diff options
| author | nectar <nectar@FreeBSD.org> | 2002-07-30 13:38:06 +0000 |
|---|---|---|
| committer | nectar <nectar@FreeBSD.org> | 2002-07-30 13:38:06 +0000 |
| commit | 9b2d8504539be7c47e0a668f28f683954960e251 (patch) | |
| tree | 452372b320a4ccc86f09651553392a2a8f3794be /crypto/openssl | |
| parent | 86b15117de99802621746d29e72559dfc406c288 (diff) | |
| parent | 2f13e0916590f8488178999aec4874ed5662a031 (diff) | |
| download | FreeBSD-src-9b2d8504539be7c47e0a668f28f683954960e251.zip FreeBSD-src-9b2d8504539be7c47e0a668f28f683954960e251.tar.gz | |
This commit was generated by cvs2svn to compensate for changes in r100936,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'crypto/openssl')
104 files changed, 934 insertions, 325 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 9dec277..be4d128 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,58 @@ OpenSSL CHANGES _______________ + Changes between 0.9.6d and 0.9.6e [30 Jul 2002] + + *) Fix cipher selection routines: ciphers without encryption had no flags + for the cipher strength set and where therefore not handled correctly + by the selection routines (PR #130). + [Lutz Jaenicke] + + *) Fix EVP_dsa_sha macro. + [Nils Larsch] + + *) New option + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure + that was added in OpenSSL 0.9.6d. + + As the countermeasure turned out to be incompatible with some + broken SSL implementations, the new option is part of SSL_OP_ALL. + SSL_OP_ALL is usually employed when compatibility with weird SSL + implementations is desired (e.g. '-bugs' option to 's_client' and + 's_server'), so the new option is automatically set in many + applications. + [Bodo Moeller] + + *) Changes in security patch: + + Changes marked "(CHATS)" were sponsored by the Defense Advanced + Research Projects Agency (DARPA) and Air Force Research Laboratory, + Air Force Materiel Command, USAF, under agreement number + F30602-01-2-0537. + + *) Add various sanity checks to asn1_get_length() to reject + the ASN1 length bytes if they exceed sizeof(long), will appear + negative or the content length exceeds the length of the + supplied buffer. + [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>] + + *) Assertions for various potential buffer overflows, not known to + happen in practice. + [Ben Laurie (CHATS)] + + *) Various temporary buffers to hold ASCII versions of integers were + too small for 64 bit platforms. (CAN-2002-0655) + [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)> + + *) Remote buffer overflow in SSL3 protocol - an attacker could + supply an oversized session ID to a client. (CAN-2002-0656) + [Ben Laurie (CHATS)] + + *) Remote buffer overflow in SSL2 protocol - an attacker could + supply an oversized client master key. (CAN-2002-0656) + [Ben Laurie (CHATS)] + Changes between 0.9.6c and 0.9.6d [9 May 2002] *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 8ccd458..871fb63 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -144,6 +144,7 @@ my %table=( "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8 # but keep the assembler modules. "solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -169,10 +170,10 @@ my %table=( "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::", # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently # assisted with debugging of following two configs. -"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::::", +"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # it's a real mess with -mcpu=ultrasparc option under Linux, but # -Wa,-Av8plus should do the trick no matter what. -"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # !!!Folowing can't be even tested yet!!! # We have to wait till 64-bit glibc for SPARC is operational!!! #"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:", @@ -228,6 +229,7 @@ my %table=( "hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # More attempts at unified 10.X and 11.X targets for HP C compiler. # @@ -335,7 +337,7 @@ my %table=( # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the # bn86-elf.o file file since it is hand tweaked assembler. "linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "linux-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::", @@ -435,7 +437,7 @@ my %table=( "sco5-cc-pentium", "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? "sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... "sco5-cc-shared","cc:-belf:::-lsocket -lresolv -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr3-shared:-Kpic", -"sco5-gcc-shared","gcc:-O3 -DFILIO_H -fomit-frame-pointer:::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-fPIC", # the SCO assembler doesn't seem to like our assembler files ... +"sco5-gcc-shared","gcc:-O3 -fomit-frame-pointer:::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-fPIC", # the SCO assembler doesn't seem to like our assembler files ... # Sinix/ReliantUNIX RM400 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g */ @@ -470,6 +472,9 @@ my %table=( # and its library files in util/pl/*) "Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", +# UWIN +"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", + # Cygwin "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll", @@ -488,7 +493,7 @@ my %table=( ##### MacOS X (a.k.a. Rhapsody or Darwin) setup "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", -"darwin-ppc-cc","cc:-O3 -D_DARWIN -DB_ENDIAN::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", +"darwin-ppc-cc","cc:-O3 -D_DARWIN -DB_ENDIAN -fno-common::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", ##### Sony NEWS-OS 4.x "newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::", @@ -899,6 +904,10 @@ if ($rmd160_obj =~ /\.o$/) $cflags.=" -DRMD160_ASM"; } +# "Stringify" the C flags string. This permits it to be made part of a string +# and works as well on command lines. +$cflags =~ s/([\\\"])/\\\1/g; + my $version = "unknown"; my $major = "unknown"; my $minor = "unknown"; @@ -981,13 +990,21 @@ while (<IN>) if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/) { my $sotmp = $1; - s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/ + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/; + } + elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.dylib$/) + { + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.dylib/; } elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) { my $sotmp = $1; s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; } + elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) + { + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/; + } s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/; print OUT $_."\n"; } diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index 3b69d8b..ad75299 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -38,6 +38,8 @@ OpenSSL - Frequently Asked Questions * Why does the OpenSSL compilation fail on Alpha Tru64 Unix? * Why does the OpenSSL compilation fail with "ar: command not found"? * Why does the OpenSSL compilation fail on Win32 with VC++? +* What is special about OpenSSL on Redhat? +* Why does the OpenSSL test suite fail on MacOS X? [PROG] Questions about programming with OpenSSL @@ -59,7 +61,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.6d was released on 9 May, 2002. +OpenSSL 0.9.6e was released on 30 May, 2002. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -215,8 +217,11 @@ For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested installing the SUNski package from Sun patch 105710-01 (Sparc) which adds a /dev/random device and make sure it gets used, usually through $RANDFILE. There are probably similar patches for the other Solaris -versions. However, be warned that /dev/random is usually a blocking -device, which may have some effects on OpenSSL. +versions. An official statement from Sun with respect to /dev/random +support can be found at + http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski +However, be warned that /dev/random is usually a blocking device, which +may have some effects on OpenSSL. * Why do I get an "unable to write 'random state'" error message? @@ -451,6 +456,52 @@ under 'Program Files'). This needs to be done prior to running NMAKE, and the changes are only valid for the current DOS session. +* What is special about OpenSSL on Redhat? + +Red Hat Linux (release 7.0 and later) include a preinstalled limited +version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2 +is disabled in this version. The same may apply to other Linux distributions. +Users may therefore wish to install more or all of the features left out. + +To do this you MUST ensure that you do not overwrite the openssl that is in +/usr/bin on your Red Hat machine. Several packages depend on this file, +including sendmail and ssh. /usr/local/bin is a good alternative choice. The +libraries that come with Red Hat 7.0 onwards have different names and so are +not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and +/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and +/lib/libcrypto.so.2 respectively). + +Please note that we have been advised by Red Hat attempting to recompile the +openssl rpm with all the cryptography enabled will not work. All other +packages depend on the original Red Hat supplied openssl package. It is also +worth noting that due to the way Red Hat supplies its packages, updates to +openssl on each distribution never change the package version, only the +build number. For example, on Red Hat 7.1, the latest openssl package has +version number 0.9.6 and build number 9 even though it contains all the +relevant updates in packages up to and including 0.9.6b. + +A possible way around this is to persuade Red Hat to produce a non-US +version of Red Hat Linux. + +FYI: Patent numbers and expiry dates of US patents: +MDC-2: 4,908,861 13/03/2007 +IDEA: 5,214,703 25/05/2010 +RC5: 5,724,428 03/03/2015 + + +* Why does the OpenSSL test suite fail on MacOS X? + +If the failure happens when running 'make test' and the RC4 test fails, +it's very probable that you have OpenSSL 0.9.6b delivered with the +operating system (you can find out by running '/usr/bin/openssl version') +and that you were trying to build OpenSSL 0.9.6d. The problem is that +the loader ('ld') in MacOS X has a misfeature that's quite difficult to +go around and has linked the programs "openssl" and the test programs +with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the +libraries you just built. +Look in the file PROBLEMS for a more detailed explanation and for possible +solutions. + [PROG] ======================================================================== * Is OpenSSL thread-safe? diff --git a/crypto/openssl/INSTALL b/crypto/openssl/INSTALL index 6634316..75a843b 100644 --- a/crypto/openssl/INSTALL +++ b/crypto/openssl/INSTALL @@ -128,8 +128,11 @@ the failure that aren't problems in OpenSSL itself (like missing standard headers). If it is a problem with OpenSSL itself, please report the problem to <openssl-bugs@openssl.org> (note that your - message will be forwarded to a public mailing list). Include the - output of "make report" in your message. + message will be recorded in the request tracker publicly readable + via http://www.openssl.org/rt2.html and will be forwarded to a public + mailing list). Include the output of "make report" in your message. + Please check out the request tracker. Maybe the bug was already + reported or has already been fixed. [If you encounter assembler error messages, try the "no-asm" configuration option as an immediate fix.] @@ -147,7 +150,8 @@ try removing any compiler optimization flags from the CFLAGS line in Makefile.ssl and run "make clean; make". Please send a bug report to <openssl-bugs@openssl.org>, including the output of - "make report". + "make report" in order to be added to the request tracker at + http://www.openssl.org/rt2.html. 4. If everything tests ok, install OpenSSL with diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org index e47d8b4..2ee1656 100644 --- a/crypto/openssl/Makefile.org +++ b/crypto/openssl/Makefile.org @@ -420,6 +420,7 @@ do_hpux-shared: -b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ + chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \ libs="$$libs -L. -l$$i"; \ done @@ -430,6 +431,7 @@ do_hpux64-shared: -b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +forceload lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ + chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \ libs="$$libs -L. -l$$i"; \ done @@ -545,7 +547,7 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' EXE_EXT='${EXE_EXT}' tests ); + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' OPENSSL_DEBUG_MEMORY=on tests ); @apps/openssl version -a report: @@ -556,7 +558,7 @@ depend: do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making dependencies $$i..." && \ - $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \ + $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ) || exit 1; \ fi; \ done; @@ -601,20 +603,26 @@ TABLE: Configure update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE +# Build distribution tar-file. As the list of files returned by "find" is +# pretty long, on several platforms a "too many arguments" error or similar +# would occur. Therefore the list of files is temporarily stored into a file +# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal +# tar does not support the --files-from option. tar: - @$(TAR) $(TARFLAGS) -cvf - \ - `find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort` |\ + find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \ + $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ tardy --user_number=0 --user_name=openssl \ --group_number=0 --group_name=openssl \ --prefix=openssl-$(VERSION) - |\ gzip --best >../$(TARFILE).gz; \ + rm -f ../$(TARFILE).list; \ ls -l ../$(TARFILE).gz dist: $(PERL) Configure dist @$(MAKE) dist_pem_h @$(MAKE) SDIRS='${SDIRS}' clean - @$(MAKE) tar + @$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar dist_pem_h: (cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean) @@ -656,7 +664,7 @@ install: all install_docs ( echo installing $$i; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ else \ c=`echo $$i | sed 's/^lib/cyg/'`; \ cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ @@ -681,18 +689,20 @@ install_docs: fn=`basename $$i .pod`; \ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ - (cd `dirname $$i`; \ - $(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \ - --release=$(VERSION) `basename $$i`) \ + (cd `$(PERL) util/dirname.pl $$i`; \ + sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ done @for i in doc/crypto/*.pod doc/ssl/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ - (cd `dirname $$i`; \ - $(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \ - --release=$(VERSION) `basename $$i`) \ + (cd `$(PERL) util/dirname.pl $$i`; \ + sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ done diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl index 928b1a0..4c1954d 100644 --- a/crypto/openssl/Makefile.ssl +++ b/crypto/openssl/Makefile.ssl @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.6d +VERSION=0.9.6e MAJOR=0 MINOR=9.6 SHLIB_VERSION_NUMBER=0.9.6 @@ -64,7 +64,7 @@ EX_LIBS= EXE_EXT= AR=ar r RANLIB= /usr/bin/ranlib -PERL= /usr/local/bin/perl +PERL= /usr/local/bin/perl5 TAR= tar TARFLAGS= --no-recursion @@ -422,6 +422,7 @@ do_hpux-shared: -b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ + chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \ libs="$$libs -L. -l$$i"; \ done @@ -432,6 +433,7 @@ do_hpux64-shared: -b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +forceload lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ + chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \ libs="$$libs -L. -l$$i"; \ done @@ -547,7 +549,7 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' EXE_EXT='${EXE_EXT}' tests ); + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' OPENSSL_DEBUG_MEMORY=on tests ); @apps/openssl version -a report: @@ -558,7 +560,7 @@ depend: do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making dependencies $$i..." && \ - $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \ + $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ) || exit 1; \ fi; \ done; @@ -603,20 +605,26 @@ TABLE: Configure update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE +# Build distribution tar-file. As the list of files returned by "find" is +# pretty long, on several platforms a "too many arguments" error or similar +# would occur. Therefore the list of files is temporarily stored into a file +# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal +# tar does not support the --files-from option. tar: - @$(TAR) $(TARFLAGS) -cvf - \ - `find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort` |\ + find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \ + $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ tardy --user_number=0 --user_name=openssl \ --group_number=0 --group_name=openssl \ --prefix=openssl-$(VERSION) - |\ gzip --best >../$(TARFILE).gz; \ + rm -f ../$(TARFILE).list; \ ls -l ../$(TARFILE).gz dist: $(PERL) Configure dist @$(MAKE) dist_pem_h @$(MAKE) SDIRS='${SDIRS}' clean - @$(MAKE) tar + @$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar dist_pem_h: (cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean) @@ -658,7 +666,7 @@ install: all install_docs ( echo installing $$i; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ else \ c=`echo $$i | sed 's/^lib/cyg/'`; \ cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ @@ -683,18 +691,20 @@ install_docs: fn=`basename $$i .pod`; \ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ - (cd `dirname $$i`; \ - $(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \ - --release=$(VERSION) `basename $$i`) \ + (cd `$(PERL) util/dirname.pl $$i`; \ + sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ done @for i in doc/crypto/*.pod doc/ssl/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ - (cd `dirname $$i`; \ - $(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \ - --release=$(VERSION) `basename $$i`) \ + (cd `$(PERL) util/dirname.pl $$i`; \ + sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ done diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index 908d063..0af2ded 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS @@ -56,7 +56,7 @@ o Bug fixes for Win32, HP/UX and Irix. o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and memory checking routines. - o Bug fixes for RSA operations in threaded enviroments. + o Bug fixes for RSA operations in threaded environments. o Bug fixes in misc. openssl applications. o Remove a few potential memory leaks. o Add tighter checks of BIGNUM routines. diff --git a/crypto/openssl/PROBLEMS b/crypto/openssl/PROBLEMS new file mode 100644 index 0000000..f072449 --- /dev/null +++ b/crypto/openssl/PROBLEMS @@ -0,0 +1,34 @@ +* System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X. +[NOTE: This is currently undergoing tests, and may be removed soon] + +This is really a misfeature in ld, which seems to look for .dylib libraries +along the whole library path before it bothers looking for .a libraries. This +means that -L switches won't matter unless OpenSSL is built with shared +library support. + +The workaround may be to change the following lines in apps/Makefile.ssl and +test/Makefile.ssl: + + LIBCRYPTO=-L.. -lcrypto + LIBSSL=-L.. -lssl + +to: + + LIBCRYPTO=../libcrypto.a + LIBSSL=../libssl.a + +It's possible that something similar is needed for shared library support +as well. That hasn't been well tested yet. + + +Another solution that many seem to recommend is to move the libraries +/usr/lib/libcrypto.0.9.dylib, /usr/lib/libssl.0.9.dylib to a different +directory, build and install OpenSSL and anything that depends on your +build, then move libcrypto.0.9.dylib and libssl.0.9.dylib back to their +original places. Note that the version numbers on those two libraries +may differ on your machine. + + +As long as Apple doesn't fix the problem with ld, this problem building +OpenSSL will remain as is. + diff --git a/crypto/openssl/README b/crypto/openssl/README index 16385a0e..48d492e 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 0.9.6d 9 May 2002 + OpenSSL 0.9.6e 30 July 2002 Copyright (c) 1998-2002 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson @@ -122,6 +122,13 @@ lists the functions; you will probably have to look at the code to work out how to use them. Look at the example programs. + PROBLEMS + -------- + + For some platforms, there are some known problems that may affect the user + or application author. We try to collect those in doc/PROBLEMS, with current + thoughts on how they should be solved in a future of OpenSSL. + SUPPORT ------- @@ -146,11 +153,13 @@ - Problem Description (steps that will reproduce the problem, if known) - Stack Traceback (if the application dumps core) - Report the bug to the OpenSSL project at: + Report the bug to the OpenSSL project via the Request Tracker + (http://www.openssl.org/rt2.html) by mail to: openssl-bugs@openssl.org - Note that mail to openssl-bugs@openssl.org is forwarded to a public + Note that mail to openssl-bugs@openssl.org is recorded in the publicly + readable request tracker database and is forwarded to a public mailing list. Confidential mail may be sent to openssl-security@openssl.org (PGP key available from the key servers). @@ -164,7 +173,9 @@ textual explanation of what your patch does. Note: For legal reasons, contributions from the US can be accepted only - if a copy of the patch is sent to crypt@bxa.doc.gov + if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov; + see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic] + and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)). The preferred format for changes is "diff -u" output. You might generate it like this: diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl index f1ac7e7..2f76552 100755 --- a/crypto/openssl/apps/CA.pl +++ b/crypto/openssl/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/local/bin/perl5 # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl index 7d9bece..0b3208f 100644 --- a/crypto/openssl/apps/Makefile.ssl +++ b/crypto/openssl/apps/Makefile.ssl @@ -13,7 +13,7 @@ OPENSSLDIR= /usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPEND= $(TOP)/util/domd $(TOP) MAKEFILE= Makefile.ssl -PERL=/usr/local/bin/perl +PERL= perl RM= rm -f PEX_LIBS= @@ -128,10 +128,10 @@ clean: rm -f req $(DLIBSSL): - (cd ../ssl; $(MAKE)) + (cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}') $(DLIBCRYPTO): - (cd ../crypto; $(MAKE)) + (cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}') $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) $(RM) $(PROGRAM) diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c index c22550b..618e34c 100644 --- a/crypto/openssl/apps/apps.c +++ b/crypto/openssl/apps/apps.c @@ -228,9 +228,16 @@ void program_name(char *in, char *out, int size) q=strrchr(p,'.'); if (q == NULL) - q = in+size; - strncpy(out,p,q-p); - out[q-p]='\0'; + q = p + strlen(p); + strncpy(out,p,size-1); + if (q-p >= size) + { + out[size-1]='\0'; + } + else + { + out[q-p]='\0'; + } } #else void program_name(char *in, char *out, int size) @@ -755,7 +762,7 @@ int set_name_ex(unsigned long *flags, const char *arg) void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags) { - char buf[256]; + char *buf; char mline = 0; int indent = 0; if(title) BIO_puts(out, title); @@ -764,9 +771,10 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags) indent = 4; } if(lflags == XN_FLAG_COMPAT) { - X509_NAME_oneline(nm,buf,256); - BIO_puts(out,buf); + buf = X509_NAME_oneline(nm, 0, 0); + BIO_puts(out, buf); BIO_puts(out, "\n"); + OPENSSL_free(buf); } else { if(mline) BIO_puts(out, "\n"); X509_NAME_print_ex(out, nm, indent, lflags); diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c index f25c9f8..5339166 100644 --- a/crypto/openssl/apps/asn1pars.c +++ b/crypto/openssl/apps/asn1pars.c @@ -181,7 +181,7 @@ bad: BIO_printf(bio_err,"where options are\n"); BIO_printf(bio_err," -inform arg input format - one of DER TXT PEM\n"); BIO_printf(bio_err," -in arg input file\n"); - BIO_printf(bio_err," -out arg output file\n"); + BIO_printf(bio_err," -out arg output file (output format is always DER\n"); BIO_printf(bio_err," -noout arg don't produce any output\n"); BIO_printf(bio_err," -offset arg offset into file\n"); BIO_printf(bio_err," -length arg length of section in file\n"); @@ -192,7 +192,6 @@ bad: BIO_printf(bio_err," -strparse offset\n"); BIO_printf(bio_err," a series of these can be used to 'dig' into multiple\n"); BIO_printf(bio_err," ASN1 blob wrappings\n"); - BIO_printf(bio_err," -out filename output DER encoding to file\n"); goto end; } diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index f342e1f..0618bb5 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -1108,7 +1108,7 @@ bad: } if ((crldays == 0) && (crlhours == 0)) { - BIO_printf(bio_err,"cannot lookup how long until the next CRL is issuer\n"); + BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n"); goto err; } diff --git a/crypto/openssl/apps/der_chop b/crypto/openssl/apps/der_chop index 9070b03..fbd2889 100644 --- a/crypto/openssl/apps/der_chop +++ b/crypto/openssl/apps/der_chop @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/local/bin/perl5 # # der_chop ... this is one total hack that Eric is really not proud of # so don't look at it and don't ask for support diff --git a/crypto/openssl/apps/pkcs7.c b/crypto/openssl/apps/pkcs7.c index 0af2690..a9fff11 100644 --- a/crypto/openssl/apps/pkcs7.c +++ b/crypto/openssl/apps/pkcs7.c @@ -88,7 +88,7 @@ int MAIN(int argc, char **argv) int informat,outformat; char *infile,*outfile,*prog; int print_certs=0,text=0,noout=0; - int ret=0; + int ret=1; apps_startup(); diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c index 9d09d75..b9b1328 100644 --- a/crypto/openssl/apps/x509.c +++ b/crypto/openssl/apps/x509.c @@ -233,7 +233,7 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-CAkeyform") == 0) { if (--argc < 1) goto bad; - CAformat=str2fmt(*(++argv)); + CAkeyformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-days") == 0) { diff --git a/crypto/openssl/config b/crypto/openssl/config index 0903d99..4f7b418 100755 --- a/crypto/openssl/config +++ b/crypto/openssl/config @@ -381,17 +381,29 @@ done # figure out if gcc is available and if so we use it otherwise # we fallback to whatever cc does on the system -GCCVER=`(gcc --version) 2>/dev/null` +GCCVER=`(gcc -dumpversion) 2>/dev/null` if [ "$GCCVER" != "" ]; then CC=gcc - # then strip off whatever prefix Cygnus prepends the number with... - GCCVER=`echo $GCCVER | sed 's/^[a-z]*\-//'` + # Since gcc 3.1 gcc --version behaviour has changed. gcc -dumpversion + # does give us what we want though, so we use that. We just just the + # major and minor version numbers. # peak single digit before and after first dot, e.g. 2.95.1 gives 29 GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'` else CC=cc fi - +if [ "$SYSTEM" = "HP-UX" ];then + # By default gcc is a ILP32 compiler (with long long == 64). + GCC_BITS="32" + if [ $GCCVER -ge 30 ]; then + # PA64 support only came in with gcc 3.0.x. + # We look for the preprocessor symbol __LP64__ indicating + # 64bit bit long and pointer. sizeof(int) == 32 on HPUX64. + if gcc -v -E -x c /dev/null 2>&1 | grep __LP64__ > /dev/null; then + GCC_BITS="64" + fi + fi +fi if [ "$SYSTEM" = "SunOS" ]; then # check for WorkShop C, expected output is "cc: blah-blah C x.x" CCVER=`(cc -V 2>&1) 2>/dev/null | \ @@ -497,6 +509,10 @@ EOF ${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}` rm dummy dummy.c ;; + ppc64-*-linux2) + #Use the standard target for PPC architecture until we create a + #special one for the 64bit architecture. + OUT="linux-ppc" ;; ppc-*-linux2) OUT="linux-ppc" ;; m68k-*-linux*) OUT="linux-m68k" ;; ia64-*-linux?) OUT="linux-ia64" ;; @@ -589,8 +605,18 @@ EOF BS2000-siemens-sysv4) OUT="BS2000-OSD" ;; RM*-siemens-sysv4) OUT="ReliantUNIX" ;; *-siemens-sysv4) OUT="SINIX" ;; - *-hpux1*) OUT="hpux-parisc-$CC" - options="$options -D_REENTRANT" ;; + *-hpux1*) + if [ $CC = "gcc" ]; + then + if [ $GCC_BITS = "64" ]; then + OUT="hpux64-parisc-gcc" + else + OUT="hpux-parisc-gcc" + fi + else + OUT="hpux-parisc-$CC" + fi + options="$options -D_REENTRANT" ;; *-hpux) OUT="hpux-parisc-$CC" ;; # these are all covered by the catchall below # *-aix) OUT="aix-$CC" ;; diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl index 30f929a..f96154c 100644 --- a/crypto/openssl/crypto/Makefile.ssl +++ b/crypto/openssl/crypto/Makefile.ssl @@ -51,11 +51,11 @@ all: buildinf.h lib subdirs buildinf.h: ../Makefile.ssl ( echo "#ifndef MK1MF_BUILD"; \ - echo " /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \ - echo " #define CFLAGS \"$(CC) $(CFLAG)\""; \ - echo " #define PLATFORM \"$(PLATFORM)\""; \ + echo ' /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */'; \ + echo ' #define CFLAGS "$(CC) $(CFLAG)"'; \ + echo ' #define PLATFORM "$(PLATFORM)"'; \ echo " #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \ - echo "#endif" ) >buildinf.h + echo '#endif' ) >buildinf.h testapps: if echo ${SDIRS} | fgrep ' des '; \ @@ -134,7 +134,7 @@ depend: @for i in $(SDIRS) ;\ do \ (cd $$i; echo "making depend in crypto/$$i..."; \ - $(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' depend ); \ + $(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ); \ done; clean: diff --git a/crypto/openssl/crypto/asn1/a_bitstr.c b/crypto/openssl/crypto/asn1/a_bitstr.c index cdedb29..ecc0d4b 100644 --- a/crypto/openssl/crypto/asn1/a_bitstr.c +++ b/crypto/openssl/crypto/asn1/a_bitstr.c @@ -89,8 +89,6 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp) if (a == NULL) return(0); len=a->length; - ret=1+len; - if (pp == NULL) return(ret); if (len > 0) { @@ -118,6 +116,10 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp) } else bits=0; + + ret=1+len; + if (pp == NULL) return(ret); + p= *pp; *(p++)=(unsigned char)bits; diff --git a/crypto/openssl/crypto/asn1/a_enum.c b/crypto/openssl/crypto/asn1/a_enum.c index 1428d1d..1057171 100644 --- a/crypto/openssl/crypto/asn1/a_enum.c +++ b/crypto/openssl/crypto/asn1/a_enum.c @@ -205,7 +205,18 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai) else ret->type=V_ASN1_ENUMERATED; j=BN_num_bits(bn); len=((j == 0)?0:((j/8)+1)); - ret->data=(unsigned char *)OPENSSL_malloc(len+4); + if (ret->length < len+4) + { + unsigned char *new_data= + OPENSSL_realloc(ret->data, len+4); + if (!new_data) + { + ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE); + goto err; + } + ret->data=new_data; + } + ret->length=BN_bn2bin(bn,ret->data); return(ret); err: diff --git a/crypto/openssl/crypto/asn1/a_int.c b/crypto/openssl/crypto/asn1/a_int.c index 6f0413f..0a24bef 100644 --- a/crypto/openssl/crypto/asn1/a_int.c +++ b/crypto/openssl/crypto/asn1/a_int.c @@ -451,7 +451,16 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai) else ret->type=V_ASN1_INTEGER; j=BN_num_bits(bn); len=((j == 0)?0:((j/8)+1)); - ret->data=(unsigned char *)OPENSSL_malloc(len+4); + if (ret->length < len+4) + { + unsigned char *new_data= OPENSSL_realloc(ret->data, len+4); + if (!new_data) + { + ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE); + goto err; + } + ret->data=new_data; + } ret->length=BN_bn2bin(bn,ret->data); return(ret); err: diff --git a/crypto/openssl/crypto/asn1/a_set.c b/crypto/openssl/crypto/asn1/a_set.c index caf5a14..5b0938e 100644 --- a/crypto/openssl/crypto/asn1/a_set.c +++ b/crypto/openssl/crypto/asn1/a_set.c @@ -116,7 +116,7 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag, } pStart = p; /* Catch the beg of Setblobs*/ - rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array + if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array we will store the SET blobs */ for (i=0; i<sk_num(a); i++) @@ -133,7 +133,7 @@ SetBlob /* Now we have to sort the blobs. I am using a simple algo. *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/ qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp); - pTempMem = OPENSSL_malloc(totSize); + if (!(pTempMem = OPENSSL_malloc(totSize))) return 0; /* Copy to temp mem */ p = pTempMem; diff --git a/crypto/openssl/crypto/asn1/a_utctm.c b/crypto/openssl/crypto/asn1/a_utctm.c index 3ae7432..dd5955a 100644 --- a/crypto/openssl/crypto/asn1/a_utctm.c +++ b/crypto/openssl/crypto/asn1/a_utctm.c @@ -270,6 +270,9 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t) { struct tm *tm; +#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__) && !defined(_DARWIN) + struct tm data; +#endif int offset; int year; @@ -287,7 +290,8 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t) t -= offset*60; /* FIXME: may overflow in extreme cases */ #if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__) && !defined(_DARWIN) - { struct tm data; gmtime_r(&t, &data); tm = &data; } + gmtime_r(&t, &data); + tm = &data; #else tm = gmtime(&t); #endif diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c index a8b651e..1fe3fbc 100644 --- a/crypto/openssl/crypto/asn1/asn1_lib.c +++ b/crypto/openssl/crypto/asn1/asn1_lib.c @@ -124,15 +124,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass, (int)(omax+ *pp)); #endif -#if 0 - if ((p+ *plength) > (omax+ *pp)) + if (*plength > (omax - (*pp - p))) { ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG); /* Set this so that even if things are not long enough * the values are set correctly */ ret|=0x80; } -#endif *pp=p; return(ret|inf); err: @@ -159,6 +157,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max) i= *p&0x7f; if (*(p++) & 0x80) { + if (i > sizeof(long)) + return 0; if (max-- == 0) return(0); while (i-- > 0) { @@ -170,6 +170,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max) else ret=i; } + if (ret < 0) + return 0; *pp=p; *rl=ret; return(1); @@ -407,7 +409,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b) void asn1_add_error(unsigned char *address, int offset) { - char buf1[16],buf2[16]; + char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1]; sprintf(buf1,"%lu",(unsigned long)address); sprintf(buf2,"%d",offset); diff --git a/crypto/openssl/crypto/asn1/d2i_dhp.c b/crypto/openssl/crypto/asn1/d2i_dhp.c index 635ae82..223ebbb 100644 --- a/crypto/openssl/crypto/asn1/d2i_dhp.c +++ b/crypto/openssl/crypto/asn1/d2i_dhp.c @@ -87,6 +87,7 @@ DH *d2i_DHparams(DH **a, unsigned char **pp, long length) } M_ASN1_BIT_STRING_free(bs); + bs = NULL; M_ASN1_D2I_Finish_2(a); diff --git a/crypto/openssl/crypto/asn1/d2i_dsap.c b/crypto/openssl/crypto/asn1/d2i_dsap.c index 9d4dea6..a68f35d 100644 --- a/crypto/openssl/crypto/asn1/d2i_dsap.c +++ b/crypto/openssl/crypto/asn1/d2i_dsap.c @@ -84,6 +84,7 @@ DSA *d2i_DSAparams(DSA **a, unsigned char **pp, long length) if ((ret->g=BN_bin2bn(bs->data,bs->length,ret->g)) == NULL) goto err_bn; M_ASN1_BIT_STRING_free(bs); + bs = NULL; M_ASN1_D2I_Finish_2(a); diff --git a/crypto/openssl/crypto/asn1/d2i_r_pr.c b/crypto/openssl/crypto/asn1/d2i_r_pr.c index 6c8a45f..afd5adb 100644 --- a/crypto/openssl/crypto/asn1/d2i_r_pr.c +++ b/crypto/openssl/crypto/asn1/d2i_r_pr.c @@ -108,6 +108,7 @@ RSA *d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length) goto err_bn; M_ASN1_INTEGER_free(bs); + bs = NULL; M_ASN1_D2I_Finish_2(a); err_bn: diff --git a/crypto/openssl/crypto/asn1/t_pkey.c b/crypto/openssl/crypto/asn1/t_pkey.c index ae18da9..a97341d 100644 --- a/crypto/openssl/crypto/asn1/t_pkey.c +++ b/crypto/openssl/crypto/asn1/t_pkey.c @@ -96,10 +96,34 @@ int RSA_print(BIO *bp, RSA *x, int off) char str[128]; const char *s; unsigned char *m=NULL; - int i,ret=0; + int ret=0; + size_t buf_len=0, i; - i=RSA_size(x); - m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10); + if (x->n) + buf_len = (size_t)BN_num_bytes(x->n); + if (x->e) + if (buf_len < (i = (size_t)BN_num_bytes(x->e))) + buf_len = i; + if (x->d) + if (buf_len < (i = (size_t)BN_num_bytes(x->d))) + buf_len = i; + if (x->p) + if (buf_len < (i = (size_t)BN_num_bytes(x->p))) + buf_len = i; + if (x->q) + if (buf_len < (i = (size_t)BN_num_bytes(x->q))) + buf_len = i; + if (x->dmp1) + if (buf_len < (i = (size_t)BN_num_bytes(x->dmp1))) + buf_len = i; + if (x->dmq1) + if (buf_len < (i = (size_t)BN_num_bytes(x->dmq1))) + buf_len = i; + if (x->iqmp) + if (buf_len < (i = (size_t)BN_num_bytes(x->iqmp))) + buf_len = i; + + m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { RSAerr(RSA_F_RSA_PRINT,ERR_R_MALLOC_FAILURE); @@ -161,22 +185,25 @@ int DSA_print(BIO *bp, DSA *x, int off) { char str[128]; unsigned char *m=NULL; - int i,ret=0; - BIGNUM *bn=NULL; + int ret=0; + size_t buf_len=0,i; - if (x->p != NULL) - bn=x->p; - else if (x->priv_key != NULL) - bn=x->priv_key; - else if (x->pub_key != NULL) - bn=x->pub_key; - - /* larger than needed but what the hell :-) */ - if (bn != NULL) - i=BN_num_bytes(bn)*2; - else - i=256; - m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10); + if (x->p) + buf_len = (size_t)BN_num_bytes(x->p); + if (x->q) + if (buf_len < (i = (size_t)BN_num_bytes(x->q))) + buf_len = i; + if (x->g) + if (buf_len < (i = (size_t)BN_num_bytes(x->g))) + buf_len = i; + if (x->priv_key) + if (buf_len < (i = (size_t)BN_num_bytes(x->priv_key))) + buf_len = i; + if (x->pub_key) + if (buf_len < (i = (size_t)BN_num_bytes(x->pub_key))) + buf_len = i; + + m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE); @@ -281,10 +308,15 @@ int DHparams_print_fp(FILE *fp, DH *x) int DHparams_print(BIO *bp, DH *x) { unsigned char *m=NULL; - int reason=ERR_R_BUF_LIB,i,ret=0; + int reason=ERR_R_BUF_LIB,ret=0; + size_t buf_len=0, i; - i=BN_num_bytes(x->p); - m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10); + if (x->p) + buf_len = (size_t)BN_num_bytes(x->p); + if (x->g) + if (buf_len < (i = (size_t)BN_num_bytes(x->g))) + buf_len = i; + m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { reason=ERR_R_MALLOC_FAILURE; @@ -334,10 +366,18 @@ int DSAparams_print_fp(FILE *fp, DSA *x) int DSAparams_print(BIO *bp, DSA *x) { unsigned char *m=NULL; - int reason=ERR_R_BUF_LIB,i,ret=0; + int reason=ERR_R_BUF_LIB,ret=0; + size_t buf_len=0, i; - i=BN_num_bytes(x->p); - m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10); + if (x->p) + buf_len = (size_t)BN_num_bytes(x->p); + if (x->q) + if (buf_len < (i = (size_t)BN_num_bytes(x->q))) + buf_len = i; + if (x->g) + if (buf_len < (i = (size_t)BN_num_bytes(x->g))) + buf_len = i; + m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { reason=ERR_R_MALLOC_FAILURE; diff --git a/crypto/openssl/crypto/asn1/x_pubkey.c b/crypto/openssl/crypto/asn1/x_pubkey.c index 4397a40..914bcda 100644 --- a/crypto/openssl/crypto/asn1/x_pubkey.c +++ b/crypto/openssl/crypto/asn1/x_pubkey.c @@ -156,7 +156,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) dsa->write_params=0; ASN1_TYPE_free(a->parameter); i=i2d_DSAparams(dsa,NULL); - p=(unsigned char *)OPENSSL_malloc(i); + if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err; pp=p; i2d_DSAparams(dsa,&pp); a->parameter=ASN1_TYPE_new(); diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c index bbd5101..90011db 100644 --- a/crypto/openssl/crypto/bio/b_print.c +++ b/crypto/openssl/crypto/bio/b_print.c @@ -56,6 +56,13 @@ * [including the GNU Public Licence.] */ +/* disable assert() unless BIO_DEBUG has been defined */ +#ifndef BIO_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif + /* * Stolen from tjh's ssl/ssl_trc.c stuff. */ diff --git a/crypto/openssl/crypto/bio/bf_nbio.c b/crypto/openssl/crypto/bio/bf_nbio.c index 413ef5c..988cd5a 100644 --- a/crypto/openssl/crypto/bio/bf_nbio.c +++ b/crypto/openssl/crypto/bio/bf_nbio.c @@ -104,7 +104,7 @@ static int nbiof_new(BIO *bi) { NBIO_TEST *nt; - nt=(NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST)); + if (!(nt=(NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST)))) return(0); nt->lrn= -1; nt->lwn= -1; bi->ptr=(char *)nt; diff --git a/crypto/openssl/crypto/bio/bss_bio.c b/crypto/openssl/crypto/bio/bss_bio.c index d836e3b..2797049 100644 --- a/crypto/openssl/crypto/bio/bss_bio.c +++ b/crypto/openssl/crypto/bio/bss_bio.c @@ -7,9 +7,18 @@ * for which no specific BIO method is available. * See ssl/ssltest.c for some hints on how this can be used. */ +/* BIO_DEBUG implies BIO_PAIR_DEBUG */ +#ifdef BIO_DEBUG +# ifndef BIO_PAIR_DEBUG +# define BIO_PAIR_DEBUG +# endif +#endif + +/* disable assert() unless BIO_PAIR_DEBUG has been defined */ #ifndef BIO_PAIR_DEBUG -# undef NDEBUG /* avoid conflicting definitions */ -# define NDEBUG +# ifndef NDEBUG +# define NDEBUG +# endif #endif #include <assert.h> diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h index 7ce9d8c..2ea9cd7 100644 --- a/crypto/openssl/crypto/bn/bn.h +++ b/crypto/openssl/crypto/bn/bn.h @@ -155,7 +155,7 @@ extern "C" { #define BN_BYTES 4 #define BN_BITS2 32 #define BN_BITS4 16 -#ifdef WIN32 +#ifdef _MSC_VER /* VC++ doesn't like the LL suffix */ #define BN_MASK (0xffffffffffffffffL) #else diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c index 613a268..903ab2e 100644 --- a/crypto/openssl/crypto/bn/bn_div.c +++ b/crypto/openssl/crypto/bn/bn_div.c @@ -190,10 +190,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, /* First we normalise the numbers */ norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2); - BN_lshift(sdiv,divisor,norm_shift); + if (!(BN_lshift(sdiv,divisor,norm_shift))) goto err; sdiv->neg=0; norm_shift+=BN_BITS2; - BN_lshift(snum,num,norm_shift); + if (!(BN_lshift(snum,num,norm_shift))) goto err; snum->neg=0; div_n=sdiv->top; num_n=snum->top; @@ -315,7 +315,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, tmp->top=j; j=wnum.top; - BN_sub(&wnum,&wnum,tmp); + if (!BN_sub(&wnum,&wnum,tmp)) goto err; snum->top=snum->top+wnum.top-j; @@ -323,7 +323,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, { q--; j=wnum.top; - BN_add(&wnum,&wnum,sdiv); + if (!BN_add(&wnum,&wnum,sdiv)) goto err; snum->top+=wnum.top-j; } *(resp--)=q; diff --git a/crypto/openssl/crypto/bn/bn_gcd.c b/crypto/openssl/crypto/bn/bn_gcd.c index 3982071..e8cc6c5 100644 --- a/crypto/openssl/crypto/bn/bn_gcd.c +++ b/crypto/openssl/crypto/bn/bn_gcd.c @@ -168,8 +168,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) R=in; if (R == NULL) goto err; - BN_zero(X); - BN_one(Y); + if (!BN_zero(X)) goto err; + if (!BN_one(Y)) goto err; if (BN_copy(A,a) == NULL) goto err; if (BN_copy(B,n) == NULL) goto err; sign=1; diff --git a/crypto/openssl/crypto/bn/bn_mont.c b/crypto/openssl/crypto/bn/bn_mont.c index 8cf1feb..1daf507 100644 --- a/crypto/openssl/crypto/bn/bn_mont.c +++ b/crypto/openssl/crypto/bn/bn_mont.c @@ -224,7 +224,7 @@ int BN_from_montgomery(BIGNUM *ret, BIGNUM *a, BN_MONT_CTX *mont, if (!BN_mul(t1,t2,&mont->N,ctx)) goto err; if (!BN_add(t2,a,t1)) goto err; - BN_rshift(ret,t2,mont->ri); + if (!BN_rshift(ret,t2,mont->ri)) goto err; #endif /* MONT_WORD */ if (BN_ucmp(ret, &(mont->N)) >= 0) @@ -284,8 +284,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) BN_ULONG buf[2]; mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2; - BN_zero(R); - BN_set_bit(R,BN_BITS2); /* R */ + if (!(BN_zero(R))) goto err; + if (!(BN_set_bit(R,BN_BITS2))) goto err; /* R */ buf[0]=mod->d[0]; /* tmod = N mod word size */ buf[1]=0; @@ -296,36 +296,44 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) /* Ri = R^-1 mod N*/ if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL) goto err; - BN_lshift(&Ri,&Ri,BN_BITS2); /* R*Ri */ + /* R*Ri */ + if (!(BN_lshift(&Ri,&Ri,BN_BITS2))) goto err; if (!BN_is_zero(&Ri)) - BN_sub_word(&Ri,1); + { + if (!BN_sub_word(&Ri,1)) goto err; + } else /* if N mod word size == 1 */ - BN_set_word(&Ri,BN_MASK2); /* Ri-- (mod word size) */ - BN_div(&Ri,NULL,&Ri,&tmod,ctx); /* Ni = (R*Ri-1)/N, - * keep only least significant word: */ + /* Ri-- (mod word size) */ + { + if (!BN_set_word(&Ri,BN_MASK2)) goto err; + } + /* Ni = (R*Ri-1)/N, keep only least significant word: */ + if (!(BN_div(&Ri,NULL,&Ri,&tmod,ctx))) goto err; mont->n0=Ri.d[0]; BN_free(&Ri); } #else /* !MONT_WORD */ { /* bignum version */ mont->ri=BN_num_bits(mod); - BN_zero(R); - BN_set_bit(R,mont->ri); /* R = 2^ri */ + if (!(BN_zero(R))) goto err; + /* R = 2^ri */ + if (!(BN_set_bit(R,mont->ri))) goto err; /* Ri = R^-1 mod N*/ if ((BN_mod_inverse(&Ri,R,mod,ctx)) == NULL) goto err; - BN_lshift(&Ri,&Ri,mont->ri); /* R*Ri */ - BN_sub_word(&Ri,1); + /* R*Ri */ + if (!(BN_lshift(&Ri,&Ri,mont->ri))) goto err; + if (!(BN_sub_word(&Ri,1))) goto err; /* Ni = (R*Ri-1) / N */ - BN_div(&(mont->Ni),NULL,&Ri,mod,ctx); + if (!(BN_div(&(mont->Ni),NULL,&Ri,mod,ctx))) goto err; BN_free(&Ri); } #endif /* setup RR for conversions */ - BN_zero(&(mont->RR)); - BN_set_bit(&(mont->RR),mont->ri*2); - BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx); + if (!(BN_zero(&(mont->RR)))) goto err; + if (!(BN_set_bit(&(mont->RR),mont->ri*2))) goto err; + if (!(BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx))) goto err; return(1); err: @@ -336,9 +344,9 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) { if (to == from) return(to); - BN_copy(&(to->RR),&(from->RR)); - BN_copy(&(to->N),&(from->N)); - BN_copy(&(to->Ni),&(from->Ni)); + if (!(BN_copy(&(to->RR),&(from->RR)))) return NULL; + if (!(BN_copy(&(to->N),&(from->N)))) return NULL; + if (!(BN_copy(&(to->Ni),&(from->Ni)))) return NULL; to->ri=from->ri; to->n0=from->n0; return(to); diff --git a/crypto/openssl/crypto/bn/bn_mul.c b/crypto/openssl/crypto/bn/bn_mul.c index 3e8d8b9..9059271 100644 --- a/crypto/openssl/crypto/bn/bn_mul.c +++ b/crypto/openssl/crypto/bn/bn_mul.c @@ -634,7 +634,7 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) if ((al == 0) || (bl == 0)) { - BN_zero(r); + if (!BN_zero(r)) goto err; return(1); } top=al+bl; @@ -677,14 +677,14 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) { if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA)) { - bn_wexpand(b,al); + if (bn_wexpand(b,al) == NULL) goto err; b->d[bl]=0; bl++; i--; } else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA)) { - bn_wexpand(a,bl); + if (bn_wexpand(a,bl) == NULL) goto err; a->d[al]=0; al++; i++; @@ -699,16 +699,16 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) t = BN_CTX_get(ctx); if (al == j) /* exact multiple */ { - bn_wexpand(t,k*2); - bn_wexpand(rr,k*2); + if (bn_wexpand(t,k*2) == NULL) goto err; + if (bn_wexpand(rr,k*2) == NULL) goto err; bn_mul_recursive(rr->d,a->d,b->d,al,t->d); } else { - bn_wexpand(a,k); - bn_wexpand(b,k); - bn_wexpand(t,k*4); - bn_wexpand(rr,k*4); + if (bn_wexpand(a,k) == NULL ) goto err; + if (bn_wexpand(b,k) == NULL ) goto err; + if (bn_wexpand(t,k*4) == NULL ) goto err; + if (bn_wexpand(rr,k*4) == NULL ) goto err; for (i=a->top; i<k; i++) a->d[i]=0; for (i=b->top; i<k; i++) diff --git a/crypto/openssl/crypto/conf/Makefile.ssl b/crypto/openssl/crypto/conf/Makefile.ssl index f49f365..1a433ab 100644 --- a/crypto/openssl/crypto/conf/Makefile.ssl +++ b/crypto/openssl/crypto/conf/Makefile.ssl @@ -88,10 +88,12 @@ conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h conf_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h conf_def.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h -conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/err.h -conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h -conf_def.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -conf_def.o: ../../include/openssl/symhacks.h conf_def.h +conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h +conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +conf_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +conf_def.o: ../cryptlib.h conf_def.h conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h conf_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c index 773df32..d43c9de 100644 --- a/crypto/openssl/crypto/conf/conf_def.c +++ b/crypto/openssl/crypto/conf/conf_def.c @@ -67,6 +67,7 @@ #include "conf_def.h" #include <openssl/buffer.h> #include <openssl/err.h> +#include "cryptlib.h" static char *eat_ws(CONF *conf, char *p); static char *eat_alpha_numeric(CONF *conf, char *p); @@ -180,12 +181,12 @@ static int def_destroy_data(CONF *conf) static int def_load(CONF *conf, BIO *in, long *line) { #define BUFSIZE 512 - char btmp[16]; int bufnum=0,i,ii; BUF_MEM *buff=NULL; char *s,*p,*end; int again,n; long eline=0; + char btmp[DECIMAL_SIZE(eline)+1]; CONF_VALUE *v=NULL,*tv; CONF_VALUE *sv=NULL; char *section=NULL,*buf; diff --git a/crypto/openssl/crypto/cryptlib.c b/crypto/openssl/crypto/cryptlib.c index 8fd2d4d..832c6c0 100644 --- a/crypto/openssl/crypto/cryptlib.c +++ b/crypto/openssl/crypto/cryptlib.c @@ -491,3 +491,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, #endif #endif + +void OpenSSLDie(const char *file,int line,const char *assertion) + { + fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n", + file,line,assertion); + abort(); + } + diff --git a/crypto/openssl/crypto/cryptlib.h b/crypto/openssl/crypto/cryptlib.h index 5eff5d3..576cbd6 100644 --- a/crypto/openssl/crypto/cryptlib.h +++ b/crypto/openssl/crypto/cryptlib.h @@ -89,6 +89,14 @@ extern "C" { #define X509_CERT_DIR_EVP "SSL_CERT_DIR" #define X509_CERT_FILE_EVP "SSL_CERT_FILE" +/* size of string represenations */ +#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1) +#define HEX_SIZE(type) ((sizeof(type)*2) + +/* die if we have to */ +void OpenSSLDie(const char *file,int line,const char *assertion); +#define die(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e)) + #ifdef __cplusplus } #endif diff --git a/crypto/openssl/crypto/dsa/dsa_asn1.c b/crypto/openssl/crypto/dsa/dsa_asn1.c index a76c8f7..649d17e 100644 --- a/crypto/openssl/crypto/dsa/dsa_asn1.c +++ b/crypto/openssl/crypto/dsa/dsa_asn1.c @@ -84,6 +84,7 @@ DSA_SIG *d2i_DSA_SIG(DSA_SIG **a, unsigned char **pp, long length) if ((ret->s=BN_bin2bn(bs->data,bs->length,ret->s)) == NULL) goto err_bn; M_ASN1_BIT_STRING_free(bs); + bs = NULL; M_ASN1_D2I_Finish_2(a); err_bn: diff --git a/crypto/openssl/crypto/dso/dso_dlfcn.c b/crypto/openssl/crypto/dso/dso_dlfcn.c index e709c72..acf09f5 100644 --- a/crypto/openssl/crypto/dso/dso_dlfcn.c +++ b/crypto/openssl/crypto/dso/dso_dlfcn.c @@ -112,7 +112,7 @@ DSO_METHOD *DSO_METHOD_dlfcn(void) * as we don't have autoconf yet, I'm implementing a hack that could * be hacked further relatively easily to deal with cases as we find * them. Initially this is to cope with OpenBSD. */ -#ifdef __OpenBSD__ +#if defined(__OpenBSD__) || defined(__NetBSD__) # ifdef DL_LAZY # define DLOPEN_FLAG DL_LAZY # else diff --git a/crypto/openssl/crypto/ebcdic.c b/crypto/openssl/crypto/ebcdic.c index 91a7a8b..a83536b 100644 --- a/crypto/openssl/crypto/ebcdic.c +++ b/crypto/openssl/crypto/ebcdic.c @@ -211,7 +211,7 @@ ascii2ebcdic(void *dest, const void *srce, size_t count) } #else /*CHARSET_EBCDIC*/ -#if defined(PEDANTIC) || defined(VMS) || defined(__VMS) +#if defined(PEDANTIC) || defined(VMS) || defined(__VMS) || defined(_DARWIN) static void *dummy=&dummy; #endif #endif diff --git a/crypto/openssl/crypto/evp/bio_enc.c b/crypto/openssl/crypto/evp/bio_enc.c index 831c71a..c425a97 100644 --- a/crypto/openssl/crypto/evp/bio_enc.c +++ b/crypto/openssl/crypto/evp/bio_enc.c @@ -106,8 +106,8 @@ static int enc_new(BIO *bi) BIO_ENC_CTX *ctx; ctx=(BIO_ENC_CTX *)OPENSSL_malloc(sizeof(BIO_ENC_CTX)); - EVP_CIPHER_CTX_init(&ctx->cipher); if (ctx == NULL) return(0); + EVP_CIPHER_CTX_init(&ctx->cipher); ctx->buf_len=0; ctx->buf_off=0; diff --git a/crypto/openssl/crypto/evp/c_allc.c b/crypto/openssl/crypto/evp/c_allc.c index f24d375..0820557 100644 --- a/crypto/openssl/crypto/evp/c_allc.c +++ b/crypto/openssl/crypto/evp/c_allc.c @@ -64,6 +64,10 @@ void OpenSSL_add_all_ciphers(void) { + static int done=0; + + if (done) return; + done=1; #ifndef NO_DES EVP_add_cipher(EVP_des_cfb()); EVP_add_cipher(EVP_des_ede_cfb()); diff --git a/crypto/openssl/crypto/evp/c_alld.c b/crypto/openssl/crypto/evp/c_alld.c index bbf059e..41695df 100644 --- a/crypto/openssl/crypto/evp/c_alld.c +++ b/crypto/openssl/crypto/evp/c_alld.c @@ -64,6 +64,10 @@ void OpenSSL_add_all_digests(void) { + static int done=0; + + if (done) return; + done=1; #ifndef NO_MD2 EVP_add_digest(EVP_md2()); #endif diff --git a/crypto/openssl/crypto/objects/o_names.c b/crypto/openssl/crypto/objects/o_names.c index dca9882..5eaf95b 100644 --- a/crypto/openssl/crypto/objects/o_names.c +++ b/crypto/openssl/crypto/objects/o_names.c @@ -61,6 +61,8 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *), { MemCheck_off(); name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS)); + MemCheck_on(); + if (!name_funcs) return(0); name_funcs->hash_func = lh_strhash; name_funcs->cmp_func = (int (*)())strcmp; name_funcs->free_func = 0; /* NULL is often declared to @@ -68,6 +70,7 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *), * to Compaq C is not really * compatible with a function * pointer. -- Richard Levitte*/ + MemCheck_off(); sk_NAME_FUNCS_push(name_funcs_stack,name_funcs); MemCheck_on(); } diff --git a/crypto/openssl/crypto/objects/obj_dat.c b/crypto/openssl/crypto/objects/obj_dat.c index d802c4d..41fdf6e 100644 --- a/crypto/openssl/crypto/objects/obj_dat.c +++ b/crypto/openssl/crypto/objects/obj_dat.c @@ -228,7 +228,7 @@ int OBJ_add_object(ASN1_OBJECT *obj) if (added == NULL) if (!init_added()) return(0); if ((o=OBJ_dup(obj)) == NULL) goto err; - ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); + if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err; if ((o->length != 0) && (obj->data != NULL)) ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); if (o->sn != NULL) @@ -428,7 +428,7 @@ int OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *a, int no_name) unsigned long l; unsigned char *p; const char *s; - char tbuf[32]; + char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; if (buf_len <= 0) return(0); diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index eb4b3d9..7ee8f76 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090604fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6d 9 May 2002" +#define OPENSSL_VERSION_NUMBER 0x0090605fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6e 30 Jul 2002" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pem/pem2.h b/crypto/openssl/crypto/pem/pem2.h index 4e484bc..f31790d 100644 --- a/crypto/openssl/crypto/pem/pem2.h +++ b/crypto/openssl/crypto/pem/pem2.h @@ -61,7 +61,9 @@ extern "C" { #endif +#ifndef HEADER_PEM_H void ERR_load_PEM_strings(void); +#endif #ifdef __cplusplus } diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c index e00af7c..01759f7 100644 --- a/crypto/openssl/crypto/pem/pem_lib.c +++ b/crypto/openssl/crypto/pem/pem_lib.c @@ -258,6 +258,7 @@ char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x, PKCS8_PRIV_KEY_INFO *p8inf; p8inf=d2i_PKCS8_PRIV_KEY_INFO( (PKCS8_PRIV_KEY_INFO **) x, &p, len); + if(!p8inf) goto p8err; ret = (char *)EVP_PKCS82PKEY(p8inf); PKCS8_PRIV_KEY_INFO_free(p8inf); } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) { diff --git a/crypto/openssl/crypto/perlasm/x86nasm.pl b/crypto/openssl/crypto/perlasm/x86nasm.pl index b4da364..519d8a5 100644 --- a/crypto/openssl/crypto/perlasm/x86nasm.pl +++ b/crypto/openssl/crypto/perlasm/x86nasm.pl @@ -209,7 +209,7 @@ sub using486 sub main'file { - push(@out, "segment .text\n"); + push(@out, "segment .text use32\n"); } sub main'function_begin diff --git a/crypto/openssl/crypto/pkcs12/pkcs12.h b/crypto/openssl/crypto/pkcs12/pkcs12.h index fefa1a6..08bf15a 100644 --- a/crypto/openssl/crypto/pkcs12/pkcs12.h +++ b/crypto/openssl/crypto/pkcs12/pkcs12.h @@ -141,8 +141,8 @@ union { #define PKCS12_ERROR 0 #define PKCS12_OK 1 -#define M_PKCS12_bag_type(bag) OBJ_obj2nid(bag->type) -#define M_PKCS12_cert_bag_type(bag) OBJ_obj2nid(bag->value.bag->type) +#define M_PKCS12_bag_type(bg) OBJ_obj2nid((bg)->type) +#define M_PKCS12_cert_bag_type(bg) OBJ_obj2nid((bg)->value.bag->type) #define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type #define M_PKCS12_x5092certbag(x509) \ diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index b209a86..a45cf76 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -621,7 +621,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) x=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL, i2d_X509_ATTRIBUTE, V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET); - pp=(unsigned char *)OPENSSL_malloc(x); + if (!(pp=(unsigned char *)OPENSSL_malloc(x))) goto err; p=pp; i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p, i2d_X509_ATTRIBUTE, @@ -817,7 +817,7 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n"); */ i=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,i2d_X509_ATTRIBUTE, V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE); - pp=OPENSSL_malloc(i); + if (!(pp=OPENSSL_malloc(i))) goto err; p=pp; i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,i2d_X509_ATTRIBUTE, V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE); diff --git a/crypto/openssl/crypto/pkcs7/verify.c b/crypto/openssl/crypto/pkcs7/verify.c index 49fc8d8..bd27006 100644 --- a/crypto/openssl/crypto/pkcs7/verify.c +++ b/crypto/openssl/crypto/pkcs7/verify.c @@ -179,10 +179,11 @@ char *argv[]; { ASN1_UTCTIME *tm; char *str1,*str2; + int rc; si=sk_PKCS7_SIGNER_INFO_value(sk,i); - i=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si); - if (i <= 0) + rc=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si); + if (rc <= 0) goto err; printf("signer info\n"); if ((tm=get_signed_time(si)) != NULL) diff --git a/crypto/openssl/crypto/txt_db/txt_db.c b/crypto/openssl/crypto/txt_db/txt_db.c index 3b04fe2..92fcbde 100644 --- a/crypto/openssl/crypto/txt_db/txt_db.c +++ b/crypto/openssl/crypto/txt_db/txt_db.c @@ -122,7 +122,7 @@ TXT_DB *TXT_DB_read(BIO *in, int num) else { buf->data[offset-1]='\0'; /* blat the '\n' */ - p=(char *)OPENSSL_malloc(add+offset); + if (!(p=(char *)OPENSSL_malloc(add+offset))) goto err; offset=0; } pp=(char **)p; diff --git a/crypto/openssl/crypto/x509v3/v3_ia5.c b/crypto/openssl/crypto/x509v3/v3_ia5.c index f3bba38..f941445 100644 --- a/crypto/openssl/crypto/x509v3/v3_ia5.c +++ b/crypto/openssl/crypto/x509v3/v3_ia5.c @@ -82,7 +82,7 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, { char *tmp; if(!ia5 || !ia5->length) return NULL; - tmp = OPENSSL_malloc(ia5->length + 1); + if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL; memcpy(tmp, ia5->data, ia5->length); tmp[ia5->length] = 0; return tmp; diff --git a/crypto/openssl/demos/maurice/loadkeys.c b/crypto/openssl/demos/maurice/loadkeys.c index 0f34647..792371c 100644 --- a/crypto/openssl/demos/maurice/loadkeys.c +++ b/crypto/openssl/demos/maurice/loadkeys.c @@ -33,7 +33,7 @@ EVP_PKEY * ReadPublicKey(const char *certfile) x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509, PEM_STRING_X509, - fp, NULL, NULL); + fp, NULL, NULL, NULL); if (x509 == NULL) { @@ -64,7 +64,7 @@ EVP_PKEY *ReadPrivateKey(const char *keyfile) pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey, PEM_STRING_EVP_PKEY, fp, - NULL, NULL); + NULL, NULL, NULL); fclose (fp); diff --git a/crypto/openssl/doc/apps/crl2pkcs7.pod b/crypto/openssl/doc/apps/crl2pkcs7.pod index da199b0..3797bc0 100644 --- a/crypto/openssl/doc/apps/crl2pkcs7.pod +++ b/crypto/openssl/doc/apps/crl2pkcs7.pod @@ -6,12 +6,13 @@ crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates. =head1 SYNOPSIS -B<openssl> B<pkcs7> +B<openssl> B<crl2pkcs7> [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] [B<-out filename>] -[B<-print_certs>] +[B<-certfile filename>] +[B<-nocrl>] =head1 DESCRIPTION diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod index ce99b5c..fa5d23e 100644 --- a/crypto/openssl/doc/apps/smime.pod +++ b/crypto/openssl/doc/apps/smime.pod @@ -21,7 +21,6 @@ B<openssl> B<smime> [B<-certfile file>] [B<-signer file>] [B<-recip file>] -[B<-in file>] [B<-inform SMIME|PEM|DER>] [B<-passin arg>] [B<-inkey file>] diff --git a/crypto/openssl/doc/crypto/BN_rand.pod b/crypto/openssl/doc/crypto/BN_rand.pod index ecd410f..9cec238 100644 --- a/crypto/openssl/doc/crypto/BN_rand.pod +++ b/crypto/openssl/doc/crypto/BN_rand.pod @@ -14,7 +14,7 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_rand_range(BIGNUM *rnd, BIGNUM *range); - int BN_pseudo_rand_range(BIGNUM *rnd, int bits, int top, int bottom); + int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range); =head1 DESCRIPTION diff --git a/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod b/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod index 82e2548..fa5eab2 100644 --- a/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod +++ b/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod @@ -26,7 +26,7 @@ as described in L<RSA_get_ex_new_index(3)>. =head1 SEE ALSO -L<RSA_get_ex_new_index()|RSA_get_ex_new_index()>, L<dh(3)|dh(3)> +L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dh(3)|dh(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/openssl/doc/crypto/EVP_DigestInit.pod index b8a231c..b99ecd2 100644 --- a/crypto/openssl/doc/crypto/EVP_DigestInit.pod +++ b/crypto/openssl/doc/crypto/EVP_DigestInit.pod @@ -192,7 +192,7 @@ in code that must be recompiled if the size of B<EVP_MD_CTX> increases. L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>, L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>, -L<sha(3)|sha(3)>, L<digest(1)|digest(1)> +L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/EVP_SignInit.pod b/crypto/openssl/doc/crypto/EVP_SignInit.pod index 7f9265d..51d05ff 100644 --- a/crypto/openssl/doc/crypto/EVP_SignInit.pod +++ b/crypto/openssl/doc/crypto/EVP_SignInit.pod @@ -75,7 +75,7 @@ L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>, L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>, L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>, -L<sha(3)|sha(3)>, L<digest(1)|digest(1)> +L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/EVP_VerifyInit.pod b/crypto/openssl/doc/crypto/EVP_VerifyInit.pod index 736a0f4..5d0d1fb 100644 --- a/crypto/openssl/doc/crypto/EVP_VerifyInit.pod +++ b/crypto/openssl/doc/crypto/EVP_VerifyInit.pod @@ -62,7 +62,7 @@ L<EVP_SignInit(3)|EVP_SignInit(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>, L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>, L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>, -L<sha(3)|sha(3)>, L<digest(1)|digest(1)> +L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/RSA_check_key.pod b/crypto/openssl/doc/crypto/RSA_check_key.pod index 79fed75..8a42d2e 100644 --- a/crypto/openssl/doc/crypto/RSA_check_key.pod +++ b/crypto/openssl/doc/crypto/RSA_check_key.pod @@ -18,7 +18,9 @@ in fact prime, and that B<n = p*q>. It also checks that B<d*e = 1 mod (p-1*q-1)>, and that B<dmp1>, B<dmq1> and B<iqmp> are set correctly or are B<NULL>. -The key's public components may not be B<NULL>. +As such, this function can not be used with any arbitrary RSA key object, +even if it is otherwise fit for regular RSA operation. See B<NOTES> for more +information. =head1 RETURN VALUE @@ -28,6 +30,13 @@ RSA_check_key() returns 1 if B<rsa> is a valid RSA key, and 0 otherwise. If the key is invalid or an error occurred, the reason code can be obtained using L<ERR_get_error(3)|ERR_get_error(3)>. +=head1 NOTES + +This function does not work on RSA public keys that have only the modulus +and public exponent elements populated. It performs integrity checks on all +the RSA key material, so the RSA key structure must contain all the private +key data too. + =head1 SEE ALSO L<rsa(3)|rsa(3)>, L<err(3)|err(3)> diff --git a/crypto/openssl/doc/crypto/err.pod b/crypto/openssl/doc/crypto/err.pod index 264e301..6f72955 100644 --- a/crypto/openssl/doc/crypto/err.pod +++ b/crypto/openssl/doc/crypto/err.pod @@ -172,7 +172,7 @@ ERR_get_string_table(void) respectively. =head1 SEE ALSO L<CRYPTO_set_id_callback(3)|CRYPTO_set_id_callback(3)>, -L<CRYPTO_set_locking_callback(3)|<CRYPTO_set_locking_callback(3)>, +L<CRYPTO_set_locking_callback(3)|CRYPTO_set_locking_callback(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>, L<ERR_clear_error(3)|ERR_clear_error(3)>, diff --git a/crypto/openssl/doc/crypto/rsa.pod b/crypto/openssl/doc/crypto/rsa.pod index 1633840..ec7458c 100644 --- a/crypto/openssl/doc/crypto/rsa.pod +++ b/crypto/openssl/doc/crypto/rsa.pod @@ -110,7 +110,7 @@ L<RSA_blinding_on(3)|RSA_blinding_on(3)>, L<RSA_set_method(3)|RSA_set_method(3)>, L<RSA_print(3)|RSA_print(3)>, L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>, -L<RSA_sign_ASN_OCTET_STRING(3)|RSA_sign_ASN_OCTET_STRING(3)>, +L<RSA_sign_ASN1_OCTET_STRING(3)|RSA_sign_ASN1_OCTET_STRING(3)>, L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod index d59a7db..c8b99f4 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod @@ -27,7 +27,7 @@ case is the size 0, which is used for unlimited size. When the maximum number of sessions is reached, no more new sessions are added to the cache. New space may be added by calling -L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)> to remove +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> to remove expired sessions. If the size of the session cache is reduced and more sessions are already @@ -46,6 +46,6 @@ SSL_CTX_sess_get_cache_size() returns the currently valid size. L<ssl(3)|ssl(3)>, L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>, -L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)> +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod index 6e0ef00..7c0b2ba 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod @@ -79,7 +79,7 @@ L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>. L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>, L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, -L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>, +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod index 81286ee..3a240c4 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod @@ -14,7 +14,7 @@ SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate ver =head1 DESCRIPTION SSL_CTX_set_cert_store() sets/replaces the certificate verification storage -of B<ctx> to/with B<store>. If another X505_STORE object is currently +of B<ctx> to/with B<store>. If another X509_STORE object is currently set in B<ctx>, it will be X509_STORE_free()ed. SSL_CTX_get_cert_store() returns a pointer to the current certificate diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod index 53e1827..3465b5c 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod @@ -15,8 +15,10 @@ SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb - handle client certifica =head1 DESCRIPTION SSL_CTX_set_client_cert_cb() sets the B<client_cert_cb()> callback, that is -called when a client certificate is requested by a server. -When B<client_cert_cb()> is NULL, not callback function is used. +called when a client certificate is requested by a server and no certificate +was yet set for the SSL object. + +When B<client_cert_cb()> is NULL, no callback function is used. SSL_CTX_get_client_cert_cb() returns a pointer to the currently set callback function. @@ -25,9 +27,13 @@ client_cert_cb() is the application defined callback. If it wants to set a certificate, a certificate/private key combination must be set using the B<x509> and B<pkey> arguments and "1" must be returned. The certificate will be installed into B<ssl>, see the NOTES and BUGS sections. -If no certificate should be set, "0" has to be returned and the default -certificate will be sent. A fatal error can be indicated by returning -a negative value, in which case the handshake will be canceled. +If no certificate should be set, "0" has to be returned and no certificate +will be sent. A negative return value will suspend the handshake and the +handshake function will return immediatly. L<SSL_get_error(3)|SSL_get_error(3)> +will return SSL_ERROR_WANT_X509_LOOKUP to indicate, that the handshake was +suspended. The next call to the handshake function will again lead to the call +of client_cert_cb(). It is the job of the client_cert_cb() to store information +about the state of the last call, if required to continue. =head1 NOTES @@ -35,26 +41,24 @@ During a handshake (or renegotiation) a server may request a certificate from the client. A client certificate must only be sent, when the server did send the request. -When no callback function is set, an OpenSSL client will send the certificate -that was set using the -L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)> family of functions. -The TLS standard requires that only a certificate is sent, if it matches -the list of acceptable CAs sent by the server. This constraint is -violated by the default behavior of the OpenSSL library. Using the -callback function it is possible to implement a proper selection routine -or to allow a user interaction to choose the certificate to be sent. -The callback function can obtain the list of acceptable CAs using the -L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)> function. - -If a callback function is defined, the callback function will be called. +When a certificate was set using the +L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)> family of functions, +it will be sent to the server. The TLS standard requires that only a +certificate is sent, if it matches the list of acceptable CAs sent by the +server. This constraint is violated by the default behavior of the OpenSSL +library. Using the callback function it is possible to implement a proper +selection routine or to allow a user interaction to choose the certificate to +be sent. + +If a callback function is defined and no certificate was yet defined for the +SSL object, the callback function will be called. If the callback function returns a certificate, the OpenSSL library will try to load the private key and certificate data into the SSL -object using SSL_use_certificate() and SSL_use_private_key() functions. -Thus it will permanently override the certificate and key previously -installed and will not be reset by calling L<SSL_clear(3)|SSL_clear(3)>. -If the callback returns no certificate, the OpenSSL library will send -the certificate previously installed for the SSL_CTX object or the specific -certificate of the SSL object, if available. +object using the SSL_use_certificate() and SSL_use_private_key() functions. +Thus it will permanently install the certificate and key for this SSL +object. It will not be reset by calling L<SSL_clear(3)|SSL_clear(3)>. +If the callback returns no certificate, the OpenSSL library will not send +a certificate. =head1 BUGS diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod index 5842a31..5c07e53 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod @@ -35,7 +35,7 @@ operation (|). Options can only be added but can never be reset. SSL_CTX_set_options() and SSL_set_options() affect the (external) protocol behaviour of the SSL library. The (internal) behaviour of the API can be changed by using the similar -L<SSL_CTX_set_modes(3)|SSL_CTX_set_modes(3)> and SSL_set_modes() functions. +L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> and SSL_set_mode() functions. During a handshake, the option settings of the SSL object are used. When a new SSL object is created from a context using SSL_new(), the current @@ -112,14 +112,22 @@ only understands up to SSLv3. In this case the client must still use the same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect to the server's answer and violate the version rollback protection.) +=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + +Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol +vulnerability affecting CBC ciphers, which cannot be handled by some +broken SSL implementations. This option has no effect for connections +using other ciphers. + =item SSL_OP_ALL All of the above bug workarounds. =back -It is save and recommended to use SSL_OP_ALL to enable the bug workaround -options. +It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround +options if compatibility with somewhat broken implementations is +desired. The following B<modifying> options are available: @@ -199,4 +207,9 @@ L<dhparam(1)|dhparam(1)> SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. +B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS> has been added in OpenSSL 0.9.6e. +Versions up to OpenSSL 0.9.6c do not include the countermeasure that +can be disabled with this option (in OpenSSL 0.9.6d, it was always +enabled). + =cut diff --git a/crypto/openssl/doc/ssl/SSL_accept.pod b/crypto/openssl/doc/ssl/SSL_accept.pod index ac6caf9..a673edb 100644 --- a/crypto/openssl/doc/ssl/SSL_accept.pod +++ b/crypto/openssl/doc/ssl/SSL_accept.pod @@ -69,6 +69,7 @@ to find out the reason. L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>, L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>, +L<SSL_do_handshake(3)|SSL_do_handshake(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_connect.pod b/crypto/openssl/doc/ssl/SSL_connect.pod index 766f187..8426310 100644 --- a/crypto/openssl/doc/ssl/SSL_connect.pod +++ b/crypto/openssl/doc/ssl/SSL_connect.pod @@ -66,6 +66,7 @@ to find out the reason. L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_accept(3)|SSL_accept(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>, L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>, +L<SSL_do_handshake(3)|SSL_do_handshake(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_do_handshake.pod b/crypto/openssl/doc/ssl/SSL_do_handshake.pod new file mode 100644 index 0000000..2435764 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_do_handshake.pod @@ -0,0 +1,75 @@ +=pod + +=head1 NAME + +SSL_do_handshake - perform a TLS/SSL handshake + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_do_handshake(SSL *ssl); + +=head1 DESCRIPTION + +SSL_do_handshake() will wait for a SSL/TLS handshake to take place. If the +connection is in client mode, the handshake will be started. The handshake +routines may have to be explicitly set in advance using either +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or +L<SSL_set_accept_state(3)|SSL_set_accept_state(3)>. + +=head1 NOTES + +The behaviour of SSL_do_handshake() depends on the underlying BIO. + +If the underlying BIO is B<blocking>, SSL_do_handshake() will only return +once the handshake has been finished or an error occurred, except for SGC +(Server Gated Cryptography). For SGC, SSL_do_handshake() may return with -1, +but SSL_get_error() will yield B<SSL_ERROR_WANT_READ/WRITE> and +SSL_do_handshake() should be called again. + +If the underlying BIO is B<non-blocking>, SSL_do_handshake() will also return +when the underlying BIO could not satisfy the needs of SSL_do_handshake() +to continue the handshake. In this case a call to SSL_get_error() with the +return value of SSL_do_handshake() will yield B<SSL_ERROR_WANT_READ> or +B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after +taking appropriate action to satisfy the needs of SSL_do_handshake(). +The action depends on the underlying BIO. When using a non-blocking socket, +nothing is to be done, but select() can be used to check for the required +condition. When using a buffering BIO, like a BIO pair, data must be written +into or retrieved out of the BIO before being able to continue. + +=head1 RETURN VALUES + +The following return values can occur: + +=over 4 + +=item 1 + +The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been +established. + +=item 0 + +The TLS/SSL handshake was not successful but was shut down controlled and +by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the +return value B<ret> to find out the reason. + +=item E<lt>0 + +The TLS/SSL handshake was not successful because a fatal error occurred either +at the protocol level or a connection failure occurred. The shutdown was +not clean. It can also occur of action is need to continue the operation +for non-blocking BIOs. Call SSL_get_error() with the return value B<ret> +to find out the reason. + +=back + +=head1 SEE ALSO + +L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>, +L<SSL_accept(3)|SSL_accept(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>, +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_get_error.pod b/crypto/openssl/doc/ssl/SSL_get_error.pod index f700bf0..fe28dd9 100644 --- a/crypto/openssl/doc/ssl/SSL_get_error.pod +++ b/crypto/openssl/doc/ssl/SSL_get_error.pod @@ -13,7 +13,7 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation =head1 DESCRIPTION SSL_get_error() returns a result code (suitable for the C "switch" -statement) for a preceding call to SSL_connect(), SSL_accept(), +statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), SSL_read(), SSL_peek(), or SSL_write() on B<ssl>. The value returned by that TLS/SSL I/O function must be passed to SSL_get_error() in parameter B<ret>. diff --git a/crypto/openssl/doc/ssl/SSL_set_connect_state.pod b/crypto/openssl/doc/ssl/SSL_set_connect_state.pod index 7adf8ad..d88a057 100644 --- a/crypto/openssl/doc/ssl/SSL_set_connect_state.pod +++ b/crypto/openssl/doc/ssl/SSL_set_connect_state.pod @@ -49,6 +49,7 @@ information. L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>, L<SSL_write(3)|SSL_write(3)>, L<SSL_read(3)|SSL_read(3)>, +L<SSL_do_handshake(3)|SSL_do_handshake(3)>, L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_write.pod b/crypto/openssl/doc/ssl/SSL_write.pod index dfa42e9..e013c12 100644 --- a/crypto/openssl/doc/ssl/SSL_write.pod +++ b/crypto/openssl/doc/ssl/SSL_write.pod @@ -65,6 +65,9 @@ When an SSL_write() operation has to be repeated because of B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>, it must be repeated with the same arguments. +When calling SSL_write() with num=0 bytes to be sent the behaviour is +undefined. + =head1 RETURN VALUES The following return values can occur: diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod index 79b19d9..2dcee03 100644 --- a/crypto/openssl/doc/ssl/ssl.pod +++ b/crypto/openssl/doc/ssl/ssl.pod @@ -682,6 +682,7 @@ L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>, L<SSL_alert_type_string(3)|SSL_alert_type_string(3)>, +L<SSL_do_handshake(3)|SSL_do_handshake(3)>, L<SSL_get_SSL_CTX(3)|SSL_get_SSL_CTX(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>, diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h index aba8c6f..d49c6ef 100644 --- a/crypto/openssl/e_os.h +++ b/crypto/openssl/e_os.h @@ -114,11 +114,11 @@ extern "C" { # define MS_STATIC #endif -#if defined(_WIN32) && !defined(WIN32) && !defined(__CYGWIN32__) +#if defined(_WIN32) && !defined(WIN32) && !defined(__CYGWIN32__) && !defined(_UWIN) # define WIN32 #endif -#if (defined(WIN32) || defined(WIN16)) && !defined(__CYGWIN32__) +#if (defined(WIN32) || defined(WIN16)) && !defined(__CYGWIN32__) && !defined(_UWIN) # ifndef WINDOWS # define WINDOWS # endif @@ -142,7 +142,8 @@ extern "C" { #define clear_sys_error() errno=0 #endif -#if defined(WINDOWS) && !defined(__CYGWIN32__) +#if defined(WINDOWS) && !defined(__CYGWIN32__) && !defined(_UWIN) + #define get_last_socket_error() WSAGetLastError() #define clear_socket_error() WSASetLastError(0) #define readsocket(s,b,n) recv((s),(b),(n),0) @@ -183,7 +184,7 @@ extern "C" { # define NO_FP_API #endif -#if (defined(WINDOWS) || defined(MSDOS)) && !defined(__CYGWIN32__) +#if (defined(WINDOWS) || defined(MSDOS)) && !defined(__CYGWIN32__) && !defined(_UWIN) # ifndef S_IFDIR # define S_IFDIR _S_IFDIR diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl index b3f2a13..4b8053a 100644 --- a/crypto/openssl/ssl/Makefile.ssl +++ b/crypto/openssl/ssl/Makefile.ssl @@ -229,12 +229,13 @@ s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s23_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s23_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h s23_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h -s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h -s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s2_clnt.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s2_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_clnt.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -274,12 +275,13 @@ s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_lib.o: ../include/openssl/des.h ../include/openssl/dh.h -s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s2_lib.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s2_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -340,12 +342,13 @@ s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h -s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s2_srvr.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s2_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_srvr.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -386,12 +389,13 @@ s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h s3_both.o: ../include/openssl/x509_vfy.h ssl_locl.h -s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h -s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s3_clnt.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s3_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s3_clnt.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -497,12 +501,13 @@ s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h -s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s3_srvr.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s3_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s3_srvr.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -542,12 +547,13 @@ ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h -ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h -ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h -ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssl_asn1.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +ssl_asn1.o: ../include/openssl/asn1_mac.h ../include/openssl/bio.h +ssl_asn1.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/cast.h +ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h +ssl_asn1.o: ../include/openssl/des.h ../include/openssl/dh.h +ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/e_os.h ssl_asn1.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/lhash.h @@ -700,12 +706,13 @@ ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_sess.o: ../include/openssl/des.h ../include/openssl/dh.h -ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +ssl_sess.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +ssl_sess.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_sess.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_sess.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssl_sess.o: ../include/openssl/e_os.h ../include/openssl/e_os.h ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 89ad45a..b921d9a 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -117,6 +117,7 @@ #include <openssl/sha.h> #include <openssl/evp.h> #include "ssl_locl.h" +#include "cryptlib.h" static SSL_METHOD *ssl3_get_client_method(int ver); static int ssl3_client_hello(SSL *s); @@ -545,6 +546,7 @@ static int ssl3_client_hello(SSL *s) *(p++)=i; if (i != 0) { + die(i <= sizeof s->session->session_id); memcpy(p,s->session->session_id,i); p+=i; } @@ -626,6 +628,14 @@ static int ssl3_get_server_hello(SSL *s) /* get the session-id */ j= *(p++); + if(j > sizeof s->session->session_id) + { + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, + SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto f_err; + } + if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) { /* SSLref returns 16 :-( */ diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c index d9a161a..79fa4f9 100644 --- a/crypto/openssl/ssl/s3_enc.c +++ b/crypto/openssl/ssl/s3_enc.c @@ -361,13 +361,24 @@ int ssl3_setup_key_block(SSL *s) ssl3_generate_key_block(s,p,num); - /* enable vulnerability countermeasure for CBC ciphers with - * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ - s->s3->need_empty_fragments = 1; + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + { + /* enable vulnerability countermeasure for CBC ciphers with + * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) + */ + s->s3->need_empty_fragments = 1; + + if (s->session->cipher != NULL) + { + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) + s->s3->need_empty_fragments = 0; + #ifndef NO_RC4 - if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)) - s->s3->need_empty_fragments = 0; + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) + s->s3->need_empty_fragments = 0; #endif + } + } return(1); err: diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index 57a3fa4..9951ebb 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -129,7 +129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -490,7 +490,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_NULL_SHA, SSL3_CK_FZA_DMS_NULL_SHA, SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -504,7 +504,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_FZA_SHA, SSL3_CK_FZA_DMS_FZA_SHA, SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index 2319737..d211fd4 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -122,6 +122,7 @@ #include <openssl/evp.h> #include <openssl/x509.h> #include "ssl_locl.h" +#include "cryptlib.h" static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); @@ -948,6 +949,7 @@ static int ssl3_send_server_hello(SSL *s) s->session->session_id_length=0; sl=s->session->session_id_length; + die(sl <= sizeof s->session->session_id); *(p++)=sl; memcpy(p,s->session->session_id,sl); p+=sl; diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index a638545..e0c0be7 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -350,6 +350,7 @@ typedef struct ssl_session_st struct ssl_session_st *prev,*next; } SSL_SESSION; + #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L @@ -361,11 +362,25 @@ typedef struct ssl_session_st #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L #define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L +/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added + * in OpenSSL 0.9.6d. Usually (depending on the application protocol) + * the workaround is not needed. Unfortunately some broken SSL/TLS + * implementations cannot handle it at all, which is why we include + * it in SSL_OP_ALL. */ +#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */ + +/* SSL_OP_ALL: various bug workarounds that should be rather harmless */ +#define SSL_OP_ALL 0x000FFFFFL + /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L /* Set to also use the tmp_rsa key when doing RSA operations. */ #define SSL_OP_EPHEMERAL_RSA 0x00200000L +#define SSL_OP_NO_SSLv2 0x01000000L +#define SSL_OP_NO_SSLv3 0x02000000L +#define SSL_OP_NO_TLSv1 0x04000000L + /* The next flag deliberately changes the ciphertest, this is a check * for the PKCS#1 attack */ #define SSL_OP_PKCS1_CHECK_1 0x08000000L @@ -374,11 +389,7 @@ typedef struct ssl_session_st /* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */ #define SSL_OP_NON_EXPORT_FIRST 0x40000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L -#define SSL_OP_ALL 0x000FFFFFL -#define SSL_OP_NO_SSLv2 0x01000000L -#define SSL_OP_NO_SSLv3 0x02000000L -#define SSL_OP_NO_TLSv1 0x04000000L /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success * when just a single record has been written): */ @@ -392,6 +403,7 @@ typedef struct ssl_session_st * is blocking: */ #define SSL_MODE_AUTO_RETRY 0x00000004L + /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ @@ -1478,6 +1490,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_PURPOSE 278 #define SSL_R_INVALID_TRUST 279 +#define SSL_R_KEY_ARG_TOO_LONG 1112 #define SSL_R_LENGTH_MISMATCH 159 #define SSL_R_LENGTH_TOO_SHORT 160 #define SSL_R_LIBRARY_BUG 274 @@ -1546,6 +1559,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_SHORT_READ 219 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 +#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c index fa6456e..3de1dbc 100644 --- a/crypto/openssl/ssl/ssl_asn1.c +++ b/crypto/openssl/ssl/ssl_asn1.c @@ -62,6 +62,7 @@ #include <openssl/objects.h> #include <openssl/x509.h> #include "ssl_locl.h" +#include "cryptlib.h" typedef struct ssl_session_asn1_st { @@ -275,6 +276,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, os.length=i; ret->session_id_length=os.length; + die(os.length <= sizeof ret->session_id); memcpy(ret->session_id,os.data,os.length); M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c index 87a13db..b1b7c22 100644 --- a/crypto/openssl/ssl/ssl_err.c +++ b/crypto/openssl/ssl/ssl_err.c @@ -1,6 +1,6 @@ /* ssl/ssl_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -275,6 +275,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_INVALID_COMMAND ,"invalid command"}, {SSL_R_INVALID_PURPOSE ,"invalid purpose"}, {SSL_R_INVALID_TRUST ,"invalid trust"}, +{SSL_R_KEY_ARG_TOO_LONG ,"key arg too long"}, {SSL_R_LENGTH_MISMATCH ,"length mismatch"}, {SSL_R_LENGTH_TOO_SHORT ,"length too short"}, {SSL_R_LIBRARY_BUG ,"library bug"}, @@ -343,6 +344,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_SHORT_READ ,"short read"}, {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"}, {SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"}, +{SSL_R_SSL3_SESSION_ID_TOO_LONG ,"ssl3 session id too long"}, {SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"}, {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"}, {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"}, diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h index 516d3cc..9297cd2 100644 --- a/crypto/openssl/ssl/ssl_locl.h +++ b/crypto/openssl/ssl/ssl_locl.h @@ -283,16 +283,17 @@ #define SSL_NOT_EXP 0x00000001L #define SSL_EXPORT 0x00000002L -#define SSL_STRONG_MASK 0x0000007cL -#define SSL_EXP40 0x00000004L +#define SSL_STRONG_MASK 0x000000fcL +#define SSL_STRONG_NONE 0x00000004L +#define SSL_EXP40 0x00000008L #define SSL_MICRO (SSL_EXP40) -#define SSL_EXP56 0x00000008L +#define SSL_EXP56 0x00000010L #define SSL_MINI (SSL_EXP56) -#define SSL_LOW 0x00000010L -#define SSL_MEDIUM 0x00000020L -#define SSL_HIGH 0x00000040L +#define SSL_LOW 0x00000020L +#define SSL_MEDIUM 0x00000040L +#define SSL_HIGH 0x00000080L -/* we have used 0000007f - 25 bits left to go */ +/* we have used 000000ff - 24 bits left to go */ /* * Macros to check the export status and cipher strength for export ciphers. diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index 8476f41..87cd8a9 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c @@ -60,6 +60,7 @@ #include <openssl/lhash.h> #include <openssl/rand.h> #include "ssl_locl.h" +#include "cryptlib.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); @@ -199,6 +200,7 @@ int ssl_get_new_session(SSL *s, int session) ss->session_id_length=0; } + die(s->sid_ctx_length <= sizeof ss->sid_ctx); memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length); ss->sid_ctx_length=s->sid_ctx_length; s->session=ss; diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c index b752e89..f3ecc5f 100644 --- a/crypto/openssl/ssl/t1_enc.c +++ b/crypto/openssl/ssl/t1_enc.c @@ -433,13 +433,24 @@ printf("\nkey block\n"); { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } #endif - /* enable vulnerability countermeasure for CBC ciphers with - * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ - s->s3->need_empty_fragments = 1; + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + { + /* enable vulnerability countermeasure for CBC ciphers with + * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) + */ + s->s3->need_empty_fragments = 1; + + if (s->session->cipher != NULL) + { + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) + s->s3->need_empty_fragments = 0; + #ifndef NO_RC4 - if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)) - s->s3->need_empty_fragments = 0; + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) + s->s3->need_empty_fragments = 0; #endif + } + } return(1); err: diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl index a6e3819..3cb1283 100644 --- a/crypto/openssl/test/Makefile.ssl +++ b/crypto/openssl/test/Makefile.ssl @@ -109,7 +109,7 @@ tests: exe apps \ test_ss test_ca test_ssl apps: - @(cd ../apps; $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' all) + @(cd ../apps; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all) test_des: ./$(DESTEST) @@ -243,10 +243,10 @@ clean: rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log $(DLIBSSL): - (cd ../ssl; $(MAKE)) + (cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}') $(DLIBCRYPTO): - (cd ../crypto; $(MAKE)) + (cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}') $(RSATEST): $(RSATEST).o $(DLIBCRYPTO) $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash index 049bb3f..5f3bd4c 100644 --- a/crypto/openssl/tools/c_rehash +++ b/crypto/openssl/tools/c_rehash @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/local/bin/perl5 # Perl c_rehash script, scan all files in a directory diff --git a/crypto/openssl/util/dirname.pl b/crypto/openssl/util/dirname.pl new file mode 100644 index 0000000..d7a66d9 --- /dev/null +++ b/crypto/openssl/util/dirname.pl @@ -0,0 +1,18 @@ +#!/usr/local/bin/perl + +if ($#ARGV < 0) { + die "dirname.pl: too few arguments\n"; +} elsif ($#ARGV > 0) { + die "dirname.pl: too many arguments\n"; +} + +my $d = $ARGV[0]; + +if ($d =~ m|.*/.*|) { + $d =~ s|/[^/]*$||; +} else { + $d = "."; +} + +print $d,"\n"; +exit(0); diff --git a/crypto/openssl/util/domd b/crypto/openssl/util/domd index 9f75131..51c59bd 100755 --- a/crypto/openssl/util/domd +++ b/crypto/openssl/util/domd @@ -7,5 +7,5 @@ shift cp Makefile.ssl Makefile.save makedepend -f Makefile.ssl $@ -perl $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new +${PERL} $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new mv Makefile.new Makefile.ssl diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl index 46755fa..4cc7881 100755 --- a/crypto/openssl/util/mk1mf.pl +++ b/crypto/openssl/util/mk1mf.pl @@ -98,7 +98,7 @@ $out_def="out"; $inc_def="outinc"; $tmp_def="tmp"; -$mkdir="mkdir"; +$mkdir="-mkdir"; ($ssl,$crypto)=("ssl","crypto"); $RSAglue="RSAglue"; diff --git a/crypto/openssl/util/pl/BC-32.pl b/crypto/openssl/util/pl/BC-32.pl index 20cb3a9..c268c49 100644 --- a/crypto/openssl/util/pl/BC-32.pl +++ b/crypto/openssl/util/pl/BC-32.pl @@ -65,24 +65,24 @@ $bf_enc_src=''; if (!$no_asm) { - $bn_mulw_obj='crypto\bn\asm\bn-win32.obj'; - $bn_mulw_src='crypto\bn\asm\bn-win32.asm'; - $des_enc_obj='crypto\des\asm\d-win32.obj crypto\des\asm\y-win32.obj'; - $des_enc_src='crypto\des\asm\d-win32.asm crypto\des\asm\y-win32.asm'; - $bf_enc_obj='crypto\bf\asm\b-win32.obj'; - $bf_enc_src='crypto\bf\asm\b-win32.asm'; - $cast_enc_obj='crypto\cast\asm\c-win32.obj'; - $cast_enc_src='crypto\cast\asm\c-win32.asm'; - $rc4_enc_obj='crypto\rc4\asm\r4-win32.obj'; - $rc4_enc_src='crypto\rc4\asm\r4-win32.asm'; - $rc5_enc_obj='crypto\rc5\asm\r5-win32.obj'; - $rc5_enc_src='crypto\rc5\asm\r5-win32.asm'; - $md5_asm_obj='crypto\md5\asm\m5-win32.obj'; - $md5_asm_src='crypto\md5\asm\m5-win32.asm'; - $sha1_asm_obj='crypto\sha\asm\s1-win32.obj'; - $sha1_asm_src='crypto\sha\asm\s1-win32.asm'; - $rmd160_asm_obj='crypto\ripemd\asm\rm-win32.obj'; - $rmd160_asm_src='crypto\ripemd\asm\rm-win32.asm'; + $bn_mulw_obj='crypto\bn\asm\bn_win32.obj'; + $bn_mulw_src='crypto\bn\asm\bn_win32.asm'; + $des_enc_obj='crypto\des\asm\d_win32.obj crypto\des\asm\y_win32.obj'; + $des_enc_src='crypto\des\asm\d_win32.asm crypto\des\asm\y_win32.asm'; + $bf_enc_obj='crypto\bf\asm\b_win32.obj'; + $bf_enc_src='crypto\bf\asm\b_win32.asm'; + $cast_enc_obj='crypto\cast\asm\c_win32.obj'; + $cast_enc_src='crypto\cast\asm\c_win32.asm'; + $rc4_enc_obj='crypto\rc4\asm\r4_win32.obj'; + $rc4_enc_src='crypto\rc4\asm\r4_win32.asm'; + $rc5_enc_obj='crypto\rc5\asm\r5_win32.obj'; + $rc5_enc_src='crypto\rc5\asm\r5_win32.asm'; + $md5_asm_obj='crypto\md5\asm\m5_win32.obj'; + $md5_asm_src='crypto\md5\asm\m5_win32.asm'; + $sha1_asm_obj='crypto\sha\asm\s1_win32.obj'; + $sha1_asm_src='crypto\sha\asm\s1_win32.asm'; + $rmd160_asm_obj='crypto\ripemd\asm\rm_win32.obj'; + $rmd160_asm_src='crypto\ripemd\asm\rm_win32.asm'; $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM"; } diff --git a/crypto/openssl/util/pl/VC-32.pl b/crypto/openssl/util/pl/VC-32.pl index 7c6674b..8dea921 100644 --- a/crypto/openssl/util/pl/VC-32.pl +++ b/crypto/openssl/util/pl/VC-32.pl @@ -67,24 +67,24 @@ $bf_enc_src=''; if (!$no_asm) { - $bn_asm_obj='crypto\bn\asm\bn-win32.obj'; - $bn_asm_src='crypto\bn\asm\bn-win32.asm'; - $des_enc_obj='crypto\des\asm\d-win32.obj crypto\des\asm\y-win32.obj'; - $des_enc_src='crypto\des\asm\d-win32.asm crypto\des\asm\y-win32.asm'; - $bf_enc_obj='crypto\bf\asm\b-win32.obj'; - $bf_enc_src='crypto\bf\asm\b-win32.asm'; - $cast_enc_obj='crypto\cast\asm\c-win32.obj'; - $cast_enc_src='crypto\cast\asm\c-win32.asm'; - $rc4_enc_obj='crypto\rc4\asm\r4-win32.obj'; - $rc4_enc_src='crypto\rc4\asm\r4-win32.asm'; - $rc5_enc_obj='crypto\rc5\asm\r5-win32.obj'; - $rc5_enc_src='crypto\rc5\asm\r5-win32.asm'; - $md5_asm_obj='crypto\md5\asm\m5-win32.obj'; - $md5_asm_src='crypto\md5\asm\m5-win32.asm'; - $sha1_asm_obj='crypto\sha\asm\s1-win32.obj'; - $sha1_asm_src='crypto\sha\asm\s1-win32.asm'; - $rmd160_asm_obj='crypto\ripemd\asm\rm-win32.obj'; - $rmd160_asm_src='crypto\ripemd\asm\rm-win32.asm'; + $bn_asm_obj='crypto\bn\asm\bn_win32.obj'; + $bn_asm_src='crypto\bn\asm\bn_win32.asm'; + $des_enc_obj='crypto\des\asm\d_win32.obj crypto\des\asm\y_win32.obj'; + $des_enc_src='crypto\des\asm\d_win32.asm crypto\des\asm\y_win32.asm'; + $bf_enc_obj='crypto\bf\asm\b_win32.obj'; + $bf_enc_src='crypto\bf\asm\b_win32.asm'; + $cast_enc_obj='crypto\cast\asm\c_win32.obj'; + $cast_enc_src='crypto\cast\asm\c_win32.asm'; + $rc4_enc_obj='crypto\rc4\asm\r4_win32.obj'; + $rc4_enc_src='crypto\rc4\asm\r4_win32.asm'; + $rc5_enc_obj='crypto\rc5\asm\r5_win32.obj'; + $rc5_enc_src='crypto\rc5\asm\r5_win32.asm'; + $md5_asm_obj='crypto\md5\asm\m5_win32.obj'; + $md5_asm_src='crypto\md5\asm\m5_win32.asm'; + $sha1_asm_obj='crypto\sha\asm\s1_win32.obj'; + $sha1_asm_src='crypto\sha\asm\s1_win32.asm'; + $rmd160_asm_obj='crypto\ripemd\asm\rm_win32.obj'; + $rmd160_asm_src='crypto\ripemd\asm\rm_win32.asm'; $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM"; } diff --git a/crypto/openssl/util/pod2man.pl b/crypto/openssl/util/pod2man.pl index c6b64ad..657e4e2 100755 --- a/crypto/openssl/util/pod2man.pl +++ b/crypto/openssl/util/pod2man.pl @@ -416,8 +416,8 @@ if ($name ne 'something') { warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n" } else { - $n[0] =~ s/\n/ /; - $n[1] =~ s/\n/ /; + $n[0] =~ s/\n/ /g; + $n[1] =~ s/\n/ /g; %namedesc = @n; } } diff --git a/crypto/openssl/util/pod2mantest b/crypto/openssl/util/pod2mantest new file mode 100755 index 0000000..449ef14 --- /dev/null +++ b/crypto/openssl/util/pod2mantest @@ -0,0 +1,53 @@ +#!/bin/sh + +# This script is used by test/Makefile.ssl to check whether a sane 'pod2man' +# is installed. +# ('make install' should not try to run 'pod2man' if it does not exist or if +# it is a broken 'pod2man' version that is known to cause trouble. if we find +# the system 'pod2man' to be broken, we use our own copy instead) +# +# In any case, output an appropriate command line for running (or not +# running) pod2man. + + +IFS=: +try_without_dir=false +# First we try "pod2man", then "$dir/pod2man" for each item in $PATH. +for dir in dummy:$PATH; do + if [ "$try_without_dir" = true ]; then + # first iteration + pod2man=pod2man + try_without_dir=false + else + # second and later iterations + pod2man="$dir/pod2man" + if [ ! -f "$pod2man" ]; then # '-x' is not available on Ultrix + pod2man='' + fi + fi + + if [ ! "$pod2man" = '' ]; then + failure=none + + + if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | grep '^MARKER - ' >/dev/null 2>&1; then + failure=MultilineTest + fi + + + if [ "$failure" = none ]; then + echo "$pod2man" + exit 0 + fi + + echo "$pod2man does not work properly ('$failure' failed). Looking for another pod2man ..." >&2 + fi +done + +echo "No working pod2man found. Consider installing a new version." >&2 +if [ "$1" = ignore ]; then + echo "As a workaround, we'll use a bundled old copy of pod2man.pl." >&2 + echo "../../util/pod2man.pl" + exit 0 +fi +exit 1 diff --git a/crypto/openssl/util/pod2mantest.pod b/crypto/openssl/util/pod2mantest.pod new file mode 100644 index 0000000..5d2539a --- /dev/null +++ b/crypto/openssl/util/pod2mantest.pod @@ -0,0 +1,15 @@ +=pod + +=head1 NAME + +foo, bar, +MARKER - test of multiline name section + +=head1 DESCRIPTION + +This is a test .pod file to see if we have a buggy pod2man or not. +If we have a buggy implementation, we will get a line matching the +regular expression "^ +MARKER - test of multiline name section *$" +at the end of the resulting document. + +=cut |
