBJS} `grep $$obj allobjs`" ; \ + OBJS="$${OBJS} `grep /$$obj allobjs`" ; \ done ; \ - set -x; ${CC} ${SHARED_LDFLAGS} \ - -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \ + ${CC} ${SHARED_LDFLAGS} \ + $${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ @@ -591,10 +596,10 @@ Makefile.ssl: Makefile.org @false libclean: - rm -f *.a */lib */*/lib + rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib -clean: - rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c +clean: libclean + rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ @@ -604,7 +609,7 @@ clean: fi; \ done; rm -f openssl.pc - rm -f *.a *.o speed.* *.map *.so .pure core + rm -f speed.* .pure rm -f $(TARFILE) @for i in $(ONEDIRS) ;\ do \ @@ -654,7 +659,10 @@ rehash: rehash.time rehash.time: certs @(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \ export OPENSSL OPENSSL_DEBUG_MEMORY; \ - LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \ + LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ $(PERL) tools/c_rehash certs) 
@@ -665,10 +673,13 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests ); - @LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \ - if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ - export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ - apps/openssl version -a + @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ + if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ + export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ + apps/openssl version -a report: @$(PERL) util/selftest.pl @@ -823,6 +834,7 @@ install: all install_docs fi; \ fi cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ 
@@ -839,33 +851,33 @@ install_docs: for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ - echo "installing man$$sec/$$fn.$$sec"; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ - $$here/util/point.sh $$fn.$$sec $$n.$$sec; \ + $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ done); \ done; \ for i in doc/crypto/*.pod doc/ssl/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ - echo "installing man$$sec/$$fn.$$sec"; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ - $$here/util/point.sh $$fn.$$sec $$n.$$sec; \ + $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ done); \ done diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index 3cf173e..f0282eb 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS 
@@ -5,6 +5,24 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c: + + o Security: fix various ASN1 parsing bugs. + o New -ignore_err option to OCSP utility. + o Various interop and bug fixes in S/MIME code. + o SSL/TLS protocol fix for unrequested client certificates. + + Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b: + + o Security: counter the Klima-Pokorny-Rosa extension of + Bleichbacher's attack + o Security: make RSA blinding default. + o Configuration: Irix fixes, AIX fixes, better mingw support. + o Support for new platforms: linux-ia64-ecc. + o Build: shared library support fixes. + o ASN.1: treat domainComponent correctly. + o Documentation: fixes and additions. + Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a: o Security: Important security related bugfixes. @@ -62,6 +80,18 @@ o SSL/TLS: add callback to retrieve SSL/TLS messages. o SSL/TLS: support AES cipher suites (RFC3268). + Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k: + + o Security: fix various ASN1 parsing bugs. + o SSL/TLS protocol fix for unrequested client certificates. + + Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j: + + o Security: counter the Klima-Pokorny-Rosa extension of + Bleichbacher's attack + o Security: make RSA blinding default. + o Build: shared library support fixes. + Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: o Important security related bugfixes. diff --git a/crypto/openssl/PROBLEMS b/crypto/openssl/PROBLEMS index 1a956b5..85e96a5 100644 --- a/crypto/openssl/PROBLEMS +++ b/crypto/openssl/PROBLEMS 
@@ -98,3 +98,34 @@ config-line. './Configure aix43-cc shared' is working, but not libraries. It's possible to build 64-bit shared libraries by running 'env OBJECT_MODE=64 make', but we need more elegant solution. Preferably one supporting even gcc shared builds. See RT#463 for background information. + +* Problems building shared libraries on SCO OpenServer Release 5.0.6 + with gcc 2.95.3 + +The symptoms appear when running the test suite, more specifically +test/ectest, with the following result: + +OSSL_LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$OSSL_LIBPATH:$LD_LIBRARY_PATH"; DYLD_LIBRARY_PATH="$OSSL_LIBPATH:$DYLD_LIBRARY_PATH"; SHLIB_PATH="$OSSL_LIBPATH:$SHLIB_PATH"; LIBPATH="$OSSL_LIBPATH:$LIBPATH"; if [ "debug-sco5-gcc" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./ectest +ectest.c:186: ABORT + +The cause of the problem seems to be that isxdigit(), called from +BN_hex2bn(), returns 0 on a perfectly legitimate hex digit. Further +investigation shows that any of the isxxx() macros return 0 on any +input. A direct look in the information array that the isxxx() use, +called __ctype, shows that it contains all zeroes... + +Taking a look at the newly created libcrypto.so with nm, one can see +that the variable __ctype is defined in libcrypto's .bss (which +explains why it is filled with zeroes): + +$ nm -Pg libcrypto.so | grep __ctype +__ctype B 0011659c +__ctype2 U + +Curiously, __ctype2 is undefined, in spite of being declared in +/usr/include/ctype.h in exactly the same way as __ctype. + +Any information helping to solve this issue would be deeply +appreciated. + +NOTE: building non-shared doesn't come with this problem. diff --git a/crypto/openssl/README b/crypto/openssl/README index 35bedc0..65e3a12 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README 
@@ -1,5 +1,5 @@ - OpenSSL 0.9.7a Feb 19 2003 + OpenSSL 0.9.7c 30 Sep 2003 Copyright (c) 1998-2003 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl index 8b2ce7e..669a016 100755 --- a/crypto/openssl/apps/CA.pl +++ b/crypto/openssl/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl index ff433d6..90e71de 100644 --- a/crypto/openssl/apps/Makefile.ssl +++ b/crypto/openssl/apps/Makefile.ssl @@ -87,6 +87,7 @@ all: exe exe: $(PROGRAM) req: sreq.o $(A_OBJ) $(DLIBCRYPTO) + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) sreq.o: req.c @@ -147,10 +148,14 @@ $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \ fi -(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; \ - LIBPATH="`pwd`"; LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; \ + LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ $(PERL) tools/c_rehash certs) diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c index ec3e391..007e3e0 100644 
--- a/crypto/openssl/apps/apps.c +++ b/crypto/openssl/apps/apps.c @@ -140,10 +140,6 @@ #include "apps.h" #undef NON_MAIN -#ifdef OPENSSL_SYS_WINDOWS -# include "bss_file.c" -#endif - typedef struct { char *name; unsigned long flag; diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index 1d4e4aa..7ed60c7 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -2193,7 +2193,7 @@ again2: #ifdef X509_V3 /* Make it an X509 v3 certificate. */ - if (!X509_set_version(x509,2)) goto err; + if (!X509_set_version(ret,2)) goto err; #endif if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL) diff --git a/crypto/openssl/apps/crl.c b/crypto/openssl/apps/crl.c index c6089ac..81d6658 100644 --- a/crypto/openssl/apps/crl.c +++ b/crypto/openssl/apps/crl.c @@ -81,6 +81,7 @@ static char *crl_usage[]={ " -in arg - input file - default stdin\n", " -out arg - output file - default stdout\n", " -hash - print hash value\n", +" -fingerprint - print the crl fingerprint\n", " -issuer - print issuer DN\n", " -lastupdate - lastUpdate field\n", " -nextupdate - nextUpdate field\n", diff --git a/crypto/openssl/apps/der_chop b/crypto/openssl/apps/der_chop index 9070b03..2ee9d6b 100644 --- a/crypto/openssl/apps/der_chop +++ b/crypto/openssl/apps/der_chop @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # # der_chop ... this is one total hack that Eric is really not proud of # so don't look at it and don't ask for support diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c index 456f80a..c3e1e8d 100644 --- a/crypto/openssl/apps/engine.c +++ b/crypto/openssl/apps/engine.c @@ -520,4 +520,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c index f05ec0e..e5f186f 100644 --- a/crypto/openssl/apps/ocsp.c +++ b/crypto/openssl/apps/ocsp.c 
@@ -136,6 +136,7 @@ int MAIN(int argc, char **argv) int accept_count = -1; int badarg = 0; int i; + int ignore_err = 0; STACK *reqnames = NULL; STACK_OF(OCSP_CERTID) *ids = NULL; @@ -195,6 +196,8 @@ int MAIN(int argc, char **argv) } else badarg = 1; } + else if (!strcmp(*args, "-ignore_err")) + ignore_err = 1; else if (!strcmp(*args, "-noverify")) noverify = 1; else if (!strcmp(*args, "-nonce")) @@ -524,7 +527,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-serial n serial number to check\n"); BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n"); BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n"); - BIO_printf (bio_err, "-sign_certs file additional certificates to include in signed request\n"); + BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n"); BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n"); BIO_printf (bio_err, "-req_text print text form of request\n"); BIO_printf (bio_err, "-resp_text print text form of response\n"); 
@@ -544,10 +547,10 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); BIO_printf (bio_err, "-noverify don't verify response at all\n"); - BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n"); + BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n"); BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n"); - BIO_printf (bio_err, "-no_sig_verify don't check signature on response\n"); + BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n"); BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n"); BIO_printf (bio_err, "-no_chain don't chain verify response\n"); BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); @@ -809,6 +812,8 @@ int MAIN(int argc, char **argv) { BIO_printf(out, "Responder Error: %s (%ld)\n", OCSP_response_status_str(i), i); + if (ignore_err) + goto redo_accept; ret = 0; goto end; } diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c index 45af2ba..e0d89d4 100644 --- a/crypto/openssl/apps/openssl.c +++ b/crypto/openssl/apps/openssl.c @@ -163,7 +163,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line) goto err; } - if (type < 0 || type > CRYPTO_NUM_LOCKS) + if (type < 0 || type >= CRYPTO_NUM_LOCKS) { errstr = "type out of bounds"; goto err; diff --git a/crypto/openssl/apps/pkcs8.c b/crypto/openssl/apps/pkcs8.c index 6be27e7..ee8cf02 100644 --- a/crypto/openssl/apps/pkcs8.c +++ b/crypto/openssl/apps/pkcs8.c 
@@ -235,7 +235,7 @@ int MAIN(int argc, char **argv) return (1); } if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) { - BIO_printf(bio_err, "Error converting key\n", outfile); + BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); return (1); } @@ -259,8 +259,7 @@ int MAIN(int argc, char **argv) if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, p8pass, strlen(p8pass), NULL, 0, iter, p8inf))) { - BIO_printf(bio_err, "Error encrypting key\n", - outfile); + BIO_printf(bio_err, "Error encrypting key\n"); ERR_print_errors(bio_err); return (1); } @@ -303,7 +302,7 @@ int MAIN(int argc, char **argv) } if (!p8) { - BIO_printf (bio_err, "Error reading key\n", outfile); + BIO_printf (bio_err, "Error reading key\n"); ERR_print_errors(bio_err); return (1); } @@ -317,13 +316,13 @@ int MAIN(int argc, char **argv) } if (!p8inf) { - BIO_printf(bio_err, "Error decrypting key\n", outfile); + BIO_printf(bio_err, "Error decrypting key\n"); ERR_print_errors(bio_err); return (1); } if (!(pkey = EVP_PKCS82PKEY(p8inf))) { - BIO_printf(bio_err, "Error converting key\n", outfile); + BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); return (1); } diff --git a/crypto/openssl/apps/s_apps.h b/crypto/openssl/apps/s_apps.h index ff18a72..66b6edd 100644 --- a/crypto/openssl/apps/s_apps.h +++ b/crypto/openssl/apps/s_apps.h @@ -112,6 +112,14 @@ #include <sys/types.h> #include <openssl/opensslconf.h> +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) +#include <conio.h> +#endif + +#ifdef OPENSSL_SYS_MSDOS +#define _kbhit kbhit +#endif + #if defined(OPENSSL_SYS_VMS) && !defined(FD_SET) /* VAX C does not defined fd_set and friends, but it's actually quite simple */ /* These definitions are borrowed from SOCKETSHR. /Richard Levitte */ diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c index 2e73f34..eb6fd7c 100644 --- a/crypto/openssl/apps/s_client.c +++ b/crypto/openssl/apps/s_client.c 
@@ -136,10 +136,6 @@ typedef unsigned int u_int; #include <openssl/rand.h> #include "s_apps.h" -#ifdef OPENSSL_SYS_WINDOWS -#include <conio.h> -#endif - #ifdef OPENSSL_SYS_WINCE /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ #ifdef fileno @@ -221,7 +217,7 @@ static void sc_usage(void) BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); BIO_printf(bio_err," for those protocols that support it, where\n"); BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); - BIO_printf(bio_err," only \"smtp\" is supported.\n"); + BIO_printf(bio_err," only \"smtp\" and \"pop3\" are supported.\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); #endif @@ -251,7 +247,7 @@ int MAIN(int argc, char **argv) int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; SSL_CTX *ctx=NULL; int ret=1,in_init=1,i,nbio_test=0; - int smtp_starttls = 0; + int starttls_proto = 0; int prexit = 0, vflags = 0; SSL_METHOD *meth=NULL; BIO *sbio; @@ -260,7 +256,7 @@ int MAIN(int argc, char **argv) char *engine_id=NULL; ENGINE *e=NULL; #endif -#ifdef OPENSSL_SYS_WINDOWS +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) struct timeval tv; #endif @@ -415,7 +411,9 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; ++argv; if (strcmp(*argv,"smtp") == 0) - smtp_starttls = 1; + starttls_proto = 1; + else if (strcmp(*argv,"pop3") == 0) + starttls_proto = 2; else goto bad; } @@ -587,12 +585,18 @@ re_start: sbuf_off=0; /* This is an ugly hack that does a lot of assumptions */ - if (smtp_starttls) + if (starttls_proto == 1) { BIO_read(sbio,mbuf,BUFSIZZ); BIO_printf(sbio,"STARTTLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } + if (starttls_proto == 2) + { + BIO_read(sbio,mbuf,BUFSIZZ); + BIO_printf(sbio,"STLS\r\n"); + BIO_read(sbio,sbuf,BUFSIZZ); + } for (;;) { 
@@ -613,11 +617,11 @@ re_start: print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; - if (smtp_starttls) + if (starttls_proto) { BIO_printf(bio_err,"%s",mbuf); /* We don't need to know any more */ - smtp_starttls = 0; + starttls_proto = 0; } if (reconnect) @@ -636,7 +640,7 @@ re_start: if (!ssl_pending) { -#ifndef OPENSSL_SYS_WINDOWS +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) if (tty_on) { if (read_tty) FD_SET(fileno(stdin),&readfds); @@ -663,8 +667,8 @@ re_start: * will choke the compiler: if you do have a cast then * you can either go for (int *) or (void *). */ -#ifdef OPENSSL_SYS_WINDOWS - /* Under Windows we make the assumption that we can +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) + /* Under Windows/DOS we make the assumption that we can * always write to the tty: therefore if we need to * write to the tty we just fall through. Otherwise * we timeout the select every second and see if there @@ -678,7 +682,7 @@ re_start: tv.tv_usec = 0; i=select(width,(void *)&readfds,(void *)&writefds, NULL,&tv); -#ifdef OPENSSL_SYS_WINCE +#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) if(!i && (!_kbhit() || !read_tty) ) continue; #else if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; @@ -847,8 +851,8 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 } } -#ifdef OPENSSL_SYS_WINDOWS -#ifdef OPENSSL_SYS_WINCE +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) +#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) else if (_kbhit()) #else else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c index 5157aae..ff4ab6e 100644 --- a/crypto/openssl/apps/s_server.c +++ b/crypto/openssl/apps/s_server.c 
@@ -140,10 +140,6 @@ typedef unsigned int u_int; #include <openssl/rand.h> #include "s_apps.h" -#ifdef OPENSSL_SYS_WINDOWS -#include <conio.h> -#endif - #ifdef OPENSSL_SYS_WINCE /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ #ifdef fileno @@ -917,7 +913,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) unsigned long l; SSL *con=NULL; BIO *sbio; -#ifdef OPENSSL_SYS_WINDOWS +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) struct timeval tv; #endif @@ -991,7 +987,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (!read_from_sslcon) { FD_ZERO(&readfds); -#ifndef OPENSSL_SYS_WINDOWS +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) FD_SET(fileno(stdin),&readfds); #endif FD_SET(s,&readfds); @@ -1001,8 +997,8 @@ static int sv_body(char *hostname, int s, unsigned char *context) * the compiler: if you do have a cast then you can either * go for (int *) or (void *). */ -#ifdef OPENSSL_SYS_WINDOWS - /* Under Windows we can't select on stdin: only +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) + /* Under DOS (non-djgpp) and Windows we can't select on stdin: only * on sockets. As a workaround we timeout the select every * second and check for any keypress. In a proper Windows * application we wouldn't do this because it is inefficient. @@ -1263,7 +1259,13 @@ static int init_ssl_connection(SSL *con) if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & TLS1_FLAGS_TLS_PADDING_BUG) BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n"); - +#ifndef OPENSSL_NO_KRB5 + if (con->kssl_ctx->client_princ != NULL) + { + BIO_printf(bio_s_out,"Kerberos peer principal is %s\n", + con->kssl_ctx->client_princ); + } +#endif /* OPENSSL_NO_KRB5 */ return(1); } diff --git a/crypto/openssl/apps/smime.c b/crypto/openssl/apps/smime.c index cc248d3..51bc893 100644 --- a/crypto/openssl/apps/smime.c +++ b/crypto/openssl/apps/smime.c 
@@ -168,6 +168,10 @@ int MAIN(int argc, char **argv) flags |= PKCS7_BINARY; else if (!strcmp (*args, "-nosigs")) flags |= PKCS7_NOSIGS; + else if (!strcmp (*args, "-nooldmime")) + flags |= PKCS7_NOOLDMIMETYPE; + else if (!strcmp (*args, "-crlfeol")) + flags |= PKCS7_CRLFEOL; else if (!strcmp (*args, "-crl_check")) store_flags |= X509_V_FLAG_CRL_CHECK; else if (!strcmp (*args, "-crl_check_all")) diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c index 1ac6452..2020b51 100644 --- a/crypto/openssl/apps/x509.c +++ b/crypto/openssl/apps/x509.c @@ -358,12 +358,6 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; if (!set_name_ex(&nmflag, *(++argv))) goto bad; } - else if (strcmp(*argv,"-setalias") == 0) - { - if (--argc < 1) goto bad; - alias= *(++argv); - trustout = 1; - } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { @@ -1151,7 +1145,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, else if (!(bs = load_serial(CAfile, serialfile, create))) goto end; - if (!X509_STORE_add_cert(ctx,x)) goto end; +/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/ /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ diff --git a/crypto/openssl/bugs/SSLv3 b/crypto/openssl/bugs/SSLv3 index db53e13..a75a165 100644 --- a/crypto/openssl/bugs/SSLv3 +++ b/crypto/openssl/bugs/SSLv3 @@ -29,7 +29,7 @@ RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when doing a re-connect, always takes the first cipher in the cipher list. If we accept a netscape connection, demand a client cert, have a -non-self-sighed CA which does not have it's CA in netscape, and the +non-self-signed CA which does not have it's CA in netscape, and the browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta Netscape browsers do not really notice the server sending a diff --git a/crypto/openssl/config b/crypto/openssl/config index 88d2873..b3bd96b 100755 
--- a/crypto/openssl/config +++ b/crypto/openssl/config @@ -458,7 +458,7 @@ if [ "${SYSTEM}-${MACHINE}" = "Linux-alpha" ]; then fi if [ "${SYSTEM}" = "AIX" ]; then # favor vendor cc over gcc - (cc) 2>&1 | grep -iv "command not found" > /dev/null && CC=cc + (cc) 2>&1 | grep -iv "not found" > /dev/null && CC=cc fi CCVER=${CCVER:-0} @@ -473,7 +473,7 @@ echo Operating system: $GUESSOS # more time that I want to waste at the moment case "$GUESSOS" in mips2-sgi-irix) - CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 4000 ]; then options="$options -mips2" @@ -481,7 +481,7 @@ case "$GUESSOS" in OUT="irix-$CC" ;; mips3-sgi-irix) - CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then options="$options -mips4" @@ -497,7 +497,7 @@ case "$GUESSOS" in echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi - CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then options="$options -mips4" diff --git a/crypto/openssl/crypto/aes/aes.h b/crypto/openssl/crypto/aes/aes.h index 8294a41..da067f4 100644 --- a/crypto/openssl/crypto/aes/aes.h +++ b/crypto/openssl/crypto/aes/aes.h @@ -100,7 +100,7 @@ void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, unsigned char *ivec, int *num); void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, - unsigned char counter[AES_BLOCK_SIZE], + unsigned char ivec[AES_BLOCK_SIZE], unsigned char ecount_buf[AES_BLOCK_SIZE], unsigned int *num); 
diff --git a/crypto/openssl/crypto/aes/aes_cbc.c b/crypto/openssl/crypto/aes/aes_cbc.c index de43830..86b27b1 100644 --- a/crypto/openssl/crypto/aes/aes_cbc.c +++ b/crypto/openssl/crypto/aes/aes_cbc.c @@ -72,7 +72,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, if (AES_ENCRYPT == enc) { while (len >= AES_BLOCK_SIZE) { - for(n=0; n < sizeof tmp; ++n) + for(n=0; n < AES_BLOCK_SIZE; ++n) tmp[n] = in[n] ^ ivec[n]; AES_encrypt(tmp, out, key); memcpy(ivec, out, AES_BLOCK_SIZE); @@ -86,12 +86,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, for(n=len; n < AES_BLOCK_SIZE; ++n) tmp[n] = ivec[n]; AES_encrypt(tmp, tmp, key); - memcpy(out, tmp, len); - memcpy(ivec, tmp, sizeof tmp); + memcpy(out, tmp, AES_BLOCK_SIZE); + memcpy(ivec, tmp, AES_BLOCK_SIZE); } } else { while (len >= AES_BLOCK_SIZE) { - memcpy(tmp, in, sizeof tmp); + memcpy(tmp, in, AES_BLOCK_SIZE); AES_decrypt(in, out, key); for(n=0; n < AES_BLOCK_SIZE; ++n) out[n] ^= ivec[n]; @@ -101,11 +101,11 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, out += AES_BLOCK_SIZE; } if (len) { - memcpy(tmp, in, sizeof tmp); + memcpy(tmp, in, AES_BLOCK_SIZE); AES_decrypt(tmp, tmp, key); for(n=0; n < len; ++n) out[n] ^= ivec[n]; - memcpy(ivec, tmp, sizeof tmp); + memcpy(ivec, tmp, AES_BLOCK_SIZE); } } } diff --git a/crypto/openssl/crypto/aes/aes_ctr.c b/crypto/openssl/crypto/aes/aes_ctr.c index 5908849..79e1c18 100644 --- a/crypto/openssl/crypto/aes/aes_ctr.c +++ b/crypto/openssl/crypto/aes/aes_ctr.c 
@@ -62,19 +62,49 @@ /* NOTE: CTR mode is big-endian. The rest of the AES code * is endian-neutral. */ -/* increment counter (128-bit int) by 2^64 */ +/* increment counter (128-bit int) by 1 */ static void AES_ctr128_inc(unsigned char *counter) { unsigned long c; - /* Grab 3rd dword of counter and increment */ + /* Grab bottom dword of counter and increment */ #ifdef L_ENDIAN - c = GETU32(counter + 8); + c = GETU32(counter + 0); c++; - PUTU32(counter + 8, c); + PUTU32(counter + 0, c); #else - c = GETU32(counter + 4); + c = GETU32(counter + 12); c++; - PUTU32(counter + 4, c); + PUTU32(counter + 12, c); +#endif + + /* if no overflow, we're done */ + if (c) + return; + + /* Grab 1st dword of counter and increment */ +#ifdef L_ENDIAN + c = GETU32(counter + 4); + c++; + PUTU32(counter + 4, c); +#else + c = GETU32(counter + 8); + c++; + PUTU32(counter + 8, c); +#endif + + /* if no overflow, we're done */ + if (c) + return; + + /* Grab 2nd dword of counter and increment */ +#ifdef L_ENDIAN + c = GETU32(counter + 8); + c++; + PUTU32(counter + 8, c); +#else + c = GETU32(counter + 4); + c++; + PUTU32(counter + 4, c); #endif /* if no overflow, we're done */ @@ -100,10 +130,16 @@ static void AES_ctr128_inc(unsigned char *counter) { * encrypted counter is kept in ecount_buf. Both *num and * ecount_buf must be initialised with zeros before the first * call to AES_ctr128_encrypt(). + * + * This algorithm assumes that the counter is in the x lower bits + * of the IV (ivec), and that the application has full control over + * overflow and the rest of the IV. This implementation takes NO + * responsability for checking that the counter doesn't overflow + * into the rest of the IV when incremented. */ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, - unsigned char counter[AES_BLOCK_SIZE], + unsigned char ivec[AES_BLOCK_SIZE], unsigned char ecount_buf[AES_BLOCK_SIZE], unsigned int *num) { 
@@ -117,8 +153,8 @@ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out, while (l--) { if (n == 0) { - AES_encrypt(counter, ecount_buf, key); - AES_ctr128_inc(counter); + AES_encrypt(ivec, ecount_buf, key); + AES_ctr128_inc(ivec); } *(out++) = *(in++) ^ ecount_buf[n]; n = (n+1) % AES_BLOCK_SIZE; diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c index 5d981c6..e8a26af 100644 --- a/crypto/openssl/crypto/asn1/a_mbstr.c +++ b/crypto/openssl/crypto/asn1/a_mbstr.c @@ -296,7 +296,7 @@ static int in_utf8(unsigned long value, void *arg) static int out_utf8(unsigned long value, void *arg) { - long *outlen; + int *outlen; outlen = arg; *outlen += UTF8_putc(NULL, -1, value); return 1; diff --git a/crypto/openssl/crypto/asn1/a_strex.c b/crypto/openssl/crypto/asn1/a_strex.c index 1def6c6..8abfdfe 100644 --- a/crypto/openssl/crypto/asn1/a_strex.c +++ b/crypto/openssl/crypto/asn1/a_strex.c @@ -279,7 +279,7 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING * otherwise it is the number of bytes per character */ -const static char tag2nbyte[] = { +const static signed char tag2nbyte[] = { -1, -1, -1, -1, -1, /* 0-4 */ -1, -1, -1, -1, -1, /* 5-9 */ -1, -1, 0, -1, /* 10-13 */ diff --git a/crypto/openssl/crypto/asn1/a_strnid.c b/crypto/openssl/crypto/asn1/a_strnid.c index 04789d1..613bbc4 100644 --- a/crypto/openssl/crypto/asn1/a_strnid.c +++ b/crypto/openssl/crypto/asn1/a_strnid.c @@ -143,7 +143,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, /* Now the tables and helper functions for the string table: */ -/* size limits: this stuff is taken straight from RFC2459 */ +/* size limits: this stuff is taken straight from RFC3280 */ #define ub_name 32768 #define ub_common_name 64 
@@ -153,6 +153,8 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, #define ub_organization_unit_name 64 #define ub_title 64 #define ub_email_address 128 +#define ub_serial_number 64 + /* This table must be kept in NID order */ @@ -170,9 +172,11 @@ static ASN1_STRING_TABLE tbl_standard[] = { {NID_givenName, 1, ub_name, DIRSTRING_TYPE, 0}, {NID_surname, 1, ub_name, DIRSTRING_TYPE, 0}, {NID_initials, 1, ub_name, DIRSTRING_TYPE, 0}, +{NID_serialNumber, 1, ub_serial_number, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}, {NID_friendlyName, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}, {NID_name, 1, ub_name, DIRSTRING_TYPE, 0}, {NID_dnQualifier, -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}, +{NID_domainComponent, 1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK}, {NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK} }; @@ -249,4 +253,38 @@ static void st_free(ASN1_STRING_TABLE *tbl) if(tbl->flags & STABLE_FLAGS_MALLOC) OPENSSL_free(tbl); } + IMPLEMENT_STACK_OF(ASN1_STRING_TABLE) + +#ifdef STRING_TABLE_TEST + +main() +{ + ASN1_STRING_TABLE *tmp; + int i, last_nid = -1; + + for (tmp = tbl_standard, i = 0; + i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++) + { + if (tmp->nid < last_nid) + { + last_nid = 0; + break; + } + last_nid = tmp->nid; + } + + if (last_nid != 0) + { + printf("Table order OK\n"); + exit(0); + } + + for (tmp = tbl_standard, i = 0; + i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++) + printf("Index %d, NID %d, Name=%s\n", i, tmp->nid, + OBJ_nid2ln(tmp->nid)); + +} + +#endif diff --git a/crypto/openssl/crypto/asn1/asn1.h b/crypto/openssl/crypto/asn1/asn1.h index 99ba920..3414509 100644 --- a/crypto/openssl/crypto/asn1/asn1.h +++ b/crypto/openssl/crypto/asn1/asn1.h 
@@ -132,7 +132,7 @@ extern "C" { #define B_ASN1_NUMERICSTRING 0x0001 #define B_ASN1_PRINTABLESTRING 0x0002 #define B_ASN1_T61STRING 0x0004 -#define B_ASN1_TELETEXSTRING 0x0008 +#define B_ASN1_TELETEXSTRING 0x0004 #define B_ASN1_VIDEOTEXSTRING 0x0008 #define B_ASN1_IA5STRING 0x0010 #define B_ASN1_GRAPHICSTRING 0x0020 diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c index 0638870..e30d5dd 100644 --- a/crypto/openssl/crypto/asn1/asn1_lib.c +++ b/crypto/openssl/crypto/asn1/asn1_lib.c @@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass, l<<=7L; l|= *(p++)&0x7f; if (--max == 0) goto err; + if (l > (INT_MAX >> 7L)) goto err; } l<<=7L; l|= *(p++)&0x7f; tag=(int)l; + if (--max == 0) goto err; } else { diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index 76fc023..2426cb6 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -691,6 +691,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { + ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; int ret = 0; @@ -705,6 +706,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *pval = (ASN1_VALUE *)typ; } else typ = (ASN1_TYPE *)*pval; if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL); + opval = pval; pval = (ASN1_VALUE **)&typ->value.ptr; } switch(utype) { @@ -796,7 +798,12 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char ret = 1; err: - if(!ret) ASN1_TYPE_free(typ); + if(!ret) + { + ASN1_TYPE_free(typ); + if (opval) + *opval = NULL; + } return ret; } diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c index 3f5d6a7..2cfc689 100644 --- a/crypto/openssl/crypto/bio/b_print.c 
+++ b/crypto/openssl/crypto/bio/b_print.c @@ -378,7 +378,7 @@ _dopr( case 'p': value = (long)va_arg(args, void *); fmtint(sbuffer, buffer, &currlen, maxlen, - value, 16, min, max, flags); + value, 16, min, max, flags|DP_F_NUM); break; case 'n': /* XXX */ if (cflags == DP_C_SHORT) { @@ -482,8 +482,9 @@ fmtint( int flags) { int signvalue = 0; + char *prefix = ""; unsigned LLONG uvalue; - char convert[DECIMAL_SIZE(value)+1]; + char convert[DECIMAL_SIZE(value)+3]; int place = 0; int spadlen = 0; int zpadlen = 0; @@ -501,6 +502,10 @@ fmtint( else if (flags & DP_F_SPACE) signvalue = ' '; } + if (flags & DP_F_NUM) { + if (base == 8) prefix = "0"; + if (base == 16) prefix = "0x"; + } if (flags & DP_F_UP) caps = 1; do { @@ -514,7 +519,7 @@ fmtint( convert[place] = 0; zpadlen = max - place; - spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0); + spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix); if (zpadlen < 0) zpadlen = 0; if (spadlen < 0) @@ -536,6 +541,12 @@ fmtint( if (signvalue) doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); + /* prefix */ + while (*prefix) { + doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix); + prefix++; + } + /* zeros */ if (zpadlen > 0) { while (zpadlen > 0) { @@ -692,7 +703,7 @@ fmtfp( * Decimal point. This should probably use locale to find the correct * char to print out. */ - if (max > 0) { + if (max > 0 || (flags & DP_F_NUM)) { doapr_outch(sbuffer, buffer, currlen, maxlen, '.'); while (fplace > 0) @@ -825,5 +836,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) * had the buffer been large enough.) */ return -1; else - return (retlen <= INT_MAX) ? retlen : -1; + return (retlen <= INT_MAX) ? (int)retlen : -1; } diff --git a/crypto/openssl/crypto/bio/bf_buff.c b/crypto/openssl/crypto/bio/bf_buff.c index 1cecd70..c1fd75a 100644 --- a/crypto/openssl/crypto/bio/bf_buff.c +++ b/crypto/openssl/crypto/bio/bf_buff.c 
@@ -494,6 +494,7 @@ static int buffer_gets(BIO *b, char *buf, int size) if (i <= 0) { BIO_copy_next_retry(b); + *buf='\0'; if (i < 0) return((num > 0)?num:i); if (i == 0) return(num); } diff --git a/crypto/openssl/crypto/bio/bss_bio.c b/crypto/openssl/crypto/bio/bss_bio.c index aa58dab..0f9f095 100644 --- a/crypto/openssl/crypto/bio/bss_bio.c +++ b/crypto/openssl/crypto/bio/bss_bio.c 
@@ -1,4 +1,57 @@ /* crypto/bio/bss_bio.c -*- Mode: C; c-file-style: "eay" -*- */ +/* ==================================================================== + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ /* Special method for a BIO where the other endpoint is also a BIO * of this kind, handled by the same thread (i.e. the "peer" is actually @@ -502,7 +555,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) break; case BIO_C_DESTROY_BIO_PAIR: - /* Effects both BIOs in the pair -- call just once! + /* Affects both BIOs in the pair -- call just once! * Or let BIO_free(bio1); BIO_free(bio2); do the job. */ bio_destroy_pair(bio); ret = 1; diff --git a/crypto/openssl/crypto/bio/bss_file.c b/crypto/openssl/crypto/bio/bss_file.c index a66600c..6904b5c 100644 --- a/crypto/openssl/crypto/bio/bss_file.c +++ b/crypto/openssl/crypto/bio/bss_file.c 
@@ -213,12 +213,29 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) b->shutdown=(int)num&BIO_CLOSE; b->ptr=(char *)ptr; b->init=1; -#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) - /* Set correct text/binary mode */ +#if defined(OPENSSL_SYS_WINDOWS) if (num & BIO_FP_TEXT) _setmode(fileno((FILE *)ptr),_O_TEXT); else _setmode(fileno((FILE *)ptr),_O_BINARY); +#elif defined(OPENSSL_SYS_MSDOS) + { + int fd = fileno((FILE*)ptr); + /* Set correct text/binary mode */ + if (num & BIO_FP_TEXT) + _setmode(fd,_O_TEXT); + /* Dangerous to set stdin/stdout to raw (unless redirected) */ + else + { + if (fd == STDIN_FILENO || fd == STDOUT_FILENO) + { + if (isatty(fd) <= 0) + _setmode(fd,_O_BINARY); + } + else + _setmode(fd,_O_BINARY); + } + } #elif defined(OPENSSL_SYS_OS2) if (num & BIO_FP_TEXT) setmode(fileno((FILE *)ptr), O_TEXT); diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl index c1547a8..090fccd 100644 --- a/crypto/openssl/crypto/bn/Makefile.ssl +++ b/crypto/openssl/crypto/bn/Makefile.ssl @@ -22,6 +22,7 @@ BN_ASM= bn_asm.o #BN_ASM= bn86-elf.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=bntest.c exptest.c diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h index b40682f..3da6d8c 100644 --- a/crypto/openssl/crypto/bn/bn.h +++ b/crypto/openssl/crypto/bn/bn.h @@ -248,6 +248,8 @@ typedef struct bn_blinding_st BIGNUM *A; BIGNUM *Ai; BIGNUM *mod; /* just a reference */ + unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; + * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */ } BN_BLINDING; /* Used for montgomery multiplication */ diff --git a/crypto/openssl/crypto/bn/bn_mul.c b/crypto/openssl/crypto/bn/bn_mul.c index cb93ac3..3ae3822 100644 --- a/crypto/openssl/crypto/bn/bn_mul.c +++ b/crypto/openssl/crypto/bn/bn_mul.c 
@@ -224,7 +224,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn, int n, BN_ULONG *t) { int i,j,n2=n*2; - unsigned int c1,c2,neg,zero; + int c1,c2,neg,zero; BN_ULONG ln,lo,*p; # ifdef BN_COUNT @@ -376,7 +376,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn, /* The overflow will stop before we over write * words we should not overwrite */ - if (ln < c1) + if (ln < (BN_ULONG)c1) { do { p++; diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c index 3aae945..3c8c540 100644 --- a/crypto/openssl/crypto/bn/bntest.c +++ b/crypto/openssl/crypto/bn/bntest.c @@ -68,10 +68,6 @@ #include <openssl/x509.h> #include <openssl/err.h> -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif - const int num0 = 100; /* number of tests */ const int num1 = 50; /* additional tests for some functions */ const int num2 = 5; /* number of tests for slow functions */ @@ -96,11 +92,6 @@ int test_sqrt(BIO *bp,BN_CTX *ctx); int rand_neg(void); static int results=0; -#ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 -#include "bss_file.c" -#endif - static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9" "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0"; diff --git a/crypto/openssl/crypto/bn/exptest.c b/crypto/openssl/crypto/bn/exptest.c index 621e6a9..b09cf88 100644 --- a/crypto/openssl/crypto/bn/exptest.c +++ b/crypto/openssl/crypto/bn/exptest.c @@ -66,9 +66,6 @@ #include <openssl/bn.h> #include <openssl/rand.h> #include <openssl/err.h> -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #define NUM_BITS (BN_BITS*2) diff --git a/crypto/openssl/crypto/des/cfb_enc.c b/crypto/openssl/crypto/des/cfb_enc.c index 17bf77c..2600bdf 100644 --- a/crypto/openssl/crypto/des/cfb_enc.c +++ b/crypto/openssl/crypto/des/cfb_enc.c 
@@ -64,32 +64,22 @@ * the second. The second 12 bits will come from the 3rd and half the 4th * byte. */ +/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of + * length */ +/* Until Aug 1 2003 this function did not correctly implement CFB-r, so it + * will not be compatible with any encryption prior to that date. Ben. */ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, - long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc) + long length, DES_key_schedule *schedule, DES_cblock *ivec, + int enc) { register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8; - register DES_LONG mask0,mask1; register unsigned long l=length; register int num=numbits; DES_LONG ti[2]; unsigned char *iv; + unsigned char ovec[16]; if (num > 64) return; - if (num > 32) - { - mask0=0xffffffffL; - if (num == 64) - mask1=mask0; - else mask1=(1L<<(num-32))-1; - } - else - { - if (num == 32) - mask0=0xffffffffL; - else mask0=(1L<<num)-1; - mask1=0x00000000L; - } - iv = &(*ivec)[0]; c2l(iv,v0); c2l(iv,v1); @@ -103,8 +93,8 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); c2ln(in,d0,d1,n); in+=n; - d0=(d0^ti[0])&mask0; - d1=(d1^ti[1])&mask1; + d0^=ti[0]; + d1^=ti[1]; l2cn(d0,d1,out,n); out+=n; /* 30-08-94 - eay - changed because l>>32 and 
@@ -113,15 +103,25 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, { v0=v1; v1=d0; } else if (num == 64) { v0=d0; v1=d1; } - else if (num > 32) /* && num != 64 */ - { - v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL; - v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL; - } - else /* num < 32 */ + else { - v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL; - v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL; + iv=&ovec[0]; + l2c(v0,iv); + l2c(v1,iv); + l2c(d0,iv); + l2c(d1,iv); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); + /* now the remaining bits */ + if(num%8 != 0) + for(n=0 ; n < 8 ; ++n) + { + ovec[n]<<=num%8; + ovec[n]|=ovec[n+1]>>(8-num%8); + } + iv=&ovec[0]; + c2l(iv,v0); + c2l(iv,v1); } } } @@ -141,18 +141,28 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, { v0=v1; v1=d0; } else if (num == 64) { v0=d0; v1=d1; } - else if (num > 32) /* && num != 64 */ - { - v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL; - v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL; - } - else /* num < 32 */ + else { - v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL; - v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL; + iv=&ovec[0]; + l2c(v0,iv); + l2c(v1,iv); + l2c(d0,iv); + l2c(d1,iv); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); + /* now the remaining bits */ + if(num%8 != 0) + for(n=0 ; n < 8 ; ++n) + { + ovec[n]<<=num%8; + ovec[n]|=ovec[n+1]>>(8-num%8); + } + iv=&ovec[0]; + c2l(iv,v0); + c2l(iv,v1); } - d0=(d0^ti[0])&mask0; - d1=(d1^ti[1])&mask1; + d0^=ti[0]; + d1^=ti[1]; l2cn(d0,d1,out,n); out+=n; } diff --git a/crypto/openssl/crypto/des/destest.c b/crypto/openssl/crypto/des/destest.c index 687c00c..3983ac8 100644 --- a/crypto/openssl/crypto/des/destest.c +++ b/crypto/openssl/crypto/des/destest.c 
@@ -431,7 +431,7 @@ int main(int argc, char *argv[]) #ifndef LIBDES_LIT printf("Doing ede ecb\n"); - for (i=0; i<(NUM_TESTS-1); i++) + for (i=0; i<(NUM_TESTS-2); i++) { DES_set_key_unchecked(&key_data[i],&ks); DES_set_key_unchecked(&key_data[i+1],&ks2); diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl index ed47f85..1c447e9 100644 --- a/crypto/openssl/crypto/dh/Makefile.ssl +++ b/crypto/openssl/crypto/dh/Makefile.ssl 
@@ -112,17 +112,14 @@ dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dh_gen.o: ../cryptlib.h dh_gen.c -dh_key.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h -dh_key.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h -dh_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -dh_key.o: ../../include/openssl/engine.h ../../include/openssl/err.h -dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h -dh_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -dh_key.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h +dh_key.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h +dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +dh_key.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h +dh_key.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -dh_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -dh_key.o: ../cryptlib.h dh_key.c +dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_key.c dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h diff --git a/crypto/openssl/crypto/dh/dh_key.c b/crypto/openssl/crypto/dh/dh_key.c index 6ce65ed..77f2f50 100644 --- a/crypto/openssl/crypto/dh/dh_key.c +++ b/crypto/openssl/crypto/dh/dh_key.c 
@@ -61,9 +61,6 @@ #include <openssl/bn.h> #include <openssl/rand.h> #include <openssl/dh.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); diff --git a/crypto/openssl/crypto/dh/dhtest.c b/crypto/openssl/crypto/dh/dhtest.c index 2723774..d75077f 100644 --- a/crypto/openssl/crypto/dh/dhtest.c +++ b/crypto/openssl/crypto/dh/dhtest.c @@ -62,9 +62,6 @@ #include "../e_os.h" -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #include <openssl/crypto.h> #include <openssl/bio.h> #include <openssl/bn.h> @@ -87,10 +84,6 @@ int main(int argc, char *argv[]) #endif static void MS_CALLBACK cb(int p, int n, void *arg); -#ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 -#include "bss_file.c" -#endif static const char rnd_seed[] = "string to make the random number generator think it has entropy"; diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl index 08e692d..014d006 100644 --- a/crypto/openssl/crypto/dsa/Makefile.ssl +++ b/crypto/openssl/crypto/dsa/Makefile.ssl 
@@ -143,35 +143,29 @@ dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dsa_ossl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h -dsa_ossl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h -dsa_ossl.o: ../../include/openssl/opensslconf.h +dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h -dsa_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -dsa_ossl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h +dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h +dsa_ossl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dsa_ossl.o: ../cryptlib.h dsa_ossl.c dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h -dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h -dsa_sign.o: ../../include/openssl/opensslconf.h +dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h -dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -dsa_sign.o: ../../include/openssl/symhacks.h 
../../include/openssl/ui.h +dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h +dsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dsa_sign.o: ../cryptlib.h dsa_sign.c dsa_vrf.o: ../../e_os.h ../../include/openssl/asn1.h dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -dsa_vrf.o: ../../include/openssl/engine.h ../../include/openssl/err.h -dsa_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h -dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h +dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +dsa_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -dsa_vrf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -dsa_vrf.o: ../cryptlib.h dsa_vrf.c +dsa_vrf.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_vrf.c diff --git a/crypto/openssl/crypto/dsa/dsa_ossl.c b/crypto/openssl/crypto/dsa/dsa_ossl.c index 68d91db..b9e7f3e 100644 --- a/crypto/openssl/crypto/dsa/dsa_ossl.c +++ b/crypto/openssl/crypto/dsa/dsa_ossl.c @@ -64,9 +64,6 @@ #include <openssl/dsa.h> #include <openssl/rand.h> #include <openssl/asn1.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); diff --git a/crypto/openssl/crypto/dsa/dsa_sign.c b/crypto/openssl/crypto/dsa/dsa_sign.c index 5cdc8ed..8920502 100644 
--- a/crypto/openssl/crypto/dsa/dsa_sign.c +++ b/crypto/openssl/crypto/dsa/dsa_sign.c @@ -64,9 +64,6 @@ #include <openssl/dsa.h> #include <openssl/rand.h> #include <openssl/asn1.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { diff --git a/crypto/openssl/crypto/dsa/dsa_vrf.c b/crypto/openssl/crypto/dsa/dsa_vrf.c index fffb129..c4aeddd 100644 --- a/crypto/openssl/crypto/dsa/dsa_vrf.c +++ b/crypto/openssl/crypto/dsa/dsa_vrf.c @@ -65,9 +65,6 @@ #include <openssl/rand.h> #include <openssl/asn1.h> #include <openssl/asn1_mac.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) diff --git a/crypto/openssl/crypto/dsa/dsatest.c b/crypto/openssl/crypto/dsa/dsatest.c index d4d038a..4734ce4 100644 --- a/crypto/openssl/crypto/dsa/dsatest.c +++ b/crypto/openssl/crypto/dsa/dsatest.c @@ -68,12 +68,6 @@ #include <openssl/rand.h> #include <openssl/bio.h> #include <openssl/err.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #ifdef OPENSSL_NO_DSA int main(int argc, char *argv[]) diff --git a/crypto/openssl/crypto/dso/dso_dlfcn.c b/crypto/openssl/crypto/dso/dso_dlfcn.c index 906b470..9d49ebc 100644 --- a/crypto/openssl/crypto/dso/dso_dlfcn.c +++ b/crypto/openssl/crypto/dso/dso_dlfcn.c @@ -125,7 +125,11 @@ DSO_METHOD *DSO_METHOD_dlfcn(void) # endif # endif #else -# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */ +# ifdef OPENSSL_SYS_SUNOS +# define DLOPEN_FLAG 1 +# else +# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */ +# endif #endif /* For this DSO_METHOD, our meth_data STACK will contain; diff --git a/crypto/openssl/crypto/ec/ec_mult.c b/crypto/openssl/crypto/ec/ec_mult.c index 4dbc931..16822a7 100644 --- a/crypto/openssl/crypto/ec/ec_mult.c +++ b/crypto/openssl/crypto/ec/ec_mult.c 
@@ -175,12 +175,13 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B * (thus the boundaries should be increased) */ #define EC_window_bits_for_scalar_size(b) \ - ((b) >= 2000 ? 6 : \ - (b) >= 800 ? 5 : \ - (b) >= 300 ? 4 : \ - (b) >= 70 ? 3 : \ - (b) >= 20 ? 2 : \ - 1) + ((size_t) \ + ((b) >= 2000 ? 6 : \ + (b) >= 800 ? 5 : \ + (b) >= 300 ? 4 : \ + (b) >= 70 ? 3 : \ + (b) >= 20 ? 2 : \ + 1)) /* Compute * \sum scalars[i]*points[i], diff --git a/crypto/openssl/crypto/engine/eng_fat.c b/crypto/openssl/crypto/engine/eng_fat.c index f7edb5a..0d7dae0 100644 --- a/crypto/openssl/crypto/engine/eng_fat.c +++ b/crypto/openssl/crypto/engine/eng_fat.c @@ -66,18 +66,18 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags) if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e)) return 0; #ifndef OPENSSL_NO_RSA - if((flags & ENGINE_METHOD_RSA) & !ENGINE_set_default_RSA(e)) + if((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e)) return 0; #endif #ifndef OPENSSL_NO_DSA - if((flags & ENGINE_METHOD_DSA) & !ENGINE_set_default_DSA(e)) + if((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e)) return 0; #endif #ifndef OPENSSL_NO_DH - if((flags & ENGINE_METHOD_DH) & !ENGINE_set_default_DH(e)) + if((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e)) return 0; #endif - if((flags & ENGINE_METHOD_RAND) & !ENGINE_set_default_RAND(e)) + if((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e)) return 0; return 1; } diff --git a/crypto/openssl/crypto/engine/engine.h b/crypto/openssl/crypto/engine/engine.h index 8686879..9c3ab18 100644 --- a/crypto/openssl/crypto/engine/engine.h +++ b/crypto/openssl/crypto/engine/engine.h 
@@ -538,10 +538,10 @@ void ENGINE_add_conf_module(void); /**************************/ /* Binary/behaviour compatibility levels */ -#define OSSL_DYNAMIC_VERSION (unsigned long)0x00010100 +#define OSSL_DYNAMIC_VERSION (unsigned long)0x00010200 /* Binary versions older than this are too old for us (whether we're a loader or * a loadee) */ -#define OSSL_DYNAMIC_OLDEST (unsigned long)0x00010100 +#define OSSL_DYNAMIC_OLDEST (unsigned long)0x00010200 /* When compiling an ENGINE entirely as an external shared library, loadable by * the "dynamic" ENGINE, these types are needed. The 'dynamic_fns' structure @@ -630,6 +630,10 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, if(!fn(e,id)) return 0; \ return 1; } +#if defined(__OpenBSD__) || defined(__FreeBSD__) +void ENGINE_setup_bsd_cryptodev(void); +#endif + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/crypto/openssl/crypto/engine/hw_ubsec.c b/crypto/openssl/crypto/engine/hw_ubsec.c index 6286dd8..5234a08 100644 --- a/crypto/openssl/crypto/engine/hw_ubsec.c +++ b/crypto/openssl/crypto/engine/hw_ubsec.c @@ -561,7 +561,6 @@ static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL); return 0; } - memset(r->d, 0, BN_num_bytes(m)); if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) { fd = 0; diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c index b873270..633a1ad 100644 --- a/crypto/openssl/crypto/err/err.c +++ b/crypto/openssl/crypto/err/err.c 
@@ -225,6 +225,7 @@ struct st_ERR_FNS ERR_STRING_DATA *(*cb_err_del_item)(ERR_STRING_DATA *); /* Works on the "thread_hash" error-state table */ LHASH *(*cb_thread_get)(int create); + void (*cb_thread_release)(LHASH **hash); ERR_STATE *(*cb_thread_get_item)(const ERR_STATE *); ERR_STATE *(*cb_thread_set_item)(ERR_STATE *); void (*cb_thread_del_item)(const ERR_STATE *); @@ -239,6 +240,7 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *); static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *); static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *); static LHASH *int_thread_get(int create); +static void int_thread_release(LHASH **hash); static ERR_STATE *int_thread_get_item(const ERR_STATE *); static ERR_STATE *int_thread_set_item(ERR_STATE *); static void int_thread_del_item(const ERR_STATE *); @@ -252,6 +254,7 @@ static const ERR_FNS err_defaults = int_err_set_item, int_err_del_item, int_thread_get, + int_thread_release, int_thread_get_item, int_thread_set_item, int_thread_del_item, @@ -271,6 +274,7 @@ static const ERR_FNS *err_fns = NULL; * and state in the loading application. */ static LHASH *int_error_hash = NULL; static LHASH *int_thread_hash = NULL; +static int int_thread_hash_references = 0; static int int_err_library_number= ERR_LIB_USER; /* Internal function that checks whether "err_fns" is set and if not, sets it to 
@@ -417,11 +421,37 @@ static LHASH *int_thread_get(int create) CRYPTO_pop_info(); } if (int_thread_hash) + { + int_thread_hash_references++; ret = int_thread_hash; + } CRYPTO_w_unlock(CRYPTO_LOCK_ERR); return ret; } +static void int_thread_release(LHASH **hash) + { + int i; + + if (hash == NULL || *hash == NULL) + return; + + i = CRYPTO_add(&int_thread_hash_references, -1, CRYPTO_LOCK_ERR); + +#ifdef REF_PRINT + fprintf(stderr,"%4d:%s\n",int_thread_hash_references,"ERR"); +#endif + if (i > 0) return; +#ifdef REF_CHECK + if (i < 0) + { + fprintf(stderr,"int_thread_release, bad reference count\n"); + abort(); /* ok */ + } +#endif + *hash = NULL; + } + static ERR_STATE *int_thread_get_item(const ERR_STATE *d) { ERR_STATE *p; @@ -436,6 +466,7 @@ static ERR_STATE *int_thread_get_item(const ERR_STATE *d) p = (ERR_STATE *)lh_retrieve(hash, d); CRYPTO_r_unlock(CRYPTO_LOCK_ERR); + ERRFN(thread_release)(&hash); return p; } @@ -453,6 +484,7 @@ static ERR_STATE *int_thread_set_item(ERR_STATE *d) p = (ERR_STATE *)lh_insert(hash, d); CRYPTO_w_unlock(CRYPTO_LOCK_ERR); + ERRFN(thread_release)(&hash); return p; } @@ -469,13 +501,15 @@ static void int_thread_del_item(const ERR_STATE *d) CRYPTO_w_lock(CRYPTO_LOCK_ERR); p = (ERR_STATE *)lh_delete(hash, d); /* make sure we don't leak memory */ - if (int_thread_hash && (lh_num_items(int_thread_hash) == 0)) + if (int_thread_hash_references == 1 + && int_thread_hash && (lh_num_items(int_thread_hash) == 0)) { lh_free(int_thread_hash); int_thread_hash = NULL; } CRYPTO_w_unlock(CRYPTO_LOCK_ERR); + ERRFN(thread_release)(&hash); if (p) ERR_STATE_free(p); } @@ -845,6 +879,12 @@ LHASH *ERR_get_err_state_table(void) return ERRFN(thread_get)(0); } +void ERR_release_err_state_table(LHASH **hash) + { + err_fns_check(); + ERRFN(thread_release)(hash); + } + const char *ERR_lib_error_string(unsigned long e) { ERR_STRING_DATA d,*p; diff --git a/crypto/openssl/crypto/err/err.h b/crypto/openssl/crypto/err/err.h index 988ef81..8faa3a7 100644 
--- a/crypto/openssl/crypto/err/err.h +++ b/crypto/openssl/crypto/err/err.h @@ -278,6 +278,7 @@ ERR_STATE *ERR_get_state(void); #ifndef OPENSSL_NO_LHASH LHASH *ERR_get_string_table(void); LHASH *ERR_get_err_state_table(void); +void ERR_release_err_state_table(LHASH **hash); #endif int ERR_get_next_error_library(void); diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl index 94f61b3..772afd7 100644 --- a/crypto/openssl/crypto/evp/Makefile.ssl +++ b/crypto/openssl/crypto/evp/Makefile.ssl @@ -70,7 +70,7 @@ links: @$(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl ../../test $(TESTDATA) + cp $(TESTDATA) ../../test @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: 
@@ -185,13 +185,14 @@ c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h c_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h c_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -c_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h -c_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h -c_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h -c_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h -c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h -c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h +c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h +c_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h +c_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h +c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h +c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h c_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h c_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h c_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h 
@@ -496,21 +497,19 @@ evp_acnf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h evp_acnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h evp_acnf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h evp_acnf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h -evp_acnf.o: ../../include/openssl/err.h ../../include/openssl/evp.h -evp_acnf.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h -evp_acnf.o: ../../include/openssl/md2.h ../../include/openssl/md4.h -evp_acnf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h -evp_acnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -evp_acnf.o: ../../include/openssl/opensslconf.h +evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h +evp_acnf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h +evp_acnf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h +evp_acnf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h +evp_acnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -evp_acnf.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h -evp_acnf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h -evp_acnf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h -evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -evp_acnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -evp_acnf.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h -evp_acnf.o: ../cryptlib.h evp_acnf.c +evp_acnf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h +evp_acnf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h +evp_acnf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h 
+evp_acnf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +evp_acnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h +evp_acnf.o: ../../include/openssl/ui_compat.h ../cryptlib.h evp_acnf.c evp_enc.o: ../../e_os.h ../../include/openssl/aes.h evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h diff --git a/crypto/openssl/crypto/evp/bio_b64.c b/crypto/openssl/crypto/evp/bio_b64.c index 6e550f6..33349c2 100644 --- a/crypto/openssl/crypto/evp/bio_b64.c +++ b/crypto/openssl/crypto/evp/bio_b64.c @@ -184,7 +184,9 @@ static int b64_read(BIO *b, char *out, int outl) ret_code=0; while (outl > 0) { - if (ctx->cont <= 0) break; + + if (ctx->cont <= 0) + break; i=BIO_read(b->next_bio,&(ctx->tmp[ctx->tmp_len]), B64_BLOCK_SIZE-ctx->tmp_len); @@ -195,11 +197,21 @@ static int b64_read(BIO *b, char *out, int outl) /* Should be continue next time we are called? */ if (!BIO_should_retry(b->next_bio)) + { ctx->cont=i; - /* else we should continue when called again */ - break; + /* If buffer empty break */ + if(ctx->tmp_len == 0) + break; + /* Fall through and process what we have */ + else + i = 0; + } + /* else we retry and add more data to buffer */ + else + break; } i+=ctx->tmp_len; + ctx->tmp_len = i; /* We need to scan, a line at a time until we * have a valid line if we are starting. */ @@ -255,8 +267,12 @@ static int b64_read(BIO *b, char *out, int outl) * reading until a new line. */ if (p == (unsigned char *)&(ctx->tmp[0])) { - ctx->tmp_nl=1; - ctx->tmp_len=0; + /* Check buffer full */ + if (i == B64_BLOCK_SIZE) + { + ctx->tmp_nl=1; + ctx->tmp_len=0; + } } else if (p != q) /* finished on a '\n' */ { 
@@ -271,6 +287,11 @@ static int b64_read(BIO *b, char *out, int outl) else ctx->tmp_len=0; } + /* If buffer isn't full and we can retry then + * restart to read in more data. + */ + else if ((i < B64_BLOCK_SIZE) && (ctx->cont > 0)) + continue; if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL) { @@ -310,8 +331,8 @@ static int b64_read(BIO *b, char *out, int outl) i=EVP_DecodeUpdate(&(ctx->base64), (unsigned char *)ctx->buf,&ctx->buf_len, (unsigned char *)ctx->tmp,i); + ctx->tmp_len = 0; } - ctx->cont=i; ctx->buf_off=0; if (i < 0) { @@ -484,10 +505,7 @@ again: { i=b64_write(b,NULL,0); if (i < 0) - { - ret=i; - break; - } + return i; } if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL) { diff --git a/crypto/openssl/crypto/evp/bio_enc.c b/crypto/openssl/crypto/evp/bio_enc.c index 510e1bc..ab81851 100644 --- a/crypto/openssl/crypto/evp/bio_enc.c +++ b/crypto/openssl/crypto/evp/bio_enc.c @@ -271,7 +271,7 @@ static int enc_write(BIO *b, const char *in, int inl) if (i <= 0) { BIO_copy_next_retry(b); - return(i); + return (ret == inl) ? i : ret - inl; } n-=i; ctx->buf_off+=i; @@ -325,10 +325,7 @@ again: { i=enc_write(b,NULL,0); if (i < 0) - { - ret=i; - break; - } + return i; } if (!ctx->finished) diff --git a/crypto/openssl/crypto/evp/c_all.c b/crypto/openssl/crypto/evp/c_all.c index af3dd26..fa60a73 100644 --- a/crypto/openssl/crypto/evp/c_all.c +++ b/crypto/openssl/crypto/evp/c_all.c @@ -59,6 +59,9 @@ #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> +#ifndef OPENSSL_NO_ENGINE +#include <openssl/engine.h> +#endif #if 0 #undef OpenSSL_add_all_algorithms @@ -73,7 +76,9 @@ void OPENSSL_add_all_algorithms_noconf(void) { OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); -#if defined(__OpenBSD__) || defined(__FreeBSD__) +#ifndef OPENSSL_NO_ENGINE +# if defined(__OpenBSD__) || defined(__FreeBSD__) ENGINE_setup_bsd_cryptodev(); +# endif #endif } diff --git a/crypto/openssl/crypto/evp/digest.c b/crypto/openssl/crypto/evp/digest.c index 5b2104ac..b22eed4 100644 
--- a/crypto/openssl/crypto/evp/digest.c +++ b/crypto/openssl/crypto/evp/digest.c @@ -187,12 +187,12 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) ctx->engine = NULL; } else -#endif if(!ctx->digest) { EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_NO_DIGEST_SET); return 0; } +#endif if (ctx->digest != type) { if (ctx->digest && ctx->digest->ctx_size) diff --git a/crypto/openssl/crypto/evp/evp_acnf.c b/crypto/openssl/crypto/evp/evp_acnf.c index 54c073c..ff3e311 100644 --- a/crypto/openssl/crypto/evp/evp_acnf.c +++ b/crypto/openssl/crypto/evp/evp_acnf.c @@ -59,9 +59,6 @@ #include "cryptlib.h" #include <openssl/evp.h> #include <openssl/conf.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif /* Load all algorithms and configure OpenSSL. diff --git a/crypto/openssl/crypto/md2/md2test.c b/crypto/openssl/crypto/md2/md2test.c index 901d0a7..9c1e28b 100644 --- a/crypto/openssl/crypto/md2/md2test.c +++ b/crypto/openssl/crypto/md2/md2test.c @@ -59,7 +59,6 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> -#include <openssl/md2.h> #include "../e_os.h" @@ -71,6 +70,7 @@ int main(int argc, char *argv[]) } #else #include <openssl/evp.h> +#include <openssl/md2.h> #ifdef CHARSET_EBCDIC #include <openssl/ebcdic.h> diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl index 56cab5d..2d4df97 100644 --- a/crypto/openssl/crypto/md5/Makefile.ssl +++ b/crypto/openssl/crypto/md5/Makefile.ssl @@ -6,7 +6,7 @@ DIR= md5 TOP= ../.. CC= cc CPP= $(CC) -E -INCLUDES= +INCLUDES=-I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl @@ -20,6 +20,7 @@ AR= ar r MD5_ASM_OBJ= CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=md5test.c diff --git a/crypto/openssl/crypto/md5/asm/md5-586.pl b/crypto/openssl/crypto/md5/asm/md5-586.pl index 5fc6a20..fa3fa3b 100644 --- a/crypto/openssl/crypto/md5/asm/md5-586.pl +++ b/crypto/openssl/crypto/md5/asm/md5-586.pl 
@@ -293,7 +293,7 @@ sub md5_block &mov(&DWP(12,$tmp2,"",0),$D); &cmp($tmp1,$X) unless $normal; # check count - &jge(&label("start")) unless $normal; + &jae(&label("start")) unless $normal; &pop("eax"); # pop the temp variable off the stack &pop("ebx"); diff --git a/crypto/openssl/crypto/md5/asm/md5-sparcv9.S b/crypto/openssl/crypto/md5/asm/md5-sparcv9.S index a599ed5..db45aa4 100644 --- a/crypto/openssl/crypto/md5/asm/md5-sparcv9.S +++ b/crypto/openssl/crypto/md5/asm/md5-sparcv9.S @@ -34,10 +34,12 @@ * * or if above fails (it does if you have gas): * - * gcc -E -DULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \ + * gcc -E -DOPENSSL_SYSNAMEULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \ * as -xarch=v8plus /dev/fd/0 -o md5-sparcv9.o */ +#include <openssl/e_os2.h> + #define A %o0 #define B %o1 #define C %o2 diff --git a/crypto/openssl/crypto/o_time.c b/crypto/openssl/crypto/o_time.c index ca5f3ea..7854681 100644 --- a/crypto/openssl/crypto/o_time.c +++ b/crypto/openssl/crypto/o_time.c @@ -73,15 +73,17 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result) { struct tm *ts = NULL; -#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX) +#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_SUNOS) /* should return &data, but doesn't on some systems, so we don't even look at the return value */ gmtime_r(timer,result); ts = result; #elif !defined(OPENSSL_SYS_VMS) ts = gmtime(timer); - if (ts != NULL) - memcpy(result, ts, sizeof(struct tm)); + if (ts == NULL) + return NULL; + + memcpy(result, ts, sizeof(struct tm)); ts = result; #endif #ifdef OPENSSL_SYS_VMS 
diff --git a/crypto/openssl/crypto/ocsp/ocsp_ht.c b/crypto/openssl/crypto/ocsp/ocsp_ht.c index 357709a..9213e58 100644 --- a/crypto/openssl/crypto/ocsp/ocsp_ht.c +++ b/crypto/openssl/crypto/ocsp/ocsp_ht.c @@ -110,7 +110,7 @@ Content-Length: %d\r\n\r\n"; } /* Parse the HTTP response. This will look like this: * "HTTP/1.0 200 OK". We need to obtain the numeric code and - * informational message. + * (optional) informational message. */ /* Skip to first white space (passed protocol info) */ @@ -138,13 +138,19 @@ Content-Length: %d\r\n\r\n"; if(*r) goto err; /* Skip over any leading white space in message */ while(*q && isspace((unsigned char)*q)) q++; - if(!*q) goto err; + if(*q) { /* Finally zap any trailing white space in message (include CRLF) */ /* We know q has a non white space character so this is OK */ - for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0; + for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0; + } if(retcode != 200) { OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR); - ERR_add_error_data(4, "Code=", p, ",Reason=", q); + if(!*q) { + ERR_add_error_data(2, "Code=", p); + } + else { + ERR_add_error_data(4, "Code=", p, ",Reason=", q); + } goto err; } /* Find blank line marking beginning of content */ diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h index 492041b..fe6ff88 100644 --- a/crypto/openssl/crypto/opensslconf.h +++ b/crypto/openssl/crypto/opensslconf.h @@ -2,6 +2,9 @@ /* WARNING: Generated automatically from opensslconf.h.in by Configure. */ /* OpenSSL was configured with the following options: */ +#ifndef OPENSSL_SYSNAME_WIN16 +# define OPENSSL_SYSNAME_WIN16 +#endif #ifndef OPENSSL_DOING_MAKEDEPEND #ifndef OPENSSL_NO_KRB5 @@ -41,7 +44,7 @@ #endif #if defined(HEADER_MD2_H) && !defined(MD2_INT) -#define MD2_INT unsigned int +#define MD2_INT unsigned char #endif #if defined(HEADER_RC2_H) && !defined(RC2_INT) 
@@ -98,7 +101,7 @@ #define CONFIG_HEADER_RC4_LOCL_H /* if this is defined data[i] is used instead of *data, this is a %20 * speedup on x86 */ -#undef RC4_INDEX +#define RC4_INDEX #endif #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) @@ -112,7 +115,7 @@ /* the following is tweaked from a config script, that is why it is a * protected undef/define */ #ifndef DES_PTR -#undef DES_PTR +#define DES_PTR #endif /* This helps C compiler generate the correct code for multiple functional @@ -133,7 +136,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! /* Unroll the inner loop, this sometimes helps, sometimes hinders. * Very mucy CPU dependant */ #ifndef DES_UNROLL -#undef DES_UNROLL +#define DES_UNROLL #endif /* These default values were supplied by diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index 396ae7b..e226d9d 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090701fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7a Feb 19 2003" +#define OPENSSL_VERSION_NUMBER 0x0090703fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7c 30 Sep 2003" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/perlasm/x86ms.pl b/crypto/openssl/crypto/perlasm/x86ms.pl index 35f1a4d..fbb4afb 100644 --- a/crypto/openssl/crypto/perlasm/x86ms.pl +++ b/crypto/openssl/crypto/perlasm/x86ms.pl @@ -144,7 +144,10 @@ sub main'jle { &out1("jle",@_); } sub main'jz { &out1("jz",@_); } sub main'jge { &out1("jge",@_); } sub main'jl { &out1("jl",@_); } +sub main'ja { &out1("ja",@_); } +sub main'jae { &out1("jae",@_); } sub main'jb { &out1("jb",@_); } +sub main'jbe { &out1("jbe",@_); } sub main'jc { &out1("jc",@_); } sub main'jnc { &out1("jnc",@_); } sub main'jnz { &out1("jnz",@_); } 
diff --git a/crypto/openssl/crypto/perlasm/x86nasm.pl b/crypto/openssl/crypto/perlasm/x86nasm.pl index f30b746..30346af 100644 --- a/crypto/openssl/crypto/perlasm/x86nasm.pl +++ b/crypto/openssl/crypto/perlasm/x86nasm.pl @@ -152,7 +152,10 @@ sub main'jle { &out1("jle NEAR",@_); } sub main'jz { &out1("jz NEAR",@_); } sub main'jge { &out1("jge NEAR",@_); } sub main'jl { &out1("jl NEAR",@_); } +sub main'ja { &out1("ja NEAR",@_); } +sub main'jae { &out1("jae NEAR",@_); } sub main'jb { &out1("jb NEAR",@_); } +sub main'jbe { &out1("jbe NEAR",@_); } sub main'jc { &out1("jc NEAR",@_); } sub main'jnc { &out1("jnc NEAR",@_); } sub main'jnz { &out1("jnz NEAR",@_); } diff --git a/crypto/openssl/crypto/perlasm/x86unix.pl b/crypto/openssl/crypto/perlasm/x86unix.pl index 72bde06..10b669b 100644 --- a/crypto/openssl/crypto/perlasm/x86unix.pl +++ b/crypto/openssl/crypto/perlasm/x86unix.pl @@ -156,7 +156,10 @@ sub main'jnz { &out1("jnz",@_); } sub main'jz { &out1("jz",@_); } sub main'jge { &out1("jge",@_); } sub main'jl { &out1("jl",@_); } +sub main'ja { &out1("ja",@_); } +sub main'jae { &out1("jae",@_); } sub main'jb { &out1("jb",@_); } +sub main'jbe { &out1("jbe",@_); } sub main'jc { &out1("jc",@_); } sub main'jnc { &out1("jnc",@_); } sub main'jno { &out1("jno",@_); } diff --git a/crypto/openssl/crypto/pkcs12/p12_npas.c b/crypto/openssl/crypto/pkcs12/p12_npas.c index a549433..af708a2 100644 --- a/crypto/openssl/crypto/pkcs12/p12_npas.c +++ b/crypto/openssl/crypto/pkcs12/p12_npas.c @@ -107,7 +107,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) { STACK_OF(PKCS7) *asafes, *newsafes; STACK_OF(PKCS12_SAFEBAG) *bags; - int i, bagnid, pbe_nid, pbe_iter, pbe_saltlen; + int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0; PKCS7 *p7, *p7new; ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL; unsigned char mac[EVP_MAX_MD_SIZE]; diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index 0060a2e..190ca0e 100644 
--- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -767,6 +767,11 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, } if (EVP_MD_CTX_type(mdc) == md_type) break; + /* Workaround for some broken clients that put the signature + * OID instead of the digest OID in digest_alg->algorithm + */ + if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) + break; btmp=BIO_next(btmp); } diff --git a/crypto/openssl/crypto/pkcs7/pk7_mime.c b/crypto/openssl/crypto/pkcs7/pk7_mime.c index 086d394..5d2a978 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_mime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_mime.c @@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -101,7 +101,7 @@ static int mime_param_cmp(const MIME_PARAM * const *a, static void mime_param_free(MIME_PARAM *param); static int mime_bound_check(char *line, int linelen, char *bound, int blen); static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret); -static int iscrlf(char c); +static int strip_eol(char *linebuf, int *plen); static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, char *name); static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name); static void mime_hdr_free(MIME_HEADER *hdr); 
@@ -150,9 +150,17 @@ static PKCS7 *B64_read_PKCS7(BIO *bio) int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) { - char linebuf[MAX_SMLEN]; char bound[33], c; int i; + char *mime_prefix, *mime_eol; + if (flags & PKCS7_NOOLDMIMETYPE) + mime_prefix = "application/pkcs7-"; + else + mime_prefix = "application/x-pkcs7-"; + if (flags & PKCS7_CRLFEOL) + mime_eol = "\r\n"; + else + mime_eol = "\n"; if((flags & PKCS7_DETACHED) && data) { /* We want multipart/signed */ /* Generate a random boundary */ 
@@ -164,34 +172,42 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) bound[i] = c; } bound[32] = 0; - BIO_printf(bio, "MIME-Version: 1.0\n"); + BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol); BIO_printf(bio, "Content-Type: multipart/signed;"); - BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";"); - BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound); - BIO_printf(bio, "This is an S/MIME signed message\n\n"); + BIO_printf(bio, " protocol=\"%ssignature\";", mime_prefix); + BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"%s%s", + bound, mime_eol, mime_eol); + BIO_printf(bio, "This is an S/MIME signed message%s%s", + mime_eol, mime_eol); /* Now write out the first part */ - BIO_printf(bio, "------%s\n", bound); - if(flags & PKCS7_TEXT) BIO_printf(bio, "Content-Type: text/plain\n\n"); - while((i = BIO_read(data, linebuf, MAX_SMLEN)) > 0) - BIO_write(bio, linebuf, i); - BIO_printf(bio, "\n------%s\n", bound); + BIO_printf(bio, "------%s%s", bound, mime_eol); + SMIME_crlf_copy(data, bio, flags); + BIO_printf(bio, "%s------%s%s", mime_eol, bound, mime_eol); /* Headers for signature */ - BIO_printf(bio, "Content-Type: application/x-pkcs7-signature; name=\"smime.p7s\"\n"); - BIO_printf(bio, "Content-Transfer-Encoding: base64\n"); - BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7s\"\n\n"); + BIO_printf(bio, "Content-Type: %ssignature;", mime_prefix); + BIO_printf(bio, " name=\"smime.p7s\"%s", mime_eol); + BIO_printf(bio, "Content-Transfer-Encoding: base64%s", + mime_eol); + BIO_printf(bio, "Content-Disposition: attachment;"); + BIO_printf(bio, " filename=\"smime.p7s\"%s%s", + mime_eol, mime_eol); B64_write_PKCS7(bio, p7); - BIO_printf(bio,"\n------%s--\n\n", bound); + BIO_printf(bio,"%s------%s--%s%s", mime_eol, bound, + mime_eol, mime_eol); return 1; } /* MIME headers */ - BIO_printf(bio, "MIME-Version: 1.0\n"); - BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7m\"\n"); - 
BIO_printf(bio, "Content-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\n"); - BIO_printf(bio, "Content-Transfer-Encoding: base64\n\n"); + BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol); + BIO_printf(bio, "Content-Disposition: attachment;"); + BIO_printf(bio, " filename=\"smime.p7m\"%s", mime_eol); + BIO_printf(bio, "Content-Type: %smime;", mime_prefix); + BIO_printf(bio, " name=\"smime.p7m\"%s", mime_eol); + BIO_printf(bio, "Content-Transfer-Encoding: base64%s%s", + mime_eol, mime_eol); B64_write_PKCS7(bio, p7); - BIO_printf(bio, "\n"); + BIO_printf(bio, "%s", mime_eol); return 1; } @@ -316,12 +332,9 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags) } if(flags & PKCS7_TEXT) BIO_printf(out, "Content-Type: text/plain\r\n\r\n"); while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) { - eol = 0; - while(iscrlf(linebuf[len - 1])) { - len--; - eol = 1; - } - BIO_write(out, linebuf, len); + eol = strip_eol(linebuf, &len); + if (len) + BIO_write(out, linebuf, len); if(eol) BIO_write(out, "\r\n", 2); } return 1; @@ -364,6 +377,7 @@ static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret) { char linebuf[MAX_SMLEN]; int len, blen; + int eol = 0, next_eol = 0; BIO *bpart = NULL; STACK_OF(BIO) *parts; char state, part, first; 
@@ -383,26 +397,23 @@ static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret) sk_BIO_push(parts, bpart); return 1; } else if(part) { + /* Strip CR+LF from linebuf */ + next_eol = strip_eol(linebuf, &len); if(first) { first = 0; if(bpart) sk_BIO_push(parts, bpart); bpart = BIO_new(BIO_s_mem()); - - } else BIO_write(bpart, "\r\n", 2); - /* Strip CR+LF from linebuf */ - while(iscrlf(linebuf[len - 1])) len--; - BIO_write(bpart, linebuf, len); + BIO_set_mem_eof_return(bpart, 0); + } else if (eol) + BIO_write(bpart, "\r\n", 2); + eol = next_eol; + if (len) + BIO_write(bpart, linebuf, len); } } return 0; } -static int iscrlf(char c) -{ - if(c == '\r' || c == '\n') return 1; - return 0; -} - /* This is the big one: parse MIME header lines up to message body */ #define MIME_INVALID 0 @@ -683,3 +694,21 @@ static int mime_bound_check(char *line, int linelen, char *bound, int blen) } return 0; } + +static int strip_eol(char *linebuf, int *plen) + { + int len = *plen; + char *p, c; + int is_eol = 0; + p = linebuf + len - 1; + for (p = linebuf + len - 1; len > 0; len--, p--) + { + c = *p; + if (c == '\n') + is_eol = 1; + else if (c != '\r') + break; + } + *plen = len; + return is_eol; + } diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index f0d071e..6e5735d 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/openssl/crypto/pkcs7/pkcs7.h b/crypto/openssl/crypto/pkcs7/pkcs7.h index 5819700..15372e1 100644 --- a/crypto/openssl/crypto/pkcs7/pkcs7.h 
+++ b/crypto/openssl/crypto/pkcs7/pkcs7.h @@ -260,6 +260,8 @@ DECLARE_PKCS12_STACK_OF(PKCS7) #define PKCS7_BINARY 0x80 #define PKCS7_NOATTR 0x100 #define PKCS7_NOSMIMECAP 0x200 +#define PKCS7_NOOLDMIMETYPE 0x400 +#define PKCS7_CRLFEOL 0x800 /* Flags: for compatibility with older code */ diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c index 113b586..263068d 100644 --- a/crypto/openssl/crypto/rand/rand_win.c +++ b/crypto/openssl/crypto/rand/rand_win.c @@ -162,6 +162,7 @@ typedef BOOL (WINAPI *GETCURSORINFO)(PCURSORINFO); typedef DWORD (WINAPI *GETQUEUESTATUS)(UINT); typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD); +typedef BOOL (WINAPI *CLOSETOOLHELP32SNAPSHOT)(HANDLE); typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, DWORD); typedef BOOL (WINAPI *HEAP32NEXT)(LPHEAPENTRY32); typedef BOOL (WINAPI *HEAP32LIST)(HANDLE, LPHEAPLIST32); @@ -431,7 +432,7 @@ int RAND_poll(void) * This seeding method was proposed in Peter Gutmann, Software * Generation of Practically Strong Random Numbers, * http://www.usenix.org/publications/library/proceedings/sec98/gutmann.html - * revised version at http://www.cryptoengines.com/~peter/06_random.pdf + * revised version at http://www.cryptoengines.com/~peter/06_random.pdf * (The assignment of entropy estimates below is arbitrary, but based * on Peter's analysis the full poll appears to be safe. Additional * interactive seeding is encouraged.) @@ -440,6 +441,7 @@ int RAND_poll(void) if (kernel) { CREATETOOLHELP32SNAPSHOT snap; + CLOSETOOLHELP32SNAPSHOT close_snap; HANDLE handle; HEAP32FIRST heap_first; 
@@ -457,6 +459,8 @@ int RAND_poll(void) snap = (CREATETOOLHELP32SNAPSHOT) GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot")); + close_snap = (CLOSETOOLHELP32SNAPSHOT) + GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot")); heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First")); heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next")); heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst")); @@ -472,7 +476,7 @@ int RAND_poll(void) heaplist_next && process_first && process_next && thread_first && thread_next && module_first && module_next && (handle = snap(TH32CS_SNAPALL,0)) - != NULL) + != INVALID_HANDLE_VALUE) { /* heap list and heap walking */ /* HEAPLIST32 contains 3 fields that will change with @@ -534,8 +538,10 @@ int RAND_poll(void) do RAND_add(&m, m.dwSize, 9); while (module_next(handle, &m)); - - CloseHandle(handle); + if (close_snap) + close_snap(handle); + else + CloseHandle(handle); } FreeLibrary(kernel); diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl index 605d488..ce3f818 100644 --- a/crypto/openssl/crypto/rsa/Makefile.ssl +++ b/crypto/openssl/crypto/rsa/Makefile.ssl 
@@ -104,14 +104,12 @@ rsa_chk.o: rsa_chk.c rsa_eay.o: ../../e_os.h ../../include/openssl/asn1.h rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h -rsa_eay.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h -rsa_eay.o: ../../include/openssl/err.h ../../include/openssl/lhash.h -rsa_eay.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -rsa_eay.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h -rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h -rsa_eay.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -rsa_eay.o: ../../include/openssl/ui.h ../cryptlib.h rsa_eay.c +rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h +rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h rsa_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h 
@@ -217,21 +215,21 @@ rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h rsa_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h rsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -rsa_sign.o: ../../include/openssl/engine.h ../../include/openssl/err.h -rsa_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h -rsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h -rsa_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h -rsa_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h -rsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h +rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h +rsa_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h +rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h +rsa_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +rsa_sign.o: ../../include/openssl/opensslconf.h rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h -rsa_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h -rsa_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h -rsa_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h -rsa_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -rsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -rsa_sign.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h -rsa_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h rsa_sign.c +rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h +rsa_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h +rsa_sign.o: ../../include/openssl/ripemd.h 
../../include/openssl/rsa.h +rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +rsa_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +rsa_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +rsa_sign.o: ../cryptlib.h rsa_sign.c rsa_ssl.o: ../../e_os.h ../../include/openssl/asn1.h rsa_ssl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_ssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h diff --git a/crypto/openssl/crypto/rsa/rsa.h b/crypto/openssl/crypto/rsa/rsa.h index b2e25e4..62fa745 100644 --- a/crypto/openssl/crypto/rsa/rsa.h +++ b/crypto/openssl/crypto/rsa/rsa.h @@ -170,6 +170,12 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x40 +#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in + * RSA implementation now uses blinding by + * default (ignoring RSA_FLAG_BLINDING), + * but other engines might not need it + */ + #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c index e4bcf49..e0d2862 100644 --- a/crypto/openssl/crypto/rsa/rsa_eay.c +++ b/crypto/openssl/crypto/rsa/rsa_eay.c @@ -61,9 +61,6 @@ #include <openssl/bn.h> #include <openssl/rsa.h> #include <openssl/rand.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif #ifndef RSA_NULL 
@@ -208,12 +205,46 @@ static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) #define BLINDING_HELPER(rsa, ctx, err_instr) \ do { \ - if(((rsa)->flags & RSA_FLAG_BLINDING) && \ - ((rsa)->blinding == NULL) && \ - !rsa_eay_blinding(rsa, ctx)) \ - err_instr \ + if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ + ((rsa)->blinding == NULL) && \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ } while(0) +static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) + { + BIGNUM *A, *Ai; + BN_BLINDING *ret = NULL; + + /* added in OpenSSL 0.9.6j and 0.9.7b */ + + /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); + * this should be placed in a new function of its own, but for reasons + * of binary compatibility can't */ + + BN_CTX_start(ctx); + A = BN_CTX_get(ctx); + if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) + { + /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + if (!BN_pseudo_rand_range(A,rsa->n)) goto err; + } + else + { + if (!BN_rand_range(A,rsa->n)) goto err; + } + if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; + + if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) + goto err; + ret = BN_BLINDING_new(A,Ai,rsa->n); + BN_free(Ai); +err: + BN_CTX_end(ctx); + return ret; + } + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -222,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, int i,j,k,num=0,r= -1; unsigned char *buf=NULL; BN_CTX *ctx=NULL; + int local_blinding = 0; + BN_BLINDING *blinding = NULL; BN_init(&f); BN_init(&ret); 
@@ -259,9 +292,38 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, } BLINDING_HELPER(rsa, ctx, goto err;); + blinding = rsa->blinding; + + /* Now unless blinding is disabled, 'blinding' is non-NULL. + * But the BN_BLINDING object may be owned by some other thread + * (we don't want to keep it constant and we don't want to use + * lots of locking to avoid race conditions, so only a single + * thread can use it; other threads have to use local blinding + * factors) */ + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) + { + if (blinding == NULL) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); + goto err; + } + } + + if (blinding != NULL) + { + if (blinding->thread_id != CRYPTO_thread_id()) + { + /* we need a local one-time blinding factor */ - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; + blinding = setup_blinding(rsa, ctx); + if (blinding == NULL) + goto err; + local_blinding = 1; + } + } + + if (blinding) + if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || ((rsa->p != NULL) && @@ -275,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; + if (blinding) + if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; /* put in leading 0 bytes if the number is less than the * length of the modulus */ @@ -290,6 +352,8 @@ err: if (ctx != NULL) BN_CTX_free(ctx); BN_clear_free(&ret); BN_clear_free(&f); + if (local_blinding) + BN_BLINDING_free(blinding); if (buf != NULL) { OPENSSL_cleanse(buf,num); @@ -306,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *p; unsigned char *buf=NULL; BN_CTX *ctx=NULL; + int local_blinding = 0; + BN_BLINDING *blinding = NULL; BN_init(&f); BN_init(&ret); 
@@ -338,9 +404,38 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, } BLINDING_HELPER(rsa, ctx, goto err;); + blinding = rsa->blinding; + + /* Now unless blinding is disabled, 'blinding' is non-NULL. + * But the BN_BLINDING object may be owned by some other thread + * (we don't want to keep it constant and we don't want to use + * lots of locking to avoid race conditions, so only a single + * thread can use it; other threads have to use local blinding + * factors) */ + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) + { + if (blinding == NULL) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); + goto err; + } + } + + if (blinding != NULL) + { + if (blinding->thread_id != CRYPTO_thread_id()) + { + /* we need a local one-time blinding factor */ + + blinding = setup_blinding(rsa, ctx); + if (blinding == NULL) + goto err; + local_blinding = 1; + } + } - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; + if (blinding) + if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; /* do the decrypt */ if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || @@ -356,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; + if (blinding) + if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; p=buf; j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ @@ -389,6 +484,8 @@ err: if (ctx != NULL) BN_CTX_free(ctx); BN_clear_free(&f); BN_clear_free(&ret); + if (local_blinding) + BN_BLINDING_free(blinding); if (buf != NULL) { OPENSSL_cleanse(buf,num); diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c index f234ae0..e4d6228 100644 --- a/crypto/openssl/crypto/rsa/rsa_lib.c +++ b/crypto/openssl/crypto/rsa/rsa_lib.c 
@@ -62,6 +62,7 @@ #include <openssl/lhash.h> #include <openssl/bn.h> #include <openssl/rsa.h> +#include <openssl/rand.h> #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> #endif @@ -74,10 +75,6 @@ RSA *RSA_new(void) { RSA *r=RSA_new_method(NULL); -#ifndef OPENSSL_NO_FORCE_RSA_BLINDING - r->flags|=RSA_FLAG_BLINDING; -#endif - return r; } @@ -313,12 +310,13 @@ void RSA_blinding_off(RSA *rsa) BN_BLINDING_free(rsa->blinding); rsa->blinding=NULL; } - rsa->flags&= ~RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_BLINDING; + rsa->flags |= RSA_FLAG_NO_BLINDING; } int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) { - BIGNUM *A,*Ai; + BIGNUM *A,*Ai = NULL; BN_CTX *ctx; int ret=0; 
@@ -329,21 +327,42 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) else ctx=p_ctx; + /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */ if (rsa->blinding != NULL) + { BN_BLINDING_free(rsa->blinding); + rsa->blinding = NULL; + } + + /* NB: similar code appears in setup_blinding (rsa_eay.c); + * this should be placed in a new function of its own, but for reasons + * of binary compatibility can't */ BN_CTX_start(ctx); A = BN_CTX_get(ctx); - if (!BN_rand_range(A,rsa->n)) goto err; + if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) + { + /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + if (!BN_pseudo_rand_range(A,rsa->n)) goto err; + } + else + { + if (!BN_rand_range(A,rsa->n)) goto err; + } if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) - goto err; - rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n); - rsa->flags|=RSA_FLAG_BLINDING; - BN_free(Ai); + goto err; + if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err; + /* to make things thread-safe without excessive locking, + * rsa->blinding will be used just by the current thread: */ + rsa->blinding->thread_id = CRYPTO_thread_id(); + rsa->flags |= RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_NO_BLINDING; ret=1; err: + if (Ai != NULL) BN_free(Ai); BN_CTX_end(ctx); if (ctx != p_ctx) BN_CTX_free(ctx); return(ret); diff --git a/crypto/openssl/crypto/rsa/rsa_sign.c b/crypto/openssl/crypto/rsa/rsa_sign.c index 9dd62ac..8a1e642 100644 --- a/crypto/openssl/crypto/rsa/rsa_sign.c +++ b/crypto/openssl/crypto/rsa/rsa_sign.c @@ -62,9 +62,6 @@ #include <openssl/rsa.h> #include <openssl/objects.h> #include <openssl/x509.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif /* Size of an SSL signature: MD5+SHA1 */ #define SSL_SIG_LENGTH 36 
@@ -79,12 +76,11 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, const unsigned char *s = NULL; X509_ALGOR algor; ASN1_OCTET_STRING digest; -#ifndef OPENSSL_NO_ENGINE - if((rsa->flags & RSA_FLAG_SIGN_VER) - && ENGINE_get_RSA(rsa->engine)->rsa_sign) - return ENGINE_get_RSA(rsa->engine)->rsa_sign(type, - m, m_len, sigret, siglen, rsa); -#endif + if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) + { + return rsa->meth->rsa_sign(type, m, m_len, + sigret, siglen, rsa); + } /* Special case: SSL signature, just check the length */ if(type == NID_md5_sha1) { if(m_len != SSL_SIG_LENGTH) { @@ -159,12 +155,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, return(0); } -#ifndef OPENSSL_NO_ENGINE - if((rsa->flags & RSA_FLAG_SIGN_VER) - && ENGINE_get_RSA(rsa->engine)->rsa_verify) - return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype, - m, m_len, sigbuf, siglen, rsa); -#endif + if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) + { + return rsa->meth->rsa_verify(dtype, m, m_len, + sigbuf, siglen, rsa); + } s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen); if (s == NULL) diff --git a/crypto/openssl/crypto/rsa/rsa_test.c b/crypto/openssl/crypto/rsa/rsa_test.c index 99abb1f..924e9ad 100644 --- a/crypto/openssl/crypto/rsa/rsa_test.c +++ b/crypto/openssl/crypto/rsa/rsa_test.c @@ -16,9 +16,6 @@ int main(int argc, char *argv[]) } #else #include <openssl/rsa.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif #define SetKey \ key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \ diff --git a/crypto/openssl/crypto/threads/mttest.c b/crypto/openssl/crypto/threads/mttest.c index 7142e4e..54d5985 100644 --- a/crypto/openssl/crypto/threads/mttest.c +++ b/crypto/openssl/crypto/threads/mttest.c 
@@ -86,11 +86,6 @@ #include <openssl/err.h> #include <openssl/rand.h> -#ifdef OPENSSL_NO_FP_API -#define APPS_WIN16 -#include "../buffer/bss_file.c" -#endif - #define TEST_SERVER_CERT "../../apps/server.pem" #define TEST_CLIENT_CERT "../../apps/client.pem" diff --git a/crypto/openssl/crypto/x509/by_file.c b/crypto/openssl/crypto/x509/by_file.c index 22be90c..b4b0418 100644 --- a/crypto/openssl/crypto/x509/by_file.c +++ b/crypto/openssl/crypto/x509/by_file.c @@ -285,7 +285,8 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) if(itmp->x509) { X509_STORE_add_cert(ctx->store_ctx, itmp->x509); count++; - } else if(itmp->crl) { + } + if(itmp->crl) { X509_STORE_add_crl(ctx->store_ctx, itmp->crl); count++; } diff --git a/crypto/openssl/crypto/x509/x509_trs.c b/crypto/openssl/crypto/x509/x509_trs.c index 17d69ac..8812526 100644 --- a/crypto/openssl/crypto/x509/x509_trs.c +++ b/crypto/openssl/crypto/x509/x509_trs.c @@ -82,6 +82,7 @@ static X509_TRUST trstandard[] = { {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, +{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL} }; diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c index 552d1e7..2bb21b4 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.c +++ b/crypto/openssl/crypto/x509/x509_vfy.c @@ -453,9 +453,9 @@ static int check_revocation(X509_STORE_CTX *ctx) if (!(ctx->flags & X509_V_FLAG_CRL_CHECK)) return 1; if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL) - last = 0; - else last = sk_X509_num(ctx->chain) - 1; + else + last = 0; for(i = 0; i <= last; i++) { ctx->error_depth = i; 
@@ -674,7 +674,7 @@ static int internal_verify(X509_STORE_CTX *ctx) ok=(*cb)(0,ctx); if (!ok) goto end; } - if (X509_verify(xs,pkey) <= 0) + else if (X509_verify(xs,pkey) <= 0) /* XXX For the final trusted self-signed cert, * this is a waste of time. That check should * optional so that e.g. 'openssl x509' can be diff --git a/crypto/openssl/crypto/x509/x509type.c b/crypto/openssl/crypto/x509/x509type.c index 8e78b34..f78c2a6 100644 --- a/crypto/openssl/crypto/x509/x509type.c +++ b/crypto/openssl/crypto/x509/x509type.c @@ -99,14 +99,15 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) case EVP_PKEY_RSA: ret|=EVP_PKS_RSA; break; - case EVP_PKS_DSA: + case EVP_PKEY_DSA: ret|=EVP_PKS_DSA; break; default: break; } - if (EVP_PKEY_size(pk) <= 512) + if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look + for, not bytes */ ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); return(ret); diff --git a/crypto/openssl/crypto/x509v3/v3_conf.c b/crypto/openssl/crypto/x509v3/v3_conf.c index 1a3448e..1284d5a 100644 --- a/crypto/openssl/crypto/x509v3/v3_conf.c +++ b/crypto/openssl/crypto/x509v3/v3_conf.c @@ -236,7 +236,7 @@ static int v3_check_critical(char **value) static int v3_check_generic(char **value) { char *p = *value; - if ((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0; + if ((strlen(p) < 4) || strncmp(p, "DER:", 4)) return 0; p+=4; while (isspace((unsigned char)*p)) p++; *value = p; diff --git a/crypto/openssl/crypto/x509v3/v3_cpols.c b/crypto/openssl/crypto/x509v3/v3_cpols.c index 0d4ab1f..0d554f3 100644 --- a/crypto/openssl/crypto/x509v3/v3_cpols.c +++ b/crypto/openssl/crypto/x509v3/v3_cpols.c 
@@ -73,7 +73,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *polstrs, int ia5org); static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org); -static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos); +static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); X509V3_EXT_METHOD v3_cpols = { NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES), @@ -226,6 +226,8 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, qual = notice_section(ctx, unot, ia5org); X509V3_section_free(ctx, unot); if(!qual) goto err; + if(!pol->qualifiers) pol->qualifiers = + sk_POLICYQUALINFO_new_null(); if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) goto merr; } else { @@ -255,7 +257,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org) { - int i; + int i, ret; CONF_VALUE *cnf; USERNOTICE *not; POLICYQUALINFO *qual; @@ -275,8 +277,8 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, if(!(nref = NOTICEREF_new())) goto merr; not->noticeref = nref; } else nref = not->noticeref; - if(ia5org) nref->organization = M_ASN1_IA5STRING_new(); - else nref->organization = M_ASN1_VISIBLESTRING_new(); + if(ia5org) nref->organization->type = V_ASN1_IA5STRING; + else nref->organization->type = V_ASN1_VISIBLESTRING; if(!ASN1_STRING_set(nref->organization, cnf->value, strlen(cnf->value))) goto merr; } else if(!strcmp(cnf->name, "noticeNumbers")) { @@ -292,12 +294,12 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, X509V3_conf_err(cnf); goto err; } - nref->noticenos = nref_nos(nos); + ret = nref_nos(nref->noticenos, nos); sk_CONF_VALUE_pop_free(nos, X509V3_conf_free); - if(!nref->noticenos) goto err; + if (!ret) + goto err; } else { X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION); - X509V3_conf_err(cnf); goto err; } 
@@ -319,15 +321,13 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, return NULL; } -static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos) +static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos) { - STACK_OF(ASN1_INTEGER) *nnums; CONF_VALUE *cnf; ASN1_INTEGER *aint; int i; - if(!(nnums = sk_ASN1_INTEGER_new_null())) goto merr; for(i = 0; i < sk_CONF_VALUE_num(nos); i++) { cnf = sk_CONF_VALUE_value(nos, i); if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) { @@ -336,14 +336,14 @@ static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos) } if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr; } - return nnums; + return 1; merr: X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE); err: sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free); - return NULL; + return 0; } diff --git a/crypto/openssl/crypto/x509v3/v3_lib.c b/crypto/openssl/crypto/x509v3/v3_lib.c index 482ca8c..ca5a4a4 100644 --- a/crypto/openssl/crypto/x509v3/v3_lib.c +++ b/crypto/openssl/crypto/x509v3/v3_lib.c @@ -202,6 +202,7 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx) if(OBJ_obj2nid(ex->object) == nid) { if(idx) { *idx = i; + found_ex = ex; break; } else if(found_ex) { /* Found more than one */ diff --git a/crypto/openssl/crypto/x509v3/v3_prn.c b/crypto/openssl/crypto/x509v3/v3_prn.c index aeaf617..5d268eb 100644 --- a/crypto/openssl/crypto/x509v3/v3_prn.c +++ b/crypto/openssl/crypto/x509v3/v3_prn.c 
@@ -178,13 +178,13 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts ASN1_OBJECT *obj; X509_EXTENSION *ex; ex=sk_X509_EXTENSION_value(exts, i); - if (BIO_printf(bp,"%*s",indent, "") <= 0) return 0; + if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0; obj=X509_EXTENSION_get_object(ex); i2a_ASN1_OBJECT(bp,obj); j=X509_EXTENSION_get_critical(ex); if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0) return 0; - if(!X509V3_EXT_print(bp, ex, flag, 12)) + if(!X509V3_EXT_print(bp, ex, flag, indent + 4)) { BIO_printf(bp, "%*s", indent + 4, ""); M_ASN1_OCTET_STRING_print(bp,ex->value); diff --git a/crypto/openssl/demos/engines/zencod/hw_zencod.h b/crypto/openssl/demos/engines/zencod/hw_zencod.h index 195345d..415c9a6 100644 --- a/crypto/openssl/demos/engines/zencod/hw_zencod.h +++ b/crypto/openssl/demos/engines/zencod/hw_zencod.h @@ -46,7 +46,7 @@ typedef int t_zencod_dump_key (FILE *stream, char *msg, KEY *key); /* - * Key managment tools + * Key management tools */ typedef KEY *t_zencod_new_number (unsigned long len, unsigned char *data); typedef int t_zencod_init_number (KEY *n, unsigned long len, unsigned char *data); diff --git a/crypto/openssl/doc/HOWTO/certificates.txt b/crypto/openssl/doc/HOWTO/certificates.txt index 82166e0..d3a6254 100644 --- a/crypto/openssl/doc/HOWTO/certificates.txt +++ b/crypto/openssl/doc/HOWTO/certificates.txt @@ -48,7 +48,7 @@ you have your own certificate authority, you may sign it yourself, or if you need a self-signed certificate (because you just want a test certificate or because you are setting up your own CA). -The certificate is created like this: +The certificate request is created like this: openssl req -new -key privkey.pem -out cert.csr 
@@ -71,13 +71,11 @@ received. If you don't want to deal with another certificate authority, or just want to create a test certificate for yourself, or are setting up a certificate authority of your own, you may want to make the requested -certificate a self-signed one. If you have created a certificate -request as shown above, you can sign it using the 'openssl x509' -command, for example like this (to create a self-signed CA -certificate): +certificate a self-signed one. This is similar to creating a +certificate request, but creates a certificate instead of a +certificate request (1095 is 3 years): - openssl x509 -req -in cert.csr -extfile openssl.cnf -extensions v3_ca \ - -signkey privkey.pem -out cacert.pem -trustout + openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 5. What to do with the certificate diff --git a/crypto/openssl/doc/HOWTO/keys.txt b/crypto/openssl/doc/HOWTO/keys.txt new file mode 100644 index 0000000..45f42ea --- /dev/null +++ b/crypto/openssl/doc/HOWTO/keys.txt 
@@ -0,0 +1,73 @@ +<DRAFT!> + HOWTO keys + +1. Introduction + +Keys are the basis of public key algorithms and PKI. Keys usually +come in pairs, with one half being the public key and the other half +being the private key. With OpenSSL, the private key contains the +public key information as well, so a public key doesn't need to be +generated separately. + +Public keys come in several flavors, using different cryptographic +algorithms. The most popular ones associated with certificates are +RSA and DSA, and this HOWTO will show how to generate each of them. + + +2. To generate a RSA key + +A RSA key can be used both for encryption and for signing. + +Generating a key for the RSA algorithm is quite easy, all you have to +do is the following: + + openssl genrsa -des3 -out privkey.pem 2048 + +With this variant, you will be prompted for a protecting password. If +you don't want your key to be protected by a password, remove the flag +'-des3' from the command line above. + + NOTE: if you intend to use the key together with a server + certificate, it may be a good thing to avoid protecting it + with a password, since that would mean someone would have to + type in the password every time the server needs to access + the key. + +The number 2048 is the size of the key, in bits. Today, 2048 or +higher is recommended for RSA keys, as fewer amount of bits is +consider insecure or to be insecure pretty soon. + + +3. To generate a DSA key + +A DSA key can be used both for signing only. This is important to +keep in mind to know what kind of purposes a certificate request with +a DSA key can really be used for. + +Generating a key for the DSA algorithm is a two-step process. First, +you have to generate parameters from which to generate the key: + + openssl dsaparam -out dsaparam.pem 2048 + +The number 2048 is the size of the key, in bits. Today, 2048 or +higher is recommended for DSA keys, as fewer amount of bits is +consider insecure or to be insecure pretty soon. 
+ +When that is done, you can generate a key using the parameters in +question (actually, several keys can be generated from the same +parameters): + + openssl gendsa -des3 -out privkey.pem dsaparam.pem + +With this variant, you will be prompted for a protecting password. If +you don't want your key to be protected by a password, remove the flag +'-des3' from the command line above. + + NOTE: if you intend to use the key together with a server + certificate, it may be a good thing to avoid protecting it + with a password, since that would mean someone would have to + type in the password every time the server needs to access + the key. + +-- +Richard Levitte diff --git a/crypto/openssl/doc/apps/ca.pod b/crypto/openssl/doc/apps/ca.pod index de66c53..74f45ca 100644 --- a/crypto/openssl/doc/apps/ca.pod +++ b/crypto/openssl/doc/apps/ca.pod @@ -359,7 +359,7 @@ the same as the B<-md> option. The message digest to use. Mandatory. the text database file to use. Mandatory. This file must be present though initially it will be empty. -=item B<serialfile> +=item B<serial> a text file containing the next serial number to use in hex. Mandatory. This file must be present and contain a valid serial number. @@ -400,7 +400,7 @@ here, except the B<no_signame> and B<no_sigdump> are permanently set and cannot be disabled (this is because the certificate signature cannot be displayed because the certificate has not been signed at this point). -For convenience the values B<default_ca> are accepted by both to produce +For convenience the values B<ca_default> are accepted by both to produce a reasonable output. If neither option is present the format used in earlier versions of 
@@ -513,8 +513,8 @@ A sample configuration file with the relevant sections for B<ca>: policy = policy_any # default policy email_in_dn = no # Don't add the email into cert DN - nameopt = default_ca # Subject name display option - certopt = default_ca # Certificate display option + nameopt = ca_default # Subject name display option + certopt = ca_default # Certificate display option copy_extensions = none # Don't copy extensions from request [ policy_any ] diff --git a/crypto/openssl/doc/apps/ocsp.pod b/crypto/openssl/doc/apps/ocsp.pod index da201b9..4f26605 100644 --- a/crypto/openssl/doc/apps/ocsp.pod +++ b/crypto/openssl/doc/apps/ocsp.pod @@ -11,6 +11,10 @@ B<openssl> B<ocsp> [B<-issuer file>] [B<-cert file>] [B<-serial n>] +[B<-signer file>] +[B<-signkey file>] +[B<-sign_other file>] +[B<-no_certs>] [B<-req_text>] [B<-resp_text>] [B<-text>] @@ -20,27 +24,36 @@ B<openssl> B<ocsp> [B<-respin file>] [B<-nonce>] [B<-no_nonce>] -[B<-url responder_url>] +[B<-url URL>] [B<-host host:n>] [B<-path>] -[B<-CApath file>] +[B<-CApath dir>] [B<-CAfile file>] [B<-VAfile file>] -[B<-verify_certs file>] +[B<-validity_period n>] +[B<-status_age n>] [B<-noverify>] +[B<-verify_other file>] [B<-trust_other>] [B<-no_intern>] -[B<-no_sig_verify>] +[B<-no_signature_verify>] [B<-no_cert_verify>] [B<-no_chain>] [B<-no_cert_checks>] -[B<-validity_period nsec>] -[B<-status_age nsec>] +[B<-port num>] +[B<-index file>] +[B<-CA file>] +[B<-rsigner file>] +[B<-rkey file>] +[B<-rother file>] +[B<-resp_no_certs>] +[B<-nmin n>] +[B<-ndays n>] +[B<-resp_key_id>] +[B<-nrequest n>] =head1 DESCRIPTION -B<WARNING: this documentation is preliminary and subject to change.> - The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate (RFC 2560). 
@@ -83,6 +96,10 @@ the B<signkey> option is not present then the private key is read from the same file as the certificate. If neither option is specified then the OCSP request is not signed. +=item B<-sign_other filename> + +Additional certificates to include in the signed request. + =item B<-nonce>, B<-no_nonce> Add an OCSP nonce extension to a request or disable OCSP nonce addition. @@ -120,7 +137,7 @@ or "/" by default. file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. -=item B<-verify_certs file> +=item B<-verify_other file> file containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer's @@ -151,7 +168,7 @@ ignore certificates contained in the OCSP response when searching for the signers certificate. With this option the signers certificate must be specified with either the B<-verify_certs> or B<-VAfile> options. -=item B<-no_sig_verify> +=item B<-no_signature_verify> don't check the signature on the OCSP response. Since this option tolerates invalid signatures on OCSP responses it will normally only be used for testing purposes. diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod index 7fca9cb..d061326 100644 --- a/crypto/openssl/doc/apps/s_client.pod +++ b/crypto/openssl/doc/apps/s_client.pod @@ -33,6 +33,7 @@ B<openssl> B<s_client> [B<-no_tls1>] [B<-bugs>] [B<-cipher cipherlist>] +[B<-starttls protocol>] [B<-engine id>] [B<-rand file(s)>] 
@@ -163,6 +164,12 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B<ciphers> command for more information. +=item B<-starttls protocol> + +send the protocol-specific message(s) to switch to TLS for communication. +B<protocol> is a keyword for the intended protocol. Currently, the only +supported keywords are "smtp" and "pop3". + =item B<-engine id> specifying an engine (by it's unique B<id> string) will cause B<s_client> diff --git a/crypto/openssl/doc/apps/s_server.pod b/crypto/openssl/doc/apps/s_server.pod index 4b1e426..1d21921 100644 --- a/crypto/openssl/doc/apps/s_server.pod +++ b/crypto/openssl/doc/apps/s_server.pod @@ -42,6 +42,7 @@ B<openssl> B<s_server> [B<-WWW>] [B<-HTTP>] [B<-engine id>] +[B<-id_prefix arg>] [B<-rand file(s)>] =head1 DESCRIPTION @@ -209,6 +210,13 @@ to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. +=item B<-id_prefix arg> + +generate SSL/TLS session IDs prefixed by B<arg>. This is mostly useful +for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple +servers, when each of which might be generating a unique range of session +IDs (eg. with a certain prefix). + =item B<-rand file(s)> a file or files containing random data used to seed the random number diff --git a/crypto/openssl/doc/crypto/BIO_f_base64.pod b/crypto/openssl/doc/crypto/BIO_f_base64.pod index fdb603b..929557d 100644 --- a/crypto/openssl/doc/crypto/BIO_f_base64.pod +++ b/crypto/openssl/doc/crypto/BIO_f_base64.pod 
@@ -55,16 +55,15 @@ to standard output: Read Base64 encoded data from standard input and write the decoded data to standard output: - BIO *bio, *b64, bio_out; + BIO *bio, *b64, *bio_out; char inbuf[512]; int inlen; - char message[] = "Hello World \n"; b64 = BIO_new(BIO_f_base64()); bio = BIO_new_fp(stdin, BIO_NOCLOSE); bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); bio = BIO_push(b64, bio); - while((inlen = BIO_read(bio, inbuf, strlen(message))) > 0) + while((inlen = BIO_read(bio, inbuf, 512) > 0) BIO_write(bio_out, inbuf, inlen); BIO_free_all(bio); diff --git a/crypto/openssl/doc/crypto/BIO_f_cipher.pod b/crypto/openssl/doc/crypto/BIO_f_cipher.pod index 4182f2c..02439ce 100644 --- a/crypto/openssl/doc/crypto/BIO_f_cipher.pod +++ b/crypto/openssl/doc/crypto/BIO_f_cipher.pod @@ -28,7 +28,7 @@ BIO_flush() on an encryption BIO that is being written through is used to signal that no more data is to be encrypted: this is used to flush and possibly pad the final block through the BIO. -BIO_set_cipher() sets the cipher of BIO <b> to B<cipher> using key B<key> +BIO_set_cipher() sets the cipher of BIO B<b> to B<cipher> using key B<key> and IV B<iv>. B<enc> should be set to 1 for encryption and zero for decryption. diff --git a/crypto/openssl/doc/openssl-shared.txt b/crypto/openssl/doc/openssl-shared.txt new file mode 100644 index 0000000..5cf84a0 --- /dev/null +++ b/crypto/openssl/doc/openssl-shared.txt 
@@ -0,0 +1,32 @@ +The OpenSSL shared libraries are often installed in a directory like +/usr/local/ssl/lib. + +If this directory is not in a standard system path for dynamic/shared +libraries, then you will have problems linking and executing +applications that use OpenSSL libraries UNLESS: + +* you link with static (archive) libraries. If you are truly + paranoid about security, you should use static libraries. +* you use the GNU libtool code during linking + (http://www.gnu.org/software/libtool/libtool.html) +* you use pkg-config during linking (this requires that + PKG_CONFIG_PATH includes the path to the OpenSSL shared + library directory), and make use of -R or -rpath. + (http://www.freedesktop.org/software/pkgconfig/) +* you specify the system-wide link path via a command such + as crle(1) on Solaris systems. +* you add the OpenSSL shared library directory to /etc/ld.so.conf + and run ldconfig(8) on Linux systems. +* you define the LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH (HP), + DYLD_LIBRARY_PATH (MacOS X) or PATH (Cygwin and DJGPP) + environment variable and add the OpenSSL shared library + directory to it. + +One common tool to check the dynamic dependencies of an executable +or dynamic library is ldd(1) on most UNIX systems. + +See any operating system documentation and manpages about shared +libraries for your version of UNIX. The following manpages may be +helpful: ld(1), ld.so(1), ld.so.1(1) [Solaris], dld.sl(1) [HP], +ldd(1), crle(1) [Solaris], pldd(1) [Solaris], ldconfig(8) [Linux], +chatr(1) [HP]. diff --git a/crypto/openssl/doc/ssl/SSL_CTX_free.pod b/crypto/openssl/doc/ssl/SSL_CTX_free.pod index 55e592f..51d8676 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_free.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_free.pod 
@@ -20,12 +20,22 @@ It also calls the free()ing procedures for indirectly affected items, if applicable: the session cache, the list of ciphers, the list of Client CAs, the certificates and keys. +=head1 WARNINGS + +If a session-remove callback is set (SSL_CTX_sess_set_remove_cb()), this +callback will be called for each session being freed from B<ctx>'s +session cache. This implies, that all corresponding sessions from an +external session cache are removed as well. If this is not desired, the user +should explicitly unset the callback by calling +SSL_CTX_sess_set_remove_cb(B<ctx>, NULL) prior to calling SSL_CTX_free(). + =head1 RETURN VALUES SSL_CTX_free() does not provide diagnostic information. =head1 SEE ALSO -L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)> +L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>, +L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod index 7c0b2ba..b9d54a4 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod 
@@ -60,10 +60,11 @@ B<sess>. If the callback returns B<0>, the session will be immediately removed again. The remove_session_cb() is called, whenever the SSL engine removes a session -from the internal cache. This happens if the session is removed because -it is expired or when a connection was not shutdown cleanly. The -remove_session_cb() is passed the B<ctx> and the ssl session B<sess>. -It does not provide any feedback. +from the internal cache. This happens when the session is removed because +it is expired or when a connection was not shutdown cleanly. It also happens +for all sessions in the internal session cache when +L<SSL_CTX_free(3)|SSL_CTX_free(3)> is called. The remove_session_cb() is passed +the B<ctx> and the ssl session B<sess>. It does not provide any feedback. The get_session_cb() is only called on SSL/TLS servers with the session id proposed by the client. The get_session_cb() is always called, also when @@ -80,6 +81,7 @@ L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>. L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>, L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>, -L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> +L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, +L<SSL_CTX_free(3)|SSL_CTX_free(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod index f5e2ec3..766f0c9 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod @@ -176,7 +176,7 @@ will send his list of preferences to the client and the client chooses. =item SSL_OP_NETSCAPE_CA_DN_BUG If we accept a netscape connection, demand a client cert, have a -non-self-sighed CA which does not have it's CA in netscape, and the +non-self-signed CA which does not have its CA in netscape, and the browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod index d15b2a3..ca8d81b 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod @@ -135,9 +135,9 @@ process is immediately stopped with "verification failed" state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If B<verify_callback> returns 1, the verification process is continued. If B<verify_callback> always returns -1, the TLS/SSL handshake will never be terminated because of this application -experiencing a verification failure. The calling process can however -retrieve the error code of the last verification error using +1, the TLS/SSL handshake will not be terminated with respect to verification +failures and the connection will be established. The calling process can +however retrieve the error code of the last verification error using L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> or by maintaining its own error storage managed by B<verify_callback>. diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod index b8868f1..ea2faba 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod @@ -68,7 +68,9 @@ should be preferred. SSL_CTX_use_certificate_chain_file() loads a certificate chain from B<file> into B<ctx>. The certificates must be in PEM format and must -be sorted starting with the certificate to the highest level (root CA). +be sorted starting with the subject's certificate (actual client or server +certificate), followed by intermediate CA certificates if applicable, and +ending at the highest level (root) CA. There is no corresponding function working on a single SSL object. SSL_CTX_use_PrivateKey() adds B<pkey> as private key to B<ctx>. 
diff --git a/crypto/openssl/doc/ssl/SSL_accept.pod b/crypto/openssl/doc/ssl/SSL_accept.pod index a673edb..cc724c0 100644 --- a/crypto/openssl/doc/ssl/SSL_accept.pod +++ b/crypto/openssl/doc/ssl/SSL_accept.pod @@ -28,7 +28,8 @@ should be called again. If the underlying BIO is B<non-blocking>, SSL_accept() will also return when the underlying BIO could not satisfy the needs of SSL_accept() -to continue the handshake. In this case a call to SSL_get_error() with the +to continue the handshake, indicating the problem by the return value -1. +In this case a call to SSL_get_error() with the return value of SSL_accept() will yield B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after taking appropriate action to satisfy the needs of SSL_accept(). diff --git a/crypto/openssl/doc/ssl/SSL_connect.pod b/crypto/openssl/doc/ssl/SSL_connect.pod index 8426310..cc56ebb 100644 --- a/crypto/openssl/doc/ssl/SSL_connect.pod +++ b/crypto/openssl/doc/ssl/SSL_connect.pod @@ -25,7 +25,8 @@ handshake has been finished or an error occurred. If the underlying BIO is B<non-blocking>, SSL_connect() will also return when the underlying BIO could not satisfy the needs of SSL_connect() -to continue the handshake. In this case a call to SSL_get_error() with the +to continue the handshake, indicating the problem by the return value -1. +In this case a call to SSL_get_error() with the return value of SSL_connect() will yield B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after taking appropriate action to satisfy the needs of SSL_connect(). diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h index f7d09c5..096eabe 100644 --- a/crypto/openssl/e_os.h +++ b/crypto/openssl/e_os.h 
@@ -174,6 +174,13 @@ extern "C" { #define closesocket(s) close(s) #define readsocket(s,b,n) recv((s),(b),(n),0) #define writesocket(s,b,n) send((s),(b),(n),0) +#elif defined(OPENSSL_SYS_VXWORKS) +#define get_last_socket_error() errno +#define clear_socket_error() errno=0 +#define ioctlsocket(a,b,c) ioctl((a),(b),(int)(c)) +#define closesocket(s) close(s) +#define readsocket(s,b,n) read((s),(b),(n)) +#define writesocket(s,b,n) write((s),(char *)(b),(n)) #else #define get_last_socket_error() errno #define clear_socket_error() errno=0 @@ -250,7 +257,7 @@ extern "C" { # define EXIT(n) _wsetexit(_WINEXITNOPERSIST) # define OPENSSL_EXIT(n) do { if (n == 0) EXIT(n); return(n); } while(0) # else -# define EXIT(n) return(n) +# define EXIT(n) exit(n) # endif # define LIST_SEPARATOR_CHAR ';' # ifndef X_OK @@ -331,6 +338,8 @@ extern "C" { # define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP * (unless when compiling with -D_POSIX_SOURCE, * which doesn't work for us) */ +# endif +# if defined(NeXT) || defined(OPENSSL_SYS_NEWS4) || defined(OPENSSL_SYS_SUNOS) # define ssize_t int /* ditto */ # endif # ifdef OPENSSL_SYS_NEWS4 /* setvbuf is missing on mips-sony-bsd */ @@ -517,10 +526,6 @@ extern char *sys_errlist[]; extern int sys_nerr; #define TTY_STRUCT int #define sleep(a) taskDelay((a) * sysClkRateGet()) -#if defined(ioctlsocket) -#undef ioctlsocket -#endif -#define ioctlsocket(a,b,c) ioctl((a),(b),*(c)) #include <vxWorks.h> #include <sockLib.h> diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec index e3ec71a..9ce236e 100644 --- a/crypto/openssl/openssl.spec +++ b/crypto/openssl/openssl.spec @@ -1,7 +1,7 @@ %define libmaj 0 %define libmin 9 %define librel 7 -%define librev a +%define librev c Release: 1 %define openssldir /var/ssl 
@@ -83,18 +83,18 @@ documentation and POD files from which the man pages were produced. %build -%define CONFIG_FLAGS -DSSL_ALLOW_ADH --prefix=/usr +%define CONFIG_FLAGS -DSSL_ALLOW_ADH --prefix=/usr --openssldir=%{openssldir} perl util/perlpath.pl /usr/bin/perl %ifarch i386 i486 i586 i686 -./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-elf shared +./Configure %{CONFIG_FLAGS} linux-elf shared %endif %ifarch ppc -./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc shared +./Configure %{CONFIG_FLAGS} linux-ppc shared %endif %ifarch alpha -./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha shared +./Configure %{CONFIG_FLAGS} linux-alpha shared %endif LD_LIBRARY_PATH=`pwd` make LD_LIBRARY_PATH=`pwd` make rehash @@ -102,12 +102,7 @@ LD_LIBRARY_PATH=`pwd` make test %install rm -rf $RPM_BUILD_ROOT -make MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT" install - -# Rename manpages -for x in $RPM_BUILD_ROOT/usr/man/man*/* - do mv ${x} ${x}ssl -done +make MANDIR=/usr/man MANSUFFIX=ssl INSTALL_PREFIX="$RPM_BUILD_ROOT" install # Make backwards-compatibility symlink to ssleay ln -sf /usr/bin/openssl $RPM_BUILD_ROOT/usr/bin/ssleay @@ -135,6 +130,7 @@ rm -rf $RPM_BUILD_ROOT %doc CHANGES CHANGES.SSLeay LICENSE NEWS README %attr(0644,root,root) /usr/lib/*.a +%attr(0644,root,root) /usr/lib/pkgconfig/openssl.pc %attr(0644,root,root) /usr/include/openssl/* %attr(0644,root,root) /usr/man/man[3]/* @@ -150,6 +146,8 @@ ldconfig ldconfig %changelog +* Wed May 7 2003 Richard Levitte <richard@levitte.org> +- Add /usr/lib/pkgconfig/openssl.pc to the development section. * Thu Mar 22 2001 Richard Levitte <richard@levitte.org> - Removed redundant subsection that re-installed libcrypto.a and libssl.a as well. Also remove RSAref stuff completely, since it's not needed diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c index 327b92f..7c45f8f 100644 --- a/crypto/openssl/ssl/kssl.c +++ b/crypto/openssl/ssl/kssl.c 
@@ -70,6 +70,7 @@ #define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */ #include <time.h> +#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */ #include <string.h> #include <openssl/ssl.h> @@ -1495,8 +1496,9 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, "bad ticket from krb5_rd_req.\n"); } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, - &krb5ticket->enc_part2->client->realm, - krb5ticket->enc_part2->client->data)) + &krb5ticket->enc_part2->client->realm, + krb5ticket->enc_part2->client->data, + krb5ticket->enc_part2->client->length)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "kssl_ctx_setprinc() fails.\n"); @@ -1563,16 +1565,17 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx) } -/* Given a (krb5_data *) entity (and optional realm), +/* Given an array of (krb5_data *) entity (and optional realm), ** set the plain (char *) client_princ or service_host member ** of the kssl_ctx struct. */ krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, - krb5_data *realm, krb5_data *entity) + krb5_data *realm, krb5_data *entity, int nentities) { char **princ; int length; + int i; if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR; 
@@ -1584,18 +1587,33 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, } if (*princ) free(*princ); - length = entity->length + ((realm)? realm->length + 2: 1); + /* Add up all the entity->lengths */ + length = 0; + for (i=0; i < nentities; i++) + { + length += entity[i].length; + } + /* Add in space for the '/' character(s) (if any) */ + length += nentities-1; + /* Space for the ('@'+realm+NULL | NULL) */ + length += ((realm)? realm->length + 2: 1); + if ((*princ = calloc(1, length)) == NULL) return KSSL_CTX_ERR; else - { - strncpy(*princ, entity->data, entity->length); - (*princ)[entity->length]='\0'; + { + for (i = 0; i < nentities; i++) + { + strncat(*princ, entity[i].data, entity[i].length); + if (i < nentities-1) + { + strcat (*princ, "/"); + } + } if (realm) { strcat (*princ, "@"); (void) strncat(*princ, realm->data, realm->length); - (*princ)[entity->length+1+realm->length]='\0'; } } diff --git a/crypto/openssl/ssl/kssl.h b/crypto/openssl/ssl/kssl.h index cf7ebdd..19a689b 100644 --- a/crypto/openssl/ssl/kssl.h +++ b/crypto/openssl/ssl/kssl.h @@ -149,7 +149,7 @@ KSSL_CTX *kssl_ctx_new(void); KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx); void kssl_ctx_show(KSSL_CTX *kssl_ctx); krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, - krb5_data *realm, krb5_data *entity); + krb5_data *realm, krb5_data *entity, int nentities); krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp, krb5_data *authenp, KSSL_ERR *kssl_err); krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata, diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index fae8ead..eb7daeb 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -1769,6 +1769,7 @@ static int ssl3_send_client_verify(SSL *s) *(d++)=SSL3_MT_CERTIFICATE_VERIFY; l2n3(n,d); + s->state=SSL3_ST_CW_CERT_VRFY_B; s->init_num=(int)n+4; s->init_off=0; } 
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index df40032..881f68b 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -431,10 +431,11 @@ int ssl3_accept(SSL *s) if (ret == 2) s->state = SSL3_ST_SR_CLNT_HELLO_C; else { - /* could be sent for a DH cert, even if we - * have not asked for it :-) */ - ret=ssl3_get_client_certificate(s); - if (ret <= 0) goto end; + if (s->s3->tmp.cert_request) + { + ret=ssl3_get_client_certificate(s); + if (ret <= 0) goto end; + } s->init_num=0; s->state=SSL3_ST_SR_KEY_EXCH_A; } @@ -844,6 +845,9 @@ static int ssl3_get_client_hello(SSL *s) } /* TLS does not mind if there is extra stuff */ +#if 0 /* SSL 3.0 does not mind either, so we should disable this test + * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, + * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ if (s->version == SSL3_VERSION) { if (p < (d+n)) @@ -855,6 +859,7 @@ static int ssl3_get_client_hello(SSL *s) goto f_err; } } +#endif /* Given s->session->ciphers and SSL_get_ciphers, we must * pick a cipher */ @@ -1352,6 +1357,7 @@ static int ssl3_send_certificate_request(SSL *s) s->init_num += 4; #endif + s->state = SSL3_ST_SW_CERT_REQ_B; } /* SSL3_ST_SW_CERT_REQ_B */ @@ -1472,7 +1478,6 @@ static int ssl3_get_client_key_exchange(SSL *s) * made up by the adversary is properly formatted except * that the version number is wrong. To avoid such attacks, * we should treat this just like any other decryption error. */ - p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19"; } } diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c index c72be89..888b667 100644 --- a/crypto/openssl/ssl/ssl_ciph.c +++ b/crypto/openssl/ssl/ssl_ciph.c 
@@ -668,13 +668,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str, * So additionally check whether the cipher name found * has the correct length. We can save a strlen() call: * just checking for the '\0' at the right place is - * sufficient, we have to strncmp() anyway. + * sufficient, we have to strncmp() anyway. (We cannot + * use strcmp(), because buf is not '\0' terminated.) */ j = found = 0; while (ca_list[j]) { - if ((ca_list[j]->name[buflen] == '\0') && - !strncmp(buf, ca_list[j]->name, buflen)) + if (!strncmp(buf, ca_list[j]->name, buflen) && + (ca_list[j]->name[buflen] == '\0')) { found = 1; break; diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index ddd8114..6d69890 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -473,6 +473,11 @@ void SSL_free(SSL *s) if (s->method != NULL) s->method->ssl_free(s); +#ifndef OPENSSL_NO_KRB5 + if (s->kssl_ctx != NULL) + kssl_ctx_free(s->kssl_ctx); +#endif /* OPENSSL_NO_KRB5 */ + OPENSSL_free(s); } diff --git a/crypto/openssl/ssl/ssl_rsa.c b/crypto/openssl/ssl/ssl_rsa.c index 03828b6..3303905 100644 --- a/crypto/openssl/ssl/ssl_rsa.c +++ b/crypto/openssl/ssl/ssl_rsa.c @@ -207,7 +207,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) ok=1; else #endif - if (!X509_check_private_key(c->pkeys[i].x509,pkey)) + if (!X509_check_private_key(c->pkeys[i].x509,pkey)) { if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) { @@ -241,6 +241,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) return(0); } + ERR_clear_error(); /* make sure no error from X509_check_private_key() + * is left if we have chosen to ignore it */ if (c->pkeys[i].privatekey != NULL) EVP_PKEY_free(c->pkeys[i].privatekey); CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index fbc30b9..fabcdef 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c 
@@ -79,11 +79,11 @@ SSL_SESSION *SSL_get1_session(SSL *ssl) /* Need to lock this all up rather than just use CRYPTO_add so that * somebody doesn't free ssl->session between when we check it's * non-null and when we up the reference count. */ - CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION); + CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION); sess = ssl->session; if(sess) sess->references++; - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION); + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION); return(sess); } diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c index 42b6f1f..42289c2 100644 --- a/crypto/openssl/ssl/ssltest.c +++ b/crypto/openssl/ssl/ssltest.c @@ -142,7 +142,6 @@ #ifdef OPENSSL_SYS_WINDOWS #include <winsock.h> -#include "../crypto/bio/bss_file.c" #else #include OPENSSL_UNISTD #endif @@ -291,7 +290,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line) goto err; } - if (type < 0 || type > CRYPTO_NUM_LOCKS) + if (type < 0 || type >= CRYPTO_NUM_LOCKS) { errstr = "type out of bounds"; goto err; diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl index 21ec82d..a3339ca 100644 --- a/crypto/openssl/test/Makefile.ssl +++ b/crypto/openssl/test/Makefile.ssl @@ -121,7 +121,11 @@ tests: exe apps $(TESTS) apps: @(cd ..; $(MAKE) DIRS=apps all) -SET_SO_PATHS=LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$$LIBPATH"; DYLD_LIBRARY_PATH="$$LIBPATH"; SHLIB_PATH="$$LIBPATH"; \ +SET_SO_PATHS=OSSL_LIBPATH="`cd ..; pwd`"; \ + LD_LIBRARY_PATH="$$OSSL_LIBPATH:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="$$OSSL_LIBPATH:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="$$OSSL_LIBPATH:$$SHLIB_PATH"; \ + LIBPATH="$$OSSL_LIBPATH:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="$${LIBPATH}:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH 
@@ -289,6 +293,7 @@ $(RSATEST): $(RSATEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -296,6 +301,7 @@ $(BNTEST): $(BNTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -303,6 +309,7 @@ $(ECTEST): $(ECTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -310,6 +317,7 @@ $(EXPTEST): $(EXPTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -317,6 +325,7 @@ $(IDEATEST): $(IDEATEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi 
@@ -324,6 +333,7 @@ $(MD2TEST): $(MD2TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -331,6 +341,7 @@ $(SHATEST): $(SHATEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -338,6 +349,7 @@ $(SHA1TEST): $(SHA1TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -345,6 +357,7 @@ $(RMDTEST): $(RMDTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -352,6 +365,7 @@ $(MDC2TEST): $(MDC2TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi 
@@ -359,6 +373,7 @@ $(MD4TEST): $(MD4TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -366,6 +381,7 @@ $(MD5TEST): $(MD5TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -373,6 +389,7 @@ $(HMACTEST): $(HMACTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -380,6 +397,7 @@ $(RC2TEST): $(RC2TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -387,6 +405,7 @@ $(BFTEST): $(BFTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi 
@@ -394,6 +413,7 @@ $(CASTTEST): $(CASTTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -401,6 +421,7 @@ $(RC4TEST): $(RC4TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -408,6 +429,7 @@ $(RC5TEST): $(RC5TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -415,6 +437,7 @@ $(DESTEST): $(DESTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -422,6 +445,7 @@ $(RANDTEST): $(RANDTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi 
@@ -429,6 +453,7 @@ $(DHTEST): $(DHTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -436,6 +461,7 @@ $(DSATEST): $(DSATEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -443,6 +469,7 @@ $(METHTEST): $(METHTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -450,6 +477,7 @@ $(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -457,6 +485,7 @@ $(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi 
@@ -464,6 +493,7 @@ $(EVPTEST): $(EVPTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi @@ -474,6 +504,7 @@ $(EVPTEST): $(EVPTEST).o $(DLIBCRYPTO) # if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ # $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ # else \ +# LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ # $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ # fi @@ -481,6 +512,7 @@ dummytest: dummytest.o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ + LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi 
@@ -524,16 +556,14 @@ dhtest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h dhtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h dhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dhtest.c -dsatest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -dsatest.o: ../include/openssl/bn.h ../include/openssl/crypto.h -dsatest.o: ../include/openssl/dh.h ../include/openssl/dsa.h -dsatest.o: ../include/openssl/e_os2.h ../include/openssl/engine.h +dsatest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h +dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h +dsatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h dsatest.o: ../include/openssl/err.h ../include/openssl/lhash.h dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h dsatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h -dsatest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -dsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -dsatest.o: ../include/openssl/ui.h dsatest.c +dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h +dsatest.o: ../include/openssl/symhacks.h dsatest.c ectest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ectest.o: ../include/openssl/bn.h ../include/openssl/crypto.h ectest.o: ../include/openssl/dh.h ../include/openssl/dsa.h 
@@ -698,14 +728,12 @@ rmdtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h rmdtest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h rmdtest.c rsa_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h -rsa_test.o: ../include/openssl/dh.h ../include/openssl/dsa.h -rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/engine.h -rsa_test.o: ../include/openssl/err.h ../include/openssl/lhash.h -rsa_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -rsa_test.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h -rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -rsa_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -rsa_test.o: ../include/openssl/ui.h rsa_test.c +rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h +rsa_test.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h +rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +rsa_test.o: ../include/openssl/rand.h ../include/openssl/rsa.h +rsa_test.o: ../include/openssl/safestack.h ../include/openssl/stack.h +rsa_test.o: ../include/openssl/symhacks.h rsa_test.c sha1test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h sha1test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h sha1test.o: ../include/openssl/bn.h ../include/openssl/cast.h diff --git a/crypto/openssl/test/evptests.txt b/crypto/openssl/test/evptests.txt new file mode 100644 index 0000000..80bd9c7 --- /dev/null +++ b/crypto/openssl/test/evptests.txt 
@@ -0,0 +1,183 @@ +#cipher:key:iv:plaintext:ciphertext:0/1(decrypt/encrypt) +#digest:::input:output + +# SHA(1) tests (from shatest.c) +SHA1:::616263:a9993e364706816aba3e25717850c26c9cd0d89d + +# MD5 tests (from md5test.c) +MD5::::d41d8cd98f00b204e9800998ecf8427e +MD5:::61:0cc175b9c0f1b6a831c399e269772661 +MD5:::616263:900150983cd24fb0d6963f7d28e17f72 +MD5:::6d65737361676520646967657374:f96b697d7cb7938d525a2f31aaf161d0 +MD5:::6162636465666768696a6b6c6d6e6f707172737475767778797a:c3fcd3d76192e4007dfb496cca67e13b +MD5:::4142434445464748494a4b4c4d4e4f505152535455565758595a6162636465666768696a6b6c6d6e6f707172737475767778797a30313233343536373839:d174ab98d277d9f5a5611c2c9f419d9f +MD5:::3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930:57edf4a22be3c955ac49da2e2107b67a + +# AES 128 ECB tests (from FIPS-197 test vectors, encrypt) + +AES-128-ECB:000102030405060708090A0B0C0D0E0F::00112233445566778899AABBCCDDEEFF:69C4E0D86A7B0430D8CDB78070B4C55A:1 + +# AES 192 ECB tests (from FIPS-197 test vectors, encrypt) + +AES-192-ECB:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF:DDA97CA4864CDFE06EAF70A0EC0D7191:1 + +# AES 256 ECB tests (from FIPS-197 test vectors, encrypt) + +AES-256-ECB:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF:8EA2B7CA516745BFEAFC49904B496089:1 + +# AES 128 ECB tests (from NIST test vectors, encrypt) + +#AES-128-ECB:00000000000000000000000000000000::00000000000000000000000000000000:C34C052CC0DA8D73451AFE5F03BE297F:1 + +# AES 128 ECB tests (from NIST test vectors, decrypt) + +#AES-128-ECB:00000000000000000000000000000000::44416AC2D1F53C583303917E6BE9EBE0:00000000000000000000000000000000:0 + +# AES 192 ECB tests (from NIST test vectors, decrypt) + 
+#AES-192-ECB:000000000000000000000000000000000000000000000000::48E31E9E256718F29229319C19F15BA4:00000000000000000000000000000000:0 + +# AES 256 ECB tests (from NIST test vectors, decrypt) + +#AES-256-ECB:0000000000000000000000000000000000000000000000000000000000000000::058CCFFDBBCB382D1F6F56585D8A4ADE:00000000000000000000000000000000:0 + +# AES 128 CBC tests (from NIST test vectors, encrypt) + +#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:8A05FC5E095AF4848A08D328D3688E3D:1 + +# AES 192 CBC tests (from NIST test vectors, encrypt) + +#AES-192-CBC:000000000000000000000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:7BD966D53AD8C1BB85D2ADFAE87BB104:1 + +# AES 256 CBC tests (from NIST test vectors, encrypt) + +#AES-256-CBC:0000000000000000000000000000000000000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:FE3C53653E2F45B56FCD88B2CC898FF0:1 + +# AES 128 CBC tests (from NIST test vectors, decrypt) + +#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:FACA37E0B0C85373DF706E73F7C9AF86:00000000000000000000000000000000:0 + +# AES tests from NIST document SP800-38A +# For all ECB encrypts and decrypts, the transformed sequence is +# AES-bits-ECB:key::plaintext:ciphertext:encdec +# ECB-AES128.Encrypt and ECB-AES128.Decrypt +AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::6BC1BEE22E409F96E93D7E117393172A:3AD77BB40D7A3660A89ECAF32466EF97 +AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::AE2D8A571E03AC9C9EB76FAC45AF8E51:F5D3D58503B9699DE785895A96FDBAAF +AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::30C81C46A35CE411E5FBC1191A0A52EF:43B1CD7F598ECE23881B00E3ED030688 +AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::F69F2445DF4F9B17AD2B417BE66C3710:7B0C785E27E8AD3F8223207104725DD4 +# ECB-AES192.Encrypt and ECB-AES192.Decrypt 
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::6BC1BEE22E409F96E93D7E117393172A:BD334F1D6E45F25FF712A214571FA5CC +AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::AE2D8A571E03AC9C9EB76FAC45AF8E51:974104846D0AD3AD7734ECB3ECEE4EEF +AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::30C81C46A35CE411E5FBC1191A0A52EF:EF7AFD2270E2E60ADCE0BA2FACE6444E +AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::F69F2445DF4F9B17AD2B417BE66C3710:9A4B41BA738D6C72FB16691603C18E0E +# ECB-AES256.Encrypt and ECB-AES256.Decrypt +AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::6BC1BEE22E409F96E93D7E117393172A:F3EED1BDB5D2A03C064B5A7E3DB181F8 +AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::AE2D8A571E03AC9C9EB76FAC45AF8E51:591CCB10D410ED26DC5BA74A31362870 +AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::30C81C46A35CE411E5FBC1191A0A52EF:B6ED21B99CA6F4F9F153E7B1BEAFED1D +AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::F69F2445DF4F9B17AD2B417BE66C3710:23304B7A39F9F3FF067D8D8F9E24ECC7 +# For all CBC encrypts and decrypts, the transformed sequence is +# AES-bits-CBC:key:IV/ciphertext':plaintext:ciphertext:encdec +# CBC-AES128.Encrypt and CBC-AES128.Decrypt +AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:7649ABAC8119B246CEE98E9B12E9197D +AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:7649ABAC8119B246CEE98E9B12E9197D:AE2D8A571E03AC9C9EB76FAC45AF8E51:5086CB9B507219EE95DB113A917678B2 +AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:5086CB9B507219EE95DB113A917678B2:30C81C46A35CE411E5FBC1191A0A52EF:73BED6B8E3C1743B7116E69E22229516 +AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:73BED6B8E3C1743B7116E69E22229516:F69F2445DF4F9B17AD2B417BE66C3710:3FF1CAA1681FAC09120ECA307586E1A7 +# CBC-AES192.Encrypt and CBC-AES192.Decrypt 
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:4F021DB243BC633D7178183A9FA071E8 +AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:4F021DB243BC633D7178183A9FA071E8:AE2D8A571E03AC9C9EB76FAC45AF8E51:B4D9ADA9AD7DEDF4E5E738763F69145A +AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:B4D9ADA9AD7DEDF4E5E738763F69145A:30C81C46A35CE411E5FBC1191A0A52EF:571B242012FB7AE07FA9BAAC3DF102E0 +AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:571B242012FB7AE07FA9BAAC3DF102E0:F69F2445DF4F9B17AD2B417BE66C3710:08B0E27988598881D920A9E64F5615CD +# CBC-AES256.Encrypt and CBC-AES256.Decrypt +AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:F58C4C04D6E5F1BA779EABFB5F7BFBD6 +AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D +AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461 +AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B +# We don't support CFB{1,8}-AESxxx.{En,De}crypt +# For all CFB128 encrypts and decrypts, the transformed sequence is +# AES-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec +# CFB128-AES128.Encrypt +AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:1 +AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:3B3FD92EB72DAD20333449F8E83CFB4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:C8A64537A0B3A93FCDE3CDAD9F1CE58B:1 
+AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:C8A64537A0B3A93FCDE3CDAD9F1CE58B:30C81C46A35CE411E5FBC1191A0A52EF:26751F67A3CBB140B1808CF187A4F4DF:1 +AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:26751F67A3CBB140B1808CF187A4F4DF:F69F2445DF4F9B17AD2B417BE66C3710:C04B05357C5D1C0EEAC4C66F9FF7F2E6:1 +# CFB128-AES128.Decrypt +AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:0 +AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:3B3FD92EB72DAD20333449F8E83CFB4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:C8A64537A0B3A93FCDE3CDAD9F1CE58B:0 +AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:C8A64537A0B3A93FCDE3CDAD9F1CE58B:30C81C46A35CE411E5FBC1191A0A52EF:26751F67A3CBB140B1808CF187A4F4DF:0 +AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:26751F67A3CBB140B1808CF187A4F4DF:F69F2445DF4F9B17AD2B417BE66C3710:C04B05357C5D1C0EEAC4C66F9FF7F2E6:0 +# CFB128-AES192.Encrypt +AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:CDC80D6FDDF18CAB34C25909C99A4174:1 +AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:CDC80D6FDDF18CAB34C25909C99A4174:AE2D8A571E03AC9C9EB76FAC45AF8E51:67CE7F7F81173621961A2B70171D3D7A:1 +AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:67CE7F7F81173621961A2B70171D3D7A:30C81C46A35CE411E5FBC1191A0A52EF:2E1E8A1DD59B88B1C8E60FED1EFAC4C9:1 +AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:2E1E8A1DD59B88B1C8E60FED1EFAC4C9:F69F2445DF4F9B17AD2B417BE66C3710:C05F9F9CA9834FA042AE8FBA584B09FF:1 +# CFB128-AES192.Decrypt +AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:CDC80D6FDDF18CAB34C25909C99A4174:0 +AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:CDC80D6FDDF18CAB34C25909C99A4174:AE2D8A571E03AC9C9EB76FAC45AF8E51:67CE7F7F81173621961A2B70171D3D7A:0 
+AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:67CE7F7F81173621961A2B70171D3D7A:30C81C46A35CE411E5FBC1191A0A52EF:2E1E8A1DD59B88B1C8E60FED1EFAC4C9:0 +AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:2E1E8A1DD59B88B1C8E60FED1EFAC4C9:F69F2445DF4F9B17AD2B417BE66C3710:C05F9F9CA9834FA042AE8FBA584B09FF:0 +# CFB128-AES256.Encrypt +AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:1 +AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:DC7E84BFDA79164B7ECD8486985D3860:AE2D8A571E03AC9C9EB76FAC45AF8E51:39FFED143B28B1C832113C6331E5407B:1 +AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39FFED143B28B1C832113C6331E5407B:30C81C46A35CE411E5FBC1191A0A52EF:DF10132415E54B92A13ED0A8267AE2F9:1 +AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:DF10132415E54B92A13ED0A8267AE2F9:F69F2445DF4F9B17AD2B417BE66C3710:75A385741AB9CEF82031623D55B1E471:1 +# CFB128-AES256.Decrypt +AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:0 +AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:DC7E84BFDA79164B7ECD8486985D3860:AE2D8A571E03AC9C9EB76FAC45AF8E51:39FFED143B28B1C832113C6331E5407B:0 +AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39FFED143B28B1C832113C6331E5407B:30C81C46A35CE411E5FBC1191A0A52EF:DF10132415E54B92A13ED0A8267AE2F9:0 +AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:DF10132415E54B92A13ED0A8267AE2F9:F69F2445DF4F9B17AD2B417BE66C3710:75A385741AB9CEF82031623D55B1E471:0 +# For all OFB encrypts and decrypts, the transformed sequence is +# AES-bits-CFB:key:IV/output':plaintext:ciphertext:encdec +# OFB-AES128.Encrypt 
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:1 +AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:1 +AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:1 +AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:1 +# OFB-AES128.Decrypt +AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:0 +AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:0 +AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:0 +AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:0 +# OFB-AES192.Encrypt +AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:CDC80D6FDDF18CAB34C25909C99A4174:1 +AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:A609B38DF3B1133DDDFF2718BA09565E:AE2D8A571E03AC9C9EB76FAC45AF8E51:FCC28B8D4C63837C09E81700C1100401:1 +AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:52EF01DA52602FE0975F78AC84BF8A50:30C81C46A35CE411E5FBC1191A0A52EF:8D9A9AEAC0F6596F559C6D4DAF59A5F2:1 +AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:BD5286AC63AABD7EB067AC54B553F71D:F69F2445DF4F9B17AD2B417BE66C3710:6D9F200857CA6C3E9CAC524BD9ACC92A:1 +# OFB-AES192.Decrypt 
+AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:CDC80D6FDDF18CAB34C25909C99A4174:0 +AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:A609B38DF3B1133DDDFF2718BA09565E:AE2D8A571E03AC9C9EB76FAC45AF8E51:FCC28B8D4C63837C09E81700C1100401:0 +AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:52EF01DA52602FE0975F78AC84BF8A50:30C81C46A35CE411E5FBC1191A0A52EF:8D9A9AEAC0F6596F559C6D4DAF59A5F2:0 +AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:BD5286AC63AABD7EB067AC54B553F71D:F69F2445DF4F9B17AD2B417BE66C3710:6D9F200857CA6C3E9CAC524BD9ACC92A:0 +# OFB-AES256.Encrypt +AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:1 +AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:1 +AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:1 +AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:1 +# OFB-AES256.Decrypt +AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:0 +AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:0 +AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:0 
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:0 + +# DES ECB tests (from destest) + +DES-ECB:0000000000000000::0000000000000000:8CA64DE9C1B123A7 +DES-ECB:FFFFFFFFFFFFFFFF::FFFFFFFFFFFFFFFF:7359B2163E4EDC58 +DES-ECB:3000000000000000::1000000000000001:958E6E627A05557B +DES-ECB:1111111111111111::1111111111111111:F40379AB9E0EC533 +DES-ECB:0123456789ABCDEF::1111111111111111:17668DFC7292532D +DES-ECB:1111111111111111::0123456789ABCDEF:8A5AE1F81AB8F2DD +DES-ECB:FEDCBA9876543210::0123456789ABCDEF:ED39D950FA74BCC4 + +# DESX-CBC tests (from destest) +DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:846B2914851E9A2954732F8AA0A611C115CDC2D7951B1053A63C5E03B21AA3C4 + +# DES EDE3 CBC tests (from destest) +DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 + +# RC4 tests (from rc4test) +RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596 +RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879 +RC4:00000000000000000000000000000000::0000000000000000:de188941a3375d3a +RC4:ef012345ef012345ef012345ef012345::0000000000000000000000000000000000000000:d6a141a7ec3c38dfbd615a1162e1c7ba36b67858 +RC4:0123456789abcdef0123456789abcdef::123456789ABCDEF0123456789ABCDEF0123456789ABCDEF012345678:66a0949f8af7d6891f7f832ba833c00c892ebe30143ce28740011ecf +RC4:ef012345ef012345ef012345ef012345::00000000000000000000:d6a141a7ec3c38dfbd61 diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash index 3e9ba1e..e614fb5 100644 --- a/crypto/openssl/tools/c_rehash +++ b/crypto/openssl/tools/c_rehash 
@@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # Perl c_rehash script, scan all files in a directory diff --git a/crypto/openssl/util/extract-names.pl b/crypto/openssl/util/extract-names.pl index d413a04..9f2ad5e 100644 --- a/crypto/openssl/util/extract-names.pl +++ b/crypto/openssl/util/extract-names.pl @@ -9,8 +9,8 @@ while(<STDIN>) { } elsif ($name) { if (/ - /) { s/ - .*//; - s/[ \t,]+/ /g; - push @words, split ' '; + s/,[ \t]+/,/g; + push @words, split ','; } } if (/^=head1 *NAME *$/) { diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num index f5c8c0b..203c771 100755 --- a/crypto/openssl/util/libeay.num +++ b/crypto/openssl/util/libeay.num @@ -2801,3 +2801,5 @@ BIO_indent 3242 EXIST::FUNCTION: BUF_strlcpy 3243 EXIST::FUNCTION: OpenSSLDie 3244 EXIST::FUNCTION: OPENSSL_cleanse 3245 EXIST::FUNCTION: +ENGINE_setup_bsd_cryptodev 3246 EXIST:__FreeBSD__:FUNCTION:ENGINE +ERR_release_err_state_table 3247 EXIST::FUNCTION:LHASH diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl index 936b063..c538f9d 100755 --- a/crypto/openssl/util/mk1mf.pl +++ b/crypto/openssl/util/mk1mf.pl @@ -663,6 +663,7 @@ sub var_add return("") if $no_rsa && $dir =~ /^rsaref/; return("") if $no_dsa && $dir =~ /\/dsa/; return("") if $no_dh && $dir =~ /\/dh/; + return("") if $no_ec && $dir =~ /\/ec/; if ($no_des && $dir =~ /\/des/) { if ($val =~ /read_pwd/) diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl index dacb956..cdd2164 100755 --- a/crypto/openssl/util/mkdef.pl +++ b/crypto/openssl/util/mkdef.pl @@ -440,7 +440,12 @@ sub do_defs } s/\/\*.*?\*\///gs; # ignore comments + if (/\/\*/) { # if we have part + $line = $_; # of a comment, + next; # continue reading + } s/{[^{}]*}//gs; # ignore {} blocks + print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne ""; print STDERR "DEBUG: \$_=\"$_\"\n" if $debug; if (/^\#\s*ifndef\s+(.*)/) { push(@tag,"-"); 
@@ -814,14 +819,14 @@ sub do_defs } elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) { $s = $1; print STDERR "DEBUG: found ANSI C function $s\n" if $debug; - } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s) { + } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s) { # K&R C print STDERR "DEBUG: found K&R C function $s\n" if $debug; next; - } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)$/s) { - while (not /\(\)$/s) { - s/[^\(\)]*\)$/\)/s; - s/\([^\(\)]*\)\)$/\)/s; + } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) { + while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) { + s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s; + s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s; } s/\(void\)//; /(\w+(\{[0-9]+\})?)\W*\(\)/s; diff --git a/crypto/openssl/util/mkerr.pl b/crypto/openssl/util/mkerr.pl index 4105047..1b2915c 100644 --- a/crypto/openssl/util/mkerr.pl +++ b/crypto/openssl/util/mkerr.pl @@ -132,16 +132,16 @@ while (($hdr, $lib) = each %libinc) my $name = $1; $name =~ tr/[a-z]/[A-Z]/; $ftrans{$name} = $1; - } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s){ + } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s){ # K&R C next ; - } elsif (/\w+\W+\w+\W*\(.*\)$/s) { - while (not /\(\)$/s) { - s/[^\(\)]*\)$/\)/s; - s/\([^\(\)]*\)\)$/\)/s; + } elsif (/\w+\W+\w+\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) { + while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) { + s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s; + s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s; } s/\(void\)//; - /(\w+)\W*\(\)/s; + /(\w+(\{[0-9]+\})?)\W*\(\)/s; my $name = $1; $name =~ tr/[a-z]/[A-Z]/; $ftrans{$name} = $1; 
@@ -262,7 +262,7 @@ foreach $lib (keys %csrc) } else { push @out, "/* ====================================================================\n", -" * Copyright (c) 2001-2002 The OpenSSL Project. All rights reserved.\n", +" * Copyright (c) 2001-2003 The OpenSSL Project. All rights reserved.\n", " *\n", " * Redistribution and use in source and binary forms, with or without\n", " * modification, are permitted provided that the following conditions\n", @@ -404,7 +404,7 @@ EOF print OUT <<"EOF"; /* $cfile */ /* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/openssl/util/pl/Mingw32.pl b/crypto/openssl/util/pl/Mingw32.pl index 45ab685..4bee638 100644 --- a/crypto/openssl/util/pl/Mingw32.pl +++ b/crypto/openssl/util/pl/Mingw32.pl @@ -1,17 +1,17 @@ #!/usr/local/bin/perl # -# Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools) +# Mingw32.pl -- Mingw # $o='/'; $cp='cp'; -$rm='rem'; # use 'rm -f' if using GNU file utilities +$rm='rm -f'; $mkdir='gmkdir'; -# gcc wouldn't accept backslashes in paths -#$o='\\'; -#$cp='copy'; -#$rm='del'; +$o='\\'; +$cp='copy'; +$rm='del'; +$mkdir='mkdir'; # C compiler stuff 
@@ -19,29 +19,29 @@ $cc='gcc'; if ($debug) { $cflags="-DL_ENDIAN -DDSO_WIN32 -g2 -ggdb"; } else - { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -m486 -Wall"; } + { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; } if ($gaswin and !$no_asm) { - $bn_asm_obj='$(OBJ_D)/bn-win32.o'; + $bn_asm_obj='$(OBJ_D)\bn-win32.o'; $bn_asm_src='crypto/bn/asm/bn-win32.s'; - $bnco_asm_obj='$(OBJ_D)/co-win32.o'; + $bnco_asm_obj='$(OBJ_D)\co-win32.o'; $bnco_asm_src='crypto/bn/asm/co-win32.s'; - $des_enc_obj='$(OBJ_D)/d-win32.o $(OBJ_D)/y-win32.o'; + $des_enc_obj='$(OBJ_D)\d-win32.o $(OBJ_D)\y-win32.o'; $des_enc_src='crypto/des/asm/d-win32.s crypto/des/asm/y-win32.s'; - $bf_enc_obj='$(OBJ_D)/b-win32.o'; + $bf_enc_obj='$(OBJ_D)\b-win32.o'; $bf_enc_src='crypto/bf/asm/b-win32.s'; -# $cast_enc_obj='$(OBJ_D)/c-win32.o'; +# $cast_enc_obj='$(OBJ_D)\c-win32.o'; # $cast_enc_src='crypto/cast/asm/c-win32.s'; - $rc4_enc_obj='$(OBJ_D)/r4-win32.o'; + $rc4_enc_obj='$(OBJ_D)\r4-win32.o'; $rc4_enc_src='crypto/rc4/asm/r4-win32.s'; - $rc5_enc_obj='$(OBJ_D)/r5-win32.o'; + $rc5_enc_obj='$(OBJ_D)\r5-win32.o'; $rc5_enc_src='crypto/rc5/asm/r5-win32.s'; - $md5_asm_obj='$(OBJ_D)/m5-win32.o'; + $md5_asm_obj='$(OBJ_D)\m5-win32.o'; $md5_asm_src='crypto/md5/asm/m5-win32.s'; - $rmd160_asm_obj='$(OBJ_D)/rm-win32.o'; + $rmd160_asm_obj='$(OBJ_D)\rm-win32.o'; $rmd160_asm_src='crypto/ripemd/asm/rm-win32.s'; - $sha1_asm_obj='$(OBJ_D)/s1-win32.o'; + $sha1_asm_obj='$(OBJ_D)\s1-win32.o'; $sha1_asm_src='crypto/sha/asm/s1-win32.s'; $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM"; } @@ -85,7 +85,7 @@ sub do_lib_rule ($Name=$name) =~ tr/a-z/A-Z/; $ret.="$target: \$(${Name}OBJ)\n"; - $ret.="\t\$(RM) $target\n"; + $ret.="\tif exist $target \$(RM) $target\n"; $ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n"; $ret.="\t\$(RANLIB) $target\n\n"; } diff --git a/crypto/openssl/util/point.sh b/crypto/openssl/util/point.sh index ce7dcc5..4790e08 100755 --- a/crypto/openssl/util/point.sh 
+++ b/crypto/openssl/util/point.sh @@ -1,10 +1,10 @@ #!/bin/sh -rm -f $2 +rm -f "$2" if test "$OSTYPE" = msdosdjgpp; then - cp $1 $2 + cp "$1" "$2" else - ln -s $1 $2 + ln -s "$1" "$2" fi echo "$2 => $1" |
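Review bot: the format comment added above the OFB test vectors reads `# AES-bits-CFB:key:IV/output':plaintext:ciphertext:encdec`, but every vector beneath it is tagged `AES-128-OFB`, `AES-192-OFB` or `AES-256-OFB`. It looks copied from the CFB section and should say `AES-bits-OFB`, so that anyone adding vectors from this template does not exercise the wrong mode.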
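Review bot: tools/c_rehash now hard-codes `#!/usr/bin/perl`, while util/pl/Mingw32.pl in this same patch still begins with `#!/usr/local/bin/perl`, so the tree carries two different assumptions about where perl lives. A short comment stating which path is expected, or a shebang that the install step substitutes, would stop the script from failing on hosts where perl is installed under the other prefix.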
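Review bot: in util/extract-names.pl the replacement `s/,[ \t]+/,/g; push @words, split ',';` strips only whitespace that follows a comma. Whitespace before a comma, leading indentation, and any line terminator still present in `$_` at this point now end up inside the pushed names, where the old `split ' '` discarded them. Trimming each element after the split would keep the new comma-only separation without leaking whitespace into `@words`.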
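Review bot: the new `return("") if $no_ec && $dir =~ /\/ec/;` in util/mk1mf.pl is unanchored, so `$no_ec` will also drop any directory whose name merely begins with "ec". The neighbouring `/\/dh/` and `/\/dsa/` tests have the same shape, but it is worth tightening the new line to something like `/\/ec(\/|$)/` so a later directory with that prefix is not silently excluded from the build.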
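Review bot: in the first util/mkdef.pl hunk, the added `if (/\/\*/) { $line = $_; next; }` fires on any `/*` left after complete comments are stripped, and nothing is reported when it does. If the closing `*/` never arrives, the declarations after that point are skipped without a trace. A debug print in the style of the neighbouring `print STDERR "DEBUG: ..." if $debug;` lines would make a swallowed declaration visible, and a comment should say that `$line` is the carry-over buffer for the next read.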
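Review bot: the second util/mkdef.pl hunk pastes the fragment `(\s*__attribute__\(.*\)\s*)?$` into five patterns, and the same fragment is repeated in util/mkerr.pl, so any later correction has to be made in ten places. Defining it once, for example `my $attr = qr/(?:\s*__attribute__\(.*\)\s*)?/s;`, and interpolating it would remove the duplication. The non-capturing form also avoids adding an extra capture group to patterns whose `$1` is used. Note too that `.*` under `/s` is greedy and will run to the last `)` in the buffer, which deserves a comment.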
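Review bot: in the first util/mkerr.pl hunk the name capture changes from `/(\w+)\W*\(\)/s` to `/(\w+(\{[0-9]+\})?)\W*\(\)/s`, so `$1` can now carry a `{n}` suffix into `$name` and into `$ftrans{$name} = $1;`. If the suffix is meant only to disambiguate declarations, strip it before the `tr/[a-z]/[A-Z]/` step. If it is meant to reach `%ftrans`, a comment saying so would help, since the pattern was evidently copied from mkdef.pl.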
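Review bot: in the first util/pl/Mingw32.pl hunk, the assignments `$o='/'; $cp='cp'; $rm='rm -f'; $mkdir='gmkdir';` are immediately overwritten by `$o='\\'; $cp='copy'; $rm='del'; $mkdir='mkdir';`, so the first block is dead code and the `$rm='rm -f'` change has no effect. Either delete the first block or select between the two sets on a flag. The removed remark "gcc wouldn't accept backslashes in paths" also needs a replacement comment explaining why backslashes are now acceptable.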
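Review bot: the second util/pl/Mingw32.pl hunk hard-codes a backslash in every `*_obj` value, such as `'$(OBJ_D)\bn-win32.o'`, while the matching `*_src` values keep forward slashes, so the same rule mixes both separators. The file already defines `$o` as the path separator, so building these paths with `$o` would keep them consistent and let the separator be changed in one place.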
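Review bot: in `do_lib_rule` of util/pl/Mingw32.pl, the new recipe line `"\tif exist $target \$(RM) $target\n"` is cmd.exe syntax and will fail if make runs its recipes through a POSIX shell. The dependency on cmd.exe should be stated in the file header, which this patch shortens to "Mingw32.pl -- Mingw" and which no longer says which tool set is assumed.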
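Review bot: quoting `"$1"` and `"$2"` in util/point.sh fixes word splitting, but in `rm -f "$2"`, `cp "$1" "$2"` and `ln -s "$1" "$2"` an argument that begins with `-` is still parsed as an option. Putting `--` before the operands, as in `rm -f -- "$2"`, closes that gap. The script also prints `"$2 => $1"` even when `cp` or `ln` fails, so the exit status of those commands should be checked before the echo.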